by Daniel Pohl, Director of Product Management

Read the other posts in this series:

1. Part 1: IaC Makes Your AWS CI/CD Pipelines Run Smoothly
2. Part 2: Why IaC + CI/CD Pipelines Are Simpler for Containerized Applications
3. Part 3: IaC + CI/CD Pipelines for Applications on Amazon EC2
4. Part 4: IaC + CI/CD Pipelines for Kubernetes Apps (Amazon EKS)

If your application requires EC2 hosting, Logicworks offers services that provide similar benefits as container technologies, but for applications not architected for containers.  Let’s consider these benefits within the context of your application’s IaC & CI/CD pipeline.

As discussed in Part 1, your cloud native application’s CI/CD pipeline process creates both the application and its needed cloud infrastructure.

As discussed in Part 2, your CI/CD pipeline must consider that any changes to EC2 instances’ complete operating systems (e.g. O/S patching) might affect the executing application.  The pipeline process should execute whenever any O/S or application changes occur.

Logicworks’ customers commonly use 3 different IaC and CI/CD pipeline methodologies to reliably and repeatedly build, test, and deploy their EC2-hosted applications whenever application or O/S changes occur:

• • Single Golden AMI: 1 base AMI for all EC2 instances
  • Hybrid (most common): Separate AMI for each application role
  • Immutable Infrastructure: Pre-baked AMIs with zero post-launch configuration

All these pipeline methodologies can make use of Logicworks Image Factory to create secure AMIs with the current O/S patches.  These methodologies differ in how much of the application and configuration is pre-baked into the AMI versus applied during the EC2 instance launch.

The Logicworks team offers opinionated expert advice to help our customers select the optimal pipeline methodology given technical, commercial, and compliancy requirements.

Single Golden AMI pipeline

In the Single Golden AMI pipeline methodology, the IaC defines a single golden AMI that is the foundation for all the application’s EC2 instances.  Then, as the instances launch, the CI/CD and bootstrap processes dynamically configure the instances’ operating systems and installed applications.  Once the launched instance is configured according to its intended compute role (e.g. “frontend webserver”), then the system can start distributing workload to the new instance.

Distinct steps in the Single Golden AMI methodology:

1. 1. (periodically) Logicworks Image Factory creates 1 golden AMI for entire application
      1. Hardening to achieve security standards set by the Center for Internet Security
      2. Anti-malware and intrusion detection agents
      3. Logicworks Configuration Management and AWS CodeDeploy agents
      4. Latest O/S patches
   2. (on launch of new EC2 instance) Logicworks Configuration Management
      1. Initialization of anti-malware and intrusion detection agents
      2. O/S configurations needed given instance’s compute role
      3. CodeDeploy your application

A benefit of the Single Golden AMI methodology is the simplicity of only baking and validating only 1 AMI.

A downside can be the time and complexity of the various on-launch configurations given the instance’s compute role.  For example, the installation & configuration of the nginx webserver delays the introduction of newly launching “frontend webserver” instances into an overloaded load-balanced resource pool.

Hybrid pipeline

The desire for faster Auto Scaling EC2 instance launch times drives Logicworks to recommend a Hybrid AMI IaC and CI/CD pipeline methodology.

In the Hybrid methodology, the IaC defines a separate golden AMIs per compute role.  An application typically has different roles like “frontend webserver”, “backend appserver”, and “worker”.  Each of these roles has unique configuration requirements and therefore benefits from starting from a role-specific AMI.

For example, “frontend webservers” may have the nginx webserver component pre-installed and be configured to allow inbound traffic on ports 80 and 443.  Whereas, “backend appservers” might only allow inbound traffic on port 443 and “worker” might not allow inbound traffic on any port.  In the Hybrid methodology, most if not all installations and configurations can be pre-baked into the role-specific AMI.

The Logicworks team recommends the optimal number of unique compute roles to balance performance versus maintainability.

When Auto Scaling triggers and additional EC2 instances launch, Logicworks Configuration Management quickly performs the final agent initializations and the CodeDeploy of your application.

Distinct steps in the Hybrid methodology:

1. 1. (periodically) Logicworks Image Factory creates a golden AMI per compute-role
      1. Hardening to achieve security standards set by the Center for Internet Security
      2. Anti-malware and intrusion detection agents
      3. Logicworks Configuration Management and AWS CodeDeploy agents
      4. Latest O/S patches
      5. Role-specific component installations and configuration management
   2. (on launch of new EC2 instance) Logicworks Configuration Management
      1. Initialization of anti-malware and intrusion detection agents
      2. CodeDeploy your application

Logicworks often recommends the Hybrid AMI methodology for having the optimal balance of flexibility, maintainability, and Auto Scaling launch speed.

