
Upload: vonhan

Post on 16-Jul-2019


Page 1: piermick.files.wordpress.com · Web viewNote: Inbound SSH traffic will always be on port 22. However, outbound SSH traffic can use “ephemeral” ports - which include TCP ports


Notes on: AWS Essentials: 0 -> 2) IAM
Just a place to put some notes on the “AWS Essentials” course from https://linuxacademy.com
BTW: This is an excellent course. If you want/need to learn about ‘AWS Essentials’ I’d highly recommend taking it!

0) Project Omega!
https://www.lucidchart.com/documents/view/703f6119-4838-4bbb-bc7e-be2fb75e89e5/0

Image: Project Omega

1) Account Basics
1.1) AWS Free Tier
https://aws.amazon.com
https://aws.amazon.com/free

AWS Free Tier: 12 Months Free
Important: Beware of the usage limits of AWS Free Tier. If you exceed these limits you will be paying for services.

1.2) Create an AWS Account
You will need a valid credit card to create an account. As long as you don’t exceed the AWS Free Tier limits, you won’t be charged.

1.3) AWS Documentation
https://aws.amazon.com/documentation/

2) Identity & Access Management (IAM)

2.1) What is IAM?
IAM (Identity & Access Management) is where you manage your AWS users and their access to AWS accounts and services.

The user created when you created the AWS account is called the “root” user.
By default, any new users you create in the AWS account are created with NO access to any AWS services.

Image: Services -> Security, Identity & Compliance

2.2) IAM Initial Setup and Configuration
- Delete your root access keys
- Activate MFA on your root account
- Create individual IAM users
- Use groups to assign permissions
- Apply an IAM password policy

Image: IAM Best Practices

MFA = Multi-Factor Authentication
Two options to get an MFA code:
i) Virtual MFA Device: App on a smartphone or tablet, like Google Authenticator
ii) Hardware Key Fob: Order it directly from AWS

Image: Manage MFA

Image: Manage Users

AWS best practice is to NEVER use your root account for day-to-day use.

Image: Password Policy Options

Image: Security Status: Green

2.3) Example IAM role:
Create role:
Step 1: Select role type = Amazon EC2
Step 2: Establish Trust (skipped)
Step 3: Attach policy = AmazonS3FullAccess

Step 4: Set role name (EC2) and review

Think of role as a group for other AWS services.

Image: EC2 role allows EC2 instances to call AWS services on your behalf

Image: IAM Resources

2.6) Quiz: IAM Essentials
T: IAM is where you manage your AWS users and their access to AWS features and services.

Q: If you want to grant S3 access to an EC2 instance, what should you do?
A: Create an EC2 Role and attach an S3 access policy to it.

T: Multi-Factor Authentication (MFA) is an important part of account security that should be set on your “root” account.

Q: If a user has access to S3 through a group with an S3 policy attached, what happens if that user is removed from the group?
A: The user no longer has access to S3.

Q: IAM policies can be directly attached to?
A: Roles, Users, Groups
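
The quiz answers above (a user loses S3 access the moment they leave the group, policies attach to roles, users and groups, a brand-new user can do nothing) all follow from how identity-based policies combine. The Python below is an added example written for these notes, not AWS code or course material: it models a small directory of users, groups and roles, evaluates requests with the usual deny-overrides rule, and includes the trust policy that the “Establish Trust” step in 2.3 skipped. Every policy document, user name, group name and ARN is constructed; the full-access policy copies the shape of AmazonS3FullAccess but is written here by hand, and the read-only policy is a least-privilege alternative to it.

```python
"""Simplified model of how IAM identity-based policies combine (added example,
not AWS code). A user's effective policies are those attached directly plus those
of every group they belong to; a role carries its own policies plus a trust policy
naming who may assume it. Evaluation: an explicit Deny wins over any Allow; with
no matching Allow the request is implicitly denied. All sample data is constructed."""
import copy
import fnmatch
import json

# Constructed policy documents in the IAM JSON syntax.
S3_FULL_ACCESS = {  # hand-written copy of the shape of the managed AmazonS3FullAccess policy
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}
S3_READ_ONE_BUCKET = {  # least-privilege alternative: read a single (constructed) bucket only
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}
DENY_S3_DELETE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}],
}
# Trust policy for the "Amazon EC2" role type (the "Establish Trust" step): lets EC2 assume the role.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Constructed directory: users with group membership, groups, and roles (all names hypothetical).
DIRECTORY = {
    "users": {
        "alice": {"groups": ["s3-admins"], "policies": [DENY_S3_DELETE]},
        "bob": {"groups": [], "policies": []},   # a freshly created IAM user: no access at all
    },
    "groups": {"s3-admins": {"policies": [S3_FULL_ACCESS]}},
    "roles": {"EC2": {"trust": EC2_TRUST_POLICY, "policies": [S3_READ_ONE_BUCKET]}},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    # Action names are case-insensitive and may carry '*' wildcards; resources are ARN patterns.
    action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
    resource_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
    return action_ok and resource_ok


def evaluate(policies, action, resource):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request."""
    decision = "implicit_deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"      # a matching Deny always wins, stop here
            decision = "allow"
    return decision


def user_policies(name, directory):
    """Effective policies of a user: attached directly plus inherited from every group."""
    user = directory["users"][name]
    policies = list(user["policies"])
    for group in user["groups"]:
        policies.extend(directory["groups"][group]["policies"])
    return policies


def role_policies(name, directory):
    return list(directory["roles"][name]["policies"])


def remove_from_group(user, group, directory):
    """Return a copy of the directory with the user taken out of the group."""
    new_dir = copy.deepcopy(directory)
    new_dir["users"][user]["groups"].remove(group)
    return new_dir


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print("alice GetObject:", evaluate(user_policies("alice", DIRECTORY), "s3:GetObject", obj))
    print("alice DeleteObject:", evaluate(user_policies("alice", DIRECTORY), "s3:DeleteObject", obj))
    without_group = remove_from_group("alice", "s3-admins", DIRECTORY)
    print("alice after leaving s3-admins:", evaluate(user_policies("alice", without_group), "s3:GetObject", obj))
    print("EC2 role trust policy:", json.dumps(DIRECTORY["roles"]["EC2"]["trust"], indent=2))
```

Run it directly to print the decisions. Note that the EC2 role in the model gets only the one bucket it needs rather than AmazonS3FullAccess; that is the least-privilege habit the setup checklist in 2.2 is driving at, and the explicit Deny on alice shows why a Deny attached anywhere still wins over a group's Allow.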

Notes on: AWS Essentials: 3) VPC
Just a place to put some notes on the “AWS Essentials” course from https://linuxacademy.com

3) Virtual Private Cloud (VPC)
3.1) AWS Global Infrastructure
https://aws.amazon.com/about-aws/global-infrastructure/

3.2) VPC Basics
Image: Networking & Content Delivery -> VPC

AWS Definition: “Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets and configuration of route tables and network gateways.”

Note: When you create an AWS account, a “default” VPC is created for you, including the standard components that are needed to make it functional:
1) Internet Gateway (IGW)
2) A route table (with predefined routes to the default subnets)
3) A Network Access Control List (with predefined rules for access)
4) Subnets to provision AWS resources in (such as EC2)

3.3) Internet Gateways (IGW)
AWS Definition: “An Internet gateway is a horizontally scaled, redundant and highly available VPC component that allows communication between instances in your VPC and the Internet. It therefore imposes no availability risks or bandwidth constraints on your network traffic.”

Image: Default Gateway

IGW rules you need to know:
1) Only 1 IGW can be attached to a VPC at a time.
2) An IGW cannot be detached from a VPC while there are active AWS resources in the VPC (such as an EC2 instance or RDS Database).

3.4) Route Tables (RTs)
AWS Definition: “A route table contains a set of rules - called routes - that are used to determine where network traffic is directed.”

Image: “Default” VPC already has a “main” route table

Note: Status = “Black Hole” means data is going nowhere.

Route table rules you need to know:
1) Unlike an IGW, you can have multiple “active” route tables in a VPC.
2) You cannot delete a route table if it has “dependencies” (associated subnets).

3.5) Network Access Control Lists (NACLs)
AWS Definition: “A network access control list (NACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.”

Note: Your “default” VPC already has a NACL in place and associated with the default subnets.

Inbound & Outbound Rules:
(1) Rules are evaluated based on “Rule #” from lowest to highest.
(2) The first rule evaluated that applies to the traffic gets immediately applied and executed.
(3) For the “default” NACL, ALL Traffic is allowed (both inbound/outbound).

Image: “Default” NACL with ‘ALL Traffic’ allowed in and out

(4) “New” NACL: When you create a new NACL, ALL Traffic is DENIED by default.

Note: Inbound SSH traffic will always be on port 22. However, outbound SSH traffic can use “ephemeral” ports - which include TCP ports 1024-65535. To prevent connectivity issues with EC2 instances, allow all port ranges on NACL outbound rules.

(5) A subnet can only be associated with ONE NACL at a time.
(6) A NACL allows or denies traffic from entering a subnet. Once inside the subnet, other AWS resources (e.g. EC2 instances) may have an additional layer of security (security groups).
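
The ephemeral-port note and rules (1) to (6) above describe a stateless, ordered, first-match evaluation. The Python below is an added example (not AWS code or course material) that models that evaluation over constructed rule sets and addresses and checks the exact failure the note warns about: an outbound rule that allows only port 22 blocks the SSH reply to the client's ephemeral port, while a 1024-65535 outbound rule lets the session complete. It also shows why rule numbering matters. The NaclRule class, the rule sets and the 198.51.100.x / 203.0.113.x addresses are all constructed for the example.

```python
"""Model of NACL rule evaluation (added example, not AWS code): rules are tried in
ascending rule number, the first one that matches the traffic decides, and the
trailing '*' rule denies anything left over. Rules and traffic are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EPHEMERAL = (1024, 65535)   # the port range the note above cites for return traffic


@dataclass(frozen=True)
class NaclRule:
    number: int          # rule number; lower is evaluated first
    protocol: str        # "tcp", "udp", "icmp" or "all"
    ports: tuple         # (from, to); ignored when protocol == "all"
    cidr: str            # source (inbound) or destination (outbound) range
    action: str          # "allow" or "deny"


def evaluate(rules, protocol, port, address):
    """First matching rule wins; no match at all means the implicit '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if rule.protocol != "all" and not rule.ports[0] <= port <= rule.ports[1]:
            continue
        if ip_address(address) not in ip_network(rule.cidr):
            continue
        return rule.action
    return "deny"


def ssh_session_ok(inbound, outbound, client_ip, client_port):
    """An SSH session needs the client's packet in on 22 AND the reply out to the
    client's ephemeral port; a NACL is stateless, so both directions are checked."""
    request = evaluate(inbound, "tcp", 22, client_ip)
    reply = evaluate(outbound, "tcp", client_port, client_ip)
    return request == "allow" and reply == "allow"


# The "default" NACL: rule 100 allows all traffic in both directions.
DEFAULT_INBOUND = [NaclRule(100, "all", (0, 65535), "0.0.0.0/0", "allow")]
DEFAULT_OUTBOUND = [NaclRule(100, "all", (0, 65535), "0.0.0.0/0", "allow")]

# A freshly created NACL has no numbered rules: only the '*' deny applies.
NEW_NACL = []

# Custom NACL, first attempt: SSH in on 22 and (the mistake) only port 22 out.
SSH_INBOUND = [NaclRule(100, "tcp", (22, 22), "0.0.0.0/0", "allow")]
OUTBOUND_ONLY_22 = [NaclRule(100, "tcp", (22, 22), "0.0.0.0/0", "allow")]
# Corrected outbound rule: allow the ephemeral range so replies can leave the subnet.
OUTBOUND_EPHEMERAL = [NaclRule(100, "tcp", EPHEMERAL, "0.0.0.0/0", "allow")]

# Rule numbering matters: deny one /24 before the broad allow...
ORDERED = [NaclRule(100, "tcp", (22, 22), "203.0.113.0/24", "deny"),
           NaclRule(200, "tcp", (22, 22), "0.0.0.0/0", "allow")]
# ...but with the numbers swapped the allow is hit first and the deny is never reached.
MISORDERED = [NaclRule(200, "tcp", (22, 22), "203.0.113.0/24", "deny"),
              NaclRule(100, "tcp", (22, 22), "0.0.0.0/0", "allow")]

if __name__ == "__main__":
    print("default NACL, SSH in:", evaluate(DEFAULT_INBOUND, "tcp", 22, "198.51.100.7"))
    print("new NACL, SSH in:", evaluate(NEW_NACL, "tcp", 22, "198.51.100.7"))
    print("outbound only 22, session ok:", ssh_session_ok(SSH_INBOUND, OUTBOUND_ONLY_22, "198.51.100.7", 51234))
    print("outbound ephemeral, session ok:", ssh_session_ok(SSH_INBOUND, OUTBOUND_EPHEMERAL, "198.51.100.7", 51234))
    print("ordered, from 203.0.113.5:", evaluate(ORDERED, "tcp", 22, "203.0.113.5"))
    print("misordered, from 203.0.113.5:", evaluate(MISORDERED, "tcp", 22, "203.0.113.5"))
```

The ssh_session_ok check is the part worth keeping in mind when troubleshooting: a security group would remember the inbound connection and let the reply out, a NACL will not, so the outbound side has to be written explicitly.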

3.6) Subnets
AWS Definition: “When you create a VPC, it spans all of the Availability Zones in the region. After creating a VPC, you can add one or more subnets in each Availability Zone. Each subnet must reside entirely within one Availability Zone and cannot span zones.”

Image: Default subnets, one in each availability zone*

*I’m using location = London, and as we see from the below there are currently two Availability Zones for London.

Image: Region & Number of Availability Zones: Europe -> London

(1) Subnets MUST be associated with a route table.
(2) A PUBLIC subnet HAS a route to the Internet.
(3) A PRIVATE subnet does NOT have a route to the Internet.
(4) A subnet is located in ONE specific Availability Zone.

3.7) Availability Zones (VPC Specific)
AWS Definition: “When you create a VPC, it spans all of the Availability Zones in the region. After creating a VPC, you can add one or more subnets in each Availability Zone. Each subnet must reside entirely within one Availability Zone and cannot span zones.”

Availability Zones are distinct locations that are engineered to be isolated from failures in other Availability Zones. By launching instances in separate Availability Zones, you can protect your applications from the failure of a single location.

High Availability: Creating your architecture in such a way that your “system” is always available (or has the least amount of downtime possible).

Fault Tolerant: The ability of your “system” to withstand failures in one (or more) of its components and still remain available.

3.8) Quiz: VPC Essentials
Q: What is the proper structure of AWS Global Infrastructure?
A: Regions -> Availability Zones -> Data Centers -> AWS Services

T: A VPC is your private, logically isolated section of AWS.

T: Route Tables are what direct the flow of traffic between resources within a VPC.

Q: Availability Zones allow for this type of cloud architecture?
A: Highly available and fault tolerant architecture.

T: An Internet Gateway MUST be attached to a VPC for AWS resources, such as an EC2 instance, to have access to the Internet.

Q: What is the security layer that allows/denies data from entering or exiting a subnet?
A: Network Access Control List (NACL)

Q: VPC is an abbreviation for:
A: Virtual Private Cloud

AWS VPC Dashboard -> Network ACL: List of Inbound/Outbound Rule Type/Protocol/Port Range
Image: AWS VPC Dashboard -> Network ACL: Adding Rules

Table of Type, Protocol and Port Range

Type                 | Protocol       | Port Range
---------------------+----------------+-------------
Custom TCP Rule      | TCP (6)        | 0 to 65535
Custom UDP Rule      | UDP (17)       | 0 to 65535
Custom ICMP Rule     | ICMP (1)       | {APPENDIX A}
Custom Protocol Rule | {APPENDIX B}   |
ALL TCP              | TCP (6)        | ALL
ALL UDP              | UDP (17)       | ALL
ALL ICMP - IPv4      | ICMP (1)       | ALL
ALL ICMP - IPv6      | IPv6-ICMP (58) | ALL
ALL Traffic          | ALL            | ALL
SSH (22)             | TCP (6)        | 22
telnet (23)          | TCP (6)        | 23
SMTP (25)            | TCP (6)        | 25
nameserver (42)      | TCP (6)        | 42
DNS (UDP) (53)       | UDP (17)       | 53
DNS (TCP) (53)       | TCP (6)        | 53
HTTP (80)            | TCP (6)        | 80
POP3 (110)           | TCP (6)        | 110
IMAP (143)           | TCP (6)        | 143
LDAP (389)           | TCP (6)        | 389
HTTPS (443)          | TCP (6)        | 443
SMTPS (465)          | TCP (6)        | 465
IMAPS (993)          | TCP (6)        | 993
POP3S (995)          | TCP (6)        | 995
MS SQL (1433)        | TCP (6)        | 1433
Oracle (1521)        | TCP (6)        | 1521
MySQL/Aurora (3306)  | TCP (6)        | 3306
NFS (2049)           | TCP (6)        | 2049
RDP (3389)           | TCP (6)        | 3389
PostgreSQL (5432)    | TCP (6)        | 5432
Redshift (5439)      | TCP (6)        | 5439
WinRM-HTTP (5985)    | TCP (6)        | 5985
WinRM-HTTPS (5986)   | TCP (6)        | 5986
HTTP* (8080)         | TCP (6)        | 8080
HTTPS* (8443)        | TCP (6)        | 8443
---------------------+----------------+-------------

APPENDIX A: ICMP Port Range Options

- Echo Reply
- Destination Unreachable
- Source Quench
- Redirect Message
- Alternate Host Address
- Echo Request
- Router Advertisement
- Router Solicitation
- Time Exceeded
- Parameter Problem: Bad IP header
- Timestamp
- Timestamp Reply
- Information Request
- Information Reply
- Address Mask Request
- Address Mask Reply
- Traceroute
- Datagram Conversion Error
- Mobile Host Redirect
- Where Are You
- Here I Am
- Mobile Registration Request
- Mobile Registration Reply
- Domain Name Request
- Domain Name Reply
- SKIP Algorithm Discovery Protocol
- Photuris, Security Failures

APPENDIX B: Protocol Options

ALL, HOPOPT (0), ICMP (1), IGMP (2), GGP (3), IPv4 (4), ST (5), TCP (6), CBT (7), EGP (8), IGP (9), BBN-RCC-MON (10),
NVP-II (11), PUP (12), ARGUS (13), EMCON (14), XNET (15), CHAOS (16), UDP (17), MUX (18), DCN-MEAS (19), HMP (20),
PRM (21), XNS-IDP (22), TRUNK-1 (23), TRUNK-2 (24), LEAF-1 (25), LEAF-2 (26), RDP (27), IRTP (28), ISO-TP4 (29), NETBLT (30),
MFE-NSP (31), MERIT-INP (32), DCCP (33), 3PC (34), IDPR (35), XTP (36), DDP (37), IDPR-CMTP (38), TP++ (39), IL (40),
IPv6 (41), SDRP (42), IPv6-Route (43), IPv6-Frag (44), IDRP (45), RSVP (46), GRE (47), DSR (48), BNA (49), ESP (50),
AH (51), I-NLSP (52), SWIPE (53), NARP (54), MOBILE (55), TLSP (56), IPv6-ICMP (58), IPv6-NoNxt (59), IPv6-Opts (60),
61, CFTP (62), 63, SAT-EXPAK (64), KRYPTOLAN (65), RVD (66), IPPC (67), 68, SAT-MON (69), VISA (70),
IPCV (71), CPNX (72), CPHB (73), WSN (74), PVP (75), BR-SAT-MON (76), SUN-ND (77), WB-MON (78), WB-EXPAK (79), ISO-IP (80),
VMTP (81), SECURE-VMTP (82), VINES (83), IPTM (84), TTP (84), NSFNET-IGP (85), DGP (86), TCF (87),
EIGRP (88), OSPFIGP (89), Sprite-RPC (90), LARP (91), MTP (92), AX.25 (93), IPIP (94), MICP (95), SCC-SP (96), ETHERIP (97),
ENCAP (98), 99, GMTP (100), IFMP (101), PNNI (102), PIM (103), ARIS (104), SCPS (105), QNX (106), A/N (107),
IPComp (108), SNP (109), Compaq-Peer (110), IPX-in-IP (111), VRRP (112), PGM (113), 114, L2TP (115), DDX (116), IATP (117),
STP (118), SRP (119), UTI (120), SMP (121), SM (122), PTP (123), ISIS over IPv4 (124), FIRE (125), CRTP (126), CRUDP (127),
SSCOPMCE (128), IPLT (129), SPS (130), PIPE (131), SCTP (132), FC (133), RSVP-E2E-IGNORE (134), Mobility Header (135), UDPLite (136), MPLS-in-IP (137),
manet (138), HIP (139), Shim6 (140), WESP (141), ROHC (142), 253, 254

THE END

Notes on: AWS Essentials: 4) S3
Just a place to put some notes on the “AWS Essentials” course from https://linuxacademy.com

4) Simple Storage Service (S3)
4.1) S3 Basics
AWS Definition: “Amazon S3 has a simple web services interface that you can use to store and retrieve any amount of data, at any time, from anywhere on the web. It gives any user access to the same highly scalable, reliable, fast, inexpensive data storage infrastructure that Amazon uses to run its own global network of web sites. The service aims to maximize benefits of scale and to pass those benefits on to users.”

Image: AWS Console -> Services -> Storage -> S3

S3 = Simple Storage Service
S3 is AWS’s primary storage service, and you can store any type of file in S3.

Buckets: Root level “Folders” you create in S3 are referred to as buckets.
Folder: Any “subfolder” you create in a bucket is referred to as a folder.
Objects: Files stored in a bucket are referred to as objects.

When you create a bucket, you must select a specific region for it to exist in. Any data you upload to the S3 bucket will be physically located in a data center in that region.
Best practice: Select the region that is physically closest to you, to reduce transfer latency - OR - create the bucket in the region closest to your customers.

Note: Some AWS services only work with/communicate with each other if they are in the same AWS region.

Consult detailed S3 Pricing: https://aws.amazon.com/s3/pricing/
Free Tier use is available for S3 (currently 5GB).
Storage Cost: Applies to data at rest in S3, charged per GB used; price varies based on region and storage class.
Request pricing (moving data in/out of S3): PUT, COPY, POST, LIST, GET, Lifecycle Transition Requests, Data Retrieval, Data Archive, Data Restore

4.2) Buckets & Objects
Bucket Naming Rules: Bucket names
- must be unique across ALL of AWS (that’s for everyone in the world)
- must be 3 to 63 characters in length
- can only contain lowercase letters, numbers and hyphens
- must not be formatted as an IP address

For more see: Bucket Restrictions and Limitations
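
The naming rules above can be checked before a create call is ever made. The Python below is an added example (not AWS's own validator or course material) that applies the local rules as these notes list them: length, allowed characters and the IP-address check. Global uniqueness cannot be verified offline and is deliberately left out. suggest_bucket_name is a hypothetical helper that turns an arbitrary label into a compliant candidate.

```python
"""Checks a proposed S3 bucket name against the naming rules in these notes
(added example, not AWS code). Global uniqueness is not checked here."""
import ipaddress
import re

NAME_CHARS = re.compile(r"^[a-z0-9-]+$")   # lowercase letters, numbers and hyphens only


def bucket_name_violations(name):
    """Return the list of rules the name breaks; an empty list means it passes."""
    violations = []
    if not 3 <= len(name) <= 63:
        violations.append("length: must be 3 to 63 characters")
    if not NAME_CHARS.match(name):
        violations.append("characters: only lowercase letters, numbers and hyphens")
    try:
        ipaddress.ip_address(name)           # parses only if the name is a literal IP address
        violations.append("format: must not be formatted as an IP address")
    except ValueError:
        pass                                 # not an IP address, which is what we want
    return violations


def is_valid_bucket_name(name):
    return not bucket_name_violations(name)


def suggest_bucket_name(raw):
    """Hypothetical helper: derive a compliant candidate from any label by lowercasing,
    replacing runs of disallowed characters with a hyphen, trimming to 63 characters
    and padding names that end up too short."""
    candidate = re.sub(r"[^a-z0-9]+", "-", raw.lower()).strip("-")[:63].strip("-")
    if len(candidate) < 3:
        candidate = (candidate + "-bucket").strip("-")
    return candidate


if __name__ == "__main__":
    for name in ("my-logs-2019", "ab", "My_Bucket", "192.168.0.1"):
        print(name, "->", bucket_name_violations(name) or "ok")
    print(suggest_bucket_name("My Project / Logs 2019"))
```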

Image: Amazon S3 -> Create Bucket

Steps to Create Bucket in Amazon S3:

1) Name and region
2) Set properties
3) Set permissions
4) Review

Image: Amazon S3 > {Bucket Name}: Tabs

Bucket Level Properties: General Info, Permissions, Static Web Hosting, Logging, Events, Versioning, Lifecycle, Cross-Region Replication, Tags, Requester Pays, Transfer Acceleration

Folder Level Properties: General Info, Details

Object Level Properties: General Info, Details, Permissions, MetaData

4.3) Storage Classes
Detailed S3 pricing based on storage class: https://aws.amazon.com/s3/pricing/

A storage class represents the “classification” assigned to each Object in S3.

Available storage classes in order of most -> least expensive:
- Standard (default): General, all-purpose storage
- Reduced Redundancy Storage (RRS): Non-critical, reproducible objects
- Infrequent Access (S3-IA): Accessed infrequently but immediately available
- Glacier: Long-term archival storage (very low cost)

Each storage class has varying attributes that dictate things like: storage cost, object availability, object durability, frequency of access (to the object).

Durability: 99.99999999999% for Standard, S3-IA, Glacier, and 99.99% for RRS.
Availability: 99.99% for Standard, RRS, and 99.9% for S3-IA (it may take several hours for objects stored in Glacier to be retrieved).

Each object is assigned a storage class, and this can be changed at any time (mostly).

Image: Example file with ‘Storage class’ = Standard

Object Durability = % over a one year time period that a file stored in S3 will NOT be lost.
Object Availability = % over a one year time period that a file stored in S3 WILL be accessible.

Setting/changing storage class:
- For new objects: set the proper settings prior to or during the upload process, or use object lifecycle policies.
- For objects (and folders) in Standard/RRS/S3-IA you can manually switch storage class at any time via object properties.
- To move an object to Glacier, you must use object lifecycles (may take 1 to 2 days).

4.4) Object LifecyclesAn object lifecycle is a set of rules that automate the migration of an object’s storage class to a different storage class (or deletion), based on specified time intervals (to keep the S3 storage cost as low as possible).

Lifecycle functionality is located on the bucket level. A lifecycle policy can be applied to:
- The entire bucket
- One specific folder within a bucket
- One specific object within a bucket

Image: Amazon S3 > {Your Bucket} > Management tab > + Add lifecycle rule

Steps to Create Lifecycle Rule in Amazon S3:
1) Name and scope
2) Transitions
3) Expiration
4) Review

4.5) Permissions
On the Bucket level, you can control:
- List (who can see the bucket name)
- Upload/Delete
- View Permissions
- Edit Permissions

On the Object level, you can control:
- Open/Download
- View Permissions
- Edit Permissions

You can share an S3 object with the world simply by clicking “Make Public”, and providing the link.

Image: Amazon S3 share a file with the world (make public)

4.6) Object Versioning
S3 versioning is a feature that keeps track of and stores all old/new versions of an object so that you can access and use an older version if you like.
S3 Versioning is either ON or OFF. Once ON it can only be SUSPENDED (cannot turn off) - once suspended, all previous objects with versions will still maintain their older versions. Versioning is set on the bucket level and applies to ALL objects in the bucket.

Image: Amazon S3 > {Your Bucket} > Enable versioning
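
The ON / SUSPENDED behaviour described above is easy to misjudge during an incident or a cost review: after suspension the older versions still exist (and still cost storage), and only unversioned writes overwrite each other. The Python class below is an added example (not S3 code or course material) that models that state machine in memory: disable() refuses once versioning has ever been enabled, writes while enabled get a fresh version id, and writes while off or suspended carry the "null" version id and replace only the previous null version, which is the convention S3 itself uses. Keys and contents are constructed.

```python
"""Simplified in-memory model of S3 bucket versioning state (added example, not AWS
code): off -> enabled, and from enabled only suspend, never off again. Writes made
while enabled are kept as separate versions; unversioned writes ("null" version id,
as in S3) replace only the previous unversioned copy. Sample data is constructed."""
import uuid


class VersionedBucket:
    def __init__(self):
        self.state = "off"          # "off" -> "enabled" <-> "suspended"
        self._versions = {}         # key -> list of (version_id, data), oldest first

    def enable(self):
        self.state = "enabled"

    def suspend(self):
        if self.state == "off":
            raise ValueError("versioning was never enabled")
        self.state = "suspended"

    def disable(self):
        if self.state != "off":
            raise ValueError("versioning cannot be turned off once enabled; suspend it instead")

    def put(self, key, data):
        """Store data for key; returns the version id given to this write."""
        versions = self._versions.setdefault(key, [])
        if self.state == "enabled":
            version_id = uuid.uuid4().hex       # every write becomes a new retained version
        else:
            version_id = "null"                 # unversioned write: replaces only the old null version
            versions[:] = [v for v in versions if v[0] != "null"]
        versions.append((version_id, data))
        return version_id

    def get(self, key, version_id=None):
        """Latest write by default, or one specific older version by id."""
        versions = self._versions[key]
        if version_id is None:
            return versions[-1][1]
        for vid, data in versions:
            if vid == version_id:
                return data
        raise KeyError(version_id)

    def version_ids(self, key):
        return [vid for vid, _ in self._versions.get(key, [])]


def demo():
    """Walk one object through off -> enabled -> suspended; returns the bucket and
    the id of the version written while versioning was on, for inspection."""
    bucket = VersionedBucket()
    bucket.put("report.csv", b"v1")
    bucket.put("report.csv", b"v2")            # versioning off: v1 is simply overwritten
    bucket.enable()
    kept = bucket.put("report.csv", b"v3")     # now v2 (null) and v3 are both retained
    bucket.suspend()
    bucket.put("report.csv", b"v4")            # replaces the null version only; v3 stays
    return bucket, kept


if __name__ == "__main__":
    b, kept = demo()
    print("state:", b.state, "| versions:", b.version_ids("report.csv"))
    print("current:", b.get("report.csv"), "| retained v3:", b.get("report.csv", kept))
```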

4.7) Quiz: S3 Essentials
Q: What feature MUST be used to change an object’s storage class to Glacier?
A: Lifecycles

T: S3 names must be unique across all AWS accounts worldwide, and must follow specific naming rules.
T: S3 is a bulk storage service where you can store any type of file.
T: S3 stands for Simple Storage Service.

Q: What is the S3 feature that allows you to store and access older iterations of objects?
A: Versioning.

T: The four S3 Storage Classes include Standard, Reduced Redundancy, Infrequent Access and Glacier.

Q: If you have an object that is easily reproducible and must be quickly accessible, what would be the best storage class to use for it?
A: Reduced Redundancy.

T: By setting proper permissions on the object level, you can allow the public to download the object via a URL.

Notes on: AWS Essentials: 5) EC2
Just a place to put some notes on the “AWS Essentials” course from https://linuxacademy.com

5) Elastic Compute Cloud (EC2)
5.1) EC2 Basics
Amazon Elastic Compute Cloud (Amazon EC2):
- Provides scalable computing capacity in the Amazon Web Services (AWS) cloud.
- Eliminates your need to invest in hardware up front, so you can develop and deploy applications faster.
- Enables you to scale up or down to handle changes in requirements or spikes in popularity, reducing your need to forecast traffic.

Basic Computer | EC2
Components     | Components
---------------+----------------
O/S            : AMIs
CPU            : Instance Type
Hard Drive     : EBS
Network Card   : IP Addressing
Firewall       : Security Groups
RAM            : RAM

Image: Services > Compute > EC2

Link: AWS: Instance Purchasing Options
Link: Amazon EC2 Pricing

Note: Free Tier use is available for EC2.

EC2 Instance Purchasing Options (most common):
- On-Demand
- Reserved
- Spot

On-Demand (most expensive):
- Choose any instance type you like and provision/terminate at any time
- Only charged when the instance is running (billed per hour)

Reserved (significant price discount):
- Purchase an instance for a set time period of 1 or 3 years
- Pay upfront, partial upfront, no upfront

- Charged regardless of how often you use it

Spot (substantial price discount):
- “Bid” on an instance type, and only pay for and use it when the spot price is equal to or below your “bid” price
- Allows Amazon to sell the use of unused instances for short amounts of time
- Prices fluctuate based on supply and demand (billed per hour)
- Instances automatically terminate when spot price > “bid” price

How are you charged for using EC2?

1) Purchasing Option

2) Instance Type (processing power):
- General purpose
- Compute optimized
- GPU optimized
- Memory optimized
- Storage optimized
- EBS optimized (option for higher IOPS performance)

3) AMI Type (varies by O/S):
- Linux
- Windows

4) Data Transfer (in/out of the instance)
5) Region

5.2) Amazon Machine Images (AMIs)
An Amazon Machine Image (AMI) provides the information (template) required to launch an instance (virtual server).

AMIs come in 3 main categories:
1) Community AMIs: Free to use, essentially just an OS
2) AWS Marketplace AMIs: Pay to use, generally packaged with additional licensed software
3) My AMIs

Image: Amazon EC2 > Launch Instance

Image: AMI categories

5.3) Instance Types

When you launch an instance... the instance type determines the (virtual) hardware used for your instance.

Instance Type Components:
(1) Family (General Purpose, Compute Optimized, Memory Optimized, Storage Optimized)
(2) Type
(3) vCPUs
(4) Memory (GiB)
(5) Instance Storage (GB)
(6) EBS-Optimized Available
(7) Network Performance

5.4) Elastic Block Store (EBS)
Amazon Elastic Block Store (EBS) provides block level storage volumes for use with EC2 instances.
- EBS volumes are highly available and reliable storage volumes that can be attached to any running instance that is in the same Availability Zone.
- EBS volumes that are attached to an EC2 instance are exposed as storage volumes that persist independently from the life of the instance.

AWS Definition of IOPS:
“IOPS are a unit of measure representing input/output operations per second. The operations are measured in KiB, and the underlying drive technology determines the maximum amount of data that a volume type counts as a single I/O. I/O size is capped at 256 KiB for SSD volumes and 1024 KiB for HDD volumes.”

EBS volume size determines the amount of IOPS. Larger size = more IOPS.

“Root” vs Additional EBS Volumes
(1) Every EC2 instance MUST have a “root” volume, which may or may not be EBS.
(2) By default, EBS “root” volumes are set to be deleted when the instance is terminated (you can choose to have the EBS volume persist).
(3) During the creation of an EC2 instance (and afterwards) you can add additional EBS Volumes to the instance.
(4) Any additional EBS volume can be attached to or detached from the instance at any time, and is not deleted (by default) when the instance is terminated.

Snapshots:
- A snapshot is an “image” of an EBS volume that can be stored as a backup of the volume OR used to create a duplicate. It is NOT an active EBS volume (cannot be attached to or detached from an EC2 instance).
- To restore, create a new EBS volume using the snapshot as a template.

Image: AWS Console > Services > EC2 > Elastic Block Store: (EBS) Volume and Snapshots

5.5) Security Groups
A security group acts as a virtual firewall that controls the traffic for one or more instances.
- You associate one or more security groups with an instance.

- You can modify the rules for a security group at any time.
- AWS evaluates all the rules from all the security groups that are associated with the instance.

Inbound and Outbound Rules
- When you create a new Security Group, ALL inbound traffic is DENIED and ALL outbound traffic is ALLOWED by default.
- All traffic is DENIED unless there is an EXPLICIT ALLOW rule for it (there are only ALLOW rules).
Best Practice: Allow ONLY traffic that is required.

Image: AWS Console > Services > EC2 > Network & Security > Security Groups

Note: In the image above, inbound just allows traffic from whatever is in the security group.
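
Security groups differ from NACLs in the two ways these notes state: there are only ALLOW rules, with everything unmatched denied, and the rules of every group attached to an instance are evaluated together. The Python below is an added example (not AWS code or course material) that models that evaluation over constructed groups, including a rule whose source is another security group, as in the note on the screenshot above, plus a small defensive check for the “allow ONLY traffic that is required” best practice that flags administrative ports opened to 0.0.0.0/0. Group ids, rules and addresses are hypothetical.

```python
"""Model of security-group evaluation (added example, not AWS code). Groups hold
allow rules only; an instance's effective rule set is the union of every group
attached to it; traffic matching no rule is denied. A rule's source is either a
CIDR or another security group id, which admits traffic from any instance that
carries that group. All groups and traffic below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class SgRule:
    protocol: str      # "tcp", "udp", "icmp" or "all"
    ports: tuple       # (from, to); ignored when protocol == "all"
    source: str        # CIDR such as "0.0.0.0/0" or a group id such as "sg-web"


# Constructed groups (ids are hypothetical).
GROUPS = {
    "sg-new": [],                                              # freshly created: nothing inbound
    "sg-web": [SgRule("tcp", (443, 443), "0.0.0.0/0")],        # HTTPS from anywhere
    "sg-admin": [SgRule("tcp", (22, 22), "203.0.113.0/24")],   # SSH from the office range only
    "sg-db": [SgRule("tcp", (3306, 3306), "sg-web")],          # MySQL only from instances in sg-web
    "sg-sloppy": [SgRule("tcp", (22, 22), "0.0.0.0/0")],       # SSH open to the world
}


def _source_matches(rule, src_ip, src_groups):
    if rule.source.startswith("sg-"):
        return rule.source in src_groups
    return src_ip is not None and ip_address(src_ip) in ip_network(rule.source)


def inbound_allowed(instance_groups, protocol, port, src_ip=None, src_groups=()):
    """True only if some rule in some attached group explicitly allows the traffic;
    rule order is irrelevant because there is nothing to deny."""
    for group in instance_groups:
        for rule in GROUPS[group]:
            if rule.protocol not in ("all", protocol):
                continue
            if rule.protocol != "all" and not rule.ports[0] <= port <= rule.ports[1]:
                continue
            if _source_matches(rule, src_ip, src_groups):
                return True
    return False


def world_exposed_admin_ports(group_ids, admin_ports=(22, 3389)):
    """Defensive check: list (group, port) pairs where an administrative port is
    reachable from 0.0.0.0/0, i.e. broader than 'only the traffic that is required'."""
    findings = []
    for gid in group_ids:
        for rule in GROUPS[gid]:
            if rule.source != "0.0.0.0/0" or rule.protocol not in ("tcp", "all"):
                continue
            for p in admin_ports:
                if rule.protocol == "all" or rule.ports[0] <= p <= rule.ports[1]:
                    findings.append((gid, p))
    return findings


if __name__ == "__main__":
    web = ["sg-web", "sg-admin"]
    print("web: 443 from anywhere:", inbound_allowed(web, "tcp", 443, "198.51.100.7"))
    print("web: 22 from office:", inbound_allowed(web, "tcp", 22, "203.0.113.5"))
    print("web: 22 from elsewhere:", inbound_allowed(web, "tcp", 22, "198.51.100.7"))
    print("db: 3306 from a web instance:", inbound_allowed(["sg-db"], "tcp", 3306, "10.0.1.25", ("sg-web",)))
    print("exposed admin ports:", world_exposed_admin_ports(["sg-sloppy"]))
```

The sg-db rule is the pattern the screenshot note describes: referencing a group rather than an address range means the database accepts connections from whichever instances currently carry sg-web, so adding a web server never requires editing the database group.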

5.6) IP Addressing
- (By default) ALL EC2 instances have a private IP address. Private IP addresses allow instances to communicate with each other as long as they are located in the same VPC or broader private network.

- EC2 instances can be launched with or without a public IP address, depending on VPC/subnet settings. Public IP addresses are REQUIRED for the instance to communicate with the Internet.

Note: The “default” VPC and subnets are configured so that any new instance that is provisioned has a public IP address.

5.7) Provisioning EC2 (example)
AWS Console > Services > EC2 > Launch Instance

Step 1) Quick Start: Amazon Linux (Free tier eligible) > Select
Step 2) Instance Type: General Purpose t2.micro (Free tier eligible) > Next: Configure Instance Details
Step 3) Configure Instance Details: Configure > Next: Add Storage

Image: Step 3) Configure Instance Details (example)

Step 4) Add Storage: Configure > Next: Add Tags

Image: Step 4) Add Storage (example)

Step 5) Add Tag: Give the ‘Name’ key a value (optional) > Next: Configure Security Group
Step 6) Configure Security Group: Configure > Review and Launch

Image: Step 6) Configure Security Group (example)

Step 7) Review Instance Launch: Launch > Create a new key pair > Download Key Pair > Launch Instance

Image: Step 7) Downloading Key Pair prior to Launch Instance(s)

Give it a few minutes and your instance is up and running!

AWS Docs: Connect to Your Linux Instance
AWS Docs: Connecting to Your Linux Instance from Windows Using PuTTY

Image: AWS Console > Services > EC2 > Instances: Instances

Note: If you’re using the Free Tier, remember to stop your instances when you’re not using them.

5.8) Quiz: EC2 Essentials
T: When launching an EC2 instance, you need to select the AMI, Storage and Instance Type.

Q: What best describes IOPS?
A: Read/write performance of storage volumes & Input/output operations per second

Q: If you were to remove the route to the IGW from a route table, what would happen to traffic inside the VPC?
A: Traffic could be sent between EC2 instances inside the VPC but would not reach the Internet.

T: AMI = A preconfigured package that provides the information required to launch an EC2 instance.

T: Every EC2 instance is automatically assigned a private IP address. Public IP addresses are optional, but are required for direct Internet access.

T: EC2 stands for Elastic Compute Cloud

T: You can only configure ALLOW rules for security groups. If there is not an explicit allow rule for a certain type of traffic, then that traffic will be denied.

T: EBS volumes are the instance’s storage.

Notes on: AWS Essentials: 6) Databases
Just a place to put some notes on the “AWS Essentials” course from https://linuxacademy.com

6) Databases
6.1) RDS and DynamoDB Basics
Two main categories of databases:
(1) Relational Databases - “SQL”
(2) Non-Relational Databases - “NoSQL”

RDS (Relational Database Service) for SQL databases
DynamoDB for NoSQL databases

Image: AWS Console > AWS Services > Database

RDS is a SQL database service that provides a wide range of SQL database options to select from:
Amazon Aurora, MySQL, MariaDB, PostgreSQL, Oracle, and Microsoft SQL Server

Image: AWS Console > AWS Services > Database: RDS > Instances > Launch DB Instance

DynamoDB is a fast and flexible NoSQL database service for all applications that need consistent, single-digit-millisecond latency at any scale.
DynamoDB can replace (is similar to): MongoDB, Cassandra DB, Oracle NoSQL

Image: AWS Console > AWS Services > Database: DynamoDB > Create Table (no ‘Select Engine’)


RDS (SQL) vs DynamoDB (NoSQL):
- Stores related data in: RDS = tables (rows and columns); DynamoDB = JSON-like, name-value documents
- Typically used for: RDS = very structured data (such as content lists); DynamoDB = non-structured data (such as cataloguing documents)

RDS Pricing/Cost Overview

Free Tier is available for all RDS options except Aurora.

How are you charged for using RDS?
(1) The RDS “engine”
(2) RDS Instance Classes
(3) Purchasing Terms: On-Demand or Reserved
(4) Database Storage
(5) Data Transfer (in/out of RDS)

https://aws.amazon.com/rds/pricing/

DynamoDB Pricing/Cost Overview

Free Tier use is available for DynamoDB.

How are you charged for using DynamoDB?
(1) Provisioned Throughput Capacity
(2) Indexed Data Storage
(3) DynamoDB Streams
(4) Reserved Capacity
(5) Data Transfer (in/out of DynamoDB)

https://aws.amazon.com/dynamodb/pricing/

6.2) Provisioning an RDS MySQL Database
(1) Creating a DB Subnet Group

Image: AWS Console > AWS Services > Database:RDS > Subnet Groups


(2) AWS Console > AWS Services > Database: RDS > Instances > Launch DB Instance
Select: MySQL: MySQL Community Edition
Specify DB Details > Next Step

Image: Step 2: Specify DB Details

(3) Configure Advanced Settings > Launch DB Instance

Image: Step 3: Configure Advanced Settings


Note: The course shows an example using SSH tunnelling - via an EC2 instance that has a public IP (a bastion) - to connect to the database, which sits in a private subnet and so has no route to the Internet.
Note: Whenever you see a failed-to-connect issue, the first things to check are: Security Groups (instance level, stateful), NACLs (subnet level, stateless - return traffic needs its own allow rule), route tables, and the Internet Gateway.

6.3) Quiz: RDS/DynamoDB Essentials
Q: What term describes the practice of using SSH to access a resource without a public IP address via a resource with a public IP address (inside of a VPC)?
A: SSH tunnelling.

T: RDS stands for Relational Database Service
T: Amazon RDS databases do not have a GUI in the AWS console
T: RDS databases store data in tables using columns and rows, while DynamoDB stores data in JSON-like, name-value documents.
T: There are free tier options available for all other RDS engines and DynamoDB, but not for Aurora.

Notes on: AWS Essentials: 7) SNS

7) Simple Notification Service (SNS)
7.1) SNS Basics
SNS = An AWS service that allows you to automate the sending of email or text message notifications, based on events that happen in your AWS account.

In Amazon SNS, there are two types of clients:
- Publishers (producers): Communicate asynchronously with subscribers by producing and sending a message to a topic.


- Subscribers (consumers): Consume/receive the message/notification over one of the supported protocols.

SNS Basic Components:
- Topics: How you label and group different endpoints that you send messages to
- Subscribers: The endpoints that a topic sends messages to.
- Publishers: The human/alarm/event that gives SNS the message that needs to be sent.

Pricing/Cost Overview

https://aws.amazon.com/sns/pricing/
Free Tier use is available for SNS.

Charged on:
(1) Publishers: Number of SNS requests
(2) Notification Deliveries: Number of subscribers the message is sent to
(3) Data Transfer in/out of SNS

7.2) Using SNS
Image: AWS Console > Services > Messaging: Simple Notification Service

Steps:
1) Create a Topic
2) Add Subscriptions
3) Publish to the Topic

Note: For SMS and email endpoints, the subscriber MUST confirm the subscription before the topic will deliver messages to them; this is what stops a topic owner from pushing messages to an address that never agreed to receive them. (Email: the subscriber clicks the “Confirm subscription” link in the email titled ‘AWS Notification - Subscription Confirmation’ from ‘{Display name}’ ([email protected]).)

Image: Creating a Topic

Image: Creating an email Subscription


Image: Other Subscription Protocol Options

Note: SMS is only available in certain regions (see the SNS documentation for the current list).

Image: Publish to topic (manual button)

7.3) Quiz: SNS Essentials
Q: What are the three main components of SNS?
A: Topics, subscribers and publishers.

T: Subscribers can consist of HTTP, SMS and email endpoints.

T: SNS allows you to automate the sending of email and text messages, based on events that happen in your AWS account.

T: SNS stands for Simple Notification Service.

Q: What are two primary use cases of SNS?
A1: To notify the AWS account owner when current monthly billings reach a certain amount.
A2: To alert a system admin of an EC2 failure.

Notes on: AWS Essentials: 8) CloudWatch

8) CloudWatch
8.1) CloudWatch Basics
Amazon CloudWatch monitors your AWS resources and the applications you run on AWS, in real time. You can use CloudWatch to collect and track metrics.
CloudWatch alarms send notifications* or automatically make changes to resources based on rules that you define.
*For example, by publishing to an SNS topic.

CloudWatch monitoring examples (view in Dashboards):
- EC2: CPU Utilization, Status Checks, Disk Read/Writes
- S3: Number of Objects, Bucket Size
- Billing


Image: AWS Console > Services > Management Tools: CloudWatch

Pricing/Cost Overview:
Free Tier use is available for CloudWatch.
Charged (prices may vary depending on Region):
(1) Per Dashboard
(2) Detailed Monitoring for Amazon EC2 Instances
(3) Amazon CloudWatch Custom Metrics
(4) CloudWatch API Requests
(5) CloudWatch Logs
(6) CloudWatch Events/Custom Events
https://aws.amazon.com/cloudwatch/pricing/

8.2) CloudWatch Metrics and Alarms
Creating a Dashboard

Step 1: Click ‘Create dashboard’

Image: Services > CloudWatch > Dashboards: Create dashboard

Step 2: Give the dashboard a name
Step 3: Add a widget to the dashboard

Image: Add (widget) to this dashboard


Step 4: Add a metric to the widget
Step 5: Click ‘Create Widget’
Step 6: Either add more widgets or click ‘Save dashboard’

Creating Alarms

Image: Services > CloudWatch > Alarms: Create Alarm

Billing Alarms

Image: How to enable Billing Alerts

Image: How to create a Billing Alarm


8.3) Quiz: CloudWatch Essentials
Q: Which are the three states of a CloudWatch alarm?
A: ALARM, INSUFFICIENT_DATA, OK

T: CPU utilization is a great metric to measure how much of your EC2 instances’ compute capacity is being used.

T: CloudWatch alarms are based on thresholds you create for specific CloudWatch metrics.

T: CloudWatch is a service that allows you to monitor various metrics inside your AWS account.

T: CloudWatch alarms can trigger SNS topics.
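The three alarm states and the threshold rule above are easy to model. The following is an added example (not code from the course or these notes): a simplified model of how an alarm walks over the last N evaluation periods, goes to ALARM once M of them breach the threshold, reports INSUFFICIENT_DATA when the metric has not produced enough datapoints, and fires its action (e.g. publish to the SNS topic) only on a state transition, not on every breaching datapoint. The CPU series below is constructed; the M-of-N generalisation and the missing-data handling are deliberately the simplest form and leave out the other missing-data options real CloudWatch offers.

```python
"""Simplified model of CloudWatch alarm state evaluation (added example)."""

OK, ALARM, INSUFFICIENT_DATA = "OK", "ALARM", "INSUFFICIENT_DATA"

COMPARATORS = {
    "GreaterThanThreshold": lambda v, t: v > t,
    "GreaterThanOrEqualToThreshold": lambda v, t: v >= t,
    "LessThanThreshold": lambda v, t: v < t,
    "LessThanOrEqualToThreshold": lambda v, t: v <= t,
}


def alarm_state(datapoints, threshold, evaluation_periods,
                datapoints_to_alarm=None, comparison="GreaterThanThreshold"):
    """Return OK, ALARM or INSUFFICIENT_DATA for a metric series.

    datapoints: one value per period, oldest first. None marks a period in
    which the metric reported nothing (e.g. the instance was stopped).
    """
    if datapoints_to_alarm is None:
        datapoints_to_alarm = evaluation_periods      # classic "N of N" alarm
    breaches = COMPARATORS[comparison]
    window = list(datapoints)[-evaluation_periods:]   # only the last N periods count
    reported = [v for v in window if v is not None]
    if len(window) < evaluation_periods or not reported:
        return INSUFFICIENT_DATA                      # not enough history yet
    breaching = sum(1 for v in reported if breaches(v, threshold))
    return ALARM if breaching >= datapoints_to_alarm else OK


def replay(datapoints, threshold, evaluation_periods, **kw):
    """Feed datapoints in one period at a time and record every transition.

    Returns [(index, old_state, new_state)]: the moments a real alarm would
    run its actions (SNS publish, stop instance, ...). Actions run on state
    changes, so three breaching periods in a row notify once, not three times.
    """
    state = INSUFFICIENT_DATA                         # every new alarm starts here
    transitions = []
    for i in range(1, len(datapoints) + 1):
        new = alarm_state(datapoints[:i], threshold, evaluation_periods, **kw)
        if new != state:
            transitions.append((i - 1, state, new))
            state = new
    return transitions


# Constructed sample: EC2 CPUUtilization (%) per 5-minute period. The trailing
# None values stand for periods after the instance was stopped.
CPU_UTILIZATION = [12, 15, 91, 94, 97, 40, 20, None, None, None]

if __name__ == "__main__":
    # Threshold 80%, 3 evaluation periods: the alarm needs three breaching
    # datapoints in a row before it fires, then returns to OK on the first dip.
    for idx, old, new in replay(CPU_UTILIZATION, threshold=80, evaluation_periods=3):
        print(f"period {idx}: {old} -> {new}")
```

Tightening datapoints_to_alarm to 2 makes the same series alarm one period earlier, which is the trade-off between catching a short spike and paging on noise.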

Notes on: AWS Essentials: 9) ELB

9) Elastic Load Balancer (ELB)
9.1) ELB Basics
ELB = Elastic Load Balancer

ELB...
...evenly distributes incoming application traffic across multiple EC2 instances in multiple Availability Zones (increases fault tolerance).
...detects unhealthy instances and routes traffic only to healthy instances.

Pricing/Cost Overview

Free Tier use is NOT available for ELB.
Charged:
(1) Each hour or partial hour the load balancer is running
(2) For each GB of data transferred through the load balancer
Note: Prices may vary depending on Region
https://aws.amazon.com/elasticloadbalancing/classicloadbalancer/pricing/

9.2) Creating an ELBServices > EC2 > Load Balancing: Load Balancers > Create Load Balancer

Two types:
(1) Application Load Balancer
(2) Classic Load Balancer


Image: Services > EC2 > Load Balancing: Load Balancers > Create Load Balancer

High-Level Steps Creating an ELB:
1. Define Load Balancer
2. Assign Security Groups
3. Configure Security Settings
4. Configure Health Check
5. Add EC2 Instances
6. Add Tags
7. Review

9.3) Quiz: ELB Essentials
Q: What best describes the purpose of an ELB?
A: To evenly distribute traffic between EC2 instances.

T: Using an ELB with only one EC2 instance would provide NO additional benefit, and you would be charged money for using it.

T: ELB stands for Elastic Load Balancer.

T: Health checks are required so that the ELB does not serve traffic to an unhealthy EC2 instance.

Q: If you are using an ELB to serve web traffic to EC2 instances, what traffic MUST be allowed on the ELB’s security group, while also maintaining AWS security best practices?
A: HTTP/Port 80 (for plain HTTP; allow 443 instead, or as well, if the listener terminates HTTPS - see step 3, Configure Security Settings, above). Nothing else, e.g. SSH, belongs on the load balancer’s security group.

Notes on: AWS Essentials: 10) Auto Scaling

10) Auto Scaling
10.1) Auto Scaling Basics
Auto Scaling = automates the process of adding (scaling up) OR removing (scaling down) EC2 instances based on traffic demand for your application.

You can create collections of EC2 instances called Auto Scaling groups.


If you specify scaling policies, then Auto Scaling can launch or terminate instances as demand on your application increases or decreases.

Note: Auto scaling is a service - not a physical offering - and will always stay in a VPC.

Auto Scaling Components:
- Launch Configuration: The EC2 template used when Auto Scaling needs to add an additional server to your Auto Scaling Group.
- Auto Scaling Group: All the rules and settings that govern when an EC2 server is automatically added or removed.

Pricing/Cost Overview:
(1) Auto Scaling is FREE to use
(2) You will be charged for the resources that Auto Scaling provisions!

10.2) Using Auto Scaling
Create Auto Scaling Group:
Step 1: Create launch configuration
1. Choose AMI
2. Choose Instance Type
3. Configure details
4. Add Storage
5. Configure Security Group
6. Review
Note: 1 -> 6 above are the same as creating an EC2 instance.

Step 2: Create Auto Scaling group
1. Configure Auto Scaling group details
2. Configure scaling policies
3. Configure Notifications
4. Configure Tags
5. Review

Image: Services > EC2 > Auto Scaling: Launch Configurations > Create Auto Scaling group

Image: 1. Configure Auto Scaling group details


Note: Here you select: Group size: Start with X instances

Image: 1. Configure Auto Scaling group details: Advanced Details

Note: Here with ‘Receive traffic from one or more load balancers’ ticked
Note: Here with ‘Health Check Type = ELB’ (default is EC2)

Image: 2. Configure scaling policies

Note: Here using ‘Use scaling policies to adjust the capacity of this group’
Note: Here ‘Scale between 2 and 5 instances’
Note: Here with ‘Increase Group Size’ and ‘Decrease Group Size’ policies set


Image: 3. Configure Notifications

Note: Send a notification to ... Whenever instances:  launch / terminate / fail to launch / fail to terminate

10.3) Quiz: Auto Scaling Essentials
T: Auto Scaling provides automation that contributes to highly available and fault tolerant architecture. Auto Scaling is not used to send messages (this is SNS).

Q: What are the main two components of Auto Scaling?
A: Launch configuration and Auto Scaling group

Q: What best describes how you are charged for using Auto Scaling?
A: Auto Scaling is free to use, but you are responsible to pay for any AWS resources that Auto Scaling provisions.

T: Auto Scaling is the process of scaling up and scaling down the number of EC2 instances based on traffic demands.

Notes on: AWS Essentials: 11) Route 53

11) Route 53
11.1) Route 53 Basics
Amazon Route 53 performs 3 main functions:
(1) Domain registration
(2) Domain Name System (DNS) service
(3) Health checking - Amazon Route 53 sends automated requests over the Internet to your application to verify that it is reachable, available and functional.

Pricing/Cost Overview

Free Tier use is NOT available for Route 53.
https://aws.amazon.com/route53/pricing/

Charged for:
(1) Number of hosted zones
(2) Traffic flow (per policy)
(3) Standard queries
(4) Latency based routing
(5) Geo DNS queries
(6) Health checks
(7) Register/transfer a domain


11.2) Using Route 53
Image: Services > Networking & Content Delivery: Route 53

Image: Amazon Route 53

The Amazon Route 53 Side Menu Bar

- Dashboard
- Hosted zones
- Health checks
- Traffic flow
  - Traffic policies
  - Policy records
- Domains
  - Registered domains
  - Pending requests

11.3) Quiz: Route 53 Essentials
Q: In a highly available and fault tolerant architecture with multiple EC2 instances hosting a website, what is the purpose of Route 53?
A: To populate external DNS servers with domain/IP address information AND to route incoming traffic to the ELB.

T: A web browser must have the IP address of a web server to locate it on the Internet
T: DNS servers are used to translate common language web domains into IP addresses

Q: When you type a domain name into a web browser, what best describes the process that occurs to deliver the website content back to the browser?
A: The browser sends a request to a DNS server asking for the IP address associated with the domain name.


Q: What best describes Route 53?
A: A service to register domains and configure DNS records

Notes on: AWS Essentials: 12) Lambda

12) Lambda
12.1) Lambda Basics
Lambda is serverless computing.

AWS Lambda...
...is a compute service that lets you run code without provisioning or managing servers.
...executes your code only when needed and scales automatically.

Pay only for compute time you consume - no charge when your code is not running.
All you need to do is supply your code in one of the languages that AWS Lambda supports*.
*At the time of the course: Node.js, Java, C# and Python.

Image: ‘Traditional AWS Architecture’ vs ‘AWS Lambda Architecture’

Pricing/Cost Overview

Free Tier use is available for Lambda!
See: https://aws.amazon.com/lambda/pricing/

Charged:
(1) Requests (to execute code)
(2) Duration (the length of time it takes the code to execute)
(3) Accessing data from other AWS services/resources

12.2) Lambda Test
Image: AWS Services > Compute: Lambda


Image: AWS Lambda

Creating a Lambda Function
(1) Select blueprint
(2) Configure triggers
(3) Configure function
(4) Review

Executing (testing) the Lambda function
Select the function and click the “Test” button

12.3) Quiz: Lambda Essentials
Q: What are the two primary ways you are charged for using Lambda?
A: Execution requests and execution duration

T: AWS Lambda is a serverless compute platform.

Q: What AWS service will Lambda eventually replace?
A: EC2

T: You are only charged (per 100 milliseconds, at the time of the course) for how long it takes your code to run each time it is executed.

Q: What are the current languages that Lambda supports?
A: Node.js, Java, C# and Python

Notes on: Linux Academy: AWS CSAA: 0


Just a place to put some notes on the “AWS Certified Solutions Architect - Associate (New!)” course from https://linuxacademy.com

Facebook (test your skills):
www.facebook.com/cloudassessments

SoundCloud Podcast (latest updates on cloud):
soundcloud.com/cloud-assessments

The Orion Papers:
https://www.lucidchart.com/documents/view/bd4fb4e7-336e-4c8b-972d-048616da9f96/0
https://labfiles.linuxacademy.com/aws-csa/orionpapers.html

What is a Solutions Architect?

In the world of AWS it means being competent in the following areas:
- Designing and deploying scalable, highly available, and fault tolerant systems on AWS
- Lift and shift of an existing on-premises application to AWS
- Ingress and egress of data to and from AWS
- Selecting the appropriate AWS service based on data, compute, database, or security requirements
- Identifying appropriate use of AWS architectural best practices
- Estimating AWS costs and identifying cost control mechanisms

Register for Exam:https://www.webassessor.com/wa.do?page=publicHome&branding=AMAZON

Tips & Tricks: Taking an AWS Certification Examhttps://linuxacademy.com/blog/amazon-web-services-2/tips-tricks-taking-an-aws-certification-exam/

How to prepare for the exam (with Linux Academy):
(1) Watch and follow along with all video lessons
(2) Complete every Live Lab (at least once)
(3) Pass every section quiz with 100%
(4) Pass the final practice exam 3 times
(5) Memorize the instructor notecard deck
(6) Read the provided AWS whitepapers

Image: ‘The Orion Papers’ from LinuxAcademy.com

Official AWS Certification Links

https://aws.amazon.com/certification/certification-prep/

Focus on the following whitepapers:

Architecting for the Cloud: AWS Best Practices
AWS Security Best Practices


Amazon Web Services: Overview of Security Processes
AWS Well-Architected Framework
Development and Test on AWS
Backup and Recovery Approaches Using AWS
Amazon Virtual Private Cloud Connectivity Options
How AWS Pricing Works

Notes on: Linux Academy: AWS CSAA: 1) AWS Account & Physical Organization

Essential Certified Solutions Architect Terminology

High Availability refers to systems that are durable and likely to operate continuously without failure for a long time.For a solutions architect this means making sure your AWS application is always available when a user/customer tries to access it.

Fault Tolerance is the property that enables a system to continue operating properly in the event of the failure of one or more of its components.A fault tolerant AWS application would be one where one of its web servers can fail, and it still serves traffic to visitors (even repair itself.)

Scalability is the ability of a system to easily increase in size and capacity in a cost effective way (usually based on usage demand.)

Elasticity is the ability of a system to increase and decrease in size (usually based on usage demand).In architecting applications, it usually refers to the ability of an application to increase and decrease server capacity on demand.

Cost Efficient: choosing the correct options to make a system as inexpensive as possible.

Secure: following proper security guidelines and best practices to secure a system.

AWS Best Practices is a set of guidelines outlined by AWS that should be followed when provisioning and using their services.

Quiz: Account & Physical Organization

T: Each Availability Zone has at least one AWS data center and sometimes up to 5 or 6 data centers.
T: Availability Zones do NOT span across regions. Availability Zones DO provide for highly available and fault tolerant architecture, but an AZ is contained within a region.

Q: What are the main benefits of AWS regions?
A: Regions allow you to place AWS resources in the area of the world closest to your customers who access those resources.
A: Regions allow you to design applications to conform to specific laws and regulations for specific parts of the world.

Q: What are the benefits of an Availability Zone?
A: Each Availability Zone is isolated from each other to ensure fault tolerance.
A: Availability Zones have direct, low latency connections to each other.

Q: Besides regions and their included Availability Zones, which of the following is another “regional” data center location used for content distribution?
A: Edge Location*


Q: What best describes the concept of elasticity?
A: The ability of a system to increase and decrease in size

T: Fault Tolerance is a system ability allowing the system to continue to operate even when one of its components fail.

Q: What best describes the concept of High Availability?
A: A durable system that can operate for long periods of time without failure.

Q: What are the two primary ways that AWS users interface with AWS?
A: AWS CLI
A: AWS Console

*An Edge Location is an AWS data center that hosts content-delivery services (e.g. CloudFront) rather than the full set of AWS services. It is used to deliver content to users in parts of the world close to them.

Image: AWS Edge Location

Notes on: Linux Academy: AWS CSAA: 2) IAM (Identity & Access Management)

Continuing from and expanding upon: AWS Essentials: IAM

Navigation

AWS Services > Security, Identity & Compliance: IAM


Left Panel: Dashboard, Groups, Users, Roles, Policies, Identity providers, Account settings, Credential report, Encryption Keys

Image: IAM Dashboard

Additional Information:
IAM best practices
IAM documentation
Web Identity Federation Playground
Policy Simulator
Videos, IAM release history and additional resources

IAM Essentials

IAM is global to all AWS regions (creating a user account will apply to all the regions)
Practice the “Principle of Least Privilege” when administering AWS accounts, users, groups, and roles.

IAM Policies

By default an explicit deny always overrides an explicit allow (and anything that no policy explicitly allows is implicitly denied)
IAM provides pre-built (AWS managed) policies (265 at the time of the course), examples:
- Administrator access: Full access to ALL AWS resources
- Power user access: Admin access except user/group management (IAM)
- Read only access

IAM Users

User ARN = User Amazon Resource Name
User credentials should NEVER be stored on or “passed” to an EC2 instance (use an IAM role instead)

IAM Groups

Allows for easier access management to AWS resources

IAM Roles


Roles must be used because policies cannot be directly attached to AWS services.
An EC2 instance can only have ONE role attached at a time (e.g. access to S3).
“Identity Provider Access” role: a “role” for access to AWS Accounts and Resources through Active Directory, SSO, or similar.

IAM API Keys

API Access Keys are required to make programmatic calls to AWS from the:
- AWS CLI
- Tools for PowerShell
- AWS SDKs
- Direct HTTP API calls

API Access Key Facts:
- The Secret Access Key is shown only ONE time (at user creation, or when you issue a new key pair); if it is lost, create a new pair and deactivate or delete the old one
- After creation, you can only see the Access Key ID (never the Secret Access Key again)
- NEVER create or store API keys on an EC2 instance (use an IAM role, which supplies temporary credentials to the instance)
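A practical check for the two “NEVER” rules above (user credentials and API keys on an EC2 instance) is to scan what actually lands on instances: user-data scripts, shell history, config files, AMI build scripts. The following is an added example (not code from the course or these notes). It relies on the documented shape of AWS credentials: an access key ID is 20 characters beginning with AKIA (long-term, belongs to an IAM user) or ASIA (temporary, issued by STS to a role); a secret access key is 40 characters of base64-style text and is only recognised next to a telling label, so that match is a heuristic. The inputs are constructed and use the example credentials published in the AWS documentation; the bucket name and paths are made up.

```python
"""Scan text for AWS credentials that should never be on an instance (added example)."""
import re

# Access key IDs have a fixed, documented format; the prefix tells the key type.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# Secret keys have no prefix, so only flag a 40-char token that follows a label
# such as aws_secret_access_key, AWS_SECRET_ACCESS_KEY or "SecretAccessKey".
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?)?secret(?:_?access)?_?key\W{0,5}([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


def redact(value):
    """Keep enough of the key to recognise it in a report without re-leaking it."""
    return value[:4] + "..." + value[-4:]


def scan_text(text, source="<text>"):
    """Return findings as (source, line_number, kind, redacted_value) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_ID_RE.finditer(line):
            key = match.group(1)
            # An AKIA key is a long-term IAM user key: the thing the notes forbid on
            # instances. An ASIA key is temporary (role/STS) but still should not be
            # written to disk, so both are reported, with the type spelled out.
            kind = ("long-term access key id" if key.startswith("AKIA")
                    else "temporary access key id")
            findings.append((source, lineno, kind, redact(key)))
        for match in SECRET_KEY_RE.finditer(line):
            findings.append((source, lineno, "secret access key", redact(match.group(1))))
    return findings


def scan_sources(sources):
    """Scan several named texts (e.g. {"user-data": ..., "~/.aws/credentials": ...})."""
    findings = []
    for name, text in sources.items():
        findings.extend(scan_text(text, name))
    return findings


# Constructed samples. The keys are the example credentials from the AWS docs.
USER_DATA = """#!/bin/bash
# constructed sample: the anti-pattern the notes warn against
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws s3 sync s3://example-bucket /var/www/html
"""

CREDENTIALS_FILE = """[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

# The role-based version of the same script: nothing for the scanner to find,
# because the CLI picks up temporary credentials from the instance role.
USER_DATA_WITH_ROLE = """#!/bin/bash
aws s3 sync s3://example-bucket /var/www/html
"""

if __name__ == "__main__":
    for source, lineno, kind, value in scan_sources(
            {"user-data": USER_DATA, "~/.aws/credentials": CREDENTIALS_FILE}):
        print(f"{source}:{lineno}: {kind}: {value}")
```

Run it over user-data, AMI build scripts and the home directories of any bastion or build host; every hit on a long-term key is a key that should be rotated and replaced by a role, not just deleted from the file.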

IAM Quiz

Note: T = True statement.

T: If an IAM access policy has both an allow rule and a deny rule for the same service, the DENY rule will supersede the allow rule.

Q: You create a new IAM user for AUSER in your company’s AWS account. On AUSER’s first day, you ask AUSER to make a change to a CloudWatch alarm in an Auto Scaling group. AUSER reports no access to CloudWatch or Auto Scaling in the AWS console. What is a possible explanation for this?
A: You have not added the appropriate IAM permissions and access policies to AUSER; there is a non-explicit deny to all new users.

T: An IAM user can have many IAM permission policies attached to them at the same time, either directly attached or through groups.

Q: What best describes an IAM role?
A: A role is something that another entity can “assume”

Q: AUSER will be overseeing the company’s DynamoDB database, so you attached the “AmazonDynamoDBFullAccess” IAM policy to AUSER’s IAM user. 6 months later, AUSER was promoted to manager and added to the “Managers” IAM group. The “Managers” group does not have the “AmazonDynamoDBFullAccess” policy attached to it. What will happen to AUSER’s DynamoDB access?
A: Nothing, as an IAM user can have multiple IAM permission policies attached to them at the same time, either directly to the user or through an associated IAM group.

T: By default, when an IAM user is created, it has a non-explicit “deny” for all AWS services.

Q: What are the main benefits of IAM groups?


A: Assigning IAM permission policies to more than one user at a time.
A: Easier user/policy management.

T: Best practice is to NEVER store or pass IAM credentials to an EC2 instance.

Q: What best describes the “Principle of Least Privilege”?
A: Users should be granted permission to access only the resources they need to do their assigned job.

Q: The common use for IAM is to manage what?
A: Users, Groups, Roles, Access Policies, API Keys, Password Policies, Multi-Factor Authentication

Q: An EC2 instance must have the ability to access other AWS resources. What is the best way to manage this access?
A: Use an IAM role to manage temporary credentials for applications that run on an EC2 instance. The role will supply temporary permissions that applications can use when they make calls to other AWS resources.

Q: API Access Keys are required to make programmatic calls to AWS from which of the following?
A: AWS CLI, Tools for PowerShell, AWS SDKs, Direct HTTP API calls

Q: You notice that one of the groups has two conflicting permissions attached: one that allows S3 access, and one that denies S3 access. If your goal is to allow members of the group to have S3 access, what needs to be done?
A: You must remove the deny policy, as a deny policy will override an allow policy.
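The evaluation rules behind the IAM Policies section and the quiz items above (implicit deny for a new user, an explicit Deny beating any Allow regardless of order, policies accumulating from the user and from every group) fit in a few lines. The following is an added example (not code from the course or these notes): a reduced model of identity-policy evaluation that keeps the real statement shape (Effect/Action/Resource, with IAM-style wildcards) but leaves out Condition blocks, NotAction/NotResource, resource-based policies, permission boundaries and SCPs. The policies, ARNs and account number are constructed.

```python
"""Reduced model of IAM identity-policy evaluation (added example)."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    """IAM-style wildcard match: '*' matches any run of characters, '?' one.

    fnmatchcase also treats '[...]' as a character class; ARNs and action
    names do not contain brackets, so that difference does not matter here.
    """
    for pattern in _as_list(patterns):
        if case_insensitive:
            pattern, value = pattern.lower(), value.lower()
        if fnmatchcase(value, pattern):
            return True
    return False


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for a single action on a single resource.

    policies: every policy document attached to the principal, directly or
    through groups. Order does not matter: an explicit Deny wins whenever it
    appears, an Allow only counts if no Deny matched, and a request that no
    statement mentions is implicitly denied.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            # Action names are case-insensitive in IAM; ARNs are matched as written.
            if not _matches(stmt.get("Action", []), action, case_insensitive=True):
                continue
            if not _matches(stmt.get("Resource", []), resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"                 # explicit deny ends evaluation
            allowed = True                    # remember, but keep looking for a Deny
    return "Allow" if allowed else "Deny"     # nothing matched: implicit deny


def effective_policies(user_policies, group_policy_sets):
    """A user's effective policy set: direct policies plus every group's policies."""
    effective = list(user_policies)
    for group_policies in group_policy_sets:
        effective.extend(group_policies)
    return effective


# Constructed policies in the real document shape ("Version" omitted for brevity).
DYNAMODB_FULL_ACCESS = {"Statement": [
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]}
S3_READ_ONLY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}]}
S3_DENY_ALL = {"Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}

ORDERS_TABLE = "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"
REPORTS_OBJECT = "arn:aws:s3:::example-reports/q1.csv"

if __name__ == "__main__":
    # Brand-new user, nothing attached: everything is implicitly denied.
    print("new user, PutMetricAlarm:", evaluate([], "cloudwatch:PutMetricAlarm", "*"))
    # Direct DynamoDB policy survives joining a group that knows nothing about DynamoDB.
    managers_group = [S3_READ_ONLY]
    user = effective_policies([DYNAMODB_FULL_ACCESS], [managers_group])
    print("promoted user, dynamodb:Scan:", evaluate(user, "dynamodb:Scan", ORDERS_TABLE))
    # The conflicting-group case: the Deny wins, in either order.
    print("allow+deny, s3:GetObject:", evaluate([S3_READ_ONLY, S3_DENY_ALL], "s3:GetObject", REPORTS_OBJECT))
```

When an access problem like the quiz scenarios comes up, the fix is to enumerate every policy attached to the user and to each of their groups and run the request through this logic; a Deny anywhere in that set explains the result, and removing the Allow never helps.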

The Orion Papers: IAM

Image: Linux Academy: The Orion Papers: IAM


Bonus Item: How to Allow IAM Users and Roles (other than just the “root” account) Access to Billing Information

Log in to https://aws.amazon.com with your “root” account.
Click on the User dropdown
Click on My Account
Scroll down to ‘IAM User and Roles Access to Billing Information’
Tick the box to ‘Activate IAM Access’
Click Update

Image: IAM User and Roles Access to Billing Information

Notes on: Linux Academy: AWS CSAA: 3) Introduction to AWS VPC Networking

Continuing from: AWS Essentials: VPC

VPC Dashboard


AWS Services > Networking & Content Delivery: VPC

Left Panel:
Virtual Private Cloud: Your VPCs, Subnets, Route Tables, Internet Gateways, Egress Only Internet Gateways, DHCP Options Sets, Elastic IPs, Endpoints, NAT Gateways, Peering Connections
Security: Network ACLs, Security Groups
VPN Connections: Customer Gateways, Virtual Private Gateways, VPN Connections

Image: VPC Dashboard

Additional Information:
VPC Documentation
All VPC Resources

VPC Essentials
CDN = Content Delivery Network

VPC Network Routing Basics
A PUBLIC subnet HAS a route to the Internet (it is associated with a route table that contains a route whose target is the IGW)
A PRIVATE subnet does NOT have a route to the Internet (it is associated with a route table that has NO route to the IGW)

VPC Security Basics
NACLs: Best practice is to increment rule numbers by 10, so that if you later need to insert a rule at a particular position there is room for it (rules are evaluated in number order and the first match wins).

Security groups: Are security at the instance level. They support only ‘allow’ rules. Best practice is to allow ONLY the traffic that is required.

VPC Basics Quiz
T: For a subnet to be considered public, it must have a route to the Internet. Having a route to the Internet means that it must be associated with a route table that points to the IGW.

Q: You have been tasked with auditing the security of your VPC. As part of this process, you need to start by analysing what traffic is allowed to and from various EC2 instances. What two parts of the VPC do you need to check to accomplish this task?


A: Security Groups and NACLs
E: Security Groups and NACLs are the two parts of the VPC Security Layers. Security Groups are a firewall at the instance level, and NACLs are a firewall at the subnet level.

Q: What best describes how NACL rules work?
A: Rules are evaluated by rule number, from lowest to highest, and executed immediately when a matching allow/deny rule is found.

T: A VPC can only have one IGW attached at a time.

Q: If data is travelling from a customer, over the open Internet, to a web site you are hosting on an EC2 instance in an AWS VPC, what is the order of components that data will travel through?
A: IGW -> Route Table -> NACL -> Subnet -> Security Group -> EC2 Instance

Q: You work for a financial institution that is preparing to (possibly) migrate their on-premise infrastructure to AWS. As part of this process, you have been tasked with preparing the cloud strategy that will be presented to your CTO. As part of this presentation, you need to highlight several of the top benefits of using an AWS VPC. Which of the following benefits do you highlight in this section of the presentation?
A: The ability to have both public and private subnets
A: The ability to extend your on-premise network to the cloud via VPN
A: The ability to provide a DNS server for your VPC

Q: Your company’s management team has been considering moving their on-premise network to AWS. You have been called into a meeting to brief the management team on some specifics of AWS. One of the first questions you are asked is what exactly a VPC is. How should you respond?
A: An AWS VPC closely resembles a traditional on-premise network, with the added benefit of AWS infrastructure.

T: NACLs are stateless, and security groups are stateful.
E: NACLs are stateless, which means that return request traffic must have an allow rule set up for that return traffic to enter or leave the subnet. Security groups are stateful, which means that return request traffic does not need an allow rule set up for that return traffic to enter or leave the security group.
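The two evaluation models the quiz items above describe, put into a small simulation: NACL rules are walked by number, lowest first, the first match decides, and nothing is remembered between packets; security group rules are allow-only and the group tracks the sessions it admits. This is an added example, not code from the course or from these notes. The addresses, ports and rule sets are constructed for illustration, and the `Packet`, `NaclRule` and `SecurityGroup` names are this example's own.

```python
"""Added example (not from the course notes): a minimal simulation of the two
VPC security layers.  Addresses, ports and rule sets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EPHEMERAL = (1024, 65535)  # client-side port range a TCP reply comes back to


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class NaclRule:
    number: int   # evaluation order: lowest number first
    cidr: str     # inbound rules match the source, outbound rules the destination
    proto: str    # "tcp", "udp" or "all"
    ports: tuple  # inclusive (low, high) destination-port range
    action: str   # "allow" or "deny"


def _matches(cidr, proto, ports, addr, pkt):
    return (proto in (pkt.proto, "all")
            and ports[0] <= pkt.dport <= ports[1]
            and ip_address(addr) in ip_network(cidr))


def nacl_decide(rules, pkt, direction):
    """Walk the rules by number, lowest first; the first match decides.
    Nothing matching falls through to the implicit '*' rule, which denies.
    The NACL keeps no state, so a reply is judged purely on its own fields."""
    addr = pkt.src if direction == "inbound" else pkt.dst
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule.cidr, rule.proto, rule.ports, addr, pkt):
            return rule.action == "allow"
    return False


class SecurityGroup:
    """Allow-only rules plus connection tracking: once an inbound rule admits
    a session, its return packets pass with no outbound rule at all."""

    def __init__(self, inbound, outbound=()):
        self.inbound = list(inbound)    # tuples of (cidr, proto, low, high)
        self.outbound = list(outbound)  # left empty here; a real SG allows all outbound by default
        self._sessions = set()

    def decide(self, pkt, direction):
        if direction == "outbound" and (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self._sessions:
            return True  # return traffic of a tracked session
        rules = self.inbound if direction == "inbound" else self.outbound
        addr = pkt.src if direction == "inbound" else pkt.dst
        for cidr, proto, lo, hi in rules:
            if _matches(cidr, proto, (lo, hi), addr, pkt):
                if direction == "inbound":
                    self._sessions.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
                return True
        return False


def ssh_session_outcome(nacl_inbound, nacl_outbound, sg):
    """Push an SSH request and its reply through both layers and report
    (request admitted, reply passes NACL, reply passes security group)."""
    request = Packet("203.0.113.5", 50000, "10.0.1.10", 22)  # constructed client -> server
    reply = Packet("10.0.1.10", 22, "203.0.113.5", 50000)    # server -> client, ephemeral dport
    admitted = (nacl_decide(nacl_inbound, request, "inbound")
                and sg.decide(request, "inbound"))
    return (admitted,
            nacl_decide(nacl_outbound, reply, "outbound"),
            sg.decide(reply, "outbound"))


if __name__ == "__main__":
    # Least privilege: only the office range (constructed) may reach SSH.
    ssh_in = [NaclRule(100, "203.0.113.0/24", "tcp", (22, 22), "allow")]
    sg = SecurityGroup([("203.0.113.0/24", "tcp", 22, 22)])
    # No outbound NACL rule for the ephemeral range: the reply is dropped by the NACL.
    print(ssh_session_outcome(ssh_in, [], sg))  # (True, False, True)
    ephemeral_out = [NaclRule(100, "0.0.0.0/0", "tcp", EPHEMERAL, "allow")]
    print(ssh_session_outcome(ssh_in, ephemeral_out, sg))  # (True, True, True)
```

The first tuple shows the SSH request getting in while its reply is dropped at the NACL, because the outbound side has no rule covering the ephemeral port range the client is listening on; the second run adds that rule. The security group passes the reply either way because it tracked the session. A real security group also ships with an allow-all outbound rule, which is left out here so that the state tracking is what carries the reply.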

Q: You are the lead Solutions Architect for a healthcare company and are managing an application running on multiple EC2 instances. Those EC2 instances must have the ability to access other AWS resources. What is the best way to manage this access?
A: Use an IAM role to manage temporary credentials for applications that run on an EC2 instance. The role will supply temporary permissions that applications can use when they make calls to other AWS resources.

T: All subnets, regardless of being public or private, can communicate with each other inside of a VPC.
E: Since each route table has a local target with the destination of the VPC's CIDR block range, all subnets within a VPC can communicate with each other.

T: In the default VPC, all subnets have a route to the Internet.

Physical & Networking Layer: VPC
Image: Basic VPC Infrastructure

Notes on: Linux Academy: AWS CSAA: 4) EC2 (Elastic Compute Cloud)
Just a place to put some notes on the “AWS Certified Solutions Architect - Associate (New!)” course from https://linuxacademy.com

Expanding Upon: AWS Essentials: EC2

EC2 Dashboard
AWS Services > Compute: EC2

Left Panel:
- EC2 Dashboard
- Events
- Tags
- Reports
- Limits
+ INSTANCES: Instances / Spot Requests / Reserved Instances / Dedicated Hosts
+ IMAGES: AMIs / Bundle Tasks
+ ELASTIC BLOCK STORE: Volumes / Snapshots
+ NETWORK & SECURITY: Security Groups / Elastic IPs / Placement Groups / Key Pairs / Network Interfaces
+ LOAD BALANCING: Load Balancers / Target Groups
+ AUTO SCALING: Launch Configurations / Auto Scaling Groups
+ SYSTEMS MANAGER SERVICES: Run Command / State Manager / Configuration Compliance / Automations / Patch Compliance / Patch Baselines
+ SYSTEMS MANAGER SHARED RESOURCES: Managed Instances / Activations / Documents / Maintenance Windows / Parameter Store / Patches

Image: EC2 Dashboard

Additional Information:
- Getting Started Guide
- Documentation
- All EC2 Resources
- Forums
- Pricing

EC2 Bootstrapping, User-Data and Meta-Data
Viewing User-Data & Instance Meta-Data:
When logged into an EC2 instance, you can view the instance user-data used during creation, or the meta-data, by executing one of the following commands:
curl http://169.254.169.254/latest/user-data (displays bootstrapping commands)
curl http://169.254.169.254/latest/meta-data (displays AMI, instance type, etc.)

Quiz
Q: IOPS are measured in what size “chunks”?
A: IOPS are measured in chunks of 256KB or smaller

Q: What best describes how EBS snapshots work?
A: Snapshots are incremental in nature and are stored in S3

Q: You are a Solutions Architect and your company is interested in moving some workload to AWS. You are concerned that it will be very challenging to manage and control all of the EC2 servers that will need to be deployed – specifically, how to ensure that fellow employees are installing the company approved operating system version, with the right libraries and runtimes and with the proper configuration settings. What EC2 feature will best allow you to control this?
A: You can have a company policy stipulating that any new instance must be launched using a custom Amazon Machine Image (AMI) which specifies exactly which software and associated settings you want to have installed on every new EC2 instance.

T: AMIs are what dictate the instance's operating system and other software settings. It is the "instance type" which determines the instance's virtual hardware.

Q: What best describes the characteristics of EBS volumes?
A: They are persistent and can live past the lifetime of the instance.

Q: If you are running a legacy application that has hard-coded static IP addresses and is running on an EC2 instance, what is the best failover solution that allows you to keep the same IP address on a new instance?
A: Elastic IP addresses (EIPs) are designed to be attached/detached and moved from one EC2 instance to another. They are a great solution for keeping a static IP address and moving it to a new instance if the current instance fails. This will reduce or eliminate any downtime users may experience.

Q: If you are running an application in a production environment and must add a new EBS volume with data from a snapshot, what should you do to avoid degraded performance during the volume's first use?
A: Initialize the data by reading each storage block on the volume
E: Volumes created from an EBS snapshot must be initialized. Initialization occurs the first time a storage block on the volume is read, and performance can be reduced by up to 50%. You can avoid this impact in production environments by manually reading all the blocks.

Q: What command should you run if you want to view an instance's user-data?
A: curl http://169.254.169.254/latest/user-data

Q: Your company has been thinking about moving its networking resources over to AWS. Your boss is particularly interested in the AWS shared responsibility model, as it will allow him to offload some traditional responsibilities to AWS. He says that he is happy that AWS will now handle the following responsibilities listed below. However, you know that he is wrong and that AWS does not handle all of them as part of the shared responsibility model. Which ... are not handled by AWS?
A1: Security Groups
A2: Applying an SSL Certificate to an ELB
A3: Installation of custom firewall software
E: In the shared responsibility model, AWS is responsible for DDOS protection, port scanning protection, and ingress network filtering. You are responsible for managing Security Groups, applying an SSL Certificate to an ELB, and installation of custom firewall software.

T: A key pair is a combination of a public and private key that is used for authenticating users when logging into an EC2 instance.
E: The public key is stored on the instance, and the private key is given to you when the instance is created.

Q: If you are designing an application that requires fast (10Gbps), low-latency connections between EC2 instances, what EC2 feature should you use?
A: Placement groups
E: Placement groups are a clustering of EC2 instances in one Availability Zone with fast (10Gbps) connections between them. This service is used for applications that need extremely low-latency connections between instances.

Q: You work in the IT department of a Fortune 500 financial services company. Your company has hundreds of servers and also uses VMware for certain applications. You happened to run into one of the senior directors in the hallway today, and she told you that she had just read an article on cloud computing that mentioned EC2 instances and was wondering what that was. What would be the best analogy to use in explaining to her what EC2 is?
A: EC2 is analogous to our internal VMware environment and provides companies with virtual servers that run in the cloud.

Q: What happens to data stored on an instance store volume when an EC2 instance is stopped or shut down?
A: The data will be deleted
E: Since instance store volumes are ephemeral, data will NOT be persistent and WILL be deleted if the instance is stopped or shut down.

AWS Account & Services Layer: EC2
Image: AWS Account & Services Layer (compute services)

“An Amazon EFS file system is accessed by EC2 instances running inside one of your VPCs. Instances connect to a file system by using a network interface called a mount target. Each mount target has an IP address, which we assign automatically or you can specify.”

Image: EFS > Create File System - Step 1: Configure file system access

Create File System

Step 1: Configure file system access
1.1: Select VPC
1.2: Create mount targets

Step 2: Configure optional settings
2.1: Add tags
2.2: Choose performance mode:
- General Purpose (default)
- Max I/O
2.3: Enable encryption

EFS Things to Know
Elastic File System (EFS):

- EFS is a scalable storage option for EC2
- EFS storage capacity is elastic
-- The storage capacity will increase and decrease as you add or remove files
-- Applications running on an EC2 instance using EFS will always have the storage they need, without having to provision and attach larger storage devices
- EFS is fully managed (no maintenance required)
- Supports the Network File System version 4.0 and 4.1 (NFSv4) protocols when mounting
- Best performance when using an EC2 AMI with Linux Kernel 4.0 or newer

Benefits of EFS:
- The EFS file system can be accessed by one (or more) EC2 instances at the same time
-- Shared file access across all your EC2 instances
-- Applications that span multiple EC2 instances can access the same data
- EFS file systems can be mounted to on-premise servers (when connected to your VPC via AWS Direct Connect)
-- This allows you to migrate data from on-prem servers to EFS and/or use it as a backup solution
- EFS can scale to petabytes in size, while maintaining low latency and high levels of throughput
- You pay only for the amount of storage you are using

Security:
- Control file system access through POSIX permissions
- VPC for network access control, and IAM for API access control
- Encrypt data at rest using AWS Key Management Service (KMS)

When to use:
- Big Data and analytics
- Media processing workflows
- Web Serving & Content Management

APPENDIX: Steps to Encrypt an Existing Amazon EBS Volume (Data-at-Rest)
1: Change the instance state (stop the instance)
2: Create a snapshot
3: Copy the snapshot to change it to an encrypted snapshot
4: Create an EBS volume from the snapshot
5: Attach the volume to the EC2 instance
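The five appendix steps written as one boto3 procedure, as an added example that is not from the course or these notes. `encrypt_volume` only calls EC2 client methods (`stop_instances`, `create_snapshot`, `copy_snapshot`, `create_volume`, `detach_volume`, `attach_volume` and their waiters), so it is driven here against `FakeEC2`, a constructed stand-in that records the calls and hands back made-up ids; pass `boto3.client("ec2")` instead to run it against an account. All resource ids, the device name and the KMS key alias are constructed placeholders.

```python
"""Added example (not from the course notes): the appendix procedure as a boto3
call sequence.  Ids, device name and KMS key alias are constructed placeholders."""


def encrypt_volume(ec2, instance_id, volume_id, device, az, region, kms_key_id):
    """Stop -> snapshot -> encrypted copy -> new volume -> swap.  `ec2` is a
    boto3 EC2 client (or anything exposing the same methods)."""
    # 1: stop the instance so the snapshot captures a consistent filesystem
    ec2.stop_instances(InstanceIds=[instance_id])
    ec2.get_waiter("instance_stopped").wait(InstanceIds=[instance_id])

    # 2: snapshot the unencrypted volume
    snap_id = ec2.create_snapshot(VolumeId=volume_id,
                                  Description="pre-encryption copy")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap_id])

    # 3: the copy is where encryption is applied; the KMS key is what later
    #    governs who can read, share or restore the data
    enc_snap_id = ec2.copy_snapshot(SourceSnapshotId=snap_id, SourceRegion=region,
                                    Encrypted=True, KmsKeyId=kms_key_id)["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc_snap_id])

    # 4: a volume built from an encrypted snapshot is itself encrypted; it has
    #    to be in the instance's AZ to be attachable
    new_vol_id = ec2.create_volume(SnapshotId=enc_snap_id, AvailabilityZone=az)["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_vol_id])

    # 5: detach the old volume and attach the encrypted one under the same device name
    ec2.detach_volume(VolumeId=volume_id)
    ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])
    ec2.attach_volume(VolumeId=new_vol_id, InstanceId=instance_id, Device=device)
    return new_vol_id


class FakeEC2:
    """Constructed stand-in for the boto3 EC2 client: records each call and
    returns made-up ids so the procedure can be run and checked offline."""

    def __init__(self):
        self.calls = []
        self._counter = 0

    def _new_id(self, prefix):
        self._counter += 1
        return f"{prefix}-{self._counter:017x}"

    def get_waiter(self, name):
        fake = self

        class Waiter:
            def wait(self, **kwargs):
                fake.calls.append(("wait:" + name, kwargs))
        return Waiter()

    def __getattr__(self, name):
        # any other client method: record it and return the response shape the caller reads
        def method(**kwargs):
            self.calls.append((name, kwargs))
            if name in ("create_snapshot", "copy_snapshot"):
                return {"SnapshotId": self._new_id("snap")}
            if name == "create_volume":
                return {"VolumeId": self._new_id("vol")}
            return {}
        return method


def run_offline():
    """Drive the procedure against FakeEC2 and return (client, new volume id)."""
    ec2 = FakeEC2()
    new_vol = encrypt_volume(ec2, instance_id="i-0123456789abcdef0",
                             volume_id="vol-0123456789abcdef0", device="/dev/xvdf",
                             az="us-east-1a", region="us-east-1",
                             kms_key_id="alias/ebs-example")
    return ec2, new_vol


if __name__ == "__main__":
    ec2, new_vol = run_offline()
    for name, kwargs in ec2.calls:
        print(name, kwargs)
    print("encrypted volume:", new_vol)
```

Two things the appendix leaves implicit and the code makes visible: the encryption is applied by the snapshot copy (step 3), not by creating the volume, and after step 5 the original unencrypted snapshot and volume still exist, so they should be deleted once the instance has been verified on the new volume, otherwise the plaintext copy of the data remains in the account.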

Notes on: Linux Academy: AWS CSAA: 5) Lambda
Just a place to put some notes on the “AWS Certified Solutions Architect - Associate (New!)” course from https://linuxacademy.com

Expanding/Refreshing Upon: AWS Essentials: Lambda

- Lambda is a “serverless” computing platform.

- Serverless means that you can run code without provisioning or managing servers (so if you want to run code, you don’t have to spin up an EC2 instance and install software, you can just create a “Lambda function”, drop your code in it, and execute it.)

- Lambda scales the required compute power automatically with your code

- You pay only for the compute time you consume (to the 100 millisecond)

- By default, it is highly available, fault-tolerant, scalable, elastic, and cost efficient

- Lambda integrates with many other AWS services

- Current supported languages include: Node.js, Java, C#, Python

Q: When should you use Lambda over EC2?

A: Generally you want to use Lambda when you want to run code that is in response to events, such as:

- Changes to Amazon S3 buckets

- Updates to an Amazon DynamoDB table

- Custom events generated by your applications or devices

Notes on: Linux Academy: AWS CSAA: 6) Introduction to CloudWatch, CloudTrail and SNS
Just a place to put some notes on the “AWS Certified Solutions Architect - Associate (New!)” course from https://linuxacademy.com

CloudWatch

- Used to monitor AWS services such as EC2

- It provides centralized logging and performance metrics for AWS resources (e.g. ‘CPU Utilization’ of an EC2 instance, or network usage)

- CloudWatch Alarms can be used as triggers (i.e. to trigger an auto-scaling event)

CloudTrail

- Is an API logging service that logs all API calls made to AWS

- It does not matter if the API calls originate from the CLI, SDK, or console

- Logs can help address security concerns

- You can log and view each action performed by a user on your AWS account
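What "view each action performed by a user" looks like once the logs are in hand, as an added example that is not from the course or these notes. The records are constructed samples in CloudTrail's JSON layout (user names, the security group id, the trail ARN and the source addresses are made up); the three triage rules, a console login without MFA, a security group ingress rule opened to 0.0.0.0/0, and calls that stop or alter the trail itself, are this example's own choices of what an analyst would want surfaced first.

```python
"""Added example (not from the course notes): triaging CloudTrail records.
The records below are constructed samples in CloudTrail's JSON layout."""
import json
from collections import Counter

SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2019-07-16T09:12:01Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2019-07-16T09:14:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2019-07-16T10:02:45Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example"}},
    {"eventTime": "2019-07-16T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": None},
]})

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def load_records(text):
    """CloudTrail delivers JSON objects to S3; each holds a 'Records' list."""
    return json.loads(text)["Records"]


def _user(record):
    return record.get("userIdentity", {}).get("userName", "<unknown>")


def actions_by_user(records):
    """The 'each action performed by a user' view: {user: Counter({eventName: n})}."""
    out = {}
    for r in records:
        out.setdefault(_user(r), Counter())[r["eventName"]] += 1
    return out


def _world_open_permissions(params):
    """Yield (protocol, fromPort, toPort) for ingress permissions granted to 0.0.0.0/0."""
    for perm in (params or {}).get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                yield perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")


def findings(records):
    """Return (eventTime, user, message) for records an analyst should look at."""
    out = []
    for r in records:
        name = r["eventName"]
        if name == "ConsoleLogin" and r.get("additionalEventData", {}).get("MFAUsed") == "No":
            out.append((r["eventTime"], _user(r),
                        f"console login without MFA from {r['sourceIPAddress']}"))
        elif name == "AuthorizeSecurityGroupIngress":
            group = (r.get("requestParameters") or {}).get("groupId", "?")
            for proto, lo, hi in _world_open_permissions(r.get("requestParameters")):
                out.append((r["eventTime"], _user(r),
                            f"{group} opened {proto} {lo}-{hi} to 0.0.0.0/0"))
        elif name in TRAIL_TAMPERING:
            out.append((r["eventTime"], _user(r), f"audit trail changed: {name}"))
    return out


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    for user, counts in actions_by_user(recs).items():
        print(user, dict(counts))
    for when, user, msg in findings(recs):
        print(when, user, msg)
```

The same record shape is what arrives when CloudTrail delivers to S3 (gzipped, one object per batch) or when a CloudWatch Logs subscription forwards events, so the two functions apply unchanged to real input; the StopLogging rule is the one worth wiring to an SNS alert, since it is the event that would otherwise make the rest of the log go quiet.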

Simple Notification Services (SNS)

- SNS is an AWS service that allows you to automate the sending of notifications (e.g. email and text messages) based on events that occur in your AWS account

- SNS coordinates and manages the delivery of messages to specific end points

- SNS is integrated into many AWS services, so it is easy to set up and use

- With CloudWatch and SNS, a full environment monitoring solution could be created that will notify administrators with alerts like: capacity issues, downtime, changes in the environment...

Notes on: Linux Academy: AWS CSAA: 7) Advanced Networking: Highly Available & Fault Tolerant VPC Networking
Just a place to put some notes on the “AWS Certified Solutions Architect - Associate (New!)” course from https://linuxacademy.com

EC2 Management Console Screenshots

Services > EC2 > LOAD BALANCING

- Load Balancers

- Target Groups

Services > EC2 > AUTO SCALING

- Launch Configurations

- Auto Scaling Groups

Image: Services > EC2 > LOAD BALANCING: Load Balancers > Create Load Balancer

Note: The “Learn more” link.

Image: Services > EC2 > LOAD BALANCING: Target Groups > Create target group

Image: Services > EC2 > AUTO SCALING: Auto Scaling Groups

Links:

Getting Started with Auto Scaling

Things to Know

Elastic Load Balancer (ELB) Essentials

- Load balancing (as a concept) is a common method used for distributing incoming traffic among servers

- An Elastic Load Balancer is an EC2 service that automates the process of distributing incoming traffic (evenly) to all the instances that are associated with the ELB

- An elastic load balancer can load balance traffic to multiple EC2 instances located across multiple availability zones

-- This allows for highly available and fault tolerant architecture

- Elastic load balancing should be paired with Auto Scaling to enhance high availability and fault tolerance, AND allow for automated scalability and elasticity

- An ELB has its own DNS record set that allows for direct access from the open internet

Other important ELB facts:

- When used within a VPC, an ELB can act as an internal load balancer and load balance to internal EC2 instances on private subnets (as often done with multi-tier applications)

- ELBs will automatically stop serving traffic to an instance that becomes unhealthy (via health checks)

- An ELB can help reduce compute power on an EC2 instance by allowing for an SSL certificate to be applied directly to the elastic load balancer

Classic Elastic Load Balancer:

- A “classic” elastic load balancer is designed for   simple   balancing of traffic to multiple EC2 instances

- There are no granular routing “rules” - all instances get routed to evenly, and no special routing request can be made based on a specific content request from the user

- Classic load balancing is best used when all instances (that are being served traffic) contain the same data

Image: Classic ELB (all instances have the same content)

Application Elastic Load Balancer:

- An “Application” elastic load balancer is designed for complex balancing of traffic to multiple EC2 instances using content-based “rules”

- Content-based rules (set up on the listener) can be configured using:

-- Host-based rules: Route traffic based on the host field of the HTTP header

-- Path-based rules: Route traffic based on the URL path of the HTTP header

-- This allows you to structure your applications as smaller services, and even monitor/auto-scale based on traffic to specific “target groups”

- An Application ELB also supports ECS Containers, HTTPS, HTTP/2, WebSockets, Access Logs, Sticky Sessions, and AWS WAF (Web Application Firewall)

Image: Application ELB

Quiz

Q: What best describes the purpose of an Elastic Load Balancer?

A: To evenly distribute traffic among multiple EC2 instances in separate Availability Zones.

E: An ELB is used BEST when it is distributing traffic to EC2 instances located in separate Availability Zones. This provides for higher availability and is more fault tolerant than distributing traffic to EC2 instances in the same AZ.

Q: If you want to create architecture that meets the minimum requirement for high availability and fault tolerance, which option would you choose?

A: An ELB distributing traffic to an Auto Scaling group that has a minimum of two instances that are located in separate Availability Zones.

E: Having a minimum of two instances is required in case one of them fails and is no longer "available." Two AZs are required in case one of them fails and is no longer "available." Auto Scaling is required so that failed instances will be automatically terminated and replaced with a healthy instance, OR to increase the number of instances if demand increases (improving availability and fault tolerance).

Q: What happens when an EC2 instance that is being served traffic from an ELB becomes unhealthy?

A: The ELB will stop serving traffic to it and divert its traffic to a healthy instance.

E: The ELB will stop serving traffic to it and divert its traffic to a healthy instance, as this is all it can do. It is Auto Scaling which can take an unhealthy instance, terminate it, and replace it with a new instance.

Q: What best describes a scaling policy?

A: A set of CloudWatch metric thresholds that dictate when to add or remove instances from the Auto Scaling group.

E: Scaling policies belong to the Auto Scaling group. The policies themselves dictate (via chosen CloudWatch metrics thresholds) when instances should be added or removed.

T: An SSL certificate can be applied to an ELB.

E: You can apply an SSL certificate to an ELB and have that as the central point for your secure connection before passing the traffic on to subsequent EC2 instances.

T: Elasticity is a primary benefit of using Auto Scaling.

E: Auto Scaling provides elasticity to your architecture by automating the process of easily scaling up OR down the number of instances being used by your application.

Q: What is the proper solution you should enact to prevent your application from crashing due to a sudden increase in demand?

A: Auto Scaling

E: Auto Scaling is what provides your architecture with the ability to automate the process of adding more instances to avoid crashes (due to sudden increase in demand). Scaling policies are PART of Auto Scaling but are not the overall solution.

T: An ELB can serve traffic to instances located inside a private subnet.

E: Placing instances in a private subnet creates a higher level of security for the data stored on them. By using an ELB, the ELB can take public traffic from the open Internet and route into private subnets (and back out).

T: Target Groups allow us to assign different sets of EC2 instances different traffic using content-based rules in an Application Elastic Load Balancer

E: Target Groups are where we assign different sets of EC2 instances to receive traffic in an Application Load Balancer. Launch Configurations and AutoScaling Groups can be used with either Load Balancing type.

Q: What are the   two main components of AWS Auto Scaling ?

A: Launch configuration and Auto Scaling groups

E: A launch configuration is an EC2 template that will be used by the Auto Scaling group. The Auto Scaling group holds the rules that govern when instances will be provisioned or terminated.

T: It is Auto Scaling that contains scaling policies (which dictate the CloudWatch thresholds for adding/removing instances), not Elastic Load Balancer.

Q: You are designing an environment that requires a complex balancing of traffic to EC2 instances using content-based rules, such as host-based or path-based. Which of the following AWS services would you choose?

A: Application Elastic Load Balancer

E: Application Elastic Load Balancers allow us to configure content-based rules (host-based or path-based) and balance traffic according to them.

Physical & Networking Layer: Highly Available & Fault Tolerant

Image: Physical & Networking Layer: Highly Available & Fault Tolerant

Notes on: Linux Academy: AWS CSAA: 8) Advanced Networking: Advanced VPC Networking for Increased Security
Just a place to put some notes on the “AWS Certified Solutions Architect - Associate (New!)” course from https://linuxacademy.com

AWS Console Screenshots
A Bastion Host is an EC2 instance that lives in a public subnet, and is used as a “gateway” for traffic that is destined for instances that live in private subnets.

NAT Gateway:
AWS Services > Networking & Content Delivery > VPC
NAT Gateways
Create a NAT Gateway

Image: Create a NAT Gateway

Things to Know

Bastion Host:

- A Bastion Host is an EC2 instance that lives in a public subnet, and is used as a “gateway” for traffic that is destined for instances that live in private subnets
- This means that we can use a bastion host as a “portal” to access EC2 instances that are located in a private subnet
- A bastion host is considered the “critical strong point” of the network - as all traffic must pass through it first
- A bastion host should have increased and extremely tight security (usually with extra 3rd party security and monitoring software installed)
- A bastion host can be used as an access point to “ssh” into an internal network (to access private resources) without a VPN (virtual private network)

“A system identified by the firewall administrator as a critical strong point in the network’s security. Generally, bastion hosts will have some degree of extra attention paid to their security, may undergo regular audits, and may have modified software” - Marcus J Ranum

NAT Gateway:

- A NAT Gateway is designed to provide EC2 instances that live in a private subnet with a route to the internet (so they can download software packages and updates)
- A NAT Gateway will prevent any hosts located outside of the VPC from initiating a connection with instances that are associated with it
- A NAT Gateway will only allow incoming traffic through if a request for it originated from an instance in a private subnet
- A NAT Gateway is needed because instances launched into private subnets can’t communicate with the open internet
- Placing instances in a private subnet creates a higher level of security, but also creates the limitation of the instances not being able to download software and software updates

A NAT Gateway MUST:
- Be created in a public subnet
- Be part of the private subnet's route table
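A small model of VPC route tables, as an added example that is not from the course or these notes. It covers the earlier VPC Basics items (a subnet is public only when its route table sends 0.0.0.0/0 to the IGW, and the local route every table carries is what lets all subnets in a VPC reach each other) together with the two NAT Gateway requirements just listed, and it reports the failure modes those requirements guard against: a private subnet with no 0.0.0.0/0 route, and a NAT gateway that was created in a subnet without its own route to the IGW. Subnet ids, gateway ids and CIDRs are constructed, and the `Vpc` class with its methods is this example's own.

```python
"""Added example (not from the course notes): a small model of VPC route tables.
Subnet ids, gateway ids and CIDRs are constructed."""
from ipaddress import ip_address, ip_network

INTERNET_PROBE = "198.51.100.1"  # any address outside the VPC stands in for 'the Internet'


class Vpc:
    def __init__(self, cidr):
        self.cidr = cidr
        self.subnets = {}       # subnet id -> {"cidr": ..., "routes": [(dest, target), ...]}
        self.nat_gateways = {}  # NAT gateway id -> subnet it was created in

    def add_subnet(self, subnet_id, cidr, routes=()):
        """Every route table gets the implicit 'local' route for the VPC CIDR,
        which is why all subnets in a VPC can reach each other."""
        self.subnets[subnet_id] = {"cidr": cidr,
                                   "routes": [(self.cidr, "local")] + list(routes)}

    def add_nat_gateway(self, nat_id, subnet_id):
        self.nat_gateways[nat_id] = subnet_id

    def lookup(self, subnet_id, dest_ip):
        """Longest-prefix match over the subnet's route table; None if no route."""
        addr = ip_address(dest_ip)
        best = None
        for dest, target in self.subnets[subnet_id]["routes"]:
            net = ip_network(dest)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return best[1] if best else None

    def is_public(self, subnet_id):
        """Public means: the default route points at an internet gateway."""
        target = self.lookup(subnet_id, INTERNET_PROBE)
        return target is not None and target.startswith("igw-")

    def internet_path(self, subnet_id):
        """Classify a subnet's path to the Internet and say why:
        'public' (IGW), 'private-nat' (usable NAT gateway) or 'isolated'."""
        target = self.lookup(subnet_id, INTERNET_PROBE)
        if target is None or target == "local":
            return "isolated", "no 0.0.0.0/0 route; add one to an IGW or NAT gateway"
        if target.startswith("igw-"):
            return "public", f"default route -> {target}"
        if target.startswith("nat-"):
            nat_subnet = self.nat_gateways.get(target)
            if nat_subnet is None:
                return "isolated", f"{target} does not exist in this VPC"
            if not self.is_public(nat_subnet):
                return "isolated", f"{target} sits in {nat_subnet}, which has no route to an IGW"
            return "private-nat", f"default route -> {target} in public subnet {nat_subnet}"
        return "isolated", f"unrecognised target {target}"


def build_example():
    """Constructed three-subnet VPC: public web tier, NAT-backed app tier, isolated DB tier."""
    vpc = Vpc("10.0.0.0/16")
    vpc.add_subnet("subnet-public", "10.0.1.0/24", [("0.0.0.0/0", "igw-0a1b2c3d4e5f67890")])
    vpc.add_subnet("subnet-app", "10.0.2.0/24", [("0.0.0.0/0", "nat-0a1b2c3d4e5f67890")])
    vpc.add_subnet("subnet-db", "10.0.3.0/24")
    vpc.add_nat_gateway("nat-0a1b2c3d4e5f67890", "subnet-public")
    return vpc


if __name__ == "__main__":
    vpc = build_example()
    for sid in vpc.subnets:
        print(sid, *vpc.internet_path(sid))
    # subnets still reach each other over the local route, regardless of Internet access
    print("subnet-db -> 10.0.1.5 via", vpc.lookup("subnet-db", "10.0.1.5"))
```

Moving the NAT gateway into `subnet-db` (which has only the local route) turns `subnet-app` from `private-nat` to `isolated`, which is exactly the "NAT Gateway is configured but instances still cannot download packages" symptom: the gateway exists, but either it or the private subnet's table lacks the route that makes the path work.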

NAT Instance:

- A NAT Instance is identical to a NAT gateway in its purpose
- However, it is implemented differently, by configuring an actual EC2 instance to do the same job
- A NAT Instance is starting to become more of a legacy feature in AWS

Quiz
Q: You work for a company that has been experiencing attacks on its network. Management has asked that you design a solution that will provide increased security for EC2 instances containing sensitive data, while still allowing employees to access the data when needed. Which of the following suggestions is best?
A: Place the EC2 instances into private subnets, and set up a bastion host so employees can access them.
E: Placing EC2 instances into private subnets is a great way to increase their security, since they will no longer be directly accessible from any host outside of the VPC. Adding a bastion host to the architecture will allow authorized users to gain access to the internal resources (instances in private subnets) while providing an additional "hardened" layer of security.

Q: You have provisioned several EC2 instances into private subnets; however, you now have the problem of not being able to download any new software packages or updates. Which of the following provides the best solution?
A: Create a NAT Gateway in a public subnet and create a route to it in the route table associated with the private subnets.
E: A NAT gateway provides the most secure solution for granting EC2 instances in a private subnet the ability to download software packages. However, the NAT gateway MUST be placed in a public subnet, and a route to it must be created in the route table associated with the private subnets.

Q: What are two primary requirements of a NAT Gateway (or NAT instance)?
A: A NAT gateway must be provisioned into a public subnet, and it must be part of the private subnet's route table.
E: A NAT gateway must be provisioned into a public subnet (so that it has a route to the internet), and it must be part of the private subnet's route table (so that the private instances have a route to the NAT gateway). A NAT gateway does not require a bastion host to work (but can be used in combination).

T: A NAT Gateway will only allow return traffic if that traffic has been specifically asked for by an internal resource.
E: A NAT Gateway will not allow any unsolicited traffic through. All traffic that passes through it MUST have been asked for by a resource inside the VPC.

Q: What best describes the difference between a bastion host and a NAT gateway?
A: A bastion host is used as a "gateway" for traffic that is destined for instances located in a private subnet, whereas a NAT gateway provides instances in a private subnet with a route to the Internet.
E: A bastion host is used as a "gateway" for traffic that is destined for instances located in a private subnet, whereas a NAT gateway provides instances in a private subnet with a route to the Internet. A NAT does provide protection for instances in a private subnet, but its primary goal is to allow instances in the private subnet a route to the Internet (to download software packages).

AWS Physical & Networking Layer: Bastion Host & NAT Networking
Image: AWS Physical & Networking Layer: Bastion Host & NAT Networking

Notes on: Linux Academy: AWS CSAA: 9) Advanced Networking: Network Connectivity Troubleshooting
Just a place to put some notes on the “AWS Certified Solutions Architect - Associate (New!)” course from https://linuxacademy.com

Common Issues

EC2 Troubleshooting:
Connectivity issues to an EC2 instance
- Correct ports on the security group may not be open

Cannot attach an EBS volume to an EC2 instance
- EBS volumes must live in the same availability zone as the EC2 instance they are attached to
- You can create a snapshot from the volume and launch the volume in the correct availability zone

Cannot launch additional instances
- You have probably reached the EC2 limit and need to contact AWS to increase the limit

Unable to download package updates
- The EC2 instance may not have a public/Elastic IP address, and/or does not belong to a public subnet

Applications seeming to slow down on T2 micro instances
- T2 micro instances utilize CPU credits (for “burstable” processing), so chances are your application is using too much processing power and needs a larger instance or a different instance type

AMI unavailable in other regions
- AMIs are only available in the region in which they are created
- An AMI can be copied to another region but will receive a new AMI id

“Capacity error” when attempting to launch an instance in a placement group
- Start and stop all the instances in the placement group (AWS tries to locate them as close as possible)

VPC Troubleshooting:
New EC2 instances are not automatically being assigned a public IP address
- Modify the Auto-Assign Public IP setting on the subnet

NAT Gateway is configured but instances inside a private subnet still cannot download packages
- Need to add a 0.0.0.0/0 route to the NAT gateway on the route table for the private subnets

Traffic is not making it to the instances even though security group rules are correct
- Check the Network Access Control Lists to ensure the proper ports from the proper sources are open (also check your IGW and route table settings)

Error when attempting to attach multiple internet gateways to a VPC
- Only one internet gateway can be attached to a VPC at any given time

Error when attempting to attach multiple Virtual Private Gateways to a VPC
- Only one Virtual Private Gateway can be attached to a VPC at any given time

VPC Security group (for EC2 instances) does not have enough rules for the required application
- Assign the EC2 instance to multiple security groups

Cannot SSH/communicate with resources inside of a private subnet- Either you have not setup a VPN, or you have not connected to an EC2 instance (Bastion host) within the VPC to launch a connection from

Successful site-to-site VPN connection but unable to access extended resources- Need to add on-premise routes to the Virtual Private Gateway route table

Failure to create a VPC peering connection between two VPC’s in different regions- Peering connections can only be created between two VPC’s in the same region

ELB Troubleshooting:
Load balancing is not occurring between instances in multiple availability zones
- Make sure “Enable Cross-Zone Load Balancing” has been selected

Instances are healthy but are not registering as healthy with the ELB
- Check the “health check” configuration to make sure you have selected the proper ping protocol, ping port, and ping path

The ELB is configured to listen on port 80, but traffic is not reaching the instances that belong to the ELB
- You may have mistaken the “Listeners” for the security group. Listeners are not the same as security group rules: port 80 also needs to be open on the security group that the ELB is using.

Access logs on web servers show the IP address of the ELB, not the source of the traffic
- Enable Access Logs to Amazon S3 (found under “Attributes”)

Unable to add instances from a specific subnet to the ELB
- Most likely the subnet that the instance lives in has not been added to the ELB’s configuration

Auto Scaling Troubleshooting:
An Auto Scaled instance continues to start and stop (or create/terminate) in short intervals
- The scale-up and scale-down thresholds may be too close to each other. Either raise the scale-up threshold or lower the scale-down threshold.

Auto Scaling does not occur even though scaling policies are configured correctly
- The “max” number of instances set in the Auto Scaling group may have been reached

Quiz: Connectivity Troubleshooting Quiz
T: You cannot peer two VPCs that are located in different AWS regions.

T: NACLs are the security layer for a subnet (not security groups).

Q: You have just provisioned a fleet of EC2 instances and realized that none of them have a public IP address. What settings would need to be changed for the next fleet of instances to be created with public IP addresses?
A: Modify the auto-assign public IP setting on the subnet.
E: The auto-assigning of IP addresses resides in the settings of the SUBNET you are provisioning the instances in. By default, new subnets have auto-assign IP addresses disabled.

Q: You have an application currently running on five EC2 instances as part of an Auto Scaling group. For the past 30 minutes all five instances have been running at 100% CPU utilization; however, the Auto Scaling group has not added any more instances to the group. What is a likely cause?
A1: The Auto Scaling group's MAX size is set at five
A2: You already have 20 on-demand instances running


E: The number of instances in an Auto Scaling group cannot exceed its set MAX limit, regardless of scale-up policies. Also, unless you request an increase from AWS, you cannot have more than 20 on-demand instances running at one time.

T: There can be many reasons why you cannot download software packages besides the instance being provisioned in a private subnet. For example, creating an instance without a public IP address or not having the proper ports open on the security group can cause issues downloading software.

Q: You are using a T2 instance type and are starting to notice that most of the time your application is running very slowly. What would be an appropriate course of action?
A: Move the application to a large instance type.
E: T2 instance types rely on "burstable" CPU credits for processing power. If your application is constantly using all the CPU credits, then you may experience slowdowns when you run out of credits. The solution would be to move the application to an instance running a large instance type.

Q: You are running an analysis on traffic that is accessing your web application. However, you notice that the IP address for every visitor is the IP address of the Elastic Load Balancer. How should you fix this problem so that the logs reflect the IP address of the originating host?
A: Enable access logs on the ELB and store them in an S3 bucket.

Q: You have an ELB distributing traffic to a fleet of EC2 instances inside your VPC, evenly spread across two Availability Zones. However, you realize that only half of the instances are actually receiving traffic. What is the most likely cause of this problem?
A: Cross-zone load balancing has not been enabled.
E: Cross-zone load balancing must be enabled for the ELB to serve traffic evenly to all instances in all associated Availability Zones.

Q: If you have an EBS volume in Availability Zone us-east-1d and you want to attach it to an EC2 instance in Availability Zone us-east-1a, what procedure should you follow?
A: Create a snapshot of the volume in us-east-1d, then create a new volume from the snapshot, choosing to place it in us-east-1a. Attach the new volume to the instance.
E: EBS volumes cannot be used across Availability Zones; however, since snapshots are stored in S3, new volumes can be created from a snapshot and placed into any Availability Zone.

T: A VPC can only have one IGW attached to it at a time.

Notes on: Linux Academy: AWS CSAA: 10) Storage Services: S3 (Simple Storage Service)
Just a place to put some notes on the “AWS Certified Solutions Architect - Associate (New!)” course from https://linuxacademy.com

Expanding on: AWS Essentials: S3

Documentation
https://aws.amazon.com/documentation/s3/

Things to Know

S3 Essentials:
- As AWS’ main storage service, S3 can serve many purposes when designing highly available, fault tolerant, and secure application architecture, including:
-- Bulk (basically unlimited) static object storage


-- Various storage classes to optimize cost vs. needed object availability/durability
-- Object versioning
-- Access restrictions via S3 bucket policies/permissions
-- Object management via lifecycle policies
-- Origin for CloudFront CDN
-- File shares and backup/archiving for hybrid networks (via AWS Storage Gateway)

Important S3 Facts:
- Objects stay within an AWS region and are synced across all AZs for extremely high availability and durability
- You should always create an S3 bucket in a region that makes sense for its purpose:
-- Serving content to customers
-- Sharing data with EC2

S3 Read Consistency Rules:
- ALL regions now support read-after-write consistency for PUTs of new objects into S3
-- Objects are immediately available after “putting” a new object into S3
- All regions use eventual consistency for PUTs overwriting existing objects and DELETEs of objects

S3 Buckets:
- Buckets are the main storage container of S3; they contain a grouping of information and have sub-namespaces similar to folders (called folders)
- Tags can be used to organize buckets (i.e. tag based on the application the bucket belongs to)
- Each bucket must have a unique name across ALL of AWS
- Bucket limitations:
-- Only 100 buckets can be created in an AWS account at a time
-- Bucket ownership cannot be transferred once a bucket is created
-- Bucket names must be in lowercase

S3 Objects:
- Objects are static files that contain metadata information:
-- A set of name-value pairs
-- Contain information specified by the user, and AWS information such as storage type
- Each object must be assigned a storage type, which determines the object’s availability, durability, and cost
- By default, all objects are private
- Objects can:
-- Be as small as 0 bytes and as large as 5 TB
-- Have multiple versions (if versioning is enabled)
-- Be made publicly available via a URL
-- Automatically switch to a different storage class or be deleted (via lifecycle policies)
-- Be encrypted
-- Be organized into “sub-namespaces” called folders

Object Encryption:
- SSE (Server Side Encryption):
-- S3 can encrypt the object before saving it on the partitions in the data centers and decrypt it when it is downloaded
-- AES-256
- Or you can use your own encryption keys:
-- Considered client side encryption, where you encrypt the data before upload
- SSL-terminated endpoints for the API

S3 Folders:
- For simplicity, S3 supports the concept of “folders”
- This is done only as a means of grouping objects


- Amazon S3 does this by using key-name prefixes for objects

Amazon S3 has a flat structure; there is no hierarchy like you would see in a typical file system.

S3 Permissions:
- All buckets and objects are private by default; only the resource owner has access
- The resource owner can grant access to the resource (buckets/objects) through S3 “resource based policies”, OR access can be granted through a traditional IAM user policy
- Resource based policies (for S3) are:

+ Bucket policies
-- Are policies that are attached only to the S3 bucket (not to an IAM user)
-- The permissions in the policy are applied to all objects in the bucket
-- The policy specifies what actions are allowed or denied for a particular user of that bucket, such as:
--- Granting access to an anonymous user
--- Who (a “principal”) can execute certain actions like PUT or DELETE
--- Restricting access based on IP address (generally used for CDN management)

+ S3 access control lists
-- Grant access to users in other AWS accounts or to the public
-- Both buckets and objects have ACLs
-- Object ACLs allow us to share an S3 object with the public via a URL link
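Added example (my own, not from the course): a bucket policy that does two of the things listed above, allowing anonymous GetObject only from one IP range and denying any request not sent over TLS, plus a small evaluator that shows how an explicit Deny beats an Allow. The policy document uses the standard IAM policy language; the evaluator is a simplified model covering only the condition keys used here. The bucket name and CIDR are constructed.

```python
import json
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

BUCKET = "example-notes-bucket"   # constructed bucket name
OFFICE_CIDR = "203.0.113.0/24"    # constructed source range (documentation prefix)


def build_policy(bucket, allowed_cidr):
    """Anonymous reads are allowed only from allowed_cidr; any request that
    is not sent over TLS is explicitly denied, whoever the caller is."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowReadFromOffice",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {"IpAddress": {"aws:SourceIp": allowed_cidr}},
            },
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def policy_json(bucket=BUCKET, allowed_cidr=OFFICE_CIDR):
    """The document as you would paste it into the bucket's policy editor."""
    return json.dumps(build_policy(bucket, allowed_cidr), indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(statement, action, resource, ctx):
    """Does this statement apply to the request? ctx carries the request
    context the conditions look at: source_ip and aws:SecureTransport."""
    if not any(fnmatchcase(action, a) for a in _as_list(statement["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(statement["Resource"])):
        return False
    cond = statement.get("Condition", {})
    if "IpAddress" in cond:
        if ip_address(ctx["source_ip"]) not in ip_network(cond["IpAddress"]["aws:SourceIp"]):
            return False
    for key, wanted in cond.get("Bool", {}).items():
        if str(ctx.get(key, False)).lower() != wanted:
            return False
    return True


def is_allowed(policy, action, resource, ctx):
    """Simplified evaluation: an explicit Deny always wins, an Allow is
    needed for access, and with neither the default is deny."""
    allowed = False
    for statement in policy["Statement"]:
        if not _statement_matches(statement, action, resource, ctx):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    print(policy_json())
    policy = build_policy(BUCKET, OFFICE_CIDR)
    obj = f"arn:aws:s3:::{BUCKET}/report.pdf"
    print(is_allowed(policy, "s3:GetObject", obj,
                     {"source_ip": "203.0.113.10", "aws:SecureTransport": True}))
```

The same object read succeeds from the office range over TLS, fails from any other address (no matching Allow), and fails from the office over plain HTTP even though the Allow matches, because the Deny statement matches too.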

S3 Storage Classes:
- A storage class represents the “classification” assigned to each object in S3. Current storage class types include:
-- Standard
-- Reduced Redundancy Storage (RRS)
-- Infrequent Access (S3-IA)
-- Glacier

- Each storage class has varying attributes that dictate things like:
-- Storage cost
-- Object availability
-- Object durability
-- Frequency of access (to the object)

+ Standard:
- Designed for general, all-purpose storage
- Is the default storage option
- 99.999999999% object durability (“eleven nines”)
- 99.99% object availability
- Is the most expensive storage class

+ Reduced Redundancy Storage (RRS):
- Designed for non-critical, reproducible objects
- 99.99% object durability
- 99.99% object availability
- Is less expensive than the Standard storage class

+ Infrequent Access (S3-IA):
- Designed for objects that you do not frequently access, but that must be immediately available when accessed
- 99.999999999% object durability
- 99.90% object availability
- Is less expensive than the Standard/RRS storage classes


+ Glacier:
- Designed for long-term archival storage (not to be used for backups)
- May take several hours for objects stored in Glacier to be retrieved
- 99.999999999% object durability
- Is the cheapest S3 storage class (very low cost)

Glacier:
- Amazon Glacier is an archival storage type
- Used for data that is NOT accessed frequently
- “Check out” and “check in” jobs can take several hours, meaning it can take that long for the data to be changed and/or retrieved
- Integrates with Amazon S3 lifecycle policies for easy archiving
- Very inexpensive and cost effective archival storage solution
- Glacier should NOT be used as a backup solution

NOTE: Glacier now offers three levels of data retrieval (pricing varies):
- Expedited: 1-5 minutes
- Standard: 3-5 hours
- Bulk: 5-12 hours

S3 Versioning:
- S3 versioning is a feature to manage and store all old/new/deleted versions of an object
- By default, versioning is disabled on all buckets/objects
- Once versioning is enabled, you can only “suspend” versioning (it cannot be fully disabled)
- Suspending versioning only prevents new versions from being created. All objects with existing versions will maintain their older versions.
- Versioning can only be set at the bucket level and applies to ALL objects in the bucket
- Lifecycle policies can be applied to specific versions of an object
- Versioning and lifecycle policies can both be enabled on a bucket at the same time
- Versioning can be used with lifecycle policies to create a great archiving and backup solution in S3

Lifecycle Policies:
An object lifecycle policy is a set of rules that automate the migration of an object’s storage class to a different storage class (or its deletion) based on specified time intervals:
- By default, lifecycle policies are disabled on a bucket/object
- Are customizable to meet your company’s data retention policies
- Great for automating the management of object storage and for being more cost efficient
- Can be used with versioning to create a great archiving and backup solution in S3

Example:
(1) I have a work file that I am going to access every day for the next 30 days
(2) After 30 days, I may only need to access that file once a week for the next 60 days
(3) After which (90 days total) I will probably never access that file again, but want to keep it just in case
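Added example (my own, not from the course): the lifecycle rule that implements the 30/60/90-day scenario above, in the shape of an S3 lifecycle configuration (Standard for 30 days, Standard-IA for the next 60, Glacier after 90, no expiration because the file is kept "just in case"), with a validator for the constraints S3 enforces on transitions (a minimum of 30 days in Standard before Standard-IA, transitions in ascending day and class order) and a helper that tells you where an object of a given age would sit. The key prefix is constructed.

```python
MIN_DAYS_BEFORE_IA = 30  # S3 rule: at least 30 days in Standard before STANDARD_IA
# Order in which lifecycle transitions may move an object (never back up)
CLASS_ORDER = ["STANDARD", "STANDARD_IA", "GLACIER"]


def work_file_rule(prefix="work-files/"):
    """Day 0-29: Standard; day 30-89: Standard-IA; day 90 on: Glacier.
    No Expiration element, so the object is kept indefinitely."""
    return {
        "ID": "work-file-archiving",
        "Filter": {"Prefix": prefix},   # constructed prefix
        "Status": "Enabled",
        "Transitions": [
            {"Days": 30, "StorageClass": "STANDARD_IA"},
            {"Days": 90, "StorageClass": "GLACIER"},
        ],
    }


def validate_rule(rule):
    """Return a list of problems; an empty list means the rule is acceptable."""
    problems = []
    last_day, last_rank = -1, 0
    for t in rule.get("Transitions", []):
        rank = CLASS_ORDER.index(t["StorageClass"])
        if t["StorageClass"] == "STANDARD_IA" and t["Days"] < MIN_DAYS_BEFORE_IA:
            problems.append(
                f"STANDARD_IA transition at day {t['Days']} is below the "
                f"{MIN_DAYS_BEFORE_IA}-day minimum")
        if t["Days"] <= last_day or rank <= last_rank:
            problems.append(
                f"transition to {t['StorageClass']} at day {t['Days']} is out of order")
        last_day, last_rank = t["Days"], rank
    if "Expiration" in rule and rule["Expiration"]["Days"] <= last_day:
        problems.append("expiration must come after the last transition")
    return problems


def storage_class_on_day(rule, age_days):
    """Storage class an object matching the rule has after age_days,
    or None once an Expiration has deleted it."""
    if "Expiration" in rule and age_days >= rule["Expiration"]["Days"]:
        return None
    current = "STANDARD"
    for t in rule["Transitions"]:
        if age_days >= t["Days"]:
            current = t["StorageClass"]
    return current


if __name__ == "__main__":
    rule = work_file_rule()
    print(validate_rule(rule))
    for day in (0, 29, 30, 89, 90, 400):
        print(day, storage_class_on_day(rule, day))
```

The validator is worth running before uploading a configuration: a rule that moved objects to Standard-IA at day 7 would be rejected by S3, and a second rule with an Expiration earlier than its last transition would never reach the cheaper class.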

S3 Event Notifications:
- S3 event notifications allow you to set up automated communication between S3 and other AWS services when a selected event occurs in an S3 bucket

- Common event notification triggers include:
-- RRSObjectLost (used for automating the recreation of lost RRS objects)
-- ObjectCreated (for all, or for the following specific APIs called)
--- Put
--- Post


--- Copy
--- CompleteMultiPartUpload

- Event notifications can be sent to the following AWS services:
-- SNS
-- Lambda
-- SQS Queue

Note: RRS objects might be things like thumbnails.

S3 Static Web Hosting:
- Amazon S3 provides an option for a low-cost, highly reliable web hosting service for static websites (content that does not change frequently)
- When enabled, static web hosting will provide you with a unique endpoint (URL) that you can point to any properly formatted file stored in an S3 bucket. Supported formats include:
-- HTML
-- CSS
-- JavaScript
- Amazon Route 53 can also map human-readable domain names to static web hosting buckets, which are ideal for DNS failover solutions

Cross-Origin Resource Sharing (CORS):
- CORS is a method of allowing a web application located in one domain to access and use resources in another domain
- This allows web applications running JavaScript or HTML5 to access resources in an S3 bucket without using a proxy server
- For AWS, this (commonly) means that a web application hosted in one S3 bucket can access resources in another S3 bucket

Image: CORS configuration
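Added example (my own, not the course's configuration): a CORS configuration for the bucket-to-bucket case above, in the JSON shape S3 uses, together with a small matcher that shows which browser origins and methods the rules admit and what CORS response headers the bucket would send back. The website endpoints and domains are constructed.

```python
from fnmatch import fnmatchcase

# Constructed CORS configuration for the bucket that holds shared assets.
CORS_CONFIG = {
    "CORSRules": [
        {
            # The static site bucket that is allowed to read assets from here
            "AllowedOrigins": ["http://my-site-bucket.s3-website-us-east-1.amazonaws.com"],
            "AllowedMethods": ["GET", "HEAD"],
            "AllowedHeaders": ["*"],
            "MaxAgeSeconds": 3000,
        },
        {
            # S3 permits a single '*' wildcard inside an allowed origin
            "AllowedOrigins": ["https://*.example.com"],
            "AllowedMethods": ["GET"],
            "AllowedHeaders": ["Authorization"],
            "MaxAgeSeconds": 300,
        },
    ]
}


def find_cors_rule(config, origin, method):
    """First rule that admits this (origin, method) pair, or None.
    Origins are compared as whole strings; '*' matches any run of characters."""
    for rule in config["CORSRules"]:
        origin_ok = any(fnmatchcase(origin, pattern) for pattern in rule["AllowedOrigins"])
        if origin_ok and method in rule["AllowedMethods"]:
            return rule
    return None


def cors_response_headers(config, origin, method):
    """Headers S3 adds to the response for a cross-origin request. With no
    matching rule there are none, and the browser refuses to expose the
    response to the page's JavaScript, which is the failure the quiz describes."""
    rule = find_cors_rule(config, origin, method)
    if rule is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(rule["AllowedMethods"]),
        "Access-Control-Max-Age": str(rule["MaxAgeSeconds"]),
    }


if __name__ == "__main__":
    site = "http://my-site-bucket.s3-website-us-east-1.amazonaws.com"
    print(cors_response_headers(CORS_CONFIG, site, "GET"))
    print(cors_response_headers(CORS_CONFIG, "https://evil.example.org", "GET"))
```

Keep AllowedOrigins as narrow as the application needs: a bare "*" origin makes every site on the internet able to read the bucket's objects from a visitor's browser.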

Single Operation Upload:
- A single operation upload is the “traditional” upload where you upload the file in one part
- A single operation upload can upload a file up to 5GB in size; however, any file over 100MB should use multipart upload

Multipart Upload:
- Multipart upload allows you to upload a single object as a set of parts
- Allows for uploading parts of a file concurrently
- Allows for stopping/resuming file uploads
- If transmission of any part fails, you can retransmit that part without affecting other parts
- After all parts of your object are uploaded, Amazon S3 assembles these parts and creates the object


- Required for objects 5GB and larger, and highly suggested for objects 100MB and larger
- Can be used to upload a file up to 5TB in size
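Added example (my own, not from the course): choosing between single operation and multipart upload using the size thresholds from these notes, then planning the parts. The 5 MB minimum part size and the 10,000-part maximum are S3's documented multipart limits and are not mentioned in the notes; the file sizes used are constructed.

```python
MB = 1024 ** 2
GB = 1024 ** 3
TB = 1024 ** 4

MULTIPART_RECOMMENDED = 100 * MB  # notes: use multipart above 100 MB
SINGLE_PUT_MAX = 5 * GB           # notes: single operation upload limit
OBJECT_MAX = 5 * TB               # notes: largest object S3 accepts
MIN_PART = 5 * MB                 # S3 limit: every part except the last is >= 5 MB
MAX_PARTS = 10_000                # S3 limit: parts per multipart upload


def choose_upload(size):
    """Which transfer method the notes' thresholds call for."""
    if size > OBJECT_MAX:
        raise ValueError("object exceeds the 5 TB S3 object size limit")
    if size > SINGLE_PUT_MAX:
        return "multipart (required)"
    if size > MULTIPART_RECOMMENDED:
        return "multipart (recommended)"
    return "single operation"


def plan_parts(size, part_size=8 * MB):
    """Return (number_of_parts, part_size). The part size grows when the
    requested one would need more than MAX_PARTS parts."""
    if part_size < MIN_PART:
        raise ValueError("part size is below S3's 5 MB minimum")
    parts = -(-size // part_size)          # ceiling division
    if parts > MAX_PARTS:
        part_size = -(-size // MAX_PARTS)
        parts = -(-size // part_size)
    return parts, part_size


def part_ranges(size, part_size):
    """Byte ranges (start, end_exclusive) for parts 1..n; only the last part
    may be smaller than part_size. A part whose transfer fails is re-sent
    from its own range without touching the others."""
    return [(start, min(start + part_size, size)) for start in range(0, size, part_size)]


if __name__ == "__main__":
    for size in (50 * MB, 500 * MB, 6 * GB):
        print(size // MB, "MB ->", choose_upload(size))
    print(plan_parts(500 * MB))
    print(part_ranges(20 * MB, 8 * MB))
```

For the quiz's 500MB file this returns "multipart (recommended)" and 63 parts of 8 MB; a 5 TB object is forced up to parts of roughly 524 MB so that it fits within 10,000 parts.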

AWS Import/Export:
- AWS Import/Export gives you the ability to take on-premise data and physically snail mail it to AWS (using a device that you own)
- AWS will import that data to S3, EBS, or Glacier within one business day of the physical device arriving at AWS
- Benefits:
-- Off-site backup policy
-- Quickly migrate LARGE amounts of data to the cloud (up to 16TB per job)
-- Disaster recovery (AWS will even take S3 data and ship it back to you)

Snowball:
- Snowball is a petabyte-scale data transport solution
- Snowball uses an AWS-provided secure transfer appliance
- Quickly move large amounts of data into and out of the AWS cloud

Storage Gateway:
- Connects local data center software appliances to cloud-based storage such as Amazon S3

Gateway-Cached Volumes
- Create storage volumes and mount them as iSCSI devices on the on-premise servers
- The gateway stores the data written to this volume in Amazon S3 and caches frequently accessed data on-premise in the storage device

Gateway-Stored Volumes
- Store all the data locally (on-premise) in storage volumes
- The gateway periodically takes snapshots of the data as incremental backups and stores them in Amazon S3

Quiz
T: S3 can be used as an option for low-cost, reliable web hosting for STATIC (not dynamic) web sites.

Q: Through what process are objects moved from the standard storage class to Glacier?
A: Lifecycle policies
E: Objects uploaded and stored using the standard storage class must use lifecycle policies to move them to Glacier.

T: All S3 buckets are private by default.

Q: You have a static web page hosted in an S3 bucket. Your requests for a file from a website in another S3 bucket keep failing. What is the most likely solution?
A: Enable CORS configuration on the S3 buckets
E: The S3 buckets are in different domains. CORS (cross-origin resource sharing) will allow the domains to share resources, so enabling CORS on the S3 buckets is the best solution.

T: The S3 infrequent access (S3-IA) storage class has object durability of 99.999999999% and availability of 99.90%
E: S3-IA has the same durability as S3 Standard but has slightly lower availability, since these objects are expected to be accessed much less frequently.


Q: You are currently running an application on AWS that hosts customers' photo albums. For each main photo uploaded, your application generates a thumbnail for use in the mobile version of the application. What is the most cost effective storage solution, while also providing the highest level of availability and durability?
A: Use the standard storage class for the main photos and the reduced redundancy storage class for the thumbnails.
E: Since the customers' main photos cannot be reproduced, storing them in the standard storage class will provide the highest level of availability and durability. The thumbnails can be easily reproduced from the main photos, so you can store them in reduced redundancy storage, which has lower durability but is cheaper than standard.

Q: If you need to upload a file to S3 that is 500MB in size, what data transit option should you use?
A: Multi-part upload
E: Multi-part upload should be used when uploading any file over 100MB in size (and is required for an object over 5GB in size, up to 5TB in size). Single operation upload may be used but is not recommended. Import/Export and Snowball are used for datasets that are larger than 5TB.

Q: Your company has petabytes of data that it wants to move from its on-premise network to AWS. What AWS solution should you use?
A: AWS Snowball
E: Snowball is a service provided by AWS for moving extremely large amounts (petabytes) of data into AWS.

Q: You work for a hospital that is required to store patients' medical records for a minimum of 10 years. Most of these records will never be accessed but must be made available upon request (within a few hours). What is the most cost-effective storage option?
A: Glacier
E: Glacier is an AWS solution for archival storage, which is designed for long-term storage of data that is very rarely accessed.

Q: What best describes what occurs when you suspend object versioning?
A: All existing objects retain their current and past versions, and no new versions are created when updated objects are uploaded.
E: When you suspend versioning, S3 retains all current and existing past versions. However, all new objects will overwrite the existing current version. No new versions will be created.

Q: What is the object durability and availability advertised by AWS for their S3 standard storage service?
A: Durability of 99.999999999% and availability of 99.99%
E: The S3 standard storage class is advertised as having object durability of 99.999999999% (known as 11 nines) and availability of 99.99%

Architecture Diagrams
Image: AWS Account & Services Layer (Storage Services)
AWS’s main storage service is S3. S3 has many different methods of importing, exporting, and syncing data with on-premise networks.


Notes on: Linux Academy: AWS CSAA: 11) Advanced DNS, CDN and Failover Networking
Just a place to put some notes on the “AWS Certified Solutions Architect - Associate (New!)” course from https://linuxacademy.com

Things to Know

Route 53 Essentials:
- Route 53 is a domain management service (DNS hosting solution) provided by AWS
- Key features include:
+ Domain Registration
-- Register domain names
+ Domain Name System (DNS) service
-- Translates friendly domain names into IP addresses
-- Amazon Route 53 responds to DNS queries using a global network of authoritative DNS servers, which reduces latency
+ Health Checking
-- Amazon Route 53 sends automated requests over the internet to your application to verify that it’s reachable, available, and functional

- Route 53 can manage external DNS for domain routing (routing to the proper AWS resources such as a CloudFront distribution, ELB, EC2 instance, or RDS server)
- Route 53 is commonly used with an ELB to direct traffic from the domain to the ELB (and thus have traffic evenly distributed among servers running your applications)
- Route 53 can also be used to manage internal DNS for custom internal hostnames within a VPC, as long as the VPC is configured for it
- Latency, GEO, basic, and failover routing policies allow for region-to-region fault tolerant architecture design
- You can easily configure failover to S3 (if website bucket hosting is enabled) or CloudFront


Route 53 Hosted Zones:
- A hosted zone stores DNS records for your domain
- Basically, it contains the rules (record sets) that tell Route 53 what to do with a DNS request

- There are both public and private hosted zones:
-- A public hosted zone is a container that holds information about how you want to route traffic on the Internet for a domain and its subdomains
-- A private hosted zone is a container that holds information about how you want to route traffic for a domain and its subdomains within one or more Amazon Virtual Private Clouds

- After you create a hosted zone for your domain, you can create resource record sets to tell the Domain Name System (DNS) how you want traffic to be routed for that domain
- Hosted zones come pre-populated with NS (name server) and SOA (start of authority) record sets

Route 53 Record Sets:
- Record sets are the instructions that actually match domain names to IP addresses
- Record sets are comprised of various options, including:
-- Record type
-- Standard/alias
-- Routing policy
-- Evaluate target health

Common record types include:
- A: Used to point a domain to an IPv4 address
- AAAA: Used to point a domain to an IPv6 address
- CNAME: Used to point a host/name to another host/name
- MX: Used to route email (mail exchange)

Alias Record Sets:
- Instead of an IP address (standard record sets), an alias record set contains a pointer to an AWS-specific resource, such as:
-- An Elastic Load Balancer
-- A CloudFront distribution
-- An Elastic Beanstalk environment
-- An Amazon S3 bucket that is configured as a static website

Routing Policy:
- Simple: Route all traffic to one endpoint
- Weighted: Route traffic to multiple endpoints (manual load balancing)
- Latency: Route traffic to an endpoint based on the user’s latency to the various endpoints
- Failover: Route traffic to a “secondary” endpoint if the “primary” is unavailable
- Geolocation: Route traffic to an endpoint based on the geographical location of the user

Evaluate Health Check:
- Can monitor the health of your application and trigger an action

S3 for DNS Failover:
- By using a failover routing policy in a Route 53 DNS record set, an S3 bucket can be used as a failover endpoint
- This can provide an extremely reliable backup solution if your primary endpoint fails
- And even though S3 should only be used for static web hosting, it gives you the opportunity to provide your users with some type of information until the primary endpoint is working again
- An S3 bucket can also be used as a primary endpoint, if you just want to host a simple static site
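Added example (my own, not code from the course or from AWS): a model of how the answer to a query is chosen under the Weighted and Failover routing policies above, with the health check result driving the failover to an S3 website bucket. The record values, weights and health results are constructed; the secondary's bucket name matches the domain name, as the note below requires.

```python
import random

# Constructed weighted record sets for one name: the 80/20 split from the
# migration scenario in the quiz.
WEIGHTED_SET = [
    {"name": "www.example.com", "value": "203.0.113.10", "weight": 80, "set_id": "on-prem"},
    {"name": "www.example.com", "value": "198.51.100.20", "weight": 20, "set_id": "aws"},
]

# Constructed failover record sets: an ELB as primary (health-checked) and a
# static website bucket named after the domain as the secondary.
FAILOVER_SET = [
    {"name": "www.example.com", "failover": "PRIMARY",
     "value": "elb-primary.example.invalid", "evaluate_health": True},
    {"name": "www.example.com", "failover": "SECONDARY",
     "value": "www.example.com.s3-website-us-east-1.amazonaws.com", "evaluate_health": False},
]


def weighted_answer(records, rng=random):
    """Pick one record with probability weight / sum(weights). A record with
    weight 0 is left out of rotation unless every record has weight 0."""
    total = sum(r["weight"] for r in records)
    if total == 0:
        return rng.choice(records)["value"]
    pick = rng.uniform(0, total)
    running = 0.0
    for r in records:
        running += r["weight"]
        if pick < running:
            return r["value"]
    return records[-1]["value"]


def failover_answer(records, healthy):
    """healthy maps a record value to the latest health-check result. The
    primary is answered while it is healthy (or not health-checked at all);
    otherwise the secondary is returned."""
    primary = next(r for r in records if r["failover"] == "PRIMARY")
    secondary = next(r for r in records if r["failover"] == "SECONDARY")
    if not primary["evaluate_health"] or healthy.get(primary["value"], False):
        return primary["value"]
    return secondary["value"]


def sample_weighted_split(records, n=10_000, seed=1):
    """Empirical share of answers per endpoint over n simulated queries."""
    rng = random.Random(seed)
    counts = {r["value"]: 0 for r in records}
    for _ in range(n):
        counts[weighted_answer(records, rng)] += 1
    return {value: count / n for value, count in counts.items()}


if __name__ == "__main__":
    print(sample_weighted_split(WEIGHTED_SET))
    print(failover_answer(FAILOVER_SET, {"elb-primary.example.invalid": True}))
    print(failover_answer(FAILOVER_SET, {"elb-primary.example.invalid": False}))
```

The simulated split lands close to 80/20 over many queries, which is the "manual load balancing" the notes describe; individual resolvers also cache answers for the record's TTL, so the split is only approximate over short windows.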


Note: For a DNS record to use an S3 bucket as an endpoint, the bucket name MUST be the same as the domain name.

CloudFront Essentials
- CloudFront is a global CDN which delivers content from an “origin” location (the source of the content) to an “edge” location (AWS CDN data center)
- An edge location allows the caching of static objects from the origin location
- An origin can be:
-- An S3 bucket
-- An Elastic Load Balancer that distributes requests among origin EC2 instances
- CloudFront can integrate with Route 53 for “alternate” CNAMEs
-- This allows you to create a URL such as http://cdn.mydomain.com that works with your distribution

CloudFront Benefits:
- Users experience lower latency and content load time
- Reduces load on your application’s resources (origin services), thus reducing cost

Updating Cached Files:
- Caching is done based on the object name
- In order to serve a new version of an object, either create a new object with a new name or create an “invalidation” on the CloudFront distribution based on the object name
- “Invalidations” have a cost, so if you have to invalidate a large CloudFront distribution then perhaps you should just create a new distribution and move the DNS names
- Cached objects can also be set with a specific expiration time/date, or set to not cache at all

Signing URLs:
- Signed URLs allow access to “private content” by creating a temporary, one-time-use URL based on the number of seconds you want it to be accessible
- Signed with an X.509 certificate

CloudFront Performance Considerations
- CloudFront performance can be affected by:

+ File size and type of file
+ Having to remake the request from the edge location to the origin
-- Downloading the object from the origin takes time
-- As does writing it to cache and responding to the end user request
-- The more requests that have to go to the origin, the higher the load is on your source, which can also cause latency and load performance issues

+ The edge location that the user’s request goes to is dependent upon a “DNS check” to determine the closest EDGE location, so slow DNS issues can cause performance issues

+ Query strings (requests to the origin to serve a specific object) reduce cache “hits”
-- This reduces performance because query strings are often unique, so they reduce cache hits and also require extra “work” in order to forward the request to the origin location

- CloudFront performance can be increased by:
-- Longer cache periods (less frequent requests to the source)
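Added example (my own, not from the course): a toy edge cache that makes the performance points above measurable. It counts origin fetches for the same request log under different settings: the cache expiration (TTL), whether query strings become part of the cache key, and what an invalidation does to cached copies. The request log is constructed.

```python
class EdgeCache:
    """Minimal model of one CloudFront edge location's cache."""

    def __init__(self, ttl_seconds, forward_query_strings):
        self.ttl = ttl_seconds
        self.forward_qs = forward_query_strings
        self._store = {}          # cache key -> (object, expiry time)
        self.origin_fetches = 0
        self.hits = 0

    def _key(self, path, query):
        # Caching is keyed on the object name; forwarding query strings makes
        # every distinct query string a separate cache entry.
        return (path, query) if self.forward_qs else (path, "")

    def get(self, path, query, now):
        key = self._key(path, query)
        entry = self._store.get(key)
        if entry is not None and now < entry[1]:
            self.hits += 1
            return entry[0]
        # Miss or expired: go back to the origin, then cache if the TTL allows
        self.origin_fetches += 1
        obj = f"origin:{path}"
        if self.ttl > 0:
            self._store[key] = (obj, now + self.ttl)
        return obj

    def invalidate(self, path):
        """Drop every cached variant of an object name, as an invalidation does."""
        for key in [k for k in self._store if k[0] == path]:
            del self._store[key]


# Constructed request log: (seconds since start, path, query string)
REQUESTS = [
    (0, "/logo.png", ""),
    (1, "/logo.png", ""),
    (2, "/logo.png", "v=1"),
    (3, "/logo.png", "v=2"),
    (10, "/logo.png", ""),
    (70, "/logo.png", ""),
]


def origin_fetches(ttl, forward_qs, requests=REQUESTS):
    """How many times the origin is hit for the log under these settings."""
    cache = EdgeCache(ttl, forward_qs)
    for now, path, query in requests:
        cache.get(path, query, now)
    return cache.origin_fetches


if __name__ == "__main__":
    print("ttl=60, ignore query strings :", origin_fetches(60, False))
    print("ttl=60, forward query strings:", origin_fetches(60, True))
    print("ttl=0  (no caching)          :", origin_fetches(0, False))
    print("ttl=3600                     :", origin_fetches(3600, False))
```

With a 60-second TTL the origin is hit twice; forwarding query strings doubles that because "v=1" and "v=2" are separate keys; a TTL of zero sends every request to the origin (the quiz's "cache expiration time is set to zero"), and a one-hour TTL serves the whole log from one fetch.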

Quiz: DNS, CDN, and Failover Quiz
Q: You are migrating your existing web application from your on-premise data center to the AWS cloud. As part of testing your AWS infrastructure, you only want 20% of traffic to hit AWS resources and the other 80% to hit your on-premise resources. What record set routing policy should you choose to accomplish this?
A: Weighted


E: A weighted routing policy allows for "manual" load balancing between different endpoints.

T: An alias record set contains a pointer to an AWS-specific resource.
E: An alias record set contains a pointer to an AWS-specific resource and is used to direct traffic to ELBs, CF distributions, and S3 buckets.

T: CloudFront caching is based on the object's file name (not its type).

Q: If you want to point a domain name to an AWS elastic load balancer in Route 53, how would you need to configure the record set?
A: Alias with a type "A" record set
E: You will need to configure the record set as a type "A" alias. An alias allows you to point the domain to an AWS-specific endpoint, such as an ELB, CloudFront distribution, or S3 bucket (as opposed to just an IPv4 address).

T: A public hosted zone should be used for routing Internet traffic for a domain, and a private hosted zone should be used for routing traffic within a VPC.

Q: What is a main benefit of using a CloudFront distribution?
A: Reduces load on your application's resources
E: Once an object is cached at an edge location, all other requests for that object will be handled by the edge location, not your application. This can significantly reduce the number of times your resources are hit.

Q: You have set up a CloudFront distribution but find that instead of each edge location serving up objects that should be cached, your application's origins are being hit for each request. What could be a possible cause of this behavior?
A: The cache expiration time is set to zero
E: If the cache expiration time is not set (or is set to zero), then CF will not cache objects at the edge location. This prompts the behavior where the edge location has to request the same object from the origin for each request.

Q: Your CloudFront distribution is performing well, but you are still getting too many requests at the origin locations. What could be one way to increase CloudFront performance?
A: Increase the cache expiration time
E: If your cache expiration times are too short, you may have requests from the edge location to the origin occurring when they are not required. If you increase the cache expiration time, you should experience fewer hits to the origin.

Q: What is an absolute rule when using an S3 bucket for Route 53 DNS failover?
A: The S3 bucket name must be the same as the domain name
E: To use an S3 bucket for Route 53 DNS failover, the bucket name must match the domain name.

T: A CloudFront origin is the source of the object, and an edge location is where the object is cached.

Architecture Diagrams
Image: Physical & Networking Layer - Networking


Image: Physical & Networking Layer - CloudFront

Notes on: Linux Academy: AWS CSAA: 12) Hybrid Environments and VPC Peering
Just a place to put some notes on the “AWS Certified Solutions Architect - Associate (New!)” course from https://linuxacademy.com


Things to Know

VPN Essentials:- A virtual private network enables the ability to extend a subnet from one geographic location to another geographic location on two separate networks- Extending the subnets allows the network at location “A” to communicate internally with all resources at location “B”- This is essentially “extending” the on-premise network to the cloud, or the cloud to the on-premise network

- For AWS, this allows us to communicate with all resources (like an EC2 instance) internally without the need for public IP addresses and an internet gateway
- It also provides an additional level of security by ensuring that traffic sent using the VPN is encrypted

- The VPN connection has two parallel routes (IPsec tunnels), which is for redundancy
- Only one Virtual Private Gateway can be attached to a VPC (just like only one IGW can be attached to a VPC)
- A VPC can have both a VPG and an IGW attached at the same time

Customer Gateways:
- A customer gateway is a physical device or software application at the on-premise location that acts as the “connector” to the VPN connection
- In your AWS account, the customer gateway component is where you configure the public IP (internet routable static IP) address of the physical device or software application at the on-premise location

Note: Both a VPG and a Customer Gateway are required to establish a VPN connection

VPN Connection:
- The VPN connection is the actual link between the virtual private gateway and the customer gateway
- This connection is set up and managed in AWS
- Each connection uses two IPsec tunnels for redundancy

Virtual Private Gateway (VPG):
- A virtual private gateway acts as the “connector” on the VPC (AWS) side of the VPN connection
- The VPG is connected to the VPC

Note: Both a VPG and a Customer Gateway are required to establish a VPN connection

Router:
- AWS has dispensed with the concept of having users physically set up and manage a “router”
- However, it is important to understand that route tables are actually part of a “router” assigned to your VPC

- When setting up a VPN, the route table (for the subnet you wish to extend) must include routes for the on-premise network that are used by the VPN, and point them to the Virtual Private Gateway

Direct Connect Essentials:
- AWS Direct Connect is a service that provides a dedicated network connection between your network and one of the AWS Direct Connect locations


- This is done through an authorized Direct Connect Provider (e.g. Verizon or other ISPs)
- Does not require hosting any router/hardware at the Direct Connect Partner location; it only requires a Direct Connect location and a participating backbone provider
- An AWS Direct Connect location provides access to the AWS region it is associated with
- It does not provide access to other AWS regions

Direct Connect Benefits:
+ Reduce network costs:
-- Reduce bandwidth commitment to corporate ISP over public internet
-- Data transferred over Direct Connect is billed at a lower rate by Amazon (data in/out)
+ Increase network consistency
-- Dedicated private connections reduce latency (over sending the traffic via public routing)
+ Dedicated private network connection to on-premise:
-- Connect the Direct Connect connection to a VGW in your VPC for a dedicated private connection from on-premise to VPC
-- Use multiple VIFs (Virtual Interfaces) to connect to multiple VPCs

Image: ‘Route w/out Direct Connect’ v ‘Route with Direct Connect’

Cross-network Connection (Cross Connect):
The physical connection between your network and the Direct Connect authorized partner, which then handles the routes and connections to AWS networks

Private Virtual Interface:
- A Private Virtual Interface allows you to interface with an AWS VPC
-- With automatic route discovery using BGP
-- Requires a public or private ASN
- Can only communicate with internal IP addresses inside of EC2
- Cannot access public IP addresses, as Direct Connect is NOT an internet provider
- This is a dedicated private connection which works like a VPN
- As a best practice, use two Direct Connect connections for active-active or active-failover availability
- You can also use a VPN as a backup to Direct Connect connections
- You can create multiple private virtual interfaces to multiple VPCs at the same time

Public Virtual Interface:
- A Public Virtual Interface allows you to use a Direct Connect connection to connect to public AWS endpoints:
-- Any AWS service (for example: DynamoDB and Amazon S3)
- Requires a public CIDR block range
- Even though we are accessing public endpoints, the connection still delivers consistent network performance, as the traffic is sent over your dedicated connection

Storage Gateway Essentials:
- Storage Gateway connects local data center software appliances to cloud based storage such as Amazon S3
- It does this through the Storage Gateway virtual appliance, which connects directly to your local infrastructure as a file server, a local disk volume, or as a virtual tape library (VTL)


- It can maintain frequently accessed data on-premises (providing low-latency performance) while storing all other data in:
-- S3
-- EBS
-- Glacier
- Storage Gateway also integrates your data with:
-- AWS encryption
-- Identity management
-- Monitoring

Gateway-Cached Volumes
- Create storage volumes and mount them as iSCSI devices on the on-premise servers
- The gateway will store the data written to this volume in Amazon S3 and will cache frequently accessed data on-premise in the storage device

Gateway-Stored Volumes
- Store all the data locally (on-premise) in storage volumes
- The gateway will periodically take snapshots of the data as incremental backups and store them on Amazon S3

VPC Peering Essentials:
- VPC peering is used to extend your private network from one VPC, or one subnet, or specifically one instance, to another VPC
- This is for sharing internal resources, via private IP addresses
- VPC peering can only occur between two VPCs that are in the same region
- You cannot configure VPC peering between VPCs in two different regions
- You can however configure VPC peering between two VPCs in different accounts (but only if they are in the same region)
- To peer VPCs, they must have separate (non-overlapping) CIDR block ranges
- Transitive connections are not allowed
- You can configure the peering to connect the entire VPC, or just specific subnets
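The peering rules above (same region, non-overlapping CIDRs, no transitive routing) as pre-checks you can run before requesting a peering, plus the route table entry each side needs. This is an added example, not course or AWS code; the VPC names, account ids, CIDRs and pcx- ids are constructed sample values.

```python
"""Peering pre-checks for the rules in the notes: same region, non-overlapping
CIDRs, no transitive routing. Constructed example, not AWS code: the VPC names,
account ids, CIDRs and pcx- ids below are made-up sample values."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Vpc:
    name: str
    region: str
    account: str
    cidr: str


@dataclass(frozen=True)
class Peering:
    requester: Vpc
    accepter: Vpc
    pcx_id: str  # constructed placeholder; real ids are assigned by AWS


def peering_problems(a: Vpc, b: Vpc) -> list[str]:
    """Return every rule the pair breaks; an empty list means peering is allowed.

    Cross-account peering is fine, so the account is deliberately not checked.
    """
    problems = []
    if a.region != b.region:
        problems.append(f"different regions: {a.region} vs {b.region}")
    if ip_network(a.cidr).overlaps(ip_network(b.cidr)):
        problems.append(f"overlapping CIDR blocks: {a.cidr} and {b.cidr}")
    return problems


def required_routes(p: Peering) -> dict[str, tuple[str, str]]:
    """Route table entry each side must add: (destination CIDR, target pcx)."""
    return {
        p.requester.name: (p.accepter.cidr, p.pcx_id),
        p.accepter.name: (p.requester.cidr, p.pcx_id),
    }


def reachable(peerings: list[Peering], src: str, dst: str) -> bool:
    """Private-IP reachability over peering.

    Only a direct peering counts: if A peers with B and B peers with C, A still
    cannot reach C through B, because peering is not transitive.
    """
    return any({p.requester.name, p.accepter.name} == {src, dst} for p in peerings)


# Constructed sample VPCs: two in one account, one shared VPC in another account.
PROD = Vpc("prod", "us-east-1", "111111111111", "10.0.0.0/16")
DEV = Vpc("dev", "us-east-1", "111111111111", "10.2.0.0/16")
SHARED = Vpc("shared", "us-east-1", "222222222222", "10.1.0.0/16")
# Breaks both rules at once: other region, and its /17 sits inside PROD's /16.
EU = Vpc("eu", "eu-west-1", "111111111111", "10.0.128.0/17")

PEERINGS = [
    Peering(PROD, SHARED, "pcx-0000000000000001"),  # placeholder ids
    Peering(DEV, SHARED, "pcx-0000000000000002"),
]

if __name__ == "__main__":
    print(peering_problems(PROD, SHARED))      # []
    print(peering_problems(PROD, EU))          # two problems
    print(required_routes(PEERINGS[0]))
    print(reachable(PEERINGS, "prod", "dev"))  # False: no transitive path via shared
```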

Architecture Diagrams
Image: AWS Physical & Networking Layer (Hybrid Environments)


Quiz: Hybrid Quiz
Q: If AWS asks you to configure the connection between your on-premise data center and a Direct Connect Authorized Provider, what would you be configuring?
A: The cross-network connection
E: The cross-network connection is the connection between your on-premise data center and the Direct Connect Authorized Provider.

Q: You are trying to establish a VPC peering connection but are having difficulties locating the other VPC. What is most likely the cause?
A: The other VPC is in a different region
E: For a VPC peering connection to be established, both VPCs must be in the same region.

T: You can peer VPCs that are in two different AWS accounts, but they must be in the same region.

Q: What two components are required to establish a VPN connection?
A: Virtual Private Gateway and Customer Gateway
E: The VPG and Customer Gateway are the two "connectors" on both sides of the VPN connection (and both are required).

T: An AWS VPN connection automatically has two parallel IPsec tunnels for redundancy
T: A VPC can have both an IGW and a VPG attached at the same time (but only one of each).

Q: You have set up an AWS Direct Connect connection for your company but still want to create a backup solution in case the Direct Connect connection fails. What solution should you use as the backup?
A: AWS virtual private network
E: A virtual private network is a great backup solution for AWS Direct Connect. A virtual private network provides the same access, just with fewer benefits.

T: VPC peering does not allow transitive connections.

Q: If you need a dedicated, low latency connection to AWS from your on-premises data center, what solution should you choose?


A: AWS Direct Connect
E: AWS Direct Connect is a service that provides a dedicated network connection between your data center and one of AWS's Direct Connect locations. One of the main benefits of Direct Connect is a low-latency connection.

Q: You have been asked to set up architecture that extends the AWS VPC to your company's on-premise data center. What do you need to set up to accomplish this?
A: Virtual Private Network
E: You will need to set up and configure a virtual private network. A VPN is what allows you to extend subnets inside your VPC to your on-premise data center.

Q: What best describes a Customer Gateway?
A: An on-premises, physical device that acts as the "connector" for the VPN connection.
E: The Customer Gateway is a physical device or software application that is located at your on-premise data center. It is the VPN connector on the data center side (of the connection) and must be configured with a static public IP address.

T: A Public Virtual Interface allows you to interface with AWS resources that have a public endpoint (like S3 or DynamoDB).

Notes on: Linux Academy: AWS CSAA: 13) The AWS CLI
Just a place to put some notes on the “AWS Certified Solutions Architect - Associate (New!)” course from https://linuxacademy.com

Things to Know
AWS Command Line Interface Documentation
- AWS CLI User Guide
- AWS CLI Reference

AWS Command Line Interface (CLI):
- The AWS Command Line Interface (generally referred to as the “CLI”) is a text based interface for accessing and administering AWS resources.

- All commands executed using the CLI are API calls - and require API Key configuration

Image: AWS Command Line Interface (example)

Notes on: Linux Academy: AWS CSAA: 14) Database Services
Just a place to put some notes on the “AWS Certified Solutions Architect - Associate (New!)” course from https://linuxacademy.com

Database Services


Image: Architecture: Account & Services Layer: Database Services

i) Relational Database Service
Image: Architecture: Account & Services Layer: Relational Database Service

RDS Essentials:
- RDS is a fully managed Relational Database Service:


+ Does not allow access to the underlying operating system (fully-managed)
+ You connect to the RDS database server in the same way you would connect to a traditional on-premise database instance (i.e. MySQL command line)
+ RDS has the ability to provision/resize hardware on demand for scaling
+ You can enable Multi-AZ deployments for backup and high availability solutions
+ Utilize Read Replicas (MySQL/PostgreSQL/Aurora) - to help offload hits on your primary database
+ Relational databases are databases that organize stored data into tables
+ The associated tables have defined relationships between them

- Databases Supported by RDS:
+ MySQL
+ MariaDB
+ PostgreSQL
+ Oracle
+ MS SQL Server
+ Aurora:
-- Is a home grown Relational Database that has been forked from, and is fully compatible with, MySQL
-- It has five times better performance than MySQL and a lower price point than commercial databases

- Benefits of running RDS instead of a database on your own instance:
+ Automatic minor updates
+ Automatic backups (point-in-time-snapshots)
+ Not required to manage the operating system
+ Multi-AZ with a single click
+ Automatic recovery in event of a failover

RDS Multi-AZ Failover:
- Multi-AZ failover (Automatic AZ-Failover) synchronously replicates data to a backup (stand-by) database instance located in another availability zone (but in the same region)

- In the event of:
+ Service outage in an availability zone
+ Primary DB instance failure
+ Instance server type is changed
+ Manual failover initiated
+ Updating software version
- AWS will automatically switch the CNAME DNS record from the primary instance to the stand-by instance

- If Multi-AZ is enabled, RDS backups are taken against the stand-by instance to reduce I/O freezes and slowdowns on the primary

- In order for Multi-AZ to work, your primary database instance must be launched into a “subnet group”
-- NOTE: An RDS instance must be launched into a subnet (inside a VPC) just like an EC2 instance. So the same security/connectivity rules, and highly available/fault tolerant concepts apply.

RDS Backups:
- AWS provides automated point-in-time backups against the RDS database instance
- Automated backups are deleted once the database instance is deleted and cannot be recovered (but you can take your own snapshots of backups before deleting)
- Backups on database engines only work correctly when the database engine is “transactional”, but they do currently work for all supported database types
- MySQL requires InnoDB for reliable backups

RDS Read Replicas:


- Read replicas are asynchronous copies of the primary database that are used for read only purposes (only allow “read connections”)
- When you write new data to the primary database, AWS copies it for you to the read replica
- You can create and have multiple read replicas for a primary database
- Read replicas can be created from other read replicas (so no performance hit on the primary database)
- MySQL, MariaDB, PostgreSQL, and Aurora currently support read replicas
- You can monitor replication lag using CloudWatch

Benefits of using Read Replicas:
- Read Replicas allow for all read traffic to be redirected from the primary database to the read replica. This will greatly improve the performance on the primary database.
- Read replicas allow for elasticity in RDS - you can add more read replicas as demand increases
- You can promote a read replica to a primary instance
- MySQL:
-- Replicate for importing/exporting data to RDS
-- Can replicate across regions

When should you use Read Replicas?
- High volume, non-cached database read traffic (elasticity)
- Running business functions such as data warehousing
- Importing/Exporting data into RDS
- Rebuilding indexes:
-- Ability to promote a read replica to a primary instance

ii) DynamoDB

DynamoDB Essentials:
- DynamoDB is a fully-managed, NoSQL database service provided by AWS
- It is similar to MongoDB, but is a home-grown AWS solution
- Is schemaless and uses a key-value store
- You specify the required throughput capacity, and DynamoDB does the rest (being fully-managed)

- Being fully-managed means:
+ Service manages all provisioning (and scaling) of underlying hardware
+ Fully distributed, and scales automatically with demand and growth
+ Built as a fault tolerant highly available service
-- On the back end, it fully synchronizes the data across all of the availability zones within the region you create the DynamoDB tables in

- DynamoDB also easily integrates with other AWS services, such as Elastic MapReduce
+ Can easily move data to a Hadoop cluster in Elastic MapReduce

- Popular use cases include:
+ IoT (storing metadata)
+ Gaming (storing session information, leaderboards)
+ Mobile (storing user profiles, personalization)

iii) ElastiCache

ElastiCache Essentials:
- ElastiCache is a fully managed, in-memory cache engine
- ElastiCache is used to improve database performance by caching the results of queries that are made to a database


- ElastiCache is great for large, high-performance or high-taxing queries - it can store their results inside of a cache (ElastiCache Cluster) that can be accessed later (instead of repeated requests continually hitting the primary database)
- So it reduces load on the database, which increases performance
- ElastiCache allows for managing web sessions and also caching dynamically generated data

- Available engines to power ElastiCache include:
+ Memcached (Mem-Cached-D)
+ Redis
- Generally, the application needs to be built to work with either Redis or Memcached
- Popular options like MySQL have Memcached plugins, which allow an application to easily work with ElastiCache (if using Memcached as the engine)

iv) Redshift

Redshift Essentials
- Amazon Redshift is a petabyte-scale data warehousing service
- It is fully-managed and scalable
- Generally used for big-data analytics and it can integrate with most popular business intelligence tools, including:
+ Jaspersoft
+ Microstrategy
+ Pentaho
+ Tableau
+ Business Objects
+ Cognos

Quiz: Databases Quiz
T: AWS provides automated backups of RDS databases, which are point-in-time snapshots.

Q: What are two benefits of using read replicas?
A1: Creates elasticity in RDS
A2: Improves performance of the primary database by taking workload from it
E: You can add/remove read replicas based on demand, so it creates elasticity for RDS. Read replicas can take read only workloads off of the primary database, thus improving performance.

Q: The Availability Zone that your RDS database instance is located in is suffering from outages, and you have lost access to the database. What could you have done to prevent losing access to your database (in the event of this type of failure) without any downtime?
A: Enabled multi-AZ failover
E: If multi-AZ failover is enabled, a duplicate copy of the database is kept in a separate AZ. If there is a failure in the primary database's AZ, AWS will automatically switch the CNAME DNS record from the primary to the failover backup instance.

Q: What database service should you choose if you need petabyte-scale data warehousing?
A: Redshift
E: Redshift is for petabyte-scale data warehousing.

T: When setting up a DynamoDB database, you only need to specify the required throughput capacity. There is no instance size or storage type to choose from. AWS scales compute power with your needs.

T: A read replica can be promoted to the primary instance.

Q: How does using ElastiCache help to improve database performance?
A: It can store high-taxing queries


E: ElastiCache is designed for large, high-performance or taxing queries. It can store the results of those queries to alleviate hits to the database.

Q: What database service offers petabyte-scale data warehousing?
A: Redshift
E: Redshift offers petabyte-scale data warehousing that is generally used for big data analytics.

Q: What are the "engine" options for ElastiCache?
A: Redis & Memcached

Q: What are three attributes of DynamoDB?
A1: Fully-managed
A2: A NoSQL database platform
A3: Uses key-value store

Notes on: Linux Academy: AWS CSAA: 15) Application & Messaging Services
Just a place to put some notes on the “AWS Certified Solutions Architect - Associate (New!)” course from https://linuxacademy.com

Application Services
Image: Architecture: AWS Account & Services Layer (Application Services)

SNS (Simple Notification Service)
Image: Architecture: Simple Notification Service


SNS Essentials:
- SNS coordinates and manages the sending and delivery of messages to specific endpoints
- We are able to use SNS to receive notifications when events occur in our AWS environment
- SNS is integrated into many AWS services, so it is very easy to set up notifications based on events that occur in those services
- With CloudWatch and SNS, a full-environment monitoring solution can be created that notifies administrators of alerts, capacity issues, downtime, changes in the environment, and more!
- The service can also be used for publishing iOS/Android app notifications, and creating automation based off notifications

SNS Components:

- Topic:
+ The group of subscriptions that you send a message to

- Subscription:
+ An endpoint that a message is sent to
+ Available endpoints include:
-- HTTP
-- HTTPS
-- Email
-- Email-JSON
-- SQS
-- Application, Mobile App notifications (iOS/Android/Amazon/Microsoft)
-- Lambda
-- SMS (cellular text message)

- Publisher:
+ The “entity” that triggers the sending of a message
+ Examples include:
-- Human
-- S3 Event
-- CloudWatch Alarm


Image: SNS Dashboard Common Actions

SNS Publisher:
- The “entity” that triggers the sending of a message
- Examples include:
-- Human
-- S3 Event
-- CloudWatch Alarm

SNS Topic:
- The group of subscriptions that you send a message to

SNS Subscriber:
- An endpoint that a message is sent to
- Available endpoints include:
-- HTTP
-- HTTPS
-- Email
-- Email-JSON
-- SQS
-- Application, Mobile App notifications (iOS/Android/Amazon/Microsoft)
-- Lambda
-- SMS (cellular text message)

SQS (Simple Queue Service)
Image: Architecture: Simple Queue Service


SQS Essentials:
- SQS provides the ability to have hosted/highly available queues that can be used for messages being sent between servers
- This allows for the creation of distributed/decoupled application components
- SQS is used to create decoupled application environments
- Messages between servers are retrieved through polling

Two types of polling:
- Long Polling (1-20 seconds):
-- Allows the SQS service to wait until a message is available in a queue before sending a response, and will return all messages from all SQS servers
-- Long polling reduces API requests (over using short polling)
- Short Polling:
-- SQS samples a subset of servers and returns messages from just those servers
-- Will not return all possible messages in a poll
-- Increases API requests (over long polling), which increases costs

Other important SQS facts:
- Each message can contain up to 256KB of text (in any format)
- Amazon SQS guarantees delivery of each message at least once BUT DOES NOT guarantee the order (best effort) in which they are delivered to the queue
- It does not guarantee first-in-first-out order
- SQS is also highly available and redundant

SQS Workflow:
- Generally a “worker” instance will “poll” a queue to retrieve waiting messages for processing
- Auto Scaling can be applied based off of queue size so that if a component of your application has an increase in demand, the number of worker instances can increase

Decoupled Architecture:
- Tightly Coupled System:


-- A system architecture of components that are not just linked together but are also dependent on each other
-- If one component fails all components fail

- Loosely Coupled/Decoupled Systems:
-- Multiple components that can process information without being connected
-- Components are not connected - if one fails the rest of the system can continue processing (fault tolerant/highly available)

- AWS Services that are used for distributed/decoupled system architectures:
-- SWF (Simple Workflow Service)
-- SQS (Simple Queue Service)

Image: Tightly Coupled System / Loosely Coupled System

SQS Message:
- A set of instructions that will be relayed to the “worker” instances via the SQS queue
- Can be up to 256KB of text (in any format)
- Each message is guaranteed to be delivered at least once:
-- Order is not guaranteed
-- Duplicates can occur

SQS Queue:
- A queue stores messages (for up to 14 days) that can be retrieved through “polling”
- Queues allow components of your application to work independently of each other (decoupled environments)
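What the “at least once, no ordering, duplicates can occur” guarantees from the SQS facts and the SQS Message notes mean for a worker: it has to be idempotent, keyed on the message ID. This is an added example, not course or AWS code; the message dicts are constructed sample data shaped like the MessageId/Body fields a receive call returns, and the in-memory set stands in for a durable shared store.

```python
"""Worker that copes with the SQS guarantees in the notes: at-least-once
delivery, no ordering, possible duplicates, 256KB body limit. Added example,
not AWS or course code; the message dicts below are constructed sample data
shaped like the fields a ReceiveMessage call returns (MessageId, Body)."""
from __future__ import annotations

MAX_BODY_BYTES = 256 * 1024  # SQS limit quoted in the notes


def body_size_ok(body: str) -> bool:
    """The limit is in bytes, so a non-ASCII body can exceed it with fewer characters."""
    return len(body.encode("utf-8")) <= MAX_BODY_BYTES


class IdempotentWorker:
    """Applies each message exactly once even if SQS hands it over twice.

    The 'seen' set stands in for a durable, shared store (a DynamoDB table, for
    instance): a redelivery may land on a different worker than the first copy.
    """

    def __init__(self) -> None:
        self.seen: set[str] = set()
        self.ledger: dict[str, int] = {}  # order_id -> running amount

    def handle(self, msg: dict) -> str:
        """Return 'processed', 'duplicate' or 'rejected' for one received message."""
        if not body_size_ok(msg["Body"]):
            return "rejected"
        mid = msg["MessageId"]
        if mid in self.seen:
            return "duplicate"  # already applied: do not charge twice
        order_id, amount = msg["Body"].split(":")
        # Do the work first; if the worker crashed here the message would not be
        # deleted and SQS would redeliver it, which is what at-least-once means.
        self.ledger[order_id] = self.ledger.get(order_id, 0) + int(amount)
        self.seen.add(mid)
        return "processed"


def drain(worker: IdempotentWorker, deliveries: list[dict]) -> dict[str, int]:
    """Feed a delivery sequence through the worker and count the outcomes."""
    counts = {"processed": 0, "duplicate": 0, "rejected": 0}
    for msg in deliveries:
        counts[worker.handle(msg)] += 1
    return counts


# Constructed deliveries: out of order, one duplicate, one oversized body.
DELIVERIES = [
    {"MessageId": "m-3", "Body": "order-42:30"},
    {"MessageId": "m-1", "Body": "order-42:10"},
    {"MessageId": "m-3", "Body": "order-42:30"},   # redelivered copy of m-3
    {"MessageId": "m-2", "Body": "order-17:5"},
    {"MessageId": "m-9", "Body": "x" * (MAX_BODY_BYTES + 1)},
]

if __name__ == "__main__":
    w = IdempotentWorker()
    print(drain(w, DELIVERIES))  # {'processed': 3, 'duplicate': 1, 'rejected': 1}
    print(w.ledger)              # {'order-42': 40, 'order-17': 5}
```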

SWF (Simple Workflow Service)
Image: Architecture: Simple Workflow


Simple Workflow Essentials:
- SWF is a fully-managed “workflow” service provided by AWS
- An SWF workflow allows an architect/developer to implement distributed, asynchronous applications as a workflow
- A workflow coordinates and manages the execution of activities that can be run asynchronously across multiple computing devices
- SWF has consistent execution
- Guarantees the order in which tasks are executed
- There are no duplicate tasks
- The SWF service is primarily an API which an application can integrate its workflow service into. This allows the service to be used by non-AWS services, such as an on-premise data center
- A workflow execution can last up to 1 year

Components of SWF
- Workflow: A sequence of steps required to perform a specific task
-- A workflow is also commonly referred to as a decider
- Activities: A single step (or unit of work) in the workflow
- Tasks: What interacts with the “workers” that are part of a workflow
-- Activity task - Tells the worker to perform a function
-- Decision task - Tells the decider the state of the workflow execution, which allows the decider to determine the next activity to be performed
- Worker: Responsible for receiving a task and taking action on it
-- Can be any type of component such as an EC2 instance, or even a person

API Gateway
Image: Architecture: API Gateway


API Gateway Essentials:
- API Gateway is a fully-managed service that allows you to create and manage your own APIs for your application
- API Gateway acts as a “front door” for your application, allowing access to data/logic/functionality from your back-end services

API Gateway Main Features:

- Build RESTful APIs with:
-- Resources
-- Methods (i.e. GET, POST, PUT)
-- Settings
- Deploy APIs to a “Stage” (different environments: i.e. dev, beta, production)
-- Each stage can have its own throttling, caching, metering and logging
- Create a new API version by cloning an existing one
-- You can create and work on multiple versions of an API (API version control)
- Roll back to previous API deployments
-- A history of API deployments is kept
- Custom domain names
-- Custom domain names can point to an API or Stage
- Create and manage API keys for access AND meter usage of the API keys through Amazon CloudWatch logs
- Set throttling rules based on the number of requests per second (for each HTTP method)
-- Requests over the limit are throttled (HTTP 429 response)
- Security using Signature v4 to sign and authorize API calls
-- Temporary credentials generated through Amazon Cognito and Security Token Service (STS)

Benefits of API Gateway:

- Ability to cache API responses
- DDoS protection via CloudFront
- SDK generation for iOS, Android, and JavaScript
- Supports Swagger (a very popular framework of API dev tools)


- Request/response data transformation (i.e. JSON IN to XML OUT)

API Gateway Caching:
- API Gateway will cache API responses so that duplicate API requests do not have to hit your back-end
-- This reduces load on your back-end AND
-- Speeds up calls to your back-end
- You can configure a cache key and Time to Live (TTL) of the API response
- Caching can be set up on a per API or per stage basis

API Gateway: CloudFront
- API Gateway benefits from using CloudFront infrastructure:
-- Built in Distributed Denial of Service (DDoS) attack protection and mitigation
-- All CloudFront Edge Locations become entry points for your API into your back-end
- Summary: Benefits are reduced latency and improved protection

API Gateway: CloudWatch
- CloudWatch can be used to monitor API Gateway activity and usage
- Monitoring can be done on the API or Stage level
- Throttling rules are monitored by CloudWatch
- Monitoring metrics include such statistics as:
-- Caching
-- Latency
-- Detected errors
- Method-level metrics can be monitored
- You can create CloudWatch alarms based on these metrics
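The per-stage, per-method throttling rule from the API Gateway feature list (requests per second, excess answered with HTTP 429) together with the throttle count CloudWatch exposes, worked as a token bucket. This is an added example, not API Gateway's implementation; the stage names, limits and request timestamps are constructed.

```python
"""Per-stage, per-method throttle of the kind the API Gateway notes describe
(requests-per-second limit; excess answered with HTTP 429) with a counter of
throttled calls like the one CloudWatch exposes. Added example, not API
Gateway's implementation; stages, limits and timestamps are constructed."""
from __future__ import annotations

from collections import Counter


class StageThrottle:
    """Token bucket: 'rate' tokens added per second, at most 'burst' stored."""

    def __init__(self, rate_per_second: float, burst: int) -> None:
        self.rate = rate_per_second
        self.burst = burst
        self.tokens: dict[tuple[str, str], float] = {}
        self.last_seen: dict[tuple[str, str], float] = {}
        self.throttled: Counter = Counter()  # (stage, method) -> number of 429s

    def admit(self, stage: str, method: str, now: float) -> int:
        """Return the HTTP status a request at time 'now' gets: 200 or 429."""
        key = (stage, method)  # each stage and method has its own bucket
        tokens = self.tokens.get(key, float(self.burst))
        elapsed = now - self.last_seen.get(key, now)
        tokens = min(float(self.burst), tokens + elapsed * self.rate)
        self.last_seen[key] = now
        if tokens >= 1.0:
            self.tokens[key] = tokens - 1.0
            return 200
        self.tokens[key] = tokens
        self.throttled[key] += 1  # the metric you would alarm on in CloudWatch
        return 429


def replay(throttle: StageThrottle, requests: list[tuple[str, str, float]]) -> list[int]:
    """Run a constructed request log of (stage, method, timestamp) through the throttle."""
    return [throttle.admit(stage, method, ts) for stage, method, ts in requests]


# Constructed burst: four GETs within one second on 'prod', then one a second later.
REQUESTS = [
    ("prod", "GET", 0.0),
    ("prod", "GET", 0.1),
    ("prod", "GET", 0.2),
    ("prod", "GET", 0.3),
    ("prod", "POST", 0.3),  # different method, its own bucket
    ("prod", "GET", 1.3),
]

if __name__ == "__main__":
    t = StageThrottle(rate_per_second=2, burst=2)
    print(replay(t, REQUESTS))            # [200, 200, 429, 429, 200, 200]
    print(t.throttled[("prod", "GET")])   # 2
```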

Quiz: Application Services Quiz
Q: An SQS Message is?
A: A set of instructions stored in an SQS queue that can be up to 256KB in size
E: An SQS message can be up to 256KB in size of text (in any format) and is used to relay instructions from one instance to another (via an SQS queue).

Q: How can you create different versions of an API using API Gateway and also create a full development lifecycle? (2 answers)
A1: Create a new API version by cloning an existing one
A2: Deploy APIs to stages: dev, beta, production
E: You can create lifecycle stages (dev, beta, production) for which to deploy APIs. Each stage can have its own throttling, caching, metering, and logging. You can also create a new API version by cloning an existing one. In addition, you can roll back to previous versions of an API.

Q: If your application's architecture is currently tightly coupled, what AWS service should you use to decouple the application?
A: SQS (Simple Queue Service) and, to a lesser extent, SWF (Simple Workflow) can be used to decouple application components.

Q: What are some of the essential elements of API Gateway?
A1: API Gateway is a fully managed service that allows you to create and manage your own APIs for your application
A2: API Gateway acts as a "front door" for your application.
E: API Gateway is a fully managed service that allows you to create and manage your own APIs for your application. API Gateway acts as a "front door" for your application, allowing access to data/logic/functionality from your back-end services.


Q: What best describes decoupled architecture?
A: A system architecture of multiple components that can process information without being connected.
E: A loosely coupled (or decoupled) system is one that has multiple components but can work independently of each other. So if one fails, the other components can continue to work.

Q: How long can an SWF workflow execution last?
A: 1 year

Q: What service should you choose if you want to send notifications via text message to a system administrator?
A: SNS
E: SNS (Simple Notification Service) is the AWS service that provides the ability to send notifications to various endpoints, with SMS (text messages) being one of them.

Q: What are some of the benefits of using API Gateway? (2 answers)
A1: Ability to cache API responses
A2: DDoS protection via CloudFront
E: Benefits of API Gateway include:
- Ability to cache API responses
- DDoS protection via CloudFront
- SDK generation for iOS, Android, and JavaScript
- Supports Swagger (a framework of API dev tools)
- Request/response data transformation

T: SNS can be used to send push notifications to Android and iOS mobile devices.

Q: What is the purpose of an SWF decision task?
A: It tells the decider the state of the workflow execution.
E: A decision task is used to communicate (back to the decider) that a given task has been completed.

Notes on: Linux Academy: AWS CSAA: 16) Monitoring
Just a place to put some notes on the “AWS Certified Solutions Architect - Associate (New!)” course from https://linuxacademy.com

Monitoring
Image: Architecture: Monitoring Services


CloudWatch
Image: Architecture: CloudWatch

CloudWatch Essentials:
- CloudWatch is used to monitor AWS services, such as EC2, ELB and S3
- You monitor your environment by configuring and viewing CloudWatch metrics


- Metrics are specific to each AWS service or resource, and include such metrics as:
-- EC2 per-instance metrics:
--- CPUUtilization
--- CPUCreditUsage
-- S3 Metrics:
--- NumberOfObjects
--- BucketSizeBytes
-- ELB Metrics:
--- RequestCount
--- UnhealthyHostCount

- Detailed vs. Basic level monitoring:
-- Basic: Data is available automatically in 5-minute periods at no charge
-- Detailed: Data is available in 1-minute periods

- CloudWatch Alarms can be created to trigger alerts (or other actions in your AWS accounts, such as an SNS topic), based on thresholds you set on CloudWatch metrics
- Auto Scaling heavily utilizes CloudWatch - relying on thresholds and alarms to trigger the addition (or removal) of instances from an auto scaling group

CloudWatch Alarms:
- CloudWatch Alarms allow for you (or the system admin) to be notified when certain defined thresholds are met on CloudWatch Metrics
- For example, you can set up an alarm to be triggered whenever the CPUUtilization metric on an EC2 instance goes above 70%
- Alarms can also be used to trigger other events in AWS like publishing to an SNS topic or triggering auto scaling
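The way a threshold alarm like the CPUUtilization example above actually moves into ALARM is easy to get wrong: it fires only after the aggregated datapoint breaches the threshold for a run of consecutive evaluation periods, and the period length (1-minute detailed vs. 5-minute basic monitoring) decides whether a short burst is visible at all. The following is an added example in plain Python that models that evaluation (it is not course material or AWS code; the alarm names, the 15 minutes of sample CPU values and the simplification of bucketing 1-minute samples into 5-minute periods are constructed for the example):

```python
"""Threshold alarm evaluation in the style of a CloudWatch alarm (added example).

Models how an alarm on CPUUtilization reaches ALARM only when the last
`evaluation_periods` aggregated datapoints all breach the threshold, and how
1-minute (detailed) vs 5-minute (basic) periods change what the alarm sees.
"""
from dataclasses import dataclass
from statistics import mean
from typing import List, Tuple


@dataclass(frozen=True)
class Alarm:
    metric: str
    threshold: float
    period_seconds: int        # 60 for detailed monitoring, 300 for basic
    evaluation_periods: int    # consecutive breaching periods needed to alarm
    statistic: str = "Average"


# Constructed alarms: "CPU above 70%" evaluated at the two monitoring resolutions.
DETAILED = Alarm("CPUUtilization", threshold=70.0, period_seconds=60, evaluation_periods=2)
BASIC = Alarm("CPUUtilization", threshold=70.0, period_seconds=300, evaluation_periods=1)

# Constructed 15 minutes of 1-minute samples: idle at 30%, then a 2-minute burst at 95%.
SAMPLES: List[Tuple[int, float]] = [(minute * 60, 95.0 if minute >= 13 else 30.0) for minute in range(15)]


def aggregate(samples: List[Tuple[int, float]], period_seconds: int, statistic: str) -> List[float]:
    """Bucket (timestamp, value) samples into fixed periods and summarise each bucket.
    Only Average and Maximum are modelled; samples are assumed sorted by time."""
    buckets = {}
    for ts, value in samples:
        buckets.setdefault(ts // period_seconds, []).append(value)
    summarise = mean if statistic == "Average" else max
    return [summarise(buckets[k]) for k in sorted(buckets)]


def evaluate(alarm: Alarm, samples: List[Tuple[int, float]]) -> str:
    """Return ALARM if the last `evaluation_periods` datapoints all exceed the
    threshold, INSUFFICIENT_DATA if there are not enough datapoints yet, else OK."""
    points = aggregate(samples, alarm.period_seconds, alarm.statistic)
    recent = points[-alarm.evaluation_periods:]
    if len(recent) < alarm.evaluation_periods:
        return "INSUFFICIENT_DATA"
    return "ALARM" if all(p > alarm.threshold for p in recent) else "OK"


if __name__ == "__main__":
    # The same burst is seen by the 1-minute alarm but averaged away by the 5-minute one.
    print("detailed:", evaluate(DETAILED, SAMPLES))   # ALARM
    print("basic:   ", evaluate(BASIC, SAMPLES))      # OK
```

The two results differ for the same data: at 1-minute resolution the last two datapoints are 95% and 95%, while the last 5-minute average is 56%, below the 70% threshold. That is the practical reason to pay for detailed monitoring on instances where short spikes matter.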

CloudWatch EC2 Monitoring:
System Status Checks: (things that are outside of our control)
- Loss of network connectivity
- Loss of system power
- Software issues on the physical host
- Hardware issues on the physical host
- How to solve: Generally stopping and restarting the instance will fix the issue. This causes the instance to launch on a different physical hardware device.

Instance Status Checks: (software issues that we do control)
- Failed system status checks
- Misconfigured networking or startup configuration
- Exhausted memory
- Corrupted file system
- Incompatible kernel
- How to solve: Generally a reboot, or solving the file system configuration issue.

By default, CloudWatch will automatically monitor metrics that can be viewed at the host level (NOT the software level), such as:
- CPUUtilization
- Network in/out
- CPUCreditBalance
- CPUCreditUsage

OS level metrics that require a third party script (perl) to be installed (provided by AWS):
- Memory utilization, memory used, and memory available
- Disk Swap utilization
- Disk space utilization, disk space used, disk space available


CloudTrail
Image: Architecture: CloudTrail

CloudTrail Essentials:
- CloudTrail is an API logging service that logs all API calls made to AWS
- It does not matter if the API calls come from the command line, SDK, or console
- All created logs are placed into a designated S3 bucket - so they are highly available by default
- CloudTrail logs help when addressing security concerns, by allowing you to view what actions users on your AWS account have performed
- Since AWS is just one big API - CloudTrail can log every single action taken in your account

Flow Logs

VPC Flow Logs:
- VPC Flow Logs allow you to collect information about the IP traffic going to and from network interfaces in your VPC
- VPC Flow Log data is stored in a log group in CloudWatch
- Flow logs can be created on a specific VPC, Subnet or Network interface
- Flow logs created on a VPC or Subnet will include all network interfaces in that VPC or subnet
- Each network interface will have its own unique log stream
- You can set the log to capture data on accepted traffic, rejected traffic, or all traffic
- Flow logs are NOT captured in “real-time”. The capture window is approx. 10 minutes, and then data is published
- VPC Flow Logs consist of network traffic for a specific 5-tuple
- A 5-tuple is a set of five different values that comprise a TCP/IP connection. It includes:
-- (1) Source IP address and (2) source port number
-- (3) Destination IP address and (4) destination port number
-- (5) Protocol

Benefits of VPC Flow Logs:


- Troubleshoot why certain traffic is not reaching an EC2 instance
- An added security layer by allowing you to monitor the traffic that reaches your EC2 instances

Limitations of VPC Flow Logs:
- Traffic NOT captured by VPC Flow Logs:
-- Traffic between an EC2 instance and an Amazon DNS Server
-- Traffic generated by requests for instance metadata (requests to 169.254.169.254)
-- DHCP Traffic

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html
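To make the 5-tuple and the two benefits above concrete (troubleshooting traffic that never arrives, and watching what does reach an interface), here is an added example, not from the course or from AWS, that parses records in the default flow log format (the 14 space-separated fields of a version 2 record: version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status) and summarises rejected flows. The log lines, account id and ENI id are constructed for the example. Remember the limitations listed above when reading the output: DNS, DHCP and instance-metadata traffic will simply be absent from the log, not shown as rejected.

```python
"""Parse default-format VPC Flow Log records and summarise REJECTed traffic (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# (src ip, src port, dst ip, dst port, protocol number) - the 5-tuple a record describes
FiveTuple = Tuple[str, int, str, int, int]

# Constructed sample: fake account id and ENI id; 198.51.100.7 is a documentation address.
SAMPLE_LOG: List[str] = """\
2 111122223333 eni-0a1b2c3d4e5f67890 10.0.1.25 10.0.0.14 49152 22 6 10 840 1500000000 1500000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.0.14 40001 22 6 1 40 1500000000 1500000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.0.14 40002 23 6 1 40 1500000000 1500000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.0.14 40003 3389 6 1 40 1500000000 1500000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 10.0.1.25 10.0.0.14 49153 8080 6 1 40 1500000000 1500000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 - - - - - - - 1500000060 1500000120 - NODATA
""".splitlines()


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    five_tuple: Optional[FiveTuple]   # None for NODATA / SKIPDATA records
    packets: int
    bytes: int
    action: Optional[str]             # "ACCEPT", "REJECT" or None
    log_status: str


def parse_record(line: str) -> FlowRecord:
    """Turn one flow log line into a FlowRecord; fails loudly on a malformed line."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    r = dict(zip(FIELDS, parts))
    if r["log_status"] != "OK":
        # NODATA / SKIPDATA records carry '-' in every traffic field
        return FlowRecord(r["interface_id"], None, 0, 0, None, r["log_status"])
    five = (r["srcaddr"], int(r["srcport"]), r["dstaddr"], int(r["dstport"]), int(r["protocol"]))
    return FlowRecord(r["interface_id"], five, int(r["packets"]), int(r["bytes"]), r["action"], "OK")


def rejected_by_port(lines: Iterable[str]) -> Counter:
    """Count REJECTed flows per (interface, destination port): the first thing to check
    when traffic is not reaching an instance (security group or NACL is dropping it)."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec.action == "REJECT" and rec.five_tuple:
            counts[(rec.interface_id, rec.five_tuple[3])] += 1
    return counts


def noisy_sources(lines: Iterable[str], min_distinct_ports: int = 3) -> Dict[Tuple[str, str], List[int]]:
    """Sources whose rejected attempts against one interface span several destination
    ports; a simple detection signal worth alerting on from the monitoring side."""
    ports: Dict[Tuple[str, str], set] = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec.action == "REJECT" and rec.five_tuple:
            ports[(rec.interface_id, rec.five_tuple[0])].add(rec.five_tuple[3])
    return {key: sorted(p) for key, p in ports.items() if len(p) >= min_distinct_ports}


if __name__ == "__main__":
    for (eni, port), n in sorted(rejected_by_port(SAMPLE_LOG).items()):
        print(f"{eni} dst port {port}: {n} rejected flow(s)")
    print("noisy:", noisy_sources(SAMPLE_LOG))
```

Because flow logs are published in roughly 10-minute windows, output like this is an after-the-fact view: useful for working out why a connection failed and for alerting, not for blocking traffic as it happens.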

Quiz: Monitoring Quiz
T: CloudWatch is a service that allows you to view resource level metrics and create alarms based on metric thresholds.

Q: Why does stopping and starting an instance (usually) fix a System Status Check error?
A: Stopping and starting an instance causes the instance to be provisioned on different AWS hardware.
E: Unless you have dedicated tenancy enabled, stopping and starting an instance will generally cause it to be launched onto different AWS host hardware.

Q: CloudTrail can log API calls from?
E: AWS is basically one big API call, so it does not matter if the API calls come from the command line, SDK, or console; they are all logged by CloudTrail.

Q: Which of the following CloudWatch EC2 metrics will require a custom script to enable?
A: Memory Utilization
E: Custom scripts are needed to enable OS-level monitoring of EC2 instances. Memory Utilization falls into that category, while CPU Credit Usage and CPU Utilization do not (those are host-level metrics).

T: System Status Checks are AWS hardware/software issues that we have no control over.
T: CloudTrail is an API Logging service.

Notes on: Linux Academy: AWS CSAA: 17) Deployment Services
Just a place to put some notes on the “AWS Certified Solutions Architect - Associate (New!)” course from https://linuxacademy.com

Deployment Services
Image: Architecture: Deployment Services


-- You can “convert” your application’s architecture into a JSON formatted template (so your architecture is literally code)
-- You can then use that JSON template to deploy out updated or replicated copies of that architecture to multiple regions

Benefits
- Saves time - you don’t have to manually create duplicate architecture in additional regions
- Since your infrastructure is now code, you can version control your infrastructure, allowing for rollbacks to previous versions of your infrastructure if a new version has issues
- Allows for backups of your infrastructure
- Great solution for disaster recovery
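Once the architecture is a JSON template, it can be checked like any other code before it is deployed. The following added example (not from the course or from AWS) holds a small CloudFormation template as a Python dict and runs two checks a reviewer would want in version control: that every Ref / Fn::GetAtt points at a declared Parameter or Resource, and that no security group opens SSH to the world. The resource types (AWS::EC2::SecurityGroup, AWS::EC2::Instance), the parameter type AWS::EC2::Image::Id and the intrinsic functions are real CloudFormation features; the logical names, the admin CIDR and the instance type are placeholders.

```python
"""Lint a CloudFormation template held as a dict: dangling references and world-open SSH (added example)."""
import copy
import json
from typing import Any, Dict, Iterator, List

# Constructed template: one security group that admits SSH from an admin range, one instance using it.
TEMPLATE: Dict[str, Any] = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {
        "ImageId": {"Type": "AWS::EC2::Image::Id"},
        "AdminCidr": {"Type": "String", "Default": "203.0.113.0/24"},   # placeholder admin range
    },
    "Resources": {
        "AdminSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "SSH from the admin range only",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": {"Ref": "AdminCidr"}}
                ],
            },
        },
        "Web": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "ImageId": {"Ref": "ImageId"},
                "InstanceType": "t2.micro",
                "SecurityGroupIds": [{"Ref": "AdminSg"}],
            },
        },
    },
    "Outputs": {"WebIp": {"Value": {"Fn::GetAtt": ["Web", "PublicIp"]}}},
}


def find_refs(node: Any) -> Iterator[str]:
    """Yield every logical name used by Ref or Fn::GetAtt anywhere in the template."""
    if isinstance(node, dict):
        if len(node) == 1 and "Ref" in node:
            yield node["Ref"]
        elif len(node) == 1 and "Fn::GetAtt" in node:
            yield node["Fn::GetAtt"][0]
        else:
            for value in node.values():
                yield from find_refs(value)
    elif isinstance(node, list):
        for value in node:
            yield from find_refs(value)


def dangling_references(template: Dict[str, Any]) -> List[str]:
    """Names referenced but never declared (AWS:: pseudo parameters are always valid)."""
    declared = set(template.get("Parameters", {})) | set(template.get("Resources", {}))
    return sorted({r for r in find_refs(template) if r not in declared and not r.startswith("AWS::")})


def world_open_ssh(template: Dict[str, Any]) -> List[str]:
    """Security groups whose ingress admits port 22 from 0.0.0.0/0: the weak setting."""
    offenders = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            if rule.get("CidrIp") == "0.0.0.0/0" and rule.get("FromPort", 0) <= 22 <= rule.get("ToPort", 0):
                offenders.append(name)
    return offenders


def with_ingress_cidr(template: Dict[str, Any], sg_name: str, cidr: Any) -> Dict[str, Any]:
    """Return a deep copy with the first ingress rule of `sg_name` pointed at `cidr`."""
    out = copy.deepcopy(template)
    out["Resources"][sg_name]["Properties"]["SecurityGroupIngress"][0]["CidrIp"] = cidr
    return out


def to_json(template: Dict[str, Any]) -> str:
    """The form you would hand to CloudFormation (or commit to version control)."""
    return json.dumps(template, indent=2)


if __name__ == "__main__":
    print(to_json(TEMPLATE))
    print("dangling:", dangling_references(TEMPLATE), "open ssh:", world_open_ssh(TEMPLATE))
```

Running the checks on every commit is what makes "infrastructure as code" pay off for security: a reviewer sees the 0.0.0.0/0 rule in a diff rather than discovering it later in a running account.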

Elastic BeanStalk
Image: Architecture: Elastic Beanstalk

Elastic BeanStalk Essentials:
- Elastic Beanstalk is designed to make it easy to deploy less complex applications
- This helps reduce the management required for building and deploying applications
- Elastic Beanstalk is used to deploy out easy, single-tier applications that take advantage of core services such as:
-- EC2
-- Auto Scaling
-- ELB
-- RDS
-- SQS
-- CloudFront

- Why/when to use Elastic Beanstalk:
-- In order to quickly provision an AWS environment that requires little to no management
-- The application fits within the parameters of the Beanstalk service
-- Can deploy from repositories or from uploaded code files
-- Easily update applications by uploading new code files or requesting a pull from a repository


- Supported Platforms:
-- Docker
-- Java
-- Windows .NET
-- Node.js
-- PHP
-- Python
-- Ruby

Quiz: Deployment Quiz
Q: What platforms are supported in Elastic BeanStalk?
A: Docker, Java, Windows .NET, Node.js, PHP, Python, Ruby

T: Elastic BeanStalk is primarily used to deploy simple, single-tier applications.

Q: What are two benefits of CloudFormation?
A1: A great disaster recovery option
A2: Version control your infrastructure
E: Since CloudFormation allows for you to turn your infrastructure into code, you can use it to quickly spin up the infrastructure in a new region (in the case of a disaster), and since it's code, you can version control it.

T: By using CloudFormation, you can easily roll back your application's infrastructure to previous versions.

Q: What AWS service allows you to treat your infrastructure as code?
A: CloudFormation
E: CloudFormation allows you to turn your infrastructure into JSON-formatted templates.

Notes on: Linux Academy: AWS CSAA: 18) Analytics
Just a place to put some notes on the “AWS Certified Solutions Architect - Associate (New!)” course from https://linuxacademy.com

AWS Analytic Services
Image: Architecture: Analytic Services


Kinesis
Image: Architecture: Kinesis

Kinesis Essentials:
- Kinesis is a real-time data processing service that continuously captures (and stores) large amounts of data that can power real-time streaming dashboards


- Using the AWS provided SDKs, you can create real-time dashboards, integrate dynamic pricing strategies, and export data from Kinesis to other AWS services
- Including:
-- EMR (analytics)
-- S3 (storage)
-- RedShift (big data)
-- Lambda (event driven actions)

Kinesis Components

- Stream
- Producers (data creators)
- Consumers (data consumers)
- Shards (processing power)

Kinesis Benefits:
- Real-time processing:
-- Continuously collect and build applications that analyze the data as it's generated

- Parallel processing:
-- Multiple Kinesis applications can be processing the same incoming data stream concurrently

- Durable:
-- Kinesis synchronously replicates the streaming data across three data centers within a single AWS region and preserves the data for up to 24 hours

- Scales:
-- Can stream from as little as a few megabytes to several terabytes per hour

When to use Kinesis:
- Gaming:
-- Collect gaming data such as player actions and feed the data into the gaming platform, for example a reactive environment based off real-time actions of the player.

- Real-time analytics:
-- Collect IoT (sensor) data from many sources at high frequency and process it using Kinesis to gain insights as data arrives in your environment

- Application alerts:
-- Build a Kinesis application that monitors incoming application logs in real-time and triggers events based off the data

- Log / Event Data collection:
-- Log data from any number of devices and use a Kinesis application to continuously process the incoming data, power real-time dashboards and store the data in S3 when completed

- Mobile data capture:
-- Mobile applications can push data to Kinesis from a countless number of devices, which makes the data available as soon as it is produced

Kinesis Producers:
- Producers are devices that collect data for Kinesis processing
- You build producers to continuously input data into a Kinesis stream
- Producers can include (but are not limited to):
-- IoT Sensors
-- Mobile devices (cell phones)


- You can have literally thousands of different producers and scale based on your need
-- The more data you want to process, the more “shards” you add to your Kinesis stream
-- Each “shard” can process 2MB of read data per second, and 1MB of write data per second

Kinesis Consumers:
- Consumers consume the stream’s data
- This is done concurrently (multiple consumers can consume the same data at the same time)
- Consumers include (but are not limited to):
-- Real-time dashboards
-- S3
-- Redshift (data warehouse)
-- EMR
- Any application (one you create) can consume the stream’s data

- Kinesis keeps 24 hours of streaming data stored by default, but can be configured to store up to 7 days
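Two things about shards are worth seeing in code: how the per-shard limits quoted above (1MB/s write, 2MB/s read) turn into a shard count, and how a record is routed to a shard once the stream exists. The following is an added example, not from the course or from the AWS SDK. The sizing arithmetic uses the notes' limits directly; the routing models what Kinesis does for a stream whose shards were created with evenly split hash key ranges (the MD5 of the partition key is read as a 128-bit integer and the shard whose range contains it owns the record). The partition keys are constructed for the example.

```python
"""Kinesis stream sizing and partition-key-to-shard routing (added example)."""
import hashlib
import math
from typing import Iterable, List, Tuple

SHARD_WRITE_MBPS = 1.0      # per-shard write limit from the notes
SHARD_READ_MBPS = 2.0       # per-shard read limit from the notes
HASH_SPACE = 2 ** 128       # partition keys hash into a 128-bit key space


def shards_needed(write_mb_per_s: float, read_mb_per_s: float) -> int:
    """Smallest shard count that satisfies both the write and the read throughput."""
    return max(1,
               math.ceil(write_mb_per_s / SHARD_WRITE_MBPS),
               math.ceil(read_mb_per_s / SHARD_READ_MBPS))


def shard_ranges(count: int) -> List[Tuple[int, int]]:
    """Evenly split the hash key space into `count` inclusive [start, end] ranges."""
    size = HASH_SPACE // count
    ranges = [(i * size, (i + 1) * size - 1) for i in range(count)]
    ranges[-1] = (ranges[-1][0], HASH_SPACE - 1)   # last shard absorbs any remainder
    return ranges


def hash_key(partition_key: str) -> int:
    """MD5 of the partition key, interpreted as a big-endian 128-bit integer."""
    return int.from_bytes(hashlib.md5(partition_key.encode("utf-8")).digest(), "big")


def shard_for(partition_key: str, ranges: List[Tuple[int, int]]) -> int:
    """Index of the shard whose hash key range contains the key's hash."""
    h = hash_key(partition_key)
    for idx, (lo, hi) in enumerate(ranges):
        if lo <= h <= hi:
            return idx
    raise AssertionError("hash key outside every range; ranges must cover the key space")


def distribution(keys: Iterable[str], ranges: List[Tuple[int, int]]) -> List[int]:
    """Records per shard. A single hot partition key shows up as one crowded shard,
    which no amount of added shards will fix: only a better key choice does."""
    counts = [0] * len(ranges)
    for key in keys:
        counts[shard_for(key, ranges)] += 1
    return counts


if __name__ == "__main__":
    n = shards_needed(write_mb_per_s=3.5, read_mb_per_s=2.0)   # 4 shards
    ranges = shard_ranges(n)
    devices = [f"device-{i}" for i in range(100)]              # constructed keys, spread out
    print("shards:", n, "spread:", distribution(devices, ranges))
    print("hot key:", distribution(["sensor-hot"] * 50, ranges))
```

The `distribution` output is the check to run before choosing a partition key: sensor or device ids spread records across shards, while a constant key (or a key with few distinct values) sends everything to one shard regardless of how many shards the stream has.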

Elastic Map Reduce
Image: Architecture: Elastic Map Reduce

Elastic MapReduce Essentials:
- Amazon EMR is a service which deploys out EC2 instances based off of the Hadoop big data framework
- EMR is used to analyze and process vast amounts of data
- EMR also supports other distributed frameworks, such as:
-- Apache Spark
-- HBase
-- Presto
-- Flink

General EMR Workflow


- Data stored in S3, DynamoDB, or Redshift is sent to EMR
- The data is mapped to a “cluster” of Hadoop Master/Slave nodes for processing
- Computations (coded/created by the developer) are used to process the data
- The processed data is then reduced to a single output set of return information

Other Important EMR Facts
- You (the admin) have the ability to access the underlying operating system
- You can add user data to EC2 instances launched into the cluster via bootstrapping
- EMR takes advantage of parallel processing for faster processing of data
- You can resize a running cluster at any time, and you can deploy multiple clusters

EMR Master node:
- A node that manages the cluster by running software components which coordinate the distribution of data and tasks among other (slave) nodes for processing
- The master node tracks the status of tasks and monitors the health of the cluster

EMR Slave Nodes:
There are two types of slave nodes:

- Core node:
-- A slave node that has software components which run tasks AND store data in the Hadoop Distributed File System (HDFS) on your cluster
-- The core nodes do the “heavy lifting” with the data

- Task node:
-- A slave node that has software components which only run tasks
-- Task nodes are optional

EMR Map Phase:
- Mapping is a function that defines the process which splits the large data file for processing
- During the mapping phase, the data is split into 128MB “chunks”
- The larger the instance size used in our EMR cluster, the more chunks you can map and process at the same time
- If there are more chunks than nodes/mappers, the chunks will queue for processing

EMR Reduce Phase:
- Reducing is a function that aggregates the split data back into one data source
- Reduced data needs to be stored (in a service like S3) as data processed by the EMR cluster is not persistent
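The map and reduce phases above are easier to follow as a single run you can step through. This added example (not course material, and not Hadoop or EMR code) performs a word count the MapReduce way in plain Python: the input is split into chunks on record boundaries, each chunk is mapped independently as a separate mapper would do, the intermediate pairs are grouped by key, and one reduce pass produces the single output set. The 128MB chunk size from the notes is replaced by a tiny constructed `CHUNK_BYTES` so the inline sample actually splits into several chunks; the sample text is constructed.

```python
"""A MapReduce word count in plain Python, mirroring the EMR map and reduce phases (added example)."""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

CHUNK_BYTES = 32   # EMR splits at 128MB; shrunk so the sample below splits into two chunks
SAMPLE_TEXT = b"alpha beta gamma\nbeta gamma gamma\ndelta alpha\n"   # constructed input


def split_into_chunks(data: bytes, chunk_bytes: int = CHUNK_BYTES) -> List[bytes]:
    """Split the input into chunks of at most `chunk_bytes`, never cutting a record (line)
    in half, so every chunk can be mapped without seeing its neighbours."""
    chunks: List[bytes] = []
    current = b""
    for line in data.splitlines(keepends=True):
        if current and len(current) + len(line) > chunk_bytes:
            chunks.append(current)
            current = b""
        current += line
    if current:
        chunks.append(current)
    return chunks


def mapper(chunk: bytes) -> Iterable[Tuple[str, int]]:
    """Map phase: one chunk in, (word, 1) pairs out. Runs independently per chunk."""
    for word in chunk.decode("utf-8").split():
        yield word, 1


def shuffle(pairs: Iterable[Tuple[str, int]]) -> Dict[str, List[int]]:
    """Group intermediate values by key; this is the step between map and reduce."""
    grouped: Dict[str, List[int]] = defaultdict(list)
    for key, value in pairs:
        grouped[key].append(value)
    return grouped


def reducer(key: str, values: List[int]) -> Tuple[str, int]:
    """Reduce phase: aggregate all values seen for one key."""
    return key, sum(values)


def word_count(data: bytes, chunk_bytes: int = CHUNK_BYTES) -> Dict[str, int]:
    """The whole job. The result must be written somewhere durable (S3 in EMR's case):
    nothing computed here outlives the process, just as the cluster's data does not."""
    chunks = split_into_chunks(data, chunk_bytes)
    intermediate = [pair for chunk in chunks for pair in mapper(chunk)]
    return dict(reducer(key, values) for key, values in shuffle(intermediate).items())


if __name__ == "__main__":
    print(len(split_into_chunks(SAMPLE_TEXT)), "chunks")   # 2
    print(word_count(SAMPLE_TEXT))                          # {'alpha': 2, 'beta': 2, 'gamma': 3, 'delta': 1}
```

Because mappers only ever see their own chunk, the result does not depend on how many chunks the input was cut into; the test below checks that a one-chunk run and a multi-chunk run agree, which is the property that lets EMR queue chunks onto however many nodes the cluster has.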

Quiz: Analytics Quiz
Q: If you want to process data in real-time, what AWS service should you use?
A: Kinesis
E: Kinesis is AWS's service for processing data in real-time and outputting it to a dashboard or other AWS services.

T: In EMR, data is mapped to a cluster of master/slave nodes for processing.

Q: If your Kinesis stream needs additional processing power, what component will you need to add more of?
A: Shards
E: You can scale out a Kinesis stream by adding more "shards".


Q: In what two scenarios would you want to use AWS Kinesis?
A1: Mobile data capture
A2: Capturing gaming data.
E: Kinesis is great for collecting gaming data, such as player actions, and capturing data from IoT sensors and mobile devices.

T: EMR is a service which deploys out EC2 instances based on the Hadoop framework, and also supports Apache Spark, HBase, Presto, and Flink.

T: A Kinesis consumer can include AWS services such as Redshift and S3.
E: Consumers can include Redshift and S3, but also other services like DynamoDB or a real-time dashboard/Kinesis enabled app.

Q: What is the purpose of a Kinesis producer?
A: To collect and send data into a Kinesis stream.
E: Kinesis producers include things like IoT sensors and mobile devices that collect data and send it into the Kinesis stream.

T: EMR allows you to access the underlying operating system.

Notes on: Linux Academy: AWS CSAA: 19) EC2 Container Service
Just a place to put some notes on the “AWS Certified Solutions Architect - Associate (New!)” course from https://linuxacademy.com

EC2 Container Service (ECS)
Image: Architecture: ECS

EC2 Container Service (ECS) Essentials:
- ECS is a container management service that supports Docker


- It allows you to easily create and manage a fleet of Docker containers on a cluster of EC2 instances

Why use ECS/Containers?

Create distributed applications and Microservices:
- Create application architecture comprised of independent tasks or processes (microservices)
- For example, you can have separate containers for various components of your application:
-- Webserver
-- Application server
-- Message queue
-- Backend Servers
- This allows you to start, stop, manage, monitor, and scale each container independently

Batch and ETL Jobs:
- Package batch and ETL jobs into containers and deploy them into a shared EC2 cluster(s)
- Run different versions of the same job or multiple jobs on the same cluster
- Share cluster capacity with other processes and/or grow jobs dynamically on-demand to improve resource utilization

Continuous Integration and Deployment:
- By using Docker's image versioning, you can use containers for continuous integration and deployment
- Build processes can pull, build, and create a Docker image that can be deployed into your containers
- This avoids an application working in a developer environment but not working in a production environment, because the Docker daemon is the same across all environments

Dockerfile:
- A plain text file (script) that specifies all of the components that are included in the container
- Basically, it’s the instructions for what will be placed inside a given container

Container/Docker Image:
- A container/Docker image is built from a Dockerfile
- The container/Docker image contains all the downloaded software, code, runtime, system tools, and libraries (as outlined in the Dockerfile)
-- i.e. If the Dockerfile specifies PHP to be downloaded and installed, then the container/Docker image will have PHP downloaded and installed

Container Registry:
- A container registry is a repository where container/docker images are stored and accessed from when needed
- A container registry can be:
-- Located on AWS via the ECR service (EC2 Container Registry)
-- A 3rd party repository like Docker Hub
-- A self-hosted registry

ECS Task Definition:
- A JSON formatted text file that contains the “blueprint” for your application, including:
-- Which container/docker image to use
-- The repository (container registry) the image is located in
-- Which ports should be open on the container instance
-- What data volumes should be used with the containers

ECS Agent:


- The ECS Agent runs on each EC2 instance in the ECS cluster
- It communicates information about the instances to EC2, including:
-- Running tasks
-- Resource Utilization
- The ECS Agent is also responsible for starting/stopping tasks (when told to by ECS)

ECS Task:
- An ECS Task is the actual representation of the Task Definition on an EC2 instance inside of your container cluster
- The ECS Agent will start/stop these tasks based on instruction/schedule
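Since the task definition is the blueprint the agent runs from, it is the natural place to catch mistakes before anything is scheduled. The following added example (not course code and not the AWS SDK) holds a two-container task definition as a Python dict, using the documented RegisterTaskDefinition keys the notes list (family, containerDefinitions, image, portMappings, mountPoints, volumes), and checks the three things that most often go wrong: an image that is not pinned to a version (so the task silently changes when someone pushes a new `latest`), two containers claiming the same host port, and a mount point that names a volume the definition never declares. The family name, image references, ports and paths are placeholders.

```python
"""Sanity-check an ECS task definition before registering it (added example)."""
import copy
from typing import Any, Dict, List

# Constructed task definition: a web container plus a queue container sharing one host.
TASK_DEFINITION: Dict[str, Any] = {
    "family": "example-web",
    "containerDefinitions": [
        {
            "name": "web",
            "image": "111122223333.dkr.ecr.us-east-1.amazonaws.com/example-web:1.4.2",   # placeholder ECR image
            "memory": 256,
            "portMappings": [{"containerPort": 80, "hostPort": 8080, "protocol": "tcp"}],
            "mountPoints": [{"sourceVolume": "static", "containerPath": "/var/www/static", "readOnly": True}],
        },
        {
            "name": "queue",
            "image": "111122223333.dkr.ecr.us-east-1.amazonaws.com/example-queue:latest",   # the weak setting
            "memory": 128,
            "portMappings": [{"containerPort": 5672, "hostPort": 5672, "protocol": "tcp"}],
        },
    ],
    "volumes": [{"name": "static", "host": {"sourcePath": "/data/static"}}],
}


def image_is_pinned(image: str) -> bool:
    """True when the reference carries a version tag or a digest. A bare name, ':latest',
    or a registry host with a port but no tag all count as unpinned."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]        # drop registry/namespace so a registry port is not read as a tag
    if ":" not in last:
        return False
    return last.rsplit(":", 1)[-1] != "latest"


def check_task_definition(td: Dict[str, Any]) -> List[str]:
    """Return the list of problems found; an empty list means the definition passed."""
    problems: List[str] = []
    volumes = {v["name"] for v in td.get("volumes", [])}
    host_ports: Dict[int, str] = {}
    for c in td.get("containerDefinitions", []):
        name = c.get("name", "<unnamed>")
        image = c.get("image", "")
        if not image_is_pinned(image):
            problems.append(f"{name}: image '{image}' is not pinned to a version tag or digest")
        for pm in c.get("portMappings", []):
            if not 1 <= pm.get("containerPort", 0) <= 65535:
                problems.append(f"{name}: invalid containerPort {pm.get('containerPort')}")
            host_port = pm.get("hostPort")
            if host_port:                    # 0 / absent means a dynamically assigned host port
                if host_port in host_ports:
                    problems.append(f"{name}: host port {host_port} already used by '{host_ports[host_port]}'")
                host_ports[host_port] = name
        for mp in c.get("mountPoints", []):
            if mp.get("sourceVolume") not in volumes:
                problems.append(f"{name}: mount point references undefined volume '{mp.get('sourceVolume')}'")
    return problems


def with_image(td: Dict[str, Any], container: str, image: str) -> Dict[str, Any]:
    """Deep copy of `td` with one container's image replaced (used to show the fixed form)."""
    out = copy.deepcopy(td)
    for c in out["containerDefinitions"]:
        if c["name"] == container:
            c["image"] = image
    return out


if __name__ == "__main__":
    for problem in check_task_definition(TASK_DEFINITION):
        print("problem:", problem)
    fixed = with_image(TASK_DEFINITION, "queue",
                       "111122223333.dkr.ecr.us-east-1.amazonaws.com/example-queue:2.0.1")
    print("after pinning:", check_task_definition(fixed))   # []
```

Pinning by tag is the minimum; pinning by digest (`@sha256:...`) is stronger because a tag can be moved in the registry while a digest cannot, which is the supply-chain argument for preferring it in production task definitions.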

Quiz: ECS Basics Quiz
Q: Which of the following is NOT a use case for using ECS?
A: Cache big data queries
E: Caching big data queries is best done with a service like ElastiCache, not ECS.

Q: What is responsible for starting and stopping tasks on an ECS Container instance?
A: ECS Agent
E: The ECS Agent is responsible for starting/stopping tasks. It also monitors tasks and resource utilization.

Q: What two components does a Task Definition define?
A1: Which ports should be open on the container instance
A2: Which container image to use
E: The Task Definition is the blueprint for your application and defines items such as: 1) Which ports should be open on the container instance 2) Which container image to use 3) Where to get the container image 4) What data volumes to use.

Q: What is the purpose of AWS ECR?
A: To act as a container registry service
E: ECR is short for EC2 Container Registry. It is a repository service for storing container images.

Q: What component of ECS/Containers contains all the actual software, code, and system tools that your container will use?
A: Container/Docker Image
E: The Container/Docker Image, which is built from the Dockerfile, contains all the actual software, code, runtime, system tools, and libraries that will be used in the container.

Notes on: Linux Academy: AWS CSAA: 20) Certified Solution Architect Concepts
Just a place to put some notes on the “AWS Certified Solutions Architect - Associate (New!)” course from https://linuxacademy.com

Implementation & Deployment
How to Design Cloud Services & Best Practices:
- Design for failure, and create self-healing application environments
- Always design applications with instances in at least two availability zones
- Guarantee that you have “reserved” capacity in the event of an emergency by purchasing reserved instances in a designated recovery availability zone (AWS does not guarantee on-demand instance capacity)
- Rigorously test to find single points of failure and apply high availability


- Always enable RDS Multi-AZ and automated backups (InnoDB table support only for MySQL)
- Utilize Elastic IP addresses for failover to “stand-by” instances when auto scaling and load balancing are not available

- Use Route 53 to implement failover DNS techniques that include:
-- Latency based routing
-- Failover DNS routing

- Have a disaster recovery and backup strategy that utilizes:
-- Multiple Regions
-- Maintain up to date AMIs (and copy AMIs from one region to another)
-- Copy EBS snapshots to other regions (use CRON jobs that take snapshots of EBS)
-- Automate everything in order to easily re-deploy resources in the event of a disaster
-- Utilize bootstrapping to quickly bring up new instances with minimal configuration, which allows for “generic” AMIs

- Decouple application components using services such as SQS (when available)
- “Throw away” old or broken instances
- Utilize CloudWatch to monitor infrastructure changes and health
- Utilize MultiPartUpload for S3 uploads (for objects over 100MB)
- Cache static content on Amazon CloudFront using EC2 or S3 Origins

- Protect your data in transit by using HTTPS/SSL endpoints
- Protect data at rest using encrypted file systems or EBS/S3 encryption options
- Connect to instances inside of the VPC using a bastion host or VPN connection
- Use IAM roles on EC2 instances instead of using API keys (Never store API keys on an AMI)

Monitoring your AWS Environment
Use CloudWatch for:
- Shutting down inactive instances
- Monitoring changes in your AWS environment with CloudTrail integration
- Monitor instance resources and create alarms based off of usage and availability
-- EC2 instances have “basic” monitoring which CloudWatch supports out of the box, and includes all metrics that can be monitored at a hypervisor level.
-- Status checks which can automate recovery of failed status checks by stopping and starting the instance again
-- EC2 metrics that include custom scripts to work with CloudWatch
--- Disk Usage: Available Disk Space
--- Swap Usage: Available swap
--- Memory Usage: Available Memory

Use CloudTrail for:
- Security and compliance
- Monitoring all actions taken against the AWS account
- Monitoring (and being notified) of changes to IAM accounts (with CloudWatch/SNS Integration)
- View what API Keys/Users performed any given API action against an environment (i.e. view what user terminated a set of instances or an individual instance)
- Fulfilling auditing requirements inside of organizations

Use AWS Config for:
- Receiving detailed configuration information about an AWS environment
- Taking a point in time “snapshot” of all supported AWS resources to determine the state of your environment
- Viewing historical configurations within your environment by viewing the “snapshots”
- Receiving notifications whenever resources are created, modified, or deleted
- Viewing relationships between resources, i.e. which EC2 instance an EBS volume is attached to

Architectural Trade-off Decisions:


Storage Trade-off Options
- S3 Standard Storage
-- 99.999999999% durability and 99.99% availability, but is the most expensive
- S3 RRS
-- Reduced redundancy durability is 99.99%, but the storage cost is cheaper
-- Should be used for easily reproducible data, and you should take advantage of lost object notification using S3 events
- Glacier
-- Requires an extended timeframe to check-in and check-out data from archiving
-- Costs are significantly reduced compared to S3 storage options

Database Trade-Off Options

- Running databases on EC2 instances:
-- Have to manage the underlying operating system
-- Have to build for high availability
-- Have to apply your own backups
-- Can use additional software to cluster MySQL
-- Requires more time to manage than RDS

- Managed RDS database provides:
-- Fully managed database updates and does not require managing of the underlying OS
-- Provides automatic point in time backups
-- Easily enable Multi-AZ failover, and when a failover occurs the DNS is switched from the primary instance to the standby instance
-- If Multi-AZ is enabled then backups are taken against the stand-by to reduce I/O freezes, and updates are applied to the standby which is then switched to the primary
-- Easily create read replicas

Elasticity and Scalability:
- Proactive Cycle Scaling: Scaling that occurs at a fixed interval
- Proactive Event-based scaling: Scaling that occurs in anticipation of an event
- Auto-scaling based on demand: Scaling that occurs based off of an increase in demand for the application

- Plan to scale out rather than up (horizontal scaling):
-- Add more EC2 instances to handle increases in capacity rather than increasing instance size
-- Be sure to design for the proper instance size to start
-- Use tools like Auto Scaling and ELB
-- A scaled service should be fault tolerant and operationally efficient
-- A scalable service should become more cost effective as it grows

- DynamoDB is a fully managed NoSQL service from AWS:
-- With high availability and scaling already built in
-- All the developer has to do is specify the required throughput for the tables

- RDS requires scaling in a few different ways:
-- RDS does not support a cluster of instances to load balance traffic across
-- Because of this there are a few different methods to scale traffic with RDS:
--- Utilize read replicas to offload heavy read-only traffic
--- Increase the instance size to handle increases in load
--- Utilize ElastiCache clusters for caching database session information

Security Architecture with AWS
Shared Security Responsibility Model:


- AWS is responsible for portions of the cloud, and you as the customer have portions of the cloud that you are responsible for - thus creating shared security responsibility

- Reduces the operational burden (on you) as AWS operates, manages, and controls the components from the host operating system and virtualization layer, down to the physical security of the facilities in which the services operate

- As the customer (you), using AWS means you assume the responsibility and management of the guest operating system (including updates and security patches), other associated applications software, as well as the configuration of the AWS-provided security group firewall.

- You are also responsible for your own coded applications and custom applications built on top of the cloud

AWS is responsible for (EC2 example):
- Facilities
- Physical security of hardware
- Network infrastructure
- Virtualization infrastructure

You (as the customer) are responsible for (EC2 example):
- Amazon Machine Images (AMIs)
- Operating systems
- Applications
- Data-in-transit
- Data-at-rest
- Data stores
- Credentials
- Policies and configuration

AWS Platform Compliance and Security Services:
The AWS cloud infrastructure has been architected to be flexible and secure with world-class protection, by using its built-in security features:
- Secure access - Use API endpoints, HTTPS, and SSL/TLS
- Built-in firewalls - Virtual Private Cloud (VPC)
- Unique users - AWS Identity and Access Management (IAM)
- Multi-factor authentication (MFA)
- Private subnets - AWS allows private subnets in your VPC
- Encrypted data storage - Encrypt your data in EBS, S3, Glacier, Redshift, and SQL RDS
- Dedicated connection option - AWS Direct Connect
- Perfect Forward Secrecy - ELB and CloudFront offer SSL/TLS cipher suites for PFS
- Security logs - AWS CloudTrail
- Asset identification and configuration - AWS Config
- Centralized key management - Centralized key management service
- Isolated GovCloud - US ITAR regulations using AWS GovCloud
- CloudHSM - Hardware Security Module (HSM) hardware based cryptographic storage
- Trusted Advisor - With premier support (identify security holes)

Incorporating Common Conventional Security Products:
OS-side Firewalls
- IPTABLES
- FirewallD
- Windows Firewall

AntiVirus Software
- TrendMicro (integrates into AWS EC2 instances)


DDoS Mitigation:
When mitigating against DOS/DDOS attacks, use the same practices you would use on your on-premise components:
- Firewalls:
-- Security groups
-- Network access control lists
-- Host-based firewalls
- Web application firewalls (WAFs)
- Host-based or inline IDS/IPS (Trend Micro)
- Traffic shaping/rate limiting

Along with your traditional approaches for DOS/DDOS attack mitigation, AWS provides capabilities based on its elasticity:
- You can potentially use CloudFront to absorb DOS/DDOS flooding attacks
- A potential attacker trying to attack content behind a CloudFront distribution is likely to send most requests to CloudFront edge locations, where the AWS infrastructure will absorb the extra requests with minimal to no impact on the back-end customer web servers

We MUST have permission to do Port Scanning on any of your EC2 instances!INGRESS filtering on all incoming traffic onto their network
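Rate limiting per source address is one of the mitigations listed above. The following is an added example, written for these notes rather than taken from the course, of a sliding-window limiter replayed over a constructed access log (the IPs, timestamps and the 20-requests-per-second budget are assumptions): one client floods at 50 requests/s, one is bursty but within budget, and one is a normal visitor.

```python
from collections import defaultdict, deque

# Constructed web-server access log: (timestamp in ms, client IP, path). Not real
# traffic; the IPs come from the documentation address ranges.
FLOOD_IP, NORMAL_IP, BURSTY_IP = "198.51.100.7", "203.0.113.9", "192.0.2.44"
SAMPLE_REQUESTS = sorted(
    [(1_000_000 + i * 20, FLOOD_IP, "/") for i in range(300)]               # 50 req/s for 6 s
    + [(1_000_000 + i * 1000, NORMAL_IP, "/index.html") for i in range(6)]  # 1 req/s
    + [(1_000_000 + i * 100, BURSTY_IP, "/api/search") for i in range(20)]  # 10 req/s for 2 s
)


class SlidingWindowLimiter:
    """Allow at most `limit` requests per key in any trailing `window_ms`."""

    def __init__(self, limit, window_ms):
        self.limit = limit
        self.window_ms = window_ms
        self._hits = defaultdict(deque)  # key -> timestamps of allowed requests

    def allow(self, key, now_ms):
        q = self._hits[key]
        while q and now_ms - q[0] >= self.window_ms:  # drop entries that aged out
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget: shed the request
        q.append(now_ms)
        return True


def apply_limiter(requests, limit=20, window_ms=1000):
    """Replay the log through the limiter; returns (passed, dropped) counts per IP."""
    limiter = SlidingWindowLimiter(limit, window_ms)
    passed, dropped = defaultdict(int), defaultdict(int)
    for ts, ip, _path in requests:
        if limiter.allow(ip, ts):
            passed[ip] += 1
        else:
            dropped[ip] += 1
    return dict(passed), dict(dropped)


if __name__ == "__main__":
    ok, shed = apply_limiter(SAMPLE_REQUESTS)
    for ip in sorted(set(ok) | set(shed)):
        print(f"{ip:15} passed={ok.get(ip, 0):4} dropped={shed.get(ip, 0):4}")
```

The flooding client is held to 20 requests per second (120 of its 300 requests pass) while the other two clients are untouched. Limiting by source IP only helps against a single noisy source: a distributed attack spreads its load below any per-IP threshold (which is why the notes push floods out to CloudFront edges), and clients behind one NAT share an address, so pair this with WAF rules and edge caching rather than relying on it alone.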

Encryption Solutions:
S3 has built-in features that allow you to encrypt your data:
- AES-256 server-side encryption of data at rest in an S3 bucket
- AWS decrypts the data and sends it to you when you download it

EBS encrypted volumes:
- You can have all data stored on an EBS volume encrypted
- Snapshots taken of an encrypted volume are automatically encrypted

RDS encryption:
- Aurora, MySQL, Oracle, PostgreSQL, and SQL Server all support this feature
- Encrypts the underlying storage for the instance
- Automated backups and snapshots are encrypted
- Read replicas are encrypted
- RDS provides an SSL/TLS endpoint to encrypt the connection to a DB instance (data in transit)

Complex Access Control:
- Through IAM policies, AWS lets us create extremely granular permission policies for our users (all the way down to the resource level)
- IAM policies with resource-level permissions:
-- EC2: permissions for instance actions such as reboot, start, stop, or terminate, scoped down to the instance ID
-- EBS volumes: attach, delete, detach
-- At the time of the course, EC2 actions other than those above did not support resource-level permissions
- This is not limited to EC2; it also includes services such as RDS, S3, etc.

- Additional security measures, such as MFA, can be required when acting on certain resources:
-- For example, you can require MFA (via the aws:MultiFactorAuthPresent condition key) before an API request to delete an object in an S3 bucket

CloudWatch for the Security Architect:


- Requests are signed with an HMAC signature (HMAC-SHA256 under Signature Version 4) calculated from the request and the user's secret access key; the secret itself is never sent
- The CloudWatch control API is only accessible via HTTPS (SSL/TLS) endpoints
- CloudWatch access is granted via IAM permission policies, giving users only the permissions they need (only grant access to CloudWatch if they need it)
- Use CloudWatch and CloudTrail to monitor changes inside the AWS environment
-- We can have CloudWatch notify us (via SNS) of changes such as:
--- Changes to IAM security credentials
--- Assigning access policies to users
--- Adding/deleting users
- It is important to know how we can use CloudWatch for security in our AWS environment
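To make the first bullet concrete, the following added example (not from the course) implements AWS Signature Version 4 request signing with only the Python standard library, using the ListUsers request and the dummy AKIDEXAMPLE credentials from AWS's own SigV4 documentation. Every value is derived from the request, the date, the region/service scope and the secret access key; the secret itself never goes on the wire.

```python
import hashlib
import hmac
from urllib.parse import quote

# Dummy credentials that AWS uses in its SigV4 documentation; not real keys.
ACCESS_KEY = "AKIDEXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"

# Constructed request: the ListUsers call from AWS's SigV4 worked example.
EXAMPLE = dict(
    method="GET", path="/", query={"Action": "ListUsers", "Version": "2010-05-08"},
    headers={"Host": "iam.amazonaws.com",
             "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
             "X-Amz-Date": "20150830T123600Z"},
    payload=b"", region="us-east-1", service="iam",
)


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, payload):
    """Return (canonical request string, signed-headers list).

    Every header passed in is signed. Query parameters are sorted and
    URI-encoded; header names are lower-cased and sorted; header values are
    trimmed with internal runs of whitespace collapsed to one space.
    """
    canon_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(query.items())
    )
    canon_headers = {k.lower(): " ".join(v.strip().split()) for k, v in headers.items()}
    names = sorted(canon_headers)
    header_block = "".join(f"{n}:{canon_headers[n]}\n" for n in names)
    signed_headers = ";".join(names)
    creq = "\n".join([method, path, canon_query, header_block,
                      signed_headers, _sha256_hex(payload)])
    return creq, signed_headers


def signing_key(secret, date_stamp, region, service):
    """Derive the per-day, per-region, per-service signing key.

    The signature is made with this derived key, not the long-term secret,
    so a leaked signing key is only good for that day, region and service.
    """
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign(method, path, query, headers, payload, region, service, secret):
    """Return (hex signature, Authorization header value) for one request."""
    amz_date = next(v for k, v in headers.items() if k.lower() == "x-amz-date")
    date_stamp = amz_date[:8]
    creq, signed_headers = canonical_request(method, path, query, headers, payload)
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(creq.encode("utf-8"))])
    key = signing_key(secret, date_stamp, region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    auth = (f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")
    return signature, auth


def example_canonical_request_hash():
    creq, _ = canonical_request(EXAMPLE["method"], EXAMPLE["path"], EXAMPLE["query"],
                                EXAMPLE["headers"], EXAMPLE["payload"])
    return _sha256_hex(creq.encode("utf-8"))


def example_signature():
    return sign(secret=SECRET_KEY, **EXAMPLE)[0]


def tampered_signature():
    # Same request with one query parameter changed: the signature no longer
    # matches, so a server recomputing it rejects the modified request.
    req = dict(EXAMPLE, query={"Action": "DeleteUser", "Version": "2010-05-08"})
    return sign(secret=SECRET_KEY, **req)[0]


if __name__ == "__main__":
    print(sign(secret=SECRET_KEY, **EXAMPLE)[1])
```

Because the string to sign binds the canonical request hash, the timestamp and the credential scope, a captured signature cannot be replayed for a different request, on another day, or against another service; tampered_signature() shows the signature changing when one query parameter changes. The HMAC-SHA1 signatures the older CloudWatch documentation describes belong to the earlier Signature Version 2 scheme; SigV4 with HMAC-SHA256 is what CloudWatch and the other AWS APIs use today.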

CloudHSM:
- An HSM (Hardware Security Module) is a dedicated, isolated physical appliance used to store security keys and other encryption keys used within an application
- Keys are used within the HSM appliance instead of being exposed outside it

- HSM appliances have special security mechanisms that make them more secure:
-- The security key is only ever used within the HSM
-- An HSM client is used to expose the APIs of the HSM
-- An application communicates with the HSM to encrypt (or decrypt) the data we request; the key never leaves the appliance
-- The appliance is physically isolated from other resources
-- Tamper resistant (tamper attempts are detected and logged)
-- On AWS, even though AWS hosts the appliance, AWS engineers have NO access to the keys (only to manage and update the appliance)
-- If the credentials used to access the appliance are lost or reset, you will never be able to access the keys (and the data encrypted with them) stored on the appliance

- Some types of keys that might be stored on HSMs:
-- Keys used to encrypt file systems
-- Keys used to encrypt databases
-- Keys used to provide DRM
-- Keys used with S3 encryption

- When to use CloudHSM instead of something like the Key Management Service (KMS)?
-- Generally, when compliance requirements or internal security policy require it (e.g. keys must live in a dedicated, single-tenant HSM)
-- Not even AWS engineers have access to the keys on the CloudHSM appliance, only access to “manage” the appliance

Disaster Recovery:
Business disaster recovery key words (very important for the AWS CSA exam)

Recovery time objective (RTO): The time it takes after a disruption to restore operations to their regular service level, as defined by the company's operational level agreement (i.e. if the RTO is 4 hours, you have 4 hours to restore the service to an acceptable level)

Recovery point objective (RPO): The acceptable amount of data loss, measured in time (i.e. if the system goes down at 10 PM and the RPO is 2 hours, you must be able to recover all application data as it was at 8 PM)


Not only should you design for disaster recovery for your applications running on AWS, you can also use AWS as a disaster recovery solution for your on-premises applications or data. The AWS services used should be chosen based on the business RTO and RPO operational agreement.

Pilot light: A minimal version of your production environment running in AWS. Data is replicated from on-premises servers to AWS, and in the event of a disaster the AWS environment spins up more capacity (elastically/automatically) and DNS is switched from on-premises to AWS. It is important to keep AMIs and instance configurations up to date if following the pilot light approach.

Warm standby: Has a larger footprint than a pilot light setup, and would most likely be running business-critical applications in “standby”. This configuration can also be used as a test area for applications.

Multi-site solution: Essentially clones your “production” environment, which can be either in the cloud or on premises. An active-active configuration: full-size instances and full capacity are running at both sites, and traffic can be moved at the flip of a switch. This method can also be used to load balance using latency-based routing, or Route 53 failover in the event of an issue.

Service examples:
- Elastic Load Balancer and Auto Scaling
- Amazon EC2 VM Import Connector
- AMIs with up-to-date configurations
- Replication from on-premises database servers to RDS
- Automate the increase of resources in the event of a disaster
- Use AWS Import/Export to copy large amounts of data to speed up replication times (also used for off-site archiving)
- Route 53 DNS failover/latency-based routing
- Storage Gateway (gateway-cached volumes/gateway-stored volumes)

Quiz: Certified Solutions Architect Concepts Quiz
T: When designing for elasticity and scalability, you want to strive for scaling out (adding more instances) instead of scaling up (increasing instance sizes). However, you must make sure you start with the proper instance size.

Q: What best describes Recovery Time Objective (RTO)?
A: The time it takes after a disruption to restore operations back to its regular service level.
E: The Recovery Time Objective (RTO) is the time it takes after a disruption to restore operations back to their regular service level (as defined by a company's operational level agreement).

Q: What service is best for logging all actions taken against the AWS API?
A: CloudTrail
E: CloudTrail is AWS's logging service that can be used to log all actions taken inside your AWS account.
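The CloudWatch/CloudTrail bullets earlier in these notes list the IAM changes you would want to be notified about (credential changes, policy attachments, user add/delete). The following is an added example, not from the course, of that detection logic run over constructed CloudTrail records: the account, user names, policy and event sequence are made up, while the field names follow the real CloudTrail record format.

```python
import json

# Constructed CloudTrail records (users, targets and timing are made up).
SAMPLE_EVENTS = [
    {"eventTime": "2019-07-16T10:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2019-07-16T10:01:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {}},
    {"eventTime": "2019-07-16T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "svc-backup",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2019-07-16T10:03:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "userIdentity": {"type": "Root"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2019-07-16T10:04:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetUser", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"userName": "bob"}},
    {"eventTime": "2019-07-16T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteUser", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"userName": "alice"}, "errorCode": "AccessDenied"},
]
SAMPLE_LOG_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]  # one JSON record per line

# IAM API calls that change who can do what: the three groups the notes list.
CREDENTIAL_EVENTS = {"CreateAccessKey", "UpdateAccessKey", "DeleteAccessKey",
                     "CreateLoginProfile", "UpdateLoginProfile", "DeactivateMFADevice"}
POLICY_EVENTS = {"AttachUserPolicy", "DetachUserPolicy", "PutUserPolicy",
                 "AttachGroupPolicy", "AttachRolePolicy", "PutRolePolicy"}
USER_EVENTS = {"CreateUser", "DeleteUser", "AddUserToGroup", "RemoveUserFromGroup"}
WATCHED = CREDENTIAL_EVENTS | POLICY_EVENTS | USER_EVENTS


def _actor(event):
    ident = event.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "ROOT"
    return ident.get("userName", ident.get("arn", "?"))


def classify(event):
    """Return an alert dict for an IAM change event, or None if not of interest."""
    if event.get("eventSource") != "iam.amazonaws.com" or event.get("eventName") not in WATCHED:
        return None
    params = event.get("requestParameters") or {}
    severity = "medium"
    if _actor(event) == "ROOT":
        severity = "high"  # root should never be used for day-to-day IAM changes
    if str(params.get("policyArn", "")).endswith("/AdministratorAccess"):
        severity = "high"  # granting full admin rights
    return {
        "time": event["eventTime"],
        "actor": _actor(event),
        "event": event["eventName"],
        "target": params.get("userName") or params.get("roleName") or params.get("groupName"),
        "severity": severity,
        "failed": "errorCode" in event,  # denied attempts are still worth knowing about
    }


def detect(log_lines):
    """Parse JSON CloudTrail records (one per line) and return the alerts in order."""
    alerts = []
    for line in log_lines:
        alert = classify(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG_LINES):
        flag = " (FAILED ATTEMPT)" if a["failed"] else ""
        print(f'{a["time"]} [{a["severity"]}] {a["actor"]} {a["event"]} -> {a["target"]}{flag}')
```

In AWS this logic would live in a CloudWatch Events rule or a Lambda function subscribed to the CloudTrail log group, publishing to SNS; running it over exported log files as here is also a quick way to audit after the fact. Note that the failed DeleteUser still surfaces: an AccessDenied on a privileged call is often the first sign of a stolen credential being probed.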

Q: In the shared security responsibility model, what are items that you are responsible for managing? (choose all that apply)
A: Guest operating systems, AMIs
E: AWS is responsible for everything physical. That includes the security of the physical hardware at their data centers and their network infrastructure. You are responsible for selecting and managing the security of the AMI and the OS you install on instances.

T: S3 offers 256-bit encryption for data at rest.
E: S3 offers AES-256 encryption for data at rest, which is an option you can turn on/off. AWS manages the keys and will decrypt the data when you request to download it.


Q: When designing cloud services, what design elements should you always consider? (select all that apply)
A1: Design for failure
A2: Create self-healing application environments
A3: Decouple applications
E: When designing cloud architecture, you always want to start by designing for failure, and create self-healing environments whenever possible. Decoupling your application is also best practice. You should also always use a MINIMUM of TWO Availability Zones; only using one Availability Zone does not allow for high availability.

Q: What AWS service, if used as part of your application's architecture, has an added benefit of helping to mitigate DDoS attacks from hitting your back-end instances?
A: CloudFront
E: When CloudFront is used as part of your application's architecture, traffic from a DDoS attack will most likely be served from the cached data at an edge location (instead of being routed to your application's EC2 instances).

Q: Perfect Forward Secrecy is used to offer SSL/TLS cipher suites for which two AWS services?
A1: CloudFront
A2: Elastic Load Balancing

Q: What feature should you utilize for redundancy if auto scaling and load balancing are not available?
A: An Elastic IP address set up for failover to “stand-by” instances
E: Setting up an Elastic IP address and having it ready for failover is a good solution when other services that provide high availability and fault tolerance are not available.

Q: What best describes CloudHSM?
A: A dedicated appliance that is used to store security keys
E: CloudHSM is AWS's hosted version of a hardware security module (HSMs themselves are not specific to AWS): a dedicated appliance that is used to store security keys.

Q: What is it called when you have a minimal version of your production environment running (which can be easily increased in size) as a disaster recovery solution?
A: Pilot light
E: A pilot light is the practice of having a minimally active version of your environment set up and running in a separate region. If there is a catastrophic failure of your primary environment, you can quickly spin up the pilot light environment to become your primary environment.

Notes on: Linux Academy: AWS CSAA: 21) How to Prepare for the Exam
Just a place to put some notes on the “AWS Certified Solutions Architect - Associate (New!)” course from https://linuxacademy.com

Read the whitepapers:

1) Architecting for the Cloud: AWS Best Practices
2) AWS Security Best Practices
3) Amazon Web Services: Overview of Security Processes
4) AWS Well-Architected Framework
5) Development and Test on AWS
6) Backup and Recovery Approaches Using AWS
7) Amazon Virtual Private Cloud Connectivity Options
8) How AWS Pricing Works

Image: The Certified Solutions Architect Exam


Links:
https://www.aws.training/
https://linuxacademy.com/blog/amazon-web-services-2/tips-tricks-taking-an-aws-certification-exam/

Quiz: Final Exam
Q: A colleague would like a new subnet configured in AWS for a database cluster she is building. She expects that the subnet will never need more than six IP addresses. Which of the following will likely be the most appropriate choice for this subnet?
A: A /28 private subnet
E: Databases generally do not require public access from the Internet, so a private subnet is likely the better choice from a security perspective. /28 is the smallest possible subnet in an AWS VPC (16 addresses, of which AWS reserves 5, leaving 11 usable).

Q: Company B provides an online image recognition service and utilizes SQS to decouple system components for scalability. The SQS consumer's readers poll the image queue as often as possible to keep end-to-end throughput as high as possible. However, Company B is realizing that polling in tight loops is burning CPU cycles and increasing costs with empty responses. How can Company B reduce the number of empty responses?
A: Enable long polling by setting ReceiveMessageWaitTimeSeconds to a number > 0

Q: The KPL is an easy-to-use, highly-configurable library that helps you write to an Amazon Kinesis stream. It acts as an intermediary between your producer application code and the stream's API actions. One of its key concepts is aggregation. Which of the following best describes aggregation as it relates to the KPL?
A: It refers to the storage of multiple user records in a single Kinesis stream record, which allows customers to increase the number of records sent per API call and effectively increases producer throughput.

Q: While implementing a disaster recovery strategy in another region, you are attempting to move the data from one EBS volume to another in a separate region. What is the best way to do this? Keep in mind this is not a live production replication copy.
A: Take a snapshot of the EBS volume and copy it to the desired region

Q: Elasticity is a fundamental property of the cloud. What best describes elasticity?
A: The power to scale computing resources up and down easily with minimal friction

Q: If an instance that belongs to an Elastic Load Balancer fails its health check, what happens to the instance that fails?
A: The ELB will de-register the instance and stop sending traffic to the unhealthy instance


Q: Your company is posting a big article on the front page of your website tomorrow. It is expected that the demand could potentially overwhelm your infrastructure. In the event of a load failure, how can you set up DNS failover to a static website?
A: Use Route 53 and the failover option to fail over to a static S3 website bucket or CloudFront distribution in the event of an issue

Q: As part of your application architecture requirements, the company you are working for has requested the ability to run analytics against all combined log files from the Elastic Load Balancer. Which services are used together to collect logs and process log file analysis in an AWS environment?
A: Amazon S3 for storing ELB log files and Amazon EMR for processing the log files in analysis

Q: You recently purchased and deployed four reserved EC2 instances in the US-East-1 region's Availability Zone 1 for a new project. Your supervisor just informed you that this project only requires two EC2 instances. Rather than selling the reserved instances, she asked you to terminate the extra instances and convert two of the on-demand instances already running in Availability Zone 1 to reserved instances. Can this be done?
A: Yes, you can terminate the reserved instances and AWS will automatically begin billing the two on-demand instances as reserved instances
E: If you own three Reserved Instances with the same instance type and Availability Zone, the billing system checks each hour to see how many total instances you have running that match those parameters. If it is three or less, you will be charged the Reserved Instance rate for each instance running that hour.

Q: Your supervisor asks you to create a highly available, decoupled web application. Which of the following does not help you accomplish this goal?
A: IAM user credentials on EC2 instances to grant permissions to modify an SQS queue
E: Elastic Load Balancers, Auto Scaling, and SQS can all play a part in a highly available, decoupled web application. IAM user credentials should not be stored on an EC2 instance; use an IAM role instead.


Q: Your AWS environment contains several on-demand EC2 instances dedicated to a project that has just been cancelled. Your supervisor does not want to incur charges for these on-demand instances but also does not want to lose the data just yet because there is a chance the project may be revived in the next few days. What should you do to minimize charges for these instances in the meantime?
A: Stop the instances as soon as possible
E: You should not terminate an instance that you may need to place back into production in a few days. The best way to minimize charges is to stop the instances: a stopped instance incurs no instance-hour or data transfer charges, only the charge for its EBS volumes.


Q: When designing a cloud service based on AWS and you choose to use RRS on S3 instead of the S3 standard storage class, what type of trade-offs do you have to build your application around?
A: RRS only has 99.99% durability, so you have to design automation around replacing lost objects

Q: One of your more important clients is a Telecom business who needs to process some real-time data in a distributed manner. They suggest to you that they think they should use either Amazon SQS or Amazon Kinesis to achieve this and they want you to tell them what would be the difference between the two. After some research, you decide that they should use Kinesis and are trying to put together some reasons for this. One of the below statements is INCORRECT, regarding this. Which one?
A: Kinesis cannot route related data records to the same record processor (as in streaming MapReduce).
E: Kinesis can route related data records to the same record processor (by partition key).

Q: Which of the following best describes what “bastion hosts” are?
A: Bastion hosts are instances that sit within your public subnet and are typically accessed using SSH or RDP. Once remote connectivity has been established with a bastion host, it then acts as a “jump” server, allowing you to use SSH or RDP to log in to other instances (within private subnets) deeper within your network.

Q: You and a colleague create an SQS queue and create several messages in it. You both test your ability to manually poll the queue by using the command-line API calls. After testing, you find that your colleague's polling attempt retrieved messages 1, 3, and 5. Your polling attempt retrieved messages 4, 6, and 8. Neither of your attempts retrieved messages 2 or 7. What is a possible cause for this behavior?
A1: You and your colleague did not see the same messages because of the visibility timeout
A2: You and your colleague used short polling
E: When a message is retrieved, that message is hidden from other polling attempts until the message is deleted or the visibility timeout expires. Short polling does not query all the servers that the SQS messages can reside on, so multiple queries of the queue may be needed to retrieve all messages in the queue.

T: The AMI ID used in an Auto Scaling policy is configured in the launch configuration.

Q: When reviewing the Auto Scaling events, it is noticed that an application is scaling up and down multiple times within the hour. What design change could you make to optimize cost while preserving elasticity?
A: Change the scale-down CloudWatch metric to a higher threshold

T: You cannot restrict the AWS root account's access to EC2 instances (or anything else) via an IAM policy.

Q: By default, is data in S3 encrypted?
A: No, but it can be when the right APIs are called for SSE

Q: You are working for a startup company that is building an application that receives large amounts of data. Unfortunately, current funding has left the startup short on cash, unable to afford thousands of dollars of storage hardware. The company has opted to use AWS. Which services would you implement to store a virtually unlimited amount of data without any effort to scale when demand unexpectedly increases?
A: Amazon S3, because it provides unlimited amounts of storage, scales automatically, and is highly available and durable

T: Amazon SQS (Simple Queue Service) guarantees delivery of AT LEAST 1 message but cannot guarantee it will not create duplicates.

Q: You are consulting for a healthcare company that has strict compliance and auditing requirements. When architecting the application environment on AWS, which services or service features might you enable to take advantage of monitoring to ensure auditing the environment for compliance is easy and follows the strict healthcare compliance requirements?
A: CloudTrail for security logs

Q: If your organization is concerned about storing sensitive data in the cloud, you should:
A1: Encrypt the file system on an EBS volume using Linux tools
A2: Enable EBS encryption
A3: Enable S3 encryption

Q: You are designing a global application that takes advantage of multiple regions. As part of your application, the need to synchronize from one region to another is required to ensure your application is serving the same data when employing latency-based Route 53 DNS records. To ensure this happens, you have determined that using the AWS CLI to sync files from the primary storage servers to S3 is the best method. How might you implement AWS CLI authentication against the S3 service?
A: Create an EC2 IAM role and assign it to each EC2 instance that utilizes the AWS CLI to sync the data

Q: What is the difference between an Availability Zone and an edge location?
A: An Availability Zone is an Amazon resource within an AWS region, whereas an edge location delivers cached content from the location closest to the user to reduce latency

Q: Currently, you're helping design and architect a highly-available application. After building the initial environment, you've found that part of your application does not work correctly until port 443 is added to the security group. After adding port 443 to the appropriate security group, how much time will it take before the changes are applied and the application begins working correctly?
A: Changes apply immediately to the security group, and the application should be able to respond to 443 requests right away

Q: Your supervisor asks you to create a highly available website which serves static content from EC2 instances. Which of the following is not a requirement to accomplish this goal?
A: An SQS queue
E: While an SQS queue can be an important part of a multi-step decoupled web application, it is not necessary to host a highly-available static website on EC2. An Auto Scaling group configured to deploy EC2 instances in multiple subnets located in multiple Availability Zones allows an application to remain online despite an instance or AZ failure.

Q: Your company wants to back up the onsite file server to AWS but does not want to serve the files from S3 to your office network when files need to be accessed. Which service and setup would you use to accomplish this task?
A: Use AWS Storage Gateway with gateway-stored volumes to store the data locally and asynchronously back up point-in-time snapshots to S3

Q: A user needs access to Elastic Load Balancing. This is the first and possibly only time that they will require this access. Which of the following choices would be the best way to allow this access?
A: Delegate access to the ELB using an IAM role

Q: You own an image manipulation application. Your users take a picture, upload it to your app, and request filters to be added to the image. You need to decouple the application so your users are not waiting for the image processing to take place. How would you go about doing this?
A: Use Amazon SQS to store the requests using metadata and JSON in the message, use S3 to store the image, and Auto Scaling to determine when to fire off more worker instances based on queue size

Q: You have 5 CloudFormation templates. Each template is for a different application architecture. These architectures vary between your blog apps and your gaming apps. What determines the cost of using the CloudFormation templates?
A: CloudFormation does not have a cost, but you are charged for the underlying resources it builds

Q: Your application's usage peaks at 90% during the hours of 9 AM and 10 AM every day. All other hours require only 10% of the peak resources. What is the best way to scale your application so you're only paying for max resources during peak hours?
A: Proactive cyclic scaling (scheduled scaling)

Q: You are asked to review a plan that your company has made to create a new application that makes use of SQS, EC2, Auto Scaling, and CloudWatch. Which of the following action items should you advise your company not to implement?
A: Utilize short polling with a wait time of 20 seconds to reduce the number of empty responses from the SQS queue
E: Polling executed with a wait time of greater than 0 seconds is called long polling, so this action item is self-contradictory.

FALSE: When a snapshot is being taken against an EBS volume, the volume becomes unavailable and the instance no longer has the ability to communicate with the EBS volume until the snapshot is complete.


Q: Your EC2 instances are configured to run behind an Amazon VPC. You have assigned two web server instances to an Elastic Load Balancer. However, the instances and the ELB are not reachable via the URL of the elastic load balancer serving the web app data from the EC2 instances. How might you resolve the issue so that your instances are serving the web app data to the public Internet?
A: Attach an internet gateway to the VPC and add a route to it in the subnet's route table

Q: You create an SQS queue with the default settings for a new application your company is deploying. While new messages are added to the queue throughout the week, management has indicated that the application which retrieves the messages should only be run during your company's weekly Sunday evening maintenance window. It is quickly noticed on Monday morning that several messages were not processed the previous evening and the messages are no longer in the queue. What is a likely cause for this issue?
A: The messages surpassed the retention period for the queue
E: The default message retention period for an SQS queue is four days, so messages older than four days would have been deleted.

Q: Your company has an application that requires access to a NoSQL database. Your IT department has no desire to manage the NoSQL servers. Which Amazon service provides a fully-managed and highly available NoSQL service?
A: DynamoDB

Q: An AWS VPC (Virtual Private Cloud) allows you to…
A: …connect your cloud resources to your own encrypted IPsec VPN connections

Q: In order to establish a successful site-to-site VPN connection from your on-premises network to the VPC (Virtual Private Cloud), which of the following needs to be configured inside of the VPC?
A: A public IP address on the customer gateway for the on-premises network
E: When you configure a VPN, you're configuring it from the VPC and from the on-premises network. You are taking information (the public IP) from the on-premises network and configuring it inside of the VPC (as the customer gateway).

T: Auto Scaling is a tool used for creating elastic and self-healing applications.

Q: For basic monitoring on AWS, which metrics are not included as part of the basic monitoring package?
A1: Free memory
A2: Free swap

T: Amazon Auto Scaling is not meant to handle instant load spikes but is built to grow with a gradual increase in usage over a short time period.

Q: Your AWS environment contains several reserved EC2 instances dedicated to a project that has just been cancelled. Your supervisor wants to stop incurring charges for these reserved instances immediately and recuperate as much of the reserved instance cost as possible. What can you do to avoid being charged for them?
A: Terminate the instances as soon as possible and sell the reserved instances on the AWS Reserved Instance Marketplace
E: You should terminate the instances to avoid any data transfer charges that the instances might incur if left running, and sell the reservations in the AWS Reserved Instance Marketplace to recuperate cost.

Q: In AWS, when a request is made, the AWS service decides whether a given request should be allowed or denied. The distinction between a request being denied or allowed by default and an explicit deny in a policy is important. Which of the following statements best describes this distinction?
A: By default, a request is denied, but this can be overridden by an allow. In contrast, if a policy explicitly denies a request, that deny can't be overridden.
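The resource-level and MFA-conditioned permissions described in the Complex Access Control section earlier in these notes, and the default-deny / explicit-deny rule in this question, can be demonstrated together. The following added example (written for these notes, not taken from the course or from AWS) is a small evaluator that applies IAM's evaluation logic to constructed policies: the account ID, instance ID and bucket name are made up, and only the Bool condition operator is modelled.

```python
import fnmatch
import json

# Constructed policies for a hypothetical user. The first document is the
# user's permissions policy, the second a guardrail policy attached via a group.
POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Sid": "OpsOnOneInstance", "Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances",
                    "ec2:RebootInstances", "ec2:TerminateInstances"],
         "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc123def4567890"},
        {"Sid": "ReadOnlyEc2", "Effect": "Allow",
         "Action": "ec2:Describe*", "Resource": "*"},
        {"Sid": "DeleteNeedsMfa", "Effect": "Allow",
         "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::omega-logs/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ]},
    {"Version": "2012-10-17", "Statement": [
        {"Sid": "NeverTerminate", "Effect": "Deny",
         "Action": "ec2:TerminateInstances", "Resource": "*"},
    ]},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive):
    # IAM treats '*' and '?' as wildcards. Action names match
    # case-insensitively; resource ARNs are case-sensitive.
    if case_insensitive:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Only the Bool operator is modelled. A missing context key does not match,
    # which is how aws:MultiFactorAuthPresent behaves for a request made with
    # long-term access keys and no MFA.
    for operator, pairs in (condition or {}).items():
        if operator != "Bool":
            raise ValueError(f"operator {operator} not modelled")
        for key, wanted in pairs.items():
            if key not in context or str(context[key]).lower() != str(wanted).lower():
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Allow', 'Deny (explicit)' or 'Deny (implicit)' for one request."""
    context = context or {}
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if not _matches(st["Action"], action, case_insensitive=True):
                continue
            if not _matches(st["Resource"], resource, case_insensitive=False):
                continue
            if not _condition_holds(st.get("Condition"), context):
                continue
            if st["Effect"] == "Deny":
                return "Deny (explicit)"  # an explicit deny cannot be overridden
            allowed = True
    return "Allow" if allowed else "Deny (implicit)"


INSTANCE = "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc123def4567890"
OTHER_INSTANCE = "arn:aws:ec2:us-east-1:111122223333:instance/i-0ffffffffffffffff"
LOG_OBJECT = "arn:aws:s3:::omega-logs/2019/07/16/elb.log"


def worked_cases():
    """The requests discussed in the notes, evaluated against POLICIES."""
    return {
        "stop own instance": evaluate(POLICIES, "ec2:StopInstances", INSTANCE),
        "stop other instance": evaluate(POLICIES, "ec2:StopInstances", OTHER_INSTANCE),
        "terminate own instance": evaluate(POLICIES, "ec2:TerminateInstances", INSTANCE),
        "describe (wildcard action)": evaluate(POLICIES, "ec2:DescribeInstances", "*"),
        "delete log without MFA": evaluate(POLICIES, "s3:DeleteObject", LOG_OBJECT),
        "delete log with MFA": evaluate(POLICIES, "s3:DeleteObject", LOG_OBJECT,
                                        {"aws:MultiFactorAuthPresent": "true"}),
    }


if __name__ == "__main__":
    print(json.dumps(POLICIES[0], indent=2))
    for name, verdict in worked_cases().items():
        print(f"{name:28} -> {verdict}")
```

Two things to take from the worked cases: ec2:StopInstances on the instance named in the policy is allowed, while the same action on any other instance falls through to the implicit deny (resource-level scoping), and ec2:TerminateInstances is explicitly denied by the guardrail policy even though the first policy allows it, which is exactly the distinction this question asks about. The MFA case also shows why a missing aws:MultiFactorAuthPresent key must be treated as false: a request signed with plain long-term keys carries no MFA context at all.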

T: US-East-1 supports Multi-AZ RDS deployments.


Q: Your supervisor asks you to create a decoupled application whose process includes dependencies on EC2 instances and servers located in your company's on-premises datacenter. Which of these are you least likely to recommend as part of that process?
A: SQS polling from an EC2 instance using IAM user credentials
E: An EC2 IAM role should be used when deploying EC2 instances to grant permissions, rather than storing IAM user credentials on EC2 instances

Q: You manage an application that uses EC2 instances and SQS to process requests from end users. Your application is working great, but your supervisor is concerned about the cost of the AWS resources it uses. Which of the following would not help address that concern?
A: Increase the visibility timeout for messages in the SQS queue

Q: Your company has moved a legacy application from an on-premises data center to the cloud. The legacy application requires a static IP address hard-coded into the backend, which prevents you from deploying the application with high availability and fault tolerance using the ELB. Which steps would you take to apply high availability and fault tolerance to this application?
A1: Ensure that the instance it's using has an Elastic IP address assigned to it
A2: Write a custom script that checks the health of the instance and, if the instance stops responding, moves the Elastic IP address to a standby instance

Q: Which statements are true about Amazon SQS?
A1: Amazon SQS (Simple Queue Service) guarantees delivery of AT LEAST 1 message but cannot guarantee it will not create duplicates.
A2: Amazon SQS guarantees delivery of AT LEAST 1 message but cannot guarantee message order, although it does attempt to.

Q: Your company is moving their entire 20 TB data warehouse to the cloud. With your current bandwidth it would take 2 months to transfer the data. Which service would allow you to quickly get your data into AWS?
A: AWS Import/Export

AWS Certified Solutions Architect - Associate: Questions, Answers, and True Statements
This blog post takes the questions from the AWS practice test and from the Linux Academy (LA) AWS CSAA course, and puts them in one post to help you with your exam cram preparation. Q = Question. A = Answer. T = True statement. E = Explanation.

Image: Amazon Web Service Certified Solutions Architect - Associate

Practice Exam
Q: Amazon Glacier is designed for:
A1: Infrequently accessed data
A2: Data archive

Q: You configured ELB to perform health checks on these EC2 instances. If an instance fails to pass health checks, which statement will be true?
A: The ELB stops sending traffic to the instance that failed its health check.

Q: You are building a system to distribute confidential training videos to employees. Using CloudFront, what method could be used to serve content that is stored in S3, but not publicly accessible from S3 directly?
A: Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.

Q: Which of the following will occur when an EC2 instance in a VPC (Virtual Private Cloud) with an associated Elastic IP is stopped and started?
A1: All data on instance-store devices will be lost
A2: The underlying host for the instance is changed.

Q: In the basic monitoring package for EC2, Amazon CloudWatch provides the following metrics:
A: Hypervisor visible metrics such as CPU utilization.

Q: Which is an operational process performed by AWS for data security?
A: Decommissioning of storage devices using industry-standard practices

Q: To protect S3 data from both accidental deletion and accidental overwriting, you should:
A: Enable S3 versioning on the bucket.

LA Quiz 1: Account & Physical Organization
T: Each Availability Zone has at least one AWS data center and sometimes up to 5 or 6 data centers.

T: Availability Zones do NOT span across regions. Availability zones DO provide for highly available and fault tolerant architecture, but an AZ is contained within a region.

Q: What are the main benefits of AWS regions?
A1: Regions allow you to place AWS resources in the area of the world closest to your customers who access those resources.
A2: Regions allow you to design applications to conform to specific laws and regulations for specific parts of the world.

Q: What are the benefits of an Availability Zone?
A1: Availability Zones are isolated from each other to ensure fault tolerance.
A2: Availability Zones have direct, low latency connections to each other.

Q: Besides regions and their included Availability Zones, which of the following is another “regional” datacenter location used for content distribution?
A: Edge Location
E: An Edge Location is an AWS datacenter which does not contain AWS services; it is used to deliver content to parts of the world (e.g. CloudFront).

Q: What best describes the concept of elasticity?
A: The ability of a system to increase and decrease in size.

T: Fault Tolerance is a system ability allowing the system to continue to operate even when one of its components fails.

Q: What best describes the concept of High Availability?
A: A durable system that can operate for long periods of time without failure.

Q: What are the two primary ways that AWS users interface with AWS?
A1: AWS CLI
A2: AWS Console

LA Quiz 2: IAM

T: If an IAM access policy has both an allow rule and a deny rule for the same service, the DENY rule will supersede the allow rule.

Q: You create a new IAM user for AUSER in your company’s AWS account. On AUSER’s first day, you ask AUSER to make a change to a CloudWatch alarm in an Auto Scaling group. AUSER reports no access to CloudWatch or Auto Scaling in the AWS console. What is a possible explanation for this?
A: You have not added the appropriate IAM permissions and access policies to AUSER; there is a non-explicit deny to all new users.

T: An IAM user can have many IAM permission policies attached to them at the same time, either directly attached or through groups.

Q: What best describes an IAM role?
A: A role is something that another entity can “assume”

Q: AUSER will be overseeing the company’s DynamoDB database, so you attached the “AmazonDynamoDBFullAccess” IAM policy to AUSER’s IAM user. 6 months later, AUSER was promoted to manager and added to the “Managers” IAM group. The “Managers” group does not have the “AmazonDynamoDBFullAccess” policy attached to it. What will happen to AUSER’s DynamoDB access?
A: Nothing, as an IAM user can have multiple IAM permission policies attached to them at the same time, either directly to the user or through an associated IAM group.

T: By default, when an IAM user is created, it has a non-explicit “deny” for all AWS services.

Q: What are the main benefits of IAM groups?
A1: Assigning IAM permission policies to more than one user at a time.
A2: Easier user/policy management.

T: Best practice is to NEVER store or pass IAM credentials to an EC2 instance.

Q: What best describes the “Principle of Least Privilege”?
A: Users should be granted permission to access only the resources they need to do their assigned job.

Q: The common use for IAM is to manage what?
A: Users, Groups, Roles, Access Policies, API Keys, Password Policies, Multi-Factor Authentication

Q: An EC2 instance must have the ability to access other AWS resources. What is the best way to manage this access?
A: Use an IAM role to manage temporary credentials for applications that run on an EC2 instance. The role will supply temporary permissions that applications can use when they make calls to other AWS resources.

Q: API Access Keys are required to make programmatic calls to AWS from which of the following?
A: AWS CLI, Tools for PowerShell, AWS SDKs, Direct HTTP API calls

Q: You notice that one of the groups has two conflicting permissions attached: one that allows S3 access, and one that denies S3 access. If your goal is to allow members of the group to have S3 access, what needs to be done?
A: You must remove the deny policy, as a deny policy will override an allow policy.

LA Quiz 3: VPC Basics
T: For a subnet to be considered public, it must have a route to the Internet. Having a route to the Internet means that it must be associated with a route table that points to the IGW.

Q: You have been tasked with auditing the security of your VPC. As part of this process, you need to start by analysing what traffic is allowed to and from various EC2 instances. What two parts of the VPC do you need to check to accomplish this task?
A: Security Groups and NACLs
E: Security Groups and NACLs are the two parts of the VPC Security Layers. Security Groups are a firewall on the instance level, and NACLs are a firewall on the subnet level.

Q: What best describes how NACL rules work?
A: Rules are evaluated by rule number from lowest to highest, and executed immediately when a matching allow/deny rule is found.

T: A VPC can only have one IGW attached at a time.

Q: If data is travelling from a customer, over the open Internet, to a web site you are hosting on an EC2 instance in an AWS VPC, what is the order of components that data will travel through?
A: IGW -> Route Table -> NACL -> Subnet -> Security Group -> EC2 Instance

Q: You work for a financial institution that is preparing to (possibly) migrate their on-premises infrastructure to AWS. As part of this process, you have been tasked with preparing the cloud strategy that will be presented to your CTO. As part of this presentation, you need to highlight several of the top benefits of using an AWS VPC. Which of the following benefits do you highlight in this section of the presentation?
A1: The ability to have both public and private subnets
A2: The ability to extend your on-premises network to the cloud via VPN
A3: The ability to provide a DNS server for your VPC

Q: Your company’s management team has been considering moving their on-premises network to AWS. You have been called into a meeting to brief the management team on some specifics of AWS. One of the first questions you are asked is what exactly a VPC is. How should you respond?
A: An AWS VPC closely resembles a traditional on-premises network, with the added benefit of AWS infrastructure.

T: NACLs are stateless and security groups are stateful.
E: NACLs are stateless, which means that return request traffic must have an allow rule set up for that return traffic to enter or leave the subnet. Security groups are stateful, which means that return request traffic does not need an allow rule set up for that return traffic to enter or leave the security group.

Q: You are the lead Solutions Architect for a healthcare company and are managing an application running on multiple EC2 instances. Those EC2 instances must have the ability to access other AWS resources. What is the best way to manage this access?
A: Use an IAM role to manage temporary credentials for applications that run on an EC2 instance. The role will supply temporary permissions that applications can use when they make calls to other AWS resources.

T: All subnets, regardless of being public or private, can communicate with each other inside of a VPC.
E: Since each route table has a local target with the destination of the VPC’s CIDR block range, all subnets within a VPC can communicate with each other.

T: In the default VPC, all subnets have a route to the Internet.

LA Quiz 4: EC2
Q: IOPS are measured in what size “chunks”?
A: IOPS are measured in chunks of 256KB or smaller

Q: What best describes how EBS snapshots work?
A: Snapshots are incremental in nature and are stored in S3

Q: You are a Solutions Architect and your company is interested in moving some workload to AWS. You are concerned that it will be very challenging to manage and control all of the EC2 servers that will need to be deployed – specifically, how to ensure that fellow employees are installing the company approved operating system version, with the right libraries and runtimes and with the proper configuration settings. What EC2 feature will best allow you to control this?
A: You can have a company policy stipulating that any new instance must be launched using a custom Amazon Machine Image (AMI) which specifies exactly which software and associated settings you want to have installed on every new EC2 instance.

T: AMIs are what dictate the instance’s operating system and other software settings. It is the "instance type" which determines the instance’s virtual hardware.

Q: What best describes the characteristics of EBS volumes?
A: They are persistent and can live past the lifetime of the instance.

Q: If you are running a legacy application that has hard-coded static IP addresses and is running on an EC2 instance, what is the best failover solution that allows you to keep the same IP address on a new instance?
A: Elastic IP addresses (EIPs) are designed to be attached/detached and moved from one EC2 instance to another. They are a great solution for keeping a static IP address and moving it to a new instance if the current instance fails. This will reduce or eliminate any downtime users may experience.

Q: If you are running an application in a production environment and must add a new EBS volume with data from a snapshot, what should you do to avoid degraded performance during the volume's first use?
A: Initialize the data by reading each storage block on the volume
E: Volumes created from an EBS snapshot must be initialized. Initializing occurs the first time a storage block on the volume is read, and performance can be reduced by up to 50% while this happens. You can avoid this impact in production environments by manually reading all the blocks.

Q: What command should you run if you want to view an instance's user-data?
A: curl http://169.254.169.254/latest/user-data

Q: Your company has been thinking about moving its networking resources over to AWS. Your boss is particularly interested in the AWS shared responsibility model, as it will allow him to offload some traditional responsibilities to AWS. He says that he is happy that AWS will now handle the following responsibilities listed below. However, you know that he is wrong and that AWS does not handle all of them as part of the shared responsibility model. Which ... are not handled by AWS?
A1: Security Groups
A2: Applying an SSL Certificate to an ELB
A3: Installation of custom firewall software
E: In the shared responsibility model, AWS is responsible for DDoS protection, port scanning protection, and ingress network filtering. You are responsible for managing Security Groups, applying an SSL Certificate to an ELB, and installation of custom firewall software.

T: A key pair is a combination of a public and private key that is used for authenticating users when logging into an EC2 instance.
E: The public key is stored on the instance, and the private key is given to you when the instance is created.

Q: If you are designing an application that requires fast (10Gbps), low-latency connections between EC2 instances, what EC2 feature should you use?
A: Placement groups
E: Placement groups are a clustering of EC2 instances in one Availability Zone with fast (10Gbps) connections between them. This service is used for applications that need extremely low-latency connections between instances.

Q: You work in the IT department of a Fortune 500 financial services company. Your company has hundreds of servers and also uses VMware for certain applications. You happened to run into one of the senior directors in the hallway today, and she told you that she had just read an article on cloud computing that mentioned EC2 instances and was wondering what that was. What would be the best analogy to use in explaining to her what EC2 is?
A: EC2 is analogous to our internal VMware environment and provides companies with virtual servers that run in the cloud.

Q: What happens to data stored on an instance store volume when an EC2 instance is stopped or shutdown?
A: The data will be deleted
E: Since instance store volumes are ephemeral, data will NOT be persistent and WILL be deleted if the instance is stopped or shut down.

LA Quiz 7: Advanced Networking: Highly Available & Fault Tolerant VPC Networking
Q: What best describes the purpose of an Elastic Load Balancer?
A: To evenly distribute traffic among multiple EC2 instances in separate Availability Zones.
E: An ELB is used BEST when it is distributing traffic to EC2 instances located in separate Availability Zones. This provides for higher availability and is more fault tolerant than distributing traffic to EC2 instances in the same AZ.

Q: If you want to create architecture that meets the minimum requirement for high availability and fault tolerance, which option would you choose?
A: An ELB distributing traffic to an Auto Scaling group that has a minimum of two instances that are located in separate Availability Zones.
E: Having a minimum of two instances is required in case one of them fails and is no longer "available." Two AZs are required in case one of them fails and is no longer "available." Auto Scaling is required so that failed instances will be automatically terminated and replaced with healthy instances, OR to increase the number of instances if demand increases (improving availability and fault tolerance).

Q: What happens when an EC2 instance that is being served traffic from an ELB becomes unhealthy?
A: The ELB will stop serving traffic to it and divert its traffic to a healthy instance.
E: The ELB will stop serving traffic to it and divert its traffic to a healthy instance, as this is all it can do. It is Auto Scaling which can take an unhealthy instance, terminate it, and replace it with a new instance.

Q: What best describes a scaling policy?
A: A set of CloudWatch metric thresholds that dictate when to add or remove instances from the Auto Scaling group.
E: Scaling policies belong to the Auto Scaling group. The policies themselves dictate (via chosen CloudWatch metric thresholds) when instances should be added or removed.

T: An SSL certificate can be applied to an ELB.
E: You can apply an SSL certificate to an ELB and have that as the central point for your secure connection before passing the traffic on to subsequent EC2 instances.

T: Elasticity is a primary benefit of using Auto Scaling.
E: Auto Scaling provides elasticity to your architecture by automating the process of easily scaling up OR down the number of instances being used by your application.

Q: What is the proper solution you should enact to prevent your application from crashing due to a sudden increase in demand?
A: Auto Scaling

E: Auto Scaling is what provides your architecture with the ability to automate the process of adding more instances to avoid crashes (due to sudden increase in demand). Scaling policies are PART of Auto Scaling but are not the overall solution.

T: An ELB can serve traffic to instances located inside a private subnet.
E: Placing instances in a private subnet creates a higher level of security for the data stored on them. By using an ELB, the ELB can take public traffic from the open Internet and route it into private subnets (and back out).

T: Target Groups allow us to route different traffic to different sets of EC2 instances using content-based rules in an Application Elastic Load Balancer.
E: Target Groups are where we assign different sets of EC2 instances to receive traffic in an Application Load Balancer. Launch Configurations and Auto Scaling Groups can be used with either Load Balancing type.

Q: What are the two main components of AWS Auto Scaling?
A: Launch configuration and Auto Scaling groups
E: A launch configuration is an EC2 template that will be used by the Auto Scaling group. The Auto Scaling group holds the rules that govern when instances will be provisioned or terminated.

T: It is Auto Scaling that contains scaling policies (which dictate the Cloudwatch thresholds for adding/removing instances), not Elastic Load Balancer.

Q: You are designing an environment that requires a complex balancing of traffic to EC2 instances using content-based rules, such as host-based or path-based. Which of the following AWS services would you choose?
A: Application Elastic Load Balancer
E: Application Elastic Load Balancers allow us to configure content-based rules (such as host-based or path-based rules) to balance traffic.

LA Quiz 8: Advanced Networking: Advanced VPC Networking for Increased Security
Q: You work for a company that has been experiencing attacks on its network. Management has asked that you design a solution that will provide increased security for EC2 instances containing sensitive data, while still allowing employees to access the data when needed. Which of the following suggestions is best?
A: Place the EC2 instances into private subnets, and set up a bastion host so employees can access them.
E: Placing EC2 instances into private subnets is a great way to increase their security, since they will no longer be directly accessible from any host outside of the VPC. Adding a bastion host to the architecture will allow authorized users to gain access to the internal resources (instances in private subnets) while providing an additional "hardened" layer of security.

Q: You have provisioned several EC2 instances into private subnets; however, you now have the problem of not being able to download any new software packages or updates. Which of the following provides the best solution?
A: Create a NAT Gateway in a public subnet and create a route to it in the route table associated with the private subnets.
E: A NAT gateway provides the most secure solution for granting EC2 instances in private subnets the ability to download software packages. However, the NAT gateway MUST be placed in a public subnet, and a route to it must be created in the route table associated with the private subnets.

Q: What are two primary requirements of a NAT Gateway (or NAT instance)?
A: A NAT gateway must be provisioned into a public subnet, and it must be part of the private subnet's route table.
E: A NAT gateway must be provisioned into a public subnet (so that it has a route to the internet), and it must be part of the private subnet's route table (so that the private instances have a route to the NAT gateway). A NAT gateway does not require a bastion host to work (but can be used in combination).

T: A NAT Gateway will only allow return traffic if that traffic has been specifically asked for by an internal resource.
E: A NAT Gateway will not allow any unsolicited traffic through. All traffic that passes through it MUST have been asked for by a resource inside the VPC.

Q: What best describes the difference between a bastion host and a NAT gateway?
A: A bastion host is used as a "gateway" for traffic that is destined for instances located in a private subnet, whereas a NAT gateway provides instances in a private subnet with a route to the Internet.
E: A bastion host is used as a "gateway" for traffic that is destined for instances located in a private subnet, whereas a NAT gateway provides instances in a private subnet with a route to the Internet. A NAT does provide protection for instances in a private subnet, but its primary goal is to allow instances in the private subnet a route to the Internet (to download software packages).

LA Quiz 9: Advanced Networking: Network Connectivity Troubleshooting
T: You cannot peer two VPCs that are located in different AWS regions.

T: NACLs are the security layer for a subnet (not security groups).

Q: You have just provisioned a fleet of EC2 instances and realized that none of them have a public IP address. What settings would need to be changed for the next fleet of instances to be created with public IP addresses?
A: Modify the auto-assign public IP setting on the subnet.
E: The auto-assigning of public IP addresses resides in the settings of the SUBNET you are provisioning the instances in. By default, new subnets have auto-assign public IP addresses disabled.

Q: You have an application currently running on five EC2 instances as part of an Auto Scaling group. For the past 30 minutes all five instances have been running at 100% CPU Utilization; however, the Auto Scaling group has not added any more instances to the group. What is a likely cause?
A1: The Auto Scaling group's MAX size is set at five
A2: You already have 20 on-demand instances running
E: The number of instances in an Auto Scaling group cannot exceed its set MAX limit, regardless of scale-up policies. Also, unless you request an increase from AWS, you cannot have more than 20 on-demand instances running at one time.

T: There can be many reasons why you cannot download software packages besides the instance being provisioned in a private subnet. For example, creating an instance without a public IP address or not having the proper ports open on the security group can cause issues downloading software.

Q: You are using a T2 instance type and are starting to notice that most of the time your application is running very slow. What would be an appropriate course of action?
A: Move the application to a larger instance type.
E: T2 instance types rely on "burstable" CPU credits for processing power. If your application is constantly using all the CPU credits, then you may experience slowdowns when you run out of credits. The solution to this would be to move the application to a larger instance type.

Q: You are running an analysis on traffic that is accessing your web application. However, you notice that the IP address for every visitor is the IP address of the Elastic Load Balancer. How should you fix this problem so that the logs reflect the IP address of the originating hosts?
A: Enable access logs on the ELB and store them in an S3 bucket.

Q: You have an ELB distributing traffic to a fleet of EC2 instances inside your VPC, evenly spread across two Availability Zones. However, you realize that only half of the instances are actually receiving traffic. What is the most likely cause of this problem?
A: Cross-zone load balancing has not been enabled.
E: Cross-zone load balancing must be enabled for the ELB to serve traffic evenly to all instances in all associated Availability Zones.

Q: If you have an EBS volume in Availability Zone us-east-1d and you want to attach it to an EC2 instance in Availability Zone us-east-1a, what procedure should you follow?
A: Create a snapshot of the volume in us-east-1d, then create a new volume from the snapshot, choosing to place it in us-east-1a. Attach the new volume to the instance.
E: EBS volumes cannot be used across Availability Zones; however, since snapshots are stored in S3, new volumes can be created from a snapshot and placed into any Availability Zone.

T: A VPC can only have one IGW attached to it at a time.

LA Quiz 10: S3
T: S3 can be used as an option for low-cost, reliable web hosting for STATIC (not dynamic) web sites.

Q: Through what process are objects moved from the standard storage class to Glacier?
A: Lifecycle policies
E: Objects uploaded and stored using the standard storage class must use lifecycle policies to move them to Glacier.

T: All S3 buckets are private by default.

Q: You have a static web page hosted in an S3 bucket, and your requests for a file from a website in another S3 bucket keep failing. What is the most likely solution?
A: Enable CORS configuration on the S3 buckets
E: The S3 buckets are in different domains. CORS (cross-origin resource sharing) will allow the domains to share resources. So, enabling CORS on the S3 buckets is the best solution.

T: The S3 infrequent access (S3-IA) storage class has object durability of 99.999999999% and availability of 99.90%.
E: S3-IA has the same durability as S3-standard but has a slightly lower availability since these objects are expected to be accessed much less frequently.

Q: You are currently running an application on AWS that hosts customers' photo albums. For each main photo uploaded, your application generates a thumbnail for use in the mobile version of the application. What is the most cost effective storage solution, while also providing the highest level of availability and durability?
A: Use the standard storage class for the main photos and the reduced redundancy storage class for the thumbnails.
E: Since the customers' main photos cannot be reproduced, storing them in the standard storage class will provide the highest level of availability and durability. The thumbnails can be easily reproduced from the main photos, so you can store them in reduced redundancy storage, which has lower durability, but is cheaper than standard.

Q: If you need to upload a file to S3 that is 500MB in size, what data transit option should you use?
A: Multi-part upload
E: Multi-part upload should be used for uploading any file over 100MB in size (and is required for an object over 5GB in size, up to 5TB in size). Single operation upload may be used but is not recommended. Import/Export and Snowball are used for datasets that are larger than 5TB.

Q: Your company has petabytes of data that it wants to move from their on-premises network to AWS. What AWS solution should you use?
A: AWS Snowball

E: Snowball is a service provided by AWS for moving extremely large amounts (petabytes) of data into AWS.

Q: You work for a hospital that is required to store patients' medical records for a minimum of 10 years. Most of these records will never be accessed but must be made available upon request (within a few hours). What is the most cost-effective storage option?
A: Glacier
E: Glacier is an AWS solution for archival storage, which is designed for long-term storage of data that is very rarely accessed.

Q: What best describes what occurs when you suspend object versioning?
A: All existing objects retain their current and past versions, and no new versions are created when objects are updated.
E: When you suspend versioning, S3 retains all current and existing past versions. However, all new objects will overwrite the existing current version. No new versions will be created.

Q: What is the object durability and availability advertised by AWS for their S3 standard storage service?
A: Durability of 99.999999999% and availability of 99.99%
E: The S3 standard storage class is advertised as having object durability of 99.999999999% (known as 11 nines) and availability of 99.99%.

LA Quiz 11: Advanced DNS, CDN and Failover Networking
Q: You are migrating your existing web application from your on-premises data center to the AWS cloud. As part of testing your AWS infrastructure, you only want to have 20% of traffic hit AWS resources and the other 80% hit your on-premises resources. What record set routing policy should you choose to accomplish this?
A: Weighted
E: A weighted routing policy allows for "manual" load balancing between different endpoints.

T: An alias record set contains a pointer to an AWS-specific resource.
E: An alias record set contains a pointer to an AWS-specific resource and is used to direct traffic to ELBs, CF distributions, and S3 buckets.

T: CloudFront caching is based on the object's file name (not its type).

Q: If you want to point a domain name to an AWS elastic load balancer in Route 53, how would you need to configure the record set?
A: Alias with a type "A" record set
E: You will need to configure the record set as a type "A" alias. An alias allows you to point the domain to an AWS-specific endpoint, such as an ELB, CloudFront distribution, or S3 bucket (as opposed to just an IPv4 IP address).

T: A public hosted zone should be used for routing Internet traffic for a domain, and a private hosted zone should be used for routing traffic within a VPC.

Q: What is a main benefit of using a CloudFront distribution?
A: Reduces load on your application’s resources
E: Once an object is cached at an edge location, all other requests for that object will be handled by the edge location, not your application. This can significantly reduce the number of times your resources are hit.

Q: You have set up a CloudFront distribution but find that instead of each edge location serving up objects that should be cached, your application's origins are being hit for each request. What could be a possible cause of this behavior?
A: The cache expiration time is set to zero
E: If the cache expiration time is not set (or set to zero), then CF will not cache objects at the edge location. This will prompt the behavior where the edge location will have to request the same object from the origin for each request.

Q: Your CloudFront distribution is performing well, but you are still getting too many requests at the origin locations. What could be one way to increase CloudFront performance?
A: Increase the cache expiration time
E: If your cache expiration times are too short, you may have requests from the edge location to the origin occurring when they are not required. If you increase the cache expiration time, you should experience fewer hits to the origin.

Q: What is an absolute rule when using an S3 bucket for Route 53 DNS failover?A: The S3 bucket must be the same as the domain nameE: To use an S3 bucket for Route 53 DNS failover, the bucket name must match the domain name.

T: A CloudFront origin is the source of the object, and an edge location is where the object is cached.

LA Quiz 12: Hybrid Environments and VPC PeeringQ: If AWS asks you to configure the connection between your on-premise data center and a Direct Connect Authorized Provider, what would you be configuring?A: The cross-network connectionE: The cross-network connection is the connection between your on-premise data center and the Direct Connect Authorized Provider.

Q: You are trying to establish a VPC peering connection but are having difficulties locating the other VPC. What is most likely the cause?A: The other VPC is in a different regionE: For a VPC peering connection to be established, both VPCs must be in the same region.

T: You can peer VPCs that are in two different AWS accounts, but they must be in the same region.

Q: What two components are required to establish a VPN connection?A: Virtual Private Gateway and Customer GatewayE: The VPG and Customer Gateway are the two "connectors" on both sides of the VPN connection (and both are required).

T: An AWS VPC connection automatically has two parallel IPsec tunnels for redundancy

T: A VPC can have both an IGW and a VPG attached at the same time (but only one of each)

Q: You have set up an AWS Direct Connect connection for your company but still want to create a backup solution in case the Direct Connect connections fails. What solution should use as the backup?A: AWS virtual private networkE: A virtual private network is a great backup solution for AWS direct connect. A virtual private network provides the same access, just with fewer benefits.

T: VPC peering does not allow transitive connections.

Q: If you need a dedicated, low latency connection to AWS from your on-premises data center, what solution should you choose?A: AWS Direct ConnectE: AWS Direct Connect is a service that provides a dedicated network connection between your data center and one of AWS's Direct Connect locations. One of the main benefits of Direct Connect is a low-latency connection.

Q: You have been asked to set up architecture that extends the AWS VPC to your company's on-premise data center. What do you need to set up to accomplish this?A: Virtual Private NetworkE: You will need to set up and configure a virtual private network. A VPN is what allows you to extend subnets inside your VPC to your on-premise data center.

Q: What best describes a Customer Gateway?
A: An on-premises, physical device that acts as the "connector" for the VPN connection.
E: The Customer Gateway is a physical device or software application located at your on-premises data center. It is the VPN connector on the data center side of the connection and must be configured with a static public IP address.

T: A Public Virtual Interface allows you to interface with AWS resources that have a public endpoint (like S3 or DynamoDB).

LA Quiz 14: Databases

T: AWS provides automated backups of RDS databases which are point-in-time snapshots.

Q: What are two benefits of using read replicas?
A1: Creates elasticity in RDS
A2: Improves performance of the primary database by taking workload from it
E: You can add/remove read replicas based on demand, so it creates elasticity for RDS. Read replicas can take read-only workloads off of the primary database, thus improving performance.

Q: The Availability Zone that your RDS database instance is located in is suffering from outages, and you have lost access to the database. What could you have done to prevent losing access to your database (in the event of this type of failure) without any downtime?
A: Enabled multi-AZ failover
E: If multi-AZ failover is enabled, a duplicate copy of the database is kept in a separate AZ. If there is a failure in the primary database's AZ, AWS will automatically switch the CNAME DNS record from the primary to the failover backup instance.

Q: What database service should you choose if you need petabyte-scale data warehousing?
A: Redshift
E: Redshift is for petabyte-scale data warehousing.

T: When setting up a DynamoDB database, you only need to specify the required throughput capacity. There is no instance size or storage type to choose from. AWS scales compute power with your needs.

T: A read replica can be promoted to the primary instance.

Q: How does using ElastiCache help to improve database performance?
A: It can store high-taxing queries
E: ElastiCache is designed for large, high-performance or taxing queries. It can store the queries to alleviate hits to the database.

Q: What database service offers petabyte-scale data warehousing?
A: Redshift
E: Redshift offers petabyte-scale data warehousing that is generally used for big data analytics.

Q: What are the "engine" options for ElastiCache?
A: Redis & Memcached

Q: What are three attributes of DynamoDB?
A1: Fully-managed
A2: A NoSQL database platform
A3: Uses key-value store

LA Quiz 15: Application & Messaging Services

Q: An SQS Message is?
A: A set of instructions stored in an SQS queue that can be up to 256KB in size
E: An SQS message can be up to 256KB of text (in any format) and is used to relay instructions from one instance to another (via an SQS queue).

Q: How can you create different versions of an API using API Gateway and also create a full development lifecycle? (2 answers)
A1: Create a new API version by cloning an existing one
A2: Deploy APIs to stages: dev, beta, production
E: You can create lifecycle stages (dev, beta, production) to which to deploy APIs. Each stage can have its own throttling, caching, metering, and logging. You can also create a new API version by cloning an existing one. In addition, you can roll back to previous versions of an API.

Q: If your application's architecture is currently tightly coupled, what AWS service should you use to decouple the application?
A: SQS (Simple Queue Service) and, to a lesser extent, SWF (Simple Workflow) can be used to decouple application components.

Q: What are some of the essential elements of API Gateway?
A1: API Gateway is a fully managed service that allows you to create and manage your own APIs for your application
A2: API Gateway acts as a "front door" for your application.
E: API Gateway is a fully managed service that allows you to create and manage your own APIs for your application. API Gateway acts as a "front door" for your application, allowing access to data/logic/functionality from your back-end services.

Q: What best describes decoupled architecture?
A: A system architecture of multiple components that can process information without being connected.
E: A loosely coupled (or decoupled) system is one that has multiple components that can work independently of each other. So if one fails, the other components can continue to work.

Q: How long can an SWF workflow execution last?
A: 1 year

Q: What service should you choose if you want to send notifications via text message to a system administrator?
A: SNS
E: SNS (Simple Notification Service) is the AWS service that provides the ability to send notifications to various endpoints, with SMS (text messages) being one of them.

Q: What are some of the benefits of using API Gateway? (2 answers)
A1: Ability to cache API responses
A2: DDoS protection via CloudFront
E: Benefits of API Gateway include:
- Ability to cache API responses
- DDoS protection via CloudFront
- SDK generation for iOS, Android, and JavaScript
- Supports Swagger (a framework of API dev tools)
- Request/response data transformation

T: SNS can be used to send push notifications to Android and iOS mobile devices.

Q: What is the purpose of an SWF decision task?
A: It tells the decider the state of the workflow execution.
E: A decision task is used to communicate (back to the decider) that a given task has been completed.

LA Quiz 16: Monitoring

T: CloudWatch is a service that allows you to view resource-level metrics and create alarms based on metric thresholds.

Q: Why does stopping and starting an instance (usually) fix a System Status Check error?
A: Stopping and starting an instance causes the instance to be provisioned on different AWS hardware.
E: Unless you have dedicated tenancy enabled, stopping and starting an instance will generally cause it to be launched onto different AWS host hardware.

Q: CloudTrail can log API calls from?
A: AWS is basically one big API call, so it does not matter if the API calls come from the command line, SDK, or console; they are all logged by CloudTrail.

Q: Which of the following CloudWatch EC2 metrics will require a custom script to enable?
A: Memory Utilization
E: Custom scripts are needed to enable OS-level monitoring of EC2 instances. Memory Utilization falls into that category, while CPU Credit Usage and CPU Utilization do not (those are host-level metrics).

T: System Status Checks are AWS hardware/software issues that we have no control over.

T: CloudTrail is an API logging service.

LA Quiz 17: Deployment Services

Q: What platforms are supported in Elastic Beanstalk?
A: Docker, Java, Windows .NET, Node.js, PHP, Python, Ruby

T: Elastic Beanstalk is primarily used to deploy simple, single-tier applications.

Q: What are two benefits of CloudFormation?
A1: A great disaster recovery option
A2: Version control your infrastructure
E: Since CloudFormation allows you to turn your infrastructure into code, you can use it to quickly spin up the infrastructure in a new region (in the case of a disaster), and since it's code, you can version control it.

T: By using CloudFormation, you can easily roll back your application's infrastructure to previous versions.

Q: What AWS service allows you to treat your infrastructure as code?
A: CloudFormation
E: CloudFormation allows you to turn your infrastructure into JSON-formatted templates.

LA Quiz 18: Analytics

Q: If you want to process data in real-time, what AWS service should you use?
A: Kinesis
E: Kinesis is AWS's service for processing data in real time and outputting it to a dashboard or other AWS services.

T: In EMR, data is mapped to a cluster of master/slave nodes for processing.

Q: If your Kinesis stream needs additional processing power, what component will you need to add more of?
A: Shards
E: You can scale out a Kinesis stream by adding more "shards".

Q: In what two scenarios would you want to use AWS Kinesis?
A1: Mobile data capture
A2: Capturing gaming data
E: Kinesis is great for collecting gaming data, such as player actions, and capturing data from IoT sensors and mobile devices.

T: EMR is a service which deploys EC2 instances based on the Hadoop framework, and also supports Apache Spark, HBase, Presto, and Flink.

T: A Kinesis consumer can include AWS services such as Redshift and S3.
E: Consumers can include Redshift and S3, but also other services like DynamoDB or a real-time dashboard/Kinesis-enabled app.

Q: What is the purpose of a Kinesis producer?
A: To collect and send data into a Kinesis stream.
E: Kinesis producers include things like IoT sensors and mobile devices that collect data and send it into the Kinesis stream.

T: EMR allows you to access the underlying operating system.

LA Quiz 19: EC2 Container Service

Q: Which of the following is NOT a use case for using ECS?
A: Cache big data queries
E: Caching big data queries is best done with a service like ElastiCache, not ECS.

Q: What is responsible for starting and stopping tasks on an ECS container instance?
A: ECS Agent
E: The ECS Agent is responsible for starting/stopping tasks. It also monitors tasks and resource utilization.

Q: What two components does a Task Definition define?
A1: Which ports should be open on the container instance
A2: Which container image to use
E: The Task Definition is the blueprint for your application and defines items such as:
1) Which ports should be open on the container instance
2) Which container image to use
3) Where to get the container image
4) What data volumes to use

Q: What is the purpose of AWS ECR?
A: To act as a container registry service
E: ECR is short for EC2 Container Registry. It is a repository service for storing container images.

Q: What ECS/container component contains all the actual software, code, and system tools that your container will use?
A: Container/Docker Image
E: The Container/Docker Image, which is built from the Dockerfile, contains all the actual software, code, runtime, system tools, and libraries that will be used in the container.

LA Quiz 20: Certified Solution Architect Concepts

T: When designing for elasticity and scalability, you want to strive for scaling out (adding more instances) instead of scaling up (increasing instance sizes). However, you must make sure you start with the proper instance size.

Q: What best describes Recovery Time Objective (RTO)?
A: The time it takes after a disruption to restore operations back to its regular service level.
E: The Recovery Time Objective (RTO) is the time it takes after a disruption to restore operations back to their regular service level (as defined by a company's operational level agreement).

Q: What service is best for logging all actions taken against the AWS API?
A: CloudTrail
E: CloudTrail is AWS's logging service that can be used to log all actions taken inside your AWS account.

Q: In the shared security responsibility model, what are items that you are responsible for managing? (choose all that apply)
A1: Guest operating systems
A2: AMIs
E: AWS is responsible for everything physical. That includes the security of the physical hardware at their data centers and their network infrastructure. You are responsible for selecting and managing the security of the AMIs and the OS you install on instances.

T: S3 offers 256-bit encryption for data-at-rest.
E: S3 offers 256-bit encryption for data-at-rest, which is an option you can turn on/off. AWS manages the keys and will decrypt the data when you request to download it.

Q: When designing cloud services, what design elements should you always consider? (select all that apply)
A1: Design for failure
A2: Create self-healing application environments
A3: Decouple applications
E: When designing cloud architecture, you always want to start by designing for failure, and create self-healing environments whenever possible. Decoupling your application is also best practice. However, you should always use a minimum of TWO Availability Zones. Only using one Availability Zone does not allow for high availability.

Q: What AWS service, if used as part of your application's architecture, has an added benefit of helping to mitigate DDoS attacks from hitting your back-end instances?
A: CloudFront
E: When CloudFront is used as part of your application's architecture, traffic from a DDoS attack will most likely be redirected to the cached data at an edge location (instead of being routed to your application's EC2 instances).

Q: Perfect Forward Secrecy is used to offer SSL/TLS cipher suites for which two AWS services?
A1: CloudFront
A2: Elastic Load Balancing

Q: What feature should you utilize for redundancy if auto scaling and load balancing are not available?
A: Elastic IP address set up for failover to "stand-by" instances
E: Setting up an Elastic IP address and having it ready for failover is a great solution when other services that provide high availability and fault tolerance are not available.

Q: What best describes CloudHSM?
A: A dedicated appliance that is used to store security keys
E: CloudHSM (which is not a feature specific to AWS) is a dedicated appliance that is used to store security keys.

Q: What is it called when you have a minimal version of your production environment running (which can be easily increased in size) as a disaster recovery solution?
A: Pilot light
E: A pilot light is the practice of having a minimally active version of your environment set up and running in a separate region. If there is a catastrophic failure of your primary environment, you can quickly spin up the pilot light environment to become your primary environment.

LA Quiz 21: Final Exam

Q: A colleague would like a new subnet configured in AWS for a database cluster she is building. She expects that the subnet will never need more than six IP addresses. Which of the following will likely be the most appropriate choice for this subnet?
A: A /28 private subnet
E: Databases generally do not require public access from the Internet, so a private subnet is likely the better choice from a security perspective. /28 is the smallest possible subnet in an AWS VPC.

Q: Company B provides an online image recognition service and utilizes SQS to decouple system components for scalability. The SQS consumer's readers poll the image queue as often as possible to keep end-to-end throughput as high as possible. However, Company B is realizing that polling in tight loops is burning CPU cycles and increasing costs with empty responses. How can Company B reduce the number of empty responses?
A: Enable long polling by setting ReceiveMessageWaitTimeSeconds to a number > 0

Q: The KPL is an easy-to-use, highly-configurable library that helps you write to an Amazon Kinesis stream. It acts as an intermediary between your producer application code and the stream's API actions. One of its key concepts is aggregation. Which of the following best describes aggregation as it relates to the KPL?
A: It refers to the storage of multiple records in a stream record and allows customers to increase the number of records sent per API call, which effectively increases producer throughput.

Q: While implementing a disaster recovery strategy in another region, you are attempting to move the data from one EBS volume to another in a separate region. What is the best way to do this? Keep in mind this is not a live production replication copy.
A: Take a snapshot of the EBS volume and copy it to the desired region

Q: Elasticity is a fundamental property of the cloud. What best describes elasticity?
A: Power to scale computing resources up and down easily with minimal friction

Q: If an instance that belongs to an Elastic Load Balancer fails its health check, what occurs to the instance that fails?
A: The ELB will de-register the instance and stop sending traffic to the unhealthy instance

Q: Your company is posting a big article on the front page of your website tomorrow. It is expected that the demand could potentially overwhelm your infrastructure. In the event of a load failure, how can you set up DNS failover to a static website?
A: Use Route 53 and the failover option to fail over to a static S3 website bucket or CloudFront distribution in the event of an issue

Q: As part of your application architecture requirements, the company you are working for has requested the ability to run analytics against all combined log files from the Elastic Load Balancer. Which services are used together to collect logs and process log file analysis in an AWS environment?
A: Amazon S3 for storing ELB log files and Amazon EMR for processing the log files for analysis

Q: You recently purchased and deployed four reserved EC2 instances in the US-East-1 region's Availability Zone 1 for a new project. Your supervisor just informed you that this project only requires two EC2 instances. Rather than selling the reserved instances, she asked you to terminate the extra instances and convert two of the on-demand instances already running in Availability Zone 1 to reserved instances. Can this be done?
A: Yes, you can terminate the reserved instances and AWS will automatically begin billing the two on-demand instances as reserved instances
E: If you own three Reserved Instances with the same instance type and Availability Zone, the billing system checks each hour to see how many total instances you have running that match those parameters. If it is three or fewer, you will be charged the Reserved Instance rate for each instance running that hour.

Q: Your supervisor asks you to create a highly available, decoupled web application. Which of the following does not help you accomplish this goal?
A: IAM user credentials on EC2 instances to grant permissions to modify an SQS queue
E: Elastic Load Balancers, Auto Scaling, and SQS can all play a part in a highly available, decoupled web application. IAM user credentials should not be stored on an EC2 instance.

Q: Your AWS environment contains several on-demand EC2 instances dedicated to a project that has just been cancelled. Your supervisor does not want to incur charges for these on-demand instances but also does not want to lose the data just yet because there is a chance the project may be revived in the next few days. What should you do to minimize charges for these instances in the meantime?
A: Stop the instances as soon as possible
E: You should not terminate an instance that you may need to place back into production in a few days. The best way to minimize charges is to stop the instances to avoid any data transfer charges that the instances might incur if left running.

Q: When designing a cloud service based on AWS and you choose to use RRS on S3 instead of the S3 standard storage type, what type of trade-offs do you have to build your application around?
A: RRS only has 99.99% durability and you have to design automation around replacing lost objects

Q: One of your more important clients is a Telecom business who needs to process some real-time data in a distributed manner. They suggest to you that they think they should use either Amazon SQS or Amazon Kinesis to achieve this and they want you to tell them what the difference between the two would be. After some research, you decide that they should use Kinesis and are trying to put together some reasons for this. One of the below statements is INCORRECT regarding this. Which one?
A: Kinesis cannot route related data records to the same record processor (as in streaming MapReduce).
E: Kinesis can route related data records to the same record processor.

Q: Which of the following best describes what "bastion hosts" are?
A: Bastion hosts are instances that sit within your public subnet and are typically accessed using SSH or RDP. Once remote connectivity has been established with a bastion host, it then acts as a 'jump' server, allowing you to use SSH or RDP to log in to other instances (within private subnets) deeper within your network.

Q: You and a colleague create an SQS queue and create several messages in it. You both test your ability to manually poll the queue by using the command-line API calls. After testing, you find that your colleague's polling attempt retrieved messages 1, 3, and 5. Your polling attempt retrieved messages 4, 6, and 8. Neither of your attempts retrieved messages 2 or 7. What is a possible cause for this behavior?
A1: You and your colleague did not see the same messages because of the visibility timeout
A2: You and your colleague used short polling
E: When a message is retrieved, that message is hidden from other polling attempts until the message is deleted or the visibility timeout expires. Short polling does not query all the servers that the SQS messages can reside on, so multiple queries of the queue may be needed to retrieve all messages in the queue.

T: The AMI ID used in an Auto Scaling policy is configured in the Launch Configuration.

Q: When reviewing the Auto Scaling events, it is noticed that an application is scaling up and down multiple times within the hour. What design change could you make to optimize cost while preserving elasticity?
A: Change the scale-down CloudWatch metric to a higher threshold

T: You cannot deny the AWS root account access to EC2 instances via IAM policy.

Q: By default, is data in S3 encrypted?
A: No, but it can be when the right APIs are called for SSE

Q: You are working for a startup company that is building an application that receives large amounts of data. Unfortunately, current funding has left the startup short on cash, unable to afford thousands of dollars of storage hardware. The company has opted to use AWS. Which services would you implement to store a virtually unlimited amount of data without any effort to scale when demand unexpectedly increases?
A: Amazon S3, because it provides unlimited amounts of data storage, scales automatically, and is highly available and durable

T: Amazon SQS (Simple Queue Service) guarantees that each message is delivered AT LEAST once but cannot guarantee it will not create duplicates.

Q: You are consulting for a healthcare company that has strict compliance and auditing requirements. When architecting the application environment on AWS, which services or service features might you enable to take advantage of monitoring to ensure auditing the environment for compliance is easy and follows the strict healthcare compliance requirements?
A: CloudTrail for security logs

Q: If your organization is concerned about storing sensitive data in the cloud, you should:
A1: Encrypt the file system on an EBS volume using Linux tools
A2: Enable EBS Encryption
A3: Enable S3 Encryption

Q: You are designing a global application that takes advantage of multiple regions. As part of your application, the need to synchronize from one region to another is required to ensure your application is serving the same data when employing latency-based Route 53 DNS records. To ensure this happens, you have determined that using the AWS CLI to sync files from the primary storage servers to S3 is the best method. How might you implement AWS CLI authentication against the S3 service?
A: Create an EC2 IAM role and assign it to each EC2 instance that utilizes the AWS CLI to sync the data

Q: What is the difference between an Availability Zone and an edge location?
A: An Availability Zone is an Amazon resource within an AWS region, whereas an edge location will deliver cached content to the closest location to reduce latency

Q: Currently, you're helping design and architect a highly-available application. After building the initial environment, you've found that part of your application does not work correctly until port 443 is added to the security group. After adding port 443 to the appropriate security group, how much time will it take before the changes are applied and the application begins working correctly?
A: Changes apply instantly to the security group, and the application should be able to immediately respond to 443 requests

Q: Your supervisor asks you to create a highly available website which serves static content from EC2 instances. Which of the following is not a requirement to accomplish this goal?
A: An SQS queue
E: While an SQS queue can be an important part of a multi-step decoupled web application, it is not necessary to host a highly-available static website on EC2. An Auto Scaling group configured to deploy EC2 instances in multiple subnets located in multiple Availability Zones allows an application to remain online despite an instance or AZ failure.

Q: Your company wants to back up the onsite file server to AWS but does not want to serve the files from S3 to your office network when files need to be accessed. Which service and setup would you use to accomplish this task?
A: Use Amazon Storage Gateway and gateway-stored volumes to store the data locally and asynchronously back up point-in-time snapshots to S3

Q: A user needs access to Elastic Load Balancing. This is the first and possibly only time that they will require this access. Which of the following choices would be the best way to allow this access?
A: Delegate access to the ELB using an IAM role

Q: You own an image manipulation application. Your users take a picture, upload it to your app, and request filters to be added to the image. You need to decouple the application so your users are not waiting for the image processing to take place. How would you go about doing this?
A: Use Amazon SQS to store the requests using metadata and JSON in the message, use S3 to store the image, and use Auto Scaling to determine when to fire off more worker instances based on queue size

Q: You have 5 Cloudformation templates. Each template is for a different application architecture. These architectures vary between your blog apps and your gaming apps. What determines the cost of using the Cloudformation templates?A: CloudFormation does not have a cost but you are charged for the underlying resources it builds

Q: Your application's usage peaks at 90% during the hours of 9 AM and 10 AM everyday. All other hours require only 10% of the peak resources. What is the best way to scale your application so you're only paying for max resources during peak hours?A: Proactive Cycle Scaling

Q: You are asked to review a plan that your company has made to create a new application that makes use of SQS, EC2, Auto Scaling, and CloudWatch. Which of the following action items should you advise your company not to implement?A: Utilize short polling with a wait time of 20 seconds to reduce the number of empty responses from the SQS queueE: Polling executed with a wait time of greater than 0 seconds is called long polling.

FALSE: When a snapshot is being taken against an EBS volume, the volume becomes unavailable and the instance no longer has the ability to communicate with the EBS volume until the snapshot is complete.

Q: Your EC2 instances are configured to run behind an Amazon VPC. You have assigned two web server instances to an Elastic Load Balancer. However, the instances and the ELB are not reachable via URL to the elastic load balancer serving the web app data from the EC2 instances. How might you resolve the issue so that your instances are serving the web app data to the public Internet?A: Attach an internet gateway to the VPC and route it to the subnet

Q: You create an SQS queue with the default settings for a new application your company is deploying. While new messages are added to the queue throughout the week, management has indicated that the application which retrieves the messages should only be run during your company’s weekly Sunday evening maintenance window. It is quickly noticed on Monday morning that several messages were not processed the previous evening and the messages are no longer in the queue. What is a likely cause for this issue?A: The messages surpassed the retention period for the queueE: The default message retention period for an SQS queue is four days, so messages older than four days would have been deleted.

Q: Your company has an application that requires access to a NoSQL database. Your IT department has no desire to manage the NoSQL servers. Which Amazon service provides a fully-managed and highly available NoSQL service?
A: DynamoDB

Q: An AWS VPC (Virtual Private Cloud) allows you to...
A: ...connect your cloud resources to your own encrypted IPsec VPN connections

Q: In order to establish a successful site-to-site VPN connection from your on-premises network to the VPC (Virtual Private Cloud), which of the following needs to be configured inside of the VPC?
A: A public IP address on the customer gateway for the on-premises network
E: When you configure a VPN, you're configuring it from the VPC and from the on-premises network. You are taking information (the public IP) from the on-premises network and configuring it inside of the VPC.

T: Auto Scaling is a tool used for creating elastic and self-healing applications.


Q: For basic monitoring on AWS, which metrics are not included as part of the basic monitoring package?
A1: Free memory
A2: Free swap

T: Amazon Auto Scaling is not meant to handle instant load spikes but is built to grow with a gradual increase in usage over a short time period.

Q: Your AWS environment contains several reserved EC2 instances dedicated to a project that has just been cancelled. Your supervisor wants to stop incurring charges for these reserved instances immediately and recover as much of the reserved instance cost as possible. What can you do to avoid being charged for them?
A: Terminate the instances as soon as possible, and sell the reserved instances on the AWS Reserved Instance Marketplace
E: You should terminate the instances to avoid any data transfer charges that they might incur if left running, and sell the reserved instances in the AWS Reserved Instance Marketplace to recover cost.

Q: In AWS, when a request is made, the AWS service decides whether a given request should be allowed or denied. The distinction between a request being denied by default and an explicit deny in a policy is important. Which of the following statements best describes this distinction?
A: By default, a request is denied, but this can be overridden by an allow. In contrast, if a policy explicitly denies a request, that deny can't be overridden.
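The evaluation rule in that answer (implicit deny by default, an explicit Allow grants access, an explicit Deny wins over any Allow) is easy to get wrong when several policies apply at once. The following is an added example, not part of the course notes and not AWS code: a toy evaluator that applies the rule to made-up policy documents in the usual JSON policy shape, using shell-style wildcard matching as a stand-in for IAM's `*`/`?` matching (conditions, principals and NotAction are deliberately left out).

```python
"""Toy model of IAM policy evaluation: implicit deny by default,
explicit Allow grants, explicit Deny can never be overridden.
Constructed example; the policies below are made up."""
import fnmatch


def _as_list(value):
    # Action/Resource may be a single string or a list in a policy document.
    return [value] if isinstance(value, str) else list(value)


def _statement_matches(stmt, action, resource):
    # Action names are case-insensitive in IAM; ARNs are compared as given.
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return any(fnmatch.fnmatchcase(action.lower(), a) for a in actions) and any(
        fnmatch.fnmatchcase(resource, r) for r in resources
    )


def evaluate(policies, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                # An explicit Deny ends evaluation: no Allow elsewhere can undo it.
                return "ExplicitDeny"
            if stmt["Effect"] == "Allow":
                allowed = True  # keep scanning, a later Deny could still win
    return "Allow" if allowed else "ImplicitDeny"


# Constructed sample policies: a broad read grant plus a carve-out Deny.
SAMPLE_POLICIES = [
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": "arn:aws:s3:::example-bucket/*",
            }
        ],
    },
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": "s3:*",
                "Resource": "arn:aws:s3:::example-bucket/secret/*",
            }
        ],
    },
]


def demo():
    """Evaluate a few requests against SAMPLE_POLICIES."""
    return {
        # Allowed by the first policy, no Deny applies.
        "public-read": evaluate(
            SAMPLE_POLICIES, "s3:GetObject", "arn:aws:s3:::example-bucket/public/index.html"
        ),
        # Matched by the Allow as well, but the explicit Deny wins.
        "secret-read": evaluate(
            SAMPLE_POLICIES, "s3:GetObject", "arn:aws:s3:::example-bucket/secret/keys.txt"
        ),
        # Nothing allows a write, so the default (implicit) deny applies.
        "public-write": evaluate(
            SAMPLE_POLICIES, "s3:PutObject", "arn:aws:s3:::example-bucket/public/x"
        ),
        # Action names match case-insensitively.
        "mixed-case": evaluate(
            SAMPLE_POLICIES, "S3:GETOBJECT", "arn:aws:s3:::example-bucket/public/x"
        ),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} -> {result}")
```

The practical point for reviewing policies is the asymmetry the evaluator encodes: adding an Allow anywhere can widen access, but a Deny is a hard stop, which is why guardrail policies (for example, denying access to a sensitive prefix) are written as explicit Deny statements rather than by omitting an Allow.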

T: US-East-1 supports Multi-AZ RDS deployments.

Q: Your supervisor asks you to create a decoupled application whose process includes dependencies on EC2 instances and servers located in your company's on-premises datacenter. Which of these are you least likely to recommend as part of that process?
A: SQS polling from an EC2 instance using IAM user credentials
E: An EC2 IAM role should be used when deploying EC2 instances to grant permissions, rather than storing IAM user credentials on EC2 instances.

Q: You manage an application that uses EC2 instances and SQS to process requests from end users. Your application is working great, but your supervisor is concerned about the cost of the AWS resources it uses. Which of the following would not help address that concern?
A: Increase the visibility timeout for messages in the SQS queue

Q: Your company has moved a legacy application from an on-premises data center to the cloud. The legacy application requires a static IP address hard-coded into the backend, which prevents you from deploying the application with high availability and fault tolerance using the ELB. Which steps would you take to apply high availability and fault tolerance to this application?
A1: Ensure that the instance it's using has an Elastic IP address assigned to it
A2: Write a custom script that pings the health of the instance and, if the instance stops responding, switches the Elastic IP address to a standby instance

Q: Which statement is true about Amazon SQS?
A1: Amazon SQS (Simple Queue Service) guarantees delivery of each message AT LEAST once but cannot guarantee it will not create duplicates.
A2: Amazon SQS guarantees delivery of each message AT LEAST once but cannot guarantee message order, although it attempts to.
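Several of the SQS questions above turn on the same three queue behaviours: messages expire after the retention period (four days by default), a received message is hidden only for the visibility timeout, and delivery is at least once, so a consumer that dies before deleting a message sees it again. The following in-memory model is an added example, not part of the course notes and not the SQS API or boto3; it uses a simulated clock (`advance`) and made-up message bodies so that the failure modes from the questions can be reproduced offline.

```python
"""Toy in-memory queue reproducing three SQS behaviours:
retention period, visibility timeout and at-least-once delivery.
Constructed example with a simulated clock; not the real SQS API."""
from dataclasses import dataclass
import itertools

FOUR_DAYS = 4 * 24 * 3600  # SQS default message retention, in seconds


@dataclass
class _Message:
    id: str
    body: str
    sent_at: float
    invisible_until: float = 0.0
    receive_count: int = 0


class ToyQueue:
    def __init__(self, retention_seconds=FOUR_DAYS, visibility_timeout=30):
        self.retention = retention_seconds
        self.visibility = visibility_timeout
        self.now = 0.0  # simulated clock in seconds
        self._messages = []
        self._ids = itertools.count(1)

    def advance(self, seconds):
        """Move the clock forward and silently expire messages past retention."""
        self.now += seconds
        self._messages = [m for m in self._messages if self.now - m.sent_at < self.retention]

    def send(self, body):
        message_id = f"msg-{next(self._ids)}"
        self._messages.append(_Message(message_id, body, self.now))
        return message_id

    def receive(self, max_messages=1):
        """Return up to max_messages visible messages and hide each one
        for the visibility timeout. Nothing is deleted here."""
        delivered = []
        for m in self._messages:
            if m.invisible_until <= self.now:
                m.invisible_until = self.now + self.visibility
                m.receive_count += 1
                delivered.append((m.id, m.body, m.receive_count))
                if len(delivered) == max_messages:
                    break
        return delivered

    def delete(self, message_id):
        """The consumer must delete explicitly once processing succeeded."""
        self._messages = [m for m in self._messages if m.id != message_id]

    def __len__(self):
        return len(self._messages)


def demo_retention():
    """Monday's message, first polled on Sunday: gone after four days."""
    q = ToyQueue()  # default settings, as in the question
    q.send("monday job")
    q.advance(6 * 24 * 3600)  # Sunday maintenance window
    return q.receive()  # nothing left to process


def demo_visibility():
    """Within the visibility timeout a second poll sees nothing,
    yet the message is still in the queue."""
    q = ToyQueue(visibility_timeout=30)
    q.send("order-7")
    q.receive()
    q.advance(10)
    return len(q.receive()), len(q)


def demo_at_least_once():
    """Consumer crashes before delete: same message is delivered again."""
    q = ToyQueue(visibility_timeout=30)
    q.send("order-42")
    first = q.receive()
    q.advance(31)  # visibility timeout has lapsed, no delete happened
    second = q.receive()
    return first[0][0] == second[0][0], second[0][2]


def demo_happy_path():
    """Receive, process, delete: the queue drains."""
    q = ToyQueue()
    q.send("order-1")
    (message_id, _body, _count), = q.receive()
    q.delete(message_id)
    return len(q)


if __name__ == "__main__":
    print("retention:", demo_retention())
    print("visibility:", demo_visibility())
    print("at-least-once:", demo_at_least_once())
    print("happy path:", demo_happy_path())
```

Because the same message can come back with a higher receive count, consumers should be idempotent (key on the message or a business ID) rather than assume exactly-once processing; the receive count is also what a dead-letter queue policy keys on in the real service.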

Q: Your company is moving its entire 20 TB data warehouse to the cloud. With your current bandwidth it would take 2 months to transfer the data. Which service would allow you to quickly get your data into AWS?
A: AWS Import/Export
