Solutions Architect Flashcards

Question

What 3 features are provided by AWS organizations?

Answer 1

Consolidated billing AWS account restrictions using SCP Account organizations via OU's

Answer 2

Account wide auditing and API logging

Answer 3

If AWS organizations are used.. but not the management account

Answer 4

Assuming role in another AWS account to access the account via console UI

Answer 5

Private by DEFAULT

Answer 6

- form of resource policy - like identity policies, but attached to bucket - resource perspective permissions - ALLOW/DENY same or diff accounts - ALLOW/DENY anonymous principles

Answer 7

- In objects and buckets - subresource - legacy - inflexible and simple permissions

Answer 8

- Controlling different resources - You have preference for IAM - Same account

Answer 9

- Just controlling S3 - Anonymous OR Cross-Account

Answer 10

NEVER, unless you MUST

Answer 11

via AWS APIs

Answer 12

HTTP; blogs

Answer 13

Index and Error documents are set

Answer 14

Static Web Hosting

Answer 15

Custom Domain via R53 MUST match

Answer 16

Take all media to static hosting in S3

Answer 17

Can be accessed via cellular network -can be used as a backup page in case a web app is down

Answer 18

Applies to all policies within "Principal"

Answer 19

Default is Disabled Once enabled, cannot be Disabled, but can be suspended

Answer 20

Once changed, version id will be updated.

Answer 21

Hides past versions of an object

Answer 22

Enabled in versioning configuration MFA required to change bucket versioning state Required to delete versions Serial number (mfa) + code passed w/API calls

Answer 23

Single data streeam to S3 If stream fails, upload fails, and requires full restart Speed & reliability = limit of 1 stream

Answer 24

Data is broken up Min data size = 100MB for multipart 10,000 max parts, 5mb -\> 5gb Last part can be smaller than 5mb Parts can fail and be restarted Transfer rate = speeds of all parts

Answer 25

When Edge Locations support S3 buckets in remote regions

Answer 26

To deter from physical tampering e.g; password. 'a very expensive paperweight'

Answer 27

Data is encrypted before leaving laptop and upon arrival

Answer 28

encrypted data

Answer 29

Keys never leave KMS - Provides FIPS 140-2 (L2) Regional & Public Service; separate product in each region Create, store, manage cryptographic keys Symmetric & Asymmetric keys Cryptographic operations - Backing Key ( and previous backing keys) - Aliases

Answer 30

Customer Master Key managed by KMS Logical - ID, date, policy, desc & state Backed by physical key material; generated or imported Up to 4kb of data Isolated to a region & never leave Support rotation

Answer 31

GenerateDataKey through KMS, works on \> 4kb KMS does not store the DEK beyond generating them 1. Plaintext version 2. Ciphertext version 3. Discard 4. Store encrypted key w/data

Answer 32

Key policies ( resource ) Every CMK has one Key Policies + IAM policies

Answer 33

Buckets aren't encrypted, objects are Client-side encryption server-side encryption

Answer 34

Server side encryption with customer-provided keys

Answer 35

Server side encryption with amazon S3-managed keys - AES256 - Stored persistently, data is at rest

Answer 36

Server side encryption w/customer master keys (CMKs) stored in was key management service

Answer 37

Key Management: YOU Encryption Processing: YOU

Answer 38

Key Management: YOU Encryption Processing: YOU

Answer 39

Key Management: S3 Encryption Processing: S3

Answer 40

Key Management: S3 & KMS Encryption Processing: S3 Extras: Rotation Control, Role Separation

Answer 41

Bucket header: x-amz-server-side-encryption

Answer 42

S3 storage class Objects are replicated across 3+ AZs in the AWS region AZ-A: 99.9% durability for 10mil objects, 1 object loss per 10k years AZ-B: replication over 3 AZ's & content-md5 checksums & cyclic redundancy checks (CRCs) used to detect & fix data corruption

Answer 43

Stored in HTTP/1.1 200 OK response by S3 API endpoint

Answer 44

Billed for data stored. No specific retrieval fee, no minimum duration, no minimum size

Answer 45

S3 storage class Objects are replicated across 3+ AZs in the AWS region AZ-A: 99.9% durability for 10mil objects, 1 object loss per 10k years AZ-B: replication over 3 AZ's & content-md5 checksums & cyclic redundancy checks (CRCs) used to detect & fix data corruption

