AWS 12, 13, 14

Question 1

What is the Origin Access Identity in CloudFront?

Answer 1

It is a special CloudFront user that has access to origins for CloudFront;
We configure the S3 bucket permissions so that CloudFront can use the OAI to access the files in your bucket;
Generally we would want to restrict access to our S3 origin so that only the OAI has access.

Question 2

EC2 Instances MUST be public when using them with CloudFront, true or false?

Answer 2

True. Unless we introduce an ALB. Then the ALB can be public and the EC2 instances can be private.

Question 3

What is the major difference between CloudFront and S3 CRR?

Answer 3

S3 Cross Region Replication is read only and great for dynamic content that needs to be available at low-latency in few regions;
CloudFront files are cached for a TTL (maybe a day) and is great for static content that must be available everywhere;
Also note that in S3 CRR, files are copied to a different bucket, so users would still need to know that URL (or possibly use Route53?)

Question 4

What is a common strategy for maximizing cache hits in CloudFront?

Answer 4

We can separate Dynamic and Static content distributions

Question 5

What is the Viewer Protocol Policy in CloudFront?

Answer 5

It sits between the client and the edge location. It redirects HTTP to HTTPS or requires use of HTTPS only. Suggested is a redirect.

Question 6

What is the Origin Protocol Policy in CloudFront for HTTP or S3?

Answer 6

Sits between the Edge Location and Origin. Either set HTTPS only or Match Viewer, which keeps the request of the client.

Question 7

S3 Bucket “websites” support HTTPS, true or false?

Answer 7

False. If you want to support HTTPS access you can use CloudFront to serve a static website hosted on Amazon S3.

Question 8

Setting a CloudFront Origin Access Identity sets up a bucket policy for S3 bucket, however, we can keep the Block Public Access settings up for the bucket. How?

Answer 8

CloudFront hits the origin (S3 Bucket) from Amazons private network.

Question 9

What is the difference between a signed cookie and signed URL in CloudFront?

Answer 9

Signed URL gives access to individual files and signed cookies give access to multiple files

Question 10

How long should a signed URL be valid for?

Answer 10

For shared content, make it short. For private content you can make it much longer.

Question 11

CloudFront is deploying in front of an HTTP origin. After updating your HTTP app, the users still see the old website. What should you do?

Answer 11

Invalidate the distribution

Question 12

What are the three container management platforms?

Answer 12

ECS, Fargate, EKS

Question 13

What is a task definition in ECS? What is some information it contains?

Answer 13

Metadata in JSON form to tell ECS how to run a Docker Container;
Image Name;
Port binding for Container and Host;
Memory and CPU Required;
Env variables;
Launch type to use;
Logging configuration;

Question 14

We created a container that cannot communicate to any other AWS services. What is a probable reason?

Answer 14

We did not add a task role

Question 15

What is portMapping in ECS?

Answer 15

It will take the network calls that go through the Host network port number (e.g. 8080) and route them to the Container network port number (e.g. 80)

Question 16

For a specific service in ECS, we updated our desired tasks from 1 to 2. Yet no new tasks were launched, as Desired tasks was 2 but Running tasks was 1. How do we fix this?

Answer 16

We need to scale the instances. We can do this by going to the Auto Scaling Group behind our instances and update the desired capacity to 2. This is under the assumption that we are only allowing one task to one instance

Question 17

What is a Task in ECS?

Answer 17

This is a running container with the settings defined in the Task Definition. It can be thought of as an “instance” of a task definition.

Question 18

We get the error ‘[AWS Service] was unable to place a task because no container instance met all of its requirements.”, and that its already using a port required by the task. How can we fix this?

Answer 18

We can add container instances to a cluster or reduce the number of desired tasks. However, it is preferable to use an Application Load Balancer with dynamic port mapping

Question 19

What is Dynamic Port Mapping?

Answer 19

Dynamic Port Mapping allows you to run multiple tasks over the same host using multiple random host ports

Question 20

What is a service in ECS?

Answer 20

A service enables you to run and maintain a specified number of instances of a task definition simultaneously in an Amazon ECS cluster

Question 21

We have updated a task definition in ECS. However, we don’t see the changes when we interact with the instances. What is a possible reason?

Answer 21

We need to make sure that we update the service with the new task definition version as well.

Question 22

You have created a load balancer for your ECS service to use. What must you do with the security group attached to the cluster?

Answer 22

We must make sure that we can allow all traffic from the ALB security group that we created for Dynamic Port Mapping.

Question 23

What is the Amazon ECS Container Instance IAM Role?

