AWS Dev Jan 2022 Flashcards

1
Q

What is a region?

A

A cluster of datacenters. Most AWS services are region-scoped.

2
Q

How do you choose an AWS region?

A
  • Compliance - data may need to be local to a region.
  • Proximity - reduce latency for the bulk of users.
  • Available services - does the region have that service?
  • Pricing - varies region to region.
3
Q

Availability Zones

A

Each region normally has 3 AZs (6 is the max), e.g.
ap-southeast-2a
ap-southeast-2b
Altogether they form a region.
Each AZ is one or more data centers with redundant power, networking and connectivity. They are isolated from disasters.

4
Q

What does IAM stand for?

A

Identity and Access Management - a global service.
Create users in IAM.
Users can be grouped together if it makes sense, e.g. 'developers', 'operations'.

5
Q

Can groups contain other groups?

A

No, they can only contain users.
A user can belong to multiple groups.
Users and groups can be assigned a JSON doc called a policy.
Policies define the permissions of a user.

6
Q

What does an IAM policy consist of?

A

Version number
Statement
ID (optional)
SID (optional)
Effect - allow or deny
Principal - who it applies to
Action - list of actions the policy allows or denies
Resource - what resources it applies to

7
Q

Password policy

A

Prevent password reuse.
MFA - if the password is compromised the account still can't be taken over.
Virtual MFA device - on one phone.
Authy - multi-device.

8
Q

Password policy

A

Prevent password reuse.
MFA - if the password is compromised the account still can't be taken over.
Virtual MFA device - on one phone.
Authy - multi-device.

Universal 2nd Factor (U2F) security key
Supports multiple root and IAM users with a single security key.

Hardware key fob MFA device

Hardware key fob MFA device for GovCloud (US)

9
Q

CloudShell?

A

A terminal in AWS from which CLI commands can be run.
Only available in some regions.

10
Q

IAM role

A

Intended to be used by AWS services.
Assign permissions to an AWS service, e.g.:

EC2 instance (individual server) - may want to perform some action on AWS, so the EC2 instance needs to be given permission. EC2 uses the IAM role to access information from AWS and, if the permission is correct, gets access.
Lambda function role
Roles for CloudFormation

11
Q

Security groups?

A

Control how traffic is allowed into or out of EC2 instances.
Rules are defined either by IP addresses or by referencing other security groups.
Act as a firewall.
Regulate access to ports and authorised IP ranges.
Can be attached to multiple instances.
Locked down to a region/VPC combination.
Live outside EC2.
A time-out is probably a security group issue.
A 'Connection refused' error is likely an application error.
By default all inbound traffic is blocked and all outbound traffic is authorised.

12
Q

Ports

A

22 - SSH, log in to a Linux instance
21 - FTP
22 - SFTP, upload files using SSH
90 - HTTP, access unsecured sites
443 - HTTPS, access secure sites
3389 - RDP (Remote Desktop Protocol), log in to a Windows instance

13
Q

EBS

A

Network drive attached to an instance while it runs.
Persists data even after termination.
'Network USB stick'.
Locked to an AZ.
Delete on termination - controls the EBS behaviour when the EC2 instance terminates.

14
Q

EBS Snapshots

A

Backup.
Can restore it to another AZ.
EBS snapshot archive (24 - 72 hours to restore).
Recycle bin - stored for about 1 year.
Fast snapshot restore.

15
Q

AMI

A

Customisation of an EC2 instance - own software, configuration, monitoring tools.
Build your own AMIs - built for a specific region (can be copied across regions).
Quick start-up as everything is preconfigured.
Public AMI - AWS provided.
Own AMI.
AWS Marketplace AMI.
Start an EC2 instance, customise it, stop the instance for data integrity, build the AMI (this creates EBS snapshots), then launch instances from the AMI.
Unique for each AWS region.

16
Q

EC2 instance store

A

Name of the hard drive physically attached to the server.
Ephemeral (if the EC2 instance is stopped the data will be lost).
Good for buffer/cache/scratch data.
Better I/O performance.

