AWS Dev Jan 2022 Flashcards
What is a region?
A cluster of datacenters. Most AWS services are region-scoped.
How do you choose an AWS region?
- Compliance - data may need to stay within a region.
- Proximity - reduce latency for the bulk of users.
- Available services - does the region have that service?
- Pricing - varies from region to region.
Availability Zones
Each region normally has 3 (6 is the max)
ap-southeast-2a
ap-southeast-2b
Altogether they form a region.
Each AZ is one or more data centres with redundant power, networking and connectivity. They are isolated from disasters.
IAM stands for?
Identity and access management - global service.
Create users in IAM
Can be grouped together if it makes sense e.g. ‘developers’, ‘operations’
Can groups contain other groups?
No they can only contain users
A user can belong to multiple groups.
Users and groups can be assigned a JSON document called a policy.
A policy defines the permissions of the user.
IAM policy consists of?
Version number
Statement
ID (optional)
SID (optional)
Effect - allow or deny
Principal - who the policy applies to
Action - list of actions the policy allows or denies
Resource - which resources the policy applies to
Password policy
prevent password reuse
MFA - if the password is compromised the account still can’t be accessed
virtual MFA device - on one phone
authy - multi device
Universal 2nd factor (U2F) security key
Supports multiple root and IAM users with a single security key.
Hardware key fob MFA device
Hardware Key fob MFA Gov Cloud (US)
Cloudshell?
Terminal in the AWS console where CLI commands can be run from
Only available in some regions
IAM role
Intended to be used by AWS services
Assigns permissions to an AWS service, e.g.
EC2 instance (individual server) - may need to perform some action on AWS, so the instance must be given permission. The EC2 instance uses the IAM role to access AWS, and if the role’s permissions allow it, access is granted.
Lambda function role
Roles for CloudFormation
Security groups?
Control how traffic is allowed into or out of EC2 instances.
Rules reference either IP addresses or other security groups.
Act as a firewall
Regulate access to ports and authorised IP ranges
Can be attached to multiple instances
Locked down to a region/VPC combination
Live outside EC2
Time-out - probably a security group issue
‘Connection refused’ error - likely an application error
By default all inbound traffic is blocked and all outbound traffic is authorised
Ports
22 SSH - log into a Linux instance over SSH
21 FTP
22 SFTP - upload files using SSH
80 HTTP - access unsecured sites
443 HTTPS - access secure sites
3389 RDP - log into a Windows instance (Remote Desktop Protocol)
EBS
Network drive attached to an instance while it runs
Persists data even after termination
‘network USB stick’
Locked to an AZ
Delete on Termination attribute - controls what happens to the EBS volume when the EC2 instance terminates
EBS Snapshots
Backup
Can restore it to another AZ
EBS Snapshot Archive (24 - 72 hours to restore)
Recycle Bin - deleted snapshots are stored for about 1 year
Fast snapshot restore
AMI
Customisation of an EC2 instance - own software, configuration, monitoring tools.
Build your own AMIs - built for a specific region (can be copied across regions)
Quick start-up as everything is preconfigured
Public AMI - AWS provided
Own AMI
AWS Marketplace AMI
Start an EC2 instance, customise it, stop the instance for data integrity, build the AMI (this creates EBS snapshots), then launch instances from the AMI.
AMIs are unique to each AWS region
EC2 instance store
The physical hard drive attached to the host server
Ephemeral (if the EC2 instance is stopped the data is lost)
Good for buffer/cache/scratch data
Better I/O performance
EBS Volume types
Differ in size / throughput / IOPS
Only gp2/gp3 and io1/io2 can be boot volumes
gp2/gp3 - low cost, effective storage, low latency
gp3 can set IOPS and throughput independently, but in gp2 they are linked
Provisioned IOPS (io1/io2) - critical business applications needing sustained IOPS performance, or apps that need more than 16,000 IOPS
Good for database workloads.
Hard disk drive - st1, sc1
Cannot be boot volumes
sc1 for infrequently accessed data - low cost
Root volume - deleted on termination by default. Other EBS volumes are not deleted, as the attribute is disabled by default
EBS IOPS peaks at 16,000 IOPS, or the equivalent 5,334 GB volume size.
