Creating a Placement Group in an AZ and placing EC2 instances within that group gives lower latency.
True or False?
- Amazon S3 buckets in all Regions provide read-after-write consistency for PUTS of new objects and eventual consistency for overwrite PUTS and DELETES. - true
- Placement Groups can be created across 2 or more Availability Zones. - false
- You can add multiple volumes to an EC2 instance and then create your own RAID 5/RAID 10/RAID 0 configurations using those volumes.
- It is possible to transfer a reserved instance from one Availability Zone to another. - true
RDS - the AZ can be chosen; DynamoDB - the AZ can not be selected.
card -
- Cards create
- move
- title
- color, delete, copy
functionality, css
-
Power Users cannot manage groups and users within IAM.
-
Root user has Administrator Access.
-
The first step in creating an AWS account is to set up the account using a company email address.
-
MFA can be applied to new users just as to the root account.
-
New users do not have any access by default.
-
For S3 performance it is good not to have similar key names, as that can overwhelm S3 performance; we can add some kind of random alphabetic or numeric prefix before such object names.
-
S3 durability is 11 x 9s and the availability SLA is 99.9%
-
S3 - Infrequently Accessed - but when the data is needed it is needed fast; a retrieval fee is charged (durability is 11 x 9s)
-
S3 Reduced Redundancy Storage has less durability, i.e. 99.99%, and the same availability, but is very cheap (survives the failure of 1 facility; data in S3 must stay for at least 30 days)
-
S3 Glacier - data archival - low cost (data must stay for a minimum of 90 days)
-
Transfer Acceleration helps transfer data to S3 between various regions using AWS CloudFront edge locations.
-
Subresources - ACL and Torrent
-
Bucket names must be in lower case
-
Any newly created bucket or object is private by default
-
S3 can be encrypted using an S3 master key or an AWS KMS master key.
-
Versioning, once turned on, can only be suspended (disabled) and not removed.
-
To make an object publicly available, the object itself must have public-read permission even if the bucket already has public-read permission.
-
Versioning keeps all versions of a file, so the storage used by a bucket keeps increasing - you may want to apply a lifecycle policy to older versions so as to save space.
-
If a version is deleted it can not be restored, but a deleted object can be restored using the Delete Marker (deleting the delete marker makes the object appear in the console again).
-
To prevent accidental deletes we can also enable versioning's MFA Delete capability.
-
For cross-region replication, versioning must be turned on. Only new or updated objects are replicated. Replication to multiple regions and transitive replication are not possible.
-
In S3 cross-region replication the delete marker and version deletions are not replicated.
-
For lifecycle management, versioning may be on or off (128 KB after 30 days).
-
CloudFront has - Origin (S3, EC2, ELB etc.), Edge Locations (separate from AWS Regions or AZs) and Distribution (collection of Edge Locations - Web Distribution and RTMP).
-
CloudFront works with non-AWS origin servers and can have multiple origins
-
Edge locations are Read/Write. Objects can be cleared before the TTL expires, but there is a charge for that.
-
A CloudFront distribution can have multiple origins, and viewer access can be restricted via signed URLs/cookies
-
Buckets can be secured via Bucket Policy/Access Control List. Encryption can be
- In transit (SSL/TLS)
- At rest
- Server Side
- SSE-S3 (master key rotates, AES-256)
- SSE-KMS (more transparency but costs - audit trail) (envelope key - key to the master key)
- SSE-C (SSE Customer: the key is managed by us and AWS manages the encryption)
- Client side is when the client encrypts and sends to the server.
-
Storage Gateway
- File Gateway (NFS, flat files; accessed through an NFS mount point) (on-premise app -- NFS -- Storage Gateway -- Internet or Direct Connect or AWS VPC -- S3; stored on S3)
- Volume Gateway (iSCSI; a virtual hard disk is backed up as incremental snapshots to EBS snapshots in the cloud)
- Stored Volumes -> the entire data set is available locally and provides low-latency access to data on premise - 1 to 16 TB (backed up to S3)
- Cached Volumes -> S3 is used as primary storage and frequently accessed data is retained locally (32 TB)
- Tape Gateway (VTL - backup and archival; instead of physical tape, virtual tapes are used with NetBackup, Backup Exec, Veeam)
Remember: Direct Connect is the direct data line between the data center and AWS
-
Snowball (earlier AWS Import/Export, where we sent our own disk and AWS used it, but due to different formats it became difficult)
- An appliance that the customer can store data in and send to Amazon; AWS then uses that appliance to transfer the data to S3 (the box provides secure data transfer and AWS does a software erasure of the data)
- Snowball Edge (has compute capacity as well, like a data center, e.g. running Lambda functions; acts like a data acquisition device)
- Snowmobile (a truck, for extremely large amounts of data)
- Snowball can import/export to and from S3
-
Transfer Acceleration
- S3 Transfer Acceleration uses the CloudFront edge network (URL format: bucketname.s3-accelerate.amazonaws.com; bucket static website: BUCKETNAME.s3-website.REGION.amazonaws.com)
- S3 bucket URL format: http://s3-REGION.amazonaws.com/BUCKETNAME
-
S3 file size is 0 to 5 TB
-
In lifecycle -
- Transition to IA after 30 days (128 KB minimum)
- Transition to Glacier (after 30 days in IA)
- Objects can be moved to Glacier directly from S3 the next day itself if IA is not used
- Delete finally
-
There are 50 edge locations across the world; edge locations can be READ/WRITE; TTL is in seconds (default 24 hours)
-
Bucket access logging can be used to log all the requests made to an S3 bucket; the logs can be stored in another bucket (same account or another account).
-
Multipart upload is possible in S3.
-
Minimum size of an S3 file is 1 Byte.
-
EC2 options
- On Demand: pay a fixed rate by the hour with no commitment; low cost, short spikes
- Reserved: capacity reservation (a 1 to 3 year contract gives a cost advantage); predictable usage
- Spot: bid, and the instance starts when the price goes lower than the bid; flexible timings are needed
- Dedicated Hosts: physical EC2 servers on a dedicated physical machine (existing licenses can be used and we can pay hourly)
-
Spot instance charges are on a per-hour basis: if the instance is terminated (by AWS) before an hour is complete the charges won't be applied; however, if we terminate it we need to pay for the entire hour.
-
EC2 instance types (currently there are 10 types)
- D2: Dense Storage - file servers/data warehouse/Hadoop
- R4: Memory Optimized - memory intensive apps/DBs - RAM
- M4: General Purpose - application servers - main choice for general purpose apps
- C4: Compute Optimized - CPU intensive - COMPUTE
- G2: Graphics Intensive - video encoding/3D applications - GRAPHICS
- I2: High Speed Storage - NoSQL storage - IOPS
- F1: Field Programmable Gate Array - hardware acceleration for your code - FPGA
- T2: Lowest Cost, General Purpose - web servers/small DBs - T2 Micro
- P2: Graphics/General Purpose GPU - machine learning/Bitcoin mining - GRAPHICS
- X1: Memory Optimized - SAP HANA/Apache Spark - Extreme Memory
-
EBS
- Placed in a specific AZ but replicated (the storage array is replicated).
-
EBS Types
- General Purpose SSD (up to 10,000 IOPS, with bursts of 3,000 IOPS for extended periods of time)
- Provisioned IOPS SSD: IO intensive apps, i.e. large RDS or NoSQL (>10,000 IOPS, <20,000 IOPS)
- Throughput Optimized HDD (Magnetic): big data, data warehouses, log processing; CANNOT BOOT from it; frequently accessed workloads
- Cold HDD: lowest cost, file servers, infrequently accessed; CANNOT BOOT from it; less frequently accessed workloads
- Magnetic (Standard): BOOTABLE and lowest cost; infrequently accessed; lowest cost on storage
-
One EBS volume can be mounted to one EC2 instance, not multiple
-
A default Security Group is present when a default VPC is created and when a new AWS account is created
-
Accidental termination protection can be enabled when creating an EC2 instance
-
Root volume - has to be bootable - can only be General Purpose SSD, Provisioned IOPS SSD or Magnetic (Standard)
-
We can add volumes
-
By default the attached root volume is deleted on termination of the EC2 instance
-
Security group is a virtual firewall; common ports: SSH-22, HTTP-80, HTTPS-443, RDP-3389, MySQL/Aurora-3306
-
chmod 400 MyKeyPair.pem, ssh ec2-user@IP -i MyKeyPair.pem, sudo su, yum update -y, yum install httpd, cd /var/www/html, nano index.html, service httpd start, chkconfig httpd on
-
The root volume of an EC2 instance can not be encrypted when created the normal way (default AMIs); additional volumes can be.
-
One EC2 instance can have multiple SGs
-
Changes to an SG apply immediately
-
SGs are stateful - both inbound and outbound rules are configured, everything else is blocked by default, no deny rules are possible, and SGs are region-specific as well
-
EC2 instance - Actions - Change Security Groups to edit the SGs associated with the EC2 instance
-
lsblk(volumes that are mounted), mkfs -t ext4 /dev/xvdb, mkdir /aDirectory, mount /dev/xvdb /aDirectory, lsblk, cd /aDirectory, umount /dev/xvdb
-
Detaching can be done from Volumes tab of the Web Console or Force Detach if the volume is mounted
-
Detach the volume, take a snapshot, restore a volume from the snapshot (changing the storage type or upgrading it), then go to Volumes, select the restored volume and Attach (a way to upgrade a volume)
-
lsblk will reveal the volume; check the files on a volume with file -s /dev/xvdf, then mount it to /aDirectory
-
If we modify a volume on the fly we must wait 6 hours before making another change
-
EBS volumes can be scaled up only
-
Volumes must be in the same AZ as the EC2 instance
-
RAID
- Redundant Array of Independent Disks
- RAID 0 - good performance but NO redundancy, striped
- RAID 1 - mirrored, redundancy
- RAID 5 - good for reads, bad for writes, and its use is discouraged (parity checks can be performed using this)
- RAID 10 - combination of RAID 0 and RAID 1
- RAID is used to get a desired IOPS performance
- New EC2 instance with Windows AMI - add RDP permission to the SG (port 3389) - RDP into the instance (Get Windows Password; username Administrator) and add disks to a volume (striped - RAID 0)
- RAID snapshot - while taking a snapshot, cached data is not stored, so in RAID that is a problem - need an application-consistent snapshot
- Stop the application from writing to disk
- Flush cached data to disk
- Freeze the file system
- Unmount the RAID array
- Shut down the EC2 instance (easiest)
-
AMI Creation (useful way to encrypt the root volume)
- Stop the EC2 instance (essential for an application-consistent backup)
- Volumes - select root volume - Actions - Create Snapshot (can not encrypt yet); this snapshot can now be copied (while copying we get an option to encrypt the copy) and then we can create an Image from it in the AMI tab
- Only unencrypted snapshots can be shared
-
EBS volumes are more durable and Instance Stores are ephemeral; Instance Stores can only be rebooted or terminated, and if the underlying host fails we lose the data; by default the root volume is deleted on termination.
-
All AMIs are either EBS-backed or Instance Store-backed; provisioning time is lower for EBS-backed AMIs
-
On reboot the data is safe in both EBS and Instance Store
-
Load Balancers
- Application Load Balancers(layer 7 i.e. http and https)
- Classic Load Balancers(layer 4)
-
No public IP address is available for an ELB, only a DNS name
-
Application Load Balancer has Target Groups; the same EC2 instance can be registered in more than one ELB
- Instances are InService or OutOfService in the Load Balancer - Health Check
-
CloudWatch - Dashboards - add widgets; all the services supported by CloudWatch and used by the user will be visible.
- Dashboard - for EC2 we have CPU, Disk, Status (EC2 level and Hypervisor) and network-related metrics; we can also have custom metrics (for RAM, for example) (in the host layer)
- Alarm - select metric - create alarm - notification method when a threshold is reached
- Events - respond to state changes in AWS resources (e.g. when an EC2 instance is running, run a Lambda)
- Logs - monitor at the application level; log events and store them as well
- Metrics
- Standard monitoring is 5 mins, detailed monitoring is 1 min
- CloudWatch is for logging, monitoring and storing logs vs CloudTrail is for auditing, i.e. monitoring the AWS environment - a new user, new role, new S3 bucket are logged using CloudTrail
-
AWS CLI
- aws s3 ls (unable to locate credentials)
- aws configure - enter Access Key ID, Secret Access Key, region (eu-west-2)
- aws s3 ls (shows the buckets from all around the world, as S3 is global)
- To find the credentials on the EC2 instance: cd ~, ls -a, cd .aws, ls (shows the config and credentials of the user with programmatic Admin access)
- aws ec2 describe-instances (all the instances, even terminated ones)
- aws ec2 terminate-instances --instance-ids INSTANCEID
- Roles are created globally
- Attaching an IAM role is possible on a running EC2 instance
-
S3 CLI and Regions
- aws s3 cp --recursive s3://aclloudguru /home/aDir --region REGION_OF_EC2
- #!/bin/bash (for a bash script, the path to the interpreter)
-
EC2 Metadata
- From the SSH'd CLI type: curl http://169.254.169.254/latest/meta-data
-
Auto Scaling
- Create a Launch Configuration (as good as creating an EC2 instance) - link with the ELB and maybe Auto Scaling policies
-
EC2 Placement Groups
- Logical group of EC2 instances in an AZ; helps get a low-latency network
- Can not span multiple AZs, as we want latency to be low
- Only some types such as compute optimized, GPU, memory optimized and storage optimized are allowed, and homogeneous instances are recommended
- Can not merge placement groups
-
EFS (Elastic File System)
- Block based and can be shared across EC2 instances; no need to pre-provision, and charges are based on storage used
- It is spread across AZs in a region
- Run the mount command in the EC2 instances and the same EFS is available to all the mounted EC2 instances
- Good for file servers; can be mounted across EC2 instances, unlike EBS, which is mounted on a single EC2 instance
-
-
Lambda
- Takes care of provisioning; event-driven compute service; compute service in response to HTTP calls; multiple Lambda invocations happen; scaling is taken care of - scale up (e.g. RAM), scale out (increase EC2 instances)
- Compute - Lambda - Create Lambda Function - Blank Function - API Gateway (triggers: SNS, DynamoDB, CloudFront, CloudWatch Events, Logs, CodeCommit, Alexa Skills Kit, Kinesis, Cognito Sync, Alexa Smart Home, AWS IoT)
- Different HTTP requests invoke different Lambda functions, but the code is identical
- Pricing is per request and duration (from start to end/terminate; 5 mins is the max duration for a Lambda request)
- Instant scaling, and one function can trigger another function, i.e. X functions from an event
- AWS X-Ray allows debugging AWS Lambda; Lambda can do things globally, i.e. manage S3
-
The Route 53 record set - Alias - can point to S3, ELB, CloudFront
-
EC2 root volumes can NOT be encrypted by default; we need BitLocker
-
Snapshots exist on S3 i.e. Snapshot of a volume
-
Snapshots are incremental, so the first snapshot can take more time
-
Volumes of Encrypted Snapshots are Encrypted and Snapshots of Encrypted Volumes are Encrypted
-
Instance Store backed root volume will be deleted when EC2 is stopped.
-
AMIs are stored per region but can be shared using the console or the Amazon EC2 API
-
Roles can be assigned to an EC2 instance after it has been provisioned, using the CLI or the AWS console
-
Roles are UNIVERSAL
-
EFS supports NFSv4
-
Create SnapShots of an EBS volume via CLI - ec2-create-snapshot
-
We can change the permissions to a role, even if that role is already assigned to an existing EC2 instance, and these changes will take effect immediately
-
A snapshot can be deleted after deregistering the AMI.
-
DNS
- Converts a human-readable name to an IP address (common IPv4 - 32 bits and IPv6 - 128 bits)
- Top level domain names (.com, .uk) are maintained by IANA (Internet Assigned Numbers Authority)
-
Domain registrars register each domain name in a central DB known as the WhoIs database
-
SOA (Start Of Authority) - name of the server that supplied data for the zone, administrator of the zone
-
NS (Name Server) record - helps redirect to the content DNS server which has the authoritative DNS records
-
A record - fundamental DNS record; A stands for Address; translates the domain name to an IP address
-
TTL is the time to live in the DNS servers, so it can be lowered to 5 mins (300 seconds) when doing a DNS migration
-
CNAME - Canonical Name; can be used to resolve one domain name to another
-
Alias records - we can map a DNS name to a target DNS name. A CNAME can not be used with a naked domain name; the naked domain name must have an A record or an Alias
-
If there is a change in the target's record set, the Alias record is updated right away
-
CNAME queries are chargeable and not suitable for naked domain names, whereas an Alias can resolve the naked domain name and is not charged
-
An ELB maintains 2 connections - one with the client and the other with the EC2 instance
-
The Maximum size of a VPC is /16 and Minimum is /28
-
CloudFront origins can be S3, an EC2 HTTP server, or an on-premise HTTP server as well.
-
S3 and DynamoDB are designed for multi AZ
-
AMI and instance types are specified while creating a EC2
-
SNS can work for Email JSON, HTTP, Lambda but NOT DynamoDB
-
Loose coupling => asynchronous integration => where an immediate response is not needed and only a confirmation that the request was registered will suffice.
-
An ARN is created as soon as an SNS topic is created
-
Autoscaling group needs AMI, Instance, Configuration Name
-
A VPC reduces the necessary internet access points and obfuscates them to a level that untrusted end users cannot access them.
-
A security group in a region can have 100 rules, and there can be 500 security groups per region per account
-
Route 53 Routing Policies (global service like IAM, where users are global)
- Simple - when there is only one web server - Create Record Set - Alias - Alias Target Name - Routing Policy - Simple
- Weighted - lets you split the traffic based on weights you assign (not necessarily the same region) (specify the weight and ID)
- Latency - routes traffic based on latency (go to the lowest latency) (give region and ID)
- Failover - detects failure (in Route 53 create a health check for the ELB, maybe using the ELB DNS name, and associate the health check)
- Geolocation - routes depending on geographic location (give location and ID; Default indicates "everywhere else")
-
ELBs do cost, and their public IP address is not exposed by AWS!
-
Route 53 supports MX (mail server) records
-
Route 53 supports Zone Apex records (naked domain names)
-
There are 50 domain names available by default; however, this is a soft limit and can be raised by contacting AWS support.
-
A PTR is a reverse DNS record (converts an IP to a DNS name)
-
CloudWatch gives system-wide visibility for monitoring resources, application performance and operational health.
-
Hybrid deployment extends an existing on-premise environment into the cloud
-
Restricting data access in S3 - pre-signed URL, S3 ACL, bucket policy
-
ELB is configured with Listeners to accept traffic.
-
Multi-AZ is supported in MySQL, Microsoft SQL Server, Oracle, PostgreSQL, Aurora
-
AWS Elastic Beanstalk automatically handles the deployment details
-
RDS - Create instance - MySQL - select Multi-AZ, instance class, storage type, instance identifier, username, password, security group
- In the security group, make sure the inbound rule in the DB security group for the SQL port 3306 has its source set to our (EC2) security group
- The DB endpoint is used to connect to the DB (PHP, Node.js, Java)
- When deleting the RDS instance, an option to take a final snapshot appears
-
Backups
- Automated Backups - allow recovering the database to any point in time within the retention period (1-35 days); take a full daily snapshot and store transaction logs; recovery means choosing the most recent backup and then applying the transaction logs, giving recovery to within a second.
- Automated backups are enabled by default and the backup storage allotted is the size of the RDS instance; IO may get slow while a backup is going on, so take backups in a defined window.
- Snapshots are done manually and are stored even if the RDS instance is deleted
- After a restore from either a snapshot or an automated backup a new DB is created, with a new endpoint, Multi-AZ setting etc.
- Encryption
- Encryption at rest is supported in MySQL, Oracle, SQL Server, PostgreSQL and MariaDB using AWS KMS
- Encrypting an existing DB is not supported; if needed, do a migration or restore
- Actions on an RDS instance ->
- Take Snapshot (migrate to say Aurora, copy to another region, share, delete, restore and increase DB instance are some actions that can be performed on a snapshot)
- Migrate
- Point in Time
- Read Replica
-
Multi-AZ in RDS
- An exact copy goes to another AZ so that in the event of planned maintenance, DB instance failure or AZ failure, RDS will fail over to the standby.
- Multi-AZ is for disaster recovery, not for performance optimization; use Read Replicas for that!
- Microsoft SQL Server seems not to have Multi-AZ (only SQL Server, Oracle, MySQL, PostgreSQL, MariaDB and Aurora store copies anyway)
-
Read Replica
- A database can have up to 5 replicas
- A Read Replica is a read-only copy of the production database.
- Supported - MySQL, PostgreSQL, MariaDB
- Read Replicas must have automated backups turned on
- A Read Replica of a Read Replica has more latency
- Each Read Replica has its own endpoint
- Read Replicas have no Multi-AZ; they are in the same AZ as the database
- Read Replicas can be promoted
- Read Replicas can be promoted to become their own databases, and the replication is broken
- A Read Replica can be in another region only for MariaDB and MySQL, not for PostgreSQL
-
Scaling RDS is a task, but it is a push-button action in DynamoDB without any downtime
-
DynamoDB - fast and flexible data model
- Stored across 3 geographically distinct data centers (different facilities)
- Stored on SSD
- Eventually Consistent Reads
- Consistency across all copies is reached within a second (best for read performance)
- Strongly Consistent Reads
- Returns a result that reflects all writes that received a success response prior to the read
-
DynamoDB has provisioned throughput capacity; expensive for writes and cheap for reads
-
Create DynamoDB table - name - primary key (String, Number, Binary) - provisioned capacity - an ARN is created; we can reserve capacity; we get a flexible data model (dynamically add columns)
-
DynamoDB capacity can be scaled on the Run.
-
While scaling is happening there is not going to be any downtime.
-
REDSHIFT - data warehousing service
- Online Analytics Processing (OLAP) is an example
- Single Node (160 GB, small business)
- Multi-Node (big business)
- Leader Node (client-facing; receives queries)
- Compute Node (performs queries and does the computing; up to 128 compute nodes)
- Redshift stores data as columns, stored sequentially, so better I/O
- Advanced data compression, as a column is of the same data type
- AWS Redshift will analyse the data and apply appropriate compression
- Multi-Node has Massively Parallel Processing (MPP)
- Price - compute node hours, backup and data transfer
- Encryption in transit and at rest are possible
- Available in one AZ only
- Can restore to a NEW AZ if there is an outage
-
ElastiCache
- Easy to deploy and scale by allowing retrieval of info from fast, in-memory, managed caches; improves I/O intensive queries
- Memcached
- Existing Memcached environments will work seamlessly with AWS Memcached
- Redis
- Key-value store; supports lists and sets
- Master/slave replication and Multi-AZ so as to achieve Multi-AZ redundancy
- Redis has Multi-AZ but Memcached does not
-
Aurora
- Aurora can not be installed elsewhere; it is a service on the AWS cloud only
- MySQL compatible
- Up to 5 times the performance of MySQL
- Cost is lower than Oracle
- Scaling
- 10 GB initially, scales up to 64 TB with autoscaling
- Scaling does have a downtime, but it is quick in Aurora
- 2 copies of data are kept in each AZ and the minimum is 3 AZs, i.e. min 6 copies
- Transparently handles the failure of 2 copies for write availability and of 3 copies for read consistency
- Auto healing
-
Aurora Replicas
- Aurora Replica (up to 15; failover occurs)
- MySQL Replica (up to 5; failover won't occur)
- Available in some regions (US East) - specify DB instance class - Multi-AZ - DB identifier - credentials - failover priority (tier 0 to tier 15)
- Instance Actions - Create Aurora Replica - Reader - Replication Role
- Cluster endpoints will fail over to the next good endpoint (instance)
-
Multi AZ has a failover
-
When replicating data from your primary RDS instance to your secondary RDS instance, what is the charge? It is free
-
When you add a rule to an RDS security group you do not need to specify a port number or protocol? FALSE
-
If you are using Amazon RDS Provisioned IOPS storage with MySQL and Oracle database engines, what is the maximum size RDS volume you can have by default? - 6 TB
-
What happens to the I/O operations while you take a database snapshot? - Suspended, even if a Read Replica is there
-
In RDS when using multiple availability zones, can you use the secondary database as an independent read node? - NO
-
By default, the maximum provisioned IOPS capacity on an Oracle and MySQL RDS instance (using provisioned IOPS) is 30,000 IOPS.
-
A VPC can span AZs but not Regions; it is a logically isolated section of the AWS cloud with complete control of the network environment.
- A Hardware Virtual Private Network is a connection between the corporate data center and the VPC = Hybrid Cloud
-
For a VPC the private network ranges are
- 10.0.0.0 to 10.255.255.255 (10/8)
- 172.16.0.0 to 172.31.255.255 (172.16/12)
- 192.168.0.0 to 192.168.255.255 (192.168/16) (/16 is the max size in an AWS VPC)
- One subnet spans ONE AZ
- SGs, ACLs and Route Tables can span across AZs
- One Internet Gateway per VPC
- SGs are stateful and ACLs are stateless
- A default VPC is created in every region so that EC2 instances can be provisioned easily
- All subnets inside it have internet access
- Each EC2 instance has a public and a private IP address
- Deletion of the default VPC can be undone by contacting AWS
- VPCs in different regions can be connected via a direct network route using private IP addresses (VPC Peering)
- Instances behave as if they are in the same private network
- Peering can be done in the same as well as different AWS accounts
- Peering is a star configuration, so NOT TRANSITIVE
-
VPC - Your VPC - name and CIDR (between /16 and /28) and tenancy - creates a Route Table, ACL and SG but no new subnet (SG and ACL can span multiple AZs, but a subnet can not)
- Reserved addresses are 3 by default, and 2 can not be used anyway
- Internet Gateway - detached by default - attach to the VPC (only one IGW per VPC, as they are highly durable)
- Instead of using the default route table we create a new route table and set destination (0.0.0.0/0) and target (IGW) - Subnet Associations (internet access to subnets)
- For a subnet we need to turn on 'auto-assign public IP' so that EC2 instances get a public IP when provisioned
- Start Instance - Network (Subnet - specify own subnet) - auto-assign public IP address
- Subnets can communicate with each other by default
-
For the private subnet we can configure SSH, MySQL and ICMP (for pings) with the source as the public subnet address range; note the private IP address of the private-subnet instance so we can ping and SSH to it via the public EC2 instance
-
NAT (Network Address Translation)
- NAT Instance - EC2 - create - choose a NAT AMI - give VPC and public subnet - an SG is needed, while for a NAT Gateway it does not need to be added by us - Actions - Disable Source/Destination Check - attach to the default route table with source (0.0.0.0/0) and target (NAT instance).
- Amount of traffic depends on the instance size and type
- Sits behind an SG
- NAT Gateway
- Scales automatically
- VPC - Create a NAT Gateway - public subnet - allocate an Elastic IP - include in the Route Table (default in our case)
- SGs are taken care of automatically in NAT Gateways
- No security patches required
- Highly available
- Redundancy
- 10 Gbps, vs an instance whose throughput depends on the instance type
- Slightly expensive
-
High availability can be created using Auto Scaling groups, multiple subnets in multiple AZs and a script to automate the failover
-
ACL vs SG
- SG works at the instance level, ACL works at the subnet level
- SG supports only Allow rules; ACL has both Allow and Deny rules
- SGs are stateful, ACLs are stateless
- Rules are evaluated in numerical order in an ACL
- An ACL applies to instances in a subnet automatically
- Default ACL has all inbound and outbound traffic allowed
- Custom ACL has everything denied
- One subnet will have only one ACL
- Ephemeral ports need to be added to custom ACLs for public-facing subnets
- The lower-numbered rule takes effect in an ACL
- Each subnet must have an ACL
- Block a particular IP address using an ACL, not an SG
-
When we build a high-availability app using ELB, it is good to have two public subnets and two private subnets in different AZs, because an AZ can go down.
-
NATs vs Bastions
- NATs are used to provide internet access to instances in a private subnet
- Bastions are used to administer the instances in private subnets via SSH or RDP
-
VPC FLOW LOGS
- VPC - Actions - Create Flow Log - creates logs of the traffic data within the VPC
-
VPC and Subnets
- 5 VPCs are allowed by default in each AWS Region
- 200 subnets per VPC
- 5 NAT Gateways per AZ
-
SQS
- Distributed queue system that can be consumed by other components
- SQS is a PULL based system
- Example - S3 -> Lambda -> SQS -> EC2
- Even when the EC2 instance fails the message is still in SQS and can be consumed by another consumer
- The message goes into a visibility timeout when it is read; size is 256 KB in any text format, and it can be retrieved programmatically via the SQS API
- Types
- Standard Queue
- Unlimited transactions per second
- One or more messages may arrive out of order
- Best-effort ordering but not guaranteed
- FIFO Queue
- 300 transactions per second
- Order is guaranteed
- Message is delivered once and remains until the consumer deletes it, so no duplicates
- Messages can be kept in the queue from 1 minute to 14 days; 4 days is the default
- Visibility Timeout - the time for which the message is invisible in the queue before it becomes visible again; if the timeout occurs before processing finishes, the same message can be taken by another consumer, i.e. the same message might be delivered twice.
- Standard Queue
- Max visibility timeout is 12 hours
- Long polling is a way in which EC2 can query SQS for messages
- Message-oriented API
-
SWF (Simple Workflow Service)
- Coordinate work across distributed application components.
- Executes via code, human action or scripts
- Retention up to 1 year
- Task oriented
- A task is assigned only once; keeps track of tasks and events
- SWF Actors
- Starters - website, app
- Deciders - control the flow of activity
- Workers - carry out activity tasks
-
SNS (Simple Notification Service)
- Publish messages from an app and deliver them to subscribers
- Lambda can be associated with SNS
- Push messaging system
- Multiple recipients, formatted copies, stored across multiple AZs
- Create Topic - Create Subscription - Protocol (HTTP, HTTPS, Email, Email-JSON, SQS, Application, Lambda) - Endpoint - confirmation
- Useful in Auto Scaling
- No polling - pushes instantly
- Delivery over multiple protocols
-
Elastic Transcoder
- Converts media files into other formats; charges are based on the minutes encoded and the resolution
- Example - upload a file to S3 - invoke a Lambda function - invokes Transcoder - save the transcoded file to S3
-
API Gateway
- Publish, maintain and monitor APIs at any scale
- Example - API Gateway - triggers Lambda or functions on EC2
- API Caching
- Caches the endpoint response; API Gateway caches the response for a TTL and gives better performance
- Low cost and efficient
- Scales, but throttles to prevent attacks
- Can be configured to send logs to CloudWatch
- Cross-Origin Resource Sharing needs to be enabled in API Gateway
-
Kinesis
- Streaming data: data that is generated continuously and sent in small sizes
- Kinesis helps load and analyse streaming data
- Three Kinesis services
- Kinesis Streams
- Data producers - Kinesis Streams - stores data for 24 hours by default, extendable up to 7 days
- Shards are used to store the data; consumers like EC2 read it, then write to S3 etc.
- The capacity of the stream is the sum of the capacities of all its shards
- Kinesis Firehose
- Data producers - stream but no shards; data is analysed or sent to S3 or Redshift, for example, and not stored in the stream (no need to manage shards and retention)
- Kinesis Analytics
- Helps run SQL-type queries on Kinesis (Kinesis Streams or Firehose) data and save the results to S3, Redshift or an Elasticsearch cluster
-
SWF (ensures a task is done only once) is task oriented; SQS and SNS are message oriented
-
SNS subscribers - HTTP, HTTPS, Email JSON, Email, SQS, Application and Lambda
-
SES - Simple Email Service
-
An Amazon Resource Name (ARN) is created when an SNS topic is created
-
SWF Domain: a collection of related workflows
-
S3 url format - https://s3-region.amazonaws.com/bucket-name
-
11 Regions currently; China has one AZ and most Regions have 3 AZs
-
Compliance
- SOC 1 / SSAE 16, ISAE 3402
- SOC 2
- SOC 3
- FISMA, DIACAP, FedRAMP - PCI DSS Level 1
- ISO 27001
- ISO 9001
- ITAR
- FIPS 140-2
-
Security
- Shared Security Model
- AWS is responsible for the facility
- AWS is responsible for the security configuration of its managed services like DynamoDB, RDS, Redshift, Elastic MapReduce, Amazon WorkSpaces
- AWS S3, EC2, VPC etc. are under user control
- For managed services the user still needs to handle account management and user access, MFA and user activity logging using CloudTrail (CloudWatch being monitoring)
- Storage decommissioning includes degaussing and physically destroying the storage device
-
Network Monitoring and Protection
- DDoS
- Man-in-the-middle attacks
- IP spoofing: host-based firewall; an instance can only send traffic from its own IP
- Port scanning: request advance permission for scans of own instances
- Packet sniffing by other tenants
-
Credentials
- Passwords: the root account or IAM users need them to log in to the AWS console
- MFA: the root account or IAM users need it to log in to the AWS console
- Access keys: digital signatures for programmatic access
- Key pairs: to SSH into EC2 or for CloudFront signed URLs
- X.509: digitally signed SOAP requests to AWS APIs or HTTPS SSL server certificates
- AWS Trusted Advisor: helps close common security gaps, save money and improve system performance, e.g. flags not using IAM, not using MFA, S3 being open to the public, not having CloudTrail
-
Instance Isolation
- Different instances running on the same physical machine are separated by the Xen hypervisor and a firewall
- Each instance has access to a virtual hard disk, and guest memory is reused by other processes only after memory scrubbing
- In a SG all ingress traffic is denied by default whereas outgoing traffic is allowed
-
Guest Operating System
- The user has root permission; encrypting data is a good practice (encryption is available on EC2's more powerful instances, e.g. M3, C3, R3, G2)
-
SSL termination on the Load Balancer is supported (i.e. data won't be encrypted between the ELB and the web server) and allows knowing the IP address of any client that connects to the ELB
-
Direct Connect: helps bypass internet service providers using a cross connect; you have rack space and connect to AWS Direct Connect equipment; it also has virtual interfaces that allow access to public and private IP space
-
Risk and Compliance
- Strategic risk management is done 2 times a year
- AWS security scans are for the underlying infrastructure
-
Storage Options
- Storage Gateway
- Gateway-cached and gateway-stored volumes that can be mounted via iSCSI by on-premises applications
- Gateway-cached gives low-latency access to frequently accessed data (32 TB)
- Gateway-stored keeps all the primary data locally while backing it up asynchronously (1 TB)
- Snapshot storage, volume, data transfer and number of gateways are the cost-deciding factors for Storage Gateway
-
Elasticity
- Proactive (salary day)
- Proactive event scaling (Black Friday sales)
- Auto Scaling (based on demand)
-
Web tier (allow 80 HTTP, 443 HTTPS), application server (SSH port 22), DB layer (only the application layer has access)
-
SQL Server's storage can not be increased, and auto backup is enabled by default
-
To run a DB on an EC2 instance, EBS is suitable
-
EBS snapshots are accessible via APIs, the AWS console and the CLI
-
A Policy is a document that provides a formal statement of one or more permissions
-
In a default VPC, all Amazon EC2 instances are assigned 2 IP addresses at launch: a public and a private IP address
-
If an Amazon EBS volume is the root device of an instance, I can not detach it without stopping the instance. I can not move a reserved instance from one region to another. In RDS the maximum size for a Microsoft SQL Server DB instance with SQL Server Express edition is 10 GB per DB
-
I can "force" a failover for any RDS instance that has Multi-AZ configured. Reserved instances are available for Multi-AZ deployments. MySQL installations default to port number 3306
-
If an Amazon EBS volume is an additional partition (i.e. not the root volume), I can detach it without stopping the instance, but it will take some time
-
What are the four levels of AWS premium support? Basic, Developer, Business, Enterprise
-
AZ: distinct locations within a Region that are isolated from failures in other AZs
-
Individual instances are provisioned in AZ
-
How many copies of my data does RDS Aurora store by default? 6
-
1 hr is the maximum response time for a Business Level Premium Support Case
-
Design Principles (5 pillars)
- Security
- Apply security at all layers (subnets, ACLs, SGs, patching at times)
- Traceability
- The customer secures what is in the cloud (IAM config, OS config, network config, firewall config, encryption)
- AWS takes care of the security of the cloud (Regions, AZs, Edge Locations)
- Data protection: classification -> should the data be public, private or restricted
- Encryption can be done using S3, RDS, ELB, EBS
- Privilege management
- ACLs, passcode management (rotation, strength), roles, groups, IAM, MFA
- Infrastructure protection
- VPC, host/network boundary like bastions or jump boxes
- Detective controls
- CloudTrail (regional service), CloudWatch, AWS Config
- AWS logs need to be captured and analysed
- Reliability
- Acquire resources dynamically, recover from service/infrastructure failures
- Scaling horizontally: distributing the system into small resources
- Foundations
- Communication links between HQ and the datacenter
- Network topology
- Change management
- CloudWatch and Auto Scaling that react to changes in the environment, CloudTrail
- Failure management
- CloudFormation?
- Performance Efficiency
- Compute
- CPU, memory, Auto Scaling
- Storage
- Block based, object based, throughput, random, sequential, availability
- DB
- RDS, DynamoDB, Redshift
- Space-time trade-off
- RDS read replicas, ElastiCache, CloudFront, Direct Connect
- Cost Optimization
- Lowest price while still achieving the business goal
- Transparent attribution of expenditure
- AWS Blog, Trusted Advisor can help
- EC2 reserved instances can help optimize costs, whereas SNS and CloudWatch can help with expenditure awareness
- Operational Excellence
- AWS Config helps track and respond to changes in your AWS environment
- Tagging for easy identification
-
Kinesis: big data consumer and large social media streams; Redshift for BI and Elastic MapReduce for big data processing
- Instance Store volumes can not be detached and attached to another instance, whereas EBS volumes can (the instance can be stopped)
-
OpsWorks
- Orchestration service that uses Chef, which has recipes/cookbooks to maintain a consistent state
-
curl or GET http://169.254.169.254/latest/meta-data gives instance metadata like the public IP address
-
AWS Organizations
- A service that enables consolidating multiple AWS accounts and managing them centrally
- 20 linked accounts possible
- CloudTrail is per account per region, but a central S3 bucket is possible
- Unused EC2 reserved instances are applied across the group
- Root - Organizational Unit (contains AWS accounts and has policies, or other OUs)
- Consolidated Billing
- The paying account is linked to all the accounts and can not access their resources
- Volume pricing discount
- Two feature sets: All features, Consolidated Billing only
-
Create Organization - Enable All Features (or Consolidated Billing only) - Invite or Create Account using account id or email - Organize accounts - Create Organizational Units - now we can select an OU and add an account - Policies tab and create a policy - check in Organize accounts and we can attach policies
-
Cross Account Access
- We can log in to an account with an IAM user and access other accounts without providing credentials
- Identify the account numbers
- Create a Group and User in IAM
- Log in
- Create the policy
- Create the cross-account role
- Policy
- Version
- Statement: an array of JSON objects that have keys such as Effect, Action, Resource
- We can create a Policy and a Role that uses the policy for cross-account access
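The two documents below, added here as an example and not taken from the page, show what the role described above looks like in practice. Account numbers, the bucket name and the role name are constructed placeholders. The first document is the trust policy on the role in the target account (it names the account that may assume the role; the `Principal` key is part of IAM trust policies beyond the `Effect`/`Action`/`Resource` keys listed above), the second is the permissions policy attached to that role, with the `Version` and `Statement` structure the notes describe.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TrustTheSourceAccount",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111111111111:root" },
      "Action": "sts:AssumeRole"
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyOnOneBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": [
        "arn:aws:s3:::example-shared-bucket",
        "arn:aws:s3:::example-shared-bucket/*"
      ]
    }
  ]
}
```

Users in account 111111111111 still need an IAM policy granting `sts:AssumeRole` on the role's ARN in the target account; the trust policy only says who is allowed to ask. Keeping the permissions policy scoped to one bucket and read-only actions is the least-privilege choice for a role that other accounts can assume.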
-
Tags are metadata of AWS resources and can be inherited in CloudFormation, Auto Scaling, Elastic Beanstalk
- Resource Groups are containers for tags and have info on regions, health, name, technology
- Tag Editor can be helpful to start using Resource Groups and to add, edit or find tags
-
VPC Peering
- Connection between two VPCs using private IPs; we can have a connection between our own VPCs, even in another AWS account, but within a single Region
- No single point of failure nor bandwidth bottleneck
- The connection is tied to the CIDR; if it changes the connection won't work
- Transitive peering is not supported
- Overlapping CIDRs can not have VPC peering
-
Direct Connect
- Dedicated connection
- A VPN can be configured fast (Direct Connect takes 5 months) but bandwidth can be low, whereas Direct Connect is a dedicated connection
- 10 Gbps, 1 Gbps and sub-1 Gbps are available
-
STS (Security Token Service)
- Grants limited and temporary access to AWS resources for users that are coming from:
- Federation (Active Directory, i.e. joining a list of users in one domain with another domain)
- Uses SAML (Security Assertion Markup Language)
- Single Sign-On allows users to log in to the AWS console without IAM credentials
- Access is granted based on the user's Active Directory
- Federation with web identities
- OpenID, Facebook, Google, Amazon
- Cross Account Access
- Identity Broker: a service that allows taking an identity from point A to point B
- Identity Store: services like Active Directory, Facebook, Google
- Identity: a user of, e.g., Facebook or Google
- ERP -> Identity Broker <-> Active Directory; then the Identity Broker goes to the AWS Security Token Service (which gives a token, access keys and a time duration); the token goes back to the ERP and on to S3, which can authenticate the ERP based on the token after communicating with IAM
- The Identity Broker contacts LDAP first, then STS, then the app gets temporary access
-
Active Directory Federation with AWS
- Signing on using Active Directory credentials, we receive a SAML assertion
- Authentication against Active Directory first, then get temporary security credentials
-
WorkSpaces
- Cloud-based replacement for the desktop
- No AWS account needed to access WorkSpaces
- Windows 7 experience that can be personalised or locked by an admin
- Install your own applications
- Persistent
- Data on the D: drive is backed up every 12 hours
-
ECS (Elastic Container Service)
-
Guest OS, dependencies, app, VM: as the number of VMs increases, dependency management may become difficult
-
So a uniform standard container, used to build, test and deploy an app quickly, has all the code, config and dependencies and delivers environmental consistency and version control, operational efficiency and developer productivity
-
Virtualization vs Containerization
- Virtualization has a VM and a guest OS, whereas Docker has only the app and its dependencies inside a Docker container
- Docker is faster and escapes from dependency hell
- Isolation between containers
- Code portability
- Microservices: app A in container A and app B in container B, etc.
-
Docker Components
- Image (like an ISO): the file required to boot
- Docker Container: holds everything needed to run, start, stop or delete
- Layers: union file system; an image is built from the layers that are added or updated
- Dockerfile: instructions from which the image, and each of its layers, is created
- Docker Daemon/Engine: runs on Linux and creates the operating environment
- Docker Client: controls the daemon, the interface between us and Docker
- Docker Hub/registries: existing images that we can use or that were created before
-
Amazon ECS: scalable and fast container management service that runs, stops and manages Docker containers on a cluster of EC2 instances via API calls; it also gives access to the state of the cluster
-
Regional; handles ETL workloads and the microservices model
-
An image is a read-only template that creates a Docker container; an image is created from a Dockerfile
-
Images are stored in a registry like Docker Hub or ECR (EC2 Container Registry); developers can use the Docker CLI to push, pull and manage images
-
Task Definition
- Text files in JSON format
- Required to run Docker containers in Amazon ECS
- Specifies the image to be used, the CPU and memory to be used by the container, and whether containers are linked
- Which ports map to the host
- What to do if a container finishes or fails
- Starting commands, environment variables
- IAM roles
- It is like Auto Scaling in that it can help maintain a desired count
-
ECS Cluster
- Logical group of ECS container instances
- Clusters are region specific
- One container instance can be part of one cluster at a time
- IAM policies are applicable to clusters
- Multiple instance types
-
ECS Scheduling
- Helps run a specified number of tasks constantly and reschedules in case of a failure; ensures the ELB is registered with the tasks; we can create our own scheduler or use third-party schedulers like Blox
- ECS schedulers use the state info from the ECS API only
-
- ECS Container Agent
- Allows container instances to connect with the cluster
- Contained in the Amazon ECS AMI, but can be installed on an EC2 instance that supports the ECS spec
- EC2 instances that have:
- Pre-installed on special ECS AMIs
- Linux based (will not work with Windows, but works with Amazon Linux, Ubuntu, RedHat, CentOS)
- ECS Security
- EC2 uses IAM roles to access ECS; ECS tasks use IAM roles to access services and resources
- We can access and configure the OS on EC2 instances in ECS clusters
- ECS Limits
- Clusters per region = 1000 (soft)
- Instances per cluster = 1000 (soft)
- Services per cluster = 500 (soft)
- One load balancer per service (hard)
- SGs work at the instance level, not the task or container level
-
For client-side encryption, use a client library such as the Amazon S3 Encryption Client.
-
When creating a new IAM user, an Access Key ID and Secret Access Key are valid security credentials that are attached to the user
-
Enterprise, Business and Developer are 3 support levels
-
S3: read-after-write consistency for PUTS of new objects and eventual consistency for overwrite PUTS and DELETES
-
Elastic MapReduce can give root access, i.e. it can be SSHed into
-
When trying to grant an Amazon account access to S3 using access control lists, the method of identification is the email address or canonical user ID
-
AWS Import/Export supports import/export with S3, import to EBS, import to Glacier, but not export from Glacier
-
The AWS Trusted Advisor service won't take care of vulnerability scans on existing VPCs
-
You should use Provisioned IOPS for any requirement of 10,000 IOPS or more
-
The different types of virtualization available on EC2: Paravirtual (PV) and Hardware Virtual Machine (HVM)
-
AWS Import/Export allows for the importation of large data sets using external hard disks which are sent directly to Amazon, therefore bypassing the internet, which may be faster.
-
A bucket that has static web hosting enabled on it will always have the format: https://.s3-website-.amazonaws.com
-
DynamoDB is automatically redundant across multiple availability zones.
-
Decommissioning and destruction of storage media is an AWS responsibility
-
OS-level access is possible in EC2 and Elastic MapReduce.
-
Configure encryption when creating the EBS volume. You could use the OS to encrypt a new volume after mounting it to an EC2 instance; however, the quickest and most efficient way is to encrypt the volume when you first provision it.
-
1024 KB is the block size in Redshift columnar storage
-
In an Auto Scaling group, if there is more than one Availability Zone with this number of instances, Auto Scaling selects the Availability Zone with the instances that use the oldest launch configuration.
-
You can make use of OS-level logging tools such as iptables and log events to CloudWatch or S3.
-
The "Owner" refers to the identity and email address used to create the AWS account.
-
SQS long polling doesn't return a response until a message arrives in the queue, reducing your overall cost over time. Short polling WILL return empty responses. (ReceiveMessageWaitTimeSeconds)
-
Proactive Cyclic Scaling allows you to scale during the desired time window.
-
Once a VPC is set to Dedicated hosting, it is not possible to change the VPC or the instances to Default hosting.
-
With the Resource Groups tool, you use a single page to view and manage your resources.
-
Route53 has a security feature that prevents internal DNS from being read by external sources. The work around is to create a EC2 hosted DNS instance that does zone transfers from the internal DNS, and allows itself to be queried by external servers.
-
A public IP address is not managed on the instance; it is an alias applied as a network address translation of the private IP address
-
Strongly consistent reads can be used in development, but the cost can increase
-
VPC peering does not support edge-to-edge routing.
-
Poor timing of SQS processes can significantly impact the cost effectiveness of the solution.
-
AWS does not copy launch permissions, user-defined tags, or Amazon S3 bucket permissions from the source AMI to the new AMI.
-
The combined value and name must not exceed 400 KB in DynamoDB
-
AWS Instance Store loses its data when:
- the underlying disk fails
- the instance stops
- the instance terminates
- It will not lose data on a reboot. An AMI created from the instance will not contain the instance store data.
-
For data integrity it is good to stop the instance, then take a snapshot and then create an AMI from an EBS-backed instance; otherwise AWS takes care of rebooting if we create an AMI snapshot without stopping. Snapshots are incremental, and both snapshots and AMIs incur charges unless deleted
-
Reduce the input split size in the Elastic MapReduce configuration and increase the number of simultaneous mapper tasks to get more processing
-
HTTPS is for client-server connections, and SSL/TLS is for server-to-server connections, e.g. a DB connection
-
By default all incoming requests are denied; an explicit allow overrides the default deny, and an explicit deny overrides any allow
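As an added illustration of the evaluation rule above (example policy, not from the page; bucket name is a constructed placeholder), the policy below allows every S3 action on one bucket and then explicitly denies deletes on it. Because explicit deny wins, `s3:DeleteObject` is refused even though the first statement would have allowed it; any action on a bucket not named here is not matched by either statement and falls back to the default deny.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAllOnBucket",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-app-data",
        "arn:aws:s3:::example-app-data/*"
      ]
    },
    {
      "Sid": "ExplicitDenyBeatsAllow",
      "Effect": "Deny",
      "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
      "Resource": [
        "arn:aws:s3:::example-app-data",
        "arn:aws:s3:::example-app-data/*"
      ]
    }
  ]
}
```

This pattern is the usual way to hand a broad allow to a team while keeping destructive actions off the table: the deny statement cannot be overridden by any other allow attached to the same identity, which is exactly the behaviour the note above describes.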
-
EMR has a Hadoop engine
-
Elastic Beanstalk: the worker environment tier provisions resources to handle background processing tasks; the tier that processes web requests is the web server tier
-
In NoSQL, there is only one secondary index and it is created at the time of creating the table
-
Server access logs provide a record of any access to the S3 object.
-
Signed URLs allow controlled access for authenticated users.
-
On-Demand EC2 instances are billed on an hourly basis and we can stop them explicitly; Reserved instances are like a longer-term contract, and Dedicated ones run on specific hardware. An Elastic IP stays with the EC2 instance even after stopping.
-
A VPC endpoint enables you to create a private connection between your VPC and another AWS service without requiring access over the Internet, through a NAT device, a VPN connection, or AWS Direct Connect.
-
Elastic Network Interfaces in a VPC: an EC2 instance with an additional IP address assigned through an ENI becomes dual-homed
-
IPsec is a VPC security protocol.
-
The VPG is on the AWS VPC side; the CGW is on the customer side of the VPC connection
-
A DHCP option set helps resolve DNS names outside AWS.
-
When an EC2-VPC instance is stopped, the EIP remains attached, the ENI is detached, and the underlying host computer is changed
-
Auto Scaling: manual, scheduled, on demand, maintain a given number of instances (replace the unhealthy ones with new ones)
-
Elastic Load Balancer: Internet-facing, internal, HTTPS (using SSL)
-
Auto Scaling has a minimum size and a launch configuration
-
An IAM policy has: action, service, resource, effect (ASE R: "assistant software engineer resources")
-
EC2 roles produce tokens
-
MFA, Passcode policy, ip address policy
-
AWS RDS read replicas can be created across regions and are supported in Aurora, PostgreSQL, MySQL. Replication can be done across geographies/regions
-
An SQS queue has a default visibility timeout of 30 seconds, extendable to 12 hours. A long-polling ReceiveMessage waits for 1 to 20 seconds; otherwise execute the ReceiveMessage call again
-
In SNS the publisher sends a message to subscribers via a Topic
-
SQS messages have the properties MessageID and Body; the Body contains key-value pairs of uninterpreted data
-
Multiple SWF workflows in the same domain can interact with each other, but ones in another domain can not. SWF ensures that a task is done only ONCE.
-
Create an SNS topic and have multiple SQS queues subscribe to the SNS topic.
-
SQS default message retention is 4 days and the max is 14 days; SWF has 1 year retention.
-
After a topic name is deleted, a new one can be created in 30-60 seconds; this also depends on the number of active subscribers
-
After SNS publishes to a topic successfully, the message can not be recalled
-
Long polling max wait is 20 seconds
-
SQS won't guarantee delivery order.
-
MS SQL Enterprise can be provisioned in AWS RDS on a Bring Your Own Licence basis
-
MySQL, MariaDB, PostgreSQL, Aurora have read replicas.
-
All AWS RDS engines have Multi-AZ. A Query is best suited to find one object or its metadata.
-
SPF records are used to verify authorised mail sent from your domain
-
All DNS zones have SOA records by default
-
Route 53 does health checks, DNS registration and DNS service, but not load balancing
-
A CNAME can be used to map one domain name to another
-
TXT records are used to store raw info about a host
-
Route 53 can create public and private hosted zones; TCP is used when the response size exceeds 512 bytes, UDP is used to serve most requests
-
Route 53 can route to S3 static websites, ELB, EC2, RDS, CloudFront
-
Redis is used when we need to take backups and restore, sort and rank (suited to leaderboard apps), clones and read replicas. Memcached is a simple object store for simple partitioning
- Redis scales horizontally: replication group and add clusters
- Memcached: add nodes to clusters
- Redis has one node, Memcached has 20 nodes by default limit
- Auto Discovery can be turned on on the client side for scaling events
-
Chef is related to OpsWorks. Beanstalk is related to just deploying code; the service takes care of provisioning resources, Auto Scaling, firewalls and configuration
-
AWS Config
-
AWS IT controls include people, technology and processes.
-
For a distributed denial of service, to minimize the attack area:
- Reduce the number of internet entry points.
- Obfuscate necessary internet entry points to a level that untrusted end users can not access them.
- Hiding non-critical entry points
-
AZ: has multiple data centers with redundant power and networking capabilities.
-
S3 web-hosted URL format: example-bucket-name.s3-website-AWS-region.amazonaws.com
-
An object docs/doc1.html in examplebucket: http://examplebucket.s3-website-us-east-1.amazonaws.com/docs/doc1.html