S.A.A. Flashcards

Question

CH2 PG32 S3 basic concepts?

Answer 1

Bucket – is actually a container for storing objects. Cannot have two buckets with the same name even across multiple regions. Buckets serve the following purposes • Organizes S3 namespace at the highest level • Identifies the accounts responsible for charges • Plays a role in access control • Serves as the unit of aggregation for usage reporting By default the data of a bucket is not replicated to any other region unless you do it manually or by using cross region replication. The object stored in the reion never leaves the region unless you explicitly transfer it to a different region. S3 is accessible through API, which allows developers to write applications on top of S3. The fundamental interface is Representation State Transfer (REST) API. S3 does support SOAP over HTTP but its depreciated. Use REST API over SOAP. Using REST API you can create , read , update, delete and list. HTTPS is better over HTTP since its secure. Verbs • GET = Read • PUT = Create • DELETE = Delete • POST = Create

Answer 2

Steps for installing AWS Command Line Interface = is primarily distributed on Linux, Windows, and macOS in pip. A package manager for Python that provides ane easy way to install python packages and their dependencies S3 Data Consistency Model = S3 is intended to be a “write once read many times” storage. Therefore infrastructure is different from traditional SAN architecture. The entire architecture is redundant.S3 Standard uses a minimum of 3 AZ’s to store the data.S3 does not support object locking, which means If there are request to update the same file concurrently (PUT request), the request with the latest time stamps wins. Name of an S3 bucket is unique and by the combining the bucket name and object name (key), every object can be identified uniquely across the globe.

Answer 3

Side notes: If you upload the data using HTTPS and use SSL-encrypted endpoints the data is automatically secure for all the uploads and downloads, and the data remains encrypted during transit. SSE with Amazon S3 Key Management (SSE-SE) = In this case, Amazon S3will encrpt your data at rest and manage the encryption keys for you. • Each object is encrypted using a per object key • The per object key is encrypted using a master key • The master key is managed using S3 management • Can be turned on through S3 console or command line interface or SDK SSE with customer-provided keys (SSE-C) = Amazon will encrypt your data at rest using the custom encryption keys that you provide. To use SSE-C simply include your custom encryption key in your upload request, and Amazon S3 encrypts.the objects using the key and securely stores the encrypted data at rest. SSE with AWS Key Management Service KMS (SSE-KMS)= with this there are separate permissions for the user of the master key , providing an additional layer of control as well as protection against unauthorized access to your object. KMS provides an audit trail so you can see whop used your key to access which object and when. As well as view failed attempts to access data from users without permission

Answer 4

S3 standard = is the default for frequently accessed data. Most common usage for web sites, content storage, and big data analytic, mobile applications. This is designed for durability 99.(11x9)%. Supports SSL encryption of data S3 standard Infrequent Access (IA) = for data accessed less frequently. Had the same durability but its availability is 99.9 percent over a given year. Cost is much cheaper than S3 standard, which makes it economical for long term storage, back up, and disaster recovery S3 Reduced Redundancy Storage (RRS) = is used to store noncritical, nonproduction data. It is often used for storing data that can be easily reproduced. RRS has 99.99 durability and availability. It is designed to sustain the loss of data in a single facility. S3 One Zone-Infrequent Access (S3 One Zone IA) = is for data access less frequently but requires rapid access when needed. Same high durability and through put and low latency of S3 standard but cost 20% less Glacier = is the storage class mainly used for data archiving. Provides 99.99999999 durability of objects and used for archiving data. • Expedited retrieval: 1-5 minutes • Standard retrieval: 3-5 hours • Bulk retrieval: 5-12 hours

Answer 5

Versioning of Objects in Amazon S3 = is like insurance policies; you know that regardless of what happens your file is safe. Once you enable versioning you cant disable it. However you can suspend versioning to stop the versioning of objects. Amazon S3 Object Lifecycle Management = • Transition Action- the means you can define when the opbjects can be transitioned to another storage class. For Example you may want to cope all older log files after another seven days to S3 IA • Expiration action- in this case you define what is going to happen when the objects expire. For example if you delete a file from S3 whare are you going to do that file. Amazon S34 Cross Region Replication = if you automatically copy the files from one region to another, you need to enable cross-regional replication. If you don’t enable versioning you wont be able to do cross-region replication. You Will get an error. CRR copies only the new objects. If you have preexisting files in the bucket you must copy them manually.

Answer 6

Static Website Hosting in Amazon S3 = Lab Magnetic tape replacement = has zero addition, these is no maintenance overhead like with magnetic tape, and you get the same durability as S3 HealthCare/Life scientific data storage = with the advancement in life sciences such as genomic data, a single sequence of genomes can take up to a terabyte of data Media assets archiving/digital preservation = Media assets such as video of news coverage and game coverage can grow to several petabytes quickly. Compliance archiving/long-term backup = many organization have a compliance requirements to achieve all the data that is x years old. Amazon glacier vault lock, helps you set compliance controls to meet your compliance objectives. You will learn more about Amazon Glacier Vault Lock in the next section.

