3. AWS Fundamentals

Questions and Answers

An organization is planning to host a highly sensitive internal application on AWS, requiring it to be accessible only by users connected to the corporate network via a VPN. Which AWS networking configuration would BEST ensure that the application remains inaccessible from the public internet?

• Deploy the application within a private subnet and configure the route table to route outbound traffic to a NAT Gateway. (correct)
• Implement AWS Shield Advanced and configure it to block all traffic originating from outside the defined geographic region.
• Deploy the application within a public subnet but configure the security group to only allow inbound traffic from the VPN's CIDR block.
• Place the application behind an Application Load Balancer (ALB) configured with a listener that only accepts HTTPS traffic.

A global media company wants to distribute content with the lowest possible latency to its users worldwide. The company is considering storing its content in S3, but is concerned about the speed at which users can retrieve the content, particularly during peak hours. Which approach would provide the MOST effective solution to this challenge?

• Implement Amazon CloudFront and configure it to cache the content at edge locations around the world. (correct)
• Enable S3 Transfer Acceleration and instruct users to access the content via the Transfer Acceleration endpoint.
• Utilize S3 Cross-Region Replication to replicate the content to multiple regions and direct users to the closest region based on GeoDNS.
• Configure S3 to use provisioned IOPS and allocate a dedicated amount of throughput for each object stored in the bucket.

A financial services company operates a critical application that must be highly available. They've deployed the application across multiple Availability Zones within a single AWS Region. Despite this, they are concerned about dependencies on shared services within the region. Which architectural change would MOST effectively increase resilience against regional failures?

• Implement a warm standby architecture in a secondary AWS Region, using CloudFormation to automate failover.
• Utilize AWS Backup to regularly back up all application data and EC2 instances to a secondary AWS Region.
• Implement a multi-region active-active configuration, distributing traffic across multiple AWS Regions using Route 53. (correct)
• Enable S3 Cross-Region Replication to replicate application data to a secondary AWS Region.

A research team requires a highly secure environment for processing sensitive datasets. They want to isolate their AWS resources, ensuring no network connectivity to external networks. Which configuration would BEST meet these requirements?

Launch all resources within a custom VPC with no Internet Gateway or NAT Gateway attached. (A)

A development team is using AWS CodePipeline to automate their software delivery process. They wish the pipeline to branch to a new stage that only executes under a defined condition. Which CloudFormation construct BEST facilitates conditional resource creation based on input parameters?

Conditions, evaluated during stack creation to determine if specific resource configurations will be provisioned. (D)

An organization seeks to optimize cost management for infrequently accessed archived data. Which S3 storage class transition strategy would offer the MOST cost-effective storage solution while maintaining availability for occasional retrieval?

Implement S3 Intelligent-Tiering to automatically transition objects based on access patterns. (B)

An S3 bucket containing sensitive financial data requires enhanced access control and auditing. Which combination of mechanisms provides the MOST thorough security and compliance posture?

Configuring S3 Block Public Access, implementing bucket policies to restrict access to specified corporate IAM, and enabling S3 access logging. (B)

An application experiences performance bottlenecks due to high latency database queries. Which strategy would MOST effectively reduce database load and optimize data retrieval times?

Leverage Amazon ElastiCache to cache frequently accessed data, reducing the need to query the database directly. (D)

A machine learning team requires a cost-effective, serverless environment for running large-scale hyperparameter optimization jobs. Which service offers the MOST appropriate solution for this use case?

Amazon SageMaker with hyperparameter optimization, leveraging AWS Batch for scalable compute. (A)

After the implementation of strict VPC configuration rules, a user reports that they can no longer connect to their EC2 instance using SSH. Assuming that the security group has been opened to allow inbound traffic correctly, which of the following scenarios is MOST likely preventing the connection?

