AWS Solutions Architect Flashcards
EC2 Sizing & Configurations
- Oerating System (OS): Linux, Windows or Mac OS
- How much compute power & cores (CPU) d
- How much random-access memory (RAM)
- How much storage space, Network-attached (EBS & EFS), hardware (EC2 Instance Store)
- Network card: speed of the card, Public IP address
- Firewall rules: security group
- Bootstrap script (configure at first launch): EC2 User Data
EC2 User Data
- Bootstraping with bashcript
- Automate boot tasks (updates, installing, etc)
- Root User
- Only run once at the instance first start
EC2 Instance Type - Naming Convention
- m5.2xlarge
- m = instance class
- 5 = generation (aws improves over time)
- 2xlarge = size within the instance class
EC2 Instance Types – General Purpose
- Balance between Compute, Memory, Networking
EC2 Instance Types – Compute Optimized
Great for compute-intensive tasks that require high performance
processors:
- Batch processing workloads
- Media transcoding
- High performance web servers
- High performance computing (HPC)
- Scientific modeling & machine learning
- Dedicated gaming servers
EC2 Instance Types – Memory Optimized
Fast performance for workloads that process large data sets in memory
Use cases:
- High performance, relational/non-relational databases
- Distributed web scale cache stores
- In-memory databases optimized for BI (business intelligence)
- Applications performing real-time processing of big unstructured data
EC2 Instance Types – Storage Optimized
Great for storage-intensive tasks that require high, sequential read and write
access to large data sets on local storage
Use cases:
- High frequency online transaction processing (OLTP) systems
- Relational & NoSQL databases
- Cache for in-memory databases (for example, Redis)
- Data warehousing applications
- Distributed file systems
Security Groups
Security Groups are the fundamental of network security in AWS
- Inbound and Outbound Traffic
- Security groups only contain rules
- Security groups rules can reference by IP or by security group
Act as a “firewall” on EC2 instances. They regulate:
- Access to Ports
- Authorised IP ranges – IPv4 and IPv6
- Control of inbound network (from other to the instance)
- Control of outbound network (from the instance to other)
Good to know
- Can be attached to multiple instances
- Locked down to a region / VPC combination
- Does live “outside” the EC2 – if traffic is blocked the EC2 instance won’t see it
- It’s good to maintain one separate security group for SSH access
- If your application is not accessible (time out), then it’s a security group issue
- If your application gives a “connection refused“ error, then it’s an application
error or it’s not launched
- All inbound traffic is blocked by default
- All outbound traffic is authorised by default
- Can reference other security groups
Classic Ports to Know
- 22 = SSH (Secure Shell) - log into a Linux instance
- 21 = FTP (File Transfer Protocol) – upload files into a file share
- 22 = SFTP (Secure File Transfer Protocol) – upload files using SSH
- 80 = HTTP – access unsecured websites
- 443 = HTTPS – access secured websites
- 3389 = RDP (Remote Desktop Protocol) – log into a Windows instance
EC2 Instances Purchasing Options
- On-Demand Instances – short workload, predictable pricing, pay by second
- Reserved (1 & 3 years)
- Reserved Instances – long workloads
- Convertible Reserved Instances – long workloads with flexible instances
- Savings Plans (1 & 3 years) –commitment to an amount of usage, long workload
- Spot Instances – short workloads, cheap, can lose instances (less reliable)
- Dedicated Hosts – book an entire physical server, control instance placement
- Dedicated Instances – no other customers will share your hardware
- Capacity Reservations – reserve capacity in a specific AZ for any duration
EC2 On Demand
-Pay for what you use:
* Linux or Windows - billing per second, after the first minute
* All other operating systems - billing per hour
- Has the highest cost but no upfront payment
- No long-term commitment
- Recommended for short-term and un-interrupted workloads, where
you can’t predict how the application will behave
EC2 Reserved Instances
- Up to 72% discount compared to On-demand
- You reserve a specific instance attributes (Instance Type, Region, Tenancy, OS)
- Reservation Period – 1 year (+discount) or 3 years (+++discount)
- Payment Options – No Upfront (+), Partial Upfront (++), All Upfront (+++)
- Reserved Instance’s Scope – Regional or Zonal (reserve capacity in an AZ)
- Recommended for steady-state usage applications (think database)
- You can buy and sell in the Reserved Instance Marketplace
- Convertible Reserved Instance
- Can change the EC2 instance type, instance family, OS, scope and tenancy
- Up to 66% discount
EC2 Savings Plans
- Get a discount based on long-term usage (up to 72% - same as RIs)
- Commit to a certain type of usage ($10/hour for 1 or 3 years)
- Usage beyond EC2 Savings Plans is billed at the On-Demand price
- Locked to a specific instance family & AWS region (e.g., M5 in us-east-1)
- Flexible across:
- Instance Size (e.g., m5.xlarge, m5.2xlarge)
- OS (e.g., Linux, Windows)
- Tenancy (Host, Dedicated, Default)
EC2 Spot Instances
- Can get a discount of up to 90% compared to On-demand
- Instances that you can “lose” at any point of time if your max price is less than the
current spot price - The MOST cost-efficient instances in AWS
- Useful for workloads that are resilient to failure
- Batch jobs
- Data analysis
- Image processing
- Any distributed workloads
- Workloads with a flexible start and end time
- Not suitable for critical jobs or databases
EC2 Dedicated Hosts
- A physical server with EC2 instance capacity fully dedicated to your use
- Allows you address compliance requirements and use your existing server- bound software licenses (per-socket, per-core, pe—VM software licenses)
- Purchasing Options:
- On-demand – pay per second for active Dedicated Host
- Reserved - 1 or 3 years (No Upfront, Partial Upfront, All Upfront)
- The most expensive option
- Useful for software that have complicated licensing model (BYOL – Bring Your Own License)
- Or for companies that have strong regulatory or compliance needs
EC2 Dedicated Instances
- Instances run on hardware that’s
dedicated to you - May share hardware with other
instances in same account - No control over instance placement
(can move hardware after Stop / Start)
EC2 Capacity Reservations
- Reserve On-Demand instances capacity in a specific AZ for any duration
- You always have access to EC2 capacity when you need it
No time commitment (create/cancel anytime), no billing discounts - Combine with Regional Reserved Instances and Savings Plans to benefit
from billing discounts - You’re charged at On-Demand rate whether you run instances or not
- Suitable for short-term, uninterrupted workloads that needs to be in a
specific AZ
Which purchasing option is right for me?
