How to manage resources and applications at scale with AWS

Anders: Everybody, we're getting started. Um welcome to the session. Um I know it's late, so um great to see all of you actually join us for this topic that we're gonna be walking through here today. Um I'm Anders, I'm joined by Svetlana and Ed and we're gonna be your presenters today walking through how to manage resources and applications at scale with um AWS.

Before we dive into the actual topic, how does this fit into the overall cloud ops story? Um cloud ops, or cloud operations, is something we announced, I think about a year ago, a year and a half ago, which is a way of helping you customers to take advantage of all the infrastructure and all the things that we've done on top of AWS so that you can leverage that when you're um running your business on top of AWS, making sure that you get your uh um uh return on investment, um better operational resilience, et cetera, et cetera.

And all this gets back to like, how do you do this when you're running on top of scale? Like you're going to build things, you're gonna build applications, resources, you're going to be deploying a lot of resources, sometimes billions of resources, depending on how big of an application you have. When you get on top of the cloud, when you go to the cloud, there's a journey you walk through. Uh you start off with setting something up, defining what it is you want to get into play, and then you roll it out by building, you're migrating your application from on premise to try to get it into play. And once it's in place you need to operate it, you need to understand how healthy it is. Are there any security situations? Um are there things I need to be aware of to do better? Maybe I need to scale it up because I got a lot of customers interacting with what I've deployed.

And that actually is a very nice transition to what we will be covering. As I said, how do you manage resources and applications at scale, and we'll walk through various details of this.

What have you told us? What have we heard? Why we, why did we build this presentation and why do we have all the technology we're gonna be talking on in this session? Well, there's three big things.

One is, it's really hard to find things in AWS. I can't find my resources. I don't know where the resources are. I might get an alarm and I get an identifier, but I don't know which region it is. I might not even know which account it's in. Um I might not have a, a good chance of finding out who actually I should be contacting because there is a problem, right?

The second one is we actually think more in terms of applications than individual resources, right? Individual resource, that's nice. But what we look at is the group of resources that together provide some business value that we are, we need to run our business together on, our business is dependent on, and how do we do that on top of AWS instead of having to focus and go and look at and do things with individual resources.

And the third one, it's really around how do we make it easier, um reduce work that our development team and our financial team and other teams need to do in order for them to be able to do their thing on top of AWS. Are there ways where we can make it simpler so that we um we define something once and then I can reuse it in various different places without having to go and redefine or reset up or whatever the, whatever the, the steps I have to go through.

Do you guys agree with us? Is this similar to situations you guys are sitting in? Most of this, most of these things are pretty common as we hear them very often with customers.

So, so what are we gonna be covering today? So we're gonna walk through three major areas. One is, and if you think about them, they sort of like tackle all those three pain points in a sense, and I'll get back to those as we go through the presentation. Right. We're gonna cover explore. How do I find my stuff? Like, I find a resource. How do I deal it? How do I find it? Um, how do I now organize it? I found my resources. I now want to organize them in something logical that I can deal with, that I can later on act on, which is the last topic. How do I now perform things on it? How do I operate on those aspects?

We're also gonna do a lot of demos um throughout the, the, the session to make sure to just show you like how you do it. Uh demos are always nice that actually helps you better keep it in your head and remember it when you go uh go from here.

So the other key thing I want to bring up and this is super important is that you're gonna find, there's a theme that goes through the whole presentation of that is we love fruit. So everything referred to as an example, it's gonna be fruit, there's gonna be bananas and apples and oranges all over the place. Um more as a way of keeping you guys awake guessing what next fruit is gonna be that we're gonna be discussing. So we'll keep there.

So with that, Svetlana, why don't you talk about how to explore?

Svetlana: Thank you. Thank you, Anders. So yes, let's start with explore. So how do I find my stuff? How do I find my application resources? It's very hard to organize into applications if I don't know what, what I have. So to help with that, we launched a new service called AWS Resource Explorer. We just launched it a few weeks ago on November 8th.

Resource Explorer helps customers to search for and discover relevant application resources across AWS commercial regions. So now you can find your EC2 instances. You can find your S3 buckets. You can find your DynamoDB tables across regions within the one account.

You can search using free form text. So there's not a new language you need to learn. You can also use attributes such as tags for your searches. So you can start your search leveraging AWS Resource Explorer console. Also you can search using the unified search available across AWS Management Console. You can also leverage the AWS SDK and AWS CLI command line interface to find your resources within your automation tools.

AWS Resource Explorer addresses a number of key use cases that we heard from many of our customers. For example, you may want to identify which regions every resource in my application is in. So now AWS Resource Explorer can help with that because it offers cross-region search.

