AWS Dev Jan 2022 Flashcards

1
Q

What is a region?

A

A cluster of datacenters. Most AWS services are region-scoped.

2
Q

How do you choose an AWS region?

A
  • Compliance - data may need to stay local to the region.
  • Proximity - reduce latency for the bulk of your users.
  • Available services - does the region offer the service you need?
  • Pricing - varies from region to region.

3
Q

Availability Zones

A

Each region normally has 3 AZs (6 is the max), e.g.
ap-southeast-2a
ap-southeast-2b
Altogether they form a region.
Each AZ is one or more data centres with redundant power, networking and connectivity. AZs are isolated from each other so that a disaster in one does not take out the others.

4
Q

IAM stand for?

A

Identity and Access Management - a global service.
Users are created in IAM.
Users can be grouped together where it makes sense, e.g. ‘developers’, ‘operations’.

5
Q

Can groups contain other groups?

A

No, groups can only contain users.
A user can belong to multiple groups.
Users and groups can be assigned a JSON document called a policy.
A policy defines the permissions of the user.

6
Q

IAM policy consists of?

A

Version number
Statement
ID (optional)
SID (optional)
Effect - allow or deny
Principal - who the policy applies to
Action - the list of actions the policy allows or denies
Resource - which resources the policy applies to

7
Q

Password policy

A

Prevent password reuse.
MFA - if the password is compromised, the account still can’t be accessed.
Virtual MFA device - on one phone.
Authy - multi-device.

8
Q

Password policy

A

Prevent password reuse.
MFA - if the password is compromised, the account still can’t be accessed.
Virtual MFA device - on one phone.
Authy - multi-device.

Universal 2nd Factor (U2F) security key
Supports multiple root and IAM users with a single security key.

Hardware key fob MFA device

Hardware key fob MFA device for GovCloud (US)

9
Q

Cloudshell?

A

A terminal in the AWS console from which CLI commands can be run.
Only available in some regions.

10
Q

IAM role

A

Intended to be used by AWS services.
Assigns permissions to an AWS service, e.g.:

EC2 instance (individual server) - may need to perform some action on AWS, so permission is given to the EC2 instance. EC2 uses the IAM role to access information from AWS and, if the permissions are correct, gets access.
Lambda function role
Roles for CloudFormation

11
Q

Security groups?

A

Control how traffic is allowed into or out of EC2 instances.
Rules reference either IP addresses or other security groups.
Act as a firewall.
Regulate access to ports and authorised IP ranges.
Can be attached to multiple instances.
Locked down to a region/VPC combination.
Live outside EC2.
A time-out is probably a security group issue.
A ‘connection refused’ error is likely an application error.
By default all inbound traffic is blocked and all outbound traffic is authorised.

12
Q

Ports

A

22 - SSH: log into a Linux instance over SSH
21 - FTP
22 - SFTP: upload files using SSH
90 - HTTP: access unsecured sites
443 - HTTPS: access secure sites
3389 - RDP (Remote Desktop Protocol): log into a Windows instance

13
Q

EBS

A

A network drive attached to instances while they run.
Data persists even after termination.
A ‘network USB stick’.
Locked to an AZ.
Delete on termination - controls the EBS behaviour when the EC2 instance terminates.

14
Q

EBS Snapshots

A

Backup.
Can be restored to another AZ.
EBS Snapshot Archive (24 - 72 hours to restore).
Recycle Bin - stored for about 1 year.
Fast Snapshot Restore.

15
Q

AMI

A

Customisation of an EC2 instance - your own software, configuration, monitoring tools.
Build your own AMIs - built for a specific region (can be copied across regions).
Quick start-up as everything is preconfigured.
Public AMI - AWS provided.
Own AMI.
AWS Marketplace AMI.
Process: start an EC2 instance, customise it, stop the instance for data integrity, build the AMI (creates EBS snapshots), then launch instances from the AMI.
Unique to each AWS region.