Answer 7

Amazon Glacier Key Terminology = items stored in glacier are considered archived, you can aggregate your files using ZIP or TAR. No limit on how many files you can store each item cant be higher than 40TB. Items are write once but wont be able to modify it. You can use IAM and create the vault-level access policies. You can create up to 1,000 vaults per account per-region. WORM (write once read many) Accessing Amazon Glacier = • can access it directly via the Amazon Glacier API or SDK. • S3 lifecycle integration • Via third party tools and gateways Uploading Files to amazon Glacier = can upload direct connect, or snowball. You need to create a vault and an access policy. The next step is to crate the archives upload them Amazon Elastic Block Store = are highly available, highly reliable volumes that can be leveraged as an Amazon EC2 instances boot partition or attached to running Amazon EC2 instances as a standard block device. EBS considered the harddrive, and multiple can be attached to EC2. Only one EBS can be attached to an EC2 at time. EBS provides the ability to create apoin-in-time consistent snapshot of your vomues that are then stored in amazon S3 and automatically replicated across multi availability zones.

Answer 8

Persistent storage =as discussed before the volume lifetime is independent of any particular Amazon EC2 instance General Purpose = Amazon EBS volumes are raw unformatted block devices that can be used from any operating system High Availability and reliability = EBS volumes provide 99.999 percent availability and automatically replicate within their availability zones to protect your application from component failure. It is important to note that EBS volumes are note replicated across multiple AZ’s rather they are replicated within different facilities within the same AZ Encryption = Amazon EBS encryption provides support for the encryption of data at rest and data in transit within the same AZ Variable Size = Volumes sizes range from 1GB to 16TB and are allocated in 1GB increments Easy to use = Amazon EBS volumes can be easily created, attached, backed up, restored and deleted. Designed for resilience = The annual failure rate (AFR) of Amazon EBS is between .1 percent to .2 percent

Answer 9

Amazon EC2 instance store = the instance store is ephemeral, which means all the data stored in the instance store is gone the moment the EC2 instance shuts down. The data neither persist nor is it replicated in the instance store. Amazon EBS volumes = have multiple options that allow you to optimize storage performance and cost for any workload you would like to run. Options are divided into two major categories: SSD-backed storage which is mainly used for transactional workloads such as database and boot volumes, and HDD-backed storage, which is for throughput intensive workloads such as log processing and mapreduce. Amazon EBS-backed volume = elastic volumes are a feature of Amazon EBS that allows you to dynamically increase capacity, tune performance, and change the type of live volumes with no downtime or performance impact. You can simply use a metric from CloudWatch and write a Lambda function to automate it. Amazon EBS SSD-Backed Volume = there are two types of General Purpose SSD (gp2) and provisional IOPS SSD (io1). SSD backed volume include the highest performance iO1 for latency-sensitive transactional workloads and gp2, which balances price and performance for a wide variety of transactional data. IOPS = short for input/output operations per second. A drive spinning at 7,200 RPM can perform at 75 to 100 IOPS, whereas a drive spinning at 15,000 RPMwill deliver 175 to 210. The exact number will depend on a number of factors including the access patter (random or sequential) and the amount of data transferred per read or write operation

Answer 10

General Purpose SSD = delivers single digit millisecond laterncy, which is actually a good use case for the majority of workloads. Gp2s can deliver between100 to 10,000 IOPS. Gp2 provides great performance for a broad set of work loads, all at low cost. They reliably deliver three sustained IOPS for every gigabyte of configured storage Provisioned IOPS SSD = Example if you have a volume of 100GB then the IOPS you can providio0ns with that will be 100*50 Amazon EBS HDD Backed Volume = include Througput Optomized HDD (st1) which can be used for frequently accessed throughput intensive work-loads; and HDD (sc1) which is for less frequently accessed data that ahs the lowest cost Throughput Optimized HDD = (st1) is good when they workload you are going to run defines the performance metrics in terms of throughput instead of IOPS. The hard drives are based on magnetic drives. There are lots of workloads that can leverage this EBS volume such as data warehouse, ETL, log processing, mapreduce jobs. And so on. This volume is ideal for any workload that involves sequential IO. Any workloads that has are requirement for random IO should be run either on general-purpose or on a provisional IOPOS depending on the price/performance need.

Answer 11

Cold HDD = just like st1, Cold HDD (sc1) also defines performance in terms of throughput instead of IOPS. Great use case for noncritical, cold data workloads and is designed to support infrequently accessed data. Similar to st1 sc1 use a burst- bucket model, but in this case the burst capacity is less since overall throughput is less. To ensure a consistent snapshot, it is reommended that you detach the EMS volumesfrom the EC2 instance, issue that snapshot command and then reattach the EBS volume to instance Amazon Elastic File System: Fully managed = is a fully managed file system, and you don’t have to maintain any hardware or software. There is no overhead of managing the file system since it is managed service File system access semantic = You get what you would expect from a regular file system, including read-after-write consistency, locking, the ability to have a hierarchical directory structure, file operations like appends, atomic renames, the ability to write to a particular block in the middle of a file and so on. File system interface = it exposes a file system interface that works with standard operating system API’s. EFS appears like any other file system to your operating system. Application that leverage standard OS API’s to work with files will work with EFS.

