AWS Fundamentals Flashcards

1
Q

Public vs AWS Public vs Private Services Architecture

A

Public zone - the public internet. Reachable via public endpoints.

AWS public zone - sits between the public internet and the private zone. AWS public services (S3, for example) live here; they are reachable from the internet and from VPCs that have a route to them.

Private zone - VPCs (virtual private clouds), plus any on-prem networks connected to them. Nothing outside can connect to resources in a VPC unless explicitly allowed. For a resource in a VPC (for example an EC2 instance) to reach the public internet, the VPC needs an internet gateway and the instance needs a public IP address. The instance is then wholly or partly projected into the AWS public zone, which in turn talks to the public internet. The same internet gateway also lets the private zone reach AWS public services such as S3.

2
Q

AWS Global Infrastructure

A

AWS has many infrastructure sites. A few services are global (IAM); most are regional (EC2).

Regions - each has a name and a code, e.g. ap-southeast-2 / Asia Pacific (Sydney). Regions are AWS constructs, not continents or countries; each one is a full deployment of AWS infrastructure. Where they exist depends on customer requirements and the size of the customer base. Most AWS services are interacted with in isolation within a region.
Edge locations - smaller than regions. Mostly content delivery network endpoints. Improve latency for users near them.

Availability zones (AZs) - lower-level infrastructure inside a region, with multiple AZs per region. An isolated issue that only impacts one AZ leaves the others available, so distributing components across multiple AZs builds in resilience. AZ names are logical; one AZ can span multiple physical data centers. A VPC can span multiple AZs.

3
Q

Benefits of Regions

A

Geographic separation - isolated fault domains. A disaster in one region has a blast radius limited to that region. Fault tolerance, yay!

Geopolitical separation - different governance and legal regimes; data can be kept inside one region.

Location control - place resources close to users to tune the architecture for performance, and duplicate across regions for redundancy. Duplication! Redundancy! Yay!

4
Q

Resiliency:
Globally
Regionally
Zone

A

Each AWS service has a different level of resilience.

Global - a whole region can fail and the service keeps running. IAM and Route 53 are examples. You cannot pick a region for them; every region would have to fail for a full outage.

Region - the service runs in one region with one set of data per region. Example: RDS databases in Australia and the US replicating data across regions. If Australia fails, the US copy is still available; without replication, the data in the failed region is unavailable.

Availability zone - the service runs in a single AZ and fails if that AZ has an issue (an EC2 instance, for example). Resilience above that level is your job: deploy copies across multiple AZs.

5
Q

VPC

A

Virtual private cloud. Creates a private network inside AWS, in one region, in one account. REGIONALLY RESILIENT (spans all AZs in the region). A VPC is assigned a range of IP addresses (a CIDR block); the default VPC has exactly one.

Used to connect private AWS services to each other and to on-prem networks to build a hybrid environment.

Private and isolated on creation. Cannot talk to other VPCs unless explicitly configured.

ONLY 1 default VPC per region. Many custom VPCs.

6
Q

Custom VPCs basic

A

Can have many per region.
Fully configurable: you configure everything. 100% private by default.
Size, structure, links with other VPCs, and communication with other services are all your choice.
Can have multiple CIDR ranges.

7
Q

Default VPC’s basic

A

Auto-created by AWS. Less flexible. Only one CIDR range for the default VPC. Preconfigured with one subnet in each AZ in the region, splitting the CIDR range between them; services go inside those subnets. One subnet per AZ is what makes the default VPC REGIONALLY RESILIENT.

It can be deleted and recreated. Not normally used for production due to its inflexibility. To get the default VPC back you cannot "create" it like a custom VPC; you use the "create default VPC" action.

Default VPC CIDR: 172.31.0.0/16.

Comes with an internet gateway, a default security group, and a default NACL.

Subnets in the default VPC auto-assign a public IPv4 address, so anything deployed into them is reachable from the public internet as soon as the security group and NACL allow the traffic (the default security group only allows inbound traffic from members of the same group, so nothing is exposed until you add an inbound rule).
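The subnet carving and CIDR planning described on the VPC cards, as an added example that is not part of the original flashcards. It carves a VPC block into one subnet per AZ the way the default VPC does, counts the addresses AWS leaves usable, and checks a proposed VPC range against on-prem ranges before a hybrid link is built. Standard library only; the AZ names and the on-prem ranges are constructed samples, and /20 per subnet is an assumption about the default carving.

```python
"""Added example (not part of the original flashcards): subnet carving and CIDR
overlap checks for the VPC cards. Standard library only; the AZ names and
on-prem ranges are constructed samples and /20 per subnet is an assumption."""
import ipaddress

DEFAULT_VPC_CIDR = "172.31.0.0/16"   # what AWS assigns to the default VPC
AWS_RESERVED_PER_SUBNET = 5          # network, VPC router, DNS, future use, broadcast


def carve_subnets(vpc_cidr, azs, new_prefix=20):
    """One subnet per AZ, in the order given, carved from the VPC block.
    Assumption: /20 per subnet, which is what the default VPC is carved into."""
    subnets = list(ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix))
    if len(azs) > len(subnets):
        raise ValueError(f"{vpc_cidr} only yields {len(subnets)} /{new_prefix} subnets")
    return {az: str(subnet) for az, subnet in zip(azs, subnets)}


def usable_hosts(cidr):
    """Addresses you can actually assign: AWS reserves 5 per subnet."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def overlapping_ranges(vpc_cidr, other_cidrs):
    """Ranges that collide with the proposed VPC block. Overlapping ranges cannot
    be routed over a VPN, Direct Connect or VPC peering, so check before building."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [c for c in other_cidrs if vpc.overlaps(ipaddress.ip_network(c))]


def locate(ip, subnets):
    """Which AZ's subnet holds this address, or None if it is outside the VPC."""
    addr = ipaddress.ip_address(ip)
    for az, cidr in subnets.items():
        if addr in ipaddress.ip_network(cidr):
            return az
    return None


if __name__ == "__main__":
    azs = ["ap-southeast-2a", "ap-southeast-2b", "ap-southeast-2c"]   # constructed
    default_subnets = carve_subnets(DEFAULT_VPC_CIDR, azs)
    for az, cidr in default_subnets.items():
        print(f"{az}: {cidr} ({usable_hosts(cidr)} usable addresses)")
    print("172.31.17.9 lives in", locate("172.31.17.9", default_subnets))
    # Constructed on-prem ranges for a hybrid design: the first one collides.
    print("collisions:", overlapping_ranges("10.0.0.0/16", ["10.0.5.0/24", "192.168.0.0/16"]))
```

The overlap check is the one to run before choosing a custom VPC CIDR: once a VPC is created its primary range cannot be changed, and an overlap with an on-prem or peer range means traffic to that range never leaves the VPC.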

8
Q

EC2 overview

A

Elastic Compute Cloud.
Access to VMs known as instances. If you need to deploy compute (an OS, a database, applications, interfaces, etc.) you use the EC2 service to manage it.

PRIVATE AWS SERVICE - lives in the private zone. Public access must be configured: the VPC the instance runs inside must support connecting the instance to the internet (internet gateway, route, public IP, and a security group rule).

EC2 is AZ resilient: an instance runs in one AZ and fails if that AZ fails.

Features:
Infrastructure as a service (the consumer manages the OS and everything above it).
Instances - VMs with a few states: running, stopped, terminated. Running -> stopped, stopped -> running; TERMINATED means deleted and is not reversible. These states dictate charges. Running: you are charged for everything, CPU, memory, disk and network. Stopped: no instance charge, but the EBS storage is still allocated and billed; the OS image, data, etc. are still there. Terminated: no further instance cost, and the instance cannot be recovered.

Unit of consumption - the instance.
Choice of sizes and capabilities.
On-demand billing per second or per hour, depending on instance type and OS.
Pay only for what you use: instance time, storage, and any commercial software licensing.
Storage is local (instance store) or Elastic Block Store (EBS).

9
Q

Amazon Machine Image

A

Image of an EC2 instance.
Similar to a server image: easy setup and configuration.
Contains the boot volume and can contain other volumes. A block device mapping configures which volumes the image has and how they are presented to the OS (which volume is boot, which are data). The OS expects to see each volume under a device ID; the ID is linked to the block storage.

An AMI carries permissions that control which accounts can launch it:
public - everyone allowed
owner - implicit allow
explicit - specific AWS accounts allowed

10
Q

Connecting to your EC2

A

Instances run different operating systems, Linux or Windows.

Connect to Windows using RDP (Remote Desktop Protocol) on port 3389.

Connect to Linux using SSH on port 22.

Login uses an SSH key pair. AWS creates the public and private key; you must download the private portion and keep it safe (it is offered once, and the file needs restrictive permissions, e.g. chmod 400, before ssh will use it). The public key is placed on the instance, and the private key lets you connect to any instance that holds the public part of the pair. For Windows you use the private key to decrypt the initial administrator password, then log in with that. In both cases the security group must allow inbound 22 or 3389, ideally from your own IP range rather than 0.0.0.0/0.
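A check for the exposure risk mentioned above, as an added example that is not part of the original flashcards: it walks security groups in the shape returned by `aws ec2 describe-security-groups` and flags any rule that opens SSH (22) or RDP (3389) to the whole internet. The group IDs, CIDRs and rules below are constructed samples, not data from a real account.

```python
"""Added example (not from the original flashcards): find security-group rules
that expose SSH (22) or RDP (3389) to the whole internet. The dictionaries mirror
the shape of `aws ec2 describe-security-groups` output; the group IDs, CIDRs and
rules are constructed samples."""

MGMT_PORTS = {22: "SSH", 3389: "RDP"}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample groups.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0aaa",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,            # SSH from one office range: fine
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,        # RDP from anywhere: bad
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0bbb",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [],                             # all traffic from any IPv6: bad
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]


def rule_covers_port(rule, port):
    """True if this ingress rule admits TCP traffic to `port`.
    IpProtocol -1 means every protocol and port; such rules carry no port range."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def world_sources(rule):
    """CIDR sources in the rule that mean 'anyone on the internet'."""
    sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [s for s in sources if s in WORLD]


def exposed_mgmt_ports(groups):
    """(GroupId, service, port, source) for every world-open management port."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            for port, service in MGMT_PORTS.items():
                if not rule_covers_port(rule, port):
                    continue
                for src in world_sources(rule):
                    findings.append((sg["GroupId"], service, port, src))
    return findings


if __name__ == "__main__":
    for group_id, service, port, src in exposed_mgmt_ports(SAMPLE_GROUPS):
        print(f"{group_id}: {service} ({port}/tcp) open to {src}")
```

Note that an IpProtocol of -1 has no FromPort/ToPort at all, so a checker that only looks at rules with an explicit port range misses the worst case. The usual fix is to replace the world CIDR with the admin range, or to drop the inbound rule entirely and reach instances through Systems Manager Session Manager.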

11
Q

S3 Basics

A

Object storage! A global service with a global namespace, run from the AWS PUBLIC zone in every region. Buckets, however, are regional: data never leaves the region it was created in unless you configure it to (replication).
Within the region, S3 stores data redundantly across multiple AZs.

Unlimited data, multiple users of that data.

Large data: photo storage (stock images), for example.

Scales from nothing to near unlimited.

Accessible via the console (GUI), CLI, API, and plain HTTP.

Objects & buckets.
Objects are images, movies, data.
Buckets hold multiple objects.

12
Q

Objects in S3

A

2 main components, the key and the value, plus metadata.
Bucket name + object key = the address used to access the value (the data, e.g. an image).

Size can range from 0 bytes to 5 TB.

Objects also have a version ID, metadata, access control, and sub-resources.

13
Q

Buckets

A

Created in a specific region. Options and configuration happen at this level!
Data inside a bucket has a primary home region and won't leave it unless you configure otherwise: data sovereignty. The contained blast radius is the region.

Buckets are identified by name. Names must be globally unique, across all accounts and all regions, always. 3-63 characters; lowercase letters, digits, dots and hyphens only; no underscores. Must start with a lowercase letter or digit. CANNOT be IP formatted. Historically 100 buckets per account as a soft limit and 1000 as the hard limit (AWS has since raised these quotas; check Service Quotas for the current values).

Divide up a single bucket via key prefixes.

Can hold an unlimited number of objects, 0 to unlimited bytes of data in total.

A bucket has no complex structure: all objects are stored at the same level. NOT A FILE SYSTEM. If you list a bucket you will see things you THINK are folders, but that is not how it works. The key (name) of an object has no bearing on the value (content) contained in the object.

Folders are represented by prefixes in the object key: Koala.jpg vs old/Koala.jpg.

14
Q

TEST POWER UP

A

Bucket names are globally unique
3-63 characters, lowercase, no underscores
Start with a lowercase letter or number
Cannot be IP formatted, e.g. 1.1.1.1
Buckets have a 100 soft limit and 1000 hard limit per account (historical values; the quotas have since been raised)
Unlimited objects in a bucket
Objects can be 0 bytes to 5 TB
Object key is the name and the value is the data contained in the object
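The bucket naming rules from the Buckets card and this one, plus the "folders are just prefixes" point, as an added example that is not part of the original flashcards. The validator covers the rules the cards list plus the allowed character set (AWS's full rule list is longer); the listing function emulates how a Prefix and Delimiter turn flat keys into apparent folders. Standard library only; the bucket names and object keys are constructed.

```python
"""Added example (not from the original flashcards): bucket-name checks for the
rules on the cards, and an emulation of delimiter listing over a flat key space.
Standard library only; bucket names and keys are constructed samples. The checks
cover the rules listed on the cards plus the allowed character set, not AWS's
complete rule list."""
import ipaddress
import re


def bucket_name_problems(name):
    """Return a list of rule violations; an empty list means the name is acceptable."""
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("length must be 3-63 characters")
    if any(c.isupper() for c in name):
        problems.append("uppercase letters not allowed")
    if "_" in name:
        problems.append("underscores not allowed")
    if not name or not (name[0].islower() or name[0].isdigit()):
        problems.append("must start with a lowercase letter or digit")
    if not re.fullmatch(r"[a-z0-9.-]*", name):
        problems.append("only lowercase letters, digits, dots and hyphens allowed")
    if name and not (name[-1].islower() or name[-1].isdigit()):
        problems.append("must end with a lowercase letter or digit")
    try:
        ipaddress.IPv4Address(name)   # parses only dotted-quad addresses
        problems.append("must not be formatted as an IP address")
    except ValueError:
        pass
    return problems


# Constructed object keys: a flat namespace that looks like folders when listed.
SAMPLE_KEYS = ["Koala.jpg", "old/Koala.jpg", "old/2019/Koala.jpg", "new/Kangaroo.jpg"]


def list_with_delimiter(keys, prefix="", delimiter="/"):
    """Emulate an S3 list with Prefix and Delimiter: keys directly under the prefix
    come back as objects, deeper keys collapse into CommonPrefixes (the "folders")."""
    objects, common_prefixes = [], set()
    for key in sorted(keys):
        if not key.startswith(prefix):
            continue
        rest = key[len(prefix):]
        if delimiter in rest:
            common_prefixes.add(prefix + rest.split(delimiter, 1)[0] + delimiter)
        else:
            objects.append(key)
    return objects, sorted(common_prefixes)


if __name__ == "__main__":
    for candidate in ["my-photos-2024", "My_Bucket", "192.168.5.4", "ab"]:
        print(candidate, "->", bucket_name_problems(candidate) or "ok")
    print(list_with_delimiter(SAMPLE_KEYS))          # top level
    print(list_with_delimiter(SAMPLE_KEYS, "old/"))  # "inside" the old/ folder
```

The listing function is the reason "folders" exist only in the listing: without a delimiter every key comes back in one flat list, and a key such as old/Koala.jpg is just a name with a slash in it.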

15
Q

S3 patterns and Anti patterns

A

Object store - NOT file or block storage.
Cannot be mounted as a drive.
Great for large-scale data storage or distribution.
Great for offloading blog posts, audio, movies.
Can shrink EC2 instances by offloading static content to S3.
Input to or output from other AWS services: where to store the data? S3!

16
Q

CloudFormation (CFN)

A

Used to automate CRUD operations on infrastructure via templates.

Templates create AWS infrastructure.
Updates to a template cause updates to the infrastructure.
Written in YAML or JSON.

Every template has a list of resources. It tells CFN what to create and is the only mandatory part of the template.
Description - details about the template: what it changes, what it costs, etc. If AWSTemplateFormatVersion is present, Description must come directly after it!!!

Metadata - controls the console UI: groupings, order, descriptions, labels, etc.
Parameters - fields that ask the user for input: instance size, name, number of AZs, etc.
Mappings - lookup tables (for example an AMI ID per region).
Conditions - decision making inside the template: define a condition, then reference it on resources or properties.
Outputs - return information to the user, e.g. the admin address of a website.

Hand the template to CloudFormation and it creates a stack. Each logical resource in the template becomes a physical resource in the AWS account; deleting the stack deletes them.

Very powerful, don't mess it up. O.O
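A small offline linter for the template sections described above, as an added example that is not part of the original flashcards or of CloudFormation itself. It checks the two rules the card states (Resources is mandatory; Description must directly follow AWSTemplateFormatVersion) and that every Ref, Fn::GetAtt, Fn::Sub variable and resource Condition points at something the template defines, which is the class of mistake that otherwise only surfaces when the stack fails to create. The template is a constructed sample; the linter covers only these checks, not everything cfn-lint or the service validates.

```python
"""Added example (not part of the original flashcards): an offline linter for
the template sections on the card. Checks Resources presence, Description
ordering, and dangling Ref / Fn::GetAtt / Fn::Sub / Condition references.
The template is a constructed sample; the checks are deliberately limited."""
import copy
import re

PSEUDO_PARAMETERS = {
    "AWS::AccountId", "AWS::Region", "AWS::StackName", "AWS::StackId",
    "AWS::Partition", "AWS::URLSuffix", "AWS::NoValue", "AWS::NotificationARNs",
}
SUB_VAR = re.compile(r"\$\{([^}!]+)\}")   # ${Name} or ${Name.Attr}; ${!Literal} is escaped

# Constructed sample template (JSON form; YAML maps to the same structure).
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Sample: a data bucket, plus a log bucket only in prod",
    "Parameters": {
        "Env": {"Type": "String", "AllowedValues": ["dev", "prod"], "Default": "dev"},
    },
    "Conditions": {"IsProd": {"Fn::Equals": [{"Ref": "Env"}, "prod"]}},
    "Resources": {
        "DataBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketName": {"Fn::Sub": "data-${Env}-${AWS::AccountId}"}},
        },
        "LogBucket": {"Type": "AWS::S3::Bucket", "Condition": "IsProd"},
    },
    "Outputs": {"DataBucketArn": {"Value": {"Fn::GetAtt": ["DataBucket", "Arn"]}}},
}

# The same template with two mistakes, for the demonstration below.
BROKEN_TEMPLATE = copy.deepcopy(SAMPLE_TEMPLATE)
BROKEN_TEMPLATE["Resources"]["LogBucket"]["Condition"] = "IsStaging"     # undefined condition
BROKEN_TEMPLATE["Outputs"]["Url"] = {"Value": {"Ref": "WebEndpoint"}}   # undefined logical ID


def _nodes(node):
    """Yield every dict nested anywhere in the template, depth first."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _nodes(value)
    elif isinstance(node, list):
        for item in node:
            yield from _nodes(item)


def lint_template(template):
    """Return a list of findings; an empty list means the checks all passed."""
    findings = []
    resources = template.get("Resources") or {}
    if not resources:
        findings.append("Resources section is mandatory and must not be empty")
    keys = list(template)
    if ("AWSTemplateFormatVersion" in keys and "Description" in keys
            and keys.index("Description") != keys.index("AWSTemplateFormatVersion") + 1):
        findings.append("Description must directly follow AWSTemplateFormatVersion")
    conditions = set(template.get("Conditions") or {})
    known = set(template.get("Parameters") or {}) | set(resources) | PSEUDO_PARAMETERS
    for logical_id, resource in resources.items():
        if "Type" not in resource:
            findings.append(f"{logical_id}: missing Type")
        cond = resource.get("Condition")
        if cond is not None and cond not in conditions:
            findings.append(f"{logical_id}: Condition '{cond}' is not defined")
    for node in _nodes(template):
        if "Ref" in node and isinstance(node["Ref"], str) and node["Ref"] not in known:
            findings.append(f"Ref to undefined logical ID '{node['Ref']}'")
        if "Fn::GetAtt" in node:
            target = node["Fn::GetAtt"]
            target = target[0] if isinstance(target, list) else target.split(".", 1)[0]
            if target not in resources:
                findings.append(f"Fn::GetAtt on undefined resource '{target}'")
        if "Fn::Sub" in node:
            sub = node["Fn::Sub"]
            text, local_vars = (sub[0], set(sub[1])) if isinstance(sub, list) else (sub, set())
            for var in SUB_VAR.findall(text):
                if var.split(".", 1)[0] not in known | local_vars:
                    findings.append(f"Fn::Sub variable '${{{var}}}' is not defined")
    return findings


if __name__ == "__main__":
    print("sample :", lint_template(SAMPLE_TEMPLATE) or "no findings")
    print("broken :", lint_template(BROKEN_TEMPLATE))
```

Running checks like these before a stack update matters more than before a create: a failed update rolls back, and a rollback that itself fails leaves the stack in UPDATE_ROLLBACK_FAILED and the resources half-changed.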

17
Q

CloudWatch

A

Used by all other AWS services.
Collects and manages operational data: any data about an environment.

3 main jobs:
METRICS - from AWS, apps, and on-prem: CPU utilization of an EC2 instance, disk use on an on-prem server, visitors per second on a site. Works with servers in other cloud platforms too. Some metrics are gathered natively by CloudWatch; for anything not native (memory, disk, application metrics) you need the CloudWatch agent.

LOGS - from AWS products, apps, and on-prem. Ingests logs. Anything outside the native integrations needs the CloudWatch agent.

EVENTS - an event hub. When an AWS service does something it generates an event that can trigger further actions. Events can also be generated on a schedule.

Feeds billing alarms, auto scaling, and notifications.

Namespace - a container for monitoring data: separate areas for separate things, with naming conventions. All AWS data goes into reserved AWS/* namespaces (AWS/EC2, for example); each contains related metrics.

Datapoint - an individual point of data on the timeline of a metric: a timestamp and a value. Datapoints are separated by dimensions.

Dimensions are name/value pairs that separate datapoints and add perspectives, e.g. InstanceId and InstanceType to differentiate instances.

ALARMS watch a metric. OK means all good; ALARM means the threshold has been crossed for the configured number of periods; INSUFFICIENT_DATA means there are not enough datapoints to decide. An SNS topic notification or other actions can follow.
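The alarm evaluation described above, worked through offline as an added example that is not part of the original flashcards or of CloudWatch itself. It selects datapoints by dimension, aggregates them into periods, and then applies EvaluationPeriods and DatapointsToAlarm to decide OK, ALARM or INSUFFICIENT_DATA. The datapoints and instance IDs are constructed; the evaluation follows the documented meaning of those settings, but the code is an illustration.

```python
"""Added example (not part of the original flashcards): evaluate a
CloudWatch-style alarm over constructed datapoints using the concepts on the
card (namespace, datapoints, dimensions, periods, thresholds)."""
from collections import defaultdict
import operator

# Constructed datapoints for AWS/EC2 CPUUtilization: (unix_seconds, dimensions, value)
DATAPOINTS = [
    (0,   {"InstanceId": "i-0aaa"}, 95.0),
    (60,  {"InstanceId": "i-0aaa"}, 97.0),
    (120, {"InstanceId": "i-0aaa"}, 96.0),
    (180, {"InstanceId": "i-0aaa"}, 30.0),   # two samples in one period ...
    (200, {"InstanceId": "i-0aaa"}, 50.0),   # ... average to 40, below threshold
    (240, {"InstanceId": "i-0aaa"}, 98.0),
    (0,   {"InstanceId": "i-0bbb"}, 10.0),
    (60,  {"InstanceId": "i-0bbb"}, 12.0),
    (120, {"InstanceId": "i-0bbb"}, 11.0),
    (180, {"InstanceId": "i-0bbb"}, 13.0),
    (240, {"InstanceId": "i-0bbb"}, 14.0),
    (0,   {"InstanceId": "i-0ccc"}, 99.0),   # just launched: not enough periods yet
    (60,  {"InstanceId": "i-0ccc"}, 99.0),
]

COMPARISONS = {
    "GreaterThanThreshold": operator.gt, "GreaterThanOrEqualToThreshold": operator.ge,
    "LessThanThreshold": operator.lt, "LessThanOrEqualToThreshold": operator.le,
}
STATISTICS = {"Average": lambda v: sum(v) / len(v), "Maximum": max, "Minimum": min, "Sum": sum}


def aggregate(points, dimensions, period, statistic="Average"):
    """Select datapoints whose dimensions match, bucket them into `period`-second
    windows, and reduce each window with the statistic. Returns [(window_start, value)]."""
    windows = defaultdict(list)
    for ts, dims, value in points:
        if dims == dimensions:
            windows[ts - ts % period].append(value)
    return [(start, STATISTICS[statistic](vals)) for start, vals in sorted(windows.items())]


def evaluate_alarm(points, dimensions, period, evaluation_periods, datapoints_to_alarm,
                   threshold, comparison="GreaterThanThreshold", statistic="Average"):
    """Return OK, ALARM or INSUFFICIENT_DATA: ALARM when at least `datapoints_to_alarm`
    of the last `evaluation_periods` periods breach the threshold."""
    series = aggregate(points, dimensions, period, statistic)
    recent = series[-evaluation_periods:]
    if len(recent) < evaluation_periods:
        return "INSUFFICIENT_DATA"
    breaches = sum(1 for _, value in recent if COMPARISONS[comparison](value, threshold))
    return "ALARM" if breaches >= datapoints_to_alarm else "OK"


if __name__ == "__main__":
    for instance in ("i-0aaa", "i-0bbb", "i-0ccc"):
        state = evaluate_alarm(DATAPOINTS, {"InstanceId": instance}, period=60,
                               evaluation_periods=3, datapoints_to_alarm=2, threshold=90.0)
        print(f"AWS/EC2 CPUUtilization InstanceId={instance}: {state}")
```

The i-0aaa series is the case worth understanding: one quiet period between two hot ones does not clear the alarm when DatapointsToAlarm is 2 of 3, but it would with 3 of 3. That "M out of N" setting is how you trade flapping against detection delay.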

18
Q

Shared Responsibility Model

A

Responsibility is shared across the infrastructure stack.

Part lies with AWS and part with the consumer (me).

AWS is responsible for the security OF the cloud:
hardware, regions, AZs, edge locations, networking, and the managed compute, storage and database services.

I am responsible for security IN the cloud:
the guest OS and its patching, data encryption (at rest and in transit), integrity, authentication, network traffic and firewall rules, applications, identity and access management, customer data.

19
Q

High availablity, Fault Tolerance, Disaster recovery

A

High availability - ensuring an agreed level of operational performance (uptime) for a higher than normal period.
NOT about the user's experience: it is about maximum online time. Quick recovery, duplication and redundancy. There might be some small disruption, and that is OK; the goal is minimizing the time out of operation, not preventing every disruption.
Costs money. Design decisions. Automation.

Fault tolerance - the system continues to operate PROPERLY even when some components or services fail. For when high availability is not enough. Double redundancy. More expensive. $$$$$

Disaster recovery - the tools, processes and procedures that enable recovery or continuation of vital technology infrastructure and systems after a disaster. Practiced practice, planned plans. Standby premises. Regular backups, stored separately from the primary site. All staff should know how to access these backups. Duplicates of processes etc. at the standby premises. Keeps crucial and irreplaceable things safe. How best to recover will be on the test!

20
Q

Route53

A

Two main services.
REGISTER DOMAINS
Talks to the TLD registries.
Checks whether the domain is available.
Creates a zone file (a database of information for the domain).
Allocates name servers for the zone: 4 per zone.
This is the hosted zone.
Registers with the TLD registry by adding the name server records into the TLD zone file.

HOST ZONES
DNS as a service: zone files hosted in AWS.
A zone can be public, living in the AWS public zone.
A zone can be private, living inside VPCs.
A hosted zone holds records (record sets).

Single global service - GLOBALLY RESILIENT. Replicated across regions.

21
Q

Types of DNS records

A

Name server (NS) - allows delegation in DNS. The root zone delegates each TLD to that TLD's name servers; the TLD zone holds NS records for each domain's name servers.

A and AAAA records - map domain names to IPv4 (A) and IPv6 (AAAA) addresses.

Normally you create two records with the same name, one A and one AAAA, so clients can pick IPv4 or IPv6.

CNAME - canonical name. The equivalent of a nickname: an alias or pointer that reduces admin overhead. CNAMEs cannot point to an IP address, ONLY to other domain names.

MX records - used to route email. Example: the google.com zone has an A record named mail pointing to an IP address, and an MX record pointing to mail.google.com. (a trailing dot on the right means a fully qualified domain name; without it the name is relative to the zone). A sending mail server looks at the domain in the To address (google.com), does an MX query, uses the priority value (lower is higher priority) to choose which MX record to use, resolves that host, connects to it via SMTP, and delivers the mail over that connection.

TXT record - adds arbitrary text to a domain. Used to prove domain ownership: an outside service asks you to publish a value, then queries the TXT record to verify it. Also carries mail policy records such as SPF.

22
Q

DNS TTL

A

Time to live, in seconds.

A query goes through a resolver. The resolver talks to the root, then to the TLD, then to the domain's name servers, and uses the result to connect to the domain. The answer from the domain's own name servers is authoritative.

TTL determines how long the result may be cached in a resolver (likely at an ISP), BUT cached results are non-authoritative. A stale cache means clients keep connecting to the old address after a record change; caching does make lookups faster. A resolver SHOULD respect the TTL but doesn't always. Lower the TTL days or weeks in advance of a record change so the old value ages out quickly once you switch.
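The MX priority rule from the record-types card and the TTL caching behaviour from this one, as an added example that is not part of the original flashcards. The first function orders MX hosts the way a sending server tries them; the second part models a resolver cache and shows why lowering the TTL before a change matters: a client behind a resolver that cached the old answer keeps getting it until the TTL runs out. Names, addresses and times are constructed; nothing is looked up on the network.

```python
"""Added example (not part of the original flashcards): MX preference ordering
and a TTL-honouring resolver cache. Records, addresses and times are constructed;
no network lookups are made."""
import random

# Constructed MX records: (preference, exchange). Lower preference is tried first.
MX_RECORDS = [(10, "mail1.example.com."), (20, "mail2.example.com."), (10, "mail3.example.com.")]


def mx_delivery_order(records, seed=0):
    """Hosts in the order a sending server tries them: by preference, with equal
    preferences shuffled so load spreads (the RFC 5321 rule). Seeded for repeatability."""
    rng = random.Random(seed)
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        order.extend(hosts)
    return order


class ResolverCache:
    """A recursive resolver's cache: an answer is reused until `now` reaches its expiry."""

    def __init__(self):
        self.entries = {}

    def lookup(self, name, now, authoritative):
        """Return (value, from_authority). `authoritative(name)` plays the zone's
        name servers and returns (value, ttl); a cached answer is non-authoritative."""
        hit = self.entries.get(name)
        if hit is not None and now < hit["expires"]:
            return hit["value"], False
        value, ttl = authoritative(name)
        self.entries[name] = {"value": value, "expires": now + ttl}
        return value, True


def observed_after_change(ttl, observe_at=3700):
    """Prime a resolver at t=0 with the old A record, change the record, and report
    which address a client behind that resolver sees at `observe_at` seconds."""
    zone = {"www.example.com.": ("192.0.2.10", ttl)}      # constructed zone
    cache = ResolverCache()
    lookup_zone = lambda name: zone[name]
    cache.lookup("www.example.com.", now=0, authoritative=lookup_zone)
    zone["www.example.com."] = ("192.0.2.20", ttl)         # the record change
    value, _ = cache.lookup("www.example.com.", now=observe_at, authoritative=lookup_zone)
    return value


if __name__ == "__main__":
    print("MX try order:", mx_delivery_order(MX_RECORDS))
    print("TTL 86400, seen 3700 s after priming:", observed_after_change(86400))
    print("TTL 60 (lowered in advance), seen 3700 s after priming:", observed_after_change(60))
```

The second run is the whole point of lowering the TTL ahead of a migration: with a day-long TTL the resolver keeps serving 192.0.2.10 for up to 86400 seconds after the change, while a 60-second TTL means the old answer is gone within a minute. Lower it before the change, not at the same time, because the old TTL governs how long resolvers keep the record that carried the old TTL.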