DEVELOPyo

Amazon MemoryDB for Redis 는 OpenSource 인 Redis 를 Amazon 클라우드 컴퓨팅 자원을 사용해 AWS 에서 지원하는 것으로, Redis 와 거의 모든 면에서 동일합니다.

다만 AWS Redis 를 사용할 경우, Redis 서버를 직접 구축하는 것 보다 Performance와 Durability 면에서 이점을 가지며, 설정이 편리한 장점이 있습니다.

이 글에선 Redis의 Persistence(영속성)/Durability(내구성) 측면을 중점적으로 다뤄보겠습니다.

[ Redis RDB vs AOF  ] 

메모리는 휘발성이므로 memory DB 인 Redis 프로세스를 종료하게 되면 데이터가 모두 유실됩니다.

따라서 단순 캐시용도가 아닌 Persistence 한 DB로 활용하기 위해서는 데이터를 Disk 에 저장하여 데이터 유실이 발생하지 않도록 해야합니다.

이를 위해 Redis 엔 RDB(snapshot) 와 AOF(Append Only File) 기능이 존재합니다.

1. RDB

• RDB 는 memory snapshot 파일의 확장자인 .rdb 를 의미
• 특정 시점/간격 마다 메모리의 전체 데이터를 디스크에 바이너리 파일로 저장(snapshot)하는 방식
• 특정 시점마다 백업을 받을 때 사용
• AOF 파일보다 사이즈가 작다는 특징이 있고 사이즈가 작으므로 로딩 속도도 AOF 보다 빠른 장점이 있습니다.
• RDB 관련주요 redis.conf 파라미터

• RDB 방식의 문제점
  Redis 장애 발생시 .rdb 백업 시점 이후에 발생한 데이터는 유실됨

# .rdb 데이터 유실 예시
> SET key val
> SET key1 val1
> SAVE
> SET key val2 #SAVE 이후로 데이터 유실
> SET key1 val3 #SAVE 이후로 데이터 유실

2. AOF

• Append Only File 이라는 의미에서 알 수 있듯이 .aof 파일에 모든 쓰기 명령을 기록 (조회는 제외)
• redis client 가 redis 에 쓰기 명령을 요청하면 Redis 는 해당 명령을 .aof 파일(디스크)에 저장한 후, 해당 명령을 수행하는 방식으로 RDB 방식과 달리 특정 시점이 아닌 항상 현재 시점까지의 로그를 기록
• CUD 를 계속 append 하며 기록하게 되므로 파일 크기가 계속 커지게 되는데, Rewrite 를 하게 되면 최종 데이터만 기록되어 파일 크기가 작아진다

# 기존 appendonly.aof 파일 예시
SET key value
SET key value2
SET key value3
SET key value4

# AOF REWRITE 실행 후 appendonly.aof 파일
SET key value4 # 최종 데이터인 key value4 만 남게된다

• AOF 관련 주요 redis.conf 파라미터

• AOF 를 사용한 복구 예시 
  .aof 파일에서 문제가 되는 명령어를 수정/제거한 후 redis 서버를 재시작하면 데이터 손실없이 DB를 살릴 수 있다

# .aof 를 사용한 복구 예시
*1
$8
flushall #문제가 되는 해당 명령어 삭제 후 저장

• AOF 방식의 문제점
  모든 쓰기 기록이 남아있는 파일이므로 RDB 방식에 비해 백업 데이터 크기가 크고, 모든 라인이 한 줄 씩 재수행 되므로 서버자원을 많이 사용

[ RDB vs AOF 무엇을 써야하는가? ]

특정 시점을 기준으로 메모리 DB의 데이터를 백업하는 snapshot 방식의 RDB 방식과

조회 명령을 제외한 모든 쓰기 명령을 기록하는 AOF 방식은

각각의 장단점이 명확하므로 AOF 를 default로 사용하고 RDB 를 optional로 사용하는 방식으로 둘을 조합하여 사용합니다.