Answer 12

Shared Storage = it is a shared file system. It can be shared across thousands of instances. When EFS is shared across multiple EC2 instances, all the EC2 instances have access to the same data set. Elastic and scalable = EFS elastically grows to petabyte scale. You don’t have to specify a provisioned size up front. You just create a file system, and it grows and shrinks automatically as you add and remote data. Performance = it is built for performance across a wide variety of workloads. It provides consistent, low latency, high throughput, and high IOPS Highly available and durable = the data is EFS is automatically replicated across AZ’s and also well protected from data loss.

Answer 13

Using Amazon Elastic File System = first step is to create a file system. The file system is the primary resource in EFS where you store files and directions. You can create ten file systems per account. Of course like any other AWS service you can increase this limit by raising a support ticket. To access you file system from instances in a VPC, you create mount targets in the VPC. A mount target has an IP address and a DNS name you use in your mount command. Performance Mode of Amazon EFS = Max I/O mode is optimized for a large-scale and data-heavy applications where tents hundreds, or thousands of EC2 instances are accessing the file system.

Answer 14

AWS Storage Gateway: the AWS storage Gateway service is deployed as a virtuial machine in your existing environment. This VM is called a storage gateway and you connect your existing application File gateway = enables you to store and retrieve objects in Amazon S3 using industry-standard fil protocols. Files are stored as objects in your S3 buckets and accessed through Network File System (NFS) mount point. Ownership permission and timestamps are durably stored in S3 and the user metadata of the object associated with the file. Volume gateway = presents you application with disk volumes using the iSCI block protocol. Data written to these volumes can be asynchronously backed up as a point in the time snapshots. You can set the schedule for when snapshots occur or create them via the AWS Management console or service Tape gateway = presents the storage gateway to you existing backup application as an industry-standard isCSI based virtual tape library (VTL) consisting of a virtual media changer and virtual tape drives. You can continue to use your existing backup applications and workflows while writing to a nearly limitless collection of virtual tapes.

Answer 15

VPC = Amazon VPC can have the app and the database tiers running on a private subnet in the same VPC • You can have some of the applications running in the cloud within VPC and some of the application running on premise • You can create a public subnets by providing it with Internet Access and can keep the resource isolated from the internet by creating a private subnet • You can have dedicated connectivity between you corporate data center and VPN by using Direct Connect. You Can also connect your data center using a hardware virtual private network via an encrypted IPsec connection. • If you need more than one VPC you can create multiple VPC and can connect each one of them by VPC peering. The way you can share the resources across multiple VPC and accounts • You can connect to resources such as S3 using a VPC endpoint Amazon VPC = First step of creating a VPC is deciding the IP range by providing a Classless Inter Domain Routing (CIDR) block. VPC is deciding the IP range by providing a Subnet = is short for a subnetwork, which is logical subdivision of an IP network. With VPC you can create various subnets as per your needs. Most common ones are public subnets, private subnets and VPN-only subnets. Public subnets are for resources that need to be connected to the internet. Private subnets are for resources that do not. VPN only subnet is for when you want to connect your virtual private could with your corporate data center.

Answer 16

VPC = Amazon VPC and can have the app and the database tiers running on a private subnet in the same VPC • You can have some of the applications running in the cloud within VPC and some of the application running on premise • You can create a public subnets by providing it with Internet Access and can keep the resource isolated from the internet by creating a private subnet • You can have dedicated connectivity between you corporate data center and VPN by using Direct Connect. You Can also connect your data center using a hardware virtual private network via an encrypted IPsec connection. • If you need more than one VPC you can create multiple VPC and can connect each one of them by VPC peering. The way you can share the resources across multiple VPC and accounts • You can connect to resources such as S3 using a VPC endpoint Amazon VPC = First step of creating a VPC is deciding the IP range by providing a Classless InterDomain Routing (CIDR) block. VPC is deciding the IP range by providing a Subnet = is short for a subnetwork, which is logical subdivision of an IP network. With VPC you can create various subnets as per your needs. Most common ones are public subnets, private subnets and VPN-only subnets. Public subnets are for resources that need to be connected to the internet. Private subnets are for resources that do not. VPN only subnet is for when you want to connect your virtual private could with your corporate data center.

