11B-43 NGUYỄN DUY TIẾN
# AWS4study

### Let's begin to study AWS

* [AWS Cloud Practitioner Essentials Course link](https://explore.skillbuilder.aws/learn/course/134/play/85854/aws-cloud-practitioner-essentials)

## Module 1: Introduction to Amazon Web Services.

* EC2 instances: a virtual server
* Key concept: you only pay for what you use

### What is cloud computing?

* **On-demand delivery**: AWS has the resources ready when you need to use them (turn them off when not in use)
* IT resources: the IT services/products that a business needs
* Undifferentiated heavy lifting of IT: not much to install; just focus on the tasks that run on top of it (what makes you unique)
* Over the Internet: access resources securely over the Internet
* Pay-as-you-go pricing: pay for what you use (FPT does not pay interns :D :D :D)

### Three **cloud computing deployment models**: cloud-based, on-premises, and hybrid.

* Cloud-based
  * All parts of the app run in the cloud
  * Move existing apps to the cloud
  * Create new apps in the cloud
  * Can build **higher-level services** and **low-level infrastructure**
  * For example, a company might create an application consisting of virtual servers, databases, and networking components that are fully based in the cloud.
* On-premises
  * Private cloud deployment
  * Deploy using virtualization and resource management tools
  * For example, you might have applications that run on technology that is fully kept in your on-premises data center. Though this model is much like legacy IT infrastructure, its incorporation of application management and virtualization technologies helps to increase resource utilization.
* Hybrid
  * Cloud-based resources are connected to on-premises infrastructure.
  * For example, you have legacy applications that are better maintained on premises, or government regulations require your business to keep certain records on premises.
  * For example, suppose that a company wants to use cloud services that can automate batch data processing and analytics. However, the company has several legacy applications that are more suitable on premises and will not be migrated to the cloud. With a hybrid deployment, the company would be able to keep the legacy applications on premises while benefiting from the data and analytics services that run in the cloud.

### Benefits of cloud computing

* Trade **upfront expense** for **variable expense**
* No money spent maintaining data centers
* Stop guessing capacity
* Massive economies of scale
* Increase the speed of releasing an application
* Go global

### Quiz

![](https://hackmd.io/_uploads/H1TvFRCRh.png)
![](https://hackmd.io/_uploads/H1vqtCC02.png)
![](https://hackmd.io/_uploads/ryLsKRAR3.png)
![](https://hackmd.io/_uploads/Hk8MDYA-6.png)
![image](https://hackmd.io/_uploads/B1_bx-iH6.png)
![image](https://hackmd.io/_uploads/SyvHlbjSp.png)

* EC2 is IaaS, Elastic Beanstalk is PaaS.

## Module 2: COMPUTE IN THE CLOUD

### Learning objectives

* In this module, you will learn how to:
  * Describe the benefits of Amazon EC2 at a basic level.
  * Identify the different Amazon EC2 instance types.
  * Differentiate between the various billing options for Amazon EC2.
  * Summarize the benefits of Amazon EC2 Auto Scaling.
  * Summarize the benefits of Elastic Load Balancing.
  * Give an example of the uses for Elastic Load Balancing.
  * Summarize the differences between Amazon Simple Notification Service (Amazon SNS) and Amazon Simple Queue Service (Amazon SQS).
  * Summarize additional AWS compute options.

### **Introduction to EC2 (Amazon Elastic Compute Cloud)**

* The **AWS Nitro System** is the hypervisor that runs EC2 virtual machines (before that, the Xen hypervisor)
* Server environments are called **instances.**
* Package the OS and additional installations in a reusable template called an **Amazon Machine Image.**
* Secure login information for your instances using **key pairs**
* **Instance store volumes**: temporary data storage; data is lost when you STOP or TERMINATE.
  You can stop an EBS-backed instance but not an instance store-backed instance.
* Add a script that will be run on instance boot, called **user data**.
* EC2 is the server you use to access virtual servers.
* EC2 provides **secure, resizable** compute capacity in the cloud as Amazon EC2 instances.
* All you need to do is **request the EC2 instances** you need and use them.
* **Only pay for running/stopping instances, not for terminated instances**
* Does not need its own host; it **shares the host** with other instances (VMs)
* **Multitenancy**: hardware is shared between VMs (managed by the hypervisor)
* The **hypervisor** isolates the VMs and secures them (the VMs do not interact with each other)
* **Full control** over what happens on the instances
* **Vertical scaling**: resize the instances (give them more resources such as memory/CPU, or decrease them)
* **Control the networking aspect**: type of requests, public/private
* **CaaS (compute as a service)**

#### **When working with traditional on-premises resources, you have to:**

* Purchase hardware.
* Wait for the servers to be delivered.
* Install the servers.
* Make all configurations.

#### **Benefits when working with EC2:**

* Provision and launch within minutes.
* Stop using it when you finish running a workload.
* Pay only for the compute time you use.
* Pay only for the server capacity you need or want.
* The security best practice for giving an Amazon EC2 instance access to an Amazon S3 bucket is option C: have the EC2 instance assume a role to obtain the privileges to upload the file. This involves using AWS Identity and Access Management (IAM) roles to grant temporary permissions to the EC2 instance, rather than hard-coding or storing access keys directly in the application or on the instance.
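The last bullet recommends an instance role over access keys stored on the instance. The Python below is an added example (not code from these notes or from AWS) that builds the two IAM documents such a role needs, a trust policy for the EC2 service and a least-privilege permissions policy, then checks a permissions policy for wildcard grants and scans configuration text for long-lived access key IDs. The bucket name `example-upload-bucket`, the prefix `uploads`, the function names and the `AKIA`/`ASIA` prefix rule are assumptions of the example; the sample key ID is AWS's documentation placeholder, not a real credential.

```python
"""Instance role instead of embedded access keys for an EC2 -> S3 upload.

Added example, not code from the notes or from AWS. Bucket name, prefix and
the key material are constructed placeholders; the key ID used in the demo
is AWS's documentation example value.
"""
import re

# Long-lived IAM user access key IDs start with AKIA; temporary credentials
# handed out through an assumed role start with ASIA. Finding AKIA keys in
# application config is the anti-pattern the notes warn about.
LONG_LIVED_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def build_upload_role_policies(bucket: str, prefix: str) -> tuple:
    """Return (trust_policy, permissions_policy) for an EC2 instance role.

    The trust policy lets the EC2 service assume the role, so the instance
    receives short-lived credentials through the instance metadata service.
    The permissions policy allows only object writes under one prefix.
    """
    trust_policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }
    permissions_policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "UploadToOnePrefix",
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": [f"arn:aws:s3:::{bucket}/{prefix}/*"],
        }],
    }
    return trust_policy, permissions_policy


def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])


def policy_findings(policy: dict) -> list:
    """List Allow statements whose actions or resources are wildcards."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*" or resource.endswith(":::*"):
                findings.append(f"{sid}: wildcard resource {resource}")
    return findings


def find_long_lived_key_ids(text: str) -> list:
    """Return AKIA... key IDs found in configuration or source text."""
    return LONG_LIVED_KEY_ID.findall(text)


if __name__ == "__main__":
    trust, perms = build_upload_role_policies("example-upload-bucket", "uploads")
    print(perms["Statement"][0]["Resource"], policy_findings(perms))
    # Constructed config line using AWS's documentation placeholder key ID.
    print(find_long_lived_key_ids("aws_access_key_id = AKIAIOSFODNN7EXAMPLE"))
```

With only `s3:PutObject` on one prefix the checker returns no findings; a statement granting `s3:*` on `*` is flagged twice, and a config line carrying an `AKIA` key ID is reported while an `ASIA` temporary key ID is not.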
### How EC2 works:

* Launch
  * Can choose the configuration
    * Operating system (Linux, Windows)
    * Application server
  * Can choose the instance type (type of hardware)
  * Can choose the type of security settings to control network traffic (private, public)
* Connect
  * Many methods to connect
  * Can log in and access the desktop
* Use
  * After connecting, you can install software, add storage, copy, organize, etc.

### **Amazon EC2 Instance Types**

* Configurations of CPU, memory, storage, and networking capacity for your instances. There are 5 types of instances:
  * General purpose (t-type and m-type)
    * Provide a balance of compute, memory, and networking resources
    * Diverse workloads
      * Web servers
      * Code repositories
      * etc.
  * Compute optimized (c-type)
    * Ideal for compute-bound applications that benefit from high-performance processors (intensive computing tasks)
      * Gaming servers
      * High-performance computing
      * Scientific modeling
      * etc.
  * Memory optimized (r-type, x-type, and z-type)
    * Designed to deliver fast performance for workloads that process large datasets in memory (intensive memory tasks)
  * Accelerated computing (f-type, g-type, and p-type)
    * Use hardware accelerators, or coprocessors, to perform efficiently
      * floating-point number calculations
      * graphics processing
      * data pattern matching
      * etc.
  * Storage optimized (d-type, h-type, and i-type)
    * Stores the HR lady's smile :D
    * Designed for workloads that require high, sequential read and write access to large datasets on local storage.
      * distributed file systems
      * data warehousing applications
      * high-frequency online transaction processing (OLTP)
      * etc.

#### Knowledge check

![](https://hackmd.io/_uploads/rk5zqykJp.png)
![](https://hackmd.io/_uploads/SkL7c1116.png)
![](https://hackmd.io/_uploads/r1L85JJk6.png)
![](https://hackmd.io/_uploads/H1XPqkJy6.png)

### **Amazon EC2 Pricing**

* Price depends on the instance type and the OS you use =))
* On-Demand
  * Pay for the instances that you use by the second, with no long-term commitments or upfront payments.
  * Duration: per hour/second
  * Get started, as a playground
* Savings Plans (very economical, for those on a budget)
  * Compute Savings Plans reduce your costs by up to 66%
  * 1- or 3-year term
  * EC2 Instance Savings Plans provide the lowest prices, offering savings of up to 72%
* Reserved Instances
  * ![image](https://hackmd.io/_uploads/SyKTMvA9p.png)
  * Upfront payment for an instance, reserving it for a one- or three-year term
  * Suitable for On-Demand Instances.
  * Two types:
    * **Standard Reserved Instances**:
      * The Standard class **provides the most significant discount**
      * Can also be **sold in the Reserved Instance Marketplace.**
      * You **can only modify some of its attributes** during the term
      * Requires some qualifications:
        * Instance type and size
        * Platform description (operating system)
        * Tenancy
    * **Convertible Reserved Instances**:
      * **Lower discount** than Standard Reserved Instances
      * **Can be exchanged for another Convertible Reserved Instance** with different instance attributes
      * **Cannot be sold** in the Reserved Instance Marketplace.
  * ![image](https://hackmd.io/_uploads/BJxN8ZsHT.png)
  * Determine its scope (regional or zonal).
  * ![image](https://hackmd.io/_uploads/r1JcUbjB6.png)
* Spot Instances
  * Request **unused EC2 instances**
  * **90% discount** compared to On-Demand prices.
  * A defined duration (also known as **Spot blocks**), designed not to be interrupted, runs continuously for the duration you select.
  * A **Spot Fleet** is a collection of Spot Instances and optionally On-Demand Instances
  * A **Spot capacity pool** is a set of unused EC2 instances with the same instance type, operating system, Availability Zone, and network platform.
  * **Allocation strategy**: LowestPrice (default), Diversified, CapacityOptimized, InstancePoolsToUseCount.
* Dedicated Hosts
  * Dedicated Hosts can help you address compliance requirements and reduce costs by allowing you to use your existing server-bound software licenses.
  * You have the option to launch instances onto a specific Dedicated Host, or you can let Amazon EC2 place the instances automatically.
* Dedicated Instances
  * ![image](https://hackmd.io/_uploads/r11o3bjH6.png)
* There is a **data transfer charge** when copying an AMI from one region to another
  * If data is transferred between these two instances, it is charged at "Data Transfer Out from EC2 to Another AWS Region" for the first instance and at "Data Transfer In from Another AWS Region" for the second instance.
* An Amazon Machine Image (AMI) includes the following:
  * One or more Amazon Elastic Block Store (Amazon EBS) snapshots
  * A template for the root volume of the instance (for example, an operating system, an application server, and applications).
  * Launch permissions that control which AWS accounts can use the Amazon Machine Image (AMI) to launch instances.
  * A block device mapping that specifies the volumes to attach to the instance when it's launched.

#### Knowledge Check

![](https://hackmd.io/_uploads/Hys7XxJkp.png)
![](https://hackmd.io/_uploads/BkzLQgJyp.png)

### **Scaling Amazon EC2**

* The problem: how do we optimize resource usage so that we can meet demand?
* Question: what amount of hardware should we buy?
  * Method: buy for the average: cannot serve high demand ![](https://hackmd.io/_uploads/B1iPmeJ1p.png)
  * Method: buy for the peak: average utilization is low => waste ![](https://hackmd.io/_uploads/rJLamekk6.png)
  * **Cannot be solved on premises** ![](https://hackmd.io/_uploads/SJBPEey1T.png)
* Prepare for the case where an incident happens.
  * Suppose one instance dies while there are requests; another instance must immediately take its place so that customers do not lose the service.
  * Because you do not need to worry about computing capacity (Amazon takes care of it) and you only pay for what you need, you can expand your processing capacity and fulfil customer orders. This is **scalability**.
  * That is why Amazon has **Amazon EC2 Auto Scaling** to handle this case.
* **Amazon EC2 Auto Scaling**
  * Situation: if you visit a website and get a request timeout, or a coffee shop has only one HR lady handling orders, this leads to overload.
  * EC2 Auto Scaling lets you add or remove EC2 instances depending on demand. There are two approaches:
    * Dynamic scaling: responds to changing demand
    * Predictive scaling: automatically schedules the right number of Amazon EC2 instances based on predicted demand. (Only available for EC2 Auto Scaling groups.)
    * To scale faster, you can use dynamic scaling and predictive scaling together.
  * Example:
    * ![](https://hackmd.io/_uploads/ByDXb-yJ6.png)
    * When we create an Auto Scaling group, we can set a minimum number of instances. This number guarantees that, once the group is created, they run right away to perform tasks.
    * As in the picture above, we set up a minimum of 1 instance.
    * Next we can set the **desired capacity**. This is the number of instances we want running that is enough to meet demand. If not set, by default the **desired capacity equals the minimum capacity**.
    * In the picture above, we set up 2 desired instances.
    * Finally we set the **maximum capacity**, the expected maximum number of instances needed to handle every possible case. At this point the instances still missing to complete the tasks are added.
    * In the picture we set up 4 maximum instances.
    * AWS will auto scale to match the number of instances needed to complete the tasks. And the pay-on-demand policy helps optimize operating costs: use it and pay, don't use it and don't pay :)))
  * ![image](https://hackmd.io/_uploads/S1Z-Wzjra.png)

### Elastic Load Balancing

* Distributes incoming application or network traffic across multiple targets, such as EC2 instances, containers (ECS), Lambda functions, and IP addresses, in multiple Availability Zones.
* Deleting an ELB won't delete the instances registered to it.
* **Cross-zone load balancing**: when enabled, each load balancer node distributes traffic across the registered targets in all enabled AZs.
* Situation: all EC2 instances run the same programs; when requests come in, they cannot know which instance to go to (so some instances sit idle while one is overloaded) => the requests need to be routed to where they should go
* Load balancing: solves the above situation
* Load balancer: takes in requests and routes them to the instances to be processed
* Criteria: high performance, cost-efficient, highly available, auto scalable

#### Types

* Application Load Balancer (ALB)
  * 7th layer of the Open Systems Interconnection (OSI) model.
  * Allows HTTP and HTTPS.
  * At least 2 subnets
* Network Load Balancer (NLB)
  * Functions at the 4th layer of the Open Systems Interconnection (OSI) model.
  * Uses TCP and UDP, and Transport Layer Security (TLS) connections.
  * At least 1 subnet must be specified
* Gateway Load Balancer (GWLB)
  * Deploying, scaling, and running third-party virtual appliances.
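The Auto Scaling group settings above (minimum 1, desired 2, maximum 4) and the load balancer's cross-zone routing and health-based target selection can be put together in one small model. The Python below is an added example (not code from these notes or from AWS): an in-memory Auto Scaling group that clamps a target-tracking decision to its bounds, replaces a dead instance, and registers or deregisters instances with a load balancer that only routes to in-service targets. Instance IDs, the AZ names `az-a`/`az-b`, the CPU figures and the 50% target are constructed.

```python
"""Auto Scaling group working with a load balancer.

Added example, not code from the notes or from AWS: instance IDs, AZ names,
utilisation figures and the target utilisation are constructed.
"""
import itertools
import math
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Instance:
    id: str
    az: str
    in_service: bool = False   # freshly launched instances are "offline" until ready


@dataclass
class LoadBalancer:
    """Routes only to in-service targets. With cross-zone off, the node in an
    AZ uses only that AZ's targets; with it on, it uses targets in all AZs."""
    cross_zone: bool = True
    targets: list = field(default_factory=list)
    _next: dict = field(default_factory=dict)   # per-node round-robin counter

    def register(self, inst: Instance):
        self.targets.append(inst)

    def deregister(self, inst: Instance):
        self.targets.remove(inst)

    def route(self, node_az: str) -> Optional[str]:
        pool = [t for t in self.targets
                if t.in_service and (self.cross_zone or t.az == node_az)]
        if not pool:
            return None
        i = self._next.get(node_az, 0)
        self._next[node_az] = i + 1
        return pool[i % len(pool)].id


@dataclass
class AutoScalingGroup:
    minimum: int
    maximum: int
    azs: list
    lb: LoadBalancer
    desired: Optional[int] = None   # defaults to minimum, as in the notes
    instances: list = field(default_factory=list)
    _ids = itertools.count(1)       # shared ID counter for constructed instance IDs

    def __post_init__(self):
        if self.desired is None:
            self.desired = self.minimum
        if not self.minimum <= self.desired <= self.maximum:
            raise ValueError("need minimum <= desired <= maximum")
        self.reconcile()

    def launch(self) -> Instance:
        az = self.azs[len(self.instances) % len(self.azs)]   # spread over AZs
        inst = Instance(f"i-{next(self._ids):04d}", az)
        self.instances.append(inst)
        self.lb.register(inst)      # registered, but not routable until in service
        return inst

    def terminate(self, inst: Instance):
        self.lb.deregister(inst)    # traffic moves away before the instance goes
        self.instances.remove(inst)

    def reconcile(self):
        """Launch or terminate until the running count equals desired."""
        while len(self.instances) < self.desired:
            self.launch()
        while len(self.instances) > self.desired:
            self.terminate(self.instances[-1])

    def mark_ready(self):
        for inst in self.instances:
            inst.in_service = True

    def replace_unhealthy(self, inst: Instance):
        """A dead instance is replaced so customers keep the service."""
        self.terminate(inst)
        self.reconcile()

    def target_tracking(self, cpu_util: float, target: float = 50.0) -> int:
        """Dynamic scaling: size the group so average CPU approaches target,
        clamped to [minimum, maximum]."""
        wanted = math.ceil(len(self.instances) * cpu_util / target)
        self.desired = max(self.minimum, min(self.maximum, wanted))
        self.reconcile()
        return self.desired


def walkthrough() -> dict:
    """Min 1, desired 2, max 4 across two AZs, as in the notes' figure."""
    lb = LoadBalancer(cross_zone=True)
    asg = AutoScalingGroup(minimum=1, maximum=4, azs=["az-a", "az-b"], lb=lb, desired=2)
    asg.mark_ready()
    trace = {"start": sorted(i.id for i in asg.instances)}
    asg.target_tracking(cpu_util=90)       # high load: scale out, capped at max
    trace["after_scale_out"] = len(asg.instances)
    trace["routable_before_ready"] = sorted({lb.route("az-a") for _ in range(4)})
    asg.mark_ready()                       # new instances report ready to the LB
    trace["routable_after_ready"] = sorted({lb.route("az-a") for _ in range(4)})
    asg.target_tracking(cpu_util=10)       # load drops: scale in, floored at min
    trace["after_scale_in"] = len(asg.instances)
    return trace


if __name__ == "__main__":
    print(walkthrough())
```

The walkthrough shows the two clamps (90% CPU on 2 instances asks for 4, 10% on 4 asks for 1) and that newly launched instances receive no traffic until they are in service; switching `cross_zone` off confines each load balancer node to its own AZ.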
* Elastic Load Balancing:
  * Regional construct: (explained later); because it runs at the Region level instead of on an individual instance, it is highly available
  * Auto scalable: as traffic grows => scales automatically with no change to the hourly cost
  * ELB works together with Auto Scaling to handle traffic
* How it works
  * ![](https://hackmd.io/_uploads/B1oZHJgya.png)
  * When there are too many requests to handle (high traffic), EC2 will **auto scale**, in this case **scale out (expand by adding instances)**, so that the load can be shared with other instances.
  * The picture below illustrates EC2 auto scaling (scale out) by adding instances; at this point the state of the new instances is offline
  * ![](https://hackmd.io/_uploads/S1cXLylkp.png)
  * The picture below illustrates the newly added instances notifying the ELB that they are ready to handle traffic
  * ![](https://hackmd.io/_uploads/HJRlwygy6.png)
  * The picture below illustrates the state after the new instances are ready: the ELB redirects traffic to the other instances to help out.
  * ![](https://hackmd.io/_uploads/ryGPwke1p.png)
  * The picture below illustrates that, when traffic decreases, EC2 auto scales (scale in) by stopping a few instances. First EC2 stops (terminates) the instances and waits for the stop command.
  * ![](https://hackmd.io/_uploads/S1cfu1l1p.png)
  * The picture below illustrates that, after terminating the inactive instances, EC2 automatically redirects traffic to the instances that are still running.
  * ![](https://hackmd.io/_uploads/rkNeYylJa.png)

### Messaging and Queuing

* Idea: communication between 2 applications may not be synchronized. For example, see the following picture
  * ![](https://hackmd.io/_uploads/SkE1eeeJp.png)
  * The picture above shows the cashier receiving an order from a customer, but the barista is busy making an order for another customer, which leads to the order being lost.
  * The problem: how do we solve this?
* The idea of placing messages into a buffer is called messaging and queuing
  * ![](https://hackmd.io/_uploads/HJJcZggJT.png)
  * Now the board in the picture acts as a buffer that stores all the orders and waits for the barista to process them.
* The 2 apps have to operate at the same time
  * **Tightly coupled architecture**: apps communicate directly
    * ![](https://hackmd.io/_uploads/ByEyRkxJ6.png)
    * It is also called a **monolithic application**
    * Drawback: 1 app fails => other apps can fail, even the whole system
    * Example: A sends messages to B; if B does not receive them (error) => A errors too
  * **Loosely coupled architecture**:
    * To help maintain application availability when a single component fails, you can design your application through a **microservices** approach.
    * ![](https://hackmd.io/_uploads/ryZmCygkp.png)
    * ![](https://hackmd.io/_uploads/rJhRdklya.png)
    * A sends messages to B through a message queue; if B is not working, A still sends and the messages are stored in the queue; when B comes back, it processes them.
    * 1 app fails => isolated => does not affect the others
    * AWS works this way
    * 2 services: Amazon SNS, Amazon SQS

#### Amazon SNS

* **Amazon Simple Notification Service (Amazon SNS)**
  * Event-driven
  * AWS event sources (including EC2, S3, and RDS) and AWS event destinations (including SQS and Lambda).
  * **Message filtering**: allows a subscriber to create a filter policy so that it only gets the notifications it is interested in.
  * **Message fanout**: occurs when a message is sent to a topic and then replicated and pushed to multiple endpoints.
  * Follows a subscribe model (like YouTube): publishers send messages to subscribers
  * In Amazon SNS, subscribers can be web servers, email addresses, AWS Lambda functions, or several other options.
  * ![](https://hackmd.io/_uploads/ry4zJeg1T.png)
  * At first, there is only 1 publisher sending all the messages to the subscribers, but this is not efficient because they do not need to receive everything, only the messages they want/subscribe to. So it has to change.
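The loosely coupled pattern above, the SNS fanout and filter policies just introduced, and the receive-process-delete cycle that the Amazon SQS subsection describes can be seen together in one runnable model. The Python below is an added example (not code from these notes or from AWS): a topic that fans a message out only to subscriptions whose filter policy matches the message attributes, and a queue that hides a received message for a visibility timeout and redelivers it if the consumer never deletes it, so a crashed barista does not lose the order. The message bodies, the `type` attribute, the timeout value and the logical clock passed as `now` are constructed so the example runs offline.

```python
"""Loosely coupled messaging: a topic with filter policies fanning out to
queues whose consumers receive, process and then delete.

Added example, not code from the notes or from AWS. Message bodies,
attribute names, the visibility timeout and the clock values are constructed.
"""
import itertools
from typing import Optional, Tuple


class Queue:
    """SQS-like queue. A received message is hidden for visibility_timeout
    ticks and becomes visible again if nobody deletes it (consumer crashed),
    so a message is not lost just because its consumer was down."""

    def __init__(self, visibility_timeout: int = 30):
        self.visibility_timeout = visibility_timeout
        self._messages = []          # each: id, body, attrs, visible_at, receipt
        self._ids = itertools.count(1)
        self._receipts = itertools.count(1)

    def send(self, body: str, attrs: Optional[dict] = None):
        self._messages.append({"id": next(self._ids), "body": body,
                               "attrs": dict(attrs or {}), "visible_at": 0,
                               "receipt": None})

    def receive(self, now: int) -> Optional[Tuple[str, str]]:
        """Short-poll style: return (receipt_handle, body) of the oldest
        visible message, or None immediately if nothing is visible at now."""
        for m in self._messages:
            if m["visible_at"] <= now:
                m["visible_at"] = now + self.visibility_timeout
                m["receipt"] = f"{m['id']}-{next(self._receipts)}"
                return m["receipt"], m["body"]
        return None

    def delete(self, receipt: str) -> bool:
        """Only the handle from the latest receive of a message deletes it."""
        for m in self._messages:
            if m["receipt"] == receipt:
                self._messages.remove(m)
                return True
        return False

    def __len__(self) -> int:
        return len(self._messages)


class Topic:
    """SNS-like topic: publishing fans the message out to every subscription
    whose filter policy matches the message attributes. A policy maps an
    attribute name to its allowed values (every key must match); an empty
    policy accepts everything."""

    def __init__(self):
        self._subs = []

    def subscribe(self, queue: Queue, filter_policy: Optional[dict] = None):
        self._subs.append((queue, dict(filter_policy or {})))

    def publish(self, body: str, attrs: dict) -> int:
        delivered = 0
        for queue, policy in self._subs:
            if all(attrs.get(k) in allowed for k, allowed in policy.items()):
                queue.send(body, attrs)
                delivered += 1
        return delivered


def run_scenario() -> dict:
    """Cashier publishes; the barista queue wants only orders, the audit queue
    wants everything; the barista crashes once while holding an order."""
    topic = Topic()
    barista, audit = Queue(visibility_timeout=30), Queue(visibility_timeout=30)
    topic.subscribe(barista, {"type": ["order"]})
    topic.subscribe(audit)                          # no policy: receives all
    out = {"delivered": [topic.publish("latte", {"type": "order"}),
                         topic.publish("ping", {"type": "heartbeat"})]}
    out["pending"] = (len(barista), len(audit))
    first = barista.receive(now=0)                  # barista takes the order...
    out["hidden_at_10"] = barista.receive(now=10)   # ...crashes: message is hidden
    second = barista.receive(now=30)                # timeout passed: redelivered
    out["redelivered"] = second[1]
    out["stale_delete"] = barista.delete(first[0])  # old handle no longer valid
    out["delete"] = barista.delete(second[0])       # process, then delete
    out["after_delete"] = barista.receive(now=31)
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The heartbeat reaches only the audit queue, the order reaches both, and the audit queue keeps its two messages until some consumer comes back for them; the barista's first receipt handle is rejected after redelivery, which is why a consumer must delete with the handle from its own successful receive.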
  * ![](https://hackmd.io/_uploads/Sk1UJxx1p.png)
  * The second approach is to split into many publishers, each responsible for its own topic, which solves the problem. Each subscriber can receive from many topics, and each topic can have many subscribers (many-to-many)

#### Amazon SQS

* **Amazon Simple Queue Service (Amazon SQS)**
  * A hosted queue that lets you integrate and decouple distributed software systems and components.
  * Message queuing service
  * Users can access Amazon SQS from their VPC using **VPC endpoints**, without using public IPs, and without needing to traverse the public internet. VPC endpoints for Amazon SQS are powered by AWS PrivateLink.
  * Control who can send messages to and receive messages from an SQS queue.
  * Supports **server-side encryption.**
  * ![image](https://hackmd.io/_uploads/BJHkZ7sBp.png)
  * **Long polling** helps reduce cost by eliminating the number of empty responses and false empty responses
  * Regular **short polling** returns immediately, even if the message queue being polled is empty; long polling doesn't return a response until a message arrives in the message queue, or the long poll times out.
  * Amazon SQS allows you to:
    * ![](https://hackmd.io/_uploads/S1blQggJT.png)
  * **Process**: In Amazon SQS, an application sends messages into a queue. A user or service retrieves a message from the queue, processes it, and then deletes it from the queue.
  * ![](https://hackmd.io/_uploads/Hy7oWglJ6.png)
    * The **tightly coupled architecture** model
  * ![](https://hackmd.io/_uploads/rJ53-lg16.png)
    * The **loosely coupled architecture** model discussed above

**Quiz:**

* ![](https://hackmd.io/_uploads/BySOMgly6.png)

### Additional Compute Services

* If you have an app that you want to run on EC2:
  1. Provision instances (virtual servers).
  2. Upload your code.
  3. Manage the instances.

#### Serverless Computing

* **Serverless**: you cannot see or access the underlying infrastructure
* The term "serverless" means that **your code runs on servers, but you do not need to provision or manage these servers.** With serverless computing, you can focus more on innovating new products and features instead of maintaining servers.
* Compare serverless computing with computing on virtual servers (EC2)
  * ![](https://hackmd.io/_uploads/SkEYcexk6.png)

#### AWS Lambda

* ![](https://hackmd.io/_uploads/HyRM2Mlka.png)
* AWS Lambda is SOC, HIPAA, PCI, and ISO compliant.
* Serverless computing
* A service that lets you **run code**
* Pay for compute time (when code is running)
* Any type of application or backend service, all with **zero administration**.
* For example, a simple **Lambda function** might involve automatically resizing uploaded images to the AWS Cloud. In this case, the function **triggers** when uploading a new image. You pay only for the compute time that you use when uploading new images. Uploading the images triggers Lambda to run code for the image resizing function.
* How it works
  * ![](https://hackmd.io/_uploads/HyqQsglya.png)
* Components:
  * **Function**: Lambda passes invocation events to your function; the function processes an event and returns a response.
  * **Execution environment**: where a Lambda function is executed
  * **Runtimes**: Lambda runtimes allow functions in different languages to run in the same base execution environment.
  * **Environment variables**: key-value pairs that store configuration settings
  * **Layers**: libraries, custom runtimes, and other function dependencies.

#### Containers

* In AWS, you can also build and run **containerized** applications.
* Definition of containers
  * Containers provide you with a standard way to **package your application's code and dependencies into a single object.**
  * You can also use containers for processes and workflows in which there are **essential requirements for security, reliability, and scalability.**
* Example of how containers work
  * ![](https://hackmd.io/_uploads/HkLYRle1p.png)
  * Suppose that a company's application developer has an environment on their computer that is different from the environment on the computers used by the IT operations staff. The developer wants to ensure that the application's environment remains consistent regardless of deployment, so they use a containerized approach. This helps to reduce time spent debugging applications and diagnosing differences in computing environments.
  * ![](https://hackmd.io/_uploads/Sk3Zg-lkT.png)
  * When running containerized applications, it's important to consider scalability. Suppose that instead of a single host with multiple containers, you have to manage tens of hosts with hundreds of containers. Alternatively, you have to manage possibly hundreds of hosts with thousands of containers. At a large scale, imagine how much time it might take for you to monitor memory usage, security, logging, and so on.

#### Amazon Elastic Container Service (Amazon ECS)

* **Amazon Elastic Container Service (Amazon ECS)** is a highly **scalable, high-performance** container management system that enables you to run and scale containerized applications on AWS.
* **Amazon ECS** is an Amazon Web Services platform that **orchestrates containers** and can scale flexibly to run, stop, and manage containers in a **cluster**. Containers are treated as part of a task definition.
* Management service to run, stop, and manage Docker containers on a cluster.
* Regional service.
* Create clusters in a VPC. After a cluster is up and running, you can define task definitions and services that specify which Docker container images to run across your clusters.
* **Amazon ECS Exec**: execute commands in a container running on Amazon EC2 instances or AWS Fargate.
* Two deployment strategies in ECS
  * **Rolling update:** replacing the currently running version of the container with the latest version.
  * **Blue/green deployment**: configured to use either an Application Load Balancer or a Network Load Balancer; verify a new deployment of a service before sending production traffic to it.

#### Amazon Elastic Kubernetes Service (Amazon EKS)

* **Amazon Elastic Kubernetes Service (Amazon EKS)** is a fully managed service that you can use to run Kubernetes on AWS.
* Kubernetes is **open-source software** that enables you to deploy and manage containerized applications at scale. A large community of volunteers maintains Kubernetes, and AWS actively works together with the Kubernetes community. As new features and functionalities release for Kubernetes applications, you can easily apply these updates to your applications managed by Amazon EKS.
* Run Kubernetes on AWS without installing, operating, or maintaining your own Kubernetes control plane or nodes.
* ![image](https://hackmd.io/_uploads/rJstPmiHT.png)
* ![image](https://hackmd.io/_uploads/HyzGO7iHa.png)

#### AWS Fargate

* **AWS Fargate** is a serverless compute engine for containers. It works with both Amazon ECS and Amazon EKS.
* It simplifies the process of managing clusters, scheduling tasks, and handling environment maintenance for containerized applications.
* When using **AWS Fargate**, you do **not need to provision or manage servers**. **AWS Fargate manages your server infrastructure for you**. You can focus more on innovating and developing your applications, and you pay only for the resources that are required to run your containers.
* A Fargate task receives the following storage:
  * ![image](https://hackmd.io/_uploads/rJ53lLgIp.png) 10 GB of Docker layer storage + an additional 4 GB for volume mounts.
* Amazon ECS task definitions for Fargate require that the network mode is set to awsvpc
* You pay for the amount of vCPU and memory resources

#### Options to choose services:

* **Choose EC2**
  * ![](https://hackmd.io/_uploads/BkTBNWgy6.png)
* **Choose AWS Lambda**
  * ![](https://hackmd.io/_uploads/ByLiE-xkp.png)
* **If you want to run Docker**
  * ![](https://hackmd.io/_uploads/Bk1eS-gkT.png)

### Summary: https://explore.skillbuilder.aws/learn/course/134/play/85854/aws-cloud-practitioner-essentials

* **Quiz**:

![](https://hackmd.io/_uploads/SyEP6ely6.png)
![](https://hackmd.io/_uploads/rkguallk6.png)
![](https://hackmd.io/_uploads/SJnu6leyp.png)
![](https://hackmd.io/_uploads/BJiYpxgJT.png)
![](https://hackmd.io/_uploads/Syucael1p.png)

## Module 3: GLOBAL INFRASTRUCTURE AND RELIABILITY

### Learning objectives

In this module, you will learn how to:

* Summarize the benefits of the AWS Global Infrastructure.
* Describe the basic concept of Availability Zones.
* Describe the benefits of Amazon CloudFront and edge locations.
* Compare different methods for provisioning AWS services.

### AWS global infrastructure

* AWS **builds many data centers** in order to meet the criteria of **high availability and fault tolerance** (if one place runs into trouble, the others serve in its place), like the chain model of Highlands, Starbucks, ... bubble tea =))))
* **Four factors** to choose a Region
  * **Compliance**: depending on your company and location, you might need to run your data out of specific areas
  * **Proximity**: selecting a Region that is **close to your customers** will help you get content to them **faster**.
  * **Feature availability**: you have to ensure the Region you choose has all the features and products that the customers need.
  * **Pricing**: check the service prices in the Region you choose to see whether they fit your requirements.
* **Availability Zone**:
  * A single data center or a group of data centers
  * Located **tens of miles apart** from each other.
  * **Low latency** between Availability Zones.
  * Reduces the chance that multiple Availability Zones are affected.
  * Fault isolation
  * AWS recommends deploying applications across at least 2 AZs.
* **Region**:
  * At least 3 AZs
  * Regions are connected through the AWS backbone
  * Data and services in different Regions are independent of each other (except for some global-scale ones)
  * To improve the durability of your data, you can also replicate it in two or more Regions.
* **AWS Local Zones**
  * Have AWS's most core services (not all services)
  * < 10 milliseconds latency
  * Prices differ from the Region's
  * A single data center designed to supplement an existing AWS Region.
  * It's a way that AWS can provide more geographic coverage without having to create yet another multi-AZ Region (which is rather expensive!).
  * An **AWS Local Zone** places AWS compute, storage, database, and other select services closer to large population, industry, and IT centers where no AWS Region exists today.
  * ![image](https://hackmd.io/_uploads/Sk1YEh6Sa.png)
  * ![image](https://hackmd.io/_uploads/HkusV2TBa.png)
  * Local Zones provide a subset of AWS services to run workloads closer to end users, while edge locations are primarily used for caching and accelerating content delivery.
* Quiz
  * ![](https://hackmd.io/_uploads/SJEVeNeyp.png)

### Amazon CloudFront

* **CDN (content delivery network)**: copies data from one place to another (Amazon uses CloudFront)
* Delivers APIs, data, ... to customers with low latency and high transfer speeds
* Points of Presence
* An **Edge Location** is a site that Amazon CloudFront uses to **store cached copies** of your content closer to your customers for faster delivery.
  * Services that operate at Edge Locations (PoPs): CDN (CloudFront), WAF, Route 53 (DNS service).
* **AWS Outposts**: ask AWS to come and build it on the user's own premises.
* **Regions**: the geographic locations where you access services; they contain **Availability Zones**.
* How an Edge Location works:
  * ![](https://hackmd.io/_uploads/HyE-2mlya.png)
  * (1): ![](https://hackmd.io/_uploads/BkXJ7Eg1p.png)
  * (2): ![](https://hackmd.io/_uploads/B1pemVeJT.png)
  * (3): ![](https://hackmd.io/_uploads/SkNM7Ng16.png)
  * ![image](https://hackmd.io/_uploads/Hksj-i-n6.png)

### Key points

* ![](https://hackmd.io/_uploads/S12yz4e1a.png)

### How to provision AWS Resources

* Some ways to interact with AWS services:
  * ![image](https://hackmd.io/_uploads/BkwpRoxh6.png)
  * Using the console or the CLI ultimately means sending API requests to AWS service endpoints.
* **AWS Management Console**: A web-based interface for accessing and managing AWS services.
* **AWS Command Line Interface (AWS CLI)**: AWS CLI enables you to control multiple AWS services directly from the command line within one tool. AWS CLI is available for users on Windows, macOS, and Linux.
* **Software development kits (SDKs)**: SDKs make it easier for you to use AWS services through an API designed for your programming language or platform.
  * ![image](https://hackmd.io/_uploads/S1cdyheha.png)
  * ![image](https://hackmd.io/_uploads/B1snx2lha.png)

### Cost Optimization in AWS

* Choose the right resource configuration. Ex: in the cloud you may need less CPU and RAM than on-prem because the hardware generation is newer, or because trimming resources still meets the demand.
* Take advantage of: RIs, Savings Plans, Spot.
  * Spot: AWS always has spare resources that it rents out cheaply (up to 90% discount); limitation: AWS can reclaim them within 2 minutes of giving notice. Suitable for fault-tolerant microservice applications, where it saves money.
* Automate shutting down unused resources.
* Take advantage of serverless services: no need to worry about operating the system, fewer staff needed, charged only when running, shuts itself down.
* Design an optimal architecture: important; it takes people making decisions for the design to be efficient.
* Set up and use AWS Budgets.
* Cost allocation tags: tag by account/department so you know where costs can be saved.
* Continuously optimize every month (needs someone to manage it) (there is a DevSecFinOps role).
* Estimate costs with the AWS Pricing Calculator.

### More automated tools to provision

* **AWS Elastic Beanstalk**:
  * PaaS service.
  * With AWS Elastic Beanstalk, you provide code and configuration settings, and Elastic Beanstalk deploys the resources necessary to perform the following tasks:
    * Adjust capacity
    * Load balancing
    * Automatic scaling
    * Application health monitoring
  * Elastic Beanstalk supports Docker containers.
  * There is no additional charge for Elastic Beanstalk. You pay only for the underlying AWS resources that your application consumes.
* **AWS CloudFormation**: you can treat your infrastructure as code.

### Quiz

* ![](https://hackmd.io/_uploads/BkMN5Ngya.png)
* ![](https://hackmd.io/_uploads/HyYrqVxy6.png)
* ![](https://hackmd.io/_uploads/ByW_q4eJ6.png)
* ![](https://hackmd.io/_uploads/HJH99Exya.png)
* ![](https://hackmd.io/_uploads/S1kZoVxya.png)

## Module 4: Networking

### Learning objectives

In this module, you will learn how to:

* Describe the basic concepts of networking.
* Describe the difference between public and private networking resources.
* Explain a virtual private gateway using a real life scenario.
* Explain a virtual private network (VPN) using a real life scenario.
* Describe the benefit of AWS Direct Connect.
* Describe the benefit of hybrid deployments.
* Describe the layers of security used in an IT strategy.
* Describe the services customers use to interact with the AWS global network.

![](https://hackmd.io/_uploads/SyI67VlkT.png)

* Use AWS resources on the virtual network that you define.
* Private subnets (no internet access; usually for databases and application servers) and public subnets (can communicate over the internet).
### Amazon Virtual Private Cloud (Amazon VPC)

* **Your own private network in AWS.**
* Allows you to **define your private IP range for your AWS resources**.
* EC2 instances, ELBs, ... are placed inside a VPC.
* You place them **into different subnets**.
* **Subnets** are **chunks of IP addresses** in your VPC that allow you to **group resources together**.
* **Subnets together with networking rules determine whether resources are public or private.**
* You **can control what traffic gets into your VPC**.
* **Public-facing resources:**
  * In order to **allow traffic from the public internet to flow into and out of your VPC**, you must attach what is called an **internet gateway**, or IGW, to your VPC.
  * An internet gateway is like **a door** that is **open to the public**. **Without it, no one** can reach the resources placed inside of your VPC.
  * ![](https://hackmd.io/_uploads/Hyna1Sgya.png)

#### AWS VPC peering connection

* A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them privately.
* Instances in either VPC can communicate with each other as if they are within the same network.
* You can create a VPC peering connection between your own VPCs, with a VPC in another AWS account, or with a VPC in a different AWS Region.
* ![image](https://hackmd.io/_uploads/By6QG9BKT.png)

* **Internal private resources**:
  * **We want no one to touch these resources => no gateway.**
* **Virtual private gateway:**
  * AWS VPN is comprised of two services: **AWS Site-to-Site VPN and AWS Client VPN.**
  * ![image](https://hackmd.io/_uploads/SkJ_OBgLa.png)
  * ![image](https://hackmd.io/_uploads/SkEtuSeUp.png)
  * Allows you to **create a VPN connection** between a private network (on-premises data center or internal corporate network) and your VPC.
  * The bodyguard is like a virtual private network (VPN) connection that **encrypts (or protects) your internet traffic** from all the other requests around it.
* **VPN connections:**
  * They are private and they are encrypted, but they still use a regular internet connection whose bandwidth is shared by many people using the internet.
  * ![](https://hackmd.io/_uploads/H1TWbHl16.png)
* You want the **lowest amount of latency** possible with the **highest amount of security** possible.
* **AWS Direct Connect** is a service that lets you establish a private connection between your data center and a VPC.
  * The private connection that AWS Direct Connect provides helps you to **reduce network costs** and **increase the amount of bandwidth** that can travel through your network.
  * ![image](https://hackmd.io/_uploads/rJwSdBlI6.png)
* It's also important to note that **one VPC might have multiple types of gateways** attached for multiple types of resources all residing in the same VPC, just in different subnets.

![](https://hackmd.io/_uploads/SyzOlHx1p.png)

### Subnets and Network Access Control Lists

* AWS has a wide range of tools that cover every layer of security: network hardening, application security, user identity, authentication and authorization, distributed denial-of-service (DDoS) prevention, data integrity, encryption.

#### Subnets

* ![](https://hackmd.io/_uploads/rkkF9Olya.png)
* A subnet is a section of a VPC in which you can **group resources based on security or operational needs.**
* The technical reason to use subnets in a VPC is to **control access to the gateways.**
* The public subnets have **access to the internet gateway**; the **private subnets do not**.
* Subnets can also **control traffic permissions.**
* In a VPC, subnets can **communicate with each other.**
* For example, you might have an application that involves Amazon EC2 instances in a public subnet communicating with databases that are located in a private subnet.

#### Network traffic in a VPC

* When a **customer requests data** from an application hosted in the AWS Cloud, this request is sent **as a packet**.
  A packet is a unit of data sent over the internet or a network.
* Permission to leave or enter the subnet is checked based on the **sender + the communication method**.
* The **VPC component** that checks **packet permissions** for subnets is called a network access control list, or **network ACL**.

#### Network ACLs

* A network ACL is a **virtual firewall** that **controls inbound and outbound traffic** at the subnet level.
* By default, the account's default network ACL **allows all inbound and outbound traffic**.
* Rules for a custom network ACL:
  * **All inbound and outbound traffic is denied** until you add rules to specify which traffic to allow.
  * If a packet doesn't match any of the other rules on the list, **the packet is denied**.

#### Stateless packet filtering

![](https://hackmd.io/_uploads/rkC2R_gJa.png)

* Network ACLs perform stateless packet filtering.
  * They remember nothing.
  * Operation: When a packet comes back to the subnet, the **network ACL does not remember your previous request**. The network ACL **checks** the packet response against its **list of rules** to determine whether to allow or deny.
  * Works like passport control (the list gets checked on your way into a country and on the way out).
  * Being let in doesn't necessarily mean they're going to let you out.

#### Security groups

* A security group is a virtual firewall that controls **inbound and outbound traffic** **for an Amazon EC2 instance.**
* By default, a security group **denies all inbound traffic** and **allows all outbound traffic**.
* Add custom rules to configure which traffic should be allowed; any other traffic is then denied.
* **Ex**: As guests arrive, the door attendant checks a list to ensure they can enter the building. However, the door attendant does not check the list again when guests are exiting the building.
* If you have **multiple Amazon EC2 instances** within the same VPC, you can **associate them with the same security group** or **use different security groups** for **each instance**.
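The difference between the stateless network ACL and the stateful security group described above, as an added example that is not part of the original course notes: a small Python model of both filters evaluated against a constructed HTTP request and its response. Rule numbers, addresses and ports are constructed sample values, and the classes model only the first-match / connection-tracking behaviour the notes describe, not the real AWS implementation.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet seen at the subnet/instance boundary (constructed sample data)."""
    direction: str   # "inbound" or "outbound"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    number: int      # evaluation order, lowest first (like a network ACL rule number)
    direction: str
    cidr: str        # remote CIDR the rule applies to
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction:
            return False
        # Inbound: the remote side is the source; outbound: the remote side is the destination.
        remote_ip = pkt.src_ip if pkt.direction == "inbound" else pkt.dst_ip
        return (ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr)
                and self.port_from <= pkt.dst_port <= self.port_to)


class NetworkACL:
    """Stateless: every packet, including a response, is checked against the rule list."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action   # first matching rule wins
        return "deny"                # no rule matched: the packet is denied


class SecurityGroup:
    """Stateful: allow-only rules, and a response to an allowed request is always allowed."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound
        self.outbound = outbound
        self._flows = set()          # connection-tracking table of allowed flows

    def evaluate(self, pkt: Packet) -> str:
        # The flow key is identical for a request and its response.
        if pkt.direction == "inbound":
            flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        else:
            flow = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if flow in self._flows:
            return "allow"           # remembered flow: allowed regardless of the rules
        rules = self.inbound if pkt.direction == "inbound" else self.outbound
        if any(r.matches(pkt) for r in rules):
            self._flows.add(flow)
            return "allow"
        return "deny"                # implicit deny for everything not explicitly allowed


# Constructed traffic: a client fetches a web page from an instance on port 80.
CLIENT, SERVER, OTHER = "203.0.113.5", "10.0.1.10", "198.51.100.7"
REQUEST = Packet("inbound", CLIENT, 50000, SERVER, 80)
RESPONSE = Packet("outbound", SERVER, 80, CLIENT, 50000)
NEW_OUTBOUND = Packet("outbound", SERVER, 51000, OTHER, 80)  # instance-initiated connection


def nacl_verdicts(include_ephemeral_rule: bool):
    """Network ACL: without an outbound rule for ephemeral ports the response is dropped."""
    rules = [
        Rule(100, "inbound", "0.0.0.0/0", 80, 80, "allow"),
        Rule(100, "outbound", "0.0.0.0/0", 443, 443, "allow"),
    ]
    if include_ephemeral_rule:
        rules.append(Rule(110, "outbound", "0.0.0.0/0", 1024, 65535, "allow"))
    acl = NetworkACL(rules)
    return acl.evaluate(REQUEST), acl.evaluate(RESPONSE)


def sg_verdicts():
    """Security group: the response passes on tracked state even though outbound rules
    only allow port 443; an unrelated new outbound connection on port 80 is denied."""
    sg = SecurityGroup(
        inbound=[Rule(0, "inbound", "0.0.0.0/0", 80, 80, "allow")],
        outbound=[Rule(0, "outbound", "0.0.0.0/0", 443, 443, "allow")],
    )
    return sg.evaluate(REQUEST), sg.evaluate(RESPONSE), sg.evaluate(NEW_OUTBOUND)


if __name__ == "__main__":
    print("NACL, no ephemeral rule :", nacl_verdicts(False))   # ('allow', 'deny')
    print("NACL, with ephemeral rule:", nacl_verdicts(True))   # ('allow', 'allow')
    print("Security group          :", sg_verdicts())          # ('allow', 'allow', 'deny')
```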
#### Stateful packet filtering

![](https://hackmd.io/_uploads/B1Yi-KgyT.png)

* **Security groups** perform stateful packet filtering.
  * They **remember previous decisions** made for incoming packets.
  * When a **packet returns** to the instance, the security group **remembers your previous request**. The security group **allows the response to proceed**, **regardless of inbound security group rules.**

![](https://hackmd.io/_uploads/BypHGYe1a.png)

#### VPC component recall

* **Private subnet**: Isolate a database containing user info.
* **Virtual private gateway**: Create a VPN connection between the VPC and an internal network.
* **Public subnet**: Support the customer-facing website.
* **AWS Direct Connect**: Create a dedicated private connection between the VPC and an on-premises data center.

### Domain Name System (DNS):

* DNS is like **a translator**. When you **give a domain name** to DNS, it **returns the IP address** of that domain.
* Example:
  * ![](https://hackmd.io/_uploads/HkJ_9Slka.png)
  * Suppose your PC **wants to access a domain name**. You type the domain and your PC **sends a request to the customer DNS resolver**.
  * The customer DNS resolver then **requests the IP address of the domain** from the **company DNS server**.
  * The **company DNS server returns the corresponding IP address**. Now you can access it :)))

### Route 53 - The road to the HR lady's heart

* It is a **DNS web service**. It provides a **highly reliable way to route** users to applications hosted on AWS.
* Some Route 53 routing **policies**:
  * ![](https://hackmd.io/_uploads/Hy41yLe1p.png)
* You can also use Route 53 to **register a domain name or transfer a domain name.**
* Example of how Route 53 and Amazon CloudFront work together to deliver content:
  * ![](https://hackmd.io/_uploads/BkuAkLeyT.png)
  * Explanation:
    * Suppose a company's application is **hosted on EC2 instances** and these EC2 instances **are in an Auto Scaling group**.
      And **this Auto Scaling group is connected to a load balancer**.
    * In the diagram above, a user **requests data from the company's application** by visiting the company's website.
    * Amazon Route 53 uses DNS to **return the corresponding IP address**, for example 192.1.1.1, and this IP address is **sent back to the user's machine**.
    * The **user's request** then goes to that IP address and is **routed to the nearest place that has the data** (nearest edge location) **through Amazon CloudFront**.
    * Amazon CloudFront **forwards the request to the Application Load Balancer**, and the load balancer **forwards the packet to an EC2 instance**. Naturally this follows the Auto Scaling rules and the routing of the load balancer and the Auto Scaling group.

#### Quiz

* ![](https://hackmd.io/_uploads/SkgXmUe16.png)

### TOTAL QUIZ

* ![](https://hackmd.io/_uploads/ryS4H8ekT.png)
* ![](https://hackmd.io/_uploads/rkgdB8eyp.png)
* ![](https://hackmd.io/_uploads/BkmjH8e16.png)
* ![](https://hackmd.io/_uploads/SJ4RrUekp.png)
* ![](https://hackmd.io/_uploads/H1rXLLlJp.png)

## Module 5: Storage and Databases

### Learning objectives

In this module, you will learn how to:

* Summarize the basic concept of storage and databases.
* Describe the benefits of Amazon Elastic Block Store (Amazon EBS).
* Describe the benefits of Amazon Simple Storage Service (Amazon S3).
* Describe the benefits of Amazon Elastic File System (Amazon EFS).
* Summarize various storage solutions.
* Describe the benefits of Amazon Relational Database Service (Amazon RDS).
* Describe the benefits of Amazon DynamoDB.
* Summarize various database services.

### Instance Stores and Amazon Elastic Block Store (Amazon EBS)

Running EC2 instances need access to various resources, specifically storage.

#### Instance Stores

##### Block Level Storage

* EC2 instances access block-level storage.
* Block-level storage works like the hard disk in your computer.
* EC2 instances access storage; depending on the EC2 instance type you run, the storage can be of the following kinds:
* **Instance Store Volumes**:
  * ![](https://hackmd.io/_uploads/S1jyX2gJa.png)
  * They are physically attached to the EC2 instance.
  * They are used like a normal hard disk.
  * When the EC2 instance stops or terminates, the instance store volume is gone too. This means you lose all data in that storage.
  * How it works:
    * ![](https://hackmd.io/_uploads/rkhn42lJp.png)
    * ![](https://hackmd.io/_uploads/BJQAN3lya.png)
    * ![](https://hackmd.io/_uploads/B1BkS2l16.png)

#### Amazon Elastic Block Store (Amazon EBS)

* Provides **block-level storage**.
* Well-suited to both database-style applications (random reads and writes) and throughput-intensive applications (long, continuous reads and writes).
* Termination protection is turned off by default and must be manually enabled (it keeps the volume/data when the instance is terminated).
* You can have up to 5,000 EBS volumes by default.
* You can have up to 10,000 snapshots by default.
* You can **mount multiple volumes on the same instance**, and **you can mount a Provisioned IOPS volume to multiple instances** at a time using Amazon EBS Multi-Attach.
* You can **create point-in-time snapshots of EBS volumes**, which are **persisted to Amazon S3**, similar to AMIs. **Snapshots can be copied across AWS Regions.**
* Volumes are **created in a specific AZ and can then be attached to any instance in that same AZ**.
* To make a volume available outside of its AZ, you can create a snapshot and restore that snapshot to a new volume anywhere in that Region.
* EBS differs from instance store volumes in that when the EC2 instance stops, the data written to EBS is not lost.
  * This is because EBS is not directly attached to the EC2 instance.
  * ![](https://hackmd.io/_uploads/BJe_U3lyT.png)
* To create an EBS volume, you just set up the size, type and configuration and then attach it to an EC2 instance.
  * ![](https://hackmd.io/_uploads/H1GRUngJp.png)
* EBS also supports creating backups using **Amazon EBS snapshots**.
  * EBS snapshots let us keep copies to restore from in case something happens to the EBS volume.
  * ![](https://hackmd.io/_uploads/BynAP3lJa.png)

#### Quiz

![](https://hackmd.io/_uploads/BJWfuhgJp.png)

### Amazon Simple Storage Service (Amazon S3)

* ![image](https://hackmd.io/_uploads/rJzarVY9a.png)
* Born to store your smile.
* S3 stores data as objects within **buckets**.
* An **object** consists of a file and optionally any metadata that describes that file.
* A **key** is a unique identifier for an object.
* An object is a file, a bucket is a directory.
* Maximum object size is 5 TB.

#### Buckets

* Control access to the bucket (create, delete, and list objects in the bucket).
* View access logs.
* Choose the geographical Region where to store the bucket and its contents.
* The name must be unique across all existing bucket names in Amazon S3.
* After you create the bucket you cannot change the name.
* You can create up to 100 buckets in each of your AWS accounts.
* You can't change its Region after creation.
* You can't delete an S3 bucket using the Amazon S3 console if the bucket contains 100,000 or more objects. You can't delete an S3 bucket using the AWS CLI if versioning is enabled.

### Storage Classes

* There are many S3 storage classes, depending on the use case. When choosing a tier, we consider:
  * How often you plan to retrieve the data (frequency).
  * How available you need your data to be.

#### Storage Classes for Frequently Accessed Objects

* **S3 STANDARD** for **general-purpose** storage of frequently accessed data.
* **S3 EXPRESS ONE ZONE**
  * Delivers consistent single-digit millisecond data access for frequently accessed data and latency-sensitive applications (fast access).
  * Improves data access speeds by 10x and reduces request costs by 50% compared to S3 Standard.

#### Storage Classes for Infrequently Accessed Objects

* **S3 STANDARD_IA** for long-lived but **less frequently accessed** data. Stores the object data redundantly across multiple geographically separated AZs.
* **S3 ONEZONE_IA** stores the object data in **only one AZ**; 20% cheaper than STANDARD_IA, but the data is **not resilient** to the physical loss of the AZ.
* These two storage classes are suitable for objects **larger than 128 KB** that you plan to store for **at least 30 days.**
  * If an object is less than 128 KB, Amazon S3 charges you for 128 KB. If you delete an object before the 30-day minimum, you are charged for 30 days.

#### Amazon S3 Intelligent-Tiering

* For when you want to optimize storage costs automatically as data access patterns change.
* The **first** cloud object storage class that delivers automatic cost savings by **moving data between two access tiers: frequent access and infrequent access**.
* Monitors access patterns and moves objects that have **not been accessed for 30 consecutive days** to the **infrequent access tier**. If an object in the infrequent access tier is accessed later, it is automatically moved back to the frequent access tier.
* Supports the archive access tiers:
  * If objects **haven't been accessed for 90 consecutive days**, they are moved to the **archive access tier.**
  * After **180 consecutive days of no access**, they are automatically **moved to the deep archive access tier.**

#### S3 GLACIER

* Long-term **archive**.
* S3 Glacier provides the following storage classes: S3 Glacier Instant Retrieval, S3 Glacier Flexible Retrieval, and S3 Glacier Deep Archive.
* Archived objects are not available for real-time access. You must restore the objects before you can access them.
* You cannot specify GLACIER as the storage class at the time that you create an object.
* Glacier objects are visible through S3 only.
* **For S3 Standard, S3 Standard-IA, and Glacier storage classes**, your objects are automatically stored across multiple devices spanning a **minimum of three Availability Zones.**

##### Amazon S3 Glacier Instant Retrieval

* Long-lived data that is rarely accessed.
* Retrieved in milliseconds.
* If data is accessed only once every quarter, you can save costs on storage compared to using S3 Standard-IA.
* Resilient in the event of the destruction of one entire Availability Zone.

##### Amazon S3 Glacier Flexible Retrieval

* Storing archive data that is accessed once or twice per year.
* Access times ranging from minutes to hours, and free bulk retrievals.

##### Amazon S3 Glacier Deep Archive

* Provides secure and durable object storage for long-term retention of data that is accessed rarely in a year.
* Offers the lowest-cost storage in the cloud.
* Lower than storing and maintaining data in on-premises magnetic tape libraries or archiving data offsite.
* Replicated and stored across at least three geographically dispersed Availability Zones, 99.999999999% durability.
* Offers a bulk retrieval option, where you can retrieve petabytes of data within 48 hours.

#### Amazon S3 on Outposts

* Uses S3 APIs to deliver object storage to an on-premises AWS Outposts environment.
* The data is encrypted with SSE-C and SSE-S3 and redundantly stored across Outposts servers.
* With AWS DataSync, you can automate data transfer between Outposts and AWS Regions.

#### Amazon S3 Versioning

#### Quiz

![](https://hackmd.io/_uploads/Bk2dy6gJ6.png)

### Amazon Elastic File System (Amazon EFS)

* A scalable file system used with AWS Cloud services and on-premises resources.
* As you add and remove files, Amazon EFS grows and shrinks automatically.
  (Auto Scaling)
* Comparison between EBS and EFS:

<table>
  <tr>
    <th>Amazon EBS</th>
    <th>Amazon EFS</th>
  </tr>
  <tr>
    <td>An Amazon EBS volume stores data in a <strong>single</strong> Availability Zone.</td>
    <td>Amazon EFS is a regional service. It stores data in and across <strong>multiple</strong> Availability Zones.</td>
  </tr>
  <tr>
    <td>To attach an Amazon EC2 instance to an EBS volume, both the Amazon EC2 instance and the EBS volume must reside within the same Availability Zone.</td>
    <td>The duplicate storage enables you to access data concurrently from all the Availability Zones in the Region where a file system is located. Additionally, on-premises servers can access Amazon EFS using AWS Direct Connect.</td>
  </tr>
</table>

### Amazon Relational Database Service (Amazon RDS)

* A service that enables you to run relational databases in the AWS Cloud.
* Automates tasks such as hardware provisioning, database setup, patching, and backups.
* Supported engines:
  * Amazon Aurora
  * PostgreSQL
  * MySQL
  * MariaDB
  * Oracle Database
  * Microsoft SQL Server
* Integrated with Amazon Aurora.

#### Amazon Aurora

* A fully managed relational database engine that's compatible with MySQL and PostgreSQL.
* Aurora can deliver up to five times the throughput of MySQL and up to three times the throughput of PostgreSQL.
* The minimum storage is 10 GB, up to 128 terabytes.

## **Module 6: Security** :laughing:

![](https://hackmd.io/_uploads/SkK08V-JT.png)

### AWS Shared Responsibility Model

* We have learned that resources include Amazon EC2 instances, Amazon S3 buckets, and Amazon RDS databases.
* Treat the environment as a collection of parts that build upon each other.
* AWS is responsible for some parts of your environment and you (the customer) are responsible for other parts.
* AWS: security **of** the cloud.
* User: security **in** the cloud.

![](https://hackmd.io/_uploads/Sy9L5VZkp.png)

* Think of this model as the division of responsibilities between the homeowner and the "lucky" builder =)).
#### User: security in the cloud

* Read more

#### AWS: security of the cloud

* Read more

#### Quiz

![](https://hackmd.io/_uploads/B1bmhVWkp.png)

### User Permissions And Access (IAM)

* **AWS Identity and Access Management (IAM)**
  * Controls who is authenticated (signed in) and authorized (has permissions) to use resources.
  * **Root user**: the single sign-in identity that has complete access to all AWS services and resources in the account.
  * You can allow users to use **identity federation** to get temporary access to your AWS account.

#### Access keys

* An access key (**an access key ID and secret access key**) signs programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).
  * Access key ID (for example, AKIAIOSFODNN7EXAMPLE)
  * Secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY)
* IAM features:
  * IAM users, groups, and roles
  * IAM policies
  * Multi-factor authentication

#### AWS account root user

* When you create your account => you are the root user (owner).
* It has complete access to all the AWS services and resources in the account.
* ![](https://hackmd.io/_uploads/BytEerWJ6.png)
* Do not use the root user for everyday tasks.
* Use the root user to create your first IAM user and assign it permissions to create other users.
* Examples of tasks that require the root user: changing your root user email address and changing your AWS Support plan.

#### IAM users

* An IAM user represents the person or application that interacts with AWS services and resources.
* It consists of a name and credentials.
* When you create a new IAM user in AWS, it has no permissions (by default).
* You must grant the IAM user the necessary permissions to do tasks.
* AWS recommends that you create individual IAM users for each person who needs to access AWS.
* Even if you have multiple employees who require the same level of access, you should create individual IAM users for each of them.
  This provides additional security by allowing each IAM user to have a unique set of security credentials.

#### IAM policies

* You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources.
* A policy is a document that allows or denies permissions to AWS services and resources.
* Follow the security principle of **least privilege when granting permissions.**
  * Prevent users or roles from having more permissions than needed to perform their tasks.
  * For example, if an employee needs access to only a specific bucket, specify the bucket in the IAM policy. Do this instead of granting the employee access to all of the buckets in your AWS account.

##### Example

![](https://hackmd.io/_uploads/HJMMGBW16.png)

#### IAM groups

![](https://hackmd.io/_uploads/r1u_fHWk6.png)

* An IAM group is a collection of IAM users.
* Apply a policy to the group => all users in the group get those permissions.
* Assigning IAM policies at the group level also makes it easier to adjust permissions when an employee transfers to a different job.
* This ensures that employees have only the permissions that are required for their current role.

#### IAM roles

* An IAM role is similar to an IAM user.
  * It is an AWS identity with permission policies that determine what the identity can and cannot do in AWS.
  * However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it.
* An IAM role is an identity that you can assume to gain temporary access to permissions.
* IAM roles are ideal for situations in which access to services or resources needs to be granted temporarily, instead of long-term.

![](https://hackmd.io/_uploads/H1kDQH-Jp.png)
![](https://hackmd.io/_uploads/r1OdXrZJ6.png)
![](https://hackmd.io/_uploads/SJesQHWJp.png)

#### Multi-factor authentication

* You might have needed to provide your password and then a second form of authentication, such as a random code sent to your phone.
* In IAM, multi-factor authentication (MFA) provides an extra layer of security for your AWS account.

![](https://hackmd.io/_uploads/Hy4pNBWkT.png)
![](https://hackmd.io/_uploads/BJFAEHZka.png)
![](https://hackmd.io/_uploads/ryggSHZk6.png)

## **Module 7: Monitoring And Analytics**

### Amazon CloudWatch

* A web service that enables you to **monitor and manage various metrics** and configure alarm actions based on data from those metrics.
* Use metrics to create graphs automatically that show how performance has changed over time.

#### CloudWatch Alarms

* With CloudWatch, you can create alarms that **automatically perform actions** if the **value** of your metric has gone **above or below** a predefined **threshold**.

#### CloudWatch Dashboards

* The CloudWatch dashboard feature enables you to access all the metrics for your resources from a single location.
* ![](https://hackmd.io/_uploads/Sk-u2Vb1p.png)

### AWS CloudTrail

* Records API calls for your account.
* ![](https://hackmd.io/_uploads/BJoUFdUZT.png)
* Recorded info:
  * The identity of the API caller
  * The time of the API call
  * The source IP address of the API caller
* Events are typically updated in CloudTrail within 15 minutes after an API call.
* You can filter events by specifying the time and date that an API call occurred, the user who requested the action, the type of resource that was involved in the API call, and more.
* ![](https://hackmd.io/_uploads/H1u25dU-T.png)

#### CloudTrail Insights

* You can also enable CloudTrail Insights. This optional feature allows CloudTrail to automatically detect unusual API activity in your AWS account.
* For example, CloudTrail Insights might detect that a higher number of Amazon EC2 instances than usual have recently launched in your account.
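The CloudTrail record fields listed above (caller identity, time, source IP) are what a defender actually queries, so here is an added example, not part of the original notes, that runs three checks over a constructed CloudTrail-format log: root user API activity (the IAM section says not to use root for everyday tasks), console sign-ins without MFA, and an Insights-style spike in `RunInstances` calls per hour. The records, account ID, user names and IP addresses are constructed sample data; the field names (`eventTime`, `eventName`, `eventSource`, `userIdentity.type`, `additionalEventData.MFAUsed`) follow the real CloudTrail record layout, and the spike threshold is an assumption chosen for the demo.

```python
import json
from collections import Counter


def _event(time, id_type, name, source, event_name, src_ip, extra=None):
    """Build one record in CloudTrail's JSON shape (constructed sample, not real data)."""
    identity = {"type": id_type, "accountId": "111122223333"}   # placeholder account id
    if name:
        identity["userName"] = name
    rec = {"eventVersion": "1.08", "eventTime": time, "eventSource": source,
           "eventName": event_name, "awsRegion": "us-east-1",
           "sourceIPAddress": src_ip, "userIdentity": identity}
    rec.update(extra or {})
    return rec


def _login(mfa_used):
    """Extra fields CloudTrail adds to a successful ConsoleLogin event."""
    return {"additionalEventData": {"MFAUsed": mfa_used},
            "responseElements": {"ConsoleLogin": "Success"}}


# Constructed log file in CloudTrail's {"Records": [...]} delivery format.
SAMPLE_LOG = json.dumps({"Records": [
    _event("2024-01-10T08:02:11Z", "IAMUser", "alice", "signin.amazonaws.com",
           "ConsoleLogin", "203.0.113.10", _login("Yes")),
    _event("2024-01-10T08:10:30Z", "IAMUser", "alice", "ec2.amazonaws.com",
           "DescribeInstances", "203.0.113.10"),
    _event("2024-01-10T08:20:45Z", "AssumedRole", "ci-deploy", "ec2.amazonaws.com",
           "RunInstances", "10.0.1.25"),
    _event("2024-01-10T09:15:02Z", "IAMUser", "alice", "ec2.amazonaws.com",
           "RunInstances", "203.0.113.10"),
    _event("2024-01-10T10:05:00Z", "Root", None, "signin.amazonaws.com",
           "ConsoleLogin", "198.51.100.7", _login("No")),
    _event("2024-01-10T10:07:19Z", "Root", None, "ec2.amazonaws.com",
           "RunInstances", "198.51.100.7"),
] + [
    # Six launches within one hour by the same user: the unusual burst to detect.
    _event(f"2024-01-10T11:{minute:02d}:00Z", "IAMUser", "bob", "ec2.amazonaws.com",
           "RunInstances", "203.0.113.44")
    for minute in (0, 3, 6, 9, 12, 15)
]})


def parse_records(log_text):
    """CloudTrail delivers files as {"Records": [...]}; return the list of events."""
    return json.loads(log_text)["Records"]


def identity_label(rec):
    ident = rec["userIdentity"]
    return ident.get("userName", ident["type"])


def root_activity(records):
    """Every API call made by the root user, as (time, eventName)."""
    return [(r["eventTime"], r["eventName"]) for r in records
            if r["userIdentity"]["type"] == "Root"]


def console_logins_without_mfa(records):
    """Console sign-ins where the MFAUsed flag is anything but "Yes"."""
    return [(r["eventTime"], identity_label(r)) for r in records
            if r["eventName"] == "ConsoleLogin"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"]


def run_instances_spikes(records, factor=3.0, minimum=5):
    """Hours whose RunInstances count exceeds `factor` times the mean of the other
    hours and at least `minimum` calls (a simplified Insights-style baseline)."""
    per_hour = Counter()
    for r in records:
        if r["eventSource"] == "ec2.amazonaws.com" and r["eventName"] == "RunInstances":
            per_hour[r["eventTime"][:13]] += 1       # bucket by "YYYY-MM-DDTHH"
    spikes = []
    for hour, count in sorted(per_hour.items()):
        others = [c for h, c in per_hour.items() if h != hour]
        baseline = sum(others) / len(others) if others else 0.0
        if count >= minimum and count > factor * baseline:
            spikes.append((hour, count))
    return spikes


def analyze(log_text):
    records = parse_records(log_text)
    return {"root_activity": root_activity(records),
            "console_logins_without_mfa": console_logins_without_mfa(records),
            "run_instances_spikes": run_instances_spikes(records)}


if __name__ == "__main__":
    for check, hits in analyze(SAMPLE_LOG).items():
        print(f"{check}: {hits}")
```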
![](https://hackmd.io/_uploads/HJVxidL-6.png)

### AWS Trusted Advisor

Benefits of Trusted Advisor:

* Cost optimization - Trusted Advisor can help you save cost with actionable recommendations by analyzing usage, configuration and spend.
* Performance - Trusted Advisor can help improve the performance of your services with actionable recommendations by analyzing usage and configuration.
* Security - Trusted Advisor can help improve the security of your AWS environment by suggesting foundational security best practices curated by security experts.
* Fault tolerance - Trusted Advisor can help improve the reliability of your services.
* Service quotas - Service quotas are the maximum number of resources that you can create in an AWS account.

* ![](https://hackmd.io/_uploads/rJZr6u8-p.png)
* ![](https://hackmd.io/_uploads/rJoOp_IbT.png)
* ![](https://hackmd.io/_uploads/rJ9cpOIba.png)
* ![](https://hackmd.io/_uploads/SknaaO8ZT.png)
* ![](https://hackmd.io/_uploads/B1jJCOUW6.png)
* Provides real-time recommendations in accordance with AWS best practices.
* Five categories: cost optimization, performance, security, fault tolerance, and service limits.
* ![](https://hackmd.io/_uploads/HJNtAuLWp.png)
* ![](https://hackmd.io/_uploads/Byw5COLZ6.png)

### Quiz

* ![](https://hackmd.io/_uploads/Hk9OJK8-a.png)
* ![](https://hackmd.io/_uploads/H1_tkYLZT.png)
* ![](https://hackmd.io/_uploads/BytcyFLbp.png)

## Pricing and Support

### AWS Free Tier

* 12 months from the day you sign up for AWS.

### AWS Pricing Concepts

* Pay for what you use (use it, pay for it).
* Pay less when you reserve (use it longer, pay less).
* Pay less with volume-based discounts when you use more (use more, pay less).

### AWS Pricing Calculator

* You can organize your AWS estimates by groups that you define.

### Billing dashboard

* Pay your AWS bill, monitor your usage, and analyze and control your costs.

### Consolidated Billing

* AWS Organizations also provides the option for consolidated billing.
* The default maximum number of accounts allowed for an organization is 4.
* You can easily track the combined costs of all the linked accounts in your organization.
* ![](https://hackmd.io/_uploads/SkokWK9b6.png)

### AWS Budgets

* Sends you an alert when your costs exceed what your budget allows.
* You can create budgets to plan your service usage, service costs, and instance reservations.
* Types of budgets:
  * Cost budgets – Plan how much you want to spend on a service. (Alerts when total cost exceeds the cost threshold in the budget.)
  * Usage budgets – Plan how much you want to use one or more services. (Alerts when the total usage of each selected service exceeds the usage threshold.) Example: usage measured in EC2 running hours.
  * RI utilization budgets – Define a utilization threshold and receive alerts when your RI usage falls below that threshold.
  * RI coverage budgets – Define a coverage threshold and receive alerts when the number of your instance hours that are covered by RIs falls below that threshold.
  * Savings Plans budgets
* Amazon CloudWatch Billing vs AWS Budgets
  * ![image](https://hackmd.io/_uploads/r1lojKXha.png)
  * ![image](https://hackmd.io/_uploads/rJE4ntmh6.png)
  * Amazon CloudWatch Billing Alarms: send an alarm when the actual cost exceeds a certain threshold.
  * AWS Budgets: sends an alarm when the actual cost exceeds the budgeted amount or even when the **cost forecast** exceeds the budgeted amount.

### AWS Cost Explorer

* AWS Cost Explorer is a tool that lets you visualize, understand, and manage your AWS costs and usage over time.
* includes a default report that helps you visualize the costs and usage
* forecast how much you're likely to spend for the next three months

### AWS Support Plans

* ![image](https://hackmd.io/_uploads/Bk_0S2e2a.png)
* A second technique is to create a secondary account, replicate the problems into it (using IaC), and buy exactly the same support plan as the main account; you pay less because support pricing scales with the account's usage.
* AWS offers four different Support plans to help you troubleshoot issues, lower costs, and efficiently use AWS services.

#### Basic Support

* You have 24×7 access to customer service, AWS documentation, whitepapers, and support forums.
* **AWS Trusted Advisor**: You are only provided access to the **7 core Trusted Advisor checks.**
* **AWS Personal Health Dashboard**: personalized view of the health status of each AWS service, provides an alert when your resources are impacted by an AWS-initiated activity.

#### A Technical Account Manager (TAM)

* a technical point of contact who provides advocacy and guidance to assist you in planning and building solutions in AWS using industry best practices.
* Take note that a designated TAM is **only available if you opt for the AWS Enterprise Support plan.**

#### Developer, Business, Enterprise On-Ramp, and Enterprise Support

* ![image](https://hackmd.io/_uploads/BkhByw72T.png)
* ![image](https://hackmd.io/_uploads/BytUywm26.png)
* ![image](https://hackmd.io/_uploads/HJY4P5aBa.png)
* ![image](https://hackmd.io/_uploads/ryDvP5aS6.png)
* ![image](https://hackmd.io/_uploads/Hyz2v9aSa.png)
* ![image](https://hackmd.io/_uploads/HJ310U72p.png)

### AWS Marketplace

* AWS Marketplace is a digital catalog that includes thousands of software listings from independent software vendors. You can use AWS Marketplace to find, test, and buy software that runs on AWS.
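The AWS Budgets section above contrasts Amazon CloudWatch billing alarms (actual cost only) with AWS Budgets (actual or forecasted cost). As an added example that is not part of the original note, the CloudFormation template below puts both side by side for a constructed USD 500 monthly limit; the SNS topic parameter and the e-mail address are placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the original note): the same USD 500 monthly limit
  expressed as a CloudWatch billing alarm (actual charges only) and as an AWS
  Budget (actual and forecasted spend). Amounts and addresses are constructed.

Parameters:
  AlertTopicArn:
    Type: String
    Description: Placeholder - ARN of the SNS topic that receives the CloudWatch alarm.

Resources:
  # Amazon CloudWatch billing alarm: fires only once EstimatedCharges has
  # actually crossed the threshold. The AWS/Billing metric is published only
  # in us-east-1 and requires "Receive Billing Alerts" to be enabled.
  ActualChargesAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: estimated-charges-over-500-usd
      Namespace: AWS/Billing
      MetricName: EstimatedCharges
      Dimensions:
        - Name: Currency
          Value: USD
      Statistic: Maximum
      Period: 21600                 # the metric is published roughly every 6 hours
      EvaluationPeriods: 1
      Threshold: 500
      ComparisonOperator: GreaterThanThreshold
      AlarmActions:
        - !Ref AlertTopicArn

  # AWS Budgets: one cost budget with two notifications. The first mirrors the
  # CloudWatch behaviour (actual spend); the second is what CloudWatch cannot
  # do: alert when the month-end forecast is projected to exceed the budget.
  MonthlyCostBudget:
    Type: AWS::Budgets::Budget
    Properties:
      Budget:
        BudgetName: monthly-cost-budget
        BudgetType: COST            # USAGE, RI_UTILIZATION, RI_COVERAGE, ... are the other types
        TimeUnit: MONTHLY
        BudgetLimit:
          Amount: 500
          Unit: USD
      NotificationsWithSubscribers:
        - Notification:
            NotificationType: ACTUAL
            ComparisonOperator: GREATER_THAN
            Threshold: 80           # 80 % of the limit, i.e. USD 400 already spent
            ThresholdType: PERCENTAGE
          Subscribers:
            - SubscriptionType: EMAIL
              Address: billing-alerts@example.com   # constructed address
        - Notification:
            NotificationType: FORECASTED
            ComparisonOperator: GREATER_THAN
            Threshold: 100          # forecast for the month exceeds the limit
            ThresholdType: PERCENTAGE
          Subscribers:
            - SubscriptionType: EMAIL
              Address: billing-alerts@example.com   # constructed address
```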
#### Quiz

* ![](https://hackmd.io/_uploads/ByROMFqZT.png)
* ![](https://hackmd.io/_uploads/BJO5fKc-p.png)
* ![](https://hackmd.io/_uploads/B1YaMKcbp.png)
* ![](https://hackmd.io/_uploads/SJE-7F9Zp.png)
* ![](https://hackmd.io/_uploads/Sk24XYcWa.png)

## Module 9: Migration and Innovation

### AWS Cloud Adoption Framework (AWS CAF)

* ![image](https://hackmd.io/_uploads/HkOX-DCqT.png)
* https://docs.aws.amazon.com/whitepapers/latest/overview-aws-cloud-adoption-framework/foundational-capabilities.html
* framework provided by AWS to assist you in adopting cloud computing for your enterprise infrastructure.
* framework that contains various perspectives that are based on years of extensive experience and best practices in AWS
* 6 perspectives:
  * Business
  * People
  * Governance
  * Platform
  * Security
  * Operation
* Each of these perspectives consists of a set of capabilities that particular stakeholders own or manage
* Perspectives: 6 areas to focus on
  * Business, People, and Governance Perspectives focus on business capabilities
  * Platform, Security, and Operations Perspectives focus on technical capabilities.

#### Cloud Transformation Phases in AWS CAF

* Envision
  * involves identifying and prioritizing transformation opportunities that align with strategic objectives
* Align
  * creating strategies for improving cloud readiness, ensuring stakeholder alignment, and facilitating relevant organizational change management activities.
* Launch
  * involves delivering pilots in production and demonstrating incremental business value.
  * Learning from pilots helps businesses adjust their approach before scaling to full production.
* Scale
  * this ensures that the business benefits associated with cloud investments are realized and sustained.

### 6 strategies for migration

* Rehosting
* Replatforming
* Refactoring/re-architecting
* Repurchasing
* Retaining
* Retiring

![](https://hackmd.io/_uploads/ry30JPUfT.png)

---

## AWS SNOWBALL

The **AWS Snow Family** currently has 4 main device types:

1. **AWS Snowcone**
2. **AWS Snowball**
3. **AWS Snowball Edge** (including two main variants: Storage Optimized and Compute Optimized)
4. **AWS Snowmobile**

Below are the details of each device type:

### 1. **AWS Snowcone**

- **Purpose**: The most compact device, used for small-scale **compute and data transfer** tasks at the edge.
- **Specifications**:
  - 2 vCPUs, 4 GB RAM.
  - Up to 14 TB of storage.
- **Use cases**: Suitable for remote or poorly connected environments where a small portable device is needed to collect and process data.

---

### 2. **AWS Snowball**

- **Purpose**: A device for **transferring large volumes of data** into or out of AWS without an Internet connection.
- **Specifications**:
  - 50 TB (42 TB usable, US only) and 80 TB (72 TB usable, more common) versions.
- **Features**: Used only to store data, **no compute support**.
- **Use cases**: Suitable for large data migrations when no on-site processing is required.

---

### 3. **AWS Snowball Edge**

- **Purpose**: Not only transfers data but also supports **edge computing**.
- **Variants**:
  - **Snowball Edge Storage Optimized**:
    - Focused on storage, with **capacity up to 80 TB**.
    - Suitable for tasks that need large storage but only light compute.
  - **Snowball Edge Compute Optimized**:
    - Integrates high compute capability with **52 vCPUs, 208 GiB RAM, 7.68 TB NVMe SSD**.
    - Suitable for tasks that need heavy data processing before the data is sent to AWS.
- **Use cases**: Used in offline environments where large amounts of data must be processed and stored on site, for example IoT applications or remote locations.

---

### 4. **AWS Snowmobile**

- **Purpose**: Designed for **massive data transfer** projects (up to hundreds of petabytes) into AWS.
- **Specifications**:
  - Capacity of up to **100 petabytes** per device.
  - Snowmobile is a 45-foot (13.7 m) container pulled by a dedicated truck.
- **Use cases**: For organizations that need to move very large volumes of data, such as media archives, scientific research or large data centers.

---

### Comparison overview

| Device | Purpose | Storage capacity | Compute capability | Use case |
|---|---|---|---|---|
| **AWS Snowcone** | Small-scale compute and storage | 14 TB | Yes | Remote environments |
| **AWS Snowball** | Large data transfer | 50-80 TB | No | Large data migration |
| **AWS Snowball Edge** | Edge compute and storage | 80-100 TB | Yes | On-site compute |
| **AWS Snowmobile** | Very large data transfer | 100 petabytes | No | Large data centers |

---

These devices let organizations transfer data into AWS and process it efficiently, depending on the scale and compute requirements of the project.

### Innovation with AWS

#### serverless applications

* serverless refers to applications that don't require you to provision, maintain, or administer servers

#### ML

* Amazon SageMaker to remove the difficult work from the process and empower you to build, train, and deploy ML models quickly

#### AI

* Get code recommendations while writing code and identify security issues in your code with Amazon CodeWhisperer.
* Convert speech to text with Amazon Transcribe.
* Discover patterns in text with Amazon Comprehend.
* Identify potentially fraudulent online activities with Amazon Fraud Detector
* Build voice and text chatbots with Amazon Lex

### AWS Well-Architected Framework

* provides a way for you to consistently measure your architecture against best practices and design principles and identify areas for improvement.
* This framework is composed of six pillars that help you understand the pros and cons of the decisions you make while building cloud architectures and systems on the AWS platform.
* The Well-Architected Framework is based on six pillars:
* ![image](https://hackmd.io/_uploads/S1pFIo6S6.png)

#### Operational Excellence

* The ability to run and monitor systems to deliver business value
* There are four best practice areas and tools for operational excellence in the cloud:
  * Organization – AWS Cloud Compliance, AWS Trusted Advisor, AWS Organizations
  * Prepare – AWS Config
  * Operate – Amazon CloudWatch
  * Evolve – Amazon Elasticsearch Service
* Key AWS service:
  * AWS CloudFormation for creating templates

#### Security

* The ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.
* ![image](https://hackmd.io/_uploads/HybXOs6rp.png)

#### Reliability

* The ability of a system to recover from infrastructure or service disruptions
* ![image](https://hackmd.io/_uploads/Bytw_sTH6.png)

#### Performance

* The ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve.
* ![image](https://hackmd.io/_uploads/rkFq_oar6.png)

#### Cost Optimization

* The ability to avoid or eliminate unneeded cost
* ![image](https://hackmd.io/_uploads/H1-6uoTHT.png)

#### Sustainability

* The ability to increase efficiency across all components of a workload by maximizing the benefits from the provisioned resources.
* ![image](https://hackmd.io/_uploads/B1IxKoprT.png)

### Advantages of cloud computing

* Trade upfront expense for variable expense.
* Benefit from massive economies of scale.
* Stop guessing capacity.
* Increase speed and agility.
* Stop spending money running and maintaining data centers.
* Go global in minutes.

### Amazon Athena

* interactive **query service** that makes it **easy to analyze data directly in Amazon S3 and other data sources** using **SQL**.
* serverless
* Uses Presto, an open source, distributed SQL query engine
* data formats such as CSV, JSON, ORC, Avro, or Parquet.
* Athena integrates with **Amazon QuickSight** for easy data visualization.
* Athena integrates out-of-the-box with **AWS Glue**.
* You pay only for the queries that you run. You are charged based on the amount of data scanned by each query.
* not charged for failed queries.
* simply point to your data in Amazon Simple Storage Service (Amazon S3), define the schema, and start querying using standard SQL.
* there's no need for complex ETL jobs.
* Used for occasional data queries

### Amazon Redshift

* petabyte-scale data warehouse
* Redshift only supports Single-AZ deployments.
* Fully managed data warehouse service for running complex queries on large datasets. Not used for data discovery, transformation, or visualization.
* Use for frequent data queries

### Amazon Rekognition

* two services under Amazon Rekognition
  * Rekognition Image
    * detects objects, scenes, and faces; extracts text, and many more.
    * search and compare faces.
    * uses deep neural network models to detect and label thousands of objects and scenes in your images.
    * supports the JPEG and PNG image formats. You can submit images either as an S3 object (up to 15MB) or as a byte array (up to 5MB).
  * Rekognition Video
    * detects activities; understands the movement of people in frame; and recognizes objects, celebrities, text, scenes, and many more in a video.

### Amazon Lightsail

* cloud-based virtual private server (VPS) solution.
* includes everything you need for your websites and web applications – a virtual machine (choose either Linux or Windows OS), SSD-based storage, data transfer, DNS management, and a static IP address.
* monthly payment plans and does not support per second billing

### Amazon EMR

* A managed cluster platform that simplifies running big data frameworks, such as Apache Hadoop and Apache Spark, on AWS to process and analyze vast amounts of data.
* EMR enables you to quickly and easily provision as much capacity as you need

### AWS Step Functions

* provides serverless orchestration
* Step Functions are based on the concepts of tasks and state machines.
* ![image](https://hackmd.io/_uploads/BkjszLx86.png)

### AWS Batch

* Enables you to run batch computing workloads on the AWS Cloud.
* It is a regional service that simplifies running batch jobs across multiple AZs within a region.
* Batch manages compute environments and job queues, allowing you to easily run thousands of jobs of any scale using EC2 and EC2 Spot.
* A job is a unit of work (such as a shell script, a Linux executable, or a Docker container image) that you submit to Batch.
* AWS Step Functions and AWS Batch:
  * AWS Batch runs batch computing workloads by provisioning the compute resources.
  * AWS Step Functions does not provision any resources.
  * AWS Step Functions only orchestrates the AWS services required for a given workflow.
  * You cannot use AWS Step Functions to plan, schedule and execute your batch computing workloads by provisioning underlying resources.

### AWS Organizations

* A free service
* offers policy-based management for multiple AWS accounts.
* With Organizations, you can create groups of accounts and then apply policies to those groups.
* set up a single payment method for all the AWS accounts in your organization through consolidated billing
* Create an AWS account and add it to your organization, or add an existing AWS account to your organization.
* Organize your AWS accounts into groups called organizational units (OUs).

![image](https://hackmd.io/_uploads/B1TdmUnra.png)

### AWS WAF

* A web application firewall that helps protect web applications from attacks by allowing you to configure rules that **allow, block, or monitor (count) web requests** based on conditions that you define.
* Conditions:
  * IP addresses
  * HTTP headers
  * HTTP body
  * URI strings
  * SQL injection
  * cross-site scripting.
* WAF charges based on the number of web access control lists (web ACLs) that you create
* **AWS WAF Security Automations**: automatically deploys a single web access control list (web ACL) with a set of AWS WAF rules designed to filter common web-based attacks.

### AWS Global Accelerator

* A service that uses the AWS Global Network to improve the availability and performance of your applications for your local and global users.
* provides static IP addresses that act as a fixed entry point to your application endpoints in a single or multiple AWS Regions, such as your Application Load Balancers, Network Load Balancers or Amazon EC2 instances.
* monitors the health of your application endpoints and will detect an unhealthy endpoint and redirect traffic to healthy endpoints in less than 1 minute.
* ![image](https://hackmd.io/_uploads/r1xy38nS6.png)

### AWS EFS vs FSx

* ![image](https://hackmd.io/_uploads/ryfEyv2Bp.png)

### AWS CloudHSM

* A computing device that enables you to provision and manage your own single-tenant HSMs for the generation and use of encryption keys.
* A hardware security module (HSM) performs cryptographic operations and provides secure storage for cryptographic keys.

### AWS Storage Gateway

* AWS Storage Gateway: Connect [on premises] with [AWS S3]
* file gateway: one of the AWS Storage Gateway's interfaces
* AWS Storage Gateway is a hybrid storage service
* The service enables hybrid storage between on-premises environments and the AWS Cloud.
* The service stores files as native S3 objects, archives virtual tapes in Amazon Glacier, and stores EBS Snapshots generated by the Volume Gateway with Amazon EBS.
* ![image](https://hackmd.io/_uploads/rJOBMDnra.png)

### Amazon Neptune

* Amazon Neptune is a fully managed graph database service used for building applications that work with highly connected datasets.
* Provides millisecond latency when querying the graph.
* Common Use Cases:
  * Social Networking
  * Recommendation Engines
  * Knowledge Graphs
  * Identity Graphs

### AWS Compute Optimizer

* AWS Compute Optimizer is a service that recommends optimal AWS resources for your workloads. It analyzes the historical utilization of your Amazon EC2 instances and provides recommendations for rightsizing, which involves changing the instance type to a better fit based on the workload's requirements.
* Generates recommendations for the following resources:
  * Amazon EC2 instances
  * Amazon EC2 Auto Scaling groups
  * Amazon EBS volumes
  * AWS Lambda functions
* Uses machine learning to analyze historical utilization metrics.
* You can view findings and recommendations across AWS Regions and accounts.

### Amazon MQ

* AWS offering for a managed message broker service for Apache ActiveMQ
* Amazon MQ also supports RabbitMQ, a popular open-source message broker.
* Migrate your existing RabbitMQ message brokers to AWS without having to rewrite code.

### AWS Health

* Provides ongoing visibility into the state of your AWS resources, services, and accounts.
* delivers alerts and notifications triggered by changes in the health of AWS resources.

### AWS Kinesis

* collect, process, and analyze real-time, streaming data.
* can ingest real-time data **such as video, audio, application logs, website clickstreams, and IoT telemetry data** for machine learning, analytics, and other applications.

#### Kinesis Video Streams

* ![image](https://hackmd.io/_uploads/HkCFhi6S6.png)
* You pay only for the volume of data you ingest, store, and consume through the service.

#### Kinesis Data Stream

* highly durable data ingestion and processing service optimized for streaming data.
* can configure hundreds of thousands of data producers to continuously put data into a Kinesis data stream.
* ![image](https://hackmd.io/_uploads/SJN7Ti6BT.png)

#### Kinesis Data Firehose

* The easiest way to load streaming data into data stores and analytics tools.
* ![image](https://hackmd.io/_uploads/r14upspST.png)

#### Kinesis Data Analytics

* Analyze streaming data, gain actionable insights, and respond to your business and customer needs in real time.
* You can quickly build SQL queries and Java applications using built-in templates
* ![image](https://hackmd.io/_uploads/HJUopiTST.png)

### Fundamentals of pricing

* ![image](https://hackmd.io/_uploads/Sk4E92THT.png)

### AWS OpsWorks

* A configuration management service that helps you configure and operate applications in a cloud enterprise by using **Puppet or Chef**.
* Chef and Puppet are automation platforms that allow you to use code to automate the configurations of your servers.
* automate how servers are configured, deployed and managed across your Amazon EC2 instances or on-premises compute environments.

### AWS DynamoDB

* DynamoDB: fully managed data service, encrypts data by default
* Amazon RDS: encrypts data only when the user selects it
* This means that the customer is responsible for managing and controlling access to their DynamoDB tables, including setting up appropriate IAM (Identity and Access Management) permissions and policies.
* AWS is responsible for:
  * A. Physical security of DynamoDB
  * B. Patching of DynamoDB
  * D. Encryption of data at rest in DynamoDB
* key-value and document database
* delivers single-digit millisecond performance
* fully managed, multi-Region, multi-master, durable database with built-in security, backup and restore, and in-memory caching for internet-scale applications.
* can restore that table to any point in time during the **last 35 days.**
* DynamoDB Auto Scaling

### AWS Wavelength

* create applications with ultra-low latencies for mobile devices and end users.
* Wavelength Zones provide a high-bandwidth, secure connection to the parent AWS Region, allowing developers to seamlessly connect to the full range of services in the AWS Region through the same APIs and toolsets.
* can be used to extend an Amazon VPC in order to run ultra-low latency applications that use the same AWS services, APIs, tools, and functionalities.
* support a wide range of compute instances for general purpose, gaming, and machine learning inference.
* Connectivity to 5G networks using VPC and Carrier Gateway.
* Use cases:
  * Create and distribute augmented/virtual reality (AR/VR) apps, as well as HD live video streaming.
  * Use AI and ML-powered video and image analytics at the edge to accelerate 5G applications in medical diagnostics, retail, and smart manufacturing settings.
  * With near-real-time communication between automobiles and the cloud, you'll be able to create advanced driver assistance, autonomous driving, and in-vehicle entertainment experiences.

### AWS Migration Evaluator

* ![image](https://hackmd.io/_uploads/BkXity-Op.png)

### AWS ElastiCache

### Amazon Kendra

* search service powered by machine learning.
* your employees and customers can easily find the content they are looking for, even when it's scattered across multiple locations and content repositories within your organization.
* Amazon Kendra supports unstructured and semi-structured data in .html, MS Office (.doc, .ppt), PDF, and text formats.

### Amazon Personalize

* Amazon Personalize enables developers to build applications with the same machine learning (ML) technology used by Amazon.com for real-time personalized recommendations.

### AWS Device Farm

* service that allows you to test and interact with your Android, iOS, and web apps on real, physical devices hosted by Amazon Web Services (AWS).
* Device Farm is only available in us-west-2

### AWS Artifact

* self-service central repository of AWS' security and compliance reports and select online agreements.
* All AWS Accounts with AWS Artifact IAM permissions have access to AWS Artifact.
* AWS Artifact Reports:
  * ISO,
  * Service Organization Control (SOC) reports,
  * Payment Card Industry (PCI) reports,
  * certifications that validate the implementation and operating effectiveness of AWS security controls.

### AWS CodeDeploy

* service that **automates application deployments** to a variety of compute services including Amazon EC2, AWS Fargate, AWS Lambda, and on-premises instances.
* CodeDeploy **protects your application from downtime** during deployments through rolling updates and deployment health tracking.

### AWS CodeBuild

* AWS CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy.

### AWS GuardDuty

* Amazon GuardDuty is a powerful security tool that helps to detect suspicious activities and threats in your AWS environment.
* This allows you to identify security vulnerabilities and take necessary actions to secure your environment.
* One of the key features of Amazon GuardDuty is its ability to send notifications about potential security threats.
* These notifications can be sent to various destinations such as Amazon SNS, Amazon CloudWatch, or AWS Lambda.
* ![image](https://hackmd.io/_uploads/HJvIrqe9T.png)

### Amazon Inspector

* ![image](https://hackmd.io/_uploads/rkxpgWlY9a.png)
* Amazon Inspector is a service that automatically assesses the security of applications, helping improve the security and operation of apps deployed on AWS.
* It analyzes the behaviour and state of the app to detect potential security issues.
* You need to declare all the AWS resources the app uses. Then you choose the rule packages to assess against, such as Application Security, Network Security..., and the assessment duration, e.g. 1 hour or 2 hours.
* An Inspector Agent running on each EC2 instance collects the information.
* ![image](https://hackmd.io/_uploads/Sy_85cgqa.png)

### AWS DataSync

* An online data transfer service that simplifies, automates, and accelerates copying large amounts of data to and from AWS storage services over the internet or AWS Direct Connect.
* DataSync can copy data between:
  * Network File System (NFS) or Server Message Block (SMB) file servers,
  * Amazon Simple Storage Service (Amazon S3) buckets,
  * Amazon Elastic File System (Amazon EFS) file systems,
  * Amazon FSx for Windows File Server file systems

### Amazon CodeGuru

* developer tool that provides intelligent recommendations to improve code quality and identify an application's most expensive lines of code.
* Integrate CodeGuru into your existing software development workflow to automate code reviews during application development

### AWS X-Ray

* AWS X-Ray analyzes and debugs production, distributed applications, such as those built using a microservices architecture.
* AWS X-Ray can be used with applications running on Amazon EC2, Amazon ECS, AWS Lambda, AWS Elastic Beanstalk
* You pay based on the number of traces recorded, retrieved, and scanned. A trace represents a request to your application and may include multiple data points, such as for calls to other services and database access.
* ![image](https://hackmd.io/_uploads/rk7ZYVMca.png)

### Amazon Macie

* A **security service** that uses machine learning to automatically discover, classify, and **protect sensitive data** in AWS.
* Macie recognizes **sensitive data such as personally identifiable information (PII) or intellectual property.**
* You are charged based on the amount of content classified, and the amount of AWS CloudTrail events assessed by Amazon Macie for anomalies

### AWS Secrets Manager

* A secret management service that enables you to easily **rotate, manage, and retrieve database credentials, API keys, and other secrets** throughout their lifecycle.
* AWS Secrets Manager **encrypts secrets** at rest using encryption keys that you own and **store in AWS Key Management Service**
* You can rotate secrets on a schedule or on demand by using the Secrets Manager console, AWS SDK, or AWS CLI.
* Secrets Manager natively supports rotating credentials for databases hosted on Amazon RDS and Amazon DocumentDB and clusters hosted on Amazon Redshift.

### Amazon ElastiCache

* ElastiCache is a distributed **in-memory cache environment** in the AWS Cloud.
* ElastiCache works with both the Redis and Memcached engines.
* ![image](https://hackmd.io/_uploads/r13D3sEqT.png)
* ![image](https://hackmd.io/_uploads/rJxh3iE56.png)

### AWS KMS

* A managed service that enables you to easily **encrypt your data.**
* KMS provides a highly available key storage, management, and auditing solution for you to encrypt data within your own applications and control the encryption of stored data across AWS services.
* KMS is integrated with CloudTrail, which provides you the ability to audit who used which keys, on which resources, and when.
* Customer master keys (CMKs) are used to control access to data encryption keys that encrypt and decrypt your data.
* To help ensure that your keys and your data are highly available, KMS stores multiple copies of encrypted versions of your keys in systems that are designed for 99.999999999% durability.
* ![image](https://hackmd.io/_uploads/SJJ1RsN9T.png)
* Each customer master key that you create in KMS, regardless of whether you use it with KMS-generated key material or key material imported by you, costs you until you delete it.

### AWS Partner Solutions (formerly Quick Starts)

* Partner Solutions help you deploy popular technologies to AWS according to AWS best practices.
* Each Partner Solution launches, configures, and runs the AWS compute, network, storage, and other services required to deploy a specific workload on AWS, using AWS best practices for security and availability.

### Amazon Connect

* Amazon Connect is an omnichannel cloud contact center.
* You can set up a contact center in a few steps, add agents who are located anywhere, and start engaging with your customers.

### AWS IAM Identity Center

### AWS service catalog

* ![image](https://hackmd.io/_uploads/rkaamXYqp.png)

### AWS Glue

* AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy to discover, prepare, and load data for analysis. It automates the time-consuming tasks of data discovery, transformation, and job scheduling, allowing users to focus on analyzing the data.

### Amazon QuickSight

* Amazon QuickSight is a fully managed business intelligence (BI) service that enables users to create and visualize interactive dashboards and reports. It connects to various data sources, making it suitable for visualizing data prepared by services like AWS Glue.

### Amazon Quantum Ledger Database (Amazon QLDB)

* Fully managed ledger database service for ensuring data integrity. Not designed for data discovery, transformation, or visualization.

### AWS Professional Services

* Global team of experts for hands-on assistance with planning, executing, and optimizing AWS migrations.
* The AWS Professional Services organization is a global team of experts that can help you realize your desired business outcomes when using the AWS Cloud. We work together with your team and your chosen member of the AWS Partner Network (APN) to execute your enterprise cloud computing initiatives.

### AWS Principles

1. Customer Obsession (put the customer first)
2. Ownership (quality over quantity)
3. ...
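The AWS WAF section earlier in these notes lists the conditions a rule can match (IP addresses, headers, body, URI strings, SQL injection, cross-site scripting) and the three actions (allow, block, count). As an added example that is not part of the original note, the CloudFormation template below (AWS WAFv2 syntax) builds one regional web ACL that uses all three actions: it blocks a constructed IP set, counts SQL injection matches in the body so the rule's false-positive rate can be checked before it is switched to block, and blocks XSS patterns in the query string. The IP range, resource names and the load balancer ARN parameter are placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the original note): one regional AWS WAF web ACL
  that allows by default, blocks a constructed IP set, counts SQLi matches in
  the body (monitor mode) and blocks XSS patterns in the query string.

Parameters:
  LoadBalancerArn:
    Type: String
    Description: Placeholder - ARN of the Application Load Balancer to protect.

Resources:
  # Constructed IP set: the documentation range 198.51.100.0/24 stands in for
  # whatever sources you have decided to deny.
  DeniedSources:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: denied-sources
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 198.51.100.0/24

  WebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: example-web-acl
      Scope: REGIONAL              # use CLOUDFRONT for a CloudFront distribution
      DefaultAction:
        Allow: {}                  # requests that match no rule are allowed
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: example-web-acl
      Rules:
        # Condition: IP address -> action: block
        - Name: block-denied-sources
          Priority: 0
          Action:
            Block: {}
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt DeniedSources.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: block-denied-sources

        # Condition: SQL injection in the HTTP body -> action: count.
        # Count only records matches in metrics and sampled requests, so the
        # false-positive rate can be reviewed before changing the action to Block.
        - Name: count-sqli-body
          Priority: 1
          Action:
            Count: {}
          Statement:
            SqliMatchStatement:
              FieldToMatch:
                Body: {}
              TextTransformations:
                - Priority: 0
                  Type: URL_DECODE
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: count-sqli-body

        # Condition: cross-site scripting in the URI query string -> action: block
        - Name: block-xss-query
          Priority: 2
          Action:
            Block: {}
          Statement:
            XssMatchStatement:
              FieldToMatch:
                QueryString: {}
              TextTransformations:
                - Priority: 0
                  Type: URL_DECODE
                - Priority: 1
                  Type: HTML_ENTITY_DECODE
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: block-xss-query

  # A web ACL protects nothing until it is associated with a resource.
  WebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref LoadBalancerArn
      WebACLArn: !GetAtt WebAcl.Arn
```

Pricing follows the note above: the web ACL itself is billed, plus its rules and the requests it inspects.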
