Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
AWS Solution Architect Associate Study Notes (Late 2017, Early 2018)
___ _____ ___ _ _ _ _ _ _ _ _ _ _ _
/_\ \ / / __| ___ / __| ___| |_ _| |_(_)___ _ _ /_\ _ _ __| |_ (_) |_ ___ __| |_ /_\ ______ ___ __(_)__ _| |_ ___
/ _ \ \/\/ /\__ \ |___| \__ \/ _ \ | || | _| / _ \ ' \ / _ \| '_/ _| ' \| | _/ -_) _| _| / _ \ (_-<_-</ _ \/ _| / _` | _/ -_)
/_/ \_\_/\_/ |___/ |___/\___/_|\_,_|\__|_\___/_||_| /_/ \_\_| \__|_||_|_|\__\___\__|\__| /_/ \_\/__/__/\___/\__|_\__,_|\__\___|
Notes taken between Dec-2017 and Jan-2018, from acloud.guru and AWS FAQs.
Solution Architect Associate - Need to Know:
- AWS Global Infrastructure
- Compute
- Storage
- Databases
- Migration
- Networking & Content Delivery
- Management Tools
- Analytics
- Security & Identity & Compliance
- Application Integration
- Desktop & App Streaming
___ _ __ __
|_ _| /_\ | \/ |
| | / _ \| |\/| |
|___/_/ \_\_| |_|
---
IAM
---
- Identity Federation (AD, Facebook, Linked IN)
- MFA
- Provide temporary access
- Supports PCI DSS Compliance
- Terms:
- User = people
- Group = collection of users of shared permissions
- Roles (**) - Grant permissions to entities you trust (e.g IAM user in account, App code running on EC2 hat needs to perform actions on AWS resources)
- Policies = document that define permissions (attach to user / group / roles)
- IAM is GLOBAL - not tied to regions
- Access Key ID & Secret access key only allow Programmatic access / API
___ ____
/ __|__ /
\__ \|_ \
|___/___/
---
S3
---
---------
S3 - 101:
---------
- Simple Storage Service
- Object storage - Videos/Photos/PDF (flat files) - cannot install OS/DB (that needs Block storage)
- Data is spread across multiple devices and AZs (but within a region)
- Files 0 bytes - 5 TB
- Files are stored in Buckets (like a folder)
- Unlimited storage
- S3 names must be unique globally (like DNS)
- s3-<region>.amazonaws.com/<bucketname>
- HTTP 200 is received on successful upload
- Manage S3 buckets globally - don't need to change regions
- Allows access across AWS accounts
- Objects DO NOT inherit bucket tags
- Data Consistency Model for S3.
- Read after write consistency for PUTS for *new* Objects
- Eventual Consistency for *overwrite* PUTS and DELETES (and take some time propagate)
- "Atomic" - either the new version or the old version, no in-between
- Key Value Store:
- Key (filename) - lexical (i.e. alphabetical order)
- Value (data - sequence of bytes)
- Version ID
- Metadata (e.g. date)
- Subresources:
- ACL
- Torrent
- Storage tiers/classes:
- S3 Standard - 99.99% availability, Eleven 9s durability. Concurrent facility fault tolerance: 2
- S3 Standard IA (infreq access) - 99.9% availability, Eleven 9s durability. Lower fee, but you are charged a retrievel fee. Concurrent facility fault tolerance: 2
- RRS (Reduced redundancy stoarge) - 99.99% availability, 99.99% durability. reduced durability, cheaper. (e.g. regeneratable thumbnail images). Concurrent facility fault tolerance: 1
- Glacier - Very cheap ($0.01 per gigabyte per month), archival only. ** Takes 3-5 hours to restore.
- S3 Charges
- Storage
- # of Requests
- Storage Management Pricing
- Data Transfer Pricing (move data around within S3/AWS)
- Transfer Acceleration (Uses cloudfront/edge locations)
- Uploading to S3 is much faster by enabling multipart upload
- Up to 100 S3 buckets per account (by default) *LIMIT
- S3 CLI & Regions - use --region flag
- S3 FAQ
- Individual Amazon S3 objects can range in size from a minimum of 0 bytes to a maximum of 5 terabytes.
- The largest object that can be uploaded in a single PUT is 5 gigabytes
- You can use Multi-Object Delete to delete large numbers of objects from Amazon S3
- By default, customers can provision up to 100 buckets per AWS account
- You can securely upload/download your data to Amazon S3 via SSL endpoints using the HTTPS protocol
- With query string authentication, customers can create a URL to an Amazon S3 object which is only valid for a limited time
- Amazon S3 objects that are stored using the Amazon Glacier option are only accessible through the Amazon S3 APIs or the Amazon S3 Management Console.
- Amazon S3 event notifications can be sent in response to actions in Amazon S3 like PUTs, POSTs, COPYs, or DELETEs. Notification messages can be sent through either Amazon SNS, Amazon SQS, or directly to AWS Lambda.
------------------------
S3 security & encryption
------------------------
- By default all new buckets are PRIVATE, and so are objects
- Access control via:
- Bucket policies
- ACLs
- Can be configured to create access logs to another bucket (even across account)
Encryption:
- In Transit:
- SSL/TLS
- At rest:
- SSE (Service Side Encryption)
- S3 managed keys (AES-256) - SSE-SS3
- AWS Key Management Service, Managed Keys - SSE-KMS (includes Audit Trail), allows for Envelope key.
- SSE with customer provided keys - SSE-C (Customer manages the keys)
- Client side encryption (encrypt on client side, then upload to S3)
-------------
S3 Versioning
-------------
- Once you enable Versioning - it cannot be disabled - can only suspend
- MFA can be enabled for DELETION or removal of VERSIONING
- Integrates with Lifecycle rules
- Only OWNER can delete versioned objects
---------------------------------
S3 Cross Region Replication (CRR)
---------------------------------
- Versioning must be enabled on source and destination bucket
- Regions must be unique
- Existing files are not replicated automatically, only updates subsequent
- Cannot replicate multiple buckets / daisy chain
- Delete markers ARE replicated
- Deleting versions or Deleting delete markers ARE NOT replicated
-----------------------
S3 Lifecycle management
-----------------------
- CAN be used in conjunction with versioning
- CAN be applied to both current version and previous version
- Possible to transition to S3 Standard IA (128kb and 30 days after creation date)
- Possible to archive to Glacier (30 days after IA)
- Possible to permanently delete after X duration
------------------------
S3 Transfer Acceleration
------------------------
- Utilizes CloudFront Edge Locations
- For Uploads
------------------------
Static Web page with S3
------------------------
- Serverless
- Static Content only
- <s3bucket>.s3-website-<region>.amazonaws.com
- No need for ELB, massively scalable
___ _ _ ___ _
/ __| |___ _ _ __| | | __| _ ___ _ _| |_
| (__| / _ \ || / _` | | _| '_/ _ \ ' \ _|
\___|_\___/\_,_\__,_| |_||_| \___/_||_\__|
----------
CloudFront
----------
- CDN (Content Delivery Network)
- Edge Location - This is the location where content will be cached. This is separate to an AWS region/AZ. More than 50 around the world
- Origin - Is the origin of all files the CDN is going to distribute (e.g. S3 bucket, EC2 instance, ELB, Route53)
- CAN have a non-AWS origin
- Distribution
- Web Distribution (typically used for websites)
- RTMP (Used for media streaming) - Adobe Flash
- Supports: Dynamic / Static / Streaming and Interactive Content
- Edge locations are NOT just for Read only, you can write to them too - will replicate back to origin
- Objects are cached for the duration of the TTL
- You can clear cached objects (Will be charged)
- Default cache TTL is 86400 seconds (24 hrs) - important design consideration
- Restrict Viewer Access (Use Signed URLs or Signed Cookies)
- CAN do GEOgraphic restriction (white list or black list) - prevent users in specific geographic locations from accessing content that you're distributing through a CloudFront web distribution
___ _ ___ _
/ __| |_ ___ _ _ __ _ __ _ ___ / __|__ _| |_ _____ __ ____ _ _ _
\__ \ _/ _ \ '_/ _` / _` / -_) | (_ / _` | _/ -_) V V / _` | || |
|___/\__\___/_| \__,_\__, \___| \___\__,_|\__\___|\_/\_/\__,_|\_, |
|___/ |__/
---------------
Storage Gateway
---------------
- Connects on-premise software application (VM) with cloud based storage (S3/Glacier)
- Supports VMWare ESXi and Microsoft Hyper-V
- File Gateway:
- Not on premises, all on S3
- Files are stored as objects in S3 buckets, access via NFS. Ownerhip, permissions and timestamps are durably in S3 metadata
- Volume Gateway
- iSCSI disk volumes (block based) for OS,Applications, Databases (like a virtual HDD)
- CAN BE asynchronously backed up as point in time snapshots, and stored in the cloud as EBS (Elastic Block Store) snapshots
- Snapshots are incremental backups (only changed blocks)
- Snapshots are compressed
- Types:
- Stored Volumes - actual storage is on-premise (via storage gateway), however async backups to AWS. 1GB to 16TB. Complete copy of data on site.
