Network storage, HA, and Scaling Flashcards
Elastic File System
implementation of NFSv4
EFS filesystems can be mounted on Linux
shared between many EC2 instances
Where does EFS run from?
runs in a VPC via mount targets
can be accessed from on-premises via VPN or DX (Direct Connect)
3 types of Load Balancers
Classic Load Balancer (CLB) - v1 - introduced 2009
not really layer 7, lacking features, 1 SSL cert per CLB
Application Load Balancer (ALB) - v2 - HTTP/S / WebSocket
Network Load Balancer (NLB) - v2 - TCP, TLS, & UDP
v2 = faster, cheaper, supports target groups and rules
How does ELB work?
Configured to run in 2+ AZs; 1+ nodes are placed into a subnet in each AZ and scale with load
Each ELB is configured with an (A) record DNS name and this resolves to the ELB nodes
How does an ELB communicate with EC2 instances?
Load balancer nodes are configured with listeners which accept traffic on a port & protocol and communicate with targets on a port & protocol
Internet-Facing ELB vs Internal ELBs
Internet-facing nodes have public IPs
Internal nodes only have private IPs
What should your subnet size be if you're going to deploy an ELB in it?
8+ free IPs per subnet and a /27 or larger subnet to allow for scale
Cross Zone LB
Allows load balancers to evenly distribute load across active AZs
Does an EC2 instance need to be public to work with an ELB?
No, an internet-facing load balancer can communicate with public instances or private instances.
An internet-facing load balancer has public IP addresses on its nodes
it can accept connections from the public internet and balance these across both public and private EC2 instances
Application LB
Layer 7 load balancer... listens on HTTP and/or HTTPS
No other Layer 7 protocols (SMTP, SSH, gaming) and no TCP/UDP/TLS listeners
Layer 7: content type, cookies, custom headers, user location and app behavior
How are HTTP/HTTPS connections made and why is it important?
HTTP/HTTPS (SSL/TLS) is always terminated on the ALB; no unbroken SSL
which security teams may consider a security risk
ALBs must have an SSL cert if HTTPS is used, because a new connection is initiated when connecting to the application
ALB Rules
rules direct connections which arrive at the listener
processed in priority order
default rule = catch-all, processed last
ALB rule conditions
anything layer 7
host-header, http-header, http-request-method, path-pattern, query-string & source-IP
What are some actions that can be taken based on an ALB rule?
forward, redirect, fixed-response, authenticate-OIDC & authenticate-cognito
Network Load Balancer (NLB)
Layer 4 load balancer … TCP, TLS, UDP, TCP_UDP
No visibility or understanding of HTTP or HTTPS
SMTP, SSH, game servers, financial apps
really, really fast (millions of rps, 25% of ALB latency)
Forwards TCP to instances - unbroken encryption
What do health checks on an NLB check?
Health checks just check ICMP/TCP handshake; not app aware
If you need your LB to have a static IP, what LB would you choose?
NLBs can have static IPs - useful for whitelisting
Some use cases for NLB
unbroken encryption
static IP for whitelisting
the fastest performance
protocols other than HTTP or HTTPS
PrivateLink
Launch Configuration and Templates
allow you to define the configuration of an EC2 instance in advance
AMI, instance type, storage & key pair
networking and security groups
userdata & IAM role
Say you want to be able to alter your configurations after creating them; which would you choose, launch configurations or launch templates?
neither is editable - defined once; but launch templates have versions
Which of the options for configuring EC2 instances in advance is newer, and what additional features does it offer?
Launch templates provide newer features
including T2/T3 unlimited, placement groups, capacity reservations, elastic graphics
Auto Scaling groups
automatic scaling and self-healing for EC2
uses launch templates or configurations
has minimum, desired, and maximum size
keeps running instances at the desired capacity by provisioning or terminating instances
scaling policies automate scaling based on metrics
Types of scaling options for Auto Scaling groups
manual scaling - manually adjust the desired capacity
scheduled scaling - time-based adjustment
dynamic scaling - simple, stepped scaling and target tracking
cooldown periods on an ASG
how long to wait at the end of a scaling action before doing another
If Launch and Terminate are set to suspend or resume, what actions does the ASG take?
If Launch is set to suspend, the ASG won't launch any new EC2 instances
If Terminate is set to suspend, the ASG won't terminate any EC2 instances
If AddToLoadBalancer is enabled, what actions does the ASG take?
adds instances to the LB on launch
AlarmNotification
controls whether the ASG accepts notifications from CloudWatch
AzRebalance
controls whether the ASG will balance instances evenly across all AZs
HealthChecks
instance health check on/off
ReplaceUnhealthy
terminates unhealthy instances and replaces them
ScheduledActions
schedule on/off
Standby
use this for instances 'InService vs Standby'
suspends ASG activities on a specific instance
ASG cost
ASGs are free; only the resources created are billed
If your instances are being rapidly terminated and created, what option helps stop this?
use a cooldown period to avoid rapid scaling
What does an ASG define?
When and where
What do launch templates define ?
what
Simple scaling
"CPU above 50% +1"
"CPU below 50% +1"
stepped scaling
allows you to scale in or out based on how far away you are from a metric
Target Tracking
desired aggregate CPU = 40%; the ASG handles it
Are you able to scale based on SQS?
yes, scaling based on SQS - ApproximateNumberOfMessagesVisible
ASG Lifecycle Hooks
custom actions on instances during ASG actions
during instance launch or instance terminate, instances are paused until timeout
during that pause you can perform some operation
Notifications for lifecycle hooks can be sent to an SNS topic or EventBridge
after timeout they either continue or are abandoned
ASG EC2 Health checks
EC2 - stopping, stopped, terminated, shutting down, impaired (not 2/2) = unhealthy
Types of ASG Health checks
ELB, EC2 (default), custom
ASG ELB Health Check
Healthy = Running and passing ELB Health Check
can be more application-aware with an ALB because it operates on Layer 7 of the networking model
ASG Health Checks Grace period
default 300s delay before starting checks
allows system launch, bootstrapping, and application start
SSL Bridging
Listener is configured for HTTPS, connection is terminated on the ELB & needs a certificate for the domain name
ELB initiates a new SSL connection to backend instances. Instances need an SSL certificate and the compute required for cryptographic operations
How an ALB can operate
SSL Pass-through
Listener configured for TCP. No encryption or decryption happens on the NLB. Connection is passed to the backend instance
Each instance needs to have the appropriate SSL cert installed. With this architecture there is no certificate exposure to AWS… all self-managed and secure
SSL offLoading
Listener is configured for HTTPS. Connections are terminated and then backend connections use HTTP.
ELB-to-instance connections use HTTP - no certificate or cryptographic requirements
Session Stickiness
Stickiness generates a cookie which locks the device to a single backend instance for a duration
With no stickiness, connections are distributed across all in-service backend instances. Unless the application handles user state, this could cause user logoff or shopping cart loss.
Gateway Load balancer (GLB)
Helps you run and scale 3rd-party applications
things like firewalls, intrusion detection and prevention systems
How does a Gateway Load Balancer (GLB) work?
inbound and outbound traffic (transparent inspection and protection)