Merge 1 Flashcards
AWS Global Infrastructure consists of…
- Regions
- Availability Zones
- Edge Locations
What is a Region?
A Region is a geographical area.
What is an Availability Zone?
An Availability Zone (AZ) is simply a data center.
What is an Edge Location?
Edge locations are CDN endpoints for CloudFront.
Why are AZs isolated/independent from one another?
E.g. in case there is a flood in one, the other won’t be affected. Low latency between each AZ.
VPC
Virtual data center
Route53
DNS service
CloudFront
CDN - edge locations to cache files
Direct Connect
connect physical datacenter to AWS directly using a dedicated phone line
Use Direct Connect when…
…you need a very reliable internet connection for pushing lots of data to AWS or down from AWS
EC2
virtual machines in cloud
Elastic Beanstalk
deploy code to AWS, AWS provisions infrastructure
Lambda
upload code, code will respond to events
S3
Virtual disk in the cloud where you can store objects (files). Don’t use to store DBs or OSs or apps
Glacier
Archive files from S3
EFS (Elastic File Service)
Block-based storage that you can share (can install DBs, apps, etc)
Storage Gateway
Virtual machine that connects S3 to your on-premises datacenter
RDS
relational database service
DynamoDB
nonrelational database
RedShift
data warehousing
Elasticache
cache data in cloud (takes load off of database)
Snowball
move terabytes of data into cloud
DMS
migrate an on-premises database to the cloud, or migrate databases inside AWS to other regions or services; no downtime, and can convert databases
EMR
big data processing. know what it is and how to access it
Kinesis
streaming and analyzing real-time data at massive scale
Cloud Search/Elastic Search
if you need to create search capabilities for website
Data Pipeline
move data from one place to another
IAM
sign in, authenticate, manage users and permissions
Inspector
agent installed on VMs, inspects and reports on security
Certificate Manager
free SSL certificate for domains
Directory Service
connects your Active Directory to AWS
WAF
give application-level protection to your website
Artifacts
compliance documentation in AWS console
CloudWatch
monitor performance
CloudFormation
document that turns infrastructure into code
CloudTrail
audits AWS resources
Opsworks
automates deployments using Chef
Config
monitors/audits environment, can set alerts based on compliance
Trusted Advisor
automated way of scanning environment, giving security tips
SWF
coordinating automated and human tasks
API Gateway
door for apps to access backend data
Elastic Transcoder
Changes video format to suitable devices
CodeCommit
GitHub
CodeBuild
compile code
CodeDeploy
deploys code to EC2 instances
CodePipeline
keep track of all versions of code
Mobile Hub
design mobile apps
Cognito
sign in w/ Identity Federation
Device Farm
mobile testing
Mobile Analytics
analyze mobile data
WorkSpaces
have desktop in cloud
SNS
task notification
SQS
queue system to decouple apps
SES
send/receive emails
AWS Global Infrastructure consists of…
Regions, Availability Zones, Edge Locations
What is a Region?
A Region is a geographical area. Each Region consists of 2 or more Availability Zones.
What are Availability Zones, physically?
They are facilities that are close to each other but not dependent on one another. For example, one AZ in Manhattan, another in New Jersey.
Why are AZs isolated/independent from one another?
E.g. in case there is a flood in one (e.g. Manhattan), the other (NJ) won’t be affected.
T/F: There is low latency between 2 AZs in the same region.
TRUE
What is an example of what CDN used for?
To cache large media files in the cloud. Example: if I am a user in NY and want to download a video hosted in Australia, the first time the video has to travel to the edge location in NY before I can download it. The next time, the video is already cached at the NY edge location.
Think of VPC as…
…a logical datacenter.
Where do you deploy a VPC?
Region
T/F: VPCs can span regions.
FALSE
T/F: VPCs can span Availability Zones.
TRUE
According to the AWS definition, what does Amazon VPC allow you to provision?
Amazon VPC lets you provision a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define.
According to the AWS definition, how much control do you have over your networking environment?
You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.
T/F: You can easily customize the network configuration for your Amazon VPC.
TRUE
What is an example of how you can customize the network configuration for VPC?
Create a public-facing subnet for your webservers that has access to the Internet, and place your backend systems (e.g. databases, application servers) in a private-facing subnet with no internet access
You can leverage multiple layers of security, including…
…security groups and Network ACLs to help control access to EC2 instances in each subnet.
T/F: You can create a Hardware VPN connection between your corporate datacenter and your VPC and leverage the AWS cloud as an extension of your corporate datacenter.
TRUE
Private IP address ranges
- 10.0.0.0-10.255.255.255 (10/8 prefix)
- 172.16.0.0-172.31.255.255 (172.16/12 prefix)
- 192.168.0.0-192.168.255.255 (192.168/16 prefix)
Largest CIDR block you can assign to a VPC
/16
What are the two routes of entry into VPC?
Internet Gateway, Virtual Private Gateway
What is the purpose of the Internet Gateway?
Allows you to connect to the Internet
What is the purpose of the Virtual Private Gateway?
Allows you to terminate VPN connections
What is the purpose of the Router?
It routes traffic based on what is defined in the route tables
What is a Public subnet?
Internet-accessible subnet
What is a Private subnet?
Not Internet-accessible subnet
What do you normally put in public subnets?
Webservers, bastion host
What do you normally put in private subnets?
Database servers, application servers
Can security groups span subnets or availability zones?
Yes
Can network ACLs span subnets or availability zones?
Yes
How many subnets per availability zone?
One
Can route tables span subnets or availability zones?
Yes
Can a subnet span multiple availability zones?
No
What can you do with a VPC?
- Launch instances into a subnet of your choosing
- Assign custom IP address ranges in each subnet
- Configure route tables between subnets
- Create internet gateway and attach it to our VPC
- Much better security control over your AWS resources
- Instance security groups
- Subnet network access control lists (ACLs)
What does a route table define?
Whether a subnet is public or private
How many internet gateways can you have per VPC?
One
Example question: if Internet connection is running slow, how can you boost Internet speed?
If one of the answers is “attach another IGW to the VPC,” DON’T PICK THAT ONE!
T/F: Security groups are stateful.
TRUE
What does “stateful” mean?
If you create a rule allowing traffic in, it automatically allows traffic out.
T/F: Network ACLs are stateless.
TRUE
What does “stateless” mean?
If you create a rule allowing traffic in, you need to create a rule allowing the traffic back out.
Default VPC properties:
- User friendly, allowing you to immediately deploy instances
- All subnets in default VPC have a route out to the internet
- Each EC2 instance has both a public and private IP address
- If you delete the default VPC the only way to get it back is to contact AWS.
