EC2 and EBS Flashcards

1
Q

What is an AMI?

A
  • AMI - Amazon Machine Image
  • The OS is defined by the AMI you choose; the hardware follows the instance type
  • An AMI is a template containing the information that tells EC2 which OS and application software to include on the root data volume of the instance
    There are 4 kinds/types of AMI:
    1. Amazon Quick Start AMIs
    2. AWS Marketplace AMIs
    3. Community AMIs
    4. Private AMIs
    NOTE: a particular AMI is available only in one region. An AMI is invoked by ID, and invoking it from a different region will fail. Most likely a similar AMI will exist in the other regions.
2
Q

Amazon Quick Start AMI

A

Amazon Quick Start AMIs are popular choices and include various releases of Linux and Windows Server operating systems, plus some specialty images for performing common operations. These AMIs are up to date and officially supported.

3
Q

AWS Marketplace AMIs

A

These are production-ready images provided and supported by industry vendors such as SAP and Cisco.

4
Q

Community AMIs

A
  • More than 100K images are available as community AMIs. They are usually created and maintained by a specific vendor for a specific purpose/need.
5
Q

Private AMIs

A

You can store images created from your own instance deployments as private AMIs.
Having a tested and maintained AMI of your own makes auto scaling easy.
- You can share images as AMIs or import VMs from your local infrastructure (by way of AWS S3) using the AWS VM Import/Export tool.

6
Q

Instance Type

A
  • An instance type is a hardware profile
  • There are 75 instance types
  • They are organized/classified into 5 instance families:
    • General purpose - A1, T3, T3a, T2, M6g, M5, M5a, M5n, M4
    • Compute optimized - C5, C5n, C4
    • Memory optimized - R5, R5a, R5n, X1e, X1, High Memory, Z1d
    • Accelerated computing - P3, P2, Inf1, G4, G3, F1
    • Storage optimized - I3, I3en, D2, H1
7
Q

General purpose Instance Type

A
  • Includes the T3, T2, M5 and M4 types, optimized to provide a balance between compute, memory and network resources
  • t2.nano - 1 vCPU and 0.5 GB of memory
  • t2.2xlarge - 8 vCPU and 32 GB of memory
  • t2.micro is part of the free tier and is good for experimenting
    M5 and M4 are recommended for many small and midsize data-centric operations
    • Some M* instances come with their own physical drives attached; T* instances require EBS
    • m5.large - 2 vCPU and 8 GB of memory
    • m5d.metal - 96 vCPU and 384 GB of memory
8
Q

Compute optimized instance types

A
  • For demanding web servers and high-end machine learning workloads
  • c5.large to c5d.24xlarge - give you as much as 3.5 GHz of processor speed and strong network bandwidth
9
Q

Memory optimized instance types

A
  • Work well for intensive database, data analytics and caching operations
  • X1e, X1 and R4 are available with as much as 3.9 terabytes of dynamic random-access memory (DRAM) and low-latency solid-state drive (SSD) storage volumes attached
10
Q

Accelerated computing

A
  • To achieve higher-performance graphics processing, use the P2, P3, G3 and F1 types
  • These instance types are recommended for 3D visualization, financial analysis and computational fluid dynamics
11
Q

Storage Optimized instance types

A
  • H1, I3 and D2 have large, low-latency instance storage volumes
  • In the case of I3en, up to 60 TB of slower hard disk drive (HDD) storage
  • Work well with distributed file systems and heavyweight data processing applications
12
Q

Tenancy

A
  1. Shared tenancy. The physical server can host other customer accounts.
  2. Dedicated tenancy. The physical host is dedicated to your account.
13
Q

Placement groups

A

By default AWS will try to spread instances out. EC2 placement groups give you the power to control this.
- Cluster
Instances are launched in a single availability zone in close proximity. Low latency; can be useful for high-performance computing.
- Spread
Separates instances physically across distinct hardware racks and even availability zones.
- Partition
Lets you associate instances with each other by placing them in a single partition, which can be kept separate from the instances in other partitions. Differs from Spread, where no two instances will be together.