The EC2 instance is deployed in a private subnet without a NAT Gateway or NAT instance allowing outbound connections. (C)

A system administrator is tasked with ensuring that a critical EC2 instance, which serves as a primary domain controller, is accessible even in the event of an Availability Zone failure. Which of the following solutions provides the MOST robust and automated failover mechanism?

Utilizing Amazon Route 53 DNS failover to redirect traffic to a backup EC2 instance in another Availability Zone. (D)

When evaluating AWS Regions, a solutions architect must consider governance separation. Which aspect of AWS Regions BEST ensures geopolitical or governance separation?

You will be affected by the laws and regulations of the region that your infrastructure is stored in. (B)

You need to choose between public and private AWS services. What is always true of a public AWS service when compared to a private one?

A public service is something which is accessed using public endpoints. (D)

Regions and Edge locations are central to the design of AWS solutions. Which of the following statements is most correct?

Edge locations generally only have content distribution services as well as some types of edge computing, but they are located in many more places than regions. (D)

S3 is a default option for many solutions on AWS. Which patterns can be performed well by S3?

S3 is not a file storage system. (D)

If you have four components to a resource running on AWS, what has to be the case if you are to avoid any costs (zero EC2 costs) when running an EC2 resource?

If a volume is attached to the instance and the instance is in a stop state, you will still see charges on your bill for EBS storage. (C)

High availability (HA) and Fault Tolerance (FT) have very precise and slightly nuanced meanings. Which statement is most correct?

Fault tolerance means operating through failure, High availability just about maximizing uptime. (C)

A bucket has a name that must be globally unique, so that's across all regions and all accounts of AWS. Considering that, what is correct regarding bucket and IAM user names?

You cannot have multiple IAM user called Fred in different accounts. (D)

A new member joins your team. They are not from a cloud background - how might you describe CloudFormation and the concepts it uses?

Without resources, the template wouldn't actually do anything with CloudFormation. (D)

S3 intelligent tiring will help manage cost and access on S3. Which S3 storage class is the best default if not this is not used?

S3 should be your default thought for any input TO AWS services. (C)

Flashcards

AWS Public Service

AWS services accessed using public endpoints, like S3.

AWS Private Service

AWS services running within a VPC, accessible only within that VPC.

Internet Zone

The Internet zone where internet services operate from.

Private Network

A network connected to a specific location, like your home.

Virtual Private Clouds (VPCs)

Isolated private networks within AWS; cannot communicate unless configured.

AWS Public Zone

Network zone where AWS public services with public endpoints operate.

AWS Global Infrastructure

A collection of smaller groupings of infrastructure connected by a high-speed network.

AWS Region

An area of the world selected by AWS with a full deployment of AWS infrastructure.

AWS Edge Location

Smaller than regions, useful for content distribution, located in many more places than regions.

Interact with AWS services

A way to interact with most AWS services in a specific geographical area.

Geographic Separation

Each region it is separated geographically so a problem in one region doesn't affect other region.

geopolitical

Country that the region is located within so you have governance separation.

Location Control

Region that gives you the ability to put infrastructure as close to your customers as possible.

Availability Zone (AZ)

Lower level architectural component available within AWS. isolated compute, storage, networking, power and facilities within a region

Globally Resilient Services

Services are designed to tolerate the failure of multiple regions without impacting service

Region Resilient Services

Services which operate in a single region with one set of data per region. if an AZ in the region fails, the service can continue operating. But if the region as a whole fails, then the service will fail.

AZ Resilient Services

Services that are run from a single availability zone. If the availability zone that that service is provisioned into fails, then that service will fail.

VPCs

Virtual private clouds; service to create private networks inside AWS.

Default VPC

maximum of one per region; comes pre-configured but is less flexible.

Default VPC CIDR

172.31.0.0/16; cannot be changed.

Subnets

short for subnetworks; each subnet in a VPC is in one availability zone.

IAAS

Infrastructure as a service.

EC2 Instances

virtual machines.

