AWS System Operation Flashcards

1
Q

Systems Administrator

A

You are a systems operator, and it is your job to keep your application environments running at maximum performance at all times.

Just as a pit crew enables the racecar driver to win a race, systems operators are the pit crew—they help end users function successfully in their day-to-day jobs. You are an AWS systems operator, and this book will help you obtain the AWS Certified SysOps Administrator - Associate certification.

2
Q

Deploying Systems

A

You might find yourself manually installing common, off-the-shelf packages on standalone instances.

You might be coordinating an enterprise-wide effort to embrace fully automated continuous integration/continuous deployment. Wherever you are on that spectrum, the responsibility to get it running in the first place falls on your shoulders. However, deployment comprises much more than initializing systems. As enterprises evolve from monolithic application servers to container services, microservices, and serverless architectures, keeping up with the continuous stream of service updates requires attention and automation that you must manage.

3
Q

Monitoring Systems

A

You might have a wall of monitors, all rendering real-time data on the environments in your care.

You might have fully automated alert functions that respond to changes in behavior, repairing or replacing failing parts and keeping you informed of these adjustments. Nonetheless, you are monitoring much more than just network latency or CPU consumption. You have analytic engines that trace patterns in user behaviors, both consumers and employees. Your bots constantly review log files, looking for unusual activity and notifying you of anomalies.

4
Q

Optimizing Systems

A

As a systems operator, you are your company's best agent for maximizing performance because your analytics help you choose the correct infrastructure configuration, the optimal storage methods, and the best possible customer outcome.

However, you do more than optimize for speed; you optimize for cost. By using elastic environments, your environment not only automatically scales out during peak demand to minimize latency, but it also automatically scales in later to minimize spend. You manage an environment that is highly utilized every hour of every day.

5
Q

Fortifying Systems

A

Things break and systems go offline, but you don't let that keep you up at night. You maintain highly available architectures: systems that detect failed components and automatically switch over, replacing and restoring as needed without interruption of service to your consumers. But your availability methods cover more than a single region and multiple Availability Zones. Systems operations on AWS involves using multi-region and hybrid methods when needed to ensure continuity of operations no matter what Mother Nature throws at you.

6
Q

Securing Systems

A

The combination of security groups, access control lists, and private networks, in concert with native tools such as Amazon CloudFront and AWS Shield, helps your environment stand up to the most sinister of attacks.

Threats don't always come from the outside, however. You know that the most dangerous vector is the internal attack. That's why you have meticulously employed a policy of compartmentalized, restricted privilege sets so that no one can step into unauthorized territory, along with detailed Application Programming Interface (API) logging that reports on all actions to provide comprehensive control over your assets.

7
Q

The Three-Tier Design

A

One of the earliest cloud-native architectures used is the three-tier design, which includes the following:
A front-end web server layer
An application middle layer
A database layer

8
Q

Web Tier

A

The Web Tier is the front end to the application. It accepts the request from the user and passes that request to the Application Tier. It takes the response from the Application Tier and presents it back to the user. The format of the response is controlled at this tier, whether it is an HTML document, a CSV file, a PDF file, or some other format. This tier has no direct access to the Database Tier, and it should be decoupled from any processes happening in the Application Tier or the Database Tier.

9
Q

Application Tier

A

The Application Tier is a middleware tier where the internal business logic resides. It responds to requests from the Web Tier and communicates directly with the Database Tier. The Application Tier operates and scales independently of the other tiers.

10
Q

Database Tier

A

The Database Tier is a back-end tier where the databases manage the state of the application. This tier should only be accessed by the Application Tier. It processes requests from the Application Tier and provides responses back to the Application Tier.

11
Q

The Three Tier Architecture

A

The Challenge: An application runs an order management system for a global company.

The application will manage inventory, customer records, and orders in an integrated system. Some of the system requirements include flexibility to adjust to changing needs. It must be scalable to handle variable customer loads.

It must have separate front-end and processing layers to allow User Interface (UI) development to be isolated from business logic programming. It must be cost effective. In addition to scalable web and application instances, it should leverage native, cost-effective services such as elastic load balancing and Amazon S3.

The environment must be secure. Steps should be taken to ensure that all traffic is properly protected in transit and at rest. All access must be controlled and monitored at all times.

All critical data must be stored in durable, highly available systems, protected against node failure.

12
Q

Architecture Environment

A

Architectures live inside AWS Regions; in this scenario, in us-west-2 (Oregon, United States). Regions are made up of multiple Availability Zones, which provide the foundation for highly available architectures. Although this is a systems operation exam, it is critical to understand the nature of AWS Regions and Availability Zones.

