AWS Solutions Architect - Associate Certification preparation notes

Well Architected Framework - Five Pillars

- Operational Excellence
- Reliability
- Security
- Performance Efficiency
- Cost Optimisation

Edge Locations are AWS data centers located around the world, designed to give low-latency access to two AWS services.

Services that run on Edge Locations:
- Route53
- CloudFront

CSA Terminology

High Availability - Refers to architectures that continue to remain available to end users in the event of a component or system failure. On AWS, multi-AZ architectures allow your applications to remain available in the event of an AZ outage.

Fault Tolerance - Refers to architectures that not only remain available during an outage (High Availability) but also suffer no degradation in performance. Fault-tolerant architectures usually require extra redundancy and should be traded off against cost concerns.

Scalability - Refers to the ability of a system to easily increase in size and capacity in a cost-effective way (usually based on usage demand). Scaling can be vertical (increase the capacity of a single instance or server) or horizontal (add or terminate instances to change their number).

Elasticity - Refers to the ease of a system's ability to change or adapt. Examples include automatically scaling out or in, updating firewall rules, and remapping IP addresses.

Cost Efficient - Refers to making the trade-offs required to make a system as inexpensive as possible while meeting all functional requirements.

Secure - Refers to following proper security guidelines and practices to secure a system at every layer.

Identity Federation

Authenticate users using an identity broker application running outside of AWS:
- Custom Identity Provider
- LDAP / Active Directory
- Web Identity

EBS Volumes (persistent storage)

- They can live beyond the life of the EC2 instance they are attached to
- Can only be attached to one instance at a time
- Can be backed up as snapshots in S3

Instance Store (ephemeral storage)

- The volumes only exist for the duration of the life of the instance
- Data is erased when the instance is stopped or shut down
- The instance can be rebooted and still maintain its ephemeral data

Elastic File System

- Can be used by multiple instances
- For data/application files
- Can be used to host web application files. This makes deployment easier.
- Use EFS File Sync to copy local files to EFS.

Tags

Used for names, grouping by project/department, billing purposes

Placement Groups

- Is a cluster of instances within the same availability zone
- Used for applications that require an extremely low-latency network between them
- Use network-enhanced instances
- Launch instances at the same time
- Not compatible with t-instances

Spot Instances

- Use cases: batch processing, EMR task nodes, compute-intensive simulations
- Spot block: specify a duration during which instances will not be terminated

VPC Architecture

- Create a VPC with an IPv4 CIDR block that is large enough, say 192.168.0.0/16 (16 bits, because the highest is /32). The 0.0 can go as high as 256.256
- 8 bits has 256 (minus 5) IP addresses; AWS reserves 5 addresses by default

- Create an IGW and attach it to the VPC
- Create subnets. The CIDR block for subnets must be a portion of the CIDR of the attached VPC
  - Subnet 1: 192.168.0.0/24
  - Subnet 2: 192.168.2.0/24
- Create custom route tables
  - Public route
    - Set destination as 0.0.0.0/0 (the internet)
    - Set target as the IGW created above
    - Associate the route with public subnets (usually with a smaller number of addresses)
  - Private
    - Leave default routes
    - Associate the route with private subnets (usually with a higher number of addresses, due to the number of resources that use them)

What makes a subnet public or private?

- Private subnets: are not associated with a custom route table that has a route out to the internet through the internet gateway

Route tables

- A route table contains a set of rules, called routes, that are used to determine where network traffic is directed
- A route table's rules are comprised of two main components:
  - Destination: the CIDR block range of the target (where data is routed)
  - Target: a name identifier of where the data is being routed to
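The subnet and route-table rules above, checked in code. This is an added example, not part of the original notes: it verifies that each subnet is a portion of the VPC CIDR with no overlaps, subtracts the five AWS-reserved addresses, and classifies a subnet as public only when its route table sends 0.0.0.0/0 to an IGW target. The route tables and the `igw-`/`nat-` IDs are constructed placeholders.

```python
import ipaddress

AWS_RESERVED_PER_SUBNET = 5  # network address, VPC router, DNS, future use, broadcast

def usable_addresses(cidr: str) -> int:
    """Addresses a subnet can actually hand out after the five AWS reserves."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET

def validate_subnets(vpc_cidr: str, subnet_cidrs) -> list:
    """Each subnet must be a portion of the VPC block, and no two may overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    errors = []
    for n in nets:
        if not n.subnet_of(vpc):
            errors.append(f"{n} is not inside VPC {vpc}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                errors.append(f"{a} overlaps {b}")
    return errors

def is_public(route_table) -> bool:
    """Public means a route whose destination is 0.0.0.0/0 and whose target is an IGW."""
    return any(r["destination"] == "0.0.0.0/0" and r["target"].startswith("igw-")
               for r in route_table)

def classify(subnets, associations, route_tables) -> dict:
    """Map each subnet CIDR to 'public' or 'private' via its associated route table."""
    return {s: ("public" if is_public(route_tables[associations[s]]) else "private")
            for s in subnets}

# Constructed sample layout; the igw-/nat- IDs are placeholders, not real resources.
VPC = "192.168.0.0/16"
SUBNETS = ["192.168.0.0/24", "192.168.2.0/24"]
ROUTE_TABLES = {
    "rtb-public":  [{"destination": VPC, "target": "local"},
                    {"destination": "0.0.0.0/0", "target": "igw-PLACEHOLDER"}],
    "rtb-private": [{"destination": VPC, "target": "local"},
                    {"destination": "0.0.0.0/0", "target": "nat-PLACEHOLDER"}],  # NAT is not an IGW
}
ASSOCIATIONS = {"192.168.0.0/24": "rtb-public", "192.168.2.0/24": "rtb-private"}

if __name__ == "__main__":
    print(validate_subnets(VPC, SUBNETS))             # [] when the layout is sound
    print(classify(SUBNETS, ASSOCIATIONS, ROUTE_TABLES))
    print(usable_addresses("192.168.0.0/24"))        # 251
```

A subnet whose default route points at a NAT gateway still comes out private, which is the distinction the notes draw between the public and private route tables.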

Network Access Control List

- Firewalls that operate at the subnet level
- They support allow and deny rules for traffic travelling into or out of a subnet
- Rules are evaluated from lowest to highest based on a rule number; they process rules in number order when deciding whether to allow traffic (lowest to highest)
- Stateless: if a rule is added as an inbound rule, the corresponding traffic must also be allowed by an outbound rule. Say an HTTP request comes in on port 80; the response must be allowed out on port 80
- It is best practice to increment rule numbers by 10, so that if you have to place a rule in a certain order later it does not create an issue.
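A small NACL evaluator illustrating the stateless, lowest-number-first behaviour described above. This is an added example, not from the original notes; the rule sets and the 203.0.113.0/24 and 198.51.100.7 addresses are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    number: int      # evaluated lowest to highest; the implicit '*' deny comes last
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound

def evaluate(rules, protocol, port, addr) -> str:
    """Return the action of the first matching rule in number order; default deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("all", protocol):
            continue
        if not (r.port_from <= port <= r.port_to):
            continue
        if ip_address(addr) not in ip_network(r.cidr):
            continue
        return r.action
    return "deny"  # the '*' rule at the end of every NACL

def request_allowed(inbound, outbound, client_ip, service_port, client_port) -> bool:
    """Stateless: the request and the response must each pass their own rule list."""
    request_ok = evaluate(inbound, "tcp", service_port, client_ip) == "allow"
    response_ok = evaluate(outbound, "tcp", client_port, client_ip) == "allow"
    return request_ok and response_ok

# Constructed sample ACL, numbered in steps of 10 so a rule can be slotted in later.
INBOUND = [
    Rule(90, "deny", "tcp", 80, 80, "203.0.113.0/24"),   # lower number, so wins over 100
    Rule(100, "allow", "tcp", 80, 80, "0.0.0.0/0"),
    Rule(110, "allow", "tcp", 443, 443, "0.0.0.0/0"),
]
OUTBOUND_BROKEN = []  # inbound half only: every response is dropped by the '*' rule
OUTBOUND_OK = [Rule(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]  # responses go back to the client's ephemeral port

if __name__ == "__main__":
    print(evaluate(INBOUND, "tcp", 80, "203.0.113.5"))                      # deny (rule 90)
    print(request_allowed(INBOUND, OUTBOUND_BROKEN, "198.51.100.7", 80, 40000))  # False
    print(request_allowed(INBOUND, OUTBOUND_OK, "198.51.100.7", 80, 40000))      # True
```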

Load balancer

- Filter out SQL injection or cross-site scripting using AWS WAF (Web Application Firewall)

Network Load Balancer

- Designed for extreme performance. It does not need to scale to handle large traffic spikes.
- Supports a static/elastic IP address per AZ
- No SSL offloading (important)

Sticky sessions

- Use sticky sessions for stateful applications
- The load balancer adds a cookie to a response the first time and uses it to determine where to send subsequent traffic.
- It is not recommended to use a relational database to store session information. A horizontally scalable non-relational database is preferred instead.

Bastion Host

- Is an EC2 instance that lives in a public subnet, and is used as a "gateway" for traffic that is destined for instances in private subnets
- This means we can use it as a "portal" to access EC2 instances that are located in a private subnet

NAT Gateway

- Use a NAT gateway in public subnets to route internet connections from a private subnet to the internet gateway and then the internet
- A NAT Gateway is designed to provide EC2 instances that live in a private subnet with a route to the internet (so they can download software packages and updates)
- Will prevent any hosts outside of the VPC from initiating a connection with instances that are associated with it
- MUST be created in a public subnet
- Must be part of the private subnets' route table

VPC Endpoints

- For services such as S3 and DynamoDB, to route traffic through a private subnet and not the open internet

VPC Peering

- It is used to create a connection between two or more VPCs
- They don't have to be in the same regions/accounts

VPC flow logs

- Allows you to collect information about the IP traffic going to and from network interfaces in your VPC
- Used to see traffic flowing through a VPC

S3 for DNS Failover

- Use case: as a backup page when the site is down for any reason
- For a DNS record to use an S3 bucket as an endpoint, the bucket name MUST be the same as the domain name

DynamoDB

- Can have just a primary key (provided it is unique)
- Must have primary and sort keys if the primary key is not unique
- Scan returns all the items in the table
- Query can be used to filter items in a table

RedShift

- A data warehouse; very large
- Different from other DBs because it is optimised for analytics
- Has a leader node and compute nodes; you connect to the leader node
- A compute node can hold a max of 1.6 Petabytes of data in total
- Can use Spectrum to extend queries to objects in an S3 bucket. Redshift Spectrum is a separate service that extends Redshift to query data in S3 buckets

S3

S3 read consistency rules

- All regions now support read-after-write consistency for PUTs of new objects into S3. Objects can be immediately available after "putting" to S3.
- All regions use eventual consistency for PUTs overwriting existing objects and DELETEs of existing objects.

S3 Select

- Write SQL statements against CSV/JSON files stored in S3, to get data out of the CSV/JSON instead of downloading everything

Glacier

- It is archival storage
- Objects are called archives
- Objects can be transitioned into Glacier using lifecycle properties
- Encryption is on by default and cannot be disabled
- You can restore objects that were transitioned from S3 to Glacier, so that they come back to S3 for a short period. When this period is over, the objects go back to Glacier.

Multi-part upload

- Required for objects 5GB and larger
- Highly suggested for objects of 100MB and more
- Can be used to upload a file up to 5TB in size

Transfer Acceleration

- Use Transfer Acceleration to speed up file uploads to S3 through CloudFront edge locations

CloudFormation

Helper scripts

- cfn-init: to install packages
- cfn-signal: to signal back to CloudFormation that an action has taken place
- cfn-hup: in-place instance update of packages and software

Disaster Recovery

- RTO (Recovery Time Objective) - how long to recover
- RPO (Recovery Point Objective) - how much data is lost

Strategies

- Backup and restore
  - Back up data to AWS or a second region (AWS)
  - RTO: how long it takes to launch instances, restore data and update DNS
  - RPO: data generated since the last backup
- Route53 failover