Answer 46

per gig data retrieval fee, overall cost increases

Answer 47

should be used for long-lived data which is important or irreplaceable or data access is infrequent. Do not: use for small files or temporary data, data that is constantly accessed,

Answer 48

- Used for long-lived data (non-critical & replaceable) and where access is infrequent - Doesn't provide multi-AZ resilience model of Standard or Standard-IA. 1 used w/in region - Min duration of 30 days - Min capacity of 128kb/object

Answer 49

Objects cannot be made publicily accessible, requires retrieval process Data is retrieved to S3 standard-IA temporarily Expedited(1-5 minutes) Standard(3-5 hours) bulk(5-12 hours) First byte latency = minutes or hours

Answer 50

40kb min size 180 Day min Duration Requires retrieval process Restore time longer than Glacier Standard(12 hours) Bulk(up to 48 hours)

Answer 51

Tiers: Frequent Access, Infrequent Access, Archive, Deep Archive (Monitoring & Automated Migration) - automatically moves objects not accessed for 30 days to low cost infrequent access tier, archive, deep archive - used for long-lived data, w/changing or unknown patterns - cost per 1k objects. frequent access tier costs same as S3 standard, infreqent same as Standard-IA. - Archive/Deep Archive comparable to glacier equivalents

Answer 52

Set of Rules For Bucket or groups of objects Transaction Actions & Expiration Actions

Answer 53

S3 Standard - \> S3 STandard-IA - \> S3 Intelligent Tiering - \> S3 One Zone-IA - \> S3 Glacier - \> S3 Glacier Deep Archive For exam: small object has to remain for min 30 days on S3 standard before to S3 Standard-IA or S3 One Zone-IA

Answer 54

Source bucket & desination bucket are different regions

Answer 55

Source bucket & destination bucket are same regions

Answer 56

- All objects or subset - Storage class - default is to maintain - Ownership - default is that they will be owned by the source account - Replication Time control (RTC): SLA for buckets to be in sync

Answer 57

- Replication is NOT retroactive & versioning needs to be ON - One-way replication from source -\> destination - Unencrypted, SSE-S3 & SSE-KMS (w/extra config) - Source bucket owner needs permissions to objects - Won't replicate system events, Glacier or Glacier Deep Archive - DELETES are NOT replicated (to prevent against malicious deletions)

Answer 58

- SRR (log aggregation - SRR (PROD and TEST sync) - SRR (Resilience w/strict sovereignty) - CRR (Global resilience improvements) - CRR (latency reduction)

Answer 59

iamadmin -\> 1. Generate presignedURL from Bucket, 2. Bucket sends presignedURL - GET & PUT operations - whoever uses presignedURL is using as if they were iamadmin

Answer 60

- You can create URL for object you have NO ACCESS TO - When using URL, permissions match identity that generated it - Access denied could mean the generating id NEVER had access, or doesn't know - Don't generate w/a role, URL stops working when temporary credentials expire

Answer 61

- can store objects (up to 5TB) - You often want to retrieve ENTIRE object - Retrieving 5TB, takes time, uses %TB - Filtering at client side doesn't reduce this - Service lets you use SQL-like statements - to select part of object, pre-filtered by S3 - CSV, JSON, Parquet, BZIP2 compression for CSV & JSON

Answer 62

- Notification generated when events occur in bucket - can be delivered to SNS, SQS, & Lambda functions - Object created (Put, Post, Copy, CompleteMultiPartUpload) - Object delete (\*, Delete, DeleteMarkerCreated) - Object restore (Post (Initiated), Completed) - Replication (OperationMissedThreshold, OperationReplicatedAfterThreshold,OperationNotTracked,OperationFailedReplication)

Answer 63

CREATE, DELETE, RESTORE, REPLICATE

Answer 64

- Public Service - usable from AWS or on-premises - Store, Monitor, & access logging data - AWS Integrations - EC2 VPC flow logs, lambda, ClouTrail, R53, more - Can generate metric logs based on metric filter