16
Q

EC2 instance store

A

Name of the hard drive physically attached to the server.
Ephemeral (if the EC2 instance is stopped, the data is lost).
Good for buffer/cache/scratch data.
Better I/O performance.

17
Q

EBS Volume types

A

Size / throughput / IOPS.
Only gp2/gp3 and io1/io2 can be EC2 boot volumes.
gp2/gp3 - low cost, cost-effective storage, low latency.
gp3 can set IOPS and throughput independently; in gp2 they’re linked.

Provisioned IOPS (io1/io2) - critical business applications needing sustained IOPS performance, or apps that need more than 16,000 IOPS.
Good for database workloads.

Hard disk drives st1, sc1
Cannot be boot volumes.
sc1 for infrequently accessed data - low cost.

Root volume - deleted on termination by default. Other EBS volumes are not deleted, as the setting is disabled by default.

EBS IOPS peak at 16,000 IOPS, or the equivalent of 5334 GB.

18
Q

EBS multi-attach

A
  • Up to 16 EC2 instances at a time.
  • Higher availability in clustered Linux applications (e.g. Teradata).
  • Multiple EC2 instances in the same AZ.

19
Q

EFS

A

Managed NFS - mounted on many EC2 instances.
Works with EC2 in multiple AZs.
Highly available, expensive, pay per use.
Only compatible with Linux-based AMIs (not Windows).
Use cases: content management, web serving, WordPress, data sharing.
File system scales automatically.
Mount the same file system on instances in multiple AZs.

20
Q

EFS

A

Big data - use the Max I/O performance mode.

21
Q

EFS -storage classes

A

Storage tiers:
Standard - frequently accessed files.
Infrequent Access (IA) - pay to access, lower cost to store.
Standard - multi-AZ.
For dev - One Zone IA (low cost), backups enabled by default.

22
Q

ebs vs efs

A

Elastic Block Store
Attaches to only one EC2 instance at a time.
Only in one AZ.
gp2 - IOPS increase as the disk size increases.
io1 - increase IOPS independently.
Backups use I/O, so don’t run backups when the app is busy.

To migrate EBS to a new AZ, take a snapshot and restore it in the other AZ.
Root EBS volumes are terminated when the instance is terminated (this setting can be adjusted).
A network volume that is only mounted on one instance.

23
Q

efs

A

Mounted on hundreds of instances across AZs.
EFS shares site files (WordPress).
Only for Linux (does not work with Windows).
Higher cost than EBS.
Leverage EFS IA for cost savings.
A network file system shared across multiple instances.

24
Q

Instance store

A

Max I/O on an EC2 instance, but an ephemeral drive - the data is lost if the instance is lost.
Best disk I/O - good for caching.
Can run a database, but data is lost if the EC2 instance is stopped. Set up a replication mechanism on another EC2 instance with an instance store to keep a standby copy, or set up backup mechanisms for the data.
For IOPS of 310,000.

25
Q

ELB

A

A managed load balancer costs less than setting up your own and is better for scalability.

26
Q

Load balancer (ELB)

A

Link the security group of the EC2 instance with the SG of the load balancer as the source. The EC2 instance will then only allow traffic coming from the load balancer - enhanced security.
Only the Network Load Balancer provides both a static DNS name and a static IP. The Application Load Balancer provides a static DNS name but does NOT provide a static IP. The reason is that AWS wants your Elastic Load Balancer to be accessible using a static endpoint, even if the underlying infrastructure that AWS manages changes.

27
Q

Application Load Balancer (ALB)

A

Load balancing to multiple HTTP apps across machines (target groups).
Load balancing to multiple apps on the same machine (containers).
Support for WebSocket and redirects.
Routing based on the URL path to different target groups, and on the hostname in the URL and the query string.
Good for microservices and container-based apps (Docker and ECS).
Port mapping feature - redirect to a port on ECS.

