AWS 전반의 공부를 기록으로 남기고자 만들었습니다.
AWS Certified Solutions Architect 시험을 위해 만들었습니다.
AWS Certified Solutions Architect - Associate 2020
Pythoholic AWS Certified Solutions Architect Associate 2021
배운 내용이 너무 많아 잠시 점검 복습이 필요하다 느꼈습니다.
내용의 추가, 수정이 조금 줄겠지만 복습한 내용조차 기록하도록 하겠습니다. ㅋㅋ
이것은 조금 개인적인 공부니까 가이드에는 부적절해서 나중에 아마 삭제할 것 같아요...
- 21/5/29
- 암기가 부족한 내용
- Archive Retrieval Options
- Bucket policy, acl, crr, event notification
- S3 까지
line 232/2493
- 암기가 부족한 내용
- 21/5/30
- 암기가 부족한 내용
- AWS AD, VPC, Customer gateway, VPC gateway, VPC cloudHub, Nacl 숫자가 작은 것이 더 우선순위, Interface endpoints, gateway endpoints, transitive peering, flow logs, KMS symetric, asymetric, access keys, route53 logging,
- AWS STS 까지
line 700/2493
- 암기가 부족한 내용
- 21/5/31
- 암기가 부족한 내용
- Cognito sync, user pools, identity pools, DNS top/second level domain, SOA, failover routing, multivalue awnser routing, route53 logging, ec2 accelerated optimized, ec2 partition, dedicated instance, systems manager -> patch manager, asg health check ASG Lifecycle hooks, load balancers in general, sticky sessions are from cookies, cross zone load balancing,
- AWS EC2 까지
line 1210/2493
- 암기가 부족한 내용
- 21/6/1
- 암기가 부족한 내용
- instance store, ebs optimizes, ebs lifecycle, cloudfront seer, cloudfront invalidation, lambda@edge view/origin, WAF in general, rds backups, read replicas can be multi regional, aurora rds distribution, aurora fast ddl, redshift is single az, mpp, leader/compute nodes, redshift enhanced vpc routing, what is the meaning of multi master in dynamoDB?, LSI, GSI, DAX
- DynamoDB 까지
line 1761/2493
- 암기가 부족한 내용
- 21/6/6
- 암기가 부족한 내용
- cloudformation templates, nestedstacks, cloudwatch api, cloudwatch agent, managed/data events, cloudtrail, lambda async, lambda /tmp, sqs consumer must delete message, sqs standard/fifo,
api gateway throttling, api gateway resource policy, api gateway access control,
- cloudformation templates, nestedstacks, cloudwatch api, cloudwatch agent, managed/data events, cloudtrail, lambda async, lambda /tmp, sqs consumer must delete message, sqs standard/fifo,
- Storage gateway 까지
line 2359/2493
- 암기가 부족한 내용
-
-
- 탄력적 아키텍처 설계 30%
- 고성능 아키텍처 설계 28%
- 안전한 애플리케이션 및 아키텍처 설계 24%
- 비용-최적화된 아키텍처 설계 18%
-
- 단일 선택
- 다중 선택
-
- 720/1000 (2021년 기준. 이수자의 %에 따라 다를 수 있습니다.)
-
-
-
- data as objects
- opposed to other storage architectures such as
- file systems
- block storage
-
- Like files / objects
- 0 Bytes ~ 5 Terabytes
- Contains data
- Owner
- Last Modified
- Key : Name of object
- Value : data sequence of bytes
- Version ID : Version of the object when enabled
- Metadata : Additional information
-
- Hold S3 Objects
- Universal namespace (Names need to be unique)
- Features
- Bucket Versioning
- Encryption
- Server access logging
- Cloud Trail data events
- Transfer acceleration
- Object Lock
- Write once, read many
-
- Server access logging (requests)
- Cloud Trail data events (user/role/API)
- Logging per request can be turned on a bucket
- Logs are generated and saved in a different bucket
- Different account logging is possible
-
- Standard (default)
- Fast
- 99.99% Availability
- 11 9's Durability
- Replicated at least three Availability Zone (AZ)
- Intelligent Tiering
- Uses ML
- Data is moved to most cost effective tier
- No performance impact or overhead
- Standard Infrequently Accessed (IA)
- Still Fast
- 50% Cheaper than Standard
- Reduced Availability
- Access files once a month
- Additional retrieval fee if accessed more
- One Zone IA
- Still Fast
- 20% Cheaper than Standard IA
- Reduced Availability 99.5%
- Retrieval fee
- Reduced Durability (Data could get destroyed)
- Glacier
- Long term cold storage
- Very Cheap
- Minutes to Hours for Retrieval
- Glacier Deep Archive
- Lowest Cost
- 12 Hours for Retrieval
- Must be restored before changing to another tier
- Standard (default)
-
-
- Container for storing archives
- Contains Metadata
- Async download
- Can create SNS when finished
-
- Object that you store in a vault
- Archive ID (Used to retrieve data)
-
- Expedited
- 1~5 minutes
- Standard
- 3~5 hours
- Bulk
- 5~12 hours
- Expedited
-
-
- All new buckets are PRIVATE by default
- Access Control
- Access Control Lists (ACL)
- Legacy feature (Not Deprecated)
- Simple
- Bucket Policies
- JSON
- AWS Policy Generator
- Access Control Lists (ACL)
-
- Transit
- Local Host <-> S3 achieved via SSL/TLS
(Secure Socket Layer, Transport Layer Security)
- Local Host <-> S3 achieved via SSL/TLS
- Server Side Encryption (SSE) (Encryption At Rest)
- S3 Managed Keys (Amazon Manages all Keys)
- SSE-AES (AES-256 algorithm)
- SSE-KMS (AWS Key Management AWS and YOU manage keys)
- SSE-C (Customer Provided key, AWS and YOU manage keys)
- S3 Managed Keys (Amazon Manages all Keys)
- Client Side Encryption (CSE)
- You Encrypt files before upload
- Existing files before Encryption on is not Encrypted
- Transit
-
- All GET, PUT, DELETE, LIST operations
- Strong Read After Write Consistency
- Able to read immediately after writing
- 21년도 이후 S3는 strong read and write consistency
- All GET, PUT, DELETE, LIST operations
-
- Automatic replication to other regions
- Higher durability
- Disaster recovery
- Versioning must be on both source and destination
- Can CRR to other accounts
-
- Once enabled, cannot be disabled. Can be suspended
- Full Integration with S3 Lifecycle rules
- Delete request will put a delete marker
on the latest version
- Remove the delete marker to restore deleted data
- Previous version becomes latest if latest version is deleted
- Version ID can be NULL if object created before Versioning on
- Properties like public is not inherited between versions
-
- Automate moving storage class(Tier), or delete
- Can be used with Versioning
- Can be applied to current or previous versions
- Can be used to abort multipart uploads
- Per-request fee
- Minimum wait duration is 30 days
-
- Notification when a specific action happens in bucket
- Can add prefix, Suffix to specify object
-
- Create
- Delete
- Restore
- Replicate
-
- SNS
- SQS
- Lambda
-
- Uses CloudFront Edge Locations
- User uploads to distinct URL from edge Location
- Edge Location data is routed to S3 by AWS backbone network.
