AWS Architect Associate - Reminder
General Purpose SSD volumes have a maximum of 10,000 IOPS.
It is possible to detach a non-root volume from a running EC2 instance.
An EC2 placement group is used to determine how instances are placed relative to each other. In cluster mode, they are placed close together to reduce latency inside a single AZ. In spread mode, they are placed on different underlying hardware (and potentially in different AZs).
It is impossible to migrate Reserved Instances across regions, but it is doable across AZs.
EC2 uses Xen hypervisor.
There are 2 virtualization types for EC2: Paravirtual (PV, older) and Hardware Virtual Machine (HVM, newer).
HVM provides a completely virtualized environment for the OS (which is unaware of being a VM), while PV requires kernel modifications but offers better performance (especially for I/O).
It is possible to sell your remaining Reserved Instances on the Reserved Instances Marketplace.
A golden image refers to an AMI that has been built from a customized instance image.
The maximum ratio of IOPS to volume size is 50:1 (8 GB:400 IOPS).
All EBS volumes are stored in a single Availability Zone; EBS snapshots are stored on S3 in the same region as the instance. You can then enable cross-region replication.
According to the AWS docs, massively parallel computations should be run on Spot Instances.
VM Import/Export enables customers to import Virtual Machine (VM) images in order to create Amazon EC2 instances.
An EC2 instance can run the User Data script at boot to download the latest version of your app.
It is not possible to encrypt an EBS volume once mounted.
EC2 supports 2 block device types: instance store volumes and EBS.
To choose an EC2 instance type, you basically need to know both the memory and the I/O requirements.
In order to sell the Reserved Instance on the RI Marketplace, you need to terminate them first (stop is not enough).
An ENI (Elastic Network Interface) is a virtual network interface that you can attach to an instance in a VPC while it is running (hot attach), while it is stopped (warm attach) or while it is being launched (cold attach).
An EBS volume can still be used while the snapshot is in progress.
Maximum size of an EBS Provisioned IOPS SSD volume is 16TiB.
There is a limit of 20 EC2 instances per region.
A NAT Gateway can only be deployed in a public subnet.
An account can create a maximum of 5 VPCs per region by default.
Inside a VPC, an instance does not retain its private IP.
Inside a VPC, a subnet is public if it has an Internet Gateway.
A VPC can assign DNS names to instances if configured to do so.
The auto-assign public IP feature is configured per subnet (not at VPC scope).
To protect your VPC against remote attacks, use network ACLs to deny IPs.
There are 3 options available when creating a VPC with the wizard: Public & Private subnets and Hardware VPN Access.
An Internet Gateway is a logical connection between a VPC and the Internet. It does not limit bandwidth. If a VPC does not have an IGW, it can NOT be accessed from the Internet.
A NAT Instance is an EC2 instance configured to forward traffic to the Internet. Instances in a private subnet can reach the Internet if a route to the NAT Instance is configured in their route table.
A NAT Gateway is the fully managed service equivalent of a NAT Instance.
Autoscaling and ELB
An ELB is not accessible from the Internet by default. To get public access, you need an Internet Gateway and a properly set up route table.
It is impossible to update a launch configuration for an ASG once it is created. To update, create a new one and point the ASG at the latest launch configuration.
The 3 types of ASG scaling are: Manual Scaling (updated by hand), Scheduled Scaling (based on the time of the week = predictable) and Dynamic Scaling (based on resource metrics such as CPU).
CloudFront and ELB offer TLS cipher suites that provide Perfect Forward Secrecy.
ELB has its own access logs, which need to be enabled. They are not in CloudWatch.
To connect to S3 securely, use an S3 VPC endpoint.
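The "use an S3 VPC endpoint" reminder is only half of the control: the bucket itself should refuse requests that do not arrive through that endpoint, otherwise the same credentials still work from the public Internet. The bucket policy below is an added example written for this page, not AWS documentation; the bucket name (example-bucket) and the endpoint id (vpce-EXAMPLE) are placeholders you replace with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccessFromOutsideVpcEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "vpce-EXAMPLE"
        }
      }
    }
  ]
}
```

An explicit Deny wins over any Allow, so this statement locks out every request that did not traverse the endpoint, including your own administrators working from the console or from outside the VPC. Test it on a non-production bucket first, and keep a path (a second allowed vpce, or an IAM-side exception) for the people who must manage the bucket.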
There is a limit of 100 S3 buckets per account.
To enable cross-region replication for S3 buckets, Versioning must be enabled on both the source and the destination bucket.
Glacier has 3 types of data retrieval: Expedited (minutes), Standard (hours) and Bulk (less than a day).
To maximize S3 performance, use a random string as a prefix for each key.
S3 RRS has 99.99% durability and availability.
Direct Connect is NOT an encrypted connection to S3.
AWS Storage Gateway simply integrates on-premises IT environments with cloud storage.
On AWS Storage Gateway, with Cached Volumes, the data is stored in S3 and a copy of the frequently accessed data is kept locally (on-site). This saves cost on primary storage while keeping low latency for frequently accessed data (storage extension). Use Stored Volumes if you need low-latency access to all of your data, stored locally (with asynchronous backups to S3).
Do not confuse AWS Import/Export with Direct Connect: the first one is used to accelerate the transfer of large amounts of data into and out of AWS, bypassing the Internet.
The maximum object size for a multipart upload on S3 is 5 TB.
To protect S3 content served through CloudFront, you can either use S3 signed URLs or use an Origin Access Identity (OAI) for CloudFront.
Glacier archives are immutable.
Route53 provides, in addition to routing (DNS), a registration service and health checks.
Route53 supports multi-value answers to randomly return one out of many resources.
Route53 can be used for failover between an on-premises and an AWS environment.
RDS Secondary instances can NOT be used as standalone read instances.
It is possible to pre-provision up to 30,000 IOPS per database instance on RDS.
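The OAI option above works by granting the CloudFront identity read access in the bucket policy and granting nobody else anything, so that objects are reachable only through the distribution. This is an added example written for this page, not AWS documentation; the bucket name (example-bucket) and the OAI id (EXAMPLEOAIID) are placeholders to replace with your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudFrontOAIReadOnly",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
```

The policy only allows s3:GetObject, not s3:ListBucket, so the distribution can serve known keys but cannot enumerate the bucket. It is only effective if the bucket has no other public grant: keep Block Public Access on and remove any legacy public-read ACL, then check that a direct https://example-bucket.s3.amazonaws.com/<key> request returns 403 while the same key through the CloudFront domain returns 200.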
RDS default retention period is 35 days.
SQL Server maximum size is 300 GB.
The RDS Secondary (standby) receives synchronous replication, while Read Replicas are asynchronous.
Oracle DOES NOT support read replicas (SQL Server, PostgreSQL and MySQL do, though).
SQL Server DOES NOT support HA/Failover (Oracle, PostgreSQL and MySQL do, though).
Database caching can be done on AWS ElastiCache to reduce the number of queries.
Redshift is not designed to handle high concurrency workloads. Use RDS instead.
To reduce costs, disable unnecessary manual snapshots.
Aurora supports the MySQL and PostgreSQL engines.
On RDS, make sure that the underlying instance supports encryption.
A Read Replica can be launched in a different region from the DB cluster.
RDS Multi-AZ failover is done through a DNS health check (CNAME is changed from primary to standby).
SQS default retention is 4 days.
SQS short polling returns right away even if no message is available. Long polling waits for a new message (or until the long-polling timeout expires).
Do not consider SQS as a data store, obviously.
It can be a good idea to put SQS in front of DynamoDB (with an EC2 worker) to better handle spikes and avoid exceeding the provisioned DynamoDB capacity.
IAM and AWS Security
AWS Trusted Advisor can be used to monitor AWS service limits (EIPs, ...) in addition to security best practices.
AWS Trusted Advisor gives information about Performance, Cost Optimization, Security and Fault Tolerance.
Managing different levels of permissions for users on API Gateway is done through IAM Users permissions.
It is possible to tag EC2 instances to grant IAM permissions with more granularity.
You can assign an IAM role per container task on ECS.
CloudTrail logs are encrypted on S3 with SSE by default.
CloudTrail can capture low level DynamoDB requests.
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources.
Elastic Beanstalk can be used to create Web Server and Worker environments.
Elastic Beanstalk updates by preparing a duplicate environment with the updates before swapping.
Elastic Beanstalk is a PaaS-like layer on top of AWS that abstracts away the underlying EC2 instances, ELB, ASG, etc. It is made for developers who do not want to deal with systems.
CloudFormation is simply a way to define all the resources needed in a big JSON file (great for reducing cost and for backup/recovery).
AWS EMR is a hosted Hadoop service.
AWS public datasets are free (e.g. the human genome).
CloudWatch retention period for 1 minute datapoint is 15 days.
CloudWatch can monitor a VPN endpoint using the TunnelState metric.
The only metric that CloudWatch does not report is memory.
When disaster recovery is mentioned, do not think high availability but failover instead.
SWF might require human interaction to proceed.
To sign in to account 1234, use 1234.signin.aws.amazon.com/console.
You are charged for all unused EIPs (attached to stopped instances, for example).
The Kinesis retention period is 24 hours by default but can be extended to 7 days.
The Active Directory service can redirect traffic to the customer's hosted AD.
On AWS KMS, you still manage the master key, which is not the case with S3 SSE.
To reduce cost on easily reproducible data (only!!), it's possible to disable automated snapshots and delete manual ones.
An AMI must be completely copied (not shared) to a different region.