In part 1 of 6 in my latest series showcasing the six pillars of the AWS Well-Architected Framework, we take a look at the Reliability pillar. If you’d like to learn more about the other pillars of the Well-Architected Framework, check out the other blogs in this series via the links below.
What we will be covering
- AWS Well-Architected overview
- AWS Well-Architected: Reliability pillar deep dive
- Defining recovery objectives
- Defining availability terms
- Intersection of availability terms and recovery objectives
- Evaluating reliability requirements
- Architecture examples
- Architecting to requirements
Why we are learning this
- To help others understand how to design and implement architecture that aligns to availability and reliability requirements
- Using the AWS Well-Architected: Reliability pillar for guidance to build reliable infrastructure
How this will help me
You will:
- Be able to successfully define availability requirements
- Have a better understanding of the intersection of reliability and availability
- Have a better understanding of correct use of availability terms
- Be able to build effective solutions aligned to the AWS Well-Architected: Reliability pillar
AWS Well-Architected Overview
AWS Well-Architected is a framework comprising six “pillars” for building infrastructure with good practice in mind.
By aligning architecture and infrastructure to the AWS Well-Architected Framework, customers can ensure their solutions are secure, reliable, efficient, sustainable, cost-effective and operationally supportable.
Aligning to the framework is not mandatory; however doing so creates good architecture and can help in making critical decisions and risk mitigation.
Comprised of six pillars of excellence:
- Security
- Reliability
- Operational excellence
- Performance efficiency
- Cost optimisation
- Sustainability
The AWS Well-Architected Wheel
The following infographic depicts the components and focus areas for each of the six pillars:
Well-Architected: Security
The Security pillar covers:
- Incident response
- Data protection
- Encryption in flight
- Encryption at rest
- Data classification
- Infrastructure protection
- Compute protection
- Network protection
- Detective controls
- Event management
- Security awareness
- Identity Access Management (IAM)
- Who should/can access solution
- How they access solution
Well-Architected: Reliability
The Reliability pillar covers:
- Change management
- Monitoring
- Alerting
- Failure management*
- Disaster recovery
- Data backup
- Resiliency
- Resiliency testing
- Scaling to demand
*This is what we will cover in depth today
Well-Architected: Operational Excellence
The Operational Excellence pillar covers:
- Operational readiness
- Deployment methods
- Automation at core
- Integration methods
- Workload insights
- Operate
- Workload health
- Operation health
- Event response
- Patching and upgrades
- Inventory management
- Evolve
- Operational evolution
Well-Architected: Performance Efficiency
The Performance Efficiency pillar covers:
- Selection of resources
- Architecture choice (server/serverless)
- Compute
- Storage
- Database
- Networking
- Performance monitoring
- Performance tradeoffs
- Reviewing architecture choices over time
Well-Architected: Cost Optimisation
The Cost Optimisation pillar covers:
- Expenditure awareness
- Cost tracking
- Total Cost of Ownership (TCO)
- Usage governance
- Resource decommissioning
- Cost effective resources
- Service selection
- Right-sizing workloads
- Data transfer optimisation
- Licensing cost reduction
- Matching supply with demand
- Scaling and efficiency
- Reviewing architecture choices over time
Well-Architected: Sustainability
The Sustainability pillar covers:
- Resource selection
- Right-sizing workloads
- Effective use of infrastructure architecture
- Reducing impact to environmental factors
- Power and cooling efficiency
- Elastic resources
- Awareness of and reduction to the carbon footprint
- Often supported by cost reduction
Reliability: Common Terms
Recovery Objective Terms
Often, we don’t have a clear understanding of the requirements applications and systems have in context to the business or customers. It is helpful to understand the objectives we want to achieve:
- Recovery Point Objective (RPO)
- Defines how much data you are willing to lose
- Influences how often data needs to be backed up / snapshot intervals
- Recovery Time Objective (RTO)
- Defines how long an outage can be tolerated from failure to recovery
- Influences the method used for recovery of resources in an outage
- Together, the RPO and RTO effectively defines what an architecture solution should look like and significantly influences architectural choices if correctly implemented
Recovery Terminology
Disaster Recovery (DR)
- Often used interchangeably / confused with “HA”
- Longest recovery time
- Cheapest to implement
- Doesn’t have to have an immediately available resource
High-Availability (HA)
- Often confused with “FT”
- Shorter recovery time than “DR”
- Can be cheap to implement; more expensive than “DR”
- Doesn’t mean no outage – just faster to recover
Fault-Tolerance (FT)
- May still have diminished performance
- Most expensive to implement
- Highest availability target
Recovery Terminology Analogies
Sometimes it can be helpful to remember these terms using real-world analogies. These are some of the analogies I have used to help understand the differences between each term in an effort to be more conscience about using the correct terminology:
- Fault Tolerance (FT):
- A guitar with many strings
- Continue operating with reduced performance for a period of time
- High Availability (HA):
- A spare tube on a bicycle
- Some downtime while the new tube is fitted
- Disaster Recovery (DR):
- A puncture repair kit
- Find the leak, patch the leak and reinflate
- Continue on your journey some time later
Intersection of RPO/RTO and Recovery Strategy
There is synergy with reliability and availability as discussed further here. There is a benefit-cost ratio depending on what your specific requirements are.