- On demand: coming and staying in resort whenever we like, we pay the full price
- Reserved: like planning ahead and if we plan to stay for a long time, we may get a good discount.
- Savings Plans: pay a certain amount per hour for certain period and stay in any room type (e.g., King, Suite, Sea View, …)
- Spot instances: the hotel allows people to bid for the empty rooms and the highest bidder keeps the rooms. You can get kicked out at any time
- Dedicated Hosts: We book an entire building of the resort
- Capacity Reservations: you book a room for a period with full price even you don’t stay in it.
EC2 Spot Instance Requests
- Can get a discount of up to 90% compared to On-demand
- Define max spot price and get the instance while current spot price < max
- The hourly spot price varies based on offer and capacity
- If the current spot price > your max price you can choose to stop or terminate your instance with a 2 minutes grace period.
- Other strategy: Spot Block
- “block” spot instance during a specified time frame (1 to 6 hours) without interruptions
- In rare situations, the instance may be reclaimed
- Used for batch jobs, data analysis, or workloads that are resilient to failures.
- Not great for critical jobs or databases
How to terminate Spot Instances?
- You can only cancel Spot Instance requests that are open, active, or disabled.
- Cancelling a Spot Request does not terminate instances
- You must first cancel a Spot Request, and then terminate the associated Spot Instances
Spot Fleets
- Spot Fleets = set of Spot Instances + (optional) On-Demand Instances
- The Spot Fleet will try to meet the target capacity with price constraints
- Define possible launch pools: instance type (m5.large), OS, Availability Zone
- Can have multiple launch pools, so that the fleet can choose
- Spot Fleet stops launching instances when reaching capacity or max cost
- Strategies to allocate Spot Instances:
- lowestPrice: from the pool with the lowest price (cost optimization, short workload)
- diversified: distributed across all pools (great for availability, long workloads)
- capacityOptimized: pool with the optimal capacity for the number of instances
- priceCapacityOptimized (recommended): pools with highest capacity available, then select
the pool with the lowest price (best choice for most workloads) - Spot Fleets allow us to automatically request Spot Instances with the lowest price
Private vs Public IP (IPv4)
Fundamental Differences
- Public IP:
- Public IP means the machine can be identified on the internet (WWW)
- Must be unique across the whole web (not two machines can have the same public IP).
- Can be geo-located easily
- Private IP:
- Private IP means the machine can only be identified on a private network only
- The IP must be unique across the private network
- BUT two different private networks (two companies) can have the same IPs.
- Machines connect to WWW using a NAT + internet gateway (a proxy)
- Only a specified range of IPs can be used as private IP
Elastic IPs
- When you stop and then start an EC2 instance, it can change its public
IP. - If you need to have a fixed public IP for your instance, you need an
Elastic IP - An Elastic IP is a public IPv4 IP you own as long as you don’t delete it
- You can attach it to one instance at a time
- With an Elastic IP address, you can mask the failure of an instance or software
by rapidly remapping the address to another instance in your account. - You can only have 5 Elastic IP in your account (you can ask AWS to increase
that). - Overall, try to avoid using Elastic IP:
- They often reflect poor architectural decisions
- Instead, use a random public IP and register a DNS name to it
- Or, as we’ll see later, use a Load Balancer and don’t use a public IP
Placement Groups
- Sometimes you want control over the EC2 Instance placement strategy
- That strategy can be defined using placement groups
- When you create a placement group, you specify one of the following
strategies for the group: - Cluster—clusters instances into a low-latency group in a single Availability Zone
- Spread—spreads instances across underlying hardware (max 7 instances per
group per AZ) - Partition—spreads instances across many different partitions (which rely on
different sets of racks) within an AZ. Scales to 100s of EC2 instances per group
(Hadoop, Cassandra, Kafka)
Placement Groups
Cluster
-Pros: Great network (10 Gbps bandwidth between instances with Enhanced
Networking enabled - recommended)
- Cons: If the rack fails, all instances fails at the same time
- Use case:
* Big Data job that needs to complete fast
* Application that needs extremely low latency and high network throughput
Placement Groups
Spread
- Pros:
- Can span across Availability
Zones (AZ) - Reduced risk is simultaneous
failure - EC2 Instances are on different
physical hardware - Cons:
- Limited to 7 instances per AZ
per placement group - Use case:
- Application that needs to
maximize high availability - Critical Applications where
each instance must be isolated
from failure from each other
Placements Groups
Partition
- Up to 7 partitions per AZ
- Can span across multiple AZs in the
same region - Up to 100s of EC2 instances
- The instances in a partition do not
share racks with the instances in the
other partitions - A partition failure can affect many
EC2 but won’t affect other partitions - EC2 instances get access to the
partition information as metadata - Use cases: HDFS, HBase, Cassandra,
Kafka
Elastic Network Interfaces (ENI)
- Logical component in a VPC that represents a
virtual network card - The ENI can have the following attributes:
- Primary private IPv4, one or more secondary IPv4
- One Elastic IP (IPv4) per private IPv4
- One Public IPv4
- One or more security groups
- A MAC address
- You can create ENI independently and attach
them on the fly (move them) on EC2 instances
for failover - Bound to a specific availability zone (AZ)
EC2 Hibernate
- Stop – the data on disk (EBS) is kept intact in the next start
- Terminate – any EBS volumes (root) also set-up to be destroyed is lost
- First start: the OS boots & the EC2 User Data script is run
- The in-memory (RAM) state is preserved
- The instance boot is much faster!
