Sunday, August 16, 2020

AWS Solution Architect Professional Notes

 AWS Solution Architect Professional Notes

Hi All, While preparing for AWS Solution Architect Professional course, I created notes for me and always used to revise the same before the mock test. It did refresh me on the topics and key points.
Thought of sharing it with others. Enjoy :)

Updated notes as per Re-certification in 2023:

Timeseries DB stores time series data
Traffic mirroring allows to track message content as well
Amazon Data Life Cycle Manager automates EBS snapshots backups
S3 Batch replication --> Copies S3 existing data to another bucket
S3 Replication controller --> initiates copies of new Objects in S3 to desired location
IAM Access Analyzer --> policy recommendations, warning, findings
IAM Credential report --> credentials, access token and etc 
AWS Config Conformance packs --> collection of config rules and remediation steps
Patch manager --> approve, reject patches to keep security up to date
AWS Backup: List of services below:


AWS Elastic Disaster Recovery (AWS DRS) minimizes downtime and data loss with fast, reliable recovery of on-premises and cloud-based applications using affordable storage, minimal compute, and point-in-time recovery.
AWS Migration HUB: provides recommendation for EC2 instance selection, migration strategy and modernization.
Snowcone HDD has 8 TB of usable storage while Snowcone SSD has 14 TB of usable storage.
AWS DataSync comes pre-installed on AWS Snowcone to enable simple, fast, secure, and cost-effective online data import or export between storage on Snowcone devices at edge locations and Amazon S3, Amazon EFS, Amazon FSx for Windows File Server, or Amazon FSx for Lustre file systems.
Snowball device --> Moves 80 -100 TB of data which gets shipped to S3 later.
Snowball Edge > 80TB. Comes with EC2.
Snowmobil migrate upto 100 PB of data.
AWS Transfer Family allows to SFTP/FTP data to S3 or EFS
AWS Application Migration Services

DataStores:
IOPS: How much read/write you want to per sec. Small data fast times.
Throughput: How large data you want to handle at a go. Large data 

ACID: 
Atomic: All or nothing.
Consistent: Data should be valid. Not corrupted.
Isolated: Write locks. One transaction mustn't mess with another.
Durable: Persistent.

BASE:
Basic Availability: Available though not latest info. Might be stale data.
Soft State: Not all data stores are updated at the same time.
Eventual Consistent: 
S3:
Max single object size: 5TB. One single Put is 5GB. Mutlipart upload over 100 MB.
If S3 Bucket Policy allows/deny a principal then access is granted/denied irrespective of IAM permissions. Resource policy takes precedence over identity based.
If Bucket policy has neither allow or deny then IAM policy is checked.
IAM role assumed access key are rotated in the background. Cross account recommendation is to use IAM roles and not bucket policy.

Glacier:
Archival storage. Comes with faster retrieval option as well.
Used by Storage G/W Tape Library for backup.
Abort a Glacier Vault under 24 hours or it's assigned to vault post that

EBS:
Snapshot lifecycle policy for volume and instance. Removes old snapshots as well.

EFS:
Can be mounted across AZs. Based on NFS File share. Use DataSync to  sync files from OnPrem to AWS to S3 or EFS as it's more secure.

FSx:
File Share Service Windows compatible. Non NFS. FSx for NetApp ONTAP, FSx for OpenZFS, FSx for Windows(SMB) and FSx for Lustre
FSx for Lustre is used for HPC workload. Has SSD for fast access and also S3 to backup less frequent objects.

Storage G/W:
File G/W: NFS and SMB. Allows OnPrem or EC2 to use S3 via Mount Points
Volume G/W: Async replication of OnPrem on AWS S3. Backup (iSCSI)
Volume G/W Cached mode: Frequent access objects cached on OnPrem and all primary data on S3 (iSCSI)
Tape G/W: iSCSI tape library

RDS:
MySQL replication is supported with InnoDB or XtraDB on Maria
StandBy instance have Sync replication whereas Read replicas have Async replication.

Aurora:
MultiAZ by design. AWS Managed Auto Scaling. Upto 15 Read replicas.
Global DB can have upto 5 secondary regions. Underlying storage blocks are replicated.
Serverless V2 allows to scale up memory, cpu & n/w capacity.

DynamoDB:
MultiAZ, key value store, cross region replication. GSI and local index

DocumentDB: 
MongoDB Compatible, noSQL DB, MultiAZ. Designed for JSON Data

Redshift:
Petabyte scale data warehouse DB. PostgreSQL compatible BI Integration. Parallel processing and columnar data storage.
Redshift spectrum allows querying data directly from S3. Better than Athena if you have multiple joins
Data lake is heterogenous data stored in common place and then allowing querying the same. For eg. Dumping data in S3 and using redshift spectrum to query and visualize the same using Analytics tool.

Glue:
Glue performs ETL. Serverless offering.
Glue Crawler --> crawls data from different sources --> creates Glue Data Catalog --> which can be consumed by EMR/Redshift/Athena or can be fed to Glue ETL Job --> to feed it to S3/Lake Formation/Redshift and CW


Glue Data Quality --> recommendations and pre-defined rules for data quality
Athena --> Petabyte scale analysis --> queries data from S3 --> Can also run apache spark code on athena. Based on Presto.

Neptune --> Fully managed Graph database. Ideal for social networking or product recommendation engine. Supports OpenGraph API for Gremlin and SPARQL

Amazon Quantum Ledger DB: Ledger DB.
Amazon Managed Blockchain: Supports open source Fabric and Ethereum frameworks

ElasticSearch/OpenSearch: Search engine and analytics service. Has fuzzy logic and part of ELK(ElasticSearch(Search/Storage) , LogStash (Intake) & Kibana(Analytics/View))

TCP is request and response(ephemeral ports)
UDP is just one way. Used for streaming data.
Upto 5000 transit G/W attachment is possible with a single TGW.

Placement Group:
Clustered: Placed in Same AZ
Spread: Spans Multiple Azs. Max 7 instance per group per AZ
Partition: grouped into partitions and spread across racks
Direct Connect:
OnPremise --> Cx Gateway (BGP routing) --> Direct Connect- --> Private VIF --> Virtual Private G/W --> VPC
OnPremise --> Cx Gateway (BGP routing) --> Direct Connect- --> Direct Connect G/W --> Transit G/W --> VPC
Direct Connect G/W can only connect to 3 VPC

Site to Site VPN:
Fastest way. IPSec Tunnel. OnPremise --> Cx Gateway --> IPSec Tunnel --> VPN Connection --> Virtual Private G/W --> VPC

Global Accelerator: Provides edge based Static IP to load balancer. Improves latency. Multi region failover

Route 53: DNS Service port is 53

Control Tower: Landing Zone, guardrails(SCP + Config rules) & Baseline( CFN Stacks). Enforce and manages governance rules in multi account setup
A landing zone is a well-architected, multi-account AWS environment that is a starting point from which you can deploy workloads and applications. It provides a baseline to get started with multi-account architecture, identity and access management, governance, data security, network design, and logging.

IAM Identity Center: Uses IAM role, AD Connector for AD and also has federated identity


Resource Access Manager is enabled at Organization level. Allows sharing of n/w and resources. Only share resources within same region.
RAM --> create resource share. Add managed policies for those resources.
CloudHSM: FIPS 140-2 Level 3 certified. Current CloudHSM is pay as u use. Single tenant.
KMS is FIPS 140-2 Level 2 certified. Few cases of level 3 


Rolling Update: Update the Auto Scaling to read a different version of launch template. And terminate old instances.
Swap environment URL of Elastic Beanstalk.
Clone stack in AWS OpsWork and update DNS

Code  commit is equivalent to Git
Code pipeline : Orchestration layer
Code build: compiles and packages
Code Deploy: Deploy packages to compute . AWS and on-premise
Cloud9 : IDE ..similar to Visual Studio
CodeGuru: Does code review and provide code recommendations. Connects to github, code commit, github enterprise server and bitbucket.
CodeStar: Deploys the whole project. Integrated with IDE, Code commit, pipeline and etc
CodeArtifact: looks like nexus repo

IoT Core: MQTT protocol connects to IoT devices.
IoT Analytics: Streams real time data from IoT devices. TimeSeries data.
IoT Greengrass: Provides local run of containers or lambda for inference on IoT devices.
IoT Sitewise: Analyze data locally as well and also upload to cloud.

Cannot sell Convertible RIs on Marketplace.
Global Accelerator ENIs that are created only allow traffic to and from AWS Global Accelerator service. They do not allow any type of broad access to the internet. 
DHCP Options: You can control the DNS servers, domain names, or Network Time Protocol (NTP) servers used by the devices in your VPC.
Amazon WorkSpaces Web is a low-cost, fully managed, Linux-based service designed to facilitate secure browser access to internal websites and software-as-a-service (SaaS) applications from existing web browsers.
AWS Budgets include the types of cost budget, usage budget, reservation budget and savings plan budget.
Using Simple Workflow Service was Amazons recommended method for human- involved workflows. However, Step Functions is now the preferred choice, as this requires less programmatic work to build workflows.
We can easily increase the size of an EBS from the console or the CLI (using modify-volume)
For RDS, Read Replicas require backups for managing read replica logs and thus you cannot set the retention period to 0. You must first remove the read replicas and then you can disable backups.
The Amazon S3 File Gateway enables you to store and retrieve objects in Amazon Simple Storage Service (S3) using file protocols such as Network File System (NFS) and Server Message Block (SMB). Objects written through S3 File Gateway can be directly accessed in S3.
AWS recommends using AWS Directory Service for Microsoft Active Directory if you want to establish a trust relationship with on-prem directories that have user bases more than 5,000.
CloudFormation has an optional Conditions section that contains statements to determine whether or not entities should be created or configured. Then you can use the "Fn::If" function to check the condition and return different values.
AppStream is a way to deploy an application on a virtual desktop and allow anyone with a browser to use the application.