Answer 65

Log events from the same source -Log event format: YYYYMMDDHHMMSS message

Answer 66

Logs API calls & activities

Answer 67

Stored for 90 days by default

Answer 68

Enabled by default - no cost for 90 days

Answer 69

Create 1 or more trails

Answer 70

Management of Events & Data Events

Answer 71

Global Services - one region or all regions

Answer 72

Manage CloudTrail events through CloudWatch logs

Answer 73

- Enabled by default, for 90 days, no s3 - Trails are how you configure S3 & CWLogs - Management events only by default - IAM, STS, CloudFront =\> Global Service Events - NOT REAL TIME - there is a delay, ~15 minutes

Answer 74

- Size of VPC - Are there Networks we can't use... - Avoid ranges that other services use - VPC structure - tiers & resiliency zones

Answer 75

- VPC minimum /28 (16 IP's), maximum /16 (65456 IP's) - Avoid common ranges - avoid future issues - Reserve 2+ networks per region being used per account

Answer 76

- Regional service - all AZs in the region - Isolated network - Nothing IN or OUT w/out explicit configuration - Flexible configuration - simple or multi-tier - Hybrid networking - other cloud & on premises - Default or dedicated tenancy!

Answer 77

- IPv4 cidr blocks & public ips - 1 primary private ipv4 cidr block - min /28 (16 IP) max /16 (65,536 IPs) - Optional secondary ipv4 blocks - Optional single assigned ipv6 /56 cidr block

Answer 78

- Provided by R53 - VPC 'Base IP + 2' address - enableDnsHostnames - gives instances DNS names - enableDnsSupport - enables DNS resolution in VPC

Answer 79

- AZ resilient - Subnetwork of a VPC - w/in a particular AZ - 1 subnet =\> 1 AZ, 1 AZ =\> 0+ subnets (EXAM Q) - IPv4 CIDR is a subset of the VPC CIDR - Cannot overlap w/other subnets - Optional IPv6 CIDR (/64 subset of the /56 VPC - space for 256) - Subnets can communicate w/other subnets in the VPC

Answer 80

- Reserved IP addresses (5 in total) - 10.16.16.0/20(10.16.16.0 =\> 10.16.31.255) - Network address (10.16.16.0) - 'Network +1' (10.16.16.1) - VPC Router - 'Network +2' (10.16.16.2) - reserved (DNS\*) - 'Network +3' (10.16.16.3) - reserved future use - Broadcast address 10.16.31.255 (last IP in subnet)

Answer 81

- A highly available router - every VPC has one - Every subnet 'network +1' address - Routes traffic between subnets - controlled by 'route tables' each subnet has one - VPC has Main route table - subnet default

Answer 82

- Region resilient gateway attached to a VPC - 1 VPC = 0 or 1 IGW, 1 IGW =0 or 1 VPC - Runs from w/in AWS public zone - Gateways traffic btw VPC & Internet or AWS public zone (S3...SQS...SNS...etc) - Managed - AWS handles performance

Answer 83

1. Create IGW 2. Attach IGW to VPC 3. Create custom RT 4. Associate RT 5. Default Routees =\> IGW 6. Subnet allocate IPv4

Answer 84

Never touches the actual servers inside the VPC -IGW changes address of packet between instance and server

Answer 85

- Bastion Host = Jumpbox - Instance in a public subnet - Incoming management connections arrive there - Access internal VPC resources - Often the only way IN to a VPC

Answer 86

Intelligent to identify REQUEST & RESPONSE components of connection being related

Answer 87

Doesn't understand the 'state' of connections -Remember the 'response ephemeral ports', not well known APP port

Answer 88

NACLs filter traffic crossing the subnet boundary INBOUND or OUTBOUND - Connections w/in a subnet aren't impacted by NACLs - STATELESS; 1 x INBOUND & 1 x OUTBOUND

Answer 89

- Can be created for a specific VPC & are initially associated w/NO SUBNETS; result -\> ALL TRAFFIC IS DENIED - 1 INBOUND rule: implicit(\*) DENY - 1 OUTBOUND rule: implicit(\*) DENY

Answer 90

- STATELESS: REQUEST & RESPONSE seen as different - Only impacts data crossing subnet boundary - NACLs can EXPLICITLY ALLOW & DENY - IPs/CIDR, Ports & Protocols - no logical resources - NACLs cannot be assigned to AWS resources - only subnets - Use w/Security Groups to add explicit DENY(Bad IPs/Nets) - Each subnet can have ONE NACL(Default or custom) - NACL can be associated w/MANY SUBNETS

