New notes Flashcards

1
Q

What is the scope of a Virtual Private Cloud (VPC)?

A

Regional

VPCs are regional. You create VPCs in each region separately.

2
Q

At which level do you attach an Internet gateway?

A

VPC

Internet Gateways are attached to the VPC. You then need to add entries to the route tables for your public subnets to point to the IGW.

3
Q

AWS Outposts

A

An Outpost is a pool of AWS compute and storage capacity deployed at a customer site, e.g. EC2 instances

AWS operates, monitors, and manages this capacity as part of an AWS Region. You can create subnets on your Outpost and specify them when you create AWS resources such as EC2 instances, EBS volumes, ECS clusters, and RDS instances.

4
Q

RAID 0 vs RAID 1 (on EBS)

A

RAID 0 = used for performance (splits data across volumes, but if one fails then the whole thing fails)
RAID 1 = fault tolerance/failover (mirrors data)

5
Q

GuardDuty vs Inspector vs Macie

A

Inspector = Scanning for potential vulnerabilities (EC2 mainly)

GuardDuty = Scanning for active intrusion attempts

Macie = identify and alert on sensitive data such as PII (Personally Identifiable Information)

Amazon Inspector provides you with security assessments of your applications' settings and configurations on your EC2 instances, while Amazon GuardDuty helps with analyzing your entire AWS environment for potential threats.

Inspector only covers EC2 at the moment. GuardDuty, on the other hand, will continuously monitor your “AWS accounts, workloads, and data stored in Amazon S3” and alert you.

6
Q

VPC overview - part 1

A

VPC Peering
- Connect two or more VPCs using the AWS network (not transitive) over IPv4 or IPv6
- Private connection

VPC Endpoints
- Allows access from your VPC to AWS services (e.g. S3, DynamoDB, SNS, SQS, CloudWatch, API Gateway etc)
- Private connection

Direct Connect (DX)
- connect VPC to customer data center (over IPv4 and IPv6)
- consistent network experience
- private connection

Direct Connect Gateway
- connect one customer data center to multiple VPC on AWS
- private connection

7
Q

VPC overview - part 2

A

AWS Site-to-Site VPN
- Connects customer data center to AWS VPC
- private encrypted connection, however over the Internet

Egress-only Internet Gateway
- allows outbound-only connections from your VPC (private subnet) to the internet (IPv6 only)
- public network

AWS VPN CloudHub
- Connect multiple VPCs to multiple customer data centers (Customer Gateway)
- public network

Transit Gateway
- Connects multiple VPC services together (hub and spoke) and is transitive
- public network

Internet Gateway
- Allows resources (e.g. EC2) in a VPC to connect to the internet
- Public connection

8
Q

SQS Visibility Timeout

A

SQS Visibility Timeout is a period of time during which Amazon SQS prevents other consumers from receiving and processing the message again.

With Visibility Timeout, a message is hidden only after it is consumed from the queue. Increasing the Visibility Timeout gives the consumer more time to process the message and prevents duplicate reads of the message. (default: 30 sec., min.: 0 sec., max.: 12 hours)

9
Q

AWS App Runner

A

Similar to Beanstalk, but for containerised web apps

10
Q

Security Groups and NACL operate at which level?

A

Security Group = EC2 instance level

Network Access Control List (NACL) = subnet level

11
Q

Security Groups

A

Security groups are stateful, meaning if traffic can go out, then it can go back in.

Security Group = stateful (return traffic is automatically allowed)

NACL = stateless (return traffic must be explicitly allowed by the rules)

12
Q

Bastion Hosts

A

Bastion hosts should be deployed in a public subnet

13
Q

AWS Fargate

A

AWS Fargate is a serverless compute engine for containers that works with both Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS).

14
Q

Amazon EBS root device volumes

A

By default, Amazon EBS root device volumes are automatically deleted when the instance terminates.

You can preserve the volume by setting the DeleteOnTermination attribute of the EBS volume to False.

15
Q

S3 Glacier retrieval

A

Expedited retrievals allow you to quickly access your data when occasional urgent requests for a subset of archives are required. For all but the largest archives (250 MB+), data accessed using Expedited retrievals is typically made available within 1–5 minutes.

Provisioned capacity ensures that your retrieval capacity for expedited retrievals is available when you need it. Each unit of capacity provides that at least three expedited retrievals can be performed every five minutes and provides up to 150 MB/s of retrieval throughput. You should purchase provisioned retrieval capacity if your workload requires highly reliable and predictable access to a subset of your data in minutes.