What does VPC Peering allow you to do?
Allows you to connect one VPC with another via a direct network route using private IP addresses
Example: VPC Peering Use Case
Connect: VPC for monitoring services, VPC for Active Directory, Administration VPC, Production VPC, Dev VPC, Test VPC
T/F: When VPC Peering, instances behave as if they were on the same private network
TRUE
T/F: You can peer VPCs with other AWS accounts as well as with other VPCs in the same account.
TRUE
Example: peer VPCs with other accounts use case
Peer VPCs with Dev account, Test account, Production account
What is the configuration of VPC Peering?
Star configuration (1 central VPC peers with 4 other VPCs)
T/F: Transitive peering is allowed.
FALSE
What does a VPC consist of?
- IGWs (or Virtual Private Gateways)
- Route Tables
- Network Access Control Lists
- Subnets
- Security Groups
You have a business-to-business web application running in a VPC consisting of an Elastic Load Balancer (ELB), web servers, application servers and a database. Your web application should only accept traffic from predefined customer IP addresses. Which two options meet this security requirement? Choose 2 answers
A> Configure web server VPC security groups to allow traffic from your customers’ IPs
B> Configure your web servers to filter traffic based on the ELB’s “X-forwarded-for” header
C> Configure ELB security groups to allow traffic from your customers’ IPs and deny all outbound traffic
D> Configure a VPC NACL to allow web traffic from your customers’ IPs and deny all outbound traffic
A> Configure web server VPC security groups to allow traffic from your customers’ IPs
B> Configure your web servers to filter traffic based on the ELB’s “X-forwarded-for” header
A is obviously correct, as a security group can be configured to accept traffic from predefined customer IPs.
You can leverage AWS WAF to configure your webserver and filter the traffic based on the HTTP header passed by the load balancer. Hence #B is correct.
The security group can be configured to only allow the inbound or outbound traffic. When you allow certain inbound traffic in a security group, the outbound traffic is automatically allowed because of the stateful nature. Hence #C is wrong.
If you deny all outbound traffic in the NACL, it will accept the inbound traffic but not the outbound; hence #D is wrong.
In the VPC Lab it states that AWS won’t allow you to use more than /16 on a VPC. But then later on when you go to the ‘Create Subnet’ wizard, in the demo you entered 10.0.1.0/24. So why can you now exceed the /16?
This can be summed up quite simply. The /16 or /24 is the number of mask bits in the CIDR address. The 16 signifies that it should mask the first two octets, leaving two additional octets for addressing needs. Each octet contains 255 addresses. Therefore a mask of /16 is 255 X 255 addresses or 65535. A /24 address is only masking 8 bits or 255 addresses. So in essence a mask of /16 is a lot more than a mask of /24.
Can a VPC of any size be created?
a) Amazon VPC supports VPCs from /16 to /28 (in CIDR)
b) There is no size limit
c) Amazon VPC supports VPCs with any subnet smaller than /16
d) Amazon VPC supports VPCs with any subnet greater than /28
a) Amazon VPC supports VPCs from /16 to /28 (in CIDR)
Which of the following is true about route tables in a VPC? (multiple)
a) The main route table is created along with the VPC
b) The main route table can be replaced with a custom route table
c) Route tables are automatically created and cannot be edited
d) A subnet can exist without association with a route table
a) The main route table is created along with the VPC
b) The main route table can be replaced with a custom route table
Explanations:
A is correct, as per AWS doc: “When you create a VPC, it automatically has a main route table.”
B is correct, as per AWS doc: “You cannot delete the main route table, but you can replace the main route table with a custom table that you’ve created”
C is totally wrong
D is wrong, as per AWS doc: “Each subnet must be associated with a route table, which controls the routing for the subnet. If you don’t explicitly associate a subnet with a particular route table, the subnet is implicitly associated with the main route table.”
Through the training I was continuously told that Security Groups are stateful, and any rule created inbound is automatically created outbound. However, upon going through the Wordpress portion of the training, you create a Security Group and I see a Outbound Rules tab. So now I’m confused, did Security Groups change since they released the training or am I confusing it with something else?
The outbound tab is relevant where traffic originates from within the security group, whereas inbound rules are relevant for traffic originating from clients outside the security group. Taking your WordPress site example, assuming it is deployed on an instance secured by a security group for inbound traffic, say from a web browser, you would want HTTP 80 and HTTPS 443 open on the inbound part of the security group, whereas for WordPress to pull updates to plugins you would want HTTP 80 open on the outbound portion of the security group so it can poll remote plugin sites (either directly or via a NAT). By default, there are no restrictions on outbound traffic, but if you wanted to limit the way in which your instance could reach out to the internet, then this is one area in which you could do it.
I’m in the middle of preparing for my Architect Associate exam and I have a question on VPC. I’ve created an exercise for myself where the following infrastructure should be created:
2 Frontend servers with an Apache HTTP server
2 Backend servers with Tomcat (and a simple web application that allows you to upload files to S3).
I’m a bit “stuck” on the VPC configuration, where I had the following in mind:
- Create 4 subnets, 1 for each server. Not per se to assign 1 subnet per server, but more to spread them throughout the availability zones.
- Add a Load Balancer between Frontend and Backend servers to divide the load between the 2.
I know you can go a lot further than that, but the main idea is to tinker a bit with VPC stuff, not to provide a small enterprise with a full blown infrastructure. The reason why I would create 4 different subnets is to provide high availability, since you can put your EC2 instances in different availability zones. But is that reasoning correct? Or are there better ways of handling that problem?
Your approach to achieve HA for the use case you have described is ideal. If you wanted to take it a step further I’d also add an auto-scaling group so that if an instance dies in an AZ the auto-scaling group will recover it, but you’ll discover that anyway as you go through the course. Given you want to load-balance the backend instances, you have to think about which subnet(s) you’ll be launching them into, and here are 2 possible ways I have seen done:
1 - launch them into the frontend subnets; give the frontend instances access to hit the LBs via the LB security group, and give the LBs access to the backend instances via the backend’s SG.
2 - have another pair of subnets just for the LBs, and again do something similar with the SGs. You’ll need to adjust your route tables in order to put these new subnets in-between the other 2 sets. This of course presumes your VPC has enough spare IPs to allow for more subnets.
Similar to 1, it is possible to launch the LBs into the backend subnets. Usually it depends on which subnets you have room free for the LBs. Don’t forget to lock everything down security-wise with your SGs and network ACLs.