Source platform Target platform Migration approach
VMware vSphere 6.0+ VMware Cloud on AWS 6.5+ VMware HCX
VMware vSphere AWS native VM Import

Existing VM vSphere can be migrated to VMWare AWS using vMotion or VMWare Hybrid Cloud Extension (HCX)
Application Migration Service or Cloud Endure Migration. Server Migration Service.

https://docs.aws.amazon.com/whitepapers/latest/overview-aws-cloud-data-migration-services/cloud-data-migration-challenges.html




Migration Strategies:
Re-Host: Lift & Shift. Move On-Prem MySQL to EC2 on AWS.
RePlatform: Lift & ReShape. Migrate onprem MySQL to RDS MYSQL
RePurchase: Drop & Shop. Migrate onprem CRM to Salesforce.com
ReArchitect: ReDesign app. Serverless
Retire: Get rid of app
Retain: Do nothing. Continue

Migration HUB: For tracking and dashboard migration activities. Migration HUB uses Appln Discovery Service
Application Discovery Service: Agent based discovery of workload. Encrypted data transfer. This is Just Discovery!
Application Migration Service(MGN)  : Does the actual migration of onprem Linux and Win servers to Cloud. MGN Agent is installed on VMs. Sets up staging server with test instances and then does a cutover. Replicates source servers on AWS.
Note: MGN is also a good choice for region to region migration.

Every new block read from a freshly restored EBS volume must first be downloaded from S3. This is because EBS snapshots are saved in S3. Remember that EBS snapshots are incremental in nature. Every time a new snapshot is taken, only the data that changed is written to that particular snapshot.
Redshift is optimized for analytical queries rather than high-volume data ingestion. It would be better to first load the data into S3 and then perform data transformations into Redshift.
Unfortunately it is still not possible to store Application Load Balancer access logs in an S3 bucket which is encrypted using SSE-KMS



Compute Optimizer: Can run on single account for whole organization. Runs ML to give recommendations on rightsizing(over and under provisioned)
Compute Optimizer works with EC2, EBS, Lambda and ECS Fargate.
Kinesis records can hold upto 1 MB of data. Retention period of default 24 hrs max 365 days. One shard is 1000 writes request per sec. Have more partitions to have more shard
Kinesis Data Streams: Streaming data ingestion
Kinesis Firehose: Persist data to different destination S3, Splunk, Elasticsearch, Redshift
Kinesis Data Analytics: Does the analytics on the go.
DynamoDB capacity: 1000 WCU or 3000 RCUs. Partitions decided by WCU/RCU calculations or Size (10GB for 1 partition).



IAM identity center is used for AuthN SSO via Browser mode only.
Cross Account Access with resource based policy doesn't need Principal to give up his access in base account.
Public VIF with Direct Connect allows to access AWS resources.
Use trusted-access to enable a service as Trusted service to be shared via RAM enables-sharing-with-aws-organization
Kinesis Producer Library is used to send data to Amazon Kinesis Data Streams.
Amazon RDS doesn't support certain features in Oracle such as MultiTenant DB, Real Application Clusters(RAC), unified Auditing, Database vault and etc. We need to use EC2 in such cases.
Reserved concurrency prevents lambda to use unreserved pool of concurrency limit available.
AWS Cloud Adoption Readiness Tool (CART) develops efficient and effective plans for cloud adoption
Use DMS service even for migration DB to EC2 on AWS.
Cloudfront Signed URLs are for single file. Cloudfront signed cookies is for multiple files.
Elastic Beanstalk deployment mode support is for all-at-once, rolling, rolling with additional batch and immutable. Immutable keeps existing stack as-is.
Aurora Auto Scaling is for Read Replicas.
DynamoDB Reserved Capacity units purchase to lower the cost.
For Centralized rule-based filtering with Network Firewall , you need Transit Gateway to act as N/W hub.
AWS AppSync allows to connect to Data sources such as DynamoDB, AWS Lambda with GraphQL APIs
Security HUB integrates with Macie, guard duty, config, inspector, firewall manager. Also integrates with 3rd party security solutions over marketplace. It generates recommendations as well.
N/W Firewall is Intrusion Detection and Prevention service


Firewall Manager allows firewall rules setup across organization. Standardize security tools such as WAF, SG, N/W Firewall across accounts.
Amazon WorkSpaces provides the complete VDI setup. AppStream just provides services/resources via browser..used for Application hosting.
Amazon worklink proxies internal applications on internet. Amazon AEA App.
Amazon comprehend does sentiment analysis of text input. Social media 
Amazon forecast. Forecast data based on timeseries.
Amazon Lex for Chat/Conversational 
Amazon Personalize builds recommendation engine based on behavioral and geo data
Amazon polly: text to speech
Amazon transcribe: translation of video ..subtitles.
AWS config rules can be used to check if tagging is done or not.




Starting with Few Important components/services:

 

EBS is persistent storage ideal for database, file system.

EBS is made fault tolerant by creating snapshot. To have snapshot consistent, stop the instance or flush memory

Backup strategy

Retention period of snapshot.

Snapshots are stored in S3.

Snapshot needs to be copied in other region and then volume can be created out of it.

EBS volumes are AZ specific.

 

Note: DR strategy for all DBs are around snapshot creation and creating DB in another region.

 

 

Resilient: handle exceptions, graceful handling

Modular: High Cohesion (keeping similar kind of entities together + low coupling)

AWS Step Functions for Orchestration

Use SQS or messaging/aync functions to decouple services

 

ELB and ASG: Regional services. If EC2s in different region, use R53.

Mulitple AZs to be used for fault tolerant.

 

DR Approaches

-Backup & Restore (Slowest + low cost)

-Pilot Light: only few critical components are on cloud

-Warm Standby: Smaller env with all processes

-Multi Site (fastest + highest cost)

 

With a S3 Stored Storage G/W Snapshot, we can launch an EBS volumes or another storage g/w on an EC2

Storage G/W can also provide TCP data for EC2 on AWS

 

S3: Object storage (photos, videos, files). AMI, snapshots are stored in S3. By default, multiple AZs, cross regions.

RDS: Multi AZ , read replicas. Automatic backups. Transactional logs are stored in RDS with logs 5 mins back. RDS DB Snapshot (manual backup)..no transactional logs

Multi AZ has synchronous Slave for a Master for Multi AZ RDS.

 

Consolidated Billing: (AWS Organizations)

Turn off sharing of RI instances

Master account is called Payer account.

AWS budget uses cost explorer.

 

Redshift doesn't work with spot instances.

 

AWS Organizations:

Creates a Root account which would have OUs or individual account under it. Root is a logical entity.

OU is an container of OU and accounts. OU can only have single parent.

An account can be member of only one OU.

Only 1 Master account which is the Payer account. Single payer account. Logging, control.

All other accounts are member account.

Service Control Policies

AWS Organizations is eventually consistent to replicate settings to all regions.

SCP has no effect on the Master/primary account. Apply SCP at OU level.

AWS organizations allows us to have common LDAP services, shared services.

AWS Organization creates service linked role for Master account with member account.

 

RTO: Recovery Time Objective- Time taken to restore service after crash.

 

File G/W: Files are stored in S3.

 

Storage Gateway: is Block storage. You take snapshot which is copied to S3. Create ec2 from that snapshot. iSCSI interface is placed on on-prem and interface interacts with AWS Storage Gateway service in AWS. Storage G/W is for backup…store.

Volume G/W:

Cached Volume G/W would cache frequently access data on-prem and rest of the stuff on AWS.

Stored volumes: on-prem has main set of data which gets backed-up on AWS asynch

 

Glacier: Lowest cost storage. Retrieval times needs to be considered.

 

Snowball: If data takes more than 6-7 days to transfer/copy , use snowball.

VM Import/Export to S3 is free of cost by AWS.

 

CloudFormation:

Works as Infra as Code. Template creates a Stack.

Change set is created based on delta based on template update.

Resources must always exist in Cloudformation template.

Naming conventions for "Type": AWS::Name of the service: :Instance

Conditions is how you control the template.

Intrinsic functions can be used in Resources, metadata,  outputs and update policy attributes.

GetAtt, Ref, FindInMap, GetAZs, ImportValue are few intrinsic values.

CreationPolicy: injects dependency on other resource creation. waitCondition: allows template to wait/delay for creation on policy.

Delete Stack Template would delete all the components created.

Deletion Policy attribute: For DB, snapshot or deletes.

Nested Stacks: reuse common templates. For eg. ALB

 

Elastic Beanstalk:

Least control on Infra. OpsWork sits in middle . CloudFormation highest control on Infra

Beanstalk created EC2 doesn't have EC2 volumes backedup (ethereal storage). So, do not create RDS with beanstalk

Beanstalk focuses on Application. An application version points to S3 which has the deployable code. (war, ear, jar, zip)

Environment (runs one application version)

Beanstalk runs an Agent Host Manager on EC2 for application monitoring, log files rotation and publishing logs to S3. Only available with Beanstalk.

Packer open source tool use to create AMI.

Single container/ multiple container docker image.

Beanstalk creates S3 bucket with beanstalk-region-accountid

Beanstalk allows custom web server deployment.

 

AWS Ops Works: Deploying and monitor instances, ALB, DB and application. You CANNOT change region of the stack once created.

Chef : Configs are universally applied.

Cookbook : Contains the configs and instructions called recipes.

Recipe: written in Ruby is set of instructions abt resources and their order.

Stack needs region and operating system (win or linux). Can have multiple layers.

Layers work on same set of instructions. Each layer has its own recipes.

Ops Work Lifecycle: Setup, Deploy, Configure, UnDeploy and Shutdown

Instances: OpsWork installs the agent on instances.

Instance type: 24/7, Time based & load-based.

When communication between OpsWork and OpsWork agent on instance breaks --> Auto healing starts

OpsWork doesn't support Application Load Balancer..only classic.

OpsWork supports CloudTrail logs, event logs and chef logs.

Only 1 CLB per layer in Stack.

 

AWS Config:

Helps in audit, maintenance and compliance

Overall view of resource.

Configuration item is created whenever a change is recorded on the resource.

History is collection of items. Stored in S3 and SNS.

 

AWS Service Catalog: creates Portfolio which uses cloudformation

Product is application. Catalog is collection of products. Products are delivered as Portfolios.

Service catalog has constraints which restricts cost and components.

Launch, notification and template constraints.

 

Cloudwatch:

Metrics are Data points created regionally.

Namespace is container for cloudwatch metrics.

