ELB Load Balancing (High Availability and Scalability) Flashcards

Question 1

Q

scalability

Answer

A

your application can handle greater loads by adapting

Question 2

Q

two kinds of scalability

Answer

A

vertical

horizontal (=elasticity)

Question 3

Q

vertical scalability

Answer

A

increasing the size of the instance

if your app runs on t2.micro, scaling means running it on t2.large

Question 4

Q

vertical scalability use cases

Answer

A

non-distributed systems such as a database

RDS, ElastiCache

Question 5

Q

horizontal scalability

Answer

A

increase the number of instances / systems for your application

distributed system
common for modern web applications

Question 6

Q

high availability

Answer

A

usually goes hand in hand with horizontal scaling but not all the time

you run your app in at least 2 data centers (== AZ in AWS) in order to survive a data center loss

can be passive (RDS multi AZ) or active (horizontal scaling)

Question 7

Q

RDS

Answer

A

Amazon relational database service

is a web service that makes it easier to set up, operate, and scale a relational database in the AWS Cloud.

Question 8

Q

Multi-AZ

Answer

A

Amazon RDS provides high availability and failover support for DB instances using Multi-AZ deployments.

In a Multi-AZ deployment, Amazon RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone.

Question 9

Q

high availability for EC2

Answer

A

run instances for the same application across multi AZ

Autoscaling Group multi AZ, Load Balancer multi AZ

Question 10

Q

horizontal scalability for EC2

Answer

A

increase number of instances (scale in or scale out)

Autoscaling Group

Load Balancer

Question 11

Q

Amazon ElastiCache

Answer

A

Amazon ElastiCache is a web service that makes it easy to deploy, operate, and scale an in-memory data store or cache in the cloud. The service improves the performance of web applications by allowing you to retrieve information from fast, managed, in-memory data stores, instead of relying entirely on slower disk-based databases.

Question 12

Q

load balancers

Answer

A

servers that forward internet traffic to multiple servers (EC2 instances) downstream

available on the left panel Load balancing

Question 13

Q

why should we use load balancers

Answer

A

we can spread load across instances and expose a single point of access to your app, DNS.
we dont need to know about all the EC2 backend instances, we just need to know the single point of access, the host name of your balancer.
LB will perform regular health checks to your instances so it knows when not to send traffic to your instances
provide SSL termination (HTTPS) for your website
enforces stickiness with cookies
high availability across availability zones
separate public traffic (user - to LB) from private traffic (LB to EC2 instances)

Question 14

Q

why AWS load balancer

Answer

A

it’s a managed LB. AWS guarantees that it will be working, takes care of upgrades, maintenance, high availability
although costs less to set up your own, a lot more effort on my end
integrated with many AWS offerings and services

Question 15

Q

health checks

Answer

A

enables LB to know if the instances it sends traffic to are available to reply to requests in a good way

done on a port and a route (/health is common). If the response is not 200 OK, the instance is deemed unhealthy

you can configure how often

Question 16

Q

three types of load balancers

Answer

A

classic LB (v1 old generation) - 2009
application LB (v2 new generation) - 2016
network LB (v2 new generation) - 2017

it is recommended to use the 2 last of the new generation, provide more features

Question 17

Q

classic load balancer

Answer

A

supports TCP, HTTP and HTPPS traffic

health checks are TCP or HTTP based

fixed hostname

Question 18

Q

application load balancer

Answer

A

supports HTTP, HTPPS and WebSocket traffic
only layer 7 LB
fixed host name

-

Question 19

Q

network load balancer

Answer

A

supports TCP, TLS (secure TCP), UDP

Question 20

Q

internal (private) LB

Answer

A

private within your account, you can’t access it from the public web

Question 21

Q

external (public) LB

Answer

A

will allow your users to access for ex., your website

Question 22

Q

load balancer security groups

Answer

A

create security group on LB with inbound rules allowing HTTP (port 80) traffic and HTTPS (port 443) from any users from any IPs
create security group in EC2 instances that allows incoming traffic only from LB. In the security group we can reference the security group we created on LB in step1

Question 23

Q

load balancer and scaling

Answer

A

LB can scale but not instantaneously - contact AWS for a warm up

Question 24

Q

load balancer troubleshooting

Answer

A

4xx are client induced errors
5xx errors are app induced errors
503 means at capacity or no registered target
if LB can’t connect to your app, check security groups

Question 25

Q

load balancer monitoring

Answer

A

ELB access logs will log all requests

2. CloudWatch Metrics will give you aggregate statistics

Question 26

Q

TCP, HTTP´, HTTPS layers

Answer

A

TCP layer 4

others layer 7

Question 27

Q

load balancer stickiness

Answer

A

it is possible to implement stickiness so that the same client is always redirected to the same instance behind LB

works for classic and application LB

You are running a website with a load balancer and 10 EC2 instances. Your users are complaining about the fact that your website always asks them to re-authenticate when they switch pages. You are puzzled, because it’s working just fine on your machine and in the dev environment with 1 server.

