Questions and Answers
When using EC2 Instance Store, what is the primary risk developers must manage?
- High costs associated with persistent storage.
- Incompatibility with certain operating systems.
- Data loss if the EC2 instance is stopped or hardware fails. (correct)
- Network latency due to the distance to EBS.
An application requires a file system that can be simultaneously accessed by multiple EC2 instances across different Availability Zones. Which AWS storage solution is most suitable?
- Elastic File System (EFS) (correct)
- EC2 Instance Store
- EBS Multi-Attach
- EBS Volume
You need to archive EBS Snapshots for compliance reasons, but want to minimize costs. You plan to restore them only in disaster recovery scenarios. Which storage option is most suitable?
- Standard EBS volumes
- S3 Glacier Instant Retrieval
- EBS Snapshot Archive (correct)
- S3 Standard Infrequent Access (IA)
Your application experiences increased read requests. How can you reduce the load on a single RDS instance without modifying the application’s database connection logic?
Which of the following is NOT a benefit of using RDS Proxy?
Your application needs a caching solution to store frequently accessed data with high performance and support for complex data structures. Which AWS service best fits these requirements?
You want to ensure your DNS records automatically direct traffic away from unhealthy EC2 instances. Which Route 53 feature should you implement?
Which Route 53 routing policy allows you to send a percentage of your traffic to different resources?
Your application in a VPC needs to securely access S3 without traversing the public internet. What should you configure?
What is the purpose of a NAT Gateway in a private subnet?
You need to store frequently accessed data with low latency and high throughput. Which S3 storage class is most appropriate?
What feature allows S3 to automatically move objects between different storage tiers based on access patterns, optimizing storage costs?
How can you provide EC2 instances with temporary, limited-privilege access to AWS resources?
What type of data can be retrieved from EC2 Instance Metadata?
You want to automate the process of moving S3 objects to Glacier after 6 months of creation. What S3 feature should you use?
Which S3 feature allows you to retrieve specific parts of an object, improving performance for certain applications?
Which S3 encryption type requires you to manage the encryption keys outside of AWS?
How can you grant different applications different levels of access to objects within an S3 bucket, improving security and simplifying permission management?
You need to implement a CDN for your website to reduce latency for users worldwide. What AWS service should you use?
Your CloudFront distribution needs to restrict access to certain content based on user location. What feature should you use?
Which AWS service allows you to run containers without managing the underlying infrastructure?
What setting allows ECS tasks access to AWS resources?
Which Elastic Beanstalk deployment strategy minimizes downtime and immediately switches traffic to a new, fully provisioned environment?
For repeatable infrastructure deployments, which AWS service allows you to define and manage infrastructure as code?
In CloudFormation, what is the purpose of Intrinsic Functions?
A development team wants to asynchronously process messages between microservices. Considering decoupling and scalability, which AWS service is most suitable?
You need to send a single notification to multiple subscribers, including email, SMS, and SQS queues. Which AWS service should you use?
Your application needs to process a real-time stream of click events. Which AWS service is best suited for capturing, processing, and storing this data?
An application exhibits high latency and performance bottlenecks. Which AWS service should you use to identify performance issues and dependencies between components?
What logs all API calls made in your AWS account, providing an audit trail for security analysis and compliance?
What is the primary benefit of using AWS Lambda?
What is the purpose of Lambda Layers?
For AWS Lambda functions accessing resources inside a VPC, what configuration is necessary?
Which AWS service is a serverless, NoSQL database, ideal for applications requiring high scalability and low latency?
What feature allows you to improve DynamoDB read performance through the use of an in-memory cache?
Which AWS service is best suited for building a RESTful API?
How can you protect your API Gateway endpoints from excessive requests?
For building a CI/CD pipeline on AWS, which service allows you to define your build processes as code?
Which AWS service allows you to automate the deployment of applications to various targets, such as EC2 instances, Lambda functions, and on-premises servers?
When developing applications on AWS with a focus on mobile and web apps, which service provides a set of tools and services to simplify the development workflow?
IAM Roles specify a Trust Policy. What does the Trust Policy define?
Flashcards
What is EC2?
A web service that provides resizable compute capacity in the cloud; infrastructure as a service.
What is Elastic Block Storage (EBS)?
Network-attached block storage volumes for EC2 instances; a volume persists independently of the instance it is attached to.
What is an EBS Snapshot?
A backup copy of an EBS volume, stored in S3.
What is an Amazon Machine Image (AMI)?
What is EC2 Instance Store?
What is a GP2/GP3 EBS volume?
What is an IO1/IO2 EBS volume?
What is an SC1 EBS volume?
What is Elastic File System (EFS)?
What is Elastic Load Balancing (ELB)?
What is an Application Load Balancer?
What is a Network Load Balancer (NLB)?
What is a Gateway Load Balancer?
What is Auto Scaling (ASG)?
What is Relational Database Service (RDS)?
What are RDS Read Replicas?
What is Aurora?
What is RDS Proxy?
What is ElastiCache?
What is Route 53?
What are Route 53 Health Checks?
What is a VPC?
What is an Internet Gateway?
What is a NAT Gateway/NAT Instance?
What is a Network ACL (NACL)?
What is a Security Group?
What is VPC Peering?
What is Simple Storage Service (S3)?
What defines S3 buckets?
What is S3 Replication?
What is S3 Standard?
What is S3 Infrequent Access?
What is Glacier?
What is IAM?
What are Advanced S3 rules?
What is KMS?
What is SNS?
What is SQS?
What is Kinesis?
Study Notes
EC2 Fundamentals
- Elastic Compute Cloud (EC2) provides infrastructure as a service
- EC2 rents virtual machines; the surrounding services store data on network drives (EBS), distribute load (ELB), and scale capacity with demand (ASG)
EC2 Classes
- An instance type is defined by its instance family (class), its generation and its size
- In `m5.2xlarge`, `m` is the instance family, `5` is the generation, and `2xlarge` is the size
- General Purpose instances (e.g. the M and T families) balance compute, memory and networking and perform well across a variety of workloads
- Compute Optimized instances (the C family) are for compute-bound processing such as batch jobs, machine learning inference, media transcoding and game servers
- Memory Optimized instances (the R family) are for large datasets held in memory and in-memory databases; Storage Optimized instances (e.g. the I and D families) are for high sequential read/write on large local datasets
EC2 Instance Storage
- Elastic Block Store (EBS) attaches a network drive to an EC2 instance
- A volume can only be attached to one instance at a time (except with Multi-Attach, below)
- An EBS volume is bound to a single Availability Zone; to move it to another AZ, snapshot it and restore the snapshot there
- Snapshots are point-in-time backups of EBS volumes; detaching the volume first is recommended for consistency but not required, and snapshots can be copied across AZs and regions
- EBS Snapshot Archive is a cheaper storage tier for snapshots, but restoring from it takes 24-72 hours
- Fast Snapshot Restore pre-initializes volumes created from a snapshot so that the first read of every block has no latency (charged extra)
- The Recycle Bin for EBS snapshots sets retention rules that keep deleted snapshots recoverable for a chosen period, up to 1 year
- An Amazon Machine Image (AMI) is a customized instance image: software and configuration are pre-installed, so boot is faster; an AMI is built in one region and can be copied to other regions
- EC2 Instance Store is storage on physical disks attached to the host, which gives higher I/O performance than EBS
- Instance Store is non-persistent (ephemeral): its data is lost when the instance is stopped or terminated
- Instance Store suits buffers, caches and scratch data; data is also lost if the hardware fails, so backups and replication are the developer's responsibility
- General Purpose SSD volumes (GP2/GP3) balance price and performance
- Provisioned IOPS SSD volumes (IO1/IO2) give the highest performance for mission-critical, latency-sensitive workloads
- Low-cost HDD volumes (ST1 throughput-optimized, SC1 cold) are for less frequently accessed data
- Only General Purpose SSD and Provisioned IOPS SSD volumes can be used as boot volumes
- EBS Multi-Attach attaches the same IO1/IO2 volume to up to 16 EC2 instances in the same AZ; the application must use a cluster-aware file system
- Elastic File System (EFS) is a network file system that can be mounted by many EC2 instances across Availability Zones (AZs)
EBS vs EFS
| EBS | EFS | Instance Store |
|---|---|---|
| Attaches to one instance (except IO1/IO2 Multi-Attach) | More expensive | Physically attached to the host |
| Locked to an AZ | NFS mount shared by instances in multiple AZs | Data lost when the instance stops |
| IO scales with volume size (GP2) | | |
| IO can be set independently of size (GP3) | | |
| Can migrate AZ via snapshot | | |
| Root volume deleted with the instance by default | | |
- EFS uses NFS and is only compatible with Linux-based AMIs (not Windows)
ELB and ASG
- Elastic Load Balancer (ELB) distributes incoming application traffic across targets
- ELB comes in four types: Classic Load Balancer, Application Load Balancer, Network Load Balancer and Gateway Load Balancer
- Classic Load Balancer (deprecated) supports HTTP(S), TCP and SSL
- Application Load Balancer (Layer 7) supports HTTP(S) and WebSocket
- Network Load Balancer (Layer 4) supports TCP, UDP and TLS
- Gateway Load Balancer works at Layer 3 on IP packets
Application Load Balancer
- Application Load Balancer (ALB) balances Layer 7 HTTP traffic across machines or containers
- ALB supports HTTP/2 and WebSocket and can redirect HTTP to HTTPS
- ALB routes on URL path, hostname, query string and headers, which suits microservices and containers in ECS
- ALB target groups can contain EC2 instances, ECS tasks, Lambda functions and IP addresses
- ALB terminates the client connection, so targets see the ALB's IP; the client IP, protocol and port are passed in the `X-Forwarded-For`, `X-Forwarded-Proto` and `X-Forwarded-Port` headers. Targets should trust these headers only on traffic that arrived through the load balancer, since a client can set them too
Network Load Balancer
- Network Load Balancer (NLB) balances TCP and UDP traffic with higher performance and lower latency than ALB
- NLB has one static IP per Availability Zone (an Elastic IP can be assigned) and targets EC2 instances, private IPs and ALBs
- Health checks support the TCP, HTTP and HTTPS protocols
- Sticky sessions send the same client to the same backend
Gateway Load Balancer
- Gateway Load Balancer (GWLB) fronts third-party virtual appliances such as firewalls, intrusion detection/prevention systems and deep packet inspection, acting as a transparent gateway at the IP layer
- The appliances in the GWLB target group (EC2 instances or private IPs) can inspect, drop or modify traffic; packets are forwarded to them encapsulated with the GENEVE protocol on port 6081
Cross Zone Load balancing
- Cross-Zone Load Balancing distributes traffic evenly across all registered instances in all AZs, rather than evenly across the AZs themselves (on by default for ALB, off by default for NLB and GWLB)
Server Name Indication
- Server Name Indication (SNI) lets one load balancer serve multiple TLS certificates: the client names the target hostname in the TLS handshake and the matching certificate is returned (supported by ALB and NLB, not by the Classic Load Balancer)
Connection Draining
- Connection draining (called deregistration delay on ALB/NLB) gives in-flight requests time to complete before an instance is deregistered or taken out of service after failing health checks
Auto Scaling Groups
- Auto Scaling Groups (ASG) scale capacity out and in with demand and replace unhealthy instances
- An ASG registers its instances with the load balancer automatically; a launch template defines the AMI, instance type, EBS volumes, SSH key pair and security groups, and the group sets minimum size, maximum size, desired (initial) capacity and scaling policies
Scaling Policies
- Dynamic scaling: target tracking keeps a metric at a target value (e.g. average CPU 40%); simple/step scaling reacts to CloudWatch alarms
- Scheduled scaling anticipates known usage patterns; predictive scaling forecasts load and scales ahead of it
RDS ElastiCache Aurora
- Relational Database Service (RDS) supports PostgreSQL, MySQL, MariaDB, Microsoft SQL Server, Oracle, IBM Db2 and Aurora
- RDS is a managed service: automated patching, automated backups with point-in-time restore, monitoring dashboards, read replicas, Multi-AZ and storage scaling
- RDS gives no SSH access to the underlying host
- RDS supports up to 15 read replicas, within an AZ, across AZs or across regions; replication is asynchronous, and cross-region replicas incur network charges
- RDS Multi-AZ is for disaster recovery: a synchronous standby in another AZ behind a single DNS name with automatic failover (it is not a read-scaling feature)
- Aurora is a high-performance PostgreSQL- and MySQL-compatible engine (plus Aurora DSQL) that keeps 6 copies of the data across 3 AZs
- Aurora stripes storage across hundreds of volumes, fails over in under 30 seconds, exposes a writer endpoint and a load-balanced reader endpoint, and encrypts data at rest (KMS) and in transit
RDS Proxy
- RDS Proxy pools and shares database connections on behalf of applications
- RDS Proxy is serverless, highly available and auto-scaling, and reduces RDS and Aurora failover time by up to 66%; it can also enforce IAM authentication and keeps the database credentials in Secrets Manager
- ElastiCache is managed Redis and Memcached
- Redis offers Multi-AZ with automatic failover, read replicas, backup and restore, and data structures such as sets and sorted sets
- Memcached is a sharded, multi-node architecture with no high availability, no persistence and no backup/restore
- Lazy loading (cache-aside) reads the cache first; on a miss it reads the database and writes the result into the cache, so only requested data is cached but stale data can be served
- Write-through writes to the cache whenever the database is updated, so the cache is always current, at the cost of a write penalty and of caching data that is never read
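The two caching strategies side by side, as an added example that is not part of the original notes. A dict stands in for the ElastiCache cluster and another dict for the RDS table; the clock is injectable so TTL expiry can be shown without sleeping, and all keys and values are constructed.

```python
"""Lazy loading (cache-aside) versus write-through, as an added example.
A dict stands in for ElastiCache and another dict for the database; the
clock is injectable so TTL expiry can be shown without sleeping."""
import time


class FakeClock:
    """Constructed clock so the example and its checks never have to sleep."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LazyLoadCache:
    """Cache-aside: read the cache first; on a miss, read the DB and fill the cache."""

    def __init__(self, db, ttl_seconds=60, clock=time.monotonic):
        self.db = db                    # stand-in for the relational database
        self.ttl = ttl_seconds
        self.clock = clock
        self.store = {}                 # key -> (value, expiry timestamp)
        self.db_reads = 0               # counts round trips to the database

    def get(self, key):
        entry = self.store.get(key)
        if entry is not None and entry[1] > self.clock():
            return entry[0]             # cache hit
        self.db_reads += 1
        value = self.db.get(key)        # cache miss: go to the database
        if value is not None:           # misses for absent keys are not cached here
            self.store[key] = (value, self.clock() + self.ttl)
        return value

    def invalidate(self, key):
        """What the application must do after writing the DB directly,
        otherwise readers keep seeing the stale value until the TTL expires."""
        self.store.pop(key, None)


class WriteThroughCache(LazyLoadCache):
    """Every write goes to the DB and the cache together, so the cache is never stale
    for data written through it (reads of unseen keys still fall back to lazy loading)."""

    def update(self, key, value):
        self.db[key] = value
        self.store[key] = (value, self.clock() + self.ttl)
```

With lazy loading, a write that bypasses the cache leaves a stale entry until either the TTL expires or the writer invalidates the key; with write-through the entry is refreshed by the write itself, and no database read is needed afterwards.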
Amazon MemoryDB
- Amazon MemoryDB for Redis is a Redis-compatible, durable in-memory database with ultra-fast performance
- To encrypt an existing unencrypted RDS database, take a snapshot, copy the snapshot with encryption enabled, and restore the encrypted copy
Route 53
- Amazon Route 53 is a highly available, scalable, managed Domain Name System (DNS) service that also provides health checks and domain registration
- Hosted Zones hold the records that route traffic for a domain and its subdomains
- Record types include A (IPv4 address), AAAA (IPv6 address), CNAME (hostname to hostname; cannot be used at the zone apex) and NS (name servers); an Alias record can point the apex, e.g. `example.com`, at an AWS resource such as an ALB hostname
- Routing policies include Simple, Weighted, Latency-based, Failover, Geolocation, Geoproximity, IP-based and Multivalue
- Simple routing returns a single resource
- Weighted routing controls the percentage of requests sent to each of several records of the same name and type
- Latency-based routing sends clients to the resource with the lowest measured latency
- Route 53 health checks enable automatic failover by withdrawing unhealthy endpoints from DNS answers
- An endpoint health check can search the first 5,120 bytes of the response for a string; calculated health checks combine child checks with AND, OR and NOT
- A CloudWatch alarm can also back a health check, which is how private resources inside a VPC are monitored, since the health checkers run on the public internet
- Failover routing returns the secondary record when the primary's health check fails (e.g. its EC2 instance goes down)
- Geolocation routing returns specific records per user location, with a default record for everything else
- Geoproximity routing routes by the geographic distance between users and resources, with a bias to attract more or less traffic to a given resource
- Bias expands or shrinks the geographic area a resource serves; IP-based routing maps client CIDR ranges to specific resources
- Multivalue answer routing returns up to eight healthy records for the client to choose from; Traffic Flow is a visual editor for managing complex routing configurations
VPC
- Virtual Private Cloud (VPC) is a private network in which AWS resources are deployed; subnets partition it into public and private ranges, each subnet belongs to one AZ, and route tables define where each subnet's traffic can go
- Network Address Translation (NAT) lets instances in private subnets reach the Internet; Network Access Control Lists (NACLs) are firewalls that control traffic to and from a subnet
- VPC endpoints connect to AWS services over the private AWS network instead of the public internet, which improves security and latency
- A subnet is tied to one AZ and represents a network partition
- An Internet Gateway provides internet access at the VPC level; a NAT Gateway (or a self-managed NAT instance) gives private subnets outbound internet access
- A NACL is a stateless firewall with separate inbound and outbound rules evaluated in number order; a Security Group is a stateful firewall at the instance (ENI) level, so return traffic for an allowed connection is permitted automatically
- VPC Peering connects two VPCs whose CIDR ranges do not overlap; peering is not transitive
- VPC Flow Logs capture metadata about IP traffic at the VPC, subnet or ENI level; Site-to-Site VPN creates an encrypted tunnel over the internet between a VPC and an on-premises network
- Direct Connect establishes a dedicated physical connection from an on-premises data center to AWS
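The stateless/stateful distinction is the one that bites in practice: a NACL that allows inbound 443 still drops the instance's outbound package download replies unless the ephemeral port range is opened inbound, while a security group tracks the connection and lets the reply through. The following is an added example, not part of the original notes; the rules, addresses and packets are constructed and nothing here calls AWS. It models only TCP/UDP port rules, first-match ordering for NACLs, and connection tracking for security groups.

```python
"""Stateless NACL versus stateful security group (added example, constructed data)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    number: int          # NACL rules are evaluated in ascending order; first match wins
    action: str          # "allow" or "deny" (security group rules are allow-only)
    cidr: str            # remote CIDR the rule applies to
    port_from: int       # destination port range on the receiving side
    port_to: int
    proto: str = "tcp"


def rule_matches(rule, remote_ip, dst_port, proto):
    return (rule.proto in (proto, "all")
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr)
            and rule.port_from <= dst_port <= rule.port_to)


def nacl_allows(rules, pkt, direction):
    """Stateless: each packet is judged on its own. 'in' = entering the subnet,
    'out' = leaving it. There is no memory of earlier packets, so the reply to an
    allowed connection needs its own rule covering the ephemeral port range."""
    remote = pkt.src_ip if direction == "in" else pkt.dst_ip
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, remote, pkt.dst_port, pkt.proto):
            return rule.action == "allow"
    return False                       # the implicit "*" deny at the end of every NACL


class SecurityGroup:
    """Stateful: inbound allow rules plus connection tracking. Egress is allow-all,
    the default for a newly created security group."""

    def __init__(self, inbound_rules):
        self.inbound = inbound_rules
        self.flows = set()             # (remote_ip, remote_port, local_ip, local_port, proto)

    def allows_out(self, pkt):
        self.flows.add((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        return True

    def allows_in(self, pkt):
        # A reply to a flow the instance opened is allowed regardless of inbound rules
        if (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto) in self.flows:
            return True
        if any(rule_matches(r, pkt.src_ip, pkt.dst_port, pkt.proto) for r in self.inbound):
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
            return True
        return False


def demo():
    """Web server 10.0.1.10 (constructed) in a subnet whose NACL allows inbound 443
    and outbound 443 plus the ephemeral range, but has no inbound ephemeral rule."""
    nacl_in = [Rule(90, "deny", "203.0.113.0/24", 443, 443),      # blocklisted network
               Rule(100, "allow", "0.0.0.0/0", 443, 443)]
    nacl_out = [Rule(100, "allow", "0.0.0.0/0", 443, 443),
                Rule(110, "allow", "0.0.0.0/0", 1024, 65535)]
    sg = SecurityGroup([Rule(0, "allow", "0.0.0.0/0", 443, 443)])

    client_syn = Packet("198.51.100.7", 51000, "10.0.1.10", 443)
    client_reply = Packet("10.0.1.10", 443, "198.51.100.7", 51000)
    blocked_syn = Packet("203.0.113.5", 51000, "10.0.1.10", 443)
    update_syn = Packet("10.0.1.10", 40000, "192.0.2.20", 443)     # instance calls a package mirror
    update_reply = Packet("192.0.2.20", 443, "10.0.1.10", 40000)
    return {
        "client_in_nacl": nacl_allows(nacl_in, client_syn, "in"),        # True: rule 100
        "client_in_sg": sg.allows_in(client_syn),                         # True: inbound 443 rule
        "client_reply_nacl": nacl_allows(nacl_out, client_reply, "out"),  # True: rule 110 (ephemeral)
        "client_reply_sg": sg.allows_out(client_reply),                   # True: egress allow-all
        "blocked_in_nacl": nacl_allows(nacl_in, blocked_syn, "in"),       # False: deny 90 beats allow 100
        "update_out_nacl": nacl_allows(nacl_out, update_syn, "out"),      # True: rule 100
        "update_out_sg": sg.allows_out(update_syn),                       # True
        "update_reply_nacl": nacl_allows(nacl_in, update_reply, "in"),    # False: no inbound ephemeral rule
        "update_reply_sg": sg.allows_in(update_reply),                    # True: tracked flow
    }
```

The `update_reply_nacl` result is the classic misconfiguration: the NACL is correct for inbound web traffic but silently breaks anything the instance initiates, and the fix is an inbound allow for the ephemeral range (1024-65535) scoped as tightly as the outbound destinations permit.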
S3 Intro
- Simple Storage Service (S3) is object storage with effectively unlimited capacity; buckets live in a region, but bucket names must be globally unique across all regions
- Files are stored as objects identified by a key, which is the full path within the bucket (e.g. `s3://my-bucket/file_1.txt`); the maximum object size is 5 TB
- Uploads larger than 5 GB must use multi-part upload; a pre-signed URL embeds a signature and an expiry in the query string, so whoever holds it can GET or PUT that one object with the signer's permissions without holding AWS credentials
- S3 Replication comes as Cross-Region Replication (CRR) and Same-Region Replication (SRR); both require versioning on source and destination, and only objects written after replication is enabled are replicated, with existing objects handled by S3 Batch Replication
- Delete markers are not replicated by default (it is an optional setting), and deletions of a specific object version are never replicated
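What a pre-signed URL actually contains, as an added example that is not part of the original notes. It builds a GET URL with SigV4 query-string signing, written from the public SigV4 specification rather than taken from boto3 (whose `generate_presigned_url` produces the same shape of URL), and a `verify_presigned` function shows what the service checks on the receiving side: the signature recomputed with the secret, plus the expiry window. The bucket name, credentials, region and object key are constructed placeholders.

```python
"""S3 pre-signed GET URL via SigV4 query-string signing (added example, constructed inputs)."""
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlparse

ALGO = "AWS4-HMAC-SHA256"


def utc(year, month, day, hour=0, minute=0, second=0):
    return dt.datetime(year, month, day, hour, minute, second, tzinfo=dt.timezone.utc)


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret, date_stamp, region, service="s3"):
    # Derived per day/region/service so the long-term secret never signs a request directly
    k = _hmac(("AWS4" + secret).encode(), date_stamp)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def _canonical_query(params):
    enc = lambda s: quote(s, safe="-_.~")        # only RFC 3986 unreserved characters stay raw
    return "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))


def _signature(host, path, params, secret, region):
    """Signature over the canonical request; params must not contain X-Amz-Signature."""
    date_stamp = params["X-Amz-Date"][:8]
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    canonical_request = "\n".join([
        "GET", path, _canonical_query(params),
        f"host:{host}\n",                        # canonical headers, each terminated by \n
        "host",                                  # signed headers
        "UNSIGNED-PAYLOAD",                      # body hash is unknown for a pre-signed GET
    ])
    string_to_sign = "\n".join([
        ALGO, params["X-Amz-Date"], scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    return hmac.new(_signing_key(secret, date_stamp, region),
                    string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_get(bucket, key, access_key, secret, region, now, expires=3600, session_token=None):
    """Return a URL that lets its holder GET one object until now + expires seconds."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    path = "/" + quote(key, safe="/-_.~")
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    params = {
        "X-Amz-Algorithm": ALGO,
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:                            # needed when signing with temporary credentials
        params["X-Amz-Security-Token"] = session_token
    params["X-Amz-Signature"] = _signature(host, path, params, secret, region)
    return f"https://{host}{path}?{_canonical_query(params)}"


def verify_presigned(url, secret, now):
    """Recompute the signature and check the expiry window, as the service does."""
    u = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(u.query, keep_blank_values=True).items()}
    given = params.pop("X-Amz-Signature", "")
    region = params["X-Amz-Credential"].split("/")[2]
    expected = _signature(u.netloc, u.path, params, secret, region)
    signed_at = dt.datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    in_window = signed_at <= now <= signed_at + dt.timedelta(seconds=int(params["X-Amz-Expires"]))
    return hmac.compare_digest(expected, given) and in_window
```

Two operational caveats follow from the structure: the signature covers the host, path and every query parameter, so changing the key in the URL invalidates it, but anyone who obtains the URL has the access until expiry, so keep `expires` short and keep the URLs out of logs; and a URL signed with temporary credentials (an instance role, an assumed role) stops working when those credentials expire, whatever `X-Amz-Expires` says.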
S3 Storage Classes
- S3 Standard offers 99.99% availability (and eleven nines of durability) for frequently accessed data with low latency and high throughput
- S3 Infrequent Access costs less to store but charges per retrieval and is still rapid: S3 Standard-IA keeps data in at least 3 AZs, while S3 One Zone-IA keeps it in a single AZ at about 20% lower cost
- Glacier storage classes are low-cost archive storage for backups, with separate storage and retrieval pricing
- Glacier Instant Retrieval retrieves in milliseconds and has a 90-day minimum storage duration
- Glacier Flexible Retrieval offers Expedited (1-5 minutes), Standard (3-5 hours) and Bulk (5-12 hours) retrieval, with a 90-day minimum storage duration
- Glacier Deep Archive retrieves in 12 hours (Standard) to 48 hours (Bulk) and has a 180-day minimum storage duration
- Intelligent-Tiering moves objects between access tiers automatically for a small monthly monitoring fee, with no retrieval fees
AWS CLI SDK IAM Roles Policies
- An EC2 instance can query its own metadata (at the link-local address 169.254.169.254) for its IAM role name and temporary credentials, dynamic data such as IP addresses, and the user-data launch script
- Metadata access is not controlled by IAM policy, so anything running on the instance, including an SSRF bug in your web app, can reach it; IMDSv2 requires a PUT to `/latest/api/token` that returns a session token with a time-to-live of up to 6 hours, which must then be sent on every GET. Enforce IMDSv2 on your instances to blunt credential theft through SSRF
- MFA in the CLI: `aws sts get-session-token --serial-number <mfa-device-arn> --token-code <code>` returns temporary credentials that are then used for subsequent calls
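The IMDSv2 session-token flow end to end, as an added example that is not part of the original notes. A local mock of the metadata service (constructed; it implements only the two paths used here and behaves as an instance with tokens required) stands in for `http://169.254.169.254` so the example runs offline; the client functions are what you would point at the real endpoint. The role name and the credential values it returns are constructed.

```python
"""IMDSv2 token flow against a constructed local mock of the metadata service."""
import json
import secrets
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
MAX_TTL = 21600                                  # 6 hours, the IMDSv2 maximum
ROLE = "app-role"                                # constructed role name


class MockIMDS(BaseHTTPRequestHandler):
    """Mock with HttpTokens=required semantics: no valid token, no data."""
    tokens = {}                                  # token -> expiry (monotonic seconds)

    def log_message(self, *args):                # keep the output quiet
        pass

    def do_PUT(self):
        ttl = self.headers.get(TTL_HEADER, "")
        if self.path != "/latest/api/token" or not ttl.isdigit() or not 1 <= int(ttl) <= MAX_TTL:
            return self._reply(400, b"bad request")
        token = secrets.token_urlsafe(32)
        MockIMDS.tokens[token] = time.monotonic() + int(ttl)
        self._reply(200, token.encode())

    def do_GET(self):
        token = self.headers.get(TOKEN_HEADER)
        if MockIMDS.tokens.get(token, 0) < time.monotonic():
            return self._reply(401, b"unauthorized")   # missing, unknown or expired token
        if self.path == "/latest/meta-data/iam/security-credentials/":
            return self._reply(200, ROLE.encode())
        if self.path == f"/latest/meta-data/iam/security-credentials/{ROLE}":
            creds = {"AccessKeyId": "ASIACONSTRUCTED", "SecretAccessKey": "constructed",
                     "Token": "constructed-session-token", "Expiration": "2030-01-01T00:00:00Z"}
            return self._reply(200, json.dumps(creds).encode())
        self._reply(404, b"not found")

    def _reply(self, code, body):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_mock():
    server = HTTPServer(("127.0.0.1", 0), MockIMDS)   # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def request_token(base_url, ttl=300):
    """Step 1 of IMDSv2: a PUT carrying the TTL header. Returns (status, token)."""
    req = Request(f"{base_url}/latest/api/token", method="PUT", headers={TTL_HEADER: str(ttl)})
    try:
        with urlopen(req, timeout=2) as resp:
            return resp.getcode(), resp.read().decode()
    except HTTPError as err:
        return err.code, ""


def get_metadata(base_url, path, token=None):
    """Step 2: a GET that presents the token. Returns (status, body)."""
    headers =  {TOKEN_HEADER: token} if token else {}
    try:
        with urlopen(Request(f"{base_url}/latest/meta-data/{path}", headers=headers), timeout=2) as resp:
            return resp.getcode(), resp.read().decode()
    except HTTPError as err:
        return err.code, ""


def fetch_role_credentials(base_url):
    """What the SDK does on an instance: token, then role name, then that role's credentials."""
    _, token = request_token(base_url)
    _, role = get_metadata(base_url, "iam/security-credentials/", token)
    status, body = get_metadata(base_url, f"iam/security-credentials/{role}", token)
    return json.loads(body) if status == 200 else None


def demo():
    server, base = start_mock()
    try:
        return {
            "no_token": get_metadata(base, "iam/security-credentials/")[0],   # 401: IMDSv1-style GET refused
            "bad_ttl": request_token(base, ttl=MAX_TTL + 1)[0],               # 400: TTL above 6 hours
            "creds": fetch_role_credentials(base),
        }
    finally:
        server.shutdown()
```

The PUT-before-GET dance is what defeats the common SSRF: most SSRF primitives can only issue a GET with attacker-chosen URL, not a PUT with a custom header. On a real instance enforce it with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1`; the hop limit of 1 additionally stops the token response from crossing a NAT hop such as a container bridge.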
Advanced Amazon S3
- S3 Lifecycle rules transition objects between storage classes automatically, e.g. to Standard-IA 60 days after creation and then to Glacier after 6 months
- S3 Expiration rules delete objects after a time period (a time-to-live) and can be scoped by prefix or object tags
- S3 Event Notifications fire on object created, removed and restored events; the SQS queue, SNS topic or Lambda function needs a resource policy that lets S3 publish to it, and notifications can be filtered by object name prefix and suffix
- S3 Event Notifications can also be sent to EventBridge for richer filtering and more destinations
- S3 performance: 100-200 ms to first byte, and at least 3,500 PUT/COPY/POST/DELETE and 5,500 GET/HEAD requests per second per prefix
- Multi-part upload is recommended for files over 100 MB and mandatory for files over 5 GB
- S3 Transfer Acceleration uploads to the nearest AWS edge location, which forwards the data to the bucket over the AWS private network; gains range from 50% to 500% depending on distance
- S3 Byte-Range Fetch retrieves parts of an object in parallel to speed up downloads, or fetches only the part that is needed
- S3 Select and Glacier Select run SQL against a single CSV, JSON or Parquet object server-side, so that only the matching rows and columns are returned and less data is transferred
Amazon S3 Security
- SSE-S3: keys are handled, managed and owned by AWS; objects are encrypted server-side with AES-256, requested with the header `x-amz-server-side-encryption: AES256`
- SSE-KMS: keys are KMS keys, so every use is audit-logged in CloudTrail; header `x-amz-server-side-encryption: aws:kms`; each upload and download calls KMS and counts against the KMS request quota (S3 Bucket Keys reduce those calls)
- SSE-C: you manage the key outside AWS and supply it in request headers over HTTPS on every request; AWS uses it to encrypt or decrypt the object and never stores it
- Client-side encryption: data is encrypted before upload and decrypted after download, so AWS never sees plaintext or keys
- S3 Server Access Logs are written to another bucket in the same region; never log into the bucket being logged, or the logs will loop
- S3 Access Points give each application its own endpoint with its own policy, simplifying permission management; an access point can be restricted to a VPC, in which case a VPC endpoint to the bucket is also needed
- S3 Object Lambda puts a Lambda function behind an Object Lambda access point so that an object is transformed on retrieval, for example to redact information
CloudFront
- CloudFront is a global content delivery network (CDN) with hundreds of points of presence and built-in DDoS protection (Shield)
- CloudFront origins can be S3 buckets, secured with Origin Access Control (OAC) so the bucket is reachable only through the distribution, or custom HTTP origins such as an ALB, EC2 instances or S3 website endpoints
- CloudFront caches at edge locations; a Cache Policy defines what forms the cache key, and an Origin Request Policy defines which headers, cookies and query strings are passed to the origin without being part of the key
- CloudFront geo restriction allows or blocks requests by the country of the client IP, using a third-party GeoIP database

| CloudFront | S3 Cross-Region Replication |
|---|---|
| Uses the global edge network | Manual setup per region |
| Cached at edge locations with a TTL | Files updated in near real time |
| Great for static content | Read-only replicas |
| | Great for dynamic content |

- CloudFront can include or exclude HTTP headers, cookies and query strings from the cache key
- Cache policies are applied per path pattern (cache behavior)
- For an EC2 or ALB origin, the edge location must be able to reach it: the EC2 instance must be public with a security group that allows the CloudFront IP ranges, or the ALB must be public (the EC2 instances behind it can stay private)
- Access to content can be restricted to specific users: signed URLs grant access to a single file and signed cookies to multiple files, both with a configurable expiry and an optional IP allow-list
Advanced CloudFront
- CloudFront price classes trade coverage for cost: Price Class All (every edge location), Price Class 200 (excludes the most expensive regions) and Price Class 100 (the least expensive: USA, Canada, Europe and Israel)
- Origin Groups define a primary and a failover origin with failover criteria (origin status codes) for high availability
- Field-level encryption encrypts sensitive form fields at the edge with a public key, so they travel encrypted through CloudFront and can be decrypted only at the origin (e.g. on EC2) that holds the private key
- Real-time logs send request data to a Kinesis Data Stream with a configurable sampling rate and set of fields; Kinesis Data Firehose can then deliver the logs to an S3 bucket
ECS, ECR and Fargate
- Elastic Container Service (ECS) runs containers as ECS Tasks on an ECS Cluster
- ECS runs on Fargate (serverless, pay-as-you-go compute with nothing to manage) or on EC2 (you choose the instance types and manage capacity)
- ECS Tasks run under an IAM Task Role that grants the containers permission to call AWS services; use a separate role per task definition for least privilege
- ECS Tasks are defined in a Task Definition
- The EC2 Instance Profile is used by the ECS agent itself (pulling images, pushing logs), not by the application containers
- An ELB can front ECS Tasks, using dynamic port mapping
- EFS volumes can be mounted into ECS Tasks, so storage can be shared across tasks and AZs
- S3 cannot be mounted as a file system
- AWS Copilot is a CLI to build, release and operate containerized apps
- ECS Service Auto Scaling scales on CPU, memory or ALB request count per target, using Target Tracking (CloudWatch metric), Step Scaling (CloudWatch alarm) or Scheduled Scaling
Example Architectures
- An upload to an S3 bucket emits an event to Amazon EventBridge, which runs an ECS Task; the task fetches the object from S3 via the API and saves the result in a database
- Amazon EventBridge runs an ECS task on a schedule (e.g. every hour)
- An ECS Task polls SQS for messages, with the service auto-scaled on queue size
- Placement strategies: Binpack places tasks to leave the least CPU and memory free on each instance, reducing fragmentation and cost; Random places tasks randomly; Spread places them evenly across a value such as AZ
- To push to ECR, authenticate Docker first: `aws ecr get-login-password --region eu-west-1 | docker login --username AWS --password-stdin <aws_account_id>.dkr.ecr.eu-west-1.amazonaws.com`
EKS
- Node groups come in two types: Managed Node Groups, where EKS creates and manages the EC2 nodes for you as part of an Auto Scaling Group, and Self-Managed Nodes, where you create the EC2 nodes yourself and can use a prebuilt (EKS-optimized) AMI
- AWS Fargate runs the pods with no nodes to manage at all
- For persistent volumes, specify a StorageClass manifest
- Storage is provided through a Container Storage Interface (CSI) driver
- Supported backends: EBS, EFS, FSx for Lustre and FSx for NetApp ONTAP
Elastic Beanstalk
- The EB CLI gives developers a dev-centric way to deploy all of an application's infrastructure: `eb create`, `eb status`, `eb open`, `eb deploy`, `eb terminate`
Deployment Strategies
- All at once: fastest, but with downtime
- Rolling: updates the instances in batches, so capacity is reduced while a batch is being replaced
- Rolling with additional batch: a batch of new EC2 instances is launched first, so capacity is never reduced
- Immutable: deploys onto new instances in a temporary group and swaps them in, giving zero downtime and easy rollback
- Blue/Green: deploy to a new environment and switch traffic by swapping the environment URLs (CNAME swap)
- After an EB environment is created, its load balancer type cannot and should not be changed; to change it, create a new environment by copying the configuration. Do not let EB provision the RDS instance, because it would then be tied to the environment's lifecycle and deleted with it; create the database outside the environment and reference it
Cloudformation
- A declarative way to describe an infrastructure stack of AWS resources in a template (YAML or JSON)
- The infrastructure is code that can be version controlled
- Repeatable environments: templates are uploaded to S3, edited with Application Composer or any editor, and deployed through the console or the AWS CLI
Parameters/ Intrinsic Functions
- `Fn::Ref` (`!Ref` in YAML) returns a parameter's value or the physical ID of a resource
- `Fn::GetAtt` returns an attribute of a resource
- `Fn::FindInMap` looks up a value in the Mappings section, e.g. `!FindInMap [MapName, !Ref "AWS::Region", Key]`
- `Fn::ImportValue` imports a value exported by another stack's Outputs
- Conditions such as `!Equals [!Ref EnvType, "prod"]` are used with `!If` to choose between values
- Rollbacks: if a resource cannot be created, stack creation fails and everything is rolled back (deleted) by default; a failed update rolls back to the previous state. Rollback can be disabled so the failed stack is kept for debugging, and a stuck update can be continued once the problem is fixed
- Capabilities: `CAPABILITY_IAM` or `CAPABILITY_NAMED_IAM` must be supplied when the template creates or modifies IAM resources
- DeletionPolicy controls what happens to a resource when the stack is deleted: Delete (the default), Retain, or Snapshot for resources that support it
- A stack policy is a JSON document that defines which resources may and may not be updated during a stack update, protecting critical resources
Custom Resource
- Custom resources (backed by Lambda or SNS) create resources that CloudFormation does not support natively, or run scripts outside CloudFormation
CDK
- Cloud Development Kit (CDK) defines cloud infrastructure as code in a programming language (TypeScript, Python, Java and others); `cdk synth` compiles it into a CloudFormation template and `cdk deploy` provisions the stack through CloudFormation
Amplify
- Amplify builds and deploys web and mobile apps: it provisions backend services (authentication, API, storage) and hosts the frontend, working with the common web and mobile frameworks
Cognito
- Cognito User Pools are a serverless user directory for sign-up and sign-in: the username is unique and the other attributes are configurable, custom domains are supported, Lambda triggers run on events such as sign-up, and adaptive authentication can require MFA or block sign-in when account activity looks unusual
- Cognito Identity Pools exchange federated identities (user pool, social or SAML logins) for temporary AWS credentials so that clients can call AWS APIs directly with scoped permissions
- EventBridge can be triggered by Cognito actions
Step Functions
- Standard workflows are long-running and auditable, up to a year
- Express workflows run for up to 5 minutes; synchronous Express workflows return the result to the caller, asynchronous ones do not wait for it
AppSync
- AppSync is a managed GraphQL service: resolvers run queries and mutations against data sources such as DynamoDB, Lambda and HTTP endpoints, and subscriptions push real-time updates to clients
- Authorization can use API keys, IAM, Cognito User Pools or OpenID Connect
Advanced Identity
- S3 authorization is the union of the principal's IAM policies and the bucket policy: an explicit Deny in either wins, otherwise any Allow grants access, and the default is deny
- Policy variables such as `${aws:username}` let one policy be attached to many users and resolved per principal
- A role's Trust Policy defines which principals may assume it; `iam:PassRole` controls which roles a user may pass to a service, and a role can only be passed where its trust policy allows
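The evaluation order in executable form, as an added example that is not part of the original notes. It applies the rule stated above: an explicit Deny in any applicable policy wins, otherwise any Allow in the identity policy or the bucket policy grants access (same-account principal), otherwise the request is denied by default. The policies, principal and ARNs are constructed; real IAM also evaluates SCPs, permission boundaries, session policies and Condition blocks, none of which are modelled here.

```python
"""Simplified IAM authorization for S3 requests (added example, constructed policies)."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, principal):
    # Only resource-based policies (the bucket policy) carry a Principal element;
    # an identity policy applies to whichever identity it is attached to.
    if "Principal" not in stmt:
        return True
    spec = stmt["Principal"]
    allowed = ["*"] if spec == "*" else _as_list(spec.get("AWS", []))
    return any(p == "*" or p == principal for p in allowed)


def _statement_matches(stmt, principal, action, resource, context):
    if not _principal_matches(stmt, principal):
        return False
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    if not any(fnmatchcase(action.lower(), pattern) for pattern in actions):   # s3:Get* style wildcards
        return False
    username = context.get("aws:username", "")        # only this policy variable is modelled
    resources = [r.replace("${aws:username}", username) for r in _as_list(stmt.get("Resource", []))]
    return any(fnmatchcase(resource, pattern) for pattern in resources)


def is_authorized(principal, action, resource, identity_policy, bucket_policy, context=None):
    """True if the union of the two policies allows the request."""
    context = context or {}
    allowed = False
    for policy in (identity_policy, bucket_policy):
        for stmt in _as_list(policy.get("Statement", [])):
            if _statement_matches(stmt, principal, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return False                      # explicit deny always wins
                allowed = True
    return allowed                                    # no matching Allow: implicit deny
```

Because the Deny check returns immediately while Allow only sets a flag, a bucket-policy Deny on a `secrets/` prefix holds even against an identity policy granting `s3:*` on `*`, which is exactly the guarantee a security reviewer relies on when adding guard-rail Deny statements.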
Directory Service
- AWS Directory Service provides AWS Managed Microsoft AD (a managed Active Directory that can establish a trust with an on-premises AD) and AD Connector (a proxy to an on-premises AD), so private or public-facing workloads can use existing AD logins
AWS Security
- KMS keys are regional; every use of a key is logged in CloudTrail, and automatic key rotation can be enabled
- To copy an encrypted snapshot to another region, re-encrypt it with a KMS key in the target region (at a cost); KMS never exports key material, so AWS always performs the cryptographic operations on your behalf
- A key policy defines which users and roles may administer and use each key; KMS API calls are rate-limited per region, so do not make a KMS call for every record
- Use envelope encryption: call GenerateDataKey to obtain a data encryption key (DEK) once, encrypt the data locally with the DEK, store the encrypted DEK next to the data, and call KMS only to decrypt the DEK; the AWS Encryption SDK does this for you and keeps load off the KMS API, including from Lambda
- S3 Bucket Keys reduce the cost of SSE-KMS by using one bucket-level key instead of a KMS request per object