→ 서버가 실행될 때 백업된 .rdb 를 reload 하여 복구하고, snapshot 시점과 shutdown 사이의 데이터만 AOF 로그로 복구하여 서버 재기동 시간과 서버자원을 절약

그렇다면 RDB 와 AOF 방식을 통해 memory DB 인 Redis 를 Persistence 하게 사용 할 수 있을까요?

모든 쓰기 명령을 로그로 기록하는 AOF 방식도 아래와 같은 데이터 손실 가능성이 있다고 합니다.

아래는 AWS memoryDB 관련 가이드 발췌 글입니다. (출처: https://aws.amazon.com/ko/memorydb/faqs/)

How is MemoryDB’s durability functionality different from open source Redis’ append-only file (AOF)?
MemoryDB leverages a distributed transactional log to durably store data. By storing data across multiple AZs, MemoryDB has fast database recovery and restart. Also, MemoryDB offers eventual consistency for replica nodes and consistent reads on primary nodes.
Open source Redis includes an optional append-only file (AOF) feature, which persists data in a file on a primary node’s disk for durability. However, because AOF stores data locally on primary nodes in a single availability zone, there are risks for data loss. Also, in the event of a node failure, there are risks of consistency issues with replicas.

How does MemoryDB durably store my data?
MemoryDB stores your entire data set in memory and uses a distributed Multi-AZ transactional log to provide data durability, consistency, and recoverability. By storing data across multiple AZs, MemoryDB has fast database recovery and restart. By also storing the data in-memory, MemoryDB can deliver ultra-fast performance and high throughput.

위 글에서 알 수 있듯이 Redis AOF는 .aof 파일을 마스터 노드 디스크(싱글 AZ라 할 수 있는)에만 저장하여 데이터 loss risk가 있으며 노드 장애시 슬레이브 노드와 데이터 일관성 문제가 있을 수 있다고 합니다.

AWS memoryDB for Redis 는 모든 메모리 데이터를 분산된 multi AZ 에 transaction log 로 기록하여 durability 와 마스터 노드 ↔ 슬레이브 노드간의 데이터 일관성을 보장한다고 합니다.

아래는 Redis 와 AWS MemoryDB for Redis 의 차이를 정리한 차트입니다.

참고 :

https://redis.io/docs/management/persistence/

https://docs.aws.amazon.com/memorydb/latest/devguide/what-is-memorydb-for-redis.html

https://aws.amazon.com/ko/memorydb/faqs/

https://hyunki1019.tistory.com/169

https://rmcodestar.github.io/redis/2018/12/10/redis-persistence/

https://www.youtube.com/watch?v=Jbq_XZMZEKY

[ AWS STS (Security Token Service) ]

AWS 리소스에 대한 임시 접근 권한 부여(임시토큰)

토큰은 최대 1시간 유효 (refresh 필요)

AssumeRole/AssumeRoleWithSAML/AssumeRoleWithWebIdentity/GetSessionToken

- Allows to grant limited and temporary access to AWS resources

- Token is valid for up to one hour (must be refreshed)

1. AssumeRole

  Within your own account: for enhanced security

  Cross Account Access : assume role in target account to perform actions there

2. AssumeRoleWithSAML

  return credentials for users logged with SAML

3. AssumeRoleWithWebIdentity

  return creds for users logged with an IDP(Identity Provider) (Facebook/Google Login..)

  AWS recommends against using this, and using Cognito instead

4. GetSessionToken

  for MFA(MultiFactorAthentication), from a user or AWS account root user

[ Using STS to Assume a Role ]

1. IAM Role 생성

2. IAM Role 에 대한 principal 생성

3. AWS STS 를 사용하여 자격 취득

4. 임시 자격은 15분에서 1시간 까지 유효

1. Define an IAM Role within your account or cross-account

2. Define which principals can access this IAM Role

3. Use AWS STS (Security Token Service) to retrieve credentials and impersonate(가장하다) the IAM Role you have access to (AsumeRole API)

4. Temporary credentials can be valid between 15 minutes to 1 hour

[ Identity Federation in AWS ]

