AWS Concepts Flashcards
What is an EC2 Burstable Instance?
A burstable (T-family: T2, T3, T4g) instance runs at a baseline CPU level and earns CPU credits while it sits below that baseline; when load spikes it spends those credits to burst above the baseline. Once the credits are gone it falls back to baseline (or, in unlimited mode, keeps bursting and is billed for the extra credits).
You plan on running an open source MongoDB database year-round on EC2. Which instance launch mode should you choose?
Reserved Instances
You would like to deploy a DB and the vendor license bills you based on the physical cores and underlying socket visibility. Which EC2 launch modes allow you to get visibility into them?
Dedicated hosts
You are running a critical workload of three hours per week, on Monday. Which EC2 Instance Launch Type should you choose to maximize the cost savings while ensuring the application stability?
Scheduled Reserved Instances
What is load balancing?
Load balancers are servers that forward internet traffic to multiple servers (EC2 instances) downstream
What are some reasons to use a load balancer?
Expose a single point of access (DNS) to your application;
Handle failures of downstream instances;
Provide SSL termination (HTTPS) for your websites;
Enforce Stickiness with cookies;
High availability across zones (can forward to instances in different AZs);
Separate public traffic from private traffic;
What is an EC2 reserved instance?
A reserved instance is the same as the On-Demand, however, because you have reserved it for a set period of time, it is heavily discounted
What is Load Balancer stickiness?
It is when the same client is always routed to the same instance behind a load balancer;
the load balancer sets a cookie whose expiration you control, and routes on it while it is valid.
What can you do to make sure a user doesn’t lose their session data on their server?
Use Load Balancer stickiness
What is Cross-Zone Load Balancing?
With it on, each load balancer node distributes requests evenly across all registered instances in all AZs;
with it off, each load balancer node distributes requests only across the registered instances in its own AZ.
True or False: cross-zone load balancing is always on for Application Load Balancer and Classic Load Balancer?
False; Cross-Zone Load Balancing is always on for ALB (can’t be disabled) but for CLB it is off by default when created through the API/CLI and must be enabled (the same is true for NLB, where enabling it adds cross-AZ data transfer charges).
What is SSL/TLS?
An SSL (Secure Sockets Layer) certificate installed on the load balancer allows traffic between your clients and your load balancer to be encrypted in transit (in-flight encryption); TLS (Transport Layer Security) is the newer protocol that replaced SSL, though “SSL certificate” is still the everyday term
What is SNI?
Server Name Indication; it solves the problem of serving multiple TLS certificates (multiple websites) from one IP address and listener;
Supported by ALB and NLB (and CloudFront), not by the Classic Load Balancer
How does SNI work?
The client sends the hostname it wants in the ClientHello, the first message of the TLS handshake, so the server can pick the matching certificate before encryption is negotiated. Because it is sent before any key exchange, the SNI hostname travels in cleartext and is visible to anyone on the path.
What does a de-registration delay in load balancing help with?
A de-registration delay is set so that when an instance is being de-registered (or marked unhealthy), the load balancer still gives in-flight requests to that target time to complete;
new requests are no longer sent to the instance during the delay
When you specify an average performance of a characteristic of an ASG (ex. ASG CPU to stay around 40%), what scaling policy is this?
Target Tracking Scaling
Example: When a CloudWatch alarm is triggered (CPU > 70%), then add 2 units.
What Scaling Policy is this an example of?
Simple / Step Scaling
You can anticipate usage patterns for ASG instances; what scaling policy should you use?
Scheduled Actions Scaling Policy
What is the purpose of a Scaling Cooldown?
The cooldown period helps to ensure that your Auto Scaling group doesn’t launch or terminate additional instances before the previous scaling activity takes effect
Your application is using an Application Load Balancer. It turns out your application only sees traffic coming from private IP which are in fact your load balancer’s. What should you do to find the true IP of the clients connected to your website?
Look into the X-Forwarded-For header in the backend. The ALB appends the address it saw on the connection to the end of that header, so read the rightmost entry; anything to its left was supplied by the client and can be forged.
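The following is an added example, not from the original flashcards, showing the safe way to read X-Forwarded-For behind an ALB and the common mistake next to it. Because the ALB appends the connection's source address, the rightmost entry is the only one it vouches for; when another trusted proxy (CloudFront, for instance) sits in front of the ALB, its address is the last one and must be skipped. The header values and the proxy address are constructed sample data.

```python
# Added example, not from the original page: trustworthy client IP extraction from X-Forwarded-For.
import ipaddress


def client_ip_from_xff(xff_header, trusted_proxies=()):
    """Return the rightmost address that is not a trusted proxy, or None if the header is unusable.

    trusted_proxies: iterable of IP or CIDR strings for hops you control between client and app.
    """
    if not xff_header:
        return None
    trusted_nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    hops = [h.strip() for h in xff_header.split(",")]
    for hop in reversed(hops):            # walk from the trusted end of the chain
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None                   # malformed hop in the trusted tail: refuse to guess
        if any(addr in net for net in trusted_nets):
            continue                      # skip our own proxies and keep walking left
        return str(addr)
    return None                           # every hop was one of our proxies


def naive_leftmost(xff_header):
    """The common bug: trusting the first entry, which the client fully controls."""
    return xff_header.split(",")[0].strip()


if __name__ == "__main__":
    # Constructed sample: the client forged 203.0.113.9, the ALB appended the real 198.51.100.7.
    forged = "203.0.113.9, 198.51.100.7"
    print(naive_leftmost(forged))          # 203.0.113.9  (attacker-chosen)
    print(client_ip_from_xff(forged))      # 198.51.100.7 (what the ALB saw)
```

Use the rightmost-trusted approach for rate limiting, allow lists and audit logs; if you log the leftmost value, an attacker can make any address appear in your logs. The same rule applies to the related X-Forwarded-Proto and X-Forwarded-Port headers the ALB sets.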
Your boss wants to scale your ASG based on the number of requests per minute your application makes to your database. What do you do?
You create a CloudWatch custom metric and build an alarm on this to scale your ASG
A web application hosted in EC2 is managed by an ASG. You are exposing this application through an Application Load Balancer. The ALB is deployed on the VPC with the following CIDR: 192.168.0.0/18. How do you configure the EC2 instance security group to ensure only the ALB can access the port 80?
Open up the EC2 security on port 80 to the ALB’s security group
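As an added example (not from the original flashcards), here is an audit that checks an instance security group for exactly this rule: port 80 must be reachable only from the ALB's security group, never from a CIDR such as the VPC range in the question. The input has the shape of an EC2 `describe_security_groups` response so a real response from boto3 can be passed in; the group IDs and rules below are constructed placeholders.

```python
# Added example, not from the original page: audit and build "ALB security group only" ingress on port 80.
ALB_SG = "sg-0aaaaaaaaaaaaaaa0"   # constructed placeholder for the ALB's security group ID


def alb_only_ingress(alb_sg_id, port=80):
    """Return the IpPermissions entry you would pass to authorize_security_group_ingress."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [],                                # no CIDR sources at all
        "Ipv6Ranges": [],
        "UserIdGroupPairs": [{"GroupId": alb_sg_id}],  # source = the ALB's security group
    }


def _covers_port(perm, port):
    if perm.get("IpProtocol") == "-1":                 # "all traffic" rules cover every port
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def port_findings(security_groups, alb_sg_id, port=80):
    """Return (group_id, problem) for each rule that exposes `port` to anything but the ALB SG."""
    findings = []
    for sg in security_groups:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            if not _covers_port(perm, port):
                continue
            for r in perm.get("IpRanges", []):
                findings.append((gid, f"CIDR {r['CidrIp']} allowed on port {port}"))
            for r in perm.get("Ipv6Ranges", []):
                findings.append((gid, f"CIDR {r['CidrIpv6']} allowed on port {port}"))
            for pair in perm.get("UserIdGroupPairs", []):
                if pair.get("GroupId") != alb_sg_id:
                    findings.append((gid, f"security group {pair.get('GroupId')} allowed on port {port}"))
    return findings


# Constructed sample data in describe_security_groups shape.
SAMPLE_GROUPS = [
    {   # correct: only the ALB's security group may reach port 80
        "GroupId": "sg-0bbbbbbbbbbbbbbb1",
        "IpPermissions": [alb_only_ingress(ALB_SG)],
    },
    {   # wrong answer from the question: the whole VPC CIDR can reach port 80
        "GroupId": "sg-0ccccccccccccccc2",
        "IpPermissions": [{
            "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
            "IpRanges": [{"CidrIp": "192.168.0.0/18"}], "Ipv6Ranges": [], "UserIdGroupPairs": [],
        }],
    },
    {   # worse: an all-traffic rule open to the internet
        "GroupId": "sg-0ddddddddddddddd3",
        "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                           "Ipv6Ranges": [], "UserIdGroupPairs": []}],
    },
]

if __name__ == "__main__":
    for gid, problem in port_findings(SAMPLE_GROUPS, ALB_SG):
        print(gid, problem)
```

Opening the port to the VPC CIDR would let any compromised host in the VPC talk to the instances directly and bypass the ALB's listener rules, WAF and access logs; referencing the ALB's security group as the source keeps the rule correct even as the ALB's private IPs change.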
You are running an application in 3 AZ, with an Auto Scaling Group and a Classic Load Balancer. It seems that the traffic is not evenly distributed amongst all the backend EC2 instances, with some AZ being overloaded. Which feature should help distribute the traffic across all the available EC2 instances?
Cross Zone Load Balancing
True or False: An EBS volume is locked to an AZ
True
What is the GP2 (SSD) EBS Volume
General purpose SSD volume that balances price and performance for a wide variety of workloads
What is the IO1 (SSD) EBS Volume
Highest-performance SSD volume for mission-critical low-latency or high-throughput workloads which is I/O intensive;
Good for large DB workloads such as MongoDB, PostgreSQL, etc.;
What is the ST1 (HDD) EBS Volume
Low cost HDD volume designed for frequently accessed, throughput-intensive workloads
What is the SC1 (HDD) EBS Volume
Lowest cost HDD volume designed for less frequently accessed workloads
What is a main difference of EBS vs Instance Store
Instance store is storage physically attached to the host machine (EBS is a network drive);
Data stored on the Instance Store is ephemeral: it is lost on instance stop, termination or hardware failure.
EBS volumes can be encrypted at rest with KMS (and an encrypted volume keeps its data encrypted in snapshots and in transit between the volume and the instance)
If you need high IOPS would you use ESB or EC2 Instance Store?
EC2 Instance Store. It has much higher IOPS because it is a physical drive
Between EBS and EFS, which service can be mounted across AZs?
EFS
What are the 6 relational databases that AWS RDS supports?
Postgres, MySQL, MariaDB, Oracle, Microsoft SQL Server and Aurora
How many read replicas can you have for RDS?
Up to 5. They can be Within AZ, Cross AZ or Cross Region. Up to 15 with Aurora.
Business users want analytics on data from an RDS database. What architecture change can we make?
Make a replica of the RDS DB instance so that the reporting application that draws analytics does not disrupt or overflow traffic to the RDS DB instance; instead it reads from the replica
True or False: Read replicas can be encrypted without master encryption.
False. The master must be encrypted for the read replicas to be encrypted and vice-versa.
How do we encrypt the master and read replicas at rest?
AWS KMS. Encryption is defined at launch time.
How do we encrypt the RDS in-flight?
TLS. Download the RDS CA certificate bundle and point the client at it so the server certificate is verified, not merely used for encryption (sslmode=verify-full for PostgreSQL, the VERIFY_IDENTITY SSL mode for MySQL)
You need to encrypt an un-encrypted RDS backup. How would you do it?
You can copy an unencrypted snapshot into an encrypted one.
How would we encrypt an un-encrypted RDS database?
Create a snapshot. Copy the snapshot and enable encryption for the snapshot. Restore the database from the encrypted snapshot. Migrate applications to the new database and delete the old database
What are IAM policies used for with AWS RDS?
They decide who can manage RDS through the AWS API (create, modify, snapshot, delete instances);
With IAM database authentication enabled they also authorise the database connection itself (the rds-db:connect action), so a login token replaces the password;
Which two DBs do IAM authentication work with?
MySQL and PostgreSQL
What are the three benefits of IAM Authentication for RDS? What two databases support it?
Network in/out must be encrypted using SSL;
IAM to centrally manage users instead of managing access individually on each DB instance;
For applications running on Amazon EC2, you can use profile credentials specific to your EC2 instance to access your database instead of a password, for greater security;
MySQL and PostgreSQL;
What are four responsibilities that fall on the user for RDS security?
Check the ports / IP / security group inbound rules in DB’s SG;
In-database user creation and permissions or manage through IAM;
Creating a database with or without public access;
Ensure parameter groups or DB is configured to only allow SSL connections;
When faced with infrequent, intermittent or unpredictable workloads when it comes to AWS Databases, what should you use?
Aurora Serverless
How is Aurora Global Database distributed?
There is 1 primary region (read/write) and up to five secondary regions (read only) and up to 16 read replicas per secondary region
Explain User Session Store with ElastiCache
A user logs into any application instance. The application writes the session data to ElastiCache. The user hits another instance of the application and the instance can retrieve the data and the user does not have to re-authenticate.
True or False: Memcached is non persistent and has no backup and restore
True
True or False: Redis does not have backup and restore features
False
What type of data is caching effective for?
Data that changes slowly and where a small set of keys is read frequently
What is Lazy Loading / Cache-Aside / Lazy Population for ElastiCache?
It is when data requested from the cache is not there (a cache miss): the application then reads it from the DB and writes it into the cache so the next read is a hit
What are two cons for Lazy Loading Cache data?
Cache miss penalty that results in 3 round trips (noticeable delay for that request);
Stale data: data can be updated in the database and outdated in the cache
What is a write through for ElastiCache?
When data is written to the Amazon RDS, it is also written to ElastiCache
How can you mitigate missing data in Cache on a Write Through?
You can implement Lazy Loading strategy. That way, if you don’t find the data, it will go to the database.
Cache eviction can occur in what three ways?
Delete the item explicitly;
Item is evicted because memory is full and it’s not recently been used;
You set an item time-to-live;
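The three cards above (lazy loading, write-through, eviction) are easier to see in one working model, so here is an added example that is not from the original flashcards: a fake database that counts reads, a cache with per-item TTL and LRU eviction at capacity, and a store that reads cache-aside and writes either to the DB only (leaving the cache stale) or write-through. The class names, the injectable clock and the sample rows are constructed for the illustration.

```python
# Added example, not from the original page: cache-aside reads, write-through writes, and the
# three eviction paths (explicit delete, TTL expiry, memory-full LRU) in a small in-memory model.
import time
from collections import OrderedDict


class FakeDatabase:
    """Stand-in for RDS that counts reads so the extra round trips are visible."""

    def __init__(self, rows):
        self.rows = dict(rows)
        self.reads = 0

    def get(self, key):
        self.reads += 1
        return self.rows.get(key)

    def put(self, key, value):
        self.rows[key] = value


class Cache:
    """Stand-in for ElastiCache: per-item TTL plus LRU eviction when memory (capacity) is full."""

    def __init__(self, capacity, clock=time.monotonic):
        self.capacity = capacity
        self.clock = clock                      # injectable so tests can move time forward
        self._items = OrderedDict()             # key -> (value, expires_at); last = most recently used

    def get(self, key):
        item = self._items.get(key)
        if item is None:
            return None
        value, expires_at = item
        if expires_at is not None and self.clock() >= expires_at:
            del self._items[key]                # eviction path 3: TTL ran out
            return None
        self._items.move_to_end(key)            # mark as recently used
        return value

    def set(self, key, value, ttl=None):
        if key in self._items:
            self._items.move_to_end(key)
        elif len(self._items) >= self.capacity:
            self._items.popitem(last=False)     # eviction path 2: memory full, drop least recently used
        self._items[key] = (value, None if ttl is None else self.clock() + ttl)

    def delete(self, key):
        self._items.pop(key, None)              # eviction path 1: explicit delete


class UserStore:
    """Application layer: lazy loading on reads, with a stale-write and a write-through variant."""

    def __init__(self, db, cache, ttl=None):
        self.db, self.cache, self.ttl = db, cache, ttl
        self.hits = self.misses = 0

    def read(self, key):
        value = self.cache.get(key)             # round trip 1: cache lookup
        if value is not None:
            self.hits += 1
            return value
        self.misses += 1
        value = self.db.get(key)                # round trip 2: the miss penalty
        if value is not None:
            self.cache.set(key, value, self.ttl)  # round trip 3: populate for next time
        return value

    def write_db_only(self, key, value):
        """Updates the database but not the cache: readers see stale data until TTL or eviction."""
        self.db.put(key, value)

    def write_through(self, key, value):
        """Updates the database and the cache together, so the next read is a fresh hit."""
        self.db.put(key, value)
        self.cache.set(key, value, self.ttl)


if __name__ == "__main__":
    db = FakeDatabase({"user:1": "alice"})      # constructed sample row
    store = UserStore(db, Cache(capacity=100), ttl=60)
    store.read("user:1"); store.read("user:1")
    print(store.misses, store.hits, db.reads)   # 1 1 1: second read never touched the database
```

Write-through on its own still misses keys that were never written since the cache started, which is why the next card pairs it with lazy loading: the miss path fills in whatever write-through did not.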
Is data asynchronously or synchronously copied when Multi-AZ is enabled in RDS?
Synchronous (except for Aurora). RDS creates a primary DB Instance and synchronously replicates the data to the standby instance in a different AZ.
Is data asynchronously or synchronously copied when a read replica is created?
Asynchronously
What is a negative in doing Read Replicas in multi-AZ?
There is a network cost in going from one AZ to another
What is the major differences between Multi-AZ for availability and Read Replicas
Multi-AZ for availability keeps a synchronous standby in another AZ that you cannot connect to at all; RDS fails over to it automatically when the primary fails. It is for availability, not for scaling. Read replicas are for scaling reads: they are replicated asynchronously and serve read-only queries so the primary is not burdened, and a replica can be promoted to a standalone instance (useful for disaster recovery).
Read replicas can themselves be deployed as Multi-AZ, so a replica can have its own standby.
Which ElastiCache engine is multi-threaded, Redis or Memcached?
Memcached. Multi-threading is the main feature Memcached has that Redis lacks; Redis has everything else (replication, persistence, backup and restore, data structures)
For AWS Route 53, what are the most common records?
A (host name to IPv4), AAAA (host name to IPv6), CNAME (host name to host name) and Alias (host name to AWS resource)
What is a DNS Records TTL?
Time to Live. It is the duration, returned to the client with the record, for which the answer may be cached; it reduces the load on the DNS. It is mandatory for every record type except Alias, which inherits the TTL of the target AWS resource.
A CNAME and Alias can point to a root hostname true or false?
False; an Alias can point to root and non-root but a CNAME must point to a non-root domain
An alias must point a hostname to an AWS Resource true or false
True
Multiple values are returned to the client using a simple routing policy. Which route is chosen?
It is chosen by random by the client
You can attach health checks to a simple routing policy, true or false?
False. A simple routing record cannot be associated with a health check; use multi-value, weighted, latency or failover routing when you need one
What is a weighted routing policy?
It controls the percentage of the requests that go to a specific endpoint
What is latency routing policy?
Routes the client to the region whose resources have the lowest measured latency for that client
What three things can you monitor in a route53 health check?
Endpoint, status of other health checks, or state of a CloudWatch alarm
What is a Failover Routing Policy?
Route 53 will perform a health check on a primary resource, and if unhealthy, will route to the secondary, disaster-recovery resource.
What is Geo Location Routing Policy?
Routes the user based on the geographic location the DNS query comes from (continent, country or US state), with a default record for locations that match nothing
What is the difference between Geo Location Routing Policy and Latency Routing Policy?
Geolocation ignores latency and simply maps a location to a resource. Latency routing may send users to a resource that is not in their geographic region if that resource answers faster.
Whats a reason you would choose Multi-Value routing policy over simple routing policy in Route53?
In Multi-Value, you can associate your routing records with a Route53 health check.
What is a NAT Gateway?
It enables instances in a private subnet to initiate communication to the internet, but doesn’t allow the internet to initiate communication to the private subnet.
You want only the load balancer to talk to your EC2 instances. How do we set this up?
Let the load balancer accept the public traffic; its listener forwards to the target group. Target groups have no security group of their own, so on the EC2 instances' security group allow the application port with the load balancer's security group as the Source (not a CIDR range).
What is a Target Group in EC2?
A target group is a set of registered targets (EC2 instances, IP addresses or Lambda functions) with its own port and health check. The listener rules on the load balancer decide which target group a request goes to, based on path, hostname, query string, headers or source IP.
What is the purpose of Network Load Balancers?
To forward TCP & UDP traffic to your instances
How many static IPs per AZ do Network Load Balancers have?
One
Load Balancers provide a static IPv4 address, true or false?
False for ALB and CLB: they provide a stable DNS name whose underlying IP addresses change over time. The exception is the Network Load Balancer, which gets one static IP (optionally an Elastic IP) per AZ.
You are running a website with a load balancer and 10 EC2 instances. Your users are complaining about the fact that your website always asks them to re-authenticate when they switch pages. You are puzzled, because it’s working just fine on your machine and in the dev environment with 1 server. What could be the reason?
The Load Balancer does not have stickiness enabled
Application Load Balancers handle TCP, true or false?
False. The ALB works at layer 7 (HTTP, HTTPS, gRPC); raw TCP, UDP and TLS passthrough are the job of the Network Load Balancer
I have an ASG and an ALB, and I setup my ASG to get health status of instances thanks to my ALB. One instance has just been reported unhealthy. What will happen?
The ASG will terminate the EC2 Instance. Remember, the ELB is not in charge of scaling instances.
Scaling an instance from an r4.large to an r4.4xlarge is called
Vertical Scaling
You would like to expose a fixed static IP to your end-users for compliance purposes, so they can write firewall rules that will be stable and approved by regulators. Which Load Balancer should you use?
Network Load Balancer. The Network Load Balancer exposes a static IP, whereas an Application or Classic Load Balancer expose a static DNS (URL)
Your application load balancer is hosting 3 target groups with hostnames being users.example.com, api.external.example.com, and checkout.example.com. You would like to expose HTTPS traffic for each of these hostnames. How do you configure your ALB SSL certificates to make this work?
Use SNI. Server Name Indication is a feature allowing you to expose multiple SSL certs if the client supports it
Your Application Load Balancer (ALB) currently is routing to two target groups, each of them is routed to based on hostname rules. You have been tasked with enabling HTTPS traffic for each hostname and have loaded the certificates onto the ALB. Which ALB feature will help it choose the right certificate for your clients?
Server Name Indication (SNI)
An application is deployed with an Application Load Balancer and an Auto Scaling Group. Currently, the scaling of the Auto Scaling Group is done manually and you would like to define a scaling policy that will ensure the average number of connections to your EC2 instances is averaging at around 1000. Which scaling policy should you use?
Target Tracking
What does a listener do in an ALB? What do the rules do?
It checks for connection requests from clients, using the protocol and port that you configure. The rules that you define for the listener determine how the load balancer routes requests to its registered targets.
For EBS, when would you use HDD and when would you use SSD?
Use HDD when you want to optimize for large streaming workloads where the dominant performance attribute is throughput;
Use SSD when you want to optimize for transactional workloads involving frequent read/write operations with small I/O size, where the dominant performance attribute is IOPS;
How do we enforce SSL/TLS encryption with PostgreSQL and MySQL?
PostgreSQL: in the RDS DB parameter group set rds.force_ssl=1; the server then rejects any connection that is not encrypted.
MySQL, per user inside the database: GRANT USAGE ON *.* TO 'mysqluser'@'%' REQUIRE SSL; (on MySQL 8.0, where GRANT can no longer set account attributes, use ALTER USER 'mysqluser'@'%' REQUIRE SSL;). To require it for every user instead, set require_secure_transport=1 in the DB parameter group.