Instance sizes

Choose from various sizes and capabilities for that instance. These choices influence the resources that the instance gets.

Instance Charge

The charge for running the instance, so an amount for CPU and memory that the instance consumes.

Instance Components

CPU, memory, disk and networking.

Instance State

running, stopped and terminated.

AMI

an image of an EC2 instance

AMI Boot Volume

Contains the boot volume of the instance.

Connect to Windows instances

use RDP, the remote desktop protocol

Connect to Linux instances

Use SSH protocol.

S3

storage platform that runs from all AWS regions with Internet.

That Data has a Home

Your data that's inside a bucket has a primary home region and it never leaves that region unless you as an architect or one of your system admins configures that data to leave.

Bucket Names

needs to be globally unique, so that's across all regions and all accounts of AWS

S3 buckets

an S3 bucket has no complex structure

Folders

The object key.

CloudFormation

Automates AWS infrastructure creation, updates and deletion.

Templates

AWS infrastructure using CloudFormation.

Template Resources

The only mandatory part of a CloudFormation template.

Template Description

Free text field which lets the author of the template add, as the name suggests, add a description.

Template Metadata

A way that you can force how the Ul presents the template.

Template Parameters

Section of a template is where you can add fields which prompt the user for more information.

Template Mappings

Can create lookup tables.

Template Conditions

Allow decision making in the template and can set certain things in a template that will only occur if a condition is met.

Template Outputs

way that once the template is finished, it can present outputs based on what's being created, updated or deleted.

CloudWatch

Core product inside AWS which is a support service which is used by almost all other AWS services, especially for operational management and monitoring.

CloudWatch

A way to collect metrics inside/outside AWS; Also has agents for specific logs

CloudWatch Logs

allows for the collection, monitoring and actions based on logging data

CloudWatch Events

If an AWS service does something, e.g an EC2 instance, then CloudWatch Events will generate an event which can perform another action.

Data Srouces

AWS products and service

Metrics Diagram

this data is injected into CloudWatch and it's managed as metrics

Diagram I've Provider

what this store has to be is one to see if these are for rent

You Enable monitoring

This is a set of servers logging data for CPU

Name Space

A Container.

Namespace Name

is easy with this to keep this from been messy

Time Ordered Structure

It is a collection of related datapoints in a time

2 Elements

So the 1st is a time stamp which includes where the measurement was conduced.

Allow CloudWatch

are name value pairs, which allow CloudWatch to separate things or provide different perspectives of things within a metric

Operational Data

A cloud product which collects and manages operational data on your behalf

AWS's responsibility

AWS is responsible for the security of the cloud

Your Responsiblity

Customer is responsible for security in the cloud

High Availability (HA)

Aims to ensure agreed operational performance (usually uptime), above normal

Fault Tolerance(FT)

Enables a system to continue operating, with some fault, within the system

Disaster Recovery (DR)

A set of policies that allow continuity of tech systems after a human or natural disasters

Route 53 Features

First, route 53 allows you to register domains. Second it stores zone files.

Two Main

First, route 53 allows you to register domains, and Second , it can host zone files for you on managed nameservers, which it provides.

