1
00:00:00,090 --> 00:00:00,930
Hello and welcome back.

2
00:00:01,050 --> 00:00:07,050
Let's now talk about a very important feature for monitoring, patching and connecting to your infrastructure,

3
00:00:07,050 --> 00:00:09,450
whether it is on premise or in AWS.

4
00:00:09,450 --> 00:00:14,460
And that is AWS Systems Manager. It used to be called different names.

5
00:00:14,460 --> 00:00:19,830
Simple Systems Manager, and this is where the acronym comes from, or the abbreviation SSM, that we are going

6
00:00:19,830 --> 00:00:22,740
to use extensively throughout the lectures.

7
00:00:22,740 --> 00:00:27,580
But the current name is Systems Manager, until further notice by AWS.

8
00:00:27,600 --> 00:00:30,200
So what are we going to learn during this lecture?

9
00:00:30,210 --> 00:00:30,990
It is going.

10
00:00:30,990 --> 00:00:32,790
We are going to learn what it is.

11
00:00:32,790 --> 00:00:35,840
What is Systems Manager?

12
00:00:35,940 --> 00:00:37,780
We will learn how it works.

13
00:00:37,800 --> 00:00:44,270
We will learn about the SSM Agent, and we will know about the capabilities, what can I do with Systems Manager,

14
00:00:44,310 --> 00:00:48,630
why it is important, and we will learn also about what is a managed instance.

15
00:00:48,630 --> 00:00:54,600
Basically, when Systems Manager starts controlling or managing an instance it becomes a managed instance,

16
00:00:54,630 --> 00:00:56,820
and we learn how that happens.

17
00:00:56,850 --> 00:01:03,260
We'll also talk about how the managed instances connect to SSM, or the Systems Manager service.

18
00:01:03,930 --> 00:01:10,440
And we'll also learn about the IAM roles or permissions that are required for users or administrators

19
00:01:10,440 --> 00:01:17,130
to access Systems Manager to do some configurations, and also for the managed instances to be accessed

20
00:01:17,220 --> 00:01:19,800
or to access Systems Manager.

21
00:01:19,830 --> 00:01:21,370
So let's dive in.

22
00:01:21,390 --> 00:01:22,230
So what is it?

23
00:01:22,230 --> 00:01:27,510
It is a collection of capabilities, different services bundled into one bigger service,

24
00:01:27,510 --> 00:01:33,140
the Systems Manager, in order to manage your infrastructure, be it on premise or on AWS.

25
00:01:33,150 --> 00:01:38,820
So these are used to configure and manage Amazon EC2 instances, on-premise servers and virtual machines,

26
00:01:38,970 --> 00:01:41,970
and other resources at scale.

27
00:01:41,970 --> 00:01:47,820
So now, whatever you are going to do, you are going to monitor and manage, patch and all that, an extensive

28
00:01:47,910 --> 00:01:56,320
number of instances, and they could be, as we mentioned, on premise and in AWS, as it includes a unified

29
00:01:56,320 --> 00:02:02,440
interface, so the console basically, that allows you to easily centralize operational data and automate tasks

30
00:02:02,500 --> 00:02:05,260
across the client's AWS resources.

31
00:02:05,260 --> 00:02:08,430
As we will learn also, that could be across different regions.

32
00:02:08,770 --> 00:02:12,700
Systems Manager shortens the time to detect and resolve operational problems.

33
00:02:12,700 --> 00:02:19,690
How? By finding out changes in configuration, by finding out devices that are not patched, are not up to

34
00:02:19,690 --> 00:02:24,980
date in terms of security patches or OS patches, antivirus is not running, stuff like that.

35
00:02:24,980 --> 00:02:30,160
Systems Manager gives a complete view of the client's infrastructure performance and configuration, simplifies

36
00:02:30,160 --> 00:02:37,840
the resource and application management, and it can be used with Windows, Linux or SBN instances or virtual

37
00:02:37,840 --> 00:02:41,570
machines, in case in the exam you are given some options and you

38
00:02:41,640 --> 00:02:44,590
are told that this is only with Linux, it doesn't support Windows.