Immutable Infrastructure pipeline

Logicworks customers that require the fastest possible Auto Scaling EC2 instance launch speeds select the Immutable Infrastructure IaC and CI/CD pipeline methodology.

In the Immutable Infrastructure methodology, the IaC defines a pre-baked AMI per compute role.  For example, the “frontend webserver” role-specific AMI already will have nginx and the application’s frontend components installed and will have all O/S configurations (e.g. opened ports 80 & 443) complete.

EC2 Auto Scaling speed is optimized because no additional configurations or application installations are needed at launch time.

Distinct steps in the Immutable Infrastructure methodology:

1. (periodically) Logicworks Image Factory creates a golden AMI per compute role
   1. Hardening to achieve security standards set by the Center for Internet Security
   2. Anti-malware and intrusion detection agents
   3. Logicworks Configuration Management and AWS CodeDeploy agents
   4. Latest O/S patches
   5. Role-specific component installations and configurations
   6. Installation of your application
2. (on launch of new EC2 instance)
   1. (nothing more to do)

A downside of Immutable Infrastructure is that some software, including components that your application may rely on and certain anti-malware and intrusion detection agents, cannot be initialized within the pre-baked AMI.

Logicworks helps our customers select between the different IaC and CI/CD pipeline methodologies given their technical, commercial, and compliancy requirements.

Create secure AMIs with Logicworks Image Factory

Logicworks customers can use the Logicworks Image Factory to generate AMIs to match their needs in all these IaC and CI/CD pipeline methodologies.

Our Logicworks Image Factory can apply CIS hardening controls to meet your compliancy requirements.  The Image Factory also keeps track of and applies your O/S configurations, latest O/S patches, security agents, and networking configurations.

Our Image Factory automatically tests its newly generated AMIs and offers compliance reports that make audits go smoothly.

Balance performance vs. cost with Auto Scaling logic

Logicworks codes best-practice Auto Scaling logic into your IaC to optimally scale your EC2 hosted application.  The Logicworks team offers opinionated expert advice on what rules should govern the expansion (scale out) or contraction (scale in) of your application to best balance performance versus cost.

Rules typically check for low memory, high disk use, high bandwidth use, slow application responses, or some combination of these.  Different components of your application might have different performance needs and thus require unique Auto Scaling logic.

Logicworks ♥ CodeDeploy for Continuous Deployment (and you will too)

Logicworks’ Auto Scaling logic uses AWS CodeDeploy to automated the deployment of your application’s code to launching EC2 instances.

Our combined Auto Scaling & CodeDeploy IaC logic validates that new EC2 instances launched successfully before joining the new instances into your application’s pool of compute resources.  If not, our logic automatically rolls-back and retries the Auto Scaling launch.

Logicworks also has developed CodeDeploy libraries for “blue/green” deployments.  Some Logicworks customers use “blue/green” to release new application code to only half of their EC2 instances within a load balanced pool.

What if we use the (fill in the blank) Continuous Integration Tool?

Our customers’ application dev teams use a wide range of Continuous Integration (CI) tools including Jenkins, TravisCI, GitLab CI, and Bamboo.  Any CI tool can be used with our recommended IaC and CI/CD pipeline methodologies.

Your CI tool automates the steps that follow your developers’ code commits, including:

1. Application build
2. Trigger Logicworks Image Factory to generate new AMIs (as needed)
3. Trigger CodeDeploy Continuous Deployment (CD) process
4. Automated Testing

Validate compliance of running EC2 instances

After EC2 instances launch, Logicworks Configuration Management continuously validates that these running instances maintain the desired O/S configurations, security agents, and networking configurations.

Logicworks Configuration Management uses puppet and SSM agent to periodically validate each running EC2 instance and to automatically perform any corrective actions.

For example, Logicworks Configuration Management might detect that an anti-malware agent has crashed on an EC2 instance.  Logicworks automatically restarts the agent and then re-runs the validation test.

Recap of Logicworks services for your EC2 hosted applications

The Logicworks team offers opinionated expert services including:

• Infrastructure as Code architecture
  • Organize your application’s components into compute roles
  • Optimize Auto Scaling logic to balance performance vs. cost
• Select the optimal IaC & CI/CD pipeline methodology
• Create secure AMIs with Logicworks Image Factory
• Integrate AWS CodeDeploy Continuous Deployment with your Continuous Integration process

These Logicworks services help your cloud-native development teams reliably and repeatedly build, test, and deploy applications and their cloud infrastructure, so they can focus on their application development.

If you want to learn more about Logicworks, visit our website or contact us. Stay tuned for Part 4 of this series: IaC + CI/CD for Kubernetes (EKS) Apps.