AWS Fundamentals Flashcards
Public vs Private Services
- Public or Private Service - NETWORKING PERSPECTIVE
A public AWS service is something which is accessed using public endpoints, such as S3. S3 can be accessed from anywhere which has an internet connection.
A private AWS service is something which runs within a VPC, so only things within that VPC or what is connected to that VPC, can access the service.
For both of these, there are permissions as well as networking, so even though S3 is a public service, by default an identity other than the account root user has no authorization to access that resource.
-Permissions and networking are two different considerations when talking about access to a service
Three Different Network Zones
“Public Internet” Zone
This is the zone where internet-based services operate from, like online stores, Gmail and various online games.
“AWS Public” Zone
It’s a network that runs between the public internet and the AWS private zone networks. This zone is the network where AWS public services operate from, services with public endpoints such as S3.
-Access to Public AWS using Internet as transit
“AWS Private” Zone (VPC - Virtual Private Cloud)
These are isolated: VPCs can’t communicate with each other unless you allow it (VPC Peering), and nothing from the internet can reach these private networks unless you configure it. Services can be placed into these private zones, such as EC2 instances, and they can only access the internet using an Internet Gateway (IGW).
-Private services (EC2) can access the internet via IGW, as long as it has an allocated public IP address.
-EC2 can access the AWS public zone via IGW, for services such as S3. (This data doesn’t touch the public internet)
-Private services (EC2) can be given a public IP - 1:1 translated by the IGW, this allows the resource to be accessed from the public internet.
-On-premises can access VPCs only if configured via VPN or Direct Connect
AWS Global Infrastructure
AWS has created its infrastructure platform as a collection of individual infrastructure located worldwide.
AWS Regions
It’s an area of the world that AWS has selected, and inside this region there is a full deployment of AWS infrastructure. AWS Regions consist of multiple, physically separated and isolated Availability Zones that are connected with low latency, high throughput, highly redundant networking.
-Regions are geographically spread - as a Solutions Architect (SA), we can use these regions to design systems which can withstand global-level disasters
-When you interact with most AWS services, what you’re doing is interacting with that service in a specific region
-You can refer to it using a region code or name
As a Solutions Architect, regions have three main benefits:
- Geographic Separation - Isolated Fault Domain = If something terrible happens such as a terrorist attack or a natural disaster, then a problem in one region wouldn’t affect other regions.
- Geographic Separation - Different Governance = By picking a region, you will be subject to the laws and regulations of the region that your infrastructure is stored in.
- Location Control - Performance = Regions give you location control, which allows you to tune your architecture for performance. You can place infrastructure as close to your customers as possible.
Availability Zones
Availability Zones consist of one or more discrete data centers, each with redundant power, networking, and connectivity, and housed in separate facilities. These are distinct locations within an AWS Region that are engineered to be isolated from failures in other Availability Zones.
-Services can be placed across multiple availability zones, to make them resilient, by using VPC
AWS Edge Locations
You often can’t have a region in the same town or city as all of your customers, and for this reason, AWS also provides edge locations.
Edge locations are much smaller than regions, and generally only have content distribution services, as well as some types of edge computing.
-They are located in many more places than regions
-Edge locations are useful for companies like Netflix, who need to store TV shows and movies as close to their customers as possible; this allows low latency and high speed distribution
Service Resilience
-Globally Resilient = These are services that operate globally with a single database; it’s one product, and its data is replicated across multiple regions inside AWS (IAM & Route 53)
-Region Resilient = These are services which operate in a single region, with one set of data per region. They operate as separate services in each region and generally replicate data to multiple AZs in that region.
-AZ Resilient = These are services that run from a single AZ. If the AZ that the service is provisioned into fails, then the service will fail. (Very prone to failure)
Virtual Private Cloud (VPC) Basics
VPC is the service you will use to create private networks inside AWS. It’s also the service used to connect your AWS private networks to your on-premises networks when creating a hybrid environment, and it’s the service which lets you connect to other cloud platforms when you’re creating a multi-cloud deployment.
- A VPC = A Virtual Network inside AWS
- A VPC is within 1 account & 1 region
- Private and Isolated unless you decide otherwise
- Two types - Default VPC (1 per region) and Custom VPC (many per region - very flexible)
- VPC CIDR = defines the start and end range of IP addresses that the VPC can use (Default VPC can only have 1 CIDR while Custom VPC can have multiple)
The way in which a VPC provides resilience is that it can be subdivided into subnets, which is short for subnetworks. Each subnet inside a VPC is located in one AZ (the Default VPC has one subnet in each AZ)
Default VPC Facts
- One per region - can be removed & recreated
- Default VPC CIDR is always 172.31.0.0/16
- /20 Subnet in each AZ in the region
- Internet Gateway (IGW), Security Group (SG) & NACL
- By default subnets assign public IPv4 addresses
Elastic Compute Cloud (EC2) Basics
EC2 provides access to virtual machines known as instances.
