Hybrid Envir. and Migration Flashcards
Border Gateway Protocol
BGP is a path-vector protocol: it exchanges the best path to a destination between peers. That path is called the AS path.
ASN
The way BGP identifies different entities within the network
Autonomous System Numbers (ASNs) are the way BGP identifies different entities within the network
Allocated by IANA
ASNs are unique and allocated by IANA (16-bit range 0-65535); 64512-65534 are private
Autonomous systems(AS)
Multiple routers controlled by one entity; a network in BGP
Routers controlled by one entity are considered one network (an AS) in BGP
Are connections between two different Autonomous Systems in the BGP network automatic?
Not automatic - peering is manually configured
How does BGP operate? Over what protocol?
It operates over TCP port 179 - reliable transport
How can you manipulate the AS path? And why would you want to?
BGP prefers the shortest AS path even if a longer path would offer better performance, e.g. a long fiber path vs a short satellite path
AS path prepending can be used to artificially make the satellite path look longer, making the fiber path preferred
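The selection rule on the two cards above (shortest AS path wins, prepending pads the path) and the private ASN range on the ASN card, as an added Python model. This is example code written for these flashcards, not router or AWS code; it implements only the AS_PATH-length step of BGP best-path selection and ignores MED, local preference and the later tie-breakers. The prefix, ASNs and link names are assumptions made up for the illustration.

```python
"""BGP AS-path length selection and AS path prepending, as a model.

Added example for these cards, not router or AWS code. It implements only
the AS_PATH-length step of BGP best-path selection (the step the cards
describe; MED, local preference and the other tie-breakers are ignored) and
the 16-bit private ASN range the ASN card quotes. The ASNs, prefix and link
names below are made up for the illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, replace

# 16-bit private ASNs are 64512-65534 inclusive (range() excludes its stop value).
PRIVATE_ASN_16 = range(64512, 65535)


def is_private_asn(asn: int) -> bool:
    """True if `asn` is in the 16-bit private range 64512-65534."""
    return asn in PRIVATE_ASN_16


@dataclass(frozen=True)
class Route:
    """One path to `prefix`, as received from a peer over link `via`."""
    prefix: str
    via: str                   # local link the advertisement arrived on
    as_path: tuple[int, ...]   # leftmost = the AS that sent it to us


def prepend(route: Route, asn: int, times: int = 1) -> Route:
    """Return `route` with `asn` added `times` times at the front of the path.

    Every AS prepends itself once when it forwards an advertisement (times=1);
    'AS path prepending' as a traffic-engineering tool is the same operation
    with times>1, padding the path so it looks longer.
    """
    return replace(route, as_path=(asn,) * times + route.as_path)


def best_path(candidates: list[Route]) -> Route:
    """Shortest AS path wins. On a tie the first candidate is kept, which stands
    in for the later BGP tie-breakers this model does not implement."""
    return min(candidates, key=lambda r: len(r.as_path))


def preferred_link(extra_prepends: int) -> str:
    """Which link our router prefers for the prefix, given how many extra
    copies of its own ASN the origin AS adds on the satellite advertisement.

    Hypothetical topology: origin AS 65010 reaches us by fiber through two
    transit ASes (65030 then 65020) and by satellite through one (65040).
    """
    origin = Route("203.0.113.0/24", via="", as_path=(65010,))

    fiber = prepend(prepend(replace(origin, via="fiber"), 65030), 65020)
    # Origin pads its own ASN on the satellite copy before 65040 forwards it.
    sat = replace(origin, via="satellite")
    sat = prepend(prepend(sat, 65010, extra_prepends), 65040)

    return best_path([fiber, sat]).via


if __name__ == "__main__":
    print("default:", preferred_link(0))      # satellite: path length 2 vs 3
    print("prepend x2:", preferred_link(2))   # fiber: satellite path is now 4 vs 3
```

With no prepending the satellite path is two ASes long against three for fiber, so satellite wins regardless of its latency; two extra copies of 65010 make it four and the fiber path is chosen. One extra copy produces a tie, which in real BGP falls through to the later tie-breakers this model leaves out.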
Why is BGP important in AWS?
Used by some AWS services such as:
- Direct Connect
- Dynamic Site to Site VPNs
AWS Site-to-Site VPN
VPN connection between a VGW and a CGW
A logical connection which creates a highly available IPsec VPN between a VPC (via its VGW) and an external network such as an on-premises traditional network
Virtual Private Gateway(VGW)
Logical gateway object which can be the target of route tables
Something you create and associate with one VPC; it can be the target of one or more route tables
Customer Gateway(CGW)
Logical piece of configuration within AWS and also the physical device it represents
Used to refer to both the logical piece of configuration within AWS
and the physical on-premises router that configuration represents
How would you design a highly available Site-to-Site VPN connection?
By default, when a VPN connection is created the VGW creates two tunnel endpoints (ENIs) in the AWS public zone in two different AZs, but there is only one Customer Gateway. To make the connection HA you add a second CGW, preferably in another building, and a second VPN connection to it, which adds two more endpoints in two different AZs. The result is two VPN connections: four AWS-side endpoints on the one VGW, and two CGWs.
Drawbacks of Site-to-Site VPN?
Speed limitation: 1.25 Gbps per tunnel
Latency: inconsistent, runs over the public internet
Cost: AWS hourly cost, per-GB data-out cost, and the on-premises data cap/ISP cost
Benefits of using Site-to-Site VPNs ?
Speed of setup: hours, all software configuration
Can be used as a backup for Direct Connect (DX), and also alongside DX for quick provisioning at the beginning of a DX rollout to establish connectivity while the physical link is being installed
AWS Direct Connect
Physical private link connecting your business premises to AWS public and private services
VIFS
A DX connection can have multiple virtual interfaces (VIFs)
There are both private VIFs (VPC) and public VIFs (public zone services)
Drawbacks of Direct Connect
Takes much longer to provision vs. VPN
DX port provisioning is quick; the cross connect takes longer
Extension to your premises can take weeks/months
No encryption natively
Benefits of using DX
Faster: up to 40 Gbps with aggregation (LAG)
Low, consistent latency; doesn't use business internet bandwidth (no public internet)
How can you enable encryption on DX?
The public VIF allows connections to AWS public services.
Inside the VPC we already have a virtual private gateway, because that is what private VIFs running on DX terminate on (and private VIFs don't have encryption).
The VGW's VPN endpoints sit in the AWS public zone, so you can create a Site-to-Site VPN to them and, instead of using the public internet as the transit network, carry it over the public VIF running on Direct Connect.
Result: an IPsec VPN over the public VIF. You get the consistent performance of DX plus the encryption of IPsec.
How can you design resilience when using Direct Connect?
The AWS region (assumed to already be resilient) is connected to a Direct Connect location; the location has an AWS DX router and a customer or provider DX router joined by a single cross connect.
The DX location is then connected to the customer on-premises router, again with one connection.
To design resiliency you need two cross connects and another customer-premises connection, ideally from a separate DX location to another customer location (geographically separate).
Transit Gateway(TGW)
Network transit hub to connect VPCs to each other and to on-premises networks
Benefits of using TGW
Supports transitive routing
Can be shared between accounts using AWS RAM (Resource Access Manager)
Peering attachments to TGWs in other regions, same or cross account
What other network resources can TGW be used with ?
VPCs, Site-to-Site VPNs, and Direct Connect Gateway
Storage Gateway
Hybrid storage virtual appliance (on-premises)
Extension of file & volume storage into AWS
Storage Gateway Use cases
Store volumes locally and back up into AWS
Tape backups into AWS using AWS storage instead of physical tapes
Provides an emulation layer using AWS storage but presenting it to backup software as a physical tape architecture
Migration of existing infrastructure to AWS
Can be used for a trickle migration
Storage Gateway modes
You pick the mode when creating the SGW
Tape Gateway (VTL) mode:
Virtual tapes => S3 and Glacier
File mode - SMB and NFS:
File storage backed by S3 objects
Volume mode (gateway cached / stored) - iSCSI:
Block storage backed by S3 and EBS snapshots
Explain the two options in volume gateway mode
Cached: the primary data is stored in AWS and frequently accessed data is cached locally; ideal for extending storage into AWS
Stored: the primary data is stored on-premises and asynchronously replicated into AWS, where EBS snapshots are created from the backup data; ideal for migrations into AWS
Snowball
Ordered from AWS: log a job, device is delivered (not instant)
Data encryption using KMS
50TB or 80TB capacity
Storage only
Snowball Edge
Both storage and compute
Storage optimized (with EC2): 80 TB, 24 vCPU, 32 GiB RAM, 1 TB SSD
Compute optimized / compute with GPU: 100 TB + 7.68 TB NVMe, 52 vCPU and 208 GiB RAM
Snowmobile
Portable DC: a shipping container on a truck
Special order
Ideal for a single location when 10 PB+ is required
Up to 100 PB per Snowmobile
When should you use Snowball?
Multiple devices to multiple premises
When would you use Snowball Edge?
Ideal for remote sites or where data processing on ingestion is needed
When would you use Snowmobile?
Not economical for multi-site (unless huge) or sub-10 PB
What is a directory?
Stores objects (e.g. users, groups, computers, servers, file shares) with a structure (domain/tree)
Multiple trees can be grouped into a forest
Commonly used in Windows environments
Sign in to multiple devices with the same username/password; provides centralized management of assets
AWS Directory Service
AWS managed implementation
Runs within a VPC
Can be isolated, integrated with existing on-premises systems, or act as a 'proxy' back to on-premises
How would you implement HA with AWS Directory Service?
Deploy into multiple AZs
AWS Directory Service Modes: Simple AD Mode
Standalone directory which uses Samba 4
Integrated with AWS services: EC2 instances can join Simple AD, and WorkSpaces can use it for logins and management
AWS Directory Service Modes:
AWS Managed Microsoft AD
Supports applications which require an MS AD-specific schema or schema updates
Primary running location is in AWS; trust relationships can be created between AWS and on-premises directory systems
AWS Directory Service Modes:
AD connector
Allows AWS services which need a directory to use an existing on-premises directory
Primary directory is located on-premises; requests from AWS are proxied back to the existing directory
Drawback of AD connector
Only a proxy, no local functionality
If private connectivity fails the AD Connector won't function, interrupting services on the AWS side
Drawbacks of Simple AD mode?
Up to 500 users (small)
or 5,000 users (large)
Not designed to integrate with any existing on-premises directory system
Benefit of using AWS Managed Microsoft AD?
Resilient if the VPN fails:
services in AWS will still be able to access the local directory running in Directory Service
When would you use Simple AD?
The default: simple requirements, a directory in AWS
When would you use Microsoft AD?
Applications in AWS which need MS AD DS, or you need to trust an existing AD DS
When would you use AD connector ?
Use AWS services which need a directory without storing any directory info in the cloud; proxy to your on-premises directory
AWS DataSync
Data transfer service to and from AWS
Migration, data processing transfers, archival/cost-effective storage, or DR/BC
Designed to work at huge scale
Keeps metadata (e.g. permissions/timestamps)
Built-in data validation
Key features of DataSync?
Scalable: 10 Gbps per agent
Bandwidth limiters (avoid link saturation)
Incremental and scheduled transfer options
Compression and encryption
Automatic recovery from transit errors
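What "incremental transfer", "keeps metadata" and "built-in data validation" mean in practice, as an added Python model written for these cards. It is not DataSync's own code: it syncs between two local directories, preserving mode bits and timestamps and hash-checking every copy. The sample files are constructed inline, and the size-plus-mtime change rule is an assumption for the illustration, not a description of how DataSync decides what changed.

```python
"""Incremental file sync with metadata preservation and validation, as a model.

Added example for these cards, not DataSync's own code. It shows what three
of the listed features mean in practice (incremental transfer, keeping
permissions/timestamps, post-copy data validation) by syncing between two
local directories. The sample files are constructed inline; the
size-and-mtime change rule is an assumption for the illustration, not a
description of how DataSync itself decides what changed.
"""
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def needs_transfer(src: Path, dst: Path) -> bool:
    """Incremental rule (assumed): copy if the destination is missing or its
    size or whole-second mtime differs from the source."""
    if not dst.exists():
        return True
    s, d = src.stat(), dst.stat()
    return s.st_size != d.st_size or int(s.st_mtime) != int(d.st_mtime)


def sync(src_root: Path, dst_root: Path) -> list[str]:
    """Copy changed files under src_root to dst_root; return relative paths copied.

    shutil.copy2 carries over mode bits and timestamps (the metadata the card
    mentions). Each copy is validated by comparing hashes; on a mismatch the
    bad copy is removed and the run fails rather than leaving silent corruption.
    """
    copied: list[str] = []
    for src in sorted(p for p in src_root.rglob("*") if p.is_file()):
        rel = src.relative_to(src_root)
        dst = dst_root / rel
        if not needs_transfer(src, dst):
            continue
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        if sha256_of(src) != sha256_of(dst):
            dst.unlink()
            raise OSError(f"validation failed for {rel}")
        copied.append(rel.as_posix())
    return copied


def demo() -> tuple[int, int, int, int]:
    """Constructed run: full sync, then a no-op re-sync, then one changed file.

    Returns (files copied on run 1, run 2, run 3, mode bits of a.txt at the
    destination) so the metadata preservation can be checked as well.
    """
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "src"), Path(tmp, "dst")
        (src / "logs").mkdir(parents=True)
        (src / "a.txt").write_bytes(b"alpha\n")
        (src / "logs" / "b.log").write_bytes(b"beta\n" * 1000)
        os.chmod(src / "a.txt", 0o600)

        first = len(sync(src, dst))    # 2: everything is new
        second = len(sync(src, dst))   # 0: nothing changed
        (src / "a.txt").write_bytes(b"alpha changed\n")
        third = len(sync(src, dst))    # 1: only a.txt
        mode = (dst / "a.txt").stat().st_mode & 0o777
        return first, second, third, mode


if __name__ == "__main__":
    print(demo())
```

The second run copies nothing because copy2 preserved the source mtime, which is exactly why metadata preservation and incremental transfer belong together: a sync that reset timestamps would re-copy everything every time. The hash check after each copy is the validation step; a real tool would also validate a full run after the fact, which this model does not.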
How is DataSync billed ?
Pay as you use: per-GB cost for data moved
What AWS service can be integrated with DataSync?
S3, EFS, and FSx
DataSync : Task
A 'job' within DataSync; defines what is being synced, how quickly, from where and to where
DataSync: Agent
Software used to read from or write to on-premises data stores using NFS or SMB
DataSync : Location
Every task has two locations, from and to, e.g. Network File System (NFS), Server Message Block (SMB), Amazon EFS, Amazon FSx and Amazon S3
FSx for Windows File Server
Fully managed native Windows file server/shares (low admin overhead)
Designed for integration with Windows environments
Integrates with Directory Service or self-managed AD
What is the resiliency of FSx for Windows File Server?
FSx for Windows File Server can be deployed in a single AZ or Multi-AZ within a VPC
FSx for Windows File Server key features
VSS - user-driven restores
Native file system accessible over SMB
Windows permission model
Supports Distributed File System (DFS) scale-out file share structure
Integrates with DS or your own directory
FSx for Lustre
Managed Lustre, designed for HPC Linux clients (POSIX)
Machine learning, big data, financial modeling
100s of GB/s throughput & sub-millisecond latency
FSx for Lustre Deployment types
Scratch: highly optimized for short-term use, no replication, fast
Persistent: long term, HA (within one AZ), self-healing
Key features of FSx for Lustre
Metadata stored on metadata targets (MDTs); just 1 target
Data stored on object storage targets (OSTs), 1.17 TiB each
Baseline performance based on size
Size: min 1.2 TiB, then increments of 2.4 TiB
Burst up to 1,300 MB/s per TiB (credit system)
FSx for Lustre: Scratch Storage
Base 200 MB/s per TiB of storage
FSx for Lustre: Persistent storage
Persistent offers 50 MB/s,
100 MB/s and 200 MB/s per TiB of storage
Drawbacks of FSx for Lustre: Persistent
Larger file system means more servers, more disks, and more chance of failure
Persistent has replication within one AZ only
Auto-heals when hardware failure occurs
Drawbacks of FSx for Lustre: Scratch
Scratch is designed for pure performance
Short-term or temporary workloads
No HA, no replication
FSx for Lustre backups
Both scratch and persistent can be backed up to S3, manually or automatically, with 0-35 day retention
How big is the Direct Connect port?
A 1 Gbps or 10 Gbps network port into AWS
At a DX location: 1000BASE-LX if your capacity is 1 Gbps
or
10GBASE-LR if using 10 Gbps
What is required of your customer router to be able to use AWS Direct Connect?
Requires VLANs (802.1Q) and BGP
What can be subscribers to an SNS topic?
Subscribers e.g. HTTP(S), email (JSON), SQS, mobile push, SMS messages & Lambda