AWS CPC Preparation

Services

EC2 (Elastic Compute Cloud)

Provides secure, resizable compute capacity. With EC2 you don’t have to purchase hardware or deal with datacenter maintenance. EC2 instances can be started or stopped within minutes whenever the customer wants.

You pay only when the instance is actually running, and cost is determined by instance type, AMI type, and region.

EC2 has multiple instance types

Pricing is separated into several types

EC2 is great at scalability. It has EC2 Auto Scaling which can automatically add or remove EC2 instances in response to application demand. If the demand starts hitting a threshold you specified, Auto Scaling will add new instances to keep up. This, of course, can be done in two different ways

You can even use these two scaling types together to scale faster. In an Auto Scaling Group you can set a minimum, desired, and maximum of instances.
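The following is an added example, not code from the original notes or from AWS: a small simulation of the dynamic scaling behaviour described above. A group watches one metric (average CPU is assumed), adds a step of capacity when the metric crosses the scale-out threshold, removes one when it drops below the scale-in threshold, and never leaves the min/max envelope regardless of what the metric says. The thresholds, step size and metric samples are constructed.

```python
"""Toy simulation of an EC2 Auto Scaling Group (added example, not AWS code).

Models dynamic scaling: when the observed metric crosses a threshold the group
adds or removes instances, but the running count is always clamped to the
group's min/max bounds. All numbers are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class AutoScalingGroup:
    min_size: int
    max_size: int
    desired: int
    scale_out_threshold: float   # average CPU % above which capacity is added (assumed metric)
    scale_in_threshold: float    # average CPU % below which capacity is removed
    step: int = 1                # instances added/removed per scaling action
    history: list = field(default_factory=list)

    def __post_init__(self):
        if not (self.min_size <= self.desired <= self.max_size):
            raise ValueError("desired capacity must lie within [min, max]")

    def evaluate(self, metric: float) -> int:
        """Apply one scaling decision for an observed metric value; return the new desired capacity."""
        if metric > self.scale_out_threshold:
            target = self.desired + self.step
        elif metric < self.scale_in_threshold:
            target = self.desired - self.step
        else:
            target = self.desired
        # The group never leaves the [min, max] envelope no matter what the metric says.
        self.desired = max(self.min_size, min(self.max_size, target))
        self.history.append((metric, self.desired))
        return self.desired


def run_simulation(samples, **group_settings):
    """Feed a sequence of metric samples through one group; return the capacity after each sample."""
    asg = AutoScalingGroup(**group_settings)
    return [asg.evaluate(m) for m in samples]


if __name__ == "__main__":
    # Constructed load pattern: a burst of high CPU followed by idle time.
    print(run_simulation([90, 90, 90, 90, 50, 10, 10, 10, 10],
                         min_size=2, max_size=5, desired=2,
                         scale_out_threshold=70, scale_in_threshold=30))
```

Run as a script it prints the capacity after each sample; the burst drives the group up to its maximum of 5 and holds it there, and the idle period brings it back down to the minimum of 2 but never below.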

The difference between user data and instance metadata is

A bastion host is an EC2 instance you can use to “jump through” and connect to databases inside VPCs.

EC2 has Instance Stores, which are temporary block-level storage. This is usually a physical disk attached to the host server, so when the EC2 instance is stopped that Instance Store is terminated and deleted. This is because EC2 instances may not start back up on the same host and would therefore lose access to the Instance Store. Elastic Block Store (EBS) volumes stay attached and accessible no matter how many times you start or stop an instance. They look like normal block-level disks to the guest OS. You can use EBS Snapshots to take incremental backups of EBS volumes. EBS volumes automatically replicate inside their Availability Zone to prevent data loss.

Elastic Load Balancing (ELB)

A single point of contact for all incoming web traffic. ELB will distribute incoming application traffic across multiple resources. It works incredibly well with EC2 Auto Scaling.

The default health check interval is 30 seconds. If a health check returns negative or times out, ELB will label the target group as OutOfService. The default timeout interval is 5 seconds.

If your applications are hosted on EC2 Classic, you’re going to need Classic Load Balancer (which appears to just be ELB. I dunno, ACloudGuru practice tests are weird).

Legacy Load Balancer: If applications are hosted on ELD

Lambda

Lambda lets you run code in a truly serverless fashion. You upload code to Lambda and set triggers, which can be anything from events from other AWS services, mobile applications, or HTTP endpoints. When triggered Lambda will run your code.

With Lambda you only pay for the amount of time your computing took. I think it’s calculated by the millisecond.

Container Based Systems

There are a few different container systems offered by AWS

RDS

Multi-AZ allows better availability

Multi-AZ is for High Availability, whereas Read Replicas are for performance. Technically Read Replicas will fail over allowing for high availability but the difference is in replication.

Read Replicas replicate asynchronously

Multi-AZ databases replicate synchronously

Simple Storage Service (S3)

Object level storage that stores data as objects in buckets. You can upload any file type with no overall storage limit, however individual files must be under 5TB.

You can set permission controls on files to control visibility and access.

You can set Bucket Policies to control visibility and access of buckets.

S3 has versioning to track changes to your objects over time.

S3 has a range of storage classes that can be selected based on how often you plan to retrieve your data and how available you need your data to be

Reports can be delivered to an S3 bucket. The “master account” must own the bucket. The reports can then be ingested into something like Amazon Athena.

Identity and Access Management (IAM)

Controls permissions for access to AWS services and APIs. IAM roles can be applied to users, security groups, and even things like EC2 instances.

IAM Users are identities that represent people that are signing in. You need to add permissions to users as they have none by default.

IAM Policy is a document that enables or disables the actual permission for resources.

IAM Groups are collections of IAM users that let you easily assign the same set of permissions to multiple users.

IAM Roles are identities you can assume temporarily to access permissions.

IAM supports Multi-factor Authentication for user sign in.
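To make the IAM Policy and S3 Bucket Policy paragraphs concrete, here is an added example (my own code, not AWS's evaluation engine and not from the original notes) that applies the three rules every policy decision comes down to: everything is denied by default, a matching Allow grants access, and an explicit Deny anywhere overrides every Allow. For a request made within one account, AWS evaluates the caller's identity policy and the bucket policy together, which is what `is_allowed` models. Principal and Condition elements are ignored for simplicity; the policy documents, bucket name and object keys are constructed.

```python
"""Simplified IAM policy evaluation (added example, not AWS's own logic).

Default deny; any matching Allow grants; any matching explicit Deny wins.
Principal and Condition elements are deliberately not modelled.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single one.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one (action, resource) request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt.get("Action", []), action):
                continue
            if not _matches(stmt.get("Resource", []), resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit deny ends the evaluation immediately
            decision = "Allow"
    return decision


def is_allowed(policies, action, resource):
    return evaluate(policies, action, resource) == "Allow"


# Constructed identity policy: read-only access to one bucket and its objects.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports",
                      "arn:aws:s3:::example-reports/*"]},
    ],
}

# Constructed bucket policy: nothing under the 'secrets/' prefix may be touched,
# no matter what an identity policy says.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-reports/secrets/*"},
    ],
}

if __name__ == "__main__":
    both = [IDENTITY_POLICY, BUCKET_POLICY]
    for action, key in [("s3:GetObject", "q1.csv"),
                        ("s3:GetObject", "secrets/keys.txt"),
                        ("s3:PutObject", "q1.csv")]:
        print(action, key, "->", evaluate(both, action, f"arn:aws:s3:::example-reports/{key}"))
```

The third request in the script (`s3:PutObject`) shows the default: no statement mentions it, so it is implicitly denied even though nothing explicitly forbids it. That is why users start with no permissions until a policy is attached.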

Shield

AWS Shield is a DDoS prevention service. It has two levels of protection

CloudWatch

You can set alarms that will automatically perform actions based on metrics.

You can also configure multiple dashboards and readings.

CloudTrail Insights

Automatically detects unusual API activity in your AWS account.

AWS Snow Family

A collection of physical devices used for physically transporting exabytes of data in and out of the AWS Cloud. It includes

Networking

AWS Virtual Private Cloud (VPC) allows you to provision isolated sections of the AWS Cloud. Inside of VPCs are Subnets, which are sections of a VPC that can contain resources such as EC2 instances.

A VPC must have an Internet Gateway to allow external public traffic to access your resources. If you just want access from private resources, you can use a Virtual Private Gateway.

Virtual Private Gateway

This allows protected internet traffic to enter the VPC through use of a VPN connection between the VPC and a private network, such as an on-premises datacenter or internal corporate network.

Route53

Can provide different content for different geographical regions.

External nameservers have a default TTL (time to live) of 24 hours, meaning that AWS Route53 hosted zone changes can take 24 to 48 hours to propagate globally.

Route53 has various routing policies

Web Application Firewall (WAF)

Uses web ACLs to define specific rules to block incoming traffic.

AWS Direct Connect

This is a dedicated private connection between your datacenter and a VPC. It’s specifically built for high bandwidth, low latency operation and can help reduce network costs.

Network Access Control List (ACL)

Every packet that crosses subnets gets checked against a network ACL to see if it has permission to leave or enter. To control instance level security you use Security Groups.

Security Groups

Every EC2 instance automatically comes with a security group which blocks all incoming access. The difference between Security Groups and network ACLs is that Security Groups are stateful while network ACLs are not. Security Groups, by default, allow all return traffic. Network ACLs are stateless and make no special allowance for return traffic; they still check every packet.
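The stateful/stateless distinction is the one that trips people up, so here is an added example (my own simulation, not AWS code and not from the original notes) of a web server answering a client. The security group only needs an inbound rule for port 443: it remembers the accepted connection and lets the reply out. The network ACL judges the reply packet on its own, so unless the subnet has an outbound rule for the client's ephemeral port range the reply is dropped. Addresses, ports and rules are constructed; security group outbound rules are omitted to isolate the return-traffic behaviour.

```python
"""Stateful security group vs. stateless network ACL (added example, not AWS code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    direction: str      # "inbound" or "outbound" relative to the instance / subnet


class SecurityGroup:
    """Stateful: allow rules only; the reply to an accepted flow is allowed automatically."""

    def __init__(self, inbound_ports):
        self.inbound_ports = set(inbound_ports)
        self._tracked = set()   # (client_ip, server_ip) pairs of accepted connections

    def allows(self, pkt: Packet) -> bool:
        if pkt.direction == "inbound":
            if pkt.dst_port in self.inbound_ports:
                self._tracked.add((pkt.src_ip, pkt.dst_ip))
                return True
            return False
        # Outbound: allowed when it is the return leg of a tracked inbound connection.
        return (pkt.dst_ip, pkt.src_ip) in self._tracked


class NetworkAcl:
    """Stateless: numbered rules evaluated in order, first match wins, implicit deny at the end."""

    def __init__(self, rules):
        # rules: list of (rule_number, direction, (low_port, high_port), action)
        self.rules = sorted(rules)

    def allows(self, pkt: Packet) -> bool:
        for _, direction, (lo, hi), action in self.rules:
            if direction == pkt.direction and lo <= pkt.dst_port <= hi:
                return action == "allow"
        return False    # the final '*' rule of every network ACL denies everything else


# Constructed traffic: a client on the internet talking to a server in the subnet.
CLIENT, SERVER = "203.0.113.10", "10.0.1.5"
REQUEST = Packet(CLIENT, SERVER, 443, "inbound")
REPLY = Packet(SERVER, CLIENT, 51234, "outbound")   # reply goes to the client's ephemeral port


def security_group_verdicts():
    """(request allowed?, reply allowed?) for a group with only an inbound 443 rule."""
    sg = SecurityGroup(inbound_ports=[443])
    return sg.allows(REQUEST), sg.allows(REPLY)


def nacl_verdicts(with_ephemeral_rule: bool):
    """Same two packets through a network ACL, with or without an outbound ephemeral-port rule."""
    rules = [(100, "inbound", (443, 443), "allow")]
    if with_ephemeral_rule:
        rules.append((100, "outbound", (1024, 65535), "allow"))
    return NetworkAcl(rules).allows(REQUEST), NetworkAcl(rules).allows(REPLY)


if __name__ == "__main__":
    print("security group:", security_group_verdicts())
    print("network ACL without ephemeral rule:", nacl_verdicts(False))
    print("network ACL with ephemeral rule:   ", nacl_verdicts(True))
```

Note that the first network ACL case accepts the request and then silently drops the reply: from the client's point of view the connection simply hangs, which is the classic symptom of a missing ephemeral-port rule.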

VPC Peering

Two VPCs in different regions can share traffic between each other.

Used to replicate data geographically.

Still uses AWS backbone infrastructure.

Processes

Regions

Regions are geographically distinct groups of datacenters. Service prices and availability can vary per region depending on what physical hardware AWS has set up.

Regions contain multiple Availability Zones. They’re close enough to have low latency but far enough to reduce the chances that multiple are affected by disasters.

Plan for failure and deploy your application to multiple instances across multiple availability zones.

Amazon CloudFront can store cached copies of your static content in Edge Locations to increase customer access speed.

AWS Well-Architected

Well-Architected is a framework and AWS Console tool that can help customers operate with best practices.

The pillars of the Well-Architected framework are

When building cloud-based systems you want to

A monolithic application would be made with tightly coupled components. If a single component fails, so does the entire application.

With a microservices approach, components are loosely coupled and if a single component fails, the rest of them continue to work.

Right-Sizing

Right-sizing means selecting the best services and infrastructure that will run your environment for the lowest cost. It sounds like a no-brainer but matching instance types and sizes to your workload and capacity requirements is often overlooked.

It also means looking at deployed resources and asking what can be eliminated or downsized without compromising capacity or other requirements.

Shared Responsibility Model

AWS is responsible for protecting the infrastructure that runs the services.

The customer is responsible for what they use the services for. How far this goes depends on the service: in the case of EC2 the customer is responsible for guest OS patches and security, while in the case of Aurora they are only responsible for network rules and database security.

Multi-factor Authentication

Forces people to verify their identity with multiple separate pieces of information. Often this is a password plus a randomized code delivered through email, SMS, or an authenticator application.
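The randomized code an authenticator application shows is a time-based one-time password. As an added example (my own code, not from the original notes and not AWS's implementation), the block below builds TOTP (RFC 6238) on top of HOTP (RFC 4226) with the standard library only: an HMAC-SHA1 over the 30-second time step, dynamic truncation, six digits, and a verifier that tolerates one step of clock drift and compares in constant time. The secret is the RFC test-vector secret, not a real key.

```python
"""TOTP as used by authenticator apps (added example, standard library only)."""
import hashlib
import hmac
import struct
import time

SECRET = b"12345678901234567890"   # RFC 4226/6238 test-vector secret, not a real key
DIGITS = 6
PERIOD = 30


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter) -> dynamic truncation -> zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = PERIOD, digits: int = DIGITS) -> str:
    """RFC 6238: the HOTP counter is the number of whole periods elapsed since the Unix epoch."""
    return hotp(secret, unix_time // period, digits)


def verify(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step and up to `window` steps either side (clock drift).
    hmac.compare_digest keeps the comparison constant-time so a timing difference
    cannot reveal how many leading digits were correct."""
    step = unix_time // PERIOD
    return any(
        hmac.compare_digest(hotp(secret, step + delta), submitted)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(SECRET, now))
    print("accepted:", verify(SECRET, totp(SECRET, now), now))
```

With the RFC test secret the code for Unix time 59 is 287082 and the HOTP value for counter 0 is 755224, which is how you check an implementation against the published vectors. The same code is rejected two steps later, so a captured code is only useful for about a minute, which is the point of the second factor.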

AWS Organizations

Helps organize multiple AWS accounts for the same company. AWS accounts are free and disposable, so separating divisions, teams, projects, and more into their own AWS accounts is a good idea.

Organizations allow you to centrally control permissions for accounts in your org using Service Control Policies (SCPs). These allow you to place restrictions on the AWS services, resources, and API endpoints that users and roles can access.

You can drill down and group accounts into Organizational Units (OUs) to manage similar accounts. OUs can be assigned policies to block AWS services that don’t meet certain regulatory requirements. OUs can only have a single parent.
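Here is an added example (my own model, not AWS code and not from the original notes) of how SCPs attached to OUs combine. An SCP never grants anything; it caps what the identities in an account can use, and because every OU has exactly one parent there is a single path from an account up to the root. An action survives only if every SCP on that path allows it and none denies it. The tree, the OU names and the denied services are constructed; `FullAWSAccess` style allow-all statements are shown because an OU with no Allow would cut off everything beneath it.

```python
"""Service control policy inheritance down an Organizations tree (added example)."""
from fnmatch import fnmatchcase

# Constructed tree: node -> parent (None for the root). Each OU has exactly one parent.
TREE = {
    "root": None,
    "ou-workloads": "root",
    "ou-regulated": "ou-workloads",
    "acct-payments": "ou-regulated",
    "acct-sandbox": "ou-workloads",
}

# Constructed SCPs attached at each node. The allow-all statements mirror the
# default FullAWSAccess SCP; the Deny statements are the guardrails of interest.
SCPS = {
    "root": [{"Effect": "Allow", "Action": "*"}],
    "ou-workloads": [{"Effect": "Allow", "Action": "*"}],
    "ou-regulated": [
        {"Effect": "Allow", "Action": "*"},
        # Services assumed not to be cleared for this regulated OU (constructed choice).
        {"Effect": "Deny", "Action": ["sagemaker:*", "comprehend:*"]},
        # Nobody in a regulated account may switch the audit trail off.
        {"Effect": "Deny", "Action": "cloudtrail:StopLogging"},
    ],
    "acct-payments": [{"Effect": "Allow", "Action": "*"}],
    # The sandbox account's own SCP lists only the services it may use.
    "acct-sandbox": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*", "cloudtrail:*"]}],
}


def path_to_root(node):
    """Account -> its OU -> ... -> root; unique because each OU has one parent."""
    path = []
    while node is not None:
        path.append(node)
        node = TREE[node]
    return path


def _matches(patterns, action):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatchcase(action, p) for p in patterns)


def level_allows(statements, action):
    """One node permits an action only if some Allow matches and no Deny matches."""
    denied = any(s["Effect"] == "Deny" and _matches(s["Action"], action) for s in statements)
    allowed = any(s["Effect"] == "Allow" and _matches(s["Action"], action) for s in statements)
    return allowed and not denied


def scp_permits(account, action):
    """The action is available in the account only if every level on the path permits it."""
    return all(level_allows(SCPS.get(node, []), action) for node in path_to_root(account))


if __name__ == "__main__":
    for acct, action in [("acct-payments", "s3:GetObject"),
                         ("acct-payments", "sagemaker:CreateNotebookInstance"),
                         ("acct-payments", "cloudtrail:StopLogging"),
                         ("acct-sandbox", "cloudtrail:StopLogging")]:
        print(acct, action, "->", scp_permits(acct, action))
```

Even if an administrator in `acct-payments` attaches an identity policy allowing `cloudtrail:StopLogging`, the action stays unavailable because the OU-level SCP denies it; identity policies are evaluated inside the boundary the SCPs leave, never outside it. The sandbox account, which sits under a different OU, is not subject to that guardrail.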

Compliance Reports

AWS Artifact Agreements let you sign agreements with AWS regarding use of certain types of information throughout AWS services. AWS Artifact Reports can provide compliance reports from third-party auditors. These prove that AWS is in compliance with regulatory standards.

Penetration Testing

The Customer Service Policy for Penetration Testing will tell you that customers are welcome to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for EC2 instances, NAT gateways, ELBs, “and 7 other services”.

Theory

Benefits of the cloud

AWS Cloud Adoption Framework (CAF)

CAF has 6 areas of focus, called Perspectives

There are 6 strategies for migrating to the cloud

  1. Rehosting: moving applications without changing
  2. Replatforming: make a few optimizations and move
  3. Refactoring/re-architecting: reimagining how application is architected using cloud-native features
  4. Repurchasing: moving from traditional license to a software-as-a-service model
  5. Retaining: keeping mission-critical applications in the source environment
  6. Retiring: removing applications that are no longer needed

Pricing

With AWS you pay for what you use.

Some services have a reservation system. There are also some volume-based discounts.

AWS Free Tier has a few different options, Always Free, 12 Months Free, and Trials.

The 12 Months Free option covers the 12 months after you first sign up, during which you get some additional free services.

AWS Pricing Calculator

The Pricing Calculator lets you explore services and their prices in a way that lets you set basic use cases to match your situation.

AWS Billing & Cost Management Dashboard

Monitor and analyze your costs

Consolidated Billing

Consolidate billing from multiple accounts using AWS Organizations.

Using this you can share bulk discount pricing, Savings Plans, and Reserved Instances across your organization.

Support Plans

AWS offers multiple support plans

Trusted Advisor

Has multiple categories:

Technical Account Manager

With an Enterprise support plan you get a Technical Account Manager that is your primary point of contact.

They can provide expertise across the full range of AWS services and help design solutions to match your use-case.