Key Facts & Features
- IAAS - Provides Virtual Machines => Instances
- Private service by default - uses VPC networking
- AZ Resilient - the instance fails if its AZ fails
- Different instance sizes and capabilities
- On-Demand Billing - Per second (depends on the software) = There are a few components to an instance charge: an amount for running the instance (CPU and memory), an amount for the storage that the instance uses, and then extras for any commercial software that the instance is launched with
- Local on-host storage (Instance Store) or Elastic Block Store (EBS)
Instance Lifecycle
An instance can be in one of a few states:
- Running = After it finishes provisioning or if you decide to start it again from “Stopped”
- Stopped = If you shut down the instance
- Terminated = If you delete it (Non-reversible action)
These are important because they influence the charges for the instance.
At a high level, an instance is composed of:
- CPU = Determines how much processing can be achieved.
- Memory = Super fast area to store data that’s currently being worked on by the instance.
- Disk = Where medium-term data is stored (EBS)
- Networking = Is how the instance communicates with other entities in AWS and beyond.
-When an instance is at the “Running” state you’re being charged for all four categories.
-When an instance is at the “Stopped” state you’re only being charged for storage (EBS).
-When an instance is at the “Terminated” state you will not be charged.
Amazon Machine Image (AMI)
An AMI is an image of an EC2 instance.
- They can be used to create an EC2 instance, or can be created from an EC2 instance.
- Contains attached permissions, which control which accounts can and can’t use the AMI.
-Permissions
– Can be set as a public AMI - everyone is allowed to launch.
– The owner of an AMI is implicitly allowed to create EC2 instances from that AMI.
– You can add Explicit permissions, where the owner grants access to that AMI for specific AWS accounts.
-Root Volume
It’s the drive that boots the operating system.
-Block Device Mapping
Links the volumes that the AMI has to how they’re presented to the operating system. So it determines which volume is the boot volume, and which volume is a data volume.
– The O.S expects to receive volumes presented to it, each with a device ID, and the block device mapping links each volume to the device ID that the O.S expects.
Connecting to EC2
EC2 instances can run different operating systems:
- Windows instances use Remote Desktop Protocol (RDP), on port 3389.
You need to provide the private key to retrieve the local administrator password of the instance, and then you connect to that instance using RDP with the local admin user and that password.
- Linux instances use the SSH protocol, on port 22. When connecting to Linux instances you log in or authenticate to that instance using what’s known as an SSH key pair (private and public).
You can only download the private key once, because this is how you will authenticate to the instance.
Simple Storage Service (S3) Basics
-Global Storage Platform - regional based/resilient = Regional because its data is stored in a specific AWS Region at rest and never leaves that region unless you explicitly configure it to. Regionally resilient because the data is replicated across availability zones in that region.
-Public service, unlimited data & multi-user = You can access it as long as you have an internet connection; it runs from the AWS public zone, it’s “unlimited” and it’s designed for multi-user usage of that data.
-…Movies, Audio, Photos, Text, Large Data Sets
-Economical & accessed via UI/CLI/API/HTTP
-Default storage service in AWS
-Objects = Are the data that S3 stores: a picture, an episode of a TV show, or large-scale datasets. (Files)
-Buckets = Are containers for objects.
Object S3
An object in S3 is made up of two main components:
-Key (file name) = foto.jpg = the key identifies the object in a bucket
-Value = Is the data or content of the object (From zero bytes to 5TB)
Objects also have a Version ID, Metadata, Access Control and Subresources.
Buckets S3
Are created in a specific AWS region.
-Your data that’s inside a bucket has a primary home region and it never leaves that region unless you configure it to. (Stable and controlled data sovereignty)
-By creating a bucket in a region you can control what laws and rules apply to that data.
-It’s identified by its name, which needs to be globally unique across all regions.
-Can hold an unlimited number of objects. (Infinitely scalable storage)
As an object storage system, an S3 bucket has no complex structure; it has a flat structure. All objects are stored within the bucket at the root level.