Answer 23

It allows the Container instances that run the ECS container agent to make calls to ECS on your behalf. The IAM role and policy allow the service to know the agent belongs to you.

Question 24

What is ECR?

Answer 24

It is a private Docker image repository within your AWS account

Question 25

If you have permission errors to ECR, what could be the reason?

Answer 25

You need IAM permissions to access ECR

Question 26

**What is the AWS CLI v1 login command for ECR?

Answer 26

$(aws ecr get-login –no-include-email –region eu-west-1)

Question 27

**What is the AWS CLI v2 login command for ECR?

Answer 27

aws ecr get-login-password –region eu-west-1 | docker login –username AWS –password-stdin 1234567890-dkr.ecr.eu-west-1.amazonaws.com

Question 28

What are the four commands to push a docker image to ECR?

Answer 28

Login to ECR and Docker;
Build the Docker image;
Tag the image (get it ready for a push specifying the source);
Push the image up

Question 29

What allows ECS and the Container instances to pull and run the docker images from ECR?

Answer 29

It is the IAM role that AWS recommends we give to the ECS containers

Question 30

What is Fargate?

Answer 30

{{answer}}

Question 31

How does an EC2 Instance Profile come into play between EC2 and ECS/ECR?

Answer 31

The Instance Profile will be attached to the EC2 instance. The ECS agent that is attached to the EC2 profile then uses the IAM role to make calls to ECS and ECR.

Question 32

How does IAM, the Container instance and tasks work together?

Answer 32

You can grant permissions to the applications in the tasks containers that are running on an instance that you have. Perhaps one is reaching out to S3 and another one interacting with EC2. You provide these tasks roles to give these permissions. You define them in the task definition.

Question 33

What is the general idea behind ECS Tasks Placement?

Answer 33

When a service scales in or out, ECS must determine what task to either shut down or get launched. This is only with regards to a task associated with EC2, not Fargate.

Question 34

What is the four step strategy for when Amazon ECS places tasks?

Answer 34

Identify the instances that satisfy the CPU, memory, and port requirements in the task definition;
Identify the instances that satisfy the task placement constraints;
Identify the instances that satisfy the task placement strategies;
Select the instances for task placement

Question 35

What is the Binpack task placement strategy?

Answer 35

Place tasks based on the least available amount of CPU or memory. Fill up an EC2 instance before creating another one.

Question 36

What is the Spread task placement strategy?

Answer 36

Place the task evenly based on the specified value. For example, spread on the EC2 instances across AZs.

Question 37

What are the ECS task placement constraint options?

Answer 37

distinctInstance: Place each task on a different container instance

memberOf: Place tasks on container instances that satisfy an expression. For example tasks should only get placed on t2 instances.

Question 38

ECS service scaling uses the EC2 Auto Scaling, true or false?

Answer 38

False. EC2 Auto Scaling and Capacity Providers is instance level. ECS service scaling is at the task level.

Question 39

You want multiple containers of the same type on EC2 instances. How do we architect this?

Answer 39

Me must not specify a host port and use an ALB with dynamic port mapping. Remember that the EC2 instance security group must allow traffic from the ALB on all ports.

Question 40

How do you integrate CloudWatch with ECS?

Answer 40

Set up logging at the task definition level. The EC2 instance profile needs correct IAM permissions

Question 41

Which ECS config must you enable in /etc/ecs/ecs.config to allow your ECS tasks to endorse IAM roles?

Answer 41

ECS_ENABLE_TASK_IAM_ROLE

Question 42

You are running a web application on ECS, the Docker image is stored on ECR, and trying to launch two containers of the same type on EC2. The first container starts, but the second one doesn’t. You have checked and there’s enough CPU and RAM available on the EC2 instance. What’s the problem?

Answer 42

The host port is defined in the task definition. Set that to 0 and enable Dynamic Port Mapping.

Question 43

You would like to run 4 ECS services on your ECS cluster, which need access to various services. What is the best practice?

Answer 43

Create 4 ECS task roles and attatch them to the relevant ECS task definition.

Question 44

What are the three components of Elastic Beanstalk?

Answer 44

Application, application version, and environment name

Question 45

When we create an Elastic Beanstalk environment with a load balancer, we get two security groups? What are they?

Answer 45

One is for the load balancer and the other is for the instances, which only accepts calls from the load balancer

Question 46

Deleete

Answer 46

Delete

Question 47

What is the All at Once deployment option Elastic Beanstalk?

Answer 47

Deploy all instances in one go. Fastest, but instances aren’t available to serve traffic for a bit

Question 48

What is Rolling Update deployment option Elastic Beanstalk?

