3. [H] AWS Fundamentals

Questions and Answers

An organization requires a storage solution that can integrate with various AWS services for both input and output, providing scalable and economical storage. Which AWS service should they consider as their default choice?

• Amazon S3 (Simple Storage Service) (correct)
• Amazon EFS (Elastic File System)
• Amazon EBS (Elastic Block Store)
• Amazon EC2 Instance Store

A company desires to implement a solution utilizing AWS CloudFormation to automate the creation, updating, and deletion of their AWS infrastructure. They require a clear method to define and manage the ordering and presentation of input parameters within the AWS console. What section would be most appropriate in the CloudFormation template?

• Outputs
• Resources
• Metadata (correct)
• Parameters

An application hosted in AWS consists of multiple EC2 instances behind a load balancer and stores its static assets in an S3 bucket. There is a sudden surge in user traffic, causing high CPU utilization on the EC2 instances and increased latency for users accessing the application. Which of the following strategies should be implemented to ensure high availability and optimal performance during peak traffic?

• Migrate the application to a different AWS region with more available resources.
• Enable cross-region replication for the S3 bucket and manually add more EC2 instances behind the load balancer.
• Scale up the EC2 instances to larger instance types and increase IOPS for the S3 bucket.
• Implement auto-scaling for the EC2 instances and utilize CloudFront for caching the static assets in the S3 bucket. (correct)

A solutions architect is designing a system on AWS that requires a subset of resources within a VPC to be accessible directly from the public internet, while ensuring that the majority of resources remain isolated. What architectural pattern should the architect implement to meet these requirements?

Create public and private subnets within a single VPC, using a NAT Gateway for outbound internet access from the private subnet and an Internet Gateway for the public subnet. (D)

A financial firm is designing its AWS infrastructure to comply with strict regulatory requirements that mandate complete geopolitical separation and governance control over their data and applications. How should they configure their AWS environment to meet these requirements?

Deploy resources across multiple AWS Regions, ensuring each Region is located in a different country with distinct governance laws. (A)

An organization is using Amazon S3 to store large media files. They want to ensure that access to these files is highly available, even during peak usage, and that the files are delivered with low latency to users located around the world. Which solution would best meet these requirements?

Implement Amazon CloudFront to cache S3 content and use S3 Cross-Region Replication for disaster recovery. (C)

A web application hosted on EC2 instances within a VPC requires access to both public AWS services and resources in a peered VPC. How should you configure the network to ensure secure and efficient connectivity?

Use a NAT Gateway in the public subnet of the application's VPC and a VPC peering connection to the peered VPC. (A)

A company runs a critical application on AWS that requires immediate failover in the event of a disaster. They need to ensure minimal downtime and data loss. Which disaster recovery strategy aligns with these requirements?

Multi-Site (Active-Active) (A)

An organization wants to use CloudWatch to monitor the CPU utilization of their EC2 instances. They need to collect detailed metrics that are not available by default. What steps should they take to collect and view these custom metrics?

Install the CloudWatch Agent on the EC2 instances and configure it to push custom metrics to CloudWatch. (B)

A company has chosen Infrastructure as a Service (IaaS) as their cloud service model. According to the AWS Shared Responsibility Model, which of the following responsibilities falls on the customer?

Patching and securing the guest operating system on EC2 instances (D)

An architect needs to design an authentication system for accessing EC2 instances running Linux in a private subnet. The solution should be secure and follow AWS best practices. What approach should the architect implement?

Configure IAM roles for EC2 instances and use AWS Systems Manager Session Manager for secure shell access. (B)

A company wants to migrate their on-premises database to AWS while ensuring high availability and read scalability. Which AWS services and configurations should they use?

Amazon RDS with a Multi-AZ deployment and read replicas. (A)

A solutions architect is designing a DNS solution using Amazon Route 53 for a global web application. The application needs to direct users to different endpoints based on their geographic location, ensuring minimal latency and optimal user experience. Which Route 53 routing policy should the architect use?

Geolocation Routing Policy (C)

An organization uses a CloudFormation template to deploy their infrastructure. They want to ensure that a newly created EC2 instance always uses the most current Amazon Machine Image (AMI) for security and compliance reasons. How can they achieve this using CloudFormation?

