@misostack
Created January 6, 2024 01:46
AWS Labs

Design a good architecture with AWS

@misostack

misostack commented Jan 6, 2024

Lab 1: Build and deploy a secure REST API

Config DNS

  1. Create Hosted Zone
  2. Change NS to Amazon Route53

@misostack

misostack commented Jan 6, 2024

Create a REST API with API Gateway

@misostack

misostack commented Jan 6, 2024

Create VPC, Subnets, Security Group, Network ACL, EC2 Instances

  • Create VPC
  • Create Subnets
  • Create Security Group

Create VPC

Create subnet

Create EC2 Instances

Select EBS

EBS Types

  • gp3
  • gp2
  • io2
  • io1
  • sc1
  • st1
  • magnetic (standard)

@misostack

misostack commented Jan 7, 2024

Create EC2 Instance

Create EC2 Instance in your subnet

Overview EC2 Instance Connection

Overview the EBS Volume of your EC2 instance

Your EC2 instance doesn't have a public IPv4 address, so how can we connect to it to install web server software?

@misostack

AWS Client VPN

  1. Generate server and client certificates and keys
  2. [x]

Generate server keys

https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/mutual.html

git clone https://github.com/OpenVPN/easy-rsa.git
cd easy-rsa/easyrsa3
...

Create your VPN Endpoint using generated keys

Assign the associated network (subnet) to your VPN Endpoint

@misostack

Create a security group and configure inbound and outbound rules

@misostack

Open access from the internet

Create an Internet Gateway and attach it to your VPC

Add a new record to your route table that redirects all requests from the attached internet gateway to your VPC network

@misostack

misostack commented Jan 7, 2024

How to grant internet access to your private subnet?

Create a NAT Gateway, allocate an Elastic IP address, then attach it to your private subnet

Add a new route table and associate the subnet

@misostack

misostack commented Jan 8, 2024

How to create secure AWS RDS instances in a private subnet

You can't select a subnet for your AWS DB instances

Managed RDS: MySQL, PostgreSQL (fully managed)
RDS Aurora (fully managed and serverless)

All you need to do is

  • Create subnets in different AZs
  • Create subnet group
  • Select VPC
  • Select AZs
  • Select Subnets

Create subnets in different AZs

Create subnet group and select your VPC, AZs, Subnets

Create your RDS instance with selected VPC, subnet group, AZ

Grab a cup of coffee while you wait for your RDS instance to be ready to use

After a few minutes

Test the connection with Node.js and the mysql2 package

// Connection test for the lab's RDS instance using the mysql2 package.
// The host, user and password are the lab's own values; outside a lab,
// read credentials from the environment rather than keeping them in source.
const mysql = require("mysql2");

const connection = mysql.createConnection({
  host: "jsguru-rds-us-east-1a-main.c5u2qmocqh5e.us-east-1.rds.amazonaws.com",
  user: "jsguru",
  password: "12345678",
  port: 3306,
});

connection.connect(function (err) {
  if (err) {
    // A timeout here usually means the security group or subnet routing
    // does not allow this EC2 instance to reach the DB instance on 3306.
    console.error("Database connection failed: " + err.stack);
    return;
  }

  console.log("Connected to database.");
});

// mysql2 queues commands, so end() runs once the connect attempt has finished.
connection.end();

@misostack

Create and connect to a read replica DB instance

@misostack

How to create encrypted database instances

You can't change the encryption mode after the database is created, so the way to convert an unencrypted database into an encrypted one is to make a snapshot (via EBS or S3), then create an encrypted copy of it and use that to create an encrypted database.

@misostack

misostack commented Jan 8, 2024

RDS Proxy

Any DB instance that encounters "too many connections" errors is a good candidate for associating with a proxy. This is often characterized by a high value of the ConnectionAttempts CloudWatch metric. The proxy enables applications to open many client connections, while the proxy manages a smaller number of long-lived connections to the DB instance.

@misostack

Load Balancing your RDS with Route53

Create private hosted zone

@misostack

Example network of EC2 instances connecting to AWS RDS in a private network

@misostack

Create an ALB for your EC2 instances

@misostack

misostack commented Jan 8, 2024

Add a new CNAME record to your hosted zone

@misostack

Monitor with CloudWatch

Install CloudWatch Agent

Create an IAM Role

Install CloudWatch

wget https://amazoncloudwatch-agent.s3.amazonaws.com/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb
sudo dpkg -i -E ./amazon-cloudwatch-agent.deb

Attach IAM Role

Install AWS CLI and test

sudo apt install unzip
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

Create config file

sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard

Start

sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c file:/opt/aws/amazon-cloudwatch-agent/bin/config.json

Sample config

{
  "agent": {
    "metrics_collection_interval": 60,
    "run_as_user": "cwagent"
  },
  "metrics": {
    "aggregation_dimensions": [["InstanceId"]],
    "append_dimensions": {
      "AutoScalingGroupName": "${aws:AutoScalingGroupName}",
      "ImageId": "${aws:ImageId}",
      "InstanceId": "${aws:InstanceId}",
      "InstanceType": "${aws:InstanceType}"
    },
    "metrics_collected": {
      "cpu": {
        "measurement": [
          "cpu_usage_idle",
          "cpu_usage_iowait",
          "cpu_usage_user",
          "cpu_usage_system"
        ],
        "metrics_collection_interval": 60,
        "resources": ["*"],
        "totalcpu": false
      },
      "disk": {
        "measurement": ["used_percent", "inodes_free"],
        "metrics_collection_interval": 60,
        "resources": ["*"]
      },
      "diskio": {
        "measurement": ["io_time"],
        "metrics_collection_interval": 60,
        "resources": ["*"]
      },
      "mem": {
        "measurement": ["mem_used_percent"],
        "metrics_collection_interval": 60
      },
      "statsd": {
        "metrics_aggregation_interval": 60,
        "metrics_collection_interval": 10,
        "service_address": ":8125"
      },
      "swap": {
        "measurement": ["swap_used_percent"],
        "metrics_collection_interval": 60
      }
    }
  }
}

Stress Test

sudo apt install stress
sudo apt install stress-ng

stress-ng --cpu 4 --io 2 --vm 1 --vm-bytes 250m --timeout 60s --metrics-brief

@misostack

CloudWatch Labs

Command to access AWS CLI

sudo apt update -y
sudo apt install unzip -y
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

Command to do stress test

sudo apt update -y
sudo apt install stress-ng -y
stress-ng --cpu 4 --io 2 --vm 1 --vm-bytes 250m --timeout 60s --metrics-brief

CloudWatch Metrics

CloudWatch Standard Metrics

CloudWatch Custom Metrics

Create a policy, create a role, and attach the IAM role to the EC2 instance

Test

aws cloudwatch list-metrics

Test put-metric-data

[
  {
    "MetricName": "New Posts",
    "Timestamp": "Tuesday, January 08, 2024 8:28:20 AM",
    "Value": 0.50,
    "Unit": "Count"
  }
]

# metric.js holds the JSON array above
aws cloudwatch put-metric-data --namespace "JSGuruCustomMetric" --metric-data file://metric.js

# $TOKEN is the IMDSv2 session token requested in the next section
aws cloudwatch put-metric-data --metric-name CloudWatchAlarmValue --namespace JSGuruCustomMetric --unit Percent --value 50 --dimensions InstanceID=$(curl -s -X GET -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id),InstanceType=$(curl -s -X GET -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-type)

Request EC2 API Token

TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`
echo $TOKEN

Get EC2 meta-data and user-data

curl -X GET -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data
curl -X GET -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id

curl -X GET -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/user-data

Create Alarm

Notification

Trigger Lambda Function

Trigger AutoScale Group with Action

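As an added example (not part of this gist), the token exchange that the two curl commands above perform, written in Python against a small mock of IMDSv2 so it runs offline. The mock, its FAKE_METADATA values and the function names are constructed for this example; the mock answers metadata requests only when a valid session token header is present and refuses token-less (IMDSv1-style) requests with 401, which is what an instance configured to require IMDSv2 does.

```python
import http.server
import secrets
import threading
import urllib.error
import urllib.request

FAKE_METADATA = {"instance-id": "i-0123456789abcdef0", "instance-type": "t3.micro"}  # constructed values
TOKEN_HDR = "X-aws-ec2-metadata-token"
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"

class MockIMDSv2(http.server.BaseHTTPRequestHandler):
    """Stand-in for IMDSv2: PUT /latest/api/token issues a session token; GET needs a valid one."""
    tokens = set()

    def do_PUT(self):
        ttl = self.headers.get(TTL_HDR, "")
        if self.path != "/latest/api/token" or not ttl.isdigit() or not 1 <= int(ttl) <= 21600:
            return self._reply(400, "bad token request")
        self.tokens.add(token := secrets.token_urlsafe(32))
        self._reply(200, token)

    def do_GET(self):
        if self.headers.get(TOKEN_HDR) not in self.tokens:
            return self._reply(401, "Unauthorized")  # token-less (IMDSv1-style) request is refused
        key = self.path.removeprefix("/latest/meta-data/")
        self._reply(200, FAKE_METADATA[key]) if key in FAKE_METADATA else self._reply(404, "not found")

    def _reply(self, status, body):
        self.send_response(status)
        self.end_headers()
        self.wfile.write(body.encode())

def start_mock_imds():  # serve the mock on a free loopback port in the background
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), MockIMDSv2)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}"

def request(base, path, method="GET", headers=None):  # (status, body); HTTP errors returned, not raised
    try:
        with urllib.request.urlopen(urllib.request.Request(base + path, method=method, headers=headers or {}), timeout=2) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()

def imds_get(base, key, ttl=21600):
    """The exchange the curl commands above perform: PUT for a token, then GET with that token."""
    _, token = request(base, "/latest/api/token", "PUT", {TTL_HDR: str(ttl)})
    status, body = request(base, "/latest/meta-data/" + key, headers={TOKEN_HDR: token})
    assert status == 200, f"metadata request refused with HTTP {status}"
    return body
```

Run imds_get(start_mock_imds(), "instance-id") to see the two requests logged by the mock; on a real instance the base URL is http://169.254.169.254 and the values are those the put-metric-data command above passes as dimensions.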