Dinesh Hemnani
# AWS Cloud Solutions Architect PRO Exam

**Exam blueprint:**

- 170 Questions, ~74 questions -> 2 mins per question
- Multiple-choice and multiple-answer
- No partial credit for multiple-choice, multiple-answer questions
- Can mark questions for review later
- Score between 100 and 1000 with a minimum passing score of 750

**Breakdown:**

- Design for Organizational Complexity - 12.5%
- Design for New Solutions - 31%
- Migration Planning - 15%
- Cost Control - 12.5%
- Continuous Improvement for Existing Solutions - 29%

**NOTE:** A service has to be generally available for 6 months before it can be asked about in the exam.

#### PRO Exam:

- Justify a stand or decision
- Draw connections among ideas
- Use information in new solutions

#### Associate Exam:

- Understand ideas
- Analyze the ideas

**Hang in There:**

![](https://i.imgur.com/0AYPPVV.png)

The depth of knowledge needed for AWS is deeper than you think.

- If you cannot do the labs on your own or with some hints, revise the previous notes.

## Module 1: Data Stores

##### Concepts

- Store data
- Three types
  - Persistent data store: persistent, stays until deleted
    - Examples: S3, RDS, Glacier
  - Transient data store: temporary store
    - Examples: SQS, SNS
  - Ephemeral data store: data lost after stopping
    - Examples: EC2 instance store, Memcached
- *IOPS:* speed of reads and writes
- *Throughput:* volume of data moved in a fixed time
- *Consistency:* rules of behavior of the DB
  - Two types: ACID & BASE
  - ACID:
    - Atomic: all or nothing
    - Consistent: transactions must be valid
    - Isolated: transactions cannot mess with one another
    - Durable: completed transactions must stick around
  - BASE:
    - Basic Availability: values availability even if the data is stale
    - Soft State: might not be instantly consistent across all stores
    - Eventual Consistency: will achieve consistency at some point
    - BASE is not inconsistent; it has the property of eventual consistency

### S3

- Object store
- Used in many other services
- Max object size is 5TB, max PUT Object is 5GB
  - Use multipart upload if the object is more than 100MB
- Consistency
  - Provides read-after-write consistency for PUTs of new objects
  - HEAD or GET requests of the key before an object exists will result in eventual consistency: *Caveat in AWS: if you make a GET or HEAD request before the object exists, then PUT the object, and finally make a GET again shortly after the PUT, you might get blank data due to eventual consistency*
  - Eventual consistency for overwrite PUTs and DELETEs
  - Updates to a single key are atomic: two people cannot use the same key at the same time
- Security
  - Resource based (object ACL, bucket policy)
  - User based (IAM policies)
  - Optional MFA before delete
  - Order of checks by S3 for access:

    ```
    User (IAM) permissions? ---Yes---> Access
           | No
           v
    Bucket policy permissions? ---Yes---> Access
           | No
           v
    ACL permissions? ---Yes---> Access
           | No
           v
    Access denied
    ```

- Versioning
  - New version on each write
  - Enables roll back and undelete capabilities
  - Old versions count as billable
  - S3 supports integrated lifecycle management
  - Supports S3 bucket Cross Region Replication
- Lifecycle Management
  - Optimize storage costs
  - Adhere to data retention policies
  - Keep S3 volumes well maintained
- S3 analytics capabilities
  - Data-lake-like usage: Redshift, Athena, QuickSight
  - IoT streaming data repo: Kinesis Firehose
  - ML and AI storage: Rekognition, Lex, MXNet
  - Storage Class Analysis: S3 management analytics
- S3 encryption at rest
  - SSE-S3
  - SSE-C
  - SSE-KMS
  - Client-side encryption
- Other nifty S3 tricks
  - Transfer Acceleration using CloudFront
  - Requester Pays: the requester, not the bucket owner, pays for requests and data transfer
  - Tags: assign tags to objects for costs, security, segregation and billing
  - Events: trigger notifications
  - Static web hosting
  - BitTorrent: supports the BitTorrent protocol

### Glacier

- Cheap, slow to respond, seldom accessed
- Cold storage
- Used by AWS Storage Gateway's tape gateway
- Integrated with AWS S3 lifecycle management
- Faster retrieval speed options if you pay more
- Components
  - Glacier Vault: like a bucket
  - Archive: like an S3 object (file, zip, tar, etc.)
  - Policies and access: policies define the rules that the vault must live by, maintained by the Glacier Vault Lock
    - Example: only allow MFA delete of any object in the vault
    - Access control is managed by IAM
  - Process of Glacier Vault Lock
    - When you create a new vault and define a new vault lock, you need to confirm the policies in the lock within 24 hours, otherwise the vault lock gets aborted

### Amazon Elastic Block Storage (EBS)

- Think virtual HDD
- Can only be used with EC2; can be detached from one EC2 instance and attached to another
- Tied to a single AZ
- Variety of throughput, IOPS and optimized options
- Provides snapshots
- **An EC2 instance can have an attached EBS volume or an attached instance store or both**
  - EBS can be attached to and detached from an EC2 instance while persisting the data, while the instance store is only temporary and its data gets deleted if the instance is stopped or terminated
  - Instance store is faster; EBS volumes are attached over the network

##### EBS Snapshots

- Cost effective and easy backup strategy
- Share data with other users or accounts
- Migrate a system to a new AZ or region
- Convert an unencrypted volume to an encrypted volume

![](https://i.imgur.com/edlkJtY.png)

- Snapshots only keep a diff
- AWS can revert to snapshot 2 even if snapshot 1 is deleted
- EBS Snapshots also have a lifecycle manager
  - Schedule snapshots for volumes or instances every X hours
  - Retention rules to remove stale snapshots
- In the image above, the EBS is 8\*8 = 64 units of size.
  **You will be paying for all 64 units** even though you are not using all 64 units.

### Elastic File Service

- Implementation of the NFS file share protocol
- Elastic storage capacity, and pay only for what you use (in contrast to EBS)
- EFS is multi-AZ
  - Configure mount points in one, or many, AZs
- Can be mounted from on-premises systems (caution here: NFS is not encrypted, an open mount over the internet can be dangerous)
  - Alternatively, use AWS DataSync
    - Uses a purpose-built custom protocol to keep data secure over the internet or Direct Connect. Also supports EFS-to-EFS sync
- Does not support all features of the NFS4 protocol

SAMPLE USE CASE

![](https://i.imgur.com/3erBSdu.png)

- Multiple developers => on-prem staging area
- Using AWS DataSync to sync to AWS EFS
- Create mount points in 2 regions of one AZ
- Mount to EBs hosting the website

**Cost compare:** 1 EFS is ~3\*EBS and ~20\*S3

### AWS Storage Gateway

- Virtual machine that you run on-premises with VMware or Hyper-V, OR via specially configured Dell appliance hardware
- Provides local storage resources backed by AWS S3 and Glacier
- Often used in disaster recovery preparedness to sync to AWS
- Useful in cloud migrations

> You can spin up a VM in your data center that provides AWS S3 as a disk in the data center for mounting

Available in 3 flavors:

- File Gateway
  - Interfaces via NFS or SMB
  - Function: allow on-prem or EC2 instances to store objects in S3 via an NFS or SMB mount point
- Volume Gateway Stored Mode or Gateway Stored Volumes
  - Interface: iSCSI
  - Function: async replication of on-prem data to S3
- Volume Gateway Cached Mode or Gateway Cached Volumes
  - Interface: iSCSI
  - Function: cache data locally, primary storage is S3
- Tape Gateway or Gateway-Virtual Tape Library
  - Interface: iSCSI
  - Function: virtual media center and tape library for use with existing backup software

**Interesting use case:** Use the AWS Storage Gateway VM in Volume Gateway Stored Mode and, after the sync is completely done, switch the VM to Volume Gateway Cached Mode, where most of the storage happens on S3 and frequently accessed files are cached.

Another sample use case, multiple users of frequent data in AWS:

![](https://i.imgur.com/C7R5oIS.png)

### Amazon WorkDocs

- Secure, fully managed file collaboration service like Dropbox or Google Drive among teams
- Can integrate with AD for SSO
- Web, mobile and native clients (no Linux client)
- HIPAA, PCI DSS and ISO compliant
- Complementary SDK available

### Databases on EC2

- Run any DB with full control and flexibility
- Must manage everything: backups, redundancy, patching, scale
- Good option if you require a database not yet supported by RDS: IBM DB2 or Netezza, SAP HANA
- Good option if you cannot migrate to RDS

### AWS RDS

- Managed DB option for MySQL, MariaDB, PostgreSQL, SQL Server, Oracle and MySQL-compatible Aurora
- Best for structured, relational data store needs
- Aims to be a drop-in replacement for existing on-prem instances of the same DBs
- Automated backups and patching in customer-defined maintenance windows
- Push-button scaling, replication and redundancy

**Don't use RDS if:**

- Lots of large binary objects (BLOBs) - use S3 instead
- Automated scalability - use DynamoDB
- Name/value data structure - use DynamoDB
- Unstructured - DynamoDB
- Other DBs or complete control of the DB - DB on EC2

SAMPLE USE CASE

![](https://i.imgur.com/2uoDIhX.png)

- The dotted lines are SYNC replication
- The continuous line is ASYNC replication

### AWS DynamoDB

- Massively scalable, managed, multi-AZ NoSQL data store with a cross-region replication option
- Defaults to eventually consistent reads, but can request strongly consistent reads via an SDK parameter
- Priced on throughput rather than compute
  - Provision read and write capacity in anticipation of need
- Can also be ACID compliant
- Can use autoscaling
  - DynamoDB watches a table and, if the throughput increases, a CloudWatch alarm is triggered, which triggers a scale-up of the table
  - But this does not scale back down; DynamoDB does not know when the demand falls back to normal. Some methods in the docs are to use synthetic transactions that taper down, but this does not always work
- Also provides on-demand capacity at a small premium cost

##### Relational vs NoSQL

- Relational -> relationships in structure in the form of tables
- NoSQL -> designed to excel at storage of name/value pairs

![](https://i.imgur.com/xWOlR59.png)

- A name/value pair is called an **attribute**
- A collection of attributes forms an **item**
- Many of these **items form records in a table**
- Every record or item should have a unique attribute called the primary key
  - DynamoDB uses this primary key attribute to create an internal hash, and uses the internal hash to map a data value of arbitrary size to a fixed size. It uses this hash to decide which partition to put the data into
  - The primary key is also called the hash attribute
  - Example: unique sales order number
- In addition to the primary key, DynamoDB also supports a **sort key, the key which decides the order in which items are stored**
  - Then the primary key comprises two components -> partition key (sales order number) and sort key (timestamp)
  - When the primary key is a composite structure, you can have the same partition key if the sort key is different
  - The same hash is computed on every record's partition key, but the records are stored in order of the sort key

##### Secondary indexes

- Global secondary index
  - Partition key and sort key can be different from those on the table
  - **I can choose my partition key and sort key**
  - **When to use:** when you want fast queries on attributes outside the primary key, without having to do a table scan
  - Example: sales orders by customer number instead of order number
- Local secondary index
  - Same partition key as the table but a different sort key
  - **I have to stick to the table's partition key, but I can choose whatever sort key I want**
  - **When to use:** when you already know the partition key and want to quickly query on some other attribute
  - Example: sales order number of only those records that have a certain material number
- Limit to the number of indexes and attributes per index
- Indexes take up storage space
- Suppose we created a global secondary index using `customerNum`
  - We could query by customer number at light speed
- If we created a local secondary index on material number, we can query by sales order number and material number at lightning speed
- **When you create an index, you need to select the attributes that are projected onto that index; you can choose up to 20 attributes**
  - Projecting an index is similar to creating a view in RDS

##### Use cases

- Frequent access to only a few attributes quickly
  - Project those attributes to a global secondary index
  - Cost incurred is minimal
  - Low latency advantage
- Frequent access to a few non-key attributes
  - Project those items to a global secondary index
  - Cost incurred is moderate; the goal is to avoid table scans
  - Low latency advantage
- Frequent access to most non-key attributes
  - Project those attributes, or even the entire table, into a global secondary index
  - Cost incurred can double
  - Maximum flexibility advantage
- Rarely accessed but written frequently
  - Project keys only for the global secondary index
  - Cost increase is minimal
  - Very fast writes

##### Design practices

Sample records:

![](https://i.imgur.com/Wjt10Al.png)
![](https://i.imgur.com/bIWVG82.png)

- The records have the same partition key but different sort keys
- Now when you query the DB, it will query lightning quickly on the partition key and the sort key
- But if you want to aggregate period and total purchases, you can create a global secondary index on period and total purchases
- **Sparse index:** a DynamoDB trick where it creates an index of only those records that have the keys needed to create the projection, saving money
- **Replicas via secondary indexes:**
  - You can create a replica of the table using the global secondary index; use the same partition and sort key
  - Now you can create different read and write CUs for each of the tables, based on your performance needs
  - **Replicas will become eventually consistent**, so there might be a time lag

![](https://i.imgur.com/SLYQ19X.png)
![](https://i.imgur.com/HAX3iY3.png)

### Redshift

- Fully managed, clustered, petabyte-scale data warehouse
- Extremely cost-effective
- PostgreSQL compatible, with JDBC and ODBC drivers available
- Features parallel processing and columnar data stores, which are optimized for complex queries and analytics
- Option to query directly from data files on S3 via **Redshift Spectrum**

##### Data Lake

- Query raw data without extensive processing
- Lessen the time from data collection to data value
- Identify correlations between disparate data sets
- Data store with some kind of framework built on it
- Example: S3 bucket <- Redshift Spectrum <- QuickSight

### Neptune

- Fully managed graph database
- Optimized to deal with relationships between data and can quickly navigate between those relationships
- Supports open graph APIs for both Gremlin and SPARQL

### Amazon ElastiCache

- Fully managed in-memory datastores
  - Redis
  - Memcached
- Push-button scalability for memory, writes and reads
- In-memory key/value store - not a persistent data store
- Billed by node size and hours of usage

##### Use cases

- Serving web session store info
  - Store session data in a Redis data store; commonly used with Redis
- Memcached is also used for DB caching, or use Memcached in place of a small DB
- Redis is also used for leaderboards in apps with millions of users
- Streaming data dashboards: can use both

##### Redis vs Memcached

Memcached

- Simple, no frills, straightforward
- You need to scale in and out as demand changes
- You need to run multiple CPU cores and threads
- You need to cache objects like DB queries

Redis

- You need encryption
- HIPAA compliance
- Complex data types
- High availability
- Pub/sub capability
- Geospatial indexing
- Backup and restore

A cache is a cache; use the right tool for the job, and don't use a cache to do the job of RDS or S3.

### AWS Athena

- SQL engine on S3 based on Presto
- Query raw data that is in an S3 bucket and readable by Presto, like CSV, JSON and Parquet
- Most performance comes if the data is stored as Parquet for Athena
- Similar to Redshift Spectrum, but
  - Use Athena if the data is standalone
  - Use Redshift Spectrum if the data needs joins with other tables, whether the data is in S3 or Redshift

### Amazon Quantum Ledger Database (QLDB)

- Based on blockchain concepts
- Provides an immutable and transparent journal as a service without having to set up and maintain an entire blockchain network
- Centralized design (as opposed to the decentralized consensus-based design of common blockchain frameworks) allows for higher performance and scalability
- Append-only concept is enforced, where each record contributes to the integrity of the chain
- The running tally of hashes depends on the previous hashes; if any modification happens to a previous hash, the system corrupts the chain of hashes

### Amazon Managed Blockchain

- QLDB is great if you only want a ledger
- True blockchain with a distributed consensus-based concept consisting of a network, members (other AWS accounts), nodes (instances) and potentially applications which might not be within AWS
- Fully managed blockchain framework supporting the open source frameworks Hyperledger Fabric and Ethereum
- Uses the Amazon QLDB ordering service to maintain a complete history of all transactions

### Amazon Timestream database

- Fully managed database service specifically built for storing and analyzing time-series data
- Alternative to DynamoDB or Redshift, and includes some built-in analytics like interpolation and smoothing
- Use cases
  - Industrial machinery
  - Sensor networks
  - Equipment telemetry

#### Amazon DocumentDB

- Compatible with MongoDB
- AWS's invention that emulates the MongoDB API, so it acts like MongoDB to existing clients and drivers
- Fully managed with the good stuff (multi-AZ, scalable, integrated with KMS, backed up to S3)
- An option if you use MongoDB and want to get out of the server management business

#### Amazon Elasticsearch (ES)

- Not ElastiCache
- Mostly a search engine but also a document store
- Indexes the documents it stores and stores those indexes as documents
- Stores documents as JSON, just like MongoDB or DynamoDB
- *It is more useful as a search or analytics store*
- Components are commonly referred to as an **ELK stack**
  * Analytics -> Kibana
  * Intake -> Logstash, CloudWatch, Firehose, IoT Greengrass
  * Search and storage -> Elasticsearch

Sample use case: create IoT dashboards

**NOTE:**

- A similar use case for IoT can also be achieved with S3 and QuickSight
- There are always functional overlaps between AWS components, and you as architect have to decide which service best fits and is easy to use

### Comparing DB options

- DB on EC2
  - Ultimate control over the DB
  - Preferred DB not available in RDS
- Amazon RDS
  - Need a traditional relational database for OLTP
  - Your data is well formatted and structured
- Amazon DynamoDB
  - Name/value pair data or unpredictable data structure
  - In-memory performance with persistence
- Redshift
  - Massive amounts of data
  - Primarily OLAP workloads
- Amazon Neptune
  - Relationships between objects are a major portion of the data's value
- ElastiCache
  - Fast temporary storage for small amounts of data
  - Highly volatile

### Exam tips

- Read the AWS Storage Options white paper
- re:Invent videos
- Both exam tips videos for storage

### Pro Tips - Storage

- Archiving and backup are often a great "pilot" to build an AWS business case
- Make use of endpoints within your VPC
- Learn how to properly secure your S3 bucket
- Encrypt, encrypt, encrypt
- Consider Aurora for your prod MySQL/MariaDB or PostgreSQL
  - Better optimization in terms of performance, redundancy and cost
  - Ex: automatic failover to read replicas
- Consider NoSQL if you don't need relational DBs
- DBs on EC2 cost less compared to RDS, but RDS is a managed service and a DB on EC2 is not, so consider the cost savings
- You can have a performance hit when you are running RDS on a single-AZ instance
  - No performance hit when running multi-AZ, as the backup is taken from the redundant DB

### AWS Storage Services Overview White Paper

- AWS provides low-cost data storage with high durability and availability. AWS offers choices for backup, archiving and disaster recovery use cases and provides block, file and object storage.

Types:

- **S3:** scalable and highly durable object storage in the cloud
- **Glacier:** low-cost, highly durable archive storage in the cloud
- **Amazon EFS:** scalable network file storage for EC2 instances
- **Amazon EBS:** block storage volumes for EC2 instances
- **Amazon EC2 Instance Storage:** temporary block storage volumes for EC2 instances
- **AWS Storage Gateway:** an on-prem storage appliance that integrates with the cloud
- **AWS Snowball:** a service that transports large amounts of data to and from the cloud
- **AWS CloudFront:** a service that provides a global content delivery network

#### S3

- Storage classes
  - Standard
  - S3 Standard-IA
  - Glacier
- Common use patterns -> **4 patterns**
  - Store and distribute web content and media
    - Each object in S3 has a unique HTTP URL
    - Can serve as the origin store for a CDN
    - The elasticity of S3 makes it particularly well suited for fast-growing websites that require bandwidth to address extreme demand spikes
  - Host static websites
    - Low-cost, highly available, highly scalable solution for storage of static sites
  - Data store for computation and large-scale analytics such as financial transaction analysis, clickstream analytics and media transcoding
    - Because of the horizontal scalability of S3, you can access your data from multiple computing nodes concurrently without being constrained by a single connection
  - Finally, S3 is often used as a highly durable, scalable and secure solution for backup and archiving of critical data.
You can easily move cold data to Glacier using lifecycle management rules on data. - You can also use **S3 Cross Region Replication** to automatically copy objects across S3 buckets in different regions async, providing disaster recovery - Not applicable use cases - File System: AWS EFS - Structured data with queries: DynamoDB, RDS, Cloud Search - Rapidly changing data: EBS, EFS, DynamoDB, RDS - Archival data: Glacier - Dynamic Website: EC2, EFS - Performance - Same Region EC2 and S3 is designed to be fast - If you access S3 usign multiple threads, multiple applications or multiple clients, tital throughput far exceeds what any single server can generate or consume - To improve upload performance, you can use multipart upload and upload in parallel - To speed up access to relevant data, many developers pair AWS S3 with a search engine such as AWS Cloudsearch or DynamoDB. In suhch scenarios, S3 stores the actual data and the DB serves as the data repo for the metadata - **Transfer Acceleration:** - Allows for secure transfer of files over long distances between - Leverages Cloudfront globally distributed edge locations to route traffic to your S3 bucket - To use - enable on S3 - Use endpoint **\<bucketname>.s3.accelerate.amazonaws.com** - Scalability: Highly scalable - Highly secure - Provides mechanisms for fine grain control of access - Supports encryption - Protect the data in transit by using client side encryption or SSL - Supports versioningm MFA delete - Access logging - Interfaces ## Module 2: Networking - You are expected to know networking across an enterprise as well as migration ### Networking Refresher Concepts you should know - Physical layout of AZ and region - VPC concept and how to create - Create private and public subnets - What a NAT is and what "Disable Source/Destination check" means - Route table and routing terminology (default routes/local routes) - IPv4 Addressing and Subnet Mask Notation (/16, /24 etc) - Intermediate networking technology 
(MAC address, port, gateway and router) OSI Model (PDNTSPA) ![](https://i.imgur.com/JLn3qlC.png) - AWS operates on a **shared responsibility model** where the yellow line decides where the user's and where AWS's responsibilities exist - This does not mean that the user cannot get to the data link layer on the OSI model or AWS cannot get to the network layer, just not done theoritically - To prohibit this behavior, AWS has blocked certain features at the network level such as multicast **(Multicast happens at layer 2)** - Unicast: Example Phone call - Multicast: Example loudspeaker to everyone ##### Different Protocols TCP vs UDP vs ICMP - TCP (layer 4) - Characteristics: Connection based, stateful, acknoledges receipt - E: Web, Email, File Transfer - UDP (layer 4) - Characteristics: Stateless, connectionless, simple, no retransmission delays - Example: Streaming media, DNS - ICMP (Layer 3 but debated) - Characteristics: Used by network devices to exchange info - Example: Traceroute, ping ##### Ephemeral ports - Short lived transport protocol ports used in IP communications - Above the well known ports (Above 1024) - AKA Dynamic ports - Suggested Range OS based - 49152 - 65535 - Linux: 32568 to 61000 - Windows default from 1025 - These have NACL and Security group implications - The request on a server for SSH might be on port 22 but the response from that server to the client is on an ephemeral ports - Same for 443 and 80 **Example: Only TCP for web pages:** Webserver Client 192.168.1.1 192.168.1.6 Listening on Dialing 192.168.1.1 port 80 on port 80 for a http / Session. Use port 56784 / to respond v Hello this is Server, Here is web page on port 56784, session kept open <--> Thank you server New Web page request / V I know who you are, I am going to use our existing session **TCP and UDP for pages and media:** Webserver Client 192.168.1.1 192.168.1.6 Listening on Dialing 192.168.1.1 port 80 on port 80 for a http / Session. 
Use port 56784 / to respond v Hello this is Server, Here is media file on port 56784, -> More data -> More data -> More data -> There is no response from client AWS reserved Addresses - 5 IPs are reserved in every VPC Subnet (example 10.0.0.0/24) - 10.0.0.0 -> Network Address - 10.0.0.1 -> VPC Router - 10.0.0.2 -> Amazon DNS - 10.0.0.3 -> Reserved - 10.0.0.255 -> Broadcast address hence locked ### AWS Network to VPC Connectivity - AWS Managed VPN - AWS Direct Connect - AWS Direct Connect + VPN - AWS VPN Cloudhub - Software VPN - Transit VPC ##### Managed VPN - WHAT: Managed VPN is an IPSec VPN connection over your existing internet - WHEN: Quick and usually simple way to establish a secure tunneled connection to a VPC - Also used as redundant link for direct connect - PROS: Advantage to use Static routes or BGP Peerign and routing - CONS: Disadvantage depends on your internet connection - HOW: ###### How to create a managed VPN ![](https://i.imgur.com/HvATNMC.png) - Choose endpoint gateway appliance, usually on-prem router) - Create VPN and download config file - AWS can create config files automatically for some popular routers like cisco or juniper - Config gateway as per conf file, generally IPSec as default security protocol - Generate synthetic traffic to establish connection - Set up BGP routing as needed ##### AWS Direct Connect - WHAT: Dedicated network connection over private lines straight to AWS backbone - WHEN: Require a "big pipeline" into AWS, lots of resources and services eign provided to your corporatre users - PROS: more reliable, upto 10GBPS provisioned bandwidth - Supports BGP routing and peering - CONS: May require additional telecom and hosting provider relationships - HOW: Work with your existing Data Networing Provider; create Virtual Interfaces (VIF) to connect to VPCs (Private VIF) or AWS Public VIF ##### AWS Direct Connect over VPN - WHAT: IPSec VPN connection over private lines - WHEN: Added Security of encrypted **tunnels (Multiple)** 
over Direct Connect Lines - PROS: More secure in theory than direct connect alone - CONS: More complexity with data networking provider - USE CASE: Parent company builds hard connection Direct Connect and child companies use connection in VPN ##### AWS VPN CloudHub DIY using public network and AWS VPC as hub - Connect Locations in a Hub and Spoke Manner using AWS's Virtual Private Gateway - Link remote offices for backup or primary WAN Access to AWS resources and each other - PROS: reuses existing internet connection; supports BGP routes to direct traffic (for Example, use MPLS first then Cloudhub VPN as backup) - CONS: Dependent on internet connection; no inherit redundancy - HOW: Assign multiple Customer Gateways to a Virtual Private Gateway, each with their own BGP ASN and Unique IP ranges ![](https://i.imgur.com/mKxSjmU.png) ##### Software VPN - WHAT: You provide your own VPN endpoint and software - WHEN: You must manage both ends of the VPN connection for compliance reasons or you want to use a VPN option not supported by AWS - PROS: Untimate flexibility and managibility - CONS: you must design for any needed redundancy - HOW: install VPN software via Marketplace appliance or an EC2 instance ![](https://i.imgur.com/I1iWACf.png) ##### Transit VPC: - WHEN: Common strategy for conneting geographically disperse VPCs and locations in order to create a global networj transit center - WHEN: Locations and VPC deployed assets across multiuple regions that need to communicate with one another - PROS: Ultimate flexibility abd managibility, but aslo AWS managed HUB and SPOKE model between VPCs - CONS: You must design for any needed redundancy across the whole chain - HOW: Providers like Cisco, Juniper, Riverbed, PA Networks .. 
have offerings that work with their equipment and AWS VPC
![](https://i.imgur.com/QQHvTaV.png)
- **A Transit VPC is not a physical box: it is a hub VPC running vendor virtual router appliances (Cisco CSR, Juniper vSRX and similar) on EC2 instances, which route between the spoke VPCs and on-prem** Info [here](https://aws.amazon.com/marketplace/solutions/infrastructure-software/transit-VPC)
- AWS has a similar but fully managed service called **Transit Gateway**

### VPC to VPC Connectivity
- *VPC Peering*
- Software VPN
- Software VPN to AWS Managed VPN
- AWS Managed VPN
- AWS Direct Connect
- *AWS PrivateLink*

##### VPC Peering
- WHAT: AWS-provided network connectivity between two VPCs
- WHEN: Multiple VPCs need to communicate or access each other's resources
- PROS: Uses the AWS backbone without touching the internet
- CONS: Transitive peering is not supported
  - Given A <-> B and B <-> C, A cannot talk to C via B
  - The CIDR ranges of the two VPCs cannot overlap
- HOW: A VPC peering request is made and the accepter accepts it (either within an account or across accounts); both sides then add routes to the peering connection and open security groups/NACLs
![](https://i.imgur.com/RRvqoyF.png)
**VPC Peering is cheapest, Transit Gateway is next, Transit VPC cost is based on the EC2 instance size**

##### AWS PrivateLink
- WHAT: AWS-provided network connectivity between VPCs and/or AWS services using interface endpoints
- WHEN: Keep private subnets truly private by using the AWS backbone to reach other services rather than the public internet
- PROS: Redundant; AWS backbone
- CONS: Endpoints are regional, so inter-region VPC peering is needed to reach a service in another region
- HOW: Create the endpoint needed for the AWS or Marketplace service in all needed subnets; access via the provided DNS hostname
- What you are exposing in PrivateLink is only the ENDPOINT (API or gateway to the other network) within that VPC, giving you granular access to only the services exposed, and keeping traffic on the AWS backbone like VPC peering does, but without exposing the whole CIDR range of the other VPC

##### VPC Endpoint
- Interface Endpoint
  - AWS creates and attaches a private Route 53 hosted zone to your VPC when you enable private DNS on one of these endpoints, and uses DNS to route packets to the endpoint's network interface
  - WHAT: Elastic Network Interface with a private IP
  - HOW: Uses DNS entries to redirect traffic
  - WHAT products: API Gateway, CloudFormation, CloudWatch, etc
  - SECURING: Security groups on the endpoint ENI, plus an endpoint policy
- Gateway Endpoint
  - The gateway uses prefix lists: the list of IP ranges for that service is kept in your route table, and when a call is made to one of those IPs AWS intercepts it and redirects the call to the service
  - WHAT: A gateway that is the target of a specific route
  - HOW: Uses prefix lists in the route table to redirect traffic
  - Services: S3, DynamoDB
- VPC Endpoint Policies (similar to IAM policies) restrict which resources and actions are reachable through an endpoint

### Internet Gateway
- Internet access for our VPC, 4 types
  - Internet Gateway
  - Egress-Only Internet Gateway
  - NAT Instance
  - NAT Gateway

##### Internet Gateway
- Horizontally scaled, redundant and highly available component between your VPC and the internet
- No availability risk or bandwidth constraints
- If your subnet's route table has a route to the internet gateway then it is a public subnet
- Supports IPv4 and IPv6
- Serves 2 purposes
  - Acts as the route table target for internet-bound traffic
  - Performs NAT for instances with public IP addresses
- Does not perform NAT for instances with private IPs only

##### Egress-Only Internet Gateway
- Only for IPv6
- IPv6 addresses are globally unique and are therefore public by default
- Provides outbound internet access for IPv6-addressed instances
- Prevents inbound connections initiated from the internet to those IPv6 instances
- Stateful: forwards traffic from the instance to the internet and passes the replies back
- Must create a custom route for ::/0 to the Egress-Only Internet Gateway
- Use an Egress-Only Internet Gateway instead of NAT for IPv6

##### NAT Instance
- EC2 instance from a special AWS-provided AMI
- Translates traffic from many private-IP instances to a single public IP and back
- Does not allow publicly initiated connections into private instances
- Not supported for IPv6 (use the Egress-Only Gateway)
- NAT instance must live in a public subnet with a route to the Internet Gateway
- Source/destination check must be disabled on the NAT instance, otherwise EC2 drops packets that are not addressed to the instance itself
- Its security group must allow the inbound traffic from the private subnets and the outbound traffic to the internet
- Private instances in a private subnet must have a route to the NAT instance, usually the default route destination of 0.0.0.0/0
- You are responsible for patching, sizing and failover of the instance; it is a single point of failure unless you script around it

##### NAT Gateway
- Managed NAT service
- Must be created in a public subnet
- Uses an Elastic IP as its public IP for the life of the gateway
- Private instances in a private subnet must have a route to the NAT gateway, usually the default route destination of 0.0.0.0/0
- Created in a specified AZ with redundancy in that zone
- For multi-AZ redundancy, create NAT gateways in each AZ with routes for the private subnets to use the local gateway
- Starts at 5 Gbps and scales up to 45 Gbps
- Cannot have a security group attached; use NACLs on the subnet and security groups on the instances behind it
- Can't use a NAT gateway to reach VPC peering, VPN or Direct Connect, so be sure to include specific routes to those in your route table (remember, the most specific route is selected first)
![](https://i.imgur.com/GfTqQv1.png)

### Routing
- VPC context: 2 topics, route tables and BGP
- Route Tables
  - VPCs have an implicit router and a main route table
  - You can modify the main route table or create new tables and associate them with subnets
  - Each route table contains a local route for the CIDR block assigned to the VPC, which cannot be modified or deleted
  - Most specific route (longest prefix) for an address wins
SAMPLE ROUTE TABLE and DESTINATION
![](https://i.imgur.com/UQ7ccpm.png)
**\*.\*.255.255 is a broadcast address, ignored by AWS**
- Border Gateway Protocol
  - Popular routing protocol for the internet
  - "Propagates" information about the network to allow for dynamic routing
  - Required for Direct Connect and optional for VPN
  - The alternative to BGP with an AWS VPC is static routes
  - AWS supports BGP community tagging as a way to control traffic scope and route preference
  - Autonomous System Number (ASN) = unique identifier for each network at either end of the peering
  - Weight is local to the router, and the higher weight is the preferred path for outbound traffic
  - It can choose a route based on a path and assign it a weight
SAMPLE use case
![](https://i.imgur.com/wbR3Qat.png)
If we want to switch traffic from Direct Connect to VPN, we just need to **reduce the weight** of the Direct Connect path **from 150 to <100** (below the VPN path's weight) and outbound traffic automatically switches to the VPN connection
- Caveat: weight only steers traffic leaving your router. In the AWS-to-on-prem direction, AWS prefers a Direct Connect path over a VPN path for the same prefix, so to move return traffic as well you must advertise a more specific prefix over the VPN (or withdraw the prefix from Direct Connect)

### Enhanced Networking features
- Generally used for high performance computing use cases
- Uses single root I/O virtualization (SR-IOV) to deliver higher performance than traditional virtualized network interfaces
- Might have to install a driver if using an AMI other than the Amazon Linux HVM AMI
- Intel 82599 VF interface - up to 10 Gbps
- Elastic Network Adapter (ENA) - up to 25 Gbps

##### Placement groups
- The idea is that you can choose, in some fashion, how your instances are arranged on the physical hardware they live on
- Three types:
  - Clustered: grouping instances as close as possible in racks
    - WHAT: Instances placed into a low-latency group within a single AZ
    - WHEN: Need low network latency and/or high network throughput
    - PROS: Get the most out of Enhanced Networking instances
    - CONS: Finite capacity; recommended to launch all you might need up front
  - Spread: not on the same rack, hence a rack failure does not matter
    - WHAT: Instances spread across underlying hardware
    - WHEN: Reduce the risk of simultaneous failure if underlying hardware fails
    - PROS: Can span multiple AZs
    - CONS: Max of 7 running instances per group per AZ
  - Partition: group instances and spread those groups
    - WHAT: Instances are grouped into partitions and spread across racks
    - WHEN: Reduce the risk of correlated hardware failure for multi-instance workloads
    - PROS: Better for large distributed workloads than Spread
    - CONS: Not supported for Dedicated Hosts
![](https://i.imgur.com/FcQd5NA.png)
![](https://i.imgur.com/h3cEZIp.png)

### Route 53
- Register domain names
- Check the health of your domain resources
- Route internet traffic for your domain

##### Knowledge needed
- DNS
- DNS record types
- Route 53 concepts

##### Route 53 record types
- A record - IPv4 address
- AAAA record - IPv6 address
- CAA record - Certificate Authority Authorization: which CAs may issue certificates for the domain
- CNAME record - name to another domain name
- MX record - mail servers
- NAPTR record - Name Authority Pointer for DDDS applications
- NS record - identifies the nameservers for the hosted zone
- PTR record - IP address to domain name (reverse lookup)
- SOA record - Start of Authority for the domain and its Route 53 hosted zone
- SPF record - deprecated (publish SPF in a TXT record instead)
- SRV record - service locator
- TXT record - arbitrary text (SPF, DKIM, domain verification)

##### Route 53 routing policies
- **Simple:** single entry
- **Failover:** Normally I would like to use \<primary\>, but it appears to be down, so I will use \<back-up\>
- **Geolocation:** Looks like you are in Europe, I will route you to a resource closer to that location
  - Important to have a default record for when the user's location cannot be determined
- **Geoproximity:** You are closer to us-east-1 than us-east-2, so let me route you to that
  - Also allows for an added bias that you can adjust
- **Latency:** Let me see which resource has lower latency from you and direct you that way
- **Multivalue answer:** I will return several IP addresses (only the healthy ones), as a sort of basic load balancer
- **Weighted:** You can set up multiple resources and I'll route according to the percentage of weight you assign to each
  - Percentage of traffic = $\frac {weight of route}{total sum of weights}$
![](https://i.imgur.com/X4Aj5IN.png)
HOW
![](https://i.imgur.com/Ri7m8oC.png)
![](https://i.imgur.com/XfGudqt.png)
![](https://i.imgur.com/WD84F9V.png)

### CloudFront
- Distributed content delivery service, from simple static asset caching up to 4K live and on-demand video streaming
- You should already know how to create a CloudFront distribution and understand the edge location concept
- Integrated with AWS Certificate Manager and supports SNI

##### Set up a CloudFront distribution
- The following settings are needed for set up
  - **Your content origin**: the Amazon S3 bucket, MediaPackage channel, or HTTP server; any combination of up to 25 Amazon S3 buckets, channels and/or HTTP servers
  - **Access**: available to everyone, or restricted to some users (signed URLs or signed cookies; an origin access identity keeps an S3 origin reachable only through CloudFront)
  - **Security**: require users to use HTTPS to access your content
  - **Cache key**: which values, if any, you want to include in the cache key
    - The cache key uniquely identifies each file in the cache for a given distribution.
  - **Origin request settings**: whether you want CloudFront to include HTTP headers, cookies, or query strings in the requests it sends to your origin
  - **Geo-restrictions**: whether you want CloudFront to prevent users in selected countries from accessing your content
  - **Access logs**: whether you want CloudFront to create access logs that show viewer activity

##### Set up CloudFront
![](https://i.imgur.com/Pb0kHLq.png)
- The certificate is a custom certificate created by AWS Certificate Manager
- The wildcard in front of the domain name is to include all sub-domains that might get used in the future
- **Custom SSL client support**
  - A CloudFront edge IP serves many distributions, each with its own certificate. A client that does not send the hostname during the TLS handshake cannot be given the right certificate, so the browser shows a bad certificate error
![](https://i.imgur.com/RJ8lnfM.png)
  - To ensure that this error does not show up, we have 2 methods
    - Use clients that support Server Name Indication (SNI); all modern browsers support SNI
    - Use a dedicated IP address at each CloudFront edge location (about $600 per month per distribution)

### Elastic Load Balancers
- Distributes inbound connections to one or more backends
- 3 options
  - Application Load Balancer (OSI model layer 7)
  - Network Load Balancer (OSI model layer 4)
  - Classic Load Balancer (old, legacy support, layer 4 or 7)
- Can be used for public or private workloads
- Consume IP addresses within a VPC subnet
  - Load balancers auto scale, so ensure each subnet has enough spare addresses (AWS asks for at least 8 free IPs per subnet, so /27 or larger)
![](https://i.imgur.com/wQH5Dnf.png)
![](https://i.imgur.com/SP9uIm1.png)

##### Routing on ELB
- Network Load Balancers can only route on port number
  - TCP connections to the backend are persisted for the duration of the connection
- Application Load Balancer
  - Host-based routing
  - Path-based routing
  - HTTP header-based routing
  - HTTP method-based routing
  - Query string parameter-based routing
  - Source IP address CIDR-based routing
![](https://i.imgur.com/EHFByTp.png)
![](https://i.imgur.com/0Yd00Bl.png)

##### Sticky sessions
- Most applications use sticky sessions to keep a client on the same backend, identified by a session ID (a shopping cart, for example)
- Enable sticky sessions on the target group; the load balancer then sets a cookie that ties the client to one backend

### Exam tips
- Know the pros and cons of each on-prem to AWS connection mode
- Know the functions of the different VPC components (Customer Gateway, Virtual Private Gateway)
- Know that Direct Connect is not inherently redundant, so know how to architect a network that is redundant (VPN, secondary Direct Connect)
- Multicast and broadcast aren't supported in VPCs
- Know what is meant by 'stateless', 'stateful', 'connectionless' and 'connection-based' in terms of IP protocols
- Know what is meant by ephemeral ports and why they might need to be in NACLs or SGs
- Routing
  - Understand BGP and how to use weighting to shift network traffic
  - Know how routes in a route table are prioritized (most specific first)
  - What other routing protocols does AWS support (none except BGP)
- VPC Peering
  - CIDR ranges cannot overlap
  - After the VPC owner accepts a peering request, routes must also be added to the respective route tables
  - Transitive peering is not supported, but mesh or hub-and-spoke architectures are, with proper NACLs and routes
  - A transit VPC is supported
- Internet Gateway
  - Difference between a NAT Instance and a NAT Gateway
  - Internet Gateway is horizontally scaled, redundant with no bandwidth constraints
  - NATs do have bandwidth constraints but ...
  - VPCs can have multiple NATs across AZs and subnets for scale, as long as routes are defined properly
  - Use an Egress-Only Internet Gateway for IPv6
- Route 53
  - Understand the different types of routing policies and their use cases
  - Know the weighted routing formula
  - Route 53 is a global service
- CloudFront
  - Understand what must happen to use a custom domain with CloudFront
  - Understand what SNI enables and the necessary alternative
- Elastic Load Balancer
  - Know the three different types of load balancers and at which OSI layer they work
  - Understand which major features each delivers (protocol, SNI, sticky sessions)
  - Know what sticky sessions are and when they come into play

### Pro tips
- Direct Connect may be the more complex and costlier option to set up, but it could save big on bandwidth costs
- Principle of least privilege: open only the traffic you need. Security groups are allow-only (anything not allowed is dropped), so "denying" Telnet or SSH there means never adding an allow rule; only NACLs have explicit deny rules, so use them to block ports or sources you will never use
- Think through your VPC layout, otherwise it soon becomes a mess
- You can use Route 53 for your domain even if AWS isn't your registrar
- ELBs provide a useful layer of abstraction (as does Route 53) for blue/green deployments, rolling updates, etc.
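The route selection rule from the Routing notes in this module (most specific route wins) together with the NAT gateway caveat (a NAT gateway cannot carry traffic to a peering connection), as an added worked example that is not part of the original notes. It implements longest-prefix matching over a constructed route table; the targets `nat-0123456789` and `pcx-0abc1234` and the peer CIDR 10.1.0.0/16 are assumed values for illustration, not output from AWS.

```python
"""Added example (not from the original notes): longest-prefix route selection
for a VPC route table, showing why a default route to a NAT gateway does not
carry traffic to a peered VPC until a more specific route is added."""
import ipaddress

# Constructed sample route table for a private subnet in VPC 10.0.0.0/16.
# Targets are hypothetical identifiers used for illustration only.
ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),          # implicit local route, cannot be removed
    ("0.0.0.0/0", "nat-0123456789"),   # default route to the NAT gateway
]


def select_route(route_table, dst_ip):
    """Return the target for dst_ip using the VPC rule: the most specific
    (longest prefix) matching destination wins. None if nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def add_route(route_table, cidr, target):
    """Return a new table with the route added; AWS rejects a duplicate destination."""
    new_net = ipaddress.ip_network(cidr)
    if any(ipaddress.ip_network(c) == new_net for c, _ in route_table):
        raise ValueError(f"route for {cidr} already exists")
    return route_table + [(cidr, target)]


# Traffic to a peered VPC 10.1.0.0/16 with only the NAT default route: it is
# sent to the NAT gateway, which cannot reach the peering, so it is lost.
PEER_VPC = "10.1.0.0/16"
WRONG = select_route(ROUTE_TABLE, "10.1.4.20")   # -> 'nat-0123456789'

# Fix: add the more specific peer CIDR pointing at the peering connection.
FIXED_TABLE = add_route(ROUTE_TABLE, PEER_VPC, "pcx-0abc1234")
RIGHT = select_route(FIXED_TABLE, "10.1.4.20")   # -> 'pcx-0abc1234'

if __name__ == "__main__":
    for ip in ("10.0.3.7", "10.1.4.20", "93.184.216.34"):
        print(ip, "->", select_route(FIXED_TABLE, ip))
```

The same rule explains the NAT instance and VPN cases: anything not covered by a longer prefix falls through to 0.0.0.0/0, so every peering, VPN and Direct Connect destination needs its own, more specific entry.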
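The ephemeral port point from the exam tips above (and from the Network ACLs section in Module 3), as an added example that is not from the original notes: a stateless NACL is evaluated rule by rule for both the inbound request and the outbound reply, with a stateful security group modelled beside it. The client and server addresses, the ephemeral port 51234 and the rule numbers are constructed sample values.

```python
"""Added example (not from the original notes): stateless NACL evaluation next
to a stateful security group, showing why the reply to an inbound HTTPS
request needs the ephemeral port range opened outbound in the NACL but not in
the security group, and that only the NACL can express an explicit deny."""
import ipaddress

# A packet is (src_ip, src_port, dst_ip, dst_port); TCP assumed throughout.
# A NACL rule is (rule_number, cidr, (low_port, high_port), action), matched on
# the packet's destination port; inbound rules match the source CIDR, outbound
# rules the destination CIDR. Lowest rule number is evaluated first, the first
# match decides, and the implicit "*" rule denies anything unmatched.


def nacl_evaluate(rules, packet, direction):
    src_ip, src_port, dst_ip, dst_port = packet
    peer = src_ip if direction == "inbound" else dst_ip
    for _number, cidr, (low, high), action in sorted(rules):
        if ipaddress.ip_address(peer) in ipaddress.ip_network(cidr) and low <= dst_port <= high:
            return action
    return "deny"  # the catch-all "*" rule


class SecurityGroup:
    """Stateful: an inbound allow also admits the matching reply outbound,
    even though no rule mentions the client's ephemeral port."""

    def __init__(self, inbound_allow):
        self.inbound_allow = inbound_allow   # [(cidr, (low_port, high_port))]
        self.tracked = set()

    def evaluate(self, packet, direction):
        src_ip, src_port, dst_ip, dst_port = packet
        if direction == "inbound":
            for cidr, (low, high) in self.inbound_allow:
                if ipaddress.ip_address(src_ip) in ipaddress.ip_network(cidr) and low <= dst_port <= high:
                    self.tracked.add((src_ip, src_port, dst_ip, dst_port))
                    return "allow"
            return "deny"
        # outbound: permitted only as the reply to a tracked inbound flow
        return "allow" if (dst_ip, dst_port, src_ip, src_port) in self.tracked else "deny"


def https_round_trip(inbound_rules, outbound_rules, client="203.0.113.10", server="10.0.1.5"):
    """Verdicts (request, reply) for one HTTPS request through a NACL."""
    request = (client, 51234, server, 443)   # constructed ephemeral source port
    reply = (server, 443, client, 51234)     # reply goes back to that port
    return (nacl_evaluate(inbound_rules, request, "inbound"),
            nacl_evaluate(outbound_rules, reply, "outbound"))


def sg_round_trip(client="203.0.113.10", server="10.0.1.5"):
    """Same exchange through a security group that only allows 443 inbound."""
    sg = SecurityGroup([("0.0.0.0/0", (443, 443))])
    request = (client, 51234, server, 443)
    reply = (server, 443, client, 51234)
    return sg.evaluate(request, "inbound"), sg.evaluate(reply, "outbound")


# Constructed NACL: inbound allows 443; the outbound side only allows 443,
# which is the common mistake, because the reply targets the ephemeral port.
INBOUND = [(100, "0.0.0.0/0", (443, 443), "allow")]
OUTBOUND_BROKEN = [(100, "0.0.0.0/0", (443, 443), "allow")]
OUTBOUND_FIXED = OUTBOUND_BROKEN + [(110, "0.0.0.0/0", (1024, 65535), "allow")]
# An explicit deny with a lower number blocks a noisy source before the allow.
INBOUND_WITH_DENY = [(50, "198.51.100.0/24", (0, 65535), "deny")] + INBOUND

if __name__ == "__main__":
    print("broken NACL   :", https_round_trip(INBOUND, OUTBOUND_BROKEN))  # ('allow', 'deny')
    print("fixed NACL    :", https_round_trip(INBOUND, OUTBOUND_FIXED))   # ('allow', 'allow')
    print("security group:", sg_round_trip())                             # ('allow', 'allow')
```

Note that the NACL deny in `INBOUND_WITH_DENY` only affects the inbound direction; the outbound reply is still judged on its own, which is exactly what "stateless" means and why both directions must be written out.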
## Module 3: Security
- Comes in many different forms and flavors
- Focus on cross-account access and federation
- Designing for new services or upgrading existing solutions

### Shared Responsibility model
![](https://i.imgur.com/LX7lZ7A.png)
Lots of customer responsibilities

##### Principle of Least Privilege
- Give users or services nothing more than the privileges required to perform their intended function
- Grant only when needed, and do not keep the grant longer than needed

##### Security facets
- Identity - Who are you
  - Root user, IAM user, temporary security credentials
- Authentication - Prove that you are who you say you are
  - MFA, client-side SSL certificate
- Authorization - Are you allowed to do this
  - IAM policies
- Trust - Do other entities that I trust say that they trust you
  - Cross-account access
  - SAML-based federation
  - Web identity federation

##### Typical Components
![](https://i.imgur.com/G8NOGEw.png)
- Identities - people, objects, computers
- Identity providers - keep the identity stores (Facebook, AWS Cognito, Google)
- Identity broker - takes requests from apps and checks the stores
- Federation - one identity provider can call another identity provider to check an identity

### Typical Authentication Flow
```
<App> -> Give me access -> <service provider>
                                  |
                                  V
               Get me a token from <identity provider>
                                  |
                                  V
        <App> authenticates at <identity provider>
                                  |  Authorized, accept token
                                  V
                 Use token at <service provider>
```

##### SAML vs OAuth vs OpenID
- SAML
  - Protocol that can handle both authentication and authorization
  - Can contain user, group membership and other useful information
  - Assertions in the XML for authentication, attributes or authorization
  - Best suited for Single Sign-On (SSO) for enterprise users
- OAuth 2.0
  - Allows sharing of protected assets without having to send login credentials
  - Handles **authorization** only, not authentication
  - Issues a token to the client
  - The application validates the token against the authorization server
  - Delegated access, allowing applications to access information on
behalf of the user
  - Best suited for API authorization between apps
- OpenID Connect
  - Identity layer built on top of OAuth 2.0, adding authentication
  - Uses REST/JSON
  - Supports web, mobile and JavaScript clients
  - Extensible
  - Best for consumer-grade mobile applications

Compliance
- AWS is certified against many compliance schemes

### Multi Account Management
- Most orgs have multiple accounts
  - For cost separation, security boundaries, agility
- Need methods to build and maintain them

##### AWS tools for account management
- AWS Organizations: allows managing multiple accounts straight from the console
  - Provides centralized account structures
  - Service Control Policies: policies you apply to sub-accounts that cap what their IAM principals can do, including the sub-account's root user
  - Tagging
  - Resource groups
  - Consolidated billing

##### Identity Account Structure
- Manage all user accounts in one location
- Users assume IAM roles in the sub-accounts; each role's trust policy names the identity account, and the assumption grants temporary access
- Variations include by business unit, deployment environment, geography, etc
![](https://i.imgur.com/DTW75XZ.png)

##### Logging Account Structure
- Centralized logging repository
- Can be secured so as to be immutable
- Can use Service Control Policies (SCPs) to prevent sub-accounts from changing logging settings
![](https://i.imgur.com/fbjoEk1.png)

##### Publishing Account Structure
- Common repository for AMIs, containers, code
- Permits sub-accounts to use pre-approved, standardized services or assets
![](https://i.imgur.com/NBqBwS8.png)

### Network Controls and Security Groups
- Virtual firewalls for individual assets (EC2, RDS, AWS WorkSpaces, etc)
- Control inbound and outbound traffic for TCP, UDP, ICMP or custom protocols
- Port or port ranges
- Inbound rules are by source IP, subnet or other security group
- Outbound rules are by destination IP, subnet or other security group
- Stateful: the reply to allowed traffic is permitted automatically; there are allow rules only, no deny rules

### Network ACLs
- Additional layer of security for the VPC that acts as a firewall
- Apply to entire subnets rather than individual assets
- Default NACL allows all inbound and outbound
traffic
- NACLs are stateless, meaning outbound traffic just obeys the outbound rules; no connection state is maintained
- Rules are numbered and evaluated lowest number first; the first match wins, and the final "*" rule denies anything unmatched
- Can duplicate or further restrict access along with security groups
- Remember ephemeral ports for outbound (and for inbound replies) if you need them
- Why use both SG and NACL
  - Backup to the security group
  - Covers the entire subnet, so if you mess up a security group the subnet is still protected

### AWS Directory Services
- AWS Cloud Directory
  - Cloud-native directory to share and control access to hierarchical data between applications
  - Best for cloud apps that need hierarchical data with complex relationships
- AWS Cognito
  - Sign-up and sign-in functions that scale to millions of users and federate to public social identity providers
  - Best for consumer apps or SaaS
- AWS Directory Service for Microsoft Active Directory
  - Fully managed Microsoft AD (Standard or Enterprise) running on Windows Server 2012 R2
  - Hosted AD or LDAP
- AD Connector
  - Allows on-prem users to log into AWS services with their existing AD credentials. Also allows EC2 instances to join the AD domain
  - Best for SSO for on-prem employees and adding EC2 instances to the domain
  - Must have an existing AD
  - Supports MFA via RADIUS-based infrastructure
- Simple AD
  - Low-cost, low-scale AD using Samba
  - Best for a simple user directory, or when you need LDAP compatibility
  - Supports user accounts, groups, group policies and domains
  - Kerberos-based SSO
  - No MFA
  - No trust relationships

### Credential and Access Management
- Web identity: get a token from other providers
- AWS Security Token Service (STS)
  - Gives tokens for temporary access
  - Callers of STS can be IAM principals, AD users, or other federated identities
  - Temporary credentials expire, so a leaked token does less damage than a leaked long-lived access key; prefer them for anything shared or automated
![](https://i.imgur.com/whzQvXj.png)

##### Token vending machine concept
- Use AWS Cognito in place of the TVM concept

##### AWS Secrets Manager
- Store passwords, encryption keys, API keys, SSH keys, PGP keys, etc
- Alternative to storing passwords or keys in a 'vault'
- Can access secrets via API with fine-grained access control provided by IAM
- Automatically rotate
RDS database credentials for MySQL, PostgreSQL and Aurora
- Better than hard-coding credentials in scripts or applications

#### Encryption
- Encryption at rest, where the data is stored
- Encryption in transit, when the data is on the network

##### AWS KMS
- Key storage, management and auditing
- Tightly integrated into MANY AWS services like Lambda, S3, EBS, EFS, DynamoDB, SQS, etc
- You can import your own key material or have KMS generate it
- Control who manages and who uses keys via IAM users and roles (and the key policy)
- Audit use of keys via CloudTrail
- Differs from Secrets Manager as it is purpose-built for encryption key management
- Validated by many compliance schemes (PCI DSS Level 1, FIPS 140-2 Level 2)

##### CloudHSM
- Dedicated hardware device, single-tenant
- Must be within a VPC and can be accessed via VPC peering
- Does not natively integrate with many AWS services the way KMS does, but rather requires custom application scripting
- Offload SSL from web servers, act as an issuing CA, enable TDE for Oracle DB
- Two services
  - Classic CloudHSM
    - Device: SafeNet Luna SA
    - Pricing: upfront $5000
    - High availability: have to buy a second device
    - FIPS 140-2: Level 2
  - Current CloudHSM
    - Device: AWS proprietary
    - Pricing: no upfront, pay per hour
    - HA: clustered
    - FIPS 140-2: Level 3

##### CloudHSM vs KMS
| | CloudHSM | KMS |
|---|---|---|
| Tenancy | Single tenant | Multi-tenant |
| Availability | Customer managed | HA and durable |
| Root of trust | Customer managed | AWS managed |
| FIPS 140-2 | Level 3 | Level 2 (Level 3 in some areas) |
| Third-party support | Broad third-party support | Broad AWS service support |

##### AWS Certificate Manager
- Managed service that lets you provision, manage and deploy public or private SSL/TLS certificates
- Directly integrated into AWS services like CloudFront, ELB and API Gateway
- Free public certificates to use with AWS services; no need to register via a 3rd-party certificate authority
- Can import 3rd-party certificates

### DDoS
- Phishing
- DDoS
- NTP server attack (amplification)
- Application attacks (layer 7)
- Mitigate DDoS
  - Minimize attack surface - NACLs, SGs, VPC design
  - Scale to absorb the attack - Auto Scaling, CloudFront, static content via S3
  - Safeguard exposed resources - Route 53, AWS WAF, AWS Shield
  - Learn normal behavior - GuardDuty, CloudWatch
  - Have a plan - all of you
SAMPLE usage
![](https://i.imgur.com/HsOaIJH.png)

### IDS and IPS
- An intrusion detection system watches the network and systems for intruders and raises alerts
- An intrusion prevention system tries to prevent exploits by sitting inline behind the firewalls, scanning and analyzing suspicious content for threats and blocking it
- Normally comprised of a collection/monitoring system and monitoring agents on each host
- Logs collected and analyzed in CloudWatch, S3 or third-party tools (Splunk, Sumo Logic), also called Security Information and Event Management (SIEM)

### CloudWatch and CloudTrail
- CW logs events and metrics across services, think ops
- CT logs API activity across AWS services, think who did what
- CW: higher-level, comprehensive monitoring and eventing
- CT: more low-level and granular
- CW: logs from multiple accounts
- CT: logs from multiple accounts
- CW: logs stored indefinitely (unless a retention period is set)
- CT: logs stored to S3 or CloudWatch Logs indefinitely
- CW: alarm history kept for 14 days
- CT: no native alarming, but CloudWatch alarms can be built on CloudTrail events delivered to CloudWatch Logs

### Service Catalog
- A centralized IT organization creates or makes available some services that its end users can launch with the click of a button
- Service Catalog is a framework for allowing administrators to create pre-defined products and landscapes for their users
- Granular control over which users have access to which offerings
- Makes use of IAM, applying the underlying permissions needed for the user
- Allows end users to be self-sufficient and follow enterprise standards
- Based on CloudFormation
- A catalog entry can be deleted without removing deployed resources

##### Needed for Service Catalog
- Launch constraint
  - IAM role for Service Catalog to launch the product
  - Otherwise the user must have the permissions to launch the service themselves
- Notification constraint
  - Specifies the
Amazon SNS topic to receive notifications about stack events
  - Notifications of deployment
- Template constraint
  - One or more rules that narrow the allowable values an end user can select
  - Variables for making product-based choices

##### Multi-account scenarios
- You can also share a Service Catalog **portfolio** between accounts; developers can then use that portfolio and build a **local portfolio around it**
- Products always stay in sync; IAM users are not in sync

### Exam Tips
- Multi-account management
  - Know the different models and best practices for cross-account management of security
  - Know how roles and trusts are used to create cross-account relationships and authorizations
- NACLs and SGs
  - Know the differences between NACLs and security groups
  - NACLs are stateless
  - Get some hands-on with NACLs and SGs to reinforce your knowledge
  - Remember the ephemeral ports
- AWS Directory Services
  - Understand the types of directory services offered by AWS, especially AD Connector and Simple AD
  - Understand the use cases for each type of directory service
  - Be familiar with how an on-prem AD implementation might connect to AWS and what functions that might enable
- Credential and access management
  - Know IAM and its components
  - Know how to read and write IAM policies in JSON
  - Understand identity brokers, federation and SSO
  - Know the options and steps for temporary authorization
- Encryption
  - KMS vs CloudHSM and their use cases
  - Understand AWS Certificate Manager and its integration with other services
- DDoS attacks
  - Understand what they are and some best practices to limit exposure
  - Know some options to mitigate them using AWS services
- IDS/IPS
  - Difference between IDS and IPS
  - Know the AWS services that help
  - Know the difference between CloudWatch and CloudTrail
- Service Catalog
  - **Allows users to deploy assets through inherited rights**
  - Understand how Service Catalog can work in a multi-account scenario

### Pro Tips
- Know that security will be front of mind, but rarely are there
sound practices in place
- The Cloud Adoption Framework is a good start
- Leverage assessments and checklists as illustrators of care and best practices

## Module 5: Migrations
### Common migration strategies
- **Re-host** - Basically a lift and shift
  - Ex: MySQL from an on-prem server to EC2
- **Re-platform** - Lift and reshape
  - Ex: MySQL to managed RDS
- **Re-purchase** - Abandon the existing platform and purchase new
  - Ex: Migrate a legacy on-prem CRM to Salesforce
- **Re-architect** - Redesign the application in a cloud-native manner
  - Ex: Move from a LAMP stack to serverless
- **Retire** - Get rid of applications which are not needed
- **Retain** - Do nothing
![](https://i.imgur.com/9bkigxD.png)

### Cloud Adoption Framework
- **TOGAF** - The Open Group Architecture Framework
  - Approach for designing, planning, implementing and governing enterprise architectures
![](https://i.imgur.com/cwxvaHx.png)
- **Framework** - Something to get your mind around a problem
  - Open for localization and interpretation
  - Is something you should adapt to your organization
- The Cloud Adoption Framework in an organization
![](https://i.imgur.com/2IEI35E.png)
- To fully unlock the potential benefits of a cloud migration, a holistic approach must be considered
- Different perspectives of different departments
  - Business
    - Create a strong business case for adoption
    - Business goals are congruent with cloud objectives
    - Ability to measure benefits (TCO, ROI)
  - People
    - Evaluation of roles
    - Incentives for training
  - Governance
    - Portfolio management
    - Program management
    - Align KPIs with the newly enabled business
  - Platform
    - Standard resource provisioning
    - Architecture patterns adjusted to leverage cloud-native services
    - New application development skills and processes enable more agility
  - Security
    - IAM models change
    - Logging and audit capabilities will evolve
    - Shared responsibility model removes and adds some facets
  - Operations
    - Service monitoring
    - Performance management
    - Business continuity

### Hybrid Architecture
- Makes use of cloud and on-prem
- Common first step
- The cloud can just augment, or simply be an extension of, the existing environment
  - Ex: VMware
- Ideally integrations are loosely coupled, meaning each end can exist without extensive knowledge of the other side
Sample hybrid storage use case
![](https://i.imgur.com/zdykXqI.png)
Sample hybrid ERP processing
![](https://i.imgur.com/79EQxDV.png)
VMware vCenter hybrid
![](https://i.imgur.com/2LuvVCV.png)

### Migration Tools
- Storage migration
  - Snowball
  - AWS Storage Gateway
- Server Migration Service
  - Automates migration of on-premises VMware vSphere or Microsoft Hyper-V VMs to AWS
  - Replicates VMs to AWS, syncing volumes and creating periodic AMIs
  - Supports both Windows and Linux
  - Download the connector as a VM and set it up in the data center
- Database Migration Service
  - DMS along with the Schema Conversion Tool (SCT) help customers migrate databases to AWS RDS or EC2-based databases
  - SCT supports both homogeneous (ex: MySQL -> MySQL) and heterogeneous migrations (ex: MySQL -> DynamoDB)
  - DMS is used for smaller, simpler conversions and also supports MongoDB and DynamoDB
![](https://i.imgur.com/9dUoMAs.png)
- Application Discovery Service
  - Gathers information about on-prem data centers to help in cloud migration planning
  - Often customers don't know the full inventory or status of all their data center assets, so this tool helps with that inventory
  - Can run agentless (VMware environments) or agent-based (non-VMware environments)
  - Supports only AWS-supported OSes
- AWS Migration Hub
  - All of the above services can be tracked from here in the console

### Network Migrations
- Ensure IP addresses will not overlap between the VPC and on-prem
- VPCs support IPv4 netmasks ranging from /16 to /28
  - /16 = 65,536 addresses, 65,531 usable
  - /28 = 16 addresses, 11 usable
  - Remember 5 IP addresses are reserved in every VPC subnet
- Most organizations start with VPN
- Then they move to Direct Connect but keep VPN as a backup
- Transition from VPN to Direct Connect using
BGP weights

### Snow Products or Snow Family
- Evolution of the AWS Import/Export process
- Massive amounts of data to and from AWS
- Data transfer as fast as the shipping speed of the carrier (UPS, FedEx)
- Encrypted at rest
- Encrypted in transit with the same token
- 4 types:
  - AWS Import/Export: ship an external hard drive to AWS
  - AWS Snowball: rugged NAS in a box that AWS ships to you. Can carry up to 80 TB
  - AWS Snowball Edge: same as Snowball, but with onboard Lambda and clustering
  - AWS Snowmobile: a literal shipping container full of storage (up to 100 PB) and a truck to transport it

### Exam tips
- Migration strategies
  - Understand the different strategies that companies might undertake
  - Understand the trade-offs of each strategy
- Cloud Adoption Framework
  - Understand what the framework is and what should accompany it
  - Understand the high-level components of the Cloud Adoption Framework
  - Know that cloud adoption is only partially a technology effort
- Hybrid architecture
  - Sample usage of hybrid architectures
  - Know that VMware has some nifty tools for abstracting workloads across on-prem and cloud, ex: the import plugin
- Migrations
  - Understand the different services and tools available for migrating servers, storage and databases
  - Tool usage specifics won't likely be on the exam, except Storage Gateway
- Network migrations
  - Know hybrid networking architecture
  - Understand that smooth transitions between VPN and Direct Connect can be done using BGP routing; abrupt routing changes risk downtime

### Pro Tips
- Technology is always a minor part of a cloud migration project
  - People, processes, policies, etc
  - Don't underestimate these soft parts
- Project management discipline is a must
- Adopt the Cloud Adoption Framework and adapt it to your own organization
- Leverage the CAF to get buy-in by acknowledging the enterprise nature of cloud migrations
- Be a boundary spanner

## Module 6: Architecting to Scale
- Scalability for new and old solutions with respect to cost

### Architecting to Scale
- Patterns - Suggestions to use something - **Loosely coupled architecture:** Components that can stand independently and require very little knowledge of inner workings of the other components - Has the following features when it comes to scalability - Layers of abstraction - Permits more flexibility - Interchangeable components - **More Atomic Functional units** ##### Horizontal scaling - H -> "Scale out", opposite "scale in" - V -> "Scale up", opposite "scale down" - H -> add more instances - V -> Add more CPU/RAM to existing resources - H -> No downtime required - V -> Requires restart to scale up or Down - H -> Automatic using Auto-scaling - V -> would require some soft of script - H -> Theoritically unlimited scaling on AWS - V -> Limited by instance size ### Auto Scaling - Several services in AWS that provide Auto-scaling ![](https://i.imgur.com/ToK1DXE.png) #### Types of AutoScaling - Amazon EC2 Auto Scaling: - Focused on Ec2 and nothing else - Use Scaling groups for EC2 instances, health checks to remove unhealthy instances - Application Auto Scaling: - API used to control scaling for other resources such as DynamoDB, ECS, EMR - Provides a common way to interact with the scalability of other services - AWS Autoscaling: - Provides centralized way to manage scalability for whole stack - Predictive scaling feature - Console can manage both requirements above ##### Ec2 autoscaling groups - Horizondal scaling (scale out) for your landscape - Triggered by an event or a scaling action to either launch or terminate instances - Availability, cost, system metrics, etc can be used as factors to trigger event for scaling - 4 options - maintain: keet minimum number of instances running - Manual - Use Maximum, minimum or specific number of instances - Schedule - Increase or decrease based on schedule - Dynamic - scale based on system metrics - To create a new autoscaling goups ![](https://i.imgur.com/rn1HnVW.png) - **Health Check Grace Period**: time given by the auto 
scaling group to the new instances for spin up and loading application - If the new instance does not respond in
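The reconciliation an Auto Scaling group performs (replace unhealthy instances, scale out to desired capacity, scale in, honour the health check grace period) can be followed more easily in code than in bullets. The block below is an added example written for these notes; it is not AWS code and not part of the original notes. The class and function names (`AutoScalingGroup`, `reconcile`, `target_tracking_capacity`) and the simulated clock are assumptions for illustration, and two behaviours are simplified: scale-in terminates the oldest instance (AWS's default termination policy also weighs Availability Zones and billing hour), and a desired capacity outside `[min, max]` is clamped rather than rejected by the API. The target-tracking function goes beyond the notes by showing the proportional sizing ("Dynamic" scaling) that a target-tracking policy performs.

```python
import math
from dataclasses import dataclass, field


@dataclass
class Instance:
    instance_id: str
    launched_at: int            # simulated clock, seconds
    healthy: bool = False       # a freshly launched instance has not passed a health check yet


@dataclass
class AutoScalingGroup:
    """Minimal model of an EC2 Auto Scaling group (assumed names, not the AWS API)."""
    min_size: int
    max_size: int
    desired_capacity: int
    health_check_grace_period: int   # seconds during which an unhealthy status is ignored
    instances: list = field(default_factory=list)
    _counter: int = 0

    def in_grace_period(self, inst: Instance, now: int) -> bool:
        return now - inst.launched_at < self.health_check_grace_period

    def set_desired(self, value: int) -> int:
        # Simplification: the real API rejects values outside [min, max]; we clamp instead.
        self.desired_capacity = max(self.min_size, min(self.max_size, value))
        return self.desired_capacity

    def reconcile(self, now: int):
        """One pass of the group's control loop. Returns (terminated_ids, launched_ids)."""
        terminated, launched = [], []
        # 1. Replace instances that failed health checks, but only once the grace period has
        #    elapsed; otherwise instances would be killed while still booting.
        for inst in list(self.instances):
            if not inst.healthy and not self.in_grace_period(inst, now):
                self.instances.remove(inst)
                terminated.append(inst.instance_id)
        # 2. Scale out until the group reaches its desired capacity.
        while len(self.instances) < self.desired_capacity:
            self._counter += 1
            inst = Instance(f"i-{self._counter:04d}", launched_at=now)
            self.instances.append(inst)
            launched.append(inst.instance_id)
        # 3. Scale in: terminate the oldest instance first (simplified termination policy).
        while len(self.instances) > self.desired_capacity:
            oldest = min(self.instances, key=lambda i: i.launched_at)
            self.instances.remove(oldest)
            terminated.append(oldest.instance_id)
        return terminated, launched


def target_tracking_capacity(current_capacity: int, current_metric: float, target_metric: float) -> int:
    """Dynamic scaling: size the group proportionally so the metric returns to its target."""
    return math.ceil(current_capacity * current_metric / target_metric)


def demo():
    # Constructed scenario: grace period protects booting instances from premature termination.
    asg = AutoScalingGroup(min_size=2, max_size=6, desired_capacity=2, health_check_grace_period=300)
    _, launched = asg.reconcile(now=0)                    # launches i-0001 and i-0002
    terminated_early, _ = asg.reconcile(now=60)           # still inside the grace period: nothing happens
    asg.instances[0].healthy = True                       # i-0001 came up; i-0002 never did
    terminated_late, relaunched = asg.reconcile(now=400)  # i-0002 replaced once the grace period ends

    # Failure mode: a zero grace period terminates every instance before it can boot (churn loop).
    churn = AutoScalingGroup(min_size=1, max_size=1, desired_capacity=1, health_check_grace_period=0)
    churn.reconcile(now=0)
    churned, _ = churn.reconcile(now=1)

    # Dynamic scaling: 4 instances at 80% average CPU with a 50% target call for 7 instances,
    # which the group's max size then clamps to 6.
    target_capacity = target_tracking_capacity(4, 80, 50)
    clamped_desired = asg.set_desired(target_capacity)

    return {
        "launched": launched,
        "terminated_early": terminated_early,
        "terminated_late": terminated_late,
        "relaunched": relaunched,
        "churned": churned,
        "target_capacity": target_capacity,
        "clamped_desired": clamped_desired,
    }


if __name__ == "__main__":
    print(demo())
```

The churn scenario is the caveat to take away: a grace period shorter than the application's real boot time turns every scale-out into a terminate-and-relaunch loop, which shows up as availability loss and cost rather than an obvious error.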