Use a CloudFormation mapping to look up the AMI ID dynamically based on the region and instance type. (C)

A development team is launching a new application on AWS and wants to automate infrastructure provisioning using infrastructure as code. Which of the following services should be considered?

AWS CloudFormation (D)

When designing a solution that requires private and public AWS services, what networking architecture should be implemented?

Utilize a combination of public and private subnets for accessing different resources. (B)

An organization is deploying resources in AWS and requires that the services are accessible only from within their VPC, ensuring no exposure to the public internet. Which AWS service characteristic is the MOST important consideration for achieving this?

Networking configuration of the service. (A)

A startup company is building its infrastructure on AWS and aims to minimize initial costs while still ensuring high availability for their web application. They are considering deploying all resources within a single AWS Region. Which factors are MOST critical in assessing the appropriateness of this single-region design?

The risk of correlated failures across Availability Zones within the Region. (A)

A global media company wants to ensure their content delivery service can withstand simultaneous failures in multiple AWS regions without any service interruption. Which AWS service characteristic is MOST crucial for achieving this goal?

Globally resilient architecture. (D)

A financial institution is migrating its trading platform to AWS and requires the highest possible level of resilience. They plan to distribute their application across multiple AWS regions. What is the MOST critical factor they must consider when selecting the regions?

The network latency between the selected regions. (D)

When designing a custom VPC, what is the MOST important consideration regarding its CIDR block?

Ensuring it does not overlap with any existing CIDR blocks, including those in peered VPCs or on-premises networks. (D)

A software development company uses custom VPCs in each of its AWS accounts. They use AWS Resource Access Manager(RAM) to share resources. What is the MOST significant implication for network management?

They are responsible for managing the network configuration, including routing and security, across all accounts involved in their applications. (A)

An organization’s security policy mandates that all VPC traffic must be inspected for malicious content. Which strategy provides the MOST effective and scalable solution?

Implementing a centralized inspection VPC with AWS Network Firewall to inspect all inbound and outbound traffic. (A)

A gaming company is designing its infrastructure to support millions of concurrent players. The game servers are deployed in multiple AWS regions to minimize latency for players worldwide. Which of the following configurations is MOST effective for directing players to the nearest available game server?

Using Amazon Route 53 with a geolocation routing policy to direct players to the closest region. (A)

A media company is distributing large video files globally using Amazon S3. They want to ensure that users experience the lowest possible latency when downloading these files. Which strategy is MOST effective for achieving this?

Using Amazon CloudFront to cache the video files at edge locations around the world. (B)

An organization is using CloudWatch to monitor the CPU utilization of their EC2 instances. They notice that the default CloudWatch metrics do not provide sufficient granularity for their needs. Which combination of steps should they take to collect and view additional metrics?

Install the CloudWatch agent on the EC2 instances, configure custom metrics, and create custom dashboards in CloudWatch. (A)

A security-conscious firm requires detailed auditing of all API calls made within their AWS environment, including the identity of the caller, the time of the call, and the resources accessed. Further, they must retain these logs for at least ten years to comply with regulatory requirements. What is the MOST appropriate approach to meet these requirements?

Enabling AWS CloudTrail, configuring a multi-region trail, storing logs in an S3 bucket with object lifecycle policies, and enabling S3 Object Lock for compliance. (D)

An organization is deploying a new application on AWS that requires high availability and fault tolerance. They plan to distribute their application across multiple Availability Zones within a single AWS Region. Which of the following AWS services is MOST crucial for achieving this goal?

Elastic Load Balancer (ELB) for distributing traffic across multiple Availability Zones. (D)

A development team is deploying a new microservices-based application on AWS. Each microservice needs to be deployed in a separate container and scaled independently. Which of the following AWS services would BEST facilitate this architecture?

Amazon EC2 Container Service (ECS) or Amazon Elastic Kubernetes Service (EKS). (D)

A large enterprise requires a hybrid cloud architecture where their on-premises data center is seamlessly connected to their AWS environment. They need to ensure that the connection is secure, reliable, and provides consistent network performance. Which of the following AWS services would BEST meet these requirements?

