Amazon - Deployment Considerations

DNS:

Migrating a web application to the AWS cloud requires making some DNS changes. Redirecting your public traffic to your application in the AWS cloud requires changing your public DNS to point to an Elastic Load Balancer (ELB) CNAME or to an Elastic IP address. DNS, however, restricts the use of CNAMEs to sub-domains, so the root domain (e.g., example.com) cannot be a CNAME.

Note that the IP addresses behind the ELB CNAME can change over time, so it is not currently possible to point your root DNS A-record at the IPs behind the ELB CNAME.

A simple work-around for this is to assign Elastic IPs (dynamically assignable static IP addresses) to two or more EC2 web servers in your application and have those web servers redirect web traffic to the proper sub-domain that routes traffic to the ELB CNAME (e.g., www.example.com).

The domain name registrar used for purchasing your domain name should provide a simple mechanism for applying the ELB CNAME to the proper sub-domain (e.g., www.example.com) and for setting the list of Elastic IP addresses as the root domain A-records.

Configure traffic for your root domain (example.com) to be redirected to www.example.com, and configure www.example.com to point to ELB CNAME.
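The following is an added example, not part of the original page: a small Python check of a proposed record set against the constraints above (no CNAME at the apex, apex A-records only for Elastic IPs, at least two redirecting hosts, www as a CNAME to the ELB name), plus the redirect target the apex hosts should return. The domain, ELB hostname and Elastic IP values are constructed placeholders.

```python
# Added example (not from the original page). The zone, ELB hostname and
# Elastic IP addresses below are constructed placeholder values.
import ipaddress

# Constructed proposed zone: {record name: (record type, [values])}
PROPOSED_ZONE = {
    "example.com":     ("A",     ["203.0.113.10", "203.0.113.11"]),
    "www.example.com": ("CNAME", ["my-elb-123456.us-east-1.elb.amazonaws.com"]),
}

# Constructed set of Elastic IPs allocated to the two redirecting web servers.
ALLOCATED_ELASTIC_IPS = {"203.0.113.10", "203.0.113.11"}


def check_zone_plan(zone, root, elastic_ips):
    """Return a list of problems with a proposed record set.

    Rules encoded from the page:
      * the root (apex) domain cannot be a CNAME;
      * apex A-records must be Elastic IPs, because the addresses behind the
        ELB CNAME change and must not be copied into an A-record;
      * the apex needs two or more A-records (two or more redirecting hosts);
      * the www sub-domain should be a CNAME to the ELB DNS name.
    """
    problems = []
    apex = zone.get(root)
    if apex is None:
        problems.append(f"{root}: no apex record")
    else:
        rtype, values = apex
        if rtype == "CNAME":
            problems.append(f"{root}: apex cannot be a CNAME")
        elif rtype == "A":
            for v in values:
                try:
                    ipaddress.IPv4Address(v)
                except ValueError:
                    problems.append(f"{root}: {v!r} is not an IPv4 address")
                    continue
                if v not in elastic_ips:
                    problems.append(f"{root}: {v} is not an allocated Elastic IP")
            if len(values) < 2:
                problems.append(f"{root}: fewer than two A-records")
    www = zone.get("www." + root)
    if www is None:
        problems.append(f"www.{root}: missing")
    else:
        rtype, values = www
        if rtype != "CNAME" or not any(v.endswith(".elb.amazonaws.com") for v in values):
            problems.append(f"www.{root}: should be a CNAME to the ELB DNS name")
    return problems


def redirect_location(host, path, root):
    """Location header the apex web servers return for a request to the root
    domain; None when the request is already for the www sub-domain."""
    if host.lower().rstrip(".") == root:
        return f"http://www.{root}{path}"
    return None


if __name__ == "__main__":
    print(check_zone_plan(PROPOSED_ZONE, "example.com", ALLOCATED_ELASTIC_IPS))
    print(redirect_location("example.com", "/login", "example.com"))
```

The check deliberately refuses any apex value that is not in the allocated Elastic IP set, which catches the mistake the note above warns about: resolving the ELB CNAME once and pasting the resulting addresses into the root A-record.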

Security:

Unlike a traditional web hosting model, inbound network traffic filtering should not be confined to the edge, but rather applied at the host level. Amazon EC2 provides a feature called security groups, analogous to an inbound network firewall, that allows you to specify the protocols, ports, and source IP ranges that are allowed to reach your EC2 instances. Each EC2 instance may be assigned one or more security groups, which together determine what traffic reaches that instance.

Security groups can be configured such that only specific subnets or IP addresses have access to the EC2 instance, or they can reference other security groups to limit access to EC2 instances that are in specific groups. For instance, the security group for the web server cluster might allow access from any host over TCP ports 80 and 443, and from instances in the application server security group on TCP port 22 (SSH) for direct host management. The security group of the application server cluster, on the other hand, might allow access from the web server security group for handling web requests and from your corporate subnet over TCP port 22 (SSH) for direct host management.
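As an added example (not part of the original page), here is a Python model of the two-tier policy just described: rules are either CIDR-sourced or reference another group, an evaluator shows how a group reference resolves, and an audit flags rules that open a management port to the world or expose a non-public tier. The group names, the application port (8080) and the corporate subnet CIDR are constructed placeholders.

```python
# Added example (not from the original page). Group names, ports and CIDRs are
# constructed placeholders chosen to mirror the web/app tier description.
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Rule:
    """One inbound security group rule with either a CIDR or a group source."""
    protocol: str                       # "tcp", "udp", "icmp"
    from_port: int
    to_port: int
    cidr: Optional[str] = None          # e.g. "0.0.0.0/0"
    source_group: Optional[str] = None  # e.g. "app-servers"

    def covers_port(self, port):
        return self.from_port <= port <= self.to_port


# Constructed sample policy: web tier open to anyone on 80/443, SSH only from
# the app-server group; app tier reachable only from the web group on the
# application port and from the corporate subnet on SSH.
CORPORATE_SUBNET = "198.51.100.0/24"   # placeholder
SECURITY_GROUPS = {
    "web-servers": [
        Rule("tcp", 80, 80, cidr="0.0.0.0/0"),
        Rule("tcp", 443, 443, cidr="0.0.0.0/0"),
        Rule("tcp", 22, 22, source_group="app-servers"),
    ],
    "app-servers": [
        Rule("tcp", 8080, 8080, source_group="web-servers"),
        Rule("tcp", 22, 22, cidr=CORPORATE_SUBNET),
    ],
}

MANAGEMENT_PORTS = {22, 3389}


def is_world_open(cidr):
    """True only for the all-zeros prefix (the whole Internet)."""
    return cidr is not None and ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def allowed(groups, dest_group, protocol, port, src_ip=None, src_group=None):
    """Evaluate whether inbound traffic would pass dest_group's rules.
    Security groups are allow-lists: anything not matched is dropped."""
    for r in groups[dest_group]:
        if r.protocol != protocol or not r.covers_port(port):
            continue
        if r.source_group is not None and r.source_group == src_group:
            return True
        if r.cidr is not None and src_ip is not None and \
                ipaddress.ip_address(src_ip) in ipaddress.ip_network(r.cidr, strict=False):
            return True
    return False


def audit(groups, public_tier="web-servers"):
    """Return (group, rule, reason) findings for rules that break the layered
    policy: management ports reachable from anywhere, a non-public tier open to
    the world, all-ports rules, or references to groups that do not exist."""
    findings = []
    for name, rules in groups.items():
        for r in rules:
            if r.source_group is not None and r.source_group not in groups:
                findings.append((name, r, "references unknown security group"))
            if is_world_open(r.cidr):
                if any(r.covers_port(p) for p in MANAGEMENT_PORTS):
                    findings.append((name, r, "management port open to the world"))
                elif name != public_tier:
                    findings.append((name, r, "non-public tier open to the world"))
            if r.from_port == 0 and r.to_port == 65535:
                findings.append((name, r, "allows all ports"))
    return findings


if __name__ == "__main__":
    for finding in audit(SECURITY_GROUPS):
        print(finding)
    print(allowed(SECURITY_GROUPS, "web-servers", "tcp", 22, src_group="app-servers"))
```

The evaluator matches a group-sourced rule on membership rather than on address, which is what makes the layered design robust to the dynamic addressing discussed below: instances can be replaced and re-addressed without editing any rule.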

Load balancing across clusters:

Elastic Load Balancing is a configurable load-balancing solution that supports health-checks on hosts, distribution of traffic to EC2 instances across multiple availability zones and the dynamic addition and removal of EC2 hosts from the load-balancing rotation. ELB can also dynamically grow and shrink the load-balancing capacity to meet growing and shrinking traffic demands, while providing a predictable entry point via a persistent CNAME. ELB also supports sticky sessions to address more advanced routing needs. If your application requires more advanced load-balancing capabilities, an alternative approach would be to use a software load-balancing package on top of EC2 instances (e.g. Zeus, HAProxy, nginx) and assign Elastic IPs to those load-balancing EC2 instances.

Finding hosts and services:

Most of your hosts will have dynamic IP addresses (you will no longer be assigning specific private or public IP addresses to your hosts). Although every EC2 instance can have both public and private DNS entries, and will be addressable over the Internet, the DNS entries and the IP addresses will be assigned dynamically upon starting the instance and cannot be manually assigned. Static IPs (Elastic IPs in AWS terminology) can be assigned to running instances after they are launched, but only those hosts in the AWS cloud with Elastic IPs will have consistent endpoints for network communication. Elastic IPs should be used for instances and services that require consistent endpoints such as master databases, central file servers and EC2-hosted load-balancers. … See the document "Web Application Hosting in the AWS Cloud: Best Practices"

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License