Answer 17

Subnet = in VPC you can define subnet usingCIDR block. Smallest subnet you can create within VPC is /28, which corresponds to 16 available IP addresses. If you use IPv6 and create a subnet using /64 as the CIDR block, you get A LOT of ip addresses • It must be noted that a subnet is tied to only availability zone. You can not have subnet span multiple AZ’s, however a VPC can span multiple AZ’s in aregion • IF you have 3 AZ’s in a VPC, for example, you need to create a separate subnet in each AZ, such as Subnet 1 for AZ1, subnet 2 for AZ2 and Subnet 3 for AZ3. Of course within an AZ you can have multiple sibnets • Subnets are AZ specific. For multiple Az’s create multiple subnets • VPC are regions specific. For multiple AZ’s, create multiple subnets • VPC are region specific. For multiple regions create different VPC’s

Answer 18

CH3 PG84 Subnet - When creating a VPC you need to provide a CIDR block for the IP address range for VPC. It can be as big as /16, which can have 65,536 IP addresses. When creating multiple subnets, you must take into account the CIDR block of the VPC. Say you create the VPC with /16 and within VPC you create 3 subnets with /18, which has 16,384 IP addresses each. By doing this you have exhausted 49,152 IP addresses. Now you only have 65,536- m49,152 IP addresses left for creating new subnets. At this point you wont be able to create new subnets with /17, which has 32,768 IP addresses however you should be able to create new subnets between /19 and /28. If you create more than one subnets in a VPC, the CIDR blocks of the subnets cannot overlap. There are lots of tools

Answer 19

Route table = Every subnet should have a route table. Example if Subnet of a VPC contains an internet gateway in the route table, that subnet has access to the Internet. You can associate multiple subnets with the same route table. Whenever you create a subnet it is automatically associate with the main route table of the VPC. Thus a route with a destination of say, 0.0.0.0/0 for all IPv4 addresses wont carter the destination. If you later add a virtual private gateway, Internet gateway, NAT device or anything like that in your VPC, you must update the route table accordingly so that any subnet that wants to use these gateway can take advantage of them and have a route defined for them. If you look at the routing table, you will notice there are only two column: Destination and target. The target is where the traffic is directed, and the destination specifies the IP range that can be directed to the target. As shown in Table 3-2, the first two entries are local, which indicates internal routing within VPC for IPv4 and IPv6 for the CIDR block. Internet Gateway = it must be noted that an IG is a horizontally scaled, redundant and highly available component in VPC. An IG support both IPv4 and IPv6 traffic.

Answer 20

Network Address Translation = (NAT) tries to solve that problem. Using a NAT device you can enable any instances in a private subnet to connect to the Interne, but this does not mean the Internet can initiate a connection to the instance. The reverse is not true. A NAT device forwards traffic from the instances in the private subnet to the internet and then sends the response to the instances. When traffic goes to the internet, the source IPv4 address is replaced with the NAT devices address; similarity when the response traffic goes to those instances, the NAT device translates the address back to those instances private IPv4 addresses. This is another reasonwhy it is called address tranlations. Please note that NAT dvices can be used only for IPv4 traffic; they cant be used fo IPv6 there are two types ofNAT devices available within AWS NAT instances = NAT instances in the public subnet and route the database servers Internet traffic via the NAT instance running in the public subnet. By doing that, the database server will be able to initiate the connection to the internet, but reverse is not allowed (meaning no one will be able to connect to the database server from the internet using NAT)

Answer 21

NAT Gateways = performs the same function as that of a NAT instance, but it does not have the same limitations as a NAT instances. Moreover it is a managed service and therefore does not require administration overhead. If you want to use the same elastic IP address for a NAT gateway, you need to de-associate it first from the NAT instance and then re-associate it with the NAT gateway. Egress-Only Internet Gateway = The only difference is that a NAT gateway handles IPv4 traffic and an egress-only gateway handles the IPv6 traffic. When you use an egress-only Internet gateway, you put the entry of the egress-only internet gateway in the routing table

Answer 22

Elastic Network Interface = this ENI is avirtual network interface that you can attach to an instance in Amazon VPC. An ENI can have the following attributes: • A MAC address • One public IPv4 address • One or more IPv6 addresses • A primary private IPv4 address • One or more secondary private IPv4 addresses • One elastic IP address (IPv4) per private IPv4 address • One or more security groups • A source/destination check flag and description ENI attributes follow its attachment to the instance. Elastic IP address = EIP address is designed for application running on the cloud. Every time you launch a new EC2 instance in AWS. Instead of changing the IP address for all applications every time, what you need todo is obtain an EIP and associate that with the EC2 instance and map the EIP with the application. Now whenever the IP address of the EC2 instance changes, you just need to repoint the new EC2 instance to the EIP and applications can connect using the same EIP. • Please note at this moment that an EIP supports only IPv4 and does not support IPv6 • When you dissasocciate an EIP and don’t re-associate it with any other resource it continuous to remain in your account until you explicitly release it from your account