Alarms: OK, ALARM & INSUFFICIENT DATA

Period ( in seconds), evaluation period ( no. of datapoints/ per period), datapoints to alarm: how many datapoints to raise alarm.

Alarms can trigger EC2 actions, ASG or SNS actions..NO LAMBDA or SQS

Empty Log stream retention period is 2 months only.

Log retention from 1 day to 10 years. Logs are stored indefinite.

Cloudwatch logs insight needs JSON based events.

Encryption and metric filters are applied at Log Group level.

Unified cloudwatch agent: works with windows as well. Faster than old one.

Cloudwatch logs --> kinesis, kinesis streams or lambda (real time)

Cross account logging possible

Aws events can be shared with other aws accounts.

Synthetics: Canaries scripts tries to mimic Customer actions. Checks API latency and endpoints.

ServiceLens: integrated with Xray to provide end to end view of application.

 

Systems Manager:

Needs ssm agent to be deployed and running on host.

Actions: run command, session manager, patch mgr, automation, state mgr

Maintenance window

SSM resource groups are collection of resources in a region

State manager to run scripts on a recurring basis, patch updates, software updates

Amazon QuickSight for visualization

Resource DataSync syncs data from multiple accounts.

 

Symmetric key better than asymmetric keys

CSR Request --> X509 Types --> private key --> certificate chain

CSR should have CN (FQDN), Country and etc

PEM format (Privacy Encoded mail)

SSL or Session Keys are generated for the session only

 

AWS VPC:

5 IPs of every subnet is reserved. First 4 and last.

1st - base n/w

2nd- vpc

3rd - router

4th - future use

5th - last ip

 

VPN setup over internet ipsec based is fastest to achieve connection with on-prem. Performance could be slow. VPN has option of static and dynamic routing.

Direct connect only supports BGP Dynamic routing.

10 customer G/W can connect to 1 VGW (Soft limit) through ipsec tunnel

BGP is Dynamic Routing Mechanism

Autonomous System Number (ASN) ( Eg. Customer G/W and AWS G/W) used by BGP

LAG (Link Aggregator Groups) joins the links together as one. The links must be of same bandwidth.

BGP Communities for routing preferences.

Route table needs to point to VGW. There's no target with direct connect or vpn.

BGP prefers Direct Connect over vpn site to site

Static route is preferred over BGP (Dynamic)

Longest subnet mask is preferred ( /24 over /16)

From customer g/w to vpc, we need to configure local preference or route for BGP

Direct Connect G/W is a global resource and is not linked to a single region. This cloud be attached to multiple regions VGW.

You can ONLY attach one VGW with one Direct Connect G/W.

Private or public VIF could be max 50 per direct connect.

Cannot have more than 4 Dedicated connections per LAG. 10 LAGs per Region.

200 Direct connect gateways per account.

Inter region peering is allowed.

Transit gateway are regional resource. Direct connect g/w is Global.

Transit G/W attaches a VPC or VPN. Doesn't connect to Direct connect

Enhanced EC2 networking -IOPS - SR I/OV- Low latency- HVM AMI

Spread placement group provides Distinct underlying hardware. Max 7 instances each AZ.

NAT G/W is per AZ.

EC2 creates ENI primary by default. ETH0 types

Interface endpoint is an ENI entry.

 

Load Balancer:

NLB supports TCP and TLS

handles million of request

access log, cross zone LB are disabled by default

lambda as target type not supported for NLB

if instance id is the target type, ec2 instances get the client ip directly

in case of IP address, we need to use proxy protocol

microservices works with IP address

 

Proxy protocol enables actual client headers to be sent ahead (Only for TCP /layer 4)

For https/http, use x-forwarded- for header

ELB is region specific

Non standard webserver health check should be done with TCP instead of http

Session affinity/stickiness is cookies based

ELB doesn't support 2 way authentication over HTTPS. Client side certificates are not checked.

TCP would allow via proxy protocol settings .

ALB supports Server Name Indication (SNI) certificates (multiple certs pointing to same IP). CLB doesn't support SNI.

Re-resolving of DNS is important for ALB to respond correctly. Caching caches IP

Access logs are disabled by default. Details of client, protocol and etc.

API calls are in Cloudtrail.

100 rules per ALB

One Target Group Can only be attached to one Load balancer.

Target of target group can be ec2 instance, ecs application, Private IP address or one lambda function.

Cannot register the IP of another ALB in same vpc as target.

On-prem instance's IP address can be used as well as same ip address with different ports (microservice).

 

DNS:

CLB/ALB/NLB, CDN, S3 are routed using DNS. IPs can change so use Alias record.

Cannot create CNAME for apex/naked domain name.

Routing policy: Simple, failover , geo-location, latency, weighted routing policy.

Weighted routing policy has weights defined from 1 -255

No health check would be treated as healthy target. Evaluate target health no would not care about health check.

About 8 recordset as part of multi-value answer r53 policy

R53 Resolvers: (regional service)

Inbound(on-prem to AWS) and outbound (aws vpc to on-prem)

Internet resolver is created by default.

 

CloudFront:

Global service - not regional

PCI DSS and HIPAA compliant

For dynamic content loading, ttl =0 and use query strings

Streaming distribution is RTMP CDN, progressive/download is web distribution

Rtmp is for adobe media server streaming

CDN cache get and head type request

Signed URLs , cookies and object access identifier

URL should have valid end date and time for validity

Cloudfront Access logs needs to be enabled

Cannot use signed urls or cookies if existing url uses expires, policy, signature, key-pair-id

TTL Cache keeps sending GET/Header call to Origin with a flag isModifiedSince

Default TTL is 1 day 86400

S3 bucket only allow http connection. No https

Server Name Indication (SNI) for multiple certificates . SNI should be supported by browser.

Chunk encoding is supported by Apple HLS (HTTP live streaming), Adobe http dynamic streaming (HDS), Microsoft smooth streaming

Use elastic transcoder to convert video to HLS.

Signed cookies better choice than signed URLs for media streaming.

Signed URLs are more appropriate for static content.

RTMP should have only S3 bucket as origin and should also have web distribution for media player

Cloudfront viewer reports --> user location, devices, browsers

 

Compute:

AutoScalingGroup:

PCI DSS compliant

One EC2 instance can be part of only one ASG

Instance states -> pending, health check --> in service --> terminating --> terminated

In service to standby or detaching state

Regional component

Merge ASG only via CLI

Suspend ASG policies to troubleshoot EC2s

 

VMs concept: Traditional approach is Physical H/W --> OS --> Apps

VMs: Physical H/W --> hypervisor --> VM (OS + Apps) ..supports diff OS

Containers: Applications and binaries (libraries) are packaged together

Docker has application, libraries and runtime.

 

ECS -> Task Definition --> Docker Image

Kubernetes is container management system

Docker Enterprise Edition is also container management system used by ECS

Fargate launch type --> serverless container

AWS Glue is for ETL.

ECS is regional service

Task Definition can have upto 10 containers defined

Create Task Definition (max 10 containers) --> create service (no. of tasks required) --> run the service --> creates tasks which are running containers --> accessed by ENIs

Container agent runs on every container which is EC2 type and reports running tasks and resource utilization.

Clusters are region specific. Can contain both EC2 and Fargate launch types.

ECS Service is kind of ASG. Runs behind a ALB

Only one LB/TargetGroup per Service

AWS doesn't recommend one CLB infront of multiple services.

Mapping of container port to host port is dynamic port mapping in alb

If host port is 0 then it becomes dynamic host port

 

Lambda:

Trigger based. Passes events. S3, SNS, API triggers.

Configuration for lambda: Memory (128 -3 gb), Maximum execution time (3- 900 sec), IAM execution role.

Networking of lambda would need the vpc, subnets and security group

Invocation of Lambda:

Event sources: SNS, S3, Dynamo DB and etc

Https/ rest: API Gateway backend

Aws sdk: codes to call lambda

Events: scheduled or cron job with lambdas

Event source mapping is done for lambda triggers.

Event sources (S3, CDN) maintains the mapping for lambda

But streams based (Kinesis and DynamoDB) are maintained at lambda

1000 concurrent execution for lambdas per region

AWS layers is zip packaged with runtime, libraries and code.

For Async lambda, the function retries twice.

Dead Letter Queue is configured to handle the lambda async responses.

Stream based polling will stop the lambda processing if there's an issue.

SQS based polling would return the message in the queue if not processed and would be available in the queue after visibility timeout

Lambda@Edge needs to be created in us-east-1. Assign upto 4 lambda on CDN

Also used for http redirect, auth functions

API Throttling is ..how many get/put request being allowed per sec. after that http respoce 429 is returned.

API GW Caching is chargeable per gig of storage

API GW Proxy integration passes the client info to backend system

AWS SAM is based on cloud formation for serverless application

AWS Batch uses containers to run

Batch --> Job --> Job Definition --> Job Queues --> Priorities

 

 

 

Storage Service:

5GB file upload needs multipart. Upto 5TB

Once version is enabled on S3 , it cannot be disabled only suspended.

Delete marker if file is selected not version

 

Storage Classes:

S3 Standard --> highly durable. Suited for frequent access

RRS (Reduced Redundancy Storage) is not recommended and is on demise path

 

Infrequent access, IA_One Zone. Suited for infrequent access

 

Intelligent tiering. Expensive then IA

 

Glacier -> suited for archival. Retrieval time is upto 5 mins with special provisions

Glacier deep archive needs 12 hours

 

IA, IA_One_Zone and intelligent tiering have minimum storage for 30 days and size of 128kb

Glacier for 90 days and deep archive for 180 days

Glacier by defaults encrypts data being stored.

Data cannot be uploaded directly via console into Glacier

Not to use Glacier when we have real time data retrieval or frequently changing data

S3 Static hosting URL : bucketname.s3-website.region.amazonaws.com

For S3 Pre-sign URL: from CLI, aws s3 presign --expires-in (secs) s3 location of file

S3 not suited for dynamic data, or long archival (Glacier) data

S3 Object replication also copies metadata, ACL and object tags. Supports Cross Region as well as Same region replication

Delete marker not replicated

AES 256 Encryption is also called SSE S3 .

