ASG, ELB & HA

Question 1

Global Architecture components

Answer 1

• Global Service Location & Discovery
• Content Delivery (CDN) and optimization
• Global health checks & Failover

Question 2

Regional Architecture Components

Answer 2

• Regional entry point
• Scaling & Resilience
• Application services and components

Question 3

WEB Tier

Answer 3

WEB Tier - Entry point into an Architecture. An abstraction of the underlying Infrastructure to the customers. Underlying Infrastructure can fail, change, or scale without impacting on customers eg API Gateway, ELB

Question 4

ELB Architecture

Answer 4

ELBs, when deployed, are by default, Configured to run in 2+ AZ’s. 1+ Nodes are placed into a subnet in each AZ and scale with load.
Each ELB is configured with a single
(A) record DNS name. This resolves to the IP Address of the ELB AZ Nodes

Question 5

Internet Facing vs Inward facing Load Balancer

Answer 5

Inward - ELB has only private IP

Internet-facing - ELB has both public and Private IP

It doesnt affect where the ELB is placed within the AZ

Question 6

Cross Zone Load Balancing

Answer 6

Cross Zone Load Balancing is Default in Application Load Balancer

Question 7

EC2/ELB integration

Answer 7

EC2 doesn’t need to be public to work with a LB. his is because an Internet facing Load balancer has both private and public IP addresses

Question 8

Classic Load Balancer issues

Answer 8

• CLBs don’t scale
• HTTPS name requires an individual CLB because SNI isn’t supported

Question 9

ALB

Answer 9

• ALB is a Layer 7 Load balancer .. listens on HTTP and/or HTTPS
• ALB does not understand any other Layer 7 protocols eg.. (SMTP, SSH, Gaming ….)
• Understands L7 content type, cookies, custom headers, user location and app behaviour
• It is able to inspect a Layer7 Application protocol information and makes decision from its components

Question 10

SSL/TLS Termination

Answer 10

Security concerns ensure no end-to-end unbroken ssl conection is allowed.

HTTP HTTPS (SSL/TLS) are always terminated on the ALB - no unbroken SSL isallowed to cross this point into our Application. A new set of security credentials are issued as headers for internal App processing, then the Certificate termination is reversed during Application response.

Question 11

ELB Throughput

Answer 11

ALBs are slower than NLB .. more levels of the network stack to process.

The more levels of networking stacks, the more the complexity, the slower the processing

Question 12

ELB Health Checks

Answer 12

Only available on ALB

Question 13

ALB Anatomy (Routing)

Answer 13

• Rules are processed, forwarding decisions and actions are applied.
• Rules direct connections which arrive at a listener
• Rules are Processed in priority order
• Default rule = catchall
• Rule Conditions:
  
  • Host-header
  • Http-header
  • Http-request-method
  • Path-pattern
  • Query-string &
  • Source-ip
• Actions:
  
  • Forward,
  • Redirect,
  • Fixed-response,
  • Authenticate-oidc(Open ID) &
  • Authenticate-cognito

Question 14

NLB and SSL

Answer 14

To use End-to-end unbroken connection (Pass TCP/SSL encrypted connection down to Application Stack, use NLB.

This Forwards TCP to Application … unbroken encryption

Question 15

NLB

Answer 15

Layer 4 load balancer …

Protocols:
TCP, TLS, UP, TCP_UDP

• No visibility or understanding of HTTP or HTTPS
• No headers, no cookies, no session stickiness

Really Really Really Fast (millions of rps, 25% of ALB latency)

• They don’t deal with computationally heavy upper Layers of the Networking Stack

Question 16

NLB Use cases

Answer 16

SMTP, SSH, Game Servers, financial apps

Question 17

NLB Health Checks

Answer 17

Health checks JUST check IMP / TCP Handshake.

NLB is not App Aware, cannot handle detailed health checknn

Question 18

NLB Static IP

Answer 18

NLB’s can have static IP’s - useful for whitelisting

Question 19

Use NLB or ALB ??

Answer 19

• Unbroken encryption? … NLB
• Static IP for whitelisting? … NLB
• The fastest performance? … NLB (millions rps)
• Protocols not HTTP or HTTPS? … LB
• Privatelink? … NLB
• Otherwise … ALB

Question 20

Launch Configuration / Launch Template

Answer 20

LC&LT
* Allow you to define the configuration of an EC2 instance in advance
* AMI, Instance Type, Storage & Key pair
* Networking and Security Groups
* Userdata & IAM Role
* Both are NOT editable - defined once. LT has versions.
* LT provide newer features - including T2/T3 Unlimited, Placement Groups, Capacity Reservations, Elastic Graphics

Question 21

Launch Configuration

Answer 21

Is used for deploying ASG.

