TowardsAWS Cheat Sheet Flashcards
Virtual Private Cloud (VPC) and Networking
VPCs can span multiple availability zones in a single region and can contain several public and private subnets
A public subnet is one whose route table contains a route to an internet gateway (which you need to create and attach to the VPC yourself)
A private subnet generally has no direct internet access because its route table has no route to an internet gateway
If outbound internet access is needed, you must run a NAT Gateway or NAT Instance in a public subnet, add a 0.0.0.0/0 route from the private subnet to it, and allow the traffic in the relevant Security Groups and Network ACLs
If you need SSH access from the internet to a resource in a private subnet, set up a bastion host in a public subnet and configure your Security Groups and Network Access Control Lists accordingly: allow port 22 to the bastion only from trusted addresses, and allow port 22 on the private instance only from the bastion's security group
Disaster Recovery Plans
Backup and Restore
Self-describing; has the highest RTO and RPO but the lowest cost
Pilot Light
Storing critical systems as a template from which resources can be scaled out in the event of a disaster.
With this, you replicate your data from one Region to another and provision a copy of your core workload infrastructure.
Resources required to support data replication and backup, such as databases and object storage, are always on.
Other elements such as application servers are loaded with application code and configurations but are switched off and are only used during testing or when DR failover is invoked.
Pilot Light approach minimizes the ongoing cost of DR by minimizing the active resources, and simplifies recovery at the time of a disaster because the core infrastructure requirements are all in place
Warm Standby
A duplicate version of only your business critical systems that are always running, in case you need to divert workloads to them in the event of a disaster
This approach ensures there is a scaled down but fully functional copy of your production environment in another Region.
This approach extends the pilot light concept and decreases the time to recovery because your workload is always on in another Region
Multi Site
Self-describing; has the lowest RTO and RPO but the highest cost
This is a one for one replication of your production environment.
It is truly fault tolerant
Recovery Time Objective
The maximum acceptable time needed to bring services back online after a major incident
Recovery Point Objective
The maximum acceptable data loss, measured as the time between the last usable recovery point and the incident
Route Tables
Rules that determine how traffic is routed within your VPC and out of it
Each route has a destination and a target, e.g. 0.0.0.0/0 (CIDR destination) and igw-1234567890. 0.0.0.0/0 matches every IPv4 address, but the most specific matching route wins, so VPC-internal traffic still follows the local route and only the remaining traffic is sent to the Internet Gateway.
Associated with one or more subnets
There is a default route table (the main route table) which is associated with each newly created subnet as long as you don't associate one yourself
The main route table can't be deleted
You can add, modify and remove routes in this table (the local route for the VPC CIDR can't be removed)
A subnet can only be associated with one route table at a time
The same route table can be associated with multiple subnets
Route tables can also be associated with your Virtual Private Gateway or Internet Gateway (gateway route tables) so you can define how traffic entering your VPC is routed
Your VPC always has an implicit router, to which your route tables are attached
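The longest-prefix rule above is easiest to see by running it. This is an added example, not code from the cheat sheet: it builds constructed route tables for a VPC using 10.0.0.0/16 (the igw-, nat- and pcx- identifiers are placeholders, not real AWS resource IDs), resolves a few destinations the way the VPC router would, and checks which table makes a subnet "public" in the sense used above.

```python
import ipaddress

# Constructed route tables for a VPC using 10.0.0.0/16 (not from the cheat sheet);
# the igw-/nat-/pcx- identifiers are placeholders, not real AWS resource IDs.
PUBLIC_ROUTES = [
    ("10.0.0.0/16", "local"),         # VPC-internal traffic; present in every table
    ("10.1.0.0/16", "pcx-0a1b2c3d"),  # peered VPC (a matching route is needed on the other side too)
    ("0.0.0.0/0",   "igw-0f9e8d7c"),  # everything else leaves via the internet gateway
]
PRIVATE_ROUTES = [
    ("10.0.0.0/16", "local"),
    ("10.1.0.0/16", "pcx-0a1b2c3d"),
    ("0.0.0.0/0",   "nat-0123abcd"),  # outbound-only internet via a NAT gateway
]
ISOLATED_ROUTES = [("10.0.0.0/16", "local")]  # no default route at all


def resolve(route_table, dst_ip):
    """Pick the target for dst_ip the way the VPC router does: the most
    specific (longest prefix) matching route wins, so 0.0.0.0/0 only catches
    traffic that no narrower route claims. Returns None when nothing matches,
    which means the packet is dropped."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def is_public_subnet(route_table):
    """A subnet is 'public' exactly when its route table sends traffic to an
    internet gateway; a NAT gateway target does not make it public."""
    return any(target.startswith("igw-") for _, target in route_table)


if __name__ == "__main__":
    for dst in ("10.0.5.4", "10.1.2.3", "8.8.8.8"):
        print(dst, "public ->", resolve(PUBLIC_ROUTES, dst),
              "| private ->", resolve(PRIVATE_ROUTES, dst),
              "| isolated ->", resolve(ISOLATED_ROUTES, dst))
    print("public subnet?", is_public_subnet(PUBLIC_ROUTES), is_public_subnet(PRIVATE_ROUTES))
```

Note that 10.0.5.4 never reaches the internet gateway even though 0.0.0.0/0 contains it: the /16 local route is more specific and wins.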
Virtual Private Gateway (VGW)
Needed if you want to connect your AWS VPC with an on-premises network over a Site-to-Site VPN (or AWS Direct Connect)
Network Access Control List
Operate at the subnet level and are stateless
They can define both deny and allow rules; rules are evaluated in ascending rule-number order and the first match wins, with an implicit deny for anything unmatched
The default NACL allows all traffic on all ports in both directions; a custom NACL you create denies everything until you add rules
Return traffic must be explicitly allowed, typically by allowing the ephemeral port range (1024-65535) in the opposite direction
Security Groups
Operate at the instance (ENI) level and are stateful
They define only allow rules; anything not allowed is dropped
The default security group allows members of the group to communicate with each other, allows all outgoing traffic and blocks all other incoming traffic
Return traffic is implicitly allowed
SGs can be attached to or removed from EC2 instances at any time (the instance does not need to be stopped or terminated)
Rule sources are CIDR ranges, another security group ID, or a prefix list, never a bare IP address
If you want to allow a single IP, define it as a CIDR range whose subnet mask covers only that address (/32)
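The difference between the stateless NACL and the stateful security group is where most bastion setups go wrong: SSH gets in, but the replies never get out. This is an added example, not code from the cheat sheet. It models a private instance (10.0.1.0/24) reached from a bastion at 10.0.0.10 in the public subnet (10.0.0.0/24); the NACL rules, the sg-bastion/sg-other IDs and the explicitly blocked host 10.0.0.99 are all constructed for the example.

```python
import ipaddress

EPHEMERAL = (1024, 65535)   # port range clients pick their reply port from

# ---- Network ACL of the private subnet: stateless, checked in rule-number
# ---- order, first match wins, anything unmatched hits the implicit "*" deny.
# Constructed rules: 10.0.0.0/24 is the public subnet with the bastion;
# 10.0.0.99 is an example host you want to block explicitly.
NACL_IN = [
    (90,  "deny",  "10.0.0.99/32", (22, 22)),  # lower number, so evaluated first
    (100, "allow", "10.0.0.0/24",  (22, 22)),  # SSH from the public subnet
]
NACL_OUT_OK = [(100, "allow", "0.0.0.0/0", EPHEMERAL)]   # lets SSH replies leave
NACL_OUT_BAD = []                                       # forgot the ephemeral rule

# ---- Security group on the private instance: stateful, allow rules only.
# A source is either a CIDR or another security group's ID (constructed IDs).
SG_PRIVATE = [("sg-bastion", (22, 22))]          # only members of the bastion's SG
SG_PRIVATE_CIDR = [("10.0.0.10/32", (22, 22))]   # the /32 form described above


def nacl_allows(rules, ip, port):
    """Stateless check of one packet against one direction of a NACL.
    Inbound rules match the source IP, outbound rules match the destination IP."""
    addr = ipaddress.ip_address(ip)
    for _num, action, cidr, (lo, hi) in sorted(rules, key=lambda r: r[0]):
        if addr in ipaddress.ip_network(cidr) and lo <= port <= hi:
            return action == "allow"
    return False   # implicit deny


def sg_allows(rules, src_ip, src_sg, port):
    """Inbound security-group check; there is no deny, just 'no rule matched'."""
    addr = ipaddress.ip_address(src_ip)
    for source, (lo, hi) in rules:
        if not lo <= port <= hi:
            continue
        if source.startswith("sg-"):
            if source == src_sg:
                return True
        elif addr in ipaddress.ip_network(source):
            return True
    return False


def ssh_session_ok(client_ip, client_sg, nacl_in, nacl_out, sg_in, client_port=51234):
    """Does an SSH session from the client reach the private instance AND get
    its replies back? The NACL must allow the request in (dport 22) and the
    reply out (dport = client's ephemeral port) separately; the security group
    only needs the request, because its connection tracking admits the reply."""
    request_passes_nacl = nacl_allows(nacl_in, client_ip, 22)
    reply_passes_nacl = nacl_allows(nacl_out, client_ip, client_port)
    request_passes_sg = sg_allows(sg_in, client_ip, client_sg, 22)
    return request_passes_nacl and reply_passes_nacl and request_passes_sg


if __name__ == "__main__":
    print("bastion, correct NACL :", ssh_session_ok("10.0.0.10", "sg-bastion", NACL_IN, NACL_OUT_OK, SG_PRIVATE))
    print("bastion, no ephemeral :", ssh_session_ok("10.0.0.10", "sg-bastion", NACL_IN, NACL_OUT_BAD, SG_PRIVATE))
    print("other SG              :", ssh_session_ok("10.0.0.10", "sg-other", NACL_IN, NACL_OUT_OK, SG_PRIVATE))
    print("blocked host 10.0.0.99:", ssh_session_ok("10.0.0.99", "sg-bastion", NACL_IN, NACL_OUT_OK, SG_PRIVATE))
```

The second case is the classic symptom of a stateless ACL: the request is accepted and the security group is satisfied, yet the session hangs because the reply on the ephemeral port is dropped on its way out of the subnet.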
VPC Endpoints
Needed to reach AWS services that are not part of your VPC without sending the traffic over the internet
There are different types: Gateway Endpoints, which exist for DynamoDB and S3 and are added as targets in a route table, and Interface Endpoints, which are powered by AWS PrivateLink and cover most other services
NAT Gateway & Instance
Needed to connect to the public internet from your private subnets (outbound only; inbound connections from the internet are not possible through NAT)
There are two different types:
NAT Instance - an EC2 instance managed by the user, with no auto scaling by default (its source/destination check must be disabled)
NAT Gateway - AWS-managed gateway that scales based on demand, requires less administration and has higher availability than a NAT instance
VPC Peering
VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses
Instances in either VPC can communicate with each other as if they are within the same network
Also possible to connect with VPCs in other accounts or Regions; the CIDR ranges must not overlap, and peering is not transitive (A-B and B-C do not give A-C)
Transit Gateway
This connects your VPCs and on premises networks through a central hub.
This simplifies your network and replaces a mesh of complex peering relationships
Transit Gateway acts as a highly scalable cloud router - each new connection is made only once
Elastic IP addresses
This is a static public IPv4 address allocated to your AWS account in a specific Region.
Unlike an auto-assigned public IP address, an Elastic IP address is preserved after you stop and start your instance in a VPC
Amazon Machine Image (AMI)
This is an image, provided by AWS, the AWS Marketplace or created by yourself, that provides the information required to launch an instance
You can launch multiple instances from a single AMI when you require multiple instances with the same configuration
Contains launch permissions (which AWS accounts may use the AMI) and a block device mapping that specifies the volumes to attach to the instance at launch
Can be either EBS backed or Instance Store backed
Contains one or more EBS snapshots, or for instance store backed AMIs a template for the root volume (OS, app server, applications etc.)
Elastic File System (EFS)
Network file system (NFS) that can be mounted by many instances at the same time
Good for sharing data with multiple instances
Can also be attached to Lambda functions
You pay for the storage in use and, depending on storage class and throughput mode, for data accessed or throughput provisioned; no capacity has to be reserved up front
Different modes
General Purpose Performance Mode - for low latency requirements
Max I/O performance mode - for high IOPS requirements, i.e. big data or media processing; has higher latency than General Purpose mode
Elastic Block Storage (EBS)
Block storage volume, presented to the instance as a raw disk on which you create a file system
Can't be used by several instances at the same time; it is attached to one instance (not a network file system; Multi-Attach exists only for io1/io2 volumes within one AZ)
You can take snapshots of it
If the EBS volume is the root volume, by default it will be deleted when the instance gets terminated
Non-root volumes are not deleted when the instance gets terminated (DeleteOnTermination is false by default for them)
Created in a single Availability Zone and can only be attached to instances in that AZ
For high availability/DR you need snapshots; they are stored in S3 and can be copied to other AZs or Regions
Pricing is for provisioned storage capacity (plus provisioned IOPS/throughput where applicable), not per transferred data
Cold HDD (sc1) - lowest cost, designed for less frequently accessed workloads; up to 250 IOPS
Throughput Optimized HDD (st1) - low cost, designed for frequently accessed, throughput-intensive workloads
Instance Store
This provides temporary block level storage for your instance
This storage is located on disks that are physically attached to the host computer
Ephemeral Storage
Gets deleted when the instance is stopped, hibernated or terminated, or when the underlying disk fails
Use only for a session or cached data
Very high IOPS
Placement Groups
This is a logical grouping of instances that influences how they are placed on the underlying hardware; a cluster placement group is limited to a single Availability Zone and benefits from low network latency and high network throughput
Spread - each instance is placed on distinct underlying hardware (separate racks); can span Availability Zones; for high availability of a small number of critical instances
Cluster - instances are packed close together in a single AZ for high network bandwidth and low latency
Partition - instances are divided into partitions that do not share racks, so you get both: fault isolation between partitions and many instances per group, as used by large distributed systems
Auto Scaling Policies
This monitors your applications and automatically adjusts capacity to maintain steady, predictable performance at the lowest possible cost.
Can't span multiple Regions (an Auto Scaling group can span multiple AZs within one Region)
Different types of policies are available
Target tracking: choose a scaling metric and a target value such as CPU utilization
EC2 Auto Scaling will take care of creating the CloudWatch alarms that trigger the policy to scale
You can define an instance warm-up time during which a new instance's metrics are not counted toward the target (if your instances spike to 100% CPU while starting, you don't want to scale out because of that utilization)
Route 53
This is a scalable and highly available Domain Name System (DNS) service
Fully managed by AWS
Key Management Service (KMS)
Key Management Service gives you centralized control over the cryptographic keys used to protect your data.
The service is integrated with other AWS services making it easier to encrypt data you store in these services and control access to the keys that decrypt it
Encryption of AMIs and EBS volumes
Encrypted AMIs and EBS snapshots can be shared even across the AWS account boundary by adding the target accounts as key users in the key policy of the KMS key (only customer managed keys; resources encrypted with AWS managed keys can't be shared)
It is natively integrated with other services like SQS, S3 or DynamoDB to easily encrypt data
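What "adding the target accounts as key users" looks like in practice is a key policy on the customer managed key. This is an added example, not code from the cheat sheet: it generates such a policy for constructed account IDs (111111111111 as owner, 222222222222 and 333333333333 as consumers, all placeholders) and includes a deliberately simplified reviewer helper that lists which accounts a given kms: action is granted to.

```python
import fnmatch
import json

# Constructed account IDs for illustration; replace with real ones.
OWNER = "111111111111"
CONSUMERS = ["222222222222", "333333333333"]


def cross_account_key_policy(owner_account, consumer_accounts):
    """Key policy for a customer managed KMS key: the owning account keeps full
    control, the consumer accounts get the 'key user' actions needed to read an
    encrypted snapshot/AMI and to let EC2 attach volumes built from it (grants).
    Each consumer account must additionally grant the same kms: actions to its
    own IAM principals; the key policy alone does not authorize anyone there."""
    consumers = [f"arn:aws:iam::{a}:root" for a in consumer_accounts]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableOwnerAccountPermissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{owner_account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowUseOfTheKey",
                "Effect": "Allow",
                "Principal": {"AWS": consumers},
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                           "kms:GenerateDataKey*", "kms:DescribeKey"],
                "Resource": "*",
            },
            {
                "Sid": "AllowAttachmentOfPersistentResources",
                "Effect": "Allow",
                "Principal": {"AWS": consumers},
                "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
                "Resource": "*",
                # Only AWS services acting for the consumer (e.g. EC2 attaching an
                # encrypted volume) may create grants, not arbitrary IAM users.
                "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
            },
        ],
    }


def accounts_granted(policy, action):
    """Account IDs (via their :root principal) that Allow statements grant
    `action` to. Simplified on purpose: ignores Deny, Conditions and any
    non-account principal, so use it as a review aid, not as an authorizer."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        principals = stmt["Principal"]["AWS"]
        principals = principals if isinstance(principals, list) else [principals]
        granted.update(arn.split(":")[4] for arn in principals)
    return granted


if __name__ == "__main__":
    policy = cross_account_key_policy(OWNER, CONSUMERS)
    print(json.dumps(policy, indent=2))
    print("can decrypt        :", sorted(accounts_granted(policy, "kms:Decrypt")))
    print("can delete the key :", sorted(accounts_granted(policy, "kms:ScheduleKeyDeletion")))
```

The check worth keeping in a review is the last one: consumer accounts should be able to decrypt and create grants, but never schedule deletion or change the key policy; if a consumer shows up for kms:ScheduleKeyDeletion, someone gave it kms:* instead of the key-user actions.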