S3 allows 3500 requests per sec for PUT, COPY, POST and DELETE

5500 for GET and HEAD per prefix

Amazon s3 and glacier select to query s3 data

EBS Backed EC2 volumes. Instance store is ephemeral.

Instance store provides higher IOPS.

For snapshot of root volumes, stop and take snapshot. Cannot detach root volumes

Redundant Array of Independent Disks (RAID) volumes.

RAID 0 has the best IOPS performance. RAID1 has redundancy. RAID10 is mix of both

EFS follows NFS protocol. Shared by multiple EC2s in a VPC

Mount targets for EFS are ENIs. ENI to be created per AZ not per subnet

EFS Suited for BigData and Analytics (high throughput, readafterwrite consistency and low latency operations)

Media processing workflows (video and audio), Content management (web serving)

And home directories

EFS allows 2 storage class (Standard and Infrequent Access) both highly durable but retrieval charges higher in IA storage and cost of storage is less.

EFS lifecycle policies shift files from Standard to IA. File metadata always stored in Standard.

NFS Port 2049 should be allowed for EFS

EFS mount points are created on EC2 instances for sharing

AWS Backup Service used to back EFS data

AWS DataSync to help migrate data from on-prem to EFS or EFS to EFS

Open after close consistency and strong consistency

Performance modes: general purpose (low latency) and max i/o. cannot change once created

Burst and provisioned throughput modes

FSx Windows File Server supports windows and linux mode. Supports SMB(Server Message Block) windows  and CIFS(Common Internet File System) protocol.

EFS supports only Linux whereas FSx supports Windows as well. Needs AD Integration for win

SMB port for TCP/UDP 445, RPC at 135

FSx also works with ENI

FSx Lustre is High Performance Computing, distributed, low latency,

Works with linux servers. Needs fsx client to be installed on the linux servers with mount for lustre

Not a repo to store long term data..use S3.

port 988 to be opened for FSx Lustre. No data replication or Multi AZ support for Lustre

 

SQL Database:

RDS allows Multi AZ synchronous replication and standby instance

Use provisioned iops for multi AZ setup

Loss of primary DB, patching, ec2 or ebs failure would lead to Failover

RDS Failover happens using DNS name

Automated backups are taken from StandBy Instances

RDS Read Replicas are created from primary instance for read operations and data is copied asynchronously.

Read Replica can also be Multi AZ.

Aurora read replicas are synchronously replicated. No standby.

Separate storage and compute for Aurora. Read replicas can be promoted to Primary

Aurora supports PostGreSQL and MySQL

Cluster endpoint is connected to Primary DB. Gets updated incase of failover.

Reader endpoint --> load balances to all reader replicas

Instance endpoint --> direct connection to instance

Custom endpoint --> logical grouping created by user

Aurora can have 15 read replicas. ASG should have at least 1 replica.

Aurora failovers to read replica

For Encrypting Aurora Cluster, we have to take a snapshot and create cluster from snapshot and choose Encryption.

Aurora Global DB: Primary in one region and secondary (read only) in another region. Secondary has 16 Aurora Replicas for readonly

Aurora MySQL can query data from S3 directly

5 Cross Region Read replicas MySQL

Cross region replication happens when clusters r publicly accessible

Aurora DB has Multi Master clusters. Master has read/write both

Aurora serverless works with Aurora Capacity Units..combo of vCPU and Storage

Aurora serverless a good option for reporting or unpredictable loads

Supports only 1 AZ

 

ElasticCache:

In memory data. Reduces read workload

Has EC2 clusters running in backend. Automatic failover happens

Memcached - plain cache..no DB

Redis - noSQL DB

Memcached is not persistent. Good for stateless app transient data

Doesn't support MultiAZ. No encryption support.

Redis: multiAZ, persistent, snapshotting of cache. Supports Pub/Sub.

Copying Redis snapshot to different region needs copying snapshot in s3 and moving it in that region

Have 2 nodes in Redis Cluster with Multi AZ setup for Automatic Failover.

Complex data operations

 

Dynamodb:

Supports 3 AZ  replication of data

Max 400KB datatype storage

Partition storage back by SSD drives.

Global Secondary Index can be any 2 attributes

GSI has separate storage

Local Secondary Index needs to be with same Primary Key (type and name)

DynamoDB backups cannot be copied to other regions

DynamoDB restore happens to new table

DAX (DynamoDB Accelerator ) for caching micro seconds response

DAX deployed in VPC. Runs in clusters with 9 read replicas and 1 primary

DAX TTL is 5 mins

DynamoDB streams are stored for 24 hrs

TransactWriteItems and TransactGetItems commits or fails all

Sparse indexes doesn’t copy GSI data if value of sort key is empty

 

Analytics:

Redshift: OLAP DB for Data Warehousing purpose.

AWS Managed. DWH solution for structured data (RDBMS).

Supports replication. Doesn't support huge real time streams ingestion.

Columnar data storage. Min 160GB size

Snapshots stored in S3. Retention 0-35 days

Redshift supports single AZ

 

Athena:

Queries S3 using SQL kind statements. AWS Managed.

Integrated with QuickSight for visualization support.

For fast retrieval , store data in columnar fashion using EMR. (Apache Parquet & ORC)

 

Kinsesis:

Streams of data. Multiple sources sending KB /MB of data.

Kinesis is AWS managed. Terabytes of data per hr

Kinesis stream take the data real time and convert them into shards.

Data from stream can be sent to dynamodb, S3 or redshift

Kinesis stream retention by default is 24 hrs

Replicates synch across 3 Azs

 

Firehose:

Firehose takes streams of data (logs, IoT or Kinesis streams) as the input and delivers the streams to services such as S3, ElasticSearch, Splunk and Redshift

Firehose also transforms the data. Encrypts, compress and batch is also available.

For sending streams to Redshift, first send the streams of data to S3 and then transform

 

Kinesis Analytics:

Used for running analytics on streams data. Allows running queries to your streams data

 

EMR (Elastic Map reduce):

Uses hadoop framework with EC2 (clusters) and S3(store input and output).

EMR is used for web indexing, data mining, machine learning, bioinformatics etc

Apache Hive is for DWH, hBase is distributed DB, Spark is compute engine and Apache Hadoop is Software

Hive is used for Querying the DWH using Hive QL.

Pig is used for Analytics ..Pig Latin

EMR has Master node (distributing load. Has software and hbase DB)

Core node..used in Multi node setup. Has software and hbase DB..no distribution logic

Task node..optional component. Only has software..apache hadoop..no persistence. Spot instanc

EMR runs cluster in single AZ.

EMR is not for real time ingestion..use kinesis. It needs S3 to store the input data.

Kinesis connector allows ingestion of streams data into EMR using Hive QL or Pig script

 

AWS DataPipeLine:

Orchestration which allows on-prem and cloud operations. Moving data and tansforming.

Task Runner: Needs to be installed on computes (on-prem VMs or EC2 or EMR Clusters). Communicates with the Pipeline

Data Nodes: Specifies the input and output data nodes. SQLDN, RedShiftDN, DynamoDBDN

Database supported: RDS, DynamoDB and JDBC

 

Quicksight:

DataSources --> DataSets (transformed data) --> Analyses -->Visuals --> Dashboard

SPICE is the engine for Quicksight. Superfast Parallel InMemory Calculation Engine

Import the data into SPICE

 

GLUE:

Fully managed ETL service. Glue Crawlers, Job Authoring (Transform), Job Execution

Glue Data Catalog: Central repo for storing metadata

Glue Crawler connects to datasource and identifies the type of DS and populates Data catalog

Use Glue when needs to run ETL with S3 and query using Amazon Athena and Redshift Spectrum

Glue is based on Apache Spark..unlike Data Pipeline (EMR)

 

Kinesis Video Streams:

Intakes streams of data from video, images producers and sends it to EC2s

Usecase: need to stream videos to many devices real time

Put media supports only mkv format

 

AWS X-Ray:

Helps in tracking operations of distributed applications.

Has a trace ID. Segment

Not an audit or compliance tool

X-Ray Agent- installed on service to send traces. EC2, ECS, Lambda

X-Ray Group is group of traces to generate service graph

 

Security:

IAM Role: Assumes permissions using STS for the policies attached.

Resource based policy: allows to have cross account policies without IAM roles being compromised

Service Role: role specific to services. Have permissions defined

S3,Glacier, SNS and SQS allows Resource Based Policies

 

AWS STS: Secure Token Service to grant temp credentials to trusted users.

Assume role : using IAM roles

Assume role SAML: SAML 2.0 Identity Provider..corporate AD

Assume role with WebIdentity: OIDC web identities such as Google, FB

GetSessionToken:  used for MFA

GetFederationToken: used by IAM users

 

For Web identity federation login, register as a developer with IDP. You'll get a developer id

Register ur application with these IDPs to get an application id. Create roles for them

OIDC ID from IDP as trust

 

SAML 2.0 IDP. For enterprise based AD login

AssumeRoleWithSAML call includes ARN of IDP XML, ARN of role requested and SAML assertion from IDP (ADFS)

AWS Signin URL: https://signin.aws.amazon.com/saml

Identity Broker calls GetFederationToken directly to STS

 

Active Directory Services:

  1. AWS Microsoft AD: Suitable for a fresh AD setup.
  1. AD Connector: connect to on-prem AD for AWS services. Existing
  2. Simple AD. Good if we have users less than 5000. Samba 4 AD

 

AWS Microsoft AD supports Simple Edition (upto 5000 users/30000 objects) and Enterprise Edition (upto 500K objects).

This is only setup compatible with RDS Microsoft SQL DB.

For authentication via AD between AWS and on-prem, we need VPN setup. Direct connect is not encrypted but VPN is.

 

AD Connector is a proxy service for on-prem AD setup.

 

Key Management System:

AWS KMS is FIPS compliant. Cloudtrail monitors the usage

KMS is Global but keys are regional

CMK is used to create Data key which is used for encrypt and decrypt

Customer Managed CMK and AWS Managed CMK (S3 default)

CMK keys have key policy to decide user permissions

GenerateDataKeyWithoutPlaintext

AWS Server Side Encryption: SSE-S3, SSE-C & SSE-KMS

SSE-S3 is free

Header x-amz-server-side-encryption:aws-kms

Data key/volume key/object key are all same

Glacier automatically encrypts data at rest with AES 256.

