08 - Networking and Content Delivery Flashcards

1
Q

API Gateway

A

1) AWS service for REST, HTTP, and WebSocket APIs
* Creates
* Publishes
* Maintains
* Monitors
* Secures
2) Lambda + Gateway = No infrastructure to manage
3) Handles API versioning
4) Handles Authentication and Authorization
5) Integrates with: Lambda, Endpoints on EC2, Load Balancers, Any AWS service, External and public HTTP endpoints

2
Q

API Gateway Part 2

A

1) API Deployment: point-in-time snapshot of your API Gateway resources and methods; must be deployed before clients can use it
2) API endpoints: rest-api-id.execute-api.region.amazonaws.com
3) API Key: Used by an app developer who uses your API
4) API Stage: Logical reference to a lifecycle state of your API
5) Private Integration: Client accesses resources inside the customer's VPC through a private API endpoint. Traffic does not traverse the Internet
6) Proxy Integration: Can pass the request and response straight through to an HTTP backend, or send the request as input to Lambda

3
Q

API Gateway Part 3

A

1) Method Requests
* The public interface of your API; defines what your endpoint expects, required elements, etc
* Can specify requirements such as an Authorization header here for authentication and authorization (AA)

2) Integration Request
* The method request has authenticated the request and validated its structure; now it has to be transformed for the backend
* Not necessary for HTTP proxy or Lambda Proxy integration

3) Integration Response
* Used to standardize the response so the method response can handle it
* Inverse of the integration request
* Use a regex pattern to identify the status code of your response

4) Method Response
* Not necessary if using Lambda Proxy or HTTP proxy integration
* Much like method request; used to validate output to client
* Returns 200 OK by default
* You must create method responses before you can use a given status code in an integration response

4
Q

API Gateway Caching

A

1) Default TTL is 300 seconds (min 0, max 3600)
2) Caches are defined per stage
3) Caches can be encrypted and have a capacity between 0.5GB and 237GB
4) Clients can invalidate an existing cache entry and reload it from the integration endpoint for each individual request
5) Client must send request with Cache-Control: max-age=0 header

5
Q

API Gateway Deployments

A

1) Making changes in API Gateway doesn’t mean they are in effect
2) You need to make a deployment for them to come in effect
3) Changes are deployed to “Stages” using a name of your choosing
4) Each stage has its own configuration parameters
5) Stages can be rolled back, as history is kept
6) Stage variables are passed to the “context” object when using Lambda

6
Q

API Gateway CORS

A

1) The OPTIONS pre-flight request must contain the following headers
* Access-Control-Allow-Methods
* Access-Control-Allow-Headers
* Access-Control-Allow-Origin

7
Q

Amazon Route 53 Cheat Sheet

A

1) Route53 - Highly available and scalable Domain Name System (DNS) web service
2) Type of Routing Policy:
* Simple Routing - Default routing policy, multiple addresses result in a random endpoint selection
* Weighted Routing - Split up traffic based on different ‘weights’ assigned (percentages)
* Latency based Routing - Directs traffic based on region, for lowest possible latency for users.
* Failover Routing - Primary site in one location, secondary data recovery site in another (fails over based on health checks)
* Geolocation Routing - Routes traffic based on the geographic location of a request's origin
* Geo-proximity Routing - Route traffic based on geographic location using ‘Bias’ values (needs Route53 Traffic Flow)
* Multi-value Answer Routing - Return multiple values in response to DNS queries (using health checks)
3) Traffic Flow - visual editor, for chaining routing policies, can version policy records for easy rollback
4) AWS Alias Record - AWS’ smart DNS record, detects changed IPs for AWS resources and adjusts automatically
5) Route53 Resolver - Lets you regionally route DNS queries between your VPCs and your own network (hybrid environments)
6) Health checks can be created to monitor endpoints and automatically fail over. You can have health checks monitor other health checks

8
Q

Amazon Virtual Private Cloud (VPC) Endpoint CheatSheet

A

1) VPC - Provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define
2) VPC Endpoints help keep traffic between AWS services within the AWS network. There are 2 kinds of VPC Endpoints: Interface Endpoints and Gateway Endpoints
3) Interface Endpoints cost money, Gateway Endpoints are free
4) Interface Endpoints use an Elastic Network Interface (ENI) with a private IP (powered by AWS PrivateLink)
5) A Gateway Endpoint is a target for a specific route in your route table
6) Interface Endpoints support many AWS services
7) Gateway Endpoints only support DynamoDB and S3

9
Q

Amazon VPC Flow Logs CheatSheet

A

1) VPC Flow Logs monitor the in-and-out traffic of your Network Interfaces within your VPC
2) You can turn on Flow Logs at the VPC, Subnet or Network Interface level
3) VPC Flow Logs cannot be tagged like other AWS resources
4) You cannot change the configuration of a flow log after it’s created
5) You cannot enable flow logs for VPCs that are peered with your VPC unless they are in the same account
6) VPC Flow Logs can be delivered to S3 or CloudWatch Logs
7) VPC Flow Logs contain the source and destination IP addresses (not hostnames)
8) Some instance traffic is not monitored:
* Instance traffic generated by contacting the AWS DNS servers
* Windows license activation traffic from instances
* Traffic to and from the instance metadata address (169.254.169.254)
* DHCP Traffic
* Any traffic to the reserved IP address of the default VPC router