(the OS is not stopped / restarted) - Under the hood: the RAM state is written
to a file in the root EBS volume - The root EBS volume must be encrypted
- Use cases:
- Long-running processing
- Saving the RAM state
- Services that take time to initialize
EC2 Hibernate – Good to know
- Supported Instance Families – C3, C4, C5, I3, M3, M4, R3, R4, T2, T3, …
- Instance RAM Size – must be less than 150 GB.
- Instance Size – not supported for bare metal instances.
- AMI – Amazon Linux 2, Linux AMI, Ubuntu, RHEL, CentOS & Windows…
- Root Volume – must be EBS, encrypted, not instance store, and large
- Available for On-Demand, Reserved and Spot Instances
- An instance can NOT be hibernated more than 60 days
What’s an EBS Volume? (Elastic Block Store)
- An EBS (Elastic Block Store) Volume is a network drive you can attach
to your instances while they run - It allows your instances to persist data, even after their termination
- They can only be mounted to one instance at a time (at the CCP level)
- They are bound to a specific availability zone
- Analogy: Think of them as a “network USB stick”
- Free tier: 30 GB of free EBS storage of type General Purpose (SSD) or
Magnetic per month
EBS Volume
- It’s a network drive (i.e. not a physical drive)
- It uses the network to communicate the instance, which means there might be a bit of
latency - It can be detached from an EC2 instance and attached to another one quickly
- It’s locked to an Availability Zone (AZ)
- An EBS Volume in us-east-1a cannot be attached to us-east-1b
- To move a volume across, you first need to snapshot it
- Have a provisioned capacity (size in GBs, and IOPS)
- You get billed for all the provisioned capacity
- You can increase the capacity of the drive over time
EBS Snapshots
- Make a backup (snapshot) of your EBS volume at a point in time
- Not necessary to detach volume to do snapshot, but recommended
- Can copy snapshots across AZ or Region
- EBS Snapshot Archive 24 to 72 hours
- Recycle Bin for EBS Snapshots (from 1 day to 1 year)
- Fast Snapshot Restore (FSR) ($$$)
EBS – Delete on Termination attribute
- Controls the EBS behaviour when an EC2 instance terminates
- By default, the root EBS volume is deleted (attribute enabled)
- By default, any other attached EBS volume is not deleted (attribute disabled)
- This can be controlled by the AWS console / AWS CLI
- Use case: preserve root volume when instance is terminated
AMI (Amazon Machine Image)
AMI are a customization of an EC2 instance
* You add your own software, configuration, operating system, monitoring…
* Faster boot / configuration time because all your software is pre-packaged
* AMI are built for a specific region (and can be copied across regions)
* You can launch EC2 instances from:
* A Public AMI: AWS provided
* Your own AMI: you make and maintain them yourself
* An AWS Marketplace AMI: an AMI someone else made (and potentially sells)
AMI Process (from an EC2 instance)
- Start an EC2 instance and customize it
- Stop the instance (for data integrity)
- Build an AMI – this will also create EBS snapshots
- Launch instances from other AMIs
EC2 Instance Store
- EBS volumes are network drives with good but “limited” performance
- If you need a high-performance hardware disk, use EC2 Instance Store
- Better I/O performance
- EC2 Instance Store lose their storage if they’re stopped (ephemeral)
- Good for buffer / cache / scratch data / temporary content
- Risk of data loss if hardware fails
- Backups and Replication are your responsibility
EBS Volume Types
-EBS Volumes come in 6 types
* gp2 / gp3 (SSD): General purpose SSD volume that balances price and performance for
a wide variety of workloads
* io1 / io2 (SSD): Highest-performance SSD volume for mission-critical low-latency or
high-throughput workloads
* st1 (HDD): Low cost HDD volume designed for frequently accessed, throughput- intensive workloads
* sc1 (HDD): Lowest cost HDD volume designed for less frequently accessed workloads
- EBS Volumes are characterized in Size | Throughput | IOPS (I/O Ops Per Sec)
- When in doubt always consult the AWS documentation – it’s good!