Answer 91

- STATEFUL - detect response traffic automatically - ALLOWED (IN/OUT) REQUEST = allowed response - NO EXPLICIT DENY......only ALLOW or implicit DENY - .....can't block specific bad actors - Supports IP/CIDR & logical resources - Attached to ENI's, not instances

Answer 92

- "SG source" is same as "anything with the SG attached" - Using "self reference" means "anything with this SG attached" - Scales w/ ADDS & REMOVES from the SG

Answer 93

Set of processes - remapping SRC or DST IPs - IP masquerading - hiding CIDR blocks behind one IP - Public IPv4 addresses are running out - Gives Private CIDR range OUTGOING internet\* access

Answer 94

- (Not publicly routable) Route table =\> NATE Gateway =\> VPC router = Internet Gateway/ Public Internet

Answer 95

- runs from public subnet - uses elastic IPs (static IPv4 public) - AZ resilient service (HA in that AZ) - For region resilience - NATGW in each AZ.... - ...RT in for each AZ w/NATGW as target - Managed, scales to 45 Gbps, $ duration & data volume

Answer 96

- NAT isn't required for IPv6 - all IPv6 addresses in AWS are publicly routable - Internet Gateway works w/ALL IPv6 IPs directly - Exam Q: NAT Gateways DON'T WORK WITH IPV6 - ::/0 Route + IGW for bi-directional connectivity - ::/0 + Egress-only internet gateway - outbound only

Answer 97

-Private Subnet (Internal Test) a. public part is added an 'authorised key' on SSH servers \<=\> Public Subnet (Bastion) a. no private key \<=\> Public Internet

Answer 98

-Private Subnet (Internal Test) a. private key remains on client at all times, authentication requests are forwarded \<=\> Public Subnet (Bastion) a. SSH client connects agent forwarding) \<=\> Public Internet a. ssh-agent service (ssh-add)

Answer 99

The Hypervisor has knowledge of the virtualization

Answer 100

Enhanced networking in EC2

Answer 101

- Virtual Machines (OS + Resources) - Run on EC2 hosts - Shared Hosts or Dedicated Hosts - Hosts = 1 AZ -AZ fails, Host Fails, Instances fail

Answer 102

Look for availability zones in answer

Answer 103

- Raw cpu, memory, local storage capacity & type - Resource ratios - storage & data network bandwidth - system architecture/vendor - additional features and capabilities

Answer 104

General purpose - default- diverse workloads, equal resource ratio Compute organized - media processing, HPC, scientific modeling, gaming, machine learning Memory Optimized - processing large in-memory datasets, some database workloads Accelerated computing - hardware GPU, field programmable gate arrays (FPGAs) Storage optimized - sequential & random IO - scale-out transactional databases data warehousing, elastic search, analytics workloads

Answer 105

- Instance family - "R" - Instance generation - "5" - Additional capabilities - "dn" - Instance type - "R5dn.8xlarge" - Instance size - "8xlarge"

Answer 106

- Direct (local) attache storage - storage on the EC2 host - Network attached storage - volumes delivered over the network (ebs) - Ephemeral storage - temporary storage - Persistent storage - permanent storage - lives on past the lifetime of the instance

Answer 107

-Block storage - VOLUME presented to the OS as a collection of blocks.... no structure provided. MOUNTABLE. BOOTABLE. -File storage - presented as a file share.... has structure. MOUNTABLE. NOT BOOTABLE. -Object storage - collection of objects, flat. NOT MOUNTABLE. NOT BOOTABLE.