The next one is a really big one. Keeps coming up. We heard it from many customers. How do I find any untagged or mistagged resources and then tag them appropriately to meet your compliance needs? Overall recommendation is to use the tagging strategy, tag policies for compliance needs. But as you define your strategy, as you implement your strategy, you may have some of the resources that do not comply with your standard. So you want to find them and then resolve them. Also, AWS Resource Explorer can help with potentially faster troubleshooting.

You may get an email alert um about the situation and then that it would have, let's say a resource ID, your on-call engineer can take that resource ID and then find that resource very quickly. And then it will take you to that regional console so you can start troubleshooting.

So let's go through the administrative experience of Resource Explorer. So first the administrator with the right privileges will go in and turn on AWS Resource Explorer. In this case, we turn it on for three, for three regions, but you can turn it on across all the regions within your account. When you enable your Resource Explorer, a local index is created within every region and the local index is a collection of information that Resource Explorer keeps around uh about your resources and helps with faster searches.

Then you would select an aggregator index. So the aggregator index stores and maintains a local copy of other indexes. And that's what enables the cross-region search. And then an administrator would create and set a default view. And that's what your end users will be searching against. For example, in this case, we set up a view where any principal within the account can search for resources within that account across regions. But you can also select other views as well.

For example, you can set a view where um only resource names are returned or used within the search, but tags are not used because you may want to keep that uh information confidential. Or maybe you wanna limit the view based on the resource types. You have developers in one region and you create a view to search for EC2 instances um only within that region. Can also uh filter it even further to say EC2 instances only within my development environment based on some type of uh environment flag.

So how do I search? So you can search using plain text. In this example, we're gonna use banana and orange because we all love fruit. So that query returns uh anything that's tagged with banana or orange. And also if you have anything that's banana and orange in your resource name, ARN. You can also search using tags.

So if you want to find the application resources across region and services, here's one of the examples where tag application is equal to banana. My second example um it shows you how to find untagged resources. So tag:none. So it will return you all the untagged resources and you can start tagging them appropriately to meet your compliance needs.

And in my last example, it's finding application resources that are incorrectly tagged or mistagged. So in this example, find anything that's not tagged with application equals to banana.

So with that, I'll turn it over to Ed to actually show this in action, show a demo.

Ed: Great. Thank you very much, Svetlana. Let's walk through this. I'm gonna demo two different things. I'm gonna demo setting up Resource Explorer as we walk through just so you can see how it gets set up and how you can use it. And then I'm gonna demonstrate a couple of the queries as well. So you can see actually how the query language works.

So I'm on console home. Um to find Resource Explorer, I can simply type Resource Explorer and there it is, and this is an account that has not yet had Resource Explorer configured. Um so when you are an account that hasn't had it configured, you're going to land on this splash screen, that's going to explain how it works. It's going to give you some use cases, benefits and features. You'll note that up in the upper right, there's a button or a link to basically turn on Resource Explorer.

So if we go there, we have two options for how we set up Resource Explorer. We have a quick setup option, which is right here. If we do the quick setup option, the only thing we need to set is the region that we want to aggregate our results in. So that's the region where you can look at your search results across all other regions. Um I'm going to for this demo uh just do this in us-east-1, but I want to show you the advanced setup just so that you can see what options you have.

So one option you have is by default, we'll create indexes in all your regions, but you can go in and select the regions that you want to if you don't want to create an index in every region. So that's an option for you. Um another thing you can do is we can not create an aggregator index. Perhaps you only want to search within a region, you don't want cross-region results. That's an option as well.

Um and then when you go through the setup process, we create what's called a default view, which will include all your resource types and it will also include the tag information. And as Svetlana said, you may not want that. So if you want to create your own custom view, that's another option available to you.

We'll go back to quick setup. Um we'll turn on Resource Explorer and you're gonna see what happens as it starts to create my regions. So they're available for me. It takes a bit of time for that index to be built. So, what I'm gonna quickly do is jump over to another AWS account where um I've had that index already up and running. And that way, then we can just run a few queries right away.

I'm going to quickly just switch my region and we'll go to Resource Explorer. So this, this account has had the Resource Explorer already set up. So you can see when I went to Resource Explorer, I landed right on the search page. Um by default, you're gonna get your default view. That's the one that you set up and marked as default. In this case, it's going to search all resource types um and include tags.

Um you can, you'll get by default a list of all your resources. You can filter those resources, you can filter them by region um and you can filter them by types. So real quickly here, I can get a list of just my EC2 instances. Um that's an option for me. But if I want to search across all my resources I can, and let's run a couple of the queries that Svetlana walked us through.