Hosted Zone

Which means that the data is accessible on the public Internet

NS Records

The 1st record is to touch on those nameserver records

DNS Zone

To know about A & AAAA records do in the code

The CNAME Record Type

record is which will know that this is

Record Is Use

is the which will have to follow so email with that cone

Add TX Records

add arbitrary code to that chain for the right person

Know What is the DNS

is is something that will give you record that is , this has to

Study Notes

AWS Public vs Private Services

• Public AWS services are accessed using public endpoints and can be accessed from anywhere with an internet connection
• Simple Storage Service (S3) exemplifies a public service
• Private AWS services run within a Virtual Private Cloud (VPC), accessible only to resources within or connected to that VPC
• Permissions control who can access a service, while networking determines how the service is accessed
• The focus is on networking when distinguishing public vs private services
• The internet zone services operate from online stores, Gmail, and online games
• AWS has private zones called VPCs, which are isolated and require configuration to allow communication
• Services like EC2 instances can be placed in private zones
• The AWS public zone sits between the public internet and AWS private zone networks
• AWS public services operate from the network zone with public endpoints like S3
• Accessing AWS public services from a public internet connection uses the public internet for transit to and from the AWS public zone
• Private zone resources can access the public internet if the EC2 instance has a public IP address
• Attaching an Internet Gateway (IGW) to a VPC allows access to public AWS services like S3 without touching the public internet

AWS Global Infrastructure

• While AWS markets itself as a global cloud platform, it is a network of smaller infrastructure groupings connected by a global high-speed network
• Solutions architects utilize this structure to design systems resilient to failure and are highly available
• AWS regions, edge locations, and availability zones are infrastructure components
• Services are resilient in various ways: globally, regionally, or by zone
• AWS regions do not directly line up with continents of countries, they are AWS creations
• AWS regions have compute services, storage, database products, AI analytics etc
• AWS adds regions all the time. Regions include Northern Virginia, Ohio, California, Oregon in the US, and Frankfurt, Ireland, London and Paris in Europe, Sao Paulo in South America
• Geographically spread regions enable solutions architects to design systems that withstand global disasters
• When interacting with most AWS services, interaction occurs with the service in a specific region
• Amazon's Elastic Compute Cloud in Northern Virginia is separate from Elastic Compute Cloud in Sydney
• AWS deploys regions as fast as business and local planning allows
• AWS provides edge locations because it often can't have a region in everyone's town or city
• Edge locations are smaller than regions
• Content distribution services and some forms of edge computing happen at edge locations
• Edge locations are useful for companies that need to store TV shows and movies near users
• Edge locations allow for low latency and high speed distribution
• Transfer is slower and latency is higher as data is further from end users
• Solutions architects often use regions and edge locations together
• For example, Netflix runs its infrastructure from multiple regions worldwide
• Content could be delivered at faster speeds if it were stored in many different edge locations
• The Australian AWS region in Sydney has a Netflix customer in Melbourne stream content from a local edge location
• AWS has a website that allows for visualization of the global AWS network
• Note on this map, how there are far fewer regions than edge locations
• All of these regions are connected using high speed networking links
• Private AWS networking is utilized for efficient system deployments in AWS
• In the AWS console, you must pick a region in the EC2 area
• Some global services, such as IAM or Route 53, don't allow region selection
• Regions provide resiliency, with each region being geographically separate
• A problem in one won't affect another in a separate geographical region
• With AWS, you can place infrastructure in one region and know that it won't be impacted by faults in another
• Regions are designed to be 100% isolated allowing AWS to achieve fault tolerance
• You can select a region, and by doing so, you have geopolitical or governance separation
• AWS commits that if you place data in one region, then unless you configure it, it won't leave that region
• Regions allow you to tune your architecture for performance by placing infrastructure close to customers
• EC2 in Sydney resources is inside a region
• A region is generally referred to in one of two ways, using the region code or the region name
• The Sydney AWS region code is ap-southeast-2
• The region name is Asia Pacific (Sydney)
• You should become comfortable using both the region code and region name
• You are given isolated infrastructure inside a region with Availability Zones
• Availability zones are isolated compute, storage, networking, power and facilities within a region
• If a region has an isolated area issue, and it happens in one availability zone, then other availability zones should still function
• As a solutions architect, you can distribute components across multiple availability zones
• You can design solutions that distribute components across multiple availability zones
• An availability zone is a logical thing inside AWS
• You can think of an availability zone as a data centre, however, this isn't entirely correct
• An availability zone could be one data centre or part of multiple data centres
• AWS will not show you what an availability zone is, just that it's isolated from each other with high speed redundant networking
• You can place services across multiple availability zones to make them resilient with VPCs
• Globally resilient services operates globally with a single database, and the product's data is replicated across multiple AWS regions
• A region can fail, and the service continues running
• It would take the world to fail for a globally resilient service to experience outage
• You don't pick a region with globally resilient services
• Examples include IAM and Route 53.
• Multiple region failures won't impact IAM and Route 53
• Region resilient services operates in one region with data set per region
• You could create an RDS database in Sydney and one in Northern Virginia
• Region resilient services usually replicate data inside the region to multiple availability zones
• If an AZ in a region fails, the region resilient service can continue
• If the whole region fails, then the region resilient service will fail
• AZ resilient services run from single availability zone
• If the availability zone fails, then that service will fail
• AZ resilient services are extremely prone to failure if there are zone problems