Answer 23

Security Group = is like a virtual firewall that can be assigned to any instance running in a virtual private cloud. A security group define what traffic can flow inside and outside a particular instance. Since it is instance specific, you can have different security group for different instances. The security group is applied at the instance level and not at the subnet level. Therefore, even within a subnet, you can have different security groups for different instances. You can attach up to five different security group to each group is stateful and consist of IP address. • Security groups are stateful. This means if you send a request from your instance and vice versa traffic is allows • The only exception is security groups • Amazon VPC always comes with a default security group

Answer 24

``` Operating systems supported by EC2 = • Windows 2003R2, 2008/2008R2, 2012/2012R2, 2016 • Amazon Linux • Debian • SUSE • CentOS • Red Hat enterprise Linux • Unbuntu ``` ``` Benefits of Amazon EC2 = • Time to market • Scalability • Control • Reliable • Secure • Multiple Instances Type • Integration • Cost effective ```

Answer 25

``` Instance types = • General Purpose • Compute Optimize • Memory Optimize • Storage Optimize • Advanced computing ```

Answer 26

General Purpose = provide a balance of computer memory and network resources and are a pretty good choice for many applications, some provide burstable performance. T2 burstable, M5, M4 and M3 do not provide burstable performance Compute Optimized = has high-performance processors, and as a result any application that needs a lot processing power benefits from these instances like > media transcoding, application supporting a large number of concurrent users, long running, batch jobs, high performance computing, gaming servers and so on Memory Optimized = is for workloads you are planning to run that has a lot of memory requirements. Good use cases are memory databases such as SAP HANA or Oracle Database in-memory, NoSQL databases like MongoDB and Cassandra, big data processing engines like Presto or Apache Spark High Performance computing HPC and electronic design automation EDA applications, Genome Assembly and analysis and so on Storage Optimized = can be used for workloads that require high sequential read and write access to very large data sets on local storage. They deliver many thousands of low-latency, random I/O operations per second (IOPS). Use cases are like running a relational database that is I/O bound running an I/O bound application, NoSQL database, data warehouse applications, MapReduce and Hadoop distributed caches for in memory databases like Redis and so on Advanced Computing = for high processing requirements like running a machine learning algorithm , molecular modeling, genomics, computation of fluid dynamics, computational finance, and so on. These instances provide access to hardware bas

Answer 27

Advanced Computing = for high processing requirements like running a machine learning algorithm, molecular modeling, genomics, computation of fluid dynamics, computational finance, and so on. These instances provide access to hardware based accelerator such as GPUs or field programmable gate arrays (FPGA) which enable parallelism and give high throughput.

Answer 28

Intel AES New Instruction (AES-NI) = faster and better encryption than the original all new EC2 instances have this Intel Advanced Vector Extensions = improves performance for application such as image and audio/video processing. For instances launched with HVM AMIs Intel Turbo Boost technology = provides more performance when needed

Answer 29

Network features = EC2- Classic run in a single flat network that is shared with other customers. New instances use VPC only. VPC has a lot of advantages such as assigning multiple private IPv4 addresses to instances, assigning IPv6 addresses to an instance, changing the security group, adding the NACL rules and so on. You can also launch an instance in a placement group, that is a logical placement group of instances in an AZ. EX if you have an application or workload that needs low latency or high-network throughput, the placement group is going to provide you with that benefit. This is know as cluster networking. When launched in a placement group instances can utilize up to 10GBPS for single flow and 25GBPS for multiflow traffic. No charge for using placement groups. Cant span multiple Az groups, must also be unique within the AWS account. To get the most out of an instance group you should get a type that supports enhanced networking. Enhanced networking provides higher bandwith, higher packet per second (PPS) performance andlower inter instance latencies. It uses single root I/O virtualization (SR-IOV)

Answer 30

General Purpose = The is the general purpose EBS volume backed up by SSD and can be used for any purpose. Often used as the default volume for all EC2 instances Provisioned IOPS (PIOPS) = if you have a computing need for a lot of I/O for example running a database workload then, you can use a provisioned IOPS-based EBS volume to maximize the I/O throughput and get the IOPS that your application Magnetic = have the lowest cost per gigabyte for all the volume time. The are good for running a development workload a non-mission critical workload or any other workload where data is accessed frequently.

Answer 31

Steps for using Amazon EC2 • Select AMI • Configure the networking and security (virtual private cloud, public subnet, private subnet, and so on) • Choose instance type • Choose the AZ attach EBS and optionally choose static EIP • Stat the instance

Answer 32

Shared Tenancy = default behavior when launching an EC2 instance Dedicated Host = means it is a physical server exclusively assigned to you. Might save you money by allowing you to use your existing server-bound software licenses including Window Server SQL Server and SUSE Linux Enterprise Server. You could also carve out many VMs Dedicated Instance = you run the EC2 instances on a single tenant hardware. Dedicated instances are Amazon EC2 instances that run in a virtual private cloud on hardware that’s dedicated to a single customer. Your dedicated instances are physically isolate at the host hardware level from instances that belong to other AWS accounts Instance and AMI’s = can launch as many as many instances from an AMI Launch Permissions = • Public – The owner grants launch permissions to all AWS accounts • Explicit – The owner grants launch permissions to specific AWS accounts • Implicit – The Owner has implicit launch permissions for an AMI Soft limit on the number of instance types.