So here's banana apple. So as she said, what this is searching for is I have 11 resources that have the text banana or the text apple in either the ARN or a tag. Now, I want to be, might want to be more specific than that. I might want to say, you know what, I have a tag that I use. It's called application and I just want to find the that are tagged and I probably typed, I probably made a typo here. Um, let me try it again. Tag. This is the, so the tag is equal to application and the value is banana and I'm not, um, oh, it's equal. Thank you, ha ha.

So here we get um all of my tags that are just equal to banana. Um I've narrowed down that search result. If I'm interested in the resources that are, that have any value, so they have the tag key of application but could have any value, I can actually use a wildcard and I can see that I'm actually using that tag key for other values as well. So that's useful.

Talked about the use case of tag:none. So let's look at resources in this account that have no tags. So these are all the resources in this account. If I want to, now I can filter this list by type, and every link is a link into the resource. So if I want to go in and remediate that I can, or as we talked about you can write automation. I'm gonna do one more query which is a little bit more advanced.

Um I'm going to show that I can search for banana, but then I can say find me all the resources that have the term banana, either in the ARN or tag, but take out the resources that have a tag with application equal to banana. So we'll do that, equal to banana. And I found one resource.

Why would I be interested in this? Well, this could tell me this is that mistag scenario, like I, I intended to tag my application with banana, but perhaps I made a mistake. If I, here I can go to that resource page. In this case, it's an S3 bucket. So I land straight into S3 for this particular resource. I can scroll down and I can see, oh, look at that. You're right. I actually made a typo um and I misspelled applications. So if I want to fix that I can and I can save that and my index will get updated.

That's an easy way to fix it. One last thing I'll show you is what I've been doing is also available for you actually from unified search. So everything I've done within Resource Explorer, because I have it set up, I can also search here for banana and application and I will get back that same 11 set right there from console home. Great. Anders, back to you.

Anders: How many have used Resource Explorer? We launched about a week or two weeks ago. See one hand. You should go try it out. It's like actually pretty cool. Um especially the, the non tag, finding all the resources that are not tagged or being able to find things that are mistagged.

One of the, one of the biggest challenges we hear from customers. The other one that keeps coming up a lot is also um being able to just get an, I just get an ID. I have no idea which region it is, like, give me more information around it. So you can type in the ID of the resource and we'll show you that. Um we had some customers we interacted with that's had cases where they weren't aware that they had resources in a certain region and it shows up on the bill. Now, you can actually proactively go and find this a little bit earlier than when you get your bill. So you can actually clear up, and we have resources in Singapore, why? I don't know why they're there.

So uh let's see, there we go. So we've organized, we've gone in and we've searched the resources, made it easy to find resources based on various, various different criteria. Next step is now, how do we now organize them? How do we get to this? Remember the second one that talk, we issue or pain point that came up, we talk about applications. We think about applications. When we deal with things, logical groups of resources gathered together that we wanna do things with.

There's various different ways of doing this and I'll walk you through different technology that exist and so like build the story around it. The simplest way of doing it is by using tags and using tag policies. Um we showed some examples when we do the searches to show you how you can search for tags. Tags, simple key value pairs. Um tag policies is a mechanism for you to govern how tags are being applied to ensure, an example, that if you have only certain values can apply to a specific tag key as an example.

Um and tag policy, you can do other things. You can ensure that, enforce that you also have capitalization in a certain way. So it is easier to find things in a consistent way, getting it in play. So with tags, you get a, I'll call it a simple group, right? You can't do very much advanced with, with it. Like you put a metadata on the resource and now when you start querying, you can ask for, give me everything that's tagged with application equals banana. As an example, you get back those resources but anything more complex than that is really not what tags directly provide you.

Uh what tag policy does is the, is the governance part. And I want to show an example here, excuse me, where this tag policy, if you apply it, it basically says if anybody uses the key, tag key application, I'm gonna allow them to use banana, orange and apple. Those are the only three values. If somebody now tries to tag a resource, they put an application and they put in pineapple, it's gonna fail, it's not gonna work, right?

One aspect that I didn't put up here as an example, a way of further enforcing policy for enforcing using tags is using service control policies. This is a policy for you to basically govern at the top saying is I need this to happen. So you can require that tags are being applied upon creation of a resource. So if you now use an SCP that says only at any time a resource gets created, I want the tag key application to be there and use the tag policy to say these are the three values. Now you've pretty much locked down hard what that gets in place and you get some order on how you actually organize your resources. So that's tags and tag policies.

Next one is layer office. So tags, individual metadata. Next, next step out is using resource groups. Oh, actually before I go there, how many actually use tags today in anything that they're doing? I wanna see all hands. I think I see all hands. That's good. What do you use them for? Is it for permissions, billing? Curious to hear. Ok, hold on. Yeah. Yeah.