- Only gp2/gp3 and io1/io2 can be used as boot volumes
EBS Volume Types Use cases
General Purpose SSD
- Cost effective storage, low-latency
- System boot volumes, Virtual desktops, Development and test environments
- 1 GiB - 16 TiB
- gp3:
- Baseline of 3,000 IOPS and throughput of 125 MiB/s
- Can increase IOPS up to 16,000 and throughput up to 1000 MiB/s independently
- gp2:
- Small gp2 volumes can burst IOPS to 3,000
- Size of the volume and IOPS are linked, max IOPS is 16,000
- 3 IOPS per GB, means at 5,334 GB we are at the max IOPS
EBS Volume Types Use cases
Provisioned IOPS (PIOPS) SSD
- Critical business applications with sustained IOPS performance
- Or applications that need more than 16,000 IOPS
- Great for databases workloads (sensitive to storage perf and consistency)
- io1/io2 (4 GiB - 16 TiB):
- Max PIOPS: 64,000 for Nitro EC2 instances & 32,000 for other
- Can increase PIOPS independently from storage size
- io2 have more durability and more IOPS per GiB (at the same price as io1)
- io2 Block Express (4 GiB – 64 TiB):
- Sub-millisecond latency
- Max PIOPS: 256,000 with an IOPS:GiB ratio of 1,000:1
- Supports EBS Multi-attach
EBS Volume Types Use cases
Hard Disk Drives (HDD)
- Cannot be a boot volume
- 125 GiB to 16 TiB
- Throughput Optimized HDD (st1)
- Big Data, Data Warehouses, Log Processing
- Max throughput 500 MiB/s – max IOPS 500
- Cold HDD (sc1):
- For data that is infrequently accessed
- Scenarios where lowest cost is important
- Max throughput 250 MiB/s – max IOPS 250
EBS Multi-Attach – io1/io2 family
Attach the same EBS volume to multiple EC2
instances in the same AZ
* Each instance has full read & write permissions
to the high-performance volume
* Use case:
* Achieve higher application availability in clustered
Linux applications (ex: Teradata)
* Applications must manage concurrent write
operations
* Up to 16 EC2 Instances at a time
* Must use a file system that’s cluster-aware (not
XFS, EXT4, etc…)
EBS Encryption
- When you create an encrypted EBS volume, you get the following:
- Data at rest is encrypted inside the volume
- All the data in flight moving between the instance and the volume is encrypted
- All snapshots are encrypted
- All volumes created from the snapshot
- Encryption and decryption are handled transparently (you have nothing to
do) - Encryption has a minimal impact on latency
- EBS Encryption leverages keys from KMS (AES-256)
- Copying an unencrypted snapshot allows encryption
- Snapshots of encrypted volumes are encrypted
- Create an EBS snapshot of the volume
- Encrypt the EBS snapshot ( using copy )
- Create new ebs volume from the snapshot ( the volume will also be
encrypted ) - Now you can attach the encrypted volume to the original instance
EFS Elastic File System
- Managed NFS (network file system) that can be mounted on many EC2
- EFS works with EC2 instances in multi-AZ
- Highly available, scalable, expensive (3x gp2), pay per use
- Uses security group to control access to EFS
- Compatible with Linux based AMI (not Windows)
- File system scales automatically, pay-per-use, no capacity planning
EFS – Performance & Storage Classes
- EFS Scale
- 1000s of concurrent NFS clients, 10 GB+ /s throughput
- Grow to Petabyte-scale network file system, automatically
- Performance Mode (set at EFS creation time)
- General Purpose (default) – latency-sensitive use cases (web server, CMS, etc…)
- Max I/O – higher latency, throughput, highly parallel (big data, media processing)
- Throughput Mode
- Bursting – 1 TB = 50MiB/s + burst of up to 100MiB/s
- Provisioned – set your throughput regardless of storage size, ex: 1 GiB/s for 1 TB storage
- Elastic – automatically scales throughput up or down based on your workloads
- Up to 3GiB/s for reads and 1GiB/s for writes
- Used for unpredictable workloads
EFS Storage Classes
- Storage Tiers (lifecycle management feature
– move file after N days) * Standard: for frequently accessed files * Infrequent access (EFS-IA): cost to retrieve files,
lower price to store. Enable EFS
-IA with a Lifecycle Policy - Availability and durability * Standard: Multi-AZ, great for prod * One Zone: One AZ, great for dev, backup enabled
by default, compatible with IA (EFS One Zone
-IA) - Over 90% in cost savings
IAM Role
- Permissions to AWS Services to access AWS Resources.
- EC2 Instances Roles
- Lambda Function Roles
- Roles for CloudFormation
IAM Security Tool
- IAM Credentials Report: list of credentials status of all users.
- IAM Access Advisor: show services from the user and last access.
IAM User Groups
- IAM User Groups can contain only IAM Users.
An IAM policy consists of one or more statements. A statement in an IAM Policy consists of the following, EXCEPT:
- Effect
- Principal
- Version
- Action
- Resource
Version
Elastic Network Interface (ENI)
- Represents a Virtual Network Card
- Bounded to Availability Zone (AZ)
- Primary private IPv4, one or more secondary IPv4
- One Elastic IP (IPv4) per private IPv4
- One Public IPv4
- One or more security groups
- A MAC address
- Can be moved between EC2 Instances (Failover)
EC2 Hibernate
- To enable EC2 Hibernate, the EC2 Instance Root Volume type must be an EBS volume and encrypted to protect sensitive content.
- Stop – the data on disk (EBS) is kept intact in the next start
- Terminate – any EBS volumes (root) also set up to be destroyed is lost
You can use an AMI in N.Virginia Region us-east-1 to launch an EC2 instance in any AWS Region. T or F
- FALSE
AMIs are built for a specific AWS Region, they’re unique for each AWS Region. You can’t launch an EC2 instance using an AMI in another AWS Region, but you can copy the AMI to the target AWS Region and then use it to create your EC2 instances.
You are running a high-performance database that requires an IOPS of 310,000 for its underlying storage. What do you recommend?
- Use an EBS gp2 drive
- Use an EBS io1 drive
- Use an EC2 Instance Store
- Use an EBS io2 Block Express drive
- Use an EC2 Instance Store
You can run a database on an EC2 instance that uses an Instance Store, but you’ll have a problem that the data will be lost if the EC2 instance is stopped (it can be restarted without problems). One solution is that you can set up a replication mechanism on another EC2 instance with an Instance Store to have a standby copy. Another solution is to set up backup mechanisms for your data. It’s all up to you how you want to set up your architecture to validate your requirements. In this use case, it’s around IOPS, so we have to choose an EC2 Instance Store.
You are using an Application Load Balancer to distribute traffic to your website hosted on EC2 instances. It turns out that your website only sees traffic coming from private IPv4 addresses which are in fact your Application Load Balancer’s IP addresses. What should you do to get the IP address of clients connected to your website?