14
Q

Resource tag

A

Resource tags can be used to track your components in the environment.
A resource tag has a key and an optional associated value.

Key: production-server Value: server1
Key: production-server Value: security-group1
Etc.

15
Q

Service limits. How many VPCs per region?

A

Only 5 VPCs per region

16
Q

Service limits. Secure shell key pairs across the account

A

5000

17
Q

What is EBS?

A

Elastic Block Store volume
- For the most part, virtualized spaces carved out of large physical drives.
- 99.99% reliability
- Multiple volumes can be attached to an instance, but one volume can be attached to only one instance at a time
- 4 types of EBS: two SSD and two spinning hard drives
EBS Provisioned IOPS SSD
- maximum IOPS/volume of 64K and maximum throughput/volume of 1,000 MB/s
EBS General Purpose SSD
- will work well for most server workloads
- 16K IOPS/volume
Throughput Optimized HDD
- log processing and big data operations
- only 500 IOPS/volume but with 500 MB/s throughput/volume; cost $0.045/month
Cold HDD
- large volumes of data with infrequent access; 250 IOPS/volume; $0.025/GB/month
- $0.1/GB/month. Ex.: an 8 GB boot drive costs $9.6/year

18
Q

Instance Store Volumes

A
  • Attached physically to the server that hosts the instance
  • These volumes are ephemeral
  • Price is included in the price of the instance
  • How many depends on the instance type you choose
19
Q

How many IPv4 ranges are used by private networks, and what are they?

A
  • Three
  • 10.0.0.0 - 10.255.255.255
  • 172.16.0.0 - 172.31.255.255
  • 192.168.0.0 - 192.168.255.255
20
Q

What tools help you secure EC2?

A
  • There are four tools:
    • Security groups
    • Identity and Access Management (IAM) roles
    • Network address translation (NAT)
    • Key pairs
21
Q

What are security groups and how do they work?

A
  • Play the role of a (virtual) firewall for EC2 access. A security group will deny all incoming traffic while permitting all outgoing traffic
  • Rules are set up; traffic is examined by its source and destination, network port and protocol
22
Q

IAM roles - how they work

A
  • Define an IAM role by giving it permission to perform actions on specific services or resources within your AWS account
  • Then the role is assigned to a user or resource, and they gain the access defined by the role's policy
23
Q

What are NAT devices?

A
  • Network address translation devices
  • There are two types:
    • NAT instance
    • NAT Gateway - a managed service; does not require launching and maintaining an instance
    • Both will cost you
24
Q

What is an Auto Scaling group?

A

An Auto Scaling group is a group of EC2 instances managed by Auto Scaling.

25
Q

What needs to be done when you define an Auto Scaling group?

A
  • You must specify either a launch configuration (LC) or a launch template (LT) you have created
  • How many running instances you want Auto Scaling (AS) to provision and maintain using the LC or LT
  • You must specify a minimum size
  • Optionally a desired number
26
Q

What is the minimum size of an Auto Scaling group?

A

Minimum size - Auto Scaling (AS) will ensure that the number of instances never goes below the minimum.
- If ZERO is specified, it will not spin up new ones and will terminate existing ones.

27
Q

What is the maximum for an Auto Scaling group?

A

Auto Scaling will make sure the number of healthy instances never exceeds this amount.

28
Q

DESIRED capacity for Auto Scaling

A
  • Optional setting between MINIMUM and MAXIMUM
  • Also called group size
  • When specified, Auto Scaling will ADD or TERMINATE instances to stay at the desired number
29
Q

How to establish a “connection” between an ALB and an Auto Scaling group

A
  • Add the name of the ALB (Application Load Balancer) group in the Auto Scaling group configuration
30
Q

What potential health checks for instances does Auto Scaling react to?

A
  • Checks are done by CloudTrail and CloudWatch:
    • memory exhaustion
    • file system corruption
    • incorrect network or start-up configuration
    • system problems that require AWS involvement and repair
    • these do not necessarily catch application issues
  • If an ALB is used, you can configure ALB health checks based on HTTP return codes and configure AS to use them to determine whether an instance is “healthy”. The ALB will stop routing to an “unhealthy” instance, and AS will terminate it and start a new one.
31
Q

What are the Auto Scaling (AS) options?

