All Flashcards
S3 - How is a key defined?
The key is the object's unique name within a bucket and is used like a file path.
It may contain slashes, backslashes, dots or dashes; S3 has no real directories, a "/" in the key is only a naming convention that the console renders as folders.
S3 - What is the durability / availability of S3 Standard?
- 99.999999999% (eleven nines) durability, objects being stored redundantly across multiple AZs
- 99.99% availability
S3 - How is data consistency handled?
At the time of these cards: read-after-write consistency for PUTs of new objects, but eventual consistency for overwrite PUTs and DELETEs (the object is replicated across several facilities and a read could still hit a copy that was not yet updated).
Since December 2020 S3 gives strong read-after-write consistency for all PUT and DELETE operations, so a read after a successful write always returns the latest version.
S3 - Describe S3 Standard - Infrequent Access
Same durability as Standard.
Storage costs are lower, but there is a per-GB retrieval fee.
Each object is billed for at least 128 KB and for a minimum storage duration of 30 days (deleting earlier is charged as if it had stayed).
S3 - What is a typical object lifecycle?
- Initially store in S3 Standard
- After 30 days transition to S3 IA
- After 90 days transition to Glacier
- After 3 years delete the file
S3 - What is SSE-S3?
"Check-box style" encryption: S3 encrypts every object with AES-256 and AWS handles key generation, rotation and protection entirely.
S3 - What is SSE-KMS?
Fully integrated solution: the key lives in AWS KMS, the user controls it (key policy, rotation, CloudTrail audit of every use) and S3 performs the encryption. Reading an object then also requires permission to use the key, which gives a second access control on top of the bucket/IAM policy.
S3 - What is SSE-C?
The user supplies the encryption key with every request; S3 performs the encryption with it but does not store the key, only a salted HMAC of it to validate later requests. Lose the key and the object is unreadable; use HTTPS, because the key travels in request headers.
S3 - What is Client-Side encryption?
Data is encrypted by the client before it is sent to S3, so S3 never sees the plaintext or the key (e.g. with a KMS key or a client-managed master key via the SDK's encryption client).
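Added example (not from the cards, and not AWS SDK code): the request headers each server-side mode needs, built with the standard library only, plus a check that classifies a PUT the way a bucket policy conditioned on the x-amz-server-side-encryption header sees it. The SSE-C key is generated for the demo; nothing is sent to S3.

```python
"""Server-side encryption headers for S3 PUT requests and a check that
flags unencrypted uploads. Added example, standard library only; nothing
here talks to S3. The SSE-C key is generated for the demo."""
import base64
import hashlib
import os


def sse_s3_headers() -> dict:
    """SSE-S3: S3 owns and manages the key; the request only asks for AES256."""
    return {"x-amz-server-side-encryption": "AES256"}


def sse_kms_headers(key_id: str) -> dict:
    """SSE-KMS: a KMS key the caller controls (the caller also needs
    kms:GenerateDataKey on upload and kms:Decrypt on download)."""
    return {
        "x-amz-server-side-encryption": "aws:kms",
        "x-amz-server-side-encryption-aws-kms-key-id": key_id,
    }


def sse_c_headers(key: bytes) -> dict:
    """SSE-C: the caller sends its own 256-bit key with every request,
    base64-encoded (HTTPS only!) plus its MD5 so S3 can reject a corrupted key."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) key")
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": base64.b64encode(key).decode(),
        "x-amz-server-side-encryption-customer-key-MD5": base64.b64encode(
            hashlib.md5(key).digest()).decode(),
    }


def encryption_mode(headers: dict) -> str:
    """Classify a request: 'SSE-S3', 'SSE-KMS', 'SSE-C' or 'NONE'.
    Header names are matched case-insensitively as HTTP requires."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-amz-server-side-encryption-customer-algorithm") == "AES256":
        key = base64.b64decode(h["x-amz-server-side-encryption-customer-key"])
        want = base64.b64encode(hashlib.md5(key).digest()).decode()
        if h.get("x-amz-server-side-encryption-customer-key-md5") != want:
            raise ValueError("SSE-C key MD5 mismatch")   # S3 rejects this too
        return "SSE-C"
    return {"AES256": "SSE-S3", "aws:kms": "SSE-KMS"}.get(
        h.get("x-amz-server-side-encryption"), "NONE")


def put_allowed(headers: dict, require: str = "aws:kms") -> bool:
    """Mirror of a bucket policy that denies s3:PutObject unless the
    x-amz-server-side-encryption header equals `require` ('AES256' or
    'aws:kms'). A request without the header fails here; real policies add
    a second statement with the Null condition operator for that case.
    SSE-C requests use different headers and are refused by this check too."""
    wanted = {"AES256": "SSE-S3", "aws:kms": "SSE-KMS"}[require]
    return encryption_mode(headers) == wanted


if __name__ == "__main__":
    demo_key = os.urandom(32)   # constructed for the demo; never reuse a demo key
    for hdrs in (sse_s3_headers(), sse_kms_headers("alias/app-data"),
                 sse_c_headers(demo_key), {}):
        print(encryption_mode(hdrs), put_allowed(hdrs))
```

The MD5 check in encryption_mode is what S3 itself does before using an SSE-C key: a single flipped byte in the key header would otherwise silently encrypt the object with the wrong key.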
S3 - What is MFA Delete Protection?
With versioning enabled, permanently deleting an object version or changing the bucket's versioning state additionally requires a valid code from an MFA device alongside the normal credentials. It can only be enabled by the root user.
S3 - What are Pre-Signed URLs?
URLs that carry a signature made with an IAM user's or role's credentials and an expiry time. Whoever holds the URL can access the private object with the signer's permissions until it expires, so treat the URL itself as a credential.
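Added example of how such a URL is produced (not from the cards and not AWS SDK code): SigV4 query-string signing done offline with the standard library. Bucket, key, region and timestamp are constructed; the credentials are the placeholder pair AWS uses in its documentation.

```python
"""Presigned S3 GET URL with SigV4 query-string authentication, computed
offline. Added example; it is not AWS SDK code. Bucket, key, region and
the credentials are placeholders constructed for the demo."""
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote

MAX_EXPIRES = 7 * 24 * 3600   # SigV4 presigned URLs live at most 7 days


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_get(bucket, key, region, access_key_id, secret_key,
                expires=3600, now=None):
    """Anyone holding the returned URL can GET the object with the signer's
    permissions until it expires. The secret key only enters the HMAC chain;
    the URL carries the access key id, never the secret."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("expires must be 1..604800 seconds")
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = now.strftime("%Y%m%d")
    scope = f"{date}/{region}/s3/aws4_request"
    host = f"{bucket}.s3.{region}.amazonaws.com"
    canonical_uri = "/" + quote(key, safe="/")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key_id}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: sorted by name, names and values RFC 3986-encoded.
    canonical_qs = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                            for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        "GET",
        canonical_uri,
        canonical_qs,
        f"host:{host}\n",      # canonical headers, each line newline-terminated
        "host",                # signed headers
        "UNSIGNED-PAYLOAD",    # a presigned GET does not bind the body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    # Derived signing key: date -> region -> service -> "aws4_request".
    signing_key = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (region, "s3", "aws4_request"):
        signing_key = _hmac(signing_key, part)
    signature = hmac.new(signing_key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_qs}&X-Amz-Signature={signature}"


# Fixed timestamp and the well-known placeholder credentials from AWS's
# documentation, so the demo output is reproducible.
DEMO_TIME = dt.datetime(2024, 1, 15, 12, 0, 0, tzinfo=dt.timezone.utc)
DEMO_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DEMO_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def demo_url(expires=3600, secret_key=DEMO_SECRET_KEY):
    return presign_get("example-bucket", "reports/q1.pdf", "us-east-1",
                       DEMO_ACCESS_KEY_ID, secret_key, expires, DEMO_TIME)


if __name__ == "__main__":
    print(demo_url())
```

Two things worth noticing in the output: the signature covers the expiry and the key, so neither can be edited after the fact, and a URL signed with a role's temporary credentials stops working when those credentials expire, even if X-Amz-Expires is later.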
S3 - What is cross-region replication?
Objects written to a bucket are copied asynchronously to a bucket in another region (lower latency for users there, disaster recovery or compliance). Only objects written after replication is configured are replicated.
Required:
- An IAM role that S3 assumes to read from the source and write to the destination bucket
- Versioning must be enabled on both buckets
EC2 - What defines an instance type?
- Count of virtual CPUs
- Memory
- Storage in type and size
- Network performance
EC2 - What is enhanced networking?
Gives the instance direct access to the physical NIC (SR-IOV), reducing the virtualization overhead on networking.
Results in higher packets per second, lower latency and less jitter.
EC2 - What defines an AMI?
- The operating system
- The state of patches
- The installed applications or other system software
EC2 - What are the types of AMIs?
- Published by AWS
- Marketplace AMIs
- AMIs created from existing instances or their EBS snapshots
- AMIs created by AWS VM Import/Export
EC2 - How can you access an instance from the web?
- Assign a public or Elastic IP (or use the instance's public DNS name)
- Make sure the subnet's route table has a route to an Internet Gateway and that the security group and NACL allow the traffic
EC2 - Does an EC2 instance need a security group?
Yes, at least one security group must be attached to the instance (by default up to 5 per network interface).
EC2 - What kind of sources/destinations are allowed in a Security Group?
CIDR IP blocks, other security groups (referenced by ID, including the group itself) or prefix lists
EC2 - Can you export a VM and import it to AWS?
Yes, using AWS VM Import/Export.
Export is restricted: instances launched from AWS Marketplace AMIs or carrying AWS-provided third-party licenses (e.g. Windows Server) cannot be exported.
EC2 - How can an instance be resized?
Stop the instance (EBS-backed only; instance-store instances cannot be stopped).
Change the type using the "Change Instance Type" setting, then start it again.
EC2 - Can you change the Security Group on a running instance?
Yes; rules in a security group can also be changed and take effect immediately.
EC2 - What is Termination Protection?
With the DisableApiTermination attribute set, termination requests through the API or console are refused until the attribute is cleared.
It does not protect Spot Instances from interruption, nor instances terminated by Auto Scaling, nor an OS-level shutdown when the shutdown behavior is set to terminate.
EC2 - How can an EC2 reserved instance be modified?
- Switch the AZ within the same region
- Change the instance size within the same instance family (Linux/UNIX only), as long as the total normalized capacity stays the same
EC2 - Describe the tenancy options for instances
Shared Tenancy (default): the physical host runs instances of many customers
Dedicated Instance: runs on hardware dedicated to a single customer; AWS chooses the host and the customer has no visibility of it
Dedicated Host: an entire physical server is allocated to the customer, with visibility of sockets and cores (for bring-your-own-license software) and control over instance placement
EC2 - What is Instance Store?
Block storage on disks physically attached to the host (not network storage like EBS).
Storage and usage are included in the instance price.
Data survives a reboot but is lost when the instance stops, hibernates or terminates, or the underlying disk fails.
Instances whose root volume is an instance store can only be terminated or rebooted, not stopped.
EC2 - Are EBS volumes replicated across Availability Zones?
They are replicated within their AZ, but not across AZs; a volume can only be attached to instances in its own AZ.
EC2 - Can you use multiple EBS devices on a single instance?
Yes, and they can be combined using RAID.
But while one instance can have multiple volumes, a volume can normally only be attached to a single instance. (Use EFS when several instances must share a file system; EBS Multi-Attach exists only for io1/io2 volumes.)
EC2 - What is a magnetic EBS volume?
Volumes backed by magnetic hard disks, which are cost-effective and range from 1 GiB to 1 TiB.
By default a volume delivers (only) about 100 IOPS, but can burst to a few hundred.
EC2 - What is a magnetic EBS volume used for?
- If data is accessed infrequently
- For sequential reads
- Low storage costs are required
EC2 - How are (max.) IOPS calculated for General Purpose SSD (gp2) EBS volumes?
Based on the storage capacity: 3 IOPS per GiB with a floor of 100 (e.g. 300 IOPS for 100 GiB), and volumes below 1 TiB can burst to 3,000 IOPS.
The baseline was capped at 10,000 IOPS at the time of these cards (since raised to 16,000).
EC2 - How are EBS volumes billed?
Based on the allocated storage capacity (and provisioned IOPS where applicable), regardless of how much is actually used.
EC2 - What are the max. volume sizes and throughputs of the EBS volume types?
General Purpose SSD (gp2): 1 GiB - 16 TiB / 160 MiB/s
Provisioned IOPS SSD (io1): 4 GiB - 16 TiB / 320 MiB/s
Magnetic (standard): 1 GiB - 1 TiB / 40-90 MiB/s
(throughput figures as of these cards; the limits have been raised since)
EC2 - Where are EBS snapshots located?
In S3, but in AWS-managed storage that is not visible as a bucket to the customer. Snapshots are incremental: only blocks changed since the previous snapshot are stored.
EC2 - Can you use an EBS snapshot in another region?
Not directly: snapshots are regional, and volumes created from them must be in the same region (and are then bound to one AZ).
But a snapshot can be copied to another region and used there.
EC2 - What does it mean that data is "lazily loaded"?
A volume restored from a snapshot is usable immediately, but its blocks are only fetched from S3 on first access, so first reads are slower.
Therefore read every block once after restoring (e.g. with dd or fio) so the data is present before customers use it.
EC2 - How can you increase the size of a running EBS volume?
Old way:
- Create a snapshot
- Create a larger volume from that snapshot and swap it in
Today the volume can be modified in place (size, type, IOPS) while attached; afterwards the partition and file system still have to be grown inside the OS.
EC2 - Are files on an EBS volume encrypted at rest?
They can be: when a volume is created with encryption enabled, it is encrypted with a KMS key (optional per volume; "encryption by default" can be turned on per region).
Data is then also encrypted in transit between the instance and the volume, and snapshots of the volume are encrypted as well.
VPC - What is the smallest/largest IP range in a VPC?
/28 (16 addresses)
/16 (65,536 addresses)
VPC - What are the core components of a VPC?
- Subnets
- Route Table
- Security Groups
- Network Access Control Lists (NACLs)
VPC - What is the difference between a public and private subnet?
The route table of a public subnet has a route to an Internet Gateway; a private subnet's does not (it can reach the internet at most outbound, through a NAT gateway or NAT instance).
VPC - What is the “local” route in the route table?
It enables communication within the VPC.
The local route cannot be modified or removed.
VPC - What is the purpose of the Internet Gateway?
It is the target of the internet-bound route in the route table and forwards traffic between the VPC and the internet.
It performs 1:1 NAT between an instance's private IP and its public/Elastic IP (the instance itself only knows its private IP).
VPC - How to create a public subnet with access to the internet with an IGW?
- Attach an Internet Gateway to the VPC
- Add a route 0.0.0.0/0 -> IGW to the subnet's route table
- Give the instances public or Elastic IPs
- Configure NACL and Security Groups
VPC - Can you transfer an Elastic IP to another region?
No, an Elastic IP belongs to the region it was allocated in (it can be moved between instances within that region).
VPC - What is the purpose of a VPC endpoint?
Lets instances reach AWS services over the AWS network without an Internet Gateway, NAT or public IPs: gateway endpoints for S3 and DynamoDB (a route table entry), interface endpoints (PrivateLink ENIs) for most other services.
VPC - What is the purpose of VPC Peering?
A private network connection between two VPCs, in your own account or in someone else's.
At the time of these cards it was limited to one region; inter-region peering has been available since 2017.
VPC - What are the restrictions for VPC Peering?
- The CIDR blocks must not overlap
- No transitive routing: A-B plus B-C does not let A reach C
- Only one peering connection between a given pair of VPCs
- Each side must add routes for the peer's CIDR and open security groups/NACLs
VPC - What are the default Security Group rules for in-/outbound traffic?
By default no inbound traffic is allowed (a new custom group has no inbound rules).
All outbound traffic is allowed, but this can be changed.
VPC - Can (per default) instances with the same Security Group talk to each other?
Not in a custom group: it needs an inbound rule that references the group itself. (The VPC's default security group already contains such a self-referencing rule.)
VPC - Will be changes to the Security Group have immediate effect?
Yes
VPC - What are the differences between Security Groups and the NACL?
Security Group / NACL:
- Instance (ENI) level / Subnet level
- Only allow rules / Allow and deny rules
- Stateful (replies are allowed automatically) / Stateless (replies need their own rules, e.g. for ephemeral ports)
- Evaluates all rules before deciding / Processes rules in numbered order, first match wins
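Added example (not from the cards, not AWS code) that makes the two differences visible on constructed packets: the security group tracks connections so the HTTP reply passes without an outbound rule, the NACL drops the same reply until an outbound rule for ephemeral ports exists, and a NACL deny only works if its rule number is lower than the allow.

```python
"""Stateful security group vs stateless NACL, simulated on constructed
packets. Added example, not AWS code. A packet is a dict with dir ('in' or
'out' relative to the instance/subnet), proto, src, sport, dst, dport.
The security group tracks connections, so replies are allowed without an
outbound rule; the NACL sees each packet on its own, evaluates rules by
number (lowest first, first match wins) and ends with an implicit deny."""
import ipaddress


def _ip_in(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


class SecurityGroup:
    """Allow rules only: (direction, proto, cidr, (port_lo, port_hi))."""

    def __init__(self, rules):
        self.rules = rules
        self._conns = set()   # 5-tuples of allowed connections (connection tracking)

    def allows(self, pkt) -> bool:
        reverse = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if reverse in self._conns:
            return True          # reply to a tracked connection: stateful allow
        for direction, proto, cidr, (lo, hi) in self.rules:
            remote = pkt["src"] if direction == "in" else pkt["dst"]
            if (direction == pkt["dir"] and proto == pkt["proto"]
                    and _ip_in(remote, cidr) and lo <= pkt["dport"] <= hi):
                self._conns.add((pkt["proto"], pkt["src"], pkt["sport"],
                                 pkt["dst"], pkt["dport"]))
                return True
        return False             # nothing matched: dropped (there are no deny rules)


class NetworkAcl:
    """Rules: (number, direction, proto, cidr, (port_lo, port_hi), 'allow'|'deny')."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r[0])

    def allows(self, pkt) -> bool:
        for _number, direction, proto, cidr, (lo, hi), action in self.rules:
            if direction != pkt["dir"] or proto != pkt["proto"]:
                continue
            remote = pkt["src"] if direction == "in" else pkt["dst"]
            if _ip_in(remote, cidr) and lo <= pkt["dport"] <= hi:
                return action == "allow"   # first matching rule decides
        return False                       # the final '*' rule: deny


def demo() -> dict:
    """Web server 10.0.1.10 behind both controls; client 203.0.113.5 (constructed)."""
    request = {"dir": "in", "proto": "tcp", "src": "203.0.113.5", "sport": 51514,
               "dst": "10.0.1.10", "dport": 80}
    reply = {"dir": "out", "proto": "tcp", "src": "10.0.1.10", "sport": 80,
             "dst": "203.0.113.5", "dport": 51514}
    sg = SecurityGroup([("in", "tcp", "0.0.0.0/0", (80, 80))])
    nacl_in_only = NetworkAcl([(100, "in", "tcp", "0.0.0.0/0", (80, 80), "allow")])
    nacl_with_ephemeral = NetworkAcl([
        (100, "in", "tcp", "0.0.0.0/0", (80, 80), "allow"),
        (100, "out", "tcp", "0.0.0.0/0", (1024, 65535), "allow"),  # replies go to ephemeral ports
    ])
    deny_first = NetworkAcl([(90, "in", "tcp", "203.0.113.0/24", (80, 80), "deny"),
                             (100, "in", "tcp", "0.0.0.0/0", (80, 80), "allow")])
    deny_late = NetworkAcl([(110, "in", "tcp", "203.0.113.0/24", (80, 80), "deny"),
                            (100, "in", "tcp", "0.0.0.0/0", (80, 80), "allow")])
    return {
        "sg_request": sg.allows(request),                       # True
        "sg_reply": sg.allows(reply),                           # True without any outbound rule
        "nacl_reply_in_only": nacl_in_only.allows(reply),       # False: stateless, no outbound rule
        "nacl_reply_with_ephemeral": nacl_with_ephemeral.allows(reply),  # True
        "nacl_deny_before_allow": deny_first.allows(request),   # False: rule 90 wins
        "nacl_deny_after_allow": deny_late.allows(request),     # True: rule 100 matched first
    }
```

The deny_late case is the classic mistake when blocking an abusive IP with a NACL: the deny must be numbered below the broad allow or it never fires.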
VPC - What is a NAT instance?
An EC2 instance in a public subnet launched from an AWS NAT AMI.
It lets instances in private subnets reach the internet (for updates etc.) while nobody outside can initiate a connection to them.
The source/destination check must be disabled on the instance, because it forwards packets that are neither from nor to its own IP. A NAT Gateway is the managed alternative.
VPC - How can you connect AWS to another data center?
Site-to-Site VPN: a Virtual Private Gateway (VGW) on the VPC side plus a Customer Gateway (CGW) representing the on-premises router, connected by IPsec tunnels over the internet.
Alternatively AWS Direct Connect, a dedicated private line.
CloudWatch - What are the two monitoring levels?
Basic: free, one data point every 5 minutes, limited preselected metrics
Detailed: paid, one data point every minute, more metrics, custom metrics and data aggregation
ELB - Can you target more than one AZ?
Yes, but only within one region (use Route53 for multiple regions)
ELB - What is the Idle Connection Timeout?
When using the ELB there are two connections: client to ELB and ELB to backend server.
A connection is closed automatically once no data has been sent for the timeout (default 60 seconds); set it above the application's keep-alive timeout to avoid needless reconnects.
ELB - What is Cross-Zone Load Balancing?
Without it each load balancer node only sends traffic to instances in its own AZ, so 1 instance in one AZ and 5 in another leaves the single instance overloaded.
With it enabled every node distributes across all registered instances in all enabled AZs, so each instance gets an equal share.
It is still recommended to keep an equal number of instances in each AZ.
ELB - What is Connection Draining?
When an instance is deregistered or becomes unhealthy, the ELB stops sending it new requests but lets in-flight requests finish, up to a configurable timeout (default 300 seconds).
ELB - What is the Proxy Protocol?
For TCP/SSL listeners the ELB prepends a PROXY protocol header to each backend connection, carrying the client's source IP and port; without it the backend only sees the ELB's address. (HTTP listeners carry the same information in the X-Forwarded-For header.)
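Added example (not from the cards) of what the backend receives and how to parse it safely: a PROXY protocol v1 header on a constructed connection. The parser refuses malformed lines instead of guessing, because the backend uses the result for logging and access decisions; it should also only be trusted on connections that actually come from the load balancer.

```python
"""Parser for the PROXY protocol v1 header that an ELB TCP/SSL listener
prepends when proxy protocol is enabled. Added example, not from the page;
the sample connection bytes are constructed. Only accept this header on
connections that really come from the load balancer: anyone else who can
reach the backend directly could forge a client address."""
import ipaddress

MAX_V1_LEN = 107   # longest legal v1 line including CRLF (from the spec)


def parse_proxy_v1(data: bytes):
    """Split the header off a connection's first bytes.
    Returns (client_ip, client_port, proxy_ip, proxy_port, remaining_bytes);
    the address fields are None for 'PROXY UNKNOWN'. Raises ValueError on
    anything malformed rather than guessing a client address."""
    if not data.startswith(b"PROXY "):
        raise ValueError("not a PROXY v1 header")
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if end == -1:
        raise ValueError("PROXY v1 header too long or not CRLF-terminated")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, None, None, None, rest      # not proxied from a known address
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    _, family, src, dst, sport, dport = fields
    version = 4 if family == "TCP4" else 6
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip.version != version or dst_ip.version != version:
        raise ValueError("address family does not match the addresses")
    sport, dport = int(sport), int(dport)
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return str(src_ip), sport, str(dst_ip), dport, rest


# Constructed: what a backend would read first from an ELB connection.
SAMPLE = (b"PROXY TCP4 198.51.100.22 10.0.1.10 35646 80\r\n"
          b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")


def demo():
    return parse_proxy_v1(SAMPLE)
```

Note that the HTTP request follows immediately after the CRLF, so the remaining bytes must be handed on to the application protocol parser unchanged.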
ELB - What are Sticky Sessions?
Binds a user's session to a specific instance, so the client is always directed to the same instance.
The ELB can generate its own cookie (duration-based) or follow an application-generated cookie.
ELB - What are Health Checks?
The ELB periodically probes each instance and marks it InService or OutOfService.
The probe can open a TCP or SSL connection, or request a page over HTTP/HTTPS and expect a 200 response.
CloudWatch - Limits of CloudWatch
5,000 alarms per account per region
Metrics were retained for two weeks at the time of these cards (now 15 months, with older data points aggregated); export them to S3 to keep them longer.
Auto Scaling - What is scheduled scaling?
Scale up or down based on scheduled events, for example the release of a product or an end of the month event
Auto Scaling - What are the basic components?
Launch configuration, Autoscaling Group and scaling policy (optional)
Auto Scaling - What is the Launch Configuration?
Which AMI, instance type, security group(s) and key pair (plus user data and IAM role).
Auto Scaling - What is needed for the Auto Scaling Group?
Required: minimum size and maximum capacity
Optional: desired capacity
Auto Scaling - What instance purchase options can be used?
On-Demand or Spot
Auto Scaling - How does the scaling policy work?
Auto Scaling is associated with CloudWatch alarms that monitor the instances; when a threshold is crossed it scales out or in.
Auto Scaling - Why should scaling in be slower than scaling out?
- Instances used to be billed per full hour, so terminating early wasted the rest of it (most instances are now billed per second with a 60-second minimum)
- Another spike may follow shortly, and then the instance would have to be launched again
IAM - What is the best practice for the root account?
Use it only once to create the first IAM users, enable MFA on it, create no access keys for it, and store the root credentials safely away.
IAM - How does an EC2 instance communicate with S3?
Through an instance profile: the instance assumes a role with the needed S3 permissions and receives temporary credentials from the instance metadata service, so no long-term keys are stored on the instance.
IAM - How can other accounts be granted access?
By creating a role that trusts the other account; its principals assume the role (STS AssumeRole) and receive temporary credentials limited to the role's permissions.
IAM - What is Identity Federation?
Authentication is done by an external identity provider (SAML/corporate directory, or a web identity like Facebook, Google or Amazon); the user exchanges that identity via STS for temporary AWS credentials.
IAM - How can you authenticate to AWS?
Username/password (console, ideally with MFA), access key ID + secret access key (CLI/API), or temporary credentials: access key ID + secret access key + session token
IAM - What is included in a policy?
- Effect (Allow / Deny)
- Action (e.g. s3:GetObject, s3:PutObject)
- Resource (ARN of the service resource)
- Condition (e.g. time window, source IP range, MFA present)
- An explicit Deny always beats an Allow; without a matching Allow the request is denied implicitly
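Added example (not from the cards and not AWS's evaluator) of how those elements combine: a small policy evaluator over constructed policies and request contexts showing explicit deny, implicit deny, wildcard actions/resources and two condition operators (IpAddress on aws:SourceIp, Bool on aws:MultiFactorAuthPresent).

```python
"""Minimal IAM policy evaluation: explicit Deny beats Allow, and a request
no statement allows ends in an implicit deny. Added example, not AWS's
evaluator. Supports Effect, Action and Resource with '*' wildcards, and
two condition operators: IpAddress on aws:SourceIp and Bool on
aws:MultiFactorAuthPresent. Policies and request contexts are constructed."""
import fnmatch
import ipaddress


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value: str) -> bool:
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(cond: dict, ctx: dict) -> bool:
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "IpAddress":
                ok = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(c)
                    for c in _as_list(expected))
            elif operator == "Bool":
                ok = actual is not None and str(actual).lower() == str(expected).lower()
            else:
                raise ValueError(f"unsupported condition operator {operator}")
            if not ok:
                return False
    return True


def evaluate(policies, action: str, resource: str, ctx: dict) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny'."""
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)
                    and _condition_ok(st.get("Condition", {}), ctx)):
                continue
            if st["Effect"] == "Deny":
                return "Deny"          # an explicit deny ends evaluation
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Constructed policy: full S3 access to one bucket from the office range,
# but deletes are refused unless the session was authenticated with MFA.
POLICIES = [{"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-data/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
]}]


def demo() -> dict:
    obj = "arn:aws:s3:::app-data/reports/q1.csv"
    office = {"aws:SourceIp": "203.0.113.7", "aws:MultiFactorAuthPresent": "false"}
    office_mfa = {"aws:SourceIp": "203.0.113.7", "aws:MultiFactorAuthPresent": "true"}
    home = {"aws:SourceIp": "198.51.100.9", "aws:MultiFactorAuthPresent": "true"}
    return {
        "get_from_office": evaluate(POLICIES, "s3:GetObject", obj, office),          # Allow
        "delete_without_mfa": evaluate(POLICIES, "s3:DeleteObject", obj, office),   # Deny
        "delete_with_mfa": evaluate(POLICIES, "s3:DeleteObject", obj, office_mfa),  # Allow
        "get_from_home": evaluate(POLICIES, "s3:GetObject", obj, home),             # ImplicitDeny
        "other_bucket": evaluate(POLICIES, "s3:GetObject",
                                 "arn:aws:s3:::other/x", office),                   # ImplicitDeny
    }
```

One caveat the toy makes visible: the Deny only fires when aws:MultiFactorAuthPresent is present and false. Real policies use BoolIfExists for this key so that long-term access keys, whose requests carry no such key at all, are denied as well.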
DB - How are licenses handled for Oracle and MS SQL Server?
They can either be included in the instance price (license included) or brought in by the user (BYOL).
DB - How is Aurora structured?
An Aurora cluster stores its data in a shared cluster volume replicated six ways across three AZs.
There is one primary instance (read/write) and up to 15 Aurora Replicas (read-only), which can be placed in different AZs.
DB - What two options does RDS provide for backups?
Automated backups and manual snapshots
DB - Why should you use Multi-AZ for backups?
Backups are taken from the standby, so the I/O suspension does not hit the primary.
DB - For which cases does Multi-AZ fail over?
- AZ is not reachable
- Network failure to the primary database
- Compute unit failed
- Storage unit failed
DB - Can you perform a manual failover?
Yes (e.g. by rebooting the instance with failover)
DB - How can a running RDS instance be scaled up (instance class changed)?
Apply it during the next maintenance window or trigger it immediately.
The change needs a short outage; with Multi-AZ the standby is modified first and then a failover takes place, so the interruption is brief.
DB - Describe a scenario for Read Replicas?
Blog with a lot of read, but not much write traffic
DB - Is it possible to have Read Replicas in different Regions?
Yes
DB - What is a Redshift cluster?
A cluster is composed of a leader node and multiple compute nodes.
Client Applications only interact with the leader node.
DB - What happens when Redshift is resized?
A classic resize creates a new cluster and copies all data to it; the old cluster stays available read-only until the copy completes.
DB - How to set up / change DynamoDB
The user defines the read / write capacity units, AWS provides the hardware behind them.
Capacity can be changed at runtime and the infrastructure is adjusted transparently.
DB - How is Multi-AZ set up for DynamoDB?
Automatically: data is replicated synchronously across three AZs in the region.
DB - In DynamoDB, what is an Eventually Consistent Read?
Because the data is replicated, a read may not yet reflect a write completed within roughly the last second.
DB - In DynamoDB, what is a Strongly Consistent Read?
Returns the most up-to-date data reflecting all successful writes before the read; it costs twice the read capacity of an eventually consistent read.
SQS - Describe the message lifecycle in three steps
- A message is sent and stored redundantly across multiple SQS servers.
- A consumer receives it; it stays in the queue but is invisible to other consumers for the visibility timeout.
- The consumer sends a request to delete the message, using the receipt handle from the receive. If it does not, the message becomes visible again after the timeout.
SQS - What is a Delay Queue?
A queue where each new message is kept invisible to consumers for a configured delay.
SQS - How to trigger the deletion of the message
Send a DeleteMessage request with the receipt handle returned by the most recent receive.
SQS - What is long polling?
If no message is in the queue, the receive call waits up to a configured time before returning empty.
This reduces empty responses and therefore cost and CPU load.
SQS - What is a dead letter queue?
If a consumer cannot process a message, for whatever reason, the message is moved after a configured number of receives (maxReceiveCount) to another queue, the "dead letter queue", for inspection.
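Added example covering the lifecycle, delay queue, receipt handle and dead-letter cards above (not from the cards and not SQS itself): a toy queue that reproduces the visibility timeout, the fact that a stale receipt handle cannot delete a redelivered message, and the redrive to a dead-letter queue. Message bodies and timings are constructed, and time is passed in explicitly so the run is deterministic.

```python
"""Toy model of an SQS queue: send (optionally delayed), receive with a
visibility timeout and a receipt handle, delete by handle, and redrive
to a dead-letter queue once maxReceiveCount is exceeded. Added example,
not SQS itself; time is passed in explicitly so the run is deterministic.
Bodies and timings are constructed."""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Message:
    body: str
    visible_at: float                     # hidden until then (delay or visibility timeout)
    receive_count: int = 0
    receipt_handle: Optional[str] = None  # replaced on every receive


@dataclass
class Queue:
    visibility_timeout: float = 30.0
    max_receive_count: Optional[int] = None     # redrive policy, needs a dlq
    dlq: Optional["Queue"] = None
    _msgs: list = field(default_factory=list)

    def send(self, body: str, now: float, delay_seconds: float = 0.0) -> None:
        # Delay queue semantics: stored now, invisible to consumers for delay_seconds.
        self._msgs.append(Message(body, visible_at=now + delay_seconds))

    def receive(self, now: float):
        """Hand out the first visible message and hide it for visibility_timeout.
        Returns (body, receipt_handle) or None if nothing is visible."""
        for m in list(self._msgs):
            if m.visible_at > now:
                continue
            m.receive_count += 1
            if self.max_receive_count is not None and m.receive_count > self.max_receive_count:
                self._msgs.remove(m)           # poison message: redrive to the DLQ
                self.dlq.send(m.body, now)
                continue
            m.visible_at = now + self.visibility_timeout
            m.receipt_handle = secrets.token_hex(8)
            return m.body, m.receipt_handle
        return None

    def delete(self, receipt_handle: str) -> bool:
        """Only the handle from the most recent receive is valid."""
        for m in self._msgs:
            if m.receipt_handle == receipt_handle:
                self._msgs.remove(m)
                return True
        return False

    def size(self) -> int:
        return len(self._msgs)


def demo() -> dict:
    dlq = Queue()
    q = Queue(visibility_timeout=30, max_receive_count=2, dlq=dlq)
    q.send("order-42", now=0)
    q.send("order-43", now=0, delay_seconds=60)      # delay queue: invisible until t=60
    first = q.receive(now=0)                          # order-42, receive 1, hidden until t=30
    hidden = q.receive(now=0)                         # None: one in flight, one delayed
    second = q.receive(now=31)                        # consumer never deleted: order-42 again
    stale = q.delete(first[1])                        # False: handle from the first receive is stale
    third = q.receive(now=62)                         # order-42 hits receive 3 > 2 -> DLQ; order-43 returned
    return {"first": first[0], "hidden": hidden, "second": second[0], "stale_delete": stale,
            "third": third[0], "dlq_size": dlq.size(),
            "deleted": q.delete(third[1]), "remaining": q.size()}
```

The stale-handle case is why consumers must delete with the handle from the receive they are currently processing, and why processing must be idempotent: the same body can legitimately arrive more than once.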
SWF - What is SWF?
A coordination service for workflows made of multiple tasks that run asynchronously or on different machines.
Tasks are assigned to workers, which perform them and report back to the decider, which then schedules the next steps.
Route53 - What is a host?
Individual computer or service accessed through a domain
Route53 - What is a Name Server?
Computer designated to translate names into IP addresses
Route53 - What three steps are taken for DNS resolution?
- Check host file
- Check DNS cache
- Contact DNS Server
Route53 - What is A / AAAA?
Mapping of a host to a IPv4/IPv6 address
Route53 - What is a CNAME?
Maps one name to another name (an alias), e.g. www.example.com to example.com or to an ELB's DNS name; it cannot be used at the zone apex (Route53 offers alias records for that).
Route53 - What is a Pointer (PTR)?
Maps IPs to DNS names (reverse DNS)
Route53 - What is the Sender Policy Framework?
A TXT record at a domain listing the hosts allowed to send mail with that domain as sender; receiving mail servers check the connecting IP against it to spot forged senders.
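Added example (not from the cards) of the check a receiving mail server performs: a small SPF evaluator over a constructed in-memory zone instead of live DNS, implementing the ip4, ip6, include and all mechanisms with their qualifiers and the recursion limit that stops include loops.

```python
"""SPF check: the receiving mail server takes the connecting IP and the
domain of the envelope sender, fetches that domain's SPF TXT record and
evaluates it. Added example, not from the page; DNS is replaced by a
constructed in-memory zone so it runs offline, and only the ip4, ip6,
include and all mechanisms are implemented (no a, mx, exists, redirect)."""
import ipaddress

# Constructed zone: domain -> SPF TXT record.
ZONE = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail-provider.example -all",
    "_spf.mail-provider.example": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8:10::/48 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10   # RFC 7208 caps DNS-querying terms; also stops include loops


def check_spf(ip: str, domain: str, zone: dict = ZONE, depth: int = 0) -> str:
    """Return pass, fail, softfail, neutral, none or permerror."""
    if depth > MAX_DEPTH:
        return "permerror"
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"                       # no SPF policy published
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            inner = check_spf(ip, arg, zone, depth + 1)
            if inner in ("permerror", "none"):
                return "permerror"          # broken or missing included record
            matched = inner == "pass"       # only a 'pass' inside counts as a match
        elif name == "all":
            matched = True
        else:
            return "permerror"              # mechanism this toy does not know
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                        # no mechanism matched and no 'all'
```

Whether a receiver rejects on fail, quarantines on softfail or merely logs is local policy (DMARC builds on this); SPF itself only answers whether the connecting host was authorized.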
Route53 - What are the three main functions for Route53?
DNS Service
Domain registration
Health checks
Route53 - What resources can Route53 route to?
CloudFront
ElasticLoadBalancers
S3
EC2
Route53 - What are public/private Hosted Zones?
Private: Information about how to route traffic in the VPC
Public: How to route traffic on the Internet
Route53 - What is a routing policy?
Determines how Route53 handles queries.
Can be simple, weighted, latency based, failover or geolocation based
Route53 - What is Simple Routing?
Directly routes to one resource
Route53 - What is Weighted Routing?
Multiple resources.
Every resource gets a weight; traffic is split in proportion to the weights (e.g. 90/10 for a canary release).
Route53 - What is Latency Based Routing?
Route53 answers with the resource in the AWS region that has the lowest measured network latency to the resolver making the query.
Route53 - What is Failover Routing?
Determines what happens if the main resource is not available
Route53 - What is Geolocation Routing?
Based on the IP of the user.
Routes to Continents, Countries or even States
Elasticache - What is the cache-aside pattern?
The app checks the cache first; if no entry is found the value is read from the database and then stored in the cache.
Elasticache - Difference Redis / Memcached?
Memcached is simpler, multithreaded and scales easily by partitioning across nodes.
Redis has more data types, can be persisted and supports replication and read replicas.
Elasticache - How to vertically scale Elasticache
It is not possible to change a node's type at runtime.
You need to create a new cluster with the larger node type.
For Memcached that means losing the whole cache, for Redis a snapshot can be used to seed the new cluster.
Elasticache - Is it possbile to create Multi-AZ in Elasticache?
Yes
CloudFront - What is a CDN?
Distributed network of caching servers to speed up content delivery world wide
CloudFront - What happens when a file is not in an edge location?
It will be retrieved from the origin server and then cached
CloudFront - Explain Distribution, Origin and Cache Control
Distributions: Name under which the CDN can be accessed
Origins: Where the files come from
Cache Control: How long items should be in cache