AWS Certified Solutions Architect Associate Slides
SECTION 1 Let's Get Started!
© Digital Cloud Training | https://digitalcloud.training

The SAA-C03 Exam
- Level: Associate
- Length: 130 minutes
- Format: 65 questions
- Cost: $150 USD
- Delivery Method: Testing center or online
- Scoring: Scaled score between 100 – 1000; minimum passing score of 720

The SAA-C03 Exam – Question format
- Multiple-choice: Has one correct response and three incorrect responses
- Multiple-response: Has two or more correct responses out of five or more options

The SAA-C03 Exam – Domains
Domain 1: Design Secure Architectures
- Task Statement 1.1: Design secure access to AWS resources
- Task Statement 1.2: Design secure workloads and applications
- Task Statement 1.3: Determine appropriate data security controls
Domain 2: Design Resilient Architectures
- Task Statement 2.1: Design scalable and loosely coupled architectures
- Task Statement 2.2: Design highly available and/or fault-tolerant architectures
Domain 3: Design High-Performing Architectures
- Task Statement 3.1: Determine high-performing and/or scalable storage solutions
- Task Statement 3.2: Design high-performing and elastic compute solutions
- Task Statement 3.3: Determine high-performing database solutions
- Task Statement 3.4: Determine high-performing and/or scalable network architectures
- Task Statement 3.5: Determine high-performing data ingestion and transformation solutions
Domain 4: Design Cost-Optimized Architectures
- Task Statement 4.1: Design cost-optimized storage solutions
- Task Statement 4.2: Design cost-optimized compute solutions
- Task Statement 4.3: Design cost-optimized database solutions
- Task Statement 4.4: Design cost-optimized network architectures

AWS Account Overview
- It's an IAM best practice to create individual users and to avoid using the Root account
- An AWS account requires a unique email address
- The account root user has full control over the account
- AWS IAM can be used to create users, groups, roles and policies
- Authentication: IAM principals authenticate to IAM using the console, API, or CLI
- Authorization: IAM principals can then create resources across AWS Regions (the diagram shows EC2, RDS, S3 and ALB in us-west-1, us-east-1 and ap-southeast-2)
- All AWS identities and resources are created within the AWS account

Create your AWS Free Tier Account – What you need…
- Credit card for setting up the account and paying any bills
- Unique email address for this account; check if you can use a dynamic alias with an existing email address
- AWS account name / alias
- Phone to receive an SMS verification code

Configure Account and Create a Budget – Account Configuration
- Configure Account Alias
- Enable access to billing for IAM users
- Update billing preferences
- Create a budget and alarm

Install Tools and Configure AWS CLI
✓ Download the code (from the next lesson)
✓ Install Visual Studio Code
✓ Install and Configure the AWS CLI
✓ Access AWS CloudShell

SECTION 2 AWS Identity and Access Management (IAM)

AWS Identity and Access Management (IAM)
- A principal is a person or application that can make a request for an action or operation on an AWS resource
- IAM principals must be authenticated to send requests (with a few exceptions)
- Principals in the diagram: User, Role, Federated User, Application; requests arrive via the Console, CLI or API
- Example actions: RunInstances (EC2), GetBucket (S3), CreateUser (IAM)
- AWS determines whether to authorize the request (allow/deny) based on identity-based and resource-based policies
- Actions are authorized on AWS resources

Users, User Groups, Roles and Policies
- Policies define the permissions for the identities or resources they are associated with
- Identity-based policies can be applied to users, groups, and roles
- The user gains the permissions applied to the group through the policy
- Roles are used for delegation and are assumed

IAM Users
- The root user has full permissions. It's a best practice to avoid using the root user account + enable MFA
- The account root user is identified by the email used for signup
- IAM users have a friendly name (e.g. Andrea, Eric, Ethan) and an Amazon Resource Name, e.g. arn:aws:iam::625148252389:user/Andrea
- Up to 5000 individual user accounts can be created
- Users have no permissions by default
- Authentication via username/password for console or access keys for API/CLI

IAM User Groups
- User Groups are collections of users (e.g. an Admin Group, a Development Group and an Operations Group containing users such as Eric, Sunil, Ethan, Lee and Andrea)
- The main reason to use groups is to apply permissions to users using policies
- The user gains the permissions applied to the group through the policy

IAM Authentication Methods
- Console: Username: John; Password: Eo28720*!; MFA Token: (optional). John is authenticated and can perform operations in the console
- CLI / API: Access key ID: AKIAXP4J2EKUQIQJTJLV; Secret access key: wiMjGpewNMRHFi9ud0pJwh7NBX4F6i. Access keys are used for programmatic access

Root User vs IAM User
- Root User – Login details: Email address; Permissions: Full - Unrestricted
- IAM User – Login details: Friendly name (e.g. John) + AWS account ID or Alias; Permissions: IAM Permissions Policy

Creating IAM Users and Groups

IAM Authentication and MFA
(The IAM Authentication Methods slide above is repeated here)

Multi-Factor Authentication
- Something you know: e.g. a password (EJPx!*21p9%)
- Something you have: e.g. Google Authenticator on your smart phone (virtual MFA), or a hardware device such as security keys and time-based one-time password (TOTP) tokens
- Something you are

Setup Multi-Factor Authentication (MFA)

Permissions Boundaries
- Joanne's Developers policy allows full control of S3, CloudWatch, EC2, and IAM
- s3:ListBuckets on Amazon S3 succeeds; iam:CreateUser fails because the permissions boundary does not allow it
- The permissions boundary sets the maximum permissions that the entity can have
- Permissions boundaries are attached to users and roles

Privilege Escalation
- Lindsay is assigned permissions to AWS IAM only (IAMFullAccess) and cannot launch AWS resources
- Using iam:CreateUser, Lindsay applies the AdministratorAccess policy to the X-User account
- Lindsay is now able to login with the X-User account and gain full privileges to the AWS account
- Lindsay mines bitcoins (AWS Batch)

Preventing Privilege Escalation
- Lindsay is assigned permissions to AWS IAM only (IAMFullAccess) and cannot launch AWS resources
- Lindsay applies the AdministratorAccess policy to the X-User account
- The permissions boundary ensures that users created by Lindsay have the same or fewer permissions
- Lindsay does not have more privileges when logging in as X-User and cannot launch AWS resources

IAM Policy Evaluation – Evaluation Logic

Steps for Authorizing Requests to AWS
1. Authentication – AWS authenticates the principal that makes the request
2. Processing the request context:
   - Actions – the actions or operations the principal wants to perform
   - Resources – the AWS resource object upon which actions are performed
   - Principal – the user, role, federated user, or application that sent the request
   - Environment data – information about the IP address, user agent, SSL status, or time of day
   - Resource data – data related to the resource that is being requested
3. Evaluating all policies within the account (identity-based and resource-based policies)
4. Determining whether a request is allowed or denied
(The diagram shows a user calling s3:GetObject on an S3 bucket via the Console, CLI or API, with AWS IAM evaluating the identity-based and resource-based policies)

Types of Policy
- Identity-based policies – attached to users, groups, or roles
- Resource-based policies – attached to a resource; define permissions for a principal accessing the resource
- IAM permissions boundaries – set the maximum permissions an identity-based policy can grant an IAM entity
- AWS Organizations service control policies (SCP) – specify the maximum permissions for an organization or OU
- Session policies – used with AssumeRole* API actions

Evaluating Policies within an AWS Account
- Identity-based policy + Resource-based policy → Effective permissions
- Identity-based policy + Permissions boundary → Effective permissions
- Identity-based policy + Organizations SCP → Effective permissions

Determination Rules
1. By default, all requests are implicitly denied (though the root user has full access)
2. An explicit allow in an identity-based or resource-based policy overrides this default
3. If a permissions boundary, Organizations SCP, or session policy is present, it might override the allow with an implicit deny
4. An explicit deny in any policy overrides any allows

IAM Policy Structure – API Actions
- Each AWS service has its own set of actions that describe tasks you can perform with that service
- Amazon EC2: "Action": "ec2:RunInstances"
- Amazon RDS: "Action": "rds:StopDBInstance"
- AWS IAM: "Action": "iam:ChangePassword"
- Amazon S3: "Action": "s3:GetObject"

Reading IAM Policies
- All properties in a single statement block are evaluated together
- A policy may contain more than one permission statement
- The effect is either allow or deny
- Action lists the specific operations that the policy affects
- Resource lists the specific resources that the policy applies to; a * is a wildcard resource

Permission Statements - Conditions
- Conditions allow for context-based decisions. In this example, access is allowed Mon-Fri during business hours

IAM Policy Example – Source IP Address Condition
- The specific API action is defined
- The effect is to deny the API action if the IP address is not in the specified range

IAM Policy Example – Encryption Condition
- You can tell this is a resource-based policy as it has a principal element defined
- The policy grants read and write access to an EFS file system to all IAM principals ("AWS": "*")
- The policy condition element requires that SSL/TLS encryption is used

IAM Policy Example – Prefix Condition
- A variable is used for the s3:prefix that is replaced with the user's friendly name
- The actions are allowed only within the user's folder within the bucket

Access Evaluation Tools

IAM Best Practices – AWS IAM Best Practices
- Require human users to use federation with an identity provider to access AWS using temporary credentials
- Require workloads to use temporary credentials with IAM roles to access AWS
- Require multi-factor authentication (MFA)
- Rotate access keys regularly for use cases that require long-term credentials
- Safeguard your root user credentials and don't use them for everyday tasks
- Apply least-privilege permissions
- Get started with AWS managed policies and move toward least-privilege permissions
- Use IAM Access Analyzer to generate least-privilege policies based on access activity
- Regularly review and remove unused users, roles, permissions, policies, and credentials
- Use conditions in IAM policies to further restrict access
- Verify public and cross-account access to resources with IAM Access Analyzer
- Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions
- Establish permissions guardrails across multiple accounts
- Use permissions boundaries to delegate permissions management within an account
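The determination rules, the permissions boundary scenario with Lindsay and X-User, and the three condition examples (source IP, encryption, prefix) can be exercised together with a small evaluator. This is an added example written for this transcript, not Digital Cloud Training's material or an AWS library; it implements only the subset of the policy grammar named in its header comment, and every policy, account value and request context in it is a constructed sample (the bucket name corp-bucket and the 203.0.113.0/24 office range are assumptions).

```python
# IAM policy evaluation modelled on the slides' determination rules. Added example,
# not Digital Cloud Training's material or an AWS library. Supports Effect, Action,
# Resource, Principal (present only in resource-based policies), the operators
# IpAddress, NotIpAddress, Bool and StringLike, and the ${aws:username} variable.
import fnmatch
import ipaddress

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _wild(patterns, value, casefold=False):
    """Match value against IAM wildcard patterns (* and ?); actions are case-insensitive."""
    pats = _as_list(patterns)
    if casefold:
        value, pats = value.lower(), [p.lower() for p in pats]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def _expand(text, ctx):
    """Replace policy variables such as ${aws:username} with request-context values."""
    for key, val in ctx.items():
        text = text.replace("${" + key + "}", str(val))
    return text

def _condition_ok(cond, ctx):
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            wanted = [_expand(w, ctx) for w in _as_list(wanted)]
            if key not in ctx:  # a missing key fails positive operators and satisfies negated ones
                if "Not" not in op:
                    return False
                continue
            actual = str(ctx[key])
            if op in ("IpAddress", "NotIpAddress"):
                hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(w) for w in wanted)
                ok = hit if op == "IpAddress" else not hit
            elif op == "Bool":
                ok = actual.lower() in [w.lower() for w in wanted]
            elif op == "StringLike":
                ok = _wild(wanted, actual)
            else:
                raise ValueError(f"unsupported condition operator: {op}")
            if not ok:
                return False
    return True

def _applies(stmt, req, ctx):
    """All properties of one statement are evaluated together."""
    allowed = _as_list(stmt.get("Principal", {}).get("AWS", "*"))  # identity policies have no Principal
    if "*" not in allowed and ctx.get("aws:PrincipalArn") not in allowed:
        return False
    if not _wild(stmt["Action"], req["action"], casefold=True):
        return False
    resources = [_expand(r, ctx) for r in _as_list(stmt.get("Resource", "*"))]
    return _wild(resources, req["resource"]) and _condition_ok(stmt.get("Condition", {}), ctx)

def evaluate_policy(policy, req, ctx):
    """Return 'Deny', 'Allow', or None when nothing matches (implicit deny)."""
    outcome = None
    for stmt in _as_list(policy["Statement"]):
        if _applies(stmt, req, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            outcome = "Allow"
    return outcome

def is_authorized(req, ctx, identity=(), resource=(), boundary=None, scps=()):
    """Apply the four determination rules to one request inside one account."""
    grants = [evaluate_policy(p, req, ctx) for p in (*identity, *resource)]
    limits = [evaluate_policy(p, req, ctx) for p in scps]
    if boundary is not None:
        limits.append(evaluate_policy(boundary, req, ctx))
    if "Deny" in grants or "Deny" in limits:
        return False                          # rule 4: an explicit deny always wins
    if "Allow" not in grants:
        return False                          # rule 1: implicit deny by default
    return all(x == "Allow" for x in limits)  # rule 3: boundary and SCPs must also allow

# Constructed sample policies shaped like the slide examples.
DEVELOPER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:*", "Resource": "*",   # source IP condition
     "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}
ADMINISTRATOR = {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}
IAM_ONLY_BOUNDARY = {"Statement": {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}}
OWN_FOLDER = {"Statement": {                                 # prefix condition
    "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::corp-bucket",
    "Condition": {"StringLike": {"s3:prefix": "${aws:username}/*"}}}}
EFS_TLS_ONLY = {"Statement": {                               # resource-based, encryption condition
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Resource": "*",
    "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
    "Condition": {"Bool": {"aws:SecureTransport": "true"}}}}

def demo():
    run = {"action": "ec2:RunInstances", "resource": "*"}
    new_user = {"action": "iam:CreateUser", "resource": "*"}
    ls = {"action": "s3:ListBucket", "resource": "arn:aws:s3:::corp-bucket"}
    mount = {"action": "elasticfilesystem:ClientMount", "resource": "*"}
    andrea = {"aws:username": "Andrea"}
    return {
        "dev_from_office": is_authorized(run, {"aws:SourceIp": "203.0.113.10"}, identity=[DEVELOPER]),
        "dev_from_home": is_authorized(run, {"aws:SourceIp": "198.51.100.7"}, identity=[DEVELOPER]),
        # X-User carries AdministratorAccess, but the boundary Lindsay had to apply only permits IAM
        "xuser_run_instances": is_authorized(run, {}, identity=[ADMINISTRATOR], boundary=IAM_ONLY_BOUNDARY),
        "xuser_create_user": is_authorized(new_user, {}, identity=[ADMINISTRATOR], boundary=IAM_ONLY_BOUNDARY),
        "andrea_own_prefix": is_authorized(ls, {**andrea, "s3:prefix": "Andrea/q1"}, identity=[OWN_FOLDER]),
        "andrea_other_prefix": is_authorized(ls, {**andrea, "s3:prefix": "Eric/q1"}, identity=[OWN_FOLDER]),
        "efs_over_tls": is_authorized(mount, {"aws:SecureTransport": "true"}, resource=[EFS_TLS_ONLY]),
        "efs_plaintext": is_authorized(mount, {"aws:SecureTransport": "false"}, resource=[EFS_TLS_ONLY]),
    }
```

Running demo() returns ALLOW for the developer calling ec2:RunInstances from the office range and DENY from anywhere else, DENY for X-User launching instances despite AdministratorAccess (the boundary never allows it, so rule 3 turns the allow into an implicit deny) while iam:CreateUser still passes, and the expected split for Andrea's own versus another user's prefix and for EFS over TLS versus plaintext.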
Architecture Patterns – AWS IAM
- Requirement: A select group of users only should be allowed to change their IAM passwords. Solution: Create a group for the users and apply a permissions policy that grants the iam:ChangePassword API permission
- Requirement: An Amazon EC2 instance must be delegated with permissions to an Amazon DynamoDB table. Solution: Create a role and assign a permissions policy to the role that grants access to the database service
- Requirement: A company has created their first AWS account. They need to assign permissions to users based on job function. Solution: Use AWS managed policies that are aligned with common job functions
- Requirement: A solutions architect needs to restrict access to an AWS service based on the source IP address of the requester. Solution: Create an IAM permissions policy and use the Condition element to control access based on source IP address
- Requirement: A developer needs to make programmatic API calls from the AWS CLI. Solution: Instruct the developer to create a set of access keys and use those for programmatic access
- Requirement: A group of users require full access to all Amazon EC2 API actions. Solution: Create a permissions policy that uses a wildcard for the Action element relating to EC2 (ec2:*)

SECTION 3 Amazon Elastic Compute Cloud (EC2)

Amazon EC2 Overview – Amazon Elastic Compute Cloud (EC2)
- An EC2 instance is a virtual server
- EC2 instances run Windows, Linux, or macOS
- EC2 hosts are managed by AWS; one EC2 host server runs many EC2 instances (the diagram shows a website on a Windows OS instance)
- A selection of instance types come with varying combinations of CPU, memory, storage and networking

Public, Private, and Elastic IP addresses
- Public IP address: Lost when the instance is stopped; used in public subnets; no charge; associated with a private IP address on the instance; cannot be moved between instances
- Private IP address: Retained when the instance is stopped; used in public and private subnets
- Elastic IP address: Static public IP address; you are charged if not used; associated with a private IP address on the instance; can be moved between instances and Elastic Network Adapters

Public Subnets
- Public Subnet Route Table: 172.31.0.0/16 → Local; 0.0.0.0/0 → igw-id
- An EC2 instance in the public subnet has a Public IP or Elastic IP and reaches the Internet gateway; the private subnet in the same Availability Zone does not
- With a NAT gateway: the NAT gateway sits in the public subnet with an Elastic IP; instances in the private subnet keep only a private IP
- Private Subnet Route Table: 172.31.0.0/16 → Local; 0.0.0.0/0 → nat-gateway-id

Launching Amazon EC2 Instances – Launching an EC2 Instance
- Select an instance type; the instance type defines the hardware profile (and cost)
- Family / Type / vCPUs / Memory (GiB):
  General purpose – t2.micro – 1 – 1
  Compute optimized – c5n.large – 2 – 5.25
  Memory optimized – r5ad.large – 2 – 16
  Storage optimized – d2.xlarge – 4 – 30.5
  GPU instances – g2.2xlarge – 8 – 15
- An Amazon Machine Image (AMI) defines the configuration of the instance (e.g. Linux or Microsoft Windows)
- A snapshot (EBS Snapshot) is a point-in-time backup of an instance
- You can customize your instance and create a custom AMI

Connecting to Amazon EC2

Amazon EC2 User Data and Metadata – Amazon EC2 Metadata
- Instance metadata is data about your EC2 instance
- Instance metadata is available at http://169.254.169.254/latest/meta-data
- Examples: (shown on the slide)

IMDSv1 vs IMDSv2
- Instance Metadata Service (IMDS) comes in two versions
- IMDSv1 – is older and less secure
- IMDSv2 – is newer, more secure, and requires a session token for authorization
- Default EC2 launch settings may disable IMDSv1

Amazon EC2 User Data
- The code is run when the instance starts for the first time (e.g. user data supplied in the AWS Management Console builds a web server)
- Batch and PowerShell scripts can be run on Windows

Amazon EC2 User Data via the AWS CLI
  aws ec2 run-instances --instance-type t2.micro --image-id ami-0440d3b780d96b29d --user-data file://user_data.sh
- The user data is supplied by specifying the file

Amazon EC2 User Data
- User data must be base64-encoded
- Encoding is automatic with the console and AWS CLI
- User data is limited to 16 KB, in raw form, before it is base64-encoded
- User data only runs the first time you launch your instance

Launch Instance with User Data and Metadata
Access Keys and IAM Roles with EC2

Using Access Keys with Amazon EC2
- The access key is associated with an IAM account (IAM user + policy)
- The AWS CLI on the EC2 instance (in a public subnet of the VPC) is configured with access keys and accesses an S3 bucket
- The access key will use the permissions assigned to the IAM user
- Using an IAM role instead: the role is assumed by the EC2 instance; credentials are not stored on the instance

Practice with Access Keys and IAM Roles

EC2 Placement Groups
- Cluster – packs instances close together inside an Availability Zone. This strategy enables workloads to achieve the low-latency network performance necessary for tightly-coupled node-to-node communication that is typical of HPC applications
- Partition – spreads your instances across logical partitions such that groups of instances in one partition do not share the underlying hardware with groups of instances in different partitions. This strategy is typically used by large distributed and replicated workloads, such as Hadoop, Cassandra, and Kafka
- Spread – strictly places a small group of instances across distinct underlying hardware to reduce correlated failures

Cluster Placement Group
- All instances are in one Availability Zone of the VPC
- Uses enhanced networking; low network latency and high throughput for inter-instance traffic

Partition Placement Group
- Each partition is located on a separate AWS rack
- Partitions can be in multiple AZs (up to 7 per AZ)

Spread Placement Group
- Each instance is located on a separate AWS rack
- Can span multiple Availability Zones

EC2 Placement Group Use Cases
- Cluster: Tightly-coupled application that requires low-latency, high throughput network traffic between instances
- Partition: Distributed and replicated NoSQL database; requires separate hardware for node groups
- Spread: Small number of critical instances that should be kept separate from each other

Network Interfaces (ENI, ENA, EFA)
- The primary network interface (eth0) has a private IP (172.31.15.89) and optionally a public IP (52.63.195.113)
- Additional ENIs (eth1) can be attached from subnets within the same AZ
- You cannot attach ENIs from subnets in different AZs
- Elastic network interface (ENI): Basic adapter type for when you don't have any high-performance requirements; can use with all instance types
- Elastic network adapter (ENA): Enhanced networking performance; higher bandwidth and lower inter-instance latency; must choose a supported instance type
- Elastic Fabric Adapter (EFA): Use with High Performance Computing and MPI and ML use cases; tightly coupled applications; can use with all instance types

Public, Private and Elastic IP Addresses
- In the diagram eth0 has private IP 172.31.15.89 and public IP 52.63.195.113; eth1 has private IP 172.31.55.108 and Elastic IP 54.66.202.9
- A public IP address is a dynamic address
- An Elastic IP address is a static address
- Both ENIs and EIPs can be remapped to a different instance
- EIPs can be remapped across AZs
(The Public, Private and Elastic IP addresses table from the EC2 Overview section is repeated here)

NAT for Public Addresses
- The instance's eth0 has private IP 172.31.32.63, associated with Public / Elastic IP 3.104.75.244
- Outbound: Src: 172.31.32.63 Dest: 54.23.86.101 becomes Src: 3.104.75.244 Dest: 54.23.86.101 at the Internet gateway
- Inbound: Src: 54.23.86.101 Dest: 3.104.75.244 becomes Src: 54.23.86.101 Dest: 172.31.32.63
- The Internet Gateway performs 1:1 NAT

Working with ENIs and IP Addresses

Private Subnets and Bastion Hosts
- Public Subnet Route Table: 172.31.0.0/16 → Local; 0.0.0.0/0 → igw-id
- Private Subnet Route Table: 172.31.0.0/16 → Local (no route to the Internet gateway)
- The instance in the public subnet has a Public IP; instances in the private subnet have only private IPs

NAT Gateways and NAT Instances Overview – NAT Gateways
- The NAT gateway is created in the public subnet and has an Elastic IP
- Main Route Table: 10.0.0.0/16 → Local; 0.0.0.0/0 → igw-id
- Private Route Table: 10.0.0.0/16 → Local; 0.0.0.0/0 → nat-gateway-id
- The NAT gateway ID must be specified in the private subnet RT

NAT Instances
- Must disable source/destination checks
- Uses a special AMI with the string "amzn-ami-vpc-nat" in the name
- The NAT instance is in the public subnet with an Elastic IP
- Main Route Table: 10.0.0.0/16 → Local; 0.0.0.0/0 → igw-id
- Private Route Table: 10.0.0.0/16 → Local; 0.0.0.0/0 → nat-instance-id
- The NAT instance ID must be specified in the private subnet RT
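The public and private subnet route tables and the 1:1 NAT the internet gateway performs, as an added example for this transcript (not Digital Cloud Training's or AWS's code). The CIDRs, target IDs and addresses are the constructed values from the diagrams; the longest-prefix-match rule, the association map and the result strings are this example's own, and it also covers the bastion-host case of a private subnet with no default route.

```python
# Route-table lookup and the 1:1 NAT performed by the internet gateway, as drawn in the
# subnet and NAT slides. Added example, not Digital Cloud Training's or AWS's code; the
# route tables and addresses are the constructed values from the diagrams.
import ipaddress

# Route tables from the slides: destination CIDR -> target
PUBLIC_RT = {"172.31.0.0/16": "local", "0.0.0.0/0": "igw-id"}
PRIVATE_RT = {"172.31.0.0/16": "local", "0.0.0.0/0": "nat-gateway-id"}
ISOLATED_RT = {"172.31.0.0/16": "local"}   # private subnet with no default route (bastion slide)

# Public/Elastic IP associations held by the IGW: private address -> public address
ASSOCIATIONS = {"172.31.32.63": "3.104.75.244"}


def next_hop(route_table, dest):
    """Most specific route wins (longest prefix match); None means no route."""
    best = None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if ipaddress.ip_address(dest) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def igw_forward(packet, associations=ASSOCIATIONS):
    """Apply the IGW's 1:1 NAT to a packet {src, dst}; None means the IGW drops it.

    Outbound: the private source is rewritten to its associated public address.
    Inbound: a public destination is rewritten back to the private address.
    """
    public_to_private = {pub: priv for priv, pub in associations.items()}
    if packet["src"] in associations:                       # outbound
        return {"src": associations[packet["src"]], "dst": packet["dst"]}
    if packet["dst"] in public_to_private:                  # inbound
        return {"src": packet["src"], "dst": public_to_private[packet["dst"]]}
    return None  # no public IP association: the IGW will not forward it


def internet_path(route_table, src, dst, associations=ASSOCIATIONS):
    """Describe how a packet from an instance leaves the VPC, or why it cannot."""
    hop = next_hop(route_table, dst)
    if hop == "local":
        return "delivered inside the VPC"
    if hop is None:
        return "no route: traffic stays in the VPC"
    if hop.startswith("igw-"):
        translated = igw_forward({"src": src, "dst": dst}, associations)
        return f"via IGW as {translated['src']}" if translated else "dropped at IGW: no public IP"
    return f"via {hop}"   # NAT gateway / NAT instance translates to its own Elastic IP
```

The two failure modes worth noticing are the instance in a public subnet that has no public or Elastic IP (the route exists, but the IGW has nothing to translate to) and the private subnet whose route table has only the local route, which is what keeps a bastion-fronted subnet off the Internet.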
NAT Instance vs NAT Gateway
- NAT Instance: Managed by you (e.g. software updates). NAT Gateway: Managed by AWS
- NAT Instance: Scale up (instance type) manually and use enhanced networking. NAT Gateway: Elastic scalability up to 45 Gbps
- NAT Instance: No high availability – scripted/auto-scaled HA possible using multiple NATs in multiple subnets. NAT Gateway: Provides automatic high availability within an AZ and can be placed in multiple AZs
- NAT Instance: Need to assign Security Group. NAT Gateway: No Security Groups
- NAT Instance: Can use as a bastion host. NAT Gateway: Cannot access through SSH
- NAT Instance: Use an Elastic IP address or a public IP address with a NAT instance. NAT Gateway: Choose the Elastic IP address to associate with a NAT gateway at creation
- NAT Instance: Can implement port forwarding through manual customisation. NAT Gateway: Does not support port forwarding

Private Subnet with NAT Gateway

EC2 Instance Lifecycle
- Launch (from an AMI): pending → running
- Reboot: rebooting → running
- Stop / Stop-Hibernate: stopping → stopped; Start: pending → running (relevant to EBS-backed volumes only)
- Terminate: shutting-down → terminated

EC2 Instance Lifecycle – Stopping EC2 instances
- EBS backed instances only
- No charge for stopped instances
- EBS volumes remain attached (chargeable)
- Data in RAM is lost
- Instance is migrated to a different host
- Private IPv4 addresses and IPv6 addresses retained; public IPv4 addresses released
- Associated Elastic IPs retained

EC2 Instance Lifecycle – Hibernating EC2 instances
- Applies to supported AMIs
- Contents of RAM saved to EBS volume
- Must be enabled for hibernation when launched
- Specific prerequisites apply
- When started (after hibernation):
  - The EBS root volume is restored to its previous state
  - The RAM contents are reloaded
  - The processes that were previously running on the instance are resumed
  - Previously attached data volumes are reattached and the instance retains its instance ID

EC2 Instance Lifecycle – Rebooting EC2 instances
- Equivalent to an OS reboot
- DNS name and all IPv4 and IPv6 addresses retained
- Does not affect billing

EC2 Instance Lifecycle – Retiring EC2 instances
- Instances may be retired if AWS detects irreparable failure of the underlying hardware that hosts the instance
- When an instance reaches its scheduled retirement date, it is stopped or terminated by AWS

EC2 Instance Lifecycle – Terminating EC2 instances
- Means deleting the EC2 instance
- Cannot recover a terminated instance
- By default, root EBS volumes are deleted

EC2 Instance Lifecycle – Recovering EC2 instances
- CloudWatch can be used to monitor system status checks and recover the instance if needed
- Applies if the instance becomes impaired due to underlying hardware / platform issues
- Recovered instance is identical to the original instance

Nitro Instances and Nitro Enclaves – AWS Nitro System
- Nitro is the underlying platform for the next generation of EC2 instances
- Support for many virtualized and bare metal instance types
- Breaks functions into specialized hardware with a Nitro Hypervisor
- Specialized hardware includes: Nitro cards for VPC; Nitro cards for EBS; Nitro for Instance Storage; Nitro card controller; Nitro security chip; Nitro hypervisor; Nitro Enclaves
- Improves performance, security and innovation:
  - Performance close to bare metal for virtualized instances
  - Elastic Network Adapter and Elastic Fabric Adapter
  - More bare metal instance types
  - Higher network performance (e.g. 100 Gbps)
  - High Performance Computing (HPC) optimizations
  - Dense storage instances (e.g. 60 TB)

AWS Nitro Enclaves
- Isolated compute environments
- Runs on isolated and hardened virtual machines
- No persistent storage, interactive access, or external networking
- Uses cryptographic attestation to ensure only authorized code is running
- Integrates with AWS Key Management Service (KMS)
- Protect and securely process highly sensitive data: personally identifiable information (PII), healthcare data, financial data, intellectual property data

Amazon EC2 Pricing Options
- On-Demand: Standard rate - no discount; no commitments; dev/test, short-term, or unpredictable workloads
- Reserved: 1 or 3-year commitment; up to 75% discount; steady-state, predictable workloads and reserved capacity
- Spot Instances: Get discounts of up to 90% for unused capacity. Can be terminated at any time
- Dedicated Instances: Physical isolation at the host hardware level from instances belonging to other customers; pay per instance
- Dedicated Hosts: Physical server dedicated for your use; socket/core visibility, host affinity; pay per host; workloads with server-bound software licenses
- Savings Plans: Commitment to a consistent amount of usage (EC2 + Fargate + Lambda); pay by $/hour; 1 or 3-year commitment

Amazon EC2 Billing
- Commercial Linux distros such as Red Hat EL and SUSE ES use hourly pricing: billed per hour; minimum of 1 hour
- Per-second billing is for Amazon Linux, Windows and Ubuntu in On-Demand, Reserved, and Spot forms: billed per second; minimum of 1 minute
- Volumes billed per second; minimum of 1 minute

Amazon EC2 Reserved Instances (RIs)
- Term is 1 or 3 years
- Can pay All Upfront, Partial Upfront, No Upfront
- Standard RI: Change AZ, instance size (Linux), networking type; use the ModifyReservedInstances API
- Convertible RI: Change AZ, instance size (Linux), networking type + change family, OS, tenancy, payment option; use the ExchangeReservedInstances API
- Tenancy: Default or Dedicated
- When the attributes of a used instance match the attributes of an RI the discount is applied
- Availability Zone scope: Reserves capacity in the specified AZ
- Region scope: Does not reserve capacity; discount applies to all AZs

Amazon EC2 On-Demand Capacity Reservations
- Reserve compute capacity for your Amazon EC2 instances in a specific Availability Zone
- Any duration can be specified
- Mitigates against the risk of being unable to get On-Demand capacity
- Does not require any term commitments and can be cancelled at any time
- When you create a Capacity Reservation, you specify: the Availability Zone in which to reserve the capacity; the number of instances for which to reserve capacity; the instance attributes, including the instance type, tenancy, and platform/OS

AWS Savings Plans
- Compute Savings Plan: 1 or 3-year; hourly commitment to usage of Fargate, Lambda, and EC2; any Region, instance family, size, tenancy and OS
- EC2 Savings Plan: 1 or 3-year; hourly commitment to usage of EC2 within a selected Region and instance family; any size, tenancy and OS

Amazon EC2 Spot Instances
- Spot Instance: One or more EC2 instances
- Spot Fleet: launches and maintains the number of Spot / On-Demand instances to meet specified target capacity
- EC2 Fleet: launches and maintains specified number of Spot / On-Demand / Reserved instances in a single API call
- Can define separate OD/Spot capacity targets, Spot price, instance types, and AZs
- 2-minute warning if AWS needs to reclaim capacity – available via instance metadata and CloudWatch Events

Spot Block
- Requirement: Uninterrupted for 1-6 hours
- Solution: Spot Block
- Pricing is 30% - 45% less than On-Demand

Dedicated Instances and Dedicated Hosts
- Enables the use of dedicated physical servers: Dedicated Instances X, Dedicated Hosts X
- Per instance billing (subject to a $2 per region fee): Dedicated Instances X
- Per host billing: Dedicated Hosts X
- Visibility of sockets, cores, host ID: Dedicated Hosts X
- Affinity between a host and instance: Dedicated Hosts X
- Targeted instance placement: Dedicated Hosts X
- Automatic instance placement: Dedicated Instances X, Dedicated Hosts X
- Add capacity using an allocation request: Dedicated Hosts X

Amazon EC2 Pricing Use Cases
- On-Demand: Developer working on a small project for several hours; cannot be interrupted
- Reserved
- Scheduled Reserved
- Spot Instances: Compute-intensive, cost-sensitive distributed computing; can withstand interruption
- Dedicated Instances
Steady-state, business critical, line-of-business application; Dedicated Hosts continuous demand © Digital Cloud Training | https://digitalcloud.training Amazon EC2 Pricing Use Cases On-Demand Reporting application, runs for 6 hours a day, 4 days per week Reserved Scheduled Reserved Database with per-socket licensing Spot Instances Dedicated Instances Security-sensitive application, requires dedicated hardware; Dedicated Hosts per-instance billing © Digital Cloud Training | https://digitalcloud.training Architecture Patterns – Amazon EC2 © Digital Cloud Training | https://digitalcloud.training Architecture Patterns – Amazon EC2 Requirement Solution Company needs to run a short batch Add the bash script to the user data of script to configure Amazon EC2 Linux the EC2 instances instances after they are launched A tightly coupled High Performance Launch EC2 instances in a single AZ in a Computing (HPC) workload requires cluster placement group and use an low-latency between nodes and Elastic Fabric Adapter (EFA) optimum network performance LoB application receives weekly bursts Use reserved instances for minimum of traffic and must scale for short required workload and then use Spot periods – need the most cost-effective instances for the bursts in traffic solution © Digital Cloud Training | https://digitalcloud.training Architecture Patterns - Amazon EC2 Requirement Solution A single instance application uses a Attach an Elastic IP address to the EC2 static public IP address. In the event of instance. Remap the EIP in the event of failure, the address must be remapped failure to a failover instance A fleet of Amazon EC2 instances run in Deploy NAT Gateways into multiple AZs private subnets across multiple AZs. 
and update route tables Company needs a redundant path to the internet A team of engineers must administer Deploy a bastion host in a public subnet EC2 instances in private subnets from and instruct the engineers to use the remote locations using SSH bastion host to “jump” to the instances in private subnets © Digital Cloud Training | https://digitalcloud.training Architecture Patterns - Amazon EC2 Requirement Solution An application uses several EC2 Launch the instances in a spread instances. Architect must eliminate the placement group across distinct risk of correlated hardware failures underlying hardware Application requires enhanced Choose an instance type that supports networking capabilities enhanced networking and ensure the ENA module is installed and ENA support is enabled Instance needs close to bare metal Use an AWS Nitro instance type performance, EFA, and high performance networking © Digital Cloud Training | https://digitalcloud.training SECTION 4 Elastic Load Balancing, and Auto Scaling © Digital Cloud Training | https://digitalcloud.training Scaling Up vs Scaling Out © Digital Cloud Training | https://digitalcloud.training Stateful vs Stateless Applications Stateless Stateful No “state” is Amazon stores recorded about information the user's session about activity Person checks a Person browses / weather website purchases on Amazon © Digital Cloud Training | https://digitalcloud.training Stateful vs Stateless Applications No data is stored on the web server, it is stateless eCommerce Application Database Server Application Server Web Server User The cart items are stored in cookies When the user purchases, the application on the computer layer processes the order and records the data in the database. 
This is stateful © Digital Cloud Training | https://digitalcloud.training Stateful vs Stateless Applications No data is stored on the web server, it is stateless eCommerce Application Database Server Application Server Web Server User The cart items are stored in cookies When the user purchases, the application on the computer layer processes the order and records the data in the database. This is stateful © Digital Cloud Training | https://digitalcloud.training Scalability and Elasticity: Scaling Up Web service Operating System © Digital Cloud Training | https://digitalcloud.training Scalability and Elasticity: Scaling Up Web service Scaling up means adding Operating System resources to the server © Digital Cloud Training | https://digitalcloud.training Scalability and Elasticity: Scaling Out Web service Web service Web service Operating System Operating System Operating System Web service Web service Web service Operating System Operating System Operating System © Digital Cloud Training | https://digitalcloud.training Scaling Up vs Out c5.xlarge, 4 vCPU, 8 GB RAM t2.micro, 1 vCPU, 1 GB RAM Scaling UP Scaling OUT © Digital Cloud Training | https://digitalcloud.training Which scaling model should be used? Scale UP EC2 with MySQL DB Scale OUT EC2 with Static Website © Digital Cloud Training | https://digitalcloud.training Amazon EC2 Auto Scaling © Digital Cloud Training | https://digitalcloud.training Amazon EC2 Auto Scaling Automatically launches and terminates instances Maintain availability and scale capacity Works with EC2, ECS, and EKS Integrates with many AWS services, including: CloudWatch for monitoring and scaling Elastic Load Balancing for distributing connections EC2 Spot Instances for cost optimization Amazon VPC for deploying instances across AZs © Digital Cloud Training | https://digitalcloud.training Amazon EC2 Auto Scaling 1. Automatic scaling 2. 
Maintaining availability Auto Scaling launches an extra instance Availability Zone Availability Zone Public subnet Public subnet Auto Scaling group EC2 Status Checks fail ASG replaces CloudWatch notifies failed instance Auto Scaling Metric reports Metrics Metrics Amazon CloudWatch CPU > 80% © Digital Cloud Training | https://digitalcloud.training Amazon EC2 Auto Scaling Scaling is horizontal (scales out) Provides elasticity and scalability Responds to EC2 status checks and CloudWatch metrics Can scale based on demand (performance) or on a schedule Scaling policies define how to respond to changes in demand © Digital Cloud Training | https://digitalcloud.training Configuration of an Auto Scaling Group A Launch Template Configure purchase options specifies the EC2 – On-demand vs instance configuration Spot Configure VPC Launch Template Launch Config and Subnets AMI and instance type AMI and instance type EBS volumes EBS volumes Attach Load Security groups Security groups Balancer Key pair Key pair IAM instance profile Purchasing option (e.g. Spot) User data IAM instance profile Configure health Shutdown behavior User data checks EC2 & ELB Termination protection Placement group name Capacity reservation Group size and Tenancy Launch Configurations are scaling policies Purchasing option (e.g. Spot) replaced by launch templates and have fewer features © Digital Cloud Training | https://digitalcloud.training Amazon EC2 Auto Scaling Health checks EC2 = EC2 status checks ELB = Uses the ELB health checks in addition to EC2 status checks Health check grace period How lon
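The Nitro Enclaves slide above says the enclave proves its identity to KMS through cryptographic attestation; the key policy is where that is enforced. The following is an added example, not Digital Cloud Training's or AWS's code: it builds a KMS key policy whose Decrypt/GenerateDataKey grant is conditioned on the enclave's PCR0 measurement (the value printed when the enclave image is built). The account ID, role names and the all-zero PCR0 are constructed placeholders.

```python
import json
import re

# Nitro Enclaves PCRs are SHA-384 digests: 48 bytes, i.e. 96 hex characters
_PCR_RE = re.compile(r"^[0-9a-fA-F]{96}$")


def is_valid_pcr(value: str) -> bool:
    """True if value looks like a PCR measurement from an enclave attestation document."""
    return bool(_PCR_RE.match(value))


def enclave_key_policy(key_admin_arn: str, parent_role_arn: str, pcr0: str) -> dict:
    """Build a KMS key policy in which the parent instance's role may call Decrypt /
    GenerateDataKey only when the request carries an attestation document whose PCR0
    (the enclave image measurement) equals the expected value. A plain call from the
    EC2 instance has no attestation document, so the condition fails and nothing allows it."""
    if not is_valid_pcr(pcr0):
        raise ValueError("PCR0 must be a 96-character hex SHA-384 digest")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # key management stays with the admin principal, not the instance role
                "Sid": "AllowKeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": key_admin_arn},
                "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                           "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                           "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                           "kms:CancelKeyDeletion"],
                "Resource": "*",
            },
            {   # the attestation condition key is only present on calls made from an enclave
                "Sid": "AllowUseOnlyFromAttestedEnclave",
                "Effect": "Allow",
                "Principal": {"AWS": parent_role_arn},
                "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
                "Resource": "*",
                "Condition": {
                    "StringEqualsIgnoreCase": {"kms:RecipientAttestation:PCR0": pcr0}
                },
            },
        ],
    }


if __name__ == "__main__":
    # constructed placeholders: replace with the real admin role, parent instance role and PCR0
    policy = enclave_key_policy("arn:aws:iam::111122223333:role/KeyAdmin",
                                "arn:aws:iam::111122223333:role/EnclaveParentInstance",
                                "00" * 48)
    print(json.dumps(policy, indent=2))
```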
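The two Auto Scaling behaviours on the slides above, automatic scaling on a CPU > 80% alarm and replacing instances whose status checks fail, interact with the health check grace period, the cooldown and the group's maximum size. This added example (not from the slides or from AWS) simulates those rules in a small model; instance IDs of the form i-simNNNN and the 300-second defaults are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Instance:
    instance_id: str
    launched_at: int          # seconds since the start of the simulation
    healthy: bool = True      # result of the EC2 status checks


@dataclass
class AutoScalingGroup:
    min_size: int
    max_size: int
    desired: int
    grace_period: int = 300   # health check grace period, seconds
    cooldown: int = 300       # seconds between scaling activities
    instances: list = field(default_factory=list)
    launched_total: int = 0
    last_scale_at: int = -10**9

    def launch(self, now: int) -> Instance:
        """Launch one instance (IDs are constructed, not real EC2 IDs)."""
        self.launched_total += 1
        inst = Instance(f"i-sim{self.launched_total:04d}", now)
        self.instances.append(inst)
        return inst

    def start(self, now: int = 0) -> None:
        """Bring the group up to its desired capacity."""
        while len(self.instances) < self.desired:
            self.launch(now)

    def replace_unhealthy(self, now: int) -> list:
        """Maintaining availability: replace instances failing status checks, but only
        after the grace period so an instance that is still booting is not terminated."""
        replaced = []
        for inst in list(self.instances):
            if not inst.healthy and now - inst.launched_at >= self.grace_period:
                self.instances.remove(inst)
                replaced.append(inst.instance_id)
                self.launch(now)          # keeps the group at its desired size
        return replaced

    def on_cpu_alarm(self, now: int, avg_cpu: float, threshold: float = 80.0) -> bool:
        """Automatic scaling: add one instance when the CloudWatch CPU alarm fires,
        respecting the maximum size and the cooldown between scaling activities."""
        if avg_cpu <= threshold or now - self.last_scale_at < self.cooldown:
            return False
        if self.desired >= self.max_size:
            return False                  # never exceed the group's maximum size
        self.desired += 1
        self.launch(now)
        self.last_scale_at = now
        return True
```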