EBS multi-attach
- up to 16 EC2 instances at a time
- higher availability in clustered Linux applications (e.g. Teradata)
- multiple EC2 instances in the same AZ
EFS
Managed NFS - can be mounted on many EC2 instances
Works with EC2 instances across multiple AZs
Highly available, expensive, pay per use
Only compatible with Linux-based AMIs (not Windows)
Use cases: content management, web serving, WordPress, data sharing
File system scales automatically
Mount the same file system on instances in multiple AZs
EFS performance
Big data - Max I/O mode for big data
EFS -storage classes
Storage tiers:
Standard - frequently accessed files
Infrequent Access - pay to access, lower cost to store
Standard - multi AZ
Or for dev - One Zone IA (low cost), backups by default
ebs vs efs
Elastic Block Store
Attaches to only one EC2 instance at a time
Locked to one AZ
gp2 - I/O increases as disk size increases
io1 - increase I/O independently
Backups use I/O, so don’t run backups when the app is busy
To migrate EBS to a new AZ, take a snapshot and restore it in the other AZ
Root EBS volumes are terminated when the instance is terminated (can adjust this setting)
Network volume that can be mounted on only one instance
EFS
Mounted on 100s of instances across AZs
EFS shares site files (e.g. WordPress)
Only for Linux (does not work for Windows)
Higher cost than EBS
Leverage EFS IA for cost savings
Network file system across multiple instances
Instance store
Max I/O for an EC2 instance - but an ephemeral drive. The data is lost if that instance is lost
Best disk I/O - good for caching
Can run a database, but data will be lost if the EC2 instance is stopped. Can set up a replication mechanism on another EC2 instance with an instance store to keep a standby copy, or set up backup mechanisms for the data
For IOPS of 310,000
elb
Managed load balancer
Costs less than setting up your own and better for scalability
Load balancer ELB
Link the security group of the EC2 instance with the SG of the load balancer (as the source). The EC2 instance will then only allow traffic coming from the load balancer - enhanced security
Only the Network Load Balancer provides both a static DNS name and a static IP, while the Application Load Balancer provides a static DNS name but does NOT provide a static IP. The reason is that AWS wants your Elastic Load Balancer to be accessible using a static endpoint, even if the underlying infrastructure that AWS manages changes.
Application load balancer alb
Load balancing to multiple HTTP apps across machines (target groups)
Load balancing to multiple apps on the same machine (containers)
Support for WebSocket and redirects
Routing - routing to different target groups based on URL path, hostname in the URL, and query string
Good for microservices and container-based apps (Docker and ECS)
Port mapping feature - redirects to the ECS task’s port
Target groups (ALB)
EC2 instances (managed by auto scaling)
ECS tasks
Lambda functions
IP addresses - must be private IPs
nlb
Layer 4 load balancer - TCP and UDP traffic
High performance - handles millions of requests per second
Less latency than ALB
One static IP per AZ
Target groups - EC2 instances
IP addresses - must be private IPs
ALB as a target - to get a fixed IP address
Network Load Balancers support both TCP and UDP protocols.
gateway load balancer
Used to analyse traffic
Target groups - EC2 instances
IP addresses (private IPs)
sticky sessions
Send the client to the same instance it was sent to previously.
Can be enabled for ALB and Classic
Cookie - has an expiration date that controls the stickiness
Used for login session data
May cause an imbalance in the load
Application-based cookie - custom, generated by the application; must not use certain reserved AWS cookie names
Application cookie: generated by the load balancer
Duration-based cookie:
Generated by the load balancer; expiration set by the load balancer
cross zone load balancer
Distributes evenly across instances in different AZs
Enabled by default for ALB; can be disabled at the target group level
NLB and Gateway
Disabled by default
Some cost
Classic
Disabled by default
No charge
If not enabled - the ELB distributes traffic evenly between AZs no matter how many instances each AZ has
When Cross-Zone Load Balancing is enabled, ELB distributes traffic evenly across all registered EC2 instances in all AZs.
SNI - Server Name Indication
Loads multiple SSL certs onto one web server so that the server can serve multiple sites.
Requires the client to indicate the hostname of the target server in the initial SSL handshake
Only works with ALB, NLB or CloudFront. Does not work with Classic.
Multiple target groups for different sites using multiple SSL certs
auto scaling group
Minimum, maximum and desired number of EC2 instances
Works with a load balancer
Health checks are passed on from the load balancer to the ASG to terminate unhealthy instances
Launch template - info on how to launch EC2 instances
Auto scaling group - scaling policies
Dynamic:
Target tracking - make sure it is always available
Step scaling - CloudWatch alarm
Scheduled action - know the scale in advance
Predictive scaling
Metrics - CPU utilisation
Request count per target - keep the number of requests per EC2 instance stable
Average network in/out
For each Auto Scaling Group, there’s a Cooldown Period after each scaling activity. In this period, the ASG doesn’t launch or terminate EC2 instances. This gives time to metrics to stabilize. The default value for the Cooldown Period is 300 seconds (5 minutes).
Server Name Indication (SNI)
Server Name Indication (SNI) allows you to expose multiple HTTPS applications, each with its own SSL certificate, on the same listener.
