Benefits of Cloud:
1. Trade capital expense for variable expense
2. Benefit from massive economies of scale
3. Increase speed and agility: react quickly as requirements change
4. Stop spending money on running and maintaining data centers
5. Go global in minutes
6. Security is shared, not outsourced: AWS secures the underlying infrastructure, but you remain responsible for what you deploy on it (IAM, data, patching, network rules); see the shared responsibility model below.
AWS Well-Architected Framework: five pillars (Sustainability was added later as a sixth) ->
1. Operational excellence
Avoid/minimize effort and problems with: provisioning servers, deployment, monitoring and support
Automate with CloudFormation: use Infrastructure as Code. Implement CI/CD to find problems early: CodePipeline, CodeBuild, CodeDeploy. Perform frequent, small, reversible changes
2. Security
Strong identity foundation (IAM, least privilege, MFA), traceability (CloudTrail, Config), security at every layer, encryption at rest and in transit, automated security best practices
3. Reliability
Your application in the cloud should be able to automatically recover from failures of one or more components.
Ø Ability to recover from infrastructure and application issues
Ø Adapt to changing demands in load
4. Performance efficiency (CloudFront, load balancers below)
5. Cost optimization (EC2 purchasing options below)
Amazon CloudFront: CDN that gives global users low-latency access to static (and dynamic) content from 200+ edge locations; if content is not in the edge cache it is fetched from the origin and cached.
Origins: S3, EC2, ELB or external (custom) websites
AWS load balancers (Elastic Load Balancing):
Application Load Balancer: most used, layer 7 HTTP/HTTPS, advanced routing (headers, query params, path- and host-based)
Network Load Balancer: layer 4, high performance use cases, supports TCP/TLS and UDP
Classic Load Balancer: previous generation, not recommended for new workloads
Spot Instances: cheapest (up to 90% discount); can be reclaimed by AWS with a 2-minute interruption notice; for cost-sensitive, fault-tolerant, non-time-critical workloads.
On-Demand: most flexible and most expensive; immediate workloads (web applications/batch jobs), applications that cannot be interrupted, short-term irregular load.
Reserved Instances: capacity reserved ahead of time for a 1- or 3-year term, up to 75% discount; Scheduled Reserved Instances (now retired) reserved a recurring time window each day/week for a smaller (5-10%) discount.
Savings Plans: commit to spending $x per hour on compute (EC2, Fargate, Lambda) for 1 or 3 years, up to 66% off (Compute Savings Plans); payment options are all upfront, partial upfront or no upfront.
AWS Management Console: manually provision an EC2 instance through the user interface.
Programmatic / Infrastructure as Code provisioning: AWS CLI, SDKs and AWS CloudFormation templates (repeatable, reviewable, version-controlled).
AWS Configuration, Security and Firewall:
AWS CloudTrail: audit and monitor changes made to your AWS account. Records API calls made via the Management Console, CLI, SDKs and by AWS services themselves, i.e. changes to your AWS resources. Answers "who did what, when, and from where?" for auditing and troubleshooting (e.g. who deleted a resource). Deliver the trail to a central, access-restricted S3 bucket and enable log file validation so the audit log itself cannot be silently altered.
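The "who did what" use case turns into detection rules once the trail is delivered to S3. The block below is an added example (not from these notes or from AWS): it runs three rules over constructed records in the CloudTrail record shape. Rule names, severities and the sample account/IP values are this example's own choices.

```python
"""Detection rules over CloudTrail events (added example, standard library only).

The records below are constructed to mimic the CloudTrail record format; a real
trail delivers gzipped JSON files with a top-level {"Records": [...]} to S3.
"""
import json

SAMPLE_LOG = json.dumps({"Records": [
    {   # root console login with no MFA: two findings
        "eventTime": "2024-05-01T10:00:00Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "sourceIPAddress": "203.0.113.10",
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # destructive S3 call
        "eventTime": "2024-05-01T10:05:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteBucket",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"bucketName": "prod-backups"},
    },
    {   # tampering with the audit trail itself
        "eventTime": "2024-05-01T10:06:00Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"},
    },
    {   # benign read-only call: no finding
        "eventTime": "2024-05-01T10:07:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/bob"},
        "sourceIPAddress": "198.51.100.7",
    },
]})

# Calls that weaken auditing or destroy data; alert regardless of who made them.
HIGH_RISK_CALLS = {"StopLogging", "DeleteTrail", "DeleteBucket",
                   "DeleteFlowLogs", "DisableKey", "ScheduleKeyDeletion"}


def who(event):
    """Best available actor identifier for a record."""
    ident = event.get("userIdentity", {})
    return ident.get("arn") or ident.get("type", "unknown")


def analyze(log_text):
    """Return a list of (rule, actor, detail) findings for one log file."""
    findings = []
    for ev in json.loads(log_text)["Records"]:
        name = ev.get("eventName")
        actor = who(ev)
        if ev.get("userIdentity", {}).get("type") == "Root":
            findings.append(("root-activity", actor, name))
        if name == "ConsoleLogin" and ev.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append(("console-login-without-mfa", actor, ev.get("sourceIPAddress")))
        if name in HIGH_RISK_CALLS:
            target = json.dumps(ev.get("requestParameters", {}), sort_keys=True)
            findings.append(("high-risk-api-call", actor, f"{name} {target}"))
    return findings


if __name__ == "__main__":
    for rule, actor, detail in analyze(SAMPLE_LOG):
        print(f"{rule:28} {actor:55} {detail}")
```

In production the same rules would run from a Lambda triggered by the S3 delivery, or be expressed as CloudWatch metric filters / EventBridge rules; the point is that StopLogging and DeleteTrail deserve an alert before anything else, because they blind every other rule.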
AWS Config: complete inventory of your AWS resources with resource history and change tracking (find how a resource was configured at any point in time). Governance: customize Config Rules for specific resources or the entire account and continuously evaluate compliance against the desired configuration.
AWS Organizations: manage many accounts centrally and apply service control policies (SCPs), which set a permission ceiling across accounts (e.g. deny ec2:StopInstances unless MFA was used). SCPs never grant permissions and do not apply to the management account.
1. Manage multiple AWS accounts
2. Centrally manage AWS Config rules
3. Send CloudTrail data from all accounts to one S3 bucket (organization trail)
4. Firewall Manager to centrally manage firewall rules (WAF, Shield, security groups)
5. Define service control policies across accounts
6. Consolidated billing for all accounts
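The "MFA to stop an EC2 instance" SCP, as an added example (not from these notes): the policy document is in the real SCP/IAM JSON syntax; the evaluator around it is a minimal stand-in for the IAM policy engine that covers only Deny statements, action globs and the Bool / BoolIfExists operators. It exists to show one caveat a practitioner should check: with plain Bool, a request made with long-term access keys (where aws:MultiFactorAuthPresent is absent) is not denied.

```python
"""Minimal evaluator for a deny-style Service Control Policy (added example).

Supports only what the SCP below uses: Effect=Deny, Action globs, and the
Bool / BoolIfExists operators on aws:MultiFactorAuthPresent.
"""
import copy
from fnmatch import fnmatch

# Organizations SCP: nobody in the OU may stop or terminate instances unless the
# request came from an MFA-authenticated session.
DENY_STOP_WITHOUT_MFA = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyStopTerminateWithoutMFA",
        "Effect": "Deny",
        "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}


def _condition_matches(condition, context):
    """Evaluate Bool / BoolIfExists; any other operator is out of scope here."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if key not in context:
                # IfExists: a missing key counts as a match; plain Bool: no match.
                if operator == "BoolIfExists":
                    continue
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def scp_denies(policy, action, context):
    """True if any Deny statement matches the action and request context.

    SCPs never grant anything; they only cap what IAM policies may allow.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch(action, pattern) for pattern in actions):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


def with_operator(policy, operator):
    """Copy of the policy with its single condition operator swapped, for comparison."""
    p = copy.deepcopy(policy)
    cond = p["Statement"][0]["Condition"]
    p["Statement"][0]["Condition"] = {operator: next(iter(cond.values()))}
    return p


if __name__ == "__main__":
    # Request contexts: console session with MFA, one without, and a CLI call made
    # with long-term access keys, where the MFA key is absent from the context.
    contexts = [("console + MFA", {"aws:MultiFactorAuthPresent": "true"}),
                ("console, no MFA", {"aws:MultiFactorAuthPresent": "false"}),
                ("access keys", {})]
    plain_bool = with_operator(DENY_STOP_WITHOUT_MFA, "Bool")
    for label, ctx in contexts:
        print(f"{label:16} StopInstances denied: "
              f"BoolIfExists={scp_denies(DENY_STOP_WITHOUT_MFA, 'ec2:StopInstances', ctx)} "
              f"Bool={scp_denies(plain_bool, 'ec2:StopInstances', ctx)}")
```

The third row is the one to remember: the published "deny unless MFA" pattern uses BoolIfExists precisely so that access-key requests, which carry no MFA context key at all, fall under the deny.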
Amazon CloudWatch: monitoring and observability service; can also raise a billing alarm based on the estimated monthly charges.
CloudWatch Alarms: take automatic action when a metric crosses a threshold, e.g. execute an Auto Scaling policy on EC2 CPU utilization or SQS queue length, or send an SNS notification (email) on DynamoDB table throughput, NetworkIn, NetworkOut.
CloudWatch Metrics: e.g. EC2 instance metrics: CPUUtilization, NetworkIn, NetworkOut.
CloudWatch Events (now Amazon EventBridge): react to AWS resource state changes or a schedule, e.g. call a Lambda function or send an email when an EC2 instance starts.
Amazon EventBridge: event bus for building event-driven architectures.
AWS X-Ray: trace requests across microservices/AWS services; analyze and troubleshoot errors, resolve performance issues.
Amazon GuardDuty: continuous monitoring of the AWS environment for suspicious or malicious activity (intelligent threat detection); analyzes CloudTrail events, VPC Flow Logs and DNS logs.
Amazon Detective: investigate findings and quickly identify the root cause of a potential security issue.
AWS Security Hub: consolidated view of your AWS security posture; automates security checks, aggregates findings (GuardDuty, Inspector, Macie, etc.) and helps prioritize the highest-priority issues.
Amazon Macie: uses ML to discover and classify sensitive data (PII, credentials) in S3; when migrating data to AWS, stage it in S3 and run Macie over it.
AWS Artifact: self-service portal for on-demand access to AWS compliance reports, certifications, accreditations and third-party attestations; review, accept and manage your agreements with AWS.
AWS Certificate Manager: provision and renew SSL/TLS certificates and attach them to AWS services (ELB, CloudFront, API Gateway).
AWS WAF (Web Application Firewall):
Protects web applications (in front of CloudFront, ALB or API Gateway) from common web exploits such as the OWASP Top 10: SQL injection, cross-site scripting, etc. It filters HTTP requests; it does not patch vulnerabilities (CVEs) in your code.
Network ACL (NACL): stateless firewall at the subnet level with explicit allow and deny rules; stops traffic before it reaches any instance in the subnet.
VPC Flow Logs: capture accepted/rejected traffic metadata; used to monitor network traffic and troubleshoot connectivity issues (NACL and security group misconfiguration).
Amazon Inspector: automated vulnerability assessment of AWS resources (EC2 instances, container images) to identify potential security issues; define an assessment target (a collection of resources) and run an assessment against it.
AWS Direct Connect: private, dedicated network connection between AWS and your data center; reduces network costs, increases bandwidth throughput and gives a more consistent network experience. Used for hybrid cloud.
NAT Gateway: lets instances in a private subnet reach the internet (e.g. to download patches) while denying connections initiated from the internet; it translates the private source address to a public (Elastic) IP.
VPC subnets: separate private resources from public ones. A VPC endpoint connects the VPC privately to another AWS service without traversing the internet.
Internet Gateway: lets instances in public subnets send traffic to and accept traffic from the internet.
Security groups: virtual firewall controlling inbound/outbound traffic to/from AWS resources (EC2 instances, databases, etc.). Rules are allow-only and stateful: return traffic of an allowed connection is permitted automatically. With no inbound rules, no inbound traffic is allowed.
By default a security group denies all inbound traffic and allows all outbound traffic.
To explicitly block a specific IP address or range, use a network ACL deny rule; a security group cannot express a deny, it can only omit an allow.
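Stateful vs stateless is the part of the NACL / security group distinction that bites in practice, so here is an added example (not from these notes) that simulates both for one HTTPS exchange. The rule semantics follow the VPC documentation; the addresses, ports and rule sets are constructed, and the classes are a toy model rather than anything AWS exposes.

```python
"""Stateful security group vs stateless network ACL, as a small simulator.
Added example: rule semantics follow the AWS VPC docs; addresses, ports and
rule sets are constructed for illustration."""
import ipaddress


def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


class SecurityGroup:
    """Allow-only rules, no ordering, stateful: once a packet is allowed, the
    replies for that connection are allowed in the other direction too."""
    def __init__(self, inbound, outbound):
        self.inbound = inbound      # (cidr, port_from, port_to), matched on local port
        self.outbound = outbound    # (cidr, port_from, port_to), matched on remote port
        self.tracked = set()        # (remote_ip, remote_port, local_port)

    def allow(self, direction, remote_ip, remote_port, local_port):
        flow = (remote_ip, remote_port, local_port)
        if flow in self.tracked:            # reply traffic of a known connection
            return True
        rules, port = ((self.inbound, local_port) if direction == "in"
                       else (self.outbound, remote_port))
        if any(in_cidr(remote_ip, c) and lo <= port <= hi for c, lo, hi in rules):
            self.tracked.add(flow)
            return True
        return False


class NetworkACL:
    """Numbered allow/deny rules evaluated lowest number first with an implicit
    deny at the end; stateless, so reply packets need their own rule."""
    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound)      # (number, "allow"|"deny", cidr, from, to)
        self.outbound = sorted(outbound)

    def allow(self, direction, remote_ip, remote_port, local_port):
        rules, port = ((self.inbound, local_port) if direction == "in"
                       else (self.outbound, remote_port))
        for _, action, cidr, lo, hi in rules:
            if in_cidr(remote_ip, cidr) and lo <= port <= hi:
                return action == "allow"
        return False


def https_exchange(sg, nacl, client_ip, client_port=51515):
    """Client -> server:443, then the server's reply to the client's ephemeral
    port. Returns (request_delivered, reply_delivered)."""
    request = (nacl.allow("in", client_ip, client_port, 443)
               and sg.allow("in", client_ip, client_port, 443))
    if not request:
        return False, False
    reply = (sg.allow("out", client_ip, client_port, 443)
             and nacl.allow("out", client_ip, client_port, 443))
    return True, reply


def web_sg():
    """Typical web-server group: 443 in from anywhere, default allow-all outbound."""
    return SecurityGroup(inbound=[("0.0.0.0/0", 443, 443)],
                         outbound=[("0.0.0.0/0", 0, 65535)])


ALLOW_443_IN = (100, "allow", "0.0.0.0/0", 443, 443)
ALLOW_EPHEMERAL_OUT = (100, "allow", "0.0.0.0/0", 1024, 65535)
DENY_ATTACKER_IN = (50, "deny", "203.0.113.0/24", 0, 65535)    # lower number wins

if __name__ == "__main__":
    legit, attacker = "198.51.100.7", "203.0.113.10"
    # 1. Forgot the outbound ephemeral-port rule: request arrives, reply is dropped.
    print(https_exchange(web_sg(), NetworkACL([ALLOW_443_IN], []), legit))
    # 2. With the ephemeral rule the exchange completes.
    print(https_exchange(web_sg(), NetworkACL([ALLOW_443_IN], [ALLOW_EPHEMERAL_OUT]), legit))
    # 3. Blocking one network: only the NACL can say "deny".
    blocking = NetworkACL([DENY_ATTACKER_IN, ALLOW_443_IN], [ALLOW_EPHEMERAL_OUT])
    print(https_exchange(web_sg(), blocking, attacker), https_exchange(web_sg(), blocking, legit))
    print(web_sg().allow("in", attacker, 40000, 443))    # the SG alone lets it through
```

Scenario 1 is the classic "NACL and security group misconfiguration" that VPC Flow Logs surface as REJECT records on the outbound leg; scenario 3 is why an IP block belongs in the NACL.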
AWS automated deployment, CI/CD and management services:
AWS CloudFormation: infrastructure provisioning -> provisions AWS resources from templates and automates deployment in a controlled, predictable way.
AWS SAM (Serverless Application Model): infrastructure provisioning for serverless resources (Lambda, API Gateway), built on CloudFormation.
AWS CodeCommit: managed Git repository
AWS CodePipeline: orchestrates the CI/CD pipeline
AWS CodeBuild: builds and tests code (packages and containers)
AWS CodeDeploy: automates deployment (EC2, ECS, Lambda, etc.)
AWS OpsWorks: configuration management (Chef and Puppet in AWS)
Amazon Lightsail: pre-configured stacks (LAMP, MEAN) at a low, predictable monthly price.
AWS SDKs: write code inside your application to interact with AWS services.
AWS application services:
Amazon ECS (Elastic Container Service): simplifies running microservices as Docker containers (load balancing + auto scaling); runs containers on EC2 clusters or on Fargate.
AWS Elastic Beanstalk: simplifies management of web and batch applications; automatically creates EC2 + ELB (load balancing and auto scaling).
AWS Fargate: serverless compute for ECS/EKS; deploy containers without managing instances.
AWS Lambda: serverless functions; no servers to manage.
AWS Professional Services: help from AWS with cloud migration, technical expertise for application migration and modernization.
AWS Partner Network (APN): partners and consulting framework that help enterprises make the best use of AWS; help with design, architecture, build, connectivity and migration.
AWS Abuse Team: assists when AWS resources are involved in abusive behavior (spam, etc.), when a DDoS attack is being made against your AWS resources, or when AWS resources are being used in a way that is inconsistent with the Acceptable Use Policy or corporate policy.
AWS Trusted Advisor: inspects your AWS environment and makes recommendations for saving money, improving performance and closing security gaps. Check categories are cost optimization, performance, security, fault tolerance and service limits.
There is no "reliability" category in Trusted Advisor.
Checks unrestricted access (security groups open to 0.0.0.0/0 on sensitive ports).
- Cost optimization: unused/idle resources, other opportunities (e.g. Reserved Instances)
- Security: settings to make your solution more secure (e.g. security groups, MFA on root)
- Fault tolerance: redundancy improvements, over-utilized resources
- Performance: improve speed and responsiveness of your solutions
- Service limits: is your usage above 80% of a service quota?
Example checks: 1. Amazon S3 bucket permissions (publicly accessible buckets)
2. MFA enabled on the AWS account root user
All AWS users (Basic/Developer support) have access to which Trusted Advisor checks?
The core security checks and service quota checks; the full set of checks requires Business support or above.
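The S3 bucket permissions check reduces to two questions: does any bucket policy statement allow a wildcard principal without a scoping condition, and does the bucket ACL grant anything to the AllUsers or AuthenticatedUsers groups. The block below is an added example (not from these notes or from AWS) that answers both for three constructed buckets; the bucket names, account ID and VPC endpoint ID are made up, and the condition-key heuristic is simpler than what IAM Access Analyzer does.

```python
"""Find public S3 bucket policies and ACLs: the logic behind Trusted Advisor's
"Amazon S3 Bucket Permissions" check. Added example built from the IAM policy
rules; the three buckets and their policies are constructed."""

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anyone on the internet
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account: still public
}
# Condition keys that narrow a "*" principal to something that is not "everyone".
SCOPING_KEYS = {"aws:SourceVpc", "aws:SourceVpce", "aws:SourceArn", "aws:SourceAccount",
                "aws:PrincipalOrgID", "aws:PrincipalAccount", "aws:PrincipalArn"}


def wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (both mean everyone)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def scoped_by_condition(condition):
    """A wildcard principal is not public if a condition ties it to a VPC, account
    or organization. Heuristic only: Access Analyzer also reasons about IP ranges
    and the Null / NotIpAddress operators."""
    return any(key in SCOPING_KEYS
               for pairs in (condition or {}).values() for key in pairs)


def public_statements(policy):
    """Sids (or indexes) of Allow statements that grant access to everyone."""
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if (stmt.get("Effect") == "Allow" and wildcard_principal(stmt.get("Principal"))
                and not scoped_by_condition(stmt.get("Condition"))):
            hits.append(stmt.get("Sid", f"Statement[{i}]"))
    return hits


def public_acl_grants(acl):
    """Permissions (READ, WRITE, FULL_CONTROL, ...) granted to a public group."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GROUPS]


def audit_bucket(name, policy, acl):
    findings = [f"{name}: policy statement {sid} allows Principal * without a scoping condition"
                for sid in public_statements(policy)]
    findings += [f"{name}: ACL grants {perm} to a public group" for perm in public_acl_grants(acl)]
    return findings


# Constructed buckets: a static website (public on purpose, still reported), a log
# bucket reachable only through a VPC endpoint but with a stray ACL, and a private one.
STATIC_SITE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::static-site/*"}]}
LOGS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::internal-logs/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}
LOGS_ACL = {"Grants": [{"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
PRIVATE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "OwnerOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "s3:*", "Resource": "arn:aws:s3:::private-data/*"}]}
NO_GRANTS = {"Grants": []}

if __name__ == "__main__":
    for name, pol, acl in [("static-site", STATIC_SITE_POLICY, NO_GRANTS),
                           ("internal-logs", LOGS_POLICY, LOGS_ACL),
                           ("private-data", PRIVATE_POLICY, NO_GRANTS)]:
        print(name, audit_bucket(name, pol, acl) or ["ok"])
```

The internal-logs case is the one audits miss: the policy looks fine, and the ACL is what makes the bucket public. S3 Block Public Access at the account level makes both findings impossible in the first place.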
What is redundancy in the AWS cloud?
If you need 10 instances to handle the load, you typically run a few more. These extra instances are redundant: if one or more instances fail, the performance of the application is not affected.
AWS price calculators, health dashboard and Cost Explorer:
Cost Explorer: view your AWS spend as graphs and dashboards with forecasts of future cost (filter by service, region, linked account, tags).
AWS Budgets: create budgets with alerts (SNS/email); enable cost allocation tags to categorize cost in cost management.
TCO (total cost of ownership) calculator: compares the cost of running applications on AWS vs. on-premises.
Three components of TCO: compute cost, storage cost, data transfer cost
AWS Pricing Calculator: estimate the monthly cost of an architecture to compare with the on-premises environment.
AWS cost management tools break down cost 1. by day, 2. by service and 3. by linked AWS account
AWS Systems Manager: run commands on a group of EC2 instances, manage OS and database patches (Patch Manager), store configuration and secrets (Parameter Store).
AWS Marketplace: digital catalogue to find and buy licensed software with flexible pricing (bring your own license (BYOL), free trial, pay-as-you-go, monthly, etc.).
AWS Personal Health Dashboard: personalized alerts when AWS is experiencing events that may impact you, with troubleshooting guidance.
AWS data transfer services:
AWS Snowball: physical device shipped to you; tens of TB per device (80 TB for Snowball Edge Storage Optimized), used for TB-to-PB scale transfers from on-premises to the cloud
AWS Snowmobile: shipping container on a truck, up to 100 PB per Snowmobile, for dozens of PB up to exabytes
AWS storage services:
Object: Amazon S3 (very flexible): stores objects by key (a single object can be up to 5 TB); can host a static website.
Block: storage attached to your EC2 instance, i.e. its hard disk.
EBS: Elastic Block Store, persistent volumes; e.g. run a self-managed database like MySQL on EC2 (RDS manages the storage for you instead).
EFS: file-based (NFS) storage
EC2 instance store: ephemeral block storage on the host, lost when the instance stops or terminates
AWS S3 storage classes:
Standard: frequently accessed data; scalable, durable (11 nines), accessible from on-premises and cloud
Standard-IA: low cost for long-lived, infrequently accessed data (backups for disaster recovery), non-critical data (image thumbnails, etc.); retrieval fee per GB
One Zone-IA: single AZ, lowest availability; for reproducible or secondary-copy data
Intelligent-Tiering: long-lived data with changing or unknown access patterns
Glacier: archive data with retrieval times from minutes to hours
Glacier Deep Archive: rarely accessed data, lowest cost, retrieval within hours
Reduced Redundancy: legacy, not recommended
AWS Storage Gateway (hybrid storage):
Tape Gateway: virtual tape library for backups from on-premises to S3 and Glacier
File Gateway: SMB/NFS file shares backed by S3
Volume Gateway: cloud-backed block storage (iSCSI)
Amazon Elastic File System (EFS): file system shared by multiple EC2 instances, grows and shrinks automatically.
File share storage between EC2 instances:
>> EFS (Linux, NFS)
>> FSx for Windows File Server (SMB)
>> FSx for Lustre (high performance)
Shared responsibility model for a managed database (RDS):
AWS-owned responsibilities: hardware maintenance, OS installation and patches, availability, durability, backups, scaling and maintenance.
Customer-owned responsibilities: choose DB type, manage DB users, create schema (tables and indexes), schema optimization, data classification and encryption settings.
For a self-managed database on EC2 the customer is additionally responsible for installing operating system security patches on the instance.
Shared controls (controls shared by AWS and the customer):
Patch management: AWS (infrastructure patches), customer (guest OS patches and software patches)
Configuration management: AWS (infrastructure), customer (guest OS, databases and applications)
Awareness & training: AWS trains its own employees, customers train theirs
OLTP -> Oracle, MySQL, SQL Server, PostgreSQL, etc. (Amazon RDS)
OLAP: Amazon Redshift: data warehouse for reporting, analytics and BI; analyzes petabytes of data
Document and key-value databases: DynamoDB: for apps with quickly evolving semi-structured (schema-less) data; terabytes of data with millisecond responses at millions of requests per second. Content management, catalogs, user profiles, shopping carts, session stores, gaming.
Amazon ElastiCache (in-memory database/cache, Redis or Memcached): for applications needing microsecond responses; caches database query results, can serve as a session store.
Amazon Athena: serverless; run quick ad-hoc SQL queries over data in S3 without provisioning a compute cluster.
Amazon Redshift Spectrum: recommended when you execute queries frequently against structured data in S3 from an existing Redshift cluster.
Amazon Aurora: AWS-managed MySQL- or PostgreSQL-compatible database with auto-scaling storage.
Type of EC2 instances:
General purpose: balance of memory, compute and networking
Compute optimized: high-performance compute, batch processing
Memory optimized: high-performance databases, in-memory caches
Storage optimized: data warehousing, high I/O workloads
Core Services Categories:
Ø Network and Content Delivery
Ø Databases [RDS & Non-RDS]
Ø Management & Governance
AWS messaging services to create loosely coupled applications and avoid cascading failures:
SNS: pub/sub pattern, bulk notifications, mobile push support
SQS: queue; consumers poll for messages
Amazon Kinesis: event streams with multiple consumers, each tracking its own position in the stream
Key management services:
AWS KMS: create and manage cryptographic keys in a multi-tenant service; key material never leaves KMS, services call it to generate and unwrap data keys (envelope encryption)
1. KMS integrates with most AWS storage and database services (S3, EBS, RDS, DynamoDB, ...)
2. Automatic rotation of customer-managed keys once a year (optional); old key material is retained so existing data still decrypts
3. Scheduled key deletion with a mandatory waiting period (min 7 days, max 30 days, default 30) during which the key is disabled, so you can verify nothing still uses it
4. Once deleted, all data encrypted under that key is unrecoverable
AWS CloudHSM: dedicated single-tenant hardware security module for regulatory compliance and very high security requirements
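Envelope encryption is what "KMS integrates with S3/EBS/RDS" means in practice, and it is why annual rotation does not require re-encrypting stored data. The block below is an added example (not from these notes or from AWS): ToyKMS is a toy model of the service, and an HMAC-SHA256 keystream with an encrypt-then-MAC tag stands in for AES-GCM so the block runs with the standard library alone. Do not reuse the toy cipher in real code; the structure (data key per object, wrapped key stored beside the ciphertext, master key never exported) is the part to take away.

```python
"""Envelope encryption the way KMS-integrated services do it (added example).

hmac/hashlib stand in for AES-GCM so the block runs anywhere; ToyKMS is a model
of the service contract, not the real API.
"""
import hashlib
import hmac
import secrets


def _stream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a keystream (stand-in for a real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def aead_encrypt(key, plaintext):
    """Encrypt-then-MAC; returns nonce || tag || ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def aead_decrypt(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))


class ToyKMS:
    """Master key material never leaves this object; callers only ever see
    plaintext data keys and wrapped (encrypted) data keys."""
    def __init__(self):
        self._versions = {}
        self.rotate()

    def rotate(self):
        """Annual rotation: add a new backing key, keep old ones for old wraps."""
        self.current = len(self._versions) + 1
        self._versions[self.current] = secrets.token_bytes(32)

    def generate_data_key(self):
        """GenerateDataKey: returns (plaintext_key, wrapped_key); the wrap records
        which backing key version encrypted it."""
        plaintext_key = secrets.token_bytes(32)
        wrapped = (self.current.to_bytes(2, "big")
                   + aead_encrypt(self._versions[self.current], plaintext_key))
        return plaintext_key, wrapped

    def decrypt_data_key(self, wrapped):
        """Decrypt: unwrap with whichever backing key version made the wrap."""
        version = int.from_bytes(wrapped[:2], "big")
        return aead_decrypt(self._versions[version], wrapped[2:])


def encrypt_object(kms, data):
    """What S3/EBS do per object: fresh data key, encrypt locally, store the
    wrapped key next to the ciphertext, forget the plaintext key."""
    data_key, wrapped = kms.generate_data_key()
    return {"wrapped_key": wrapped, "ciphertext": aead_encrypt(data_key, data)}


def decrypt_object(kms, stored):
    data_key = kms.decrypt_data_key(stored["wrapped_key"])
    return aead_decrypt(data_key, stored["ciphertext"])


if __name__ == "__main__":
    kms = ToyKMS()
    obj = encrypt_object(kms, b"customer record 42")
    kms.rotate()                                     # rotation: obj still decrypts
    print(decrypt_object(kms, obj), "wrapped under version",
          int.from_bytes(obj["wrapped_key"][:2], "big"))
```

Two consequences follow directly: rotating the KMS key changes only which version wraps new data keys, and deleting the key (after the 7-30 day window) removes every version, so no wrapped data key can ever be unwrapped again.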
Amazon Route 53 = domain registrar + DNS (Domain Name System) with health checks and routing policies
AWS Local Zones: bring the core services needed for the latency-sensitive parts of a workload closer to end users, while Availability Zones provide access to the full array of AWS services.
AWS Outposts: AWS Outposts is a fully managed service that extends AWS infrastructure, services, APIs, and tools to customer premises. By providing local access to AWS managed infrastructure, AWS Outposts enables customers to build and run applications on premises using the same programming interfaces as in AWS Regions, while using local compute and storage resources for lower latency and local data processing needs.
What is Amazon Polly?
Amazon Polly is a cloud service that converts text into lifelike speech. You can use Amazon Polly to develop applications that increase engagement and accessibility.
AWS Support Plans:
Basic (free): Trusted Advisor service quota and core security checks; no technical support cases.
Developer: Trusted Advisor service quota and core security checks; business-hours email access to Cloud Support Associates; unlimited cases, 1 primary contact; no AWS Support API.
Business: full Trusted Advisor checks; 24x7 phone, email and chat; unlimited contacts; AWS Support API.
Enterprise On-Ramp: full Trusted Advisor checks; 24x7 phone, email and chat; AWS Support API; pool of Technical Account Managers.
Enterprise: full Trusted Advisor checks; 24x7 phone, email and chat; AWS Support API; designated Technical Account Manager.
Few more AWS statements:
· Benefit of read replicas: improve database read scalability.
· Advantage of consolidated billing: combined usage across accounts earns volume discounts.
· Where can an AWS user find the prohibited actions on AWS infrastructure? The AWS Acceptable Use Policy.
· Which AWS service can help a company determine whether it has publicly accessible S3 buckets? AWS Trusted Advisor (S3 bucket permissions check); S3 Block Public Access prevents them in the first place.
· AWS Outposts brings native AWS services, infrastructure and operating models to virtually any data center, co-location space or on-premises facility, for data-intensive or latency-sensitive workloads that must stay on-prem.
· Virtual Private Gateway: the VPC-side component of a VPN connection between the AWS cloud and the on-premises network.
· Dedicated Host: physical server dedicated to you; required for per-socket/per-core software licenses (BYOL).
· Dedicated Instance: instance that runs in a VPC on hardware dedicated to a single customer.
· All AWS users have access to the Trusted Advisor core security and service quota checks.
· AWS Database Migration Service (DMS): migrate databases to AWS quickly and securely with minimal downtime.
Differences between cloud computing and traditional DCs:
Distributed infrastructure; elimination of single points of failure.