A
  • MANUAL - if you change the minimum or desired number of instances in the AS group, AS will immediately adjust to it. If you had a desired count of 2 and changed it to 4, it will immediately start 2 more; in reverse, if you had 4 and set it to 2, it will terminate 2
  • Dynamic Scaling Policies
    Dynamic scaling policies work by monitoring CloudWatch alarms and scaling out by increasing desired capacity when an alarm is breached. There are three dynamic scaling policies:
    • simple
    • step
    • target tracking
32
Q

What are the Simple Scaling Policy adjustment types?

A

With a simple scaling policy, whenever the metric rises above the threshold, AS simply increases the desired capacity. By how much is defined by the chosen ADJUSTMENT TYPE:
- ChangeInCapacity - increases capacity by a specific amount. Ex.: you start with 4; when the alarm is reached it increases the desired value by 2
- ExactCapacity - sets capacity to a specific value, regardless of the current value. Ex.: desired capacity is 4; when load increases it sets it to 6
- PercentChangeInCapacity - changes capacity as a % of the current desired capacity. Ex.: 4 with a value of 50% will add 2 more, to 6
There is a COOLDOWN period. It is the period AS waits before executing the policy again, even if the alarm is still on.
It will never go above MAXIMUM.

33
Q

What are Step Scaling Policies for Auto Scaling?

A

With a RAPID increase in demand, simple scaling may not add enough instances quickly enough.
Using a step scaling policy, you can instead add instances based on how much the aggregate metric exceeds the threshold.
- Create CloudWatch alarms to monitor specific thresholds
There are 4 parameters for each STEP:
- lower bound
- upper bound
- adjustment type
- amount by which to increase the desired capacity
WARM-UP time - how long AS waits before it starts considering metrics of newly spawned instances. Default is 300 seconds.

34
Q

What are the adjustment types for Auto Scaling?

A

The chosen ADJUSTMENT TYPES:

  • ChangeInCapacity - increases capacity by a specific amount. Ex.: you start with 4; when the alarm is reached it increases the desired value by 2
  • ExactCapacity - sets capacity to a specific value, regardless of the current value. Ex.: desired capacity is 4; when load increases it sets it to 6
  • PercentChangeInCapacity - changes capacity as a % of the current desired capacity. Ex.: 4 with a value of 50% will add 2 more, to 6
35
Q

How does a Target Tracking Auto Scaling policy work?

A
  • You just specify a target for one of the monitored metrics. AS will create an appropriate CloudWatch alarm and scaling policy to adjust the number of instances to keep the metric near the target
  • The chosen metric must change proportionally to load
  • It will also scale in to keep the target value. You can disable scaling in
36
Q

What are Scheduled Actions?

A
  • Used when you know the time period when you need extra capacity
  • Must specify:
    • min, max and desired capacity values
    • start date and time
37
Q

What is AWS Systems Manager?

A
  • Also known as
    • EC2 Systems Manager
    • Simple Systems Manager (SSM)
    Lets you automatically or manually perform actions against your AWS resources and on-premises servers.
    Possible tasks include:
    FOR ON-PREM AND AWS EC2
    • upgrading installed packages
    • installing new software
    • taking an inventory of installed software
    For other AWS resources
    • creating an AMI golden image from an EBS snapshot
    • attaching AMI instance profiles
    • disabling read access to S3, for example
    Two capabilities:
    • ACTIONS
    • Insights
38
Q

What action types does Systems Manager support?