17
Q

EBS Volume types

A

Differ by size / throughput / IOPS.
EC2 boot volumes can only be gp2/gp3 or io1/io2.
gp2/gp3 - low cost, cost-effective storage, low latency.
gp3 can set IOPS and throughput independently, but in gp2 they're linked.

Provisioned IOPS (io1/io2) - critical business applications needing sustained IOPS performance, or apps that need more than 16,000 IOPS.
Good for database workloads.

Hard disk drive st1, sc1
Cannot be a boot volume.
sc1 for infrequently accessed data - low cost.

Root volume - by default deleted on termination. Other EBS volumes are not deleted, as delete on termination is disabled by default for them.

EBS IOPS peaks at 16,000 IOPS or equivalent 5334 GB.

18
Q

EBS multi-attach

A
  • Up to 16 EC2 instances at a time.
  • Higher availability in clustered Linux applications (ex. Teradata).
  • Multiple EC2 instances in the same AZ.
19
Q

EFS

A

Managed NFS - can be mounted on many EC2 instances.
Works with EC2 in multiple AZs.
Highly available, expensive, pay per use.
Only compatible with Linux-based AMIs (not Windows).
Use cases: content management, web serving, WordPress, data sharing.
File system scales automatically.
Mount the same file system on instances in multiple AZs.

20
Q

EFS

A

Big data - Max I/O performance mode for big data.

21
Q

EFS - storage classes

A

Storage tiers:
Standard - frequently accessed files.
Infrequent Access - pay to access, lower cost to store.
Standard - multi-AZ.
Or for dev - One Zone IA (low cost), backups enabled by default.

22
Q

EBS vs EFS

A

Elastic Block Storage
Only attaches to one EC2 instance at a time.
Only in one AZ.
gp2 - IO increases if disk size increases.
io1 - increase IO independently.
Backups use IO, so don't run backups when the app is busy.

To migrate EBS to a new AZ, take a snapshot and restore the snapshot in another AZ.
Root EBS volumes are terminated when the instance is terminated (can adjust this setting).
Network volume that is only mounted on one instance.

23
Q

EFS

A

Mounted to 100s of instances across AZs.
EFS shares site files (WordPress).
Only for Linux (does not work for Windows).
Higher cost than EBS.
Leverage EFS IA for cost savings.
Network file system across multiple instances.

24
Q

Instance store

A

Max I/O onto an EC2 instance - but an ephemeral drive; data is lost if that instance is lost.
Best disk I/O - good for caching.
Can run a database, but data will be lost if the EC2 instance is stopped - can set up a replication mechanism on another EC2 instance with an instance store to have a standby copy, or set up backup mechanisms for the data.
For IOPS of 310,000.

25
Q

ELB

A

Managed load balancer.
Costs less than setting up your own and is better for scalability.

26
Q

Load balancer (ELB)

A

Link the security group of the EC2 instance with the SG of the load balancer (as the source). The EC2 instance will then only allow traffic coming from the load balancer - enhanced security.

Only the Network Load Balancer provides both a static DNS name and a static IP. The Application Load Balancer provides a static DNS name but does NOT provide a static IP. The reason is that AWS wants your Elastic Load Balancer to be accessible via a static endpoint, even if the underlying infrastructure that AWS manages changes.

27
Q

Application Load Balancer (ALB)

A

Load balancing to multiple HTTP apps across machines (target groups).
Load balancing to multiple apps on the same machine (containers).
Support for WebSocket and redirects.
Routing - routing based on the URL path to different target groups, and on the hostname in the URL and the query string.

Good for microservices and container-based apps (Docker and ECS).
Port mapping feature to redirect to a port on ECS.

28
Q

Target groups (ALB)

A

EC2 instances (managed by auto scaling)
ECS tasks
Lambda functions
IP addresses - must be private IPs

29
Q

NLB

A

Layer 4 load balancer - TCP and UDP traffic.
High performance - handles millions of requests per second.
Less latency than ALB.
One static IP per AZ.
Target groups - EC2 instances.
IP addresses - must be private IPs.
ALB - get a fixed IP address.
Network Load Balancers support both TCP and UDP protocols.