Answer 108

IO(block) size X IOPS = Throughput - IO: 16k, 64k, 1MEG - IOPS: revolutions per second - Throughput: Rate of data, XX MB/S, "65 megabits per second"

Answer 109

- Block storage - raw disk allocations (volume) - can be encrypted using KMS - ....instances see block device & create file system on this device (ext3/4, fs) - storage is provisioned in ONE AZ (resilient in that AZ) - Attached to \*one EC2 instance(or other service) over a storage network - ....DETACHED and REATTACHED, not lifecycle linked to one instance...persistent - Snapshot(backup) into S3. Create volume from snapshot(migrate btw AZs) - Different physical storage types, different sizes, different performance profiles - Bill based on GB-month (some cases for performance)

Answer 110

-Volumes: 1GB, up to 16TB

Answer 111

- st1; cheap, throughput optimized - sc1; cheaper, cold HDD

Answer 112

- Block storage devices - Physically connected to 1 EC2 host - Instances on that host can access them - Highest storage performance in AWS - Included in instance price.... - only ATTACHED AT LAUNCH

Answer 113

- Instance store volumes are local on a EC2 host - Instance volumes are only added AT LAUNCH - Instance volumes lost on instance move, resize, or hardware failure - High performance - You pay for it anyway - included in instance price - INSTANCE STORE VOLUMES ARE TEMPORARY

Answer 114

- Persistence .. EBS (avoid instance store) - Resilience .. EBS (avoid instance store) - Storage isolate from instance lifecycle .. EBS - Resilience w/App in-built replication ... it depends - High performance needs ... it depends - Super high performance needs ... instance store - Cost ... instance store (often included) - Cheap = ST1 or SC1 - Throughput .. streaming ... ST1 - Boot ........NOT ST1 or SC1 - GP2/3 - up to 16,000 IOPS - IO1/2 - up to 64,000 IOPS (\*256,000) - RAID0 + EBS up to 260,000 IOPS (io1/2-BE/GP2/3) - More than 260,000 IOPS - INSTANCE STORE

Answer 115

- snapshots are incremental volume copies to S3 - First is a full copy of 'data' on the volume - Future snaps are incremental - Volumes can be created (restored) from snapshots - Snapshots can be copied to another region

Answer 116

- new EBS volume = full performance immediately - snaps restore lazily - fetched gradually - requested blocks are fetched immediately - force a read of all data immediately - fast snapshot restore (FSR) - immediate restore - up to 50 snaps per region. set on the snap & AZ

Answer 117

- customer managed; - EC2 instance \<=\> EC2 host (plaintext stored at rest) - aws/ebs; - EC2 instance \<=\> EC2 host (customer master key + data encryption key), ciphertext stored at rest, any snapshots created will share DEK

Answer 118

- Accounts can be set to encrypt by default - default CMK - Otherwise choose a cmk to use - Each volume uses 1 unique DEK - Snapshots & future volumes use the same DEK - Can't change a volume to NOT be encrypted - OS isn't aware of encryption....no performance loss

Answer 119

Primary ENI: - MAC address - Primary IPv4 Private IP - 0 or more secondary IPs - 0 or 1 Public IPv4 Address - 1 elastic IP per private IPv4 address - 0 or more IPv6 addresses - Security groups - Source/destination check Secondary ENI: -^^

Answer 120

- Secondary ENI + MAC = licensing - Multi-homed (subnets) management & data - Different security groups - multiple interfaces - OS - DOESN'T SEE PUBLIC IPV4 - IPv4 Public IPs are dynamic ... stop/start = CHANGE - Public DNS = private IP in VPC, public IP everywhere else

Answer 121

- LAUNCH : AMI -\> Instance; BOOT /dev/xvda DATA /dev/xvdf - CONFIGURE : Instance BOOT /dev/xvda DATA /dev/xvdf -\> customizations - CREATE IMAGE : Instance BOOT /dev/xvda DATA /dev/xvdf -\> AMI (referenced w/ block device mapping) - LAUNCH: AMI -\> Instance BOOT /dev/xvda DATA /dev/xvdf

Answer 122

- AMI =One region, only works in that one region - AMI baking .... creating an AMI from a configured instance + application - An AMI can't be edited ...launch instance, update configuration & make new AMI - Can be copied btw regions ( includes its snapshots) - Remember permissions .. default = your account

Answer 123

- On-Demand instances are isolated - Multiple customer instances run on shared hardware - Instances of different sizes run on same EC2 hosts (consuming defined allocation of resources) - Per-second billing while instance is running. - Associated resources such as storage consume capacity; all are billable, regardless of instance state

Answer 124

- Default purchase option - No interruption - No capacity reservation - Predictable pricing - No upfront cost - No discount - Short term workloads - Unknown workloads - apps which can't be interrupted