Storage G/W uses SSL in transit

EMR uses SSE-S3 while copying data in S3

RDS optionally uses AWS CMK to encrypt

 

Cloudtrail:

CloudTrail trail can be created to send trail logs to S3 bucket

Cloudtrail logging for all regions is sent to one S3 bucket

Allows 5 trails per region

Stores 90 days of data

Cloudtrail to S3 is SSE-S3 encrypted

Cloudtrail can be configured to receive logs from different AWS account

For putting the logs in S3 from different account, use bucket policies

For reading the logs in S3 from different account, use IAM role

Limit access to S3 bucket storing cloudtrail logs. Provide readOnly and MFA

CloudTrail allows log integrity check using SHA 256 hashing and digital signing.

 

DDoS: Distributed Denial of Service Attacks

Attacks happen at layer 3,4,6 & 7 (network/transport and application)

Spoof attack: Spoofing of Target IP as src sent out to mediators/reflectors which then tries to respond back to Src creating multiple magnified responses.

TCP SYN Attack: SYN --> SYN-ACK --> ACK. In this case, ACK is not sent by the attacker and connection are reserved making them unusable for any other use.

HTTP Flood Attacks: Emulates human interaction and sends HTTP traffic

Cache busting attack: by using different query string, bypassing the CDN to fetch results from origin servers

DNS Query Flood attacks: flooding the DNS with different DNS names

 

Mitigation Techniques:

AWS Shield: Free Standard edition by AWS for network atacks

Use R53, Cloudfront, WAF

AWS Shield Advance: provides may features for DDoS attacks

ALB/ELB doesn't allow UDP traffic

CDN closes SYN Attacks..half connections

WAF allows Web ACL rules

Reduce Surface Attacks: Minimize Internet access and reach. Use CDN ..no EIP..No DB in public subnet

Use CDN, ELB, Private Subnets, API GW for obfuscating resources.

 

WAF works at HTTP HTTPS Application layer for CDN and ALB, API GW

WAF blocks Cross Site Scripting XSS attack, SQL injection attacks

WACL have rules to allow, block or monitor (count)

3rd Party WAF is also a good solution to obfuscate internal components

 

Intrusion Detection System & Intrusion Protection System

Host Based and Network Based Intrusion Detection System

Promiscuous port/ network tapping/sniffers not allowed in AWS

Introduce IDS/IPS 3rd Party sandwich setup (ELB --> EC2 with IDS --> ELB (APP)) for security

 

RAM: Resource Access Manager...sharing of AWS resources among AWS accounts

Sharing of Transit G/W, Subnets, R53 rules allowed to share.

RAM eliminates the need to create duplicate resources in multiple accounts, reducing the operational overhead of managing those resources in every single account you own.

 

SNS: Push based

By Default, only topic creator can publish message but can provide access to other AWS users to publish message

SNS Mobile Push Notifications for Mobile notifications. Pop up

Register ur app and device with SNS

 

SQS: Pull based,used for decoupling the application

Delete the messages in the queue without deleting the queue

SQS messages can be processed and then forwarded to other SQS

 

Standard Queue: no sequence, duplication of msg possible, at least one delivery, high throughput

 

FIFO queue: limited throughput 300 TPS, exactly one delivery, FIFO

 

Polling mechanism: Short and Long Polling (preferred)

Short returns the response immediately even if queue is empty. Receivemessagewaittime is = 0

Short is default

LongPolling is preferred option. ReceiveMessageWaitTime> 0 and <=20 secs

Default retention period is 4 days with max 14 days and min 1 min

SQS queues can have priorities ..higher ones are handled fast

Create as many queues you want

SQS Visbility timeout is the time for which the message is locked by an instance for processing and no other instance would be able to pick it up. Only after visibility time out is done, message is sent back to queue.

30 secs bydefault upto 12 hours

Once ACK is received the message should be deleted from queue

SQS is regional component .HA in Multi AZ setup

IAM policies on SQS can decide who can send and receive messages

SNS topic can publish message to SQS as subscriber

 

Amazon Mechanical Turk:

Online crowdsourcing platform where requester can post work and worker

can accept and work on the same.

 

Amazon Rekognition:

Rekognition reads images and videos. Input can be uploaded as binary to rekognition or uploaded to S3.

Output of rekognition can be S3, Kinesis streams & SNS.

If input is Live video stream so need to use Kinesis Video Streams and output would be Kinesis streams.

Has recognize celebrities API. Can detect labels like tree, flower, table etc. Events like wedding, party. Landscapes.

DetectLabels API (Images) StartLabelDetection (Videos)

DetectFaces(Images)  StartFaceDetections(Videos) CreateStreamProcessor(Streams)

People path ..activity tracking..only in videos. StartPersonTracking API

DetectText API to read from Images.

Jpg or png allowed for S3 stored images. Base64 for direct image

 

AWS Simple Workflow System: SWF

Orchestration of an asynchronous workflow system

SWF has workers. Workers performs the tasks and reports back

Workers perform tasks. Tasks can be done by person or machine

SWF has deciders which decides which activity tasks to perform.

SWF does long polling.

3 types of tasks:

Activity tasks: used by workers

Lambda Tasks: executes lambda

Decisions Tasks: used by Deciders to decide next actions

One domain SWF Workflow is independent of others

SWF is Task Oriented. SQS is Message Oriented

Workflow execution can run upto 1 year

 

AWS Step Function: Better SWF with Visual workflow

Automatic trigger and retries

Amazon states language

Activity Tasks (polls for activity ) and Service Tasks (calls another service push)

API G/W can trigger Step function with a specific state

 

AWS Application Discovery Service: Helps in migration effort

Integrated with Migration HUB

Agentless Discovery Service: Sits on VMWare and collects data on cpu, ram and disk io

Agent Based Discovery: Installed on Physical servers. Windows and linux supported

Information pushed to S3. Integrated with Amazon athena and quicksight.

Data exploration must be Turned On.

 

 AWS Storage G/W:

Connects on-prem using iSCSI interface. VMDK file is installed on on-prem servers

File G/W: NFS type. Transfers file to AWS S3

Volume G/W:

Storage G/W: iSCSI type. Uses AWS for storage perspective (backups)

Cached G/W: Frequently accessed data is on-prem and rest of the data on AWS. Block mode

VTL G/W: Virtual Tapes storage in AWS

File G/W connection would need gateway to be created. Hyper V, vmware or computes.

Create a file share and mount the same on the servers.

 

Snowball Family:

Devices to do large scale data migration

Good choice for data > 10 TB

If the link can transfer data in a week..use link..more than that use Snowball

Snowball--> 50 (Only US) - 80 TB device. Plain import/export jobs

Snowball Edge: 100TB device with compute

Snowmobile: Exabyte storage truck. 1Exabyte = 1000 petabyte = 1000000 TB

 

AWS Migration HUB:

Services to do the migration. DB and Server Migration Services. Allows central tracking of these services. Used with Discovery services as well.

3 ways Migration HUB gets the data from on-prem:

  1. Migration HUB import
  2. Agentless Discovery Agent (VM)
  3. Agent Based Discovery Agent

 

AWS Server Migration Services:

Used for on-prem migration of server VMWare, HyperV or Azure virtual machines.

Server  migration Connector gets on-prem data as AMIs. Uses Cloud Formation template to create the stack. So, AMIs --> CloudFormation . Template defines DB, App and other layers.

 

AWS Database Migration Services (DMS):

DMS is used for migration from on-prem to AWS and vice versa.

Also used to maintain the replica of DB.

Supports security at rest and in-transit

Creating indexes, primary keys and etc on target DB can be done with the help of SCT tool

Replication Task has the rules and actual tables defined.

SCT Tool is installed on-prem. Clones the source DB and uses the agent to copy data to S3. DMS copies from S3 to target.

DMS instance comes in 50GB or 100GB sizes.

DMS supports MultiAZ support.

Source & Target endpoints to have the connection of DB. You can test the connections

No CDC enabled for MS Azure SQL migration. IBM DB2 as source and not target.

MongoDB is document DB NoSQL. Document is row and collection of docs is collections ..table

MongoDB as source and not as target. Document and Table mode supported

Document DB, Redshift, Elasticsearch , kinesis cannot be source DB

MySQL, Oracle can be source as well as target for DMS.

 

 

AWS Amplify is a development platform for building secure, scalable mobile and web applications. It makes it easy for you to authenticate users, securely store data and user metadata, authorize selective access to data, integrate machine learning, analyze application metrics, and execute server-side code. Amplify covers the complete mobile application development workflow from version control, code testing, to production deployment, and it easily scales with your business from thousands of users to tens of millions. 



Key Notes:

 

    -->  Custom Application should have listeners configured for TCP.

    --> Additional ENIs have a mixed MAC address that does not change. ETH0 is the Primary ENI which cannot be detached.

    --> you cannot point an A record to Load Balancer. Either Alias or CNAME.

    --> A low RPO solution is asynchronous replication

    --> for encrypting an EBS running volume, create a snapshot and launch a volume from that

    --> On-prem and AWS CIDR Overlaps won't allow communication

    --> Enhanced networking instance and EC2 IOPS types for low latency and hight n/w throughput

    --> RAID 0 increases Read and write capacity

    --> SSE-KMS is envelope encryption

    --> SSH/RDP to limit access to ec2 NOT IAM roles

    --> Advertise AWS Public Ips over Public VIF not Private VIF

    --> During RDS Failover, DNS Record changes but not the RDS endpoint

    --> Cross Region Read Replica exists for RDS and Aurora

    --> EBS volume replication in the same region is also via snapshot

    --> NAT G/W cannot be assigned security group. Can be assigned Elastic IP but not Public IP

    --> 2 tunnels configured for each VPN Connection

    --> you need one private VIF(VPC) and one public VIF (AWS services) for Direct connect.

    --> DX connection with a VPN backup

    --> IPV6 is globally unique..same as Public IP. Egress is related to IPV6.

    --> instance store are virtual hard drive..ephemeral storage

    --> you can increase the size of volume but cant scale down

    --> bastion host allows SSH or RDP access. Can be assigned Public IP or Elastic IP. Sits in Public subnet and allows access to private subnet.