Amazon guarantees hardware isolation in VPC. Is this true?
a) Yes, but only with the dedicated placement option, which is separately billable
b) No guarantee that hardware will be shared by another account
c) Yes, it comes free with VPC
d) Yes, but only with the virtual private gateway feature
a) Yes, but only with the dedicated placement option, which is separately billable
What is VPC Peering?
VPC peering is simply a connection between two VPCs that enables you to route traffic between them using private IP addresses.
For VPC Peering, instances in either VPC can communicate with each other…
…as if they are within the same network.
How can you create a VPC peering connection?
between your own VPCs, or with a VPC in another AWS account within a single region
How does AWS create a VPC peering connection?
AWS uses the existing infrastructure of a VPC
T/F: VPC Peering connections are gateways.
FALSE
T/F: VPC Peering connections are VPN connections.
FALSE
Does VPC Peering rely on a single piece of hardware?
No
Is there a single point of failure for communication or a bandwidth bottleneck?
No
T/F: VPC peering can occur between VPCs in different regions.
False; VPC peering must occur between VPCs within a single region.
Example: If VPC A and VPC B were peered, and VPC A’s CIDR = 10.0.0.0/16 and VPC B’s CIDR = 10.0.0.0/24, what will happen to the connection?
It will not work since VPCs with matching or overlapping CIDRs cannot be peered.
Transitive Peering…
…is NOT supported!
How to create a VPC with public and private subnets:
- Create VPC, which creates a main route table, default security group, and default network ACL.
- Create 2 subnets.
- Create and attach an IGW to the VPC.
- Create another route table.
- Associate the IGW and one of the subnets to the custom route table.
- Launch instance in the public subnet with a security group allowing HTTP, HTTPS, SSH.
- Launch instance in the private subnet with a security group allowing SSH, ICMP, …
- Launch NAT instance or create NAT gateway or Bastion.
- Create Network ACL mirroring security groups
What is the purpose of the CIDR block?
Specifies IP address ranges
What size can the CIDR be for a VPC or subnet?
Between /16 and /28
What is meant by “Tenancy?”
Determines whether VPC and its assets are deployed onto shared hardware or dedicated hardware. Default is shared hardware.
When would you want the Tenancy to be Dedicated?
Security concerns, e.g. regulatory requirements
When you create a VPC, what else is created?
Main route table, default security group, default network ACL
When you create a VPC, what is NOT created?
Subnets, Internet Gateway
Can a subnet be the same size as your VPC?
Yes
1 subnet always equals
1 Availability Zone
To make a subnet public…
…create and attach an Internet Gateway, add a route to it in a route table, and associate the subnet with that route table. Additionally, enable auto-assign public IP on that subnet.
When you create a new subnet, is it associated with any route tables?
Yes, it will be associated with the main route table by default
Why is it considered a best practice to keep the main route table private?
If there is a route out to the Internet from the main route table, all subnets in that route table will automatically be public, which is a security risk.
If you forget to enable auto-assign public IP for a subnet…
…when you launch an EC2 instance you can enable auto-assign there.
If you forget to assign a public IP address to a public EC2 instance…
…you can allocate an Elastic IP address to it
When you launch an instance in the private subnet…
…traffic will be sourced from the public subnet.
To SSH into your private instance from your public instance…
…you need to copy/paste your keypair into the public instance and chmod 600
To be able to PING the private instance…
…allow ICMP on the private instance and ping the private IP from the public instance
To perform security patches, install software, etc on a private instance…
…you need a way for that instance to access the Internet (NAT instance or NAT gateway)
To allow private instances to access the internet…
…use a NAT instance or a NAT gateway and allow a route out from the private route table > NAT > Internet.
To launch a NAT instance…
…search “nat” in the Community AMIs
After NAT instance is launched…
…disable Source/Dest check
In which subnet should the NAT instance or NAT gateway be deployed?
Public subnet
Is a security group required for a NAT instance?
Yes
Is a security group required for a NAT gateway?
No
What happens when you create a NAT gateway?
You must allocate a new Elastic IP or use an existing one, since one is required. In addition, a message pops up explaining that you need to edit your main route table to include a route with target = NAT gateway.
What is meant by Source/Dest check?
By default, an EC2 instance must be the source or destination of any traffic it sends or receives; traffic does not pass through it. A NAT instance forwards traffic on behalf of others, so the check must be disabled on it.
What happens if the NAT instance goes down, or its availability zone goes down?
The NAT instance is a single point of failure, so you will lose any internet access to everything in the private subnet.
To prevent a NAT instance from going down…
…set it behind an Auto Scaling group, set min number = 1, or use multiple public subnets and deploy NAT instances in each
With NAT gateways, do you need Auto Scaling?
No
When a NAT instance’s bandwidth is used up (bottlenecked), what do you do?
Increase the instance size, change instance family so you can support more traffic
T/F: When you deploy a NAT instance, you must assign a public IP address.
TRUE
To create high availability with NAT instances…
…use Auto Scaling Groups, multiple subnets in different AZs, and a script to automate failover.
Can subnets/availability zones span multiple Network ACLs?
No, but the reverse is possible.
What traffic does the default Network ACL allow?
All traffic inbound and outbound.
What traffic does a new Network ACL allow?
No traffic inbound or outbound.
When you create a standard Network ACL for connecting to the Internet, why might it not connect right away?
You will need another rule that opens up ephemeral ports in order to cover the different types of clients that might initiate traffic to the public-facing instances in your VPC
T/F: Each subnet in your VPC must be associated with a network ACL.
TRUE
If you don’t explicitly associate a subnet with a network ACL…
…the subnet is automatically associated with the default network ACL
When you associate a network ACL with a subnet…
…the previous association is removed.
How are the rules in a Network ACL evaluated?
Numerical order starting with the lowest number
When blocking specific IPs…
…use network ACLs not security groups
If I have multiple VPCs created, may I use the same CIDR block, i.e. 10.0.0.0/16 for each VPC?
Yes, if no peering is needed between them
Several questions indicate that in order to make an EC2 instance in a non-default/private subnet, 2-way internet accessible you need to add an elastic IP. Is that because the instance is already running and that’s the only way to add a public IP to a running instance? Specifying “Auto-assign Public IP” at launch time has the same effect, correct?
You can assign and unassign IPv4 and IPv6 IP addresses on each network interface. Leave the IP address field blank and an available address will be assigned, or enter an IP address that you want to assign. To add or edit an IPv4 public IP, allocate an Elastic IP to this instance or network interface. Yes, I think so! Elastic IPs can be allocated to a private instance through the Manage IP section even after the instance is up and running.