AWS Direct Connect with dedicated network connections. (C)

An organization wants to use CloudFormation to deploy resources in multiple AWS accounts and regions. They need to ensure that the deployments are consistent and follow a defined governance model. What approach should they implement?

Use CloudFormation StackSets to deploy stacks across multiple accounts and regions. (D)

Which feature of CloudFormation allows you to control the order in which input parameters are presented to a user when launching a stack through the AWS Management Console?

Metadata. (C)

A financial firm is deploying a sensitive application on AWS and must comply with regulations that require complete isolation of their data and applications from other customers. Which architectural decision is MOST important for ensuring this isolation?

Using dedicated hardware, such as Dedicated Hosts or Dedicated Instances. (A)

An organization is adopting a multi-account AWS environment and wants to implement a centralized billing and governance strategy. Which AWS service is MOST suitable for managing multiple AWS accounts and consolidating billing?

AWS Organizations. (C)

A company wants to automate the process of creating AMIs (Amazon Machine Images) for their EC2 instances. They need to ensure that the AMIs are up-to-date with the latest security patches and software updates. Which AWS service would BEST facilitate this?

EC2 Image Builder. (A)

A company wants to implement a robust disaster recovery strategy for their critical applications running on AWS. They require minimal downtime and data loss in the event of a disaster. Which strategy should be implemented?

Multi-Site (Active-Active). (B)

A global e-commerce company wants to use Route 53 to route users to different versions of their website based on their web browser. Users with older browsers should be directed to a simplified version of the site, while users with modern browsers should be directed to the full version. Which routing should you use?

Weighted Routing Policies. (D)

A company has an application hosted on EC2 instances behind a load balancer. They want to implement a mechanism to automatically scale the number of EC2 instances based on the incoming traffic. Which AWS service should they use?

Amazon EC2 Auto Scaling. (A)

How can you minimize costs for an EC2 instance?

Terminating the instance. (C)

A solutions team is developing a system that will have users who need 1000 buckets, what is the way to avoid a hard limit to get to this amount?

Adding users, which has potentially thousands of users, what you can do is take a single bucket and divide it up using prefixes, so those folders that aren't really folders. And then in that way you can have multiple users using one bucket. (C)

An admin is about to change DNS records. What should they do before they actually change the records out?

Changing the TTL values. (B)

Are CNAME's useful for pointing to where a user is going?

This is correct, because if the IP version four address of the server changes, it's just the single record to update the A record, because the three CNAMEs reference that A record, they'll automatically get updated. (C)

What is the TXT(Text) record type used for?

For proving ownership, or can be used to fight spam, so you can add certain information to a domain indicating which entities are authorized to send email on your behalf. (D)

In terms of metrics, what is used to store data in CloudWatch?

Datapoints. (C)

What is the CloudWatch namespace for?

All others are true. (C)

What happens to an AZ in a region fails for any reason in terms of Regionally Resilient Services?

The service can continue operating. (D)

If you select an AWS Region, what does this mean for storing your companies data?

You can select a region, and by doing so, you have geopolitical or governance separation. (C)

What's the point of 'high availability' over 'fault tolerance'?

All of the above. (D)

Fill in the blank: Disaster ___________ is used when Fault-Tolerant methods fail.

Recovery. (B)

An EC2 instance is stopped, although, things are slightly different. What are you not charged?

CPU or Memory costs. (C)

Which of the following is required as the foundation configuration for many AWS tools and services for creating secure and functional architectures?

VPCs. (D)

What are your responsibilities for a IaaS environment?

You manage the operating system, any containers, any runtimes, the data on the instance, the application, and any ways in which it interfaces with its customers. (A)

You are designing a web application that will be hosted on EC2 instances within an AWS VPC. The application requires access to a set of sensitive configuration parameters, such as database passwords. What is a secure and scalable way to manage these parameters?

Store the parameters in AWS Systems Manager Parameter Store and grant the EC2 instances access via IAM roles. (D)

When setting up a VPC, what should you keep in mind about CIDR blocks?