39
00:02:44,590 --> 00:02:45,420
This is not the case.

40
00:02:45,430 --> 00:02:50,620
It allows, the Systems Manager allows, for remotely and securely managing on-premises servers and virtual

41
00:02:50,620 --> 00:02:56,540
machines, both in cloud and on premise, and you can also manage virtual machines in other cloud environments,

42
00:02:56,540 --> 00:02:58,030
so that's one good thing.

43
00:02:58,030 --> 00:03:05,080
I have a customer who has EC2 instances on AWS, yes, but it also has Azure instances or virtual machines

44
00:03:05,080 --> 00:03:07,240
on Azure or in Google Cloud.

45
00:03:07,240 --> 00:03:10,570
Can I manage that through Systems Manager?

46
00:03:10,600 --> 00:03:11,140
Yes you can.

47
00:03:11,140 --> 00:03:15,100
Because it's treated as if it is an on-premise system, in hybrid environments.

48
00:03:15,100 --> 00:03:17,050
Why would I use it with hybrid environments?

49
00:03:17,080 --> 00:03:25,300
First of all, you are creating a consistent and secure way to remotely manage, patch and connect to your hybrid

50
00:03:25,300 --> 00:03:31,600
workloads from one location, using the same tools and scripts, using IAM for centralized access control

51
00:03:31,600 --> 00:03:34,810
for actions that can be performed on servers and VMs.

52
00:03:34,810 --> 00:03:41,000
So you are not only managing centrally, but also having access control centrally, and you can use it with

53
00:03:41,020 --> 00:03:46,300
CloudTrail for centralized auditing, so all the logs, all the API calls and all that will be on Cloud-

54
00:03:46,300 --> 00:03:46,660
Trail.

55
00:03:46,660 --> 00:03:52,630
Not only that, but you can use CloudWatch Logs to send all your logs, and you can use CloudWatch

56
00:03:52,630 --> 00:03:58,230
Events to turn on or to trigger actions by Systems Manager.

57
00:03:58,390 --> 00:03:59,080
Here's how it looks.

58
00:03:59,080 --> 00:04:03,430
Here's a typical workflow or a typical setup for Systems Manager.

59
00:04:03,430 --> 00:04:07,480
So we have Systems Manager in the middle, inside the AWS cloud.

60
00:04:07,720 --> 00:04:08,270
OK.

61
00:04:08,500 --> 00:04:19,030
It can manage Linux instances, Windows instances on AWS, but it also can deal with workloads that are on

62
00:04:19,030 --> 00:04:23,710
premise or in different clouds, and they could be virtual machines and they could be servers as well,

63
00:04:24,100 --> 00:04:26,590
Linux or Windows, so they could be both.

64
00:04:26,650 --> 00:04:33,340
And then it integrates with CloudWatch, it can send logs and command outputs to S3, and all the

65
00:04:33,340 --> 00:04:35,200
API calls would be in CloudTrail.

66
00:04:35,890 --> 00:04:38,080
And it has built-in insights.

67
00:04:38,110 --> 00:04:43,480
How can you trigger, manage or configure AWS Systems Manager? From the console, the Systems Manager

68
00:04:43,480 --> 00:04:49,570
console, through SDKs, through the command line interface, and with Windows PowerShell tools.

69
00:04:49,800 --> 00:04:51,000
Okay, so what are the steps?

70
00:04:51,010 --> 00:04:52,720
I'm happy, I want to use the service.

71
00:04:52,720 --> 00:04:53,700
What do I do?

72
00:04:53,710 --> 00:04:58,210
The first thing you do is you need to configure Systems Manager through one of the tools we talked about,

73
00:04:58,540 --> 00:05:02,880
in order to start configuring, scheduling, automating and executing Systems Manager actions.

74
00:05:02,890 --> 00:05:08,770
And we are going to come to what actions we can do with Systems Manager on AWS resources.

75
00:05:09,000 --> 00:05:11,620
The SSM Agent, and configure permissions, so you need that

76
00:05:11,620 --> 00:05:16,080
also on the EC2 instances, and that's how the whole control happens.

77
00:05:16,240 --> 00:05:22,000
You need to have SSM Agent configured on your EC2 instances or your servers.