A
  • Automation - actions you can run against your AWS resources
  • Command - actions you can run against your Linux and Windows instances
  • Policy - defined processes for collecting inventory data from managed instances
39
Q

AWS Systems Manager Actions - Automation

A
  • Automation enables you to perform actions against your AWS resources in bulk
  • Automation provides granular control over how it carries out its individual actions:
    • in one swoop
    • one step at a time, enabling you to control what happens and when
  • You can define a rate, so you can control the number or % of resources to target at once
40
Q

AWS Systems Manager Actions - Command

A
  • Enables running commands on your on-prem managed instances
  • Accomplished via agents installed on EC2 and on-prem managed instances
  • By default it cannot do anything; you first need to apply an instance profile role that contains the permissions in the AmazonEC2RoleforSSM policy
    AWS offers a variety of command documents for Linux and Windows for a series of common tasks
41
Q

AWS Systems Manager - Session Manager

A
  • Lets you get interactive Bash and PowerShell access to your Linux and Windows instances
  • No need for network ACL configuration, port opening, etc.; the instance does not need to be in a public subnet
  • Using the web console or the AWS CLI
  • You must install the AWS Session Manager plug-in
  • There are SDKs for Session Manager
    Sessions are secured using TLS 1.2
  • Session Manager can use CloudTrail to log all logins to an S3 bucket
42
Q

AWS Systems Manager - Patch Manager

A
  • Helps automate patching for your Linux and Windows instances
  • Supported for
    Windows Server, Ubuntu Server, RHEL, SUSE Linux Enterprise Server, CentOS, Amazon Linux, Amazon Linux 2
    Supports individual patching, patching by tag, and creating patch groups
  • A patch group is a collection of instances with the tag key “Patch Group”
  • Patch Manager uses a patch baseline to define which available patches to install.
  • AWS has a default baseline
  • You can create your own; it will contain one or more approval rules that define the operating system, the classification and severity, and the auto-approval delay
  • Default auto-approval delay is 7 days
    You can’t define patches by bulletin ID (for Windows) or CVE (Common Vulnerabilities and Exposures) ID
  • Patch Manager executes the AWS-RunPatchBaseline document to perform patching
    Approved patches are installed during the specified maintenance window or immediately
43
Q

State Manager

A

State Manager is a configuration management tool that ensures your instances have the software you want them to have and are configured the way you want.
- Can automatically run command and policy documents against your instances
- One time or on a schedule
- You must create an association that defines the command document to run, any parameters, the target instances and the schedule
Once the association is created, State Manager will execute it immediately against running instances and after that will follow the schedule.

Currently there is only one policy document you can use with State Manager: AWS-GatherSoftwareInventory

44
Q

What are AWS Systems Manager Insights?

A

Aggregates health, compliance and operational details about your AWS resources into a single area of AWS Systems Manager.

  • Some insights are categorized by resource group, which is defined by one or more tag keys and optional tag values
  • You can apply the same tag key to all resources associated with a particular application (EC2, S3, EBS volumes, security groups, etc.)
45
Q

Built-in insights

A

AWS Config compliance
- shows the total number of resources in the group that are compliant and noncompliant with AWS Config rules
- compliance by resource
- shows a brief history of configuration changes tracked by AWS Config
CloudTrail Events
- displays each resource in the resource group, its type and the last event recorded by CloudTrail for this resource
Personal Health Dashboard
- shows alerts when AWS experiences issues that impact your resources
- number of events AWS resolved in the last 24 hours
Trusted Advisor Recommendations
- can check your environment for optimization, including cost

46
Q

Inventory Manager

A
  • Collects data from your instances:
    • operating system name and version
    • applications and file names, versions and sizes
    • network configuration, including IP and MAC addresses
    • Windows updates, roles, services and registry values
    • CPU model, cores and speed

You can choose which instances to collect data from by creating a REGION-WIDE inventory association that executes the AWS-GatherSoftwareInventory policy document.

  • You can choose all instances; this is a global inventory association. New instances will automatically be included
  • Collection every 30 minutes
  • For on-prem servers, specify the region to collect into
  • To get all regions, you can configure Resource Data Sync in each region to store data in one single S3 bucket
47
Q

Compliance insight

A

How patching stacks up against the rules you have configured
- shows the number of instances that have patches, as well as details of the specific patches installed
Association compliance shows the number of instances that have successfully had associations executed against them