It does not overlap, this allows proper communication. (C)

A financial services company is implementing security measures for their AWS environment. To adhere to compliance and auditing standards, they must ensure immutability of their AWS CloudTrail logs. What specific configuration will accomplish this?

Enable S3 Object Lock on the S3 bucket storing CloudTrail logs. (D)

What is the MOST accurate description of the difference between public and private AWS services from a networking perspective?

Public services are accessible via public endpoints, while private services are accessed within a VPC or its connections. (A)

When considering AWS Regions, what is the MOST significant difference between interacting with a global service like IAM and a regional service like EC2?

Global services do not require region selection, while regional services require explicit region selection during interaction. (A)

An organization is architecting an application that requires the lowest possible latency for users worldwide. How should they BEST leverage AWS Regions and edge locations to achieve this?

Deploy the application in multiple AWS Regions and use Route 53 latency-based routing to direct users to the Region with the lowest latency. (D)

What is the PRIMARY distinction between Availability Zones (AZs) regarding their physical construction?

AZs can consist of one or more data centers, but the exact composition is not exposed to AWS customers. (C)

An organization requires its AWS environment to have an audit trail that meets specific regulatory standards, including tracking user identity, time of API calls, and accessed resources. Logs need to be retained immutably for at least seven years. Which combination of AWS services and functionalities BEST achieves this?

Enable AWS CloudTrail with S3 bucket delivery, use S3 object lock in governance mode for log immutability, and configure lifecycle policies for cost-effective storage. (D)

When designing a multi-account AWS environment with centralized billing and governance, what is the strategic advantage of using AWS Organizations in conjunction with service control policies (SCPs)?

To restrict the AWS services and actions that users and roles can perform in member accounts, enforcing organizational compliance and security policies. (D)

What is the MOST important reason an organization should ensure immutability for its AWS CloudTrail logs?

To prevent accidental deletion or modification of logs, ensuring a reliable audit trail for compliance and security investigations. (C)

If an organization is designing an application using EC2 instances in a custom VPC with a mix of public and private subnets, what is the MOST effective approach to allow instances in the private subnet access to the internet for software updates while minimizing security risks.

Configure a NAT Gateway in the public subnet and route traffic from the private subnet through it. (A)

Which AWS service is the MOST suitable storage option for hosting static web content, including HTML, CSS, JavaScript, images, and videos, ensuring high availability and scalability with low latency for users worldwide?

Simple Storage Service (S3) coupled with CloudFront (A)

An organization wants to migrate some workloads to the cloud but needs to continue to host some applications within there existing private network, what would you recommend they use as a core component for creating a hybrid environment?

Direct Connect Gateway (DXGW) in conjunction with Virtual Private Cloud (VPC) (D)

An AWS security engineer must ensure that only properly configured EC2 instances can communicate with one another over the network. Which of the following configurations offers the MOST granular and dynamic approach to achieve this?

Security Groups (C)

What does it mean when there is a globally unique naming scope constraint that apply to an AWS service, like S3?

The name chosen for an object must be unique among all existing objects in AWS, regardless of the AWS account or AWS Region. (A)

When thinking about CloudWatch namespacing, what things can be said about them?

AWS data goes into AWS / then the function name. (D)

What best exemplifies implementing compute 'high availability'?

Maximizing runtime with automatic recovery. (C)

When discussing EC2 and the difference between the stopped and terminated states, what can be said is the result regarding payments?

Stopping an instance will bill for EBS storage. Terminating removes all resources. (B)

In the context of the AWS Shared Responsibility Model, what is a KEY distinction in security responsibilities when using EC2 compared to RDS?

With EC2, the customer is responsible for OS configuration and patching, while with RDS, AWS manages OS-level tasks. (D)

When designing an infrastructure that relies heavily on S3, as a Solutions Architect, how to handle a client that wants more than 1000 buckets?

Use prefixes to create data separation. (D)

When setting and configuring a Public Hosted Zone, what can you say is true about them?

The name servers live logically on the AWS public zone. (D)

When handling AWS DNS, what should you do if a migration will happen?

It would be advisable to make sure to set the caching as low as possible before to avoid issues. (C)

When automating AWS infrastructure, what is the role of CloudFormation stacks?