28
Q

Target groups (ALB)

A

EC2 instances (managed by Auto Scaling)
ECS tasks
Lambda functions
IP addresses - must be private IPs

29
Q

NLB

A

Layer 4 load balancer - TCP and UDP traffic.
High performance - handles millions of requests per second.
Less latency than ALB.
One static IP per AZ.
Target groups: EC2 instances; IP addresses (must be private IPs); an ALB (to get a fixed IP address in front of it).
Network Load Balancers support both TCP and UDP protocols.

30
Q

Gateway Load Balancer

A

Analyse traffic.
Target groups: EC2 instances; IP addresses (private IPs).

31
Q

Sticky sessions

A

Send a client to the same instance it was sent to previously.
Can be enabled for ALB and Classic.
A cookie with an expiration date controls this.
Use case: login session data.
Can cause an imbalance in the load.
Cookie types:
Application-based cookie - custom, generated by the application; must not use certain reserved AWS names.
Application cookie - generated by the load balancer.
Duration-based cookie - generated by the load balancer; the expiration is set by the load balancer.

32
Q

Cross-zone load balancing

A

Distributes traffic evenly across instances in different AZs.
Enabled by default for ALB; can be disabled at the target group level.
NLB and Gateway LB: disabled by default, some cost when enabled.
Classic: disabled by default, no charge.
If not enabled, traffic is distributed per ELB node no matter how many instances each node has.
When Cross-Zone Load Balancing is enabled, ELB distributes traffic evenly across all registered EC2 instances in all AZs.

33
Q

SNI - Server Name Indication

A

Load multiple SSL certificates onto one web server so that the server can serve multiple sites.
Requires the client to indicate the hostname of the target server in the initial SSL handshake.
Only works with ALB, NLB or CloudFront. Does not work with Classic.
Multiple target groups for different sites, using multiple SSL certificates.

34
Q

Auto Scaling Group

A

Minimum, maximum and desired number of EC2 instances.
Works with a load balancer.
Health check results are passed from the load balancer to the ASG so it can terminate unhealthy instances.
Launch template - information on how to launch EC2 instances.

35
Q

Auto Scaling Group - scaling policies

A

Dynamic:
Target tracking - keep a metric at a target value so capacity is always available.
Step scaling - driven by CloudWatch alarms.
Scheduled actions - when the scaling need is known in advance.
Predictive scaling.
Metrics:
CPU utilisation.
Request count per target - keeps the number of requests per EC2 instance stable.
Average network in/out.
For each Auto Scaling Group there’s a Cooldown Period after each scaling activity. In this period the ASG doesn’t launch or terminate EC2 instances. This gives the metrics time to stabilise. The default value for the Cooldown Period is 300 seconds (5 minutes).

36
Q

Server Name Indication (SNI)

A

Server Name Indication (SNI) allows you to expose multiple HTTPS applications, each with its own SSL certificate, on the same listener.

37
Q

RDS

A

PostgreSQL, MySQL, MariaDB, Oracle, Microsoft SQL Server, Aurora.

38
Q

Why RDS?

A

Managed service.
Automated provisioning and OS patching.
Continuous backups with restore (point-in-time restore).
Read replicas (performance).
Multi-AZ for disaster recovery.
Monitoring dashboard.
Maintenance windows.
Scaling capacity.
Storage backed by EBS (gp2 or io1).
Cannot SSH into the instances.

39
Q

RDS - storage auto scaling

A

Running out of storage - RDS detects it and automatically scales the storage.
Avoids manually scaling DB storage.
Set a maximum storage threshold.
Automatically modifies storage if: free storage is less than 10%; low storage lasts at least 5 minutes; 6 hours have passed since the last modification.
Useful for apps with unpredictable workloads.
Supports all RDS DB engines.

40
Q

Read replicas vs Multi-AZ

A

Read replicas help to scale reads.
Up to 5 read replicas - within AZ, cross-AZ or cross-region.
Replication is async, so reads are eventually consistent.
Replicas can be promoted to their own DB.
Read replicas are only for SELECT reads.
If the read replica is in the same region but a different AZ - no cost.
Multi-AZ: synchronous replication, one DNS name, increases availability.
Failover on loss of AZ, network or storage.
Not for scaling - just for standby.
Read replicas can be set up as Multi-AZ if desired.