- Modify your website backend to get the client IP address from the X-Forwarded-For header
Application Load Balancers support the following protocols, EXCEPT:
- HTTP
- HTTPS
- TCP
- WebSocket
TCP
Application Load Balancers can route traffic to different Target Groups based on the following, EXCEPT:
- Client Location (Geography)
- Hostname
- Request URL Path
- Source IP Address
- Client Location (Geography)
For compliance purposes, you would like to expose a fixed static IP address to your end-users so that they can write firewall rules that will be stable and approved by regulators. What type of Elastic Load Balancer would you choose?
- Application Load Balancer with an Elastic IP attached to it
- Network Load Balancer
- Classic Load Balancer
Network Load Balancer
Network Load Balancer has one static IP address per AZ and you can attach an Elastic IP address to it. Application Load Balancers and Classic Load Balancers have a static DNS name.
We have an RDS database that struggles to keep up with the demand of requests from our website. Our million users mostly read news, and we don’t post news very often. Which solution is NOT adapted to this problem?
- Elastic Cache Cluster
- RDS Multi-AZ
- RDS Read Replicas
RDS Multi-AZ
Be very careful with the way you read questions on the exam. Here, the question is asking which solution is NOT adapted to this problem. ElastiCache and RDS Read Replicas do indeed help with scaling reads.
Which RDS (NOT Aurora) feature when used does not require you to change the SQL connection string?
Multi-AZ keeps the same connection string regardless of which database is up.
How can you enhance the security of your ElastiCache Redis Cluster by allowing users to access your ElastiCache Redis Cluster using their IAM Identities (e.g., Users, Roles)?
IAM Authentication
You have an unencrypted RDS DB instance and you want to create Read Replicas. Can you configure the RDS Read Replicas to be encrypted?
No, You can not create encrypted Read Replicas from an unencrypted RDS DB instance.
You need to store long-term backups for your Aurora database for disaster recovery and audit purposes. What do you recommend?
- Enable Automated Backups
- Perform On Demand Backups
- Use Aurora Database Cloning
Perform On Demand Backups
Your development team would like to perform a suite of read-and-write tests against your production Aurora database because they need access to production data as soon as possible. What do you advise?
Aurora Cloning Feature
You have purchased a domain on GoDaddy and would like to use Route 53 as the DNS Service Provider. What should you do to make this work?
Create a Public Hosted Zone and update the 3rd party Registrar NS Records
Your website TriangleSunglasses.com is hosted on a fleet of EC2 instances managed by an Auto Scaling Group and fronted by an Application Load Balancer. Your ASG has been configured to scale on-demand based on the traffic going to your website. To reduce costs, you have configured the ASG to scale based on the traffic going through the ALB. To make the solution highly available, you have updated your ASG and set the minimum capacity to 2. How can you further reduce the costs while respecting the requirements?
Reserve two EC2 Instances
You want to install software updates on 100s of Linux EC2 instances that you manage. You want to store these updates on shared storage which should be dynamically loaded on the EC2 instances and shouldn’t require heavy operations. What do you suggest?
Store the software updates on EFS and mount EFS as a network drive at startup
EFS is a network file system (NFS) that allows you to mount the same file system to 100s of EC2 instances. Storing software updates on an EFS allows each EC2 instance to access them.
A company has its data and files stored on some S3 buckets. Some of these files need to be kept for a predefined period of time and protected from being overwritten and deletion according to company compliance policy. Which S3 feature helps you in doing this?
S3 Object Lock - Retention Compliance Mode
Elastic IP
- A fixed public IP for your instance.
- public IPv4 IP you own as long as you don’t delete it
- You can attach it to one instance at a time
- 5 Per account
- Avoid use
Placement Groups
- Cluster: clusters instances into a low-latency group in a single Availability Zone
- Spread: spreads instances across underlying hardware (max 7 instances per
group per AZ) - Partition: spreads instances across many different partitions (which rely on
different sets of racks) within an AZ. Scales to 100s of EC2 instances per group
(Hadoop, Cassandra, Kafka
EBS (Elastic Block Store) Volume
- “Network USB Stick Drive”
- Network Drive that you can attach to your instances while they run.
- They can only be mounted to one instance at a time
- Bounded to specific AZ.
EBS vs EFS vs EC2 Instance Store
EBS
- One Instance (Except for multi-attach io1/io2)
- Bounded to AZ
- Migrate to another AZ via snapshot.
- Root volume gets terminated by default.
EFS
- Mounting 100s of instances across AZ
- Share website files (WordPress)
- Only Linux Instances (POSIX)
- Higher price than EBS
EC2 Instance Store
- Better I/O performance
- EC2 Instance Store lose their storage if they’re stopped (ephemeral)
- Good for buffer / cache / scratch data / temporary content
- Risk of data loss if hardware fails
- Backups and Replication are your responsibility
Why use a load balancer?
- Spread load across multiple downstream instances
- Expose a single point of access (DNS) to your application
- Seamlessly handle failures of downstream instances
- Do regular health checks to your instances
- Provide SSL termination (HTTPS) for your websites
- Enforce stickiness with cookies
- High availability across zones
- Separate public traffic from private traffic
ELB (Elastic Load Balancer)
- Managed load balancer by AWS
- Less effort
- It is integrated with many AWS offerings / services
Health Checks
- Crucial for Load Balancer
- route /health
- if not 200, then unhealthy
Classic Load Balancer
- Support TCP, HTTP, HTTPS
- Health Checks TCP or HTTP
- Fixed hostname: xxx.region.elb.amazonaws.com
ALB (Application Load Balancer)
- Load Balancing to multiple HTTP applications across machines (Target Groups)
- Load Balancing to multiple applications on the same machine (Ex:containers)
- Support HTTP/2 and WebSocket
- Support redirects (Ex from HTTP to HTTPS).