Identity Federation 을 통해 외부 사용자가 AWS 자원에 대한 임시 접근 권한을 가질 수 있음

이를 사용하여 IAM 유저 생성 없이 AWS 접근 허용이 가능

- Federation lets users outside of AWS to assume temporary role for accessing AWS resources

- These users assume identity provided access role

- Federations can have many flavors

  -- SAML 2.0

  -- Custom Identity Broker

  -- Web Identity Federation with Amazon Cognito

  -- Web Identity Federation without Amazon Cognito

  -- Single Sign On

  -- Non-SAML with AWS Microsoft AD

- Using federation, you don't need to create IAM users (user management is outside of AWS)

[ SAML 2.0 Federation ] 

- To integrate Active Directory/ADFS with AWS (or any SAML 2.0)

- Provides access to AWS Console or CLI (through temporary creds)

- No need to create an IAM user for each of your employees

* SSO (Single Sign On) : 여러 AWS 계정 및 비지니스 앱에 대한 액세스를 중앙에서 관리 및 사용자에게 Single Sign-On 액세스 제공하여 할당된 모든 계정 및 앱을 한곳에서 액세스 가능케 하는 서비스

(AWS STS 사용하기(좌측) : https://gnidoc.tistory.com/entry/%EB%A7%A5%EC%97%90%EC%84%9C-AWS-STS-CodeCommit-%EC%82%AC%EC%9A%A9%ED%95%98%EA%B8%B0)

(SSO 사용 하기(우측 그림) : https://cloudest.tistory.com/62)

[ SAML 2.0 Federation - Active Directory FS ] 

Same process as with any SAML 2.0 compatible idp

[ SAML 2.0 Federation ]

IAM 과 SAML 간의 양방향 신뢰 설정 필요

SAML2.0 은 웹기반에서만 동작

AssumeRoleWithSAML STS API 사용

가급적 SSO 사용

- Needs to setup a trust between AWS IAM and SAML (both ways)

- SAML 2.0 enables web-based, cross domain SSO

- Uses the STS API : AssumeRoleWithSAML

- Note federation through SAML is the old way of doing things

- Amazon Single Sign On(SSO) Federation is the new managed and simpler way

[ Custom Identity Broker Application ]

SAML 2.0 사용 불가할 경우 사용

AssumeRole/GetFederation 토큰 등 STS API 사용

Use only if identity provider is not compatible with SAML 2.0

The identity broker must determine the appropriate IAM policy

Uses the STS API : AssumeRole or GetFederation Token

[ Web Identity Federation - AssumeRoleWithWebIdentity ]

Not recommended by AWS - use Cognito Instead (allows for anonymous users, data synchronization, MFA)

[ AWS Cognito ]

Goal :

- Provide direct access to AWS Resources from the Client Side(mobile/web app)

Example :

- provide (temporary) access to write to S3 bucket using Facebook Login

Problem :

- We don't want to create IAM users for our app users

How :

- Log in to federated identity provider - or remain anonymous

- Get temporary AWS credeantials back from the Federated Identity Pool

- These credentials come with a pre-defined IAM policy stating their permissions

[ AWS Monitoring : CloudWatch Alarms ]

Alarm은 metric 값에 대한 알림을 주기위해 사용

- Alarms are used to trigger notifications for any metric

- Various options (sampling, %, max, min, etc..)

- Alarms States :

  1) OK

  2) INSUFFICIENT_DATA

  3) ALARM

- Period :

  -- Length of time in seconds to evaludate the metric

  -- High resolution custom metrics : 10 sec, 30 sec, or multiples of 60 sec

[ CloudWatch Alarm Targets ]

CloudWatch 가 Alarm 이 울리면(metric 값에 의해) EC2 를 Stop, Terminate, Reboot, or Recover 할 수 있음

Auto Scaling 실행

SNS 로 알림

- Stop, Terminate, Reboot, or Recover an EC2 Instance 

- Trigger Auto Scaling Action

- Send notification to SNS (from which you can do pretty much anything)

[ EC2 Instance Recovery ]

- Status Check :

  Instance status = check the EC2 VM

  System status = check the underlying hardware

Recovery : Same Private, Public, Elastic IP, metadata, placement group

[ CloudWatch Alarm : good to know ]

CloudWatch Logs Metrics Filter 에 의해 알람이 생성되며 알람은 SNS 를 통해 adm에게 알림

- Alarms can be created based on CloudWatch Logs Metrics Filters

- To test alarms and notifications, set the alarm state to Alarm using CLI

aws cloudwatch set-alarm-state --alarm-name "myalarm" --state-value ALARM --state-reason "testing purposes"

[ CloudWatch Events ]

AWS 서비스 관제기능

EC2 인스턴스 기동 등의 AWS 서비스로부터 이벤트 인터셉트. 스케쥴링이나 크론으로 설정 가능

* EC2 인스턴스 실행시 관제 메시지 발생시키거나 하는 등의 기능

Event Pattern : Intercept events from AWS services (Sources)

- Example sources: EC2 Instance Start, CodeBuild Failure, S3, Trusted Advisor

- Can intercept any API call with CloudTrail integration

Schedule or Cron

A JSON payload is created from the event and passed to a target

- Compute : Lambda, Batch, ECS task

- Integration : SQS, SNS, Kinesis Data Streams, Kinesis Data Firehose

- Orchestration : Step Functions, CodePipeline, CloudBuild

- Maintenance : SSM, EC2 Actions

[ AWS Monitoring : CloudWatch Logs ]

- Applications can send logs to CloudWatch using the SDK

- CloudWatch can collect log from :

  1) Elastic Beanstalk : collection of logs from application

  2) ECS : collection from containers

  3) AWS Lambda : collection from function logs

  4) VPC Flow Logs : VPC specific logs

  5) API Gateway

  6) CloudTrail based on filter

  7) CloudWatch log agents : for example on EC2 machines

  8) Route53 : Log DNS queries

- CloudWatch Logs can go to :

  1) Batch exporter to S3 for archival

  2) Stream to ElasticSearch cluster for further analytics

[ AWS CloudWatch Logs ]

- Logs storage architecture :

  -- Log groups : arbitrary(임의의) name, usually representing an application

  -- Log stream : instances within application/log files/containers

- Can define log expiration policies (never expire, 30 days, etc..)

- Using the AWS CLI we can trail CloudWatch logs

- To send logs to CloudWatch, make sure IAM permissions are correct!

- Security : encryption of logs using KMS at the Group Level

[ CloudWatch Logs Metric Filter & Insights ]

- CloudWatch Logs can use filter expressions

  -- For example, find a specific IP inside of a log

  -- Metric filters can be used to trigger alarms

※ CloudWatch Logs Insights (new - Nov 2018) can be used to query logs and add queries to CloudWatch Dashboards

[ CloudWatch Logs for EC2 ]

- By default, no logs from your EC2 machine will go to CloudWatch

- You need to run a CloudWatch agent on EC2 to push the log files you want

- Make sure IAM permissions are correct

- The CloudWatch log agent can be setup on-premises too

※ On-premise : 자사가 보유한 서버에 서비스 구축

※ Off-premise : AWS와 같은 원격 클라우드 등에 서비스 구축

[ CloudWatch Log Agent & Unified Agent ]

- For virtual servers (EC2 instances, on-premise servers..)

1. CloudWatch Logs Agent

   - Old version of the agent

   - Can only send to CloudWatch Logs

-2. CloudWatch Unified Agent

   - Collect additional system-level metrics such as RAM, processes, etc...

   - Collect logs to send to CloudWatch Logs

   - Centralized configuration using SSM Parameter Store

[ CloudWatch Unified Agent - Metrics ] 

- Collected directly on your Linux server / EC2 instance

1) CPU (active, guest, idle, system, user, steal)

2) Disk metrics (free, used, total), Disk IO (writes, reads, bytes, iops)

3) RAM (free, inactive, used, total, cached)

4) Netstat (number of TCP and UDP connections, net packets, bytes)

5) Processes (total, dead, bloqued, idle, running, sleep)

6) Swap Sapce (free, used, used &)

※ Reminder : out-of-the box metrics for EC2 - disk, CPU, network (high level)

[ AWS Monitoring : CloudWatch ]

[ CloudWatch Metrics ]

- CloudWatch provides metrics for every services in AWS

- Metric is a variable to monitor (CPUUtilization, NetworkIn..)

