AWS Cloud Practitioner Essentials (Second Edition)

Introduction to the AWS Cloud

Cloud Computing refers to the on-demand delivery of IT resources and applications via the Internet.

Benefits:

  • Scalability
  • Flexibility
  • Agility
  • Reliability
  • Elasticity
  • Security
  • Performance
  • Customization
  • Automation

 

AWS Management Interfaces 
All of the following interfaces are built upon AWS APIs.

  • AWS Management Console
  • AWS Command Line Interface (CLI)
  • AWS Software Development Kits (SDKs) – available for multiple programming languages

 

Amazon Elastic Compute Cloud (EC2)

  • Elastic refers to the fact that if configured properly, you can increase or decrease the number of servers required automatically based on the demand on the application.
  • Cloud refers to the fact that they are cloud hosted compute resources.
  • It comes with preconfigured templates for EC2 instances called Amazon Machine Images (AMIs).
  • Various configurations of CPU, memory, storage, and networking capacity.

 

Amazon Elastic Block Store (EBS) 

  • Provides block level storage volumes for use with EC2 instances.
  • Highly available and reliable storage volumes.
  • Could be HDD or SSD.
  • Also referred to as Volume or EBS volume.

 

Amazon Simple Storage Service (S3) 

  • Data stored in S3 isn’t associated with any specific server.
  • Provides a simple API to store and retrieve data.
  • Objects can be any data file like images, videos, logs, databases, etc.
  • Low latency access to data through HTTP or HTTPS
  • Data is stored in Buckets.

 

AWS Global Infrastructure 

  • Regions are geographic areas that host two or more Availability Zones.
  • Availability Zones are a collection of data centers in a specific region. They are physically isolated but connected through a fast/low-latency network. They provide High Availability, Reliability, and Redundancy.
  • Edge Locations host a Content Delivery Network (CDN) called CloudFront.

 

Amazon Virtual Private Cloud (VPC) 

  • Used to create a private, virtual network in the AWS Cloud.
  • Complete control of network configurations and several layers of security controls.
  • Lives within a Region; can have multiple VPCs under one account.
  • Subnets are used to divide Amazon VPC.
  • Route Tables, Internet Gateway, NAT, ACLs.

 

Security Groups 

  • Act as built-in firewalls
  • Filter traffic to your instances through rules.
  • Example – Web Tier is allowed HTTP/HTTPS from the Internet, Application Tier is only allowed API access, Database Tier is only allowed access from the Application Tier through the API.
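An added example (not part of the course notes) that models how security group rules are evaluated for the three-tier layout above: inbound traffic is denied unless a rule matches, and a rule may name another security group instead of a CIDR, which is what keeps the database tier reachable only from the application tier. The group names, ports and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Rule:
    protocol: str
    from_port: int
    to_port: int
    cidr: Optional[str] = None       # e.g. "0.0.0.0/0" for the whole Internet
    source_sg: Optional[str] = None  # name of another security group

@dataclass
class SecurityGroup:
    name: str
    ingress: List[Rule] = field(default_factory=list)

# Constructed three-tier layout: web from the Internet, app only from web,
# db only from app. Hypothetical ports (8080 for the API, 3306 for the DB).
GROUPS: Dict[str, SecurityGroup] = {
    "web": SecurityGroup("web", [Rule("tcp", 80, 80, cidr="0.0.0.0/0"),
                                 Rule("tcp", 443, 443, cidr="0.0.0.0/0")]),
    "app": SecurityGroup("app", [Rule("tcp", 8080, 8080, source_sg="web")]),
    "db":  SecurityGroup("db",  [Rule("tcp", 3306, 3306, source_sg="app")]),
}

def allowed(dest_sg: str, protocol: str, port: int,
            src_ip: str, src_sg: Optional[str] = None) -> bool:
    """Inbound check: True only if some rule of dest_sg matches (default deny)."""
    for r in GROUPS[dest_sg].ingress:
        if r.protocol != protocol or not (r.from_port <= port <= r.to_port):
            continue
        # CIDR rules match on the source address ...
        if r.cidr and ipaddress.ip_address(src_ip) in ipaddress.ip_network(r.cidr):
            return True
        # ... group-reference rules match on the sender's security group.
        if r.source_sg and r.source_sg == src_sg:
            return True
    return False

def audit_open_ports(groups: Dict[str, SecurityGroup]) -> List[Tuple[str, int]]:
    """Defender check: (group, port) pairs exposed to the whole Internet."""
    return [(g.name, r.from_port) for g in groups.values()
            for r in g.ingress if r.cidr == "0.0.0.0/0"]
```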

 

Elastic Load Balancing Service

1. Classic Load Balancer 

2. Application Load Balancer 

  1. Path and Host-based routing
    • Path-based provides rules that forward requests to different target groups.
    • Host-based can be used to define rules that forward requests to different target groups based on hostname.
  2. Native IPv6 support
  3. AWS Web Application Firewall (WAF)
  4. Dynamic Ports
  5. Deletion Protection and Request Tracing


  • Supports HTTP, HTTPS, HTTP/2, and Websockets
  • CloudWatch Metrics
  • Access Logs
  • Health Checks

3. Network Load Balancer 

 

Auto Scaling

It ensures that you have the correct number of Amazon EC2 instances available to handle the load for your application.

Auto Scaling Components 

  1. Launch Configuration (What)
    1. Which AMI to use?
    2. Which Instance Type to launch?
    3. What Security Groups to use?
    4. What Roles to use?
  2. Auto Scaling Group (Where)
    1. Which VPC and Subnets?
    2. Which Load Balancer to interact with?
    3. Minimum and Maximum Instances?
    4. Desired Capacity to start with?
  3. Auto Scaling Policy (When)
    1. Is it Scheduled?
    2. Is it On-demand?
    3. Scale-out and Scale-in Policy

 

Amazon Route 53 (DNS Service)

It is a Domain Name System (DNS) web service designed to provide a reliable and highly scalable way to route end-users to Internet Applications.

  • Domain Registration
  • Global, highly available DNS
  • Public and private DNS names
  • Multiple Routing algorithms
  • Both IPv4 and IPv6
  • Integrated with other AWS cloud services

 

Amazon Relational Database Services (RDS)

Challenges of Relational Databases

  • Server Maintenance and energy footprint
  • Software Install and Patches
  • Database backups and high availability
  • Limits on Scalability
  • Data Security
  • OS install and patches

Amazon RDS takes care of all of that for you.


  • Highly Scalable
  • High Performance
  • Easy to administer
  • Available and durable
  • Secure and Compliant

 

AWS Lambda

Event-driven, serverless compute service.

  • No Servers to manage
  • Continuous Scaling
  • Subsecond Metering

 

Use Cases:

  • Automated backups
  • Processing objects uploaded to S3
  • Process streamed data from Amazon Kinesis
  • Event-driven log analysis
  • Event-driven transformations
  • IoT
  • Operating serverless website

 

AWS Elastic Beanstalk

  • Platform as a Service
  • Allows quick deployment of your applications
  • Reduces management complexity
  • Keep control in your hands
    • Choose your instance type
    • Choose your database
    • Set and adjust Auto Scaling
    • Update your application
    • Access server log files
    • Enable HTTPS on the load balancer
  • Supports a large range of platforms
    • Packer Builder
    • Single Container, Multi Container, or Preconfigured Docker
    • Go, Java, PHP, Ruby, Python, Node.js, etc.
  • Easily Implemented
  • Updating is as easy as deploying


 

Amazon Simple Notification Service (SNS)

  • Flexible, fully managed pub/sub messaging and mobile communication service.
  • Coordinates the delivery of messages to subscribing endpoints and clients.
  • Easy to set up, operate and send reliable communications.
  • Decouple and scale microservices, distributed systems and serverless applications.

 

Amazon CloudWatch

Amazon CloudWatch monitors your AWS resources and the application you run on them in real-time.

Components of Amazon CloudWatch:

  • Metrics – system and application performance metrics
  • Alarms – performs one or more actions based on the metric condition
  • Events – Near real-time stream of system events that describe changes in AWS resources
  • Logs – To monitor and troubleshoot systems
  • Dashboard – homepage to monitor your resources in a single view

 

Amazon CloudFront

It is Amazon’s Content Delivery Network (CDN).

  • Global, Growing Network
  • Secure Content at the Edge
  • Deep Integration with Key AWS Services
  • High Performance
  • Cost Effective
  • Easy to Use

 

Use cases: 

  • Static Asset Caching
  • Live and On-demand video streaming
  • Security and DDoS Protection
  • Dynamic and Customized Content
  • API Acceleration
  • Software Distribution

 

AWS CloudFormation

It simplifies the task of repeatedly and predictably creating groups of related resources that power your applications.


 

The AWS Well-Architected Framework

Five Pillars 

1. Security 

  • Identity and Access Management (IAM)
  • Detective Controls
  • Infrastructure Protection
  • Data Protection
  • Incident Response
  • Design Principles 
    • Implement Security at all layers
    • Enable traceability
    • Apply the principle of least privilege
    • Focus on securing your system
    • Automate

 

2. Reliability 

  • Recover from Infrastructure and Service issues/failures
  • Apply best practices in:
    • Foundations
    • Change Management
    • Failure Management
  • Anticipate, respond, and prevent failures
  • Design Principles
    • Test recovery procedures
    • Automatically recover
    • Scale horizontally
    • Stop guessing capacity
    • Manage change in automation

 

3. Performance Efficiency 

  • Select customizable solution
  • Review to continually innovate
  • Monitor AWS services
  • Consider the trade-offs
  • Design Principles 
    • Democratize advanced technologies
    • Go global in minutes
    • Use a serverless architecture
    • Experiment more often
    • Have mechanical sympathy

 

4. Cost Optimization 

  • Use cost-effective resources
  • Matching supply with demand
  • Increase expenditure awareness
  • Optimize over time
  • Design Principles 
    • Adopt a consumption model
    • Measure overall efficiency
    • Reduce spending on data center operations
    • Analyze and attribute expenditure
    • Use managed services

 

5. Operational Excellence 

  • Manage and automate changes
  • Respond to events
  • Define the standards

 

Fault Tolerance and High Availability

Fault Tolerance

The ability of a system to remain operational even if some of the components of the system fail. It is the built-in redundancy of an application’s components.

High Availability

It ensures that your systems are always functioning and accessible. The downtime is minimized as much as possible, without the need for human intervention and minimal up-front financial investment.

High Availability Service Tools

Elastic Load Balancers 

  • Distributes incoming traffic (loads)
  • Sends metrics to Amazon CloudWatch
  • Triggers alarms on high latency and overutilization

Elastic IP addresses 

  • Are static IP addresses
  • Mask failures
  • Lets you continue to access apps if an instance fails

Amazon Route 53 

  • Authoritative DNS Service
  • Supports simple routing, latency based routing, health checks, DNS failovers, and geo-location routing

Auto Scaling 

  • Terminates and launches instances
  • Assists with adjusting and modifying the capacity
  • Creates new resources on demand

Amazon CloudWatch 

  • A distributed statistics gathering system
  • Tracks the metrics of your infrastructure
  • Create and use your own custom metrics
  • Used with Auto Scaling

 

Fault-Tolerant Tools

  • Amazon Simple Queue Service (SQS)
  • Amazon Simple Storage Service (S3)
  • Amazon Relational Database Service (RDS)

 

AWS Security

Network Security 

  • Built-in Firewalls
  • Encryption in transit
  • Private/dedicated connections
  • Distributed Denial of Service (DDoS) mitigation

Data Encryption 

  • Encryption capabilities
  • AWS Key Management Service
  • AWS CloudHSM – hardware-based cryptographic key storage options

Access Control Management 

  • Identity and Access Management (IAM)
  • Multi-factor Authentication (MFA)
  • Integration and federation with corporate directories
  • Amazon Cognito
  • AWS SSO

 

Shared Responsibility Model 

  • User Data (Customer)
  • Application (Customer)
  • Guest OS (Customer)
  • Hypervisor (AWS)
  • Network (AWS)
  • Physical (AWS)

 

Identity and Access Management (IAM) 

User (permanent, could be human or machine)

Group (collection of users)

Role (temporary, could be assumed by a human or machine; it’s just authentication, not authorization)

Policy Docs (JSON, can be attached to Users, Groups, and/or Roles, for authorization)
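An added example (not from the course notes) of the evaluation rule every IAM policy document follows: a request is denied by default, an explicit Deny overrides any Allow, and `*` in Action or Resource acts as a wildcard. The policy document and bucket name below are constructed placeholders, and `overly_broad` is a hypothetical least-privilege check, not an AWS API.

```python
import fnmatch
from typing import Any, Dict, List

# Constructed policy: read-only on one bucket, with an explicit deny on a
# "secret/" prefix. The bucket name is a placeholder.
POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Deny",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/secret/*"},
    ],
}

def _as_list(v: Any) -> List[str]:
    # Action and Resource may be a single string or a list of strings.
    return v if isinstance(v, list) else [v]

def _matches(patterns: Any, value: str) -> bool:
    # "*" (and "?") are wildcards in Action and Resource; fnmatch does the same.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def is_allowed(policy: Dict[str, Any], action: str, resource: str) -> bool:
    """Simplified evaluation: implicit deny, explicit Deny beats Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False   # explicit deny wins regardless of statement order
        allowed = True
    return allowed         # nothing matched: implicit deny

def overly_broad(policy: Dict[str, Any]) -> List[int]:
    """Least-privilege check: Allow statements with '*' for Action and Resource."""
    return [i for i, s in enumerate(policy["Statement"])
            if s["Effect"] == "Allow"
            and "*" in _as_list(s["Action"])
            and "*" in _as_list(s["Resource"])]
```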

 

Amazon Inspector

Assesses application for vulnerabilities and deviation from best practices.

Produces a detailed report with security findings and prioritized steps for remediation.

 

AWS Shield

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.

DoS (Denial of Service attack) – A deliberate attempt to make your website or application unavailable to users.

DDoS (Distributed Denial of Service attack) – Multiple sources are used to attack the target; infrastructure and application layers can be affected.

AWS Shield Standard 

  • Automatic protection of any AWS resource in any AWS region.
  • Quick Detection
  • Inline Attack Mitigation avoids latency impact
  • Self-service

 

AWS Shield Advanced 

  • Specialized support
  • Advanced attack mitigation
  • Visibility and attack notification
  • Always-on monitoring
  • Enhanced detection
  • DDoS cost protection

 

AWS cost fundamentals 

Pay for:

  • Compute capacity
  • Storage
  • Outbound data transfer (aggregated)

No charge for:

  • Inbound data transfer

 

Amazon EC2 instances 

On-demand instances

  • Compute capacity by the hour and second (minimum of 60 seconds)

Reserved instances

  • Reserve instances with low or no up-front payment
  • Discount on the hourly charge for that instance

Spot Instances

  • Bid for unused Amazon EC2 capacity