HA & Scaling Flashcards
Regional and Global AWS Architecture
There are a few major architectural components, which will map onto AWS products and services:
At a global level:
-Global Service Location & Discovery - when you type netflix.com into your browser, how does your machine discover where to point?
-Content Delivery (CDN) and optimization - how does the content or data for an application get to users globally? Are there pockets of storage distributed globally, or is it pulled from a central location?
-Global health checks & Failover - detecting if infrastructure in one location is healthy or not and moving customers to another country as required
At a regional level:
-Regional entry point
-Scaling & Resilience
-Application services and components
Customer Global Process
-Globally, DNS is used for service discovery, region-based health checks and request routing
-CDNs are used to cache content globally - as close to end users as possible to improve performance
The function of the architecture at this global level is to get customers through to a suitable infrastructure location, making sure any regional failures are isolated and sessions are moved to alternative regions.
If this part of our architecture works well, customers will be directed towards a region that has infrastructure for our application.
At this point, the traffic is entering one specific region of the AWS infrastructure.
-Initially, communications from your customers will generally enter at the Web Tier - generally an AWS regional service, such as an Application Load Balancer or API Gateway
-The purpose of the Web Tier is to act as an entry point for your region-based applications
-The functionality provided to the customer via the Web Tier is delivered by the Compute Tier - using services such as EC2, Lambda or containers
-This Compute Tier will consume storage services, such as EBS, EFS and even S3 for media storage.
-CloudFront is capable of using S3 as an origin for media
-Most environments require data storage - DB Tier - this is delivered using RDS, Aurora, DynamoDB and Redshift for data warehousing
-In order to improve performance, most applications don’t directly access the DB, instead they go via a caching layer - ElastiCache or DynamoDB Accelerator (DAX)
-App services such as Kinesis, Step Functions, SQS and SNS, provide some type of functionality to applications
Evolution of ELBs
-Three types of ELBs, available within AWS
-Split between v1 (avoid / migrate) and v2 (prefer)
-Classic Load Balancer (CLB) - v1 - Introduced in 2009 - Can load balance HTTP and HTTPS, as well as other lower level protocols - Not really Layer 7, lacking features, only supports 1 SSL certificate per CLB
-Application Load Balancer (ALB) - v2 - HTTP/S/WebSocket
-Network Load Balancer (NLB) - v2 - TCP/TLS/UDP
-v2 = faster, cheaper, support target groups and rules
Elastic Load Balancer Architecture
The job of a LB is to accept connections from customers and then to distribute those connections, across any registered backend compute
When you provision a LB you have to decide on a few important configuration items
-IPv4 only or dual stack (means using IPv4 and the newer IPv6)
-Need to pick the AZs which the LB will use - 1+ nodes are placed into a subnet in each AZ and scale with load.
-When the LB is created, it’s created with a single (A) record DNS name - this resolves to the ELB nodes - so any connections that are made using the DNS name, are actually made to the nodes of that LB
Any incoming requests are distributed equally across all of the nodes of the LB. These nodes are located in multiple AZs and they scale within that AZ - Highly Available - if one node fails, it’s replaced; if the incoming load to the LB increases, additional nodes are provisioned inside each of the subnets
-Decide whether that LB should be Internet-Facing or Internal - this choice controls the IP addressing for the LB nodes.
