AWS Global Infrastructure

• AWS regions — Regions all around the world, a cluster of data centres, Most AWS services are region-scoped.
• Choose AWS region — Compliance, Proximity to the customer, Available services, Pricing.
• AWS Availability Zones — Each region has many availability zones, min 3, max 6, Each AZ is one or more discrete data centres with redundant power, networking, and connectivity, Isolated from disasters, connected with high brand width | AWS Data Centers
• AWS Edge Locations/Point of Presence — 400+ edge locations and contents are delivered to end users with lower latency.

AWS Global Services

• I AM
• DNS
• CloudFront
• WAF

Region Scoped Services

• EC2
• Beanstalk
• Lambda
• Rekognition

Identity and Access Management(IAM)

IAM Policies

IAM Policies Inheritance

Policies structure

IAM Password Policies

• Strongest PW
• Minimum pw character policies
• lowercase letters
• numbers inclusion
• Prevent password reuse

MFA

• Virtual MFA device
• U2F — Universal 2-Factor Security Key
• Hardware key Fob MFA device
• Hardware key Fob MFA device for AWS Gov Cloud

IAM roles for Services

• EC2 Instance Roles
• Lambda Function Roles

IAM Security Roles

EC2

• Instance TypesWe can give interruption behaviour when we create EC2.
• Under advanced details, we can find spot instance allocation details.
• Bootstrap our instance using an EC2 User data script.
• Bootstrapping means launching commands when a machine starts.
• Only run once at the instance's first start.

Instance Types

• General purpose → Web servers, Code Repositories
• Memory-optimized → Compute-intensive task, Batch processing, Media transcode, High-performance web servers, High-performance computing, Scientific modelling and Machine Learning, Dedicated gaming servers
• Accelerated Computing → Large datasets in memory, High performance, relational and non-relational databases, Distributed web-scale cache stores, memory db optimised for BI, Applications performing real-time processing of big unstructured data.
• Storage Optimized → Storage incentive tasks, OLTP, Non-Relational, No SQL, Cache in memory, Distributed file systems.
• Instance Features
• Measuring Instance Performance

EC2 Spot Instances

Spot Block

• Block spot instances during a specified time frame(1 to 6 hours) without interruptions.
• In rare situations, the instance may be reclaimed.
• Used for batch jobs data analysis or workloads that are resilient to failures.

Security Groups

• Allow containing rules.
• Fundamental of network security in AWS.
• Control how traffic is allowed into or out of our EC2 instances. — Inbound and outbound traffic
• Security group rules can be referenced by IP or by the security group.
• It can be attached to multiple instances.
• Locked down to a region/VPC combination

EC2 Purchasing Options

• On-Demand Instances — Short workload, Predictable pricing, pay by second
• Reserved(1&3 years) — Long workloads, 72%
• Convertible reserved instances — long workloads with flexible instances. Can change the instance type, family, scope and tenancy 66% discount
• Savings Plans(1&3 years) — commitment to an amount of usage($10) if not on-demand price, long workload 72%
• Spot Instances — short workloads, cheap, can lose instances, 90%, distributed workloads

• Dedicated Hosts — book an entire physical server, control instance placement, and compliance requirements.
• Dedicated Instances — no other customers will share your hardware
• Capacity Reservation — reserve capacity in a specific AZ for any duration, short-term uninterrupted workloads

EC2 Solution Architect

• Public IP: machine can be identified on the internet, Unique across the whole web
• Private IP: Can only identified on a private internet only
• Elastic IP: This enables fixed IP for our EC2 instances, This is an IPv4 IP we own as long as we don’t delete it
• We can attach it to one instance.
• Only can have 5 Elastic IPs for one account.
• It’s better to set up DNS rather than this.

Placement Groups

EC2 Hibernate

• Long-running processing
• Saving the RAM state
• Services that take time to initialise

EBS and EFS(EC2 Instance Storage)

Elastic Block Storage(EBS)

EBS Snapshots

• Can move the EBS Snapshot Archive it is cheaper.
• Recycle bin for EBS snapshots.
• Fast Snapshot restore

AMI

• AMI — Amazon Machine Image
• AMI is a customisation of an EC2 instance
• AMIs are built for a specific region( and can be copied across regions)
• You can launch EC2 instances from: A public AMI, Your own AMI, or AWS Marketplace AMI.
• Build an AMI — this will also create EBS snapshots.
• Monitoring AMI CreateImageAPI call + SNS topic to send an alert when a CreateImage API call is detected.