Question 28

Q

load balancer stickiness use case

Answer

A

we want to make sure that user doesn’T lose his session data so keep on talking to the same EC2 instance

the cookie used for stickiness has an expiration date you control

Question 29

Q

enabling stickiness downside

Answer

A

may bring imbalance to the load over the backend EC2 instances

Question 30

Q

load balancer stickiness configuration

Answer

A

for classic LB it is configured in LB properties

for application LB - at the target group level (left panel –> Load Balancing –> Target Groups), checkbox

you can configure for how long

takes a little bit of time to kick in

Question 31

Q

cross-zone load balancing

Answer

A

each LB instance distributes evenly across all registered instances in all AZ

(one LB can be deployed in multiple AZ –> hence multiple LB instances)

if cross-zone load balancing disabled, each instance will distribute evenly only in its zone

Question 32

Q

cross-zone load balancing and classic LB

Answer

A

disabled by default but you will not be charged if you enable it

the setting is on tab Description

Question 33

Q

cross-zone load balancing and application LB

Answer

A

always on and can’t be disabled but you will not be charged for data crossing AZones

there is no setting to change it

Question 34

Q

cross-zone load balancing and network LB

Answer

A

disabled by default but you will be charged if you enable it

the setting is on tab Description

Question 35

Q

SSL certificate allows traffic

Answer

A

between your clients and your load balancer to be encrypted in-transit (in-flight encryption)

Question 36

Q

SSL

Answer

A

secure sockets layer

used to encrypt connections

Question 37

Q

TLS

Answer

A

Transport Layer Security - newer version of SSL

TLS certificates are mainly used nowadays, but people still say SSL
have expiration date and have to be renewed

Question 38

Q

public SSL certificates are issued by

Answer

A

Certificate Authorities

Question 39

Q

Load balancers and SSL certificates

Answer

A

users connect to LB over HTTPS, so using SSL certificates, over public internet
internally LB does SSL certificate termination
in the backend it can talk to your EC2 instance using HTTP, not encrypted but the traffic goes over your VPC, which is private network and somewhat secure
LB will load X509 certificate (SSL (TLS) server certificate)

Question 40

Q

you can manage certificates using

Answer

A

ACM
AWS ceritficate manager

you can upload your own certificates to ACM

Question 41

Q

when you set up HTTPS listener on LB

Answer

A

you must

specifiy a default certificate

you can

add a list of optional certs to support multiple domains
clients can you use SNI (server name indication) to specify the host name they reach
specify a security policy to support older versions of SSL / TLS (legacy clients)

Question 42

Q

SNI and LB

Answer

A

With SNI support we’re making it easy to use more than one certificate with the same ALB.

In order to handle different domains with the same load balancer.

It’s always been possible to use wildcard and subject-alternate-name (SAN) certificates with ALB, but these come with limitations.

Wildcard certificates only work for related subdomains that match a simple pattern and while SAN certificates can support many different domains, the same certificate authority has to authenticate each one. That means you have reauthenticate and reprovision your certificate everytime you add a new domain.

Question 43

Q

classic LB and SSL

Answer

A

supports only 1 SSL certificate

must use multiple CLB for multiple hostname with multiple SSL certificates

Question 44

Q

application LB and SSL

Answer

A

supports multiple listeners with multiple SSL certificates

uses server name indication SNI to make it work

Question 45

Q

network LB and SSL

Answer

A

supports multiple listeners with multiple SSL certificates

uses server name indication SNI to make it work

Question 46

Q

add HTTPS listener

Answer

A

select LB and then tab Listeners –> when adding a listener you can add certificate(s)

for classic LB - only one

for application and network LB you can create rules using SNIs - in which case which certificate can be used

Question 47

Q

application LB allows

Answer

A

load balancing to multiple HTTP applications across machines (target groups)
load balancing to multiple applications on the same EC2 instance (ex: using containers und ECS)
routing to different target groups

Question 48

Q

routing to different target groups

Answer

A

based on path in URL (example.com/users or example.com/posts)
based on hostname in URL (one.example.com and other.example.com)
based on QueryString and Headers
example. com/users?id=123
based on source IP

in LB configuration you configure rules - to which target group to forward on condition

Question 49

Q

application LB are great

Answer

A

when you have micro services and container-based application (ex.: Docker and Amazon ECS)

have a port mapping feature which allows to redirect to a dynamic port on the ECS instance

Question 50

Q

application vs classical LB

Answer

A

if we wanted to have multiple applications behind LB,

with classic LB we would have to have multiple classical LB, one per application

but with app LB - one in front of many apps

Question 51

Q

Application LB target groups behind it

Answer

A

EC2 instances (can be managed by an autoscaling group) - HTTP
ECS tasks (managed by ECS itself) - HTTP
lambda functions - HTTP request is translated into a JSON event
private IP addresses

ALB can route to multiple target groups
Health checks will be done at the target group level