16
Q

What will occur when an EC2 instance is stopped and started?

A

– The underlying host for the instance is possibly changed.

– All data on the attached instance-store devices will be lost.

17
Q

Fargate

A

Fargate allocates the right amount of compute, eliminating the need to choose instances and scale cluster capacity. You only pay for the resources required to run your containers, so there is no over-provisioning and paying for additional servers.

By default, Fargate tasks are given a minimum of 20 GiB of free ephemeral storage, which meets the storage requirement in the scenario.

18
Q

AWS Cost Explorer

A

AWS Cost Explorer is a service provided by Amazon Web Services (AWS) that helps you visualize, understand, and analyze your AWS costs and usage. It provides a comprehensive set of tools and features to help you monitor and manage your AWS spending.

You can programmatically query your cost and usage data via the Cost Explorer API. You can query for aggregated data such as total monthly costs or total daily usage. You can also query for granular data, such as the number of daily write operations for DynamoDB database tables in your production environment.

19
Q

S3 Pre-signed URLs vs CloudFront Signed URLs vs Origin Access Identity (OAI) vs Origin Access Control (OAC)

20
Q

DynamoDB auto scaling

A

DynamoDB auto scaling uses the AWS Application Auto Scaling service to dynamically adjust provisioned throughput capacity on your behalf, in response to actual traffic patterns. This enables a table or a global secondary index to increase its provisioned read and write capacity to handle sudden increases in traffic, without throttling.

21
Q

CIDR notation

A

/32 denotes one IP address
/0 refers to the entire network

22
Q

EBS costs incurred

A

EBS Volumes attached to stopped EC2 Instances incur costs

23
Q

Elastic Fabric Adapter (EFA)

A

An Elastic Fabric Adapter (EFA) is a network device that you can attach to your Amazon EC2 instance to accelerate High Performance Computing (HPC) and machine learning applications.

24
Q

Amazon Kinesis Data Streams

A

Amazon Kinesis Data Streams enables real-time processing of streaming big data. It provides ordering of records, as well as the ability to read and/or replay records in the same order to multiple Amazon Kinesis Applications.

Consumers are: EMR, EC2, Lambda, Amazon Kinesis Data Analytics

25
Q

S3 buckets

A

S3 buckets are region specific

They are stored in 3 AZs per region

26
Q

AWS ECS vs EKS

A

Elastic Container Service (ECS) = AWS proprietary service

Elastic Kubernetes Service (EKS) = open-source platform

27
Q

AWS DataSync vs Storage Gateway

A

https://tutorialsdojo.com/aws-datasync-vs-storage-gateway/

DataSync
* copy large amounts of data from on-premises to AWS (or back), or from AWS to AWS
* Copy to S3, EFS, FSx
* replication tasks can be scheduled hourly, daily, weekly

Storage Gateway
* hybrid cloud storage service that gives you on-premises access to virtually unlimited cloud storage
* S3, FSx, Volume, Tape Gateway
* used for disaster recovery, on-premises cache & low-latency file access, backup & restore

28
Q

Site-to-Site VPN vs Direct Connect

A

Both are private connections from on-premises to an AWS VPC (connect using a Virtual Private Gateway on AWS)

Site-to-Site = encrypted connection, public internet
Direct Connect = NOT encrypted, private

29
Q

WAF, Shield, Firewall

A

WAF
* SQL injection, cross-site scripting (XSS)
* Deploys on CloudFront (CDN), Application Load Balancer, API Gateway

Shield
* DDoS protection
* Deploys on CloudFront, ALB, Network Load Balancer

Firewall
* Applies at VPC level

30
Q

Amazon SQS

A

Uses short polling by default. To enable long polling, set
ReceiveMessageWaitTimeSeconds to greater than zero

31
Q

AppSync pipeline resolvers

A

AppSync pipeline resolvers = aggregating data from multiple database tables

32
Q

AWS CloudTrail

A

AWS CloudTrail records AWS Management Console actions and API calls. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred

CloudTrail event log files are encrypted using Amazon S3 server-side encryption (SSE).

