476 Cards in this Set
Acting as a "firewall" on EC2 instances |
Security Groups |
|
Regulate access to ports Control inbound network (from other to instance) Control outbound network Authorised IP ranges - IPv4 and IPv6 |
Security Groups |
|
Classic Port 22 |
SSH (secure shell) - log into a Linux instance // SFTP (Secure File Transport Protocol) - upload files using SSH |
|
Classic Port 21 |
FTP (File Transport Protocol) - upload files into a file |
|
Classic Port 80 |
HTTP - access unsecured websites |
|
Classic Port 442 |
HTTPS - access secured websites |
|
Classic Port 3389 |
RDP (Remote Desktop Protocol) - log into a Windows instance |
|
Allows you to control a remote machine, all using the command line |
SSH |
|
Supports Mac, Linux, Windows 10+ |
SSH |
|
Supports Windows |
Putty |
|
Supports Mac, Linux, all windows |
EC2 Instance Connect |
|
Short workload, predictable pricing |
On-demand instances |
|
Long workload (MIN 1 year) |
Reserved Instances |
|
Long workloads with flexible instances |
Convertible Reserved Instances |
|
Short workloads, cheap, can lose instances (less reliable) |
Spot instances |
|
book an entire physical server, control instance placement |
Dedicated hosts |
|
Pay for what you use Highest cost, but no upfront payment No long term commitment |
EC2 On Demand |
|
Recommended for short-term and uninterrupted workloads, where you can't predict how the application will behave |
EC2 On Demand |
|
EC2 On Demand Billing for Linux |
Billing per SECOND |
|
EC2 On Demand Billing for all other OS (not Linux) |
Billing per HOUR |
|
Up to 75% discount compared to on-demand Reservation period (only 1 OR 3 year term) Recommended for steady state usage applications (think database) Can pay no upfront, partial upfront, all upfront Specific instance type |
EC2 Reserved Instances |
|
Up to 54% discount Can change EC2 instance type |
Convertible Reserved Instance |
|
Launch within time frame you reserve When you require a fraction of a day/week/month |
Scheduled Reserved Instances |
|
Discount up to 90% compared to On-Demand Most cost-efficient instances Can "lose" instance at any point in time Not suitable for critical jobs or databases |
EC2 Spot Instances |
|
Useful for workloads that are resilient to failure: Batch jobs Data analysis Image processing Any distributed workloads Workloads with flexible start and end time |
EC2 Spot Instances |
|
physical server with EC2 instance capacity fully dedicated to your use |
EC2 Dedicated Host |
|
Help address compliance requirements and reduce costs allowing you to use existing server-bound software licenses Allocated for a 3 year reservation Useful for software that have complicated licensing model (BYOL - Bring Your Own License) Useful for strong regulatory or compliance needs |
EC2 Dedicated Host |
|
Instances running on hardware dedicated to you May share hardware with other instances on same account No control over instance placement (can move hardware after Stop/Start) |
EC2 Dedicated Instance |
|
Enables use of dedicated physical servers Per instance billing ($2 per region fee) Automatic instance placement |
Dedicated Instances |
|
Enables use of dedicated physical servers Per host billing Visibility of sockets, cores, host ID Affinity between host and instance Targeted instance placement Automatic instance placement Add capacity using allocation request |
Dedicated hosts |
|
Infrastructure (Global Network Security) Isolation on Physical Hosts Replacing faulty hardware Compliance Validation |
AWS Responsibility for EC2 |
|
Security Groups rules OS patches and updates Software and utilities installed on EC2 Instance IAM Roles assigned to EC2 & IAM user access management Data security on your instance |
User Responsibility for EC2 |
|
AMI (OS) + Instance Size (CPU + RAM) + Storage + Security Groups + EC2 User Data |
EC2 Instance |
|
Link to IAM roles |
EC2 Instance Role |
|
Script launched at the first start of an instance |
EC2 User Data |
|
Start a terminal into our EC2 instances (port 22) |
SSH |
|
On-Demand Spot Reserved (Standard/Convertible/Scheduled) Dedicated Host Dedicated Instance |
EC2 Purchasing Options |
|
network drive you can attach to your instances while they run Think of as a "network USB stick" Uses network to communicate - may be latency |
EBS (Elastic Block Store) Volume |
|
Allows instances to persist data, even after termination Can only be mounted to one instance at a time (at CCP level) Can be detached from instance and attached to another quickly Bound to specific availability zone - to move across you first need to snapshot it Free tier: 30 GB free storage of type gp2 per (provisioned capacity) month |
EBS (Elastic Block Store) Volume |
|
Make a backup of your EBS volume Not necessary to detach volume to do snapshot, but recommended Can copy across AZ or Region - able to transfer some data to different region |
EBS Snapshots |
|
Customization of an EC2 instance (Add own software, config, OS, monitoring) - Faster boot time Built for specific region (can be copied across region) |
Amazon Machine Image (AMI) |
|
Public AMI |
AWS provided |
|
Your Own AMI |
make and maintain yourself |
|
AWS Marketplace AMI |
made by someone else and potentially sells |
|
1. Start EC2 instance & customize it 2. Stop instance (for data integrity) 3. Build AMI - this will also create EBS snapshots 4. Launch instances from other AMIs |
AMI Process (from an EC2 Instance) |
|
If you need a high-performance hardware disk Better I/O performance Lose storage if stopped Good for buffer/cache/scratch data/temp content Risk of data loss if hardware fails Backups and Replication your responsibility |
EC2 Instance Store |
|
Managed NFS that can be mounted on 100s of EC2 instances at a time Only works with Linux EC2 instances - in multiple AZ Highly available, scalable, expensive (3x cost of gp2), pay per use, no capacity planning |
EFS (Elastic File System) |
|
Infrastructure Replication for data for EBS volumes & EFS drives Replacing faulty hardware Ensuring their employees cannot access your data |
AWS Responsibility for EC2 Storage |
|
Setting up backup/snapshot procedures Setting up data encryption Responsibility of any data on the drives Understanding risk of using EC2 Instance Store |
Customer Responsibility for EC2 Storage |
|
Network drives attached to one EC2 instance at a time EC2 instances can have multiples attached Mapped to AZ Allow data to persist even after termination |
EBS Volumes |
|
Create ready-to-use EC2 instances with our customizations |
AMI |
|
high performance hardware disk attached to EC2 instance Lost if instance is stopped/terminated |
EC2 Instance Store |
|
Fully managed service that makes it easy to set up, scale, and cost-optimize file storage Network file system, can be attached to 100s of instances in a region |
EFS |
|
app/system can handle greater loads by adapting; linked to but different from High Availability |
Scalability |
|
Increasing the SIZE of an instance Common for non-distributed systems, such as database Usually limit to how much you can scale (hardware limit) Ex: app runs on t2.micro to t2.large (change size of instance) Scale Up/Down |
Vertical Scalability |
|
Increasing number of instances/systems Implies distributed systems Common for web applications Easy thanks to cloud operations like EC2 Auto Scaling Group Load Balancer Scale Out/In |
Horizontal Scalability |
|
Usually goes hand in hand with horizontal scaling Running app/system in at least 2 AZ Goal = survive data center loss Auto Scaling Group Multi AZ |
High Availability |
|
once a system is scalable, there will be "auto scaling" based on load Cloud friendly, pay-per-use, match demand, optimize costs |
Elasticity |
|
Not related to scalability New IT resources are only a click away - reduce time to make resources available |
Agility |
|
servers that forward traffic to multiple servers (EC2 instances) downstream Backend EC2 instances Expose single point of access (DNS) to app Seamlessly handle failures of downstream instances Regular health checks Provide SSL termination (HTTPS) for websites High availability across zones |
Load Balancer |
|
Managed load balancer AWS guarantees it will be working AWS takes care of upgrades, maintenance, high availability AWS provides only a few config knobs Cannot help with back-end autoscaling |
Elastic Load Balancing (ELB) |
|
3 kinds of load balancers |
1. Application Load Balancer 2. Network Load Balancer 3. Classic Load Balancer |
|
HTTP/HTTPS only - Layer 7 |
Application Load Balancer |
|
Ultra-high performance Allows for TCP Layer 4 |
Network Load Balancer |
|
Layer 4 & 7 Slowly retiring |
Classic Load Balancer |
|
Goal = scale out/scale in to match load Ensure a min and max # of machines running Automatically register new instances to load balancer Replace unhealthy instances Cost savings : only run at optimal capacity (principle of cloud) Cannot change EC2 instance types on the fly Easy horizontal scaling |
Auto Scaling Group |
|
Distribute traffic across backend EC2 instances, can be multi AZ Supports Health Checks 3 types |
Elastic Load Balancers (ELB) |
|
Implement elasticity for app, across multiple AZ Scale EC2 instance based on demand, replace unhealthy Integrated with ELB |
Auto Scaling Groups |
|
A main building block of AWS Advertised as "infinitely scaling" storage Backbone for websites Used as an integration |
Amazon S3 |
|
IAM policies - which API calls should be allowed for specific user from IAM console |
User based S3 Security |
|
Bucket policies - bucket wide rules from the S3 console - allows cross account Object Access Control List - finer grain Bucket Access Control List - less common |
resource Based S3 Security |
|
An IAM principal can access an S3 object if: |
The user IAM permissions allow it OR the resource policy allows it AND there is no explicit DENY |
|
JSON based policies |
S3 Bucket Policies |
|
Buckets and objects |
Resources |
|
Set of API to ALLOW or DENY |
Actions |
|
Allow or Deny |
Effect |
|
Account or user to apply the policy to |
Principal |
|
Use S3 Bucket Policy to: |
Grant public access to the bucket Force objects to be encrypted at upload Grant access to another account (cross account) |
|
Settings created to prevent company data leaks Can be set at the account level If you know your bucket should never be public, leave these on |
Bucket settings for Block Public Access |
|
Can host static websites and have them accessible on the www If you get 403 error, make sure bucket policy allows public reads |
S3 Websites |
|
Version your files for S3 Enabled at bucket level |
S3 Versioning |
|
For audit purposes, may want to log all access to S3 buckets Any request made to S3 will be logged into another S3 bucket Data can be analyzed using data analysis tools Very helpful to identify root cause of an issue or audit usage, view suspicious patterns, etc |
S3 Access Logs |
|
Must enable versioning in source and destination Buckets can be in different accounts Copying is asynchronous Must give proper IAM permissions to S3 2 types : CRR & SRR |
S3 Replication |
|
Use cases: Compliance Lower latency access |
Cross Region Replication (CRR) |
|
Use cases: Log Aggregation Live replication between prod and test accounts |
Same Region Replication (SRR) |
|
7 types of S3 Storage Classes |
1. Amazon S3 Standard - General Purpose 2. Amazon S3 Standard - Infrequent Access (IA) 3. Amazon S3 One Zone - Infrequent Access 4. Amazon S3 Intelligent Tiering 5. Amazon Glacier 6. Amazon Glacier Deep Archive 7. Amazon S3 Reduced Redundancy Storage (deprecated) |
|
Amazon S3 Standard |
General purpose Commonly used |
|
Amazon S3 Standard - Infrequent Access (IA) |
Uploading file not accessed very often |
|
Amazon S3 One Zone - Infrequent Access |
File you know you can recreate over time |
|
Amazon S3 Intelligent Tiering |
Don't know where to put file |
|
Amazon Glacier |
Know you have copies of file |
|
Amazon Glacier Deep Archive |
Know it takes a while to retrieve copies |
|
If you store 10 mil objects with S3, you can on avg expect to incur a loss of single object once every 10,000 years Same for all storage classes |
S3 Durability |
|
Measures how readily available a service is Standard has 99.99% availability - not available 53 min per year Varies depending on storage class |
S3 Availability |
|
99.99% availability 99.9% availability SLA low latency, high throughput Used for frequently accessed data Sustain 2 concurrent facility failures Use cases: big data analytics mobile and gaming apps content distribution no retrieval fee |
S3 Standard - General Purpose |
|
99.9% availability 99% availability SLA For data less frequently accessed but requires rapid access when needed Lower cost compared to standard, but retrieval fee Sustain 2 concurrent facility failures Use cases: data store for disaster recovery backups min storage duration charge : 30 days min capacity charge per object: 128KB |
S3 Standard - Infrequent Access (IA) |
|
99.9% Availability 99% availability SLA Cost-optimized by automatically moving objects between two access tiers based on changing access patterns Resilient against events that impact entire AZ min storage duration charge : 30 days no retrieval fee |
S3 Intelligent Tiering |
|
Same as IA but data is stored in single AZ 99.5% availability 99% availability SLA Lower cost compared to S3-IA (by 20%) Use cases: Storing secondary backup copies of on-premises data, or storing data you can recreate min storage duration charge : 30 days min capacity charge per object: 128KB |
S3 One Zone - Infrequent Access |
|
low cost object storage (GB/month) meant for archiving/backup data retained for longer term various retrieval options of time + fee for retrieval min storage duration charge : 90 days min capacity charge per object: 40KB |
Amazon Glacier & Glacier Deep Archive |
|
99.99% availability Cheap Expedited (1-5 min) Standard (3 -5 hours) Bulk (5 - 12 hours) |
Amazon Glacier |
|
99.99% availability Standard (12 hours) Bulk (48 hours) Cheapest |
Amazon Glacier Deep Archive |
|
Infrastructure (global security, durability, availability, sustain concurrent loss of data in 2 facilities) Config and vulnerability analysis Compliance validation |
AWS Responsibility for S3 |
|
S3 Versioning S3 Bucket Policies S3 Replication Setup Logging and monitoring S3 Storage Classes Data encryption at rest and in transit |
Customer Responsibility for S3 |
|
physical data transport solution that helps moving TBs or PBs of data in/out of AWS RULE OF THUMB: use if it takes more than a week to transfer over network Alternative to moving data over network Pay per data transfer job Use cases: large data cloud migrations DC decommission Disaster recovery |
Snowball |
|
1. Request snowball devices from AWS console for delivery 2. Install snowball client on servers 3. Connect snowball to servers and copy files using client 4. Ship back device when done 5. Data loaded into S3 bucket 6. Snowball completely wiped |
Snowball process |
|
1000TB capacity Add computational capability to device Supports custom EC2 AMI to perform processing on the go Supports custom Lambda functions Very useful to pre-process data while moving Use cases: data migration image collation IoT capture Machine Learning |
Snowball Edge |
|
Transfer exabytes of data (1,000PB = 1mil TB) Has 100PB of capacity ( can use multiple in parallel) Better than Snowball if transferring more than 10PB |
AWS Snowmobile |
|
Why Hybrid cloud for storage? |
long cloud migrations security requirements compliance requirements IT strategy |
|
S3 is a proprietary storage technology (unlike EFS/NFS), so how do you expose the S3 data on-premise? |
AWS Storage Gateway |
|
AWS Storage Cloud Native Options |
Block: Amazon EBS EC2 Instance Store File: Amazon EFS Object: Amazon S3 Glacier |
|
bridge between on-premise data and cloud data in S3 Hybrid storage service to allow on-premise to seamlessly use AWS cloud Use cases: disaster recovery backup/restore tiered storage |
AWS Storage gateway |
|
Types of storage gateways |
File Volume Tape |
|
global unique name, tied to a region |
buckets |
|
IAM policy S3 Bucket Policy S3 Encryption |
S3 Security |
|
Host static website on S3 |
S3 Websites |
|
Multiple versions for files Prevent accidental deletes |
S3 versioning |
|
log requests made within S3 bucket |
S3 Access Logs |
|
same-region or cross-region must enable versioning |
S3 replication |
|
standard IA OZ-IA Intelligent Glacier Deep Archive |
S3 Storage Classes |
|
transition objects between classes (cost-savings) |
S3 Lifecycle Rules |
|
import data on S3 through physical device |
Snowball/Snowmobile |
|
hybrid solution to extend on-premises storage to S3 |
Storage Gateway |
|
composed of key, value, metadata |
Objects |
|
used to sign programmatic requests to AWS CLI or AWS API |
access keys |
|
Can structure data Build indexes to efficiently query/search through data Define relationships between datasets Optimized for a purpose and come with different features, shapes, and constraints |
Databases |
|
Looks like Excel spreadsheets with links between them Can use SQL language to perform queries/lookups |
Relational Databases |
|
non-SQL/non relational databases JSON is a common form of data that fits Data can be nested Fields can change over time Support for new types Purpose built for specific data models and have flexible schemas for building modern apps |
NoSQL Databases |
|
Benefits: Flexibility - easy to evolve data model Scalability - designed to scale out by using distributed clusters High-performance - optimized for specific data model Highly functional - types optimized for data model Examples: key-value Document graph in-memory search databases |
NoSQL databases |
|
AWS offers us services to manage different databases Benefits: Quick provisioning, high availability, vert/horz scaling Automated backup & restore, operations, upgrades OS system patching Monitoring, alerting DB tech could be run on EC2 but must handle resiliency, backup, patching, etc, by yourself |
AWS Databases Responsibilities |
|
managed DB service for DB use SQL as query language Allows to create databases in cloud managed by AWS Postgres MySQL MariaDB Oracle Microsoft SQL Server Aurora (AWS Proprietary database) |
Relational Database Service (RDS) |
|
Automated provisioning, OS patching Continuous backups and restore to specific timestamp Monitoring dashboards Read replicas for improved read performance Multi AZ setup for disaster recovery Maintenance windows for upgrades Scaling capability (vertical and horizontal) Storage backed by EBS (gp2 or io1) CANNOT SSH into your instances |
Advantage using RDS vs deploying DB on EC2 |
|
proprietary tech from AWS PostgreSQL and MySQL supported Claims 5x performance over MySQL on RDS Over 3x performance of Postgres on RDS Storage automatically grows in increments of 10GB, up to 64TB Costs more than RDS (20% more) - but is more efficient NOT in the free tier |
Amazon Aurora |
|
2 ways to run RDS in AWS |
1. Aurora - more cloud native 2. RDS - running tech as managed service |
|
managed Redis or Memcached Helps reduce load off databases for read intensive workloads AWS takes care of OS maintenance/patching, optimizations, setup, config, monitoring, failure recovery and backups |
Amazon ElastiCache |
|
in-memory databases with high performance, low latency |
Caches |
|
Fully managed, highly available with replication across 3 AZ NoSQL database - not relational Flagship product Scales to massive workloads, distributed "serverless" database Millions of requests per second Fast and consistent Single digit millisecond latency - low latency retrieval Integrated with IAM for security, auth, and administration Low cost and auto scaling capabilities Key/Value database |
DynamoDB |
|
Based on PostgreSQL, NOT used for OLTP OLAP used for analytics and data warehousing Load data once every hour, not every second 10x better performance Columnar storage (instead of row based) Massive Parallel Query Execution (MPP), highly available Pay as you go based on instances provisioned SQL interface for queries BI tools integration - AWS Quicksight or Tableau |
Redshift |
|
Helps create Hadoop clusters (big data) to analyze and process lots of data Clusters can be 100s of EC2 instances Supports Apache Spark, HBase, Presto, Flink Takes care of all the provisioning and configuration Auto-scaling and integrated with Spot instances Use case: Data processing Machine Learning Web indexing Big data |
Amazon EMR (Elastic MapReduce) |
|
Fully serverless database with SQL capabilities Used to query data in S3 Pay per query Output results back to S3 Secured through IAM Use case: one-time SQL queries serverless queries on S3 log analytics Serverless database to perform queries on S3 |
Athena |
|
quickly and securely migrate databases to AWS, resilient, self healing Source database remains available during migration Supports homogeneous and heterogeneous migrations |
Database Migration Service (DMS) |
|
managed extract, transform, and load (ETL) service Useful to prep and transform data for analytics Fully serverless service |
AWS Glue |
|
Catalog of datasets Can be used by Athena, Redshift, EMR to discover datasets and use proper schema |
AWS Glue Data Catalog |
|
OLTP: RDS & Aurora(SQL) |
Relational Databases |
|
In-memory database |
ElastiCache |
|
Key/Value database (serverless) |
DynamoDB |
|
OLAP/ Warehouse |
Redshift(SQL) |
|
Hadoop Cluster |
EMR |
|
Query data on S3 (serverless & SQL) |
Athena |
|
Managed ETL and Data Catalog Service |
Amazon Glue |
|
database migration |
DMS |
|
software development platform to deploy apps apps packed in containers that can be run on any OS apps run the same, regardless of where they're run virtualization technology versatile, easy to scale resources shared with host - many containers on one server |
Docker |
|
Where are Docker images stored? |
Docker repositories Private: Amazon ECR |
|
Public Docker Repositories |
Docker Hub Ubuntu MySQL NodeJS, Java |
|
Private Docker Repository |
Amazon ECR (Elastic Container Registry) |
|
Launch Docker containers on AWS You must provision and maintain the infrastructure Integrations with Application Load Balancer |
ECS (Elastic Container Service) |
|
Launch Docker containers on AWS Do NOT need to provision and maintain infrastructure (no EC2 instances) Serverless offering AWS runs containers for you based on CPU/RAM needed |
Fargate |
|
Private Docker registry on AWS Where you store Docker images to be run by ECS or Fargate |
Elastic Container Registry (ECR) |
|
Function as a Service pioneered by AWS Lambda Amazon S3 DynamoDB Fargate Lambda |
Serverless |
|
Virtual servers in cloud limited by RAM and CPU continuously running scaling means intervention to add/remove servers |
Amazon EC2 |
|
Virtual functions - no servers to manage Limited by time - short executions Run on-demand Scaling is automated |
AWS Lambda |
|
Easy pricing Pay per request & compute time Integrated with whole AWS suite of services Event-Driven: function invoked by AWS when needed Reactive Integrated with many languages Easy monitoring through AWS CloudWatch Easy to get more resources per function (up to 3GB RAM) Increasing RAM will also improve CPU and network |
Benefits of AWS Lambda |
|
Node.js Python Java C# Golang Powershell Ruby Custom Runtime API Docker is NOT for Lambda, it's for ECS/Fargate |
AWS Lambda Language Support |
|
Serverless Thumbnail Creation Fully event-driven, fully serverless Easily scalable |
lambda function |
|
Serverless Cron job Run on Linux AMI, use CloudWatch Events/EventBridge |
Lambda function |
|
Pay per calls: 1st 1mil requests are free $0.20 per 1 mil requests thereafter Pay per duration (in increments of 100ms): 400k GB-seconds per month is FREE 400k seconds if function is 1GB RAM 3.2mil seconds if function is 128MB RAM After that, $1.00 for 600k GB-seconds Usually very cheap to run Lambda |
AWS Lambda pricing |
|
Fully managed batch processing at any scale Efficiently run 100,000s of computing batch jobs on AWS Will dynamically launch EC2 instances or Spot instances Provisions the right amount of compute/memory You submit or schedule batch jobs and AWS Batch does the rest Helpful for cost optimizations focusing less on the infrastructure |
AWS Batch |
|
job with a start and end (as opposed to continuous) Ex: Docker images and run on ECS |
batch job |
|
time limit limited runtimes limited temp disk space serverless |
Lambda |
|
no time limit any runtime as long as it's packaged as a Docker image rely on EBS/instance store for disk space Relies on EC2 (can be managed by AWS) Runs thousands of jobs, don't manage compute resources |
Batch |
|
Virtual servers, storage, databases, and networking Low and predictable pricing Simpler alternative to using EC2, RDS, ELB, EBS, Route 53 Great for people with little cloud experience Can setup notifications and monitoring of your Lightsail resources High availability, no auto-scaling, limited AWS integrations Use cases: Simple web apps (templates for LAMP, Nginx, MEAN, Node.js) Websites (templates for WordPress, Magento, Joomla) Dev/Test environment |
Amazon Lightsail |
|
container technology to run applications |
Docker |
|
Run Docker Containers on EC2 instances |
Elastic container Services (ECS) |
|
Run Docker containers without provisioning the infrastructure Serverless offering (no EC2 instance) |
Fargate |
|
Private Docker Images Repository Where you store your Docker image to be run by ECS or Fargate |
ECR (Elastic Container Registry) |
|
Run batch jobs on AWS across managed EC2 instances |
Batch |
|
Predictable & low pricing for simple application and DB stacks |
Lightsail |
|
Serverless Function as a Service Seamless scaling Reactive |
Lambda |
|
By the run time x RAM provisioned By # of invocations Language support: many except Docker Invocation time : up to 15 minutes Use cases: Create thumbnails for images uploaded onto S3 Run serverless cron job |
Lambda |
|
declarative way of outlining your AWS infrastructure, for any resources (most are supported) creates in right order with exact config you specify |
CloudFormation |
|
Infrastructure as code (base) No resources manually created Changes to infrastructure reviewed through code Each resource within stack is tagged to see how much each costs you Estimate costs of resources using CF template ability to destroy/re-create infrastructure on the fly Automated generation of diagram for templates Declarative programming Leverage existing templates and documentation |
Benefits of CloudFormation |
|
Used when we have infrastructure as code and when we need to repeat an architecture in different environments, regions, or different AWS accounts Ex: WordPress CloudFormation Stack - can see all resources - can see relations between components |
CloudFormation Stack Designer |
|
typical architecture can easily be reproduced manually, reproduced on AWS through CloudFormation |
Web App 3-tier |
|
Managing infrastructure Deploying code Configuring all databases, load balancers Scaling concerns Most web apps have same architecture (ALB + ASG) All developers want is for their code to run Possibly, consistently across multiple environments |
Developer Problems on AWS |
|
Developer-centric view of deploying an application on AWS All in one view that's easy to make sense of Have full control over the config Platform as a Service Free but pay for underlying instances |
AWS Elastic Beanstalk |
|
Managed service Instance config/OS handled by Beanstalk Deployment strategy configurable but performed by Elastic Beanstalk Just the application code is the responsibility of the developer |
AWS Elastic Beanstalk |
|
3 architecture models for Beanstalk |
1. Single instance deployment - good for dev 2. LB + ASG - great for production or pre-production web applications 3. ASG only - great for non-web apps in production |
|
Deploy application automatically Works with EC2 instances Works with On-Premises servers Hybrid service Servers/instances must be provisioned and configured ahead of time with CodeDeploy Agent |
AWS CodeDeploy |
|
Way to patch fleet of EC2 instances Helps manage your EC2 and On-Premises systems at scale Hybrid Service Get operational insights about the state of infrastructure Suite of 10+ products Patching automation for enhanced compliance Run commands across an entire fleet of servers Store parameter config with the SSM Parameter Store Works for Windows and Linux |
AWS Systems Manager (SSM) |
|
Chef & Puppet - help perform server config automatically or repetitive actions Works great with EC2 & On-Premises VM Managed Chef & Puppet Alternative to AWS SSM Only provision standard AWS resources: EC2 instances, databases, load balancers, EBS volumes |
AWS OpsWorks |
|
Infrastructure as Code, works with almost all AWS resources Repeat across Regions & Accounts Free for use, pay for resources created CloudFormation templates are JSON or YAML-formatted text files Declarations of the AWS resources that make up a stack |
CloudFormation (AWS only) |
|
Platform as a Service Limited to certain programming languages or Docker Deploy code consistently with a known architecture: ex, ALB + EC2 + RDS Free for use, pay for resources created |
Beanstalk (AWS) |
|
Deploy & upgrade any application onto servers (automatic) |
CodeDeploy (Hybrid) |
|
Patch, configure, and run commands at scale Unified user interface |
Systems Manager (hybrid) |
|
Managed Chef & Puppet in AWS |
OpsWorks (Hybrid) |
|
application deployed in multiple geographies could be Regions and/or Edge locations |
Global application |
|
time it takes for network packet to reach a server Deploy app closer to users to decrease latency |
latency |
|
Why make a global application? |
Decreased latency Disaster recovery - important to increase availability attack protection - distributed global infrastructure is harder to attack |
|
Global AWS Infrastructure |
Regions: for deploying applications and infrastructure Availability Zones: made of multiple data centers Edge Locations: for content delivery as close as possible to users Network: links between regions, AZs |
|
Great to route users to the closest deployment with least latency Great for disaster recovery strategies |
Global DNS: Route 53 |
|
Replicate part of your application to AWS Edge Locations - decrease latency Cache common requests - improved user experience and decreased latency |
Global Content Delivery Network (CDN): CloudFront |
|
Accelerate global uploads & downloads into Amazon S3 |
S3 Transfer Acceleration |
|
Improve global application availability and performance using the AWS global network |
AWS Global Accelerator |
|
collection of rules and records which helps clients understand how to reach a server through URLs |
Domain Name System (DNS) |
|
managed DNS most common records are: |
Amazon Route 53 |
|
No health checks |
Simple Routing Policy |
|
Distribute across - enable health checks |
Weighted Routing Policy |
|
Minimize latency |
Latency Routing Policy |
|
Disaster Recovery Health check on primary |
Failover Routing Policy |
|
Route 53 Routing Policies |
Simple Weighted Failover |
|
Content Delivery Network (CDN) Improves read performance, content is cached at the edge Improves user experience 216 Edge Locations DDoS protection, integration with Shield, AWS Web Application Firewall |
AWS CloudFront |
|
For distributing files and caching them at the edge Enhanced security with CloudFront Origin Access Identity (OAI) CloudFront can be used as an ingress (to upload files to S3) |
S3 Bucket - CloudFront Origins |
|
Application Load Balancer S3 Website (must first enable the bucket as a static S3 website) Any HTTP backend you want |
Custom Origin (HTTP) - CloudFront Origins |
|
Global edge network Files cached for a TTL (maybe a day) Cache Great for static content that must be available everywhere |
CloudFront |
|
Must be setup for each region you want replication to happen Files are updated in near real-time Read only Replicate entire bucket into another region Great for dynamic content that needs to be available at low-latency in few regions |
S3 Cross Region Replication |
|
Increase transfer speed by transferring file into an AWS Edge Location which will forward the data to the S3 bucket in the target region Only used when you want to upload/download from S3 bucket that is far away from you |
S3 Transfer Acceleration |
|
Improve global application availability and performance using the AWS global network Leverage the AWS internal network to optimize the route to your applications (60% improvement) 2 Anycast IPs are created for your application and traffic is sent through Edge Locations Edge locations send traffic to your application |
AWS Global Accelerator |
|
Improved performance for your cacheable content (such as images and videos) Content is served at the edge |
CloudFront - CDN |
|
No caching Proxying packets at the edge to applications running in one or more AWS regions Improves performance for a wide range of applications over TCP and UDP Good for HTTP use cases that require static IP addresses Good for HTTP use cases that require deterministic, fast regional failover and good performance |
Global Accelerator |
|
Great to route users to the closest deployment with least latency Great for disaster recovery strategies Domain Registration, DNS, Health Checks, Routing Policy |
Global DNS: Route 53 |
|
Replicate part of your application to AWS Edge Locations - decrease latency Cache common requests - improved user experience and decreased latency Integrates WAF & Shield to protect against web attacks |
Global Content Delivery Network (CDN): CloudFront |
|
Accelerate global uploads & downloads into S3 |
S3 Transfer Acceleration |
|
Improve global application availability and performance using the AWS global network Will go through global locations but not cached at |
AWS Global Accelerator |
|
Two patterns of application communication |
1. Synchronous communications 2. Asynchronous/ Event based |
|
Application to application Can be problematic if there are sudden spikes of traffic |
Synchronous communications |
|
Application to queue to application Better to decouple apps Using SQS: queue model Using SNS: pub/sub model Using Kinesis: real-time data streaming model |
Asynchronous / Event based Communications |
|
Oldest AWS offering (over 10 years old) Fully managed service (serverless), used to decouple applications Scales from 1 message per second to 10,000s per second Default retention of messages: 4 days, max 14 days No limit to how many messages can be in the queue Messages deleted after they're read by consumers Low latency (<10 ms on publish and receive) consumers share the work to read messages & scale horizontally |
Amazon SQS (Standard Queue) |
|
Event publishers only send messages to one SNS topic As many event subscribers as we want can listen to the SNS topic notifications Each subscriber to the topic will get all the messages Up to 10 million subscriptions per topic / 100k topics limit |
Amazon SNS |
|
SNS Subscribers can be: |
1. HTTP/HTTPS (with delivery retries - how many times) 2. Emails, SMS messages, Mobile Notifications 3. SQS queues (fan-out pattern), Lambda functions (write-your-own integration) |
|
Queue service in AWS Multiple Producers, messages kept up to 14 days Multiple Consumers share the read and delete messages when done Used to decouple applications Pull-based system |
SQS (standard queue) |
|
Notification service in AWS Subscribers : email, Lambda, SQS, HTTP, Mobile Multiple Subscribers: send messages to all of them No message retention Push-based system |
SNS |
|
metrics for every service in AWS metrics have timestamps can create CloudWatch dashboards of metrics |
Amazon CloudWatch Metrics |
|
variable to monitor (CPU Utilization, NetworkIN) ex: Billing (us-east-1) |
metric |
|
Important metrics |
EC2 instances EBS volumes S3 Buckets Billing Service Limits Custom metrics |
|
CPU Utilization, Status Checks, Network (not RAM) Default metrics every 5 min Option for Detailed Monitoring ($$$): metrics every 1 min |
EC2 Instance Metrics |
|
Disk read/writes |
EBS Volumes Metrics |
|
BucketSizeBytes NumberOfObjects AllRequests |
S3 Buckets Metrics |
|
Total Estimated Charge (only in us-east-1) |
Billing metric |
|
How much you've been using a service API |
Service Limits Metrics |
|
Push your own metrics |
Custom metrics |
|
used to trigger notifications for any metric various options (sampling, %, max, min, etc) Can choose period on which to evaluate an alarm |
Amazon CloudWatch Alarms |
|
Alarms actions |
Auto Scaling EC2 Actions SNS Notifications |
|
Increase or decrease EC2 instances "desired" count |
Auto Scaling actions |
|
stop, terminate, reboot, or recover an EC2 instance |
EC2 Actions |
|
Send notification into SNS topic |
SNS notifications |
|
Alarm states |
OK Insufficient data - not enough data ALARM - bad |
|
Logs can collect logs from: Elastic Beanstalk ECS AWS Lambda CloudTrail CloudWatch enables real-time monitoring of logs Adjustable CloudWatch Logs retention |
Amazon CloudWatch Logs |
|
collection of logs from application |
Elastic Beanstalk Log |
|
Collection from containers |
ECS Log |
|
Collection from function logs |
AWS Lambda Logs |
|
log Based on filter |
CloudTrail Logs |
|
on EC2 machines or on-premises servers |
CloudWatch log agents |
|
Log DNS Queries |
Route53 logs |
|
log agent can be setup on-premises too Make sure IAM permissions are correct By default, no logs from EC2 instance will go to CloudWatch Need to run CloudWatch agent on EC2 to push the log files you want |
CloudWatch Logs for EC2 |
|
Schedule: Cron jobs (scheduled scripts) Event Pattern: event rules to react to a service doing something Trigger lambda functions, send SQS/SNS messages |
Amazon CloudWatch Events |
|
next evolution of CloudWatch Events |
Amazon EventBridge |
|
Default event bus |
generated by AWS services (CloudWatch Events) |
|
Partner event bus |
receive events from SaaS service or applications (Zendesk, Datadog, Segment, Auth0) |
|
Custom Event buses |
for your own applications |
|
Schema Registry |
model event schema |
|
Provides governance, compliance and audit for your AWS Account Enabled by default Get a history of events/API calls made within your AWS Account by: Console SDK CLI AWS Services Can put logs from CloudTrail into CloudWatch Logs or S3 A trail can be applied to All Regions (default) or a single Region If resource deleted in AWS, investigate CloudTrail first |
AWS CloudTrail |
|
Debugging in Production Test locally Add log statements everywhere Re-deploy in production Log formats differ across applications No common views of entire architecture Debugging: one big (easy), distributed services (hard) |
AWS X-Ray |
|
Troubleshooting performance (bottlenecks) Understand dependencies in a microservice architecture Pinpoint service issues Review request behavior Find errors and exceptions Identify users that are impacted Are we meeting time SLA? Where am I throttled? |
AWS X-Ray Advantages |
|
Shows all regions, all services health Shows historical information for each day Has an RSS feed you can subscribe to |
AWS Status - Service Health Dashboard |
|
Provides alerts and remediation guidance when AWS is experiencing events that may impact you personalized view into the performance and availability of the AWS services underlying your AWS resources displays relevant and timely information to help you manage events in progress and provides proactive notification to help you plan for scheduled activities shows how AWS outages directly impact you & your AWS resources Alert, remediation, proactive, scheduled activities |
AWS Personal Health Dashboard |
|
monitor the performance of AWS services and billing metrics |
CloudWatch Metrics |
|
Automate notification, perform EC2 action, notify to SNS based on metric Trigger notifications when metrics reach specific threshold |
CloudWatch Alarms |
|
Collect log files from EC2 instances, servers, Lambda functions Single, highly scalable service that centralizes logs from all of your systems, apps, and AWS services |
CloudWatch Logs |
|
React to events in AWS or trigger a rule on a schedule |
CloudWatch Events (EventBridge) |
|
Audit API calls made within your AWS account Inspect, audit, record events and API calls made within AWS account |
CloudTrail |
|
Trace requests made through your distributed applications Help analyze and debug production as well as distributed applications |
X-Ray |
|
Status of all AWS services across all regions |
Service Health Dashboard |
|
AWS events that impact your infrastructure |
Personal Health Dashboard |
|
Private network to deploy your resources (regional resource) |
VPC (Virtual Private Cloud) |
|
Allow you to partition your network inside your VPC (AZ resource) |
Subnets |
|
subnet that is accessible from the internet |
Public subnet |
|
Subnet that is not accessible from the internet |
Private subnet |
|
to define access to the internet and between subnets, we use |
Route Tables |
|
help our VPC instances connect with the internet Public Subnets have a route to |
Internet Gateway |
|
Allows instances in your private subnets to access the internet while remaining private |
NAT Gateways (AWS managed) NAT Instances (self-managed) |
|
Firewall which controls traffic from and to subnet Can have ALLOW and DENY rules Attached at the Subnet level Rules only include IP addresses Process rules in number order Is stateless: return traffic must be explicitly allowed by rules Automatically applies to all instances in the subnets it's associated with |
NACL (Network ACL) |
|
A firewall that controls traffic to and from an ENI/EC2 instance Can only have ALLOW rules Rules include IP addresses and other security groups Evaluate all rules before allowing traffic Operates at the Instance level Applies to an instance only if someone specified the SG when launching the instance |
Security Groups |
|
Capture information about IP Traffic going into your interfaces Helps monitor and troubleshoot connectivity issues -subnets to internet -subnets to subnets -internet to subnets Captures network info from AWS managed interfaces Data can go to S3/CloudWatch Logs |
VPC Flow Logs Subnet Flow Logs Elastic Network Interface Flow Logs |
|
Connect 2 VPC privately using AWS network Behave as if they were in the same network Must not have overlapping CIDR (IP address range) Connection is not transitive - must be established for each VPC that need to communicate with one another |
VPC Peering |
|
allow you to connect to AWS services using a private network instead of the public www network enhanced security and lower latency to access AWS services |
VPC Endpoints |
|
VPC Endpoint Gateway |
S3 & DynamoDB |
|
VPC Endpoint Interface: |
the rest |
|
Connect on-premises VPN to AWS Goes over the public internet Limited bandwidth, security concerns |
Site to Site VPN |
|
Establish a physical connection between on-premises and AWS Connection is private, secure, and fast Goes over a private network Takes at least a month to establish |
Direct Connect (DX) |
|
must use a customer Gateway (CGW) |
Site-to-site VPN On-premises |
|
must use a Virtual Private Gateway (VPG) |
Site-to-site VPN AWS |
|
works with direct connect gateway, VPN connections For having transitive peering between thousands of VPC and on-premises, hub-and-spoke (star) connection |
Transit Gateway |
|
logically isolated from other virtual networks, can launch AWS resources in a private network that you define |
Virtual Private Cloud |
|
tied to an AZ, network partition of the VPC |
Subnets |
|
at the VPC level, provide internet access horizontally scaled, redundant, highly available VPC component that allows communication between VPC and internet |
Internet Gateway |
|
give internet access to private subnets |
NAT Gateway/Instances |
|
stateless, subnet rules for inbound and outbound |
NACL |
|
stateful, operate at the EC2 instance level or ENI |
security groups |
|
connect 2 VPC with non overlapping IP ranges, non-transitive |
VPC Peering |
|
Provide private access to AWS services within VPC |
VPC Endpoints |
|
network traffic logs |
VPC flow logs |
|
VPN over public internet between on-premises DC and AWS |
Site to Site VPN |
|
direct private connection to AWS (physical connection) |
Direct Connect |
|
Connect 1000s of VPC and on-premises networks together |
Transit Gateway |
|
Protecting infrastructure (hardware, software, facilities, and networking) that runs all AWS services Managed services like S3, DynamoDB, RDS, etc. |
AWS Responsibility Security OF the Cloud |
|
For EC2 instance, customer is responsible for management of the guest OS (including security patches and updates), firewall & network configuration, IAM Encrypting application data |
Customer Responsibility - Security IN the Cloud |
|
Patch management Config management Awareness and training |
Shared controls for Security |
|
Manage the underlying EC2 instance, disable SSH access Automated DB patching Automated OS patching Audit the underlying instance and disks & guarantee it functions |
AWS Responsibility for RDS |
|
Check ports/IP/security group inbound rules in DBs SG In-database user creation and permissions Creating a database with or without public access Ensure parameter groups or DB is configured to only allow SSL connections Database encryption setting |
Customer responsibility for RDS |
|
Guarantee you get unlimited storage Guarantee you get encryption Ensure separation of the data between different customers Ensure AWS employees can't access your data |
AWS Responsibility for S3 |
|
Bucket Configuration Bucket policy/public settings IAM user and roles Enabling encryption |
Customer responsibility for S3 |
|
protects against DDOS attack for your website and applications, for all customers at no additional cost |
AWS Shield Standard |
|
24/7 premium DDOS protection |
AWS Shield Advanced |
|
Filter specific requests based on rules |
AWS WAF |
|
availability protection using global edge network Combined with AWS Shield, provides attack mitigation at the edge |
CloudFront and Route53 |
|
What is a DDOS |
Distributed Denial-of-Service attack |
|
Free service activated for every AWS customer Provides protection from attacks like SYN/UDP floods, Reflection attacks and other layer 3/layer 4 attacks |
AWS Shield Standard |
|
Optional DDOS mitigation service ($3k per month per org) Protect against more sophisticated attacks on EC2, ELB, CloudFront, Global Accelerator, Route 53 24/7 access to AWS DDOS Response Team (DRT) Protect against higher fees during usage spikes due to DDOS |
AWS Shield Advanced |
|
Protects your web apps from common web exploits (layer 7) Layer 7 is HTTP (vs Layer 4 is TCP) Deploy on Application Load Balancer, API Gateway, CloudFront |
AWS Web Application Firewall (WAF) |
|
Rules can include IP addresses, HTTP headers, HTTP body, or URI strings Protects from common attack - SQL injection, Cross-Site Scripting (XSS) Size constraints, geo-match (block countries) Rate-based rules (to count occurrences of events) - for DDOS protection |
Web Access Control List (WACL) |
|
AWS customers can carry out penetration tests against their AWS infrastructure without prior approval for 8 services: |
1. EC2 instances, NAT Gateways, ELBs 2. RDS 3. CloudFront 4. Aurora 5. API Gateways 6. Lambda and Lambda Edge functions 7. Lightsail resources 8. Elastic Beanstalk environments |
|
Prohibited activities for penetration tests |
1. DNS zone walking via Route 53 Hosted Zones 2. DOS, DDOS, simulated DOS, simulated DDOS 3. Port flooding 4. Protocol flooding 5. Request flooding (login request flooding, API request flooding) |
|
encryption for AWS service AWS manages software for encryption |
AWS Key Management Service (KMS) |
|
Encrypt volumes |
EBS Volumes |
|
Server-side encryption of objects |
S3 Buckets |
|
encryption of data |
Redshift database/EFS drives |
|
Encryption Opt-in |
EBS Volumes S3 buckets Redshift database EFS drives |
|
Encryption Automatically Enabled for: |
cloudTrail logs S3 Glacier Storage Gateway |
|
AWS provisions encryption hardware you manage your own encryption keys Dedicated hardware (HSM) - tamper resistant, FIPS 140-2 Level 3 compliance |
CloudHSM |
|
3 types of KMS Keys |
1. Customer Managed CMK 2. AWS managed CMK 3. CloudHSM Keys (custom keystore) |
|
Create, manage and use, can enable/disable Possibility of rotation policy (new key generated every year, old key preserved) Possibility to bring-your-own-key |
Customer Managed CMK |
|
Used by AWS service (S3, EBS, Redshift) Managed by AWS |
AWS managed CMK |
|
Keys generated from your own CloudHSM hardware device |
CloudHSM Keys (custom keystore) |
|
Newer service, meant for storing secrets Capability to force rotation of secrets every X days Automate generation of secrets on rotation (uses Lambda) Integration with RDS (MySQL, PostgreSQL, Aurora) Secrets are encrypted using KMS Mostly meant for RDS integration |
AWS Secrets Manager |
|
portal that provides customers with on-demand access to AWS compliance documentation and AWS agreements |
AWS Artifact |
|
allows you to download AWS security and compliance documents, like AWS ISO certifications, Payment Card Industry (PCI), and System and Organization Control (SOC) reports |
Artifacts Reports |
|
allows you to review, accept, and track the status of AWS agreements such as the Business Associate Addendum (BAA) Can be used to support internal audit or compliance |
Artifacts Agreement |
|
Intelligent Threat discovery to protect AWS account uses ML algorithms, anomaly detection, 3rd party data One click to enable (30 day trial), no need to install software Can set up CloudWatch Event rules to be notified in case of findings CloudWatch Event rules can target Lambda or SNS |
Amazon GuardDuty |
|
Input data for GuardDuty includes: |
1. CloudTrail Logs: unusual API calls, unauthorized deployments 2. VPC Flow Logs: unusual internet traffic, unusual IP address 3. DNS Logs: compromised EC2 instances sending encoded data within DNS queries |
|
automated security assessments for EC2 instances Analyze the running OS against known vulnerabilities analyze against unintended network accessibility must be installed on OS in EC2 instances After assessment, you get a report with list of vulnerabilities |
Amazon Inspector |
|
Helps with auditing and recording compliance of your AWS resources Helps record configurations and changes over time Possibility of storing the configuration data into S3 (analyzed by Athena) Can receive alerts for any changes Per-region service can be aggregated across regions and accounts |
AWS Config |
|
Is there unrestricted SSH access to my security groups? Do my buckets have any public access? How has my ALB configuration changed over time? |
Questions that can be solved by AWS Config |
|
View compliance of a resource over time View configuration of a resource over time View CloudTrail API calls if enabled |
AWS Config Resource |
|
Fully managed data security and data privacy service that uses ML and pattern matching to discover and protect your sensitive data in AWS Helps identify and alert you to sensitive data, such as PII |
Amazon Macie |
|
Responsible for firewall and network config Server-side encryption Client-side data protection Customer data protection |
Customer responsibility for Security |
|
Get access to compliance reports such as PCI, ISO |
Artifact |
|
Find malicious behavior with VPC, DNS, CloudTrail logs Threat Detection service |
GuardDuty |
|
For EC2 only, install agent and find vulnerabilities |
Inspector |
|
Track config changes and compliance against rules |
Config |
|
Find sensitive data in S3 buckets |
Macie |
|
Track API calls made by users within account |
CloudTrail |
|
Find objects, people, text, scenes in images and videos using ML Facial analysis and facial search to do user verification, people counting Create a database of "familiar faces" or compare against celebrities Use cases: Labeling Content moderation text detection face detection and analysis face search and verification Celebrity recognition Pathing (sports game analysis) |
Amazon Rekognition |
|
Automatically convert speech to text Uses deep learning process called automatic speech recognition (ASR) to convert speech to text quickly and accurately Use cases: Transcribe customer calls Automate closed captioning and subtitling Generate metadata for media assets to create a fully searchable archive |
Amazon Transcribe |
|
Turn text into lifelike speech using deep learning Allow you to create applications that talk |
Amazon Polly |
|
Natural and accurate language translation Allows you to localize content - such as websites and apps - for international users and easily translate large volumes of text efficiently |
Amazon Translate |
|
Same technology that powers Alexa ASR to convert speech to text Natural language understanding to recognize the intent of text, callers Helps build chatbots, call center bots Can be used as a stand-alone service |
Amazon Lex |
|
Receive calls, create contact flows, cloud-based virtual contact center |
Amazon Connect |
|
for NLP Fully managed and serverless service Use ML to find insights and relationships in text Language of text Extracts key phrases, people, places, brands or events Understands how positive or negative the text is Analyzes text using tokenization and parts of speech Automatically organizes a collection of text files by topic Use cases: analyze customer interactions to find what leads to pos/neg experience Create and group articles by topics that Comprehend will uncover |
Amazon Comprehend |
|
Fully managed service for developers/data scientists to build ML models Typically difficult to do all processes in one place and provision servers |
Amazon SageMaker |
|
Global service Allows you to manage multiple AWS accounts Main account is master account Cost benefits API available to automate AWS account creation |
AWS Organizations |
|
Consolidated billing across all accounts - single payment method Pricing benefits from aggregated usage (volume discount for EC2, S3) Pooling of Reserved EC2 instances for optimal savings |
Cost benefits of AWS Organizations |
|
Create accounts per department, per cost center, per environment, based on regulatory restrictions (using SCP) for better resource isolation (ex: VPC) to have separate per-account service limits, isolated account for logging Multi Account v One Account Multi VPC Use tagging standards for billing purposes Enable CloudTrail on all accounts, send logs to central S3 account |
Multi Account Strategies |
|
4 pricing models in AWS |
1. Pay as you go 2. Save when you reserve 3. Pay less by using more 4. Pay less as AWS grows |
|
pay for what you use, remain agile, responsive, meet scale demands |
Pay as you go |
|
Minimize risks, predictably manage budgets, comply with long-term requirements |
Save when you reserve |
|
volume-based discounts |
pay less by using more |
|
Free services in AWS |
IAM VPC Consolidated billing Elastic beanstalk (pay for resources created) CloudFormation (pay for resources created) AutoScaling Groups (pay for resources created) |
|
Free tier in AWS |
EC2 t2.micro instance for a year S3, EBS, ELB, AWS Data transfer |
|
only charged for what you use Number of instances Instance configuration ELB running time and amount of data processed Detailed monitoring |
Compute Pricing - EC2 |
|
Physical capacity Region OS and software Instance type Instance size |
Instance configuration |
|
Minimum of 60s Pay per second (Linux) Pay per hour (Windows) |
EC2 On-Demand Instance pricing |
|
Up to 75% discount compared to on-demand hourly rate 1 or 3 year commitment all upfront, partial, no upfront |
Reserved instance pricing |
|
up to 90% discount compared to On-demand on hourly rate Bid for unused capacity |
Spot instances |
|
Up to 72% discount compared to ON-demand hourly rate Commit to usage of individual instance families in a region ($ per hour) Regardless of AZ, size, OS, or tenancy 1 or 3 year commitment all upfront, partial, no upfront |
Savings Plans |
|
On-demand Reserved Savings plans |
Dedicated host |
|
Pay per call Pay per duration |
Lambda Pricing |
|
EC2 Launch Type model No additional fees, you pay for resources stored and created in your application |
ECS |
|
Fargate Launch Type Model Pay for vCPU and memory resources allocated to your applications in your containers |
Fargate |
|
S3 Standard S3 IA S3 OZ IA S3 Intelligent Tiering S3 Glacier S3 Glacier Deep Archive |
Storage classes |
|
Storage class Number and size of objects: price can be tiered (based on volume) Number and type of requests Data transfer OUT of the S3 region S3 Transfer Acceleration Lifecycle transitions Similar service: EFS (pay per use, has infrequent access and lifecycle rules) |
S3 Storage Pricing |
|
Volume type (based on performance) Storage volume in GB per month Provisioned IOPS Snapshots - added data cost per GB per month Data transfer - outbound tiered for volume discounts (inbound is free) |
EBS Storage Pricing |
|
General Purpose SSD: included Provisioned IOPS SSD: provisioned amount in IOPS Magnetic: Number of requests |
IOPS |
|
Per hour billing Database characteristics (engine, size, memory class) Purchase type (on-demand, reserved with required up front) Backup storage - no additional charge up to 100% of total DB storage for a region Additional storage - per GB per month Number of input/output requests per month Deployment type (Storage and I/O are variable) - single AZ/ multi AZ Data transfer - outbound tiered for volume discounts (inbound is free) |
RDS Database pricing |
|
pricing is different across geographic regions Aggregated for each edge location, then applied to bill Data transfer out (volume discount) Number of HTTP/HTTPS requests |
Content Delivery - CloudFront pricing |
|
Use Private IP instead of Public IP for good savings and better network performance Use same AZ for max savings (at cost of high availability) |
Networking Costs per GB |
|
estimating costs in the cloud |
TCO Calculator Simple Monthly Calculator |
|
Tracking costs in the cloud |
Billing dashboard Cost allocation tags Cost and usage reports Cost explorer |
|
Monitoring against cost plans |
billing alarms budgets |
|
allow you to estimate the cost savings when using AWS and provide a detailed set of reports that can be used in executive presentations compare cost of applications in an on-premises or traditional hosting environment to AWS: server, storage, network, IT labor |
AWS Total Cost of Ownership Calculator (TCO) |
|
how does AWS help reduce TCO |
by reducing the need to invest in large capital expenditures and providing a pay-as-you-go model |
|
points of comparison of On-Premises vs AWS |
1. server costs 2. storage costs 3. network costs 4. IT labor costs |
|
replaced by AWS pricing calculator Estimate cost for your architecture solution |
Simple Pricing Calculator |
|
Shows cost for the month |
AWS Billing Dashboard |
|
shows usage for each free tier |
AWS Free Tier Dashboard |
|
used to track AWS costs on a detailed level |
Cost Allocation Tags |
|
automatically applied to the resource you create starts with Prefix aws: |
AWS Generated tags |
|
defined by the user starts with prefix user: |
user-defined tags |
|
used for organizing resources EC2: instances, images, load balancers, security groups RDS, VPC resources, route53, IAM users resources created by CloudFormation are all tagged the same way can be used to create Resource Groups |
Tags |
|
create, maintain, and view a collection of resources that share common tags manage these tags using the tag editor |
resource groups |
|
free naming, common tags |
Name, Environment, Team |
|
contains most comprehensive set of AWS cost and usage data available, including additional metadata about services, pricing, and reservations (ex: EC2 Reserved Instances) Lists AWS usage for each service category used by an account and its IAM users in hourly or daily line items, as well as any tags that you have activated for cost allocation purposes Can be integrated with Athena, Redshift, or QuickSight |
Cost & Usage Reports |
|
Visualize, understand, and manage your AWS costs and usage over time Create custom reports to analyze cost and usage data analyze data at high level: total costs and usage across all accounts Choose an optimal savings plan (to lower prices on your bill) Forecast usage up to 3 months based on previous usage |
Cost Explorer |
|
for actual cost, not projected costs intended as a simple alarm (not as powerful as AWS Budgets) data for overall worldwide AWS costs metric stored in us-east-1 |
Billing alarms in CloudWatch |
|
create budget and send alarms when costs exceeds budget 3 types of budgets: usage, cost, reservation up to 5 SNS notifications per budget same options as AWS Cost Explorer 2 budgets are free, then $0.02/day/budget Can filter by: service, linked account, tag, purchase option, instance type, region, AZ, API operation For reserved instances: track utilization, supports EC2 / elasticache /rds /redshift |
AWS Budgets |
|
no need to install - high level AWS account assessment analyze AWS accounts and provides recommendation: cost optimization performance security fault tolerance service limits core checks and recommendations - all customers can enable weekly email notification from the console |
trusted advisor |
|
ability to set CloudWatch alarms when reaching limits programmatic access using AWS support API |
Full Trusted Advisor |
|
low utilization EC2 instances, idle load balancers, under-utilized EBS volumes Reserved instances and savings plans optimizations |
Trusted advisor checks - cost optimizations |
|
High utilization EC2 instances, CloudFront CDN optimizations EC2 to EBS throughout optimizations, alias records recommendations |
trusted advisor checks - performance |
|
MFA enabled on Root Account, IAM key rotation, exposed Access Keys S3 Bucket Permissions for public access, security groups with unrestricted ports |
trusted advisor checks - Security |
|
EBS snapshots age, AZ balance ASG multi AZ, RDS multi AZ, ELB configuration |
Trusted advisor checks - fault tolerance |
|
trusted advisor checks |
cost optimizations performance security fault tolerance service limits |
|
Free Customer Service & communities - 24x7 access to customer service, documentation, whitepapers, and support forums Trusted Advisor - Access to 7 core Trusted Advisor checks and guidance to provision resources following best practices to increase performance and improve security Personal Health Dashboard - personalized view of health of AWS services and alerts when resources impacted |
Basic Support Plan |
|
All basic support plan + Business hours email access to Cloud Support Associates Unlimited cases / 1 primary contact Case severity/response times: general guidance: < 24 hours system impaired: < 12 hours |
Developer support plan |
|
intended to be used if you have production workloads Trusted Advisor - full set of checks + API access 24x7 phone, email, chat access to Cloud Support Engineers unlimited cases/unlimited contacts access to infrastructure event management - for additional fee case severity/response times: general guidance: <24 hours system impaired: <12 hours Production system impaired: <4 hours production system down: < 1 hour |
Business Support Plan |
|
Intended for use if you have mission critical workloads All of business support plan + access to a technical account manager (TAM) Concierge support team (for billing and account best practices) Infrastructure Event Management, Well-architected & Operations reviews case severity/response times: business critical system down: < 15 min |
Enterprise Support Plan |
|
Operate multiple accounts using Organizations; use SCPs to restrict what each account is allowed to do; use tags & cost allocation tags for easier management & billing; IAM guidelines: MFA, least privilege, password policy, password rotation; Config to record all resource configurations & compliance over time; CloudFormation to deploy stacks across accounts and regions; Trusted Advisor to get insights, and a Support Plan adapted to your needs; send service logs and access logs to S3 or CloudWatch Logs; CloudTrail to record API calls made within your account; if an account is compromised: change the root password, delete and rotate all passwords/access keys, contact AWS Support |
Account Best Practices |
|
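One way to put the "use SCPs to restrict account power" and "CloudTrail to record API calls" items into practice, as an added example and not part of the original flashcard set: a service control policy attached to an organizational unit that stops member accounts from tampering with CloudTrail, leaving the organization, or using the root user for day-to-day work. The Sid values and the exact list of actions are assumptions made for this illustration; the `aws:PrincipalArn` condition on the root ARN follows the pattern used in the AWS Organizations SCP examples.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectCloudTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PreventLeavingOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    },
    {
      "Sid": "DenyRootUserInMemberAccounts",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    }
  ]
}
```

Create it with `aws organizations create-policy --type SERVICE_CONTROL_POLICY --content file://scp.json --name ...` and attach it to the OU with `aws organizations attach-policy`. Two caveats a practitioner should keep in mind: an SCP never grants permissions, it only filters what the IAM policies inside the member accounts can allow, so the default FullAWSAccess policy has to stay attached alongside this one; and SCPs do not apply to the management account at all, which is one more reason to run no workloads there. The root-deny statement blocks the root user in member accounts outright, so the few account-level tasks that only root can perform then require temporarily detaching the policy; treat that as a deliberate break-glass step rather than an inconvenience to engineer around.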
plan a move from on-premises to AWS and estimate the cost savings |
TCO calculator |
|
cost of services on AWS |
pricing calculator |
|
high level overview + free tier dashboard |
billing dashboard |
|
tag resources so that costs can be broken down per tag in billing reports |
cost allocation tags |
|
most comprehensive billing dataset |
cost & usage reports |
|
view current usage (detailed) and forecast usage |
cost explorer |
|
CloudWatch billing metrics are only published in us-east-1; track overall and per-service estimated charges and alert when a threshold is crossed |
billing alarms |
|
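A CloudFormation template for the billing alarms card, as an added example and not part of the original flashcard set: one alarm on total estimated charges and one on EC2 alone, both notifying an SNS e-mail subscription. The parameter names, the default threshold and the choice of EC2 as the per-service example are assumptions. The stack has to be deployed in us-east-1, because the AWS/Billing metrics exist only there, and "Receive Billing Alerts" must first be enabled in the account's Billing preferences or the EstimatedCharges metric is never published.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Billing alarms; deploy in us-east-1 only, the AWS/Billing namespace is not available elsewhere",
  "Parameters": {
    "MonthlyThresholdUsd": { "Type": "Number", "Default": 100 },
    "Ec2ThresholdUsd": { "Type": "Number", "Default": 50 },
    "NotificationEmail": { "Type": "String" }
  },
  "Resources": {
    "BillingTopic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {
        "Subscription": [
          { "Protocol": "email", "Endpoint": { "Ref": "NotificationEmail" } }
        ]
      }
    },
    "TotalChargesAlarm": {
      "Type": "AWS::CloudWatch::Alarm",
      "Properties": {
        "AlarmDescription": "Estimated month-to-date charges for the whole account exceed the threshold",
        "Namespace": "AWS/Billing",
        "MetricName": "EstimatedCharges",
        "Dimensions": [ { "Name": "Currency", "Value": "USD" } ],
        "Statistic": "Maximum",
        "Period": 21600,
        "EvaluationPeriods": 1,
        "Threshold": { "Ref": "MonthlyThresholdUsd" },
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [ { "Ref": "BillingTopic" } ]
      }
    },
    "Ec2ChargesAlarm": {
      "Type": "AWS::CloudWatch::Alarm",
      "Properties": {
        "AlarmDescription": "Estimated month-to-date EC2 charges exceed the threshold",
        "Namespace": "AWS/Billing",
        "MetricName": "EstimatedCharges",
        "Dimensions": [
          { "Name": "ServiceName", "Value": "AmazonEC2" },
          { "Name": "Currency", "Value": "USD" }
        ],
        "Statistic": "Maximum",
        "Period": 21600,
        "EvaluationPeriods": 1,
        "Threshold": { "Ref": "Ec2ThresholdUsd" },
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [ { "Ref": "BillingTopic" } ]
      }
    }
  }
}
```

The billing metric is refreshed roughly every six hours, hence the 21600-second period with `Maximum` as the statistic; a shorter period mostly yields INSUFFICIENT_DATA. The SNS e-mail subscription must be confirmed from the mailbox before any notification is delivered. This is the quick safety net that also catches the classic compromised-key symptom (a sudden EC2 spend spike in regions you do not use); AWS Budgets is the better fit for forecasts, RI coverage and per-tag tracking.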
more advanced: track usage, costs and RI utilization/coverage, and get alerts when actual or forecast spend exceeds a budget |
Budgets |
|
identity for your Web and Mobile application users (potentially millions) instead of creating them an IAM user |
Amazon Cognito |
|
found on any Windows Server with AD Domain Services; database of objects: user accounts, computers, printers, file shares, security groups; centralized security management: create accounts, assign permissions |
Microsoft Active Directory |
|
AWS Managed Microsoft AD: create your own AD in AWS, manage users locally, supports MFA, establish "trust" relationships with your on-premises AD |
AWS Directory Services |
|
Directory gateway (proxy) that redirects requests to your on-premises AD; users are managed in the on-premises AD |
AD Connector |
|
AD-compatible managed directory on AWS; cannot be joined with an on-premises AD |
Simple AD |
|
centrally manage SSO to access multiple AWS accounts and 3rd-party business applications; integrated with AWS Organizations; supports SAML 2.0; integration with on-premises AD |
AWS SSO |
|
Identity and Access Management inside your account for users that you trust and belong to your company |
IAM |
|
manage multiple AWS accounts |
organizations |
|
create a database of users for your mobile and web applications |
Cognito |
|
integrate Microsoft AD with AWS |
Directory services |
|
one login for multiple aws accounts & applications |
SSO |
|
stop guessing your capacity needs - use ASG based on demand; test systems at production scale; automate to make architectural experimentation easier; allow for evolutionary architectures - design based on changing requirements; drive architectures using data; improve through game days - simulate events such as flash-sale days against your applications |
Well architected framework general guiding principles |
|
scalability disposable resources automation: serverless, infrastructure as a service, auto scaling Loose coupling services, not servers |
AWS Cloud Best practices |
|
well-architected framework 5 pillars |
1. Operational Excellence 2. Security 3. Reliability 4. Performance Efficiency 5. Cost Optimization |
|
ability to run and monitor systems to deliver business value and to continually improve supporting processes and procedures |
Operational Excellence |
|
perform operations as code - infrastructure as code; annotate documentation - automate the creation of annotated documentation after every build; make frequent, small, reversible changes; refine operations procedures frequently; anticipate failure; learn from all operational failures |
design principles for operational excellence |
|
Prepare - AWS CloudFormation, AWS Config (evaluate compliance); Operate - AWS CloudFormation, Config, CloudTrail, CloudWatch, X-Ray; Evolve - CloudFormation, CodeBuild, CodeCommit, CodeDeploy, CodePipeline |
Operational excellence AWS Services |
|
ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies |
Security |
|
Implement a strong identity foundation - centralize privilege management and reduce reliance on long-term credentials, principle of least privilege, IAM; Enable traceability - integrate logs and metrics with systems to automatically respond and take action; Apply security at all layers - edge network, VPC, subnet, load balancer, every instance, OS; Automate security best practices; Protect data in transit and at rest - encryption, tokenization, and access control; Keep people away from data - reduce or eliminate the need for direct access or manual processing of data; Prepare for security events - run incident response simulations and use tools with automation to increase your speed of detection, investigation and recovery |
Security Design Principles |
|
Identity and Access Management - IAM, AWS STS, MFA token, Organizations; Detective Controls - Config, CloudTrail, CloudWatch; Infrastructure Protection - CloudFront, VPC, Shield, WAF, Inspector; Data Protection - KMS, S3, ELB, EBS, RDS; Incident Response - IAM, CloudFormation, CloudWatch Events |
Security AWS Services |
|
ability of a system to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues |
Reliability |
|
Test recovery procedures - use automation to simulate different failures; Automatically recover from failure - anticipate and remediate failures before they occur; Scale horizontally to increase aggregate system availability - distribute requests across multiple, smaller resources so they don't share a common point of failure; Stop guessing capacity - maintain the optimal level to satisfy demand, use auto scaling; Manage change in automation - use automation to make changes to infrastructure |
Reliability Design Principles |
|
Foundations - IAM, VPC, Service Limits, Trusted Advisor; Change Management - AWS Auto Scaling, CloudWatch, CloudTrail, Config; Failure Management - Backups, CloudFormation, S3, S3 Glacier, Route 53 |
Reliability AWS Services |
|
Ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technology evolves |
Performance Efficiency |
|
Democratize advanced technologies; Go global in minutes - easy deployment in multiple regions; Use serverless architectures - avoid the burden of managing servers; Experiment more often - easy to carry out comparative testing; Mechanical sympathy - be aware of all AWS services |
Performance Efficiency design principles |
|
Selection - Auto Scaling, Lambda, EBS, S3, RDS; Review - CloudFormation, AWS News Blog; Monitoring - CloudWatch, Lambda; Tradeoffs - RDS, ElastiCache, Snowball, CloudFront |
Performance efficiency AWS services |
|
ability to run systems to deliver business value at the lowest price point |
cost optimization |
|
Adopt a consumption model - pay only for what you use; Measure overall efficiency - use CloudWatch; Stop spending money on data center operations - AWS does the infrastructure, enabling customers to focus on their own projects; Analyze and attribute expenditure - accurate identification of system usage and costs helps measure return on investment, use tags; Use managed and application-level services to reduce cost of ownership - as managed services operate at cloud scale, they can offer a lower cost per transaction or service |
cost optimizations design principles |
|
Expenditure Awareness - Budgets, Cost & Usage Report, Cost Explorer, RI Reporting; Cost-Effective Resources - Spot Instances, Reserved Instances, S3 Glacier; Matching supply and demand - Auto Scaling, Lambda; Optimizing Over Time - Trusted Advisor, Cost & Usage Report |
Cost Optimization AWS Services |
|
AWS Ecosystem Free resources |
Blogs; Forums; Whitepapers & Guides; Quick Starts - automate gold-standard deployments in the Cloud (e.g. WordPress on AWS), leverage CloudFormation; Solutions - vetted technology solutions for the AWS Cloud, e.g. Landing Zone: a secure, multi-account environment |
|
digital catalog with thousands of software listings from independent software vendors (3rd party); e.g. custom AMIs (custom OS, firewalls, technical solutions), CloudFormation templates, Software as a Service, containers; charges go onto your AWS bill; you can sell your own solutions on the Marketplace |
AWS Marketplace |
|
AWS Digital and Classroom Training; Private Training (for your org); Training and certification for the US Government; Training and certification for Enterprise; AWS Academy - helps universities teach AWS; online and instructor-led |
AWS Training |
|
a global team of experts who work alongside your team and a chosen member of the APN |
AWS Professional Services |
|
APN |
AWS Partner Network |
|
provide hardware, connectivity, and software |
APN Technology Partners |
|
professional services firms that help you build on AWS |
APN Consulting Partners |
|
find who can help you learn AWS |
APN Training Partners |
|
AWS Competencies are granted to APN Partners who have demonstrated technical proficiency and proven customer success in specialized solution areas |
AWS Competency Program |
|
cables, routers, and servers connected together |
network |
|
forwards data packets between networks |
router |
|
takes a packet and sends it to the correct server/client on the local network |
switch |
|
pay rent for the data center; pay for power supply, cooling, maintenance; hardware costs; scaling is limited; pay a team to monitor the infrastructure |
Problems with Traditional IT |
|
on-demand delivery of compute power, databases, storage and other IT resources, with pay-as-you-go pricing |
Cloud computing |
|
used by a single organization, complete control, meets specific needs |
private cloud |
|
AWS, Azure, Google Cloud; owned and operated by a 3rd party |
public cloud |
|
5 characteristics of cloud computing |
on-demand self-service; broad network access; multi-tenancy and resource pooling; rapid elasticity and scalability; measured service |
|
6 advantages of cloud computing |
trade capital expenditure for operational expenditure; benefit from economies of scale; stop guessing capacity; increase speed and agility; stop spending money running and maintaining data centers; go global in minutes |
|
problems solved by cloud |
flexibility; cost effectiveness; scalability; elasticity; high availability + fault tolerance; agility |
|
3 types of cloud computing |
Infrastructure as a Service - building blocks, highest level of flexibility; Platform as a Service - deployment and management of apps; Software as a Service - a completed product run and managed by the service provider |
|
3 Pricing fundamentals |
1. Compute - pay for compute time; 2. Storage - pay for data stored; 3. Data transfer OUT of the cloud (data transfer IN is free) |
|
Examples of IaaS |
EC2, GCP, Azure, Rackspace, Digital Ocean |
|
Examples of PaaS |
Elastic Beanstalk, Heroku, Google App Engine, Windows Azure |
|
Examples of SaaS |
AWS services (e.g. Rekognition), Gmail, Dropbox, Zoom |