- Routing table to different target groups: URL, hostname, query string/header.
- Great for microservices and container based applications.
ALB Target Group
- EC2 Instance - HTTP
- ECS task - HTTP
- Lambda Functions - HTTP translate to json
- IP Addresses must be private
- ALB can route to multiple target groups
- Health Checks are at target group level.
- Fixed hostname (XXX.region.elb.amazonaws.com
- IP of the client is inserted in the header X-Forwarded-For
NLB (Network Load Balancer)
- Forward TCP and UDP traffic to your instances.
- Handle millions of requests
- Less latency than ALB
- One static IP per AZ, supports Elastic IP
- Extreme Performance
NLB Target Group
- EC2 instances
- IP Addresses – must be private IPs
- Application Load Balancer
- Health Checks support the TCP, HTTP and HTTPS Protocols
GLB (Gateway Load Balancer)
- Deploy, scale, and manage a fleet of 3rd party network virtual appliances in AWS
- Example: Firewalls, Intrusion Detection and Prevention Systems, Deep Packet Inspection Systems, payload manipulation.
- Uses the GENEVE protocol on port 6081
- Transparent Network Gateway – single entry/exit for all traffic
- Load Balancer – distributes traffic to your virtual appliances
- Target groups
– EC2 instances
– IP Addresses – must be private IP
Sticky Sessions
- It is possible to implement stickiness so that the same client is always redirected to the same instance behind a load balancer.
- Works for Classic Load Balancer, Application Load Balancer, and Network Load Balancer
- Application-based Cookies
- Duration-based Cookies
Cross-Zone Load Balancing
With Cross Zone Load Balancing:
each load balancer instance distributes evenly
across all registered instances in all AZ
—————————————————————-
Without Cross Zone Load Balancing:
Requests are distributed in the instances of the
node of the Elastic Load Balancer
Enable by default on ALB
SSL/TLS
- SSL refers to Secure Sockets Layer, used to encrypt connections
- TLS refers to Transport Layer Security, which is a newer version
- Public SSL certificates are issued by Certificate Authorities (CA)
- Comodo, Symantec, GoDaddy, GlobalSign, Digicert, Letsencrypt, etc…
SNI (Server Name Indication) - SSL
- multiple SSL certificates onto one web server
- It’s a “newer” protocol and requires the client to indicate the hostname of the target server in the initial SSL handshake.
-The server will then find the correct certificate, or return the default one. - Only works for ALB & NLB (newer
generation), CloudFront - Does not work for CLB (older gen)
Elastic Load Balancers – SSL Certificates
- Classic Load Balancer (v1)
- Support only one SSL certificate
- Must use multiple CLB for multiple hostname with multiple SSL certificates
- Application Load Balancer (v2)
- Supports multiple listeners with multiple SSL certificates
- Uses Server Name Indication (SNI) to make it work
- Network Load Balancer (v2)
- Supports multiple listeners with multiple SSL certificates
- Uses Server Name Indication (SNI) to make it work
Connection Draining
- Time to complete “in-flight requests” while the
instance is de-registering or unhealthy
-S tops sending new requests to the EC2
instance which is de-registering
ASG (Auto Scaling Group)
- Scale out (add EC2 instances) to match an increased load
- Scale in (remove EC2 instances) to match a decreased load
- Ensure we have a minimum and a maximum number of EC2 instances running
- Automatically register new instances to a load balancer
- Re-create an EC2 instance in case a previous one is terminated (ex: if unhealthy)
- It is possible to scale an ASG based on CloudWatch alarms
- Scalling cooldown
Auto Scaling Groups – Dynamic Scaling Policies
- Target Tracking Scaling
Example: I want the average ASG CPU to stay at around 40% - Simple / Step Scaling
When a CloudWatch alarm is triggered (example CPU > 70%), then add 2 units - Scheduled Actions
Example: increase the min capacity to 10 at 5 pm on Fridays - Predictive scaling: continuously forecast load and schedule scaling ahead
RDS (Relational Database Service)
- DBs
- Postgres
- MySQL
- MariaDB
- Oracle
- Microsoft SQL Server
- Aurora (AWS Proprietary database)
- Advantage over using RDS versus deploying DB on EC2:
- RDS is a managed service:
- Automated provisioning, OS patching
- Continuous backups and restore to specific timestamp (Point in Time Restore)!
- Monitoring dashboards
- Read replicas for improved read performance
- Multi AZ setup for DR (Disaster Recovery)
- Maintenance windows for upgrades
- Scaling capability (vertical and horizontal)
- Storage backed by EBS (gp2 or io1)
- BUT you can’t SSH into your instances
- Storage Auto Scaling
You have to set Maximum Storage Threshold (maximum limit for DB storage)
RDS Read Replicas
- Up to 15 Read Replicas
- Within AZ, Cross AZ or Cross Region
- Replication is ASYNC , so reads are eventually consistent
- Replicas can be promoted to their own DB
- Applications must update the connection string to leverage read replicas.
- Network Cost
- In AWS there’s a network cost when data goes from one AZ to another.
- For RDS Read Replicas within the same region, you don’t pay that fee.