33
Q

WAF

A

If CloudFront (CDN) is not an option, you can use WAF to block access based on geolocation matching or IP address in the web Access Control List (ACL)

35
Q

How to scale EKS

A

Scale Elastic Kubernetes Service (EKS) by:
* Install the Kubernetes Metrics Server on the Amazon EKS cluster and activate Horizontal Pod Autoscaling.
* Set up Karpenter to automatically adjust the number of nodes in the EKS cluster when pods fail or are rescheduled onto other nodes.

EKS autoscaling products:
* Karpenter
* Cluster Autoscaler

36
Q

ENI vs EFA vs ENA

A

https://digitalcloud.training/aws-networking-eni-vs-efa-vs-ena/

Elastic Network Interface (ENI) - virtual network card that can be attached to any instance of the Amazon Elastic Compute Cloud (EC2)

Elastic Fabric Adapter (EFA) - accelerate high-performance computing (HPC) and machine learning on Amazon EC2 instances

Elastic Network Adapter (ENA) - high throughput and packet per second (PPS) performance, as well as consistently low latencies on Amazon EC2 instances

37
Q

What is Provisioned IOPS?

A

Provisioned IOPS, also known as Provisioned Input/Output Operations Per Second, is a significant feature offered by Amazon Web Services (AWS), designed to enhance the storage performance of Amazon Elastic Block Store (EBS) volumes.

IOPS is the standard measure of I/O operations per second on a storage device. It includes both read and write operations.

38
Q

HTTP/HTTPS ports

A

HTTP = port 80
HTTPS = port 443

39
Q

EC2 Step Scaling

A

With step scaling, you choose scaling metrics and threshold values for the CloudWatch alarms that trigger the scaling process as well as define how your scalable target should be scaled when a threshold is in breach for a specified number of evaluation periods.

40
Q

AWS CloudTrail Lake

A

AWS CloudTrail Lake lets you run SQL-based queries on your event logs in AWS CloudTrail.

41
Q

EC2 Scaling

A

Target tracking scaling – Increase or decrease the current capacity of the group based on a target value for a specific metric. This is similar to the way that your thermostat maintains the temperature of your home – you select a temperature and the thermostat does the rest.

Step scaling – Increase or decrease the current capacity of the group based on a set of scaling adjustments, known as step adjustments, that vary based on the size of the alarm breach.

Simple scaling – Increase or decrease the current capacity of the group based on a single scaling adjustment.

42
Q

Volume Gateway

A

The Volume Gateway is a cloud-based iSCSI block storage volume for your on-premises applications. The Volume Gateway provides either a local cache or full volumes on-premises while also storing full copies of your volumes in the AWS cloud.

43
Q

Aurora failover

A

If you have an Amazon Aurora Replica in the same or a different Availability Zone, when failing over, Amazon Aurora flips the canonical name record (CNAME) for your DB Instance to point at the healthy replica, which in turn is promoted to become the new primary. Start-to-finish failover typically completes within 30 seconds.

If you are running Aurora Serverless and the DB instance or AZ becomes unavailable, Aurora will automatically recreate the DB instance in a different AZ.

If you do not have an Amazon Aurora Replica (i.e., single instance) and are not running Aurora Serverless, Aurora will attempt to create a new DB Instance in the same Availability Zone as the original instance. This replacement of the original instance is done on a best-effort basis and may not succeed, for example, if there is an issue that is broadly affecting the Availability Zone.

44
Q

EBS volumes

A

  • Snapshots are automatically encrypted
  • All data moving between the volume and the instance is encrypted.

45
Q

AWS Proton

A

AWS Proton is the first fully managed application deployment service for Container and Serverless Applications. We can use AWS Proton to connect and coordinate all the different tools needed for infrastructure provisioning, code deployments, monitoring, and updates

46
Q

Amazon FSx for Lustre provides two deployment options: scratch and persistent.

A

Scratch file systems are designed for temporary storage and shorter-term processing of data. Data is not replicated and does not persist if a file server fails.

Persistent file systems are designed for longer-term storage and workloads. The file servers are highly available, and data is automatically replicated within the AWS Availability Zone (AZ) that is associated with the file system. The data volumes attached to the file servers are replicated independently from the file servers to which they are attached.

47
Q

A, CNAME and ALIAS

A

The A record maps a name to one or more IP addresses when the IPs are known and stable.

The CNAME record maps a name to another name. It should only be used when there are no other records on that name.

The ALIAS record maps a name to another name, but can coexist with other records on that name.