So the next step is using resource groups. So resource group is a service that allows you to also group resources and it leverages tags as well as one of the mechanisms. And now you can create a query, basically say anything that's tagged with application equals to banana and cost center 123. As an example, all those resources that have those two tags end up in a resource group. And the resource group is referenceable. It has an ARN, you can tag the resource group if you want to.

Uh but you can also use this resource group across a bunch of services that understands how to deal with a logical group of resources based on a resource group. The other way of getting resources in a resource group is using a stack, CloudFormation stack. And this is where you have a stack that's been deployed. You can now go to resource groups and you point at the stack saying is I want all the resources in that stack to appear in my resource group.

So now you have one construct that feeds out of two different mechanisms and you can build either your own tooling around it or you can leverage AWS services that understands the notion of a resource group. So compared to what tag is, it gives you a little bit more complexity or a little more freedom of how you define how resources should be grouped. You could do one as I said, banana and cost center as a combination. Um and the benefit also is you can define the resource group once and you can reuse it across multiple services.

Getting back to, remember the third bow that we talked about pain points. How do I make it easier for my teams and my environment when I'm working on it? Well, I define a resource group once. And now you can reuse it as in uh in the, in the DevOps use case or in other use cases as well as a way of taking advantage of what you set up. Ok. And this is a simple example of what you define a resource group, what it looks like. This basically says any resource that has the tag application equal the project equals to banana belong to this uh this resource group.

Now, tags and resource groups um have existed for quite a while. And then um does anybody here use resource groups today? Hand up. Why not? I didn't know about it. Ok. We can get to that later. Next step that is interesting, or the next way of organizing, and say one of the things we were talking about this whole presentation about how do I manage things at scale and how do I make it easier with applications, that is to take advantage of uh Service Catalog AppRegistry.

It's a service that was launched about two years ago. And this allows you to logically group resources based on similar criteria. You create an application and you decide and you basically tell what resources are part of it. And what AppRegistry does, it takes those two steps we talked about before, the tagging aspect and the grouping aspect, and does it for you. It will wrap the resources in a resource group and it will ensure that there are tags that are being published and pushed to the resources that are part of your application.

And there's three tags. It's an application ID, there's an application name, you pick the name, and there's uh the ARN of the application, and this is the ARN in AppRegistry. So it is also now an object that you can put policies around and you can put tags on the um the ARN of the application. So that's what it does. And so this allows you to bring it all together. Now you get consistency in tagging because everything's gonna be tagged in a similar way, application ID with an ID, and then the ID is gonna be different for the different applications.

But now you can create. So the way you can associate resources, I should mention as well, with AppRegistry. There's two ways. You can either associate resources by pointing at one or more stacks. So there's no, there's no 1 to 1 mapping here that's necessary. You could have 100 stacks and you add those to an application. You have to go through the process of adding them in there. But once they're in there, AppRegistry does the work for you of resource group and putting the tags on the resources. But you can also uh add resources based on tags and resources, right?

Um and this could be, a lot of you are already using tags today. So this is a way of very quickly getting them control and getting it in under the umbrella of what we call an application. The way you do this is you define, you, you decide a key, tag key that you wanna use to identify resources, how they belong to an application. And then when you create or configure your application in AppRegistry, you say, well, this is the value I wanna look at on my tags and take those resources and add those to my application.

So I can both use stack and the tag key and the, and the key mechanism as different ways of getting things in. And the reason for this is to help you as well, right? A lot of customers use CloudFormation. There are also a lot of customers that use other technologies of deploying resources. As long as you ensure that those are tagged in a way that you can consume, you can bring those, all those resources into AppRegistry and fold them into this application construct. The same thing here as you have with resource groups, you create an application once and it can now be reused across a number of services that you have within uh that, that exist within AWS.

Well, that's easy for you to like, you can go and create an application. I have to add the resources in it. It sounds like it's manual work. Is there any way I can do this and offload my teams and automate this as much as possible? Of course, there is. One thing you can do is you can update your CloudFormation templates and you put a little bit of code snip in it. And as part of that code snip what it will do, it will create an application in AppRegistry and it will register the stack that gets created out of the template as part of that application.

So this is something that, so now when you deploy, you can get your stack created, there's no need to go to AppRegistry, creating the application and all of this kind of stuff, it is done for you as part of the deployment. That's one mechanism. The second one is we talked about tags. I'll get to that, back to that in a little bit. Um or you could use these services or these mechanisms or you use the AWS CDK or you can use uh one of the AWS Solutions.