- Cached Volumes - uses S3 storage. No complete copy of data on pre-premise. Only recent data is cached on-premise. Up to 32TB
- Tape Gateway
- Used for backups using VTL interface (over iSCSI)
- Use your existing backup software (netbackup, backexec, veeam etc)
___ _ _ _
/ __|_ _ _____ __ _| |__ __ _| | |
\__ \ ' \/ _ \ V V / '_ \/ _` | | |
|___/_||_\___/\_/\_/|_.__/\__,_|_|_|
--------
Snowball
--------
- Types:
- Snowball
- Petabyte-scale data transport solutions. 80TB is all regions
- Previous service was called 'Import Export' - precedes Snowball
- Tamper-resistant enclosures
- 256 AES encyption
- TPM
- Import to S3
- Export from S3
- Snowball Edge
- Looks like a regular snowball
- Includes compute capabilities (e.g. Lambda functions) - like AWS DC in a box
- Snowmobile
- Sea container behind a semi-truck
- Petabyte to Exabyte scale data
___ ___ ___
| __/ __|_ )
| _| (__ / /
|___\___/___|
---
EC2
---
-------
EC2 101
-------
- Elastic Compute Cloud
- Pay as you use
- Failure resistant
- Types:
- On Demand - pay fixed rate by hour (more recently to by the second - linux). Good for unpredictable workloads.
- Reserved - capacity reservation. pay upfront for discounts. Predicable workloads
- Spot - Bid for instance capacity (based on supply/demand). Set bid price (by hour/second). Good for applications with flexible start and end times.
- Dedicated hosts - Physical EC2 servers - often used for licensing cost optimization. Not multi-tenant. Good for regulatory requirements.
- Instance Types:
- D - Dense Storage
- R - RAM (Memory Optimized)
- M - General Purpose (Main)
- C - CPU (Compute optimized)
- G - Graphics (Graphics intensive)
- I - IOPS storage
- F - Field Programmable Gate Arrays (FPGA)
- T - Lowest Cost
- P - Graphics/General Purpose GPU (ML/Mining)
- X - Extreme Memory optimized (SAP HANA, Apache Spark)
- Learn the above as 'DR Mc GIFT PX'
- Bootscrap Scripts - #!/bin/bash
- EC2 Instance Metadata - curl http://169.254.169.254/latest/meta-data
Read EC2 FAQ
- Think of an Elastic IP address as a STATIC public ipv4 address
- limited to 5 Elastic IP addresses per region
- you can configure the reverse DNS record of your Elastic IP address
- One Availability Zone name (for example, us-east-1a) in two AWS customer accounts may relate to different physical Availability Zones.
- You can retrieve metrics data for any Amazon EC2 instance up to 2 weeks from the time you started to monitor it. After 2 weeks, metrics data for an Amazon EC2 instance will not be available if monitoring was disabled for that Amazon EC2 instance. If you want to archive metrics beyond 2 weeks you can do so by calling mon-get-stats command from the command line and storing the results in Amazon S3 or Amazon SimpleDB.
- Q. Can I use a Spot instance with a paid AMI for third-party software (such as IBM’s software packages)? Not at this time.
- Q. What is the difference between Stop and Hibernate interruption behaviors? In the case of Hibernate, your instance gets hibernated and the RAM data persisted. In the case of Stop, your instance gets shutdown and RAM is cleared.
- Can I use my existing Windows Server license with EC2. Yes you can. After you’ve imported your own Windows Server machine images using the ImportImage tool, you can launch instances from these machine images on EC2 Dedicated Hosts
- NTP endpoint at a link-local IP address (169.254.169.123) accessible from any instance running in a VPC
-------------------
EC2 Placement Group
-------------------
- A logical group of instances within a single AZ
- Low latency, 10 GBps network
- Example: Hadoop clusters.
- CANNOT span across AZ - hence single point of failure
- Name you specify must be Unique
- ONLY certain types of instances can be launched in a placement group
- C - Compute Optimized
- G - GPU
- R - Memory optimized
- D - Storage optimized
- AWS RECOMMENDS homogenous instances (same size, same family) with placement groups
- You CAN NOT merge placement groups
- CAN NOT move an existing instance into a placement group - BUT create an AMI, and launch it in a placement group
-------------------------
EBS (Elastic Block Store)
-------------------------
- EBS (Elastic Block Storage)
- Storage of OS, Databases and Applications
- Automatically replicated WITHIN an AZ
- Types:
- General Purpose SSD (GP2). Balance price/performances. Ratio of 3 IOPS per GB, up to 10000 IOPS, can burst to 3000 IOPS for volumes >= 3334GB
- Provisioned IOPS SSD (I01). Use if > 10000 IOPS is required, can go up to 20000 IOPS
- Throughput Optimized HDD (ST1). Log processing, Data warehousing. Good for sequenced data. CANNOT be boot volumes.
- Cold HDD (SC1). Low cost - for infrequently access workloads. CANNOT be a boot volume
- Magnetic (Standard). Lowest cost per gigabyte. IS bootable.
- You CAN NOT mount 1 EBS volume to multiple ECS 2 instances - instead use EFS
- Termination Protection is turned OFF by Default
- On EBS backed instance, the default for root volume will be deleted when the instance is terminated
- Using the default AMI Root volumes on EC2 - they are NOT encrypted. Or create a copy of the AMI, then encrypt the root device volume. Additional volumes (non-root) can be encrypted.
- If you take a snapshot of a EBS volume in a RAID array the cached data is not included - You need to take an application consistent snapshot.
------------------------------
EBS Volumes - Upgrading/Moving
------------------------------
- EC2 and it's EBS volume MUST BE in the same AZ
- Can modify volumes for everything except Standard Magnetic
- To Migrate EBS volume from one AZ to another, must snapshot first then create volume off the snapshot
- To Migrate EBS volume from one Region to another, must snapshot then copy to the new region
- Image from snapshot makes it bootable
- Volumes exist on EBS (Virtual Hard Disk)
- Snapshots exist on S3
- Snapshots are point in time copies of the Volumes
- Snapshots are incremental (only changed blocks moved to S3)
- It's recommended that then you snapshot a root EBS volume, SHOULD stop the instance before taking snapshot
- However you can take a snap while the instance is running (memory cached data will be lost)
- You can create AMI (Amazon Machine Images)'s from both Volumes and Snapshots
- You CAN change EBS volumes sizes on the fly, including change the size and storage type
- To move an ECS volume from one AZ/Region to another, take a snap or an image of it, then copy it to the new AZ/Region
- Security
- Snapshots of encrypted volumes, the snapshots are encrypted automatically
- Volumes restored from encrypted snapshots are encrypted automatically
- You can share snapshots, but only if un-encrypted
- Can be shared with other AWS accounts (or made public)
-------------------------
EC2 and Roles
----------------------
- Roles are GLOBAL not regional
- Roles allow you to attach access and privilege to EC2, without creating a user and storing the credentials on the host
- Prevent managing/rotating keys on a fleet of hosts
-------------------------------------------------------
AMIs Types - EBS Root Device Volumes vs Instance Store
--------------------------------------------------------
- AMI's are regional!
