Wednesday, March 25, 2015

AWS Lab - Phase 3 Install Php/MySQL Application

Sorry guys...this is not as polished..these are the notes I took when I actually did this myself:

1. Allow firewall rules, open port 80/443 inbound

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
## Open 443 port i.e. HTTPS
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

/etc/init.d/iptables restart

2. Install Apache

sudo yum install httpd

3. Register Apache

chkconfig httpd on

4. Start Apache

/etc/init.d/httpd restart

5. Test (see if you can bring up the Apache test page)

6. Install PHP with MySQL support

sudo yum install php php-mysql

7. create phpinfo page

8. Allow httpd to connect to database:

setsebool -P httpd_can_network_connect_db=1

9. test connection to mysql database (create a .php page with the following contents)
$link = mysql_connect("$dbinstance", "$user", "$pass");
if (!$link)
die('Could not connect the database: ' . mysql_error());
echo 'database connected successfully';

10. Go to this website:, install the php portions on the web server and the sql schema on the RDS database.

11. Perform some CRUD actions and assure you are able to see the data in both the database and are exposed on the web servers.

Call me or e-mail with any questions!

Wednesday, April 9, 2014

AWS Lab - Phase 2 Launching EC2 and RDS instances

AWS services used: Key Pairs, Security Groups, EC2, RDS

* Create a keypair
* Create two security groups, one for the web layer and one for the database layer
* Launch our first instance

In this phase we will launch our first instances. We will use the VPC and the subnets that were created in the first phase to launch these instances into. Before we launch the instances we will need to create a key pair in order to access the linux servers from a ssh and/or putty console. Next we will create two security groups, one for the web layer servers and one for the database layer servers. We will create some ingress rules and implement least privilege best practices to secure the instances in those groups. Once the framework is setup we can launch our web and database instances in the appropriate security groups.

Create a keypair
From Mac/Linux:
# aws ec2 create-key-pair --key-name orkp --query 'KeyMaterial' --output text > //device/path/orkp.pem

From Windows (must use PowerShell)

If you are using Putty to access your Linux instances you will need to convert the .pem file to a .ppk file (google it)

Create security groups
Here we are going to create two security groups, one will be the web layer which allows http/s traffic from everywhere, and another group for the database layer which allows MySQL traffic from only the web layer group. For the sake of this lab we will also open up port 22 from the world, you would never do this in a production environment but the examples should show you how to lock this down to only allow traffic from certain IP ranges.

Make sure you document your security group id's as you will need them when opening up access in upcoming commands.

Create the "weblayer" security group:

Create the "dblayer" security group:

If you forgot your vpc-id you can retrieve it with:

Add ingress rules
These next two commands will allow ports 80 and 22 from the internet, remember never allow port 22 from the internet for security groups in a production environment: Next we will open up the MySQL port 3306 and allow traffic from only the weblayer:

Launch EC2 Instance
Now with the following command we will launch an EC2 instance into our newly created security groups, in my commands you are going to be seeing the ARN's of my security groups, remember to replace those with the ones specific to your environment.Let's dissect this command a little bit as well so you can see what is going on:

*First we are issuing the run-instances command and pulling up a specific AMI, in this case it is a RedHat 6.4 64bit instance.
*Next we are launching this as a micro instance and using our keypair that we created earlier in this lesson.
*Finally on the network side of things we are placing this into a subnet in our VPC (from lesson 1), into the weblayer security group and associating a public IP address so it is accessible from the internet.

Launch RDS instance
Next we will launch our RDS instance in the dblayer security group, but before we do so we need to create a subnet group for RDS. RDS requires that at least two subnets in two separate availability zones be present so that you can implement replicas of your RDS instances. In the previous lesson we already fulfilled this requirement and now we just need to tell RDS about them. The following command will accomplish this:

Now let's launch the RDS instance:

Finally, let's now login to the web layer instance and make sure we can connect to the MySQL database, you will first need to install the MySQL client tools in the instance, do that with this command:
Now connect to the DB instance:
You can run some common MySQL commands (show databases;) just to make sure you are connected, but at this point you should be good to go. In the next lab we will step away from AWS for just a bit and configure a simple PHP/AJAX application that manipulates data in the MySQL DB. Do not worry if you have no coding experience, this is going to be some very simple copy/paste actions and just making sure you have files in the right place. Questions/problems? Drop them in the comments section and I will be glad to help!
Loading ....

Wednesday, March 19, 2014

AWS Lab - Phase 1 Laying Down the Foundation

Phase I - Lay down the foundation
AWS services used: VPC, CLI tools

* Create VPC
* Create associated subnets
* Create an Internet Gateway
* Associate Internet Gateway to VPC
* Create route to internet for the VPC

In this phase we will be creating a VPC which is our own network within AWS, a VPC is region specific. We will create two smaller subnets, both in different Availability Zones within that specific region. Once this is all setup we need to create an internet gateway and a route to the internet in the route table. Below is an illustration of what we are going to build in this phase. I would suggest saving the resource names and building a small diagram as below to keep your environment documented as we move through the lessons:

Create the VPC - This command will create a VPC with the specified CIDR block in the us-west-2 region, the region switch can be omitted if you have the region you want selected in your cli tools (see "aws configure" from your cli for more details).