In this lecture, to access the DB server from the jump host you are copying the private key onto the bastion host, which is not a safe practice as publicly accessible jump hosts are the first ones to be hacked. Is there a better way of doing this, like using a combination of IAM role and instance metadata, which gives temporary credentials to access other AWS services?
There is a better way indeed. If you connect to the first host with -A, it enables SSH key forwarding, and your local SSH key will be used to connect to the second host.
To use an ELB in a custom VPC…
…you need two public subnets to make it highly available
NAT vs Bastion
NAT: routes traffic from the Internet to EC2 instances in private subnets; a NAT instance is Linux, so you can SSH to it but cannot RDP
Bastion: used to securely administer EC2 instances using SSH/RDP in private subnets
Bastion use case
Administration only
Scenario: how to make a bastion instance highly available?
Need multiple public subnets; you can have a bastion in each public subnet. Implement Auto Scaling groups.
Bastion example
Think of the webserver created in the lab, where we ssh into public and then private instance
Can you delete a VPC while EC2 instances are active?
No
Can you delete a VPC while ELBs are active?
No
Why do you delete a NAT gateway before deleting a VPC?
NAT gateways take a while to delete and they are a dependency
Think of VPC as…
…a logical datacenter in AWS
1 Subnet =
1 AZ
Security Groups are…
…stateful
Network ACLs are…
…stateless
Can you peer VPCs in same account?
Yes
Can you peer VPCs in different accounts?
Yes
Transitive peering?
No
When creating a NAT instance…
…disable Source/Destination Check on the instance
NAT instances must be in which subnet?
Public
For NAT instance to work…
…must have elastic IP address, must be a route out of the private subnet to the NAT instance
How much traffic do NAT instances support?
Depends on the instance size. If bottlenecking, increase the instance size
You can create high availability using…
…AutoScaling Groups, multiple subnets in different AZs, a script to automate failover
T/F: NAT instances are behind a security group.
TRUE
NAT gateways…
…scale automatically up to 10 Gbps, no need to patch, not associated with security groups, automatically assigned a public IP, do not need to disable source/dest check
Default NACL…
…automatically created with a VPC and by default it allows all inbound and outbound traffic
Custom NACL…
…denies all inbound and outbound traffic until you add rules
Can you associate a network ACL with multiple subnets?
Yes, but a subnet can only be associated with one NACL at a time
NACL rules…
…evaluated in order, starting with the lowest numbered rule
NACL inbound and outbound rules are…
…separate. Each rule can either allow or deny traffic
NACLs are stateless, so…
…responses to allowed inbound traffic are subject to the rules of outbound traffic (and vice versa)
Block IP addresses using…
…NACLs not Security Groups
A NAT is used to…
…provide internet traffic to EC2 instances in private subnets
A Bastion is used to…
…securely administer EC2 instances using SSH or RDP in private subnets
If you want resiliency…
…always have 2 public subnets and 2 private subnets. Make sure each subnet is in different AZs
With ELBs, make sure…
…they are in 2 public subnets in 2 different AZs
With Bastion hosts…
…put them behind an autoscaling group w/ a minimum size of 2. Use Route53 (round robin or health check) to automatically fail over
To make NAT instances resilient…
…need one in each public subnet, each with their own public IP, and you need to write a script to fail between the two. Instead, where possible, use NAT gateways
If you’ve used the Internet…
…you’ve used DNS
DNS is used to convert…
…human friendly domain names into an IP address
IP addresses are used by…
…computers to identify each other on the network
IP address forms
IPv4, IPv6
IPv6 was created because…
…we were running out of IPv4 addresses
Top Level Domains - example
“.com” in google.com
Second word in a domain name
second level domain name
Top level domain names controlled by…
…Internet Assigned Numbers Authority (IANA) in a root zone database (DB of all available top level domains)
Domain Registrars
ensure that domain names aren’t duplicated. Each domain name becomes registered in a central database known as the WHOIS database
SOA Records
Start of Authority Records
SOA Record stores information about…
- the name of the server that supplied the data for the zone
- the administrator of the zone (contact details, owner name)
- current version of the data file
- number of seconds a secondary name server should wait before checking for updates
- the number of seconds a secondary name server should wait before retrying a failed zone transfer
- the maximum number of seconds that a secondary name server can use data before it must either be refreshed or expire
- the default number of seconds for the time-to-live (TTL) on resource records
NS records
stands for Name Server records, used by Top Level Domain servers to direct traffic to the Content DNS server which contains the authoritative DNS records
A records
Address Record. An A record is used by a computer to translate the domain name to an IP address
Do ELBs have an IPv4 or IPv6 address?
No, they have just a DNS name.
Can you use an A record to resolve to an ELB?
No, use an Alias Record
TTL record
The length that a DNS record is cached on either the Resolving Server or the user’s own local PC is equal to the value of the Time To Live in seconds.
The lower the TTL…
…the faster changes to DNS records take to propagate throughout the internet
If adding additional A records, servers to production website or migrate production website to AWS…
…a DNS change is required, which will take time to propagate to all end users. Decrease the TTL to 300 seconds beforehand
CNAMES (Canonical Name)
resolve one domain name to another
Alias Records
map record resource sets in your hosted zone to ELBs, CloudFront distributions, or S3 buckets that are configured as websites
Key difference between CNAMEs and Alias Records
CNAME can’t be used for naked domain names (zone apex). A records or Alias Records can
Alias resource record sets can save you time because…
…Route53 automatically recognizes changes in the record sets that the alias resource record set refers to
Example of how Alias resource record sets can save you time
Alias resource record set for example.com points to an ELB at lb1-1234.us-east-1.elb.amazonaws.com. If IP of ELB changes, Route53 will reflect those changes in the DNS answers for example.com w/o any changes to the hosted zone that contains resource record sets for example.com
Do ELBs have a pre-defined IPv4 address?
No, you resolve to them using a DNS name
If you make a request to Route53, CNAMEs…
…will be associated w/ a charge. On the other hand, Alias Records won’t
Register a Domain Name Steps
- Domains > Registered Domains > Register Domain
- Enter a domain name and click “Check” Note: Prices!
- Click “Add to Cart”
- Fill out contact details
- Review and Purchase
After you register a domain name, what else is created?
A hosted zone, NS records, SOA records
Route53 Routing Policies
Simple, Weighted, Latency, Failover, Geolocation
Simple Routing Policy
This is the default routing policy when you create a new record set.