Question 52

Q

application LB communication client - LB- instance

Answer

A

application servers dont see the IP of the client directly

the true IP is inserted into the header X-Forwarded-For, port - X-Forwarded-Porto and protocol - X-Forwarded-Proto

When client talks to the LB, it performs connection termination. When LB talks to EC2 instance, it uses LoadBalancer IP (private IP)

so if EC2 instance needs to know the IP of the client, it needs to look into the extra headers of the HTTP request

Question 53

Q

SNI only works for

Answer

A

application and network LBs

Question 54

Q

ELB connection draining naming

Answer

A

classic LB - Connection draining

Target Group: deregistration delay (ALB, NLB)

Question 55

Q

connection draining

Answer

A

time to complete in-flight requests while the instance is de-registering or unhealthy

allows the instance to shut down anything it was doing before being de-registered

ELB will stop sending new requests to the instance while it’s being deregistered

Question 56

Q

connection draining workflow

Answer

A

EC2 instance is being terminated or unhealthy so it’s gonna go into draining mode

during this mode the existing connections will be waiting for the duration of the connection draining period to be completed

any new connection to ELB will be redirected to another EC2 instance

Question 57

Q

duration of the connection draining period

Answer

A

300 sec by default

you can change between 1 sec and 1 hour or disable completely

Question 58

Q

duration of the connection draining period strategy

Answer

A

if your app has very short requests, like a web app, for ex. 1-5 seconds, then you should set to 10-20 seconds max, because you don’t expect any request to last longer than 20 sec

if your EC2 instances are very slow to respond, have a lot of data processing to do, then you want to set it higher to give a chance to those request that are in-flight to be completed

if you disable completely: so in case a connection is dropped while your EC2 instance is being killed, users will receive error and will have to repeat the request, which will be redirected to another instance

Question 59

Q

SSL based communication

Answer

A

client sends request to web server secured with SSL
webserver sends its certificate to the client, so that the client can verify its identity. The certificate contains the server’s public key
the client generates a random session key and encrypts it with the server’s public key. And sends to the server.
Only the server can decrypt the session key. After that the communication is encrypted symmetrically

Question 60

Q

SNI

Answer

A

server name indication, extention of TLS

allows multiple secure (HTTPS) websites (or any other service over TLS) to be served by the same IP address without requiring all those sites to use the same certificate

Question 61

Q

why is SNI required

Answer

A

Since TLS operates at the transport layer, below HTTP, it doesn’t see the hostname requested by a client. And can’t choose certificate based on the hostname

Question 62

Q

how does SNI work

Answer

A

SNI works by having the client tell the server “This is the domain I expect to get a certificate for” when it first connects.

The server can then choose the correct certificate to respond to the client.

In order to provide any of the server names, clients MAY include an extension of type “server_name” in the (extended) client hello.

All modern web browsers and a large majority of other clients support SNI.

Question 63

Q

host name in SSL/TLS certificate

Answer

A

The Common Name (AKA CN) represents the server name protected by the SSL certificate. The certificate is valid only if the request hostname matches the certificate common name. Most web browsers display a warning message when connecting to an address that does not match the common name in the certificate.

Question 64

Q

In the case of a single-name certificate,

Answer

A

the common name consists of a single host name (e.g. example.com, www.example.com)

Answer 65

A

the common name consists of a wildcard name (e.g. *.example.com).

Answer 66

A

the commonName field in the X.509 certificate specification.

Answer 67

A

static DNS name we can use in our application

AWS wants your load balancer to be accessible using a static endpoint, even if the underlying infrastructure that AWS manages changes

Answer 68

A

You are designing a high performance application that will require millions of connections to be handled, as well as low latency.

NLB provide the highest performance if your application needs it

Answer 69

A

Nothing

The capacity of your ASG cannot go over the maximum capacity you have allocated during scale out events

Answer 70

A

is not technically feasible

Answer 71

A

Network Load Balancers expose a public static IP, whereas an Application or Classic Load Balancer exposes a static DNS (URL)

Answer 72

A

static DNS name that we can use in our app

not static IP4, not static IP6

Answer 73

A

LB doesn’t having stickiness enabled

Answer 74

A

Look into X-Forwarded-For header in the backend

Answer 75

A

Enable health checks

Answer 76

A

Network LB

Answer 77

A

Hostname and request path but not client IP

Answer 78

A

ASG will terminate this instance

Answer 79

A

create CloudWatch custom metric and build an alarm on this to scale your ASG

Answer 80

A

Network Load Balancers expose a public static IP, whereas an Application or Classic Load Balancer exposes a static DNS (URL)

Answer 81

A

SNI (Server Name Indication) is a feature allowing you to expose multiple SSL certs if the client supports it. Read more here: https://aws.amazon.com/blogs/aws/new-application-load-balancer-sni/

Answer 82

A

Network LB

Answer 83

A

Cross Zone Load Balancing

Answer 84

A

Target Tracking

Brainscape's Knowledge GenomeTM

ELB Load Balancing (High Availability and Scalability) Flashcards

Brainscape's Knowledge Genome^TM