30
Q

Gateway Load Balancer

A

Analyse traffic.
Target groups: EC2 instances.
IP addresses (private IPs).

31
Q

Sticky sessions

A

Send the client to the same instance it was sent to previously.

Can be enabled for ALB and Classic.
Cookie - has an expiration date that controls this.
Keeps login session data.
Can cause an imbalance in the load.

Cookie types - application-based cookie: custom, generated by the application; must not use certain reserved AWS names.

Application: generated by the load balancer.

Duration-based:
Generated by the load balancer. Expiration is set by the load balancer.

32
Q

Cross-zone load balancing

A

Distribute evenly across instances in different AZs.

Enabled by default for ALB; can be disabled at the target group level.

NLB and Gateway
Disabled by default.
Some cost.

Classic
Disabled by default.
No charge.

If not enabled - traffic is distributed evenly across the AZs by the ELB, no matter how many instances are in each.

When Cross-Zone Load Balancing is enabled, ELB distributes traffic evenly across all registered EC2 instances in all AZs.

33
Q

SNI - Server Name Indication

A

Load multiple SSL certs onto one web server so that the server can serve multiple sites.
Requires the client to indicate the hostname of the target server in the initial SSL handshake.
Only works with ALB, NLB or CloudFront. Does not work with Classic.
Multiple target groups for different sites using multiple SSL certs.

34
Q

Auto Scaling Group

A

Minimum, maximum and desired number of EC2 instances.
Works with a load balancer.
Health checks are passed on from the load balancer to the ASG to terminate unhealthy instances.
Launch template - info on how to launch EC2 instances.

35
Q

Auto Scaling Group - scaling policies

A

Dynamic:
Target tracking - make sure capacity is always available.
Step scaling - based on a CloudWatch alarm.
Scheduled action - when you know the scale in advance.
Predictive scaling.

Metrics - CPU utilisation.
Request count per target - keep the number of requests per EC2 instance stable.
Average network in/out.

For each Auto Scaling Group, there's a Cooldown Period after each scaling activity. In this period, the ASG doesn't launch or terminate EC2 instances. This gives metrics time to stabilize. The default value for the Cooldown Period is 300 seconds (5 minutes).

36
Q

Server Name Indication (SNI)

A

Server Name Indication (SNI) allows you to expose multiple HTTPS applications, each with its own SSL certificate, on the same listener.

37
Q

RDS

A

PostgreSQL
MySQL
MariaDB
Oracle
Microsoft SQL server
Aurora

38
Q

Why RDS?

A

Managed service.
Automated provisioning and OS patching.
Continuous backups and restore (point-in-time restore).
Read replicas (performance).
Multi-AZ for disaster recovery.
Monitoring dashboard.
Maintenance windows.
Scaling capacity.
Storage on EBS (gp2 or io1).
Cannot SSH into the instances.

39
Q

RDS - storage auto scaling

A

Running out of storage - RDS will detect it and auto scale the storage.
Avoids manually scaling DB storage.
Set a maximum storage threshold.
Auto modifies if less than 10% of storage is free,
low storage lasts at least 5 mins,
and 6 hours have passed since the last modification.
Useful for apps which have unpredictable workloads.
Supports all RDS DB engines.

40
Q

Read replicas vs Multi-AZ

A

Read replicas help to scale reads.
Up to 5 read replicas - within AZ, cross-AZ or cross-region.
Replication is async, so reads are eventually consistent.
Replicas can be promoted to their own DB.
Read replicas are only for SELECT reads.
If the read replica is in the same region but a different AZ - no cost.

Multi-AZ
Sync replication.
One DNS name.
Increases availability.
Failover on loss of AZ, network or storage.
Not for scaling - just for standby.

Read replicas can be set up as Multi-AZ if desired.