When is a simple routing policy most commonly used?
When you have a single resource that performs a given function for your domain. For example, one web server serves content for the http://acloud.guru website
Pictorial example of Simple Routing Policy
User makes DNS request > Request hits Route53 > Route53 forwards request to EC2 instances in your region
When you register a domain name, why are there multiple NS records?
For redundancy
To link a domain name with an EC2 instance…
…create a record set in Route53, specify whether you want an alias record. If you specify an alias record, select an endpoint (either ELB, S3 bucket, or CloudFront distribution). Select routing policy
Alias records are supported for…
A (IPv4), AAAA (IPv6)
Weighted routing pictorial
User makes DNS request > request hits Route53 > send a percentage of traffic to one region, send another percentage of traffic to another
Weighted routing use case
Business in California. 80% of orders come from California, so route 80% of traffic to US-WEST-1. However, some orders are mail order throughout the US, so maybe send 20% of traffic to US-EAST-1. Performing A/B testing for a website, i.e. flipping the production website to a new site: continue to send most users to the current site, while sending some to the new site for testing
T/F: You can perform weighted routing in different regions or the same region.
TRUE
Is Route53 region-dependent?
No, it is Global
To create a weighted record set…
…you actually need to create 2 record sets, set separate endpoints, and assign weights to each.
Latency based routing allows you to route your traffic based on…
…the lowest network latency for your end user (ie which region will give them the fastest response time)
To use latency based routing…
…create a latency resource record set for the EC2 or ELB resource in each region that hosts your website
When Route53 receives a query for your site…
…it selects the latency resource record set for the region that gives the user the lowest latency. Route53 then responds with the value associated with that record set.
Latency based routing pictorial
User makes request to Route53 > Route53 determines that there is a latency of 50 ms to one region and 300 ms to another region. User then routed to region with lowest latency
Failover routing policies are used when…
…you want to create an active/passive set up. For example, you may want your primary site to be in EU-WEST-2 and your secondary DR site in AP-SOUTHEAST-2
What will Route53 do for your primary site?
Monitor the health using a health check, which monitors the health of your end points
Failover pictorial
User makes request > primary site health check passes, so request is routed to primary site > if the health check fails, Route53 switches to the secondary site
Failover policy creation steps
- configure health check for primary load balancer
- configure health check for entire website
- when you create a record set, specify failover
- primary or secondary
- evaluate target health = yes
- associate w/ existing health check = yes, select health check
- repeat for secondary but don’t associate it with health check
Geolocation routing…
…lets you choose where your traffic will be sent based on the geographic location of your users (ie the location from which the DNS queries originate)
Geolocation routing example
Route all queries from Europe to a fleet of EC2 instances that are specifically configured for your European customers. These servers may use the local language of your European customers and display all prices in Euros
Can you have an IP address for an ELB?
No, they do not have pre-defined IPv4 addresses, you resolve to them using a DNS name
Alias Record vs CNAME
Alias: can resolve to individual AWS Resources, accept naked domain names
Given choice, choose Alias Record over CNAME
What is Direct Connect?
Direct Connect makes it easy to establish a dedicated network connection from your premises to AWS
Using Direct Connect…
…you can establish private connectivity between AWS and your datacenter, office, or colocation environment, which can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based connections
Direct Connect benefits include:
reduced costs when using large volumes of traffic, increased reliability, increased bandwidth
How is Direct Connect different from a VPN?
VPN connections can be configured in minutes and are a good solution if you have an immediate need, have low to modest bandwidth requirements, and can tolerate the inherent variability in Internet-based connectivity.
Direct Connect does not involve the Internet; instead it uses dedicated, private network connections between your intranet and Amazon VPC. Direct Connect takes longer to set up.
A content delivery network (CDN) is…
…a system of distributed servers (network) that deliver web pages and other web content to a user based on the geographic locations of the user, the origin of the webpage and a content delivery server
Edge location
location where content will be cached. Separate from a region/AZ
Origin
origin of all the files that the CDN will distribute. can either be an S3 bucket, an EC2 instance, an ELB or Route53
Distribution
name given to the CDN which consists of a collection of edge locations
With edge locations, when users make a request…
…request goes to edge location first. if desired object is not cached, the request goes to the origin and then pulled down/cached at the edge location
CloudFront can be used to…
…deliver your entire website, including dynamic, static, streaming, and interactive content using a global network of edge locations.
Requests for your content are…
…automatically routed to the nearest edge location, so content is delivered with the best possible performance
T/F: CloudFront works with AWS as well as non-AWS servers
TRUE
Web Distribution
used for websites
RTMP
used for media streaming
T/F: Edge locations are read only.
False; they are not just read only, you can write to them too
How long are objects cached at the edge location?
life of the TTL
Will there be a charge if you clear cached objects?
Yes
Can you have multiple origins per distribution?
Yes
Create a web distribution if you want to:
- Speed up distribution of static and dynamic content, for example, .html, .css, .php, and graphics files.
- Distribute media files using HTTP or HTTPS.
- Add, update, or delete objects, and submit data from web forms.
- Use live streaming to stream an event in real time.
Create an RTMP distribution…
…to speed up distribution of your streaming media files using Adobe Flash Media Server’s RTMP protocol
For web distributions, what can be the origin of your files?
either an Amazon S3 bucket or a web server
After you create the web distribution, can you add more origins?
Yes
With an RTMP distribution, can you play a media file before the file has finished downloading from a CloudFront edge location?
Yes
For RTMP distributions, what can be the origin of your files?
an Amazon S3 bucket
To use CloudFront live streaming…
…create a web distribution
Origin Domain Name
name of the bucket or webserver
Can you have on-premise origins?
Yes
Origin Path
way of adding multiple subfolders in the origin (pictures, videos, etc)
Origin ID
name of the origin
Restrict Bucket Access
Yes or No. Example: stop people from using the S3 bucket URL so that they use CloudFront instead
If you decide to restrict bucket access…
…you need to create an Origin Access Identity (OAI)
What is an Origin Access Identity?
A user; you can add permissions to that user
If you do not update the bucket policy to Grant Read Permissions…
…you will have to manually update the permissions yourself
Path Pattern
allows us to set different origin servers
Which HTTP methods are cached by default?
GET, HEAD
If you have objects that constantly need to change (e.g. every 12 hours)…
…decrease the TTL
What is meant by Restrict Viewer Access?
Viewers have to use signed URLs or signed cookies
Restrict Viewer Access use case
If you have content you want to restrict to a certain audience, e.g. A Cloud Guru, it checks to make sure users have signed URLs or cookies (ie if users paid)
Signed URLs/cookies are…
…private
How are you going to secure CloudFront or secure objects in S3 to make sure only paying customers use it?