78
00:05:22,030 --> 00:05:25,240
But for the on-premise ones there is one extra step we'll talk about shortly.

79
00:05:25,270 --> 00:05:26,100
So we did that.

80
00:05:26,110 --> 00:05:28,750
The second is verification and processing.

81
00:05:28,750 --> 00:05:34,000
Now we have done the configuration and automation and setup and all that in Systems Manager. Now Systems

82
00:05:34,000 --> 00:05:39,190
Manager will verify the configuration, including the permissions, it will try to connect and find out if

83
00:05:39,190 --> 00:05:44,980
the permissions are working, and will send the request to the SSM Agent running on the instances or the

84
00:05:44,980 --> 00:05:50,610
servers in hybrid environments. Once the connectivity between the server, Systems Manager and SSM Agent

85
00:05:50,680 --> 00:05:57,430
is established, it is secure, the permissions are there, everything is OK, then Systems Manager starts controlling

86
00:05:57,430 --> 00:06:03,460
or managing your instances through the use of Systems Manager, and then we get to the reporting phase.

87
00:06:03,460 --> 00:06:07,930
Basically, I need to find out the inventory, about everything, I need to know about

88
00:06:07,930 --> 00:06:13,300
the configuration compliance, I need to know about the status of OS patching or security patching.

89
00:06:13,300 --> 00:06:19,600
Then SSM Agent will give all this information to Systems Manager, so that it can show it or it can integrate

90
00:06:19,600 --> 00:06:21,060
with other services.

91
00:06:21,220 --> 00:06:26,710
As we mentioned, it can send logs to CloudWatch Logs, where you can start searching these logs using

92
00:06:26,770 --> 00:06:33,700
Athena, querying them, or you can start visualizing stuff as well using QuickSight. In other cases, SSM

93
00:06:33,790 --> 00:06:38,560
Agent reports the status of the configuration changes and actions to Systems Manager.

94
00:06:38,560 --> 00:06:43,960
So it's not only the status of the instance, but also when Systems Manager is trying to perform something,

95
00:06:43,960 --> 00:06:49,780
whether it was successful or not, changed or not, then that is reported back to Systems Manager, and Systems

96
00:06:49,780 --> 00:06:56,030
Manager can then send the status to the user and various services, if configured to do so.

97
00:06:56,270 --> 00:06:57,140
So this is amazing.

98
00:06:57,170 --> 00:06:58,780
Let's talk a little bit more about that.

99
00:06:58,790 --> 00:07:03,080
Does the SSM Agent exist on every AWS AMI or in any operating system?

100
00:07:03,080 --> 00:07:03,860
The answer is no.

101
00:07:04,070 --> 00:07:10,580
So Windows AMIs published before November 16 use the EC2Config service to process requests,

102
00:07:10,770 --> 00:07:11,560
and for Linux

103
00:07:11,560 --> 00:07:15,870
AMIs, manually install the agent on non-base images.

104
00:07:15,890 --> 00:07:16,400
Like what?

105
00:07:16,400 --> 00:07:18,000
Like the all oh yes optimized.

106
00:07:18,010 --> 00:07:18,470
AMI.

107
00:07:18,500 --> 00:07:20,420
So there are some that have it by default.

108
00:07:20,420 --> 00:07:23,060
There are some that don't have it. What is a managed instance?

109
00:07:23,060 --> 00:07:24,040
What is that?

110
00:07:24,050 --> 00:07:26,480
So how can I say that an instance is managed?

111
00:07:26,480 --> 00:07:33,530
When you install SSM Agent on the instance and it connects to Systems Manager, or it is able to communicate

112
00:07:33,530 --> 00:07:36,740
with Systems Manager, it becomes a managed instance.

113
00:07:36,740 --> 00:07:42,170
Is that all, for on AWS and on premise? For on premise you need one extra step.

114
00:07:42,170 --> 00:07:48,590
The next step is to do a verification, and you generate what we call a verification code and ID. The

115
00:07:48,590 --> 00:07:54,830
verification code and ID is very similar to the access key ID and secret key that is allowed to connect

116
00:07:54,830 --> 00:07:56,660
to an instance in AWS.