RDS
PostgreSQL
MySQL
MariaDB
Oracle
Microsoft SQL server
Aurora
Why RDS?
Managed service
Automated provisioning and OS patching
Continuous backups and point-in-time restore
Read replicas (performance)
Multi AZ for disaster recovery
Monitoring dashboard
Maintenance windows
Scaling capacity
Storage on EBS (gp2 or io1)
Cannot SSH into the instances
RDS - Auto scaling
Running out of storage - RDS will detect it and auto scale the storage
Avoids manually scaling db storage
Set a maximum storage threshold
Auto modifies if less than 10% of storage is free
Low storage lasts at least 5 mins
6 hours have passed since the last modification
Useful for apps with unpredictable workloads
Supports all RDS db engines
Read replicas vs multi az
Read replicas help to scale reads
Up to 5 read replicas - within AZ, cross AZ or cross region
Replication is async so reads are eventually consistent
Replicas can be promoted to their own db
Read replicas only for SELECT reads
If the read replica is in the same region but a different AZ - no cost
Multi AZ
Sync replication
One DNS name
Increases availability
Failover on loss of AZ, network or storage
Not for scaling - just a standby
Read replicas can be set up as multi AZ if desired
RDS single AZ to multi AZ
0 downtime
Aurora
Not open source
Compatible with PostgreSQL/MySQL
Cloud optimised - better performance than PostgreSQL/MySQL
Storage auto grows up to 128 TB
Don’t need to worry about monitoring storage
Up to 15 read replicas with auto scaling
Failover - instantaneous
High availability - stores 6 copies of data across 3 AZs. Only needs 3 copies out of 6 for reads, 5 out of 6 for writes
Self healing
20% more cost
One Aurora master that takes writes
Cross region replication
Reader endpoint - connection load balancing. Connects to all read replicas. Load balancing happens at the connection level, not the statement level.
rds and aurora
Encryption at rest
Using AWS KMS
To encrypt an unencrypted db: take a snapshot, restore it and encrypt the copy
In-flight encryption - TLS ready by default - use the AWS TLS root certs on the client side
IAM auth roles to connect to the db
Security groups control network access to the Aurora/RDS db
No SSH, except with RDS Custom
Audit logs can be enabled. Send them to CloudWatch for longer retention
elasticache
ElastiCache - Redis or Memcached
Redis - a bit like RDS - multi AZ with auto failover
Read replicas to scale reads and have high availability
Backup and restore
Data durability
Memcached - multi node for partitioning of data
No high availability
Non persistent
No backup/restore
Multithreaded architecture
VPC endpoint
Gives private access to AWS services
Site-to-site VPN
Connects a VPN to AWS
Auto encrypted
Goes over the public internet
Cannot access VPC endpoints
Direct Connect (DX)
Physical connection between on-premises and AWS
Connection is private, secure and fast
Goes over a private network
Takes at least a month to establish
cannot access vpc endpoints
VPC Gateway Endpoint
Amazon S3 and DynamoDB.
All other services use an interface endpoint
VPC Flow Logs
Capture info about traffic going to and from network interfaces
S3 security
User-based - IAM policies
Resource-based - S3 bucket policies
ACLs
Encryption - S3 bucket keys
s3 storage classes
Durability - how often S3 will lose an object. S3 has high durability.
Same for all storage classes
Availability - depends on the storage class
S3 Standard has high availability
S3 Standard
Low latency and high throughput
Used for frequently accessed data
99.99% availability
S3 Infrequent Access
Less frequently accessed data that requires rapid access when needed
Lower cost than S3 Standard
Disaster recovery/backups
One Zone Infrequent Access
Lower availability 95%
High durability, but data is lost when the AZ is destroyed
Storing secondary backups of on-premises data, or data you can recreate
glacier storage class
Low cost - archiving/backup
Pricing - price for storage + object retrieval cost
Instant Retrieval
Millisecond retrieval. Great for data accessed once a quarter
Flexible Retrieval
Expedited - up to 5 mins
Standard - 3 to 5 hours
Bulk - 5 to 12 hours (free)
Minimum storage duration 90 days.
Deep Archive
Standard - 12 hours
Bulk - 48 hours
intelligent tiering
Small monthly monitoring and auto-tiering fee
No retrieval charges
Moves objects automatically between storage tiers based on usage
Frequent Access (default)
Infrequent Access (30 days)
Archive Instant Access (90 days)
Archive Access (90 to 700+ days)
Deep Archive Access (180 to 700+ days)
Transfer Acceleration
Uses the AWS private network to send a file to a different location
S3 byte-range fetches
Speed up downloads
Retrieve partial data