EC2 instance store

• High-performance hardware disk, use EC2 instance store.
• Better I/O performance hardware disk, use EC2 instance storage.
• Better I/O performance
• EC2 Instance Stores lose their storage if they’re stopped
• Cache, Scratch data, Temporary content
• Risk of data loss if hardware fails

EBS Volume Types

• gp2/ gp3 — Can be used as boot volumes, Cost-effective, Low latency, Virtual desktops
• io1/ io2 — Can be used as boot volumes — Sustained IOPS performance, Great for database workloads over 32000 IOPS
• st1
• sc1

EBS Multi Attach

• Achieve higher application availability in clustered Linux applications.
• Must manage concurrent write operations

EBS Encryption

• Create an EBS snapshot of the volume.
• Encrypt the EBS snapshot(using copy)
• Create a new EBS volume from the snapshot( the volume will also be encrypted)
• Now, you can attach the encrypted volume to the original instance

Elastic File System(EFS)

• General Purpose
• Max IO

• Bursting
• Provisioned
• Elastic

• Standard
• Infrequent access

• Standard
• One zone

EBS vs EFS

• One instance
• Locked at the AZ
• Migrate an EBS volume across AZ: Take a snapshot.
• EBS gets terminated by default if the EC2 instance gets terminated.

• Mounting 100s of instances across AZ
• EFS shares website files
• only for Linux Instances

ALB & ASG(Scalability & High Availability)

• Vertical Scalability: increase the size of the instance
• Horizontal Scalability: implies distributed systems/Increased number of instances.

• Application at least 2 data centers (AZ)
• To avoid data loss
• Auto Scaling Group multi-AZ
• Load balancer multi-AZ

Elastic Load Balancer

Importance of ELB

• Spread load across multiple downstream instances.
• Expose a single point of access (DNS) to your instances.
• Do regular health checks on your instances
• Provide SSL termination (HTTPS) for your websites.
• Enforce stickiness
• High availability across zones
• Separate public traffic from private traffic

Types of load balancer on AWS

Classic Load Balancer

Application Load Balancer

• The application load balancer is layer 7
• Load balancing to multiple HTTP applications across machines(target groups)
• Load balancing to multiple applications on the same machine
• Support redirects
• Routing table to different target groups
• ALB are a great fit for microservices
• Has a port mapping feature.

• Fixed hostname
• Application servers don’t see the IP of the client directly.
• NLBs are used for extreme performance or TCP or UDP traffic

Network Load Balancer

• We can allow a set of Static IPs to access our application.
• Network load balancer (Layer 4) — TCP & UDP
• Handle millions of requests per second.
• NLB has one static IP per AZ

Gateway Load Balancer

• Deploy, Scale, and manage a fleet of 3rd party network virtual appliances in AWS
  ex: Firewalls, Intrusion Detection and Prevention Systems, Deep Packet Inspection Systems
• Route tables are modified, and every traffic goes through the gateway load balancer. We can analyse traffic.
  Operates at Layer 3 (Network Layer)
• Combine the following functions: Transparent Network Gateway and load balancer.
• Uses the GENEVE protocol on port 6081

Sticky Sessions (Session Affinity)

• Application based cookie
• custom cookie — Generated by the target, Can include any custom attributes required by the application
• application cookie — Generated by the load balancer
• duration-based cookie — cookie generated by the load balancer

Cross-Zone Load Balancing

SSL/TLS — Basics

• An SSL Certificate allows traffic between your clients and your load balancer to be encrypted in transit (in-fight encryption)
• SSL refers to the Secure Sockets Layer, used to encrypt connections
• TLS refers to Transport Layer Security, which is a newer version
• Nowadays, TLS certificates are mainly used, but people refer as SSL.
• Public SSL certificates are issued by Certificate Authorities (CA)
• ACM is used to manage
• You can upload our one.

SNI

Connection Draining

Auto Scaling Group

• Goal — Scale out or in according to load
• Ensure we have a minimum and a maximum number of EC2 instances running.
• Automatically register new instances to a load balancer.
• Recreate an EC2 instance in case a previous one is terminated.
• ASG free
• A Launch Template
• Min / Max and initial capacity
• AS policies
• It is possible to scale an ASG based on Cloudwatch alarms
  An alarm monitors a metric — Based on this, can create AS policies
  Scaling cooldowns — 300 seconds

• Target Tracking Scaling — CPU over 40%
• Simple / Step Scaling →70%
• Scheduled Actions — based on usage pattern
• Predictive scaling