The output of this command will look like this:
From the actual AWS web console you can see your newly created VPC, go to "services > VPC > Your VPC's" and you should now see your new VPC created as shown above:

Create Subnets Next we are going to create a subnet in two of the availability zones, you can create as many as you like that will fit in to the original VPC you specified. One of the inputs you need is the vpc-id, if you did not document this you can retrieve all the of the vpc-ids with the following command:

Now, let's create a /24 subnet in two of the availability zones:

The output of this command will look like this:
From the actual AWS web console you can see your newly created subnets, go to "services > VPC > Subnets" and you should now see your new subnets created as shown above:
Create Internet Gateways Now we need to create an internet gateway so that instances in our VPC subnets can communicate with the internet, this simple command will create an IGW for us: Output will look like this:
From the actual AWS web console you can see your newly created IGW, go to "services > VPC > Internet Gateways" and you should now see your new Internet Gateway created as shown above:
Associate IGW to VPC Now we need to associate the IGW with the VPC we created so that instances in this subnets are able to connect to the internet with this gateway, this is done with the following command: Output will looks like this:
Not much to see there, here is a better representation of what happened when that command was run with this command: You can also see this in the web console, go to "services > VPC > Internet Gateways" and you should now see your new Internet Gateway no associated with a VPC:
Create route table entry to direct internet traffic to IGW Now that we have an IGW and it is associated with our VPC, we need to re-direct all internet bound traffic to the IGW.

First lets find all of the route tables and figure out which one is associated with our VPC: From that output collect the route table id and the execute the following:

AWS Lab - Overview

Below is an illustration of the overall environment we are going to build in AWS. I wanted to take advantage of as many feature of AWS as possible.

In Phase I we will lay down the foundation and create a VPC, all of the associated subnets, an internet gateway and proper entries into the route table. This allows us to control the IP allocation utilized in our environment.

In Phase II we will create a keypair, security groups and then launch our first ec2 instance into the weblayer security group. Once we have that up and running we will launch an AWS RDS MySQL instance into the database security group. The security groups will have proper ACLs attached to them that will allow only the needed traffic to provide the services we want.

Phase III, will be a little bit less AWS and more focused on LAMP. We will setup Apache and PHP on the web instance then assure it can connect to the RDS MySQL instance. Once we have verified connectivity from the Apache/PHP front end to the backed MySQL DB we will configure a simple CRUD application.

Phase IV, we will return to AWS and take an EBS snapshot of our configured Web Server and save that up to S3. Once that is done we will create another instance and place them both behind a load balancer. To make that more secure we will make some modifications to the security groups and setup some DNS on Route53 to make routing to the ELB a little more pleasant.

Phase V, once we have a good 3 tier infrastructure in place we will configure an auto-scaling group and watch magic happen as we throw artifical load at the web front ends and watch the environment scale up/down. We will use CloudWatch here to monitor the instances and take action based on certain criteria.

Phase VI, Once we have a good grasp on ELB and autoscaling, we will another tier to the application that takes input from the web front end and does some simple text manipulation before storing the final results into the RDS instance. We will use SQS to decouple the workloads and autoscaling again to scale up/down the text manipulation tier. We will also create a read replica of the RDS instance and will re-direct reads from the application layer. Once this is all up and running we will introduce some of NetFlix's Chaos simian army members into the infrastructure and see how our environment adapts.

AWS Lab - Intro

In my mission to dissect AWS and eventually take and pass the solutions architect exam I have put together this blog to document and help others along their journey to understanding and building highly available and scalable solutions on AWS. 

As part of trying to truly understand the AWS ecosystem I am going to build a simple application attempting to use as many AWS services as possible and lay the foundation for further in depth learning.

I will go through building a simple 3 tier application using Linux, Apache, MySQL and PHP that performs CRUD commands on a MySQL database. Most everything in these lab exercises can be accomplished with the AWS free-tier.

So before we get started go sign up for a free AWS account, a domain name (optional) from GoDaddy and then get the CLI tools setup on your MAC or PC using this link

Everything I do is going to be via the CLI, I think it really forces you to learn the inside guts of the environment. From the CLI commands you should be able to figure how to do it from the console if you prefer the GUI method.

After you have that all setup go on to my next post which will give an overview of the infrastructure we are going to build and then we will go right in and start building it all out.

Friday, November 15, 2013

UCS configuration end-to-end, GUI, CLI and PowerShell part 2

In today's part 2 of my continuing series we will cover configuring the unified ports on the Cisco 6248 FI's to be set as "server" ports, basically this means what Cisco calls east-west traffic and are the ports that the FEX's in the Chassis's connect to. First let's see how we do this in the

1. From UCS manager, in the right pane window expand "Fabric Interconnects" and then highlight "Fabric Interconnect A (primary)" as show in the pic below

2. The in the right pane, make sure the "general" tab is highlighted and in the picture of the FI you can right click on a port and then select "configure as server port".
Once you are done you will need to go back and configure FI-B with all those lovely mouse clicks. If you have not guessed by now, I am not a fan of configuring via GUI so next up let's do it with our keyboards.
For each port you would like to configure execute the following commands, note the first digit denotes the slot number. If you are on the base this will be 1 and if you are on the expansion module it will be 2

And even better than the command line is to stuff all of this in a nice powershell script as shown below, note that one of the points of this series is to have one full blown script that will configure UCS from end-to-end in about 5 minutes.

In the next post we will look at configuring everything related to the SAN

Wednesday, November 13, 2013

UCS configuration end-to-end, GUI, CLI and PowerShell part 1

In my next series of posts I am going show you how to configure UCS end-to-end with the GUI, CLI and PowerShell. These posts will assume you already have the initial configuration up and running. Let start with something simple, configuring the Chassis Discovery and Power Policy.
1. Go to the "equipment" tab in the left pane of the screen, make sure you have "equipment" highlighted

2. On the right side, select the "policies tab", in the area below the tabs you can set the "chassis discovery policy" and the power policy with the convenience of your mouse...but, why do all those clicks when you can do it much faster with your keyboard from the...

Set the discovery policy:
Set the power policy:
In part 2 we will cover configuring unified ports as server ports and keep building on the powershell script above. In the end we will have a script that can configure an entire ready to use cisco UCS domain.