Inside S3 there’s no concept of file type based on the name; they are just objects. Folders in S3 are represented when we have object names like /old/Picture1.jpg. When we create object names like this, S3 presents them in the UI as a folder called “old”. Folders are often referred to as prefixes in S3 because they’re part of the object name.
EXAM POWER UP
-Bucket names are globally unique
- 3-36 characters, all lower case, no underscores
-Start with lowercase letter or a number
-Can’t be IP formatted e.g. 1.1.1.1
-Buckets - 100 soft limit, 100 hard per account = How do you structure a system which has potentially 1000s of users, when you can’t create a bucket per user? Take a single bucket, and divide it up using prefixes.
-Unlimited objects in bucket, 0 bytes to 5TB
-Key = Name, Value = Data
S3 Patterns and Anti-Patterns
-S3 is an object store - not file or block
-You CAN’T MOUNT an S3 bucket (as K:\ or /images)
-Great for large scale data storage, distribution or upload.
-Great for “offload” = if you have a blog with lots of posts and lots of images, audio or movies, instead of storing that data on an expensive compute instance, you can move it to an S3 bucket and configure your blog software to point your users at S3 directly.
-INPUT and/or OUTPUT to MANY AWS products = Most services which consume data and/or output data can have S3 as an option, to take data from or put data to when they’re finished.
Amazon Resource Name (ARN) = Every resource in AWS has a unique identifier.
-ARNs uniquely reference one resource within AWS.
Bucket ARN => arn:aws:s3:::koalacampaign12111999
CloudFormation Basics
CloudFormation is a tool which lets you create, update, and delete infrastructure in AWS in a consistent and repeatable way using templates.
-Rather than creating and updating resources manually, you create a template, and CFN will do the rest on your behalf.
-It allows you to do automated consistent provisioning.
A CloudFormation Template is written either in YAML or JSON.
- Resources = Tells CFN what to create (this is the only mandatory part of the template).
- Description = You would use this to give some details about the template. (Must follow the template format version)
- Template format version = Is the way that AWS allows for extending the standard over time.
- Metadata = It has many functions, but one of the things it does is control how the different things in the CFN template are presented through the console UI, if you’re applying it through the AWS Console. So you can specify groupings, you can control the order, and you can add descriptions and labels. (It’s a way to control how the UI presents the template)
-Parameters = Is where you can add fields which prompt the user for more information. So if you apply the template from the console UI, you will see boxes that you need to type in; you might use this for which size of instance to create, the name of something, or the number of availability zones to use. Parameters can even have settings for which entries are valid, so you can apply criteria for the values that can be entered as parameters, and you can also apply default values.
-Mappings (Optional Section) = key/value pairs which can be used for lookups (allows you to create lookup tables)
- Conditions = These allow decision making in the template. So you can set certain things in a template that will only occur if a condition is met. This is a 2-step process: 1 => create the condition, 2 => the condition is used within resources in the CFN template.
- Outputs = Are a way that, once the template is finished, it can present outputs based on what’s been created, updated, or deleted.
CloudFormation Basics 2
Resources inside a CFN template are called Logical Resources, and they have:
-Type = CFN uses this to know what to create
- Properties = CFN uses to configure the resources
When you give a template to CloudFormation, then it creates a Stack.
- Stack = Contains all of the logical resources that the template tells it to contain. For any logical resources in the stack, CFN makes a corresponding physical resource in your AWS account.
It’s CloudFormation’s job to keep the logical and physical resources in sync.
-When you use a template to create a stack, CloudFormation will scan the template, create a stack with logical resources inside, and then create physical resources which match.
-If you update the template, you can use it to update that same stack (logical resources will change) and CloudFormation will perform the same actions on the physical resources.
-If you delete a stack, its logical resources are deleted, which causes CloudFormation to delete the matching physical resources.
Whenever you upload a template to CFN, what it is actually doing is uploading the template directly to an S3 bucket that it creates automatically.
CloudWatch (CW) Basics
It’s a support service which is used by almost all other AWS services, especially for operational management and monitoring. (Public Service)
-Collects and manages operational data on your behalf. Operational data is any data generated by an environment, either detailing how it performs, how it nominally runs, or any logging data that it generates.
-If you have a public internet connection, and permissions to add data to CloudWatch, it can be used from almost anywhere.
-It gives you a UI, a command line interface, or an API interface to access that data.