- You can select your AMI based on:
- Region
- OS
- Architecture (32/64bit)
- Launch Permissions
- Storage for the Root Device (Root Device Volume)
- Instance Store (Ephemeral Storage)
- EBS Backed Volumes
- All AMIs are categorized as either backed up EBS or backed by Instance store
- For EBS volumes: the root device for an instance launched from the AMI is an EBS volume created from an EBS snapshot
- For Instance Store Volumes: the root device for an instance launched from the AMI is an instance store volume created from a template stored in S3
- Instance Store Volumes are sometimes called Ephemeral Storage
- Instance Store volumes CANNOT be stopped If the underlying host fails, you will lose your data
- EBS instances can be stopped, and Data will not be lost
- By default, both ROOT volumes will be deleted on termination, however with EBS volumes, you can tell AWS to keep the root device volume
___ _ _ ___
/ __| ___ __ _ _ _ _(_) |_ _ _ / __|_ _ ___ _ _ _ __ ___
\__ \/ -_) _| || | '_| | _| || | | (_ | '_/ _ \ || | '_ (_-<
|___/\___\__|\_,_|_| |_|\__|\_, | \___|_| \___/\_,_| .__/__/
|__/ |_|
---------------
Security Groups
---------------
- Virtual Firewall
- All inbound is blocked by default
- All outbound traffic is allowed by default
- Any number of EC2 instances within a security group
- Can have multiple security groups attached to EC2 instances
- Rule changes/additions apply immediately
- Security groups are STATEFUL - don't need to have an outbound rule for allowed established connection
- WHITELIST only (Allow rules), no deny rules
_ _ ___ _
| | ___ __ _ __| | | _ ) __ _| |__ _ _ _ __ ___ _ _
| |__/ _ \/ _` / _` | | _ \/ _` | / _` | ' \/ _/ -_) '_|
|____\___/\__,_\__,_| |___/\__,_|_\__,_|_||_\__\___|_|
-------------------------------
Load Balancers & Health Checks
-------------------------------
- Instances monitored by ELB are reported as:
- InService OR OutofService
- Have their own DNS name - WILL NOT be given an IP address
- Read the ELB FAQ - concentrate on the Classic Load Balancers
___ _ _ __ __ _ _
/ __| |___ _ _ __| | \ \ / /_ _| |_ __| |_
| (__| / _ \ || / _` | \ \/\/ / _` | _/ _| ' \
\___|_\___/\_,_\__,_| \_/\_/\__,_|\__\__|_||_|
---------------
Cloud Watch EC2
---------------
- Basic monitoring is every 5 mins
- Detailed monitoring is every 1 mins (costs more)
- Metrics available by default - No RAM monitoring by default
- Capabilities
- Dashboards
- Alarms
- Events - response to state changes -> lambda etc
- Logs - aggregate monitor and store logs (requires agent)
___ ___ ___
| __| __/ __|
| _|| _|\__ \
|___|_| |___/
-------------------------
EFS (Elastic File System)
-------------------------
- Block based
- File storage service for EC2
- Storage capacity is elastic (up and down)
- Supports NFS v4
- Only pay for the storage you use
- 30c per GB
- Scales to Petabytes
- Supports 1000's of concurrent NFS
- Data is stored across multiple AZ within a region
- No durability rating (yet)
- Read after Write Consistency
- Use case: File server - Centralized repository - shared across multiple EC2 instances. Can do user and directory level permissions.
_ _ _
| | __ _ _ __ | |__ __| |__ _
| |__/ _` | ' \| '_ \/ _` / _` |
|____\__,_|_|_|_|_.__/\__,_\__,_|
---------------
Lambda Concepts
---------------
- Event driven compute source
- In response HTTP requests
- Serverless
- Scales OUT automatically (not UP)
- Triggers:
- API Gateway
- AWS IoT
- Alexa Skills Kit
- Alexa Smart Home
- CloudFront
- CloudWatch Events
- CloudWatch Logs
- CodeCommit
- Cognito Sync Trigger
- DynamoDB
- Kinesis
- S3
- SNS
- Langauge:
- NodeJS
- Javascript
- C#
- Java 8
- Python
- Pricing:
- # of requests:
- 1 million requests (free)
- $0.20 per 1 million requests thereafter
- Duration - MAX of 5 mins. calculated from the time your code beings executing until it returns or otherwise terminates.
- Use AWS X-ray for debugging
___ _ ___ ____
| _ \___ _ _| |_ ___ | __|__ /
| / _ \ || | _/ -_) |__ \|_ \
|_|_\___/\_,_|\__\___| |___/___/
--------
Route 53
--------
- DNS
- TLD (Top Level Domain) .com .gov. Controlled by IANA
- Domain Registrars. Authority can assign domain names under TLD. Enforce uniqueness.
- SOA (Start of Authority) record:
- Name of the server that supplied the data of the zone
- The administrator of the zone
- Current version of the data file
- TTL for all resource records
- etc etc
- NS (Name Server Records) - used by Top Level Domain servers to direct traffic to the Content DNS server which contains the authoritative DNS records.
- A (Address) - Contains the IP address(es)
- TTL record - caching duration (seconds)
- CName (Canonical Name)- Resolve one domain to another
- Alias Records - created by AWS for Route53
- Alias Records - can be used to map to ELB, CF distributions or S3 buckets
- Alias records work like CName records. Key difference is that CName cannot be used for naked domains names (no www) (aka zone apex record) must use A record or Alias
Exam tips
- ELB don't have static (or visible) IPv4 address
- Difference between Alias Record and CName (i.e Alias records support naked domains)
- In exam use ALIAS records, instead of CNAME
- Route53 Routing Policies
- Simple - Default - One destination.
- Weighted - x% to one destination and x% to another. Good for A/B testing website. Split your traffic based on weights.
- Latency - Route to destination with the lowest latency
- Failover - Uses healthchecks for active/passive
- Geolocation - Routing traffic based on the geographic location of customers (e.g. push euro customers to your euro focused website)
- Route53 has a default limit of 50 domains. Can be increased - request from AWS support
___ _ _
| \ __ _| |_ __ _| |__ __ _ ___ ___ ___
| |) / _` | _/ _` | '_ \/ _` (_-</ -_|_-<
|___/\__,_|\__\__,_|_.__/\__,_/__/\___/__/
----------
Databases
----------
- RDS - OLTP (Online Transaction Processing)
- SQL
- MySQL
- PostgreSQL
- Oracle
- Aurora
- MariaDB
- DynamoDB - No SQL
- RedShift - OLAP (Onlone Analytics Processing) - Data warehousing
- Elasticache - In Memory caching
- Memcached
- Redis
- DMS (Database Migration Service)
- MySQL port - 3306
------------------------------------------
RDS - Backups, Multi AZ & Read Replicas
------------------------------------------
- Backups
- Automated backups (full daily snapshot, and store transaction logs throughout the day) - enabled by default, stored in S3. Storage is free equal to DB size.
- Snapshots - manually
- Restore Backups
- Creates new RDS instance (with new endpoint)
- Encryption at rest for MySQL, Oracle, SQL Server, PostgreSQL & MariaDB - using AWS KMS
- Underlying storage is encrypted
- Backups, Read replicas and snapshots are encrypted
- You CANNOT encrypt an existing DB instance - will have to create a new instance
- Multi-AZ - Synchronous replication to another AZ. Auto failover (no connection string changes required). It's for Disaster Recovery only. Supported by:
- SQL Server
- Oracle
- MySQL Server
- PostgreSQL
- MariaDB
- Read Replicas
- For scaling!, not DR
- READ ONLY!