Always use signed URLs or signed cookies
AWS WAF Web ACL
Layer 7 protection, so WAF operates at the application layer. Protects against SQL injection and cross-site scripting
Default CloudFront Certificate (*.cloudfront.net)
Choose this option if you want your users to use HTTPS or HTTP to access your content with the CloudFront domain name (such as https://d111111abcdef8.cloudfront.net/logo.jpg).
Custom SSL Certificate (example.com)
Choose this option if you want your users to access your content by using an alternate domain name, such as https://www.example.com/logo.jpg.
If you need to prevent users in selected countries from accessing your content…
…you can specify either a whitelist (countries where they can access your content) or a blacklist (countries where they cannot)
Can you have both a whitelist and a blacklist simultaneously?
No
Invalidating objects…
… removes them from CloudFront edge caches. there is a charge
T/F: You can use CloudFront to download and upload files.
TRUE
Amazon EC2 is…
…a web service that provides resizable compute capacity in the cloud
EC2 reduces the time required to obtain and boot new server instances to…
…minutes, allowing you to quickly scale capacity, both up and down, as your computing requirements change
EC2 changes the economies of computing by…
…allowing you to pay only for the capacity that you actually use
EC2 provides developers the tools to…
…build failure resilient apps and isolate themselves from common failure scenarios
EC2 pricing options
On Demand, Reserved, Spot, Dedicated Hosts
On Demand
allow you to pay a fixed rate by the hour with no commitment.
On Demand use case example
If you’re a startup, you can pay for instances by the hour with no long term commitment for experimentation, terminate instances when you are complete.
Reserved
provide you with a capacity reservation, and offer a significant discount on the hourly charge for an instance. 1-year or 3-year terms
Reserved use case example
If you need a minimum of 2 webservers to serve your customers
Spot
enable you to bid whatever price you want for instance capacity, providing for even greater savings if your apps have flexible start and end times. engineering, pharma companies use these
If bid price > spot price…
…instances can be provisioned
If spot price > bid price…
…instances will be terminated
Dedicated Hosts
physical EC2 server dedicated for your use (hourly rate). Dedicated hosts can help you reduce costs by allowing you to use your existing server-bound software licenses
On Demand Use Cases
- Users that want the low cost and flexibility of EC2 without any up-front payment or long-term commitment
- Apps with short term, spiky, or unpredictable workloads that cannot be interrupted
- Apps being developed or tested on EC2 for the first time
Reserved Use Cases
- Apps with steady state or predictable usage
- Apps that require reserved capacity
- Users able to make upfront payments to reduce their total computing costs even further
Example of combining reserved + on demand instances
2 webservers = reserved. Need more for Black Friday = on demand
Spot Use Cases
- Apps that have flexible start and end times
- Apps that are only feasible at very low compute prices
- Users with urgent computing needs for large amounts of additional capacity
Spot Use Case Examples
- Large pharma company saves money by using compute capacity during very low demand times
- Large world events, e.g. Brexit, where analysts need to find solutions really quickly
Dedicated Hosts Use Cases
- Useful for regulatory requirements that may not support multi-tenant virtualization
- Great for licensing which does not support multi-tenancy or cloud deployments (e.g. Microsoft, SQL, Oracle)
- Can be purchased on demand (hourly)
- Can be purchased as a reservation for up to 70% off the on-demand price
Termination of Spot Instances - EXAM TIP
If the spot instance is terminated by Amazon EC2, you will not be charged for a partial hour of usage. However, if you terminate the instance yourself, you will be charged for any hour in which the instance ran
Instance Types
- D = Dense
- R = Memory-optimized (RAM)
- M = General Purpose (main choice)
- C = Compute-optimized
- G = Graphics-Intensive
- I = High Speed Storage (I/O)
- F = Field Programmable Gate Array
- T = Lowest Cost, General Purpose (t2 micro)
- P = Graphics/General Purpose GPU (pics)
- X = Memory-optimized (extreme RAM)
Dense Storage use case
Fileservers/Data Warehousing/Hadoop
Memory Optimized use case
Memory Intensive apps/DBs
General Purpose use case
Application Servers
Compute Optimized use case
CPU Intensive apps/DBs
Graphics Intensive use case
Video Encoding/3D application streaming
Field Programmable Gate Array use case
Hardware acceleration for your code
Lowest Cost, General Purpose use case
Web Servers/small DBs
Graphics/General Purpose GPU use case
Machine Learning, Bit Coin Mining, etc
Memory Optimized (extreme RAM) use case
SAP HANA, Apache Spark, etc
What is EBS?
EBS allows you to create storage volumes and attach them to EC2 instances.
Once a volume is attached…
…you can create a file system on top of these volumes, run a database, or use them in any other way you would use a block device
EBS volumes are placed…
…in a specific AZ, where they are automatically replicated to protect you from the failure of a single component
single component?
storage array
EBS volume types
- General Purpose SSD (GP2)
- Provisioned IOPS SSD (IO1)
- Throughput Optimized HDD (ST1)
- Cold HDD (SC1)
- Magnetic (Standard)
General Purpose SSD (GP2)
General purpose, balances both price and performance
Ratio of 3 IOPS per GB with up to 10K IOPS and the ability to burst up to 3000 IOPS for extended periods of time for volumes under 1 Gib
Provisioned IOPS SSD (IO1)
- Designed for I/O intensive apps such as large relational or NoSQL databases
- Use if you need more than 10K IOPS
- Can provision up to 20K IOPS per volume
- Highest-performance SSD volume designed for mission-critical applications
Throughput Optimized HDD (ST1)
- Big data
- Data warehousing
- Log processing
- Sequential data
- Cannot be a boot volume
Cold HDD (SC1)
- Lowest cost storage for infrequently accessed workloads
- File Server
- Cannot be boot volumes
Magnetic (Standard)
- Lowest cost per GB of all EBS volume types that is bootable
- Ideal for workloads where data is accessed infrequently, and apps where the lowest storage cost is important
Can you mount 1 EBS volume to multiple EC2 instances?