41
Q

RDS single-AZ to Multi-AZ

A

Zero downtime.

42
Q

Aurora

A

Not open source.
Compatible with PostgreSQL/MySQL.
Cloud optimised - better performance than PostgreSQL/MySQL.
Storage auto grows up to 128 TB.
Don't need to worry about monitoring storage.
Up to 15 read replicas with auto scaling.
Failover - instantaneous.
High availability - stores 6 copies of data across 3 AZs; only needs 3 copies out of 6 for reads, 5 out of 6 for writes.
Self healing.
20% more cost.
One Aurora master that takes writes.
Cross-region replication.

Reader endpoint - connection load balancing; connects to all read replicas. Load balancing happens at the connection level, not the statement level.

43
Q

RDS and Aurora

A

Encrypt at rest using AWS KMS.
To encrypt an unencrypted DB: take a snapshot, restore it and encrypt the restored copy.
In-flight encryption - TLS ready by default; use the AWS TLS root certs client side.
IAM authentication roles to connect to the DB.
Security groups control network access to the Aurora/RDS DB.
No SSH, except RDS Custom SSH access.
Audit logs can be enabled; send them to CloudWatch for longer retention.

44
Q

ElastiCache

A

ElastiCache - Redis or Memcached.

Redis - a bit like RDS - Multi-AZ with auto failover.
Read replicas to scale reads and have high availability.
Backup and restore.
Data durability.

Memcached - multi-node for partitioning of data.
No high availability.
Non-persistent.
No backup/restore.
Multithreaded architecture.

45
Q

VPC endpoint

A

Gives private access to an AWS service.

46
Q

Site-to-Site VPN

A

Connect an on-premises VPN to AWS.
Automatically encrypted.
Goes over the public internet.
Cannot access VPC endpoints.

47
Q

direct connect (DX)

A

Physical connection between on-premises and AWS.

Connection is private, secure and fast.
Goes over a private network.
Takes at least a month to establish.

Cannot access VPC endpoints.

49
Q

VPC Gateway Endpoint

A

Amazon S3 and DynamoDB.

All other services use interface endpoints.

50
Q

VPC Flow Logs

A

Capture info about the IP traffic going to and from network interfaces.

51
Q

S3 security

A

User-based - IAM policies
Resource-based - S3 bucket policies
ACLs

Encryption - S3 bucket keys

52
Q

S3 storage classes

A

Durability - how often S3 will lose an object. S3 has high durability.
Same for all storage classes.

Availability - depends on the storage class.
S3 Standard has high availability.

53
Q

S3 Standard

A

Low latency and high throughput.
Used for frequently accessed data.
99.99% availability.

54
Q

S3 Infrequent Access

A

Less frequently accessed data that requires rapid access when needed.
Lower cost than S3 Standard.
Disaster recovery/backups.

One Zone-Infrequent Access
Lower availability (95%).
High durability, but data is lost when the AZ is destroyed.
For storing secondary backups of on-premises data, or data you can recreate.

55
Q

Glacier storage classes

A

Low cost - archiving/backup.
Pricing - price for storage + object retrieval cost.

Instant Retrieval
Millisecond retrieval. Great for data accessed once a quarter.

Flexible Retrieval
Expedited - up to 5 mins.
Standard - 3 to 5 hours.
Bulk - 5 to 12 hours (free).
Minimum storage duration 90 days.

Deep Archive
Standard - 12 hours.
Bulk - 48 hours.

56
Q

Intelligent-Tiering

A

Small monthly monitoring and auto-tiering fee.
No retrieval charges.
Moves objects automatically between storage tiers based on usage.

Frequent Access (default)
Infrequent Access (30 days)
Archive Instant Access (90 days)
Archive Access (90 to 700+ days)
Deep Archive Access (180 to 700+ days)

57
Q

Transfer Acceleration

A

Uses the AWS private network to send the file to a different location.

58
Q

S3 byte-range fetches

A

Speed up downloads.
Retrieve partial data.