- Async replication which is available for READ.
- Supported by:
- MySQL Server
- PostgreSQL
- MariaDB
- Must have automatic backups turned on to deploy a read replica
- Can have UP to 5 read replicas copies for any databases
- Can daisy chain read replicas (watch out for latency)
- Each read replica has it's own DNS end point
- You CANNOT have Read Replicas that have Multi-AZ
- You can create Read Replicas of Multi-ANZ sources databases
- Read Replicas can be promoted to be their own databases (i.e. both READ/Write)
- Read Replica in a second region for MySQL and MariaDB - not for PostgreSQL
DynamoDB vs RDS
- DynamoDB can scale on the fly ("push button")
- RDS requires that you create new instance with later instance size (or add read replica)
--------
DynamoDB
--------
- NoSQL database
- PUSH BUTTON scaling with no downtime
- Fully managed
- Document and Key-Value pair
- Storage is SSD
- Spread across 3 geographically distinct data centres
- Eventual Consistency Reads (Default) - usually 1 second
- Strongly Consistency Reads - Returns a result that reflects all writes that recieved a succesful response prior to the read
- Generally "Expensive" for writes, but "Cheap" for reads
--------
RedShift
--------
- Data Warehousing
- OLAP (Online Analytics Processing)
- RedShift Configuration options:
- Single Node (160gb)
- Multi Node
- Leader Node
- Compute Node (up to 128)
- Columnar Data Storage. Optimized for data warehousing and analytics (lower IO)
- Advanced Compression. Due to column storage - i.e. more likely to have 'similar' data
- MPP (Massive Parallel Processing) - Grid for performance. Require Multi-node configuration
- Encryption
- In-transit SSL/TLS
- At rest - AES-256
- Key management
- Manage your own keys via CloudHSM
- AWS Key Management Service (KMS)
- Availability
- Single AZ
- Can restore snapshots to another AZ in event of outage
-----------
Elasticache
-----------
- Web service to deploy, operate and scale an in-memory cache
- Improve latency/through-put for read heavy workloads - and compute intensive workloads (e.g. recommendation engine)
- Supported Engines:
- Memcached - Memory object caching systems.
- REDIS - Open-source in-memory key-value store (sorted sets / lists). Supports Master->Slave replication, and Multi-AZ for cross-ANZ redundancy
------
Aurora
------
- DB engine in RDS
- Created by Amazon, can only run on AWS
- MySQL compatible
- MUCH cheaper than Oracle
- Aurora Scaling
- Starts with 10GB, Scales in 10GB increments (auto scales)
- Compute can scale up to 32vCPUs and 244GB RAM (DOES have downtime)
- 2 copies of your data in EACH AZ, with a min of 3 AZ. i.e. 6 Copies of your data!
- Designed to transparently handle the loss of up to 2 copies without impacting write availablity, and up to 3 copies without impacting read availablity
- Storage are self-healing
- Aurora Replicas
- Aurora Replicas (currently 15) - Auto-failover
- MySQL read replicas (currently 5) - Manual failover
----------------
Database Summary
----------------
- RDS - OLTP
- SQL
- MySQL
- PostgreSQL
- Oracle
- Aurora
- MariaDB
- DynamoDB - No SQL
- Redshift - OLAP (Data warehousing)
- Elasticache - in memory caching
- memcached
- redis
- Read FAQ for DBS
__ _____ ___
\ \ / / _ \/ __|
\ V /| _/ (__
\_/ |_| \___|
----
VPC
----
- Think of a VPC (Virtual Private Cloud) as a logical datacentre in AWS
- Consists og Internet Gateways (or Virtual Private Gateways), Route Tables, Network ACLs, Subnets & Security Groups
- By default 5 VPCs are allowed in each AWS Region *LIMIT
- 1 Subnet = 1 AZ - NO cross AZ subnet.
- Security Groups are STATEFUL
- NACLS are STATELESS
- NO TRANSITIVE PEERING
- Only allow 1 internet gateway per VPC
- CIDR is *fixed* on VPC creation (cannot change after!)
- Largest supported VPC is /16 (65,536). 255.255.0.0
- Smallest supported VPC is /28 (16 addresses, 14 hosts). 255.255.255.240
- By Default all subnets in a VPC are routed to 'talk' to each other (use Security Groups for isolation)
---
NAT
---
- NAT Instances
- When creating NAT instance, DISABLE Source/Destination check on the instance
- NAT instance must be in the public subnet
- Must have a route out of private subnet to NAT instance to work
- Amount of supported traffic depends on the instance type
- Can create HA using Autoscaling groups, multiple subnets in different AZs, and a script to automate failover
- Behind a security group
- NAT Gateways
- Preferred by enterprise
- Scale automatically to 10Gbps
- No need to patch
- Not associated with Security Groups
- Automatically assigned a public ip address
- Update your route tables
- Takes 10-15 mins to provision
- A single NAT gateway is within a Single AZ
- No need to disable source/destination checks
- More secure than NAT instance (no SSH access, no patching, no AV - AWS manages)
-----
NACLS
-----
- VPC automatically comes a default NACL, by default ALLOWS ALL in and outbound traffic
- Custom NACLs, by default DENIES ALL in and outbound traffic
- Each subnet in your VPC must be associated with a network ACL. If you don't explicitly associate - it will automatically be associated with the default NACL
- Possible to associate a NACL with multiple subnets, however:
- A subnet can only be associated with a single NACL
- When you associate a NACL with a subnet, the previous association is removed
- Numbered list of rules - evaluated in order
- Have separate inbound and outbound rules, each line can Allow or Deny traffic
- STATELESS! - remember to add ephemeral ports to OUTBOUND
- You can BLOCK ip addresses with NACLS, cannot with Security Groups
-------------------------------
ALB (Application Load Balancer)
-------------------------------
- You will need at least 2 public subnets in order to deploy an application load balancer
-------------
VPC Flow logs
-------------
- You cannot enable flow logs for VPCs that are peered with your VPN unless the peer VPC is in your account
- Forwards to CloudWatch
- You cannot tag a flow log
- After you've created a flow log, you cannot change its configuration; for example, you can't associate a different IAM role with the flow log
- Not ALL IP traffic is monitored:
- Traffic to Amazon DNS servers
- Traffic for a Windows instance for license activation
- Traffic to and from 169.254.169.254 for instance metadata
- DHCP traffic
- Traffic to the reserved IP address for the default VPC router
----------------
NATS vs Bastions
----------------
- NAT instance/gateway is used to provide internet access to EC2 instances in private subnets
- A Bastion is used to securely admin EC2 instances (using SSH or RDP) in private subnets (aka Jump Boxes)
--------------
VPC End Points
--------------
- Allow access to AWS services (e.g. S3) from a private subnet, and not route via public internet
- 2 types:
- Gateways (more resilient)
- Interfaces (mapped to ENI)
___ ___ ___
/ __|/ _ \/ __|
\__ \ (_) \__ \
|___/\__\_\___/
---------------------------
Applications Services - SQS
---------------------------
- Simple Queue Service
- PULL based system
- Web service that gives you access to a message queue, that can be used to store messages whilst awaiting processing
- Distributed queue system
- Basically a temporary repository for messages that are awaiting processing
- First ever publicly available AWS service
- Good for decoupling application components
- Fail-safe queue
- Messages 256KB of text in any format
- Messages can be kept in the queue from 1 minute to 14 days (default is 4 days)
- Visibility time out is the amount of time that the message is invisible in the SQS queue after a reader picks up that message. Provided the job is processed before the visibility time out expires, the message will then be deleted from the queue. If the job is not processed within that time, the message will become visible again and another read will process it. This could result in the same message being delivered twice.