Answer 48

Updates a few instances at a time (bucket), and then moves onto the next bucket once the first bucket is healthy

Question 49

What is Rolling Update with Additional Batches deployment option Elastic Beanstalk?

Answer 49

Spins up new instances to move the batch

Question 50

What is the Immutable deployment option Elastic Beanstalk?

Answer 50

Spins up new instances in a new ASG, deploys versions to these instances, and then swaps all the instances when everything is healthy

Question 51

What is a downside of Rolling Update (with batch) deployment?

Answer 51

Long deployment

Question 52

Which deployment option for Elastic Beanstalk has the highest cost and longest deployment?

Answer 52

Immutable

Question 53

Which three EB deployment options are recommended for Prod environments?

Answer 53

Immutable and Rolling with Batch and Traffic Splitting

Question 54

What is Blue/Green deployment?

Answer 54

It is when we have two identical production environments. We deploy to either Blue or Green to test and then we switch traffic to which environment is the new version. If problems arise, we can quickly deploy out the old version and fix bugs.

Question 55

Which deployment option for Elastic Beanstalk has downtime if the deployment fails?

Answer 55

All at Once

Question 56

What is Traffic Splitting deployment option for Elastic Beanstalk?

Answer 56

We can specify a percentage of traffic that gets sent to a new application version and the amount of time we would like to monitor its health.

Question 57

What is a Beanstalk lifecycle policy? How can we prevent data loss?

Answer 57

Beanstalk can have at most 1000 versions. Setting a lifecycle policy can help phase out old versions. Based on time and space. We can configure an option so that it does not delete source bundle in S3.

Question 58

What are .ebextensions files?

Answer 58

They are configuration files to configure your environment and customize the AWS resources that it contains. They are YAML or JSON formatted but have a .config file extension.

Question 59

We clone an Elastic Beanstalk environment that has an RDS database configured and running. The data is migrated over true or false?

Answer 59

False. Data is lost but configuration is kept.

Question 60

After creating an Elastic Beanstalk environment, we cannot change the ELB type, true or false?

Answer 60

True. You can still change the ELB types settings however.

Question 61

We need to change the ELB type of our Elastic Beanstalk environment. We can go ahead and clone it and change the LB configuration, true or false.

Answer 61

False. We need to migrate (create new environment without LB but same configuration), to a new environment, deploy to the new environment, and then CNAME swap or Route 53 update.

Question 62

What is the best architecture concerning Elastic Beanstalk and RDS databases in Production?

Answer 62

We do not want to provision an RDS database with Beanstalk in prod. The RDS lifecycle is tied to the Beanstalk lifecycle. Instead we should separately create the RDS instance and provide our EB application a connection string.

Question 63

How do we decouple RDS from Elastic Beanstalk?

Answer 63

We create a snapshot of RDS DB;
Go to the RDS console and protect the RDS database from deletion;
Create a new Elastic Beanstalk environment, without RDS, point your application to existing RDS;
Perform a CNAME swap or Route 53 update;
Terminate the old environment (RDS will not be deleted);
Since RDS will stay, need to delete CloudFormation stack;

Question 64

True or false, a single docker on an Elastic Beanstalk application utilizes RDS?

Answer 64

False. Only EC2

Question 65

What one of two things must we provide for single Docker container in Elastic Beanstalk?

Answer 65

Dockerfile or a dockerrun.aws.json v1 (points to an already built Image)

Question 66

What do we need to provide to set up a Multi Docker Container in Elastic Beanstalk?

Answer 66

Dockerrun.aws.json (v2). This is used to generate the ECS task definition.

Question 67

What is the ECS Capacity Provider?

Answer 67

A Capacity Provider help determine the allowed usage of resources for each task. When we create a service, we can choose a Capacity Provider (our CP strategy) instead of Fargate or EC2 to determine how tasks are placed.

Question 68

You would like your Elastic Beanstalk environment to expose an HTTPS endpoint instead of an HTTP endpoint in order to get in-flight encryption between your clients and your web servers. What must be done to setup HTTPS on Beanstalk?

Answer 68

Add a secure listener in the .ebextensions in a .config file

Question 69

You are looking to perform a set of repetitive and scheduled tasks asynchronously. Which Elastic Beanstalk environment should you setup?

Answer 69

Set up a Worker environment and a cron.yaml file

Question 70

What is the difference between a task placement strategy and a task placement constraint?

Answer 70

A placement strategy is a best attempt at placing or terminating tasks on services. A placement constraint is a more hard-nosed rule on where a task can get placed.