Answer 33

Instance Root Volume = If the instance is backed by an S3 then the instance is backed by an instance store. Stop functionality is not allows here. If backed by instance store it should be constantly or in multiple Az zones. If its is backed by an EBS its called EBS-backed AMI. These can be stopped and restarted

Answer 34

Hardware Virtual Machine (HVM) = The OS runs directly on top of the VM as it is without any modification similar to the way it runs on bare metal hardware. EC2 simulates some if not all of the underlying hardware that is presented to the guest. Supported by all current generation instances. Supported by CC2, CR1, HI1 and HS1 of previous generations. Paravirtual (PV) = boots with PV-GRUB, starts the boot cycle and loads the kernel specified in the menu. Partialvirtual guest can run on host hardware that does not explicit support for virtualization. Cant take advantage of special hardware extensions that HVM can take such as enhanced networking on GPU processing and so on.

Answer 35

Launch = when the instance is launched it enters the pending state. The AMI you choose is used to boot the instance. Before starting the instance health checks are performed, once its up and running it enters the running state. Once in running state you are beginning to get billed. Start and Stop = if it passes the health check it starts, If its backed by EBS you can stop it and maintain the information Reboot = you can reboot an instance backed either by an instance store or backed by EBS. Everything is saved in a reboot. Termination = as soon as you terminate the instance you will see the status change to shutting down or terminated. Once this happens billing stops. If the instance has Termination protection, additional steps are required. You can choose to either delete the EBS volume or keep it. Retirement = when the instance has irrepreble damage the hardware is retired or scheduled to be retired.

Answer 36

Connecting to an instance = If you launch the instance in the public subnet it will be assigned a public IP address and public DNS name via which you can reach the instance from the Internet. How all Ips look Public DNS (IPv4) ec2-34-210-110-189.us-west-2.compute.amazonaws.com IPv4 public IP 34.210.110.189 Private DNS ip-10-0-0-111.us-west-2.compute.internal Private Ips 10.0.0.111 Public DNS automatically created when instance is created, cant change it. If you terminate the instance the IP address will automatically be disassociated. If you want to associate one IP address with another server us Elastic IP address If you create it in a private then you will get a private IP address and a private DNS. You will get prompted to download a private key. In your local machine and then change the permission in it. Amazon EC2 uses the public-private key conectp used in cryptography to encrypt and decrypt

Answer 37

Characteristics of security groups = • Be default security groups allow all outbound traffic • You cant change the outbound rules for an EC2 classic security group • Security group rules are always permissive; you cant create rules that deny access • Are stateful if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of the inbound security group rules. For VPC security groups this also means that reponses to allows inbound traffic are allows to flow out, regardless of outbound rules. • You can add and remove rules at any time. Your changes are automatically applied to the instance associated with the security group after a short period • When you associated multiple security groups with an instance the rules from each security group are effectively aggregate to create one set of rules. You use this set of rules to determine whether to allow access

Answer 38

For each rule you specify the following = Protocol- most common protocols are 6 (TCP), 17 (UDP), and 1 (ICMP) Port range- for TCP, UDP, or a custom protocol, this is the range of ports to allow. You can specify a single port number (for example, 22) or range of port numbers (for example, 7000 to 8000) ICMP type and code – for ICMP, this is the ICMP type and code Source or destination – • An individual IPv4 address. You must use the /32 prefix after the IP4v address for example 203.0.113.1/32 • (VPC only) an individual IPv6 address, in CIDR block notation for examples. 203.0.113.0/24 • (VPC only) a range of IPv6 addresses in CIDR block notations for examples 2001:db8:1234:1a00::/64 • Another security group. This allows instances associated with the specified security group to access instances associated with this security group. This does not addrules from the source security group to this ecurity group. You can specify on of the following security group • The current security group • EC2-Classic A different security group for EC2-Classic in the same region • EC2-Classic a security group for another AWS account in the same region (add the AWS account ID as a prefix, for examples, 111122223333/sg-edcd9784) • EC2-VPC a different security group for the same VPC or a peer VPC in a VPC peering connection • Rule allows the most permissive rule.

Answer 39

Amazon Elastic Container Service = Using ECS, you can easily launch any contrainer based application with simple API calls. Containers are similar to hardware virtualization (like EC2), but instead of partitrioning a machine , containers isolate the process the processes running on a single operating system. This is a useful concept that lets you use the OS Kernel to create multiple isolated user space processes that can have constraints on them like CPU and memory. Containers are very efficient. You can allocate exactly the amount of resources (CPU memory) you want and at any point in time you can increase or decrease these resources depending on your need. Containers enable the concept of microservice. Microservice encourage the decomposition of an app intos smaller chunks, reducing complexity and letting teams move faster while still running the process on the same host.