- Visibility time out maximum is 12 hours
- SQS long polling is a way to retrieve messages from SQS queues where it doesn't return a response until a message arrives in the message queue, or the long poll times out (i.e if it's empty at the time it's polled, it will hold off on a response until a message arrived or the long poll times out)
- Long poll save you money, by reducing the amount of time polled.
- Think of it as a 'BUFFER'
- Queue types:
- Standard Queues (default)
- Nearly unlimited TPS
- Guarantee's a message is delivered atleast once, however:
- Occasionally (due to distributed arch) more than 1 message may be delivered out of order
- Best effort ordering - ensures the messages are generally delivered in the same order they were sent
- FIFO (First in First Out) Queues
- First-In-First-Out
- Gaurantee's order is preserved
- No duplicates
- Limited to 300 TPS
- Read FAQ!
_____ _____
/ __\ \ / / __|
\__ \\ \/\/ /| _|
|___/ \_/\_/ |_|
---------------------------
Applications Services - SWF
---------------------------
- Simple Work Flow service
- Workers - Workers are programs that interact with SWF to GET tasks, process tasks, and return results
- Deciders - Program that controls coordination of tasks. i.e. their ordering, concurrency and scheduling according to the application logic
- Task is ONLY assigned only ONCE and NEVER duplicated
- Domain - Isolated set of tasks, executions and task lists from others within the same account
- Maximum Workflow can be 1 year and the value is always measured in seconds
- SWF vs SQS
- SWF retains data for up to 1 year; SQS has a retention period max of 14 days
- SWF present a task oriented API; SQS offers a messaged oriented API
- SWF ensures a task is assigned only once and never duplicated; SQS you need to handle duplicated messages, and may also need to ensure that a message is processed only once
- SWF keeps of tracks of all tasks and events in an application; SQS you need to implement your own a application-level tracking, especially if your app has multiple queues
- SWF Actors
- Workflow starter
- Deciders
- Activity workers (can include humans)
___ _ _ ___
/ __| \| / __|
\__ \ .` \__ \
|___/_|\_|___/
---------------------------
Applications Services - SNS
---------------------------
- Simple Notification Service
- Messaging service
- PUSH
- Web service to setup operate and send notifications from the cloud
- Publish / Subscribe (pub-sub)
- Supports:
- Push notifications
- SMS
- Email
- SQS
- Any HTTP endpoint (includes Lambda)
- Push notification support:
- Apple
- Google
- Fire OS
- Windows
- Android devices in China with Baidu Cloud Push
- SNS Topics allow you to group multiple recipients supports multiple formats (push, sms) within a group
- SNS Benefits
- Instant
- Push
- APIs
- Inexpensive, pay as you go
- SNS vs SQS
- Both are messaging services
- SNS is PUSH, SQS is PULL (Polls)
- SNS data-format is JSON
___ _ _ _ _____ _
| __| |__ _ __| |_(_)__ |_ _| _ __ _ _ _ ___ __ ___ __| |___ _ _
| _|| / _` (_-< _| / _| | || '_/ _` | ' \(_-</ _/ _ \/ _` / -_) '_|
|___|_\__,_/__/\__|_\__| |_||_| \__,_|_||_/__/\__\___/\__,_\___|_|
-------------------------------------------
Applications Services - Elastic Transcoder
-------------------------------------------
- Media transcoder in the cloud
- Convert from source format to a different format
- Had templates for popular devices (e.g. iPad, phones etc)
_ ___ ___ ___ _
/_\ | _ \_ _| / __|__ _| |_ _____ __ ____ _ _ _
/ _ \| _/| | | (_ / _` | _/ -_) V V / _` | || |
/_/ \_\_| |___| \___\__,_|\__\___|\_/\_/\__,_|\_, |
|__/
-----------------------------------
Applications Services - API Gateway
-----------------------------------
- Fully managed
- Publish, maintain, monitor and secure APIs at any scale
- API caching (for TTL duration)
- CORS (Cross Origin Resource Sharing)
- Server can relax the Same origin policy
- Enable CORS on your API gateway
- Exam tips
- API gateway has caching capabilities
- Low cost, auto-scales
- You can Throttle requests to prevent attacks
- Can log results to CloudWatch
- If using multiple domains - enable CORS
_ ___ _
| |/ (_)_ _ ___ __(_)___
| ' <| | ' \/ -_|_-< (_-<
|_|\_\_|_||_\___/__/_/__/
-------------------------------
Applications Services - Kinesis
-------------------------------
- Streaming Data - generated continuously by thousands of data sources, sending records simultaneously, and generally small sizes
- Purchase from online stores
- Stock Prices
- Game data (as they play)
- Social network data
- Geospatial data (think uber - continuous driver position data)
- IoT sensor data
- 'Producers' (e.g. EC2, phone, etc) send data to Kinesis
- 'Consumers' (e.g. EC2 - then store in S3, DB etc)
- Kinesis
- Streams
- Consists of Shards (default storage is 24hrs, can be increased to 7 days)
- Can have multiple Shards in a streams
- Firehouse
- 'Automated' in comparison with Streams
- Don't need to manage shards (doesn't have them) / retention
- Analysis via Lambda
- Results to S3, then onwards to Redshift
- Or Results to Elastic search
- Analytics
- Bolt onto 'Streams' or 'Firehouse'
- Takes SQL queries
- Results to S3, Redshift or Elasticsearch Cluster
__ ___ _ _
\ \ / / |_ (_) |_ ___ _ __ __ _ _ __ ___ _ _ ___
\ \/\/ /| ' \| | _/ -_) '_ \/ _` | '_ \/ -_) '_(_-<
\_/\_/ |_||_|_|\__\___| .__/\__,_| .__/\___|_| /__/
|_| |_|
------------------------------------------------------------------
Overview of Security Processes (Whitepaper) ~75 pages - must read
------------------------------------------------------------------
- Covers about 20% of exam
- Shared Security Model - AWS is responsible for the AWS Global Infrastructure
- AWS is responsible for managed services (e.g. DynamoDB, RDS etc) - but account management and user access is customer responsibility
- IaaS (e.g. EC2, VPC, S3) are customer responsibility.
- Storage Decommissioning - AWS destroy customer data inline within DoD and NIST media sanitizations. Magnetic devices are degaussed and physically destroyed inline with industry practices
- Network Security
- Transmission protection - HTTPS (SSL/TLS) & VPC and IPsec tunnel between VPC and your DC
- Amazon Corporate Segregation - AWS Prod Network is segregated from AWS Corporate network. (i.e. Amazon.com network is separated from AWS)
- Network Monitoring and Protection
- DDoS mitigation
- MiTM
- Ip Spoofing - AWS controlled host based firewall, prevent invalid source IP or MAC addresses
- Port Scanning - Violation of AWS Acceptable Use Policy, must request a vuln scan in advance.
