A web service is any piece of software that makes itself available over the internet and uses a standardized format such as Extensible Markup Language (XML) or JavaScript Object Notation (JSON) for the request and the response of an application programming interface (API) interaction
3 ways to interact with AWS
AWS management console
Command line interface (AWS CLI)
Software development kits (SDKs)
AWS Cloud Adoption Framework (AWS CAF)
Perspectives
Business capabilities
Business => Business Managers, Finance Managers, Budget owners, Strategy stakeholders
IT finance, IT strategy, Benefits realization, Business risk management
People => Human resources, Staffing, People managers
Resource management, Incentive management, Career management, Training management
Governance => CIO, Program managers, Enterprise architects, Business analyst, Portfolio managers
Portfolio management, Program management, Business performance management, License management
Technical capabilities
Platform => CTO, IT managers, Solution architects
Compute provisioning, Network provisioning, Storage provisioning, Database provisioning, Systems and solution architecture, Application development
Security => CISO, IT security managers, IT security analyst
IAM, Detective control, Infrastructure security, Data protection, Incident response
Operations => IT operations managers, IT support managers
Service monitoring, Application performance monitoring, Resource inventory management, Reporting and analytics, Disaster recovery, IT service catalog
Cloud Economics and Billing
Fundamentals of pricing
Compute
Charged per hour/second
Varies by instance type
Storage
Charged typically per GB
Data transfer
Outbound is aggregated and charged
Inbound has no charge (with some exceptions)
Charged typically per GB
How do you pay
Pay for what you use
Pay less when you reserve
Save up to 75 percent
Options
All Upfront Reserved Instance (AURI) => Largest discount
Support Plans => Basic Support, Developer Support, Business Support, Enterprise Support
AWS Global Infrastructure
Regions
An AWS Region is a geographical area
Data replication across Regions is controlled by you
A Region typically consists of two or more Availability Zones
Availability Zones
A fully isolated partition of the AWS infrastructure; consists of discrete data centers
AWS recommends replicating data and resources across Availability Zones for resiliency
Data Center
Data centers are where the data resides and data processing occurs
A data center typically has 50,000 to 80,000 physical servers
Points of Presence
Continuously measuring internet connectivity, performance and computing to find the best way to route requests
Edge locations
Amazon Route 53 is a Domain Name System (DNS) service. Requests going to either of these services (Amazon CloudFront or Route 53) are routed to the nearest edge location automatically in order to lower latency
Regional edge caches used when you have content that is not accessed frequently enough to remain in an edge location
Infrastructure features
Elasticity and scalability, Fault-tolerance, High availability
AWS Cloud Security
AWS shared responsibility model
AWS Identity and Access Management (IAM)
Define fine-grained access rights
Who can access the resource
Which resources can be accessed and what can the user do to the resource
How resources can be accessed
Components
IAM user
A person or application that can authenticate with an AWS account
IAM group
A collection of IAM users that are granted identical authorization
IAM policy
The document that defines which resources can be accessed and the level of access to each resource
Types
Managed
Inline => Policy assigned to just one User or Group
Types
Identity-based => Attached to a user, group, or role
Resource-based => Attached to a resource
Supported only by some AWS services
Constructed with JavaScript Object Notation (JSON) and define permissions
IAM role
Useful mechanism to grant a set of permissions for making AWS service requests
Similar to an IAM user => Attach permissions policies to it
Authenticate as an IAM user to gain
Programmatic access
Authenticate using
Access key ID, Secret access key
Provides AWS CLI and AWS SDK access
AWS Management Console access
Authenticate using
12-digit Account ID or alias, IAM user name, IAM password
IAM multi-factor authentication (MFA)
MFA requires a unique authentication code to access AWS services
Authorization: What actions are permitted
Assign permissions by creating an IAM policy
Best practice: Follow the principle of least privilege
Grant only the minimal user privileges needed to the user
Securing a new AWS account
Avoid using the AWS account root user for day-to-day activities
Create IAM users that have multi-factor authentication (MFA) enabled
Use AWS CloudTrail => Tracks user activity on your account
Enable a billing report, such as the AWS Cost and Usage Report
Securing Accounts
AWS Organizations
Security features
Group AWS accounts into organizational units (OUs) and attach different access policies to each OU
Integration and support for IAM
Use service control policies to establish control over the AWS services and API actions that each AWS account can access
Service control policies (SCPs) => Offer centralized control over accounts
Ensures that accounts comply with access control guidelines
Similar in syntax to IAM permissions policies, but an SCP never grants permissions; SCPs specify the maximum permissions for an organization
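The "explicit deny wins, SCPs only cap" evaluation described for IAM policies and SCPs above, as an added example that is not AWS's own code; it models only Effect/Action/Resource (conditions and NotAction are assumed absent) and all policy documents and names in it are constructed samples:

```python
"""Simplified IAM authorization check (added example, not AWS's own code).

Models the evaluation order the notes describe: an explicit Deny always wins,
an Allow must come from an identity-based policy, and the account's SCP only
caps what can be allowed. Only Effect/Action/Resource are modelled; condition
keys and NotAction are assumed absent. Sample documents are constructed.
"""
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, case_insensitive):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    if case_insensitive:  # action names are case-insensitive, ARNs are not
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def _statement_effect(stmt, action, resource):
    """'Allow'/'Deny' if the statement applies to (action, resource), else None."""
    if not any(_matches(a, action, True) for a in _as_list(stmt["Action"])):
        return None
    if not any(_matches(r, resource, False) for r in _as_list(stmt["Resource"])):
        return None
    return stmt["Effect"]

def evaluate_policy(policy, action, resource):
    """One document: explicit Deny > Allow > implicit deny (returned as None)."""
    effects = {_statement_effect(s, action, resource) for s in policy["Statement"]}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else None

def is_allowed(identity_policies, action, resource, scp=None):
    """Combine the caller's identity-based policies with the account's SCP."""
    # An SCP never grants anything: if it does not allow the action, stop here.
    if scp is not None and evaluate_policy(scp, action, resource) != "Allow":
        return False
    decisions = [evaluate_policy(p, action, resource) for p in identity_policies]
    return "Deny" not in decisions and "Allow" in decisions

# Constructed sample documents; the bucket name is a placeholder.
READ_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}
ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_DELETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}]}
# SCP: the default FullAWSAccess allow plus one organization-wide guardrail.
ORG_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"}]}

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print(is_allowed([READ_BUCKET], "s3:GetObject", obj))            # True
    print(is_allowed([ADMIN, DENY_DELETE], "s3:DeleteObject", obj))  # False: explicit deny wins
    print(is_allowed([ADMIN], "iam:CreateUser", "*", scp=ORG_SCP))   # False: SCP caps the admin
```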
AWS Key Management Service (AWS KMS)
Enables you to create and manage encryption keys
Integrates with AWS CloudTrail to log all key usage
Amazon Cognito
Adds user sign-up, sign-in, and access control to your web and mobile applications
AWS Shield
Is a managed distributed denial of service (DDoS) protection service
AWS Shield Advanced is an optional paid service
Use it to minimize application downtime and latency
Securing data on AWS
Encryption
Data at rest => Data stored physically (on disk or on tape)
Encodes data with a secret key, which makes it unreadable
Only those who have the secret key can decode the data
AWS KMS can manage your secret keys
Data in transit => Data moving across a network
Transport Layer Security (TLS) => Formerly SSL => An open standard protocol
AWS Certificate Manager provides a way to manage, deploy, and renew TLS or SSL certificates
Secure HTTP (HTTPS) creates a secure tunnel
Uses TLS or SSL for the bidirectional exchange of data
Securing Amazon S3 buckets and objects
Newly created S3 buckets and objects are private and protected by default
Tools
Amazon S3 Block Public Access feature => Simple to use
IAM policies => A good option when the user can authenticate using IAM
Bucket policies
Access control lists (ACLs) => A legacy access control mechanism
AWS Trusted Advisor bucket permission check
Working to ensure compliance
Category
Certifications and attestations
Laws, regulations, and privacy
Alignments and frameworks
AWS Config
Assess, audit, and evaluate the configurations of AWS resources
Automatically evaluate recorded configurations versus desired configurations
It is a regional service
AWS Artifact
Is a resource for compliance-related information
Provide access to security and compliance reports, and select online agreements
Networking and Content Delivery
Networking basics
Network > Subnet > Router
IPv4 and IPv6 addresses
Classless Inter-Domain Routing (CIDR)
OSI Model
Amazon VPC
Enables you to provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define
Selection of IP address range, Can use both IPv4 and IPv6
Logically isolated from other VPCs, Dedicated to your AWS account
Belong to a single AWS Region and can span multiple Availability Zones
Subnets
Range of IP addresses that divide a VPC
Belong to a single Availability Zone
Classified as public or private
Public subnets have direct access to the internet, but private subnets do not
IP Addressing
When you create a VPC, you assign it an IPv4 CIDR block (a range of private IPv4 addresses)
Every VM gets private IP address automatically
You cannot change the address range after you create the VPC
The largest IPv4 CIDR block size is /16, the smallest IPv4 CIDR block size is /28
Reserved IP addresses
Public IP address types
Public IPv4 address
Manually assigned through an Elastic IP address
Automatically assigned through the auto-assign public IP address settings at the subnet level
Elastic IP address
Can be allocated and remapped anytime
Additional costs might apply
Elastic network interface
A virtual network interface that you can attach to an instance, detach from the instance, and attach to another instance to redirect network traffic
Each instance in your VPC has a default network interface that is assigned a private IPv4 address from the IPv4 address range of your VPC
Route tables and routes
Contains a set of rules (or routes) that you can configure to direct network traffic from your subnet
Each route specifies a destination and a target
By default, every route table contains a local route for communication within the VPC
Each subnet must be associated with a route table (at most one)
VPC Wizard
VPC networking
Internet gateway
A scalable, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet
Network address translation (NAT) gateway
VPC Sharing
Enables customers to share subnets with other AWS accounts in the same organization in AWS Organizations
VPC Peering
A networking connection between two VPCs that enables you to route traffic between them privately
Restrictions
IP spaces cannot overlap, Transitive peering is not supported, You can only have one peering resource between the same two VPCs
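The VPC IP addressing rules (the /16 to /28 limits, the fixed range, one subnet per Availability Zone, reserved addresses) and the peering overlap restriction above, as a pre-creation planning check; this is an added example, not AWS's own code, and the five reserved addresses per subnet, the CIDRs and the AZ names are my assumptions and constructed samples:

```python
"""VPC address-space planning helpers (added example, not AWS's own code).

Applies the rules from the notes: an IPv4 VPC block must be between /16 and
/28, the range cannot change later so it is worth checking before creation,
each subnet lives in one Availability Zone, and peered VPCs must not overlap.
Assumes AWS's five reserved addresses per subnet; all CIDRs and AZ names
below are constructed samples.
"""
import ipaddress

RESERVED_PER_SUBNET = 5   # network, VPC router, DNS, future use, broadcast
VPC_PREFIX_RANGE = (16, 28)


def validate_vpc_cidr(cidr):
    """Return the block as an IPv4Network, or raise ValueError if AWS would reject it."""
    net = ipaddress.ip_network(cidr)   # strict: host bits must be zero
    if net.version != 4:
        raise ValueError(f"{cidr}: this helper only checks IPv4 blocks")
    low, high = VPC_PREFIX_RANGE
    if not low <= net.prefixlen <= high:
        raise ValueError(f"{cidr}: VPC prefix must be between /{low} and /{high}")
    return net


def plan_subnets(vpc_cidr, availability_zones, subnet_prefix=24):
    """Carve one equal-sized subnet per AZ out of the VPC block: {az: IPv4Network}."""
    vpc = validate_vpc_cidr(vpc_cidr)
    if not vpc.prefixlen <= subnet_prefix <= VPC_PREFIX_RANGE[1]:
        raise ValueError("subnet prefix must lie between the VPC prefix and /28")
    candidates = vpc.subnets(new_prefix=subnet_prefix)
    plan = {}
    for az in availability_zones:
        block = next(candidates, None)
        if block is None:
            raise ValueError(f"{vpc_cidr} has no room for a /{subnet_prefix} in {az}")
        plan[az] = block
    return plan


def usable_addresses(subnet):
    """Addresses you can assign to instances once AWS's reserved ones are removed."""
    return subnet.num_addresses - RESERVED_PER_SUBNET


def can_peer(vpc_a, vpc_b):
    """VPC peering is only possible when the two address spaces do not overlap."""
    return not validate_vpc_cidr(vpc_a).overlaps(validate_vpc_cidr(vpc_b))


if __name__ == "__main__":
    plan = plan_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b"])
    for az, block in plan.items():
        print(az, block, usable_addresses(block))   # 10.0.0.0/24 251, 10.0.1.0/24 251
    print(can_peer("10.0.0.0/16", "10.0.5.0/24"))   # False: overlapping
    print(can_peer("10.0.0.0/16", "10.1.0.0/16"))   # True
```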
AWS Site-to-Site VPN
Used to connect your VPC to your remote network => Create VPN connection
AWS Direct Connect
Enables you to establish a dedicated, private network connection between your network and one of the DX locations
DX uses open standard 802.1q virtual local area networks (VLANs)
VPC Endpoints
A virtual device that enables you to privately connect your VPC to supported AWS services and VPC endpoint services that are powered by AWS PrivateLink
Two types of endpoints
Interface endpoints (powered by AWS PrivateLink)
Gateway endpoints (Amazon S3 and Amazon DynamoDB)
AWS Transit Gateway
Used to simplify your networking model; you only need to create and manage a single connection from the central gateway into each VPC, on-premises data center, or remote office across your network
A transit gateway acts as a hub that controls how traffic is routed among all the connected networks
VPC security
Security groups
Acts as a virtual firewall for your instance, and it controls inbound and outbound traffic
Security groups act at the instance level
Default security groups deny all inbound traffic and allow all outbound traffic
Security groups are stateful
All rules are evaluated
Network access control lists (Network ACLs)
An optional layer of security for your Amazon VPC
It acts as a firewall for controlling traffic in and out of one or more subnets
Network ACLs act at the subnet level
Default network ACLs allow all inbound and outbound IPv4 traffic
Network ACLs are stateless
You can specify both allow and deny rules
Rules are evaluated in number order, starting with the lowest number
Custom network ACLs
Each subnet in VPC must be associated with a network ACL
Custom network ACLs deny all inbound and outbound traffic until you add rules
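The contrast drawn above between security groups (all rules evaluated, stateful) and network ACLs (numbered allow/deny rules, first match wins, stateless), as an added example that is not AWS's own code; the rules, ports and addresses in it are constructed samples, and it shows why a stateless ACL also needs an outbound rule for the client's ephemeral port:

```python
"""Security group vs. network ACL evaluation (added example, not AWS's own code).

Models the two behaviours the notes contrast: a security group evaluates all of
its allow rules and is stateful, while a network ACL walks numbered allow/deny
rules lowest-first, stops at the first match, and is stateless, so the reply to
the client's ephemeral port needs its own outbound rule. All rules and addresses
below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int       # evaluation order; ignored for security groups
    action: str       # "allow" or "deny" (security groups only have allow rules)
    protocol: str     # "tcp", "udp", "icmp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str

    def matches(self, protocol, port, address):
        return (self.protocol in ("-1", protocol)
                and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(address) in ipaddress.ip_network(self.cidr))


def security_group_allows(rules, protocol, port, address):
    """Every rule is evaluated; any matching rule admits the traffic."""
    return any(r.matches(protocol, port, address) for r in rules)


def network_acl_allows(rules, protocol, port, address):
    """First match in number order decides; no match hits the implicit '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port, address):
            return rule.action == "allow"
    return False


def connection_passes(inbound, outbound, stateful, client_ip, client_port,
                      server_port, protocol="tcp"):
    """(request_allowed, reply_allowed) for one client -> server connection."""
    evaluate = security_group_allows if stateful else network_acl_allows
    if not evaluate(inbound, protocol, server_port, client_ip):
        return False, False
    if stateful:
        return True, True   # the firewall tracks the flow, so the reply is allowed
    # Stateless: the reply targets the client's ephemeral port and needs an outbound rule
    return True, evaluate(outbound, protocol, client_port, client_ip)


# Web tier: HTTPS from anywhere, with one noisy /24 blocked ahead of the allow rule.
SG_WEB = [Rule(0, "allow", "tcp", 443, 443, "0.0.0.0/0")]
NACL_IN = [Rule(90, "deny", "tcp", 443, 443, "198.51.100.0/24"),
           Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]
NACL_OUT = [Rule(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]  # ephemeral ports

if __name__ == "__main__":
    print(connection_passes(SG_WEB, [], True, "203.0.113.10", 50000, 443))           # (True, True)
    print(connection_passes(NACL_IN, NACL_OUT, False, "203.0.113.10", 50000, 443))   # (True, True)
    print(connection_passes(NACL_IN, [], False, "203.0.113.10", 50000, 443))         # (True, False)
    print(connection_passes(NACL_IN, NACL_OUT, False, "198.51.100.7", 50000, 443))   # (False, False)
```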
Amazon Route 53
A highly available and scalable Domain Name System (DNS) web service
Is fully compliant with IPv4 and IPv6
Supports
Simple routing => Use in single-server environments
Weighted round robin routing => Assign weights to resource record sets to specify the frequency
Used for A/B testing (Blue/Green deployment)
Latency routing => Help improve your global applications
Geolocation routing => Route traffic based on location of your users
Geoproximity routing => Route traffic based on location of your resources
Failover routing => Fail over to a backup site if your primary site becomes unreachable
Multivalue answer routing => Respond to DNS queries with up to eight healthy records selected at random
Amazon Route 53 DNS failover
Configuring backup and failover scenarios for your own applications
Creating health checks
Amazon CloudFront
A global Content Delivery Network (CDN), that delivers content to end users with reduced latency
Caches copies of commonly requested files (static content)
Delivers a local copy of the requested content from a nearby cache edge or Point of Presence
Compute
Compute services
Amazon Elastic Compute Cloud (Amazon EC2)
Example Uses => Application server, Web server, Database server, Game server, Mail server, Media server, Catalog server, File server, Computing server, Proxy server
Decisions to make when creating an EC2 instance using the AWS Management Console Launch Instance Wizard
Amazon Machine Image (AMI) => A template that is used to create an EC2 instance (which is a virtual machine, or VM, that runs in the AWS Cloud), Contains a Windows or Linux operating system
Quick Start => Linux and Windows AMIs that are provided by AWS
My AMIs => Any AMIs that you created
AWS Marketplace => Pre-configured templates from third parties
Community AMIs => AMIs shared by others; use at your own risk
Instance types
Determines
Memory (RAM)
Processing power (CPU)
Disk space and disk type (Storage)
Network performance
Categories
Format => FamilyGeneration.Size
Network settings
Identify the VPC and optionally the subnet
IAM Role
An AWS Identity and Access Management (IAM) role that is attached to an EC2 instance is kept in an instance profile, An instance profile is a container for an IAM role
User data
Use user data scripts to customize the runtime environment of your instance
Script runs the first time the instance starts
Storage options
Configure the root volume where the guest operating system is installed
Configure Size, Volume type, Encryption
Storage Options
Amazon Elastic Block Store (Amazon EBS)
Durable, block-level storage volumes
Amazon EC2 Instance Store
Ephemeral storage is provided on disks that are attached to the host computer where the EC2 instance is running
If the instance stops, data stored here is deleted
Other options for storage (not for the root volume)
Mount an Amazon Elastic File System (Amazon EFS) file system
Connect to Amazon Simple Storage Service (Amazon S3)
Tags
A tag is a label that you can assign to an AWS resource
Consists of a key and an optional value
Tagging is how you can attach metadata to an EC2 instance
Security groups
A security group is a set of firewall rules that control traffic to the instance
It exists outside of the instance's guest OS
Key pairs
At instance launch, you specify an existing key pair or create a new key pair
Consists of
A public key that AWS stores
A private key file that you store
Instance lifecycle phases
Elastic IP addresses
Rebooting an instance will not change any IP addresses or DNS host names
Instance metadata
In a browser => http://169.254.169.254/latest/meta-data/
In a terminal window => curl http://169.254.169.254/latest/meta-data/
User data => http://169.254.169.254/latest/user-data/
Amazon CloudWatch => Provides charts in the Amazon EC2 console Monitoring tab that you can view
Run containers that are orchestrated by Kubernetes on those instances
Amazon Elastic Container Registry (Amazon ECR)
A fully managed Docker container registry that makes it easy for developers to store, manage, and deploy Docker container images
AWS Lambda
An event-driven, serverless compute service, enables you to run code without provisioning or managing servers
Lambda function => AWS resource that contains the code that you upload
Set the Lambda function to be triggered, either on a scheduled basis or in response to an event
Configure other AWS services as event sources to invoke your function
Alternatively, invoke a Lambda function from the Lambda console, AWS SDK, or AWS CLI
Configuration
Function code, Dependencies, Execution role
Schedule-based Lambda function and Event-based Lambda function
Hard limits for individual functions
Maximum function memory allocation = 10,240 MB
Function timeout = 15 minutes
Deployment package size = 250 MB unzipped, including layers
Container image code package size = 10 GB
AWS Elastic Beanstalk
A managed service that automatically handles Infrastructure provisioning and configuration, Deployment, Load balancing, Automatic scaling, Health monitoring, Analysis and debugging, Logging
It supports web applications written for common platforms => Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker
Deploys on servers such as Apache, NGINX, Passenger, Puma, and Microsoft Internet Information Services (IIS)
Storage
Amazon Elastic Block Store (Amazon EBS)
Persistent storage is any data storage device that retains data after power to that device is shut off
It is also sometimes called non-volatile storage
Enables you to create individual storage volumes and attach them to an Amazon EC2 instance
Amazon EBS offers block-level storage
Volumes are automatically replicated within its Availability Zone
It can be backed up automatically to Amazon S3 through snapshots
Block vs Object storage (with object storage the entire object must be rewritten if one character changes; block storage rewrites only the changed blocks)
Pricing
Volume, IOPS, Snapshots, Data transfer
Amazon Simple Storage Service (Amazon S3)
Data is stored as objects in buckets
Virtually unlimited storage
Single object is limited to 5 TB
Designed for 11 9s of durability
Granular access to bucket and objects
Amazon S3 includes event notifications that enable you to set up automatic notifications when certain events occur
A fast, fully managed data warehouse that makes it simple and cost-effective to analyze all your data by using standard SQL and your existing business intelligence (BI) tools
Can run complex SQL query
Parallel processing architecture
The leader node manages communications with client programs and all communication with compute nodes
Automation and scaling
Manage, Monitor, Scale
Compatibility
SQL clients and Business intelligence (BI) tools
Use cases
Enterprise data warehouse (EDW), Big data, Software as a service (SaaS)
Amazon Aurora
Enterprise-class relational database
Compatible with MySQL or PostgreSQL
Automate time-consuming tasks (such as provisioning, patching, backup, recovery, failure detection, and repair)
Fast and available, Pay-as-you-go, Managed service
High availability
Stores multiple copies of your data across multiple Availability Zones with continuous backups to Amazon S3
Aurora can use up to 15 read replicas, which also reduce the possibility of losing your data
Resilient design
After a database crash, Amazon Aurora does not need to replay the redo log from the last database checkpoint before becoming available; the storage layer applies redo records on demand as part of each read operation
Cloud Architecture
AWS Well-Architected Framework
A consistent approach to evaluating and implementing cloud architectures
Architecture => Designing and Building
A guide for designing infrastructures that are => Secure, High-performing, Resilient, Efficient
Best practices
Define requirements for identity and access management
Secure AWS account root user
Enforce use of multi-factor authentication
Automate enforcement of access controls
Integrate with centralized federation provider
Enforce password requirements
Rotate credentials regularly
Audit credentials periodically
Pillars of the AWS Well-Architected Framework
Operational excellence => Deliver business value
Run and monitor systems to deliver business value, and to continually improve supporting processes and procedures
Key topics
Automating changes
Responding to events
Defining standards to manage daily operations
Principles
Perform operations as code
Make frequent, small, reversible changes
Refine operations procedures frequently
Anticipate failure
Learn from all operational events and failures
Questions
Organization, Operate, Prepare, Evolve
Security => Protect and monitor systems
Protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies
Key topics
Protecting confidentiality and integrity of data
Identifying and managing who can do what
Protecting systems
Establishing controls to detect security events
Principles
Implement a strong identity foundation
Enable traceability
Apply security at all layers
Automate security best practices
Protect data in transit and at rest
Keep people away from data
Prepare for security events
Questions
Security, IAM, Detection, Infrastructure protection, Data protection, Incident response
Reliability => Recover from failure and mitigate disruption
Ensure a workload performs its intended function correctly and consistently when it’s expected to
Key topics
Designing distributed systems
Recovery planning
Handling change
Principles
Automatically recover from failure
Test recovery procedures
Scale horizontally to increase aggregate workload availability