Answer 125

-When AWS sells unused EC2 host capacity for up to 90% discount; spot price is based on spare capacity at a given time

Answer 126

Never use SPOT for workloads which can't tolerate interruptions

Answer 127

- Non time critical - Anything which can be rerun - Burst capacity needs - Cost sensitive workloads - Anything which is stateless

Answer 128

Reservations are for 1 year or 3 year terms, you pay for the entire term - No reservation; full per/s price - Matching instance; reduced or no p/s price - Unused reservation; still billed - Partial coverage of larger instance

Answer 129

Customer pays for the host - Software licensing based on sockets/cores - Software host affinity links instances to hosts

Answer 130

- Shared; on-demand, no host exposure, per sec charges - Host; Pay for the host, no instance charges, capacity management required - Instance; you don't own, or share host,.....extra charges for instances, but dedicated hardware

Answer 131

- Ideal for long term usage which doesn't run constantly - Batch processing daily for 5 hours starting @ 23:00 - Weekly data, sales analysis, every Friday for 24 hrs - Doesn't support all instance types or regions. 1,200 hours per year & 1 year term minimums - 100 hours of EC2 per month

Answer 132

- Regional reservation provides billing discounts for valid instances launched in any AZ in that region - Zonal reservations only apply to one AZ providing billing discounts and capacity reservation in that AZ - Flexible but, don't reserve capacity w/in AZ - risk during major faults w/limited capacity - Full price & no capacity reservation - On-demand capacity reservations can be booked to ensure you always have access to capacity in AZ when you need it - but at full on-demand price. No term limits - but you pay regardless of if you consume it.

Answer 133

- Hourly commitment for 1 or 3 year term - Reservation of general compute $ amounts ($20 per hour for 3 years) - Specific EC2 savings plan - flexibility on size & OS - Compute products, currently Ec2, fargate, & lambda - Products have an on-demand rate & savings plan rate - Resource usage consumes savings plan commitment @ reduced savings plan rate - Beyond your commitment ... on-demand is used

Answer 134

- Each resize requires a reboot - DISRUPTION - Larger instances often carry a $ PREMIUM - Upper cap on performance - instance size - No application modification required - Works for all applications - even monoliths

Answer 135

- Sessions, sessions, sessions - Requires application support OR off-host sessions - No disruption when scaling - No real limits to scaling - Less expensive - no large instance premium - able to be more granular

Answer 136

- Horizontal: 1 BOB 2 BOB 4 BOB - Vertical: bob.small bob.medium bob.large

Answer 137

- EC2 service provides data to instances - Accessible inside all instances - http://169.254.169.254, always want the 'latest' 'meta-data' - http://169.254.169.254/latest/meta-data/ - Environment - Networking - Authentication - User-Data - NOT AUTHENTICATED or ENCRYPTED

Answer 138

- ECS cluster; Network O - Service definition(Container definition(Task definition, task role)) - Container definition: image & ports - Task definition: security(task role), container(s), resources - Task role: IAM role which the TASK assumes - Service: how many copies, HA, restarts

Answer 139

-ASG encompasses AZA & AZB, ECS handles cluster from Registry

Answer 140

- Serverless option - Container images uses Registry - Containers are hosted on Fargate Shared Infrastructure, no visibility of other customers

Answer 141

- If you use containers..... ECS - Large workload; price conscious: EC2 mode - Large workload; overhead conscious: Fargate - Small/Burst workloads; Fargate - Batch/Periodic workloads; Fargate

Answer 142

Network only (Fargate) EC2 Linux + Networking EC2 Windows + Networking

Answer 143

- Allows EC2 Build automation - User Data - accessed via meta-data IP - http://169[.]254[.]169[.]254/latest/user-data - Anything in user data is executed by the instance OS - ONLY on launch - EC2 doesn't interpret, OS needs to understand user data

Answer 144

-AMI -\> Instance

Answer 145

- Opaque to EC2... its BLOCK DATA - NOT secure - don't include passwords or long term credentials in it - User data limited to 16KB in size - Can be modified when instance stopped - ONLY EXECUTED ONCE AT LAUNCH