Answer 40

Benefits of running containers on ECS = • Eliminates cluster management software. There is no need to install any cluster management software • You can easily manage clusters for any scale • Using ECS you can design fault-tolerant cluster architecture • You can manage cluster sate using Amazon ECS • You can easily control and monitor the containers seamlessly • You can scale from one to tens of thousands of container almost instantly • ECS gives you the ability to make good placement decisions about where to plate you containers. • ECS gives you the intel about the availability of resources (CPU, memory) • At any time you can add new resources to the cluster with EC2 auto scaling • It is integrated with other services such as Amazon Elastic container registry elastic load balancing, elastic block store, elastic network interfaces, virtual private cloud, IAM and Cloud trail.

Answer 41

Authorization = Best practice if the concept of least privilege and segregation of duties. An IAM policy is a piece of code written in JavaScript Object nation where you can define one or more permissions. All users by default have no access. Auditing = Cloud trail logs every API request made through the console such as the following • Who made the request? • When was the request made? • What was the request about? • Which resources were acted upon in the response to the request? • Where was the request made from and made to?

Answer 42

IAM username and password = this will be used mainly for accessing the AWS management console E-mail address and password= This is associated with your root account Access Keys = this is often used with the CLA, API’s and SDK’s Key Pair = This is used with Amazon EC2 for logging in to the servers Multifactor authentication = This is an additional layer of security that can be used with the root account as well

Answer 43

Temporary Security Credentials = Temporary security credentials are short lived and expire automatically; therefore, you can provide access to your AWS resources to users without having to define an AWS identity for them. By using IAM you can create users and group and then assign permissions to the users. Users = Creating users via IAM steps • Create a user VIA IAM • Provide security credentials • Attach permissions roles and responsibilities • Add the user to one or more groups covered in the next section

Answer 44

Groups = These are the characteristics of IAM groups • A group consists of multiple roles and privileges, and you gran these permissions using IAM • Any user who is added to a group inherits the groups roles and privileges • You can add multiple users in a group • A user can be part of multiple groups • You cant add one group into another group. A group can contain only users and not other groups • There is no default group that automatically includes all users in the AWS account. However you can create one and assign it to each and every user

Answer 45

Roles = are for the following use cases • Delegate access to users, applications, or services that don’t normally have access to your AWS resources • When you don’t want to embed AWS keys within the app • When you want to grant AWS access to users who already have identities defined outside of AWS (for example, corporate directories) • To grant access to your account to third parties (such as external auditors) • So that applications can user other AWS services • To request temporary credentials for performing certain tasks When you create a role you need to specify to policies. One policy governs who can assume therole (in other words the principal) This policy is also called the trust policy. The second policy is the permission or access policy, which degfines what resources and action the principal or who assuming the role is allows to access to.

Answer 46

AWS Root user or the account owner = this user has unrestricted access to all enables services and resources AWS IAM user = in this case the user has limited permissions. The access is restricted by group and user policies Temporary security credentials = Access is restricted by generating identity and further by policies used to generate tokens IAM Best Practices = • Use the IAM user: immediately acter creating the account create the IAM user and Lock down the root user • Create a strong password policy: Min 8-10 characters, expires in 90 days. One upper, lower, symbol, number • Rotate Security Credentials Regularly: Use the credential report to audit credentials rotation. 90 days • Enable MFA: • Manage permissions with groups: • Grant the least Privileges: • Use IAM Roles: to delegate cross-account access, to delegate access within an account, and to provide access for federated users. If you use roles, then there is no need to share security credentials or store long-term credentials and you have a clear idea and have control over who has what access.

Answer 47

Use IAM roles for Amazon EC2 instances = best way to provide credentials to an application running on an EC2 instance is by using IAM roles. Enable AWS Cloud Trail = You must ensure that AWS cloud trail is enabled in all regions and that the AWS CloudTrail log validation is enabled. It is also important to make sure that the Amazon S3 bucket of cloudtrail logs is not publicly accessible. AWS Compliance Program = helps customers understand controls in place at AWS to maintain security and data protection in the cloud. Compliance responsibilities are shared.

Answer 48

IAM Roles for Amazon EC2 = • AWS access keys for signing request to other services in AWS are automatically made available on running instances • AWS access keys on an instance are rotated automatically multiple times a day New access keys on an instance are rotated automatically multiple times a day. New access keys will be made available at least fine minutes prior to the expiration of the old access keys • You can assign granular services permissions for applications running on an instance that make request to other services in AWS • You can include an IAM role when you launch on-demand ,spot or reserved instances • IAM roles can be used with all Windows and Linux AMI’s Caution = Types of services that cloud expose you credentials include the following • HTTP proxies • HTML/CSS validation services • XML processor that support XML inclusion