There is alignment between recovery strategy and availability at a high-level as shown below:
- Disaster Recovery (DR)
- Backup and restore
- High-Availability (HA)
- Pilot light
- Warm standby**
- Fault-Tolerance (FT)
- Warm standby**
- Active/Active
**A warm standby environment may allow for continued operation with reduced performance but may require a brief outage to switch over.
Evaluating Reliability Requirements
Despite terms being used interchangeably, there is one hard and fast rule: High availability is not disaster recovery.
- Availability focuses on components of the workload
- Disaster recovery focuses on discrete copies of the entire workload
- There is a need to meet availability objectives for availability related events
- Disaster recovery objectives are built around workload failover during a disaster
- Data and workload may have different requirements to each other
- S3 is highly available across AZ’s – but how do you recover your objects?
- An EC2 instance may be ephemeral but the database is likely not
- Failure scenarios impact your availability and disaster recovery implementation
Defining Requirements
An RPO and RTO is a target set of recovery objectives but it needs to be relevant to the scenarios you are anticipating. Failure scenarios might be:
- Infrastructure: Loss of AZ, loss of instances, data corruption / exhaustion
- Security Event: crypto, DDoS, injection attacks, application-specific attacks
- Frontend: Web or application (instances, containers)
- Backend: Application and/or database (instances, containers, databases)
Understand the impacts each of these has on your application:
- Customers (internal or external)
- Financial
- Reputation
- Business continuity
- The impact should justify the spend on reliability
Example of Poor Implementation
Objective: A target RPO of 1 hour and target RTO of 2 hours
Failure scenarios: Data corruption, loss of AZ
- EC2 writes to persistent storage using distributed storage (EFS)
- EFS across multiple AZ’s
- EFS backed up once per day
- Multiple EC2 instances attached to ALB
- ALB added to multiple AZ’s
- Instances in multi-AZ
Note: This example meets AZ failure but not data corruption scenario
Example of Achievable Implementation
Objective: A target RPO of 1 hour and target RTO of 2 hours
Failure scenarios: Data corruption, loss of AZ
- EC2 is ephemeral built with an AMI
- Multiple EC2 instances attached to ALB
- ALB added to multiple AZs
- Instances in multi-AZ
- Persistent data written to RDS database
- RDS database in single AZ
- Database backed up once per day
Note: This example utilises multiple recovery strategies
Note: RDS utilises log shipping every 5 minutes – this allows for a point-in-time recovery to within 5 mins since the last backup was taken. A backup can be used to restore an RDS database in another AZ and made available to a minimum of 3 AZs due to being stored on S3.
Note: Assumes corruption was caught within an hour of the event occurring.
Example for Thought
Objective: A target RPO of 1 hour and target RTO of 2 hours
Failure scenarios: Data corruption, loss of AZ
- EC2 is ephemeral built with an AMI
- Multiple EC2 instances attached to ALB
- ALB added to multiple AZs
- Instances in multi-AZ
- Persistent data written to custom database
- Custom database on EC2 in single AZ
- Database backed up once per day
See the problem?
A custom database running on EC2 instead of RDS (such as RDS Custom) can’t take advantage of the capabilities. This requires deeper consideration for both availability and recoverability to meet the recovery objectives and the failure scenarios being protected against.
Architect to Requirements
- It is important to architect your solution to meet your own individual needs
- Validate your requirements against business objectives – they aren’t always aligned
- Validate your business continuity plan through testing
- Validate restoration and evaluate if the process meets your RTO/RPO targets
- Use tools to validate a mean time to recovery – then adjust accordingly
- Be flexible with your objectives – they can change over time
- The most successful implementations are when requirements are known, challenged and adopted with flexibility
- Objectives are targets but shouldn’t be considered hard and fast