- Prevent packet sniffing from other tentants
- AWS Credentials
- Passwords
- MFA
- Access Keys
- Key Pairs (SSH login, CloudFront signed Urls)
- X.509 Certificates (Digitally signed SOAP requests to AWS APIs, SSL server certs for HTTPS)
- AWS Trusted Advisor
- Inspects your AWS environment and makes recommendations for saving money, improve performance and close security gaps
- Provides alerts on common security misconfigurations
- Instance Isolation
- Different instances on the same physical machine are isolated from each other via Xen hypervisor
- AWS firewall resides within the hypervisor layer, between the physical network interface and the instance's virtual interface
- All packets pass thru this layer, thus an instance's neighbors have no more access than other internet hosts
- Physical RAM is separated using similar mechanisms
- Customer instances have no access to raw disk devices, but are presented with virtualized disks
- The disk virtualization layer automatically resets every block of storage used by the customer, so not exposed to another customer
- Memory allocated to guests is scrubbed (Set to zero) by the hypervisor when it's unallocated. Memory is not returned to the pool until scrubbing is compete
- Guest OS's are controlled by the customer (including root instances - AWS has no rights)
- Firewall - EC2 provides firewall solution, mandatory inbound firewall is configured by default as DENY-all, customer must explicitly open ports
- Guest OS - encryption of sensitive data - AWS provides option to encrypt EBS volumes (and snapshots) with AES-256. Only available on more powerful instance types (M3, C3 etc) due to performance
- ELB - SSL Termination on the ELB is supported. Allows you to identify the originating IP address of a client connecting to your servers on HTTPS or TCP load balancing
- Direct Connect
- Bypass ISPs
- Uses 802.1q VLANs, allows partitions into multiple virtual interfaces
---------------------
AWS Risk & Compliance
---------------------
- Shared Responsibility model
- Risk
- AWS management has a risk management plan - re-evaluated at least once every 6 months
- AWS management identifies risk, and implement appropriate measures to address the risks
- AWS security regulatory scans all internet facing service endpoint IP address for vulns (NOT customer instances)
- Customers can request permission to do a vuln scan of their own instances
- Compliance
- SOC1/ 2 / 3
- FISMA, DIACAP and FedRAMP
- PCI DSS Level 1 (Infra level only)
- ISO 270001
- ISO 9001
- ITAR
- FIPS 140-2
Industry
- HIPAA
- Cloud Security Alliance (CSA)
- MPAA
----------------------------
Storage Options in the Cloud
----------------------------
Types:
- S3
- Glacier
- EBS
- EFS
- Snowball
- EC2 Instance Storage (Ephemeral)
- AWS Import/Export - Accelerates moving large amounts of data into/out-of AWS using portable storage. Pay for what you use
- Storage Gateway - Connects on-premise software appliance with cloud-based storage. Provided as VMs. Gateway cached (Stored in S3, cached at gateway) or gateway-stored (Stored locally, async backedup to S3 as EBS snapshots)
- CloudFront
- SQS
- RDS
- DynamoDB
- ElastiCache
- Redshift
- Databases on ECS (self managed databases)
-------------------------------------------
Architecting for AWS Cloud: Best Practices
-------------------------------------------
- Business benefits of cloud
- Almost zero upfront infra investment
- Just-in-Time infrastructure
- More efficient resource utilization
- Usage-based costing / Utility billing
- Reduced time to market
- Technical benefits
- Automation - "Scriptable infrastructure" / Infrastructure as Code
- Auto-scaling
- Proactive scaling
- More efficient development lifecycle
- Improved Testability
- DR and Business Continuity (e.g. Route53 failover)
- "Overflow" the traffic to the cloud
- Design for failure
- Be a pessimist
- Assume failures/disasters
- Decouple your components (think SQS) - Loose Coupling
- Implement Elasticity
- Proactive *Cyclic* Scaling - Periodic scaling that occurs at fiexe intervals (daily, weekly, monthly)
- Proactive Event Scaling - Due to a event (Black Friday / New product launch)
- Auto-scaling based on demand. (Think Auto-scaling based on Network IO/CPU etc)
- Secure Your Application
- Tiered security model (web vs app vs db)
__ __ _ _ _ _ _ _ _ _
\ \ / /__| | | /_\ _ _ __| |_ (_) |_ ___ __| |_ ___ __| |
\ \/\/ / -_) | | / _ \| '_/ _| ' \| | _/ -_) _| _/ -_) _` |
\_/\_/\___|_|_| /_/ \_\_| \__|_||_|_|\__\___\__|\__\___\__,_|
----------------------------------
Well Architected Framework - Intro (---)
----------------------------------
- Evaluate how well your architecture meets the AWS best practices
- 5 Pillars
- Security
- Reliability
- Performance Efficiency
- Cost Optimization
- Operational Excellence
Design Principles:
- Stop guessing your capacity needs
- Test systems at Production scale
- Automation to make architectural experimentation easier
- Allow for evolutionary architectures
- Data-driven architectures
- Improve through "game days" (simulate events - e.g. black friday)
-------------------------------------
Well Architected Framework - Security
-------------------------------------
- Design Principles:
- Apply security at all layers (defensive in depth)
- Enable traceability (CloudTrail)
- Automate responses to security events
- Focus on securing your system
- Automate security best practices (e.g. hardened AMI)
- Shared responsibility model
- Definition in the cloud consists of 4 areas:
- Data protection
- Basic data classification should be place (public/internal/department/board etc)
- Implement least privilege
- Encrypt everything (rest/transit) if possible
- AWS provides encryption, detailed logging is available (CloudTrail), Durable storage is available
- Versioning on S3
- AWS never initiates the movement of data between regions
- Privilege management
- Only authorized and authenticated users are able to access your resources
- ACLs
- Role Based Access controls
- Password management (e.g. strength)
- MFA
- Infrastructure Protection
- Outside of AWS - lockable cabinets, CCTV etc
- Inside of AWS VPC
- Network and Host-level boundary protection (Security Groups, NACLS, Subnet, Jump boxes)
- AWS service level protection (Groups, MFA, Strong password)
- Integrity of OS on ECS (AV)
- Detective controls
- CloudTrail (audit logs)
- CloudWatch (system logs)
- AWS Config
- S3
- Glacier
- Applies to these AWS services:
- Data Protection - Encryption (ELB, EBS, S3, RDS)
- Privilege (IAM, MFA)
- Infra Protection (VPC)
- Detective controls (Cloudtrail, AWS Config, CloudWatch)
----------------------------------------
Well Architected Framework - Reliability
----------------------------------------
- Design Principles:
- Test recovery procedures
- Automatically recover from failure
- Scale horizontally to increase aggregate system availability (scale out - instead of up)
- Stop guessing capacity
- 3 areas:
- Foundations
- E.g. bandwidth/latency
- AWS manages most of the foundations for you (within AWS service limits)
- How are you managing AWS service limit within your account
- How are you planning your network topology on AWS
- DO you have an escalation path?
- Change management
- Use CloudWatch to monitor environment change
- Automate in response to change
- How does your system adapt to changes in demand
- How are you monitoring your AWS resources
- How are you executing change management
- Faulure mangement
- Assume failure
- How are you backing up your data
- How does your system withstand component failures
- Are you planning for recovery
- Applies to:
- Foundations (IAM, VPC)
- Change management (CloudTrail)
- Failure Management (CloudFormation)
---------------------------------------------------
Well Architected Framework - Performance Efficiency
---------------------------------------------------
- Design Principles:
- Democratize advanced tech (easy consumption as a service)
- Go Global in minutes (e.g. CloudFormation deploy to another region)
- Use serverless architectures
- Experiment more often
- 4 areas:
- Compute (Autoscaling)
- Choose the right instance type (server) - on none - ie. serverless / lambda
- How you select the right instance type
- How to continue you have the most appropriate instance type
- How do you monitoring your instances post launch
- How do you ensure the quantity of instances matches demand
- Storage (EBS, S3, Glacier)
- Factors:
- Access Method - Block, Object
- Patterns - Random or Sequential
- Throughput
- Frequency of access
- Frequency of update
- Availability Constraints
- Durability Constraints
- Database (RDS, DynamoDB, Redshift)
- How do you select the appropriate DB solution for system?
- How do you ensure you take advantage of newer offerings
- How do you monitor performance
- How do you ensure capacity and throughput matches demand
- Use Read replicas
- Use direct connect
- Space-time trade-off
- Proximity and caching solutions
- Use global infra - to put content close to your customers
- Cloudfront, Elasticache, direct connect, RDS Read replicas
----------------------------------------------
Well Architected Framework - Cost Optimization
----------------------------------------------
- Design Principles:
- Transparency attribute expenditure (attribute costs to owners/department etc)
- Use managed services to reduce cost of ownership
- Trade capital expense for operating expense
- Benefit from economies of scale
- Stop spending money on data centeer operations
- 4 areas:
- Matched supplied and demand (Autoscaling)
- Think Auto-scaling
- Serverless - Lambda
- Use cloudwatch to keep track of demand
- Cost effective resources (EC2 - reserved instances, TrustedAdvisor)
- Use the correct instance type
- It possible that a larger instance type may SAVE money, if it completes a job in less time than a lower instance
- Expenditure awareness (CloudWatch Alarms, SNS)
- Use cost allocation tags to track
- Use billing alerts
- Consolidated billing
- How are you decommissioning resources that are not in need
- How do you consider data transfer charges?