There's a fair amount of them um that are available for you to take advantage of. And what they will do is they will register your application with AppRegistry. So it helps you not having to worry about to have to go to AppRegistry to do things, it will do a lot of these things for you. So, so this is an example of what you would put in a CloudFormation template, the code that you add in there. Um and you could do this, something that you would do to any template that you have if you want to go down that route, um if you're using CloudFormation. So it goes in, it creates an application um, puts a name to it.

And then as I said, when the stack is created, the stack is automatically added as an application uh as a resource under that application. You wanna use tags, I sort of like walk through this real quick previously. Um but let me, let me reiterate again, what you, what you do is you define a tag key, example would be application, that you are going to look at and that's gonna be the same tag key regardless of what application it is that you want to create. The difference is with the value you're gonna be looking for.

So if I go to select application as a tag key and I create an application that I call banana, I would just gonna say, well, for the tag key application, anything that's tagged with banana belongs to the banana application. So the benefit out of this is once it's configured, now, as long as resources gets tagged appropriately through whatever the mechanism is that you want to use, if it's tagged on when you create the resources or as part of deployment, the resources automatically get added in under the application without anything additional needing to happen from the developer, whoever is deploying the resources, right?

Once again, helps you with the problem of how do I make it easier for my development team and my finance team to, to, to work through things and here. Cool. Thank you. And we will take over and now demo everything that I talked about, not quite everything. Uh we're gonna keep this to schedule, but what I want to do is, Anders talked about tagging um tag policies. He talked about resource groups and then we talked about applications, and what I want to show is how that last, applications, works in a real life scenario.

Um so I'm gonna create two different applications in two different ways. So you can just see real life how it actually happens. I'm in the console. In this case, AppRegistry is actually a feature of Service Catalog that just mentioned a moment ago. So if I go to the Service Catalog console, um in there is access to this AppRegistry feature and you can see it says, nice splash page. It explains how the service works.

Um there's a quick link to create an application. I'm going to create an application, as I mentioned, two different ways. First, I'm going to do it via tags because we've already determined in my last demo that I, I'm using the tag application and I have some values banana. So I want to grab those resources and put them in an application.

Then after that, I'll do the same thing, but I'll do it via CloudFormation in an automated way. Um so the first thing I'm gonna do is I'm gonna go into the settings within AppRegistry and I'm gonna set a tag key. The reason I set a tag key as Anders mentioned is that, oops, sorry, is that this uh not banana? I've got fruit on the mind. Um this sets the key for this account um and region. So it says, hey, I'm standardizing on this tag key application and resources that have that tag key can now be part of an application. It also means they can't be part of another application because we've heard clearly from customers. They want governance around this. They want to know that an app resource belongs to one and only one application.

Once I create this, I can go in to create an application and to do so is quite simple. Um I give it a name so we'll, we'll stick with the, the, the fruit theme. Um we'll say that this uh peels bananas. Um when I create an application, it can actually be, it can actually go across multiple accounts. Um oftentimes customers will have applications that have resources in multiple accounts. I'm gonna not do that in this demo and just keep it in a single account, but that is an option.

Um then I associate resources to the application and we talked about doing it via CloudFormation. But here you can see I can also do it via, via tag. So by simply entering the value of my tag, um it now goes out and it says, hey, I found a couple of resources, those are now going to be included in the application. When I use AppRegistry, I not only associate resources to the application, but I can also associate metadata to the application. And this is this um we call these attribute groups and you can have these predefined. So I've predefined an app um set of metadata that defines the characteristics of this application. I've said it's customer facing and it's a critical application for our business. Based on that I just press create and you can see here that it's going to go through and it's going to create the application. Not only does it create the application, but it actually also creates a resource group. The reason we do that, the resource group is what collects together all the resources for this application. And we did this automatically. You can see now that this application uh here's my resources that are there. You can see also that I have this metadata available for my application. And if I click through to it, you can actually see what it contains, which is just some information about this application, the type of application, the criticality and perhaps the team that owns it. But you can define that and set that up in terms of how you want to uh manage your applications. That's one way to build an application.

I want to walk through one other way. Um and Anders talked about the idea that you can do it via CloudFormation and through CloudFormation resources. And he also mentioned that AWS Solutions has, and when you deploy an AWS solution, many of those solutions now automatically create an application for you and they do that via the CloudFormation technology. So just to show exactly what this can look like, and I'm going to do it through a solution, but this could be your own stack as well.

Um this is a Distributed Load Testing uh solution on AWS. Um and here's the solution page that explains how it works and what the architecture is. If I click just to launch this solution in my console, it's gonna take me into the CloudFormation console. I haven't done anything yet in regards to an application, but it tells me, hey, you already have a template. Um it's gonna ask me for some details to provision it. So I'll call it, you know, my um load testing. I'll break from the uh from the fruit theme here for a second. Um it asked me for a little bit of information uh uh uh in terms of my email address. But aside from that, that's all I need to enter and, and click next and next and acknowledge and provision.