AWS Default Virtual Private Cloud (VPC)

• They also connect your AWS private networks to your on-premises or multi-cloud deployments when you're creating a hybrid environment
• You will need to understand VPCS as they'll be lots of networking and VPC related questions in the exam
• A VPC is a virtual network inside AWS
• A VPC is within 1 account and 1 region
• A VPC is always private and isolated unless you choose otherwise
• There are two types of VPC - Default VPC and Custom VPCs
• VPCs are regional services, meaning that they're regionally resilient
• VPCS operate from multiple availability zones in a specific AWS region
• A VPC by default is private and isolated
• Services deployed into the same VPC can communicate, but the VPC is isolated from other VPCs and from the public AWS zone and public Internet unless otherwise configured
• To the default VPC, one exception to this
• There are two types of VPC available inside a region, the default VPC
• Of which there is a maximum of one per region, and custom VPCs
• Custom VPCs are custom, and you can configure them in any way that you want, stay in line with VPCS
• Default VPCS are initially created by AWS and there is one per region created by default
• These come pre-configured in a very specific way and all of the networking configuration is handled on your behalf by AWS
• Default VCs
• One per region - can be removed and recreated
• Default VPC CIDR is always 172.31.0.0/16
• /20 Subnet in each AZ in the region
• Internet Gateway (IGW) security Group (SG) & NACL
• Subnets assign public IPv4 addresses
• A default VPC is created once per region when an AWS account is first created
• One default VPC per region, and they can be deleted and recreated from the console UI
• Default VPCS will always have the same IP range and '1 subnet per AZ' architecture.

Elastic Compute Cloud (EC2) Basics

• Provides Virtual Machines Instances
• Private service by-default - uses VPC networking -Resilient - Instance fails if AZ fails
• Different instance sizes and capabilities
• On-Demand Billing- Per second
• Local on-host storage or Elastic Block Store (EBS)
• EC2 is IAAS, it's infrastructure as a service
• It provides access to virtual machines known as EC2 instances
• It is configured to launch into a single VPC subnet
• It's configured to launch into a specific VPC subnet
• You're also have to configure any public access to your account
• Now, because an instance is launched into a specific subnet, and because a subnet is in a specific availability zone, it means that EC2 is AZresilient
• In AWS, there are several states
• Running Instance
• Stopped Instance
• Terminated Instance
• You can also move from Running instance to Stopped Instance
• the CPU memory and networking
• The disk which you do have any storage changes
• But you need to pay special care on attention, because is not the reversible
• A or Amazon machine image is, as the name suggests, is an image of an EC2 instance
• You can use AMI to create an EC2 instance, or an AMI can be created from an EC2 instance
• AMI Permissions
• public - everyone Allowed
• Owner Inplicit allows
• -Explicit-specific AWS accounts allowed
• When youre connecting to Linux instances, you log in using the SSH key