- Optimizing over-time (AWS Blog, TrustedAdvisor)
- Keep track of changes (RSS on AWS Blog)
- Re-evaluate your existing architecture
- Use Trusted Advisor
---------------------------------------------------
Well Architected Framework - Operational Excellence
---------------------------------------------------
- Design Principles:
- Perform operations with code
- Align operations processes to business objectives (Collect metrics and map to KPI)
- Make regular, small, incremental changes
- Test for responses to unexpected events
- Learn from operational events and failures
- Keep operations procedures current
- 3 areas:
- Preparation (CloudFormation, AutoScaling, AWS Config, Service Catalog)
- Operations checklist
- Runbooks - daily checks
- Playbooks - guides for unexpected events - response plans - escalation paths and stakeholder notifications
- Keep documentation up-to-date
- Operation (CodeCommit, CodeDeploy and CodePipeline, CloudTrail)
- Should standardize and management
- Automation
- Small frequent changes
- Should not require scheduled downtime
- Responses (CloudWatch Alarms, SNS Notifications)
- Responses should be automated
- User Alerts
- Automatically roll-back failed deployment
- Escalation paths defined, and automated
___ _ _ _ _
| _ |_) | (_)_ _ __ _
| _ \ | | | | ' \/ _` |
|___/_|_|_|_|_||_\__, |
|___/
------------------------------------
Organizations & Consolidated Billing
------------------------------------
- Consolidated Billing
- Paying Account
- Linked Accounts (e.g. Test, Production) - max 20 accounts (more have to request)
- 1 Monthly bill, split by linked accounts
- Volume pricing discount
- Unused reserved EC2 instances are applied across the group
- CloudTrail is on a per account and per region basis, but can be aggregated into a single bucket in the paying account
- Best practices
- MFA on root
- Strong password on root account
- Paying account should be used for billing purposes only. Do not deploy resources into a paying account
- Billing Alerts
- When monitoring is enabled on the paying account the billing data for all linked accounts is included
- You create billing alerts per account
___ _ _ _
/ __|_ _ ___ ______ /_\ __ __ ___ _ _ _ _| |_ /_\ __ __ ___ ______
| (__| '_/ _ (_-<_-< / _ \/ _/ _/ _ \ || | ' \ _| / _ \/ _/ _/ -_|_-<_-<
\___|_| \___/__/__/ /_/ \_\__\__\___/\_,_|_||_\__| /_/ \_\__\__\___/__/__/
--------------------
Cross Account Access
--------------------
- Sign into AWS Console with one IAM user name, then switch the console to manage another account
- Steps
- identify your account numbers
- Create a group in IAM - Dev
- Create a user in IAM - Dev
- Login to Production
- Create the "read-write-app-bucket" policy
- Create the "UpdateApp" Cross Account Role
- Apply the newly created policy to the role
- Login to the Developer Account
- Create a new inline policy
- Apply it to the Developer group
- Login as John
- Switch Accounts
___ ___
| _ \___ ___ ___ _ _ _ _ __ ___ / __|_ _ ___ _ _ _ __ ___
| / -_|_-</ _ \ || | '_/ _/ -_) | (_ | '_/ _ \ || | '_ (_-<
|_|_\___/__/\___/\_,_|_| \__\___| \___|_| \___/\_,_| .__/__/
|_|
-------------------------
Resource Groups & Tagging
-------------------------
- Tags can sometimes be inherited (e.g. Autoscaling, Cloudformation etc)
- Resource Groups
- Group resources that share one or more tags
__ _____ ___ ___ _
\ \ / / _ \/ __| | _ \___ ___ _ _(_)_ _ __ _
\ V /| _/ (__ | _/ -_) -_) '_| | ' \/ _` |
\_/ |_| \___| |_| \___\___|_| |_|_||_\__, |
|___/
-----------
VPC Peering
-----------
- Connection between two VPCs - for routing via private IPs
- Possible across multiple account
- CANNOT go across region
- No single points of failure
- Each VPC must have unique CIDR block
- Transitive Peering NOT support (supports only direct peer routing) 1-1 peering connect
___ _ ___ _ _
/ __|___ _ _ _ _ ___ __| |_ | \(_)_ _ ___ __| |_
| (__/ _ \ ' \| ' \/ -_) _| _| | |) | | '_/ -_) _| _|
\___\___/_||_|_||_\___\__|\__| |___/|_|_| \___\__|\__|
--------------
Direct Connect
--------------
- Dedicated network connection from your premises to AWS
- Benefits
- Reduce cost if large volumes of traffic
- Increase reliability
- Increase bandwidth
- VPN vs Direct Connect
- VPN (internet) vs DC (dedicated private)
- VPN (quick to provision) vs DC (months+)
- Available in 1Gbps and 10Gbps (Sub 1Gbps is available via AWS Direct Connect partners)
- Uses Ethernet VLAN trunking (802.1Q)
___ _____ ___
/ __|_ _/ __|
\__ \ | | \__ \
|___/ |_| |___/
----------------------------
Security Token Service (STS)
----------------------------
- Grants users limited / temporary access to AWS resources
- 3 Sources:
- Federation (typically Active Directory)
- SAML (Secure Assertion Markup Language)
- Federation with Mobile Apps
- OpenID (Facebook/Amazon/Google)
- Cross Account Access
- Federation: Combining/joining a list of users in one domain (eg IAM) with another domain (eg AD)
- Identity Broker: Service that allows you to take an identity from point A and join it (federate it) to point B
- Identity Store : Services like AD, Facebook, Google etc
- Identities - a user of a service like Facebook etc
- Temp duration is between 1 to 36 hours
- Exam Tips:
- Develop an Identity Broker to communicate with LDAP and AWS STS
- Identity Broker always authenticates with LDAP first, then with AWS STS
- Application then gets temporary access to AWS resources
_ _ _ ___ _ _
/_\ __| |_(_)_ _____ | \(_)_ _ ___ __| |_ ___ _ _ _ _
/ _ \/ _| _| \ V / -_) | |) | | '_/ -_) _| _/ _ \ '_| || |
/_/ \_\__|\__|_|\_/\___| |___/|_|_| \___\__|\__\___/_| \_, |
|__/
----------------------------
Active Directory Integration
----------------------------
- AD auth is using SAML
- Must auth to AD first, then AWS
__ __ _
\ \ / /__ _ _| |__ ____ __ __ _ __ ___ ___
\ \/\/ / _ \ '_| / /(_-< '_ \/ _` / _/ -_|_-<
\_/\_/\___/_| |_\_\/__/ .__/\__,_\__\___/__/
|_|
----------
Workspaces
----------
- Basically its a VDI
- Possible to integrate with AD
- Don't have to have an AWS account to login to workspaces
- Quick fasts:
- Windows 7 experience provided by Server 2008
- Users can personalize - can use GPO
- By default you get local admin
- Workspaces are persistent
- All data on D:\ is backed up every 12 hours
___ ___ ___
| __/ __/ __|
| _| (__\__ \
|___\___|___/
-------------------------------
Elastic Container Service (ECS)
-------------------------------
- Docker:
- Benefits
- Escape from dependency hell
- Consistent progressions from DEV -> Test -> QA -> PROD
- Isolation
- Better resource management
- Code portability
- Micro-Services
- Docker components
- Docker image - readonly (like an ISO/AMI) - but no OS
- Docker Container
- Package code, config and dependencies
- Good for version control
- Layers / Union File System
- DockerFile (instructions add layers)
- Docker Daemon / Engine
- Docker client (interface to Docker daemon)
- Docker registries / Docker Hub
- Elastic Container Service:
- Managed serviced service for Docker
- Can Auto-scale
- Good for micro-services
- ECR (EC2 Container Registry) - AWS's own version of Docker Hub, control via IAM
- Task Definition is required to run Docker containers in Amazon ECS
- JSON format
- Which docker images to use
- How much CPU/Mem
- Linkages between
- Networking Mode
- Port mapping
- Restart policies
- Environment variables
- Data volumes to be mounted
- IAM Roles to be used
- Exam Tips
- ECS - Amazon's managed EC2 container service. Allows you to manage Docker containers on a cluster of EC2 instances
- Containers are a method of operating system virtualization that allow you to run an application and its dependencies in resource-isolated processes.