- Metrics belong to namespaces

- Demension is an attribute of a metric (instance id, environment, etc...)

- Up to 10 dimensions per metric

- Metrics have timestamps

- Can create CloudWatch dashboards of metrics

[ EC2 Detailed monitoring ] 

- EC2 instance metrics have metrics "every 5 minutes"

- With detailed monitoring (for a cost), you get data "every 1 minute"

- Use detailed monitoring if you want to scale faster for your ASG

- The AWS Free Tier allows us to have 10 detailed monitoring metrics

※ Note : EC2 Memory usage is by default no pushed (must be pushed from inside the instance as a custom metric)

[ CloudWatch Custom Metrics ]

2주 과거, 2시간 미래의 매츠릭 데이터 포인트 사용 가능 (EC2 instance 시간이 정확하게 맞춰져있어야 함)

PutMetricData API 호출을 통해 커스텀 매트릭을 CloudWatch에  보낼 수 있음

- Possibility to define and send your own custom metrics to CloudWatch

- Example : memory(RAM) usage, disk space, number of logged in users

- Use API call PutMetricData

- Ability to use dimensions (attributes) to segment metrics

  -- Instance.id

  -- Environment.name

- Metric resolution (StorageResolution API parameter - two possible value) :

  -- Standard : 1 minute (60 seconds)

  -- High Resolution : 1/5/10/30 second(s) - Higher cost

※ Important : Accepts metric data points two weeks in the past and two hours in the future (make usre to configure your EC2 instance time correctly)

[ CloudWatch Dashboards ]

여러개의 AWS Account 및 regions 의 그래프를 대시보드에 사용 가능

- Great way to setup custom dashboards for quick access to key metrics and alarms

- Dashboards are global

- Dashboards can include graphs from different AWS accounts and regions ***

- You can change the time zone & time range of the dashboards

- You can setup automatic refresh (10s, 1m, 2m, 5m, 15m)

- Dashboards can be shared with people who don't have an AWS account (public, email address, 3rd party SSO provider through Amazon Cognito)

- Pricing :

  --  3 dashboards (up to 50 metrics) for free

  -- $3 per dashboard per month afterwards

[ Databases in AWS : ElasticSearch ]

주로 다른 DB 를 보완하기위해 사용

필드 상관없이 조회 가능, 부분 매칭이어도 조회가 가능

- Example : In DynamoDB, you can only find by primary key or indexes

- With ElasticSearch, you can search any field, even partially matches

- It's common to use ElasticSearch as a complement to another database

- ElasticSearch also has some usage for Big Data applications

- You can provision a cluster of instances

- Built-in integrations : Amazon Kinesis Data Firehose, AWS IoT, and Amazon CloudWatch Logs for data ingestion

- Security through Cognito & IAM, KMS encryption, SSL & VPC

- Comes with Kibana (visualization) & Logstash (log ingestion) - ELK stack

[ ElasticSearch for Solutions Architect ]

Operations : similar to RDS

Security : Cognito, IAM, VPC, KMS, SSL

Reliability : Multi-AZ, clustering

Performance : based on ElasticSearch project(open source), petabyte scale

Cost : pay per node provisioned (similar to RDS)

Remember : ElasticSearch = Search/Indexing

[ Databases in AWS : Neptune ]

- Fully managed graph database

- When do we use Graphs?

