Adrian Cantrill Cards Flashcards
CLB vs ALB
- ALB can route based on Layer 7 (host header, URL path)
- ALB can handle multiple domains and understands URL paths
- ALB can handle multiple SSL/TLS certs (via SNI), so permits consolidating several sites onto a single ALB
- CLB cannot understand Layer 7 (one cert per listener, no host/path routing)
- ALB supports ECS, Lambda, etc. as targets
When to use site-to-site VPN
- Managed Service
- HA by design
- Connect non-AWS to AWS
- Quick to set up and secure
Reserved instance billing
- Used for constant steady-state usage
- You exchange flexibility for discounts
- Generally a 1- or 3-year commitment, with no-upfront, partial-upfront, or all-upfront payment options.
Lambda key facts
- Billed for execution time: max 15 mins.
- Cold start (running environment created from new)
- Warm start (environment reused)
- Execution role = IAM role providing the function's permissions.
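The cold/warm distinction above has a direct coding consequence: anything set up at module scope is created once per execution environment (the cold start) and reused by every warm invocation, while anything created inside the handler is paid for on every call. The simulation below is an added example and not code from the flashcards or from AWS; `FakeClient` is a hypothetical stand-in for an expensive resource such as an SDK client or DB connection, and `run_warm` stands in for Lambda invoking the same environment repeatedly.

```python
import time

MAX_DURATION_S = 15 * 60  # Lambda's hard per-invocation ceiling (15 minutes)


class FakeClient:
    """Hypothetical stand-in for an expensive resource (SDK client, DB connection)."""
    opened = 0  # how many clients have been constructed so far (class-wide counter)

    def __init__(self):
        FakeClient.opened += 1
        time.sleep(0.001)  # pretend the connection handshake costs something

    def query(self, n):
        return n * 2


# Module scope runs once per execution environment: this is the cold start.
# A warm start reuses whatever is already bound here.
_client = None


def handler_cached(event, context=None):
    """Creates the client lazily on the first (cold) invocation, reuses it afterwards."""
    global _client
    if _client is None:  # only true on a cold start
        _client = FakeClient()
    return _client.query(event["n"])


def handler_naive(event, context=None):
    """Opens a new client on every invocation, paying the setup cost each time."""
    return FakeClient().query(event["n"])


def run_warm(handler, events):
    """Invoke `handler` for each event inside one (simulated) execution environment.

    Returns (results, clients_opened_during_this_run). Each invocation is also
    checked against the 15-minute ceiling, which a real Lambda enforces by
    killing the invocation.
    """
    opened_before = FakeClient.opened
    results = []
    for event in events:
        start = time.perf_counter()
        results.append(handler(event))
        if time.perf_counter() - start > MAX_DURATION_S:
            raise TimeoutError("invocation exceeded the Lambda maximum duration")
    return results, FakeClient.opened - opened_before


if __name__ == "__main__":
    # Constructed sample events: three invocations in one environment.
    events = [{"n": 1}, {"n": 2}, {"n": 3}]
    print("cached:", run_warm(handler_cached, events))  # one client for three calls
    print("naive: ", run_warm(handler_naive, events))   # one client per call
```

The cached handler opens one client for the whole life of the environment; a second batch of invocations on the same environment opens none at all, which is exactly the warm-start reuse the card describes.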
Service control policies
- Act as permissions boundaries for whole accounts in an AWS Organization. Limit what all identities in a member account can do, even the account root user. Do not apply to the management (master) account.
Relational databases
- RDS Oracle
- RDS MySQL
- RDS MariaDB
- RDS PostgreSQL
- RDS Aurora
- Redshift (column-oriented data warehouse)
VPC
- Isolated network
- Blast-radius isolation for the network
- One or more IPv4 CIDRs (/28 smallest to /16 largest)
- Can have IPv6 allocated
- Region resilient
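A check worth having in any VPC provisioning script is that the chosen CIDR actually falls in the /16 to /28 range the card states, and that the subnets carved from it leave enough usable addresses once AWS's five reserved addresses per subnet (network, VPC router, DNS, future use, broadcast) are taken off. The following is an added example, not code from the flashcards or from AWS; the function names and the `RESERVED_PER_SUBNET` constant are this example's own.

```python
import ipaddress

VPC_LARGEST_PREFIX = 16    # /16 = 65,536 addresses, the biggest IPv4 CIDR a VPC accepts
VPC_SMALLEST_PREFIX = 28   # /28 = 16 addresses, the smallest
RESERVED_PER_SUBNET = 5    # AWS reserves 5 addresses in every subnet


def validate_vpc_cidr(cidr):
    """Return the network if `cidr` is a valid IPv4 VPC CIDR, otherwise raise ValueError."""
    # strict=True rejects host bits being set, e.g. 10.0.0.1/24
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("only IPv4 CIDRs are chosen by the user; IPv6 is allocated by AWS")
    if not VPC_LARGEST_PREFIX <= net.prefixlen <= VPC_SMALLEST_PREFIX:
        raise ValueError(f"{net} is outside the allowed /16 to /28 range")
    return net


def is_valid_vpc_cidr(cidr):
    """Boolean form of validate_vpc_cidr for callers that only need yes/no."""
    try:
        validate_vpc_cidr(cidr)
        return True
    except ValueError:
        return False


def plan_subnets(cidr, az_count, subnet_prefix):
    """Carve one subnet per AZ out of the VPC CIDR.

    Returns a list of (subnet_cidr, usable_hosts) tuples, where usable_hosts
    already excludes the addresses AWS reserves.
    """
    net = validate_vpc_cidr(cidr)
    if not net.prefixlen <= subnet_prefix <= VPC_SMALLEST_PREFIX:
        raise ValueError(f"subnet prefix /{subnet_prefix} must lie between /{net.prefixlen} and /28")
    subnets = list(net.subnets(new_prefix=subnet_prefix))
    if len(subnets) < az_count:
        raise ValueError(f"{net} only yields {len(subnets)} /{subnet_prefix} subnets, need {az_count}")
    return [(str(s), s.num_addresses - RESERVED_PER_SUBNET) for s in subnets[:az_count]]


if __name__ == "__main__":
    # Constructed inputs: a /16 VPC split into one /24 per AZ across two AZs.
    print(plan_subnets("10.0.0.0/16", 2, 24))
    print(is_valid_vpc_cidr("10.0.0.0/15"), is_valid_vpc_cidr("10.0.0.0/29"))
```

Note that the smallest legal VPC, a /28, carved into a single /28 subnet leaves only 11 usable addresses, which is why tiny CIDRs are rarely practical.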
CloudHSM
- Uses industry-standard APIs (PKCS#11, JCE, CNG) rather than AWS-native APIs
- Same envelope-encryption architecture as KMS (CMK/DEK)
- FIPS 140-2 Level 3 validated
- Exclusive control: AWS has no access to the keys
CLB end-to-end encryption
- For an unbroken end-to-end encrypted connection, use a TCP listener (e.g. TCP:443 to TCP:443) so the LB passes the TLS session through without decrypting it. The CLB then needs no SSL cert installed; the backend instances terminate TLS.
7-Layer ISO model
- Layer 7: Application
- Layer 6: Presentation
- Layer 5: Session
- Layer 4: Transport
- Layer 3: Network
- Layer 2: Data Link
- Layer 1: Physical
Please Do Not Throw Salty Peanuts Away (layers 1 to 7, bottom up)
When not to use Site-to-Site VPN
- Low latency
- Consistent latency
- High Speed
- Non-internet transit
CloudFront geo restriction
- Allow list or block list
- Location only (country code)
- Cannot use any other field/aspect of customer sessions
What is an edge location?
- A smaller infrastructure unit. Edge locations are capable of running limited edge computing and are generally used by CloudFront for content distribution. They are located as close to major population centers as possible.
What is an AZ
- An availability zone (an isolated unit of AWS infrastructure).
- A region can have one or more AZs.
- One failing AZ should be isolated from others.
- AZs might be 1 building or more.
- AZs can have many isolated units of compute, storage, and networking.
Internet gateway
- Attached to one VPC, and a VPC can have only one IGW
- Translates private IPs to and from public IPs/EIPs (static 1:1 NAT for IPv4)
- Needs a route table (RT) route (0.0.0.0/0 or ::/0 pointing at the IGW)
- Highly available by design across all AZs in the region; used for public internet access for both IPv4 and IPv6
S3 transfer acceleration
- Provides new endpoint
- Uses the AWS global network for transit
- Entry point is a local CF (CloudFront) location, backhauled to bucket location
- MUCH faster than using S3 directly
EMR types
- Master node (only one per EMR cluster)
- Core Nodes
- Task Nodes
Persistent Data
- Data that exists beyond the lifetime of the thing it's attached to. An EBS volume continues to exist after its instance is stopped, restarted, or terminated (the latter only if "Delete on termination" is disabled).
Cross-zone load balancing
- A setting that is always on for ALB and optional for CLB. Allows an ELB node to distribute connections to instances/targets in other AZs, for a more even distribution of connections across AZs.
X-Forwarded-For
- The X-Forwarded-For request header helps you identify the IP address of a client when you use an HTTP or HTTPS load balancer. The LB appends the source IP of the original front-end viewer (the originating IP address of a client connecting through an HTTP proxy or load balancer). Because the header is appended to rather than replaced, any value the client itself sent stays at the front; only the entry the LB added (the last one) is trustworthy, and only if the request really came through the LB.
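The practical consequence of the card above is that an application must pick the entry written by its own load balancer, counted from the right, and must ignore the header entirely when the TCP peer is not one of its LB nodes. The code below is an added example, not code from the flashcards or from AWS; the sample header values, the `172.31.0.0/16` VPC range used as the LB network, and the function names are all constructed for this illustration.

```python
import ipaddress


def _parse_hops(raw):
    """Split an X-Forwarded-For value into its comma-separated entries, oldest first."""
    return [h.strip() for h in raw.split(",") if h.strip()]


def naive_client_ip(headers, remote_addr):
    """The common mistake: trust the first entry. A client can pre-populate the
    header before it ever reaches the LB, so this is whatever the sender chose."""
    hops = _parse_hops(headers.get("X-Forwarded-For", ""))
    return hops[0] if hops else remote_addr


def client_ip(headers, remote_addr, proxy_networks, trusted_proxies=1):
    """Return the real client IP for a request that reached us through
    `trusted_proxies` load-balancer/proxy hops (1 for a single ELB).

    proxy_networks: CIDRs the LB nodes live in (for an ALB, its VPC subnets).
    If the TCP peer is not inside one of them the request bypassed the LB,
    so the header is untrusted and the peer address is returned instead.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in ipaddress.ip_network(n) for n in proxy_networks):
        return str(peer)
    hops = _parse_hops(headers.get("X-Forwarded-For", ""))
    if len(hops) < trusted_proxies:
        return str(peer)  # header missing or truncated: fall back to the peer
    # Each trusted hop appends exactly one entry, so the entry written by the
    # hop closest to the client is the trusted_proxies-th from the right.
    # Everything to the left of it was supplied by the client and is ignored.
    candidate = hops[-trusted_proxies]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return str(peer)  # garbage in the header: never propagate it into logs or ACLs


# Constructed sample: the client injected "10.0.0.1" itself, the ELB appended
# the true source 203.0.113.9, and the backend sees the ELB node 172.31.5.20 as its peer.
SPOOFED = {"X-Forwarded-For": "10.0.0.1, 203.0.113.9"}
LB_NETWORKS = ["172.31.0.0/16"]


def demo():
    """Compare the naive and rightmost-from-trusted-hop readings on the sample request."""
    return {
        "naive": naive_client_ip(SPOOFED, "172.31.5.20"),
        "correct": client_ip(SPOOFED, "172.31.5.20", LB_NETWORKS),
        # same header arriving directly on the backend, not from an LB node
        "bypassed_lb": client_ip(SPOOFED, "198.51.100.7", LB_NETWORKS),
    }


if __name__ == "__main__":
    print(demo())
```

With CloudFront in front of an ALB there are two trusted hops, so `trusted_proxies=2` selects the entry CloudFront appended (the viewer's address) rather than the CloudFront edge address the ALB appended last.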
CloudFormation stack
- Created from a template. Maps logical resources in the template to physical resources in AWS. The lifecycle of the physical resources is tied to the stack: creating, updating, or deleting the stack does the same to the physical resources.
IAM Group
- Not a principal; cannot be referenced in policies
- Has IAM users as members
- Can have policies associated (inline or managed)
- cannot be “logged in to” - has no credentials.