Difference between Region and Availability Zone
- us-east-1a / us-east-1b
- Region = us-east
- AZ = 1a or 1b
RDS Multi AZ (Disaster Recovery)
- SYNC replication
- One DNS name – automatic app failover to standby
- Increase availability
- Failover in case of loss of AZ, loss of network, instance or storage failure
- No manual intervention in apps
- Not used for scaling
- Note:The Read Replicas be setup as Multi AZ for Disaster Recovery (DR)
RDS – From Single-AZ to Multi-AZ
- Zero downtime operation (no need to stop the DB)
- Just click on “modify” for the database
- The following happens internally:
- A snapshot is taken
- A new DB is restored from the
snapshot in a new AZ - Synchronization is established
between the two databases
RDS Custom
Managed Oracle and Microsoft SQL Server Database with OS and
database customization
* RDS: Automates setup, operation, and scaling of database in AWS
* Custom: access to the underlying database and OS so you can
* Configure settings
* Install patches
* Enable native features
* Access the underlying EC2 Instance using SSH or SSM Session Manager
Aurora
- proprietary technology from AWS (not open sourced)
- Postgres and MySQL are both supported as Aurora DB
- Aurora can have up to 15 replicas and the replication process is faster than
MySQL - Support for Cross Region Replication
- Failover in Aurora is instantaneous. It’s HA (High Availability) native.
- Replicas Auto Scaling
- Custom Endpoints (Analytical Queries)
- Aurora Serverless - Automated database instantiation and autoscaling based on actual usage.
- Aurora Multi-Master - In case you want continuous write availability for the writer nodes. Every node does R/W - vs promoting a Read Replica as the new master
- Global Aurora
- Aurora Cross Region Read Replicas
- Aurora Global Database (recommended)
- Typical cross-region replication takes less than 1 second
- Aurora Machine Learning
RDS Backup vs Aurora Backup
RDS
- Automated backups:
* Daily full backup of the database (during the backup window)
* Transaction logs are backed-up by RDS every 5 minutes
* => ability to restore to any point in time (from oldest backup to 5 minutes ago)
* 1 to 35 days of retention, set 0 to disable automated backups
- Manual DB Snapshots
* Manually triggered by the user
* Retention of backup for as long as you want
- Trick: in a stopped RDS database, you will still pay for storage. If you plan on
stopping it for a long time, you should snapshot & restore instead
- Automated backups
- 1 to 35 days (cannot be disabled)
- point-in-time recovery in that timeframe
- Manual DB Snapshots
- Manually triggered by the user
- Retention of backup for as long as you want
RDS & Aurora Restore options
- Restoring a RDS / Aurora backup or a snapshot creates a new database
- Restoring MySQL RDS database from S3
- Create a backup of your on-premises database
- Store it on Amazon S3 (object storage)
- Restore the backup file onto a new RDS instance running MySQL
- Restoring MySQL Aurora cluster from S3
- Create a backup of your on-premises database using Percona XtraBackup
- Store the backup file on Amazon S3
- Restore the backup file onto a new Aurora cluster running MySQL
Aurora Database Cloning
- Create a new Aurora DB Cluster from an existing one
- Faster than snapshot & restore
- Uses copy-on-write protocol
- Initially, the new DB cluster uses the same data
volume as the original DB cluster (fast and efficient
– no copying is needed) - When updates are made to the new DB cluster
data, then additional storage is allocated and data is
copied to be separated - Very fast & cost-effective
- Useful to create a “staging” database from a “production” database without impacting the production database
Amazon RDS Proxy
- Improving database efficiency by reducing the stress on database resources (e.g., CPU, RAM) and minimize open connections (and timeouts)
- Reduced RDS & Aurora failover time by up 66%.
- Enforce IAM Authentication for DB, and securely store credentials in AWS Secrets Manager.
- RDS Proxy is never publicly accessible (must be accessed from VPC)
Amazon ElastiCache
- Redis or Memcached
- Helps reduce load off of databases for read intensive workloads
- Helps make your application stateless
- Solution Architecture - DB Cache
- Solution Architecture – User Session Store
Redis Vs Memcached
- Redis
- Multi AZ with Auto-Failover
- Read Replicas to scale reads and have high availability
- Data Durability using AOF persistence
- Backup and restore features
- Supports Sets and Sorted Sets
- IAM Authentication for Redis
- Redist AUTH
- Redis Sorted Sets
- MemCached
- Multi-node for partitioning of data (sharding)
- No high availability (replication)
- Non persistent
- No backup and restore
- Multi-threaded architecture
Route 53 - Record Types
- A – maps a hostname to IPv4
- AAAA – maps a hostname to IPv6
- CNAME – maps a hostname to another hostname
- The target is a domain name which must have an A or AAAA record
- Can’t create a CNAME record for the top node of a DNS namespace (Zone
Apex) - Example: you can’t create for example.com, but you can create for
www.example.com - NS – Name Servers for the Hosted Zone
- Control how traffic is routed for a domain
Route 53 – Hosted Zones
- Public Hosted Zones – contains records that specify how to route
traffic on the Internet (public domain names) application1.mypublicdomain.com - Private Hosted Zones – contain records that specify how you route
traffic within one or more VPCs (private domain names) application1.company.internal
Route 53 – Records
- Domain/subdomain Name – e.g., example.com
- Record Type – e.g., A or AAAA
- Value – e.g., 12.34.56.78
- Routing Policy – how Route 53 responds to queries
- TTL – amount of time the record cached at DNS Resolvers
CNAME vs Alias
- AWS Resources (Load Balancer, CloudFront…) expose an AWS hostname:
