AWS Architect Associate Blog
EC2
General purpose SSD has a maximum of 10,000 IOPS.
It is possible to detach a non-root volume from a running EC2 instance.
An EC2 placement group determines how instances are placed relative to each other. In cluster mode, they are placed close together to reduce latency inside a single AZ. In spread mode, they are placed on different underlying hardware (and potentially in different AZs).
It is impossible to migrate Reserved Instances across regions, but possible across AZs.
EC2 uses Xen hypervisor.
There are 2 virtualization types for EC2: Paravirtual (PV, older) and Hardware Virtual Machine (HVM, newer).
HVM provides a completely virtualized environment for the OS (which is unaware of being a VM), while PV requires kernel modifications but offers better performance (especially for I/O).
It is possible to sell your remaining Reserved Instances on the Reserved Instance Marketplace.
A Golden image refers to an AMI that has been constructed from a
customized image.
The maximum ratio of IOPS to volume size is 50:1 (8Gb:400IOPS).
All EBS volumes are stored in a single Availability Zone; EBS snapshots are stored on S3 in the same region as the instance. You can then enable cross-region replication.
From AWS doc, massively parallel computations should be done on
spot instances.
VM Import/Export enables customers to import Virtual Machine
(VM) images in order to create Amazon EC2 instances.
An EC2 instance can launch the User Data script at boot to
download the latest version of your app.
It is not possible to encrypt an EBS volume once mounted.
EC2 supports 2 block devices: Instance store volumes and EBS.
To choose an EC2 instance type, you basically need to know both
memory and I/O requirements.
In order to sell the Reserved Instance on the RI Marketplace,
you need to terminate them first (stop is not enough).
An ENI (Elastic Network Interface) is a virtual network
interface that you can attach to an instance in a VPC while running (hot
attach), while stopped (warm attach) or while being launched (cold attach).
An EBS volume can still be used while the snapshot is in
progress.
Maximum size of an EBS Provisioned IOPS SSD volume is 16TiB.
There is a limit of 20 EC2 instances per region.
VPC
A NAT Gateway can only be deployed in a public subnet.
An account can create a maximum of 5 VPCs per region by default.
Inside a VPC, an instance does not retain its private IP.
Inside a VPC, a subnet is public if it has an Internet Gateway.
A VPC can assign DNS names to instances by configuration.
Auto-assign public IP feature is available per subnet (not VPC
scope).
To protect your VPC against remote attacks, use Network ACLs to deny IPs.
There are 3 options available when creating a VPC with the
wizard: Public & Private subnets and Hardware VPN Access.
An Internet Gateway is a logical connection between a VPC and the Internet. It does not limit bandwidth. If a VPC does not have an IGW, it can NOT be accessed from the Internet.
A NAT Instance is an EC2 instance configured to forward traffic to the Internet. Instances in a private subnet can access the Internet if a route to the NAT Instance is configured in the routing table.
A NAT Gateway is the fully managed version of a NAT Instance.
For a network error while connecting to an EC2 instance, check 1. the username and 2. that the correct private key from the key pair used at creation is in use.
In VPC network, Network ACL acts as a firewall for both inbound
and outbound traffic at the subnet level.
An ENI (Elastic Network Interface) is an additional network interface assigned to an EC2 instance in a VPC; it can include the primary private address.
If a VPC has dedicated instance tenancy, all instances created in it inherit that tenancy and are created as Dedicated Instances.
A Virtual Private Gateway is a device/software application on the customer side of a VPN connection.
When we create VPC with the gateway using the wizard in the
console it updates route table automatically.
5 Virtual Private Gateways are allowed per region.
200 subnets are allowed per VPC.
5 VPCs are allowed per region.
Autoscaling and ELB
An ELB is not accessible from the Internet by default. To get public access, you need an Internet Gateway and a properly set up route table.
It is impossible to update a launch configuration of an ASG once created. To update, create a new one and point the ASG at the new launch configuration.
The 3 types of ASG scaling are Manual Scaling (update by hand), Scheduled Scaling (based on time of the week = predictable) and Dynamic Scaling (based on resources such as CPU).
CloudFront and ELB offer TLS cipher suites that provide Perfect Forward Secrecy.
ELB has its own access logs, which need to be enabled. They are not in CloudWatch.
ELB has 2 components, load balancers and controllers; the controller is responsible for monitoring load.
Storage
To connect to S3 securely, use an S3 VPC endpoint.
There is a limit of 100 S3 buckets per account.
To enable cross-region replication for S3 buckets, Versioning
must be enabled on both source and destination buckets.
Glacier has 3 types of data retrieval: Expedited (minutes),
Standard (hours) and Bulk (less than a day).
To maximize S3 performance, use a random string as a prefix for each key.
S3 RRS has 99.99% for durability and availability.
Direct Connect is NOT an encrypted connection to S3.
AWS Storage Gateway allows integrating on-premises IT environments with cloud storage.
On AWS Storage Gateway:
> Cached Volumes: the data is stored in S3 and a copy of frequently accessed data is stored on local gateway storage, from 1 GB up to 32 TB of iSCSI storage. This saves cost on primary storage while keeping low latency for frequently accessed data (storage extension).
> Stored Volumes: if you need low latency for all of your data, it is stored locally (with asynchronous backups to S3). Data gets backed up as EBS snapshots and stored in an S3 bucket. The gateway uploads the data to the cloud for cost-effective backup and rapid disaster recovery.
ref: https://docs.aws.amazon.com/storagegateway/latest/userguide/StorageGatewayConcepts.html#volume-gateway-concepts
Do not confuse AWS Import/Export with Direct Connect; the first one is used to accelerate transferring large amounts of data in and out of AWS, bypassing the Internet.
Maximum size of a multipart upload on S3 is 5 TB.
To protect S3 content behind CloudFront, you can either use S3 signed URLs or use an Origin Access Identity (OAI) for CloudFront.
Glacier archives are immutable.
ECS
An ECS cluster can be launched with 2 launch types:
- Fargate Launch Type, when ECS runs serverless
- EC2 Launch Type, when the cluster is launched on EC2 instances.
EFS
There are additional charges for EFS File Sync: a pay-as-you-go model per GB of data copied to EFS.
EFS File Sync can be monitored using CloudWatch.
Default throughput burst rate of EFS is 50KB/sec per GB.
Beyond the default throughput burst of EFS, there is an optional provisioned throughput mode.
You mount EFS on instances in only one VPC at a time; both EFS and the VPC must be in the same AWS region.
An inbound rule for NFS port 2049 must be added on the mount target's security group for the EC2 instance to communicate with it.
VPC peering within a single AWS region works for EFS only for C5 and M5 instances.
Encryption of EFS can be configured only at creation time.
EFS supports 2 performance modes:
- General Purpose performance mode (default): best for web servers, content servers, general file servers, and home directories.
- Max I/O performance mode: best for parallelized applications such as big data, media processing, etc.; it comes with the trade-off of slightly higher latency for file operations.
Route53
Route53 provides, in addition to routing (DNS), a registration service and health checks.
Route53 supports Multivalue Answers to randomly return one out of many resources.
Route53 can be used for failover between an on-premise and an AWS environment.
CNAME failover of an RDS instance is handled by Route53.
An Alias record in Route53 allows mapping the zone apex to the DNS name of:
1. an ELB. Route 53 supports alias records for three types of load balancers: Application Load Balancers, Network Load Balancers, and Classic Load Balancers.
2. an S3 bucket.
3. a CloudFront distribution, using CF endpoints.
4. an Elastic Beanstalk DNS name,
5. an API Gateway DNS name,
6. a VPC endpoint.
We can enable DNS failover to ELB endpoints by creating an alias record pointing to the ELB and setting the Evaluate Target Health parameter to true.
We can associate a health check with any Route 53 record type except SOA and NS records.
We can configure the endpoint of a Route53 DNS failover to an on-premise datacenter outside AWS.
The health check interval defaults to 30 min, which can be configured to a fast-interval health check with a 10 sec interval; it disables the resource records for failed endpoints and no longer serves the
The default threshold is 3 health checks for an endpoint to be marked as failed, which can be configured between 1 and 10.
RDS
RDS secondary instances can NOT be used as standalone read instances.
It is possible to pre-provision up to 30,000 IOPS per database instance on RDS.
RDS default retention period is 35 days.
SQL Server maximum size is 300Gb.
The RDS secondary receives synchronous replication while Read Replicas are asynchronous.
Oracle DOES NOT support read replicas (SQL Server, PostgreSQL and MySQL do).
SQL Server DOES NOT support HA/Failover (Oracle, PostgreSQL and MySQL do).
Database caching can be done on AWS ElastiCache to reduce the number of queries.
Redshift is not designed to handle high concurrency workloads.
Use RDS instead.
To reduce costs, disable unnecessary manual snapshots.
Aurora supports MySQL and PostgreSQL engines.
On RDS, make sure that the underlying instance supports
encryption.
A Read Replica can be launched in a different region from the DB cluster.
RDS Multi-AZ failover is done through a DNS health check (the CNAME is changed from primary to standby).
RDS automatically switches to the standby in a different AZ if we have enabled Multi-AZ deployment.
In DynamoDB, a local secondary index scan covers the entire table including all partitions.
DynamoDB performs a table scan sequentially by default, in 1 MB increments.
The RDS standby database instance should be in the same Region but not the same AZ (it is automatically provisioned in a different AZ from the primary instance).
S3 and DynamoDB store data in key-document pair format.
RDS automated backup retention period is 1 day at no cost.
The events that would cause RDS failover are:
- Loss of availability of the primary AZ
- Loss of network connectivity of the primary AZ
- Compute node failure in the primary
- Storage failure in the primary.
Amazon RDS provides two different methods for backing up and
restoring your DB Instance(s): automated backups and database snapshots.
Updates are applied to your Read Replica(s) after they occur on
the source DB Instance using “asynchronous” replication.
Read Replicas are supported by MySQL, MariaDB, Aurora and PostgreSQL. We can have a Multi-AZ copy of a read replica.
Under normal circumstances, all automatic backups of an RDS instance are deleted upon termination. However, it is possible to create a final DB Snapshot upon deletion. If you do, you can use this DB Snapshot to restore the deleted DB Instance at a later date. Amazon RDS retains this final user-created DB Snapshot along with all other manually created DB Snapshots after the DB Instance is deleted.
Automated backups are deleted when the RDS DB instance is deleted. Only manually created DB Snapshots are retained after the DB Instance is deleted.
We can encrypt a previously unencrypted database by first creating a snapshot of the database, creating a copy of the snapshot and specifying the KMS key, and later restoring the encrypted database from the encrypted snapshot.
To automatically failover from one geographic location to another you should use Multi-AZ for RDS.
For infrequent I/O database workloads, the cost-effective way is to use RDS Magnetic Storage.
We can't copy a KMS-encrypted backup of an RDS MySQL database to a different region, as KMS is a regional service, so we can't copy encrypted things across regions.
Read Replica support for RDS --> 5 per master; Aurora --> 15 per master.
Way to store user preferences of size 20k in DynamoDB with defined WCU, RCU.
DynamoDB --> a local secondary index can only be created at the time of creating a table; we can have only 1 local secondary index.
Enable DynamoDB autoscaling to improve throughput.
For the RDS MySQL, MariaDB, PostgreSQL and Oracle database engines, when you select to convert your RDS instance from Single-AZ to Multi-AZ, the following happens:
- A snapshot of your primary instance is taken,
- A new standby instance is created in a different Availability Zone,
- From the snapshot, synchronous replication is configured between primary and standby instances.
In a Multi-AZ deployment, RDS automatically provisions and
maintains a synchronous standby replica in a different Availability Zone.
The primary DB instance is synchronously replicated across
Availability Zones to a standby replica to provide data redundancy, eliminate
I/O freezes, and minimize latency spikes during system backups. Running a DB
instance with high availability can enhance availability during planned system
maintenance and help protect your databases against DB instance failure and
Availability Zone disruption.
The primary DB instance switches over automatically to the
standby replica if any of the following conditions occur: An Availability Zone
has an outage. The primary DB instance fails. The DB instance’s server type is
changed. The operating system of the DB instance is undergoing software
patching. A manual failover of the DB instance was initiated using Reboot with
failover.
SQS
SQS default retention is 4 days, configurable between 1 min and 14 days. Messages get deleted once the retention limit is exceeded. Message size can be from 1 KB to 2 GB.
SQS short polling returns right away even if the response is empty. Long polling waits for a new message (or the long-polling timeout).
The visibility timeout is a period of time during which Amazon SQS prevents other consuming components from receiving and processing a message.
We can delete all messages in an SQS queue using the PurgeQueue action. When we purge a queue, all messages previously sent to the queue are deleted.
FIFO queue: at-least-once delivery, and duplicate messages produced get deleted. Queue names end with .fifo
Standard queue: may deliver duplicate messages.
The type of queue can only be selected at the time of its creation.
SSE ensures the encryption of messages.
It can be a good idea to put SQS in front of DynamoDB (with an EC2 worker) to better handle spikes and avoid exceeding DynamoDB capacity.
IAM and AWS Security
AWS Trusted Advisor can be used to monitor AWS service limits
(EIP...) in addition to best security practices.
AWS Trusted Advisor gives information about Performance, Cost
Optimizations, Security and Fault Tolerance.
Managing different levels of permissions for users on API
Gateway is done through IAM Users permissions.
It is possible to TAG EC2 instances to have more granularity when granting IAM permissions.
You can assign an IAM role per container task on ECS.
CloudTrail logs are encrypted on S3 with SSE by default.
CloudTrail can capture low level DynamoDB requests.
AWS Config is a service that enables you to assess, audit, and
evaluate the configurations of your AWS resources.
Elastic Beanstalk
Elastic Beanstalk can be used to create Web Server and Worker
environments.
Elastic Beanstalk updates by having a duplicate environment with the updates ready before swapping.
Elastic Beanstalk is a PaaS-like layer on top of AWS which abstracts away the underlying EC2 instances, ELB, ASG... It is made for developers who do not want to deal with systems.
CloudFormation is simply a way to define all the resources needed in a huge JSON file (great to reduce cost and for backup recovery).
EMR
AWS EMR is a hosted Hadoop service that allows running big data analysis using Apache Hadoop and Apache Spark.
EMR has 3 types of node:
- Master node = node that hosts the software and distributes data across nodes; it also monitors the health of slave nodes
- Core node = node which has software components that run the tasks and store data in HDFS (Hadoop Distributed File System)
- Task node = node which has a software component which runs only tasks.
The EMR master node is launched into a security group that allows Secure Shell (SSH) and service access, while the slave nodes are launched into a separate security group that only permits communication with the master node.
When launching EMR, the instance type, the number of nodes and the Hadoop version of the cluster are required.
Use cases are:
- Log processing- to process logs
- Clickstream analysis
- Genomics and life science dataset processing.
Global
AWS public datasets are free (e.g. a human genome).
Publishers, subscribers, and topics are a feature of SNS. You have subscribers to an Amazon SNS topic, not readers.
CloudWatch retention period for a 1-minute data point is 15 days.
CloudWatch can monitor a VPN endpoint using the TunnelState metric.
The only metric that CloudWatch does not report is Memory.
When mentioning disaster recovery, do not think
high-availability but failover instead.
SWF might require human interaction to proceed.
To sign in to account 1234, use 1234.signin.aws.amazon.com/console.
You are charged for all unused EIPs (attached to stopped instances, for example).
Kinesis retention periods are 24 hours by default but can be
extended to 7 days.
Active Directory service can redirect traffic to the customer's hosted AD.
On AWS KMS, you still manage the master key, which is not the
case with S3 SSE.
To reduce cost on easily reproducible data (only!!), it's
possible to cancel automated and manual snapshots.
An AMI must be completely copied (not shared) to a different
region.
General
There is no charge for using a CloudFormation template.
We can use the TCP protocol to connect to the load balancer from the client.
Amazon DevPay and FPS are payment services of AWS.
S3 is a cost-effective, durable and scalable data storage service.
Maintaining 2 snapshots, 1 original and another incremental, gives the lowest cost of EBS snapshot storage.
Versioning is mandatory in an S3 bucket for using Life-cycle management policies.
For fault tolerance, EC2 instances should be placed equally in all AZs for ELB to work.
ELB works within AZs and not across regions.
The AWS CloudFormation list stacks command prints all stacks created/deleted in the past 90 days.
CloudFormation is a JSON-based template for AWS infrastructure as code, and can be used to duplicate an architecture.
The security group of an EC2 instance acts as a local firewall which can be configured to ensure EC2 accepts incoming connections only from the ELB.
20 EC2 instances per region, which can be increased.
A single Internet Gateway can be attached to a VPC at a time.
In CloudFront, we set the origin S3 bucket or HTTP server as a
configuration setting.
Reserved instance payment mode: Partial, full, no upfront
The bucket name *always* comes first, and "s3-website" followed by the Region *always* comes next: myawsbucket.s3-website.us-west-2.amazonaws.com
SWF workflow ensures the actions are executed at least once.
"EBS Volumes cannot be attached to an EC2 instance in another AZ."
/28 is the smallest possible subnet in an AWS VPC.
SSD volumes must be between 1 GiB - 16 TiB.
EC2 and ELB require more attention while configuring an HA solution.
Secure transfer of data from an AWS VPC to the on-premise network can be achieved with AWS VPN.
Data encryption at rest can be implemented with S3 server-side encryption and EBS encryption.
Enable CloudTrail on ELB for logging API calls at the ELB level.
Failed, incomplete multipart uploads on S3 can be deleted by expiring them with S3 life-cycle policies.
Multipart Upload is recommended for files greater than 100 Mb
and is required for files 5 GB or larger. S3 Transfer Acceleration is
especially useful in cases where your bucket resides in a Region other than the
one in which the file transfer was originated.
S3 - IA is 99.9% available.
Each snapshot comes with a unique identifier, and we can create a volume from any of the existing snapshots stored on S3.
Once an EC2 instance is terminated, CloudWatch stores its metrics for 2 weeks.
EC2 instance types:
General purpose: A, T, M
Compute-optimized: C
Memory-optimized: R, X, Z
Accelerated computing: P, G, F
Storage-optimized: H, I, D
DynamoDB and S3 use key-value pairs.
SQS FIFO queues preserve the exact order in which messages are sent and received.
Standard SQS queues provide at-least-once delivery, but no guarantee against duplicate messages.
SQS visibility timeout is a period of time during which Amazon
SQS prevents other consuming components from receiving and processing a
message.
A target tracking scaling policy allows setting a threshold for the EC2 instances within the Auto Scaling group behind the ELB, e.g. configured so that EC2 instances always run at 60% CPU utilization.
Using a Network ACL, we can deny certain traffic to and from the instances running in a VPC.
Kinesis Firehose --> creating a data lake in AWS and using batch jobs on the data lake. Amazon S3, Amazon Redshift, and Amazon Elasticsearch Service are the three possible destinations for Amazon Firehose data.
Kinesis Analytics --> has the ability to transform data during ingestion.
Kinesis Data Streams --> S3, DynamoDB, Redshift; retain data for 7 days.
Kinesis --> analyze access, application and security logs in one system in real time.
Amazon CloudFront can be integrated with AWS WAF (Web Application Firewall) for protection against DDoS attacks.
EBS volumes replicate within their Availability Zone to protect the application/EBS from component failure; this provides 99.999% availability.
Autoscaling is not intended to handle a sudden spike in web
traffic.
Event Driven Architecture: Cognito, S3, SQS, SNS, Lambda
EFS --> Concurrent connection/ mount from multiple EC2
Instances.
In a VPC, the instance does not retain its private IP if rebooted.
Big data analysis on S3 platform --> S3 Select, Athena,
Redshift Spectrum.
S3 select--> way to query, analyze and process data from S3
bucket.
Athena --> Analyze data in S3 bucket using standard SQL
Redshift spectrum --> Execute SQL query in S3.
Enable CRR to copy data across AZs.
Use Cross-Region Snapshot Copy for a Redshift cluster to maintain a standby cluster.
Public subnet --> Subnet associated with Route table route to
Internet Gateway.
Data on the root volume gets deleted if the instance is terminated, for an instance store-backed AMI/EC2 instance.
X-Ray --> for tracing API gateway and Lambda events.
Amazon Glue --> ETL tool
CloudWatch --> logging of various AWS services, detecting errors while executing Lambda code
CloudTrail --> records all API calls to all AWS services, including which user/application, when and from what IP address
Config --> records changes of resources in an S3 bucket once we set configuration rules to comply with, and tracks whether resources comply with those rules.
NAT gateway --> Solution for connecting instances to connect
internet for downloading patches; egress only internet gateway; outbound only
internet connection.
API keys, MFA, roles --> ways to secure cloud infrastructure.
CloudWatch metric retention period: less than 60 sec --> 3 hours; 60 sec --> 15 days; less than 5 min --> 63 days; 1 hour --> 15 months.
Scalable website --> RDS with Multi-AZ, autoscaling
Trusted Advisor --> CPFSS: cost optimization, performance, fault tolerance, security, service limits.
Connecting on-premise to AWS --> IPsec VPN tunnel, Direct Connect, VPN CloudHub.
Elastic Cache
ElastiCache (Redis, Memcached) reduces latency of requests to AWS RDS.
Redis: when you need sorted lists, counters and hashes
Memcached: when you need a simple data type model and need to run large nodes with multiple cores/threads.
If there is heavy load on an RDS instance, it can be eased by using RDS read replicas and ElastiCache.
Horizontal Scaling
With Memcached, you can partition your data and scale up to 20 nodes in a cluster. Using Auto Discovery, your application will find all the nodes available.
With Redis, you are limited to one cluster, but you can create additional clusters which can be placed in a replication group. You can only have one write node, but up to 5 read replica nodes to handle read operations.
Vertical Scaling
You are not able to resize a cluster on the fly. However, you can launch new clusters with the required node types and direct traffic to them.
Memcached clusters will start empty and begin to store newly cached data.
Redis clusters can be launched from a backup.
Set schedule-based autoscaling if the load changes every day at a scheduled time.
Creating a read replica of a MySQL Aurora database in another region acts as DR.
RRS--> 99.99% availability, durability; to be used for easily
reproducible data.
HA stateless application --> RDS, EC2, DynamoDB.
Lambda languages --> Node.js, Java, C#, Python.
SQS default visibility timeout is 30 sec, and the longest a message is retained in the queue is 12 hours; maximum visibility timeout is 12 hours; a message has a message ID and body; there is no ordering of message delivery.
SWF actors have Activity workers, workflow starters, deciders.
Amazon ElastiCache with Redis provides native functions that
simplify the development of leaderboards. With Memcached, it is more difficult
to sort and rank large datasets.
AWS KMS uses envelope encryption to protect data. AWS KMS
creates a data key, encrypts it under a Customer Master Key (CMK), and returns
plaintext and encrypted versions of the data key to you.
When you choose AWS KMS
for key management with Amazon Redshift, there is a four-tier hierarchy of
encryption keys. These keys are the master key, a cluster key, a database key,
and data encryption keys.
Origin server supported by CloudFront: S3, HTTP server running
on EC2, HTTP server running on-premise.
The supported notification protocols for SNS are HTTP, HTTPS,
Amazon SQS, Email, Short Message Service (SMS), and AWS Lambda.
Dedicated Instances run on hardware that’s dedicated to a single
customer. As a customer runs more Dedicated Instances, more underlying hardware
may be dedicated to their account. Dedicated Hosts are physical servers with
Amazon EC2 instance capacity fully dedicated to a single customer’s use.
You would use Mail eXchange (MX) records to define which inbound destination mail server should be used.
If a security group is not specified at launch, then an Amazon EC2 instance will be launched into the default security group for the Amazon VPC. The default security group allows communication between all resources within the security group, allows all outbound traffic, and denies all other traffic including inbound traffic.
Data is copied asynchronously from the source database to the
Read Replica.
SPF records are used to verify authorized senders of mail from
your domain.
You can have multiple local secondary indexes, and they must be
created at the same time the table is created. You can create multiple global
secondary indexes associated with a table at any time.
The default Amazon EC2 instance limit for all regions is 20.
ELB --> Layer 4 for TCP, Layer 7 for HTTP, HTTPS
By default, when you use Transmission Control Protocol (TCP) for
both the front-end and back-end connections, your load balancer forwards
requests to the back-end instances without modifying the request headers. If
you enable Proxy Protocol, a human-readable header is added to the request
header with connection information such as the source IP address, destination
IP address, and port numbers.
A human-readable header is added to the request header with
connection information such as the source IP address, destination IP address,
and port numbers when enabling proxy protocol on ELB.
Amazon CloudWatch Logs gives you the ability to install an agent that can export otherwise internal logs to Amazon CloudWatch.
A PTR record is used to resolve an IP address to a domain name,
and it is commonly referred to as “reverse DNS.”
The main difference between Amazon SQS policies and IAM policies
is that an Amazon SQS policy enables you to grant a different AWS account
permission to your Amazon SQS queues, but an IAM policy does not.
Autoscaling components :
1. Autoscaling group; We can configure only on-demand and spot instances for EC2 instance type. Reserved instances can't be used.
2. Launch configuration,
3. Scaling policies.
> Manual Scaling – specify the maximum, minimum and desired capacity of your Auto Scaling group. You can use manual scaling when resources need to be increased in response to infrequent events like launching a new product.
> Scheduled Scaling – used to increase or decrease the number of instances in your Auto Scaling group due to a specific anticipated or predictable need. For example, you need to scale out additional servers to cope with quarterly or yearly processing workloads.
> Dynamic Scaling – control your Auto Scaling deployments based on dynamic changes to CloudWatch thresholds – e.g. increase the number of web servers when you identify incoming web traffic going above a threshold.
The Auto Scaling cooldown is a period of time after an Auto Scaling event during which Auto Scaling waits before resuming Auto Scaling activities.
The launch configuration is referenced by the Auto Scaling group instead of being part of the Auto Scaling group:
It allows you to change the Amazon Elastic Compute Cloud (Amazon EC2) instance type and Amazon Machine Image (AMI) without disrupting the Auto Scaling group.
It facilitates rolling out a patch to an existing set of instances managed by an Auto Scaling group.
It allows you to change security groups associated with the instances launched without having to make changes to the Auto Scaling group.
If we associate an Auto Scaling group with a Classic Load Balancer, we can use the load balancer health check to determine the health state of instances in the Auto Scaling group. By default, an Auto Scaling group periodically determines the health state of each instance.
When a request is made, the AWS service decides whether a given request should be allowed or denied. The evaluation logic follows these rules:
1) By default, all requests are denied (in general, requests
made using the account credentials for resources in the account are always
allowed).
2) An explicit allow overrides this default.
3) An explicit deny overrides any allows.
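The three rules above, carried out in code as an added example (not from the original post): the policy statements are constructed samples in the shape of IAM statements, and the account id in the test ARNs is a placeholder.

```python
from fnmatch import fnmatchcase

# Constructed sample statements (not from the page), shaped like IAM policy
# statements: Effect, list of Actions, list of Resources.
POLICY = [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Allow", "Action": ["sqs:*"], "Resource": ["*"]},
    {"Effect": "Deny", "Action": ["sqs:DeleteQueue", "sqs:PurgeQueue"],
     "Resource": ["*"]},
]

def _action_matches(patterns, action):
    # IAM compares action names case-insensitively; '*' and '?' are wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _resource_matches(patterns, resource):
    # Resource ARNs are compared case-sensitively, with the same wildcards.
    return any(fnmatchcase(resource, p) for p in patterns)

def evaluate(statements, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' following the rules:
    everything is denied by default, an explicit Allow overrides that default,
    and an explicit Deny overrides any number of Allows."""
    decision = "ImplicitDeny"                       # rule 1
    for stmt in statements:
        if not (_action_matches(stmt["Action"], action)
                and _resource_matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"                   # rule 3: nothing overrides it
        decision = "Allow"                          # rule 2: keep scanning for a Deny
    return decision

def is_allowed(statements, action, resource):
    return evaluate(statements, action, resource) == "Allow"
```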
One benefit of cloud computing is the ability to use the cloud's
Application Programming Interface (API) to automate deployment processes and to
build self-healing systems.
An Elastic Load Balancing load balancer’s DNS CNAME will not
change over time, providing you with a single fixed addressing entry,
regardless of the pool of IPs referenced by the CNAME.
Amazon WorkSpaces uses PCoIP (PC-over IP), which provides an
interactive video stream without transmitting actual data.
An IGW provides a target for Internet-routable traffic, and it
performs NAT for instances that have been assigned public IP addresses. An IGW
serves two purposes: to provide a target in your VPC route tables for
Internet-routable and VPN-routable traffic and to provide PAT for instances
that have been assigned public IP addresses.
ELB distributes traffic across multiple AZs: the Elastic Load
Balancing service allows you to distribute traffic across a group of Amazon
Elastic Compute Cloud (Amazon EC2) instances in one or more Availability Zones
within a region.
The CNAME record maps a name to another name. It should be used
only when there are no other records on that name.
Cross-region replication can help lower latency and satisfy
compliance requirements on distance. Amazon S3 is designed for eleven nines
durability for objects in a single region, so a second region does not
significantly increase durability. Cross-region replication does not protect
against accidental deletion.
A deletion policy must be applied to an AWS CloudFormation
resource in order to ensure that the resource is not deleted when the stack is
deleted.
Amazon EC2 supports RSA 2048 SSH-2 key pairs.
AWS has developed a strategic business plan to identify any
risks and has implemented controls to mitigate or manage those risks. Customers
should also develop and maintain their own risk management plans to ensure they
are compliant with any relevant controls and certifications.
SNS topic names should typically be available for reuse
approximately 30–60 seconds after the previous topic with the same name has
been deleted. The exact time will depend on the number of subscriptions active
on the topic; topics with a few subscribers will be available instantly for
reuse, while topics with larger subscriber lists may take longer.
Create an Amazon SNS topic using Amazon SNS. Then create multiple
Amazon SQS queues and subscribe them to the Amazon SNS topic.
An ENI is associated with a VPC subnet.
KMS manages CMKs (customer master keys).
A Query operation finds items in a table or a secondary index
using only primary key attribute values and a Scan operation reads every item
in a table or a secondary index.
Redis clusters can only contain a single node; however, you can
group multiple clusters together into a replication group.
When connection draining is enabled, the load balancer will stop
sending requests to a deregistered or unhealthy instance and attempt to complete
in-flight requests until a connection draining timeout period is reached, which
is 300 seconds by default.
There is no data transfer
charge for data transferred within a Region. There is only a charge for such a
transfer when it is between Regions.
There is no data transfer charge for data transferred between
EC2 and S3 in the same Region.
You receive 5 GB of S3 Standard for free, including 20,000 GET
Requests, 2000 PUT Requests, 15 GB of data transfer in, and 15 GB of data
transfer out each month for one year.
With EBS services, you pay for provisioned storage, not just
used storage.
Glacier: minimum of 90 days archival storage. Archives deleted
before 90 days are charged on a pro-rated basis for the remaining days.
There is no charge of data transfer between EC2 and Glacier in
the same region.
Glacier retrieval modes: Expedited, Standard and Bulk retrieval.
If an instance becomes unhealthy, the load balancer reports the
instance state as OutOfService. If there are in-flight requests made to the
unhealthy instance, they are completed. The maximum timeout limit does not
apply to connections to unhealthy instances.
The load balancer routes requests only to the healthy instances.
When the load balancer determines that an instance is unhealthy, it stops
routing requests to that instance. The load balancer resumes routing requests
to the instance when it has been restored to a healthy state.
The load balancer checks the health of the registered instances
using either the default health check configuration provided by Elastic Load
Balancing or a health check configuration that you configure.
A load balancer periodically sends pings, attempts connections,
or sends requests to test the EC2 instances. These tests are called health
checks. The status of the instances that are healthy at the time of the health
check is InService. The status of any instances that are unhealthy at the time
of the health check is OutOfService. The load balancer performs health checks
on all registered instances, whether the instance is in a healthy state or an
unhealthy state.
How to serve private content using CloudFront: remove the read
permissions on the objects of the bucket and limit access to CloudFront only by
setting up an Origin Access Identity (OAI); create signed URLs or signed cookies
with an expiration date, and optionally restrict the URL to an IP address. The
application that generates the URL must be a trusted signer (download CloudFront
key pairs). You can also restrict access by country / geo-location.
Amazon SQS automatically deletes messages that have been in a
queue for more than the maximum message retention period. The default message
retention period is 4 days. Since the queue is configured to the default
settings and the batch job application only processes the messages once a week,
the messages that are in the queue for more than 4 days are deleted.
Elastic Load Balancing provides access logs that capture
detailed information about requests sent to your load balancer. Each log
contains information such as the time the request was received, the client's IP
address, latencies, request paths, and server responses. You can use these
access logs to analyze traffic patterns and troubleshoot issues.
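As an added example (not from the original post), a parser for the Classic Load Balancer access log format described above, run over constructed sample lines, with the roll-up an on-call engineer wants first: client errors per source IP, requests the load balancer could not hand to any backend, and slow requests.

```python
import re
from collections import Counter

# Constructed sample lines (not from the page) in the Classic Load Balancer
# access log format: timestamp elb client:port backend:port request_time
# backend_time response_time elb_status backend_status recv sent "request" "ua" cipher proto
SAMPLE_LOG = """\
2023-03-01T10:00:01.123456Z web-elb 203.0.113.5:40112 10.0.1.15:80 0.000073 0.001048 0.000057 200 200 0 512 "GET https://www.example.com:443/ HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2023-03-01T10:00:02.000001Z web-elb 198.51.100.9:51000 10.0.1.15:80 0.000060 0.000800 0.000040 404 404 0 120 "GET https://www.example.com:443/admin HTTP/1.1" "python-requests/2.28" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2023-03-01T10:00:02.500000Z web-elb 198.51.100.9:51001 10.0.1.15:80 0.000061 0.000790 0.000041 404 404 0 120 "GET https://www.example.com:443/old-config HTTP/1.1" "python-requests/2.28" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2023-03-01T10:00:03.000000Z web-elb 203.0.113.5:40113 - -1 -1 -1 503 0 0 0 "GET https://www.example.com:443/api HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<elb>\S+) (?P<client>\S+) (?P<backend>\S+) '
    r'(?P<req_t>\S+) (?P<be_t>\S+) (?P<resp_t>\S+) (?P<elb_code>\d+) '
    r'(?P<be_code>\S+) (?P<recv>\d+) (?P<sent>\d+) "(?P<request>[^"]*)" '
    r'"(?P<ua>[^"]*)" (?P<cipher>\S+) (?P<proto>\S+)$')

def parse_line(line):
    """Parse one line; backend '-' with -1 timings means no instance accepted it."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError("unrecognised access log line")
    f = m.groupdict()
    backend_failed = f["backend"] == "-"
    latency = None if backend_failed else sum(float(f[k]) for k in ("req_t", "be_t", "resp_t"))
    method, url = (f["request"].split(" ") + ["-", "-"])[:2]
    return {"time": f["ts"], "client_ip": f["client"].rsplit(":", 1)[0], "method": method,
            "url": url, "elb_code": int(f["elb_code"]), "backend_failed": backend_failed,
            "latency": latency, "user_agent": f["ua"], "tls": f["proto"]}

def summarize(text, slow_threshold=1.0):
    """Roll the log into client errors per IP, backend hand-off failures, slow requests."""
    per_client_errors, backend_failures, slow, parsed = Counter(), 0, 0, 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        parsed += 1
        if rec["elb_code"] >= 400:
            per_client_errors[rec["client_ip"]] += 1
        if rec["backend_failed"]:
            backend_failures += 1
        elif rec["latency"] > slow_threshold:
            slow += 1
    return {"parsed": parsed, "per_client_errors": per_client_errors,
            "backend_failures": backend_failures, "slow_requests": slow}
```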
An S3 VPC endpoint does not serve cross-region requests: when we create a
VPC endpoint for S3, any requests to S3 endpoints within the region are routed
to a private S3 endpoint within the Amazon network.
NAT Gateway must be created in public subnet otherwise it can't
route traffic to the internet and so requests would fail. It can't be created
without an elastic IP. NAT Gateway does not have a security group.
Security groups are stateful: if you send a request from your
instance, the response traffic for that request is allowed in regardless of
inbound security group rules.
EC2, RDS, and EBS can be launched from the golden image, which
is the snapshot of the previous state of a resource. It is a better and faster
approach compared with bootstrapping a resource using custom scripts.
Existing VMs on premises can be moved to AWS using the VM
Import/Export utility.
Elastic Beanstalk, ECS and Fargate can be used for deploying
solutions using containers across EC2 instances. A Docker golden image can be
managed using ECR (Elastic Container Registry).
Elastic Beanstalk can deploy and scale web applications and
services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker
on familiar servers such as Apache, Nginx, Passenger, and IIS.