    -->  EC2 can have secondary ENI which can be detached and assigned to another EC2 incase of failover.

    --> Copying the EBS volume from one AZ to another, create a snapshot and launch the EBS from it. EBS volumes are AZ specific.

    --> For sharing encrypted snapshot with others , one would have to share the CMK key permissions as well

    --> ELB routes the traffic to Eth0 primary IP of ur EC2. ELB needs 8 IP address to scale.

    --> NLB doesn't support Lambda target type

    --> you cannot read/write to StandBy RDS instance

    --> Snapshots and Auto Backups done on StandBy Instance. Only Manual snapshots can be shared..not automatic ones

    --> The first snapshot is full and after that it's incremental backups. DB Transaction logs allows upto 5 mins of RPO

    --> you cannot restore into an existing DB..it has to be a new DB instance.

    --> Automatic backups must be enabled for Read Replica to work

    --> RDS Read Replicas can be in a different region as well. Based on automatic snapshots being copied asynchronously.

    --> you cannot encrypt the DB instance on the go. Create a snapshot--> copy the snapshot and encrypt it and create a DB instance out of it.

    --> you can't disable encryption as well.

    --> IAM DB authentication works with My SQL and PostGre SQL.

    --> AWS doesn't support IP Multicast

    --> Redshift can load data only from S3 Standard.

    --> Aurora spans Multi AZ in one region..maintains at least 6 copies

    --> Failover priority for Aurora replicas. 15 read replicas supported.

    --> Aurora Clusters can have single instance or multiple instance behind it. Aurora clusters are created inside the VPC.

    --> Aurora Global cluster has a primary cluster in one region and readonly cluster in another region. 16 replicas in other region.

    --> Backtracking takes the data backup to a point in time. Doesn't need a new DB instance to recover.

    --> Cloudtrail event history is logged for 90 days. Cloud trail logging integrity check via SHA hashing on S3

    --> Log retention of cloudwatch 1 day to 10 years. Auto delete. CW Logs encrypted at Rest and In-transit.

    --> Unified cloudwatch agent is preferred over old one.

    --> Create custom metric from CW logs --> Create Alarm using that metric filter --> Attach an EC2 instance/ASG or SNS topic with that

    --> Logs could be sent to cross account using kinesis streams

    --> S3 Max size is 5TB. Multipart upload for more than 5GB. Preferred for > 100MB

    --> Standard IA for backups. 30 day minimum charge for storage

    --> Glacier for Archives with retrieval time of minutes. Min storage is 90 days. Can sustain data loss in 2 facilities. Doesn't maintain metadata. Use a DB for that.

    --> Deep Archive ..not for real time retrieval. 180 days of min storage.

    --> RRS. Frequently accessed non critical data. Not recommended.

    --> S3 uses SSE and KMS encryption. S3 Static hosting allows redirection but only http

    --> Pre-Signed URLs to provide specific object access to users for limited time.

    --> For S3 Cross Region or same region replication, the bucket versioning must be enabled.

    --> S3 replicated the objects, metadata and the tags as well. Replicates the delete marker but doesn't delete.

    --> S3 transfer acceleration used for uploading objects over internet.

    --> S3 provides 3500 PUT/COPY/POST/DELETE per seconds and 5500 GET/HEAD. Prefixes created multiply the capacity.

    --> Elemental MediaStore is caching and distribution for video workflows. Delivers videos from S3.

    --> S3 Select to query data in S3 if stored in CSV, JSON format. Glacier Select for Glacier.

    --> Permission to enable server accesss log only via bucket ACL not by policy. ACLs are handy for object level permissions.

    --> Requester pay buckets for charging requester to pay for access or downloading

    -->EFS is POSIX (UNIX) compliant and needs to be mounted on EC2 or On-prem servers. Suited for BigData & Analytics. Low latency file operations.

    --> EFS can be mounted on linux on-prem only

    --> Amazon FSx is windows file share. Windows shadow copies are point in time snapshot stored in S3.

    --> Lustre is Open source high performance computing. Linux based DFS. Not durable

    --> cname cannot be created for naked zone apex.

    --> Traffic flow policy only for public hosted zone

    --> S3 only allows HTTP protocol for Origin access from Cloudfront.

    --> Invalidate Only Web objects from CDN

    --> EMR is not for real time ingestion or large data

    --> Redshift supports Single AZ

    --> EMR leverages Apache Hadoop + Hive . SQL based query and support for unstructured data.

    --> EMR kinesis connector to read streaming data from kinesis to EMR for processing

    --> Glue Crawlers identifies metadata and populates the glue catalog used by Glue to transform the data

    --> SQS Queue can be encryption enabled.

    --> AWS Serverless Application Module is an extension of Cloudformation.

    --> AWS Batch uses ECS Container to run jobs

    --> You cannot have mount points for the same EFS file systems in different VPC. Only 1 at a time.

    --> Amazon FSx has Standby file server in a different AZ synchronously replicated.

    --> NAT GW uses only Elastic IPs. No Public IP

    --> Session stickiness/affinity can be application controlled or LB controlled. Cookie header inserted.

    --> ALB supports only load balancer cookies. Cookie name AWSALB

    --> DAX for Dynamo DB is Only for eventual consistent and deployed on EC2 instance with a DAX agent

    --> SCP has no effect on the Primary/Master account though it is applied at root level. Whitelisting or Blacklisting policies at SCP.

    --> AWS Organization creates Service Linked Role in each of member accounts to access.

    --> IAM roles Trust Policies have principals which are Trusted Entities. Such as federated: saml-provider/ADFS or service: ec2 or lambda

    --> RDS Read Replicas are created using the snapshot from primary DB or Standby (MultiAZ). Asynchronously update

    --> Aurora Serverless clusters are always encrypted

    --> Cloudformation has Creation policy which allows waitCondition to delay resource creation. Deletion policy to delete, retain or snapshot resource.

    --> blue green deployment is an Active StandBy configuration

    --> Cloudwatch Synthetics are used for running Canaries Script to automate user/customer actions for the service.

    --> Cloudwatch ServiceLens is used for endtoend debugging with Cloudwatch + Xray

    --> AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS. Also, maintain the catalog

    portfolio stack which are cloud formation stack ready to build common stacks.

    --> AWS Resource DataSync allows to collect data configuration from multiple resources.

    --> AWS DNS Doesn't support DNSSEC (Domain Name System Security Extensions). Use 3rd Party DNS Provider for this support.

    --> AWS Systems Manager Patch Manager automates the process of patching managed instances with security-related updates.

    Patch Manager uses patch baselines, which include rules for auto-approving patches. A patch group is an optional means of organizing instances for patching.

    For example, you can create patch groups for different operating systems (Linux or Windows), different environments (Development, Test, and Production),

    or different server functions (web servers, file servers, databases).

    --> If you want a single store for configuration and secrets, you can use Parameter Store. If you want a dedicated secrets store with lifecycle management, use Secrets Manager.

    -->  To use a certificate with Elastic Load Balancing for the same site (the same fully qualified domain name, or FQDN, or set of FQDNs) in a different Region,

     you must request a new certificate for each Region in which you plan to use it. To use an ACM certificate with Amazon CloudFront,

     you must request the certificate in the US East (N. Virginia) region.

    --> DynamoDB Global Table. A replica table (or replica, for short) is a single DynamoDB table that functions as a part of a global table. Each replica stores the same set of

    data items. Any given global table can only have one replica table per AWS Region.

    --> AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud.

    Handles SSL offloading as well and for HA, needs 2 subnets

    --> can't deploy an application to your on-premises servers using Elastic Beanstalk

    --> AWS Resource Access Manager (AWS RAM) enables you to share specified AWS resources that you own with other AWS accounts. To enable trusted access

     with AWS Organizations: From the AWS RAM CLI, use the enable-sharing-with-aws-organizations command.

    Name of the IAM service-linked role that can be created in accounts when trusted access is enabled: AWSResourceAccessManagerServiceRolePolicy

    --> Rehost (“lift and shift”) - In a large legacy migration scenario where the organization is looking to quickly implement its migration and scale to meet a business case,

    we find that the majority of applications are rehosted. Most rehosting can be automated with tools such as AWS SMS although you may prefer to do this manually as

     you learn how to apply your legacy systems to the cloud.

    You may also find that applications are easier to re-architect once they are already running in the cloud. This happens partly because your organization will have developed better skills to do so and partly because the hard part - migrating the application, data, and traffic - has already been accomplished.

    --> Replatform (“lift, tinker and shift”) -This entails making a few cloud optimizations in order to achieve some tangible benefit without changing the core architecture of the application. For example, you may be looking to reduce the amount of time you spend managing database instances by migrating to a managed relational database service such as Amazon Relational Database Service (RDS), or migrating your application to a fully managed platform like AWS Elastic Beanstalk.

    --> By default, the data in a Redis node on ElastiCache resides only in memory and is not persistent. If a node is rebooted, or if the underlying physical

    server experiences a hardware failure, the data in the cache is lost.

    If you require data durability, you can enable the Redis append-only file feature (AOF). When this feature is enabled, the node writes all of the commands that change cache data to an append-only file. When a node is rebooted and the cache engine starts, the AOF is "replayed"; the result is a warm Redis cache with all of the data intact.

    -->Turn off the Reserved Instance (RI) sharing on the master account for all of the member accounts.

    --> You can use AWS SAM with a suite of AWS tools for building serverless applications. To build a deployment pipeline for your serverless applications, you can use CodeBuild, CodeDeploy, and CodePipeline. You can also use AWS CodeStar to get started with a project structure, code repository, and a CI/CD pipeline that's automatically configured for you. To deploy your serverless application, you can use the Jenkins plugin, and you can use Stackery.io's toolkit to build production-ready applications.

    --> You can improve performance by increasing the proportion of your viewer requests that are served from CloudFront edge caches instead of going to your origin servers for content; that is, by improving the cache hit ratio for your distribution. To increase your cache hit ratio, you can configure your origin to add a Cache-Control max-age directive to your objects, and specify the longest practical value for max-age. The shorter the cache duration, the more frequently CloudFront forwards another request to your origin to determine whether the object has changed and, if so, to get the latest version.