13
Q

AWS Networking

A

Networking components start inside the AWS Region with Amazon Virtual Private Cloud (Amazon VPC). Amazon VPC is a private network in the AWS Region that isolates all traffic from the millions of other applications running in AWS. Amazon VPC is divided into subnets; all assets running in your Amazon VPC are assigned to a subnet. Unlike on-premises subnetting decisions that can affect latency between servers, Amazon VPC subnets only affect access.

Access between subnets is controlled through network Access Control Lists (NACLs), and access in and out of Amazon VPC is controlled through attached gateways. In this scenario, the only gateway is the Internet Gateway (IGW), and it allows traffic to and from external (public IP) sources. By granting route table access to the gateway only to specific subnets, ingress and egress can be tightly controlled. In this scenario, public subnets indicate IGW access. Without IGW access, the subnets become private; that is, they are accessible only to private IP networks.

14
Q

Seven Different Security Groups

A

Public Elastic Load Balancing: The only security group that allows full public access.
Web Tier Amazon EC2: This accepts traffic only from public Elastic Load Balancing.
Private Elastic Load Balancing: This accepts traffic only from Web Tier Amazon EC2.
Application Tier Amazon EC2: This accepts traffic only from private Elastic Load Balancing.
Amazon ElastiCache: This accepts traffic only from Application Tier Amazon EC2.
Amazon Relational Database Service (Amazon RDS): This accepts traffic only from Application Tier Amazon EC2.
Network Address Translation (NAT): This is used only for internally initiated outbound traffic.

15
Q

Compute

A

In this scenario, you use traditional compute methods, such as Linux servers running on Amazon EC2. Amazon EC2 comes in many sizes (how many CPUs, how much memory, how much network capacity, and so on), known as instances.

Based on the Amazon Machine Image (AMI), each Amazon EC2 instance can run a wide range of Linux- or Windows-based operating systems as well as preinstalled software packages.

Amazon EC2 instances also support runtime configuration as required.

The requirements for the scenario include scalable solutions. AWS provides Auto Scaling as an engine that can take predefined launch configurations and dynamically add or remove instances from the Web or the Application Tier based on metrics.

16
Q

Database

A

Amazon RDS runs in your Amazon VPC on Amazon EC2. You select the database engine and version (MySQL, Oracle, Postgres, and so forth) and the configuration (the size of the Amazon EC2 instance, which subnets to use, how often to take backups, and so on).

Amazon RDS takes care of the infrastructure of the instances and the engine; your database administrator (DBA) takes care of the database schema and data.

This scenario also includes Amazon DynamoDB, a native NoSQL engine optimized for consistent low latency, high availability, and strongly consistent reads and writes.

Unlike Amazon RDS (or do-it-yourself databases running on Amazon EC2), Amazon DynamoDB operates at the regional level through API access only.

17
Q

Storage

A

This scenario looks at storage in three different areas: the block storage used by the Amazon EC2 instances, the object storage keeping all of the media as well as backups and AMIs, and the caching storage used by Amazon CloudFront. Amazon EBS is durable, persistent block storage used by most Amazon EC2 and Amazon RDS instances. It provides drive space for boot volumes and data volumes. Additionally, AWS provides ephemeral storage for many Amazon EC2 instance types through instance storage. Deciding which one to use becomes an operational value judgment, one that compares speed, persistence, and cost.

18
Q

User Management

A

Although not drawn in the sample three-tier architecture diagram, user management becomes one of the critical elements of the AWS operational design. Operator access is controlled through AWS Identity and Access Management (IAM). IAM maintains control over validating authentication methods (passwords, access keys, and so on) and then grants access to authenticated operators. Because everything in AWS is accessed through APIs, IAM becomes a comprehensive tool for controlling all permissions to AWS services and resources. For established enterprise customers, IAM can be integrated with existing directory systems via AWS Directory Service.

19
Q

Security, Monitoring, and Deployment

A

Security is integral to every part of the AWS platform. This means that security is part of each piece of the architecture.

Monitoring of critical systems is provided by Amazon CloudWatch, which provides visibility into metrics that happen on the customer side of the shared responsibility model. Thousands of metrics across more than 90 services keep track of everything from CPU consumption to latency, queue depths, and so on.

AWS CloudTrail records every API call in the AWS system, including:
Who made the API call
When the API call was performed
Where the API call originated
The result of the API call

These records and other log files are processed through Amazon CloudWatch Logs, which analyzes text data for patterns that trigger alerts and corresponding actions.