Stacks create logical resources. (C)

Flashcards

AWS Public Service

Accessed with public endpoints over the internet.

AWS Private Service

Runs within a Virtual Private Cloud (VPC).

Networking in AWS Services

Networking parameter concerned with whether a service is accessed using public endpoints or runs within a VPC.

Internet Gateway (IGW) in VPCs

Allows private zone resources to access the public Internet; Crucially: data communicates via the Public zone.

AWS Region

The full deployment of AWS infrastructure in a selected geographic area.

AWS Edge Location

Smaller than regions, mainly for content distribution and edge computing.

Region Specific AWS services

Interact with a service that specific region.

Geographic Separation of AWS Regions

Isolated and separate geographically, a disaster in one should not affect another.

Geopolitical Separation of AWS Regions

Affected by the laws and regulations of the region it's located in.

Location Control via AWS Regions

Place infrastructure close to customers for performance.

Referring to an AWS Region

Use the Region Code or the Region Name.

Availability Zone (AZ)

Lower-level, isolated construct within a region with its own compute, storage, networking, and power.

Localized Failure Scope

Isolated issues like power outage, gas explosion.

Availabilty Zone Data Centers

Logical component inside AWS, can consist of one or more data centers, connected with high speed networks.

Resilience Levels

Globally resilient, region-resilient, AZ-resilient.

Globally Resilient AWS Service

Globally with a single database, data replicated actoss multiple AWS regions.

Region Resilient AWS Service

Operate in single region with one set of data per region, can continue if an AZ fails.

AZ Resilient AWS Service

A service run from a single availability zone, if the AZ service will fail. Service is prone to failure.

VPC (Virtual Private Cloud)

A virtual network inside AWS. Regional service made of of multiple AZ's.

VPC Scope

VPC is within an AWS Account and one region.

VPC Isolation

Available by default, can communicate only with other the same, isolated from internet. Can configure otherwise.

Two Types of VPCS

Two types: there can only be one per region, and custom VPCs.

Custom VPCs

Configure as you want while following AWS VPC, 100 percent private by default.

Default VPCs

They come preconfigured, Networking config is handled by AWS, Less flexible

VPC Configuration

Regionally resilient; operates in one region over multiple availability zones.

VPC CIDR

Unique assigned IP range inside VPC, if configured, can communicate in/out of VPC.

VPC Subnet

Smaller range within a VPC that resides in a single availability zone.

Subnet IPs and Resiliency

Default VPC subnets are given the range of IP Address and define the start end which any private services will use.

Facts of default VPC

Exists: 1, removable. Predicatable CIDR. Pre Configured: IGW, security, IPs

EC2 (Elastic Compute Cloud)

AWS service to provision and get access to Virtual machines known as EC2 instances.

EC2 Private Service

Private and run by default in AWS private Zone. When launching set any access.

EC2 State and Charges

EC2, what is what determines charge by compute, memory, and if stopped they charge storage.

AMI (Amazon Machine Image)

Image of an C2 Instance, from which to create from.

Connecting to EC2 Instance.

Remote Desktop Protocol, windows access on port 3398/ linux SSH protocol port 22

Cloudwatch (CW)

Collects and manages operational data like metrics logs. Alerts.

Cloud Watch Metrics.

AWS Services, Apps On Prem - Can Install an Agent.

Cloudwatch Logs

Allows the collection monitoring of logs by AWS, Custom Logs outside AWS require agent instillation

CloudWatch Events.

Generate event/perform based on service, maybe ec2 instances what can preform actions like start/Stop

Cloud Watch Architecture

Data injection to Cloud watch and is managed in logs where a metric is very soon, is three types.

What Name Space.

Used for container data / Way keep from messy from areas

Metric a Collection of Data - Datapoint

The structure of the Datapoint which is time order, you can have CPU utilization, network out/in, disk utilization they all be metric.

Dimentions

Name: Instance, Value: Instance ID = seperation of the EC2

Alarms

Created, Linked -> Metric

Shared Responsibility

Responsibility in cloud, responsible for security in cloud.

