Get your team certified in AWS Solutions architecture – Associate and Professional Training

VPCs

  • Creating, Dividing, Connecting To, VPC Peering, VPC Monitoring, Flow Logs (capture all IP traffic to and from the network interfaces in the VPC), Bastion Hosts, Workspaces and more…
  • VPC – Subnets, Route Tables, Internet Gateways, Elastic IPs, Endpoints, NAT Gateways, Peering connect, NACLs, Sec Groups, VPN
  • — Endpoints – Say you have an S3 bucket that is only accessible over the internet, and a private EC2 instance needs access to it. Without an endpoint the traffic would have to leave AWS for the internet and come back in. Endpoints allow such resources to be accessed directly from within AWS.
  • — Tenancy – gives you the option of single tenancy (dedicated hardware), though it is costlier.
  • — Subnets- Public, Private and VPN Subnets
  • — Regions – 5 main regions in the US. Several international regions. Edge Locations count as a ‘regional’ data center for content distribution.
  • — IP address retention – in EC2-VPC, an address remains associated with the instance even after the instance is stopped and restarted. In EC2-Classic this is not true: stopping an instance dissociates the address from the instance.
  • — Default VPC – has route to internet for all subnets
  • — Only ONE IGW per VPC at a time.
  • — Up to 50 Customer Gateways (per region)
  • — 5 NAT GWs per AZ
  • — 5 VPGs per region
  • — Peering – Direct Routing using private IPs
  • — If a minimum of 4 running instances is required at all times, launch 2 in each of 3 AZs. If an entire AZ goes down, you still have 4 running instances.
  • — Wizard – VPC with private subnet and VPN, VPC with pub-private subnets and VPN, VPC with Pub-Priv subnets
  • — Important: the VPN is customer provided – not an AWS service.

VPC Subnets

  • — Understand CIDR blocks = from /16 to /28
  • — Understand Bastion Hosts – a jump server that sits in the public subnet and forwards traffic to the private subnet
  • — Master address 192.168.0.0/16 – where /16 equates to a mask of 255.255.0.0
  • Now each subnet can be 1.0, 2.0 etc.: 192.168.1.0, 192.168.2.0, 192.168.3.0, 192.168.4.0, with a mask of /24 for each subnet.
  • — AWS reserves 5 IP addresses per subnet
  • — Create DB, App and DMZ Subnets
  • — /28 is the smallest possible subnet (so no /29 or smaller).
  • — NACLs applied to entire subnet
  • — NACLs stateless – need both inbound and outbound rules
  • — Modify the network ACL on all public subnets to deny access from an IP address block (e.g. if repeated port scans are coming from a single IP block).
  • — Security group rules would only apply to EC2 instances and not ELBs etc.
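
An added Python example (not from these notes) of two of the points above: carving the 192.168.0.0/16 master block into /24 subnets with AWS’s 5 reserved addresses subtracted, and a stateless NACL evaluation showing why the deny rule for a scanning IP block must be numbered below the allow rules and why outbound traffic needs its own ephemeral-port rule. The scanner block, client address and rule numbers are constructed sample values.

```python
import ipaddress

# AWS reserves the first four and the last address of every subnet (the 5 noted above).
AWS_RESERVED_PER_SUBNET = 5

def carve_subnets(vpc_cidr, subnet_prefix):
    """Split the VPC block into equal subnets; return (cidr, usable_hosts) per subnet."""
    vpc = ipaddress.ip_network(vpc_cidr)
    if not (16 <= vpc.prefixlen <= subnet_prefix <= 28):
        raise ValueError("VPC and subnet prefixes must lie between /16 and /28")
    return [(str(s), s.num_addresses - AWS_RESERVED_PER_SUBNET)
            for s in vpc.subnets(new_prefix=subnet_prefix)]

# Network ACL model: rules are (number, action, cidr, low_port, high_port), evaluated
# lowest number first; the first match wins and an unmatched packet is denied.
def nacl_decision(rules, remote_ip, port):
    ip = ipaddress.ip_address(remote_ip)
    for _num, action, cidr, low, high in sorted(rules):
        if ip in ipaddress.ip_network(cidr) and low <= port <= high:
            return action
    return "deny"

# Constructed sample: 203.0.113.0/24 (a documentation range) stands in for the block
# that keeps port-scanning the public subnet.
SCANNER_BLOCK = "203.0.113.0/24"
INBOUND = [
    (90, "deny", SCANNER_BLOCK, 0, 65535),      # must sit before the allow rules
    (100, "allow", "0.0.0.0/0", 443, 443),
    (110, "allow", "0.0.0.0/0", 1024, 65535),   # replies to outbound connections
]
OUTBOUND_INCOMPLETE = [(100, "allow", "0.0.0.0/0", 443, 443)]
# The NACL is stateless: the reply to an inbound 443 connection leaves on the client's
# ephemeral port, so outbound needs its own rule or the reply is dropped.
OUTBOUND_COMPLETE = OUTBOUND_INCOMPLETE + [(110, "allow", "0.0.0.0/0", 1024, 65535)]

def reply_allowed(outbound_rules, client_ip, client_port):
    """True if the subnet can send the response packet back to the client."""
    return nacl_decision(outbound_rules, client_ip, client_port) == "allow"

if __name__ == "__main__":
    for cidr, usable in carve_subnets("192.168.0.0/16", 24)[:3]:
        print(cidr, usable, "usable addresses")
    print("scanner on 443:", nacl_decision(INBOUND, "203.0.113.9", 443))
    print("client on 443:", nacl_decision(INBOUND, "198.51.100.7", 443))
    print("reply, incomplete NACL:", reply_allowed(OUTBOUND_INCOMPLETE, "198.51.100.7", 50000))
    print("reply, complete NACL:", reply_allowed(OUTBOUND_COMPLETE, "198.51.100.7", 50000))
```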

Security, NACLs, Security Groups

EC2 Inside Out (The most tested topic, there’s more to EC2s than you imagine)

  • Instance Types – Reserved, On-Demand, Spot, Dedicated – Know the differences
  • Public IP versus Elastic IP – often used interchangeably. By default an EC2 instance gets its IP from the DHCP server. (An Elastic IP is associated with your account and can be moved between resources; a public IP is lost on restart.)
  • Domain Join instance to Directory Services
  • IAM role to access instance, Protect against accidental deletion
  • Enable Cloudwatch
  • Run Dedicated (Host or Instance) as opposed to a shared instance
  • EBS Storage – IOPs or General Purpose, also ‘delete on termination’ checkbox
  • Add tags for showback etc. purposes
  • Add / Assign Security Group to the instance. Allow RDP access (TCP) here.
  • Create a key pair to allow secure connection to instance.
  • Security Groups around EC2 – filter on destination ports only

IAM

  • Dashboards – What can you configure?  Groups, Users, Roles, Policies, Identity Providers, Account Settings, Credential Report, Encryption Keys
  • IAM and Security
    — Account security ( MFA, API)
    — OS, DB, Apps, Data encryption, Authentication, Network Identity
    — CloudTrail API calls, Pen Testing request (the customer performs it on EC2 after approval from AWS)
    — External identity: if you already manage user identities outside of AWS, you can use IAM identity providers instead of creating IAM users in your AWS account. SAML, OpenID, OpenLDAP
    — IAM users in your account using the IAM console can switch to a role
  • IAM , Users, Roles
    Email and Password (Root User)
    IAM User Name and Password
    Multi-Factor Authentication (MFA)
    Access Keys (Access Key ID and Secret Access Key) – used for a) API access, b) temporary access keys for short-term access. Maximum of 2 access keys at any time.
    Key Pairs – used for CloudFront URLs and EC2 SSH access only

    — Assign an IAM role to the instance to ensure that an access key and secret are not compromised (none need to be stored on the instance).
    — Roles – for users and instances; e.g. a temporary admin role for a user
    — Roles are a global service – across regions
    — 3rd-party access to an AWS account: although you could give Example Corp access to an IAM user and its long-term credentials in your AWS account, the highly recommended best practice is to use an IAM role instead. An IAM role provides a mechanism to allow a third party to access your AWS resources without needing to share long-term credentials (for example, an IAM user’s access key).
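
An added Python model (not from these notes or from AWS) of how a cross-account role’s trust policy gates the third party’s AssumeRole call described above, so no long-term credential of the account owner is ever shared. The account ids and the ExternalId value are constructed placeholders; the `sts:ExternalId` condition is a standard AWS guard against the confused-deputy problem that the notes do not mention.

```python
import json

# Constructed sample trust policy for a role that a third party (Example Corp, as in the
# note above) assumes. The account id and ExternalId are placeholders, not real values.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "examplecorp-placeholder-id"}}
  }]
}""")

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def account_of(principal_arn):
    """The account id is the 5th colon-separated field of an IAM ARN."""
    return principal_arn.split(":")[4]

def assume_role_allowed(trust_policy, caller_account, external_id=None):
    """Model the trust-policy half of an AssumeRole check.

    The caller's account must appear as a principal in an Allow statement for
    sts:AssumeRole, and every StringEquals condition must match the request
    context (here only sts:ExternalId). Nothing in the check involves the
    role owner's own access keys.
    """
    context = {"sts:ExternalId": external_id}
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if "*" not in principals and caller_account not in {account_of(p) for p in principals}:
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(key) == value for key, value in conditions.items()):
            return True
    return False

if __name__ == "__main__":
    print(assume_role_allowed(TRUST_POLICY, "111111111111", "examplecorp-placeholder-id"))  # True
    print(assume_role_allowed(TRUST_POLICY, "111111111111"))                                # False
    print(assume_role_allowed(TRUST_POLICY, "222222222222", "examplecorp-placeholder-id"))  # False
```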

RDS

  • — Read Replica vs. MultiAzs
  • — Can apply DB-specific settings across all RDS instances in an account – using Parameter Groups
  • — Multi-AZ deployment – synchronous replication for MariaDB, MySQL, Oracle and PostgreSQL is available by default.
  • — Multi AZ Failover times are typically 60-120 seconds.
  • — Multi-AZ not designed for read operations, cannot get read scalability.
  • — The failover mechanism automatically changes the DNS record of the DB instance to point to the standby DB instance.
  • — As a result, you will need to re-establish (not re-configure) any existing connections to your DB instance.
  • — Read Replica – can span regions. A read replica can be promoted to a production instance if needed.
  • — RDS creates a volume snapshot backing up the ENTIRE RDS instance – not just individual databases. Backup retention from 0 to 35 days. (1 is default)

Autoscaling

  • Launch Configuration, Capacity, Groups, Scaling Plans
  • Attaching an instance to an existing ASG – Running State, AMI must exist, not part of another ASG.

Storage – EBS

Storage – S3 (The second most tested topic)

  • S3 – 2 ways to encrypt – SSE on upload, or encrypt locally and transfer over the HTTPS endpoint
  • Storage for the internet. Storage for FILES (as opposed to tapes etc.)
  • Large Uploads – s3 Multi Part upload
  • Versioning
  • By default not fault tolerant across regions.
  • Cross Region Replication available to reduce a single point of failure; fault tolerant across AZs by default
  • Can encrypt during upload – SSE (Server Side Enc)
  • Cross Region Replication (CRR)
  • Data Lifecycle Mgmt
  • MFA Delete
  • Permissions
  • Time Limited Access (Expires after a period of time)
  • Bucket Policies, Backing up bucket to another bucket in a different account
  • Lifecycle of objects
  • S3 transfer (upload) acceleration
  • Data Consistency Model = read-after-write consistency (aka eventual consistency) – in ALL regions
  • Amazon S3 Standard IA (Infrequent Access) – slightly lower SLA and pricing
  • S3 RRS (Reduced Redundancy Storage, slightly lower durability – 4 nines)
  • All (except RRS) have a durability of 11 nines: 99.999999999%
    Availability – S3: 4 nines. Standard IA: 3 nines, 99.99%. Glacier: N/A

Storage – EFS

  • Petabytes, BigData, Analytics, Media Processing, NAS as a service
  • Truly elastic – grows, shrinks
  • Stored Redundantly across multiple AZs
  • 1 to 1000s of EC2 instances

Storage Gateway

Gateway-Cached Volumes (copy of most frequently accessed data stays on-premises on the AWS storage gateway)
Gateway-Stored Volumes (with S3 as backup)
Gateway-Virtual Tape Library (VTL) – create virtual tapes backed by S3, or a virtual tape shelf (VTS). Integrates with your iSCSI-based backup system.

CloudWatch (Third most tested topic)

  • Dashboard, Alarms, Events, Logs, Billing
  • Alarms can be: Alarm, Insufficient, OK, Billing

On-Prem to AWS Connectivity

— Direct Connect – With Private and Public Interfaces. Private Interface to connect to private AWS assets like VPCs. Public interface to connect to S3 etc.
— Direct Connect is not encrypted by default. You need to run a VPN tunnel on top of Direct Connect.
— VPN Connectivity
    — Customer Gateway on the customer side – needs a static, internet-routable IP.
    — On the AWS side, you need a software VPN appliance and an Internet Gateway

VPN Types

— Traditional VPN – Secure Channel using the internet – e.g. from Corporate Data Center to Remote User
— Site to Site – Same as Traditional – except, instead of corporate data center, there is a Branch office or a Service Provider etc (Basically, Hardware VPN construct on AWS side).
— Private Connection – e.g. MPLS (Multiprotocol Label Switching) – NOT an encrypted channel, but still a Virtual Private Network. No internet required. (Basically Direct Connect on AWS.)
— Customer Gateway on the customer side – needs a static, internet-routable IP. On the AWS side, you need a software VPN appliance.

Billing and Budgets

— Budgets vs. Cost Explorer vs. Cost Allocation Tags
— A budget is a way to plan your usage and costs (spend data). Budgets use data from Cost Explorer. Create a budget to see how many EC2 hours are used, how many GB are stored in S3, etc.

Elastic Map Reduce

  • Supports R, 9000+ open source modules
  • Supports Scalding on Apache Spark, R Studio

Simple Queuing Service

  • Horizontal scaling of tasks (e.g. a video-encoding task)
  • Guarantees the order of messages, however it can cause messages to be processed twice. Switch to SWF if this happens.
  • Need to delete messages programmatically

Policies and Identities

  • AWS can create identities – but an identity alone cannot be used to give read access to a bucket
  • Can configure a bucket policy for public read on all objects

Route 53  (Another highly tested topic)

  • — Public hosted zone
  • — Private Hosted zone for amazon vpc – friendly names for your vpc instances
  • — Extend onprem dns to amazon vpc
  • — Cannot automatically register EC2 instances with private hosted zones
  • — A – address record – regular DNS mapping to an IP address. Gives you both v6 and v4 addresses
  • — CNAME – canonical name record – an alias: a name that points to another name. E.g. for an ELB DNS name, you would create a CNAME.
  • — AAAA – also an address record, but for IPV6 instead of IPV4
  • — TXT Record – for verifying that you are owner of that dns record
  • — PTR – IP Address to name ( reverse of A record )
  • — SRV – Service locator
  • — SPF – sender policy framework, prevents spoofing
  • — NS – name server record – e.g. Images.anuj.com is a name server record
  • — SOA – start of authority record – primary name server and hierarchy
  • — Single A record -> multiple IP addresses – round robin; can be weighted IP addresses for round robin
  • — Geolocation of route53 A records
  • — Private / public hosted zones – NS and SOA are created by default
  • — Check route53 health by monitoring endpoint
  • — Policy – to map www1.* to a particular IP – traffic policy -> failover rule, geolocation rule, weighted rule
  • — Use an A record if you manage which IP addresses are assigned to a particular machine or if the IPs are fixed (this is the most common case)
  • — Use a CNAME record if you want to alias a name to another name and you don’t need other records (such as MX records for email) for the same name
  • — Use an ALIAS record if you are trying to alias the root domain (apex zone) or if you need other records for the same name

Monitoring –

  • AWS Trusted Advisor is a tool to help reduce cost, increase performance and security.
  • — CloudTrail vs. CloudWatch – widgets, alarms, dashboard
  • CloudTrail – logs every action on AWS: API calls from the management console, SDKs, command line tools, and higher-level services such as CloudFormation.
  • CloudWatch – take action against logged CloudTrail events. Metrics, set alarms, react to changes in AWS resources, app-performance-specific metrics, create a dashboard, operational health
  • CloudWatch – memory is not offered by CloudWatch, only disk reads, network data stats (bytes in and out) and CPU utilisation
  • Logs are stored indefinitely
  • Alarm history 14 days
  • CloudTrail logs can be sent to CloudWatch Logs for real-time monitoring. Assign CloudWatch metrics to the metric filters
  • Store logs  – cloudwatch or splunk or S3
  • Trusted Advisor- automated free audit, Performance, Cost Optimization, Fault Tolerance, Security
  • CloudWatch dashboard – widgets and alarms – can add metrics (billing estimate), can add perf counters
  • Alarms can be added directly from the EC2 instance as well.
  • Cloudwatch alarms – difference is you can even do ‘billing alarms’. set threshold, alarm actions
  • Create events – event rule vs. event pattern; event source: e.g. an unsuccessful EC2 launch as the trigger event; event target: SQS, snapshot

Cloud Watch

  • — Monitor EC2, DynamoDB, EBS, RDS instances, Elastic MapReduce job flows, SQS, SNS.
  • — Monitor custom metrics
  • — Monitor existing app logs and custom logs in near real time
  • — EC2 Instance Monitoring – Metrics are collected every 5 minutes and stored for 2 weeks.

DynamoDB vs Memcache

  • Shared Data Store, Low Latency and Durability. Memcache has the low latency and shared data store – but NOT durability


Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.


Anuj Varma – Hands-On Technology Architect, Clean Air Activist.