- lb1-1234.us-east-2.elb.amazonaws.com and you want myapp.mydomain.com
- CNAME:
- Points a hostname to any other hostname. (app.mydomain.com => blabla.anything.com)
- ONLY FOR NON ROOT DOMAIN (aka. something.mydomain.com)
- Alias:
- Points a hostname to an AWS Resource (app.mydomain.com => blabla.amazonaws.com)
- Works for ROOT DOMAIN and NON ROOT DOMAIN (aka mydomain.com)
- Free of charge
- Native health check
Route 53 – Alias Records
- Maps a hostname to an AWS resource
- An extension to DNS functionality
- Automatically recognizes changes in the
resource’s IP addresses - Unlike CNAME, it can be used for the top node
of a DNS namespace (Zone Apex), e.g.:
example.com - Alias Record is always of type A/AAAA for
AWS resources (IPv4 / IPv6) - You can’t set the TTL
Route 53 – Alias Records Targets
- Elastic Load Balancers
- CloudFront Distributions
- API Gateway
- Elastic Beanstalk environments
- S3 Websites
- VPC Interface Endpoints
- Global Accelerator accelerator
- Route 53 record in the same hosted zone
- You cannot set an ALIAS record for an EC2 DNS name
Route 53 – Routing Policies
- Simple
- Weighted
- Latency-based
- Geolocation
- Geoproximity
- Ip-based
- Multi-value
Route 53 - Health Check
- Health checks that monitor an endpoint
(application, server, other AWS resource) - Health checks that monitor other health
checks (Calculated Health Checks) - Health checks that monitor CloudWatch
Alarms (full control !!) – e.g., throttles of
DynamoDB, alarms on RDS, custom metrics,
… (helpful for private resources)
Elastic Beanstalk
- Automatically handles capacity provisioning, load balancing, scaling, application
health monitoring, instance configuration, … - Just the application code is the responsibility of the developer
- We still have full control over the configuration
- Beanstalk is free but you pay for the underlying instances
Amazon S3 (Simple Storage Service)
- Amazon S3 is one of the main building blocks of AWS
- Uses Case:
- Backup and storage * Disaster Recovery * Archive * Hybrid Cloud storage * Application hosting * Media hosting * Data lakes & big data analytics * Software delivery * Static website
- Buckets (Unique name in world)
- Max object size is 5 TB
- file 5GB > Use multiupload
- Bucket Policies ( Example public access)
- Versioning of files
- Cross-Region Replication (CRR)
- Same-Regio Replication (SRR)
- S3 Batch Replication (Existing objects)
S3 Storage Class
- Amazon S3 Standard - General Purpose
- 99.99% Availability
- Used for frequently accessed data
- Low latency and high throughput
- Sustain 2 concurrent facility failures
Use Cases: Big Data analytics, mobile & gaming applications, content
distribution…
-> Infrequent Access
* For data that is less frequently accessed, but requires rapid access when needed
* Lower cost than S3 Standard
- Amazon S3 Standard-Infrequent Access (IA)
- 99.9% Availability
- Use cases: Disaster Recovery, backups
- Amazon S3 One Zone-Infrequent Access
- High durability (99.999999999%) in a single AZ; data lost when AZ is destroyed
- 99.5% Availability
- Use Cases: Storing secondary backup copies of on-premises data, or data you can recreate
-> Glacier
* Low-cost object storage meant for archiving / backup
* Pricing: price for storage + object retrieval cost
- Amazon S3 Glacier Instant Retrieval
- Millisecond retrieval, great for data accessed once a quarter
- Minimum storage duration of 90 days
- Amazon S3 Glacier Flexible Retrieval
- Expedited (1 to 5 minutes), Standard (3 to 5 hours), Bulk (5 to 12 hours) – free
- Minimum storage duration of 90 days
- Amazon S3 Glacier Deep Archive
- Standard (12 hours), Bulk (48 hours)
- Minimum storage duration of 180 days
- Amazon S3 Intelligent Tiering
- Small monthly monitoring and auto-tiering fee
- Moves objects automatically between Access Tiers based on usage
- There are no retrieval charges in S3 Intelligent-Tiering
Amazon S3 Advanced
- Moving objects can be automated using a Lifecycle Rules
- Transitions and Expiration
- Storage Class Analysis
- Request Pays
- Event Notifications
- Event Bridge
- Multi-Part Upload
- S3 Transfer Acceleration
- S3 Byte-Range Fetches
- S3 Select and Glacier Select
- S3 Batch Operations
- Amazon S3 automatically scales to high request rates, latency 100-200 ms
- Your application can achieve at least 3,500 PUT/COPY/POST/DELETE or
5,500 GET/HEAD requests per second per prefix in a bucket.
Amazon S3 Security
- Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) – Enabled by Default
- Server-Side Encryption with KMS Keys stored in AWS KMS (SSE-KMS)
- Server-Side Encryption with Customer-Provided Keys (SSE-C)
- Client-Side Encryption
- MFA Delete
- Access Logs
- Pre-Signed URLs
- Glacier Vault Lock (WORM, Vault Lock Policy, Compliance)
- Object Lock (Compliance, Governance, Period, Legal Hold)
- Access Points
- Object Lambda
Cross-Origin Resource Sharing (CORS)
If a client makes a cross-origin request on our S3 bucket, we need to enable
the correct CORS headers
Advanced Storage Comparison
- S3: Object Storage
- S3 Glacier: Object Archival
- EBS volumes: Network storage for one EC2 instance at a time
- Instance Storage: Physical storage for your EC2 instance (high IOPS)
- EFS: Network File System for Linux instances, POSIX filesystem
- FSx for Windows: Network File System for Windows servers
- FSx for Lustre: High Performance Computing Linux file system
- FSx for NetApp ONTAP: High OS Compatibility
- FSx for OpenZFS: Managed ZFS file system
- Storage Gateway: S3 & FSx File Gateway, Volume Gateway (cache & stored), Tape Gateway
- Transfer Family: FTP, FTPS, SFTP interface on top of Amazon S3 or Amazon EFS
- DataSync: Schedule data sync from on-premises to AWS, or AWS to AWS
- Snowcone / Snowball / Snowmobile: to move large amount of data to the cloud, physically
- Database: for specific workloads, usually with indexing and querying