High - Availability

Guarantee level of a optimal preform, a higher then normal

Fault- Tolerance

Continue operating while the present and fixed means through failure with no impact.

Disaster - Recovery

Tools and processing to recovery and keep vital what follows a human endused designer.

Route 53

Route 53 manage system DNS product

Domain Register - Relationship.

Where DNS allows registries that with all allow top name like .com files

Host Zone

Put zone all managed.

Host Zone (Public)

All data accessible all can access this location and is public and not private by linked to one and accesible what type.

Name Server.

Record with types what Delegation and Allow allow DNS ocours.

A Record AND aaa

Address version, to record names to IP.

Cannical Naming / DNS ShortCut

CName records /Creates shorty cut of the DNS

MX Record

The email and with that works internet , what know what serve is email too from,.

TXT Record /

Alot record arbitrary. Used is domain ownership and is to find to spam.

Study Notes

AWS Public vs Private Services

• AWS services have two main categories which are public and private services
• The terms AWS public and private services are related to networking only
• Public services are accessed using public endpoints including S3, simple storage service
• S3 is accessible from anywhere with an internet connection
• Private AWS services reside within a VPC (Virtual Private Cloud)
• Only resources within the VPC or connected to it can access private services
• Both public and private services involve permissions and networking for access control
• In public cloud environments there are two network types which are internet, and private networks
• AWS has private zones known as Virtual Private Clouds (VPCs)
• VPCs are isolated; unable to communicate unless configured
• Private networks cannot be reached from the the internet and must be configured for access
• Services like EC2 instances can be placed in VPCs
• When accessing AWS public services with a public internet connection, communication uses the public internet to transit to and from the AWS public zone
• Private networks can connect via configuration with VPNs or Direct Connect
• Attaching an internet gateway to a VPC provides private zone resources access to the public internet if the EC2 instance is assigned a public IP address
• Data communicates with the public service via the AWS public zone and does not touch the public internet

AWS Global Infrastructure

• AWS is built as a global cloud platform which is really a collection of infrastructure groups which are connected using a global highspeed network
• Solutions architects can use this to design resilient, highly available systems
• Infrastructure components include AWS regions, edge locations, and availability zones
• Regions are geographic areas selected by AWS that contain full deployments of AWS infrastructure which have compute, storage, database products and AI analytics
• Regions are all geographically separate so they can withstand global disasters
• Interacting with most AWS services means interacting with that service inside a specific region
• Amazon's Elastic Compute Cloud in Northern Virginia is separate from Elastic Compute Cloud in Sydney
• AWS also provides edge locations in areas where deploying regions is not possible
• Edge locations are smaller, contain content distribution services and some edge computing, and there are more of them than regions
• Regions and edge locations are commonly used by a solutions architect in a system
• Regions are where infrastructure runs while content can be stored in the many edge locations to be delivered at higher speeds
• It is possible to visualize the global AWS network on the AWS website
• The AWS console presents regions and with EC2, users must select a region
• Global services like IAM or Route 53, do not require this region selection
• Regions are separated geographically and are isolated fault domains which means disaster in one region does not affect others
• Benefits of regions include that the country the region is located in has geopolitical or governance separation
• You can choose a region that conforms to your political system or governance
• If data is placed in one region, AWS guarantees it will not leave without your configuration
• This allows you to place data in the region where your audience lives
• Regions provide location control so you can locate infrastructure closer to customers
• Regions are not the only level of granularity available for solutions architects, there are others within regions

Regions and AZs

• Each region has a region code and region name
• Sydney's region code is ap-southeast-2 and its region name is Asia Pacific Sydney
• Region provide resilience and if infrastructure in the Sydney region fails the mirror won't be affected in North Virginia
• Every region comes with multiple availability zones (AZs) which could be 2, 3, 4, 5, or even 6
• Sydney has three availability zones ap-southeast-2a, 2b, and 2c
• Availability zones give you isolated infrastructure inside a region
• They are isolated compute, storage, networking, power and facilities within a region
• You can design solutions across multiple Availability Zones for resilience
• Virtual private cloud, or VPC, can work across multiple AZs for resilience
• Globally resilient services are relatively few inside AWS
• A globally resilient service operates globally with a single database and data replicates across multiple regions allowing the service to keep running
• Examples of globally resilient services are IAM and Route 53 where you don't have to select a region and tolerate failure of multiple regions
• Region resilient services are services that operate in a single region with one set of data per region where databases could exist
• They often replicate data to multiple availability zones allowing the service to keep running if an AZ fails
• AZ resilient services are run from a single availability zone and will fail if that AZ fails