10
Q

Amazon VPC Network Access Control List (NACL) CheatSheet

A

1) NACL - An (optional) layer of security that acts as a firewall for controlling traffic in and out of subnet(s)
2) VPCs are automatically given a default NACL which allows all outbound and inbound traffic
3) Each subnet within a VPC must be associated with a NACL
4) Subnets can only be associated with 1 NACL at a time. Associating a subnet with a new NACL will remove the previous association.
5) If a NACL is not explicitly associated with a subnet, the subnet will automatically be associated with the default NACL
6) NACL has inbound and outbound rules (just like Security Groups)
7) Rule can either allow or deny traffic (unlike Security Groups which can only allow)
8) NACLs are STATELESS
9) When you create a NACL it will deny all traffic by default
10) NACLs contain a numbered list of rules that are evaluated in order from lowest to highest
11) If you need to block a single IP address you can do so via NACLs (Security Groups cannot deny)

11
Q

Amazon VPC Security Groups CheatSheet

A

1) Security Groups - A virtual firewall that controls the traffic to and from EC2 instances
2) Security Groups act as a firewall at the instance level
3) Unless allowed specifically, all inbound traffic is blocked by default
4) All Outbound traffic from the instance is allowed by default
5) You can specify the source as either an IP range, a single IP address or another security group
6) Security Groups are STATEFUL
7) EC2 Instances can belong to multiple Security Groups
8) Security Groups can contain multiple EC2 Instances
9) You cannot block specific IP addresses with Security Groups, for this you would need a NACL
10) You can have up to 10,000 Security Groups per Region (default 2,500)
11) You can have 60 inbound and 60 outbound rules per Security Group
12) You can have 16 Security Groups associated to an ENI (default is 5)

12
Q

Amazon VPC Network Address Translation (NAT) CheatSheet

A

1) NAT is the method of re-mapping one IP address space into another
2) NAT Gateways are redundant inside an Availability Zone (can survive failure of EC2 instance)
3) You can only have 1 NAT Gateway inside 1 AZ (cannot span AZs)
4) Starts at 5 Gbps and scales all the way up to 45 Gbps
5) NAT Gateways are automatically assigned a public IP address
6) Route Tables for the NAT Gateway MUST be updated
7) Resources in multiple AZs sharing a Gateway will lose internet access if the Gateway goes down, unless you create a Gateway in each AZ and configure route tables accordingly

13
Q

Amazon CloudFront Cheat Sheet

A

1) CloudFront is a CDN (Content Distribution Network). It makes websites load faster by serving cached content from a nearby location
2) CloudFront distributes cached copy at Edge Locations
3) Edge Locations aren’t read-only; you can also write to them, eg. PUT objects
4) TTL (Time to Live) defines how long until the cache expires (refreshes cache)
5) Refreshing the cache costs money because of transfer costs to update Edge Locations
6) Origin is the address of where the original copies of your files reside eg. S3, EC2, ELB, Route53
7) Distribution defines a collection of Edge Locations and behaviour on how it should handle your cached content
8) Distribution has 2 Types: Web Distribution (static website content), RTMP (streaming media)
9) Origin Access Identity (OAI) is used to access private S3 buckets
10) Access to cached content can be protected via Signed Urls or Signed Cookies
11) Lambda@Edge allows you to pass each request through a Lambda to change the behaviour of the response

14
Q

Amazon API Gateway Cheat Sheet

A

1) API Gateway is a solution for creating secure APIs in your cloud environment at any scale
2) Create APIs that act as a front door for applications to access data, business logic, or functionality from back-end services
3) API Gateway throttles API endpoints at 10,000 requests per second (can be increased via a service request through AWS Support)
4) Stages allow you to have multiple published versions of your API eg. prod, staging, QA
5) Each stage has an Invoke URL which is the endpoint you use to interact with your API
6) You can use a custom domain for your Invoke URL eg. api.exampro.co
7) You need to publish your API via Deploy API. You choose which Stage you want to publish your API
8) Resources are your URLs eg. /projects
9) Resources can have child resources eg. /projects/-id-/edit
10) You define multiple Methods on your Resources eg. GET, POST, DELETE
11) CORS issues are common with API Gateway, CORS can be enabled on all or individual endpoints
12) Caching improves latency and reduces the amount of calls made to your endpoint
13) Same Origin Policies help to prevent XSS attacks
14) Same Origin Policies ignore tools like postman or curl
15) CORS is always enforced by the client
16) You can require Authorization to your API via AWS Cognito or a custom Lambda.