No, use EFS instead
General Purpose SSD (GP2) Use Cases
- Recommended for most workloads
- System boot volumes
- Virtual desktops
- Low-latency interactive apps
- Development and test environments
Provisioned IOPS SSD (IO1) Use Cases
- Critical business applications that require sustained IOPS performance, or more than 10,000 IOPS or 160 MiB/s of throughput per volume
- Large database workloads, such as:
  - MongoDB
  - Cassandra
  - Microsoft SQL Server
  - MySQL
  - PostgreSQL
  - Oracle
Throughput Optimized HDD (ST1) Use Cases
- Streaming workloads requiring consistent, fast throughput at a low price
- Big data
- Data warehouses
- Log processing
- Cannot be a boot volume
Cold HDD (SC1) Use Cases
- Throughput-oriented storage for large volumes of data that is infrequently accessed
- Scenarios where the lowest storage cost is important
- Cannot be a boot volume
By default, if an EC2 instance is terminated, what happens to the EBS root volume attached to it?
The volume will be deleted since “Delete on Termination” is checked by default
Bootstrap scripts are placed in…
…User Data under “Advanced Details”
AWS tagging best practices
Tag everything!
Where do you request spot instances?
Purchasing Option in Configure Instance Details
Where do you request a dedicated host?
Tenancy in Configure Instance Details
To launch reserved instances…
Reserved Instances > Purchase Reserved Instances, add instances to cart
Encrypted boot volumes (default)
Root volumes cannot be encrypted by default. Other EBS volumes can be encrypted if you check Encrypted
Termination protection…
…is turned off by default. You must turn it on yourself if you want it.
On an EBS-backed instance, what is the default action if the instance is terminated?
The root EBS volume is deleted.
EBS root volumes of your DEFAULT AMI’s
cannot be encrypted, but you can use a third party tool to encrypt the root volume, or this can be done when creating AMIs using the console or API
A security group is…
…a virtual firewall
1 instance can have how many security groups?
Multiple. Also, multiple instances can be in one security group
If you change security group rules…
…changes take effect immediately
Security Groups: If you allow inbound rules (e.g. HTTP, HTTPS, SSH) but don’t allow outbound rules, will those outbound rules affect the request?
No; since security groups are stateful, the inbound requests will be allowed back out automatically
Can you deny traffic with a security group?
No, only allow rules are allowed
The default security group…
…allows all inbound and outbound traffic by default
By default, all inbound traffic is…
…blocked
By default, all outbound traffic is…
…allowed
When creating a new volume…
…make sure it is in the same AZ as your instance, or you will not be able to attach it to your instance
After SSHing into the instance and elevating privileges, what do you type to list the volumes?
lsblk
To attach a volume…
…you need to format and mount it
To check if a volume has data…
file -s, e.g. file -s /dev/xvdf. If the output is “data”, the volume has no data
To format a volume…
mkfs -t ext4, e.g. mkfs -t ext4 /dev/xvdf. ext4 is a file system format for Linux
To mount a volume…
mount, e.g. mount /dev/xvdf /myfileserver
Which directory is created by default when you mount a volume?
lost+found
To unmount a volume…
umount
If you forget to unmount a volume when you try to detach it…
…use Force Detach
Where are snapshots stored?
S3
When another snapshot is taken…
…only changed data since your last snapshot is sent to S3, since snapshots are incremental
Can you make a volume from a snapshot?
Yes
Can you change the volume type, size when you make a volume from a snapshot?
Yes
What is stored on your root volume?
OS
Think of a snapshot as…
a photograph (point in time copies of volumes)
If you create a snapshot for the first time…
…it may take some time to create
What does RAID stand for?
Redundant Array of Independent Disks (putting together a bunch of disks as one disk)
RAID types
RAID 0, RAID 1, RAID 5, RAID 10
RAID 0
Striped, No Redundancy (if one disk fails, the entire volume fails), Good Performance (use: gaming)
RAID 1
Mirrored (take one disk, mirror a copy to another disk), Redundancy
RAID 5
at least 3 disks, good for reads, bad for writes, AWS does not recommend ever putting RAID 5’s on EBS
RAID 10
Striped & Mirrored, good redundancy, good performance
Where are RAID volumes used on AWS?
If you do not get disk I/O you require, add multiple volumes and create RAID array (usually RAID 0 or RAID 10 on AWS)
Best practice when launching Windows instances
Create a new keypair for Windows instances, separate from Linux instances
Username, password for Windows instances
- User = Administrator
- Password = upload the private key file into the "Retrieve Password" window to obtain the password
To add a RAID
Right-click, Disk Management. Right-click on an unallocated volume and choose volume type you want to create, select drive you want the RAID volume assigned to
How can I take a Snapshot of a RAID array - background?
Problem - Take a snapshot, the snapshot excludes data held in the cache by apps and the OS. This tends not to matter on a single volume; however, using multiple volumes in a RAID array, this can be a problem due to interdependencies of the array.
Solution - Take an application consistent snapshot
How can I take a Snapshot of a RAID array - continued
Stop the application from writing to disk. Flush all caches to the disk. How can we do this? Freeze the file system, unmount the RAID array, or shut down the associated EC2 instance (easiest)
What is an AMI?
AMI provides the info required to launch a virtual server in the cloud.
Specify an AMI when you launch an instance, and you can launch as many instances from the AMI you need.
You can also launch instances from as many different AMIs as you need
AMIs consist of…
- a template for the root volume for the instance
- launch permissions that control which AWS accounts can use the AMI to launch instances
- a block device mapping that specifies the volumes to attach to the instance when it’s launched
T/F: AMIs are regional.
TRUE; you can only launch an AMI from the region in which it is stored. However, you can copy AMIs to other regions using the console, command line, or EC2 API
select your AMI based on…
Region, OS, Architecture, Launch Permissions, Storage for the Root Device
Instance Store is also known as
Ephemeral Storage
EBS
Persistent Storage, fast provisioning times, more durability
Can you attach EBS volumes after launching an instance?
Yes
Can you attach instance store volumes after launching an instance?
No, but you can attach them before launching
Can instances with instance stores be stopped?
No, only reboot or terminate
Root device for EBS volume is created from
an EBS snapshot
Root device for instance store volume created from
a template stored in S3
Can you detach instance store volumes?
No
Which takes longer to provision, EBS or instance store?
Instance store
Can Instance store volumes be of any instance type?
No, there are limits on instance families
On an instance store volume, what happens if the host fails?
instance data is gone
What happens if you reboot both volume types?
You will not lose your data
Can volumes be stopped?
EBS - Yes
Instance store - No
Will root volumes be deleted on termination by default?
Yes. With EBS, you can tell AWS to keep the root volume
Health check ping path
file to test health check i.e. an html file saying that instance is healthy
Response timeout
how long it takes to do a healthcheck
Interval
how long to wait between healthchecks
Healthy threshold
how many consecutive health checks an instance must pass before becoming healthy
Unhealthy threshold
how many consecutive health checks an instance must fail before becoming unhealthy
Is IP address given for ELB?