Answer 49

Dynamic Scaling = helps them provision 2 or hundreds of thousands in real time Best user experience = it also helps provide the best possible experience for users because it never runs out of resources. You can create rules suck as if the CPU utilization increases to more than 70% a new instance is started Health check and fleet management = can be done by autoscaling. Helps you maintain the fleet and replace failed instances Load Balancing = Auto Scaling can be used to balancing the workloads across multiple EC2 instances. It automatically balances the EC2 instances across multiple AZ’s when multiple AZ’s are configured. Auto scaling makes sure that there is a uniform balance of EC2 instances across multiple AZ’s Target Tracking = Auto scaling adjust the number of EC2 instances for you in order to meet that target. Target can be scaling metric that Auto Scaling supports. Example if you always want the CPU utilization of your application server to remain at 65 percent. Auto scaling will increase and decrease the number of EC2 instances automatically to meet the 65 percent CPU utilization metric.

Answer 50

Launch Configuration = is a template used for auto scaling that stores all the information about the instance, such as the AMI details, instance type, key pair, security group, IAM and instance profile, user data, storage attached and so on. Auto Scaling Groups Maintain the instance level = also know as the default scaling plan. In this scaling policy you define the number of instances you will always operate with. You define the minimum or the specified number of servers that will be running all the time. This makes it so that you are always running with the number of instances that you designate. Manual Scaling = Can be done manually either via the console or the API or CLI call. Scaling as per the demand = another usage of auto scaling is to scale to meet the demand. You can scale according to various Cloud Watch metrics such as an increase in CPU, disk reads, disk writes, network in, network out, and so on. Scaling as per schedule = If your traffic is predictable and you know that you are going to have an increase in traffic during certain hours, you can have a scaling policy as per the schedule.

Answer 51

Auto Scaling Groups = To create an auto scaling group you need to provide the minimum number of instances running at any time. You also need to set the maximum number or servers to which the instance can scale • If the desired capacity is greater than the current capacity, then launch the instances • If the desired capacity is less than the current capacity then terminate instances • Auto Scaling groups cant span regions Simple Scaling = means you can scale up or down based on ONE scaling adjustment. In this mechanism you can select an alarm which can be CPU utilization, disk read, disk write, network in or network out . You can also define how long to wait before starting or stopping a new instance. This is called the cooldown period

Answer 52

Exact capacity = You can provide the exact capacity to increase or decrease to. EX I want the total to be 5 Change in Capacity = You can provide the numbers you want it changed by. I want to increase it by 5 Percentage change in capacity =

Answer 53

Target tracking scaling policies = For example setting the utilization at 50 percent Autoscaling will automatically scale up or down to stay at 50 percent Termination Policy = When you scale down the instances will terminate. If you have to terminate tow instances, it is important to shut down an instance from each AZ so that you can have a balanced configuration. When you terminate an instance it deregisters itself from a load balancer if there was one and then has a grace period to terminate any open connections.

Answer 54

Elastic = no manual intervention at all. On prem you would have to physically hard wire the load balancer into the server. None of that here. Integrated = ELB is integrated with various AWS services. Its also integrated with cloudWatch. ELB also integrated with Route 53 for DNS failover Secured = ELB provides a lot of security features such as integrated certificate management and SSL decryption, port forwarding and so on. ELB is capable of terminating HTTP/SSL traffic at the load balancer to avoid having to run the CPU intensive decryption process on their EC2 instances. High Available = with ELB you can distribute traffic across Amazon EC2 instances containers and IP addresses. Cheap = ELB is cheap and cost effective. For example auto scaling saves network administrators a lot of time.

Answer 55

How ELB works = Even if you do not deploy your application or workload across multiple AZ’s, the load balancer that you are going to use will be always deployed across multiple AZ’s Type of Load Balancers Network Load balancer [TCP] = NLB or the TCP load balancer acts in layer 4 of the OSI model. A connection based model that can handle connections across EC instances containers and IP addresses based on IP data. Supports both TCP and SSL Application Load balancer [HTTP, HTTPS] = ALB works on layer 7 of the osi model. It supports HTTP and HTTPS. When a package comes from an application it looks at its header and then decided the course of action. It can also do content based routing depending on the services needed. Can also do Host-based routing where you route the request based on Host Field of the HTTP header and path based routing where you can route a client rqeust based on the URL path of the HTTP header Classic Load balancer [TCP, SSL, HTTP, HTTPS]= supports both network and application load balancing, in other words it operates on layer 4 and layer 7 of the OSI model

Answer 56

Load Balancer Key Concepts and Terminology = allows you to host multiple applications to be hosted behind a single load balancer. Example if one app handles images and another app. You can also have upto 10 different set of rules, which means you can host up to ten applications. Application load balancer also has native support for microservices and container-based architectures. Listeners = define the protocol and port on which the load balancer listens for incoming traffic connections. Each load balancer needs atleast one listener. For both Target Groups and Target = Tg are logical grouping of targets behind a load balancer.TG can exist independently from the load balancer. TG are regionally constructed.

S.A.A. Flashcards

(80 cards)