AWS SAA-Notes

This document provides summaries of key AWS concepts: 1. IAM allows creation of users, groups and roles to control access to AWS services. Groups can include policies but not credentials. Roles provide temporary credentials. 2. S3 storage classes include Standard, Standard-IA, One Zone-IA, Glacier and Deep Archive for varying access frequencies and retrieval times. 3. Security groups control stateful traffic to instances. NACLs control stateless traffic at subnet level and can deny traffic from specific sources. 4. EBS volumes provide persistent and reliable storage for instances. Snapshots backup volumes and are incremental for efficiency. Encryption protects data at rest without performance impact.

Uploaded by skandams

IAM

IAM user
- 5000 per account limit
IAM Groups
- inline and managed policy
- no nesting
- no credentials
- 300 groups per account
IAM Roles
- assume = temporary credentials from STS
- external accounts/identities can't be used directly on AWS; they assume a role
- permission policy and trust policy
AWS Organizations
- one master/management account
- consolidated billing - the management account is the payer
Service Control Policy (SCP)
- is an account permission boundary
- limits what accounts can do
- doesn't grant any permission by itself
- default is a deny list
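Added example (not from these notes or from AWS): a simplified model of how an identity policy and the SCPs above it combine, showing the three SCP properties above (boundary, limits, grants nothing). It assumes no resource policies, permission boundaries or Condition elements, and treats each SCP as one level of the Organizations hierarchy.

```python
# Added example (not from the notes or from AWS): a simplified model of how an
# identity policy and the Service Control Policies above it combine. It shows
# the three SCP properties in the notes: an SCP is a boundary, it limits what
# an account can do, and it never grants anything by itself.
from fnmatch import fnmatchcase


def _match(pattern: str, value: str) -> bool:
    # IAM wildcards: "*" matches anything, "?" one character; actions are
    # matched case-insensitively.
    return fnmatchcase(value.lower(), pattern.lower())


def _statement_applies(statement: dict, action: str, resource: str) -> bool:
    actions = statement["Action"]
    resources = statement.get("Resource", "*")
    actions = [actions] if isinstance(actions, str) else actions
    resources = [resources] if isinstance(resources, str) else resources
    return any(_match(a, action) for a in actions) and any(
        _match(r, resource) for r in resources
    )


def evaluate_policy(policy: dict, action: str, resource: str) -> str:
    """Return 'Deny', 'Allow' or 'Implicit' for a single policy document.

    Any matching Deny statement wins over every Allow statement.
    """
    result = "Implicit"
    for statement in policy["Statement"]:
        if _statement_applies(statement, action, resource):
            if statement["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result


def decide(identity_policies, scp_levels, action, resource, management_account=False):
    """Simplified authorization decision for a request made with IAM credentials.

    identity_policies: policies attached to the user/role (inline or managed).
    scp_levels: one SCP document per level of the Organizations hierarchy
                (root, each OU, the account); every level must allow.
    Assumptions of this example: no resource policies, permission boundaries,
    session policies or Condition elements.
    """
    identity = [evaluate_policy(p, action, resource) for p in identity_policies]
    if "Deny" in identity:
        return False  # explicit deny in the identity policy
    if not management_account:  # SCPs do not apply to the management account
        for scp in scp_levels:
            if evaluate_policy(scp, action, resource) != "Allow":
                return False  # an SCP denies or does not allow: outside the boundary
    # An SCP on its own grants nothing: the identity policy must still allow.
    return "Allow" in identity


# Constructed sample policies (not copied from any real account).
FULL_AWS_ACCESS_SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_LIST_SCP = {  # "deny list" style: allow everything, then carve out exceptions
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["s3:DeleteBucket", "organizations:LeaveOrganization"], "Resource": "*"},
    ]
}
DEVELOPER_POLICY = {  # identity policy attached to a developer role in a member account
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket*"}]
}
MEMBER_SCPS = [FULL_AWS_ACCESS_SCP, DENY_LIST_SCP]  # root level, then the OU level


def member_can(action, resource):
    return decide([DEVELOPER_POLICY], MEMBER_SCPS, action, resource)


def management_can(action, resource):
    return decide([DEVELOPER_POLICY], MEMBER_SCPS, action, resource, management_account=True)


if __name__ == "__main__":
    print(member_can("s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"))  # True
    print(member_can("s3:DeleteBucket", "arn:aws:s3:::example-bucket"))          # False: SCP deny
    print(member_can("ec2:RunInstances", "*"))                                    # False: SCP allows, identity policy does not
    print(management_can("s3:DeleteBucket", "arn:aws:s3:::example-bucket"))      # True: SCPs don't bind the management account
```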

S3 Storage Classes
- S3 Standard - for frequently accessed data which is important and non-replaceable
- S3 Standard-IA - should be used for long-lived data which is important but where access is infrequent
- S3 One Zone-IA - should be used for long-lived data which is NON-CRITICAL & REPLACEABLE and where access is infrequent
- S3 Glacier - for archival data where frequent or real-time access isn't needed. Minutes-hours retrieval. Data retrieval: Expedited - 1-5 minutes, Standard - 3-5 hours, Bulk - 5-12 hours
- S3 Glacier Deep Archive - for archival data that rarely if ever needs to be accessed - hours to a day of retrieval, e.g. legal or regulatory data storage. Data retrieval: Standard - 12 hours, Bulk - up to 48 hours
- S3 Intelligent-Tiering - should be used for long-lived data with changing or unknown access patterns

NACL
- stateless - initiation and response are seen as different traffic
- only impacts data crossing the subnet border
- the default NACL allows all in/out traffic (a custom NACL starts with deny all)
- can explicitly allow and deny
- matches on IPs/networks, ports, protocols - no logical resources
- NACLs cannot be assigned to AWS resources - only subnets
- use with Security Groups to add explicit denies (bad IPs/nets)
- one subnet = one NACL at a time

Security Group
- stateful - traffic and its response = same rule
- SGs can filter based on AWS logical resources: other SGs and even themselves
- implicit deny and explicit allow
- no explicit deny

Security Groups vs NACL
- NACLs on the subnet for any products which don't work with SGs, e.g. NAT Gateways
- NACLs when adding an explicit deny (bad IPs, bad actors)
- SGs as the default almost everywhere
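Added example (not from these notes or from AWS): a toy packet filter that models the stateless vs stateful difference from the NACL and Security Group bullets above, including why a NACL needs an outbound ephemeral-port rule and why only the NACL can carry an explicit deny. Addresses, ports and rules are constructed for the example.

```python
# Added example (not from the notes or from AWS): a toy packet filter that
# models the stateless/stateful difference in the bullets above. Addresses,
# ports and rules are constructed for the example.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "in" = arriving at the subnet/instance, "out" = leaving it


def _in_cidr(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def _remote_and_port(pkt: Packet):
    # Inbound rules match the remote source address, outbound rules the remote
    # destination address; both match on the packet's destination port.
    remote = pkt.src_ip if pkt.direction == "in" else pkt.dst_ip
    return remote, pkt.dst_port


class NetworkACL:
    """Stateless: each packet is checked against the numbered rules of its own
    direction, lowest number first; first match wins; no match = implicit deny."""

    def __init__(self, rules):
        # rule = (number, direction, cidr, (low_port, high_port), "allow" | "deny")
        self.rules = sorted(rules, key=lambda r: r[0])

    def allows(self, pkt: Packet) -> bool:
        remote, port = _remote_and_port(pkt)
        for _, direction, cidr, (lo, hi), action in self.rules:
            if direction == pkt.direction and _in_cidr(remote, cidr) and lo <= port <= hi:
                return action == "allow"
        return False


class SecurityGroup:
    """Stateful: rules are allow-only (implicit deny, no explicit deny) and the
    reply to an allowed packet is accepted without consulting the rules."""

    def __init__(self, rules):
        # rule = (direction, cidr, (low_port, high_port))
        self.rules = rules
        self._flows = set()  # connection tracking table

    def allows(self, pkt: Packet) -> bool:
        # A flow is the unordered pair of endpoints, so the reply (src/dst
        # swapped) maps to the same entry as the request.
        flow = frozenset({(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)})
        if flow in self._flows:
            return True
        remote, port = _remote_and_port(pkt)
        for direction, cidr, (lo, hi) in self.rules:
            if direction == pkt.direction and _in_cidr(remote, cidr) and lo <= port <= hi:
                self._flows.add(flow)
                return True
        return False


SERVER = "10.0.1.10"      # constructed web server in a private subnet
CLIENT = "203.0.113.7"    # constructed client (TEST-NET-3 documentation range)
BLOCKED = "198.51.100.9"  # constructed address we want to deny explicitly


def https_exchange(filt, client_ip):
    """Return (request_allowed, reply_allowed) for one HTTPS request/response."""
    request = Packet(client_ip, 51515, SERVER, 443, "in")
    reply = Packet(SERVER, 443, client_ip, 51515, "out")
    return filt.allows(request), filt.allows(reply)


def demo():
    # NACL that only allows port 443 both ways: the reply goes to the client's
    # ephemeral port, so the stateless outbound check drops it.
    nacl_no_ephemeral = NetworkACL([
        (100, "in", "0.0.0.0/0", (443, 443), "allow"),
        (100, "out", "0.0.0.0/0", (443, 443), "allow"),
    ])
    # Correct NACL: outbound ephemeral range, plus an explicit deny for BLOCKED
    # numbered lower than the allow so that it is evaluated first.
    nacl_ok = NetworkACL([
        (90, "in", BLOCKED + "/32", (0, 65535), "deny"),
        (100, "in", "0.0.0.0/0", (443, 443), "allow"),
        (100, "out", "0.0.0.0/0", (1024, 65535), "allow"),
    ])
    sg = SecurityGroup([("in", "0.0.0.0/0", (443, 443))])  # no outbound rule needed
    return {
        "nacl_without_ephemeral_rule": https_exchange(nacl_no_ephemeral, CLIENT),      # (True, False)
        "nacl_with_ephemeral_rule": https_exchange(nacl_ok, CLIENT),                   # (True, True)
        "nacl_blocks_bad_ip": nacl_ok.allows(Packet(BLOCKED, 40000, SERVER, 443, "in")),  # False
        "sg_tracks_reply": https_exchange(sg, CLIENT),                                  # (True, True)
        "sg_cannot_deny_bad_ip": sg.allows(Packet(BLOCKED, 40000, SERVER, 443, "in")),   # True
    }
```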

NAT Gateway
- runs from a public subnet
- uses Elastic IPs (static public IPv4)
- AZ-resilient service (HA within that AZ)
- for region resilience = a NAT GW in each AZ
- a route table for each AZ with that NAT GW as target
- managed, scales to 45 Gbps, $ for duration and data volume

EC2 Storage
- Block storage - volume presented to the OS as a collection of blocks, no structure provided. Mountable and bootable
- File storage - presented as a file share, has structure. Mountable, but not bootable
- Object storage - collection of objects, flat. Not mountable, not bootable
- Direct (local) attached storage - storage on the EC2 host
- Network attached storage - volumes delivered over the network
- Ephemeral storage - temporary storage
- Persistent storage - permanent storage - lives on past the lifetime of the instance

EBS
- Volumes are created in an AZ and isolated to that AZ
- If the AZ fails the volume is impacted... snapshots help
- Highly available and resilient within that AZ
- Generally one volume <-> one instance (..but multi-attach exists)
- Billed per GB-month regardless of instance state
- EBS max 80k IOPS per instance, 64k per volume (io1)
- Max 2,375 MB/s per instance, 1,000 MiB/s per volume (io1)

Instance Store Volume
- Local on EC2 Host
- Add at launch ONLY
- Lost on instance move, resize or hardware failure
- High performance
- You pay for it anyway - included in instance price
- TEMPORARY

EBS vs Instance Store

When to use EBS:
- Highly available and reliable storage
- Persists independently from the EC2 instance
- Clusters - Multi-Attach feature of io1
- Region-resilient backups
- Require up to 64k IOPS and 1k MiB/s per volume
- Require up to 80k IOPS and 2,375 MB/s per instance

When to use an Instance Store:
- Value - included in instance cost
- More than 80k IOPS & 2,375 MB/s
- Temp storage volumes
- Stateless services
- Rigid lifecycle link storage <-> instance

EBS Snapshot
- Snapshots are incremental volume copies to S3
- The first is a full copy of the 'data' on the volume
- Future snaps are incremental
- Volumes can be created (restored) from snapshots
- Snapshots can be copied to another region
- New EBS volume = full performance immediately
- Snaps restore lazily - blocks are fetched gradually
- To get full performance immediately, force a read of all data
- Fast Snapshot Restore (FSR) = immediate restore, up to 50 snaps per region. Set on the snap & AZ

EBS Encryption
- Accounts can be set to encrypt by default - uses the default CMK
- otherwise choose a CMK to use
- Each volume uses one unique DEK
- Snapshots & volumes created from them use the same DEK
- Can't change a volume to NOT be encrypted
- The OS isn't aware of the encryption .. no performance loss

EC2 Network & DNS Architecture
- Secondary ENI + MAC = licensing
- Multi-homed (subnets) - management & data
- Different security groups - multiple interfaces
- OS DOESN'T see the public IPv4
- Public IPv4 IPs are dynamic .. stop & start = change
- Public DNS - resolves to the private IP inside the VPC, public IP everywhere else

Amazon Machine Image (AMI)
- Can be used to launch EC2 instances
- AWS or community provided
- Marketplace (can include commercial software)
- Regional .. unique ID e.g. ami-0989834434
- Permissions (Public, Your Account, Specific Accounts)
- You can create an AMI from an EC2 instance you have configured the way you want
- AMI lifecycle: Launch, Configure, Create Image, Launch
- AMI = one region, only works in that one region
- AMI baking - creating an AMI from a configured instance + application
- An AMI can't be edited .. launch an instance, update the configuration and make a new AMI
- Can be copied between regions (including its snapshots)
- Remember permissions .. default = your account only

EC2 Instance Pricing Models

On-Demand Instances
- Instances have an hourly rate
- Billed per second (60s minimum) or hourly
- Default pricing model
- No long-term commitments or upfront payments
- New or uncertain application requirements
- Short-term, spiky or unpredictable workloads which can't tolerate any disruption

Spot Instances
- Spot pricing offers up to 90% off vs On-Demand
- A spot price is set by EC2 - based on spare capacity
- You can specify a maximum price you'll pay
- If the spot price goes above yours - instances terminate
- Applications that have flexible start and end times
- Apps which only make sense at low cost
- Apps which can tolerate failure and continue later

Reserved Instances
- Up to 75% off vs On-Demand - for a commitment
- 1 or 3 years, All Upfront, Partial Upfront, No Upfront
- Reserved in a region, or in an AZ with a capacity reservation
- Scheduled Reservation
- Known steady-state usage
- Lowest cost for apps which can't handle disruption
- Need reserved capacity

EC2 Scaling
Vertical Scaling
- Each resize requires a reboot
- Larger instances often carry a $ premium
- There is an upper cap on performance - instance size
- No application modification required
- Works for All applications = even Monoliths

Horizontal Scaling
- Sessions, sessions, sessions
- Requires application support or off-host sessions
- No disruption when scaling
- No real limits to scaling
- Often less expensive - no large instance premium
- More granular…

Instance Metadata
- EC2 service provides data to instances
- Accessible inside ALL instances
- http://169.254.169.254
- Environment
- Networking
- Authentication
- User-Data
- Not authenticated or encrypted
- Requiring IMDSv2 on an instance (a session token obtained with a PUT request must accompany each metadata read) blocks many accidental exposures of the metadata, and of the role credentials it contains, through proxies or request-forwarding bugs

User Data
- It’s opaque to EC2 .. it’s just a block of data
- It’s NOT secure, don’t use it for passwords or long term credentials (ideally)
- User data is limited to 16 KB in size
- Can be modified when instance stopped
- But only executed once at launch

EC2 Instance Roles
- Credentials are inside the metadata
- iam/security-credentials/role-name
- Automatically rotated - always valid
- Should always be used rather than adding access keys to an instance
- CLI tools will use ROLE credentials automatically

AWS ECS
- Dockerfiles are used to build images
- Portable - self-contained, always runs as expected
- Lightweight - parent OS is used, filesystem layers are shared
- A container only runs the application & environment it needs
- Provides much of the isolation VMs do
- Ports are exposed to the host and beyond
- Application stacks can be multi-container

ECS Concepts
- Container definition - image & ports
- Task definition - security (Task Role), container(s), resources
- Task Role - IAM role which the TASK assumes
- Service - how many copies, HA, restarts

Cluster Types
- EC2 Mode
- Fargate Mode

EC2 vs ECS (EC2 mode) vs Fargate
- If you use containers .. ECS
- Large workload - price conscious - EC2 mode
- Large workload - overhead conscious - Fargate
- Small/burst workloads - Fargate
- Batch/periodic workloads - Fargate

SSM Parameter Store
- Storage for configuration & secrets
- Value Type: String, StringList & SecureString
- License codes, Database Strings, Full Configs & Passwords
- Hierarchies & Versioning
- Plaintext and Ciphertext
- Public parameters - Latest AMIs per region

Logging on EC2
- CloudWatch is for metrics
- CloudWatch Logs is for logging
- Neither natively capture data inside an Instance
- CloudWatch agent is required
- … plus configurations and permissions

EC2 Placement Groups

Cluster - pack instances close together
- Can't span AZs - ONE AZ only
- Can span VPC peers - but impacts performance
- Requires a supported instance type
- Use the same type of instance (not mandatory)
- Launch at the same time (not mandatory)
- 10 Gbps single-stream performance
- Use cases: performance, fast speeds, low latency
Spread - keep instances separated
- Provides infrastructure isolation - each instance runs from a different rack
- 7 instances per AZ (HARD limit)
- Not supported for Dedicated Instances or Hosts
- Use case: small number of critical instances that need to be kept separated from each other
Partition - groups of instances spread apart
- 7 partitions per AZ
- Instances can be placed in a specific partition or auto-placed
- Partition placement groups are not supported for Dedicated Hosts
- Great for HDFS, HBase and Cassandra

EC2 Dedicated Hosts
- EC2 host dedicated to you
- Specific family e.g. a1, c5, m5
- No instance charges ... you pay for the host
- On-Demand & Reserved options available
- Host hardware has physical sockets and cores

Limitations & Features
- AMI limits - RHEL, SUSE Linux and Windows AMIs aren't supported
- Amazon RDS instances are not supported
- Placement groups are not supported for dedicated hosts
- Hosts can be shared with other ORG accounts - RAM

Enhanced Networking
- Uses SR-IOV - NIC is virtualization aware
- No charge - available on most EC2 Types
- Higher I/O & Lower Host CPU Usage
- More bandwidth
- Higher packets-per-second (PPS)
- Consistent lower latency

EBS Optimized
- EBS = block storage over the network
- Historically the network was shared .. data and EBS
- EBS Optimized means dedicated capacity for EBS
- Most instances support it and have it enabled by default
- Some support it, but enabling costs extra

Amazon RDS
- Database-as-a-Service (DBaaS)
- DatabaseServer-as-a-Service
- Managed database instance (1+ databases)
- Multiple engines: MySQL, MariaDB, PostgreSQL, Oracle, Microsoft SQL Server, Amazon Aurora

Amazon RDS High Availability (Multi-AZ)
- No free tier - extra cost for the standby replica
- Standby replica can't be directly used
- 60-120 seconds failover
- Same region only (other AZs in the VPC)
- Backups taken from the standby (removes performance impact)
- Failover on: AZ outage, primary failure, manual failover, instance type change and software patching

RDS Restores
- Creates a NEW RDS instance - new address
- Snapshots = single point in time, creation time
- Automated = any 5-minute point in time
- The backup is restored and transaction logs are 'replayed' to bring the DB to the desired point in time
- Restores aren't fast - think about RTO

RDS Read Replicas
- Synchronous replication - Multi-AZ is for availability
- Asynchronous replication - read replica - read scaling
Performance Improvements
- 5x direct read replicas per DB instance
- Each providing an additional instance of read performance
- Read replicas can have read replicas - but lag starts to be a problem
- Global performance improvements
Availability Improvements
- Snapshots & backups improve RPO
- RTOs are a problem
- Read replicas offer near-zero RPO
- Read replicas can be promoted quickly - low RTO
- Failure only - watch for data corruption (it is replicated too)
- Read only - until promoted
- Global availability improvements ... global resilience

Amazon RDS Security
- SSL/TLS (in transit) is available for RDS, can be made mandatory
- RDS supports EBS volume encryption - KMS
- Handled by HOST/EBS
- AWS or customer managed CMK generates the data keys
- Data keys used for encryption operations
- Storage, logs, snapshots & replicas are encrypted, encryption can't be removed
- RDS MSSQL and RDS Oracle support TDE - Transparent Data Encryption
- Encryption handled within the DB engine
- RDS Oracle supports integration with CloudHSM
- Much stronger key controls (even from AWS)

Amazon Aurora
- Aurora architecture is VERY different from RDS - it uses a cluster
- A single primary instance + 0 or more replicas
- No local storage - uses a cluster volume
- Faster provisioning & improved availability & performance
Aurora Storage Architecture
- All SSD based - high IOPS, low latency
- Storage is billed based on what's used
- High water mark - billed for the most used
- Storage which is freed up can be re-used
- Replicas can be added and removed without requiring storage provisioning
Cost
- No free tier option
- Aurora doesn't support micro instances
- Beyond RDS single-AZ (micro) Aurora offers better value
- Compute - hourly charge, per second, 10-minute minimum
- Storage - GB-month consumed, IO cost per request
- 100% of DB size in backups is included
Aurora Restore, Clone & Backtrack
- Backups in Aurora work in the same way as RDS
- Restores create a new cluster
- Backtrack can be used, which allows in-place rewinds to a previous point in time
- Fast clones make a new database MUCH faster than copying all the data - copy-on-write

Aurora Serverless
- Scalable - ACU - Aurora Capacity Units
- An Aurora Serverless cluster has a MIN & MAX ACU
- Cluster adjusts based on load
- Can go to 0 and be paused
- Consumption billing on a per-second basis
- Same resilience as Aurora (6 copies across AZs)
Use Cases
- Infrequently used applications
- New applications
- Variable workloads
- Unpredictable workloads
- Development and test databases
- Multi-tenant applications
Aurora Global Database
- Cross-region disaster recovery and business continuity
- Global read scaling - low-latency performance improvements
- ~1s or less replication between regions
- No impact on DB performance
- Secondary regions can have 16 replicas
- Can be promoted to read/write
- Currently MAX 5 secondary regions

Aurora Multi-Master
- Default Aurora mode is single-master
- One R/W and 0+ read-only replicas
- Cluster endpoint is used to write, reader endpoint is used for load-balanced reads
- Failover takes time = replica promoted to R/W
- In multi-master mode all instances are R/W

Database Migration Service (DMS)
- A managed database migration service
- Runs using a replication instance
- Source and destination endpoints point at ..
- .. source and target databases
- One endpoint MUST be on AWS

Amazon Elastic File System (EFS)
- EFS is an implementation of NFSv4
- EFS file systems can be mounted in Linux
- Shared between many EC2 instances
- Private service, via mount targets inside a VPC
- Can be accessed from on-premises - VPN or DX
- Linux only
- General Purpose and Max I/O performance modes
- General Purpose = default for 99.9% of uses
- Bursting and Provisioned throughput modes
- Standard and Infrequent Access (IA) classes
- Lifecycle policies can be used with classes

Load Balancing
- Clients connect to the Load Balancer
- … specifically the listener of the LB
- The LB connects on your behalf to 1+ targets (servers)
- 2 connections .. listener & backend
- Client abstracted from individual servers
- Used for High-Availability, Fault Tolerance and Scaling

Application Load Balancer (ALB)
- ALB is a 'layer 7' LB - understands HTTP/S
- Scalable and highly available
- Internet-facing or internal
- Listens on the outside -> sends to target(s) (groups)
- Hourly rate and LCU rate (capacity)
- Targets => target groups which are addressed via rules
- Rules are path based or host based
- Supports EC2, ECS, EKS, Lambda, HTTPS, HTTP/2 and WebSockets
- ALB can use SNI for multiple SSL certs - host-based rules
- Recommended vs CLB (legacy)

Network Load Balancer (NLB)
- NLBs are layer 4 .. only understand TCP and UDP
- Can't understand HTTP/S but are faster - ~100ms vs 400ms for application load balancers
- Rapid scaling - millions of requests per second
- 1 interface w/ static IP per AZ, can use Elastic IPs (whitelisting)
- Can do SSL pass-through
- Can load balance non-HTTP/S applications - doesn't care about anything above TCP/UDP
SSL Offload
- Bridging - listener is configured for HTTPS. Connection is terminated on the ELB & needs a certificate for the domain name; the ELB then makes a new HTTPS connection to the backend
- Pass-through - listener is configured for TCP. No encryption or decryption happens on the NLB. Connection is passed to the backend instance
- Offload - listener is configured for HTTPS. Connections are terminated and then backend connections use HTTP

Launch Configuration and Launch Template Concepts
- Allow you to define the configuration of an EC2 instance in advance
- AMI, instance type, storage & key pair
- Networking and security groups
- User data & IAM role
- Both are not editable - defined once. LTs have versions.
- LTs provide newer features - including T2/T3 Unlimited, placement groups, capacity reservations, Elastic Graphics

Auto Scaling Groups
- Automatic scaling and self-healing for EC2
- Uses launch templates or configurations
- Has a minimum, desired and maximum size (e.g. 1:2:4)
- Provisions or terminates instances to keep at the desired level (between min/max)
- Scaling policies automate based on metrics
- Auto Scaling Groups are free
- Only the resources created are billed
- Use cooldowns to avoid rapid scaling
- Think about more, smaller instances - granularity
- Use with ALB for elasticity - abstraction
- ASG defines WHEN and WHERE, LT defines WHAT

Scaling Policies
- Manual scaling - manually adjust the desired capacity
- Scheduled scaling - time-based adjustment
- Dynamic scaling
- Simple - "CPU above 50% +1", "CPU below 50% -1"
- Stepped - bigger +/- based on the difference
- Target tracking - desired aggregate CPU = 40% ... the ASG handles it

AWS Lambda
- Function-as-a-Service (FaaS)
- Event-driven invocation (execution)
- Lambda function = piece of code in one language
- Lambda functions use a runtime (e.g. Python 3.6)
- Runs in a runtime environment
- You are billed only for the duration a function runs
- Key component of serverless architecture
Key considerations
- Currently - 15 minute execution limit
- New runtime environment every execution - no persistence
- Execution role provides permissions
- Load data from other services (e.g. S3)
- Store data to other services (e.g. S3)
- (free tier) 1M free requests per month and 400,000 GB-seconds of compute time per month

CloudWatch Events and EventBridge
- If X happens, or at Y time(s) ... do Z
- EventBridge is CloudWatch Events v2
- A default event bus for the account
- ... in CloudWatch Events this is the only bus (implicit)
- EventBridge can have additional event buses
- Rules match incoming events .. (or schedules)
- Route the events to 1+ targets e.g. Lambda

API Gateway
- API Gateway is a managed API endpoint service
- Create, publish, monitor and secure APIs .. as a service
- Billed based on number of API calls, data transfer and additional performance features such as caching
- Can be used directly for serverless architecture
- Or during an architecture evolution

Serverless Architecture
- Serverless isn’t one single thing
- You manage few, if any servers - low overhead
- Applications are a collection of small & specialised functions
- … Stateless and Ephemeral environments - duration billing
- Event driven .. consumption only when being used
- FaaS is used where possible for compute functionality
- Managed Services are used where possible

Simple Notification Service (SNS)
- Public AWS service - network connectivity with a public endpoint
- Coordinates the sending and delivery of messages
- Messages are <= 256KB payloads
- SNS topics are the base entity of SNS - permissions and configuration
- A publisher sends messages to a TOPIC
- Topics have subscribers which receive messages e.g. HTTP(S), Email, SQS, Mobile Push, SMS, Lambda
- SNS is used across AWS for notifications - e.g. CloudWatch & CloudFormation
- Delivery status - including HTTP, Lambda, SQS
- Delivery retries - reliable delivery
- HA and scalable (region)
- Server-side encryption (SSE)
- Cross-account via TOPIC policy

Simple Queue Service (SQS)
- Public, fully managed, highly available queues - Standard or FIFO
- Messages up to 256KB in size - link to large data
- Received messages are hidden (VisibilityTimeout) then either reappear (retry) or are explicitly deleted
- Dead-letter queues can be used for problem messages
- ASGs can scale and Lambdas invoke based on queue length
- Standard = at-least-once, FIFO = exactly-once
- FIFO (performance) 3000 messages per second with batching, or up to 300 messages per second without
- Billed based on requests
- 1 request = 1-10 messages up to 65KB total
- Short (immediate) vs long (WaitTimeSeconds) polling
- Encryption at rest (KMS) & in transit
- Queue policy
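Added example (not from these notes or from AWS): an in-memory model of the receive / VisibilityTimeout / delete cycle and dead-letter redrive described above. A logical clock replaces wall time so the run is deterministic; queue names, bodies and the redrive limit are constructed for the example.

```python
# Added example (not from the notes or from AWS): a small in-memory model of the
# SQS receive / visibility-timeout / delete cycle and dead-letter redrive. A
# logical clock replaces wall time so the behaviour is deterministic; the
# queue names and message bodies are constructed for the example.
from dataclasses import dataclass
import itertools


@dataclass
class Message:
    id: str
    body: str
    receive_count: int = 0
    invisible_until: int = 0  # logical timestamp until which the message is hidden
    receipt_handle: str = ""  # handle issued by the most recent receive


class Queue:
    _ids = itertools.count(1)

    def __init__(self, name, visibility_timeout=30, max_receive_count=None, dead_letter=None):
        self.name = name
        self.visibility_timeout = visibility_timeout
        self.max_receive_count = max_receive_count  # None = no redrive policy
        self.dead_letter = dead_letter
        self.messages = []  # standard queue: ordering is not modelled

    def send(self, body):
        msg = Message(id=f"msg-{next(self._ids)}", body=body)
        self.messages.append(msg)
        return msg.id

    def receive(self, now, max_messages=10):
        """Return up to max_messages visible messages as (receipt_handle, body).

        Each delivered message becomes invisible for visibility_timeout; a
        message already received max_receive_count times is moved to the
        dead-letter queue instead of being delivered again.
        """
        delivered = []
        for msg in list(self.messages):
            if msg.invisible_until > now or len(delivered) >= max_messages:
                continue
            if self.max_receive_count is not None and msg.receive_count >= self.max_receive_count:
                self.messages.remove(msg)
                self.dead_letter.messages.append(Message(id=msg.id, body=msg.body))
                continue
            msg.receive_count += 1
            msg.invisible_until = now + self.visibility_timeout
            msg.receipt_handle = f"{msg.id}:{msg.receive_count}"
            delivered.append((msg.receipt_handle, msg.body))
        return delivered

    def delete(self, receipt_handle):
        """Delete succeeds only with the handle from the most recent receive."""
        for msg in self.messages:
            if msg.receipt_handle == receipt_handle:
                self.messages.remove(msg)
                return True
        return False

    def __len__(self):
        return len(self.messages)


def crashing_consumer_scenario():
    """A consumer that receives but never deletes: the message reappears after
    every visibility timeout and is redriven to the DLQ after max_receive_count."""
    dlq = Queue("orders-dlq")
    q = Queue("orders", visibility_timeout=30, max_receive_count=3, dead_letter=dlq)
    q.send("order-42")
    deliveries = []
    for now in (0, 10, 30, 60, 90):  # t=10 falls inside the first visibility window
        deliveries.append(len(q.receive(now)))
    return {"deliveries": deliveries, "queue_len": len(q), "dlq_len": len(dlq)}


def healthy_consumer_scenario():
    """Receive, process, delete with the latest handle; a stale handle is rejected."""
    q = Queue("orders", visibility_timeout=30)
    q.send("order-7")
    (old_handle, _), = q.receive(now=0)
    (new_handle, _), = q.receive(now=30)  # timed out: delivered again with a new handle
    stale_ok = q.delete(old_handle)       # False: not the most recent handle
    fresh_ok = q.delete(new_handle)       # True
    return {"stale_delete": stale_ok, "fresh_delete": fresh_ok, "queue_len": len(q)}
```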

Kinesis & Kinesis Firehose
- Kinesis is a scalable streaming service
- Producers send data into a Kinesis stream
- Streams can scale from low to near-infinite data rates
- Public service & highly available by design
- Streams store a 24h moving window of data
- Multiple consumers access data from that moving window
SQS vs Kinesis
SQS
- SQS: 1 production group, 1 consumption group
- Decoupling and asynchronous communications
- No persistence of messages after consumption, no window
Kinesis
- Kinesis is designed for huge-scale ingestion and multiple consumers ... rolling window
- Data ingestion, analytics, monitoring, app clicks

CloudFront
- CloudFront is a global object cache (CDN)
- Content is cached in locations close to customers
- Lower latency and higher throughput
- Load on the content server is decreased
- It can handle static and dynamic content
CloudFront Terms
- Origin - the source location of your content
- Distribution - the configuration unit of CloudFront
- Edge Location - local infrastructure which hosts a cache of your data
- Regional Edge Cache - larger versions of an edge location. Provides another layer of caching

AWS Certificate Manager (ACM)
- HTTP - simple and insecure
- HTTPS - SSL/TLS layer of encryption added to HTTP
- Data is encrypted in transit
- Certificates prove identity
- Signed by a trusted authority
- Create, renew and deploy certificates with ACM
- Supported AWS services ONLY (e.g. CloudFront and ALBs .. not EC2)

Lambda@Edge
- You can run lightweight Lambda functions at edge locations
- Adjust data between the viewer & origin
- Currently supports Node.js and Python
- Runs in the AWS public space (not VPC)
- Layers are not supported
- Different limits vs normal Lambda functions
Lambda@Edge Use Cases
- A/B testing - Viewer Request
- Migration between S3 origins - Origin Request
- Different objects based on device - Origin Request
- Content by country - Origin Request

AWS Global Accelerator
- Moves the AWS network closer to customers
- Connections enter at the edge using anycast IPs
- Transit over the AWS backbone to 1+ locations
- Can be used for NON-HTTP/S (TCP/UDP) - difference from CloudFront

VPC Flow Logs
- Capture packet metadata .. NOT packet contents
- Applied to a VPC - all interfaces in that VPC
- Subnet - interfaces in that subnet
- Interface directly
- VPC Flow Logs are NOT realtime
- Destination can be S3 or CloudWatch Logs

Egress-Only Internet Gateway
- With IPv4, addresses are private or public
- NAT allows private IPs to access public networks .. without allowing externally initiated connections (IN)
- With IPv6 all IPs are public
- Internet Gateway (IPv6) allows all IPs IN and OUT
- Egress-Only is outbound-only for IPv6
- Egress-Only Gateway is HA by default across all AZs in the region - scales as required

VPC Endpoints
Gateway
- Provide private access to S3 and DynamoDB
- Prefix list added to the route table => gateway endpoint
- Highly available (HA) across all AZs in a region by default
- Endpoint policy is used to control what it can access
- Regional ... can't access cross-region services
- Prevent leaky buckets - S3 buckets can be set to private only by allowing access ONLY from a gateway endpoint
Interface
- Provide private access to AWS public services - anything not S3 and DynamoDB
- Added to specific subnets - an ENI - not HA
- For HA .. add one endpoint to one subnet, per AZ used in the VPC
- Network access controlled via SG
- Endpoint policies - restrict what can be done with the endpoint
- TCP and IPv4 only
- Uses PrivateLink

VPC Peering
- Direct encrypted network link between two VPCs
- Works same/cross-region and same/cross-account
- (optional) public hostnames resolve to private IPs
- Same-region SGs can reference peer SGs
- VPC peering does NOT support transitive peering
- Routing configuration is needed, SGs & NACLs can filter

Border Gateway Protocol (BGP)
- Autonomous System (AS) - routers controlled by one entity ... a network in BGP
- ASNs are unique and allocated by IANA (0-65535), 64512-65534 are private
- BGP operates over tcp/179 - it's reliable
- Not automatic - peering is manually configured
- BGP is a path-vector protocol: it exchanges the best path to a destination between peers .. the path is called the AS_PATH
- iBGP = Internal BGP - routing within an AS
- eBGP = External BGP - routing between ASes

AWS Site-to-Site VPN
- A logical connection between a VPC and an on-premises network, encrypted using IPsec, running over the public internet
- Full HA - if you design and implement it correctly
- Quick to provision ... less than an hour
- Virtual Private Gateway (VGW)
- Customer Gateway (CGW)
- VPN connection between the VGW and CGW
VPN Considerations
- Speed limitations ~1.25 Gbps
- Latency considerations - inconsistent, public internet
- Cost - hourly cost, GB out cost, data cap (on-premises)
- Speed of setup - hours ... all software configuration
- Can be used as a backup for Direct Connect (DX)
- Can be used with Direct Connect (DX)

AWS Direct Connect (DX)
- A 1 Gbps or 10 Gbps network port into AWS at a DX location (1000BASE-LX or 10GBASE-LR)
- to your customer router (requires VLANs/BGP)
- or partner router (if extending to your location)
- Multiple Virtual Interfaces (VIFs) over one DX
- Private VIF (VPC) & Public VIF (public zone services)
Considerations
- Takes MUCH longer to provision vs VPN
- DX port provisioning is quick .. the cross-connect takes longer, extension to premises can take weeks/months
- Use VPN first .. then replace with DX (or leave as backup)
- Faster ... 40 Gbps with aggregation
- Low consistent latency, doesn't use business bandwidth
- No encryption

Transit Gateway (TGW)
- Network transit hub to connect VPCs to on-premises networks
- Significantly reduces network complexity
- Single network object - HA and scalable
- Attachments to other network types
- VPC, Site-to-Site VPN & Direct Connect Gateway
Considerations
- Supports transitive routing
- Can be used to create global networks
- Share between accounts using AWS RAM
- Peer with different regions .. same or cross account
- Less complexity vs without TGW

Storage Gateway
- Hybrid storage virtual appliance (on-premises)
- Extension of file & volume storage into AWS
- Volume storage backups into AWS
- Tape backups into AWS
- Migration of existing infrastructure to AWS
Storage Gateway Modes
- Tape Gateway (VTL) mode - virtual tapes => S3 and Glacier
- File mode - SMB and NFS - file storage backed by S3 objects
- Volume mode (Gateway Cached/Stored) - iSCSI - block storage backed by S3 and EBS snapshots
1. Stored - primary data is stored on-premises; backup data is asynchronously replicated to AWS. The AWS side creates EBS snapshots from the backup data, which can be used to create standard EBS volumes. Ideal for migrations to AWS. 16TB per volume, 32 volumes (MAX), 512TB total capacity. Is for migrations and disaster recovery.
2. Cached - primary data is stored in AWS. Data which is accessed frequently is cached locally. Ideal for extending storage into AWS. Primary data is stored on an S3-backed volume (AWS-managed bucket); snapshots are stored as standard EBS snapshots. 32TB per volume, 32 volumes (MAX), 1PB total capacity
3. Volumes are made available via iSCSI for network-based servers to access (single connection per volume unless servers are clustered)

Directory Service
- Stores objects (e.g. users, groups, computers, servers, file shares) with a structure (domain, tree)
- Multiple trees can be grouped into a forest
- Commonly used in Windows environments
- Sign-in to multiple devices with the same username/password provides centralised management for assets
- ... Microsoft Active Directory Domain Services (AD DS)
- AD DS most popular, open-source alternatives (Samba)
- AWS managed implementation
- Runs within a VPC
- To implement HA ... deploy into multiple AZs
- Some AWS services need a directory e.g. Amazon WorkSpaces
- Can be isolated or integrated with an existing on-premises system, or act as a proxy back to on-premises
Directory Modes
- Simple AD - the default. Simple requirements. A directory in AWS
- Microsoft AD - applications in AWS which need MS AD DS, or you need to TRUST AD DS
- AD Connector - use AWS services which need a directory without storing any directory info in the cloud ... proxy to your on-premises directory

AWS DataSync
- Data transfer service TO and FROM AWS
- Migrations, data processing transfers, archival to cost-effective storage, or DR/BC .. designed
to work at huge scale
- Keeps metadata (e.g. permissions/timestamps)
- Built in data validation
Key features
- Scalable - 10Gbps per agent (~100TB per day)
- Bandwidth Limiters ( avoid link saturation)
- Incremental and scheduled transfer options
- Compression and encryption
- Automatic recovery from transit errors
- AWS Service Integration - S3, EFS, FSx
- Pay as you use .. per GB cost for data moved
Components
- Task - A job within DataSync; defines what is being synced, how quickly, FROM where and
TO where
- Agent - Software used to read from or write to on-premises data stores using NFS or SMB
- Location - every task has two locations, FROM and TO. e.g. NFS, SMB, Amazon EFS,
Amazon FSx and Amazon S3

FSx for Windows File Server
- Fully managed native windows file servers/shares
- Designed for integration with windows environments
- Integrates with Directory Service or Self-Managed AD
- Single or Multi-AZ within a VPC
- On-demand and Scheduled Backups
- Accessible using VPC, Peering, VPN, Direct Connect
Key Features and Benefits
- VSS (Volume Shadow Copy Service) - user-driven restores of previous file versions
- Native File System accessible over SMB
- Windows permission model
- Supports DFS (Distributed File System) .. scale-out file share structure
- Managed - no file server admin
- Integrates with DS and your own directory

FSx for Lustre
- Managed Lustre - designed for HPC - Linux Clients (POSIX)
- Machine Learning, Big Data, Financial Modeling
- 100s of GB/s throughput & sub-millisecond latency
- Deployment types Persistent or Scratch
- Scratch - Highly optimised for Short term no replication & fast
- Persistent - longer term, HA (in one AZ), self-healing
- Accessible over VPN or Direct Connect
- Scratch is designed for pure performance
- Short term or temp workloads
- NO HA .. NO replication
- Larger file systems means more servers, more disks and more chance of failure
- Persistent has replication within ONE AZ only
- Auto-heals when hardware failure occurs
- Backups to S3 (manual or automatic, 0-35 day retention) apply to Persistent file systems; Scratch file systems are not backed up

AWS Secrets Manager
- Shares some functionality with Systems Manager Parameter Store
- Designed for secrets (e.g. passwords, API keys)
- Usable via Console, CLI, API or SDKs (application integration)
- Supports automatic rotation .. implemented by a Lambda function that Secrets Manager invokes
- Directly integrates with some AWS products (e.g. RDS)
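The rotation Lambda that Secrets Manager invokes follows a fixed four-step contract: it is called once per step (createSecret, setSecret, testSecret, finishSecret) with the same ClientRequestToken, and the new value is staged under the AWSPENDING label until the last step promotes it to AWSCURRENT. The block below is an added example, not code from the page or from AWS; `FakeSecretsManager` and `FakeDatabase` are constructed in-memory stand-ins for the service and the system whose credential is rotated, so it runs offline (a real handler would call `boto3.client("secretsmanager")` with the same keyword arguments).

```python
import secrets
import string


class FakeSecretsManager:
    """In-memory stand-in (constructed for this example) for the four Secrets Manager
    API calls a rotation function uses; argument names match the real boto3 client."""

    def __init__(self, secret_id, current_value):
        self.secret_id = secret_id
        self.versions = {"v-initial": {"value": current_value, "stages": {"AWSCURRENT"}}}

    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {vid: sorted(v["stages"])
                                       for vid, v in self.versions.items() if v["stages"]}}

    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        for vid, v in self.versions.items():
            if VersionId is not None and vid != VersionId:
                continue
            if VersionStage is not None and VersionStage not in v["stages"]:
                continue
            return {"VersionId": vid, "SecretString": v["value"]}
        raise LookupError("ResourceNotFoundException")

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = {"value": SecretString, "stages": set(VersionStages)}

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId=None):
        if RemoveFromVersionId is not None:
            self.versions[RemoveFromVersionId]["stages"].discard(VersionStage)
            if VersionStage == "AWSCURRENT":
                # The service relabels the outgoing AWSCURRENT version as AWSPREVIOUS.
                for v in self.versions.values():
                    v["stages"].discard("AWSPREVIOUS")
                self.versions[RemoveFromVersionId]["stages"].add("AWSPREVIOUS")
        self.versions[MoveToVersionId]["stages"].add(VersionStage)


class FakeDatabase:
    """Constructed stand-in for the system whose credential is being rotated."""

    def __init__(self, password):
        self.password = password

    def set_password(self, new_password):
        self.password = new_password

    def authenticate(self, password):
        return secrets.compare_digest(password, self.password)


def rotation_handler(event, client, database):
    """Secrets Manager invokes this four times per rotation, once per Step."""
    secret_id, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]

    if step == "createSecret":
        # Idempotent: a retry that already staged a pending value for this token keeps it.
        try:
            client.get_secret_value(SecretId=secret_id, VersionId=token, VersionStage="AWSPENDING")
        except LookupError:
            alphabet = string.ascii_letters + string.digits
            new_value = "".join(secrets.choice(alphabet) for _ in range(32))
            client.put_secret_value(SecretId=secret_id, ClientRequestToken=token,
                                    SecretString=new_value, VersionStages=["AWSPENDING"])
    elif step == "setSecret":
        pending = client.get_secret_value(SecretId=secret_id, VersionId=token,
                                          VersionStage="AWSPENDING")["SecretString"]
        database.set_password(pending)
    elif step == "testSecret":
        pending = client.get_secret_value(SecretId=secret_id, VersionId=token,
                                          VersionStage="AWSPENDING")["SecretString"]
        if not database.authenticate(pending):
            raise RuntimeError("pending credential rejected by the database; not promoting it")
    elif step == "finishSecret":
        stages = client.describe_secret(SecretId=secret_id)["VersionIdsToStages"]
        current = next(vid for vid, labels in stages.items() if "AWSCURRENT" in labels)
        if current != token:  # skip if a previous invocation already promoted this version
            client.update_secret_version_stage(SecretId=secret_id, VersionStage="AWSCURRENT",
                                               MoveToVersionId=token, RemoveFromVersionId=current)
    else:
        raise ValueError(f"unknown rotation step {step}")


def rotate(client, database, token):
    """Drive the four steps in order, as the service would; returns the value now labelled AWSCURRENT."""
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        rotation_handler({"SecretId": client.secret_id, "ClientRequestToken": token, "Step": step},
                         client, database)
    return client.get_secret_value(SecretId=client.secret_id, VersionStage="AWSCURRENT")["SecretString"]
```

The ordering is the security-relevant part: the new credential is written to the target system and verified against it before it becomes AWSCURRENT, so a failed testSecret leaves applications reading the old, still-valid value, and the old value stays retrievable under AWSPREVIOUS for rollback.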

AWS Shield and Web Application Firewall (WAF)
AWS Shield
- Provides AWS resources with DDoS protection
- Shield Standard - free and applied automatically to all AWS customers; most effective in front of Route 53 and CloudFront
- Protection against Layer 3 and Layer 4 DDoS attacks
- Shield Advanced - ~$3k per month
- Shield Advanced covers: EC2, ELB, CloudFront, Global Accelerator & Route 53
- DDoS Response Team (DRT) & cost protection (credits for scaling charges caused by an attack)
WAF
- Layer 7 (HTTP/S) firewall
- Protects against complex Layer 7 attacks/exploits
- SQL injection, cross-site scripting, geo blocks, rate awareness
- Web Access Control List (Web ACL) integrated with ALB, API Gateway and CloudFront
- Rules are added to a Web ACL and evaluated in priority order when traffic arrives
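A Web ACL combining the four rule types listed above (geo block, rate limit, SQL injection and XSS via AWS managed rule groups), written as the dictionary that `boto3`'s `wafv2.create_web_acl(**acl)` accepts. This is an added example, not code from the page or from AWS; the rule names, metric names, the 2000-requests-per-five-minutes limit and the country list are assumptions chosen for illustration, and `validate_web_acl` catches two mistakes the API rejects (duplicate priorities; a managed rule group given `Action` instead of `OverrideAction`).

```python
def _visibility(metric_name):
    """CloudWatch/sampling settings every rule and the ACL itself must carry."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": metric_name}


def build_web_acl(name, rate_limit=2000, blocked_countries=("KP", "IR"), scope="REGIONAL"):
    """Return the keyword arguments for wafv2 create_web_acl / update_web_acl.

    Rules are evaluated in ascending Priority and the first terminating action wins,
    so cheap rejections (geo, rate) sit before the managed rule groups.
    """
    rules = [
        {
            "Name": "geo-block",
            "Priority": 0,
            "Statement": {"GeoMatchStatement": {"CountryCodes": list(blocked_countries)}},
            "Action": {"Block": {}},
            "VisibilityConfig": _visibility(f"{name}-geo"),
        },
        {
            # Rate awareness: a single source IP above rate_limit requests per 5 minutes is blocked.
            "Name": "rate-limit-per-ip",
            "Priority": 1,
            "Statement": {"RateBasedStatement": {"Limit": rate_limit, "AggregateKeyType": "IP"}},
            "Action": {"Block": {}},
            "VisibilityConfig": _visibility(f"{name}-rate"),
        },
        {
            # Managed rule groups carry their own per-rule actions; OverrideAction None keeps them.
            "Name": "aws-managed-sqli",
            "Priority": 2,
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS",
                                                        "Name": "AWSManagedRulesSQLiRuleSet"}},
            "OverrideAction": {"None": {}},
            "VisibilityConfig": _visibility(f"{name}-sqli"),
        },
        {
            # The common rule set covers cross-site scripting and similar payload checks.
            "Name": "aws-managed-common",
            "Priority": 3,
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS",
                                                        "Name": "AWSManagedRulesCommonRuleSet"}},
            "OverrideAction": {"None": {}},
            "VisibilityConfig": _visibility(f"{name}-common"),
        },
    ]
    return {
        "Name": name,
        "Scope": scope,                  # REGIONAL for ALB/API Gateway; CLOUDFRONT (created in us-east-1) for CloudFront
        "DefaultAction": {"Allow": {}},  # anything no rule blocks is allowed
        "Rules": rules,
        "VisibilityConfig": _visibility(name),
    }


def validate_web_acl(acl):
    """Reject duplicate priorities and rules with both or neither of Action/OverrideAction."""
    priorities = [r["Priority"] for r in acl["Rules"]]
    if len(set(priorities)) != len(priorities):
        raise ValueError("rule priorities must be unique")
    for rule in acl["Rules"]:
        is_group = ("ManagedRuleGroupStatement" in rule["Statement"]
                    or "RuleGroupReferenceStatement" in rule["Statement"])
        if is_group != ("OverrideAction" in rule) or is_group == ("Action" in rule):
            raise ValueError(f"rule {rule['Name']}: rule groups need OverrideAction, plain rules need Action")
    if acl["Scope"] not in ("REGIONAL", "CLOUDFRONT"):
        raise ValueError("Scope must be REGIONAL or CLOUDFRONT")
    return True
```

After `create_web_acl` the ACL is attached to a load balancer or API stage with `associate_web_acl`; for CloudFront the ACL ARN is instead set on the distribution. Start managed groups in count mode (`OverrideAction: {"Count": {}}`) and review the sampled requests before switching to the block behaviour shown here.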

CloudHSM
- With KMS .. AWS managed .. shared (multi-tenant) but separated
- CloudHSM is a true "single tenant" Hardware Security Module (HSM)
- AWS provisioned … fully customer managed (AWS has no access to the key material)
- FIPS 140-2 Level 3 (at the time of these notes KMS was Level 2 overall, some Level 3)
- Industry-standard APIs - PKCS#11, Java Cryptography Extensions (JCE), Microsoft
CryptoNG (CNG) libraries
- KMS can use CloudHSM as a custom key store (CloudHSM integration with KMS)
Use cases
- No native AWS service integration .. e.g. no S3 SSE
- Offload the SSL/TLS Processing for Web Servers
- Enable Transparent Data Encryption (TDE) for Oracle Databases
- Protect the Private Keys for an Issuing Certificate Authority (CA)

DynamoDB
DynamoDB Concepts
- NoSQL public Database-as-a-Service (DBaaS) - key/value & document
- No self-managed servers or infrastructure
- Manual/automatic provisioned performance IN/OUT, or on-demand
- Highly resilient … across AZs and optionally global
- Really fast .. single-digit milliseconds (SSD based)
- Backups, point-in-time recovery, encryption at rest
- Event-driven integration .. do things when data changes
DynamoDB Considerations
- NoSQL .. prefer DynamoDB in the exam
- Relational data .. generally NOT DynamoDB
- Key/value .. prefer DynamoDB in the exam
- Access via console, CLI, API .. 'NO SQL'
- Billed based on RCU, WCU, storage and features
DynamoDB - Operations, Consistency and Performance
- On-Demand - unknown or unpredictable load, low admin
- On-Demand - price per million read or write request units
- Provisioned .. RCU and WCU set on a per-table basis
- Every operation consumes at least 1 RCU/WCU
- 1 RCU is 1 x 4KB strongly consistent read per second (an eventually consistent read of the same size costs 0.5 RCU, a transactional read costs 2 RCU)
- 1 WCU is 1 x 1KB write per second (a transactional write costs 2 WCU)
- Every table has an RCU and WCU burst pool (300 seconds of unused capacity)
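The capacity rules above, worked through as a small calculator. This is an added example, not code from the page; it implements the published unit sizes (4KB per RCU, 1KB per WCU, sizes rounded up per item for GetItem and per result set for Query/Scan) and the consistency multipliers, and `provisioned_capacity` ignores the burst pool, which only smooths short spikes.

```python
import math

RCU_CHUNK = 4 * 1024  # one RCU covers one strongly consistent read of up to 4 KB per second
WCU_CHUNK = 1 * 1024  # one WCU covers one write of up to 1 KB per second

_READ_FACTOR = {"strong": 1.0, "eventual": 0.5, "transactional": 2.0}


def rcu_per_read(item_bytes, consistency="strong"):
    """RCUs consumed by a single GetItem of an item of item_bytes.

    The size rounds up to the next 4 KB; eventually consistent reads cost half,
    transactional reads double. Even an empty item consumes one chunk.
    """
    return max(1, math.ceil(item_bytes / RCU_CHUNK)) * _READ_FACTOR[consistency]


def wcu_per_write(item_bytes, transactional=False):
    """WCUs consumed by a single PutItem/UpdateItem (size rounds up to the next 1 KB)."""
    return max(1, math.ceil(item_bytes / WCU_CHUNK)) * (2 if transactional else 1)


def rcu_per_query(item_sizes, consistency="strong"):
    """Query and Scan add up the sizes of every returned item first, then round to 4 KB,
    which is why one Query returning ten 1 KB items is far cheaper than ten GetItems."""
    if consistency not in ("strong", "eventual"):
        raise ValueError("Query/Scan support strong or eventual consistency only")
    return max(1, math.ceil(sum(item_sizes) / RCU_CHUNK)) * _READ_FACTOR[consistency]


def provisioned_capacity(item_bytes, reads_per_second, writes_per_second, consistency="strong"):
    """Whole RCU/WCU to provision for a steady per-item workload (burst pool ignored)."""
    rcu = math.ceil(reads_per_second * rcu_per_read(item_bytes, consistency))
    wcu = math.ceil(writes_per_second * wcu_per_write(item_bytes))
    return rcu, wcu
```

The asymmetry between reads and writes is the part people misjudge: a 6 KB item costs 2 RCU to read strongly but 6 WCU to write, so write-heavy tables with large items are provisioned (and billed) mostly on the WCU side.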

DynamoDB Streams & Triggers
Streams concepts
- Time ordered list of ITEM CHANGES in a table
- 24-hour rolling window
- Enabled on a per table basis
- Records Inserts, Updates and Deletes
- Different view types influence what is in the stream: KEYS_ONLY, NEW_IMAGE,
OLD_IMAGE, NEW_AND_OLD_IMAGES
Trigger Concepts
- item changes generate an event
- That event contains the data which changed
- An action is taken using that data
- AWS = Streams + Lambda
- Reporting & Analytics
- Aggregation, Messaging, Notifications
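A trigger is just a Lambda function handed a batch of stream records, so the two things to get right are decoding DynamoDB's typed attribute format (`{"S": ...}`, `{"N": ...}`, `{"M": ...}`) and choosing a view type that carries what the function needs. The block below is an added example, not code from the page: a handler that diffs OldImage against NewImage and raises an alert when a user record is escalated to admin or has MFA switched off, which requires NEW_AND_OLD_IMAGES (it refuses other view types rather than silently reporting every MODIFY). `SAMPLE_EVENT`, the `USER#` keys and the `role`/`mfa` attributes are constructed for the example.

```python
# Constructed sample batch in the shape Lambda receives from a DynamoDB stream:
# one INSERT, and one MODIFY that escalates a user and disables their MFA.
SAMPLE_EVENT = {
    "Records": [
        {
            "eventName": "INSERT",
            "dynamodb": {
                "Keys": {"pk": {"S": "USER#alice"}},
                "NewImage": {"pk": {"S": "USER#alice"}, "role": {"S": "reader"}, "logins": {"N": "0"}},
                "StreamViewType": "NEW_AND_OLD_IMAGES",
            },
        },
        {
            "eventName": "MODIFY",
            "dynamodb": {
                "Keys": {"pk": {"S": "USER#bob"}},
                "OldImage": {"pk": {"S": "USER#bob"}, "role": {"S": "reader"}, "mfa": {"BOOL": True}},
                "NewImage": {"pk": {"S": "USER#bob"}, "role": {"S": "admin"}, "mfa": {"BOOL": False}},
                "StreamViewType": "NEW_AND_OLD_IMAGES",
            },
        },
    ]
}


def from_dynamodb(value):
    """Convert one DynamoDB attribute value ({'S': 'x'}, {'N': '1'}, ...) to a Python value."""
    (kind, inner), = value.items()
    if kind == "S":
        return inner
    if kind == "N":  # numbers arrive as strings
        return int(inner) if inner.lstrip("-").isdigit() else float(inner)
    if kind == "BOOL":
        return bool(inner)
    if kind == "NULL":
        return None
    if kind == "L":
        return [from_dynamodb(v) for v in inner]
    if kind == "M":
        return {k: from_dynamodb(v) for k, v in inner.items()}
    if kind in ("SS", "NS"):
        return {from_dynamodb({kind[0]: v}) for v in inner}
    raise ValueError(f"unsupported attribute type {kind}")


def unmarshal(image):
    return {k: from_dynamodb(v) for k, v in image.items()}


def diff_record(record):
    """Decode one stream record into old/new images and the set of attributes that changed."""
    ddb = record["dynamodb"]
    if ddb.get("StreamViewType") != "NEW_AND_OLD_IMAGES":
        raise ValueError("before/after comparison needs the NEW_AND_OLD_IMAGES view type")
    old, new = unmarshal(ddb.get("OldImage", {})), unmarshal(ddb.get("NewImage", {}))
    changed = {k for k in set(old) | set(new) if old.get(k) != new.get(k)}
    return {"event": record["eventName"], "keys": unmarshal(ddb["Keys"]),
            "changed": changed, "old": old, "new": new}


def privilege_alerts(event):
    """Return (key, reason) pairs for MODIFY records that grant admin or disable MFA."""
    alerts = []
    for record in event["Records"]:
        change = diff_record(record)
        if change["event"] != "MODIFY":
            continue
        if change["new"].get("role") == "admin" and change["old"].get("role") != "admin":
            alerts.append((change["keys"]["pk"], "role escalated to admin"))
        if change["old"].get("mfa") is True and change["new"].get("mfa") is False:
            alerts.append((change["keys"]["pk"], "MFA disabled"))
    return alerts


def handler(event, context=None):
    """Lambda entry point: the stream trigger delivers the batch as `event`."""
    alerts = privilege_alerts(event)
    for pk, reason in alerts:
        print(f"ALERT {pk}: {reason}")  # in practice: publish to SNS or EventBridge
    return {"alerts": len(alerts), "records": len(event["Records"])}
```

Stream records are retained for 24 hours, so a trigger that errors will be retried against the same batch; keep the handler idempotent and let it fail loudly on an unexpected view type instead of producing false positives from missing OldImage data.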

DynamoDB Local (LSI) and Global (GSI) Secondary Indexes
- Query is the most efficient operation in DDB
- Query can only work on one PK value at a time and optionally a single, or range of, SK values
- Indexes are alternative views on table data
- Different SK (LSI) or Different PK and SK (GSI)
- Some or all attributes ( projection )
Local Secondary Indexes (LSI)
- LSI is an alternative view for a table
- MUST be created with a table
- 5 LSIs per base table
- Alternative SK on the table
- Shares the RCU and WCU with the table
- Attributes - ALL, KEYS_ONLY & INCLUDE
Global Secondary Indexes (GSI)
- Can be created at any time
- Default limit of 20 per base table
- Alternative PK and SK
- GSIs have their own RCU and WCU allocations
- Attributes - ALL, KEYS_ONLY & INCLUDE
LSI and GSI Considerations
- Careful with projection (KEYS_ONLY, INCLUDE, ALL)
- Queries on attributes NOT projected are expensive
- Use GSIs by default; LSIs only when strongly consistent reads on the index are required (GSIs support eventually consistent reads only)
- Use indexes for alternative access patterns

DynamoDB Global Tables
- Global tables provide multi-master (multi-active) cross-region replication
- Tables are created in multiple regions and added to the same global table (becoming replica
tables)
- Last writer wins is used for conflict resolution
- Reads and Writes can occur to any region
- Generally sub-second replication between regions
- Strongly consistent reads ONLY in the same region as writes

DynamoDB Accelerator (DAX)
- Primary node (writes) and replicas (reads)
- Nodes are HA .. primary failure = election of a new primary
- In-memory cache .. much faster reads, reduced costs
- Scale UP and scale OUT (bigger or more nodes)
- Write-through: a write goes to DAX and to DynamoDB, so the cache does not serve stale data for items written through it
- Deployed within a VPC
- Caches individual items (GetItem/BatchGetItem) and Query/Scan result sets
- Requires the DAX client in the application; strongly consistent reads bypass the cache and go to DynamoDB

Amazon Athena
- Serverless Interactive Querying Service
- Ad-hoc queries on data in S3 - pay only for the data scanned
- Schema-on-read - table like translation
- Original data never changed - remains on S3
- Schema translates data => relational-like when read
- Output can be sent to other services

ElastiCache
- In-memory database .. high performance
- Managed Redis or Memcached as a service
- Can be used to cache data - for READ-HEAVY workloads with low latency requirements
- Reduces database workloads (database capacity is expensive)
- Can be used to store Session Data ( Stateless Servers)
- Requires application code changes!!

Redshift Architecture
- Petabyte-scale data warehouse
- OLAP (column based), not OLTP (row/transaction)
- Pay as you use .. similar structure to RDS
- Direct Query S3 using Redshift Spectrum
- Direct Query other DBs using federated query
- Integrates with AWS tooling such as Quicksight
- SQL-like interface via JDBC/ODBC connections
- Server based (not serverless)
- One AZ in a VPC - network cost/performance
- Leader Node - Query input, planning and aggregation
- Compute Node - performing queries of data
- VPC Security, IAM Permissions, KMS at rest Encryption, CW Monitoring
- Redshift Enhanced VPC Routing - forces COPY/UNLOAD traffic to S3 through the VPC, so security groups, NACLs and VPC endpoints apply and flow logs capture it
