Amazon Web Services (AWS) & Microsoft Azure & Alibaba Cloud & Google Cloud Platform (GCP)

PlAwAnSaI

Administrator

Multi Factor Authentication - MFA:
  • Users have access to account and can possibly change configurations or delete resources in AWS account
  • Want to protect Root Accounts and IAM users
  • MFA = password you know + security device you own
  • Alice > Password + MFA => Successful login
  • Main benefit of MFA:
    if a password is stolen or hacked, the account is not compromised
MFA devices options in AWS:
  • Virtual MFA device: Google Authenticator (phone only), Authy (multi-device), Duo
    Support for multiple tokens on a single device.
  • Universal 2nd Factor (U2F) Security Key: YubiKey by Yubico (3rd party)
    Support for multiple root and IAM users using a single security key
  • Hardware Key Fob MFA Device:
    Provided by Gemalto (3rd party)
  • Hardware Key Fob MFA Device for AWS GovCloud (US):
    Provided by SurePassID (3rd party)
How can users access AWS?:
  • To access AWS, there are three options:
    • AWS Management Console (protected by password + MFA)
    • Command Line Interface (CLI): protected by access keys
    • Software Developer Kit (SDK) - for code: protected by access keys
  • Access Keys are generated through the AWS Console
  • Users manage their own access keys
  • Access Keys are secret, just like a password. Don't share them
  • Access Key ID ~= username
  • Secret Access Key ~= password
Example Access Keys:
  • Access key ID: AKIAREOC3O54I7ZEOWVC
  • Secret Access Key: VEcVINNDMqR5VnywD/oXQ7YHRmIt7tDcKpATsq6q
  • Remember: don't share access keys
IAM Roles for Services:
  • Some AWS services will need to perform actions on your behalf
  • To do so, we will assign permissions to AWS services with IAM Roles
  • Common roles:
    • EC2 Instance Roles
    • Lambda Function Roles
    • Roles for CloudFormation
IAM Security Tools:
  • IAM Credentials Report (account-level)
    • a report that lists all the account's users and the status of their various credentials
  • IAM Access Advisor (user-level)
    • Access advisor shows the service permissions granted to a user and when those services were last accessed.
    • Can use this information to revise policies.
IAM Guidelines & Best Practices:
  • Don't use the root account except for AWS account setup
  • One physical user = One AWS user
  • Assign users to groups and assign permissions to groups
  • Create a strong password policy
  • Use and enforce the use of Multi Factor Authentication (MFA)
  • Create and use Roles for giving permissions to AWS services
  • Use Access Keys for Programmatic Access (CLI / SDK)
  • Audit permissions of account with the IAM Credentials Report
  • Never share IAM users & Access Keys
Summary:
  • Users: mapped to a physical user, has a password for the AWS Console
  • Groups: contain users only
  • Policies: JSON document that outlines permissions for users or groups
  • Roles: for EC2 instances or AWS services
  • Security: MFA + password policy
  • Access Keys: access AWS using the CLI or SDK
  • Audit: IAM Credential Reports and IAM Access Advisor
  • An IAM entity that defines a set of permissions for making AWS service requests, that will be used by AWS services is a proper definition of IAM Roles.
  • IAM Credentials Report is an IAM Security Tool. It lists all account's users and the status of their various credentials.
    The other IAM Security Tool is an IAM Access Advisor. It shows the service permissions granted to a user and when those services were last accessed.
  1. A company has a mobile game that reads most of its metadata from an Amazon RDS DB instance. As the game increased in popularity, developers noticed slowdowns related to the game's metadata load times. Performance metrics indicate that simply scaling the database will not help. A solution architect must explore all options that include capabilities for snapshots, replication, and sub-millisecond response times. The solution architect should recommend adding an Amazon ElastiCache for Redis layer in front of the database to solve the issues.
  2. A company has implemented one of its micro-services on AWS Lambda that accesses an Amazon DynamoDB table named Books. A solution architect is designing an IAM policy to be attached to the Lambda function's IAM role, giving it access to put, update, and delete items in the Books table. The IAM policy must prevent the function from performing any other actions on the Books table or any other. The IAM policy that would fulfill these needs and provide the LEAST privileged access is:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "PutUpdateDeleteOnBooks",
          "Effect": "Allow",
          "Action": [
            "dynamodb:PutItem",
            "dynamodb:UpdateItem",
            "dynamodb:DeleteItem"
          ],
          "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/Books"
        }
      ]
    }
  3. A solution architect is designing the cloud architecture for a company that needs to host hundreds of machine learning models for its users. During startup, the models need to load up to 10 GB of data from Amazon S3 into memory, but they do not need disk access. Most of the models are used sporadically, but the users expect all of them to be highly available and accessible with low latency. Deploying the models as Amazon Elastic Container Service (Amazon ECS) services behind an Application Load Balancer for each model is the solution that meets the requirements and is MOST cost-effective.
  4. A company hosts a popular web application. The web application connects to a database running in a private VPC subnet. The web servers must be accessible only to customers on an SSL connection (open an HTTPS port on the security group for the web server and set the source to 0.0.0.0/0). The Amazon RDS for MySQL database service must be accessible only from the web servers (open the MySQL port on the database security group and attach it to the MySQL instance; set the source to the web server security group). This is the solution which a solution architect should design to meet the requirements without impacting applications.
  5. A company has a website deployed on AWS. The database backend is hosted on Amazon RDS for MySQL with a primary instance and five read replicas to support scaling needs. The read replicas should lag no more than 1 second behind the primary instance to support the user experience. As traffic on the website continues to increase, the replicas are falling further behind during periods of peak load, resulting in complaints from users when searches yield inconsistent results. A solution architect needs to reduce the replication lag as much as possible, with minimal changes to the application code or operational requirements. Migrating the database to Amazon Aurora MySQL, replacing the MySQL read replicas with Aurora Replicas and enabling Aurora Auto Scaling is the solution that meets these requirements.
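The virtual MFA devices listed above (Google Authenticator, Authy, Duo) implement time-based one-time passwords from RFC 6238, which is also what IAM checks when a user signs in with a virtual MFA device. The following is an added example, not code from the original post or from AWS, showing how a six-digit code is derived from a shared seed and how a verifier checks it with a small clock-drift window. The base32 demo seed is the RFC 6238 reference secret, used here as a constructed value; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    t = int(time.time()) if for_time is None else int(for_time)
    return hotp(secret, t // step, digits)


def verify_totp(secret, code, for_time=None, step=30, window=1):
    """Server-side check: accept the current step plus +/- `window` neighbouring
    steps to tolerate clock drift between phone and server, comparing in
    constant time so the check does not leak how many digits matched."""
    t = int(time.time()) if for_time is None else int(for_time)
    candidates = (totp(secret, t + d * step, step) for d in range(-window, window + 1))
    return any(hmac.compare_digest(c, code) for c in candidates)


def secret_from_base32(encoded):
    """Virtual MFA apps are seeded with a base32 string (the QR-code payload);
    re-add the '=' padding that is usually dropped when the seed is displayed."""
    encoded = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(encoded + "=" * (-len(encoded) % 8))


# Constructed demo seed: the RFC 6238 reference secret "12345678901234567890", base32-encoded.
DEMO_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    secret = secret_from_base32(DEMO_SEED_B32)
    print("code for T=59:", totp(secret, 59))  # 287082 (RFC 6238 test vector, 6 digits)
    print("code right now:", totp(secret))
    print("verify:", verify_totp(secret, totp(secret)))
```

The seed is the long-lived secret here: a stolen password alone does not produce a valid code, but a leaked seed does, which is why the QR code shown at MFA enrolment should be treated like the password itself.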
 

PlAwAnSaI

Administrator

  • IAM Users:
    • Can belong to multiple groups
    • Don't have to belong to a group
    • Can have policies assigned to them
    • Access AWS using a username and a password
  • Not using the root user account is an IAM best practice.
    You only want to use the root account to create the first IAM user, and for a few account and service management tasks. For everyday and administration tasks, use an IAM user with permissions.
  • JSON documents that define Users', Groups' or Roles' permissions are IAM Policies.
    An IAM policy is an entity that, when attached to an identity or resource, defines their permissions.
  • The "grant least privilege" principle should apply regarding IAM Permissions.
    Don't give more permissions than the user needs.
  • Enabling Multi-Factor Authentication (MFA) is what you should do to increase root account security.
    It adds a layer of security, so even if the password is stolen, lost or hacked, the account is not compromised.
EC2 sizing & configuration options:
  • Operating System (OS): Linux, Windows or Mac OS
  • How much:
    • compute power & cores (CPU)
    • random-access memory (RAM)
    • storage space: Network-attached (EBS & EFS) / hardware (EC2 Instance Store)
  • Network card: speed of the card, Public IP address
  • Firewall rules: security group
  • Bootstrap script (configure at first launch): EC2 User Data
EC2 instance types: example
  • Instance: t2.micro, vCPU: 1, Mem 1 GiB, Storage: EBS-Only, Network Performance: Low to Moderate - is part of the AWS free tier (up to 750 hours per month)
  • t2.xlarge - 4 vCPU, Mem 16 GiB, Storage: EBS-Only, Network Performance: Moderate
  • c5d.4xlarge - 16 vCPU 32 GiB, Storage: 1 x 400 NVMe SSD, Network Performance: Up to 10 Gbps, EBS Bandwidth: 4.75 Gbps
  • r5.16xlarge - 64 vCPU 512 GiB, EBS-Only, Network Performance: 20 Gbps, EBS Bandwidth: 13.6 Gbps
  • m5.8xlarge - 32 vCPU 128 GiB, EBS-Only, Network 10 Gbps, EBS Bandwidth: 6.8 Gbps
    • m: instance class/family
    • 5: generation (AWS improves them over time)
    • 8xlarge: size within the instance class
  1. A company has two applications: a sender application that sends messages with payloads to be processed and a processing application intended to receive messages with payloads. The company wants to implement an AWS service to handle messages between the two applications. The sender application can send about 1,000 messages each hour. The messages may take up to 2 days to be processed. If the messages fail to process, they must be retained so that they do not impact the processing of any remaining messages. Integrating the sender and processor applications with an Amazon Simple Queue Service (Amazon SQS) queue and configuring a dead-letter queue to collect the messages that failed to process is the solution that meets these requirements and is the MOST operationally efficient.
  2. A solution architect must create a highly available bastion host architecture. The solution needs to be resilient within a single AWS Region and should require only minimal effort to maintain. The solutions architect should create a Network Load Balancer backed by an Auto Scaling group with instances in multiple Availability Zones as the target to meet these requirements.
  3. A company hosts its multi-tier applications on AWS. For compliance, governance, auditing, and security, the company must track configuration changes on its AWS resources and record a history of API calls made to these resources. A solution architect should use AWS Config to track configuration changes and AWS CloudTrail to record API calls.
  4. A solution architect is moving the static content from a public website hosted on Amazon EC2 instances to an Amazon S3 bucket. An Amazon CloudFront distribution will be used to deliver the static assets. The security group used by the EC2 instances restricts access to a limited set of IP ranges. Access to the static content should be similarly restricted. The combination of steps that will meet these requirements is:
    Create an origin access identity (OAI) and associate it with the distribution. Change the permissions in the bucket policy so that only the OAI can read the objects.
    Create an AWS WAF web ACL that includes the same IP restrictions that exist in the EC2 security group. Associate this new web ACL with the CloudFront distribution.
  5. An application running on AWS uses an Amazon Aurora Multi-AZ deployment for its database. When evaluating performance metrics, a solution architect discovered that the database reads are causing high I/O and adding latency to the write requests against the database. The solution architect should create a read replica and modify the application to use the appropriate endpoint to separate the read requests from the write requests.
    Aurora Replicas are independent endpoints in an Aurora DB cluster, best used for scaling read operations and increasing availability. Up to 15 Aurora Replicas can be distributed across the Availability Zones that a DB cluster spans within an AWS Region.
    The DB cluster volume is made up of multiple copies of the data for the DB cluster. However, the data in the cluster volume is represented as a single, logical volume to the primary instance and to Aurora Replicas in the DB cluster.



    Aurora Fault Tolerance:
    • Fault tolerance across 3 AZs
    • Single logical volume
    • Aurora Replicas scale-out read requests
    • Up to 15 Aurora Replicas with sub-10ms replica lag
    • Aurora Replicas are independent endpoints
    • Can promote Aurora Replica to be a new primary or create new primary
    • Set priority (tiers) on Aurora Replicas to control order of promotion
    • Can use Auto Scaling to add replicas
    As well as providing scaling for reads, Aurora Replicas are also targets for multi-AZ. In this case the solution architect can update the application to read from the Multi-AZ standby instance.
  6. A company has multiple AWS accounts with applications deployed in the us-west-2 Region. Application logs are stored within Amazon S3 buckets in each account. The company wants to build a centralized log analytics solution that uses a single S3 bucket. Logs must not leave us-west-2 and the company wants to incur minimal operational overhead. Creating an S3 Lifecycle policy that copies the objects from one of the application S3 buckets to the centralized S3 bucket is the MOST cost-effective solution.
  7. A company is preparing to store confidential data in Amazon S3. For compliance reasons, the data must be encrypted at rest. Encryption key usage must be logged for auditing purposes. Keys must be rotated every year. Server-side encryption with AWS KMS (SSE-KMS) customer master keys (CMKs) with automatic rotation is the MOST operationally efficient solution.
  8. An application launched on Amazon EC2 instances needs to publish Personally Identifiable Information (PII) about customers using Amazon Simple Notification Service (Amazon SNS). The application is launched in private subnets within an Amazon VPC. Using AWS PrivateLink is the MOST secure way to allow the application to access service endpoints in the same AWS Region.
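The instance-type naming scheme explained above (m5.8xlarge = family m, generation 5, size 8xlarge) also carries attribute letters between the generation and the dot, such as the d in c5d.4xlarge or the zn in M5zn. The parser below is an added example, not code from the original post or from AWS; the regular expression and the attribute-letter meanings (a = AMD, d = local NVMe instance store, g = Graviton, n = network optimized, z = high frequency) are this example's assumptions drawn from the type names that appear on this page, and names outside that pattern are rejected rather than guessed.

```python
import re
from dataclasses import dataclass

# family letters, generation digits, optional attribute letters, ".", size token
_TYPE_RE = re.compile(r"^(?P<family>[a-z]+)(?P<generation>\d+)(?P<attrs>[a-z]*)\.(?P<size>[a-z0-9]+)$")

# Assumed meanings of the attribute letters seen in the type names on this page.
ATTRIBUTE_MEANINGS = {
    "a": "AMD processors",
    "d": "local NVMe instance store",
    "g": "AWS Graviton (Arm) processors",
    "n": "network optimized",
    "z": "high-frequency processors",
}


@dataclass(frozen=True)
class InstanceType:
    family: str
    generation: int
    attributes: str
    size: str

    @property
    def bare_metal(self):
        # Nitro bare-metal variants use the literal size "metal" (e.g. c5.metal)
        return self.size == "metal"

    def describe(self):
        extras = [ATTRIBUTE_MEANINGS.get(ch, f"unknown attribute '{ch}'") for ch in self.attributes]
        base = f"{self.family.upper()} family, generation {self.generation}, size {self.size}"
        return base + (", " + ", ".join(extras) if extras else "")


def parse_instance_type(name):
    """Split an EC2 instance type name into family, generation, attributes and size.
    Raises ValueError for names that do not follow the family+generation.size pattern."""
    match = _TYPE_RE.match(name.strip().lower())
    if not match:
        raise ValueError(f"unrecognised instance type name: {name!r}")
    return InstanceType(match["family"], int(match["generation"]), match["attrs"], match["size"])


if __name__ == "__main__":
    # Constructed inputs taken from the type names listed on this page.
    for sample in ["t2.micro", "c5d.4xlarge", "m5zn.metal", "r5.16xlarge"]:
        print(sample, "->", parse_instance_type(sample).describe())
```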
 

PlAwAnSaI

Administrator

EC2 instance types/families:
  • General Purpose:
    • Great for a diversity of workloads such as web servers or code repositories
    • Balance between Compute, Memory, and Networking
    • Mac, T4g, T3, T3a, T2, M6g, M5, M5a, M5n, M5zn, M4, and A1
  • Compute Optimized:
    • Great for compute-intensive tasks that require high performance processors:
      • Batch processing workloads
      • Media transcoding
      • High Performance web servers / Computing (HPC)
      • Scientific modeling & machine learning
      • Dedicated gaming servers
    • C6g, C6gn, C5, C5a, C5n, and C4
  • Memory optimized:
    • Fast performance for workloads that process large data sets in memory
    • Use cases:
      • High performance, relational/non-relational databases
      • Distributed web scale cache stores
      • In-memory databases optimized for BI (Business Intelligence)
      • Applications performing real-time processing of big unstructured data
    • R6g, R5, R5a, R5b, R5n, R4, X1e, X1, High Memory, and z1d
  • Storage Optimized:
    • Great for storage-intensive tasks that require high, sequential read and write access to large data sets on local storage
    • Use cases:
      • High frequency OnLine Transaction Processing (OLTP) systems
      • Relational & NoSQL databases
      • Cache for in-memory databases (for example, Redis)
      • Data warehousing applications
      • Distributed file systems
    • I3, I3en, D2, D3, D3en, and H1
  • Accelerated computing
Classic Ports to know:
  • 21 = FTP (File Transfer Protocol) - upload files into a file share
  • 22 = SSH (Secure Shell) - log into a Linux instance
    And SFTP (Secure File Transfer Protocol) - upload files using SSH
  • 80 = HTTP - access unsecured websites
  • 443 = HTTPS - access secured websites
  • 1433 = Microsoft SQL
  • 3389 = RDP (Remote Desktop Protocol) - log into a Windows instance
  1. A company receives structured and semi-structured data from various sources once every day. A solution architect needs to design a solution that leverages big data processing frameworks. The data should be accessible using SQL queries and business intelligence tools. The solution architect should recommend using Amazon EMR to process the data and Amazon Redshift to store the data to build the MOST high-performing solution.
  2. The company must optimize its S3 storage costs while maintaining high availability and resiliency of stored assets. An image hosting company uploads its large assets to Amazon S3 Standard buckets. The company uses multipart upload in parallel by using S3 APIs and overwrites if the same object is uploaded again (Configure an S3 Lifecycle policy to clean up expired object delete markers). For the first 30 days after upload the objects will be accessed frequently. The objects will be used less frequently after 30 days but the access patterns for each object will be inconsistent (Move assets to S3 Standard-Infrequent Access (S3 Standard-IA) after 30 days).
  3. A company's legacy application is currently relying on a single-instance Amazon RDS MySQL database without encryption. Due to new compliance requirements, all existing and new data in this database must be encrypted. Taking a snapshot of the RDS instance, creating an encrypted copy of the snapshot, and restoring the RDS instance from the encrypted snapshot is how this should be accomplished.
  4. A company designed a stateless two-tier application that uses Amazon EC2 in a single Availability Zone and an Amazon RDS multi-AZ DB instance. New company management wants to ensure the application is highly available. A solution architect should configure Amazon Route 53 rules to handle incoming requests and create a multi-AZ Application Load Balancer.
  5. A company's dynamic website is hosted using on-premises servers in the United States. The company is launching its product in Europe and it wants to optimize site loading times for new European users. The site's backend must remain in the United States. The product is being launched in a few days, and an immediate solution is needed. The solution architect should recommend using Amazon CloudFront with a custom origin pointing to the on-premises servers.
  6. A global company plans to track and store information about local allergens in an Amazon DynamoDB table and query this data from its website. The company anticipates that website traffic will fluctuate. The company estimates that the combined read and write capacity units will range from 10 to 10,000 per second, depending on the severity of the conditions for the given day. A solution architect must design a solution that avoids throttling issues and manages capacity efficiently. The solutions architect should use provisioned capacity mode and a scaling policy in DynamoDB auto scaling to meet these requirements MOST cost-effectively.
  7. A company operates an ecommerce website on Amazon EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group. The site is experiencing performance issues related to a high request rate from illegitimate external systems with changing IP addresses. The security team is worried about potential DDoS attacks against the website. The company must block the illegitimate incoming requests in a way that has a minimal impact on legitimate users. A solution architect should recommend deploying AWS WAF, associating it with the ALB, and configuring a rate-limiting rule.
    Rate limit:
    For a rate-based rule, enter the maximum number of requests to allow in any five-minute period from an IP address that matches the rule's conditions. The rate limit must be at least 100.
    You can specify a rate limit alone, or a rate limit and conditions. If you specify only a rate limit, AWS WAF places the limit on all IP addresses. If you specify a rate limit and conditions, AWS WAF places the limit on IP addresses that match the conditions.
    When an IP address reaches the rate limit threshold, AWS WAF applies the assigned action (block or count) as quickly as possible, usually within 30 seconds. Once the action is in place, if five minutes pass with no requests from the IP address, AWS WAF resets the counter to zero.
  8. A company is deploying an application that processes large quantities of data in parallel. The company plans to use Amazon EC2 instances for the workload. The network architecture must be configurable to provide the lowest possible latency between nodes. This is achieved by placing the EC2 instances in a single Availability Zone and running the EC2 instances in a cluster placement group.
  9. A company is migrating a Linux-based web server group to AWS. The web servers must access files in a shared file store for some content. To meet the migration date, minimal changes can be made. A solution architect should create an Amazon Elastic File System (Amazon EFS) volume and mount it on all web servers.
  10. A mobile gaming company runs application servers on Amazon EC2 instances. The servers receive updates from players every 15 minutes. The mobile game creates a JSON object of the progress made in the game since the last update, and sends the JSON object to an Application Load Balancer. As the mobile game is played, game updates are being lost. The company wants to create a durable way to get the updates in order. A solution architect should recommend using an Amazon Simple Queue Service (Amazon SQS) FIFO queue to capture the data and EC2 instances to process the messages in the queue to decouple the system.
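The rate-based rule described under question 7 counts requests per source IP over a five-minute period and starts blocking once the count exceeds the limit, then forgets the address after five quiet minutes. The simulation below is an added example, not code from the original post or from AWS WAF itself: it replays constructed ALB-style access log lines through a per-IP sliding window with the page's minimum limit of 100, so you can see which client gets blocked, how many of its requests are dropped, and that its counter is reset when it returns later. The log format, client addresses and the `RateBasedRule` class are this example's assumptions; real WAF applies the action asynchronously (usually within 30 seconds) rather than on the exact request that crosses the limit.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)  # AWS WAF rate-based rules count requests per 5-minute period
RATE_LIMIT = 100               # the smallest limit AWS WAF accepts, used as the constructed threshold


def parse_line(line):
    """Constructed log format: '<ISO-8601 timestamp> <client IP> <method> <path>'."""
    ts, ip, method, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), ip, f"{method} {path}"


class RateBasedRule:
    """Per-IP sliding window: a request is blocked when more than `limit`
    requests from that IP fall inside the trailing `window`."""

    def __init__(self, limit=RATE_LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def decide(self, ts, ip):
        q = self.hits[ip]
        while q and ts - q[0] >= self.window:  # forget requests outside the 5-minute period
            q.popleft()
        q.append(ts)
        return "BLOCK" if len(q) > self.limit else "ALLOW"


def replay(lines, limit=RATE_LIMIT):
    """Run every log line through the rule; return per-IP allowed/blocked counts."""
    rule = RateBasedRule(limit)
    stats = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for line in lines:
        ts, ip, _ = parse_line(line)
        key = "blocked" if rule.decide(ts, ip) == "BLOCK" else "allowed"
        stats[ip][key] += 1
    return dict(stats)


def build_sample_log():
    """Constructed traffic: one legitimate client at 2 requests/minute, one abusive
    client sending 150 requests in 150 seconds, then returning 20 minutes later."""
    base = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(20):
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()} 198.51.100.10 GET /products")
    for i in range(150):
        lines.append(f"{(base + timedelta(seconds=60 + i)).isoformat()} 203.0.113.7 GET /search?q=x")
    for i in range(5):
        lines.append(f"{(base + timedelta(minutes=20, seconds=i)).isoformat()} 203.0.113.7 GET /search?q=y")
    lines.sort()  # same ISO format, so string order is chronological
    return lines


if __name__ == "__main__":
    for ip, counts in replay(build_sample_log()).items():
        print(f"{ip:>14}: allowed={counts['allowed']:<4} blocked={counts['blocked']}")
```

The abusive address is allowed its first 100 requests and loses the remaining 50; when it returns after a 20-minute gap every old timestamp has aged out of the window, so its five new requests are allowed, which mirrors the counter reset described above. The legitimate client never comes near the limit and is untouched, which is the "minimal impact on legitimate users" property the question asks for.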
 

PlAwAnSaI

Administrator

EC2 Nitro:
  • Underlying Platform for the next generation of EC2 instances
  • New virtualization technology
  • Allows for better performance:
    • Better networking options (enhanced networking, HPC, IPv6)
    • Higher Speed EBS (Nitro is necessary for 64,000 EBS IOPS - max 32,000 on non-Nitro)
  • Better underlying security
  • Instance types example:
    • Virtualized: A1, C5, C5a, C5ad, C5d, C5n, C6g, C6gd, C6gn, D3, D3en, G4, I3en, Inf1, M5, M5a, M5ad, M5d, M5dn, M5n, ....
    • Bare metal: a1.metal, c5.metal, c5d.metal, c5n.metal, c6g.metal, c6gd.metal...
Understanding vCPU:
  • Multiple threads can run on one CPU (multithreading)
  • Each thread is represented as a virtual CPU (vCPU)
  • Example: m5.xlarge: 4 CPU, 2 threads per CPU => 8 vCPU in total
Optimizing CPU options:
  • EC2 instances come with a combination of RAM and vCPU
  • But in some cases, you may want to change the vCPU options:
    • # of CPU cores: can decrease it (helpful if you need high RAM and a low number of CPUs) - to decrease licensing costs
    • # of threads per core: disable multithreading to have 1 thread per CPU - helpful for high performance computing (HPC) workloads
  • Only specified during instance launch
Capacity Reservations:
  • Ensure you have EC2 Capacity when needed
  • Manual or planned end-date for the reservation
  • No need for 1 or 3-year commitment
  • Capacity access is immediate, get billed as soon as it starts
  • Specify:
    • The Availability Zone in which to reserve the capacity (only one)
    • The number of instances for which to reserve capacity
    • The instance attributes, including the instance type, tenancy, and platform/OS
  • Combine with Reserved Instances and Savings Plans to do cost saving
Scalability & High Availability:
  • Scalability means that an application / system can handle greater loads by adapting.
  • There are two kinds of scalability:
    • Vertical Scalability
    • Horizontal Scalability (= elasticity)
  • Scalability is linked to but different from High Availability
  • Let's deep dive into the distinction, using a call center as an example
Vertical Scalability:
  • Means increasing the size of the instance
  • For example, an application runs on a t2.micro
  • Scaling that application vertically means running it on a t2.large
  • Is very common for non distributed systems, such as a database.
  • RDS, ElastiCache are services that can scale vertically.
  • There's usually a limit to how much you can vertically scale (hardware limit)
Horizontal Scalability:
  • Means increasing the number of instances / systems for application
  • Horizontal scaling implies distributed systems.
  • This is very common for web applications / modern applications
  1. A prediction process requires access to a trained model that is stored in an Amazon S3 bucket. The process takes a few seconds to process an image and make a prediction. The process is not overly resource-intensive, does not require any specialized hardware, and takes less than 512 MB of memory to run. AWS Lambda functions are the MOST effective compute solution for this use case.
  2. A solution architect is designing a new workload in which an AWS Lambda function will access an Amazon DynamoDB table. Creating an IAM role with the necessary permissions to access the DynamoDB table and assigning the role to the Lambda function is the MOST secure means of granting the Lambda function access to DynamoDB.
  3. A company is running a multi-tier web application on AWS. The application runs its database tier on Amazon Aurora MySQL. The application and database tiers are in the us-east-1 Region. A database administrator who regularly monitors the Aurora DB cluster finds that an intermittent increase in read traffic is creating high CPU utilization on the read replica and causing increased read latency of the application. A solution architect should Configure Aurora Auto Scaling for the read replica to improve read scalability.
  4. A company hosts a static website on-premises and wants to migrate the website to AWS. The website should load as quickly as possible for users around the world. The company also wants the most cost-effective solution/option. A solution architect should Copy the website content to an Amazon S3 bucket (Cheaper than EC2). Configure the bucket to serve/host static webpage content. To enable good performance for global users should Configure Amazon CloudFront with the S3 bucket as the origin. This will cache the static content around the world closer to users.
  5. A company wants to host a web application on AWS that will communicate to a database within a VPC. The application should be highly available. A solution architect should recommend Deploy a load balancer in multiple Availability Zones with an Auto Scaling group for the web servers, and then deploy Amazon RDS in multiple Availability Zones.
  6. A recent analysis of a company's IT expenses highlights the need to reduce backup costs. The company's chief information officer wants to simplify the on-premises backup infrastructure and reduce costs by eliminating the use of physical backup tapes. The company must preserve the existing investment in the on-premises backup applications and workflows. A solution architect should recommend Set up AWS Storage Gateway to connect with the backup applications using the iSCSI-virtual tape library (VTL) interface.
    Tape Gateway:
    • Some companies have backup processes using physical tapes (!)
    • With Tape Gateway, companies use the same processes but in the cloud
    • Virtual Tape Library (VTL) backed by Amazon S3 and Glacier
    • Back up data using existing tape-based processes (and iSCSI interface)
    • Works with leading backup software vendors.
  7. A company is preparing to deploy a data lake on AWS. A solution architect must define the encryption strategy for data at rest in Amazon S3. The company's security policy states:
    • Keys must be rotated every 90 days.
    • Strict separation of duties between key users and key administrators must be implemented.
    • Auditing key usage must be possible.
    The solutions architect should recommend Server-side encryption with AWS KMS managed keys (SSE-KMS) with customer managed customer master keys (CMKs).
  8. A recently acquired company is required to build its own infrastructure on AWS and migrate multiple applications to the cloud within a month. Each application has approximately 50 TB of data to be transferred. After the migration is complete, this company and its parent company will require secure network connectivity with consistent throughput from their data centers to the applications. A solutions architect must ensure one-time data migration and ongoing network connectivity. Using AWS Snowball for the initial transfer and AWS Direct Connect for ongoing connectivity is the solution that will meet these requirements.
  9. A user has underutilized on-premises resources. The Elasticity AWS Cloud concept can BEST address this issue.
 

PlAwAnSaI

Administrator

EBS Snapshots:
  • Make a backup (snapshot) of EBS volume at a point in time
  • Not necessary to detach volume to do snapshot, but recommended
  • Can copy snapshots across AZ or Region
AMI Overview:
  • AMI = Amazon Machine Image
  • AMIs are a customization of an EC2 instance
    • Add own software, configuration, operating system, monitoring...
    • Faster boot / configuration time because all software is pre-packaged
  • AMIs are built for a specific region (and can be copied across regions)
  • Can launch EC2 instances from:
    • A Public AMI: AWS provided
    • Own AMI: make and maintain them yourself
    • An AWS Marketplace AMI: an AMI someone else made (and potentially sells)
AMI Process (from an EC2 instance):
  • Start an EC2 instance and customize it
  • Stop the instance (for data integrity)
  • Build an AMI - this will also create EBS snapshots
  • Launch instances from other AMIs
EC2 Instance Store:
  • EBS volumes are network drives with good but 'limited' performance
  • If need a high-performance hardware disk, use EC2 Instance Store
  • Better I/O performance
  • EC2 Instance Stores lose their storage if they're stopped (ephemeral)
  • Good for buffer / cache / scratch data / temporary content
  • Risk of data loss if hardware fails
  • Backups and Replication are your responsibility
Local EC2 Instance Store: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/storage-optimized-instances.html#i2-instances-diskperf

EBS Volume Types Use cases:
General Purpose SSD:
  • Cost effective storage, low-latency
  • System boot volumes, Virtual desktops, Development and test environments
  • 1 GiB - 16 TiB
  • gp3:
    • Baseline of 3,000 IOPS and throughput of 125 MiB/s
    • Can increase IOPS up to 16,000 and throughput up to 1,000 MiB/s independently
  • gp2:
    • Small gp2 volumes can burst IOPS to 3,000
    • Size of the volume and IOPS are linked, max IOPS is 16,000
    • 3 IOPS per GB, means at 5,334 GB we are at the max IOPS
Provisioned IOPS (PIOPS) SSD:
  • Critical business applications with sustained IOPS performance
  • Or applications that need more than 16,000 IOPS
  • Great for databases workloads (sensitive to storage perf and consistency)
  • io1/io2 (4 GiB - 16 TiB):
    • Max PIOPS: 64,000 for Nitro EC2 instances & 32,000 for other
    • Can increase PIOPS independently from storage size
    • io2 have more durability and more IOPS per GiB (at the same price as io1)
  • io2 Block Express (4 GiB - 64 TiB):
    • Sub-millisecond latency
    • Max PIOPS: 256,000 with an IOPS:GiB ratio of 1,000:1
  • Supports EBS Multi-attach
Hard Disk Drives (HDD):
  • Cannot be a boot volume
  • 125 MiB to 16 TiB
  • Throughput Optimized HDD (st1)
    • Big Data, Data Warehouses, Log Processing
    • Max throughput 500 MiB/s - max IOPS 500
  • Cold HDD (sc1):
    • For data that is infrequently accessed
    • Scenarios where lowest cost is important
    • Max throughput 250 MiB/s - max IOPS 250
  • https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html
EBS Multi-Attach - io1/io2 family:
  • Attach the same EBS volume to multiple EC2 instances in the same AZ
  • Each instance has full read & write permissions to the volume
  • Use case:
    • Achieve higher application availability in clustered Linux applications (ex: Teradata)
    • Applications must manage concurrent write operations
  • Must use a file system that's cluster-aware (not XFS, EXT4, etc...)

  1. A web application runs on Amazon EC2 instances behind an Application Load Balancer. The application allows users to create custom reports of historical weather data. Generating a report can take up to 5 minutes. These long-running requests use many of the available incoming connections, making the system unresponsive to other users. A solution architect can make the system more responsive by using Amazon SQS with AWS Lambda to generate reports.
  2. To ensure that all objects uploaded to an Amazon S3 bucket are encrypted, a solution architect should update the bucket policy to deny PutObject requests that do not have an x-amz-server-side-encryption header set.
  3. An ecommerce website is deploying its web application as Amazon Elastic Container Service (Amazon ECS) container instances behind an Application Load Balancer (ALB). During periods of high activity, the website slows down and availability is reduced. A solution architect uses Amazon CloudWatch alarms to receive notifications whenever there is an availability issue so they can scale out resources. Company management wants a solution that automatically responds to such events: set up AWS Auto Scaling to scale out the ECS service when there are timeouts on the ALB, and set up AWS Auto Scaling to scale out the ECS cluster when the CPU or memory reservation is too high.
  4. A company runs a web service on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group across two Availability Zones. The company needs a minimum of four instances at all times to meet the required service level agreement (SLA) while keeping costs low. If an Availability Zone fails, the company can remain compliant with the SLA by changing the Auto Scaling group to use eight servers across two Availability Zones.
  5. A manufacturing company wants to implement predictive maintenance on its machinery equipment. The company will install thousands of IoT sensors that will send data to AWS in real time. A solution architect is tasked with implementing a solution that will receive events in an ordered manner for each machinery asset and ensure that data is saved for further processing at a later time. The MOST efficient solution: use Amazon Kinesis Data Streams for real-time events with a partition for each equipment asset, and use Amazon Kinesis Data Firehose to save the data to Amazon S3.
    Amazon SQS introduces FIFO queues with exactly-once processing and lower prices for standard queues. You can now use Amazon Simple Queue Service (SQS) for applications that require messages to be processed in a strict sequence and exactly once, using First-In, First-Out (FIFO) queues. FIFO queues are designed to ensure that the order in which messages are sent and received is strictly preserved and that each message is processed exactly once.
    Amazon SQS is a reliable and highly scalable managed message queue service for storing messages in transit between application components. FIFO queues complement the existing Amazon SQS standard queues, which offer high throughput, best-effort ordering, and at-least-once delivery. FIFO queues have essentially the same features as standard queues, but provide the added benefits of supporting ordering and exactly-once processing. FIFO queues provide additional features that help prevent unintentional duplicates from being sent by message producers or from being received by message consumers. Additionally, message groups allow multiple separate ordered message streams within the same queue.
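Question 2 above (deny PutObject without an x-amz-server-side-encryption header), as an added example that is not from the original post: the bucket policy built as a Python dict, plus a small local evaluator for its two condition operators, run over constructed request contexts so the deny logic can be checked before the policy is applied. The bucket name, object key and the evaluator itself are assumptions for the example, not AWS code.

```python
import json
from fnmatch import fnmatchcase
from typing import Optional

SSE_KEY = "s3:x-amz-server-side-encryption"
BUCKET = "example-reports-bucket"   # constructed name; substitute your own


def deny_unencrypted_puts_policy(bucket: str) -> dict:
    """Bucket policy that rejects PutObject unless the request carries an SSE header.

    The Null statement denies requests that omit the header entirely; the StringNotEquals
    statement denies requests that send it with a value other than SSE-S3 or SSE-KMS.
    """
    arn = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyMissingEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": arn,
                "Condition": {"Null": {SSE_KEY: "true"}},
            },
            {
                "Sid": "DenyWrongEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": arn,
                "Condition": {"StringNotEquals": {SSE_KEY: ["AES256", "aws:kms"]}},
            },
        ],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_matches(operator: str, key: str, expected, ctx: dict) -> bool:
    """Local model of the operators used above (not a full IAM engine)."""
    present = key in ctx
    if operator == "Null":
        # "true" matches when the key is absent from the request, "false" when present
        return present != (str(expected).lower() == "true")
    if operator == "StringEquals":
        return present and ctx[key] in _as_list(expected)
    if operator == "StringNotEquals":
        # only compares when the key exists; absence is covered by the Null statement
        return present and ctx[key] not in _as_list(expected)
    raise ValueError(f"unsupported operator: {operator}")


def put_object_denied(policy: dict, ctx: dict, resource: str) -> Optional[str]:
    """Return the Sid of the first Deny statement matching a PutObject, else None."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or "s3:PutObject" not in _as_list(stmt["Action"]):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        # every operator/key pair inside one Condition block must match (they are ANDed)
        if all(_condition_matches(op, k, v, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for k, v in pairs.items()):
            return stmt["Sid"]
    return None


# Constructed request contexts: header values a client might send with PutObject
SAMPLE_REQUESTS = {
    "no_header": {},
    "sse_s3": {SSE_KEY: "AES256"},
    "sse_kms": {SSE_KEY: "aws:kms"},
    "bogus": {SSE_KEY: "rot13"},
}


def evaluate_samples(bucket: str = BUCKET) -> dict:
    policy = deny_unencrypted_puts_policy(bucket)
    key_arn = f"arn:aws:s3:::{bucket}/reports/2024/weather.csv"   # constructed object key
    return {name: put_object_denied(policy, ctx, key_arn) for name, ctx in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    print(json.dumps(deny_unencrypted_puts_policy(BUCKET), indent=2))
    for name, verdict in evaluate_samples().items():
        print(f"{name:10s} -> {'DENIED by ' + verdict if verdict else 'not denied by this policy'}")
```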

EBS Encryption:
  • When you create an encrypted EBS volume, you get the following:
    • Data at rest is encrypted inside the volume
    • All the data in flight moving between the instance and the volume is encrypted
    • All snapshots are encrypted
    • All volumes created from the snapshot are encrypted
  • Encryption and decryption are handled transparently (nothing to do on your side)
  • Encryption has a minimal impact on latency
  • EBS Encryption leverages keys from KMS (AES-256)
  • Copying an unencrypted snapshot allows encryption
  • Snapshots of encrypted volumes are encrypted
Encryption: encrypt an unencrypted EBS volume:
  • Create an EBS snapshot of the volume
  • Encrypt the EBS snapshot (using copy)
  • Create new EBS volume from the snapshot (the volume will also be encrypted)
  • Now you can attach the encrypted volume to the original instance
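The four steps above as an added example, not AWS or course code: encrypt_volume() issues the real boto3 EC2 calls in that order, and FakeEc2 is a constructed in-memory stand-in that applies only the rules from these bullets (a snapshot inherits the volume's encryption, a copy can add it, a volume inherits the snapshot's) so the flow runs offline. The region, KMS alias, instance id and device name are placeholders.

```python
import itertools

REGION = "us-east-1"                    # assumption for the example
KMS_KEY_ID = "alias/example-ebs-key"    # placeholder alias, not a real key
INSTANCE_ID = "i-0123456789abcdef0"     # constructed instance id
DEVICE = "/dev/xvdf"


def encrypt_volume(ec2, volume_id, instance_id, device, kms_key_id=KMS_KEY_ID, region=REGION):
    """Snapshot -> encrypted copy -> new volume -> swap on the instance.
    Returns the new (encrypted) volume id; the old volume is left detached, not deleted,
    so its data can be verified before it is removed."""
    vol = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]
    if vol["Encrypted"]:
        return volume_id  # already encrypted, nothing to do

    # 1. snapshot the unencrypted volume (the snapshot is unencrypted as well)
    snap = ec2.create_snapshot(VolumeId=volume_id, Description=f"pre-encryption copy of {volume_id}")
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap["SnapshotId"]])

    # 2. copy it with Encrypted=True: the copy is encrypted under the KMS key
    enc = ec2.copy_snapshot(SourceRegion=region, SourceSnapshotId=snap["SnapshotId"],
                            Encrypted=True, KmsKeyId=kms_key_id,
                            Description=f"encrypted copy of {snap['SnapshotId']}")
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc["SnapshotId"]])

    # 3. a volume restored from an encrypted snapshot is itself encrypted
    new_vol = ec2.create_volume(AvailabilityZone=vol["AvailabilityZone"],
                                SnapshotId=enc["SnapshotId"], VolumeType=vol["VolumeType"])
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_vol["VolumeId"]])

    # 4. swap the volumes on the original instance
    ec2.detach_volume(VolumeId=volume_id)
    ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])
    ec2.attach_volume(VolumeId=new_vol["VolumeId"], InstanceId=instance_id, Device=device)
    return new_vol["VolumeId"]


class _InstantWaiter:
    def wait(self, **kwargs):   # the fake completes every operation immediately
        pass


class FakeEc2:
    """Constructed in-memory stand-in for the boto3 EC2 client (not AWS code),
    modelling only the encryption rules stated in the bullets above."""

    def __init__(self):
        self._seq = itertools.count(1)
        self.volumes, self.snapshots, self.attachments = {}, {}, {}

    def add_volume(self, az, encrypted=False, volume_type="gp3"):
        vid = f"vol-{next(self._seq):017x}"
        self.volumes[vid] = {"VolumeId": vid, "AvailabilityZone": az,
                             "Encrypted": encrypted, "VolumeType": volume_type}
        return vid

    def describe_volumes(self, VolumeIds):
        return {"Volumes": [self.volumes[v] for v in VolumeIds]}

    def get_waiter(self, name):
        return _InstantWaiter()

    def create_snapshot(self, VolumeId, Description=""):
        sid = f"snap-{next(self._seq):017x}"
        # a snapshot inherits the encryption state of its source volume
        self.snapshots[sid] = {"SnapshotId": sid, "Encrypted": self.volumes[VolumeId]["Encrypted"]}
        return self.snapshots[sid]

    def copy_snapshot(self, SourceRegion, SourceSnapshotId, Encrypted=False, KmsKeyId=None, Description=""):
        sid = f"snap-{next(self._seq):017x}"
        # copying is the one step that can turn an unencrypted snapshot into an encrypted one
        self.snapshots[sid] = {"SnapshotId": sid, "KmsKeyId": KmsKeyId,
                               "Encrypted": self.snapshots[SourceSnapshotId]["Encrypted"] or Encrypted}
        return {"SnapshotId": sid}

    def create_volume(self, AvailabilityZone, SnapshotId, VolumeType="gp3"):
        vid = self.add_volume(AvailabilityZone, self.snapshots[SnapshotId]["Encrypted"], VolumeType)
        return self.volumes[vid]

    def detach_volume(self, VolumeId):
        self.attachments.pop(VolumeId, None)

    def attach_volume(self, VolumeId, InstanceId, Device):
        self.attachments[VolumeId] = (InstanceId, Device)


def demo():
    """Run the procedure against the fake: returns (client, old volume id, new volume id)."""
    ec2 = FakeEc2()
    old = ec2.add_volume("us-east-1a")              # unencrypted data volume
    ec2.attach_volume(old, INSTANCE_ID, DEVICE)
    new = encrypt_volume(ec2, old, INSTANCE_ID, DEVICE)
    return ec2, old, new
```

With a live account, pass boto3.client("ec2", region_name=REGION) in place of FakeEc2(); for a root volume the instance must be stopped before the detach/attach step.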
EBS RAID Options:
  • EBS is already redundant storage (replicated within an AZ)
  • But what if you want to increase IOPS to, say, 100,000 IOPS?
  • What if you want to mirror EBS volumes?
  • You would mount volumes in parallel in a RAID configuration!
  • RAID is possible as long as the OS supports it
  • Some RAID options are 0, 1, 5 & 6 (5 & 6 are not recommended for EBS)
RAID 0 (increase performance):
  • Combining 2 or more volumes and getting the total disk space and I/O
  • But if one disk fails, all the data is lost
  • Use cases would be:
    • An application that needs a lot of IOPS and doesn't need fault-tolerance
    • A database that has replication already built-in
  • Using this, you can have a very big disk with a lot of IOPS
  • For example:
    • two 500 GiB Amazon EBS io1 volumes with 4,000 provisioned IOPS each will create a 1,000 GiB RAID 0 array with an available bandwidth of 8,000 IOPS and 1,000 MB/s of throughput
RAID 1 (increase fault tolerance):
  • Mirroring a volume to another
  • If one disk fails, logical volume is still working
  • Has to send the data to two EBS volumes at the same time (2 x network)
  • Use case:
    • Applications that need increased volume fault tolerance
    • Applications where disks need to be serviced
  • For example:
    • two 500 GiB Amazon EBS io1 volumes with 4,000 provisioned IOPS each will create a 500 GiB RAID 1 array with an available bandwidth of 4,000 IOPS and 500 MB/s of throughput
EFS - Elastic File System:
  • Managed NFS (network file system) that can be mounted on many EC2 instances
  • Works with EC2 instances in multi-AZ
  • Highly available, scalable, expensive (3 x gp2), pay per use
  • Use case: content management, web serving, data sharing, WordPress
  • Uses NFSv4.1 protocol
  • Uses security group to control access to EFS
  • Compatible with Linux-based AMIs (not Windows)
  • Encryption at rest using KMS
  • POSIX file system (~Linux) with a standard file API
  • File system scales automatically, pay-per-use, no capacity planning!
Performance & Storage Classes:
  • EFS Scale:
    • 1,000s of concurrent NFS clients, 10 GB+/s throughput
    • Grow to Petabyte-scale network file system, automatically
  • Performance mode (set at EFS creation time):
    • General purpose (default): latency-sensitive use cases (web server, CMS, etc...)
    • Max I/O - higher latency, throughput, highly parallel (big data, media processing)
  • Throughput mode:
    • Bursting (1 TB = 50 MiB/s + burst of up to 100 MiB/s)
    • Provisioned: set throughput regardless of storage size, ex: 1 GiB/s for 1 TB storage
  • Storage Tiers (lifecycle management feature - move files after N days):
    • Standard: for frequently accessed files
    • Infrequent access (EFS-IA): cost to retrieve files, lower price to store
Installing the Amazon EFS client on Amazon Linux 2:
  • sudo yum install -y amazon-efs-utils
  • mkdir efs
  • ls
  • sudo mount -t efs -o tls fs-2571d165:/ efs
  • The efs folder will be a shared folder for both EC2 instances
EBS vs EFS:
Elastic Block Storage:
  • EBS volumes...:
    • can be attached to only one instance at a time
    • are locked at the Availability Zone (AZ) level
    • gp2: IO increases if the disk size increases
    • io1: can increase IO independently
  • To migrate an EBS volume across AZ:
    • Take a snapshot
    • Restore the snapshot to another AZ
    • EBS backups use IO, so don't run them while the application is handling a lot of traffic
  • Root EBS volumes of instances are deleted by default when the EC2 instance gets terminated (you can disable that)
  1. A company sells datasets to customers who do research in artificial intelligence and machine learning (AIML). The datasets are large formatted files that are stored in an Amazon S3 bucket in the us-east-1 Region. The company hosts a web application that the customers use to purchase access to a given dataset. The web application is deployed on multiple Amazon EC2 instances behind an Application Load Balancer. After a purchase is made, customers receive an S3 signed URL that allows access to the files.
    The customers are distributed across North America and Europe. The company wants to reduce the cost that is associated with data transfers and wants to maintain or improve performance. A solution architect should configure S3 Transfer Acceleration on the existing S3 bucket, direct customer requests to the S3 Transfer Acceleration endpoint, and continue to use S3 signed URLs for access control.
  2. A company is running a multi-tier ecommerce web application in the AWS Cloud. The application runs on Amazon EC2 instances with an Amazon RDS MySQL Multi-AZ DB instance. Amazon RDS is configured with the latest generation instance with 2,000 GB of storage in an Amazon EBS General Purpose SSD (gp2) volume. The database performance impacts the application during periods of high demand.
    After analyzing the logs in Amazon CloudWatch Logs, a database administrator finds that the application performance always degrades when the number of read and write IOPS is higher than 6,000. A solution architect should replace the volume with a Provisioned IOPS (PIOPS) volume to improve the application performance.
  3. A solution architect needs to design a low-latency solution for a static single-page application accessed by users utilizing a custom domain name. The solution must be serverless, encrypted in transit, and cost-effective. The solution architect should use the combination of Amazon S3 and CloudFront.
  4. A company purchased Amazon EC2 Partial Upfront Reserved Instances for a 1-year term. A solutions architect wants to analyze how much the daily effective cost is with all possible discounts. The solutions architect must choose the 'Show amortized costs' view in the advanced options of Cost Explorer to get the correct values.

Elastic File System:
  • Mounting 100s of instances across AZs
  • EFS shares website files (WordPress)
  • Only for Linux Instances (POSIX)
  • EFS has a higher price point than EBS
  • Can leverage EFS-IA for cost savings
  • An instance in us-east-1a just got terminated, and the attached EBS volume is now available. A colleague can't seem to attach it to an instance in us-east-1b, because EBS volumes are AZ locked.
    EBS Volumes are created for a specific AZ. It is possible to migrate them between different AZs through backup and restore.
  • You have provisioned an 8 TB gp2 EBS volume and are running out of IOPS. Mounting EBS volumes in RAID 0 or changing to an io1 volume type are ways to increase performance.
    gp2 IOPS peak at 16,000, which is reached at 5,334 GB.
  • RAID 0 leverages EBS volumes in parallel to linearly increase performance, while accepting greater failure risk.
  • Although EBS is already a replicated solution, the company SysOps advised using RAID 1 mode, which mirrors data and allows the instance not to be affected if an EBS volume fails entirely.
  • Mount an EFS to have the same data accessible as an NFS drive across AZs on all EC2 instances.
    EFS is a network file system (NFS) and allows mounting the same file system on EC2 instances that are in different AZs.
  • Instance Store: a high-performance cache for an application that mustn't be shared, where losing the cache upon termination of the instance is acceptable.
    Instance Store provides the best disk performance.
  • Use an EC2 Instance Store to run a high-performance database that requires 210,000 IOPS for its underlying filesystem.
    It is possible to run a database on EC2. It is also possible to use instance store, but there are some considerations to have. The data will be lost if the instance is stopped, but it can be restarted without problems. One can also set up a replication mechanism on another EC2 instance with instance store to have a standby copy. One can also have back-up mechanisms. It's all up to how you want to set up the architecture to validate the requirements.
AWS RDS Overview:
  • RDS stands for Relational Database Service
  • It's a managed DB service for databases that use SQL as a query language.
  • It allows you to create databases in the cloud that are managed by AWS:
    • PostgreSQL
    • MySQL
    • MariaDB
    • Oracle
    • Microsoft SQL Server
    • Aurora (AWS Proprietary database)
Advantages of using RDS versus deploying a DB on EC2:
  • RDS is a managed service:
    • Automated provisioning, OS patching
    • Continuous backups and restore to specific timestamp (Point in Time Restore)!
    • Monitoring dashboards
    • Read replicas for improved read performance
    • Multi AZ setup for DR (Disaster Recovery)
    • Maintenance windows for upgrades
    • Scaling capability (vertical and horizontal)
    • Storage backed by EBS (gp2 or io1)
  • BUT you can't SSH into the instances
  1. A company receives data from different sources and implements multiple applications to consume this data. There are many short-running jobs that run only on the weekend. The data arrives in batches rather than throughout the entire weekend. The company needs an environment on AWS to ingest and process this data while maintaining the order of the transactions. Amazon Simple Queue Service (Amazon SQS) with AWS Lambda is the MOST cost-effective option.
  2. A company serves content to its subscribers across the world using an application running on AWS. The application has several Amazon EC2 instances in a private subnet behind an Application Load Balancer (ALB). Due to a recent change in copyright restrictions, the chief information officer (CIO) wants to block access for certain countries. Use Amazon CloudFront to serve the application and deny access to blocked countries.
    'Block access for certain countries': you can use geo restriction, also known as geo blocking, to prevent users in specific geographic locations from accessing content that you are distributing through a CloudFront web distribution.
  3. A company has three VPCs named Development, Testing, and Production in the us-east-1 Region. The three VPCs need to be connected to an on-premises data center and are designed to be separate to maintain security and prevent any resource sharing. A solution architect needs to find a scalable and secure solution. The solution architect should recommend creating VPC peers from all the VPCs to the Production VPC and using an AWS Direct Connect connection from the Production VPC back to the data center.
  4. A company runs an internal browser-based application. The application runs on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group across multiple Availability Zones. The Auto Scaling group scales up to 20 instances during work hours, but scales down to 2 instances overnight. Staff are complaining that the application is very slow when the day begins, although it runs well by mid-morning. The scaling should be changed by implementing a scheduled action that sets the desired capacity to 20 shortly before the office opens, to address the staff complaints and keep costs to a minimum.
  5. A company is rolling out a new web service, but is unsure how many customers the service will attract. However, the company is unwilling to accept any downtime. A solution architect could recommend Amazon RDS to the company to keep.
  6. A solution architect needs to design a centralized logging solution for a group of web applications running on Amazon EC2 instances. The solution requires minimal development effort due to budget constraints. The architect should recommend installing and configuring the Amazon CloudWatch Logs agent on the Amazon EC2 instances.
  7. A company has an application workflow that uses an AWS Lambda function to download and decrypt files from Amazon S3. These files are encrypted using AWS Key Management Service Customer Master Keys (AWS KMS CMKs). A solution architect needs to design a solution that will ensure the required permissions are set correctly: grant the decrypt permission for the Lambda IAM role in the KMS key's policy, and create a new IAM role with the kms:Decrypt permission and attach the execution role to the Lambda function.
  8. A company has developed a micro-services application. It uses a client-facing API with Amazon API Gateway and multiple internal services hosted on Amazon EC2 instances to process user requests. The API is designed to support unpredictable surges in traffic, but internal services may become overwhelmed and unresponsive for a period of time during surges. A solution architect needs to design a more reliable solution that reduces errors when internal services become unresponsive or unavailable. The architect should use Amazon Simple Queue Service (Amazon SQS) to store user requests as they arrive, and change the internal services to retrieve the requests from the queue for processing.
  9. A company stores user data in AWS. The data is used continuously with peak usage during business hours. Access patterns vary, with some data not being used for months at a time. A solution architect must choose a cost-effective solution that maintains the highest level of durability while maintaining high availability. The architect should use the Amazon S3 Intelligent-Tiering storage class.

RDS Backups:
  • Backups are automatically enabled in RDS
  • Automated backups:
    • Daily full backup of the database (during the maintenance window)
    • Transaction logs are backed-up by RDS every 5 minutes
    • => ability to restore to any point in time (from oldest backup to 5 minutes ago)
    • 7 days retention (can be increased to 35 days)
  • DB Snapshots:
    • Manually triggered by the user
    • Retention of the backup for as long as you want
Storage Auto Scaling:
  • Helps increase storage on an RDS DB instance dynamically
  • When RDS detects you are running out of free database storage, it scales automatically
  • Avoids manually scaling database storage
  • You have to set a Maximum Storage Threshold (maximum limit for DB storage)
  • Automatically modifies storage if:
    • Free storage is less than 10% of allocated storage
    • Low storage lasts at least 5 minutes
    • 6 hours have passed since the last modification
  • Useful for applications with unpredictable workloads
  • Supports all RDS database engines (MariaDB, MySQL, PostgreSQL, SQL Server, Oracle)
Read Replicas for read scalability:
  • Up to 5 Read Replicas
  • Within AZ, Cross AZ or Cross Region
  • Replication is ASYNC, so reads are eventually consistent
  • Replicas can be promoted to their own DB
  • Applications must update the connection string to leverage read replicas
Read Replicas:
Use Cases:
  • You have a production database that is taking on normal load
  • You want to run a reporting application to run some analytics
  • Create a Read Replica to run the new workload there
  • The production application is unaffected
  • Read replicas are used for SELECT (=read) only kind of statements (not INSERT, UPDATE, DELETE)
Network Cost:
  • In AWS there's a network cost when data goes from one AZ to another
  • For RDS Read Replicas within the same region, you don't pay that fee
Multi AZ (Disaster Recovery):
  • SYNC replication
  • One DNS name - automatic app failover to standby
  • Increase availability
  • Failover in case of loss of AZ, network, instance or storage failure
  • No manual intervention in apps
  • Not used for scaling
  • Read Replicas can be set up as Multi AZ for Disaster Recovery (DR)
From Single to Multi-AZ:
  • Zero downtime operation (no need to stop the DB)
  • Just click on 'modify' for the database
  • The following happens internally:
    • A snapshot is taken
    • A new DB is restored from the snapshot in a new AZ
    • Synchronization is established between the two databases
https://github.com/sqlectron/sqlectron-gui/releases/tag/v1.30.0

Security - Encryption:
  • At rest encryption:
    • Possibility to encrypt the master & read replicas with AWS KMS - AES-256 encryption
    • Encryption has to be defined at launch time
    • If the master is not encrypted, the read replicas cannot be encrypted
    • Transparent Data Encryption (TDE) available for Oracle and SQL Server
  • In-flight encryption:
    • SSL certificates to encrypt data to RDS in flight
    • Provide SSL options with the trust certificate when connecting to the database
    • To enforce SSL:
      • PostgreSQL: rds.force_ssl=1 in the AWS RDS Console (Parameter Groups)
      • MySQL: Within the DB:
        GRANT USAGE ON *.* TO 'mysqluser'@'%' REQUIRE SSL;
  1. A company's near-real-time streaming application is running on AWS. As the data is ingested, a job runs on the data and takes 30 minutes to complete. The workload frequently experiences high latency due to large amounts of incoming data. A solution architect needs to design a scalable and serverless solution to enhance performance. The solution architect should use Amazon Kinesis Data Firehose to ingest the data and Amazon EC2 instances in an Auto Scaling group to process it.
  2. A company that operates a web application on premises is preparing to launch a newer version of the application on AWS. The company needs to route requests to either the AWS-hosted or the on-premises-hosted application based on the URL query string. The on-premises application is not available from the internet, and a VPN connection is established between Amazon VPC and the company's data center. The company wants to use an Application Load Balancer (ALB) for this launch. The architect should use two ALBs: one for on premises and one for the AWS resource. Add hosts to the target group of each ALB. Create a software router on an EC2 instance based on the URL query string.
  3. A start-up company has a web application based in the us-east-1 Region with multiple Amazon EC2 instances running behind an Application Load Balancer across multiple Availability Zones. As the company's user base grows in the us-west-1 Region, it needs a solution with low latency and high availability. A solution architect should provision EC2 instances and configure an Application Load Balancer in us-west-1, and create an accelerator in AWS Global Accelerator that uses an endpoint group that includes the load balancer endpoints in both Regions.
  4. A company hosts its application in the AWS Cloud. The application runs on Amazon EC2 instances behind an Elastic Load Balancer in an Auto Scaling group and with an Amazon DynamoDB table. The company wants to ensure the application can be made available in another AWS Region with minimal downtime. A solution architect should create an AWS CloudFormation template to create EC2 instances and a load balancer to be executed when needed, configure the DynamoDB table as a global table, and configure DNS failover to point to the new disaster recovery Region's load balancer, to meet the requirement with the LEAST amount of downtime.
  5. A solution architect is using Amazon S3 to design the storage architecture of a new digital media application. The media files must be resilient to the loss of an Availability Zone. Some files are accessed frequently while other files are rarely accessed in an unpredictable pattern. The solution architect must minimize the costs of storing and retrieving the media files by using S3 Intelligent-Tiering.
  6. A company recently deployed a new auditing system to centralize information about operating system versions, patching, and installed software for Amazon EC2 instances. A solution architect must ensure all instances provisioned through EC2 Auto Scaling groups successfully send reports to the auditing system as soon as they are launched and terminated. Using EC2 Auto Scaling lifecycle hooks to execute a custom script that sends data to the audit system when instances are launched and terminated is the MOST efficient solution.
  7. A development team needs to host a website that will be accessed by other teams. The website contents consist of HTML, CSS, client-side JavaScript, and images. Creating an Amazon S3 bucket and hosting the website there is the MOST cost-effective option.

AWS Cost Calculator Overview:
Pricing Philosophy - high volume / low margin businesses are in AWS's core DNA:
  • Trade CapEx for variable expense: pay for what you use
  • Economies of scale provide lower costs: 80 price reductions since 2006
  • Pricing model choice to support variable and stable workloads: On-demand / Spot / Reserved Instances / Savings Plans
  • Save more money as you grow bigger: tiered pricing, volume discounts, and custom pricing
Compute: Amazon EC2:
  • Linux | Windows
  • Arm and x86 architectures
  • General purpose and workload optimized
  • Bare metal, disk, networking capabilities
  • Packaged | Custom | Community AMIs
  • Multiple purchase options: On-demand, RI, Spot
Operating Systems Supported:
  • Windows 2003R2 / 2008 / 2008R2 / 2012 / 2012R2 / 2016 / 2019
  • Amazon Linux
  • Debian
  • SUSE
  • CentOS
  • Red Hat Enterprise Linux
  • Ubuntu
  • Etc.
Processor and architecture:
  • Intel® Xeon® Scalable (Skylake) processor
  • NVIDIA V100 Tensor Core GPUs
  • AMD EPYC processor
  • Amazon ARM based Cloud Processor
  • FPGAs for custom hardware acceleration
Right compute for the right application and workload

Naming Explained - c5n.xlarge:
  • c: Instance family
    • a: ARM
    • c: Compute Intensive
    • d: Dense storage
    • f: FPGA
    • g: GPU (Graphics Intensive)
    • h: HDD (Big Data Optimized)
    • i: high I/O
    • m: Most scenarios (General Purpose)
    • p: Premium GPU (General Purpose GPU)
    • r: Random-access (Memory Optimized)
    • t: Turbo (Burstable performance); a1 also
    • x: eXtra-large (In-memory)
    • z: high frequency (Compute and Memory Intensive)
  • 5: Instance generation
  • n: Attribute
  • xlarge: Instance size
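The naming scheme above, as an added example that is not from the original post: a small parser that splits an EC2 instance type name into family, generation, attribute letters and size, using the family table from these notes. The regex, the InstanceType record and the helper names are my own assumptions; attribute letters are returned raw because the notes only label them as "Attribute".

```python
import re
from typing import NamedTuple, Optional

# Family letters and their meanings, as listed above
FAMILIES = {
    "a": "ARM",
    "c": "Compute Intensive",
    "d": "Dense storage",
    "f": "FPGA",
    "g": "GPU (Graphics Intensive)",
    "h": "HDD (Big Data Optimized)",
    "i": "high I/O",
    "m": "Most scenarios (General Purpose)",
    "p": "Premium GPU (General Purpose GPU)",
    "r": "Random-access (Memory Optimized)",
    "t": "Turbo (Burstable performance)",
    "x": "eXtra-large (In-memory)",
    "z": "high frequency (Compute and Memory Intensive)",
}

# family letter(s), generation digit(s), optional attribute letters, ".", size
_NAME_RE = re.compile(r"^([a-z]+?)(\d+)([a-z]*)\.([a-z0-9]+)$")


class InstanceType(NamedTuple):
    raw: str
    family: str
    family_desc: Optional[str]      # None when the family letter is not in the table above
    generation: int
    attributes: str                 # e.g. "n" in c5n; "" when there are none
    size: str
    xlarge_multiple: Optional[int]  # 1 for xlarge, 2 for 2xlarge, ...; None for other sizes


def parse_instance_type(name: str) -> InstanceType:
    """Split an EC2 instance type name such as c5n.xlarge into its components."""
    m = _NAME_RE.match(name.strip().lower())
    if not m:
        raise ValueError(f"not a <family><generation><attributes>.<size> name: {name!r}")
    family, gen, attrs, size = m.groups()
    xl = re.fullmatch(r"(\d*)xlarge", size)
    multiple = int(xl.group(1) or 1) if xl else None
    return InstanceType(name, family, FAMILIES.get(family), int(gen), attrs, size, multiple)


def describe(name: str) -> str:
    """Human-readable breakdown, handy in an inventory or cost-review script."""
    t = parse_instance_type(name)
    desc = t.family_desc or "unknown family"
    return (f"{t.raw}: family {t.family} ({desc}), generation {t.generation}, "
            f"attributes {t.attributes or '-'}, size {t.size}")


def newest_generation(names):
    """Highest generation seen per family letter across a fleet, a quick way to spot
    instances running on an older generation than the rest of the fleet."""
    newest = {}
    for n in names:
        t = parse_instance_type(n)
        newest[t.family] = max(newest.get(t.family, 0), t.generation)
    return newest


if __name__ == "__main__":
    for n in ("c5n.xlarge", "r5.2xlarge", "t3.micro", "p3dn.24xlarge"):   # constructed fleet
        print(describe(n))
```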
  1. Which service?
  2. Which instance type?
    • EC2: General Purpose / Compute / Memory / etc.
    • S3
  3. Purchasing Options:
    • On-Demand: pay for compute capacity by the second with no long-term commitments
    • Reserved Instances
    • Spot Instances
    • Savings Plans: more flexible than Reserved Instances, which are fixed to an instance type
    To optimize EC2, combine the three purchase options!
  4. gp3 vs gp2: gp3 is recommended, with better performance and a cheaper price
https://calculator.aws/#/estimate?id=5491ecc080df4414a1436dc69ecfc156b3a43a48
RDS Encryption Operations:
  • Encryption of RDS backups:
    • Snapshots of:
      • un-encrypted RDS database are un-encrypted
      • encrypted RDS database are encrypted
    • Can copy a snapshot into an encrypted one
  • To encrypt an un-encrypted RDS database:
    • Create a snapshot of the un-encrypted database
    • Copy the snapshot and enable encryption for the snapshot
    • Restore the database from the encrypted snapshot
    • Migrate applications to the new database, and delete the old database
Security - Network & IAM:
  • Network Security:
    • RDS databases are usually deployed within a private subnet, not a public one
    • RDS security works by leveraging security groups (the same concept as for EC2 instances) - it controls which IP / security group can communicate with RDS
  • Access Management:
    • IAM policies help control who can manage AWS RDS (through the RDS API)
    • A traditional username and password can be used to log in to the database
    • IAM-based authentication can be used to log in to RDS MySQL & PostgreSQL
IAM Authentication:
  • IAM database authentication works with MySQL and PostgreSQL
  • You don't need a password, just an authentication token obtained through IAM & RDS API calls
  • Auth token has a lifetime of 15 minutes
  • Benefits:
    • Network in/out must be encrypted using SSL
    • IAM to centrally manage users instead of DB
    • Can leverage IAM Roles and EC2 Instance profiles for easy integration
Security - Summary:
  • Encryption at rest:
    • Is only done when the DB instance is first created
    • Or: unencrypted DB => snapshot => copy the snapshot with encryption => create a DB from the snapshot
  • Your responsibility:
    • Check the port / IP / security group inbound rules in the DB SG
    • In-database user creation and permissions, or manage them through IAM
    • Creating a database with or without public access
    • Ensure the parameter groups or DB are configured to only allow SSL connections
  • AWS responsibility:
    • No SSH access
    • No manual DB patching
    • No manual OS patching
    • No way to audit the underlying instance
  1. A medical records company is hosting an application on Amazon EC2 instances. The application processes customer data files that are stored on Amazon EC2 instances. The EC2 instances access Amazon S3 over the internet, but they do not require any other network access. A new requirement mandates that the network traffic for file transfers take a private route and not be sent over the internet. A solution architect should recommend moving the EC2 instances to private subnets, creating a VPC endpoint for Amazon S3, and linking the endpoint to the route table for the private subnets.
  2. A software vendor is deploying a new software-as-a-service (SaaS) solution that will be utilized by many AWS users. The service is hosted in a VPC behind a Network Load Balancer. The software vendor wants to provide access to this service to users with the least amount of administrative overhead and without exposing the service to the public internet. A solution architect should connect the service in the VPC with an AWS PrivateLink endpoint and have users subscribe to the endpoint.
  3. A company has created a multi-tier application for its ecommerce website. The website uses an Application Load Balancer that resides in the public subnets, a web tier in the public subnets, and a MySQL cluster hosted on Amazon EC2 instances in the private subnets. The MySQL database needs to retrieve product catalog and pricing information that is hosted on the internet by a third-party provider. A solution architect must devise a strategy that maximizes security without increasing operational overhead. The solutions architect should deploy a NAT gateway in the public subnets and modify the private subnet route table to direct all internet-bound traffic to the NAT gateway.

Amazon Aurora:
  • Is a proprietary technology from AWS (not open sourced)
  • Postgres and MySQL are both supported as Aurora DB (that means drivers will work as if Aurora was a Postgres or MySQL database)
  • Is 'AWS cloud optimized' and claims 5x performance improvement over MySQL on RDS, over 3x the performance of Postgres on RDS
  • Storage automatically grows in increments of 10GB, up to 64 TB.
  • Can have 15 replicas while MySQL has 5, and the replication process is faster (sub-10 ms replica lag)
  • Failover is instantaneous. It's HA native.
  • Costs more than RDS (20% more) - but is more efficient
High Availability and Read Scaling:
  • 6 copies of data across 3 AZ:
    • 4 copies out of 6 needed for writes
    • 3 copies out of 6 needed for reads
    • Self healing with peer-to-peer replication
    • Storage is striped across 100s of volumes
  • One Aurora Instance takes writes (master)
  • Automated failover for master in less than 30 seconds
  • Master + up to 15 Read Replicas serve reads
  • Support for Cross Region Replication
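The 6-copy / 3-AZ quorum described above, as an added example that is not from the original post: a small model that counts the healthy copies after whole-AZ or single-copy failures and checks the 4-of-6 write and 3-of-6 read quorums, rather than taking the tolerance claims on faith. The AZ names are constructed.

```python
from itertools import combinations

AZS = ("az-a", "az-b", "az-c")   # constructed names for the three AZs
COPIES_PER_AZ = 2                # 6 copies of the data across 3 AZs
WRITE_QUORUM = 4                 # 4 of 6 copies needed for writes
READ_QUORUM = 3                  # 3 of 6 copies needed for reads


def storage_copies():
    """The six copies as (az, index) pairs, two per AZ."""
    return [(az, i) for az in AZS for i in range(COPIES_PER_AZ)]


def quorum_state(failed_azs=(), failed_copies=()):
    """Healthy copy count, and whether the write / read quorums still hold, after
    losing whole AZs (every copy in them) and/or individual copies."""
    healthy = [c for c in storage_copies()
               if c[0] not in failed_azs and c not in failed_copies]
    n = len(healthy)
    return n, n >= WRITE_QUORUM, n >= READ_QUORUM


def survives_any_single_az_loss():
    """Losing any one AZ (2 copies) leaves 4, so writes and reads both continue."""
    return all(quorum_state(failed_azs=(az,))[1] for az in AZS)


def az_loss_plus_one_copy():
    """Lose a whole AZ and one more copy elsewhere: 3 left, reads survive, writes do not."""
    return quorum_state(failed_azs=(AZS[0],), failed_copies=((AZS[1], 0),))


def max_tolerated_failures():
    """Largest number of arbitrary copy failures that still keeps (writes, reads)
    available, checked over every combination of copies rather than assumed."""
    copies = storage_copies()
    max_w = max_r = 0
    for k in range(len(copies) + 1):
        if all(quorum_state(failed_copies=f)[1] for f in combinations(copies, k)):
            max_w = k
        if all(quorum_state(failed_copies=f)[2] for f in combinations(copies, k)):
            max_r = k
    return max_w, max_r


def quorums_overlap():
    """W + R > N guarantees every read quorum shares at least one copy with every
    write quorum, so a read cannot miss the latest acknowledged write."""
    return WRITE_QUORUM + READ_QUORUM > len(storage_copies())


if __name__ == "__main__":
    print("single AZ loss keeps writes:", survives_any_single_az_loss())
    print("AZ loss + one copy (healthy, writes, reads):", az_loss_plus_one_copy())
    print("max copy failures tolerated (writes, reads):", max_tolerated_failures())
    print("read/write quorums overlap:", quorums_overlap())
```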
DB Cluster:
  • Writer Endpoint: Pointing to the master
  • Reader Endpoint: Connection Load Balancing
Features:
  • Automatic fail-over
  • Backup and Recovery
  • Isolation and security
  • Industry compliance
  • Push-button scaling
  • Automated Patching with Zero Downtime
  • Advanced Monitoring
  • Routine Maintenance
  • Backtrack: restore data at any point of time without using backups
Security:
  • Similar to RDS because it uses the same engines
  • Encryption at rest using KMS
  • Automated backups, snapshots and replicas are also encrypted
  • Encryption in flight using SSL (same process as MySQL or Postgres)
  • Possibility to authenticate using IAM token (same method as RDS)
  • You are responsible for protecting the instance with security groups
  • Can't SSH
Custom Endpoints:
  • Define a subset of Aurora Instances as a Custom Endpoint
  • Example: Run analytical queries on specific replicas
  • The Reader Endpoint is generally not used after defining Custom Endpoints
Serverless:
  • Automated database instantiation and auto-scaling based on actual usage
  • Good for infrequent, intermittent or unpredictable workloads
  • No capacity planning needed
  • Pay per second, can be more cost-effective
Multi-Master:
  • In case want immediate failover for write node (HA)
  • Every node does R/W - vs promoting a RR as the new master
Global:
  • Aurora Cross Region Read Replicas:
    • Useful for disaster recovery
    • Simple to put in place
  • Global Database (recommended):
    • 1 Primary Region (read / write)
    • Up to 5 secondary (read-only) regions, replication lag is less than 1 second
    • Up to 16 Read Replicas per secondary region
    • Helps for decreasing latency
    • Promoting another region (for disaster recovery) has an RTO of < 1 minute
Machine Learning:
  • Enables adding ML-based predictions to applications via SQL
  • Simple, optimized, and secure integration between Aurora and AWS ML services
  • Supported services:
    • Amazon SageMaker (use with any ML model)
    • Amazon Comprehend (for sentiment analysis)
  • Don't need to have ML experience
  • Use cases: fraud detection, ads targeting, sentiment analysis, product recommendations
IAM Policies Structure:
  • {
      "Version": "2012-10-17", // policy language version, always include '2012-10-17'
      "Id": "S3-Account-Permissions", // an identifier for the policy (optional)
      "Statement": [ // one or more individual statements (required)
        {
          "Sid": "1", // an identifier for the statement (optional)
          "Effect": "Allow", // whether the statement allows or denies access (Allow, Deny)
          "Principal": { // account/user/role to which this policy applies
            "AWS": ["arn:aws:iam::123456789012:root"]
          },
          "Action": [ // list of actions this policy allows or denies
            "s3:GetObject",
            "s3:PutObject"
          ],
          "Resource": ["arn:aws:s3:::mybucket/*"], // list of resources to which the actions apply
          "Condition": { // for when this policy is in effect (optional)
            "ForAnyValue:StringEquals": {
              "aws:CalledVia": [
                "cloudformation.amazonaws.com"
              ]
            }
          }
        }
      ]
    }
  • The // annotations above are explanatory only; a real policy document is plain JSON and must not contain them
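A structural linter for policy documents of the shape described above, added here as an example and not AWS code: it checks the Version, Statement, Effect, Action, Resource and Principal elements, validates ARN and action-name shape, and flags wildcard actions and public principals. The sample policy is the one from the notes rewritten as strict JSON; the regexes are this example's own approximation of the ARN and action grammar.

```python
"""Structural linter for an IAM policy document (added example, not AWS code)."""
import re

# ARN shape: arn:partition:service:region:account-id:resource
# (region and account-id may be empty, e.g. arn:aws:s3:::mybucket/*).
ARN_RE = re.compile(r"^arn:aws[a-z-]*:[a-z0-9-]+:[a-z0-9-]*:(\d{12})?:.+$")
# Action shape: service:ActionName, with '*' allowed as a wildcard.
ACTION_RE = re.compile(r"^(\*|[a-z0-9-]+:[A-Za-z0-9*]+)$")


def _as_list(value):
    """IAM accepts a single string or a list for most elements."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(doc: dict) -> list:
    """Return a list of findings; an empty list means the structure is OK."""
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append("Version must be '2012-10-17'")
    statements = doc.get("Statement")
    if isinstance(statements, dict):  # a single statement object is allowed
        statements = [statements]
    if not isinstance(statements, list) or not statements:
        return findings + ["Statement must be a non-empty list"]
    for i, st in enumerate(statements):
        where = f"Statement[{i}]" + (f" (Sid {st['Sid']})" if "Sid" in st else "")
        if st.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{where}: Effect must be Allow or Deny")
        if "Action" not in st and "NotAction" not in st:
            findings.append(f"{where}: Action (or NotAction) is required")
        if "Resource" not in st and "NotResource" not in st:
            findings.append(f"{where}: Resource (or NotResource) is required")
        for action in _as_list(st.get("Action")):
            if not ACTION_RE.match(action):
                findings.append(f"{where}: malformed action {action!r}")
            elif action == "*" or action.endswith(":*"):
                findings.append(f"{where}: wildcard action {action!r} grants every action")
        for res in _as_list(st.get("Resource")):
            if res != "*" and not ARN_RE.match(res):
                findings.append(f"{where}: malformed resource ARN {res!r}")
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"{where}: Principal '*' makes the statement public")
        elif isinstance(principal, dict):
            for arn in _as_list(principal.get("AWS")):
                if not ARN_RE.match(arn):
                    findings.append(f"{where}: malformed principal ARN {arn!r}")
    return findings


# Constructed sample: the policy from the notes, as strict JSON (no // comments).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Id": "S3-Account-Permissions",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::123456789012:root"]},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": ["arn:aws:s3:::mybucket/*"],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": ["cloudformation.amazonaws.com"]
                }
            },
        }
    ],
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY) or ["no findings"]:
        print(finding)
```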
  1. A solutions architect is performing a security review of a recently migrated workload. The workload is a web application that consists of Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The solutions architect must improve the security posture and minimize the impact of a DDoS attack on resources. The MOST effective solution is to create a custom AWS Lambda function that adds identified attacks into a common vulnerability pool to capture a potential DDoS attack, and use the identified information to modify a network ACL to block access.
  2. A solutions architect needs to ensure that all Amazon Elastic Block Store (Amazon EBS) volumes restored from unencrypted EBS snapshots are encrypted. The solutions architect should create a new volume and specify the symmetric customer master key (CMK) to use for encryption.

PlAwAnSaI

Administrator

Amazon ElastiCache Overview:
  • The same way RDS is used to get managed relational databases...
  • ElastiCache is used to get managed Redis or Memcached
  • Caches are in-memory databases with really high performance and low latency
  • Helps reduce load off of databases for read-intensive workloads
  • Helps make the application stateless
  • AWS takes care of OS maintenance / patching, optimizations, setup, configuration, monitoring, failure recovery and backups
  • Using ElastiCache involves heavy application code changes
Solution Architecture - DB Cache:
  • The application queries ElastiCache first; on a cache miss it reads from RDS and stores the result in ElastiCache.
  • Helps relieve load on RDS
  • The cache must have an invalidation strategy to make sure only the most current data is used in there.
User Session Store:
  • User logs into any of the application instances
  • The application writes the session data into ElastiCache
  • The user hits another instance of application
  • The instance retrieves the data and the user is already logged in
Redis vs Memcached:
  • REDIS:
    • Multi AZ with Auto-Failover
    • Read Replicas to scale reads and have high availability
    • Data Durability using AOF persistence
    • Backup and restore features
  • MEMCACHED:
    • Multi-node for partitioning of data (sharding)
    • No high availability (replication)
    • Non persistent
    • No backup and restore
    • Multi-threaded architecture
Cache Security:
  • All caches in ElastiCache:
    • Do not support IAM authentication
    • IAM policies on ElastiCache are only used for AWS API-level security
  • Redis AUTH:
    • Can set a 'password/token' when creating a Redis cluster
    • This is an extra level of security for cache (on top of security groups)
    • Support SSL in flight encryption
  • Memcached:
    • Supports SASL-based authentication (advanced)
Patterns:
  • Lazy Loading: all the read data is cached, data can become stale in cache
  • Write Through: Adds or updates data in the cache when written to a DB (no stale data)
  • Session Store: store temporary session data in a cache (using TTL features)
  • There are only two hard things in Computer Science: cache invalidation and naming things
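The three patterns above run against an in-memory stand-in for Redis and a dict standing in for the RDS table, as an added example that is not part of the original notes. The clock is injectable so that TTL expiry, and the stale read that lazy loading allows after a DB-only write, can be shown deterministically.

```python
"""Lazy loading, write-through and session-store caching patterns (added example)."""
import time


class Cache:
    """Minimal key/value store with per-key TTL, standing in for Redis."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._data = {}  # key -> (value, expires_at or None)

    def get(self, key):
        item = self._data.get(key)
        if item is None:
            return None
        value, expires_at = item
        if expires_at is not None and self._clock() >= expires_at:
            del self._data[key]  # expired: behave like a miss
            return None
        return value

    def set(self, key, value, ttl=None):
        expires_at = None if ttl is None else self._clock() + ttl
        self._data[key] = (value, expires_at)


class ProductStore:
    """Pattern 1 (lazy loading) and pattern 2 (write-through) over one DB."""

    def __init__(self, cache, db, ttl=300):
        self.cache, self.db, self.ttl = cache, db, ttl
        self.db_reads = 0  # counts round-trips to the "RDS" dict

    def read_lazy(self, pid):
        # Lazy loading: check the cache first, fall back to the DB and populate the cache.
        value = self.cache.get(pid)
        if value is None:
            self.db_reads += 1
            value = self.db[pid]
            self.cache.set(pid, value, self.ttl)
        return value

    def write_db_only(self, pid, value):
        # Writing straight to the DB leaves any cached copy stale until its TTL ends.
        self.db[pid] = value

    def write_through(self, pid, value):
        # Write-through: update the DB and the cache together, so no stale read.
        self.db[pid] = value
        self.cache.set(pid, value, self.ttl)


class SessionStore:
    """Pattern 3: short-lived session data keyed by session id, expiring by TTL."""

    def __init__(self, cache, ttl=1800):
        self.cache, self.ttl = cache, ttl

    def login(self, sid, user):
        self.cache.set("session:" + sid, user, self.ttl)

    def current_user(self, sid):
        return self.cache.get("session:" + sid)  # None once the TTL has elapsed


def demo():
    """Walk through each pattern with a fake clock; returns the observed values."""
    now = [0.0]  # constructed clock, advanced by hand
    cache = Cache(clock=lambda: now[0])
    store = ProductStore(cache, db={"p1": 10.0}, ttl=300)  # constructed sample row
    results = {}
    results["miss_then_hit"] = (store.read_lazy("p1"), store.read_lazy("p1"), store.db_reads)
    store.write_db_only("p1", 12.0)
    results["stale_after_db_write"] = store.read_lazy("p1")  # still 10.0 from the cache
    now[0] += 301  # cache TTL elapses
    results["fresh_after_ttl"] = store.read_lazy("p1")  # 12.0, re-read from the DB
    store.write_through("p1", 15.0)
    results["write_through"] = store.read_lazy("p1")  # 15.0, served without a DB read
    sessions = SessionStore(cache, ttl=60)
    sessions.login("abc", "alice")
    results["session_live"] = sessions.current_user("abc")
    now[0] += 61  # session TTL elapses
    results["session_expired"] = sessions.current_user("abc")
    results["db_reads"] = store.db_reads
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```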
Redis Use Case:
  • Gaming Leaderboards are computationally complex
  • Redis Sorted sets guarantee both uniqueness and element ordering
  • Each time a new element added, it's ranked in real time, then added in correct order
  • An RDS database struggles to keep up with user demand from a website where a million users mostly read news and rarely post. An ElastiCache cluster together with RDS Read Replicas is the adapted solution, because both help with scaling reads.
  • After setting up read replicas on an RDS database, users complain that upon updating their social media posts they do not see the update right away. This is because Read Replicas use asynchronous replication, so users will only observe eventual consistency.
  • The Multi AZ RDS feature does not require changing the SQL connection string.
    Multi AZ keeps the same connection string regardless of which database is up. Read Replicas must be referenced individually in the application, as each read replica has its own DNS name.
  • Enable Multi AZ to ensure the Redis cluster will always be available (high availability).
  1. Write a custom AWS Lambda function to generate the thumbnail and alert the user. Use the image upload process as an event source to invoke the Lambda function. The solutions architect should create Amazon Simple Notification Service (Amazon SNS) notification topics and subscriptions, and use one subscription with the application to generate the thumbnail.
  2. A company has a three-tier, stateless web application. The company's web and application tiers run on Amazon EC2 instances in an Auto Scaling group with an Amazon Elastic Block Store (Amazon EBS) root volume, and the database tier runs on Amazon RDS for PostgreSQL. The company's recovery point objective (RPO) is 2 hours. To enable backups for this environment, a solutions architect should recommend retaining the latest Amazon Machine Images (AMIs) of the web and application tiers, and configuring daily Amazon RDS snapshots with point-in-time recovery to meet the RPO.
  3. A company has thousands of edge devices that collectively generate 1 TB of status alerts each day. Each alert is approximately 2 KB in size. A solutions architect needs to implement a solution to ingest and store the alerts for future analysis.
    The company wants a highly available solution. However, the company needs to minimize costs and does not want to manage additional infrastructure. Additionally, the company wants to keep 14 days of data available for immediate analysis and archive any data older than 14 days. The MOST operationally efficient solution is to create an Amazon Simple Queue Service (Amazon SQS) standard queue to ingest the alerts and set the message retention period to 14 days, then configure consumers to poll the SQS queue, check the age of each message and analyze the message data as needed; if a message is 14 days old, the consumer should copy it to an Amazon S3 bucket and delete it from the SQS queue.
  4. A company is running a highly sensitive application on Amazon EC2 backed by an Amazon RDS database. Compliance regulations mandate that all personally identifiable information (PII) be encrypted at rest. The solution requiring the LEAST amount of changes to the infrastructure is to configure Amazon Elastic Block Store (Amazon EBS) encryption and Amazon RDS encryption with AWS Key Management Service (AWS KMS) keys to encrypt the instance and database volumes.
  5. A company is processing data on a daily basis. The results of the operations are stored in an Amazon S3 bucket, analyzed daily for one week, and then must remain immediately accessible for occasional analysis. Configuring a lifecycle policy to transition the objects to Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA) after 30 days is the MOST cost-effective storage alternative to the current configuration.
  6. A company is creating a new application that will store a large amount of data. The data will be analyzed hourly and will be modified by several Amazon EC2 Linux instances that are deployed across multiple Availability Zones. The needed amount of storage space will continue to grow for the next 6 months. A solutions architect should recommend storing the data in Amazon S3 Glacier and updating the S3 Glacier vault policy to allow access to the application instances.
  7. An application running on an Amazon EC2 instance needs to access an Amazon DynamoDB table. Both the EC2 instance and the DynamoDB table are in the same AWS account. A solutions architect must configure the necessary permissions. Creating an IAM role with the appropriate policy to allow access to the DynamoDB table, and creating an instance profile to assign this IAM role to the EC2 instance, will allow least privilege access to the DynamoDB table from the EC2 instance.
  8. A company plans to store sensitive user data on Amazon S3. Internal security compliance requires encryption of the data before sending it to Amazon S3. A solutions architect should recommend server-side encryption with customer-provided encryption keys.

PlAwAnSaI

Administrator

AWS Cost Optimization:

How We Saved Over $1,000 By Building CloudForecast With Serverless And AWS Lambda:
https://www.cloudforecast.io/blog/how-we-saved-money-using-aws-serverless-lambda
http://awscostlabs.com
  1. How many instances could be right-sized?
  2. What benefits could be gained from using reserved instances?
  3. How many of the instances need to be running 24x7?
  4. How many instances are configured for auto-scaling?
  • An application runs on an ASG behind an ALB. Users have to constantly log back in, and the team would rather not enable stickiness on the ALB for fear it will overload some servers. Storing session data in ElastiCache is a common pattern for ensuring different instances can retrieve a user's state if needed.
  • An analytics application is currently performing its queries against the main production database. These queries slow down the database, which impacts the main user experience. A Read Replica should be set up to improve the situation.
    It will help, as the analytics application can now perform queries against the replica, and these queries won't impact the main production database.
  • There is a requirement to use TDE (Transparent Data Encryption) on top of KMS. The Oracle and MS SQL Server database technologies support TDE on RDS.
  • Aurora Global Databases allow cross-region replication. This ensures a database is available in another region if a disaster happens to the main region.
  • The security of a Redis cache can be enhanced to force users to enter a password by using Redis AUTH.
  • A company has a production Node.js application that is using RDS MySQL 5.6 as its data backend. A new application programmed in Java will perform some heavy analytics workload to create a dashboard on a regular hourly basis. The final solution should minimize costs and have minimal disruption on the production application, so create a Read Replica in a different AZ and run the analytics workload on the replica database.
  • To create a disaster recovery strategy for an RDS PostgreSQL database so that in case of a regional outage a database can be quickly made available for Read and Write workloads in another region, with the DR database highly available, create a Read Replica in a different region and enable multi-AZ on the main database.
  • When managing a PostgreSQL database and, for security reasons, wanting to ensure users are authenticated using short-lived credentials, use PostgreSQL for RDS and authenticate using a token obtained through the RDS service.
    In this case, IAM is leveraged to obtain the RDS service token, so this is the IAM authentication use case.
  • The PostgreSQL and MySQL RDS database technologies support IAM authentication.
  • An application is running in production, using an Aurora database as its backend. The development team would like to run a scaled-down version of the application but still be able to perform some heavy workload on a need basis. Most of the time, the application will be unused. The CIO has tasked you with helping the team while minimizing costs: use Aurora Serverless.
  • A company would like to have a MySQL database internally that is going to be available even in case of a disaster in the AWS cloud. Multi AZ should be set up.
    Consider a disaster to be an entire Availability Zone going down, in which case Multi-AZ will help. To plan against an entire region going down, backups and replication across regions would help.
  1. A product manager of an ecommerce website is launching a new product line next month. The application hosting the website runs on Amazon EC2 instances in an Auto Scaling group behind a load balancer. Testing has been performed, and the maximum load at launch has been estimated. Traffic to the application is expected to decrease gradually within the first few weeks after the launch. This workload is the only one on this account that is expected to scale during launch. The MOST cost-effective combination of steps to ensure there will be adequate capacity when the application scales at launch is: purchase Reserved Instances (RIs) with zonal scope to reserve capacity and get the compute discount, then cancel the RIs after the launch; and purchase Scheduled Instances to reserve capacity for the launch and run them on a daily schedule during peak capacity hours.
  2. A company's near-real-time streaming application is running on AWS. As the data is ingested, a job runs on the data and takes 30 minutes to complete. The workload frequently experiences high latency due to large amounts of incoming data. A solutions architect needs to design a scalable and serverless solution to enhance performance. The solution is to use Amazon Kinesis Data Firehose to ingest the data and EC2 instances in an Auto Scaling group to process it.
  3. A company's security policy requires that all AWS API activity in its AWS accounts be recorded for periodic auditing. The company needs to ensure that AWS CloudTrail is enabled on all of its current and future AWS accounts using AWS Organizations. The MOST secure approach is to add all existing accounts under the organization's root, then define and attach a service control policy (SCP) to every account that prevents users from disabling CloudTrail.
  4. A company is running an application on AWS to process weather sensor data that is stored in an Amazon S3 bucket. Three batch jobs run hourly to process the data in the S3 bucket for different purposes. The company wants to reduce the overall processing time by running the three applications in parallel using an event-based approach. A solutions architect should enable S3 Event Notifications for new objects to separate Amazon Simple Queue Service (Amazon SQS) FIFO queues, create an additional SQS queue for each application, and subscribe each queue to the initial topic for processing.
  5. A company's website is using an Amazon RDS MySQL Multi-AZ DB instance for its transactional data storage. There are other internal systems that query this DB instance to fetch data for internal batch processing. The RDS DB instance slows down significantly when the internal systems fetch data. This impacts the website's read and write performance, and the users experience slow response times. Adding a read replica to the RDS DB instance and configuring the internal systems to query the read replica will improve the website's performance.
    Amazon RDS Read Replicas enhance performance. They reduce the load on the source DB instance by routing read queries from applications to the read replica, and they allow elastic scale-out beyond the capacity constraints of a single DB instance for read-heavy database workloads. Because read replicas can be promoted to master status, they are useful as part of a sharding implementation.
    To further maximize read performance, Amazon RDS for MySQL allows adding table indexes directly to Read Replicas, without those indexes being present on the master.
  6. A solutions architect is designing an application for a two-step order process. The first step is synchronous and must return to the user with little latency. The second step takes longer, so it will be implemented in a separate component. Orders must be processed exactly once and in the order in which they are received. The solutions architect should create an SNS topic and subscribe an Amazon SQS FIFO queue to that topic.

PlAwAnSaI

Administrator

EC2 User Data:
  • It is possible to bootstrap our instances using an EC2 User data script.
  • Bootstrapping means launching commands when a machine starts
  • That script is only run once at the instance first start
  • EC2 user data is used to automate boot tasks such as:
    • Installing updates / software
    • Downloading common files from the internet
    • Anything you can think of
  • The EC2 User Data Script runs with the root user
AWS Route 53 Overview:
  • Is a Managed DNS (Domain Name System)
  • DNS is a collection of rules and records which helps clients understand how to reach a server through its domain name.
  • In AWS, the most common records are:
    • A: hostname to IPv4
    • AAAA: hostname to IPv6
    • CNAME: hostname to hostname
    • Alias: hostname to AWS resource.
  • Can use:
    • public domain names you own (or buy)
      application1.mypublicdomain.com
    • private domain names that can be resolved by instances in VPCs.
      application1.company.internal
  • Has advanced features such as:
    • Load balancing (through DNS - also called client load balancing)
    • Health checks (although limited...)
    • Routing policy: simple, failover, geolocation, latency, weighted, multi value
  • Pay $0.5 per month per hosted zone
DNS Records TTL (Time to Live):
  • High TTL: (e.g. 24hr):
    • Less traffic on DNS
    • Possibly outdated records
  • Low TTL: (e.g. 60 s):
    • More traffic on DNS
    • Records are outdated for less time
    • Easy to change records
  • TTL is mandatory for each DNS record
  • https://toolbox.googleapps.com/apps/dig
CNAME vs Alias:
  • AWS Resources (Load Balancer, CloudFront...) expose an AWS hostname:
    lb1-1234.ap-southeast-1.elb.amazonaws.com and want myapp.mydomain.com
  • CNAME:
    • Points a hostname to any other hostname. (app.mydomain.com => blabla.anything.com)
    • ONLY FOR NON ROOT DOMAIN (ex: something.mydomain.com)
    • myapp.mydomain.com => LB DNS name
  • Alias:
    • Points a hostname to an AWS Resource (app.mydomain.com => blabla.amazonaws.com)
    • Works for ROOT DOMAIN and NON ROOT DOMAIN (aka mydomain.com)
    • Free of charge
    • Native health check
Simple Routing Policy:
  • Use when you need to redirect to a single resource
  • Can't attach health checks to simple routing policy
  • If multiple values are returned, a random one is chosen by the client
  1. A company receives inconsistent service from its data center provider because the company is headquartered in an area affected by natural disasters. The company is not ready to fully migrate to the AWS Cloud, but it wants a failover environment on AWS in case the on-premises data center fails. The company runs web servers that connect to external vendors. The data available on AWS and on premises must be uniform. To achieve the LEAST amount of downtime, a solutions architect should recommend configuring an Amazon Route 53 failover record, running application servers on Amazon EC2 instances behind an Application Load Balancer in an Auto Scaling group, and setting up AWS Storage Gateway with stored volumes to back up data to Amazon S3.
  2. An application running on AWS generates audit logs of operational activities. Compliance requirements mandate that the application retain the logs for 5 years. The logs should be saved in an Amazon S3 Glacier vault with a vault lock policy defined.
  3. A company wants to migrate its 1 PB on-premises image repository to AWS. The images will be used by a serverless web application. Images stored in the repository are rarely accessed, but they must be immediately available. Additionally, the images must be encrypted at rest and protected from accidental deletion. The images should be stored in an Amazon S3 bucket in the S3 Standard-Infrequent Access (S3 Standard-IA) storage class, with versioning, default encryption, and MFA Delete enabled on the S3 bucket.
  4. A company has 150 TB of archived image data stored on-premises that needs to be moved to the AWS Cloud within the next month. The company's current network connection allows up to 100 Mbps uploads for this purpose during the night only. Ordering multiple AWS Snowball devices to ship the data to AWS is the MOST cost-effective mechanism to move this data and meet the migration deadline.
    Using the network during the night only = 24 - 9 = 15 hrs/day; 100 Mbps x 60 = 6 Gb/min x 60 = 360 Gb/hr x 15 = 5.4 Tb/day; deadline next month = 5.4 x 30 days = 162 Tb/month / 8 = 20.25 TB, far short of the 150 TB to move.

  5. A company is migrating to the AWS Cloud. A file server is the first workload to migrate. Users must be able to access the file share using the Server Message Block (SMB) protocol, so the Amazon FSx managed service should be used.
  6. A company has an API-based inventory reporting application running on Amazon EC2 instances. The application stores information in an Amazon DynamoDB table. The company's distribution centers have an on-premises shipping application that calls an API to update the inventory before printing shipping labels. The company has been experiencing application interruptions several times each day, resulting in lost transactions. A solutions architect should recommend configuring Amazon API Gateway to call the EC2 inventory application APIs to improve application resiliency.
  7. A company requires operating system permissions on a relational database server. A solutions architect should suggest multiple Amazon EC2 instances in a database replication configuration that uses two Availability Zones as a highly available database architecture.
  8. A manufacturing company has machine sensors that upload csv files to an Amazon S3 bucket. These csv files must be converted into images and made available as soon as possible for the automatic generation of graphical reports, by designing an AWS Lambda function that converts the csv files into images and stores the images in the S3 bucket, and invoking the Lambda function when a csv file is uploaded. The images become irrelevant after 1 month, but the csv files must be kept to train machine learning (ML) models twice a year. The ML trainings and audits are planned weeks in advance, so create S3 Lifecycle rules for csv files and image files in the S3 bucket: transition the csv files from S3 Standard to S3 One Zone-Infrequent Access (S3 One Zone-IA) 1 day after they are uploaded, and expire the image files after 30 days.
  9. A company is using a VPC peering strategy to connect its VPCs in a single Region to allow for cross-communication. A recent increase in account creations and VPCs has made it difficult to maintain the VPC peering strategy, and the company expects to grow to hundreds of VPCs. There are also new requests to create site-to-site VPNs with some of the VPCs. A solutions architect has been tasked with creating a centralized networking setup for multiple accounts, VPCs, and VPNs, and should configure a transit gateway with AWS Transit Gateway and connect all VPCs and VPNs.
  10. A company has many applications on Amazon EC2 instances running in Auto Scaling groups. Company policy requires that the data on the attached Amazon Elastic Block Store (Amazon EBS) volumes be retained. The Delete on Termination attribute for the Amazon EBS volumes should be disabled.

PlAwAnSaI

Administrator

Weighted Routing Policy:
  • Control the % of the requests that go to specific endpoint
  • Helpful to test 1% of traffic on new app version for example
  • Helpful to split traffic between two regions
  • Can be associated with Health Checks
Latency:
  • Redirect to the server that has the least latency close to users
  • Super helpful when latency of users is a priority
  • Latency is evaluated in terms of user to designated AWS Region
  • Thailand may be directed to the Australia (if that's the lowest latency)
  • https://www.bitcatcha.in.th/vpn-ที่ดีที่สุด
Health Checks:
  • After X failed checks => unhealthy (default 3)
  • After X passed checks => healthy (default 3)
  • Default Interval: 30s (can set to 10s - higher cost)
  • About 15 health checkers will check the endpoint health
  • => one request every 2 seconds on average
  • Can have HTTP, TCP and HTTPS (no SSL verification)
  • Possibility of integrating with CloudWatch
  • Can be linked to Route53 DNS queries!
Failover:
  • Primary & Secondary (disaster recovery)
  • Primary needs a health check (mandatory)
Geo Location:
  • Different from Latency based!
  • This is routing based on user location
  • Like static routing (e.g. Thailand should go to 11.22.33.44, Hong Kong go to 22.33.44.55)
  • Should create a 'default' policy (in case there's no match on location)
Geoproximity:
  • Route traffic to resources based on the geographic location of users and resources
  • Ability to shift more traffic to resources based on the defined bias
  • To change the size of the geographic region, specify bias values:
    • To expand (1 to 99) - more traffic to the resource
    • To shrink (-1 to -99) - less traffic to the resource
  • Resources can be:
    • AWS resources (specify AWS region)
    • Non-AWS resources (specify Latitude and Longitude)
  • Must use Route 53 Traffic Flow (advanced) to use this feature
Multi Value:
  • Use when routing traffic to multiple resources
  • Use when you want to associate Route 53 health checks with records
  • Up to 8 healthy records are returned for each Multi Value query
  • Multi Value is not a substitute for having an ELB
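A small resolver that applies the simple, weighted, failover and multi value policies above to a record set, with a health-check state machine using the default 3-failure / 3-success thresholds; this is an added example, not Route 53 code, and the record dictionaries and IP values are constructed for the demo.

```python
"""Route 53 routing policies and health-check thresholds, simulated (added example)."""
import random

_DEFAULT_RNG = random.Random(0)  # seeded so the weighted demo is reproducible


class HealthCheck:
    """Tracks one endpoint; state flips only after `threshold` consecutive results."""

    def __init__(self, threshold=3, healthy=True):
        self.threshold, self.healthy, self._streak = threshold, healthy, 0

    def observe(self, passed: bool) -> bool:
        # A result that agrees with the current state resets the opposite streak.
        if passed == self.healthy:
            self._streak = 0
        else:
            self._streak += 1
            if self._streak >= self.threshold:
                self.healthy, self._streak = passed, 0
        return self.healthy


def healthy_records(records):
    """Records carrying a health check are dropped while that check is unhealthy."""
    return [r for r in records if r.get("check") is None or r["check"].healthy]


def resolve(policy, records, rng=_DEFAULT_RNG):
    """Return the list of values a client would receive for one DNS query."""
    if policy == "simple":
        # No health checks: every value is returned and the client picks one.
        return [r["value"] for r in records]
    if policy == "weighted":
        live = healthy_records(records)
        total = sum(r["weight"] for r in live)
        if total == 0:
            return []
        pick = rng.uniform(0, total)  # proportional choice among healthy records
        for r in live:
            pick -= r["weight"]
            if pick <= 0:
                return [r["value"]]
        return [live[-1]["value"]]
    if policy == "failover":
        primary = next(r for r in records if r["role"] == "primary")
        secondary = next(r for r in records if r["role"] == "secondary")
        # The primary must carry a health check; the secondary answers while it fails.
        return [primary["value"]] if primary["check"].healthy else [secondary["value"]]
    if policy == "multivalue":
        return [r["value"] for r in healthy_records(records)][:8]  # up to 8 healthy
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    primary = {"role": "primary", "value": "192.0.2.10", "check": HealthCheck()}
    secondary = {"role": "secondary", "value": "192.0.2.20"}
    print("failover, primary healthy:", resolve("failover", [primary, secondary]))
    for _ in range(3):
        primary["check"].observe(False)  # three consecutive failures
    print("failover, primary unhealthy:", resolve("failover", [primary, secondary]))
```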
A Registrar:
  • A domain name registrar is an organization that manages the reservation of Internet domain names
  • Famous names: GoDaddy, Google Domains, Etc...
  • And also... Route53 (e.g. AWS)!
  • Domain Registrar != DNS
3rd Party Registrar:
  • If you buy a domain on a 3rd party website, you can still use Route 53.
  1. Create a Hosted Zone in Route 53
  2. Update NS Records on 3rd party website to use Route 53 name servers
  • Domain Registrar != DNS
  • (But each domain registrar usually comes with some DNS features)
  1. A company hosts its static website content from an Amazon S3 bucket in the us-east-1 Region. Content is made available through an Amazon CloudFront origin pointing to that bucket. Cross-Region replication is set up to create a second copy of the bucket in the ap-southeast-1 Region. Management wants a solution that provides greater availability for the website. The solution is to configure failover routing in Amazon Route 53 and set up a CloudFront origin group with the us-east-1 bucket as the primary and the ap-southeast-1 bucket as the secondary.
  2. A company is running a database on Amazon Aurora. The database is idle every evening. An application that performs extensive reads on the database experiences performance issues during morning hours when user traffic spikes. During these peak periods, the application receives timeout errors when reading from the database. The company does not have a dedicated operations team and needs an automated solution to address the performance issues. The solution is to migrate the database to Aurora Serverless and configure Aurora Auto Scaling with Aurora Replicas.
  3. A company is hosting an application in its own data center. The application uses Amazon S3 for data storage. The application transfers several hundred terabytes of data every month to and from Amazon S3. The company needs to minimize the cost of this data transfer. The solution is to create an AWS Storage Gateway file gateway, deploy the software appliance in the company's data center, and configure the application to use the file gateway to store and retrieve files.
  4. A solutions architect must design a solution for a persistent database that is being migrated from on-premises to AWS. The database requires 64,000 IOPS according to the database administrator. If possible, the database administrator wants to use a single Amazon Elastic Block Store (Amazon EBS) volume to host the database instance. The solution is to create a Nitro-based Amazon EC2 instance with an Amazon EBS Provisioned IOPS SSD (io1) volume attached and configure the volume to have 64,000 IOPS.
  5. A company has thousands of edge devices that collectively generate 1 TB of status alerts each day. Each alert is approximately 2 KB in size. A solutions architect needs to implement a solution to ingest and store the alerts for future analysis.
    The company wants a highly available solution. However, the company needs to minimize costs and does not want to manage additional infrastructure. Additionally, the company wants to keep 14 days of data available for immediate analysis and archive any data older than 14 days. The MOST operationally efficient solution is to create an Amazon Simple Queue Service (Amazon SQS) standard queue to ingest the alerts and set the message retention period to 14 days, then configure consumers to poll the SQS queue, check the age of each message and analyze the message data as needed; if a message is 14 days old, the consumer should copy it to an Amazon S3 bucket and delete it from the SQS queue.
  6. A company operates a website on Amazon EC2 Linux instances. Some of the instances are failing. Troubleshooting points to insufficient swap space on the failed instances. The operations team lead needs a solution to monitor this. A solutions architect should recommend configuring an Amazon CloudWatch SwapUsage metric dimension and monitoring the SwapUsage dimension in the EC2 metrics in CloudWatch.
  7. A company is using Amazon EC2 to run its big data analytics workloads. These variable workloads run each night, and it is critical they finish by the start of business the following day. A solutions architect has been tasked with designing the MOST cost-effective solution, which is to use Reserved Instances.
  8. A company provides an API to its users that automates inquiries for tax computations based on item prices. The company experiences a larger number of inquiries during the holiday season only, which causes slower response times. A solutions architect needs to design a solution that is scalable and elastic. The solutions architect should design a REST API using Amazon API Gateway that accepts the item names; API Gateway passes the item names to AWS Lambda for tax computations.

PlAwAnSaI

Administrator

  • Have purchased 'coolcompany.com' on the AWS registrar and would like for it to point to lb1-1234.ap-southeast-1.elb.amazonaws.com. The Alias type of Route 53 record makes it POSSIBLE to set this up.
    The DNS protocol does not allow creating a CNAME record for the top node of a DNS namespace (coolcompany.com), also known as the zone apex.
  • Have deployed a new Elastic Beanstalk environment and would like to direct 5% of production traffic to this new environment, in order to monitor CloudWatch metrics and ensure no bugs exist. The Weighted type of Route 53 record allows this.
    Weighted routing allows redirecting a part of the traffic based on a weight (hence a percentage). It's commonly used to send part of the traffic to a newly deployed application.
  • After updating a Route 53 record to point 'app.domain.com' from an old Load Balancer to a new load balancer, it looks like the users are still not redirected to new load balancer. It's because of the TTL.
    DNS records have a TTL (Time To Live) so that clients know how long to cache these values and not overload the DNS with requests. The TTL should be set to strike a balance between how long the value should be cached vs how much pressure should go on the DNS.
  • Want users to get the best possible user experience and that means minimizing the response time from servers to users. Latency routing policy will help.
    Latency routing will evaluate the latency results and help users get a DNS response that will minimize their latency (e.g. response time).
  • Have a legal requirement that people in any country but France should not be able to access website. Geolocation Route 53 record helps in achieving this.
  • Have purchased a domain on GoDaddy and would like to use it with Route 53. Need to create a public hosted zone and update the 3rd party registrar's NS records to make this work.
    Private hosted zones are meant to be used for internal network queries and are not publicly accessible. Public hosted zones are meant to be used for people requesting the website through the public internet. Finally, NS records must be updated on the 3rd party registrar.
Stateless Web App: WhatsTheTime.com:
  • Allows people to know what time it is
  • Don't need a database
  • Want to start small and can accept downtime
  • Want to fully scale vertically and horizontally, no downtime
  1. Only one t2.micro, accessed by the EC2 instance's Public IP
    If it restarts, the IP will change =>
  2. + Elastic IP Address
    If there are too many users, a t2.micro isn't enough =>
  3. Change to m5.large, with a 1st downtime
    If there are too many users, an m5.large isn't enough =>
  4. Scale horizontally by adding more m5.large instances; drop the Elastic IP (too many IPs) and add Route 53 with an A Record instead
    But when an instance is removed, due to the Route 53 TTL, some users can't access the site at that time =>
  5. + Public-facing ELB & Health Checks & Restricted Security Groups to private EC2 instances; change the Route 53 A Record to an Alias Record because the ELB IP changes all the time
    But now, adding and removing instances manually is pretty hard to do =>
  6. + Auto Scaling group
    If a disaster happens, the entire web app will go down because there is only one AZ =>
  7. + Multi-AZ for both ELB & EC2: 2 AZs & one EC2 reserved instance in each
Stateful Web App: Clothes.com:
  • Allows people to buy clothes online.
  • There's a shopping cart
  • Having hundreds of users at the same time
  • Need to scale, maintain horizontal scalability and keep it as stateless as possible
  • Users should not lose their shopping cart
  • Users should have their details (address, etc) in a database
  1. Use the final architecture of WhatsTheTime.com
    When a user's request lands on a different EC2 instance, the shopping cart is lost =>
  2. Enable ELB Stickiness
    If the EC2 instance is terminated for some reason, the shopping cart is still lost =>
  3. Use User Web Client Cookies instead of ELB Stickiness, making the web app stateless
    But there's a security risk & cookies must be less than 4KB =>
  4. Just send a session_id in the web cookies & + ElastiCache to store sessions (alternative: DynamoDB)
  5. + RDS to store user data
    If one RDS isn't enough =>
    1. + another RDS for Read Replicas; the old one acts as the Master (writes)
    2. Use ElastiCache to cache data from RDS
    Route 53 is already highly available; there is a Multi-AZ feature for both RDS & ElastiCache
    Tight security with security groups referencing each other
  1. A solution architect needs to design a highly available application consisting of web, application, and database tiers. HTTPS content delivery should be as close to the edge as possible, with the least delivery time. Should use Amazon EC2 instances in private subnets. Configure a public Application Load Balancer with multiple redundant EC2 instances, and use Amazon CloudFront to deliver HTTPS content using the EC2 instances as the origin; this is MOST secure.
  2. A healthcare company stores highly sensitive patient records. Compliance requires that multiple copies be stored in different locations. Each record must be stored for 7 years. The company has a service level agreement (SLA) to provide records to government agencies immediately for the first 30 days and then within 4 hours of a request thereafter. A solution architect should recommend Use Amazon S3 with cross-Region replication enabled. After 30 days, transition the data to Amazon S3 Glacier using lifecycle policy.
  3. A company is planning to build a new web application on AWS. The company expects predictable traffic most of the year and very high traffic on occasion. The web application needs to be highly available and fault tolerant with minimal latency. A solution architect should recommend Use Amazon EC2 instances in an Auto Scaling group with an Application Load Balancer across multiple Availability Zones.
  4. A company runs analytics software on Amazon EC2 instances. The software accepts job requests from users to process data that has been uploaded to Amazon S3. Users report that some submitted data is not being processed. Amazon CloudWatch reveals that the EC2 instances have a consistent CPU utilization at or near 100%. The company wants to improve system performance and scale the system based on user load. A solution architect should Create a copy of the instance. Place all instances behind an Application Load Balancer.
  5. A solution architect needs to design a network that will allow multiple Amazon EC2 instances to access a common data source used for mission-critical data that can be accessed by all the EC2 instances simultaneously. The solution must be highly scalable, easy to implement and support the NFS protocol. Should Create an Amazon EFS file system. Configure a mount target in each Availability Zone. Attach each instance to the appropriate mount target.
  6. A solution architect is designing a new service behind Amazon API Gateway. The request patterns for the service will be unpredictable and can change suddenly from 0 requests to over 500 per second. The total size of the data that needs to be persisted in a backend database is currently less than 1 GB with unpredictable future growth. Data can be queried using simple key-value requests. Should use AWS Lambda and Amazon DynamoDB.

PlAwAnSaI

Administrator

Stateful Web App: WordPress.com:
  • Trying to create a fully scalable WordPress website
  • Want that website to access and correctly display picture uploads
  • User data, and the blog content should be stored in a MySQL database.
  1. Use the step-5 architecture of Clothes.com
    If want to go big & scale up better & easier to upwrite =>
  2. Change from RDS to Aurora MySQL Multi AZ & Read Replicas

  3. Use EBS for storing images
    But when scaling to 2 EC2 instances, each has its own EBS, so the images are missing from one of them =>
  4. Use EFS instead to share data between EC2 instances
Instantiating Applications quickly:
  • When launching a full stack (EC2, EBS, RDS), it can take time to:
    • Install applications
    • Insert initial (or recovery) data
    • Configure everything
    • Launch the application
  • Can take advantage of the cloud to speed that up!
  • EC2 Instances:
    • Use a Golden AMI: Install applications, OS dependencies etc.. beforehand and launch EC2 instance from the Golden AMI
    • Bootstrap using User Data: For dynamic configuration, use User Data scripts
    • Hybrid: mix Golden AMI and User Data (Elastic Beanstalk)
  • RDS Databases:
    • Restore from a snapshot: the database will have schemas and data ready!
  • EBS Volumes:
    • Restore from a snapshot: the disk will already be formatted and have data!
Developer problems on AWS:
  • Managing infrastructure
  • Deploying Code
  • Configuring all the databases, load balancers, etc
  • Scaling concerns
  • Most web apps have the same architecture (ALB + ASG)
  • All the developers want is for their code to run!
  • Possibly, consistently across different applications and environments
AWS ElasticBeanStalk Overview:
  • Is a developer centric view of deploying an application on AWS
  • It uses all the components seen before:
    EC2, ASG, ELB, RDS, etc...
  • But it's all in one view that's easy to make sense of!
  • Still have full control over the configuration
  • Is free, but you pay for the underlying instances
  • Managed service:
    • Instance configuration / OS is handled by beanstalk
    • Deployment strategy is configurable but performed by Elastic Beanstalk
  • Just the application code is the responsibility of the developer
  • Three architecture models:
    • Single Instance deployment: good for dev
    • LB + ASG: great for production or pre-production web applications
    • ASG only: great for non-web apps in production (workers, etc...)
  • ElasticBeanStalk has three components:
    • Application
    • Application version: each deployment gets assigned a version
    • Environment name (dev, test, prod...): free naming
  • Deploy application versions to environments and can promote application versions to the next environment
  • Rollback feature to previous application version
  • Full control over lifecycle of environments
  • Support for many platforms:
    • Go, Java SE / with Tomcat
    • .NET on Windows Server with IIS
    • Node.js, PHP
    • Python, Ruby
    • Packer Builder
    • Single Container / Multicontainer / Preconfigured Docker
  • If not supported, can write custom platform (advanced)
  1. A company is running a global application. The application's users submit multiple videos that are then merged into a single video file. The application uses a single Amazon S3 bucket in the us-east-1 Region to receive uploads from users. The same S3 bucket provides the download location of the single video file that is produced. The final video file output has an average size of 250 GB.
    The company needs to develop a solution that delivers faster uploads and downloads of the video files that are stored in Amazon S3. The company will offer the solution as a subscription for users who pay for the increased speed. A solution architect should enable S3 Transfer Acceleration for the S3 bucket in us-east-1 and configure the application to use the bucket's S3-accelerate endpoint domain name for the upload and download links for users who have a subscription.
  2. A company plans to host a survey website on AWS. The company anticipates an unpredictable amount of traffic. This traffic results in asynchronous updates to the database. The company wants to ensure that writes to the database hosted on AWS do not get dropped. The company should write its application to handle these database requests by configuring the application to publish to an Amazon Simple Notification Service (Amazon SNS) topic and subscribing the database to the SNS topic.
  3. A company has developed a database in Amazon RDS for MySQL. Due to increased load, the support team is reporting slow reads against the DB instance and recommends adding a read replica. Before implementing this change, a solution architect should allow long-running transactions to complete on the source DB instance and enable automatic backups on the source instance by setting the backup retention period to a value other than 0.
  4. A company is building a document storage application on AWS. The application runs on Amazon EC2 instances in multiple Availability Zones. The company requires the document store to be highly available. The documents need to be returned immediately when requested. The lead engineer has configured the application to use Amazon Elastic Block Store (Amazon EBS) to store the documents, but is willing to consider other options to meet the availability requirement. A solution architect should recommend using Amazon EBS for the EC2 instance root volumes and configuring the application to build the document store on Amazon S3.
  5. A web application must persist order data to Amazon S3 to support near-real-time processing. A solution architect needs to create an architecture that is both scalable and fault tolerant. Should write the order event to an Amazon Simple Queue Service (Amazon SQS) queue. Use the queue to trigger an AWS Lambda function that parses the payload and writes the data to Amazon S3. And write the order event to an Amazon Simple Notification Service (Amazon SNS) topic. Use an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger an AWS Lambda function that parses the payload and writes the data to Amazon S3.
  6. The DNS provider that hosts a company's domain name records is experiencing outages that cause service disruption for a website running on AWS. The company needs to migrate to a more resilient managed DNS service and wants the service to run on AWS. A solution architect should Create an Amazon Route 53 public hosted zone for the domain name. Import the zone file containing the domain records hosted by the previous provider to rapidly migrate the DNS hosting service.

PlAwAnSaI

Administrator

  • Have an ASG that scales on demand based on the traffic going to a new website: Triangle.Com. Would like to optimize for cost, so have selected an ASG that scales based on demand going through the ELB. Still, want the solution to be highly available, so have set the minimum number of instances to 2. Can further optimize the cost while respecting the requirements by reserving two EC2 instances.
    This is the way to save further costs, as we know 2 EC2 instances will run no matter what.
  • Offloading data to RDS, storing the session data in ElastiCache, or sending the session data through client cookies helps make the application tier stateless.
  • Looking to store shared software updates data across 100s of EC2 instances. The software updates should be dynamically loaded on the EC2 instances and shouldn't require heavy operations. Should store the software updates on EFS and mount EFS as a network drive.
    EFS is a network file system (NFS) and allows mounting the same file system on 100s of EC2 instances. Publishing software updates there allows each EC2 instance to access them.
  • As a solution architect managing a complex ERP software suite, orchestrating a migration to the AWS cloud: the software traditionally takes well over an hour to set up on a Linux machine, and we would like to make sure the application leverages the ASG feature of auto scaling based on demand. Recommend speeding up the installation process by using a Golden AMI.
    A Golden AMI is a standard way of snapshotting the state after application installation or pulling dependencies, so that future instances can boot from that AMI quickly.
  • Creating an application and would like for it to run with minimal cost in a development environment with Elastic Beanstalk. Should run it in Single Instance Mode.
    This will create one EC2 instance and one Elastic IP.
  • Deployments on Elastic Beanstalk have been painfully slow, and after looking at the logs, realize this is due to the fact that dependencies are resolved on each EC2 machine at deployment time. Can speed up deployment with minimal impact by creating a Golden AMI that contains the dependencies and launching the EC2 instances from that.
Amazon S3
Another base block of AWS:

Introduction:
  • Amazon S3 is one of the main building blocks of AWS
  • It's advertised as 'infinitely scaling' storage
  • It's widely popular and deserves its own section
  • Many websites use Amazon S3 as a backbone
  • Many AWS services use Amazon S3 as an integration as well
Overview - Buckets:
  • Amazon S3 allows people to store objects (files) in 'buckets' (directories)
  • Must have a globally unique name
  • Are defined at the region level
  • Naming convention:
    • No uppercase & underscore
    • 3-63 characters long
    • Not an IP
    • Must start with lowercase letter or number
Objects:
  • Objects (files) have a Key
  • The key is the FULL path:
    • s3://my-bucket/my_file.txt
  • The key is composed of prefix + object name:
    • s3://my-bucket/my_folder1/another_folder/my_file.txt
  • There's no concept of 'directories' within buckets (although the UI will trick you into thinking otherwise)
  • Just keys with very long names that contain slashes ('/')
  • Object values are the content of the body:
    • Max Size is 5TB (5,000GB)
    • If uploading more than 5GB, must use 'multi-part upload'
  • Metadata (list of text key / value pairs - system or user metadata)
  • Tags (Unicode key / value pair - up to 10) - useful for security / lifecycle
  • Version ID (if versioning is enabled)
  1. A company has an application with a REST-based Interface that allows data to be received in near-real time from a third-party vendor. Once received, the application processes and stores the data for further analysis. The application is running on Amazon EC2 instances.
    The third-party vendor has received many 503 Service Unavailable Errors when sending data to the application. When the data volume spikes, the compute capacity reaches its maximum limit and the application is unable to process all requests. A solution architect should recommend using Amazon Kinesis Data Streams to ingest the data and processing the data using AWS Lambda functions to provide a more scalable solution.
  2. A company has three VPCs named Development, Testing and Production in the ap-southeast-1 Region. The three VPCs need to be connected to an on-premises data center and are designed to be separate to maintain security and prevent any resource sharing. A solution architect needs to find a scalable and secure solution. The solutions architect should recommend Create a new VPC called Network. Within the Network VPC create an AWS Transit Gateway with an AWS Direct Connect connection back to the data center. Attach all the other VPCs to the Network VPC.
  3. A company is developing a serverless web application that gives users the ability to interact with real-time analytics from online games. The data from the games must be streamed in real time. The company needs a durable, low-latency database option for user data. The company does not know how many users will use the application. Any design considerations must provide response times of single-digit milliseconds as the application scales. Should use Amazon CloudFront and DynamoDB.
  4. A company hosts its multi-tier, public web application in the AWS Cloud. The web application runs on Amazon EC2 instances and its database runs on Amazon RDS. The company is anticipating a large increase in sales during an upcoming holiday weekend. A solutions architect needs to build a solution to analyze the performance of the web application with a granularity of no more than 2 minutes. The solution architect should Enable detailed monitoring on all EC2 instances. Use Amazon CloudWatch metrics to perform further analysis.
  5. A company runs a web application that is backed by Amazon RDS. A new database administrator caused data loss by accidentally editing information in a database table. To help recover from this type of incident, the company wants the ability to restore the database to its state from 5 minutes before any change within the last 30 days. The solution architect should include the automated backups feature in the design.
  6. A company has an application that uses Amazon Elastic File System (Amazon EFS) to store data. The files are 1 GB in size or larger and are accessed often only for the first few days after creation. The application data is shared across a cluster of Linux servers. The company wants to reduce storage costs for the application. A solution architect should Configure a lifecycle policy to move the files to the EFS Infrequent Access (IA) storage class after 7 days.
  7. A company must migrate 20 TB of data from a data center to the AWS Cloud within 30 days. The company's network bandwidth is limited to 15 Mbps and cannot exceed 70% utilization. A solution architect should Use AWS Snowball.
    70% of 15 Mbps = 10.5 Mbps, 30 days all day & night just 3.402 TB.
  8. A company is designing a new application that runs in a VPC on Amazon EC2 instances. The application stores data in Amazon S3 and uses Amazon DynamoDB as its database. For compliance reasons, the company prohibits all traffic between the EC2 instances and other AWS services from passing over the public internet. A solution architect can Configure gateway VPC endpoints to Amazon S3 and DynamoDB.

PlAwAnSaI

Administrator

Versioning:
  • Can version files in Amazon S3
  • It is enabled at the bucket level
  • Same key overwrite will increment the 'version': 1, 2, 3....
  • It is best practice to version buckets:
    • Protect against unintended deletes (ability to restore a version)
    • Easy roll back to previous version
  • Notes:
    • Any file that is not versioned prior to enabling versioning will have version 'null'
    • Suspending versioning does not delete the previous versions
Encryption for Objects:
  • There are 4 methods of encrypting objects in S3
    • SSE-S3: encrypts S3 objects using keys handled & managed by AWS
    • SSE-KMS: leverage AWS Key Management Service to manage encryption keys
    • SSE-C: when want to manage own encryption keys
    • Client Side Encryption
  • It's important to understand which ones are adapted to which situation.
SSE-S3:
  • Object is encrypted server side
  • AES-256 encryption type
  • Must set header: "x-amz-server-side-encryption":"AES256"
SSE-KMS:
  • encryption using keys handled & managed by KMS
  • KMS Advantages: user control + audit trail
  • Object is encrypted server side
  • Must set header: "x-amz-server-side-encryption":"aws:kms"
SSE-C:
  • server-side encryption using data keys fully managed by the customer outside of AWS
  • Amazon S3 does not store the encryption key provided
  • HTTPS must be used
  • The encryption key must be provided in HTTP headers, for every HTTP request made
Client Side Encryption:
  • Client library such as the Amazon S3 Encryption Client
  • Clients must encrypt data themselves before sending to S3
  • Clients must decrypt data themselves when retrieving from S3
  • Customer fully manages the keys and encryption cycle
Encryption in transit (SSL/TLS):
  • Amazon S3 exposes:
    • HTTP endpoint: non encrypted
    • HTTPS endpoint: encryption in flight
  • Free to use whichever endpoint you want, but HTTPS is recommended
  • Most clients would use the HTTPS endpoint by default
  • Encryption in flight is also called SSL / TLS
Security:
  • User based:
    • IAM policies - which API calls should be allowed for a specific user from IAM console
  • Resource Based:
    • Bucket policies - bucket wide rules from the S3 console - allows cross account
    • Object Access Control List (ACL) - finer grain
    • Bucket ACL - less common
  • Note: an IAM principal can access an S3 object if:
    • the user IAM permissions allow it OR the resource policy ALLOWS it
    • AND there's no explicit DENY
Bucket Policies:
  • JSON based policies:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "PublicRead",
          "Effect": "Allow",      // Allow / Deny
          "Principal": "*",       // The account or user to apply the policy to
          "Action": [             // Set of API to Allow or Deny
            "s3:GetObject"
          ],
          "Resource": [           // buckets and objects
            "arn:aws:s3:::examplebucket/*"
          ]
        }
      ]
    }
  • Use S3 bucket for policy to:
    • Grant public access to the bucket
    • Force objects to be encrypted at upload
    • Grant access to another account (Cross Account)
Bucket and object settings for Block Public Access:
  • Granted through:
    • new / any access control lists (ACLs)
    • new public bucket or access point policies
  • Block public and cross-account access to buckets and objects through any public bucket or access point policies
  • These settings were created to prevent company data leaks
  • If you know the bucket should never be public, leave these on
  • Can be set at the account level
Security - Other:
  • Networking:
    • Supports VPC Endpoints (for instances in VPC without www internet)
  • Logging and Audit:
    • S3 Access Logs can be stored in another S3 bucket
    • API calls can be logged in AWS CloudTrail
  • User Security:
    • MFA Delete: Multi Factor Authentication can be required in versioned buckets to delete objects
    • Pre-Signed URLs: URLs that are valid only for a limited time (ex: premium video service for logged in users)
  1. A company has been running a web application with an Oracle relational database in an on-premises data center for the past 15 years. The company must migrate the database to AWS. The company needs to reduce operational overhead without having to modify the application's code. Should Use AWS Database Migration Service (AWS DMS) to migrate the database servers to Amazon RDS.
  2. A solution architect must design a solution that uses Amazon CloudFront with an Amazon S3 origin to store a static website. The company's security policy requires that all website traffic be inspected by AWS WAF. The solution architect should comply with Configure Amazon CloudFront and Amazon S3 to use an origin access identity (OAI) to restrict access to the S3 bucket. Enable AWS WAF on the distribution.
  3. A company is designing a new application that runs in a VPC on Amazon EC2 instances. The application stores data in Amazon S3 and uses Amazon DynamoDB as its database. For compliance reasons, the company prohibits all traffic between the EC2 instances and other AWS services from passing over the public internet. A solution architect can Configure gateway VPC endpoints to Amazon S3 and DynamoDB.
  4. A company has a custom application running on an Amazon EC2 instance that:
    • Reads a large amount of data from Amazon S3
    • Performs a multi-stage analysis
    • Writes the results to Amazon DynamoDB
    The application writes a significant number of large, temporary files during the multi-stage analysis. The process performance depends on the temporary storage performance. Multiple Amazon S3 buckets with Transfer Acceleration for storage would be the fastest storage option for holding the temporary files.
  5. A company wants to run a hybrid workload for data processing. The data needs to be accessed by on-premises applications for local data processing using an NFS protocol and must also be accessible from the AWS Cloud for further analytics and batch processing. Should Use an AWS Storage Gateway file gateway to provide file storage to AWS, then perform analytics on this data in the AWS Cloud.
  6. A company's website hosted on Amazon EC2 instances processes classified data stored in Amazon S3. Due to security concerns, the company requires a private and secure connection between its EC2 resources and Amazon S3. Should Set up S3 bucket policies to allow access from a VPC endpoint.
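The request headers behind the SSE-S3, SSE-KMS and SSE-C notes above, assembled and checked in code, as an added example that is not from the original post or from AWS's SDK. The bucket endpoint is a placeholder, and the KMS key id is whatever the caller supplies.

```python
"""Request headers for the four S3 encryption options described above.

Added illustration (not AWS SDK code): it only assembles the x-amz-* headers
a PutObject call needs and enforces the SSE-C constraints from the notes
(HTTPS only, 256-bit key supplied on every request). The bucket name in the
default endpoint is a placeholder.
"""
import base64
import hashlib
from typing import Dict, Optional


def validate_sse_c(endpoint: str, customer_key: Optional[bytes]) -> Optional[str]:
    """Return why an SSE-C request is invalid, or None if it is acceptable."""
    if not endpoint.lower().startswith("https://"):
        # The raw key rides in the headers, so it must never cross plain HTTP.
        return "SSE-C requires the HTTPS endpoint"
    if customer_key is None or len(customer_key) != 32:
        return "SSE-C needs a 256-bit (32-byte) customer-provided key"
    return None


def sse_headers(
    mode: str,
    *,
    endpoint: str = "https://examplebucket.s3.amazonaws.com",  # placeholder bucket
    kms_key_id: Optional[str] = None,
    customer_key: Optional[bytes] = None,
) -> Dict[str, str]:
    """Headers for mode in {"SSE-S3", "SSE-KMS", "SSE-C", "CLIENT"}."""
    if mode == "SSE-S3":
        # Keys handled and managed by S3; AES-256 is the only algorithm.
        return {"x-amz-server-side-encryption": "AES256"}
    if mode == "SSE-KMS":
        headers = {"x-amz-server-side-encryption": "aws:kms"}
        if kms_key_id:
            # Name a specific KMS key; without it S3 uses the AWS managed key for S3.
            headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
        return headers
    if mode == "SSE-C":
        problem = validate_sse_c(endpoint, customer_key)
        if problem or customer_key is None:
            raise ValueError(problem)
        return {
            "x-amz-server-side-encryption-customer-algorithm": "AES256",
            # The key itself, base64-encoded, sent on every request; S3 does not store it.
            "x-amz-server-side-encryption-customer-key":
                base64.b64encode(customer_key).decode(),
            # MD5 of the raw key so S3 can detect a key corrupted in transit.
            "x-amz-server-side-encryption-customer-key-MD5":
                base64.b64encode(hashlib.md5(customer_key).digest()).decode(),
        }
    if mode == "CLIENT":
        # Client-side encryption: the object is already ciphertext when it
        # leaves the client, so no server-side encryption header is set.
        return {}
    raise ValueError(f"unknown encryption mode: {mode}")


def classify_sse(headers: Dict[str, str]) -> Optional[str]:
    """Inverse direction: which server-side option does a captured request use?
    None means S3 was not asked to encrypt (plain or client-side encrypted)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if "x-amz-server-side-encryption-customer-algorithm" in lowered:
        return "SSE-C"
    algorithm = lowered.get("x-amz-server-side-encryption")
    if algorithm == "AES256":
        return "SSE-S3"
    if algorithm == "aws:kms":
        return "SSE-KMS"
    return None
```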

PlAwAnSaI

Administrator

  • A database is running on an EC2 instance and its backup software needs block storage; an EBS Cold HDD volume is the lowest-cost option.
  • Amazon Simple Queue Service and Elastic Load Balancing help facilitate a loosely coupled architecture.
  • A website has a 99% performance SLA to respond to requests in under 1 second under both heavy and normal load. Distributing requests across 4 instances can handle this. To stay highly available at good value if one Availability Zone goes down, keep the same 4 instances but place them in 2 Availability Zones (the system may run in a degraded state).
    If fault tolerance is required, deploy 8 instances across 2 Availability Zones.
  • Planning to use CloudFormation with Linux EC2 instances in 2 Regions using the same Amazon Machine Image (AMI): do this by mapping the AMI, because AMI IDs differ between Regions.
  • The output of a Lambda function's print statements can be read in CloudWatch Logs.
  • An EC2 instance uses EBS to store its state, with an EBS snapshot taken daily. When the system fails, it is restored from the snapshot in 10 minutes.
    Recovery Time Objective (RTO) = 10 minutes, Recovery Point Objective (RPO) = 1 day
    https://monsterconnect.co.th/rpo-rto
  • Amazon S3 object storage differs from block and file storage:
    • S3 allows storing an unlimited number of objects
    • Objects are immutable - the only way to change a single byte is to replace the whole object
    • Objects are replicated across all Availability Zones within a single Region
  • Properties of Amazon EBS:
    • Stored data is automatically replicated within an Availability Zone
    • Data drives can be encrypted
  1. A company's website provides users with downloadable historical performance reports. The website needs a solution that will scale to meet the company's website demands globally. The solution should be cost-effective, limit the provisioning of infrastructure resources, and provide the fastest possible response time. A solution architect should recommend Amazon CloudFront and S3.
  2. A company is using AWS Key Management Service (AWS KMS) customer master keys (CMKs) to encrypt AWS Lambda environment variables. A solution architect needs to ensure that the required permissions are in place to decrypt and use the environment variables. To implement the correct permissions, the solution architect must add AWS KMS permissions in the Lambda execution role and function policy.
  3. A company operates a website on Amazon EC2 Linux instances. Some of the instances are failing. Troubleshooting points to insufficient swap space on the failed instances. The operations team lead needs a solution to monitor this. A solution architect should recommend Configure an Amazon CloudWatch SwapUsage metric dimension. Monitor the SwapUsage dimension in the EC2 metrics in CloudWatch.
  4. {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Sid": "1",
           "Effect": "Allow",    // Group members are allowed
           "Action": "ec2:*",    // Group members are permitted any other Amazon EC2 action
           "Resource": "*",
           "Condition": {
             "StringEquals": {
               "ec2:Region": "ap-southeast-1"    // permissions for / within the ap-southeast-1 Region
             }
           }
         },
         {
           "Sid": "2",
           "Effect": "Deny",
           "Action": [
             "ec2:StopInstances",       // the ec2 StopInstances
             "ec2:TerminateInstances"   // and ec2 TerminateInstances
           ],
           "Resource": "*",
           "Condition": {
             // denied unless the session was authenticated with multi-factor authentication (MFA);
             // BoolIfExists also denies requests that carry no MFA key at all (e.g. long-term access keys)
             "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
           }
         }
       ]
     }
  5. A company runs a web application that is backed by Amazon RDS. A new database administrator caused data loss by accidentally editing information in a database table. To help recover from this type of incident, the company wants the ability to restore the database to its state from 5 minutes before any change within the last 30 days. The solution architect should include the automated backups feature in the design.
  6. A bicycle sharing company is developing a multi-tier architecture to track the location of its bicycles during peak operating hours. The company wants to use these data points in its existing analytics platform. A solution architect must determine the most viable multi-tier option to support this architecture. The data points must be accessible from the REST API. Should Use Amazon API Gateway with Amazon Kinesis Data Analytics for storing and retrieving location data.
  7. A company has deployed a multiplayer game for mobile devices. The game requires live location tracking of players based on latitude and longtitude. The data store for the game must support rapid updates and retrieval of locations.
    The game uses an Amazon RDS for PostgreSQL DB instance with read replicas to store the location data. During peak usage periods, the database is unable to maintain the performance that is needed for reading and writing updates. The game's user base is increasing rapidly. Deploy an Amazon ElastiCache for Redis cluster in front of the existing DB instance. Modify the game to use Redis should a solution architect do to improve the performance of the data tier.
  8. A company has created an isolated backup of its environment in another Region. The application is running in warm standby mode and is fronted by an Application Load Balancer (ALB). The current failover process is manual and requires updating a DNS alias record to point to the secondary ALB in another Region. A solution architect should Enable an Amazon Route 53 health check to automate the failover process.
  9. A company's facility has badge readers at every entrance throughout the building. When badges are scanned, the readers send a message over HTTPS to indicate who attempted to access that particular entrance.
    A solution architect must design a system to process these messages from the sensors. The solution must be highly available, and the results must be made available for the company's security team to analyze. Create an HTTPS endpoint in Amazon API Gateway. Configure the API Gateway endpoint to invoke an AWS Lambda function to process the messages and save the results to an Amazon DynamoDB table system architecture should the solution architect recommend.
  10. A company operates a website on Amazon EC2 Linux instances. Some of the instances are failing. Troubleshooting points to insufficient swap space on the failed instances. The operations team lead needs a solution to monitor this. A solution architect should recommend Configure an Amazon CloudWatch SwapUsage metric dimension. Monitor the SwapUsage dimension in the EC2 metrics in CloudWatch.
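To see why the policy in item 4 lets group members stop or terminate instances only with MFA, the following added example (not code from the original post) evaluates it with a minimal IAM-style evaluator. It assumes the request context is a plain dict keyed by the condition keys the policy uses (`ec2:Region`, `aws:MultiFactorAuthPresent`) and implements only the operators this policy needs.

```python
"""Mini IAM policy evaluator for the ap-southeast-1 / MFA policy from item 4.
Added example (not from the original post): only the subset of IAM logic that
policy needs: wildcard Action match, StringEquals, BoolIfExists, Deny wins."""
import fnmatch
import json

# The policy from item 4, with a valid policy-language version string.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "1", "Effect": "Allow", "Action": "ec2:*", "Resource": "*",
     "Condition": {"StringEquals": {"ec2:Region": "ap-southeast-1"}}},
    {"Sid": "2", "Effect": "Deny",
     "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
     "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}
  ]
}""")

def _condition_matches(cond, ctx):
    """Evaluate a Condition block against the request-context keys in ctx."""
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            if operator == "StringEquals":
                if ctx.get(key) != expected:
                    return False
            elif operator == "BoolIfExists":
                # A missing key satisfies ...IfExists, so a request signed with
                # long-term access keys (no MFA key in context) hits the Deny.
                if key in ctx and str(ctx[key]).lower() != expected.lower():
                    return False
            else:
                raise ValueError(f"operator {operator} not implemented here")
    return True

def is_allowed(policy, action, ctx):
    """Return True only if some Allow statement matches and no Deny does."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny always wins
        allowed = True
    return allowed
```

Calling `is_allowed(POLICY, "ec2:StopInstances", {"ec2:Region": "ap-southeast-1"})` returns False (no MFA key in the context), while the same request with `"aws:MultiFactorAuthPresent": "true"` returns True; any action in another Region falls through to the implicit deny.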

PlAwAnSaI

Administrator

  • The MySQL, MariaDB, PostgreSQL, Oracle, SQL Server, and Aurora databases of Amazon Relational Database Service (Amazon RDS) support Read Replicas.
  • Amazon DynamoDB is best suited for non-relational databases.
  • Session state, shopping carts, and product catalogs are good candidates to store in a cache.
  • Amazon ElastiCache comes in 2 flavours: Memcached and Redis.
  • Auto Scaling, Elastic Load Balancer, and CloudWatch should be used together to enable automatic scaling of EC2 instances.

  • A Launch Configuration is the template that Auto Scaling uses to automatically launch fully configured instances.
  • A radio station runs a contest every day at noon. When it is announced, traffic spikes instantly, requiring 8 EC2 instances to handle the load, while normal periods require 2 EC2 instances. Create an Auto Scaling group with a minimum of 2 instances and schedule it to scale up at 11:40.
  • An application runs on EC2 instances in an Auto Scaling group. The application performs best on 9 EC2 instances and needs at least 6 running instances to maintain the minimum acceptable performance for short periods. Running 9 instances across 3 Availability Zones is the Auto Scaling group configuration that meets this requirement most cost-effectively.
  • Characteristics of the Auto Scaling service on AWS:
    • Responds to changing conditions by adding or terminating Amazon EC2 instances
    • Launches instances from a specified Amazon Machine Image (AMI)
    • Enforces a minimum number of running Amazon EC2 instances
  • A web application runs on 6 EC2 instances spread across 2 Availability Zones behind an ELB Classic Load Balancer, and the database is MySQL running on an EC2 instance. Application availability can be increased by launching the web EC2 instances in an Auto Scaling group and moving the database to a Multi-AZ RDS MySQL database instance.
  • The number of 404 errors that users see in a web application running on Amazon EC2 instances can be tracked by using CloudWatch Logs to collect the web server logs from the EC2 instances.
  • An application running on an EC2 instance needs to access an S3 bucket. Attach an IAM role to the EC2 instance with a policy that allows access to the S3 bucket so that the application can access the bucket securely.
  • An AWS administrator leaves the company today. The administrator had access to the root user and their own IAM user, and these accounts were used to create other IAM users and keys. The AWS infrastructure can be protected by changing the password and adding MFA for the root user, rotating the keys and changing the passwords of the other IAM users, and deleting the administrator's IAM user.
  1. A company operates a two-tier application for image processing. The application uses two Availability Zones, each with one public subnet and one private subnet. An Application Load Balancer (ALB) for the web tier uses the public subnets. Amazon EC2 instances for the application tier use the private subnets.
    Users report that the application is running more slowly than expected. A security audit of the web server log files shows that the application is receiving millions of illegitimate requests from a small number of IP addresses. A solution architect needs to resolve the immediate performance problem while the company investigates a more permanent solution. The solution architect should recommend modifying the network ACL for the web tier subnets and adding an inbound deny rule for the IP addresses that are consuming resources.
  2. A company's security team requests that network traffic be captured in VPC Flow Logs. The logs will be frequently accessed for 90 days and then accessed intermittently. A solution architect should use Amazon S3 as the target and enable an S3 Lifecycle policy to transition the logs to S3 Standard-Infrequent Access (S3 Standard-IA) after 90 days.
  3. A company recently started using Amazon Aurora as the data store for its global ecommerce application. When large reports are run, developers report that the ecommerce application is performing poorly. After reviewing metrics in Amazon CloudWatch, a solution architect finds that the ReadIOPS and CPUUtilization metrics are spiking when monthly reports run. Increasing the Provisioned IOPS on the Aurora instance is the MOST cost-effective solution.
  4. An application runs on Amazon EC2 instances across multiple Availability Zones. The instances run in an Amazon EC2 Auto Scaling group behind an Application Load Balancer. The application performs best when the CPU utilization of the EC2 instances is at or near 40%. A solution architect should use a target tracking policy to dynamically scale the Auto Scaling group to maintain the desired performance across all instances in the group.
  5. A company's legacy application is currently relying on a single-instance Amazon RDS MySQL database without encryption. Due to new compliance requirements, all existing and new data in this database must be encrypted. The solution architect should take a snapshot of the RDS instance, create an encrypted copy of the snapshot, and restore the RDS instance from the encrypted snapshot.
  6. An ecommerce company hosts its analytics application in the AWS Cloud. The application generates about 300 MB of data each month. The data is stored in JSON format. The company is evaluating a disaster recovery solution to back up the data. The data must be accessible in milliseconds if it is needed, and the data must be kept for 30 days. Amazon Elasticsearch Service (Amazon ES) meets these requirements MOST cost-effectively.
  7. A company has created an isolated backup of its environment in another Region. The application is running in warm standby mode and is fronted by an Application Load Balancer (ALB). The current failover process is manual and requires updating a DNS alias record to point to the secondary ALB in another Region. A solution architect should enable an Amazon Route 53 health check to automate the failover process.
  8. A company has two VPCs that are located in the ap-southeast-2 Region within the same AWS account. The company needs to allow network traffic between these VPCs. Approximately 500 GB of data transfer will occur between the VPCs each month. Setting up a VPC peering connection between the VPCs and updating the route tables of each VPC to use the VPC peering connection for inter-VPC communication is the MOST cost-effective solution to connect these VPCs.
  9. A company hosts its static website content from an Amazon S3 bucket in the ap-southeast-1 Region. Content is made available through an Amazon CloudFront origin pointing to that bucket. Cross-Region replication is set up to create a second copy of the bucket in the us-east-1 Region. Management wants a solution that provides greater availability for the website. To increase availability, a solution architect should configure failover routing in Amazon Route 53 and set up a CloudFront origin group with the ap-southeast-1 bucket as the primary and the us-east-1 bucket as the secondary.
  10. A company is developing a new online gaming application. The application will run on Amazon EC2 instances in multiple AWS Regions and will have a high number of globally distributed users. A solution architect must design the application to optimize network latency for the users. The solution architect should configure AWS Global Accelerator and create Regional endpoint groups in each Region where an EC2 fleet is hosted, and create a Content Delivery Network (CDN) by using Amazon CloudFront, enabling caching for static and dynamic content and specifying a high expiration period.