    --> you can set up an origin failover by creating an origin group with two origins with one as the primary origin and the other as the second origin which CloudFront automatically switches to when the primary origin fails.

    --> Modifying the enableDnsHostNames attribute of your VPC to false and the enableDnsSupport attribute to true is incorrect because with this configuration, your EC2 instances launched in the VPC will not get public DNS hostnames.

    --> SCPs DO NOT affect any service-linked role. Service-linked roles enable other AWS services to integrate with AWS Organizations and can't be restricted by SCPs.

    --> You can bring part or all of your public IPv4 address range from your on-premises network to your AWS account. You continue to own the address range, but AWS advertises it on the Internet. After you bring the address range to AWS, it appears in your account as an address pool. You can create an Elastic IP address from your address pool and use it with your AWS resources, such as EC2 instances, NAT gateways, and Network Load Balancers. This is also called "Bring Your Own IP Addresses (BYOIP)".

    --> Amazon Connect provides a seamless omnichannel experience through a single unified contact center for voice and chat. Contact center agents and managers don’t have to learn multiple tools, because Amazon Connect has the same contact routing, queuing, analytics, and management tools in a single UI across voice, web chat, and mobile chat.

     

    --> Amazon Lex is a service for building conversational interfaces into any application using voice and text. Amazon Lex provides the advanced deep learning functionalities of automatic speech recognition (ASR) for converting speech to text, and natural language understanding (NLU) to recognize the intent of the text, to enable you to build applications with highly engaging user experiences and lifelike conversational interactions.

    --> Amazon Redshift workload management (WLM) enables users to flexibly manage priorities within workloads so that short, fast-running queries won't get stuck in queues behind long-running queries. Amazon Redshift WLM creates query queues at runtime according to service classes, which define the configuration parameters for various types of queues, including internal system queues and user-accessible queues.

    --> By setting up cross-account access in this way, you don't need to create individual IAM users in each account.

    --> installing the SSM Agent to all of your instances is also required when using the AWS Systems Manager Patch Manager.

    --> the best solution is to use a combination of CloudFront, Elastic Load Balancer and SQS to provide a highly scalable architecture. SQS decouples the service. Reduces cost.

    --> Inter-Region VPC Peering provides a simple and cost-effective way to share resources between regions or replicate data for geographic redundancy.

    --> Adding tags to the EC2 instances in the production environment and adding resource-level permissions to the developers with an explicit deny on terminating the instance

    which contains the tag

    --> SSE-S3 provides strong multi-factor encryption in which each object is encrypted with a unique key. It also encrypts the key itself with a master key that it rotates regularly accurately describes how SSE-S3 encryption works.

    --> SCP does not grant any permissions, unlike an IAM Policy. SCP policy simply specifies the services and actions that users and roles can use in the accounts.

    --> If you have a VPC peered with multiple VPCs that have overlapping or matching CIDR blocks, ensure that your route tables are configured to avoid sending response traffic

    from your VPC to the incorrect VPC. Add a static route on VPC A's route table with a destination of 10.0.0.0/24 and a target of pcx-aaaabbbb. The route for 10.0.0.0/24 traffic

    is more specific than 10.0.0.0/16, therefore, traffic destined for the 10.0.0.0/24 IP address range goes via VPC peering connection pcx-aaaabbbb instead of pcx-aaaacccc.

    --> In AWS Storage Gateway, your iSCSI initiators connect to your volumes as iSCSI targets. Storage Gateway uses Challenge-Handshake Authentication Protocol (CHAP) to

    authenticate iSCSI and initiator connections. CHAP provides protection against playback attacks by requiring authentication to access storage volume targets

    --> AWS Systems Manager Patch Manager automates the process of patching managed instances with security-related updates.

    --> won't be able to upload their articles to the Read Replicas in the event that the primary database goes down.

    -->  Cloudfront  signed cookies feature is primarily used if you want to provide access to multiple restricted files, for example, all of the files for a video in HLS format or all

    of the files in the subscribers' area of website.

    --> If you have multiple VPN connections, you can provide secure communication between sites using the AWS VPN CloudHub. This enables your remote sites to communicate with each other, and not just with the VPC.

    --> The deployment services offer two methods to help you update your application stack, namely in-place and disposable. An in-place upgrade involves performing application updates on live Amazon EC2 instances. A disposable upgrade, on the other hand, involves rolling out a new set of EC2 instances by terminating older instances.

    --> Hybrid Deployment model: combines the simplicity of managing AWS infrastructure provided by Elastic Beanstalk and the automation of custom network segmentation

     provided by AWS CloudFormation.

    --> AWS Control Tower is best suited if you want an automated deployment of a multi-account environment with AWS best practices. If you want to define your own custom

    multi-account environment with advanced governance and management capabilities, we would recommend AWS Organizations

    --> AWS organization entities are globally accessible, similar to how AWS Identity and Access Management (IAM) works today.

    --> You cannot change which AWS account is the master account.

    --> ELB cannot have EIP or Static IP attached.

    --> OpsCenter is a Systems Manager capability that provides a central location where operations engineers, IT professionals, and others can view, investigate, and

    resolve operational issues related to their environment.

    -->  EMR doesn't provide Detailed Monitoring. ELB, R53, RDS does

    --> IPSec Tunnel provides data encryption across internet, protection of data in transit, peer identity auth vpn GW and Customer GW and data integrity protection.

    --> ARN syntax arn:aws:service:region:account:resource. For IAM, region is left blank.

    --> Default Security Group allows No Inbound Traffic. Allows All Oubound Traffic. Allows instances to communicate which have same SG.

    --> ApplyImmediately to apply changes on RDS intances.

    --> Amazon cognito maintains the last written version of the data using synchronize() method. Cognito uses SNS Push () to send notifications to devices.

    -->AWS IAM passwords can contain the Basic Latin characters. Policy names cannot have /,\, * or ?. These are reserved. Path names should start and end with /. Max length 64 chars

    --> AWS Doesn't Auto assign Public IP to Instance with Multiple ENIs.

    --> you can create a VPC with multiple subnets and assign users to have access to only their specific subnet.

    --> ELB supports only 1 Subnet from 1 AZ

    --> IAM also has NotPrincipal in Policy.

    --> Minimum storage for Provisioned IOPS MySQL RDS is 100 GB and min IOPS is 1000.

    --> DataPipeline retries are allowed upto 10 retries.

    --> SNS doesn't push notifications to Microsoft Windows Mobile Messaging. Microsoft Push Notification is supported.

    -->  as-describe-launch-configs-show-long shows launch config name, instance type, ami id.

    --> ElasticCache stores critical piece of data in memory for low latency access.

    --> Exception to a list of actions in IAM policy is provided by NotAction. MultiFactorAuthAge to check in seconds last MFA action.

    --> Amazon ElasticCache's cache security group are applicable to cache clusters running outside of VPC.

    --> PIOPS EBS Volumes supports 4GiB to 16 TiB and provision upto 20000 IOPS. But the ratio should be max 30. Now, it is 50:1

    --> AWS Elastic Beanstalk provides several options for how deployments are processed, including deployment policies

     (All at once, Rolling, Rolling with additional batch, and Immutable)

    --> API GW Throttling error code is 429 while lambda or integration connection gives 504

    --> In CloudFront, there are 3 options that you can choose as the value for your Origin Protocol Policy: HTTP Only, HTTPS Only and Match Viewer.

    --> Amazon Inspector enables you to analyze the behavior of your AWS resources and helps you to identify potential security issues. Using Amazon Inspector, you can

    define a collection of AWS resources that you want to include in an assessment target. You can then create an assessment template and launch a security assessment

     run of this target. Just assessment..no capability to change or update.

    --> In Redshift, if your query operation hangs or stops responding: Connection to the Database Is Dropped--> Reduce the size of maximum transmission unit (MTU)

    Connection to the Database Times Out--> hang or timeout when running long queries, such as a COPY command

    Client-Side Out-of-Memory Error--> ODBC or JDBC Out of Memory. There Is a Potential Deadlock --> Check STV_LOCKS and STL_TR_CONFLICT.

    Use the PG_CANCEL_BACKEND and PG_TERMINATE_BACKEND.

    --> Amazon MQ is a managed message broker service for Apache ActiveMQ that makes it easy to set up and operate message brokers in the cloud. Connecting your current

    applications to Amazon MQ is easy because it uses industry-standard APIs and protocols for messaging, including JMS, NMS, AMQP, STOMP, MQTT, and WebSocket

    --> ALB Only supports http/https protocol..no tcp/tls

    --> Amazon AppStream 2.0 is a fully managed application streaming service. Suited for standalone desktop applications.

    --> There are a lot of available AWS Managed Policies that you can directly attach to your IAM Users, such as Administrator, Billing, Database Administrator, Data Scientist,

    Developer Power User, Network Administrator, Security Auditor, System Administrator and many others

    --> The following scenarios highlight patterns that may not be well suited for blue/green deployments:

    Are your schema changes too complex to decouple from the code changes? Is sharing of data stores not feasible?

    Does your application need to be "deployment aware"?

    Does your commercial off-the-shelf (COTS) application come with a predefined update/upgrade process that isn’t blue/green deployment friendly?

    --> Oracle RAC is not supported by RDS. RMAN

    --> Create a new CloudFront web distribution and configure it to serve HTTPS requests using dedicated IP addresses in order to associate your alternate domain names with

    a dedicated IP address in each CloudFront edge location.

    --> Code deploy provides Canary deployment configuration, the traffic is shifted in two increments.

    --> Tape Gateway which will back up your data in Amazon S3 and archive in Amazon Glacier using your existing tape-based processes.

    --> A service control policy (SCP) is a policy that specifies the services and actions that users and roles can use in the specified AWS accounts.

     SCPs are similar to IAM permission policies except that they don't grant any permissions. Instead, SCPs specify the maximum permissions for an organization,

    organizational unit (OU), or account.

    --> you can configure more than one load balancer with an autoscaling group.

