Before getting into the details: we talk a lot about AWS on our weekly podcast, Mobycast.
Over the years, as Kelsus and its employees have developed applications, we've walked the path from on-premises cluster installations, to hosted virtual machine deployments on Rackspace, to platforms as a service like Heroku and Google App Engine. We've finally landed on AWS and containerized Docker deployments on ECS. We've not seen anything with a better balance of customizability and developer productivity. As such, we've begun climbing the ladder of the AWS tiered partnership model and are committed to doing the highest quality AWS work possible.
AWS IAM is the identity and access management layer of AWS: users, groups, roles, and the policies that decide who may call which API against which resource. You almost can't use AWS without touching it. That said, it's sophisticated, endlessly configurable, and easy to use without paying any attention to security best practices. Kelsus always makes sure that every user, software agents included, has its own IAM identity (an IAM user for a person; an IAM role for an EC2 instance, ECS task or CI job, so that no long-lived access key has to be handed around), and we give each identity the privileges its job actually needs rather than wide-open privileges, at all times.
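To make "appropriate privileges rather than wide open privileges" concrete, here is an added example (not Kelsus tooling) that puts the wide-open policy a deployment agent often ends up with next to a scoped one, and a small linter that flags the grants a reviewer should refuse. The bucket, queue and account ID in the scoped policy are hypothetical.

```python
"""Lint IAM identity policies for wide-open grants.

Added example, not Kelsus's own code. Both policies are constructed for
illustration; the bucket, queue and account ID are hypothetical.
"""
import json

# Constructed: the "just make it work" policy. Whatever user or role it
# lands on becomes an administrator of the whole account.
WIDE_OPEN = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed: the same deployment agent scoped to what it actually does,
# read one artifact bucket and send to one queue. Identifiers are made up.
SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadArtifacts",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-artifacts",
                "arn:aws:s3:::example-artifacts/*",
            ],
        },
        {
            "Sid": "EnqueueDeploy",
            "Effect": "Allow",
            "Action": "sqs:SendMessage",
            "Resource": "arn:aws:sqs:us-east-1:123456789012:example-deploy",
        },
    ],
}


def as_list(value):
    """IAM accepts a bare string anywhere a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (sid, finding) pairs for Allow statements that grant too much.

    Deny statements are skipped: a broad Deny narrows access rather than
    widening it. Resource "*" is flagged as a review item because some
    APIs genuinely accept nothing else (ec2:DescribeInstances, for one).
    """
    findings = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "NotAction/NotResource allows everything except the listed items"))
        actions = [a.lower() for a in as_list(stmt.get("Action"))]
        resources = as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append((sid, "Action '*' grants every API in every service"))
        else:
            service_wide = [a for a in actions if a.endswith(":*")]
            if service_wide:
                findings.append((sid, "service-wide wildcard action: " + ", ".join(service_wide)))
        if "*" in resources:
            findings.append((sid, "Resource '*' applies the actions to every resource in the account"))
    return findings


if __name__ == "__main__":
    for name, policy in (("WIDE_OPEN", WIDE_OPEN), ("SCOPED", SCOPED)):
        print(name, json.dumps(lint_policy(policy), indent=2))
```

Run it as a script and the wide-open policy produces two findings while the scoped one produces none; pointing `lint_policy` at the output of `aws iam get-policy-version` gives the same check over real policies.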
If you've ever dealt with TLS certificates outside of AWS, you know it's a pain: buy the certificate, do a strange dance between email and websites to prove you own the domain and collect the files, then deploy them in whatever way your particular load balancer or web server expects. AWS Certificate Manager turns the whole process into a few minutes of effort, and once the DNS validation record is in place it renews the certificate automatically. Its certificates are meant to be attached to AWS services such as ELB, CloudFront and API Gateway rather than copied onto servers by hand, which is exactly where we use them.
Kelsus typically uses CloudFront to serve static website content when users are spread across the country or the world. The nice thing about CloudFront is that it includes an explicit invalidation feature, so there is no more 'waiting for the CDN to propagate' when updating content: you request an invalidation for the paths that changed and the edge caches refetch them, usually within minutes. Invalidation paths are billed beyond a free monthly allowance, so versioned file names remain the cheaper habit for assets that change often.
ETL (extract, transform, and load) is a very common point of failure in enterprise applications: data gets stuck because some unexpected record enters the ETL process, and no one notices that the OLAP database is out of date until it's a problem. AWS Data Pipeline makes the whole process more transparent, easier to troubleshoot, and easy to monitor with CloudWatch, which is where the alarm on a stalled pipeline belongs.
EC2 is the original core service of AWS and underlies almost everything Kelsus does there: if our code is running, it's running on EC2 instances. We rarely manage bare EC2 instances anymore, though, because ECS, backed by an EC2 Auto Scaling group, does a great job of commissioning and decommissioning compute capacity as needed.
If you use Docker and AWS, then ECS is an obvious choice. It's as efficient and, within AWS, nearly as flexible as Kubernetes, and it keeps things easy for a competent DevOps team. Kelsus has been using it for all new applications and is working to migrate older applications to it. The IAM point above applies per container here: an ECS task definition can carry its own task role, so each service gets only its own permissions instead of inheriting whatever the host instance's role allows.
Kelsus uses Elastic Load Balancing not just for scaling but for very easy to manage TLS termination (the certificate comes straight from ACM) and, with the Application Load Balancer, for path-based routing when we want different paths in a URL to point to different microservices or applications. Two details are worth getting right on every listener: the plain HTTP listener on port 80 should do nothing but redirect to HTTPS, and the HTTPS listener's security policy should be one that negotiates TLS 1.2 or newer, since the long-standing default policy still accepts TLS 1.0.
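The listener configuration above, as an added example that is not Kelsus's or AWS's code: a weak pair of listeners next to the corrected pair, a check for the two mistakes just described, and a resolver that walks path-based rules the way the ALB does. The dicts follow the shape of `aws elbv2 describe-listeners` and `describe-rules` output but are constructed by hand; every ARN, name and certificate is hypothetical.

```python
"""Check ALB listeners for TLS hygiene and resolve path-based routing rules.

Added example, not Kelsus code. Listener and rule dicts mimic the shape of
`aws elbv2 describe-listeners` / `describe-rules` output but are constructed;
the account, target groups and certificate are hypothetical.
"""
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"  # hypothetical
WEB_TG = f"arn:aws:elasticloadbalancing:us-east-1:{ACCOUNT}:targetgroup/web/1"
API_TG = f"arn:aws:elasticloadbalancing:us-east-1:{ACCOUNT}:targetgroup/api/1"
CERT = f"arn:aws:acm:us-east-1:{ACCOUNT}:certificate/example"

# Predefined ELB security policies that negotiate only TLS 1.2 or newer.
# ELBSecurityPolicy-2016-08, the long-time default, still accepts TLS 1.0.
MODERN_TLS_POLICIES = {
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-Res-2021-06",
    "ELBSecurityPolicy-TLS-1-2-2017-01",
    "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
    "ELBSecurityPolicy-FS-1-2-Res-2020-10",
}


def forward(target_group):
    return {"Type": "forward", "TargetGroupArn": target_group}


# Constructed: the weak setup. Port 80 serves the app directly and the HTTPS
# listener is still on the legacy default policy.
WEAK_LISTENERS = [
    {"Port": 80, "Protocol": "HTTP", "DefaultActions": [forward(WEB_TG)]},
    {"Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-2016-08",
     "Certificates": [{"CertificateArn": CERT}], "DefaultActions": [forward(WEB_TG)]},
]

# Constructed: the corrected setup. Port 80 only redirects; 443 negotiates
# TLS 1.2+ with the ACM certificate attached.
HARDENED_LISTENERS = [
    {"Port": 80, "Protocol": "HTTP", "DefaultActions": [
        {"Type": "redirect", "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
    {"Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
     "Certificates": [{"CertificateArn": CERT}], "DefaultActions": [forward(WEB_TG)]},
]

# Constructed rules on the HTTPS listener: /api/* goes to the API service,
# everything else to the web front end.
RULES = [
    {"Priority": "10", "Conditions": [{"Field": "path-pattern", "Values": ["/api/*"]}],
     "Actions": [forward(API_TG)]},
    {"Priority": "default", "IsDefault": True, "Conditions": [], "Actions": [forward(WEB_TG)]},
]


def lint_listeners(listeners):
    """Return (listener, finding) pairs for the two mistakes discussed above."""
    findings = []
    for lsn in listeners:
        label = f"{lsn['Protocol']}:{lsn['Port']}"
        actions = lsn.get("DefaultActions", [])
        if lsn["Protocol"] == "HTTP":
            redirects = any(a.get("Type") == "redirect"
                            and a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
                            for a in actions)
            if not redirects:
                findings.append((label, "plain HTTP listener serves traffic instead of redirecting to HTTPS"))
        elif lsn["Protocol"] == "HTTPS":
            if lsn.get("SslPolicy") not in MODERN_TLS_POLICIES:
                findings.append((label, f"SslPolicy {lsn.get('SslPolicy')} is not a TLS 1.2+ policy"))
            if not lsn.get("Certificates"):
                findings.append((label, "no certificate attached"))
    return findings


def resolve_target(rules, path):
    """Return the target group ARN the ALB would forward `path` to.

    Mirrors listener rule evaluation: non-default rules in ascending
    Priority, a rule matches when all its conditions match, and the default
    rule catches the rest. ALB path patterns use * (any run of characters)
    and ? (one character), which is what fnmatchcase implements.
    """
    ordered = sorted((r for r in rules if not r.get("IsDefault")),
                     key=lambda r: int(r["Priority"]))
    for rule in ordered:
        if all(path_matches(c, path) for c in rule["Conditions"]):
            return rule["Actions"][0]["TargetGroupArn"]
    default = next(r for r in rules if r.get("IsDefault"))
    return default["Actions"][0]["TargetGroupArn"]


def path_matches(condition, path):
    if condition["Field"] != "path-pattern":
        raise ValueError("only path-pattern conditions are modelled here")
    return any(fnmatchcase(path, pattern) for pattern in condition["Values"])


if __name__ == "__main__":
    print("weak:", lint_listeners(WEAK_LISTENERS))
    print("hardened:", lint_listeners(HARDENED_LISTENERS))
    print("/api/users ->", resolve_target(RULES, "/api/users"))
```

The rule resolver is there to show why priorities matter: a catch-all rule with a lower priority number than `/api/*` would swallow the API traffic, and the ALB evaluates exactly that ordering.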
There are times when a very fast key-value store, in memory or on disk, comes in handy. Whenever the need arises, Kelsus uses Redis via ElastiCache. Keeping the Redis installation inside AWS, managed by AWS, and in a private subnet of the VPC takes care of much of the security and monitoring burden that plagues self-hosted Redis: patching is handled, CloudWatch metrics come for free, and nothing outside the security groups you allow can reach the endpoint. What does not come for free is authentication: a Redis endpoint is unauthenticated by default, so in-transit encryption with an AUTH token (or, on Redis 6 and later, RBAC users) is something you still turn on yourself.
Amazon Neptune is AWS's fully managed graph database service for applications that work with highly connected datasets. Its core is a purpose-built, high-performance graph engine optimized for storing billions of relationships and querying the graph with millisecond latency.
Kelsus urges all customers toward Postgres; in our opinion it's the best database in the world. And since we're already in AWS, running Postgres inside RDS is a foregone conclusion. RDS takes care of the mundane tasks of scheduled backups and point-in-time recovery, and it makes Multi-AZ high availability as easy as a checkbox.
Read anything about Redshift recently and you'll find data scientists, BI experts, and data warehouse managers of all kinds praising it as a game changer in speed and performance. The only downside ever mentioned is that it's only available on AWS. Kelsus, though, is sold on AWS for the long term, and we believe in its reliability and performance for your data.
If you've ever used another DNS provider (god forbid GoDaddy) and then tried Route 53, you know it's so superior that it's almost laughable. It also has the added benefit that if you're using AWS load balancers, they show up automatically in the drop-down when you create an alias record, and unlike a CNAME an alias record can sit at the zone apex, so the bare domain itself can point at the balancer.
If there are any photos, videos or data files that need to be kept safely for your project, Kelsus will naturally put them in S3. Its 99.999999999% durability is good enough durability. It's also very secure when combined with AWS KMS: an object written with SSE-KMS can only be read by an identity that has both s3:GetObject on the bucket and kms:Decrypt on the key, so we use it to store deployment secret keys and passwords for the APIs your system needs to talk to. (AWS Secrets Manager and SSM Parameter Store SecureString parameters are the purpose-built alternatives for the same job.) Less experienced dev shops often end up putting these secrets in code in clear text.
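The S3-plus-KMS arrangement is only as strong as the bucket's rules, so here is an added example (not Kelsus's policy) of a bucket policy for such a secrets bucket: it refuses uploads that are not KMS encrypted and refuses any access that is not over TLS. The `is_denied` function beside it evaluates the policy against constructed requests so you can see which statement catches which mistake; it models only the condition operators this policy uses, not the full IAM engine. The bucket name is hypothetical.

```python
"""Bucket policy for a secrets bucket, plus a small evaluator.

Added example, not Kelsus's policy. The bucket name is hypothetical and
`is_denied` models only the operators used here (Bool, Null,
StringNotEquals); real evaluation also involves Principal, Allow
statements, identity policies and SCPs.
"""
from fnmatch import fnmatchcase

BUCKET = "example-deploy-secrets"  # hypothetical

SECRETS_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
        {
            # StringNotEquals does not fire when the header is absent, so the
            # documented pattern adds a Null statement for header-less uploads.
            "Sid": "DenyMissingEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}


def as_list(value):
    return value if isinstance(value, list) else [value]


def condition_holds(operator, pairs, context):
    """Evaluate one {operator: {key: value}} block; every key must hold."""
    for key, want in pairs.items():
        have = context.get(key)
        if operator == "Null":
            # "true" means the key must be absent from the request.
            ok = (have is None) == (str(want).lower() == "true")
        elif operator == "Bool":
            ok = have is not None and str(have).lower() == str(want).lower()
        elif operator == "StringNotEquals":
            # A missing key never satisfies StringNotEquals.
            ok = have is not None and have not in as_list(want)
        else:
            raise ValueError(f"operator {operator} is not modelled")
        if not ok:
            return False
    return True


def is_denied(policy, request):
    """Return the Sid of the first Deny statement that matches, else None."""
    action = request["action"].lower()  # IAM action names are case-insensitive
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        if not any(fnmatchcase(action, a.lower()) for a in as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(request["resource"], r) for r in as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {})
        if all(condition_holds(op, pairs, request["context"]) for op, pairs in conditions.items()):
            return stmt["Sid"]
    return None


def make_request(action, key, secure=True, sse=None):
    """Build a constructed request with the context keys the policy inspects."""
    context = {"aws:SecureTransport": "true" if secure else "false"}
    if sse is not None:
        context["s3:x-amz-server-side-encryption"] = sse
    return {"action": action, "resource": f"arn:aws:s3:::{BUCKET}/{key}", "context": context}


if __name__ == "__main__":
    for req in (make_request("s3:PutObject", "api.json", sse="aws:kms"),
                make_request("s3:PutObject", "api.json", sse="AES256"),
                make_request("s3:PutObject", "api.json"),
                make_request("s3:GetObject", "api.json", secure=False)):
        print(req["action"], req["context"], "->", is_denied(SECRETS_BUCKET_POLICY, req))
```

With bucket default encryption set to SSE-KMS, a header-less upload would be KMS encrypted anyway, so the third statement is belt and braces; it is still cheap insurance against a client that quietly sends `AES256` or nothing at all.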
Kelsus used to point clients toward SendGrid for sending and managing transactional email. Now, though, SES offers better pricing, control, and deliverability, and since it's already on AWS, connecting to it from other AWS systems is extremely easy. SES won't send from a domain until you've verified it, and turning on DKIM signing for that domain (plus SPF via a custom MAIL FROM domain) is what actually earns the deliverability.
The Kelsus journey with push notifications started with us writing our own server-side push code, then moved to Parse when it became available. These days, the easiest and best choice is AWS's SNS. It offers all the capability and control we need, with the added benefit of integration and IAM-based access control alongside other AWS services.
AWS networking is endlessly flexible. Best practices dictate that you keep your application servers and databases in private subnets of your VPC that are not reachable from the internet: only the load balancer lives in a public subnet, outbound traffic from the private tier leaves through a NAT gateway, and security groups admit the database tier only from the application tier's security group rather than from any CIDR. Kelsus definitely follows these security practices and has taken over projects more than once from software shops that did not.
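The private-subnet layout is usually undone not by a subnet change but by a security-group rule someone opened "temporarily". As an added example (not Kelsus code), here is a check over constructed `aws ec2 describe-security-groups`-shaped data with the three tiers just described; it flags every rule that admits a public CIDR on a port other than the load balancer's 80 and 443, and it never flags rules whose source is another security group, which is the intended app-to-database pattern. Group IDs and names are hypothetical.

```python
"""Find security-group rules that expose ports to the internet.

Added example, not Kelsus code. GROUPS mimics `aws ec2
describe-security-groups` output but is constructed; IDs are hypothetical.
"""
import ipaddress

WEB_SG, APP_SG, DB_SG = "sg-0web", "sg-0app", "sg-0db"  # hypothetical IDs

# Constructed: the load balancer group is meant to be public on 80/443; the
# app tier admits only the balancer; the database group has the correct
# rule (5432 from the app tier's group) next to two that should never exist.
GROUPS = [
    {"GroupId": WEB_SG, "GroupName": "public-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
    ]},
    {"GroupId": APP_SG, "GroupName": "app-ecs", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": WEB_SG}]},
    ]},
    {"GroupId": DB_SG, "GroupName": "postgres", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": APP_SG}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
    ]},
]

# RFC 1918, loopback, link-local and IPv6 ULA/link-local ranges. Checked
# explicitly rather than via ip_network(...).is_private, whose answer for
# 0.0.0.0/0 has differed between Python versions.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def is_public_cidr(cidr):
    """True unless the whole CIDR fits inside one private range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_RANGES)


def port_range(perm):
    """Return (from, to); protocol -1 means every port."""
    if perm["IpProtocol"] == "-1":
        return (0, 65535)
    return (perm["FromPort"], perm["ToPort"])


def public_exposures(groups, allowed_public_ports=frozenset({80, 443})):
    """Return (group name, protocol, from, to, cidr) for each rule that admits
    a public CIDR on anything but a single allowed port. Source-group rules
    (UserIdGroupPairs) are the VPC-internal pattern and are never flagged."""
    findings = []
    for group in groups:
        for perm in group["IpPermissions"]:
            lo, hi = port_range(perm)
            cidrs = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                     + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            for cidr in cidrs:
                if not is_public_cidr(cidr):
                    continue
                if lo == hi and lo in allowed_public_ports:
                    continue
                findings.append((group["GroupName"], perm["IpProtocol"], lo, hi, cidr))
    return findings


if __name__ == "__main__":
    for finding in public_exposures(GROUPS):
        print("EXPOSED:", finding)
```

Feeding it the real `describe-security-groups` JSON for a VPC is a five-minute audit when taking over a project; the allowed-ports set is deliberately tiny because anything else reachable from 0.0.0.0/0 or ::/0 should be a deliberate decision, not a default.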