48
Q

Amazon ECS on AWS Fargate

A

Amazon ECS on AWS Fargate is a container orchestration solution. It handles infrastructure scaling (scales in/out based on demand), patching, and provisioning, giving the company more time to focus on creating and deploying applications.

49
Q

Amazon QuickSight

A

Amazon QuickSight is a unified business intelligence service that makes it easier for all employees within an organization to build visualizations, perform ad hoc analysis, and quickly get business insights from their data, anytime, on any device.

50
Q

IAM policy statement

A

An IAM policy statement includes several key elements:

  • Effect: This element determines whether the statement allows or denies access. The effect can be set to “Allow” or “Deny” to permit or prohibit actions explicitly.
  • Action: The action specifies the specific AWS service actions allowed or denied. Actions are represented by unique names, such as ec2:RunInstances for launching EC2 instances or s3:GetObject for retrieving objects from S3 buckets.
  • Resource: The resource element identifies the AWS resources to which the actions apply. It uses Amazon Resource Names (ARNs) to specify the specific resources or resource types, such as arn:aws:s3:::my-bucket/* for all objects in an S3 bucket.
  • Condition (optional): Conditions provide additional constraints on when the policy’s effect applies. For example, you can define conditions based on time, IP address, or request parameters to further control access.

51
Q

Amazon Data Lifecycle Manager

A

Amazon Data Lifecycle Manager is a service that automates the creation, retention, and deletion of EBS snapshots. This service directly addresses the problem of increasing costs due to unused snapshots

52
Q

AWS Compute Optimizer

A

AWS Compute Optimizer recommends optimal AWS resources for your workloads to reduce costs and improve performance by using machine learning to analyze historical utilization metrics.

Compute Optimizer generates recommendations for the following resources:
* Amazon Elastic Compute Cloud (Amazon EC2) instances
* Amazon EC2 Auto Scaling groups
* Amazon Elastic Block Store (Amazon EBS) volumes
* AWS Lambda functions

53
Q

Amazon Quantum Ledger Database

A

Amazon Quantum Ledger Database (Amazon QLDB) is a fully managed ledger database that provides a transparent, immutable, and cryptographically verifiable transaction log owned by a central trusted authority. Used in blockchain. Amazon QLDB can be used to track every application data change and maintains a complete and verifiable history of changes over time.

54
Q

VPN

A

VPN = goes over the Internet

VPC and Direct Connect = private connection

55
Q

Interface Endpoint vs Gateway Endpoint

A

Use a Gateway Endpoint when connecting EC2 to S3 or DynamoDB. This is the cheaper option of the two.

Use an Interface Endpoint for on-premises connections or other AWS services

56
Q

CloudWatch on EC2

A

Default = CPU utilization, Network utilization, Disk performance, and Disk Reads/Writes

Custom metrics = Memory utilization, Disk swap utilization, Disk space utilization, Page file utilization, Log collection

57
Q

SQS

A

Visibility timeout default = 30 secs

Message retention period:
* default = 4 days
* min = 1
* max = 14

58
Q

Lambda

A

Time to run:
* default = 3 secs
* min = 1 sec
* max = 900 secs (15mins)

59
Q

Signed URL vs Signed Cookies

A

Use signed URLs for the following cases:
- You want to use an RTMP distribution. Signed cookies aren’t supported for RTMP distributions.
- You want to restrict access to individual files, for example, an installation download for your application.
- Your users are using a client (for example, a custom HTTP client) that doesn’t support cookies.

Use signed cookies for the following cases:
- You want to provide access to multiple restricted files, for example, all of the files for a video in HLS format or all of the files in the subscribers’ area of a website.
- You don’t want to change your current URLs.

60
Q

CloudWatch EC2 monitoring

A

Default = 5 mins
Detailed = 1 min

61
Q

AWS IAM Identity Center

A

AWS IAM Identity Center (successor to AWS Single Sign-On) provides single sign-on access for all of your AWS accounts and cloud applications. It connects with Microsoft Active Directory through AWS Directory Service to allow users in that directory to sign in to a personalized AWS access portal using their existing Active Directory user names and passwords

62
Q

AWS Config

A

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources

63
Q

Kinesis Data Streams vs Firehose

A

Kinesis Data Streams -> processors (EC2, Lambda, EMR, Kinesis Data Analytics) -> BI tools

Firehose -> data stores (S3, Redshift data warehouse, ElasticSearch, Splunk) -> Analytics tools