Simple Storage Service (S3) Basics

• A global storage platform, regional based, and resilient
• A Public Service, Unlimited data, and multi-user
• Movies, Audio, Photos, Text, Large Data sets
• An Economical and accessed via UI/CLI/API/HTTP
• Objects & Buckets
• It might initially appear confusing, that if you utilize the user interface you can't seem to select a region
• But you select that region to create things
• To talk about objects. You can think about objects like files
• Object main components
• The object key: Object Key is similar to the file name -Value: The value is the data or the contents of the object
  • It has metadata, access control
• Buckets are created in a specific AWS region
  • Example: Sydney aka ap-southeast-2 as an example
• The data inside a bucket has a primary home region and the blast Radius is a region
• A bucket name needs globally unique across all regions and across all accounts Bucket Summary Items
• Bucket names are GLOBALLY UNIQUE
• 3-63 chars, all lowercase, and no underscores
• Start w/ lowercase letter or number
• Can’t be formatted like an IP
• Buckets - 100 soft & 1000 hard per account
• Unlimited Objects (O Bytes-5 TB)
• Key - Name, value-Data
• If you are designing a system that uses S3 and the users of that system or store data inside S3, you kind implement a solution that has a bucket per unit for users
• An object consists of a key value and others
• S3 is an object storage system, not a file system not block storage system

CloudFormation (CFN) Basics

• AWS CloudFormation is a tool which lets you create, update, and delete infrastructure in AWS in a consistent and repeatable way using templates
• Templates allow CloudFormation to automate the creation and modification of AWS resources/ Services you need for various use cases
• A CloudFormation consists of YAML and JSON which can be configured to achieve the same thing
• All templates resources, at least one telling CloudFormatuon what to do
• If resources are updating, then it updates this resource
• The resources section of a template is the only mandatory part of the CloudFormation template, which makes sense
• Is a free text field which lets the author of the template at, as the name suggests,a description
• Now you can select the region and you have to both has A description and an AWS template
• Version then the description needs to immediately follow the template format

CloudWatch (CW) Basics

• CloudWatch performs three main jobs. and its important that you understand all three
• Collects and manages operational data Metrics - AWS Products. Apps, on premises CloudWatch Logs - AWS Products. Apps, on premises CloudWatch Events - AWS Services & Schedules
• CloudWatch is a product which collects and manages operational data on your belief
• Can think of CloudWatch has three main products in one, so lest talk about those
• Most metrics in AWS is gathered natively
• You're only pay for what you consume. So this is resources that use while the instance is operational
• Cloudwatch comes with the agent installed in and configured metrics
• Now, the second part of the CloudWatch, is called CloudWatch Logs, this allows the collection, monitoring, and action based on logging data
• It can be Linux, Windows firewall logs and servers
• Now, with it the parent CloudWatch product for on-premises infrastructure, custom logs, or anything outside of what exposed to AWS natively, then you'll need to install the CloudWatch Agent
• Last, leave got CloudWatch Events and this functions act as an event hub
• CloudWatch performs 3 main roles which are CloudWatch metrics and logs and cloudwatch event
• AWS/ serviceAWS/EC2, is the namespace that is used for all metric data for EC2
• But an alarm based, but on the criteria that you set, can also move into an AlARM state, and that means that something bad has happened (the metric in some way isn't in good state)
• Dimensions are name value pairs, which allow CloudWatch to separate things or provide different perspectives of things within a metric
• Most commonly seen with sending data points into CloudWatch
• EC2 AWS also send in the instance

Shared Responsibility Model

• It's AWSs way of making sure that it's clear and that you understand fuel which elements you manage with the elements it manages
• AWS are responsible to the sector the cloud.
• The customer is responsible for the security in the cloud
• Provide for you as a series that you can sue
• Also include the client data encryption

High Availability (HA) Fault-Tolerance (FT) and Disaster Recover (DR)

• High Availability aims to ensure an agreed level of operational purposes, usually uptime
• When do is about managing systems of active for a higher performance
• High availability systems and about keeping the system operational about automatic recovery of issues
• Systems designed to work through failure with no disruption
• I had to talk about disaster is about design and system that work together