117
00:07:56,760 --> 00:07:57,000
Okay.

118
00:07:57,020 --> 00:08:02,930
One problem, and we'll talk about that later on, is if I have an older version of SSM Agent and I'm trying to

119
00:08:02,930 --> 00:08:07,580
run a command or a capability that is not supported

120
00:08:07,610 --> 00:08:12,030
by that version of SSM Agent, then that process could fail or that action could fail.

121
00:08:12,080 --> 00:08:17,630
So what is the AWS recommendation for this? That you have to automate, or you need to automate, that whenever

122
00:08:17,630 --> 00:08:23,180
there is a new version, an updated version, then it will be installed or updated on your managed instance.

123
00:08:23,270 --> 00:08:28,710
Connectivity to SSM: the Systems Manager has public endpoints.

124
00:08:28,730 --> 00:08:33,830
So by default, if you want your instances to connect to Systems Manager, they have to go through the

125
00:08:33,830 --> 00:08:34,640
Internet.

126
00:08:34,670 --> 00:08:38,930
So if your instances are on a private subnet you need, exactly, you need a NAT instance or a NAT

127
00:08:38,930 --> 00:08:42,170
gateway to allow that to reach the Internet.

128
00:08:42,170 --> 00:08:47,570
If they are on public subnets, you want to make sure that you have an IGW attached and the route tables

129
00:08:47,570 --> 00:08:51,530
are configured to be able to go to the Internet from those instances.

130
00:08:51,530 --> 00:08:51,760
OK.

131
00:08:51,790 --> 00:08:56,400
But we know that we have VPC endpoints, right? And Systems Manager supports that.

132
00:08:56,540 --> 00:09:03,740
So why not configure VPC endpoints and allow the EC2 instances, or the SSM Agent on the EC2 instances

133
00:09:03,770 --> 00:09:10,140
that are managed, to communicate with Systems Manager through a secure way, which is the AWS infrastructure.

134
00:09:10,160 --> 00:09:11,260
So that's much better.

135
00:09:11,450 --> 00:09:17,630
And it is supported. In our case, you need to allow the Internet access from the SSM Agent or the

136
00:09:17,720 --> 00:09:19,760
instances into Systems Manager.

137
00:09:19,760 --> 00:09:25,660
So that is outbound Internet access, and not Systems Manager initiating from the Internet.

138
00:09:25,670 --> 00:09:30,020
What are the required permissions that I need to configure for the users who will be configuring, or

139
00:09:30,020 --> 00:09:35,000
the administrators who will be configuring Systems Manager, and also what about the managed instances

140
00:09:35,120 --> 00:09:38,550
that will be used? For the user permissions, you need,

141
00:09:38,690 --> 00:09:43,910
you need to configure the right IAM permissions in order to allow the user or administrator to

142
00:09:43,910 --> 00:09:50,360
access SSM. If any user has the full administrative access then they will be able to access the system,

143
00:09:50,510 --> 00:09:52,230
and then we need instance profiles.

144
00:09:52,340 --> 00:09:56,860
We need roles, IAM roles, for the instances basically. Why?

145
00:09:56,870 --> 00:10:02,690
Because the SSM Agent that exists on the instances is going to get the permissions through the

146
00:10:02,690 --> 00:10:10,760
instance profile that has the right IAM permissions. In case you have changed the instance profile,

147
00:10:10,850 --> 00:10:16,890
you need to restart the SSM Agent in order for changes to take effect quickly, and then we need an

148
00:10:16,910 --> 00:10:18,480
IAM service role. For what?

149
00:10:18,620 --> 00:10:22,640
For on-premises servers and VMs, and they will assume this role.

150
00:10:22,940 --> 00:10:27,260
All right, time to take a break, and I'll see you in the next lecture, and we'll learn more about Systems

151
00:10:27,260 --> 00:10:32,620
Manager and the critical actions, or the important actions, that might feature in the exam.

152
00:10:32,630 --> 00:10:33,890
I'll see you after the break.

153
00:10:33,890 --> 00:10:34,240
Thank you.