• they are not Editable, Have no versioning capability.
• Launch Templates can have versions

Question 22

Launch Template

Answer 22

• Launch templates can be used to save time when provisioning EC2 instances from the console UI/CLI.
• Can also be used to Launch an ASG

Question 23

ASG Launch Template

Answer 23

Launch templates can be used to save time when provisioning EC2 instances from the console UI/CLI

Question 24

ASG - Scaling Policies

Answer 24

• Manual Scaling - Manually adjust the desired capacity [Default]
• Scheduled Scaling - Time based adjustment - e.g. Sales..
• Dynamic Scaling
• Simple - “CPU above 50% +1”, “CPU Below 50 - 1”
• Stepped Scaling - Bigger +/- based on difference
• Target Tracking - Desired Aggregate CPU = 40% ..ASG handle it

Question 25

Simple Scaling Metrics Types

Answer 25

Simple scale Metrics are not only limited to EC2 CPU it includes metrices from any possible AWS services such as * EC2 Disk usage * Network * SQS Queue length * Disk I/O * Application custom metrics eg, **response time** This is made possible by installing Cloudwatch agent

Question 26

Target tracking Supported Metrics

Answer 26

Average CPU Utilization Average Network In Average Network Out Request Count per target (Relevant to ALB)

Question 27

Cool down Period

Answer 27

use to minimize Autoscaling actions due to rapid spikes in traffic, it helps to avoid costs associated with constantly adding and removing instances(some Instances have minimum charges) **AWS** *As a best practice, we recommend that you do not use simple scaling policies and scaling cooldowns. In most cases, a target tracking scaling policy or a step scaling policy is better for scaling performance. For a scaling policy that changes the size of your Auto Scaling group proportionally as the value of the scaling metric decreases or increases, we recommend target tracking over either simple scaling or step scaling.*

Question 28

ASG Self-Healing

Answer 28

Using EC2 Status checks to replace unhealthy instances(by termination and Provisioning. This helps in fixing most Isolated issues on specific instances.

Question 29

EC2 **Instance Recovery Hack**

Answer 29

AKA Single Instance HA Steps 1. Deploy a single instance per subnet 2. Configure ASG to 1:1:1 3. ASG will replace any failed instance i.e Instance Recovery

Question 30

ASG Key Points

Answer 30

* use more, smaller instances instead of fewer larger instances - granularity * Autoscaling Groups are free * Only the resources created are billed ... * Use cool downs to avoid rapid scaling * Use with ALB's for elasticity - abstraction * ASG defines WHEN and WHERE, LT defines WHAT

Question 31

ASG Life Cycle Hooks

Answer 31

Lifecycle hooks enable you to perform custom actions by pausing instances as an Auto Scaling group **Launches** or **Terminates** them. When an instance is paused, **it remains in a wait state either until you complete the lifecycle action using the complete-lifecycle-action command or the CompleteLifecycleAction operation**, or until the timeout period ends (one hour by default). * LCH can be integrated with EventBridge or SNS Notifications, allowing for the system to perform event driven processes based on a Launch or Termination off EC2 instance within an ASG. **Lifecycle Hook Default time: ** State changes when timeout (3600s default) expires or CompleteLifecycleAction

Question 32

ASG Health Check Types

Answer 32

1. EC2 (Default) 2. ELB (Can be enabled) 3. Custom **EC2 Health checks:** * Stopping, * Stopped, * Terminated, * Shutting Down or * **Impaired** (not passing the 2/2 status) = UNHEALTHY **ELB Health checks** HEALTHY = Running & passing ELB health check * Since ALB is Application-aware, this can be configured flexibly for features such as 1. Text Pattern Matching, 2. Path Based **Custom Health Check** Instances marked healthy & unhealthy by an external system/tool.

Question 33

Health Check grace period

Answer 33

ASG will consider a booting instance Unhealthy and start deploying anotherin order to. deliver it's predefined desired state Configurable value which needs to expire before health check action kicks in. Delay before starting checks. useful for system launch, bootstrapping and application start Default 300s