No, a DNS name is given instead since the IP address may change
By default, how many AZs is an ELB deployed into?
2
Instances monitored by ELB are reported as either
In service or out of service
How do health checks work?
they check the instance health by talking to it
Metrics are monitored every N minutes (basic)
Metrics are monitored every 5 minutes
Detailed monitoring = Monitoring every N minutes
Metrics are monitored every 1 minute
What CloudWatch metrics are available by default for EC2 instances?
CPU, Disk, Network, Status Check
Status checks at which level?
Instance, host
To view RAM utilization…
you need to create a custom metric
CloudWatch Events…
…help you respond to state changes in your AWS resources
Logs…
…you can go into application layer and log different events (as opposed to host layer for dashboards). helps you to aggregate, monitor, and store logs
CloudWatch is for…
performance monitoring
CloudTrail is for…
auditing whatever happens with AWS account
Role Types
AWS Service Roles, Role for Cross-Account Access, Role for Identity Provider Access
When provisioning EC2 instance with IAM role, where do you select the role?
Configure Instance Details (IAM role)
When you first use CLI…
You need to configure AWS credentials using access key ID and secret access key, Region
Can you assign a role to an EC2 instance after launching it?
Not using the console, but you can using the CLI. You can also modify a role
The only way to modify a role attached to an EC2 instance is…
attach a policy
If you delete a role attached to the EC2 instance
The role is gone. You cannot add a new role; you must terminate and launch a new instance with desired role
Which is more secure, using roles or storing your access key and secret access key on EC2 instances?
Roles; they are also easier to manage
T/F: Roles are universal, you can use them in any region.
TRUE
How to obtain instance metadata:
curl http://169.254.169.254/latest/meta-data/
Can we obtain user data from EC2?
No, it throws an error
What is a Placement Group?
a logical grouping of instances within a single AZ.
Using placement groups…
…enables apps to participate in a low-latency, 10 Gbps network
Placement groups are recommended for…
…apps that benefit from low network latency, high network throughput, or both.
Can a placement group span multiple AZs?
No, it’s a single point of failure
The name you specify for a placement group…
…must be unique within your AWS account.
Which instances can be launched in a placement group?
Compute Optimized, GPU, Memory Optimized, Storage Optimized
T/F: AWS recommends homogeneous instances w/in placement groups.
TRUE
Can you merge placement groups?
No
Can you move an existing instance into a placement group?
No. Create an AMI from your existing instance, and launch a new instance from the AMI into a placement group
RDS Types
SQL Server, Oracle, MySQL Server, PostgreSQL, Aurora, MariaDB
What is Elasticache?
Web service that makes it easy to deploy, operate, and scale an in-memory cache in the cloud
In-memory caching engines that Elasticache supports:
Memcached, Redis
Use case for Elasticache
If web app constantly requests the top 10 products, cache that information in Elasticache
DMS
allows you to migrate your production database to AWS
Once migration starts…
AWS manages complexities of the migration processes like data type transformation, compression, and parallel transfer, while ensuring that data changes to the source database that occur during the migration process are automatically replicated to the target
Purpose of the AWS schema conversion tool
automatically converts the source DB schema and a majority of the custom code, including views, stored procedures, and functions, to a format compatible with the target DB.
RDS is used for
OLTP
DynamoDB used for
NoSQL
RedShift used for
OLAP
Which RDS types can be encrypted at rest?
…
Types of Backups
Automated Backups, Database Snapshots
Automated Backups
allow you to recover your DB to any point in time within a retention period. they will take a full daily snapshot and will store transaction logs throughout the day
Retention period range
1-35 days, 7 days by default
Recover an automated backup
AWS will choose the most recent daily backup, and then apply transaction logs relevant to that day
Which type of backup is enabled by default?
Automated
Where is the backup data stored?
S3
How much storage will you get?
Free storage space = size of your database
When are backups taken?
within a defined window
What will happen to storage I/O during the backup window?
may be suspended
Are DB snapshots manual or automated?
Manual
When the RDS instance is deleted, what happens to automated backups?
They are deleted.
When the RDS instance is deleted, what happens to DB snapshots?
They are stored
When the RDS instance is deleted, do you have a chance to make one final snapshot?
Yes.
What happens when you restore either an automated backup or a DB snapshot?
the restored version of the DB will be a new RDS instance with a new end point.
Encryption at rest is supported for which DBs?
MySQL, Oracle, SQL Server, PostgreSQL, MariaDB
How do you perform encryption on DBs?
AWS KMS
Will underlying storage, backups, read replicas, and snapshots be encrypted after the RDS instance is encrypted?
Yes
Can you encrypt an existing DB instance?
No, you will need to create a new DB instance and migrate your data into it.
to scale up RDS
take a snapshot, restore snapshot to larger instance size
Multi-AZ is good for
failover/disaster recovery only.
If you use Multi-AZ, will AWS handle the replication?
Yes
Is Multi-AZ good for improving performance?
No. You need Read Replicas.
Use case for Read Replicas
If DB has a lot of reads performed to it, you can change the connection of the EC2 instances to read from read replicas instead of the main DB
Multi-AZ db options
All except Aurora, which has it by default.
Read replica db options
MySQL Server, PostgreSQL, MariaDB
Read replicas are used for
scaling, not DR
In order to deploy a read replica
you must have automatic backups turned on
How many read replicas can you have for one database?
5
Can you have read replicas of read replicas?
Yes, but watch out for latency
Is read replica asynchronous or synchronous?
asynchronous
Is Multi AZ asynchronous or synchronous?
synchronous
Will each read replica have a DNS endpoint?
Yes
Can you have read replicas that have multi-AZ turned on?
No. You can create read replicas of Multi-AZ source dbs though.
Can read replicas be promoted to their own databases?
Yes, but this breaks replication
Can you change the instance size of a read replica?
Yes
DynamoDB vs RDS
DynamoDB offers push button scaling, so you can scale your DB on the fly, w/o any down time.
RDS is not so easy; you usually have to use a bigger instance size or add a read replica
What is DynamoDB
fast and flexible NoSQL database service for all apps that need consistent, single-digit millisecond latency at any scale.
Is DynamoDB fully managed?
Yes
What models does DynamoDB support?
Document, key-value
Uses for DynamoDB
mobile, web, gaming, ad-tech, IoT
Where is data in DynamoDB stored?
SSD Storage