- Containers are create from a ready-only template called an Image
- An Image is a read-only template with instructions for creating a Docker container
- Images are stored in a Registry, such as Docker Hub or AWS ECR (EC2 Container Registry)
- Amazon ECR is a managed AWS Docker registry service
- A Task definition is required to run Docker containers in ECS
- Task definitions are text files in JSON format that describe one or more containers that form your application
- Think of a task definition as a cloud formation template but for docker. Configure things such as the amount of CPU, RAM, Port mappings etc
- ECS allows you to run and maintain a specified number (or, the "desired count") of instances of a task definition simultaneously in an ECS cluster
- Think of Services link Auto-Scaling groups for ECS
- An ECS cluster is a logical grouping of container instances that you can place tasks on
- Clusters can contain multiple different container instance types
- Clusters are REGION specific
- Container instances can only be part of one cluster at a time
- Can create IAM policies for your clusters to allow/restrict user's access to specific clusters
- You can schedule ECS in 2 ways:
- Service Scheduler
- Custom Scheduler
- ECS agent to connect EC2 instances to your ECS cluster. LINUX ONLY
- IAM with ECS to restrict access
- Security Groups operate at the instance level, not at the task or container level
___
| __|_ ____ _ _ __
| _|\ \ / _` | ' \
|___/_\_\__,_|_|_|_|
-------------------
Exam Practicalities
-------------------
- 80 mins
- 55 Questions
- USD150
- Online, at an approved centre
- Arrive 15 minutes early, bring your authorization code!
- Two forms of ID (Photo ID/Passport + Credit Card, Debit Card)
- If you reschedule with less than 72 hours notice, will incur a penalty
-----------------------------------
Exam Tips based on Student feedback
-----------------------------------
- Kinesis
- Used to consume big data
- Stream large amounts of social media, news feeds logs etc in to the cloud..then think Kinesis.
- Process large amounts of data from Kinesis:
- Redshift for business intelligence
- Elastic Map Reduce for Big Data Processing
- EC2
- EBS backed vs instance store
- EBS backed are persistent
- Instance are not persistent (Ephemeral)
- EBS volumes can be deattached and reattached to other ECS2 instances
- Instance store volumes CANNOT be deattached and reattached to other ECS2 instances
- EBS volumes can be stopped; data will persist
- Instance store volumes cannot be stopped - if you do the data will be lost.
- OpsWorks
- Orchestration Service that uses Chef (infrastructure as code)
- Chef consists of recipes to maintain a consistent state
- Look for the term "chef" or "recipes" or "cook books" and think OpsWorks
- Elastic Transcoder
- Convert media files from original source to formats that will play on smartphones, tables, PCs
- Pay based on minutes and resolution
- SWF Actors
- Workflow Starters - App that can start a workflow
- Deciders - Control the flow of activity in workflow execution. If finished, decides what to do next.
- Activity Workers - Carry out activity tasks.
- EC2 - Get Public IP address
- curl http://169.254.169.254/latest/meta-data/
- it's the instances Metadata, NOT the user data
___ _ ___
/ __| ___ _ ___ _(_)__ ___ / __|_ _ _ __ _ __ __ _ _ _ _ _
\__ \/ -_) '_\ V / / _/ -_) \__ \ || | ' \| ' \/ _` | '_| || |
|___/\___|_| \_/|_\__\___| |___/\_,_|_|_|_|_|_|_\__,_|_| \_, |
|__/
++ = important for this certification
-- = not important for this certification
Management Tools:
- CloudWatch - Monitoring Service (important for sys ops) (--)
- CloudFormation - Scripting infrastructure (++)
- CloudTrail - Audit change logging (API) (++)
- Config - Monitors configuration / point in time snapshots / visualize environment (++)
- OpsWorks - Similar to ElasticBeanstak (Chef & puppet) automation (-)
- Service Catalog - Manged a list of 'approved' list of services to use in AWS (uesd by Enterprise) (--)
- Systems Manager - Manage resources (e.g. patching of EC2), group resources by departments etc (--)
- Trusted Advisor - Security / Capacity / Code reduction advise (++)
- Managed Services - ???? (--)
Media Services (--):
- Elastic Transcoder - video transcoding across device types
- MediaConvert
- MediaLive
- MediaPackage
- MediaStore
- MediaTailor
Machine Learning (--):
- SageMaker (Allows devs to use Deep learning) (-)
- Comprehend (Sentiment Analysis)
- DeepLens (AI Camera - hardware)
- Lex (Powers the Alexa Service - chat)
- Machine Learning (Predict based on previous data)
- Polly (Text to Speech)
- Rekognition (Image/Video object classifier)
- Amazon Translate (language translation)
- Amazon Transcribe (speech to text)
Analytics:
- Athena (SQL queries aginst objects in S3 bucket) - serverless (--)
- EMR Elastic Map Reduce (++)
- CloudSearch (--)
- ElasticSearch Service (--)
- Kinesis (++) - Ingesting large amounts of data into AWS (e.g. Tweets)
- Kinesis Video Streams (--) - Ingesting large amounts
- QuickSight - BI Tool (--)
- Data Pipleine - Move data between AWS services (--)
- Glue - ETL extract, transform and load (--)
Security & Identity & Compliance:
- IAM - Identity Access Management (++)
- Cognito - Device auth for temp access to AWS resources
- Guard Duty - Monitors for malcious (--)
- Inspector - Agent to install on EC2 (check for security vulns) (--)
- Macie - Scan S3 buckets for PII
- Certificate Manager - SSL Certs (+)
- CloudHSM - Store keys, dedicated (+)
- Directory Services - Integration AD services with AWS (+)
- WAF - Layer 7 firewall for XSS, SQLi prevention
- Shield - DDoS Mitigation (+)
- Artifact - Audit/Compliance portal for on-demand download of compliance reports
Mobile Services (--):
- Mobile Hub - management console (--)
- Pinpoint - target push notifications (--)
- AWS AppSync - keeps web/mobile in sync (--)
- Device Farm - testing your apps on live devices (Android/iphone etc) (--)
- Mobile Analytics (--)
AR / VR (--):
- Sumerian (--)
Applicatiom Integration:
- Steps Functions - Mangeing your lambda functoins (--)
- Amazon MQ - Message Queues (--)
- SNS - Notificaiton Services (++)
- SQS - Decouple imfra with Queuing Services (++)
- SWF - Simple Workflow Service (++)
Customer Engagement -
- Connect - Contact Centre as As service (--)
- Simple Email Service - bulk email (+)
Business Productivity:
- Alexa for Business (--)
- Chime - Video conferencing (--)
- Work Docs - like DropBox for AWS (+)
- Work Mail - like Office 365 / Gmail (--)
Desktop and App Streaming (--)
- Workspaces - VDI solution (--)
- AppStream 2.0 - Stream applications (aka Citrix) (--)
IOT (--)
- iOT (--)
- iOT Device Management (--)
- Amazon FreeRTOS (micro controller OS) (--)
- Greengrass - ???? (--)
Game Development (--)
- GameLift (--)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment