Amazon AWS DevOps Engineer Professional – Incident and Event Response (Domain 5) & HA, Fault T… part 10
- Multi Region – CloudFormation StackSets
So how can we deploy an application across multiple regions consistently and even multiple accounts? For this you can use StackSets in CloudFormation. StackSets allow you to create, update or delete stacks across multiple accounts and multiple regions with a single operation. The administrator account has access to create stack sets, and then trusted accounts allow the administrator account to create, update and delete stack instances directly from the stack sets. So when you update the stack set in the administrator account, all the associated stack instances are updated throughout all the accounts and regions. We’ll see this in the hands-on, don’t worry.
And you have the ability to set a maximum number of concurrent actions on the targets as a number or a percentage. And you also have the ability to set the number of failures you can tolerate as a number or a percentage. So this is extremely helpful once you start having a global architecture and you want to have global CloudFormation templates deployed in multiple regions and multiple accounts. So let’s have a go at how this works. So let’s go into CloudFormation. And in CloudFormation we’ve seen all there is to see about stacks, but what about stack sets? And so the stack sets are right here and we have never used them. So let’s go ahead and use those right now. But first we need to do some IAM permissions.
So as I said, there was an administrator account and then there were some trusted accounts. And so we need to create the IAM roles that will be necessary for these accounts to exist. And so thankfully, this documentation page has some CloudFormation templates that will allow us to do just that. So here is a CloudFormation template, and I’m going to copy the link address, and this will create an IAM role named AWSCloudFormationStackSetAdministrationRole. So let’s assume that we have the administrator account and we’ll create a stack and I’ll say the stack is here, I’ll click on Next and I’ll say administrator account CloudFormation stack sets, okay, and I’m going to click on Next and finally everything looks good.
I’m going to acknowledge that this will create IAM roles and click on Create Stack. So this goes ahead and creates the first IAM role we need. And then the trusted account is also going to be the same account as we have here, because we actually need this account to be doing the multi-region stuff. We don’t do multi-account in this hands-on, just multi-region. And so for this we need to go to a target account, so ours, and we can just copy this template, okay? And then we’ll be prompted to provide the name of the administrator account with which we have a trusted relationship. Okay? So let’s have a look at this. So we’ll have the execution role.
So I’ll refresh this page, everything is being created right now. So I’ll just wait a second and now the create is complete. So we have a resource being created and that’s an IAM role that does everything we need to do. And so we’ll go ahead and create a new stack. And I’ll put the URL for the stack set execution role. Click on Next. And here we need to put a parameter which is the administrator account ID. So this is where we need to provide our own ID. But I think I could have this from here. Here we go. So I’m just going to get the ID. I’ll just copy this entire thing and then get the ID out of it. So here we go. We have the administrator account ID and this is the account where the stack sets will be created.
And this one, I’ll say target account IAM role stack sets. Okay. And click on Next. Click on Next and scroll all the way down. This will create another IAM role. So that’s perfect. And click on Create Stack. So let’s wait for this to be over. Okay, so this stack is created and now if I go back to my stack sets, I should be able to create my first stack set. So let’s talk about a problem that we have. Say for example, we go to Config, and you may remember that we did Config in this course. And so if we go to Config, we can see that we can track all the resources within my region. And I’m in EU West One, but if I go to say US East One, for example, in this example, well, Config is not configured, and if I go to US East Two, well, Config is not configured either.
And so what I’m trying to show you here is that I would like Config to be deployed in every single region that I’m operating in, right? So what I’m going to do is use a sample template in here because the template is already created for me, but this is just a normal CloudFormation template that we have in here. And I’m going to choose the template Enable AWS Config. If you’re curious, you can go to this URL and see what it creates. It creates just a bunch of resources that are needed to create a configuration to track the resources within the account. So let’s click on Next, and here in the stack name I’m going to say enable AWS config, and the stack set description is the exact same. And now for the parameters. So include global resource types: yes.
Resource types: all. Notification email: none. Topic ARN: none, new topic. Sorry, delivery channel name: generated. Frequency: 24 hours. And all supported resource types: yes. So we don’t touch any of these parameters. They all work just fine. Click on Next. And here we should say the IAM execution role name. So this AWSCloudFormationStackSetExecutionRole is the one we have created directly from the CloudFormation stacks from before. So let’s go to Roles and let me look for this role. And right now it doesn’t exist because I haven’t refreshed. Here we go. It exists, here it is. And so it’s going to use this role to execute on the account. Excellent.
Click on Next. And now I can say in which accounts I want to deploy this. And so I can deploy in different accounts or different organizational units if I’m using AWS Organizations to manage my accounts. But I’m just using accounts right now and I’ll specify the account number I’m currently in, so I’ll just copy this and extract the account number. So here is my account number, and I could have multiple account numbers by just having commas, so I can just have many commas and have many different accounts, but for now I’ll just have one because we want to deploy only within my account. And then for the specific regions I’m going to say, okay, deploy it to US East, Northern Virginia, and deploy it to US, and I’m going to say EU London.
I’m not deploying to my region, Ireland, because I don’t know if that’s going to conflict with the configuration I’ve already done, and I know these two haven’t been enabled. So I’ll just enable these two right now. So you can add all regions, you can remove all regions, you can select the regions you want, you’re free to do however you want, and then we can say how many concurrent accounts we can have at a time. So we’re saying, okay, one at a time, that means that only one of these two regions will be deployed first, so maybe Northern Virginia, and then when it’s done it will move on to London.
And for the failure tolerance, if we say zero, that means that if one of those fails, then everything fails and rolls back. Whereas if we have a number, say one, we allow one region to fail. So we’ll just say zero because we don’t want any failures. And click on Next. Okay, we can review everything. So this is a normal CloudFormation template that’s just going to be deployed in all the regions specified right here, in this account. And let’s say yes, I’m good to go. And click on Submit. And here we go. So this is going on and now we can look at the operation. So the create is running, okay, and we can look at stack instances, which is where the stack is being created, and right now it says outdated, so it’s a user-initiated operation.
So let’s see what happens if we go to stack set info. Okay, so right now the stack is being created, so this is why it says outdated. So we just need to wait a little bit. So what we can do in the meantime though is go to US East One and see if the stack is being created over there. So I’m in US East One and I’m going to Stacks and we can see this. There’s a stack named Stack Sets and the create is complete. So this stack creation has worked. And if I went into the Config console for this region, I should see some configuration and hopefully everything will be configured already. So let’s have a look, Get Started, and the configuration might already be included. So let’s wait a little bit. Here we go. So we can see from the dashboard that the resources are currently being discovered.
So that means that this stack set has been applied in US East One. And because US East One has now finished, it’s current, and now the other region is getting on with the rollout of the CloudFormation template. And that’s because I chose a configuration, if you remember, of one region at a time for the maximum number of concurrent operations. So let’s just wait for this to be over. And now they’re both current and my AWS Config enable has been done on these two regions. But I can do something really cool. I can add new stacks to the stack set and say, okay, use the same account, so use the same account number, but I would like you to add a region, and please add Singapore. Okay, and I’ll just say Next and we’ll have the same parameters.
So we’ll click on Next and everything looks good. We submit this and here we go. Now we’re going to have a third stack instance being created in AP Southeast One. So it’s really easy to do multi-region deployment and multi-account deployment directly from this UI. Similarly, you can delete stacks from the stack set, so you can say which regions and which accounts you want to delete stacks from. So that could be really handy. And you could altogether delete this stack set, which will delete all the stacks from the stack set, obviously. And when you think about it, the use cases for StackSets are huge. I mean, any template that works in multiple regions will work as a stack set. So it’s quite powerful because these are the same CloudFormation templates.
But if we look at the sample templates of what we may want to have enabled by this feature, they’re really nice. For example, enabling CloudTrail in all the regions. This is done with one stack set. Config, GuardDuty. And then maybe you want to add Config rules like root account MFA enabled, CloudTrail enabled, EIP attached, and encrypted volumes as rules directly on all the Config that we have created in all the regions. So those are just some examples that you can have with StackSets. But anytime you want to deploy a CloudFormation template across multiple regions, then you would need to use StackSets. And then, so we see multiple operations, multiple things are done.
And so when we’re ready, we click on Actions, Delete stack set, and this will delete everything. And so we need to first delete all the stacks from the stack set. So I’ll add all the regions in my account. Here we go. So this is added. And now I can go ahead and delete three at a time, for example, and click on Next. And then click on Submit. So here we go. Now the operation to delete all the stacks in the stack set is running. And now this operation has succeeded. And what I can do next is see that I have zero stack instances, and now I can go ahead and delete this stack set altogether. So that’s it for this lecture on StackSets. Whenever you see global deployment, think CloudFormation StackSets. Hope that was helpful and I will see you in the next lecture.
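The trust relationship set up in this hands-on, where the target account’s execution role is given the administrator account ID, can be checked after deployment. The following is an added example, not code from the lecture or from the AWS templates: it audits a role trust policy document for principals other than the administration role. The account IDs, the sample policy and the finding codes are constructed for illustration.

```python
import json

ADMIN_ROLE = "AWSCloudFormationStackSetAdministrationRole"  # role name from the lecture

# Constructed sample: trust policy of an execution role, in the shape IAM
# returns as AssumeRolePolicyDocument. The account IDs are made up.
SAMPLE_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "sts:AssumeRole"},
    {"Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::222222222222:role/AWSCloudFormationStackSetAdministrationRole"]},
     "Action": "sts:AssumeRole"}
  ]
}
""")


def _as_list(value):
    """IAM allows a single value or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def _split_principal(principal):
    """Return (account_id, resource) for an IAM ARN or a bare account ID."""
    if len(principal) == 12 and principal.isdigit():
        return principal, "root"  # a bare account ID means the whole account
    parts = principal.split(":", 5)
    if len(parts) == 6 and parts[0] == "arn" and parts[2] == "iam":
        return parts[4], parts[5]
    return None, principal


def _classify(principal, admin_account_id):
    """Return a finding code for one AWS principal, or None if acceptable."""
    if principal == "*":
        return "ANY_PRINCIPAL"
    account, resource = _split_principal(principal)
    if account != admin_account_id:
        return "FOREIGN_ACCOUNT"
    if resource == "root":
        return "ACCOUNT_WIDE"  # every identity in the admin account can be allowed in
    if resource.startswith("role/") and resource.rsplit("/", 1)[-1] == ADMIN_ROLE:
        return None
    return "NOT_ADMIN_ROLE"


def audit_execution_role_trust(policy, admin_account_id):
    """Return (statement_index, finding_code, principal) for risky trust entries.

    Condition blocks are not evaluated, so a flagged statement may still be
    narrowed by a condition and needs a manual look.
    """
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = _as_list(stmt.get("Action", []))
        grants_assume = any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions)
        if stmt.get("Effect") != "Allow" or not grants_assume:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principal = {"AWS": "*"}
        for kind, values in principal.items():
            for value in _as_list(values):
                code = (_classify(value, admin_account_id)
                        if kind == "AWS" else "NON_ACCOUNT_PRINCIPAL")
                if code:
                    findings.append((index, code, value))
    return findings


if __name__ == "__main__":
    for finding in audit_execution_role_trust(SAMPLE_TRUST_POLICY, "222222222222"):
        print(finding)
```

An `ACCOUNT_WIDE` finding on the administrator account matches a trust policy that names only the account ID; naming the administration role ARN instead narrows who can assume the execution role.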
- Multi Region – CodePipeline
Okay, so let’s talk more about multi-region. So we can use CodePipeline to perform multi-region deployments. So say we have deployed our application using CloudFormation StackSets or just CloudFormation templates into multiple regions. We could use CodePipeline in one region to perform a multi-region deployment. So let’s see how that works. So I’m going to scroll down, and this is something from the DevOps blog by the way. So a really good blog to have a read through on your own. But here is what the architecture looks like. So we are going to have in US West Two a whole CodePipeline that is going to have the source code repository in an S3 bucket and then deploy in its own region using CodeDeploy onto EC2 instances.
But this pipeline is also going to invoke CodeDeploy in US East One and AP Southeast Two. And these CodeDeploys will locally deploy to EC2 instances in different regions. As you can see here, the CodePipeline artifact store must be copied from this region into the other regions so that CodeDeploy can find these artifacts and send them, or at least point the EC2 instances to them, so that the EC2 instances can retrieve these pipeline artifacts directly, locally in the same region. Okay, so this is something we’re going to do. And to do this there is a bunch of CloudFormation templates that we need to run. And so the first thing it says is that you need to create an Amazon EC2 key pair in every single region.
So let’s go to US West Two and I’m going to go directly into the EC2 service. So I’m going to go to EC2, and within EC2 I’m going to go on the left-hand side and click on Key Pairs to just create a dummy key pair for each of these regions. So I’m going to click Create Key Pair and I’ll call it demo global pipeline. And I’ll copy this over. So demo global pipeline in this region. Then the second region is US East One. So let’s go to US East One and we’ll do the exact same thing. I’m going to create a key pair. Here we go. And then finally, the last region is AP Southeast Two, which is Sydney. So let’s go into Sydney, AP Southeast Two. Excellent. And we’re going to also create a key pair in there.
This is so that the CloudFormation templates we’re going to launch later on will work correctly. So Sydney is quite far from me. So this is why there is a bit of lag. Obviously we can’t beat the internet, so let’s create a key pair. And now we have created the three key pairs. Okay, excellent. So next what we have to do is launch some CloudFormation templates that will create EC2 instances and an AWS CodeDeploy application. So we need to launch these templates in US West Two, US East One and AP Southeast Two. So for this we’re going to go straight into the CloudWatch, the CloudFormation console, sorry. And we’re going to copy these URLs. So what we need to do though is to download each of these files.
So I’m going to download these files right here. So I’ll click on Raw in here and then you can save this file into a download directory. So I’ll take the second file, click on Raw and save this into my directory. And then finally click on Raw on this file and save this into my directory. Okay, excellent. So now let’s go back into the first region. So US West Two, I believe that was. So this is US West Two. Yes, Oregon. And create a stack and I’ll upload a template file. I’ll take one from my downloads and this is going to be this one. So this stack is going to be uploaded. I’ll enter CodeDeploy and EC2. Excellent. So the application name in the target group, what does the thing recommend? It says Cross Region Action Support, for example.
Then for the deployment group name, enter this, and then the EC2 key pair name, you can enter whatever you want. And for the EC2 tag key name, we’ll say Name, and then for the EC2 tag value we’ll say Northern Virginia. This is actually not in Northern Virginia, this is in Oregon. So I’ll say Oregon cross-region instance. So region instance, and click on Next and then click on Next. And I’ll do this three times. So I’ll just create the stack, acknowledge everything. And this is the first one. So I’ll do it in Oregon, I’ll do it in US West One and I’ll do it in Sydney. So let me just pause the video and do this while this happens.
Okay, so our CloudFormation template has been deployed in the three different regions. And as a result we have an EC2 instance in Oregon, in Northern Virginia and in Sydney. Okay, and I think I was wrong with some parameters, but that’s still fine. So next we have to go with the artifact store. And so we need to create an S3 bucket in every single region. And the S3 buckets will be regional and versioned. Why versioned? Because CodePipeline will probably name the artifacts the same way. And so if we don’t have versions, there could be some issue with CodeDeploy. So we’ll download these templates again. So click on Raw and then save this file to wherever we want.
So in downloads. And this will create a resource for test like artifact buckets, service role and so on. So let’s go ahead and create this. We go to CloudFormation and I’m going to do this three times. So once with you, twice offline. So I’m going to create this one. Click on Next, and the stack name, I’ll call it S3 buckets. And for the bucket name prefix, I’m just going to use the region name. So US West Two, like this. Click on Next, Next and click on Create Stack and one is done. So I’m going to do the other two now. And so they all failed because the S3 bucket name was already taken, obviously, because S3 bucket names are global.
So let’s just do it all again, but this time just include some random characters, really. Hopefully that will do it. So I will say S3 buckets again. But here for the prefix I’ll just say Stefan, Stefan one, and I’ll do Stefan one, Stefan two and Stefan three, and hopefully that does it. So I’ll click on Next and Create Stack and I’ll do it in the other two regions, and this is done. So as we can see now we have three S3 buckets being created in three different regions. And every S3 bucket will have versioning enabled. So you can see versioning is enabled already. So let’s go back and type cross region. And here we go.
So that’s the next step that’s been done. And then for step three, we need to provision the CodePipeline with CloudFormation again. And so this time we will launch this into our primary region, US West Two. So make sure you download the templates. So you go to GitHub and then you do Raw and then you do Control-S to save this. And here we go. Now what I’m going to do is go directly into my Oregon region, create a new stack, and I’m going to upload this template that I just downloaded. Here we go. Click on Next, and then for the parameters, for the source code bucket name prefix, you need to enter a prefix that you want, so you can choose whatever you want.
But again, make sure to choose something unique, otherwise things won’t work. So let’s go back in here and I’m going to say source S3 buckets, and I’m going to say Stefan four, just in case, Stefan source. This way it’s the source bucket. And click on Next. And then click on Create Stack. So the source code bucket has been created. Excellent. And I need to upload the sample application, which is right here, into it. So what I’m going to do is go here, click on Download to download this sample application, and then I’m going to go to S3 and upload this sample application and click on Upload. Okay, so we are almost getting to the end. So now we need to finally provision the CodePipeline templates.
So for this we’ll stay in the Oregon region and we’ll just download the template for the cross-region pipeline. So let’s just go ahead and find this. So where’s the link? So it seems the link is missing from this blog at this time. So let’s go into this file and we’ll find the right template in here. So we’re looking for the CFN template and we’re looking for the CodePipeline cross-region one. So this is the template we’re looking for. I’ll click on Raw and then save this as a file in my downloads. And now I’m able to go to Oregon, create a stack, and then I’ll upload the template file, which is the one I have just downloaded, that will create the CodePipeline, and that CodePipeline will be multi-region.
So I click on Next, I’ll say CodePipeline multi-region. And here we need to put all the right parameters for the store buckets. So let’s go back into S3 and I’m going to go back into my cross region. So you need to make sure you have the right bucket names every time. So I’ll copy this one. This is for Southeast Two. So for Southeast Two, I’m going to say this is the name right here. Okay, this looks good. Then for the application name you need to go into CloudFormation and find the application name. So for this I look at my parameters for this CodeDeploy stack, and the application name was Cross Region Action Support. So I think I put Cross Region Action Support everywhere.
So I’ll just say this is good. The deployment group name again is what I had in my parameters. So you need to make sure that it is the same everywhere. So I’ll copy this one and we’re good. Make sure you remove the space. And then the S3 source bucket. This is where my data was being created. So in this case I need to type source and I’ll find here this bucket name that I’ll copy into my parameters. Then the source bucket key, which is the name of my file within my bucket. So if we go in here and look at the key, this is S3 app Linux zip. So I’ll just go ahead and copy, oops, copy the path. So I’ll click on the file and say Copy path, go to CloudFormation and say okay, source app Linux. Then the US East One artifact store bucket.
So let’s go back into S3 and we’ll find it. So cross. So this is US East One. I’ll copy the bucket ARN and remove all that I don’t need. Okay. And then finally for US West Two, one last time we’ll go back, and for US West Two, this is the one. Here we go. So this is a lot of configuration, but what this does, as we’ll see when we go to CodePipeline, is that it makes sure that we do have CodePipeline sourcing the code from this bucket, from this key, and then when it deploys to multiple regions, it uses different artifact store buckets for US East One, US West Two, and finally AP Southeast Two.
So if everything is correctly done, and I hope it is, then you click on Next and then Next, and then you acknowledge that it might create IAM resources, which is fine, because it needs a role to do all the deployments across multiple regions. So now we have to wait for this to be done. And my CodePipeline multi-region stack has now been created, and if I look at the resources, it has created a CodePipeline service role and a multi-region pipeline. So why don’t we go ahead and see what we have created, the monster that we have just deployed and that will be a nightmare to undo. But that’s okay.
So we’re going into CodePipeline and we’ll find the newly created pipeline, which is right here, and it’s being executed. So the source is from Amazon S3, which has worked. Then it did a prod deployment into all these different regions, so many different regions, the primary and some secondary regions. And so how can we make sure that this has worked? Well, if we go to the instances in here, and if I look, do they have inbound rules that work? Yes, they have port 80. So that’s perfect. So if I go to this public DNS in here, then I should see that my application has been deployed, but also that if I go to this other DNS, the application will have been deployed as well.
So it says you have successfully created a pipeline that retrieved the source application from this S3 bucket and deployed it to three Amazon EC2 instances in different regions, and the last instance as well should have worked. Definitely should have worked. And here we go. So we have deployed a multi-region CodePipeline, and so if we want to have a look at how this works in the back end, if I edit this pipeline and look at this stage, so I edit the stage and I can look at this action. As you can see here, the action provider is CodeDeploy but the region target is US East One, which is different from the region of the pipeline itself. We’re in Oregon right now.
You need to say what the source artifacts are, the application name and the deployment group, and everything’s good. So you can have multi-region actions within one CodePipeline. You need to make sure obviously that all the IAM roles are correct and so on. This is quite nice. And then one last thing that can be quite cool to see. As we can see in here, we have three stages. All of them are parallel. So I already mentioned this to you. But let’s see this again. If we go to CloudFormation and then we look at this template, we can see here that at the very bottom, the run order is one. The run order here is one and the run order here is one.
And what this means is that all these actions right here will be executed in parallel because they have the same run order. So I’ve already mentioned this, but I think this is a good example to see how that works. And so to delete this entire stack, when you’re done, you start with CodePipeline. Then you need to go to every S3 bucket and you need to empty every S3 bucket. Then you can delete the S3 buckets from CloudFormation, and then finally, you can delete the nested stack that did create CodeDeploy and EC2. So go ahead and do this, and I will see you in the next lecture.
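Two points from this lecture can be checked mechanically on a pipeline definition: every region an action targets needs its own artifact store, and actions in a stage that share a run order execute in parallel. The following is an added example, not code from the lecture or the blog post it follows; the pipeline below is a constructed sample in the shape of the `pipeline` object returned by `aws codepipeline get-pipeline`, with made-up names and bucket locations.

```python
from collections import defaultdict

DEPLOY = {"category": "Deploy", "owner": "AWS", "provider": "CodeDeploy", "version": "1"}

# Constructed sample. The ap-southeast-2 artifact store is deliberately
# left out to show the misconfiguration the check is meant to catch.
PIPELINE = {
    "name": "example-multi-region-pipeline",
    "artifactStores": {
        "us-west-2": {"type": "S3", "location": "example-artifacts-us-west-2"},
        "us-east-1": {"type": "S3", "location": "example-artifacts-us-east-1"},
    },
    "stages": [
        {"name": "Source", "actions": [
            {"name": "Source", "runOrder": 1,
             "actionTypeId": {"category": "Source", "owner": "AWS",
                              "provider": "S3", "version": "1"}},
        ]},
        {"name": "Prod", "actions": [
            # No "region" key: the action runs in the pipeline's own region.
            {"name": "DeployOregon", "runOrder": 1, "actionTypeId": DEPLOY},
            {"name": "DeployVirginia", "runOrder": 1, "region": "us-east-1",
             "actionTypeId": DEPLOY},
            {"name": "DeploySydney", "runOrder": 1, "region": "ap-southeast-2",
             "actionTypeId": DEPLOY},
        ]},
    ],
}


def stores_by_region(pipeline, pipeline_region):
    """Map region -> artifact store, for both single- and multi-store pipelines."""
    if "artifactStores" in pipeline:
        return dict(pipeline["artifactStores"])
    if "artifactStore" in pipeline:
        return {pipeline_region: pipeline["artifactStore"]}
    return {}


def missing_artifact_stores(pipeline, pipeline_region):
    """Return (stage, action, region) for actions whose region has no artifact store."""
    stores = stores_by_region(pipeline, pipeline_region)
    missing = []
    for stage in pipeline["stages"]:
        for action in stage["actions"]:
            region = action.get("region", pipeline_region)
            if region not in stores:
                missing.append((stage["name"], action["name"], region))
    return missing


def parallel_groups(stage):
    """Group action names by runOrder; each inner list runs in parallel."""
    groups = defaultdict(list)
    for action in stage["actions"]:
        groups[action.get("runOrder", 1)].append(action["name"])
    return [groups[order] for order in sorted(groups)]


if __name__ == "__main__":
    print("missing stores:", missing_artifact_stores(PIPELINE, "us-west-2"))
    for stage in PIPELINE["stages"]:
        print(stage["name"], parallel_groups(stage))
```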