And when we create this application, you can see how it's being created for me. Um and as it starts to create the resources here, there they go. I can actually look and they are the resources that are actually being created. You can see that the application is actually already being created for me. Um and oops sorry and that happened automatically, just as a result of the CloudFormation template. Once the application is complete, being created and it takes a second for this to be uh done. But then I can go back into App Registry. I'll see if it's already there and there it is. So this is the application that I created. It happened automatically through that CloudFormation stack.

If I click into the application, you can see there's the CloudFormation stack. Um there's the resource group that gets automatically created, which is gonna help me manage it and I'm gonna walk through that in my next demo. Um and also here's some interesting metadata. So with the AWS solutions team, every solution that gets created is typed, named and versioned. Um so all of that's available for you now and it's associated to that whole collection of resources that get created for the solution. So it's a really nice way of managing at scale the resources that you're creating on AWS. And I think with that, I'm going to pass back to you Anders and see to switch back. We're good.

So, how many knew about App Registry before this? See one hand now everybody knows everybody's an expert. Everybody's going to go home and use it. You should be flipping up your laptops and deploying it now and testing it out. So, um, no, but I said if you, if you think about it, it's a really useful tool. It makes life much easier for you because you know, if, if it goes in and its structures ensures the tags are consistently applied. These are also system tags which is, has an inherent property of that. You can't, your users can't change them. They're only controlled through AWS services, which gives a lot of benefit with regards to nobody can go muck around or add their own tags that magically adds that in there. But the system tags with the application ID and application name is something that is, um, uh, you can be taken advantage of.

Ok. So we started with explore finding our stuff, we could find things that are not tagged. Once we find all these pieces we went in and organized them, you can use different ways of doing it either with tags, you can use resource groups. App Registry is probably the preferable one because it does a lot of the heavy lifting for you. So you should definitely go back and look at it once, once we're done with the presentation.

Now, what can we do with this stuff? How do we act on a, we've gone in and group them? We got to do things with it. So let's walk through the same way. We started with tags and we're gonna get further up the chain of how you can do things.

Um, so if you've used tags and you've used, everybody raised their hand. When I asked the question previously, there's three cases that normally comes up with regards to tags, what you can do like one is around cost management, one is around permissions and one is around operations and support. And if we walk through them one by one, like the cost management aspect, this is cost allocation tags. Most people know about them, you have to enable them. But once they're enabled, you can now get your cost and usage broken out by tags. You can also set budgets based on tags. It's not just getting the usage, you can control and get alarms based on where you're at with your budgets, et cetera.

Um and the other one that I put up here as an example is also anomaly detection from a billing perspective. Like maybe suddenly my cost is going up higher than it normally does. I will get a notification about it if I've set it up.

Um and this is where like you have to go in. And if you see here, these are the tags, the tag keys, I should say that you go and enable for cost allocation that are related to App Registry that put on the resources, right? Permissions.

Um if you wanna control permissions, this is attribute-based access control, um industry terms, it allows you to go in and define permissions based on the tags on the resource. And you can also take advantage of tags on the principal and use that as a way of matching and saying as how control gets applied, depending on which group they're in and what, what they're trying to do with the resource. And it allows you to simplify your policy a lot because you don't have to go to specify a service. You don't have to specify the resource type unless you specifically want to do so. Um but it gives you a little bit of more simplicity of how you actually control and put the policy in place.

Um and I'll show an example of that in a, in a little bit in a slide to come. The last one is a way of uh getting more context on the resources so that if there is something that's happened, you can do things with it. Like let's say there's an alarm that fires and what you get is the resource ID, right? Well, if you get the resource ID, you can get ask for the tags on it, maybe there's a contact information on it or maybe there's other ways of doing it. Another way of getting contact information would be using attribute groups associated with the application.

Um the other benefit of having the tag information with the application ID and application name. Let's say there's an alarm that fires and you know, the resource you can now know which application, that resource is part of. So you know which application in your world that is being impacted, not, not just the individual resource, those are key, key things.

Um if we look at the policy that I wanted to walk through, um there are other sessions that walk through much deeper and how you deal with permissions in the IAM space. But I really want to bring this up because it actually shows the power of using tags. So what this policy states basically saying is allow any action on any resource from any service as long as it has a resource tag, which is service catalog, the application name equals to banana and the tag on the principal is team equals to fruit salad, right? So now whenever a new resource gets added, I don't have to change the policy, right? It just automatically gets access in here. Another way of being controlled if you want to control it in a slightly different way. But you get a similar result is really saying is I wanna have any resource um and any action service. I want to make sure that they can get access as long as the application name is equal to the team name. Now, I don't even have to specify banana in the policy, I just basically say that application name colon and then I put the principal tag team on the right hand side. So now anybody in the banana team gets access to the banana resources and anybody in the orange team gets access to the orange resources and you can use the same policy across all of these different teams and resources, very, very powerful. So anybody using this today? Yeah, I see the people nodding a little bit. So you should definitely take advantage and look at it. It's really powerful.

