Wednesday, September 25, 2019

AWS 101

AWS Certified Solutions Architect.

6 advantages of cloud computing.

economies of scale
variable vs capital expense
stop guessing capacity
increase speed and agility
focus on business differentiators
go global in minutes



==================================

deployment model:

all-in cloud
^ everything fully in the cloud

hybrid
^ connected to existing resources / datacenter


=====================================


aws -> on demand.

like buying electricity directly from PLN (the utility company)


^ capacity depends on what is needed and used.
^ lower upfront cost. easy scaling.
====================================



exam -> focuses on the AWS global infra and the AWS approach to security and compliance



======================================



AWS servers are in more than 190 countries.
providing lower latency, higher throughput



each region has isolated locations -> called availability zones.

complete isolation between regions!

but connected via low-latency links.


each availability zone is connected to tier-1 transit providers.

===================================


security best practices at AWS:

SOC / service organization control: ISAE / international standard on assurance engagements 3402, SOC 2, SOC 3


FISMA / federal information security management act.

DIACAP / department of defense information assurance certification and accreditation process, and the federal risk
and authorization management program


PCI DSS / payment card industry data security standard. level 1

ISO 9001 / international organization for standardization, ISO 27001, ISO 27018


==============================



Access platform:

can use:

1 AWS CLI
- web application for managing AWS services
- can perform many tasks.
- can view account & billing information
- can control multiple services & automate using scripts.

2 AWS SDK ( aws software development kit )
- provides APIs for interacting with the web services.
- supports many programming languages.



==============================


// compute and network service

- amazon EC2
provides virtual computing environments ( virtual servers ) in Amazon datacenters.
can control memory, CPU, storage
can choose the OS, custom applications, manage network access permissions



- AWS lambda
zero-administration compute platform for back-end developers. -> runs your code in the AWS cloud ( run on EC2 ), across multiple availability zones in a region.

^ provides the high availability, security, performance, scalability of the AWS infra.




- auto scaling
allows an organization to scale Amazon EC2 capacity up / down.
^ according to demand / workload.
^ optimize COST!



- elastic load balancing
automatically distributes incoming application traffic across Amazon EC2 instances in the cloud.
^ fault tolerance.
^ load balance



- AWS Elastic Beanstalk
^ the simplest and fastest way to deploy web applications.
auto resource provisioning, load balancing, auto scaling,
monitoring.
the user still has control over the resources, and can adjust the resources at any time.
^ supports php, java, python, ruby, nodejs, .net, go




- amazon VPC ( virtual private cloud )
provisions a logically isolated section of the Amazon cloud.
so that the organization can access it in isolation.

^ select the IP address range, create subnets, configure route tables, gateways.
^ can extend the corporate datacenter network to AWS via VPN / dedicated circuit using AWS Direct Connect




- AWS Direct Connect
establish dedicated network connection (private) from datacenter to AWS.
^ reduces cost, increases bandwidth throughput, more consistent network experience than a VPN-based connection




- amazon route 53
highly available and scalable DNS.
^ also serves as a domain registrar, allowing you to purchase and manage domains directly from AWS


==============================

// storage and content delivery


1 amazon simple storage service (S3)
highly durable, scalable object storage.
handle virtually unlimited amount of data and concurrent users.
can store any number of object such as :
html page,
source code file, image file, encrypted data, and access using http based protocol.

cost effective.

can be used as backup and recovery,big data analytic, nearline archive, disaster recovery, cloud app, content distribution.





2 amazon cloudfront
amazon CDN / content delivery web service
^ across the world, low latency, high data transfer, no minimum usage commitments.

^ auto routed to nearest edge location.
^ best possible performance to end user





3 amazon elastic block store (EBS)
provides persistent block-level storage volumes for use with EC2 instances.
^ each EBS automatically replicated within availability zone.
^ consistent, low latency




4 amazon glacier
secure durable low cost storage service for data archive and long term backup.
^ for data that is rarely accessed but is many gigabytes in size. low cost!


5 amazon storage gateway
service connecting on-premises software apps with cloud-based storage to provide seamless and secure integration between the on-premises IT environment and the AWS infra. ( S3, glacier)
==============================


// database services


petabyte-scale data warehouse solution.
fully managed relational and NoSQL db services.


1 amazon RDS  / relational database services
fully managed relational database
^ operational tasks are handled by Amazon.
^ the user just focuses on the business process

^ --backup, software patching, monitoring, scaling, replication



2 amazon DynamoDB
fast, flexible NoSQL database. key, value.
used for: mobile, web gaming, ad-tech, IoT, apps.


3 amazon Redshift
fast, fully managed, petabyte scale.
simple, cost effective
analyze structured data.
fast queries.
allows automating tasks such as provisioning, configuring, monitoring a cloud data warehouse



4 amazon elastiCache
in memory cache in the cloud.
allows retrieving information from a fast, managed in-memory cache instead of relying on slower disk-based databases.
^ support memcached & redis cache engines.




========================

// management tools


1 amazon cloudwatch
monitor aws cloud resource.
track metric, monitor log, set alarm.
visibility resource utilization, app performance, operational health



2 amazon cloudformation
manageable by developers & sysadmins
defines a JSON-based templating language that can be used to describe AWS resources / workloads


3 AWS cloudtrail
records AWS API calls for the account and delivers log files for audit and review.
^ identity, time api call, source ip of api caller, request param, response element



4 AWS Config
fully managed service providing:
aws resource inventory
config history
config change & notification

discover aws resource and config detail ( can be exported ).
determine how resources were configured at any point in time.

^ used for compliance audit, security analysis, resource change tracking, troubleshooting

========================




// security and identity


1 AWS IAM / identity and access management
securely control access to AWS cloud services for your users.
grouping and user permissions!



2 AWS KMS / key management service
create encryption keys. uses HSMs ( hardware security modules ) to protect the security
of the keys.


3 AWS Directory service
set up and run Microsoft AD on the AWS cloud.
can connect AWS resources with the existing on-premises directory.


4 AWS Certificate Manager
easily provision, manage and deploy SSL/TLS certificates for use with AWS cloud services.
^ removes the time-consuming purchase, upload, renewal of SSL certificates


5 AWS WAF
protect web app.
apply web security rules!



=======================



// application services



1 amazon API Gateway.
create, publish, maintain, monitor secure API.
the front door for accessing data, business logic, backend functionality.



2  amazon elastic transcoder
converts media from the source format to formats that can be played on smartphones, tablets, PCs



3 amazon SNS / simple notification service
web service coordinates and manages delivery to recipient.
there are publishers and subscribers.
subscribers consume messages from a topic that a publisher has published to.


4 amazon SES / simple email service
cost-effective email service.
can receive messages and deliver them to an Amazon S3 bucket, call custom code via AWS Lambda / publish notifications to Amazon SNS

5 amazon SWF / simple workflow service
state tracker and task coordinator.
^ checks, for example, whether the application is taking too long ( 500 ms ). checks state.
provide ability to recover / or retry.




6 amazon SQS  / simple queue service
message queueing service.
decouples the components of a cloud app.
can transmit any volume of data, at any level of throughput, without data loss

================


topic:

global infra
understand regions
understand availability zones
understand hybrid deployment model

Network Design Part 1

cisco design!!

1 plan:
- design
- assessment
- strategy & analysis for solution


2 build
- validation
- deployment
- migration 


as minimally disruptive as possible!


** achieve business goals. -> minimize operational downtime of the network infrastructure.


3 manage
- product support
- solution support
- optimization
- operations management



==========================

in the plan phase there will be a lot of:


HLD / HIGH LEVEL DESIGN
LLD / LOW LEVEL DESIGN
BOM / BILL OF MATERIAL


=========================

- Network life cycle model

PPDIOO


prepare
plan
design

^ these 3 fall under the plan category


implement

^ build



operate
optimize

^ these 2 fall under the manage category






from top to bottom, then back up to the top again.








====================

PPDIOO part 2


1 prepare phase. ( high level )

proposing solution.
financial justification.
identify particular technology that suit organization.



2 plan

make more details!
characterizing existing network. putting particular goal in baseline.



3 Design

before implementing.
make sure the business and technical goals fit in.
creating design

each solution scalable.
perform at spec
highly available?

^ these 3 metrics are the most important



4 Implement
least disruptive to the existing infra.


5 Operate



6 Optimize
day to day check and optimize!


====================


characterize the existing network

- network maps
- network addressing and naming
- wiring and media
- architecture / environment constraints
- network health  :

prepare checklist to make sure the network is healthy!




cisco provides us with a nice starting point for analyzing the health of our existing network as we plan to redesign.


- ethernet segments should not feature a sustained utilization of 40% or higher.


- all ethernet segments should be switched -- no shared segments ( hub-based )

- no WAN link should feature a sustained utilization of 70% or higher

- response time should be generally less than 100ms

- LAN response time should generally be 2ms

- no segments have more than 1 CRC error per million bytes of data

- no segments should have more than 20% multicast / broadcast traffic


- for ethernet segments, there should be less than 0.1 percent collisions over 5-min intervals.


- CPU utilization should not exceed 75%

- the number of output queue drops should not exceed 100 in an hour

- the number of input queue drops should not exceed 50 in an hour

- the number of buffer misses should not exceed 25 in an hour
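As an added example (not part of the original notes), here is the checklist above encoded as a table-driven health audit in Python that a network engineer could run over figures gathered by SNMP polling or show commands; the segment and device names and all sample figures are constructed.

```python
import operator
from typing import Callable, Dict, List, Tuple
# One check = (metric key, comparison, limit, finding text); it fires when op(value, limit) is true.
Check = Tuple[str, Callable[[float, float], bool], float, str]
SEGMENT_CHECKS: Dict[str, List[Check]] = {
    "ethernet": [
        ("utilization_pct", operator.ge, 40, "sustained utilization 40% or higher"),
        ("collision_pct_5min", operator.ge, 0.1, "collisions 0.1% or more over 5 min"),
        ("response_ms", operator.gt, 2, "LAN response time above 2 ms"),
        ("shared", operator.eq, True, "shared (hub-based) segment, should be switched"),
    ],
    "wan": [
        ("utilization_pct", operator.ge, 70, "sustained utilization 70% or higher"),
        ("response_ms", operator.ge, 100, "response time 100 ms or more"),
    ],
    "any": [  # applied to every segment type
        ("crc_per_million_bytes", operator.gt, 1, "more than 1 CRC error per million bytes"),
        ("bcast_mcast_pct", operator.gt, 20, "more than 20% multicast/broadcast traffic"),
    ],
}
DEVICE_CHECKS: List[Check] = [
    ("cpu_pct", operator.gt, 75, "CPU utilization above 75%"),
    ("output_drops_per_hour", operator.gt, 100, "more than 100 output queue drops in an hour"),
    ("input_drops_per_hour", operator.gt, 50, "more than 50 input queue drops in an hour"),
    ("buffer_misses_per_hour", operator.gt, 25, "more than 25 buffer misses in an hour"),
]

def run_checks(metrics: Dict[str, float], checks: List[Check]) -> List[str]:
    """Return the finding text of every check that fires; metrics not sampled are skipped."""
    return [text for key, op, limit, text in checks if key in metrics and op(metrics[key], limit)]

def check_segment(kind: str, metrics: Dict[str, float]) -> List[str]:
    """kind is 'ethernet' or 'wan'; runs the kind-specific checks plus the common ones."""
    return run_checks(metrics, SEGMENT_CHECKS[kind] + SEGMENT_CHECKS["any"])

def check_device(metrics: Dict[str, float]) -> List[str]:
    return run_checks(metrics, DEVICE_CHECKS)

# Constructed sample figures, as an SNMP poll or a show-command audit might have collected them.
SAMPLE_SEGMENTS = {
    "floor1-lan": ("ethernet", {"utilization_pct": 23, "collision_pct_5min": 0.02, "response_ms": 1.5,
                                "shared": False, "crc_per_million_bytes": 0.3, "bcast_mcast_pct": 8}),
    "lab-hub": ("ethernet", {"utilization_pct": 55, "collision_pct_5min": 0.4, "response_ms": 4,
                             "shared": True, "bcast_mcast_pct": 25}),
    "hq-branch": ("wan", {"utilization_pct": 72, "response_ms": 95, "crc_per_million_bytes": 1.5}),
}
SAMPLE_DEVICES = {
    "core-sw1": {"cpu_pct": 41, "output_drops_per_hour": 12, "input_drops_per_hour": 0, "buffer_misses_per_hour": 3},
    "edge-rtr": {"cpu_pct": 82, "output_drops_per_hour": 140, "input_drops_per_hour": 60, "buffer_misses_per_hour": 30},
}

def audit() -> Dict[str, List[str]]:
    """Map every sampled segment and device to its findings (empty list = healthy)."""
    report = {name: check_segment(kind, m) for name, (kind, m) in SAMPLE_SEGMENTS.items()}
    report.update({name: check_device(m) for name, m in SAMPLE_DEVICES.items()})
    return report
```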




========================== 


identify
network audit
analyze



=========================


existing documentationn
existing management software
additional auditing tools


=======================

can be done via the CLI. show commands.

or use tools like cisco prime infrastructure / solarwinds

polling graphs/resources via SNMP.

======================


MIB = database of variables. accessed by the NMS to analyze the data.

SNMP 1
SNMP 2c
SNMP 3    -> ++ authentication, integrity, encryption



=====================


CDP  -> cisco prop
LLDP -> vendor neutral ( link layer discovery protocol )
Netflow ->  built in within cisco router



====================

netflow components:

- monitor / traffic monitoring
- exporter / gathering information and sending it to the collector device
- collector


exporter:


# flow exporter NF_1    !! give the exporter a name
# destination 12.12.12.100    !! IP of the collector
# transport udp 9996    !! choose the port number
# source serial0/0   !! select the source interface if there are many interfaces
# exit


monitor

# flow monitor NF_MON1
# exporter NF_1    !! must match the exporter name defined above
# record netflow-original




!! assign the monitor to an interface

# int serial 0/0
# ip flow monitor NF_MON1 input   !! direction
# end


!! test

# show flow monitor name NF_MON1 cache 



===================

IP SLA.

testing the network delay using UDP-packet-based jitter!

^ important for VoIP


R1------------R2



!! create responder

R2# ip sla responder udp-echo ipaddress 12.12.12.2 port 5000

 

!! generate traffic

R1# ip sla 1
# udp-jitter 12.12.12.2 16384 codec g711alaw 
# frequency 30          // change default 60s to 30s



!! schedule ip sla test

R1# ip sla schedule 1 start-time now life forever



!!  check on r2
R2# show ip sla responder

R1# show ip sla statistics 1


==================


!! design network.

OSI model -->  design from top or bottom??


APP first?

cabling first?




bottom-up design, cons:
- fast
- based on previous experience
- org reg
- failure problem   -> high probability

^ need VOIP?  buy cabling first, routers, Gigabit ethernet, etc.






top-down design:
- big picture
- time consuming

^ requirements of the technology / application
^ the design needs validation.

2 methods:
prototyping -> build it in a lab environment
pilot  -> use a small portion of production.
    use small data. actual users, actual actions.
  connected to the production network





=================


!! building modular network


core
distribution
access





modular --> quick troubleshooting


MTTR = mean time to repair.



break the network into smaller convergence domains!
ospf area 0  -> split into many areas






1 convergence domain
2 scalability
3 resiliency  -- the network can tolerate more overall faults.
=================


campus network:
- campus infrastructure
- datacenter



edge network:
- e-commerce
- internet connectivity
- remote access
- WAN connectivity


ISP:
-ISP1
-ISP2
-WAN

remote network:
- teleworker
- enterprise branch
- enterprise datacenter


====================== 


!! applying modularity


think hierarchical


- hub and spoke


- core, dist, access


core layer: speed,speed,speed  // usually the links between core switches are aggregated / etherchannel.



dist layer: aggregate, summarize, security policy   ( usually multilayer switches, high speed ports  )
access layer: wired, wireless. ( mac based, not routing )




- collapsed core ( 2 tier topology )
^ core and distribution combined into 1 device  ( saving cost )
^ the access layer still exists.
^ but not suitable for a large campus with many buildings.




- multilayer

===================


!! virtualization

physical vs logical  : VLAN


segregation :  VSAN
desegregation : connecting 2 datacenters over long distance virtualization ->  OTV / OVERLAY TRANSPORT VIRTUALIZATION.

^ SO THEY APPEAR TO BE CONNECTED AT L2 even though they are in different locations.



density / resource workload = how much ram / cpu per server. ( utilization )


High availability




==========================


VSS = virtual switching system.

^ multiple switches connected into one virtual switch!



=======================

!! consequence

1 fate sharing
^ a failure in 1 physical device will affect several virtual ones

2 suboptimal pathing
^ asymmetric routing

3 overuse of virtualization


=====================


nexus -> creating VDC / virtual device context



========================

!! campus design


end-to-end vs localized vlan approach
* best = localized  ( simple, scalable )



end-to-end = differentiate sales vlan, hr vlan.



!! geographical
1st floor = vlan_1
2nd floor = vlan_2




====================

HSRP = CISCO PROPRIETARY
VRRP = IETF
GLBP = GATEWAY LOAD BALANCING PROTOCOL  // using virtual macs.



!! vlan best practice
default vlan 1 => change it.
^ so that a new switch does not use the default vlan. improved security
================

802.1D = legacy stp
802.1w = RAPID SPANNING TREE PROTOCOL
802.1s = MSTP

================

!! stp protocol
BPDU GUARD = put on access ports facing servers / workstations.
ROOT GUARD = protects against a new switch becoming the root bridge
LOOP GUARD


================


vss = virtual switching system. ties multiple switches into 1 ( logical )


cisco stackwise =  using stacking cables

==================




!! designing enterprise security


defense in depth concept.  ->  layers of security.

attacker -> 1 layer then the next layer  -> tighten !



!! physical 
^ use password security on the device console port.


!! os security
^ device hardening

ex: auto secure on cisco


# auto secure
^ functions :    disable unused services on interfaces ( scripting )
set enable secret password
edit login banner
configure local user database
set blocking period ( how many seconds after a login failure )
set maximum login failure attempts
configure ssh
configure CBAC firewall







===================

firewall security

packet filtering -> ACL
stateful firewall
application layer gateway -> proxy
next generation  -> looks deep inside application traffic, applies IPS, malware guard.







===================

cisco ASA ( adaptive security appliance ) -> NG Firewall


!! define the inside network
!! define the outside network

!! allow everything from inside, allow only the appropriate responses from the outside network.



# show nameif    !! check the interface names in the ASA, security level
^ 0 = untrusted, 100 = completely trusted


# show run int gi0/1 !! check the interface config
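As an added example (not Cisco's code and not from the original notes), a small Python model of the security-level rule just described: a connection started from a higher security level toward a lower one is permitted and recorded, and only the matching return traffic from the lower level is let back in. The interface names and levels are constructed in the shape of `show nameif` output, as are the addresses.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed interface table in the shape of `show nameif` output: name -> security level
INTERFACES: Dict[str, int] = {"inside": 100, "dmz": 50, "outside": 0}

Key = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)

@dataclass(frozen=True)
class Packet:
    in_if: str   # interface the packet arrives on
    out_if: str  # interface it would leave on
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass
class SecurityLevelFirewall:
    """Toy model of ASA default behaviour: no ACLs, only security levels plus connection state."""
    levels: Dict[str, int]
    conns: Set[Key] = field(default_factory=set)  # connections already permitted

    def evaluate(self, pkt: Packet) -> str:
        key: Key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse: Key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Stateful inspection: a reply to a connection we let through is always permitted,
        # even though it flows from the lower to the higher security level.
        if reverse in self.conns:
            return "permit"
        # Default policy: strictly higher -> lower level is permitted and creates state;
        # lower -> higher and equal levels are denied (equal needs same-security-traffic permit).
        if self.levels[pkt.in_if] > self.levels[pkt.out_if]:
            self.conns.add(key)
            return "permit"
        return "deny"

def demo() -> List[str]:
    """Walk the 'allow all inside, only responses from outside' rule through five packets."""
    fw = SecurityLevelFirewall(INTERFACES)
    return [
        # inside user opens HTTPS to a web server on the internet: 100 -> 0, permitted
        fw.evaluate(Packet("inside", "outside", "10.0.0.5", 51000, "203.0.113.10", 443)),
        # the server's reply: 0 -> 100, but it matches the connection table, so permitted
        fw.evaluate(Packet("outside", "inside", "203.0.113.10", 443, "10.0.0.5", 51000)),
        # unsolicited inbound SSH from the internet to the inside host: 0 -> 100, denied
        fw.evaluate(Packet("outside", "inside", "198.51.100.7", 40000, "10.0.0.5", 22)),
        # dmz server reaching into the inside network: 50 -> 100, denied
        fw.evaluate(Packet("dmz", "inside", "172.16.1.10", 3000, "10.0.0.5", 445)),
        # inside host to a dmz web server: 100 -> 50, permitted
        fw.evaluate(Packet("inside", "dmz", "10.0.0.5", 52000, "172.16.1.10", 80)),
    ]
```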



==================
Security firewall


!! intrusion detection system
IDS -> has a database of attack signatures, recognizes most forms of attack   ( informs the user there is an attack!!! )



!! intrusion prevention system
IPS -> drops known attacks


a cisco asa can take a FirePOWER module
^ to upgrade it with IPS features
^ ++ URL filtering, application inspection, anti-malware.



FW ++ IPS ++ NAC + AAA

NAC = must meet the defined posture!, correct patches, OS before entering the network




multi-factor authentication!
=================