    --> If an Auto Scaling group is launching more than one instance, the cool down period for each instance starts after that instance is launched. The group remains locked until

    the last instance that was launched has completed its cool down period. In this case the cool down period for the first instance starts after 3 minutes and finishes at the 10th

     minute (3+7 cool down), while for the second instance it starts at the 4th minute and finishes at the 11th minute (4+7 cool down). Thus, the Auto Scaling group will receive

    another request only after 11 minutes

    --> Tags are assigned automatically to the instances created by an Auto Scaling group.

    --> If you have a running instance using an Amazon EBS boot partition, you can also call the Stop Instances API to release the compute resources but preserve the data on the boot

     partition

    --> When a user launches an Amazon EBS-backed dedicated instance, the EBS volume does not run on single-tenant hardware.

    --> If there is more than one rule for a specific port, we apply the most permissive rule. For example, if you have a rule that allows access to TCP port 22 (SSH) from IP address

    203.0.113.1 and another rule that allows access to TCP port 22 from everyone, everyone has access to TCP port 22.

    --> The tag key cannot have a prefix as "aws:", although it can have only "aws".

    --> The Amazon EC2 console provides a "Launch more like this" wizard which copies Instance Type, AMI, user-data, tags, placement group

    --> You are charged for the stack resources for the time they were operating (even if you deleted the stack right away)

    --> CloudFormation: Actual resource names are a combination of the stack and logical resource name.

    --> To connect to Amazon Virtual Private Cloud (Amazon VPC) by using AWS Direct Connect, you must first do the following:

    Provide a private Autonomous System Number (ASN) to identify your network on the Internet. Amazon then allocates a private IP address in the 169.x.x.x range to you.

    Create a virtual private gateway and attach it to your VPC

    --> IKE Security Association is established first between the virtual private gateway and customer gateway using the Pre-Shared Key as the authenticator.

    --> To establish redundant VPN connections and customer gateways on your network, you would need to set up a second VPN connection. However, you must ensure that the

    customer gateway IP address for the second VPN connection is publicly accessible.

    --> DynamoDB Local Secondary Indexes can only be created while Table creation. DynamoDB uses JSON only as a transport protocol, not as a storage format.

    --> you can copy data from an Amazon DynamoDB table into Amazon Redshift.

    --> To construct the mount target's DNS name, use the following generic form: availability-zone.file-system-id.efs.aws-region.amazonaws.com

    --> Component is code--> Workload is set of components --> technical capability is set of workloads.

    --> using the AWS Server Migration Service (SMS) and installing the Server Migration Connector to your on-premises virtualization environment.

    -->  Amazon WorkDocs is a fully managed, secure content creation, storage, and collaboration service. With Amazon WorkDocs, you can easily create, edit, and share content, and because it’s stored centrally on AWS, access it from anywhere on any device. Amazon WorkDocs makes it easy to collaborate with others, and lets you easily share content, provide rich feedback, and collaboratively edit documents.

    --> EC2Rescue can help you diagnose and troubleshoot problems on Amazon EC2 Linux and Windows Server instances. You can run the tool manually or you can run the tool automatically by using Systems Manager Automation and the AWSSupport-ExecuteEC2Rescue document. The AWSSupport-ExecuteEC2Rescue document is designed to perform a combination of Systems Manager actions, AWS CloudFormation actions, and Lambda functions that automate the steps normally required to use EC2Rescue.

    --> AWS Step Functions provides serverless orchestration for modern applications. Orchestration centrally manages a workflow by breaking it into multiple steps, adding flow logic, and tracking the inputs and outputs between the steps.

    --> Data Pipeline is for batch jobs.

    --> Implementing database caching with CloudFront is incorrect because you cannot use CloudFront for database caching. CloudFront is primarily used to securely deliver data, videos, applications, and APIs to customers globally with low latency and high transfer speeds.

    --> Snowball is suitable for the following use cases:

    Import data into Amazon S3, Export from Amazon S3,

    On the other hand, Snowball Edge is suitable for the below:

    Import data into Amazon S3, Export from Amazon S3, Durable local storage, Local compute with AWS Lambda, Local compute instances, Use in a cluster of devices

    Use with AWS Greengrass (IoT), Transfer files through NFS with a GUI

    --> If you got your certificate from a third-party CA, import the certificate into ACM or upload it to the IAM certificate store. Hence, AWS Certificate Manager and IAM certificate store are the correct answers.

    --> You can use an AWS Direct Connect gateway to connect your AWS Direct Connect connection over a private virtual interface to one or more VPCs in your account that are located in the same or different regions. You associate a Direct Connect gateway with the virtual private gateway for the VPC, and then create a private virtual interface for your AWS Direct Connect connection to the Direct Connect gateway.

    -->  All at once – Deploy the new version to all instances simultaneously. All instances in your environment are out of service for a short time while the deployment occurs. If the deployment fails, a system downtime will occur.

    Rolling – Deploy the new version in batches. Each batch is taken out of service during the deployment phase, reducing your environment's capacity by the number of instances in a batch. If the deployment fails, a single batch will be out of service.

    Rolling with additional batch – Deploy the new version in batches, but first launch a new batch of instances to ensure full capacity during the deployment process. This is quite similar with Rolling option. If the first batch fails, the impact would be minimal.

    Immutable – Deploy the new version to a fresh group of instances by performing an immutable update. If the deployment fails, the impact is minimal.

    Blue/green deployment – Deploy the new version to a separate environment, and then swap CNAMEs of the two environments to redirect traffic to the new version instantly. If the deployment fails, the impact is minimal.

    --> Memacached allows MultiThreaded execution unlike Redis.

    --> You can change the placement group for an instance in any of the following ways:

    Move an existing instance to a placement group. Move an instance from one placement group to another. Remove an instance from a placement group.

    Before you move or remove the instance, the instance must be in the stopped state. You can move or remove an instance using the AWS CLI or an AWS SDK.

    --> Cognito User Pool handles the user AuthN to provide temp credentials to access EC2, ECS, API. Cognito Identity pool provides AuthZ to allows other aws service access (roles)

    --> EFS storage is 47.9 TB, S3 5TB and EBS size of EBS.

    --> Only NLB provides Static and Elastic IP. SNI provided by ALB and NLB.

    --> gp2 16000 IOPS, PIOPS 64000 IOPS

    --> EC2 health check watches for instance availability from hypervisor and networking point of view. For example, in case of a hardware problem, the check will fail. Also, if an instance was misconfigured and doesn't respond to network requests, it will be marked as faulty.

    ELB health check verifies that a specified TCP port on an instance is accepting connections OR a specified web page returns 2xx code. Thus ELB health checks are a little bit smarter and verify that actual app works instead of verifying that just an instance works.

     --> Redis single AZ setup has Append Only File . MultiAZ setup has redis read replica. You can have only 1 active at a time

    --> Redis cluster mode enabled(multiple shards and multi AZ setup) and disabled (single shard and multi AZ setup).

    --> If data needs to be transferred from multiple location then use Transfer Acceleration (Cloudfront edge) or use Snowball or edge. If repeated file transfers, use Direct connect

    --> S3 Transfer Acce supports downloads as well

    --> SSM State Manager maintains the state of EC2 and Hybrid infra.

    --> CloudFormation has templates, stack and change sets

    --> OpsWork can auto heal ur stack.

    --> CloudFormation and Beanstalk can Only create infra in AWS not on-prem. AWS OpsWork and CodeDeploy can create infra on-prem and in AWS.

    --> Elastic N/W Adapter better for enhanced n/wing. Multiple ENIs shouldn't be used.

    --> The maximum size of the data payload of a Kineis Data Stream record before base64-encoding is up to 1 MB.

    --> AMIs are a regional resource. Therefore, sharing an AMI makes it available in that region. To make an AMI available in a different Region, copy the AMI to the Region and then share it.

    --> AWS Organizations comes with All Features(includes SCP and etc) or Consolidated Billing mode (only billing share)

    --> The native tools allow you to migrate your data with minimal downtime. For eg. Mysqldump for MySQL migration

    --> Tape gateway in AWS Storage Gateway service is primarily used as an archive solution. Cannot access the files on Tape Gateway directly..use File GW.

    --> You share resources in one account with users in a different account. By setting up cross-account access in this way, you don't need to create individual IAM users in each account. U create role in Prod account , assign dev account role as trustee.

    --> SCP Policies: Users and roles must still be granted permissions with appropriate IAM permission policies. A user without any IAM permission policies has no access, even if the applicable SCPs allow all services and all actions.

    --> AWS tags are case sensitive. Pro-Active taggings are done using AWS Cloudformation , AWS Service Catalog. AWS IAM can allow/disallow service creation if tags are not there.

    --> You can use AWS Config with CloudWatch Events to trigger automated responses to missing or incorrect tags.

    --> Direct Connect provides consistent performance and latency for hybrid workloads and predictable performance.

    -->  If your exising backup software does not natively support cloud storage for backup or archive, you can use a storage gateway device, such as a bridge, between the backup software and Amazon S3 or Amazon Glacier.

    --> AWS DataSync is a data transfer service that makes it easy for you to automate moving data between on-premises storage and Amazon S3, Amazon Elastic File System (Amazon EFS), or Amazon FSx for Windows File Server.

    --> When migrating from one database source or version to a new platform or software version, AWS Database Migration Service keeps the source database fully operational during the migration, minimizing downtime to applications that rely on the database.

    -->EC2 Failover to a replacement instance or (running) spare instance by remapping your elastic IP address to the new instance. An Elastic IP address is a static, public, IPv4 address allocated to your AWS account.

    --> EBS volumes can be attached to a running EC2 instance and can persist independently from the instance.

    --> Because snapshots represent the on-disk state of the application, care must be taken to flush in-memory data to disk before initiating a snapshot.

    --> When you create a member account using the AWS Organizations console, AWS Organizations automatically creates an IAM role named OrganizationAccountAccessRole in the account. This role has full administrative permissions in the member account.

    --> You can use trusted access to enable an AWS service that you specify, called the trusted service, to perform tasks in your organization and its accounts on your behalf.When you enable access, the trusted service can create an IAM role called a service-linked role in every account in your organization whenever that role is needed.

     

     

     

    https://d1.awsstatic.com/whitepapers/Storage/Backup_and_Recovery_Approaches_Using_AWS.pdf?did=wp_card&trk=wp_card