AWS Default Virtual Private Cloud (VPC)

• A virtual private cloud (VPC) is a private network inside AWS used to connect AWS private networks or connect AWS private networks to your on-premises networks
• A VPC is within a single AWS account and region
• VPCs are private and isolated by default unless you decide otherwise
• They are also regionally resilient and operate from multiple availability zones
• VPCs by default are private and isolated including from the public AWS zone and internet
• There are two VPC types which are default and custom where there is a maximum of one default VPC per region
• Custom VPCs are custom and offer the ability to configure them as long as the rules and limits of VPCs are followed
• Also, they require end-to-end configuration and are 100% private by default
• They are used for serious AWS deployments where specific configurations are used; they can be configured in numerous forms; and linked to other VPCs, cloud platforms, and on-premises networks
• Unlike custom VPCs, AWS creates default VPCs with one per region
• They are pre-configured in a specific that AWS handles but they are less flexible as a result
• VPCs are created within an AWS account specifically that a region can have multiple custom VPCs inside where VPCs must be configured for communication outside the private network
• Every VPC has an allocated IP address range known as a VPC CIDR
• Everything within a VPC uses the CIDR range of that VPC, from which all connections will originate
• Custom VPCs can have multiple CIDR ranges while default VPCs only have one that is 172.31.0.0/16
• VPCs subdivide into subnets which are short for subnetworks, where every subnet resides in a single availability zone
• Default VPCs are pre-configured to have one subnet in every availability zone in the region
• Each subnet uses part of the VPC's CIDR range that must not overlap
• VPCs are resilient by deploying into a region and breaking down into subnets and if the availability zone containing the subnet it also fails but other subnets in other availability zones will operate normally
• Default VPC facts include there only being one per region that can be removed and recreated and that default VPC CIDR is always 172.31.0.0/16
• Subnets contain a /20 in every AZ and there is an internet gateway and security group and provides public IPv4 addresses
• Because services assume the default VPC is always there, leaving the default VPCs is a best practice as long as they are not used for anything production related

Elastic Compute Cloud (EC2) Basics

• EC2 provides virtual machines known as EC2 instances
• EC2 is a service that uses Instances as its base component
• It runs in the AWS private zone running, by default in VPC subnets
• EC2 instance launches must have configured public access that its VPC can support
• launching an instance in a specific availability zone makes EC2 AZ resilient
• CPU, Memory Disk and Networking define the EC2 instance
• You should only be charged for resources that are used while the instance is operational
• Instances use several storage types (the Elastic Block Store)
• EC2 instances have a defined lifecycle and go through states known as running, stopped, and terminated where you are charged for a running instance
• Terminated instances do not incur charges but are a non-recoverable action
• The only way to ensure no future EC2 costs is to terminate the instance and delete local resources
• An Amazon Machine Image (AMI) is an image of an EC2 instance used to create EC2 instances like a server image used to create virtual machines
• AMIs have attached permissions that control which accounts can use the AMI
• An AMI can be set as public for everyone, private for the owner, or explicit for specific AWS accounts
• AMIs include the boot volume of the instance(C: Drive) to store the OS
• Block Mapping Device configures links the volumes to create an instance and how they interface with the operating system

Connecting to EC2

• To connect to launched e2 instances, you must know that EC2 instances can run different operating systems like Linux and Windows
• Windows instances connect using RDP port 3389 while Linux Instances Use SSH protocol which runs on 22
• Linux instances authenticate to the instance using SSH key pairs
• SSH key pairs come in two parts with 1 private that you download once when creating the instance
• And the Public component which is kept safe in AWS to authenticate
• In Windows, use the private key to access the administrator password using remote desktop protocol