41
Q

RDS single AZ to Multi-AZ

A

0 downtime.

42
Q

Aurora

A

Not open source.
Compatible with PostgreSQL/MySQL.
Cloud optimised - better performance than PostgreSQL/MySQL.
Storage auto grows up to 128 TB - no need to monitor storage.
Up to 15 read replicas with auto scaling.
Failover is instantaneous.
High availability - stores 6 copies of data across 3 AZs. Only needs 3 copies out of 6 for reads, 5 out of 6 for writes. Self-healing.
20% more cost.
One Aurora master that takes writes.
Cross-region replication.
Reader endpoint - connection load balancing; connects to all read replicas. Load balancing happens at the connection level, not the statement level.

43
Q

RDS and Aurora security

A

Encrypt at rest using AWS KMS.
To encrypt an unencrypted DB: take a snapshot, restore it and encrypt.
In-flight encryption - TLS ready by default; use the AWS TLS root certs on the client side.
IAM authentication - use roles to connect to the DB.
Security groups control network access to the Aurora/RDS DB.
No SSH access, except with RDS Custom.
Audit logs can be enabled; send them to CloudWatch for longer retention.

44
Q

ElastiCache

A

ElastiCache - Redis or Memcached.
Redis - a bit like RDS: Multi-AZ with auto failover, read replicas to scale reads and give high availability, backup and restore, data durability.
Memcached - multi-node for partitioning of data, no high availability, non-persistent, no backup/restore, multithreaded architecture.

45
Q

VPC endpoint

A

Gives private access to AWS services.

46
Q

Site-to-site VPN

A

Connects an on-premises VPN to AWS.
Automatically encrypted.
Goes over the public internet.
Cannot access VPC endpoints.

47
Q

Direct Connect (DX)

A

Physical connection between on-premises and AWS.
The connection is private, secure and fast - it goes over a private network.
Takes at least a month to establish.
Cannot access VPC endpoints.

49
Q

VPC Gateway Endpoint

A

Used for Amazon S3 and DynamoDB. All other services use interface endpoints.

50
Q

VPC Flow Logs

A

Capture information about the traffic going to and from network interfaces.

51
Q

S3 security

A

User-based - IAM.
Resource-based - S3 bucket policies, ACLs.
Encryption - S3 bucket keys.

52
Q

S3 storage classes

A

Durability - how often S3 will lose an object. S3 has high durability, the same for all storage classes.
Availability - depends on the storage class. S3 Standard has high availability.

53
Q

S3 Standard

A

Low latency and high throughput.
Used for frequently accessed data.
99.99% availability.

54
Q

S3 Infrequent Access

A

Less frequently accessed data that requires rapid access when needed.
Lower cost than S3 Standard.
Disaster recovery/backups.
One Zone-Infrequent Access: lower availability (95%), high durability, but data is lost when the AZ is destroyed. For storing secondary backups of on-premises data or data you can recreate.

55
Q

Glacier storage classes

A

Low cost - archiving/backup.
Pricing - price for storage + object retrieval cost.
Instant Retrieval - millisecond retrieval. Great for data accessed once a quarter.
Flexible Retrieval - Expedited (up to 5 mins), Standard (3 to 5 hours), Bulk (5 to 12 hours, free). Minimum storage duration 90 days.
Deep Archive - Standard 12 hours, Bulk 48 hours.

56
Q

Intelligent-Tiering

A

Small monthly monitoring and auto-tiering fee; no retrieval charges.
Moves objects automatically between storage tiers based on usage.
Frequent Access (default).
Infrequent Access (30 days).
Archive Instant Access (90 days).
Archive Access (90 to 700+ days).
Deep Archive Access (180 to 700+ days).

57
Q

Transfer Acceleration

A

Uses the AWS private network to send files to a different location.

58
Q

S3 byte-range fetches

A

Speed up downloads.
Retrieve partial data.