# SAA-C02
## ACloudGuru
### Designing resilient architectures
- this domain is around 30% of SAA-C02
- Cloud Computing Criteria
- on-demand self-service: provision and terminate services through the console or CLI with no human interaction
- broad network access: reach services over any network from any device using standard methods and protocols
- resource pooling: the provider pools resources across many customers; AWS economies of scale mean cheaper services
- elasticity: scale up and down automatically in response to demand or system load
- measured service: usage is metered and you pay for what you use
- one Region consists of 2 or more AZs [Availability Zones]
- Edge locations: used for caching content close to users
#### AWS Shared Responsibility Model & AWS Well-Architected Framework

- AWS Well-Architected Framework
- Operational Excellence
- Security
- Reliability
- high availability: minimize outages
- fault tolerance: operate through failures
- disaster recovery: recover when high availability and fault tolerance do not work
- Performance Efficiency
- Elasticity + Scaling [Auto Scaling]
- Cost Optimization [AWS Budgets, AWS Cost & Usage Report, AWS Cost Explorer, Reserved Instance Reporting, Spot Instance, S3, S3 Glacier, AWS Lambda, Auto Scaling, AWS Trusted Advisor]
- **right-sizing**: correct instance types and sizes for our current resource needs
- **increase elasticity**: pay-for-what-we-use model [Auto Scaling]
- **choose the right pricing model** [Reserved, On-Demand, Spot]
- **match storage to usage**: multiple storage classes and services [S3, EBS, EFS, AWS Storage Gateway]
- **Measure, Monitor and Improve** [CloudWatch, AWS Trusted Advisor, AWS Cost Explorer, Tagging]

#### Public and Private AWS Services defined by network
- VPC [Virtual Private Cloud]
- NACLs: add rules for inbound and outbound traffic separately
- NACLs can deny a specific IP address or CIDR [AWS WAF can block IPs too]
- Security Groups cannot block a specific IP: they contain allow rules only, and anything not allowed is implicitly dropped
- internet gateway: attached to the VPC; a route table entry pointing at it allows traffic in and out of the VPC to the open internet
- VPC peering: private connectivity between two VPCs, which can be in different Regions and different accounts
- transit gateway: central hub for communication between many VPCs (and on-premises networks)
- 1 subnet = 1 AZ
- SG = stateful (return traffic is allowed automatically)
- NACLs = stateless (return traffic must be allowed explicitly)
#### AWS Organization
- MFA [Multi-Factor Authentication] recommended
---
### Default VPC Structure
- VPC
- only one default VPC per Region
- CIDRs of VPCs that will be peered cannot overlap
- can add an IPv6 CIDR, but the VPC must be enabled for IPv6
- IPv6 VPC CIDR size: /56
- IPv6 subnet CIDR size: /64
- the local route present in every route table handles communication between subnets inside the VPC
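The CIDR rules above (no overlap between peered VPCs, a /56 IPv6 block carved into /64 subnets) are easy to check before you create anything. The block below is an added example written for these notes, not code from the course; the VPC address values are constructed, and the "five reserved addresses per subnet" figure is AWS's documented reservation (network, VPC router, DNS, future use, broadcast), which the notes do not mention.

```python
import ipaddress

# Constructed example address plan (assumed values, not from the notes)
VPC_A = "10.0.0.0/16"
VPC_B = "10.0.128.0/17"   # overlaps VPC_A: a peering request between them would be rejected
VPC_C = "10.1.0.0/16"     # disjoint from both
VPC_IPV6 = "2600:1f18:abcd:aa00::/56"  # Amazon-assigned /56 (constructed value)


def cidrs_overlap(a: str, b: str) -> bool:
    """True if two CIDR blocks share at least one address."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def peering_conflicts(cidrs: list) -> list:
    """Return every pair of VPC CIDRs that overlap; an empty list means all can peer."""
    conflicts = []
    for i, a in enumerate(cidrs):
        for b in cidrs[i + 1:]:
            if cidrs_overlap(a, b):
                conflicts.append((a, b))
    return conflicts


def ipv6_subnets(vpc_cidr: str, count: int) -> list:
    """Carve `count` /64 subnets out of the VPC's /56 IPv6 block (256 are available)."""
    net = ipaddress.ip_network(vpc_cidr)
    if net.version != 6 or net.prefixlen != 56:
        raise ValueError("an IPv6 VPC CIDR is a /56")
    out = []
    for sub in net.subnets(new_prefix=64):
        if len(out) == count:
            break
        out.append(str(sub))
    if len(out) < count:
        raise ValueError("a /56 only holds 256 /64 subnets")
    return out


def usable_ipv4_addresses(subnet_cidr: str) -> int:
    """AWS reserves the first four and the last address of every IPv4 subnet
    (network, VPC router, DNS, future use, broadcast), so usable = total - 5."""
    net = ipaddress.ip_network(subnet_cidr)
    if net.version != 4:
        raise ValueError("IPv4 subnet expected")
    return net.num_addresses - 5


if __name__ == "__main__":
    print("overlaps:", peering_conflicts([VPC_A, VPC_B, VPC_C]))
    print("first /64s:", ipv6_subnets(VPC_IPV6, 3))
    print("usable in 10.0.1.0/24:", usable_ipv4_addresses("10.0.1.0/24"))
```

`peering_conflicts` is the check to run over every VPC in every account you intend to connect through peering or a transit gateway; overlapping ranges are the one thing you cannot fix after the fact without re-addressing a VPC.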
---
### Exam Guide
**Design Resilient Architectures** - 30%
- Design a multi-tier architecture solution
- Design highly available and/or fault-tolerant architectures
- Design decoupling mechanisms using AWS services
- Choose appropriate resilient storage
**Design High-Performing Architectures** - 28%
- Identify elastic and scalable compute solutions for a workload
- Select high-performing and scalable storage
- Select high-performing networking
- Choose high-performing database
**Design Secure Applications and Architectures** - 24%
- Design secure access to AWS resources
- Design secure application tiers
- Select appropriate data security options
**Design Cost-Optimized Architectures** - 18%
- Identify cost-effective storage solutions
- Identify cost-effective compute and database services
- Design cost-optimized network architectures
---
### Key Services to Know for the Exam
- Compute: EC2, Lambda, Elastic Beanstalk
- Storage: S3, EBS, EFS, FSx, Storage Gateway
- Databases: RDS, DynamoDB, Redshift
- Networking: VPCs, Direct Connect, Route53, API Gateway, AWS Global Accelerator
---
### IAM
- manage users and their level of access to AWS resources
- the **root account** is the identity created with the email address you used to sign up for AWS
- the root account has full administrative access to AWS and cannot be restricted by IAM policies
- 4 steps to secure your AWS root account
- enable MFA for the root account
- create an admin group for administrators and assign appropriate permissions to the group
- create user accounts for administrators
- add your user to the admin group
- users: typically a physical person (or an application) with long-term credentials
- groups: collections of users by function, such as administrator, developer etc.
- roles: identities assumed by AWS services, users or applications; they issue temporary credentials instead of long-term keys
- the principle of least privilege: assign a user only the minimum privileges they need to do their job
- a newly created user has no permissions at all until a policy is attached
- IAM federation: you can use your existing corporate identities with AWS, e.g. the credentials you use to log on to your PC (usually Microsoft Active Directory) can log you in to AWS if you set up federation
- identity federation uses the SAML 2.0 standard, which Active Directory supports through AD FS
- always set up password rotation (and access key rotation)
- inline policy: a policy embedded in a single user, group or role, typically used to apply permissions in one-off situations
- policy evaluation: if any applicable policy contains a Deny, that Deny always overrides any Allow the user might be granted in any other policy
---
### S3
- stores static files (objects)
- unlimited storage
- objects up to 5 TB in size
- S3 buckets act like top-level folders
- universal namespace: all AWS accounts share the S3 namespace, so each bucket name is globally unique
- example S3 URL: https://BUCKET-NAME.s3.REGION.amazonaws.com/KEY-NAME
- S3 is highly available and highly durable!
- Tiered Storage
- S3 Standard-Infrequent Access [S3 Standard-IA]
- rapid access when needed
- you pay a per-GB retrieval fee to access the data
- great for long-term storage, backups and as a data store for disaster recovery files
- S3 One Zone-Infrequent Access
- costs 20% less than S3 Standard-IA because data is stored in a single AZ
- great for long-lived, infrequently accessed, non-critical data
- Glacier
- long-term data archiving with retrieval times from 1 minute to 12 hours
- historical data accessed only a few times per year
- Glacier Deep Archive
- rarely accessed data with a default retrieval time of 12 hours
- records that may be accessed once or twice per year
- S3 Intelligent-Tiering
- automatically moves your data to the most cost-effective tier based on how frequently you access each object
- Lifecycle Management
- can use lifecycle rules to move objects (and, with versioning, older versions) to different storage tiers or expire them
- Versioning: all versions of an object are stored and can be retrieved, including **deleted objects** (a delete only adds a delete marker)
- cannot be disabled: once enabled, versioning can only be suspended
- Server-side encryption: can set default encryption on a bucket so every new object is encrypted when stored
- can enforce encryption with a bucket policy or set the default in the console
- the `x-amz-server-side-encryption` request header on a PUT selects `AES256` (SSE-S3, S3-managed keys) or `aws:kms` (SSE-KMS, KMS-managed keys)
- can write a bucket policy that denies PutObject requests whose header does not request encryption
- Access Control Lists (ACLs): define which AWS accounts or groups are granted access and the type of access; **object ACLs work on an individual object level**
- Bucket Policies: specify what actions are allowed or denied; **bucket policies work on the entire bucket level**
- Strong read-after-write consistency
- after a successful write of a new object or an overwrite of an existing object, any subsequent read request immediately receives the latest version of the object
- strong consistency for list operations, so after a write you can immediately list the objects in a bucket with all changes reflected
- S3 can be used to host static websites; S3 scales automatically to meet demand
- S3 Object Lock: store objects using a write once, read many (WORM) model to prevent objects from being deleted or modified
- Governance mode: users can't overwrite or delete an object version or alter its lock settings unless they have the special permission to bypass governance retention
- Compliance mode: a protected object version can't be overwritten or deleted by any user, including the root user; its retention mode can't be changed and its retention period can't be shortened
- **retention periods** protect an object version for a fixed amount of time
- **legal holds** also prevent an object version from being overwritten or deleted, but have no expiry date and stay in place until explicitly removed
- Glacier Vault Lock: easily deploy and enforce compliance controls for individual S3 Glacier vaults with a vault lock policy; once locked, the policy can't be changed
- S3 prefixes: bucket/**folder1/sub_folder1**/file.jpg, the part of the key between the bucket name and the file name
- the more prefixes you spread objects across, the better the performance you can get from S3, because request rate limits apply per prefix
- KMS request rates
- with SSE-KMS, every upload and download counts toward the KMS requests-per-second quota
- the quota is region-specific; an increase has to be requested through Service Quotas
- so a high-throughput bucket can be throttled by KMS before S3 itself limits it
- multipart uploads
- recommended for files over 100MB
- required for files over 5GB
- parallelize uploads (increase efficiency)
- S3 Byte-Range Fetches
- parallelize downloads
- S3 Replication
- replicate objects from one bucket to another
- objects in an existing bucket are not replicated automatically
- delete markers are not replicated by default
- **tips**
- buckets are private by default
- HTTP status code: a successful upload to S3 returns HTTP 200
- encryption: if a question hints at KMS throttling, consider native SSE-S3 encryption rather than SSE-KMS
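Two rules in these notes decide most access questions: a new IAM user has no permissions (implicit deny), and an explicit Deny in any policy overrides every Allow. The S3 section then applies exactly that mechanism with a bucket policy that denies PUTs lacking the `x-amz-server-side-encryption` header. The following added example (written for these notes, not the course's code) is a small policy evaluator that models both, with constructed identity policies for a "developer" user and a constructed `prod-logs` bucket policy. It is a simplified model: it ignores `Principal`, supports only the `StringEquals`, `StringNotEquals` and `Null` condition operators, and treats a condition key missing from the request context as failing `StringNotEquals`, which is why the separate `Null` statement is what catches a missing header.

```python
import fnmatch
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(value: str, pattern: str) -> bool:
    """IAM wildcard matching: '*' any run of characters, '?' a single character."""
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """Simplified condition evaluation. A key missing from the request context
    fails StringEquals/StringNotEquals; Null with "true" matches a missing key."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            allowed = [str(v) for v in _as_list(expected)]
            if operator == "StringEquals":
                if actual is None or actual not in allowed:
                    return False
            elif operator == "StringNotEquals":
                if actual is None or actual in allowed:
                    return False
            elif operator == "Null":
                want_missing = allowed[0].lower() == "true"
                if (actual is None) != want_missing:
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def evaluate(policies, action: str, resource: str, ctx=None) -> str:
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request.
    Principal is ignored (single-principal model); every policy is assumed to apply."""
    ctx = ctx or {}
    decision = "ImplicitDeny"          # a user with no policies gets nothing
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
            if not any(_glob(action.lower(), a) for a in actions):
                continue
            if not any(_glob(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
                continue
            if not _condition_holds(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # deny always wins, no matter what else allows
            decision = "Allow"
    return decision


# Constructed identity policies for a developer user (assumed, not from the notes)
DEVELOPER_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "s3:DeleteBucket",
         "Resource": "arn:aws:s3:::prod-logs"}]},
]

# Constructed bucket policy enforcing server-side encryption on every PUT to prod-logs
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyWrongEncryptionHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::prod-logs/*",
     "Condition": {"StringNotEquals": {
         "s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]}}},
    {"Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::prod-logs/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
]}


def put_object_decision(key: str, headers: dict) -> str:
    """Decide a developer PUT to prod-logs/<key>. The x-amz-server-side-encryption
    request header becomes the s3:x-amz-server-side-encryption condition key."""
    ctx = {}
    if "x-amz-server-side-encryption" in headers:
        ctx["s3:x-amz-server-side-encryption"] = headers["x-amz-server-side-encryption"]
    return evaluate(DEVELOPER_POLICIES + [BUCKET_POLICY], "s3:PutObject",
                    f"arn:aws:s3:::prod-logs/{key}", ctx)


if __name__ == "__main__":
    print(json.dumps(BUCKET_POLICY, indent=2))
    print(put_object_decision("app.log", {"x-amz-server-side-encryption": "AES256"}))
    print(put_object_decision("app.log", {}))
```

The two Deny statements are deliberately separate: one rejects a header with the wrong value, the other rejects a request with no header at all, and together they leave the developer's broad `s3:*` Allow intact for every other operation.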
---
### EC2
- on-demand: pay by the hour or the second, depending on the instance type you run
- flexible: low cost and flexibility of EC2 without any upfront payment or long-term commitment
- short-term: spiky or unpredictable workloads that cannot be interrupted
- applications being developed or tested for the first time [POC phase]
- reserved: reserved capacity for 1 or 3 years, up to 72% discount on the hourly charge
- predictable usage: applications with steady-state or predictable usage
- specific capacity requirements
- pay up front
- standard RIs: up to 72% off the on-demand price
- convertible RIs: up to 54% off the on-demand price, with the option to change to a different RI type of equal or greater value
- scheduled RIs: launch within the time window you define; match your capacity reservation to a predictable recurring schedule that only requires a fraction of a day, week or month
- RIs operate at the Region level
- spot: purchase unused capacity at a discount of up to 90%; prices fluctuate with supply and demand
- applications that have flexible start and end times
- applications that are only feasible at very low compute prices
- users with an urgent need for large amounts of additional computing capacity
- to use spot instances you first decide on your maximum spot price; the instance is provisioned as long as the spot price is below your maximum; if the spot price rises above your maximum you get a 2-minute interruption notice in which to choose whether to stop or terminate the instance
- spot block: stops your spot instances from being terminated; can be set from 1 to 6 hours
- not good for persistent workloads, critical jobs or databases
- spot fleet: a collection of spot instances and, optionally, on-demand instances; the fleet attempts to launch the number of spot and on-demand instances needed to meet the target capacity you specified in the spot fleet request
- spot fleet will try to match the target capacity within your price constraints
- dedicated hosts: a physical EC2 server dedicated for your use, the most expensive option
- compliance: regulatory requirements that may not support multi-tenant virtualization
- on-demand: can be purchased on-demand
- licensing: great for licenses that do not support multi-tenancy or cloud deployments
- reserved: can be purchased as a reservation for up to 70% off the on-demand price
- **any question that talks about special licensing requirements** points to dedicated hosts
- AWS Calculator: Explore AWS services and pricing using the AWS Pricing Calculator
- the subnet chosen when launching an EC2 instance determines its AZ
- security group: virtual firewall for the instance
- AWS CLI: interact with AWS from the command line
- the secret access key is shown only once; if you lose it, delete the key and generate a new one
- don't share access keys or key pairs
- the CLI supports Linux, Windows and macOS
- IAM Role
- a role does not have standard long-term credentials; when you assume a role you receive temporary security credentials for that role session
- roles can allow cross-account access, letting one AWS account interact with resources in another AWS account
- attach a role to an instance instead of storing access keys on it
- **security groups** are virtual firewalls for your EC2 instance; by default everything inbound is blocked, so to reach the instance via SSH/RDP/HTTP you must open the correct ports
- **bootstrap scripts**: a script that runs when the instance first launches
- **tips**
- changes to security groups take effect immediately
- any number of EC2 instances can use the same security group
- multiple security groups can be attached to an EC2 instance
- all inbound traffic is blocked by default
- all outbound traffic is allowed by default
- **metadata** is simply data about your EC2 instance, served from the link-local address 169.254.169.254; with IMDSv2 enforced the caller must first obtain a session token (a PUT to `/latest/api/token`), which mitigates SSRF-style theft of the role credentials the endpoint exposes
`curl http://169.254.169.254/latest/meta-data/`
- **user data** is where we add bootstrap scripts
- **networking with EC2**
- ENI: Elastic Network Interface, for basic day-to-day networking; an ENI can have:
- a primary private IPv4 address and additional private IPv4 addresses
- a public IPv4 address
- one or more IPv6 addresses
- a MAC address
- one or more security groups
- common use cases
- create a management network
- use network and security appliances in your VPC
- create dual-homed instances with workloads/roles on distinct subnets
- create a low-budget, high-availability solution
- EN: Enhanced Networking uses single root I/O virtualization (SR-IOV) to provide high performance
- for high-performance networking between 10 and 100 Gbps
- SR-IOV gives higher I/O performance and lower CPU utilization
- higher bandwidth, higher packets per second (PPS), consistently lower inter-instance latencies
- ENA: Elastic Network Adapter supports network speeds of up to 100 Gbps for supported instance types
- Intel 82599 VF (virtual function) interface supports network speeds of up to 10 Gbps for supported instance types; typically found on older instance types
- **in any scenario question**: choose **ENA** over the VF interface
- EFA: Elastic Fabric Adapter accelerates high performance computing (HPC) and machine learning applications
- a network device you can attach to your EC2 instance to accelerate HPC and ML applications
- provides lower and more consistent latency and higher throughput than the TCP transport traditionally used in cloud-based HPC systems
- supports OS-bypass on Linux, letting applications talk to the adapter directly for much lower latency
- **tips**
- ENI for basic networking, e.g. when you need a separate management or logging network alongside your production network at low cost
- Enhanced Networking when you need speeds between 10 Gbps and 100 Gbps, anywhere you need reliable, high throughput
- EFA to accelerate HPC and ML when you need OS-bypass
- **Placement Groups**
- cluster placement groups: grouping of instances within a single AZ; recommended for applications that need low network latency and high network throughput
- spread placement groups: each instance is placed on distinct underlying hardware; recommended for applications with a small number of critical instances that should be kept separate from each other (tip: used for individual instances)
- partition placement groups: EC2 divides each group into logical segments called partitions; no two partitions within a placement group share the same racks; suits HDFS, HBase and Cassandra (tip: used for multiple instances per partition)
- **tips**
- a cluster placement group can't span multiple AZs, whereas spread and partition placement groups can
- only certain instance types can be launched in a placement group
- AWS recommends homogeneous instance types within cluster placement groups
- cannot merge placement groups
- can move an existing instance into a placement group, but it must be stopped first
---
### EBS
- Elastic Block Store: storage volumes you can attach to your EC2 instances
- a virtual hard disk in the cloud; some use cases:
- create a file system
- run a database
- run an operating system
- store data
- install applications
- can add storage to an EC2 instance without downtime
- designed for mission-critical, production workloads
- highly available (replicated within its AZ)
- scalable
- General Purpose SSD (**gp2**)
- 3 IOPS per GiB, up to a maximum of 16,000 IOPS per volume
- gp2 volumes smaller than 1 TiB can burst up to 3,000 IOPS
- **good for boot volumes** or development and test applications that are not latency sensitive
- General Purpose SSD (**gp3**)
- 3,000 IOPS baseline performance regardless of volume size
- for workloads that require high performance at a low cost
- can be provisioned up to 16,000 IOPS and 1,000 MiB/s
- gp3 offers 4x the maximum throughput of gp2 (1,000 MiB/s vs 250 MiB/s)
- Provisioned IOPS SSD (**io1**)
- the high-performance option and the most expensive
- up to 64,000 IOPS per volume, 50 IOPS per GiB
- use if you need more than 16,000 IOPS
- designed for I/O-intensive applications, large databases and latency-sensitive workloads
- Provisioned IOPS SSD (**io2**)
- latest generation
- higher durability (99.999%) and more IOPS per GiB
- 500 IOPS per GiB
- for applications that need high levels of durability
- Throughput Optimized HDD (**st1**)
- low-cost HDD volume
- baseline throughput 40 MB/s per TB
- burst up to 250 MB/s per TB
- frequently accessed, throughput-intensive workloads
- big data, data warehouses, ETL and log processing
- cost-effective way to store mountains of data
- cannot be a boot volume
- Cold HDD (**sc1**)
- lowest-cost option
- baseline throughput of 12 MB/s per TB
- burst up to 80 MB/s per TB
- max 250 MB/s per volume
- a good choice for colder data requiring fewer scans per day
- good for applications that need the lowest cost where performance is not a factor
- cannot be a boot volume
- IOPS vs Throughput
- IOPS
- measures the number of read and write operations per second
- important metric for quick transactions, low-latency apps, transactional workloads
- the ability to action reads and writes very quickly
- choose Provisioned IOPS SSD (io1 or io2)
- Throughput
- measures the number of bytes read or written per second (MB/s)
- important metric for large datasets, large I/O sizes, complex queries
- the ability to deal with large datasets
- choose Throughput Optimized HDD (st1)
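Because several of the volume types scale performance with size, the exam-style question "which type and how big?" is really arithmetic over the figures above. This added example (written for these notes, not from the course) turns those figures into sizing functions. Values the notes do not give are labelled as assumptions in the comments: the 100 IOPS gp2 floor, the 500 IOPS-per-GiB ratio that also applies to gp3, a 64,000 IOPS ceiling for io2, and a 500 MB/s per-volume cap for st1.

```python
import math

# IOPS per GiB and per-volume ceiling for the SSD types (notes' figures unless marked)
SSD_IOPS = {
    "gp3": (500, 16000),   # 500 IOPS/GiB ratio cap is an assumption; 16,000 ceiling is from the notes
    "gp2": (3, 16000),
    "io1": (50, 64000),
    "io2": (500, 64000),   # 64,000 ceiling assumed (notes only say "more IOPS" than io1)
}


def max_iops(vtype: str, size_gib: int) -> int:
    """Sustained IOPS from a volume of this type and size."""
    if vtype == "gp3":
        return 3000                      # baseline; more must be provisioned explicitly
    if vtype == "gp2":
        return min(max(3 * size_gib, 100), 16000)   # 100 IOPS floor is an assumption
    if vtype in ("io1", "io2"):
        per_gib, cap = SSD_IOPS[vtype]
        return min(per_gib * size_gib, cap)
    raise ValueError(f"{vtype} is an HDD type; size it by throughput, not IOPS")


def gp2_burst_iops(size_gib: int) -> int:
    """gp2 volumes under 1 TiB can burst to 3,000 IOPS; above that the baseline exceeds it."""
    return 3000 if size_gib < 1024 else max_iops("gp2", size_gib)


def hdd_throughput_mbps(vtype: str, size_gib: int) -> tuple:
    """(baseline, burst) MB/s for st1/sc1: both scale per TB, capped per volume."""
    tb = size_gib / 1024
    if vtype == "st1":
        base, burst, cap = 40, 250, 500  # 500 MB/s per-volume cap is an assumption
    elif vtype == "sc1":
        base, burst, cap = 12, 80, 250   # 250 MB/s cap is from the notes
    else:
        raise ValueError("st1 or sc1 expected")
    return min(base * tb, cap), min(burst * tb, cap)


def smallest_volume_gib(vtype: str, required_iops: int):
    """Smallest SSD volume (GiB) whose provisionable IOPS meet the requirement, or None."""
    per_gib, cap = SSD_IOPS[vtype]
    if required_iops > cap:
        return None
    return max(1, math.ceil(required_iops / per_gib))


def choose_ssd(required_iops: int):
    """Cheapest-first order from the notes: gp3, gp2, then provisioned IOPS io1/io2."""
    for vtype in ("gp3", "gp2", "io1", "io2"):
        size = smallest_volume_gib(vtype, required_iops)
        if size is not None:
            return vtype, size
    return None


if __name__ == "__main__":
    print("gp2 500 GiB sustained/burst:", max_iops("gp2", 500), gp2_burst_iops(500))
    print("st1 2 TiB base/burst MB/s:", hdd_throughput_mbps("st1", 2048))
    for need in (10000, 20000, 70000):
        print(f"{need} IOPS ->", choose_ssd(need))
```

The interesting outputs are the boundaries: a 500 GiB gp2 volume sustains only 1,500 IOPS and relies on burst credits for the rest, anything above 16,000 IOPS forces a provisioned-IOPS volume, and above 64,000 IOPS nothing in this list fits.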


- Snapshots are point-in-time copies of a volume, stored in S3
- consistent snapshots: recommended to stop the instance (or quiesce writes) before taking a snapshot
- encrypted volumes: snapshots of encrypted volumes are automatically encrypted
- sharing snapshots: can share only within the same Region; to share to other Regions, copy the snapshot to the destination Region first
- location: an EBS volume is always in the same AZ as the EC2 instance it is attached to
- resizing: can resize on the fly
- volume type: can switch volume types on the fly
- EBS Encryption
- encrypts your volume with a data key using AES-256, managed through AWS KMS customer master keys (CMKs)
- data at rest is encrypted inside the volume
- all data in flight moving between the instance and the volume is encrypted
- all snapshots are encrypted
- all volumes created from the snapshot are encrypted
- 4 steps to encrypt an unencrypted volume
- create a snapshot of the unencrypted root device volume
- create a copy of the snapshot and select the encrypt option
- create an AMI from the encrypted snapshot
- use the AMI to launch new encrypted instances
- if we stop an instance, the data on its EBS volumes remains on disk until the instance is started again
- if the instance is terminated, by default the root device volume is also deleted
- EC2 hibernation saves the contents of RAM to the EBS root volume, which must be encrypted
- the instance boots much faster because it does not need to reload the OS or re-initialize applications
- useful for long-running processes
- and for services that take time to initialize
- RAM must be less than 150 GB
- supported instance families: C, M, R
- instances can't be hibernated for more than 60 days
- EFS: Amazon Elastic File System
- managed NFS (network file system) that **can be mounted on many EC2 instances** at once
- EFS works with EC2 instances in multiple AZs
- highly available and scalable, however it is expensive per GB compared with EBS
- use cases
- content management
- web servers
- uses the NFSv4 protocol
- compatible with Linux-based AMIs (Windows not supported)
- encryption at rest using KMS (and in transit using TLS)
- file system scales automatically, no capacity planning required
- pay per use
- read-after-write consistency
- performance
- 1000s of concurrent connections
- 10+ Gbps throughput
- petabyte scale
- performance modes
- general purpose: used for things like web servers, CMS
- max I/O: used for big data, media processing
- storage tiers
- standard
- infrequent access (EFS IA)
- can have lifecycle management like S3
- expect scenario questions around highly scalable shared storage using NFS
- FSx for Windows
- fully managed native Microsoft Windows file system; easily move your Windows-based applications that require file storage to AWS
- runs the Windows Server Message Block (SMB) protocol
- designed for Windows
- FSx for Lustre
- fully managed file system optimized for compute-intensive workloads
- high performance computing
- machine learning
- media data processing workflows
- electronic design automation
- launch and run a Lustre file system that can process massive datasets at up to hundreds of gigabytes per second of throughput, millions of IOPS and sub-millisecond latencies
- AMI: Amazon Machine Image provides the information required to launch an instance
- 5 things you can base your AMI on
- Region
- OS
- architecture (32-bit or 64-bit)
- launch permissions
- storage for the root device (root device volume): EBS-backed or instance store-backed
- instance store volumes are sometimes called ephemeral storage
- an instance store-backed instance cannot be stopped, only rebooted or terminated
- if the underlying host fails you lose the data on the instance store
- you can reboot the instance without losing instance store data
- if you terminate the instance you lose the instance store volume
- AWS Backup
- centralized backups that can include other services such as databases alongside EBS and EFS
- benefits
- central management
- automation
- improved compliance
- **tips**
- gp2 or gp3 are usually used for boot volumes (installing an operating system)
- EFS when you need distributed, highly resilient storage for Linux instances and Linux-based applications
- Amazon FSx for Windows when you need centralized storage for Windows-based applications
- Amazon FSx for Lustre when you need high-speed, high-performance computing

---
### Databases
- relational databases
- RDS advantages
- runs on EC2 instances you cannot access at the OS level; you only get access to the database
- up and running in minutes
- multi-AZ
- failover capability
- automated backups
- RDS is generally used for online transaction processing (OLTP) workloads
- online transaction processing (OLTP) vs online analytical processing (OLAP)
- OLTP
- processes data from transactions in real time
- all about data processing: completing large numbers of small transactions in real time
- OLAP
- processes complex queries to analyze historical data
- all about data analysis using large amounts of data; queries take a long time to complete (Redshift is the AWS service for this)
- multi-AZ creates an exact copy of your production database in another AZ
- RDS engines that can be configured as multi-AZ
- SQL Server
- MySQL
- MariaDB
- Oracle
- PostgreSQL
- RDS will automatically fail over to the standby and resume quickly without administrative intervention
- multi-AZ is for disaster recovery, not for improving performance
- **Read Replica** is a read-only copy of your primary database
- read replicas can be cross-AZ or cross-Region
- used to improve read performance
- each read replica has its own DNS endpoint
- can be promoted to become its own standalone database
- scales read performance
- requires automatic backups to be enabled on the primary
- can have multiple read replicas
- Amazon Aurora
- MySQL- and PostgreSQL-compatible relational database engine
- speed and availability of high-end commercial databases
- up to 5x the performance of MySQL
- storage grows automatically from 10 GB up to 128 TB
- 2 copies of your data in each AZ across a minimum of 3 AZs [6 copies of your data]
- Aurora transparently handles the loss of up to 2 copies of data without affecting write availability, and up to 3 copies without affecting read availability
- storage is also self-healing: data blocks are continuously scanned for errors and repaired automatically
- backups
- automated backups are always enabled
- taking a snapshot does not impact performance
- can share snapshots with other AWS accounts
- Aurora Serverless
- the DB cluster automatically starts up, shuts down and scales capacity up or down based on your application's needs
- for relatively simple, cost-effective, infrequent or unpredictable workloads
- DynamoDB: fast and flexible NoSQL database
- supports document and key-value data models
- fit for mobile, web, gaming, ad-tech, IoT
- stored on SSD storage
- spread across 3 geographically distinct data centers (AZs)
- eventually consistent reads: consistency across all copies is usually reached within a second (the default)
- strongly consistent reads: return a result that reflects all writes that succeeded before the read
- DynamoDB Accelerator (DAX): in-memory cache, up to 10x read performance improvement
- pay-per-request (on-demand) pricing
- security
- encryption at rest using KMS
- private access over VPN, Direct Connect or a VPC gateway endpoint
- IAM users, roles and policies
- fine-grained access control down to the item and attribute level
- monitored with CloudWatch and audited with CloudTrail
- DynamoDB transactions
- ACID with DynamoDB
- give developers ACID guarantees across 1 or more tables within a single AWS account and Region
- all or nothing
- use cases
- financial transactions
- fulfilling and managing orders
- building multiplayer game engines
- coordinating actions across distributed components and services
- on-demand backup and restore
- full backups at any time
- zero impact on performance or availability
- consistent within seconds and retained until deleted
- operates within the same Region as the source table
- Point-in-Time Recovery (PITR)
- protects against accidental writes or deletes
- restore to any point in the last 35 days
- incremental backups
- not enabled by default
- latest restorable point: 5 minutes in the past
- streams: time-ordered sequence of item-level changes in a table
- stored for 24 hours
- global tables: managed multi-master, multi-Region replication
- for globally distributed applications
- based on DynamoDB streams
- multi-Region redundancy for disaster recovery or high availability
---
### VPC
- logically isolated part of the AWS cloud where you define your own network
- complete control of the virtual network: IP range, subnets, route tables, network gateways
- fully customizable network
- can terminate Virtual Private Network (VPN) connections
- what can we do with a VPC
- launch instances
- custom IP addresses
- route tables
- internet gateway
- more control
- access control lists
- can use network access control lists (NACLs) to block specific IP addresses
- NAT Gateway (Network Address Translation)
- enables instances in a private subnet to connect to the internet or other AWS services without accepting inbound connections from the internet
- redundant inside its AZ (deploy one per AZ for zone-independent resilience)
- 5 Gbps, scaling up to 45 Gbps
- no need to patch
- not associated with a security group
- assigned a public IP address (an Elastic IP) when it is created
- NACLs
- the default NACL allows all inbound and outbound traffic
- custom NACLs deny all inbound and outbound traffic until you add rules
- subnet associations: every subnet in a VPC must be associated with a NACL; if you don't explicitly associate one, the default NACL is used
- **block IP addresses using NACLs, not security groups**
- a NACL can be associated with multiple subnets, but a subnet can be associated with only 1 NACL at a time
- NACL rules are evaluated in order starting with the lowest rule number, and the first matching rule is applied
- separate inbound and outbound rules; each rule can either allow or deny traffic
- stateless: return traffic (e.g. replies to clients on ephemeral ports 1024-65535) must be explicitly allowed
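The NACL bullets here and the earlier "SG = stateful, NACLs = stateless, block IPs with NACLs not security groups" notes describe behaviour that is easiest to understand by tracing a packet. The added example below (written for these notes, not the course's code) models both filters over a constructed public web subnet: an ordered, stateless NACL with an implicit deny, and a security group that has allow rules only plus a connection table. It shows the two mistakes practitioners actually make: numbering a specific deny *above* a broad allow (so it never fires), and forgetting the outbound ephemeral-port rule that a stateless NACL needs for replies. The IPs, rule numbers and port values are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

EPHEMERAL = (1024, 65535)   # ports clients use for the return half of a connection


@dataclass(frozen=True)
class NaclRule:
    number: int        # evaluated lowest first; the catch-all '*' rule is an implicit deny
    protocol: str      # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str        # "allow" or "deny"


def evaluate_nacl(rules, protocol: str, port: int, remote_ip: str) -> str:
    """Stateless NACL evaluation: the first matching rule by number decides; no match = deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if not rule.port_from <= port <= rule.port_to:
            continue
        if ip_address(remote_ip) not in ip_network(rule.cidr):
            continue
        return rule.action
    return "deny"


@dataclass(frozen=True)
class SgRule:
    protocol: str
    port_from: int
    port_to: int
    cidr: str          # security groups only have allow rules: there is no action field


@dataclass
class SecurityGroup:
    inbound: list
    outbound: list
    tracked: set = field(default_factory=set)   # connection table = "stateful"

    @staticmethod
    def _match(rules, protocol, port, addr):
        return any(r.protocol in ("all", protocol) and r.port_from <= port <= r.port_to
                   and ip_address(addr) in ip_network(r.cidr) for r in rules)

    def accept_inbound(self, protocol, dst_port, src_ip, src_port) -> bool:
        if self._match(self.inbound, protocol, dst_port, src_ip):
            self.tracked.add((protocol, src_ip, src_port, dst_port))
            return True
        return False

    def accept_outbound(self, protocol, dst_ip, dst_port, src_port) -> bool:
        # A reply on a tracked connection passes regardless of the outbound rules
        if (protocol, dst_ip, dst_port, src_port) in self.tracked:
            return True
        return self._match(self.outbound, protocol, dst_port, dst_ip)


ATTACKER = "203.0.113.7"      # constructed source we want to block
CLIENT = "198.51.100.20"      # constructed legitimate client

# Wrong: the deny is numbered higher than the broad allow, so it is never reached
WEB_NACL_IN_WRONG = [
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    NaclRule(110, "tcp", 443, 443, "203.0.113.0/24", "deny"),
]
# Correct: the specific deny gets a lower number than the general allow
WEB_NACL_IN = [
    NaclRule(90, "tcp", 443, 443, "203.0.113.0/24", "deny"),
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
]
# Outbound must allow replies on ephemeral ports because NACLs are stateless
WEB_NACL_OUT = [NaclRule(100, "tcp", *EPHEMERAL, "0.0.0.0/0", "allow")]


def web_sg() -> SecurityGroup:
    """Fresh web security group: HTTPS in from anywhere, deliberately no outbound rules."""
    return SecurityGroup(inbound=[SgRule("tcp", 443, 443, "0.0.0.0/0")], outbound=[])


def https_request_allowed(nacl_in, nacl_out, sg, client_ip, client_port=51000) -> tuple:
    """Trace one HTTPS request and its reply through NACL then security group.
    Returns (request_reaches_instance, reply_reaches_client)."""
    if evaluate_nacl(nacl_in, "tcp", 443, client_ip) != "allow":
        return False, False
    if not sg.accept_inbound("tcp", 443, client_ip, client_port):
        return False, False
    reply_sg = sg.accept_outbound("tcp", client_ip, client_port, 443)
    reply_nacl = evaluate_nacl(nacl_out, "tcp", client_port, client_ip) == "allow"
    return True, reply_sg and reply_nacl


if __name__ == "__main__":
    print("misordered deny :", https_request_allowed(WEB_NACL_IN_WRONG, WEB_NACL_OUT, web_sg(), ATTACKER))
    print("ordered deny    :", https_request_allowed(WEB_NACL_IN, WEB_NACL_OUT, web_sg(), ATTACKER))
    print("client, no ephemeral rule:", https_request_allowed(WEB_NACL_IN, [], web_sg(), CLIENT))
```

Note that the security group passes the reply with an empty outbound rule set purely because of its connection table, while the NACL drops the same reply the moment the ephemeral-port rule is missing; that asymmetry is the whole stateful/stateless distinction.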
- VPC Endpoints
- enable you to privately connect your VPC to supported AWS services and VPC endpoint services (PrivateLink) without requiring an internet gateway, NAT, VPN or AWS Direct Connect
- instances in the VPC do not need public IPs to communicate with resources in the service
- endpoints are virtual devices that allow communication between instances in your VPC and services without imposing availability risks or bandwidth constraints on your network traffic
- use case: when you want to reach AWS services without leaving the Amazon network
- 2 types of VPC endpoint: interface and gateway
- gateway endpoints support S3 and DynamoDB; interface endpoints cover most other services
- multiple VPCs for different environments
- VPC Peering
- allows you to connect 1 VPC with another via a direct network route using private IP addresses
- instances behave as if they were on the same private network
- can peer VPCs with other AWS accounts
- peering is in a star configuration: no transitive peering
- can peer between Regions
- AWS PrivateLink
- like VPC peering but scales: open your VPC service to many customer VPCs
- doesn't require VPC peering, route tables, NAT gateways or internet gateways
- requires an NLB in the service VPC and an ENI (interface endpoint) in the customer VPC
- AWS VPN CloudHub
- for multiple sites, each with its own VPN connection
- hub-and-spoke model
- low cost and easy to manage
- it operates over the public internet, but all traffic between the customer gateway and AWS VPN CloudHub is encrypted (IPsec)
- AWS Direct Connect
- makes it easy to establish a dedicated network connection from your on-premises network to AWS
- can provide private connectivity to reduce network costs, increase bandwidth throughput and give a more consistent network experience
- 2 types of Direct Connect connection
- dedicated connection: a physical ethernet connection associated with a single customer
- hosted connection: a physical ethernet connection that an AWS Direct Connect Partner provisions on behalf of a customer
- VPNs vs Direct Connect
- VPNs allow private communication but still traverse the public internet
- Direct Connect is fast, reliable and able to take massive throughput; it is a private circuit but not encrypted by default, so run a VPN over it where encryption is required
- **tips**
- Direct Connect directly connects your data center to AWS
- useful for high-throughput workloads
- stable and reliable connection
- Transit Gateway
- connects VPCs and on-premises networks through a central hub, acting as a cloud router
- can use route tables to limit how VPCs talk to one another
- works with Direct Connect as well as VPN connections
- supports IP multicast
---
### Route53
- DNS is used to convert human-friendly domain names into IP addresses
- IPv4: 32-bit addresses
- IPv6: 128-bit addresses
- top-level domain (TLD): the last label in the domain name
- top-level domains are controlled by IANA (Internet Assigned Numbers Authority)
- each registered domain name is recorded in a central database known as the WHOIS database
- a domain registrar is an authority that can assign domain names directly under one or more top-level domains
- popular domain registrars: domain.com, GoDaddy, Hover, AWS, Namecheap
- an A (address) record is the fundamental DNS record type, used to translate a domain name to an IPv4 address
- TTL (time to live): how long a DNS record is cached by resolvers; lower TTLs make changes propagate faster
- CNAME (canonical name) resolves one domain name to another domain name
- Alias records map resource record sets in your hosted zone to AWS resources
- a CNAME cannot be used for a naked (apex) domain; an A record or an Alias record can
- 7 routing policies
- simple routing
- weighted routing
- latency-based routing
- failover routing
- geolocation routing
- geoproximity routing (traffic flow only)
- multivalue answer routing
- can buy domain names directly through AWS
- it can take up to 3 days to register, depending on the circumstances
- simple routing policy: one record with multiple IP addresses; Route 53 returns all values in **random order**
- weighted routing policy: send a specified share of traffic to a specific Region or resource
- failover routing policy: used when you want an active/passive setup; health checks decide when to fail over
- geolocation routing policy: choose where traffic is sent based on the geographic location of your users
- Route 53 Traffic Flow: build a routing system that uses a combination of geographic location, latency and availability to route traffic
-  geoproximity routing (traffic flow only): route traffic based on the geographic location of your users and your resources; a bias routes more or less traffic to a resource
- latency routing policy: route traffic to the Region with the lowest network latency for the end user
- multivalue answer routing: return multiple values (up to 8 healthy records) in response to a DNS query
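The routing policies above are easiest to compare as the answer a resolver would get for a given set of records and health-check results. The block below is an added example for these notes (not Route 53 code and not from the course) that simulates simple, weighted, failover and multivalue answers over constructed records; the `Record` shape and the seed-based randomness are my own devices for making the behaviour reproducible.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    value: str            # the IP or alias target (constructed values below)
    weight: int = 0       # weighted routing only
    healthy: bool = True  # result of the associated health check
    role: str = ""        # "PRIMARY" or "SECONDARY" for failover routing


def simple(records, seed=None) -> list:
    """Simple routing: one record set, every value returned in random order."""
    values = [r.value for r in records]
    random.Random(seed).shuffle(values)
    return values


def weighted(records, rng) -> str:
    """Weighted routing: one healthy record chosen with probability weight / total.
    Weight-0 records are never returned unless every healthy record is weight 0."""
    candidates = [r for r in records if r.healthy]
    if not candidates:
        return None
    if all(r.weight == 0 for r in candidates):
        return rng.choice(candidates).value
    return rng.choices(candidates, weights=[r.weight for r in candidates], k=1)[0].value


def simulate_weighted(records, draws: int, seed: int) -> dict:
    """Count how often each value is answered over `draws` queries (deterministic seed)."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(draws):
        value = weighted(records, rng)
        counts[value] = counts.get(value, 0) + 1
    return counts


def failover(records) -> str:
    """Active/passive: the primary while its health check passes, otherwise the secondary."""
    primary = [r for r in records if r.role == "PRIMARY"]
    secondary = [r for r in records if r.role == "SECONDARY"]
    if primary and primary[0].healthy:
        return primary[0].value
    return secondary[0].value if secondary else None


def multivalue(records, seed=None, limit=8) -> list:
    """Multivalue answer: up to 8 healthy values per query, in random order."""
    healthy = [r.value for r in records if r.healthy]
    random.Random(seed).shuffle(healthy)
    return healthy[:limit]


if __name__ == "__main__":
    weighted_set = [Record("10.0.1.10", weight=3), Record("10.0.2.10", weight=1),
                    Record("10.0.3.10", weight=0)]
    print("weighted split:", simulate_weighted(weighted_set, 4000, seed=7))
    pair = [Record("eu-west-1-lb", role="PRIMARY", healthy=False),
            Record("us-east-1-lb", role="SECONDARY")]
    print("failover answer:", failover(pair))
    pool = [Record(f"10.0.0.{i}", healthy=i not in (3, 7)) for i in range(1, 11)]
    print("multivalue answer:", multivalue(pool, seed=1))
```

Weighted routing with a weight of 0 is the standard way to drain a Region before maintenance; the simulation shows that record is never answered while the others keep their 3:1 ratio.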
---
### ELB
- automatically distributes incoming application traffic across multiple targets
- application load balancer: best suited for load balancing of HTTP/HTTPS; operates at layer 7
- network load balancer: operates at the connection level (layer 4); handles millions of requests per second while maintaining ultra-low latencies
- classic load balancer: legacy load balancer; balances HTTP/HTTPS at layer 7
- health checks: the load balancer routes requests only to the healthy instances
- listeners: check for connection requests from clients using the configured protocol and port
- rules: when the conditions for a rule are met, its actions are performed
- https load balancing: to use an HTTPS listener you must deploy at least one SSL/TLS server certificate on your load balancer; the load balancer uses the server certificate to terminate the frontend connection and then decrypts requests from clients before sending them to the targets
- target groups: each target group routes requests to one or more registered targets

- path-based routing
- NLB supports protocols TCP, TLS, UDP, TCP_UDP and ports 1 - 65535
- NLB maintains ultra-low latencies; use it for extreme performance
- classic load balancer: X-Forwarded-For header
- if your application stops responding, the classic load balancer responds with 504 [gateway timeout]
- sticky sessions: allow you to bind a user's session to a specific EC2 instance
- deregistration delay: allows load balancers to keep existing connections open if the EC2 instances are de-registered or become unhealthy
---
### CloudWatch
- monitoring and observability service designed to give insight into our AWS resources to identify potential issues
- features
- system metrics: metrics that you get out of the box
- application metrics: install CloudWatch agent to get information from inside EC2
- alarms: alert when something goes wrong
- metrics
- default: provided by AWS do not require any additional work to configure
- custom: need to install CloudWatch agent on the host

- **tips**
- any monitoring = CloudWatch
- no default alarms
- default vs custom [AWS can't see past the hypervisor level for EC2]
- managed services
- standard vs detailed [standard = 5 mins intervals, detailed = 1 min]
- CloudWatch Logs is a tool that allows you to monitor, store and access log files to look for potential issues
- log event: record of what happened contains timestamp and data
- log stream: collection of log events from same source
- log group: collection of log streams
- features
- filter patterns: look for specific terms in logs
- cloudwatch logs insights: query your logs using an SQL-like language
- alarms
---
### High Availability and Scaling
- vertical scaling: resize
- horizontal scaling: add more instance
- 3 W's of scaling
- what do we scale?
- where do we scale?
- when do we scale?
- launch template: specifies all the needed settings that go into building out an EC2
- launch templates vs launch configurations
- templates
- more than just autoscaling
- supports versioning
- more granularity
- AWS recommended
- not include networking
- configurations
- only for autoscaling
- immutable
- limited configuration options
- don't use them
- include networking
- auto scaling groups: scaling and management collection of EC2 instances
- creating a highly available application = spread resources over multiple AZs
- auto scaling steps
- define your templates
- networking and purchasing
- elb configuration
- set scaling policies
- notifications
- scaling types
- reactive scaling: measure and determine if you need to create more resources
- scheduled scaling: for a predictable workload, create a scaling event to get your resources ready
- predictive scaling: AWS uses machine learning algorithm to determine when you'll need to scale
- scaling relational databases
- types of scaling
- vertical scaling: resizing database
- scaling storage: resizing storage (only able to go up not down)
- read replicas: read-only copies of data
- aurora serverless: offload scaling to AWS with unpredictable workloads
- scaling non-relational databases
- scaling is simplified when using DynamoDB
- provisioned
- generally predictable workload
- need to review past usage to set upper and lower scaling bounds
- most cost-effective model
- on-demand
- sporadic workload
- simply select on-demand
- pay a small amount of money per read and write; less cost effective
- **tips**
- auto scaling groups are only for EC2; other services have built-in scaling options but are not included in auto scaling groups
---
### Decoupling Workflows
- tight coupling
- loose coupling
- SQS is a messaging queue that allows asynchronous processing
- poll-based messaging [like a postman]
- sqs settings
- delivery delay: default 0, can be set up to 15 mins
- message size: up to 256KB
- encryption: encrypted in transit by default, can add at-rest
- message retention: default 4 days
- short vs long polling [default short]
- queue depth: trigger for autoscaling
- visibility timeout: time a message stays locked after someone polls it; the message comes back if processing does not complete
- dead-letter queues
- sqs fifo vs standard
- fifo
- guaranteed ordering
- no message duplication
- 300 messages per second
- standard
- best-effort ordering
- duplicate messages
- nearly unlimited transactions per seconds
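To make the visibility timeout, delivery delay and dead-letter redrive behaviour above concrete, here is an added in-memory model of a queue (example code written for these notes, not part of the course or of SQS itself). The clock is passed in explicitly so the timing can be stepped through offline; `max_receive_count` mirrors the redrive policy's maxReceiveCount, and the sample messages are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(eq=False)
class Message:
    body: str
    visible_at: float                 # earliest time a poll may return this message
    receive_count: int = 0            # how many times it has been handed out
    receipt_handle: Optional[str] = None


class ToyQueue:
    """Toy stand-in for an SQS queue; `now` is supplied by the caller on every call."""

    def __init__(self, visibility_timeout: float = 30.0, delivery_delay: float = 0.0,
                 dead_letter: Optional["ToyQueue"] = None, max_receive_count: int = 3):
        self.visibility_timeout = visibility_timeout   # how long a polled message stays locked
        self.delivery_delay = delivery_delay           # default 0, up to 15 min on SQS
        self.dead_letter = dead_letter                 # redrive target, if configured
        self.max_receive_count = max_receive_count     # redrive threshold (constructed default)
        self.messages: List[Message] = []
        self._in_flight: Dict[str, Message] = {}
        self._handles = 0

    def send(self, body: str, now: float) -> None:
        self.messages.append(Message(body, visible_at=now + self.delivery_delay))

    def receive(self, now: float) -> Optional[Message]:
        """Poll: return the first visible message and hide it for visibility_timeout.
        A message received more than max_receive_count times is moved to the DLQ."""
        for msg in self.messages:
            if msg.visible_at > now:      # still delayed, or locked by another consumer
                continue
            msg.receive_count += 1
            if self.dead_letter is not None and msg.receive_count > self.max_receive_count:
                self.messages.remove(msg)
                self.dead_letter.send(msg.body, now)
                return self.receive(now)  # poisoned message set aside; try the next one
            msg.visible_at = now + self.visibility_timeout
            self._handles += 1
            msg.receipt_handle = f"rh-{self._handles}"
            self._in_flight[msg.receipt_handle] = msg
            return msg
        return None

    def delete(self, receipt_handle: str) -> bool:
        """Consumer finished processing: remove the message so it is never redelivered.
        Fails for an unknown handle, a superseded handle, or a message already redriven."""
        msg = self._in_flight.pop(receipt_handle, None)
        if msg is None or msg.receipt_handle != receipt_handle or msg not in self.messages:
            return False
        self.messages.remove(msg)
        return True

    def depth(self) -> int:
        """Number of messages still in the queue; the metric used as an autoscaling trigger."""
        return len(self.messages)


if __name__ == "__main__":
    dlq = ToyQueue()
    q = ToyQueue(visibility_timeout=30, dead_letter=dlq, max_receive_count=2)
    q.send("order-42", now=0)
    first = q.receive(now=1)            # delivered and locked until t=31
    print(q.receive(now=10))            # None: invisible while locked
    again = q.receive(now=31)           # never deleted, so it is redelivered
    print(first is again, again.receive_count)   # True 2
    q.receive(now=70)                   # third receive exceeds max_receive_count=2
    print(q.depth(), dlq.depth())       # 0 1
```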
- SNS is push-based messaging: it proactively delivers messages to the endpoints subscribed to it; can be used to alert systems
- push-based messaging
- sns settings
- subscribers: kinesis data firehose, sqs, lambda, email, https, sms
- message size: max 256KB
- dlq support
- fifo or standard; mostly use standard
- encryption: encrypted in transit by default, can add at-rest
- access policy
- alerts = sns
- API Gateway: fully managed service that allows you to easily publish, create, maintain, monitor and secure your API; the "front door" of your application
- API gateway features
- security
- limiting
- ease of use
- **tips**
- never tightly couple
---
### Big Data
- 3 V's of big data
- volume: ranges from terabytes to petabytes
- variety: includes data from a wide range of sources and formats
- velocity: data needs to be collected, stored, processed and analyzed in a short period of time
- **redshift** is a fully managed petabyte-scale data warehouse service; it's a very large relational database
- size up to 16PB
- relational: use standard SQL and BI tools to interact
- usage: not a replacement for standard RDS databases
- **EMR**: AWS's ETL tool
- EMR is a managed fleet of EC2 instances running open-source tools
- **kinesis** allow you to ingest, process and analyze real-time streaming data
- kinesis data streams: real-time streaming for ingesting data
- you're responsible for creating the consumer and scaling the stream [real time]
- kinesis data firehose: data transfer tool to get information to S3, redshift, elasticsearch or splunk
- plug and play with AWS architecture [speed near real time within 60 sec]


- kinesis data analytics: uses standard SQL; real-time, serverless, and you pay for the amount of resources you consume as your data passes through
- SQS vs Kinesis
- SQS is easier, but Kinesis = real-time
- transforming data -> kinesis data analytics
- kinesis data streams does not auto scale but data firehose does
- **athena**: interactive query service that makes it easy to analyze data in S3 using SQL
- serverless SQL can use to query logs stored in S3
- **glue** serverless data integration service perform ETL
- **QuickSight** BI data visualization services easily create dashboards
- **amazon elasticsearch**: managed version of Elasticsearch; allows you to quickly search over stored data and analyze it
---
### Serverless
- benefits
- ease of use
- event based
- pay as you go
- **lambda** is a serverless compute service
- runtime
- permissions
- networking
- resources: limitation 10GB RAM and 15 mins
- trigger
- container: a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another
- Dockerfile: text document that contains all the commands used to build an image
- Image: immutable file that contains the code, libs, files needed to run an application
- Registry: stores Docker images for distribution
- Container: running copy of the image that has been created
- **ECS**
- management of containers at scale
- ELB integration
- role integration
- easy to use
- kubernetes is an open-source container management and orchestration platform
- ECS vs EKS
- ECS: proprietary AWS container management, simple to use
- EKS: AWS-managed version of K8s, best used when you're not all in on AWS
- **Fargate** is a serverless compute engine for containers; works with ECS and EKS
- EC2 vs fargate
- EC2
- you are responsible for operating system
- EC2 pricing model
- long-running containers
- multiple containers share same host
- fargate
- no operating system access
- pay based on resources allocated and time ran
- short-running tasks
- isolated environments
- lambda vs fargate
- lambda
- unpredictable or inconsistent workloads
- single function
- fargate
- more consistent workloads
- greater level of control by developers
- **EventBridge** is a serverless event bus; it allows you to pass events from a source to an endpoint, and you can create rules for events
- **tips**
- any AWS API call can be the trigger that kicks off an EventBridge rule; this is faster than trying to scrape through CloudTrail
---
### Security
- DDoS: Distributed Denial of Service, an attack that attempts to make an application unavailable to end users
- layer 4 attacks: SYN flood, NTP amplification attack
- layer 7 attacks: floods of GET/POST requests
- **CloudTrail**: records AWS Management Console actions and logs API calls; can identify which users and accounts made the calls [includes source IP]
- logged
- metadata
- identity of API caller
- time
- source IP
- request param
- response elements returned
- CloudTrail use cases
- after-the-fact incident investigation
- near real-time intrusion detection
- industry and regulatory compliance
- **AWS Shield**: free DDoS protection
- protect all AWS customers on ELB, CloudFront and Route 53
- protect against SYN/UDP floods, reflection attacks and other **layer 3 and 4 attacks**
- **AWS Shield Advanced** ($3000/month)
- enhanced protections
- always-on, flow-based monitoring
- DDoS response team
- protects your AWS bill
- **AWS WAF** (filtering): configure conditions such as which IPs are allowed to make a request or which query string parameters need to be passed for the request to be allowed; **operates at layer 7**
- allow all requests except the ones you specify
- block all requests except the ones you specify
- count the requests that match the properties you specify
- define conditions
- IP
- country
- values
- presence of SQL code
- presence of a script
- strings that appear in requests
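The three WAF behaviours (allow all except, block all except, count) and the IP, country and string conditions above, as an added toy rule evaluator written for these notes (not AWS WAF's own code or its real rule syntax). The sample ACLs and requests are constructed; the IP ranges are RFC 5737 documentation ranges.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Request:
    source_ip: str
    country: str          # two-letter code, as a geo-match condition would see it
    path: str
    query: str = ""


@dataclass
class Condition:
    kind: str             # "ip" | "country" | "string"
    values: List[str]

    def matches(self, req: Request) -> bool:
        if self.kind == "ip":
            addr = ipaddress.ip_address(req.source_ip)
            return any(addr in ipaddress.ip_network(cidr) for cidr in self.values)
        if self.kind == "country":
            return req.country in self.values
        if self.kind == "string":   # case-insensitive substring over path + query string
            haystack = f"{req.path}?{req.query}".lower()
            return any(s.lower() in haystack for s in self.values)
        raise ValueError(f"unknown condition kind {self.kind!r}")


Rule = Tuple[str, str, List[Condition]]   # (name, ALLOW | BLOCK | COUNT, conditions)


@dataclass
class WebAcl:
    default_action: str   # "ALLOW" = allow all except..., "BLOCK" = block all except...
    rules: List[Rule]
    counts: Dict[str, int] = field(default_factory=dict)

    def evaluate(self, req: Request) -> str:
        """Rules are checked in order; a rule fires when all of its conditions match.
        ALLOW/BLOCK terminate evaluation; COUNT only records a hit and keeps going,
        which is how a new rule is trialled against live traffic before it blocks."""
        for name, action, conditions in self.rules:
            if all(c.matches(req) for c in conditions):
                if action == "COUNT":
                    self.counts[name] = self.counts.get(name, 0) + 1
                    continue
                return action
        return self.default_action


# Constructed ACL 1: public site, allow everything except one abusive range; trial a rule.
PUBLIC_SITE = WebAcl("ALLOW", [
    ("block-abusive-range", "BLOCK", [Condition("ip", ["192.0.2.0/24"])]),
    ("count-admin-hits", "COUNT", [Condition("string", ["/admin"])]),
])
# Constructed ACL 2: internal app, block everything except the office range in one country.
INTERNAL_APP = WebAcl("BLOCK", [
    ("allow-office", "ALLOW", [Condition("ip", ["198.51.100.0/24"]), Condition("country", ["DE"])]),
])

if __name__ == "__main__":
    print(PUBLIC_SITE.evaluate(Request("192.0.2.10", "US", "/")))               # BLOCK
    print(PUBLIC_SITE.evaluate(Request("203.0.113.5", "US", "/admin", "p=1")))  # ALLOW
    print(PUBLIC_SITE.counts)                                                   # {'count-admin-hits': 1}
    print(INTERNAL_APP.evaluate(Request("198.51.100.9", "FR", "/")))            # BLOCK
```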
- **GuardDuty** (guarding network): a threat detection service that uses machine learning to continuously monitor for malicious behavior
- unusual API calls
- attempt to disable CloudTrail logging
- unauthorized deployments
- compromised instances
- reconnaissance by would-be attackers
- port scanning, failed logins
- **Macie** monitor S3 bucket: Macie uses machine learning and pattern matching to discover sensitive data stored in S3
- recognize sensitive data
- alerts unencrypted buckets
- alerts public buckets
- alerts on buckets shared with accounts outside the organization
- PII (Personally Identifiable Information)
- Macie can send alerts to Amazon EventBridge
- **Amazon Inspector** (securing OS): automated security assessment service that helps improve the security and compliance of applications deployed on AWS
- 2 types of assessment
- network assessments: network config analysis to check ports reachable from outside the VPC (inspector agent is not required)
- host assessments: vulnerable software, host hardening, security best practices (inspector agent is required)
- **AWS KMS** (Key Management Service): managed service that makes it easy for you to create and control encryption keys
- integration with other AWS services such as EBS, S3 and RDS
- **AWS CloudHSM**: hardware security module is a physical computing device that safeguards and manages digital keys and performs encryption and decryption functions
- 3 ways to generate a CMK
- generated within HSMs
- own key management infrastructure
- AWS CloudHSM cluster
- CloudHSM: easily generate and use your own encryption keys on the AWS Cloud
- KMS vs CloudHSM
- KMS
- shared tenancy of underlying hardware
- automatic key rotation
- automatic key generation
- CloudHSM
- dedicated HSM to you
- full control of underlying hardware
- full control of users, groups, keys
- no automatic key rotation
- **Secrets Manager**: service that securely stores, encrypts and rotates secrets
- encryption in transit
- automatically rotates credentials
- stored as key-value pairs
- **Parameter Store**: capability of AWS Systems Manager that provides secure, hierarchical storage for configuration data management and secrets management, e.g. passwords, AMI IDs
- free
- limit
- can store only 10000 keys
- no key rotation
- **Presigned URL**: all objects in S3 are private by default; the owner can share objects with others by creating a presigned URL that grants time-limited permission to download the object
- **Presigned Cookies**: provide access to multiple restricted files
- **ARNs**: Amazon Resource Name `arn:partition:service:region:account_id:...`, ending with `resource`, `resource_type/resource` or `resource_type/resource/qualifier`
- **IAM Policies**
- JSON that defines permissions
- identity policy
- resource policy
- no effect until attached
- list of statements
- in a statement
- Sid: readable name of this policy
- Effect: Allow or Deny
- Action: list of service:action
- Resource: the resource the Action is against
- **Permission Boundaries**
- used to delegate administration to other users
- prevent privilege escalation or unnecessarily broad permissions
- control maximum permissions an IAM policy can grant
- IAM Policies
- not explicitly allowed == implicitly denied
- explicit deny > everything else
- only attached policies have effect
- AWS joins all applicable policies
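The evaluation rules above (policies are joined, explicit deny beats everything, anything not explicitly allowed is implicitly denied, and a permission boundary caps what a policy can grant) as an added worked example written for these notes, not AWS's own evaluation engine. It assumes plain-dict policies in the JSON shape listed above, treats only `Action`, `Resource` and `Effect` (no `Condition`, `NotAction` or `NotResource`), and uses constructed sample policies and a made-up bucket name.

```python
import fnmatch
from typing import Any, Dict, Iterator, List, Optional

Policy = Dict[str, Any]


def _as_list(value: Any) -> List[Any]:
    """IAM JSON allows a single string or a list for Action, Resource and Statement."""
    return value if isinstance(value, list) else [value]


def _matches(patterns: Any, value: str, fold_case: bool) -> bool:
    """'*' / '?' wildcard match; action names are case-insensitive, ARNs are not."""
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _effects(policies: List[Policy], action: str, resource: str) -> Iterator[str]:
    """Yield the Effect of every statement, in every policy, whose Action and Resource
    cover this call. This is the 'AWS joins all applicable policies' step."""
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if _matches(stmt.get("Action", []), action, fold_case=True) and \
               _matches(stmt.get("Resource", []), resource, fold_case=False):
                yield stmt["Effect"]


def evaluate(policies: List[Policy], action: str, resource: str,
             boundary: Optional[Policy] = None) -> str:
    """Explicit Deny anywhere wins; otherwise an Allow is required, and no matching
    statement at all is an implicit Deny. A permission boundary must independently
    allow the call (its Deny also wins), so it caps the maximum effective permissions."""
    effects = list(_effects(policies, action, resource))
    if "Deny" in effects:
        return "Deny"
    if boundary is not None:
        capped = list(_effects([boundary], action, resource))
        if "Deny" in capped or "Allow" not in capped:
            return "Deny"
    return "Allow" if "Allow" in effects else "Deny"


# Constructed sample policies (bucket name is made up).
READ_REPORTS: Policy = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadReports", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]}]}
NEVER_DELETE: Policy = {"Version": "2012-10-17", "Statement": [
    {"Sid": "NeverDelete", "Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}]}
ADMIN: Policy = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Boundary for a delegated admin: whatever they are granted, at most S3 and CloudWatch Logs.
S3_LOGS_BOUNDARY: Policy = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Cap", "Effect": "Allow", "Action": ["s3:*", "logs:*"], "Resource": "*"}]}

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-reports/q1.csv"
    print(evaluate([READ_REPORTS], "s3:GetObject", obj))                     # Allow
    print(evaluate([READ_REPORTS], "s3:PutObject", obj))                     # Deny (implicit)
    print(evaluate([ADMIN, NEVER_DELETE], "s3:DeleteObject", obj))           # Deny (explicit wins)
    print(evaluate([ADMIN], "iam:CreateUser", "*", boundary=S3_LOGS_BOUNDARY))  # Deny (boundary)
```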
- **AWS Certificate Manager** allows you to create, manage, and deploy public and private SSL certificates for use with other AWS services
---
### Automation
- benefits
- time
- security
- consistency
- **CloudFormation**: allows you to provision resources quickly and consistently, and manage them throughout their lifecycles, by treating infrastructure as code
- step 1: write code [supports either JSON or YAML]
- step 2: deploy your template
- can create one template used in multiple regions
- CloudFormation is perfect for creating immutable architecture
- parameters: input custom values to template
- mappings: values that fill themselves in based on something like VPC or region
- resources
- PaaS: Platform as a Service is a single-stop application deployment model
- **Elastic Beanstalk**: easy-to-use all in one service for deploying and scaling web applications and services developed with a variety of supported languages "bring your code and that's it" simple one-stop solutions
- **Systems Manager**: gives you the ability to easily patch, update, manage and configure your EC2 instances along with on-premises architecture
- automation documents
- run command
- patch manager
- hybrid activations
- session manager
---
### Caching
- **CloudFront**: CDN helps reduce latency and provide higher transfer speeds using AWS edge locations
- important settings
- security HTTPS
- global distribution
- endpoint support
- expiring content TTL
- cloudfront fixes all connection issues
- **cannot pick specific edge locations**
- can block connection from individual countries but WAF is better
- **ElastiCache**: managed version of Memcached and Redis
- memcached
- simple database caching solution
- not a database by itself
- no failover or multi-az support
- no backups
- redis
- supported as a caching solution
- functions as a standalone database
- failover and multi-az support
- supports backups
- **DAX** [DynamoDB Accelerator]
- in-memory cache that reduces DynamoDB response time from milliseconds to microseconds
- location: lives in a specific VPC
- many configs, e.g. node size, TTL
- **GlobalAccelerator**: networking service that sends your users' traffic through AWS's global network infrastructure; it can increase performance and help deal with **IP caching**
- masks complex architecture
- speeds things up
- weighted pools
---
### Governance
- **AWS Organizations**: governance tool allows you to create and manage multiple AWS accounts can control your accounts from a single location
- logging accounts
- programmatic creation
- reserved instances
- consolidated billing
- service control policies
- service control policy (SCP) restrict control
- **AWS RAM** (Resource Access Manager): free service that allows you to share AWS resources with other accounts and within your organization
- can share
- transit gateways
- vpc subnets
- license manager
- route 53
- dedicated hosts
- RAM vs VPC Peering
- if sharing resources within the same region **use RAM**
- if sharing across regions **use vpc peering**
- **Assume role**: cross-account role access
- auditing
- temporary
- **AWS Config**: inventory management and control tool; it allows you to show the history of your infrastructure along with creating rules to make sure it conforms to the best practices you've laid out
- config = standards: standard that needs to be managed across your accounts
- standards
- deleted resources
- enforcement
- **AWS Directory Service**: allows you to offload painful parts of keeping AD online to AWS giving full control and flexibility AD provides
- managed microsoft AD
- AD connector: tunnel between AWS and on-premises AD
- simple AD: standalone directory powered by Linux Samba Active Directory compatible server
- **Cost Explorer**: track costs, generate reports, predict, etc.
- use **tags** to track spending
- budgets
- predictive
- **AWS Budgets**: allows organizations to easily plan and set expectations around cloud costs, track ongoing spend and create alerts when close to exceeding their allotted spend
- 4 types
- cost: how much spending
- usage: how much using
- reservation budget: are we being efficient with RIs
- savings plan budgets: how much of what we're doing is covered by our savings plan
- **Trusted Advisor**: auditing tool recommended best practices
- cost optimization
- performance
- security
- fault tolerance
- service limits
- **tips**
- service control policies are the only way to restrict the root account
- centralized logs: CloudTrail
---
### Migration
- snow family: services that provide petabyte-scale movement of data into and out of AWS
- **snowcone** 8TB of storage, 4GB of memory and 2vCPUs
- easily migrate data to AWS after you've processed it
- IoT sensor integration
- perfect for edge computing where space and power are constrained
- **snowball edge**: 48 - 81TB in storage
- storage, compute, and GPU flavors
- perfect for off-the-grid computing or a migration to AWS
- **snowmobile**: 100PB of storage
- **Storage Gateway**: hybrid cloud storage service that helps with migration or long-term pairing of your architecture with AWS
- **File Gateway**: NFS or SMB mount
- network file share
- keep local copy of recently used file
- extend on-premises storage
- help migrations to AWS
- **Volume Gateway**: backup drives
- iSCSI mount
- cached or stored mode
- create EBS snapshots
- perfect for backup or migration
- **Tape Gateway**: ditch the tapes
- replace physical tapes
- doesn't change current workflow
- encrypted communication
- **AWS DataSync**: agent-based service for migrating on-premises storage to AWS; allows you to easily move data between NFS and SMB
- provides secure data transmission

- DataSync = one time migration
- Storage Gateway = continuous sync, hybrid architecture
- **AWS Transfer family**: move files in and out of S3 or EFS using SFTP, FTPS, FTP
- **AWS Migration Hub**: track the progress of application migrations to AWS; integrates with Server Migration Service (SMS) and Database Migration Service (DMS)
- schema conversion [migrate to Aurora or RDS]
---
- AWS Architecture Center: https://aws.amazon.com/architecture/
---
### something from test
- ENI attach
- warm: attach when stopped
- cold: attach when being launched
- hot: attach when running
- CloudFormation: IaC [provided version control, template]
- NFS: EFS