–If you pick Internet-Facing > Nodes have public IPs and private IPs
–If you pick Internal > Nodes only have private IPs
-LB (Nodes) are configured with Listeners which accept traffic on a port & protocol, and communicate with targets on a port and protocol
-In order to function, an LB needs 8+ free IP addresses per subnet and a /27 or larger subnet to allow for scale (AWS reserves 5 addresses in every subnet)
-Internal is generally used to separate different tiers of applications - allow independent scaling between applications tiers
Cross-Zone LB
-Each node gets 100% / Number of Nodes
-CZ LB fixes the uneven distribution of incoming load between instances in each AZ (AZA = 4 instances (12.5% each) - AZB = 1 instance (50%))
-CZ LB allows every LB node to distribute any connections that it receives equally across ALL registered instances in ALL AZs
This means that the node in AZA could distribute connections to the instance in AZB, and the node in AZB could distribute connections to instances in AZA
-Enabled as default
ELB - KEY POINTS
-ELB is a DNS A Record pointing at 1+ nodes per AZ ***
-Nodes (in one subnet per AZ) can scale
-Cross-Zone LB means that nodes can distribute requests across to other AZs
LB come in two types:
-Internet-Facing means nodes have public IPv4 IPs ***
-Internal means nodes only have private IPv4 IPs
-EC2 doesn’t need to be public to work with a LB - an Internet-Facing LB can communicate with public or private instances
-Listeners Configuration controls WHAT the LB does
-They require 8+ Free IPs per subnet, and /27 subnet to allow scaling (AWS recommends /28)
Load Balancer Consolidation
-CLBs don’t scale… every unique HTTPS name requires an individual CLB because SNI isn’t supported
-LB v2 uses listener-based rules; each of these rules can have an SSL certificate handling HTTPS for both domains. Then we can have host-based rules, which direct incoming connections at multiple target groups, which forward these on to multiple ASGs. (Host-based rules using SNI and an ALB allow consolidation)
Application Load Balancer (ALB)
-Layer 7 LB - listens on HTTP and/or HTTPS
-No other L7 protocols (SMTP, SSH, Gaming…)
-Can’t be configured with TCP/UDP/TLS listeners
-It can understand L7 content type, cookies, custom headers, user location and app behaviour
-HTTP/S (SSL/TLS) always terminated on the ALB - no unbroken SSL (security teams) - a new connection is made to the application
-ALBs MUST have SSL certs if HTTPS is used
-ALBs are slower than NLB - more levels of the network stack to process
-Health checks evaluate application health - L7
ALB - Rules
-Rules direct connections which arrive at a listener
-Processed in priority order
-Default rule = catchall
-Rule Conditions = Checking for host-header, http-header, http-request-method, path-pattern, query-string & source-ip
-Actions = forward, redirect, fixed-response, authenticate-oidc & authenticate-cognito
-If you need to forward encrypted connections through to the instances, without terminating them on the LB, then you need to use a NLB ***
Network Load Balancer (NLB)
-Layer 4 LB - TCP, TLS, UDP, TCP_UDP
-No visibility or understanding of HTTP or HTTPS - No headers, no cookies, no session stickiness
-REALLY FAST (millions of RPS, 25% of ALB latency)
-Ideal to deal with any non-HTTP/S protocols - SMTP, SSH, Game Servers, financial apps (not http/s)
-Health checks JUST check ICMP / TCP Handshake - Not app aware (No detail checking)
-NLBs can have static IPs - useful for whitelisting
-Forward TCP to instances - unbroken end-to-end encryption
-Used with private link to provide services to other VPCs
ALB VS NLB
-Unbroken encryption > NLB ***
-Static IP for whitelisting > NLB ***
-The fastest performance > NLB ***
-Protocols not HTTP or HTTPS > NLB ***
-PrivateLink > NLB ***
-Otherwise > ALB ***
Launch Configuration and Templates
-Allow you to define the configuration of an EC2 instance IN ADVANCE
-Lets you configure AMI, Instance Type, Storage & Key pair
-Define Networking and Security Groups
-Lets you configure Userdata & IAM Role
-Both are NOT editable - defined ONCE - LT has versions
-LT provide newer features - including T2/T3 Unlimited CPU, Placement Groups, Capacity Reservations, Elastic Graphics
Architecture:
-LC have one use, they’re used as part of ASGs - to launch EC2 instances (Not editable and No Versioning)
-LT can be used for the same thing but in addition, it can also be used to launch EC2 instances directly from the console or the CLI