Simple Storage Service (S3) Basics

• S3 is a global storage platform that is regional and based-resilient
• It is a public service and can accept unlimited data for multiple users, and is economical and can be accessed via UI/CLI/API/HTTP
• S3 can store Objects and Buckets
• Runs from all AWS regions; can be accessed anywhere with internet
• Its regional based data is stored in specific AWS region at rest
• S3 is regionally resilient and meaning data is replicated across availability zones in that region so it tolerates failure of an AZ with ability to replicate data between them
• AWS Users select a region when you create an S3 bucket
• S3 is the default starting point, unless your requirement isn't delivered by S3 and you can cope with unlimited data amounts
• Objects are data that resides in an S3 bucket
• An Object contains an object key (filename) identifying object in a bucket where bucket and key uniquely access the object
• An object value is the value of objects which varies in size zero bytes up to five terabytes in size
• Objects also have a version ID, metadata, access control, as well as resources
• Buckets must be created in a specific AWS regions which affects data sovereignty, and also provides blast radius of failure for an error
• Bucket names must be globally unique across all regions and accounts of AWS, no IAM user can be called the same name across multiple AWS buckets
• Buckets can hold unlimited number of objects and objects themselves range from zero to five terabytes of size which essentially means unlimited bytes can be stored making it infinitely scalable
• S3 buckets have no complex structure as the system is flat and all objects reside at the same level, despite emulated file system appearances implemented with "/" characters as folder and file names
• Common S3 problems include AWS tricks questions, where it tests knowledge when you try to create a bucket a lot of the time, because somebody else already has that bucket name
• S3 buckets also have name length restrictions, lowercase restrictions, and period or ip formatting restrictions that must be followed
• bucket have a soft limit of 100 and a hard limit, So you can increase all the way up to this hard limit using support requests. And this hard limit is 1000

S3 Patterns and Anti-Patterns

• Don’t use bucket per user for data retention because it violates limitations on bucket availability and potentially thousands of system requests

• If your system needs bucket use prefixes or those folders that aren't really folders so there is multiple user in a one bucket

• Zero to infinite objects with 0 bytes to 5 tbs

• Remeber the key a objects

• You don't have to remember now

• S3 should be your default thought for any of things

• and for offloading things

• The 2 components are key an value and you don't have to remember them now this worth noting down an make it flaschcards and use them later in your studies

• S3 object store- it’s not

• file

• Block

• Great for large scale data storage or Distribution

• you can't mount data

• it is for large scaled data for data

• S3 SHOULD be your default for any things input and for many Aws

CloudFormation (CFN) Basics

• CloudFormation is a tool that lets you create, update and delete infrastructure in AWS in a consistent and repeatable way using templates instead of manually creating and editing

• CloudFormation relies on templates to work

• AWS infrastructure is created using cloudformation from the selected templates

• templates can be updated and reapplied causing CloudFormation to update existing infrastructure and can be used to delete said infrastructure entirely

• CloudFormation templates are written in YAML or JSON, to achieve the same thing and can be converted easily between the two

• All templates have resource at lead 1. And It's the resources section

• Then CloudFormation what if resouce are delete to it,

• If resources are delete from a template and are Applied with what there physical Resource are deleted.

• The Resource section of a template the only mandatory what makes sense withour the template woudn't actualu do anything

• Use example has resource defined on it

• The Discription this lets know what are the description

• Now the only restricted which you need to both description and both template force.

• Now Meta data this is what you woudn't want to task abut Meta data has some pretty a function

CloudWatch (CW) Basics

• CloudWatch is a core infrastructure product that has operational magenment and monitoring as well as performs 3 main jobs

• CloudWatch collects and manages operational data

• CloudWatch produces metrics aws product apps on premise

• CloudWatch logs aws product apps and on the on premises

• CloudWatch Events - aws servcies and schedule.

• CloutWatch is a management of the on your behalf

• The operation data is the data geterated by anv enviorment and any data for

• you can think of CloutWatch it collect metrci and montior action

• metric Aws prodcut for applicatins

• cloud watch this is a puvlic service or it is called metric

• One aspect of a cloutWath that any native

• if

• some typer of what softwARE to DO with this is exmapler outside

• will you