Answer 146

- IAM Role allows EC2 Service to assume it (IAM Role) - Credentials are inside meta-data - iam/security-credentials/role-name - Automatically rotated - always valid - should always be used rather than adding access keys into instance - CLI tools will use ROLE credentials automatically

Answer 147

- Storage for configuration & secrets - String, StringList, & SecureString - License codes, Database strings, full configs & passwords - Hierarchies & Versioning - Plaintext & cipher text - Public Parameters - Latest AMIs per region

Answer 148

- CloudWatch is for metrics - CloudWatch logs is for logging - Neither natively capture data inside an instance - CloudWatch agent is required... - ...plus configuration and permissions

Answer 149

- Cluster: Pack instances close together - Spread: Keep instances separated - Partition: Groups of instances spread apart

Answer 150

\*When you want to achieve the absolute highest performance possible in EC2 - Note: have to be launched into a single AZ - All members have direct connections to each other - Lowest latency and max PPS possible in AWS

Answer 151

- 10Gbps p/ stream - 5Gbps normally

Answer 152

-Same rack, sometimes additionally the same host

Answer 153

- Can't span AZ's, one only - locked when launching first instance - Can span VPC peers - but impacts performance - Requires a supported instance type - Use the same type of instance(not mandatory) - Launch at the same time(not mandatory, highly recommended) - 10Gbps single stream performance

Answer 154

Performance, fast speeds, low latency(high performance compute)

Answer 155

- Provides infrastructure isolation & resilience - .....each instance runs from a different rack - each rack has its own network and power source - 7 instances per AZ (HARD LIMIT) - Not supported for dedicated instances or hosts - Use case: small number of critical instances that need to be kept separated from each other

Answer 156

\*designed for infrastructure that has 7+ instances per AZ but you still need ability to separate those instances into separate fault domains -Similar architecture to spread placement groups

Answer 157

-Each rack has its own rack - no sharing between partitions

Answer 158

Instances can be placed in a specific partition, or auto placed -Only allowed up to 7 partition per AZ

Answer 159

Contains impact of failure to part of an application. Is also great for topology-aware applications including; -HDFS, HBase, Cassandra

Answer 160

-An EC2 Host dedicated to you Specific instance families include a1, c5, m5

Answer 161

No instance charges, you pay for the host -On demand & reserved options are available

Answer 162

Host has physical sockets and cores; 1. it dictates how many instances can be run on that host 2. licensed software based on physical sockets or cores, can utilize visibility of the hardware

Answer 163

Designed for a specific family & instance size.

Answer 164

- AMI limits - RHEL, SUSE Linux, & Windows AMIs are not supported - Amazon RDS instances are NOT supported. - Placement groups are not supported for dedicated hosts - Hosts can be shared w/other ORG accounts through the RAM(Resource Access Manager)

Answer 165

A featured used to improve the overall performance of EC2 networking. Required for any high-end performance features like cluster-placement groups

Answer 166

Enhanced networking using SR-IOV (SingleRoot-IOVirtualization). NIC is virtualization aware.

Answer 167

- No charge, available on most EC2 types. - Higher I/O & lower host CPU usage - More bandwidth - Higher packets-per-second(PPS) - Consistent lower latency

Answer 168

- EBS = Block storage over the network - Historically network was shared .. data & EBS - EBS optimized means dedicated capacity for EBS - Most instances support & have enabled by default - Some support, but enabling costs extra

Answer 169

- R53 Hosted Zone is a DNS DB for a domain - Zones are globally resilient (multiple DNS servers) - Are created w/domain registration via R53, can be created separately - Host DNS records (A, AAAA, MX, etc) - Hosted zones are the DNS system references - Authoritative for domain

Answer 170

- DNS DB (zone file) hosted by R53(public name servers) - Accessible from public internet & VPCs - Hosted on "4" R53 name servers specific to zone - use "NS records" to point to the NS - Resource records(RR) created w/in hosted zone - Externally registered domains can point at R53 public zone

Answer 171

- The same as a Public hosted zone.....just not public - Associated w/VPC's - Only accessible in those VPCs - Use different accounts supported via CLI/API - Split-view(overlapping public & private) for PUBLIC & INTERNAL use w/the same zone name