  -- High relationship data

  -- Social Networking : Users friends with Users, replied to comment on post of user and likes other comments

  -- Knowledge graphs

- Highly available across 3 AZ, with up to 15 read replicas

- Point-in-time recovery, continuous backup to Amazon S3

- Support for KMS encryption at rest + HTTPS

[ Neptune for Solutions Architect ]

Operations : similar to SDS

Security : IAM, VPC, KMS, SSL (similar to RDS) + IAM Authentication

Reliability : Multi-AZ, clustering

Performance : best suited for graphs, clustering to improve performance

Cost : pay per node provisioned (similar to RDS)

※ Remember : Neptune = Graphs

[ Databases in AWS : Glue ]

- Managed extract, transform, and load (ETL) service

- Useful to prepare and transform data for analytics

- Fully serverless service

[ Glue Data Catalog ]

- Glue Data Catalog : catalog of datasets

[ Databases in AWS : Redshift ]

PostgreSQL 기반이지만 OLTP(트랜잭션 프로세싱) 지원하지않음

로우기반이아닌 칼럼기반 데이터 저장

MPP(대규모 병렬 쿼리)를 사용하여 다른 데이터베이스에 비해 월등히 뛰어난 성능

AWS Quicksight/Tableau 등의 BI(Business Intelligence) 툴 제공

- Redshift is based on PostgreSQL, but it's not used for OLTP(Online Transaction Processing)

- It's OLAP(Online Analytical Processing) - online analytical processing (analytics and data warehousing)

- 10x better performance than other data warehouses, scale to PBs of data

- Columnar storage of data (instead of row based)

- Massively Parallel Query Execution (MPP) -> reason why it is such high performance

- Pay as you go based on the instances provisioned

- Has a SQL interface for performing the queries

- BI(Business Intelligence tools such as AWS Quicksight or Tableau integrate with it

- Data is loaded from S3, DynamoDB, DMS, other DBs

- From 1 node to 128 nodes, upto 128TB of space per node

   -- Leader node : for query planning, results aggregation

   -- Compute node : for performing the queries, send results to leader

- Redshift Spectrum : perform queries directly against S3 (no deed to load)

- Backup & Restore, Security VPC / IAM / KMS, Monitoring

- Redshift Enhanced VPC Routing : COPY / UNLOAD goes through VPC

[ Redshift - Snapshots & DR ]

- Redshift has no "Multi-AZ" mode

- Snapshots are point-in-time backups of a clust, stored internally in S3

- Snapshots are incremental (only what has changed is saved)

- You can restore a snapshot into a new cluster

  -- Automated : every 8 hours, every 5 GB, or on a schedule, Set retention

  -- Manual : snapshot is retained until you delete it

- You can figure Amazon Redshift to automatically copy snapshots (automated or manual) of a cluster to another AWS Region

DR(Disaster Recovery) plan : 스냅샷 자동생성 활성화, Redshift cluster 가 자동으로 스냅샷을 다른 AWS Region에 카피하도록 설정

[ Loading data into Redshift ]

[ Redshift Spectrum ]

S3 의 데이터를 Redshift 테이블에 직접 넣지 않고(로딩하지 않고) 쿼리의 실행이 가능하도록 하는 기능

Redshift cluster 가 활성화 되어있어야 사용가능

- Query data that is already in S3 without loading it

- Must have a Redshift cluster available to start the query

- The query is then submitted to thousands of Redshift Spectrum nodes

[ Redshift for Solutions Architect ]

Operations : like RDS

Security : IAM, VPC, KMS, SSL (like RDS)

Reliability : auto healing features, cross-region snapshot copy

Performance : 10x performance vs other data warehousing, compression

Cost : pay per node provisioned, 1/10th of the cost vs other warehouses

vs Athena : faster queries / joins / aggregations thanks to indexes

※ Redshift = Analytics / BI / Data Warehouse

[ Athena Overview ]

Database 는 아니지만 S3위에 query 엔진을 제공

- Fully Serverless database with SQL capabilities

- Used to query data in S3

- Pay per query

- Output results back to S3

- Secured through IAM

※ Use Case : one time SQL queries, serverless queries on S3, log analytics

[ Athena for Solutions Architect ]

Operations : no operations needed, serverless

Security : IAM + S3 security

Reliability : managed service, uses Presto engine, highly available

Performance : queries scale based on data size

Cost : pay per query / per TB of data scanned, serverless