SAA-C02 Flashcards
AWS Organizations (units)
Consolidated Billing, Root -> OU (organizational unit) -> Accounts
SAML
Security Assertion Markup Language
Storage Gateway
Hybrid cloud storage service
File Gateway
NFS/SMB file interface on premises backed by S3; a local cache gives on-premises applications low-latency access to frequently used data stored in the cloud
Tape Gateway
replace physical tapes with virtual tapes
volume gateway
cloud backed block storage volumes
Macie
machine learning & NLP to discover, classify, protect sensitive data
NAT Gateway
lets instances in a private subnet initiate connections to the internet; the internet cannot initiate a connection back. IPv4 only (use an egress-only internet gateway for IPv6)
Max number of Internet Gateways per VPC
1
Internet Gateway
VPC and internet connection
egress-only internet gateway
like a NAT gateway but for IPv6: outbound connections only, no inbound connections initiated from the internet
elastic IP address
static ipv4 address
direct connect
dedicated private network connection from on premises to AWS through a Direct Connect location (colocation); does not traverse the public internet
global accelerator
directs user traffic to the optimal endpoint over the AWS global network; provides two static anycast IP addresses
privatelink
private connectivity between VPCs, AWS services and on-premises networks without traversing the public internet
ENI
elastic network interface: networking component in a VPC
gp2
general purpose ssd EBS storage
io1
provisioned IOPS SSD EBS storage (databases)
st1
throughput optimized HDD (big data and data warehouses)
sc1
cold HDD (file servers)
Standard
ebs magnetic (hdd for infrequent access)
ebs backed ami
root volume is an EBS volume; by default the root volume is deleted on termination (DeleteOnTermination can be set to false)
instance store backed ami
ephemeral storage on the host; data is lost on stop, hibernate or terminate (survives a reboot)
ec2 hypervisors
Xen -> Nitro
customer gateway
customer-side resource representing the on-premises VPN device; paired with a virtual private gateway to build a site-to-site VPN into the VPC
vpc endpoints
connect a VPC privately to supported services without an internet gateway or NAT
interface endpoint: an ENI with a private IP in your subnet, used for most services (PrivateLink)
gateway endpoint: a route table target for S3 and DynamoDB (not a NAT gateway; no charge)
cluster placement group
pack EC2 instances close together in one AZ for low latency and high throughput; cannot span availability zones
partition placement group
spread instances across logical partitions that do not share hardware; maximum 7 partitions per AZ
spread placement group
place each instance on distinct hardware; maximum 7 running instances per AZ per group
VPC network costs
inbound traffic from the internet is free; traffic between AZs and between regions (including VPC peering across regions) is charged; prefer private IPs and endpoints over public IPs to keep traffic off the paid internet path
ACL
network access control list, a firewall at the subnet boundary. all traffic entering or leaving the subnet is checked; rules are evaluated in ascending rule-number order and the first match wins, with a final * rule that denies everything else. the default NACL allows all traffic, a custom NACL denies all traffic until rules are added. stateless: return traffic must be allowed explicitly (remember ephemeral ports). supports both allow and deny rules
Route Table
directs traffic leaving a subnet to the correct target. every route table has the local route for the VPC CIDR; when several routes match, the most specific one (longest prefix, i.e. smallest CIDR range) wins
Security Groups
virtual firewall at the instance (ENI) level. stateful: return traffic for an allowed connection is automatically allowed. allow rules only, no deny rules; default is deny all inbound, allow all outbound. up to 5 security groups per ENI by default (quota can be raised). an instance gets the VPC's default security group if none is assigned
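The three cards above (route table, network ACL, security group) describe a decision process that is easy to get wrong in practice, especially the stateless NACL needing an explicit outbound rule for ephemeral ports while the stateful security group does not. The following simulator is an added example, not part of the original flashcards or of any AWS code: it applies the documented rules (longest-prefix route match, NACL rules in ascending number order with an implicit final deny, stateful allow-only security groups) to a constructed HTTPS request and its reply. The route table, NACL rules, client addresses and instance IP are all constructed sample data.

```python
"""Simulate the VPC packet path for a TCP request arriving at an instance and its reply:
route table (longest prefix match), network ACL (stateless, numbered rules, first match,
implicit deny) and security group (stateful, allow rules only).  Constructed sample rules;
this reproduces only the documented decision rules, not AWS internals."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reply(self):
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


# --- Route table: every VPC route table carries the "local" route; the most specific prefix wins ---
ROUTES = {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-gateway", "10.1.0.0/16": "pcx-peering"}  # constructed


def route_lookup(dst_ip, routes=ROUTES):
    dst = ipaddress.ip_address(dst_ip)
    matches = [(ipaddress.ip_network(c), t) for c, t in routes.items() if dst in ipaddress.ip_network(c)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


# --- Network ACL: stateless; rules evaluated by ascending number, first match decides ---
@dataclass(frozen=True)
class NaclRule:
    number: int
    action: str      # "allow" or "deny"
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound rules
    port_lo: int
    port_hi: int     # destination port range, inclusive


def nacl_allows(rules, pkt, direction):
    peer = ipaddress.ip_address(pkt.src_ip if direction == "in" else pkt.dst_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if peer in ipaddress.ip_network(r.cidr) and r.port_lo <= pkt.dst_port <= r.port_hi:
            return r.action == "allow"
    return False  # the final "*" rule: deny anything no numbered rule matched


# --- Security group: stateful; allow rules only; replies to tracked flows pass automatically ---
@dataclass
class SecurityGroup:
    inbound: list                     # (cidr, port) pairs
    outbound: list
    tracked: set = field(default_factory=set)

    def allows(self, pkt, direction):
        if pkt.reply() in self.tracked:   # connection tracking: return traffic of an allowed flow
            return True
        rules = self.inbound if direction == "in" else self.outbound
        peer = ipaddress.ip_address(pkt.src_ip if direction == "in" else pkt.dst_ip)
        ok = any(peer in ipaddress.ip_network(c) and p == pkt.dst_port for c, p in rules)
        if ok:
            self.tracked.add(pkt)
        return ok


def https_round_trip(client_ip, nacl_in, nacl_out, sg, instance_ip="10.0.1.10"):
    """Return (request_delivered, reply_delivered) for client -> instance:443 and the reply."""
    req = Packet(client_ip, 50000, instance_ip, 443)
    if not (nacl_allows(nacl_in, req, "in") and sg.allows(req, "in")):
        return (False, False)
    rep = req.reply()
    return (True, sg.allows(rep, "out") and nacl_allows(nacl_out, rep, "out"))


# Constructed sample rules.
NACL_IN = [NaclRule(100, "allow", "0.0.0.0/0", 443, 443),
           NaclRule(90, "deny", "203.0.113.0/24", 0, 65535)]    # lower number is evaluated first
NACL_OUT_GOOD = [NaclRule(100, "allow", "0.0.0.0/0", 1024, 65535)]  # ephemeral ports for replies
NACL_OUT_BAD = [NaclRule(100, "allow", "0.0.0.0/0", 443, 443)]      # forgot the ephemeral range


def sg_https_only():
    # No outbound rule at all: the stateful group still lets the reply out.
    return SecurityGroup(inbound=[("0.0.0.0/0", 443)], outbound=[])


if __name__ == "__main__":
    print(route_lookup("10.0.5.9"), route_lookup("10.1.2.3"), route_lookup("8.8.8.8"))
    print(https_round_trip("198.51.100.7", NACL_IN, NACL_OUT_GOOD, sg_https_only()))  # (True, True)
    print(https_round_trip("198.51.100.7", NACL_IN, NACL_OUT_BAD, sg_https_only()))   # (True, False)
    print(https_round_trip("203.0.113.5", NACL_IN, NACL_OUT_GOOD, sg_https_only()))   # (False, False)
```

The second run is the classic troubleshooting case: the request reaches the instance, the security group passes the reply because the flow is tracked, and the stateless NACL silently drops it because no outbound rule covers the client's ephemeral port. The third run shows why rule numbering matters: the deny at 90 is evaluated before the allow at 100.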
subnets
part of a VPC in a specific availability zone
glacier deep archive
cheapest S3 storage class; standard retrieval within 12 hours, bulk retrieval within 48 hours
S3 Tiers
all classes offer 11 9's (99.999999999%) durability. Standard (99.99% availability), Standard-IA (99.9% availability), One Zone-IA (99.5% availability, single AZ), Intelligent-Tiering (small monthly monitoring fee per object), Glacier, Glacier Deep Archive
S3 object lock and glacier vault lock
write once, read many (WORM). Governance mode: users with a special permission can override or remove the retention. Compliance mode: nobody, including the root user, can overwrite or delete the object version until the retention period ends. Legal hold: no retention period; the object is protected until the hold is explicitly removed. Glacier Vault Lock applies an immutable policy to a whole vault
S3 Performance
first byte within 100-200 ms; at least 3,500 PUT/COPY/POST/DELETE and 5,500 GET/HEAD requests per second per prefix, and prefixes scale independently
S3 multipart upload
recommended for objects over 100 MB, required for objects over 5 GB (a single PUT is limited to 5 GB; maximum object size is 5 TB)
S3 Byte Range Fetches
parallelize downloads, pull part of an object
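The multipart upload and byte range fetch cards above both come down to slicing an object into ranges under S3's published limits (parts between 5 MiB and 5 GiB except the last, at most 10,000 parts, 5 GiB single PUT, 5 TiB object). The following planner is an added example, not part of the original flashcards or of any AWS SDK: it computes a valid part size and the part list for an upload, and the HTTP Range headers for parallel downloads, without calling AWS. The 8 MiB default part size is an assumption chosen for the example.

```python
"""Plan S3 multipart-upload parts and byte-range GETs for an object of a given size.
Limits applied are S3's published ones: parts 5 MiB to 5 GiB (last part may be smaller),
at most 10,000 parts, single PUT up to 5 GiB, object up to 5 TiB.  Constructed example;
the functions return plans only and make no AWS calls."""
import math

MiB = 1024 ** 2
GiB = 1024 ** 3
MIN_PART, MAX_PART, MAX_PARTS = 5 * MiB, 5 * GiB, 10_000
SINGLE_PUT_LIMIT, MAX_OBJECT = 5 * GiB, 5 * 1024 * GiB
MULTIPART_RECOMMENDED = 100 * MiB


def must_use_multipart(size):
    """A single PUT cannot exceed 5 GiB."""
    return size > SINGLE_PUT_LIMIT


def should_use_multipart(size):
    """AWS recommends multipart from about 100 MB for resilience and parallelism."""
    return size >= MULTIPART_RECOMMENDED


def part_size_for(size, requested=8 * MiB):
    """Pick a part size satisfying the 5 MiB minimum and the 10,000-part maximum."""
    if size > MAX_OBJECT:
        raise ValueError("object exceeds the 5 TiB S3 object limit")
    part = max(requested, MIN_PART)
    part = max(part, math.ceil(size / MAX_PARTS))   # grow the part until <= 10,000 parts
    if part > MAX_PART:
        raise ValueError("cannot fit object in 10,000 parts of at most 5 GiB")
    return part


def plan_parts(size, requested=8 * MiB):
    """Return [(part_number, first_byte, last_byte)]; only the last part may be under 5 MiB."""
    part = part_size_for(size, requested)
    return [(i + 1, start, min(start + part, size) - 1)
            for i, start in enumerate(range(0, size, part))]


def range_headers(size, chunk=8 * MiB):
    """Byte-range fetches: one HTTP Range header per parallel GET (offsets are inclusive)."""
    return [f"bytes={start}-{min(start + chunk, size) - 1}" for start in range(0, size, chunk)]


if __name__ == "__main__":
    print(must_use_multipart(6 * GiB), should_use_multipart(100 * MiB))
    print(plan_parts(20 * MiB))          # three parts, the last one 4 MiB
    print(range_headers(20 * MiB))
    print(len(plan_parts(MAX_OBJECT)))   # part size grows so a 5 TiB object still fits in 10,000 parts
```

A practical caveat the planner encodes: if you keep a fixed small part size, a large object hits the 10,000-part ceiling and the CreateMultipartUpload/UploadPart sequence fails late, so compute the part size from the object size first.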
S3 Transfer acceleration
uploads go to the nearest CloudFront edge location and then over the AWS backbone to the bucket
AWS datasync
move large amounts of data to AWS s3, syncs on prem to AWS
S3 cross accounts
create a cross account iam role
IAM root sign in url
the root user signs in with the account email at the generic console URL; IAM users sign in at the account-specific URL (account ID or alias)
AWS RAM
resource access manager, share resources across accounts
AWS Shield
DDoS protection at the edge. Standard: automatic, free for all AWS customers, covers common layer 3/4 attacks. Advanced: paid, enhanced protection for EC2, ELB, CloudFront, Global Accelerator and Route 53, 24x7 access to the DDoS response team, cost protection against usage spikes, and WAF at no extra charge for protected resources
Cloud HSM
single-tenant hardware security modules in your VPC; you manage your own keys and AWS cannot access them. FIPS 140-2 Level 3 validated
WAF
web application firewall. monitor web requests and protect against bad actors. can inspect http traffic
KMS
key management service. regional, multi-tenant managed service; pay per API call. uses FIPS 140-2 validated HSMs (Level 2 at the time of SAA-C02, upgraded to Level 3 in 2023). CMK = customer master key (now called a KMS key), symmetric keys are AES-256. for single-tenant HSMs you provision yourself across AZs, use CloudHSM instead
secrets manager
cost per secret stored plus per API call. automatic rotation of secrets (for RDS and other databases via a built-in or custom Lambda). generates random passwords. can be shared across accounts with a resource policy
RDS Backups
automated backups (retention 1-35 days) are enabled by default and allow point-in-time restore; manual DB snapshots are retained until you delete them. I/O may be briefly suspended and latency higher during a backup on a single-AZ instance. a restore always creates a new RDS instance with a new endpoint
RDS Multi AZ
synchronous replication to a standby in another AZ. automatic failover: the DNS endpoint stays the same (the underlying IP changes), so applications only need to reconnect. failover is also used during maintenance. replication traffic between AZs is not charged
RDS Read Replicas
each read replica has its own endpoint. can promote to be their own database. asynchronous replication
redshift
BI / data warehousing. OLAP (online analytical processing). cluster lives in a single AZ. automated snapshots have a 1-day retention period by default, maximum 35 days
OLTP
Online transaction processing
Aurora
AWS’s own high end database.
- starts at 10 GB and scales automatically in 10 GB increments to 64 TB (limit later raised to 128 TiB)
- two copies of data in each AZ, min 3 (6 copies)
- self healing storage
- automated backups always enabled (snapshots no impact on performance)
- can be serverless (for unpredictable loads)
elasticache
caching, memcached and redis
memcached: simple, multi-threaded, horizontally scaled key-value store; no persistence or replication
redis: richer data types, multi-AZ with automatic failover, backup and restore, persistence
AWS Directory Service
managed Microsoft Active Directory in AWS; domain join and SSO for EC2 instances
- AWS Managed Microsoft AD: a real AD domain running in AWS, can establish a trust with on-premises AD
- AD Connector: proxy that forwards directory requests to on-premises AD, no directory data stored in the cloud
- Simple AD: standalone Samba-based directory for small workloads that need basic AD features
cloud directory
directory based store for developers
load balancers
application load balancer: most features (layer 7)
network load balancer: high performance (layer 4)
classic load balancer: legacy
x-forwarded-for: header carrying the user's public IP address
load balancers exist in the AZs you enable
listeners: check for connection requests (e.g. HTTP on a port)
target groups: registered instance or IP targets
sticky sessions
bind users session to specific instance
cross zone load balancing
make sure to balance across az’s, number of instances can differ in each az
path patterns
path based routing using load balancers
auto scaling
auto scaling group: group of instances
configuration templates: instructions on what to launch
scaling options: how you scale your group
auto scaling options
maintain current instance levels
manually
on a schedule
based on demand (reactive)
based on predictions (proactive)
HA Architecture
plan for failure
server migration service
agentless service that migrates on-premises virtual machines (VMware, Hyper-V) to AWS
application discovery service
gathers information about on premises data centers
sqs
maximum visibility timeout 12 hours. long polling: ReceiveMessage waits up to 20 seconds for a message to arrive instead of returning an empty response immediately, reducing empty responses and cost