Answer 172

- CNAME maps NAME to another NAME - CNAME is invalid for naked/apex - with just CNAME - catagram.io =\> ELB would be invalid

Answer 173

- ALIAS records map a NAME to an AWS resource - Can be used for both naked/apex and normal records - For non apex/naked - functions like CNAME - There is no charge for ALIAS requests pointing at AWS resources - For AWS services - default to picking ALIAS - Should be the same "type" as what the record is pointing at - API Gateway, CloudFront, Elastic Beanstalk, ELB, Global Accelerator & S3

Answer 174

-If target of health check is healthy the primary record is used

Answer 175

* Supports **multiple records** with the *_same name_* * Supports up to 8 **healthy** records, *that are returned* * Improves **availability**; **NOT a replacement for _load balancing_** * Each record is independent & can _have_ an *associated health check* * records which **fail health checks won't be returned** when queried

Answer 176

* total weight (100) * ‘**0**’ weight means record is **never returned** unless all are ‘**0**’ then **all** are considered * each record is returned based on its **record weight** vs **total weight** * if chosen record is **unhealthy**, process of selection is **repeated** until **health** record is chosen

Answer 177

For simple load balancing or testing new software versions

Answer 178

* When you're trying to optimize for performance & user experience * AWS maintains a db of **latency** between users & **general location** and the **regions** tagged in records * routing supports **one record** w/**same name** ***in*** **each AWS region** * record that is returned is the one which offers the **lowest estimated latency** & is **healthy**

Answer 179

* Similar to latency, only instead of latency the location of customers and location of resources are used to influence resolution decisions * When creating records, you **tag the records with the location** * Four types: “continent”, “country”, “subdivision”, “default” * when user makes resolution request, IP check verifies location of the user Resolution request only returns **relevant records**

Answer 180

* Geoproximity aims to calculate the distance between the customer & the record, and return an answer with the lowest distance * Similar to latency policy however it **works on distance** * routing is **distance** based (including bias)

Answer 181

* “+” or “-” can be added to rules. * “**+**” increases region size & **decreases** neighboring regions * records can be tagged w/an **AWS region** or **lat** & **long** coordinates

Answer 182

* 2 jobs - **Domain registrar** & **domain hosting** * R53 can do **both, OR either** *domain registrar or domain hosting* * Accepts your money (**domain registration fee**) * allocates 4 name servers (NS) (**domain hosting**) * service creates a zone file (**domain hosting**) on above NS * service communicates w/registry of the TLD (**Domain registrar**) * sets NS records for domain to point at the 4 NS above

Answer 183

* ACID and BASE are DB **transaction models** * **CAP theorem - Consistency, Availability, Partition Tolerant (resilience) -** *choose 2* * ACID = **Consistency** * BASE = **Availability**

Answer 184

**ATOMIC, CONSISTENT, ISOLATED, DURABLE → RDS …..** *limits scaling* * **ALL** or **NO** components of transaction *succeeds* or *fails* * Transactions over from db from **one valid state** to **another** = *nothing in=between is allowed* * If multiple transactions occur at once, they **don't interfere w/each other**, each executes as if **the only one** * Once **committed**, transactions are **durable**. Stored on non-volatile memory, resilient to power outages or crashes

Answer 185

**BASICALLY AVAILABLE, SOFT STATE, EVENTUALLY CONSISTENT → DynamoDB\* ….** *consistency* * READ & WRITE operations are available ‘**as much as possible**’ but **without any consistency guarantees - kinda, maybe** * DB **doesn't enforce consistency**, this is offloaded onto the application/user * If we **wait long enough**, *reads* from the system will be **consistent**

Answer 186

* Access to the DB instance **OS** * **Advanced DB option tuning**….(DBROOT) * ….. vendor demands * *DB or DB version AWS don't provide…* * Specific *OS/DB combination* AWS don't provide * Architecture AWS don't provide (replication/resilience) * Decision makers who ‘**just want it**’

Answer 187

* **Admin overhead** - managing EC2 & DBHost * **Backup**/ DR Management * EC2 is **single AZ** * **Features** - some of AWS DB products are amazing * EC2 is **ON** or **OFF** - no serverless, no easy scaling * **Replication** - skills, setup time, monitoring & effectiveness * **Performance**…AWS invest time into optimization & features