CloudWatch Performs three main jobs:
-Metrics = Allows the collection of metrics, monitoring of metrics, and actions based on metrics. Metrics are simply data relating to AWS products, applications, or on-premises systems. (CPU utilization of EC2 instances, disk space use on an on-premises server, or the number of visitors per second to your website)
Some metrics are gathered natively by the product (CPU utilization of EC2 instances, that’s done by default), some types of metric collection need an extra piece of software called CloudWatch Agent. Also monitoring certain things inside products which aren’t exposed to AWS needs the Agent, for example, if you want to monitor which processes are running on an EC2 instance, or the memory utilization of those processes, you’ll need CloudWatch Agent.
-CloudWatch Logs = Allows for the collection, monitoring, and actions based on logging data. Almost anything which is logged can be ingested by CloudWatch Logs, for on-premises infrastructure, custom logs, or anything outside of what’s exposed to AWS natively, you’ll need the CloudWatch Agent.
-CloudWatch Events = This functions as an event hub and provides two powerful features: -If an AWS service does something, maybe an EC2 instance is terminated, started, or stopped, then CloudWatch Events will generate an event which can perform another action. -Generate an event to do something at a certain time of day or day of the week.
CloudWatch Concepts
Namespace = Is a container for monitoring data; it’s a way to separate things into different areas.
Namespaces have a name, which must stay within the rule set for namespace names, but there’s one exception: all AWS data goes into an AWS namespace, which is called AWS/ followed by the service name (AWS/EC2 for all metric data for EC2).
Namespaces contain related metrics.
Metric, Datapoint, Dimensions & Alarms
Metric
Is a collection of related data points in a time-ordered structure. A metric is not for a specific server: CPU utilization is the metric, and that metric might be receiving data from lots of different EC2 instances.
We need a way of identifying which things log data to a specific metric.
Datapoint
Every time any server measures its utilization and sends it into CloudWatch, that goes into the CPU utilization metric, and each one of those measurements is called a Datapoint.
A datapoint consists of two things: -Time stamp = 2022-01-12T08:45:45Z (timezone) when the measurement was conducted. -Value = 98.3, which represents 98.3% CPU utilization
The CPU utilization metric, could contain data for many servers. How do we separate the data for these?
Dimensions
Dimensions separate datapoints for different things or perspectives within the same metric. These are Name value pairs which allow CloudWatch to separate things within a metric.
An example of this is, when sending data points into CloudWatch for CPU utilization of EC2, AWS also sends in the instance ID and instance type, and this allows us to view datapoints for a particular instance.
Alarms
Alarms are created and linked to a specific metric; then, based on how you configure the alarm, it will take an action based on that metric.
States:
-OK = Everything is ok.
-ALARM = Something bad has happened - The metric in some way is not in a good state. Based on that you can define an action.
-INSUFFICIENT_DATA = How alarms start before they’ve amassed enough data to assess whether they should be in an OK or ALARM state.
The Shared Responsibility Model
Is how AWS provides clarity around which areas of systems security are theirs, and which are owned by the customer.
- The model is useful as you learn about AWS and so this lesson provides a brief introduction.
- Keep in mind the infrastructure stack (IaaS, PaaS & SaaS)
High-Availability
Aims to ensure an agreed level of operational performance, usually uptime, for a higher than normal period.
-HA isn’t aiming to stop failure and it doesn’t mean that customers won’t experience outages.
A highly available system is one designed to be online and providing services as often as possible. It’s a system designed so that when it fails, its components can be replaced or fixed as quickly as possible, often using automation to bring systems back into service.
-HA is about maximizing a system’s online time.
-HA is about minimizing any outages.
-You can have two servers online constantly, one active and one standby, in case of a failure; when users migrate from the active server to the standby, they might have to re-login or might have some small disruption.
-System availability is generally expressed with percentage of uptime.
-HA has costs required to implement it. (using spare equipment)
Example = 4x4 in the desert.
Fault-Tolerance
Is the property that enables a system to continue operating properly in the event of the failure of some (one or more faults within) of its components.
It means the system has to continue operating through a failure without impacting customers.
-In case of a failure, you can swap the server with another server, but this would cause a system error, a disruption. However quick the fix, however small that disruption, in certain situations it can be life-threatening. (HA isn’t enough)
-Fault-tolerant systems are designed to work through failure with no disruption. For example, we might have the system’s monitor communicating with two servers at the same time, in an active-active configuration. So this is not just a simple failover configuration: if a server failed, it would drop down to just communicating with the remaining server. (As long as one server remains active, the system is fully functional)
-Harder to design, harder to implement and costs much more
Example = A plane in the air