So, so this was being taking action on re on, on resources. Now, if we go up the layer, we talked about you grouping them based on resource groups.

Um and there's several services today that allows you to uh point at a resource group and basically say, perform actions on that thing and all the resources in it. An example here is like Systems Manager and there's flavors of Systems Manager like Incident Manager and there's Patch Manager, et cetera, et cetera. And you can go into those individual services as selecting, I wanna do my stuff on that resource group and they will iterate through the resources and do whatever it is that you've defined as part of it. Example, is patch management where you will patch, you're going to patch the instances that are part of a resource group. So instead of doing it individually, you can put a resource group. Now, you've got the, the benefit out of it, which means even that we say resource group, given that App Registry envelops all the resources in the resource group, you can point at that resource group um big the big advantage, same thing with CloudWatch.

Um you can go in and build a dashboard by pointing at a resource group as a way of monitoring what the health is. Um and same thing here, you can point at a resource group and take advantage of what you've done there. And it sort of like just a simple clip of what it would look like.

Um usually it resources or the services will give you options of what you can select different ways of grouping it. The benefit of using resource groups is it's like a um exchange where you can have different technologies that allows you to have the resources in that group. And the, and the service just understands it and take advantage of it. And here I'm basically saying, pick the resource group that's called um application banana. And that is the resource group name that App Registry will create just to show taking advantage once again of what App Registry has uh produces for you.

Ok? We did tags, we did resource groups. Is there a better way? Is there a better experience you can have around this? Now, we get to the applications that are registered that you created in App Registry. And there are services, multiple services you can see up here. And this is something that will continue to grow um over time where we're gonna add more and more services in uh in here that will fully understand this concept of an application that we've created.

So CloudWatch Application Insights, Resilience Hub, Well-Architected, Service Management Connector, this is to connect into ServiceNow, uh the application that you defined, and Application Manager, all services where they will list the applications that you have created in App Registry. So you can select from there, right? And this one thing and it gets back to this whole, like how do you make it simpler? I only have to define something once and I can reuse it depending on what my job is. Well, this is where you take that advantage of making life easier for your teams.

Um this is a simple, just a simple clip of what it looks like when you select it. This is only has banana. I should probably have more examples here, but you basically get an experience of what it looks like. You can also in all of these services. Uh I think it's all of these services, but most of them, you can also create an application, it will create it in App Registry. So if you've used another, if the service allows you to um pick other resource group as an example, you can click, create application and will create the application and include those resources into an application in App Registry.

So I didn't talk about Application Manager. I want to have a separate slide to go through that because this is, this is the hub for you to manage and operate your applications on AWS. This should be your starting point.

Um what Application Manager does is pulls together a lot of pieces. It pulls together ways of uh pulling in resources depending on how they are being grouped like applications in App Registry, resource groups. You can point at a stack. Um you can point at things that have been uh uh deployed through Launch Wizard. Um even ETS clusters is another technology that's part of this that can, that can be imported in and, and monitored and, and looked at and once you've gotten these constructs in or you basically selected what you want to look at them, it allows you to do a lot of different things.

It brings together a lot of information from CloudWatch such as alarms and logs. It allows you to look at how you're doing with AWS Config and Config rules. Are you compliant with the rules that have been set up in your environment?

The CloudTrail logs information that comes out of the logs so you can see what events have been trickling, have been registered for your application.

And is that right? And then, and the last one I bought gun of theirs also says, Cloud Cost Explorer. So it will start surfacing your cost based on your application, right?

So it is truly a hub where you should be working and looking and monitoring and working and doing a lot of your work around from an application perspective.

The last part is you import resources. You can go to investigate, to understand like, what's the health, how is it doing? Is it rolling along? Is it healthy?

And once you find things you want to do, the next step would be, you need to remediate it, you need to poke at it. And this was where things such as like Patch Manager that I talked about previously also will help out and, and, and get those resources in place, the fixes in place.

With that, I think it's time for the next demo.

Yes. Thank you, Anders. Okay. For the next demo, what I'm going to focus on is demonstrating primarily Application Manager because I think as, as Anders talked about that's where we're really able to pull it all together and I can show you walk you through some of the management functions that you can do in Application Manager.

Application Manager. One of its inputs is the App Registry, which we've already fed into. So we're going to be able to look at our applications and pull them up in that tool.

I'm on the console home page and the reason I've started, I've started every demo there, but one of the things we've just recently launched is actually an Applications widget right on the home page of AWS.

So this is, we're kind of getting into this notion that you should be able to get to your application from wherever you are on AWS and have a one click away.

So we've actually got that. Now, you can see here's the banana application, here's that load testing application for this demo. I'm gonna use a different application that has, it's been running for a bit. It has a bit more interesting aspects to it which are gonna make it easier for me to demo.

So we're gonna click into that with one click. I now go into Application Manager, which is a capability of Systems Manager as you can see here in the chain.

And you can, when you come into Application Manager, you get a single dashboard of your application. Let's just walk through it.

In the left hand pane, we get what, what are the components that sit in this application? This particular application was provisioned via CloudFormation stack. So these are all there's actually eight CloudFormation stacks that came together to build this application.

One stack deploys the compute another stack, deploys the storage, another stack deploys our database. So all of those are deployed and then we have additional stacks that are actually deploying config rules right here.

You can see that we have, we can see what alarms, CloudWatch alarms are in place for these applications. These are alarms that are actually included in the application and associated to the resource.

So as Anders talked about how to connect my alarms to my applications. This is something that Application Manager is helping us do.

So we can see that I have seven alarms that are in alarm two for my database, two for my compute and two for my file storage. And I can see a summary of those here in terms of I also have 11 that are actually in a fine state.

If I click into a stack, this will render for just that one stack and I can actually click into those alarms. One of the tools this is what we're doing with applications is pulling together multiple AWS services within App Manager.

So you can see as I pull, look into the compute stack, I can see that there is a set of alarms that have actually been created and and determined by Application Insights.

So prior to launching this app, I told Application Insights look at this application and determine how to monitor it using AI/ML. So it's built a couple of alarms and it says, you know, you should take a look at those, those are low severity, but they're, they're potential issues.

And then down here are the alarms that I've actually created as part of the app. I defined these. If I want to actually look at them, I can actually click on them and that will take me straight into CloudWatch right into that alarm.

So now I can do my investigation, my troubleshooting. It's all right there, you know, two clicks away from my application.

So that's, that's super powerful. If I come back into this application, I want to show a couple other aspects that we can look at.

So one another key thing is I want to understand how much my application costs. And so we have a summary of costs right on the home page of App Manager. You can see I provisioned this in November. So we don't have any costs in September and October. But so far it's cost me $707.96 in November.

This is just for the resources in this application. So only those resources are contributing to this calculation of cost.

Further down, I can actually look at compliance of the application. So this will tell me for the Config rules that I have defined in this AWS account where this application is running, looking just at the resources that are in this application, which ones are compliant and which ones aren't compliant.

You can see, I have five resources that are non compliant. 11 that are compliant and a few that I don't yet have enough, have enough data.

If I want to look at all my compliance rules, I can do that. I can look at all 11 rules that I have in place and for each rule, it'll tell me how many resources are fine and how many resources are, are have an issue.

And actually, if there's a remediation action set up, it'll actually list the remediation action as well. And if I want to take more action on this, it's one click away for me to go to AWS Config and, and work on my remediation.

The last thing I want to show with Application Manager is the ability to drill into individual resources. So Anders talked about this idea of how do I collect together my resources into one place.

So these are just the resources I've got 32 resources in this application. And it's super easy. Now for me to find, let's say I want to find an EC2 instance I can find that instance right there.

This is the EC2 instance that's running, that's powering this application. When I look at that instance, I can actually also take action on it.

So App Manager integrates with Runbooks, SSM Runbooks, and I can right here with one click look at a set of runbooks that are applicable to this. And if I wanted to, for instance, to restart this instance, it's one click away and I can actually execute that runbook here and restart the instance.

So that's available to me right there from within App Manager.

Anders mentioned a couple other services that are integrated as well with applications. This is Application Manager. We mentioned Well Architected so you can now perform if I go to Well Architected. Let me just show you that I won't be able to, I don't have the time to do a full demonstration of it.

But just to show you when you go into Well Architected, for those of you who use the Well Architected service, you can now connect your Well-Architected analysis to an application.

So down here, we have the ability right here to actually select the application that I've created. And now you've connected that analysis back to the application.

One other tool, I'll just show you really quick just so you get a sense is Resilience Hub. So you might want to analyze the resilience of your application and understand, you know how you can improve that resilience, which is what Resilience Hub enables you to do. Resilience Hub also has the ability to grab an App Registry application and go ahead and just drop that in and then do a resilience analysis on it.

So those, all those services are plugged into this one library of your applications. And I think with that, I'll pass it back to you.