-
- Generated URL
- Temporary access to Object for Upload or Download
- Access to Private Objects
- Created by AWS CLI/SDK
- Expire date
- Both Download/Upload is possible
-
- You can get a range of bytes
- Specify "range" in HTTP header GET request
-
- Up to 5 GB can be uploaded with PUT
- Use multipart upload more than 5 GB
-
- Must provide MFA token/code to delete
- Enable Conditions
- By AWS CLI
- Versioning on
- Only Root User can delete
-
- ls
- return all buckets
aws s3 ls - return bucket objects
aws s3 ls s3://bucketName - return directory objects
aws s3 ls s3://bucketName/folderName
- return all buckets
- cp
- download object to a.jpg
aws s3 cp s3://bucketName/folderName/objectName.jpg ~/Desktop/a.jpg - upload a.jpg to object
aws s3 cp ~/Desktop/a.jpg s3://bucketName/folderName/objectName.jpg
- download object to a.jpg
- presign
- creates a presigned url
aws s3 presign s3://bucketName/folderName/objectName.jpg --expires-in 300
- creates a presigned url
- ls
-
- Use queries on S3
- Cheaper, Faster
- Does not need to retrieve data before query
-
-
-
- Import and export
-
- Costs thousands of dollars to transfer 100 TB in high speed internet
- Reduce cost by 1/5th
-
- Takes 100 days to download 100 TB over high speed internet
- Reduce time by less than a week
-
- E-link display (Shipping information)
- Tamper/Weather proof
- Data encrypted (256-bit encryption)
- Trusted Platform Module(TPM)
- Chip that stores RSA encryption keys for hardware authentication
- Specific to the host system
- Data transfers must be completed in 90 days
- Can import and Export S3
-
- 50 TB (42 TB usable)
- 80 TB (72 TB usable)
-
-
- LCD Display (Shipping information / functionality)
- Local processing
- Edge-computing workloads
- Can use in a cluster of 5 ~ 10 devices
-
- Storage optimized (24 vCPUs)
- Compute optimized (54 vCPUs)
- GPU optimized (54 vCPUs)
- Size
- 100 TB (83 of usable)
- 100 TB Clustered (45 TB per node)
-
- AWS personnel will help connect, and when data transfer is complete, they'll drive it back to AWS and import to S3
-
- GPS tracking
- Alarm monitoring
- 24/7 video surveillance
- Escort security vehicle while transit (Optional)
-
-
- Directory service run on Microsoft Windows Server/Windows File Server(FSx)
- Manage permissions and control access to network resources
- Manage users/groups/devices/administrators
-
-
- When you need an actual AD in AWS Cloud
-
- When you need on premise AD to authenticate AWS
-
- Low cost, low scale basic AD
-
- For SaaS
-
-
-
-
-
- Region Specific
- Do not span regions
- Every region has default VPC
- 200 subnets per VPC
- Uses IPv4 ClDR Block
- Can add IPv6 ClDR Block
- Can add additional CIDR Blocks to expand VPC
- DNS hostnames (VPC option)
- Domain Name System (DNS)
- Uniquely names a computer
- DNS server connects hostnames to IP address
- Off by default
- EC2 DNS
-
- Default VPC in every region
- Can immediately deploy ec2
- The first four IP address and the last IP in each subnet CIDR is reserved by AWS
- Network address
- Reserved for VPC router
- Reserved for DNS server
- Reserved for future use
- Network broadcast but not supported
- Features
-
- All possible IP addresses
- Internet Gateway (IGW)
- Allow All Internet Access
- Security Groups Inbound Rules
- NACL Inbound, Outbound Rules
-
-
- Allows VPC access to the Internet
- Provide a target in VPC route tables
- Performs network address translation (NAT)
- Only Addresses with public IPv4
- To connect to the Internet
- Add route table
- Route that table to Internet Gateway
- Set destination to 0.0.0.0/0
-
- Connects to the Internet via IPv6
- Prevents the Internet connection to server
- One way connection
- Stateful
- All requests from EC2 will go back to EC2
-
- Connects a on premise private IP to connect to AWS VPC
- Customer Gateway
- Connects on premise
- Virtual Private Gateway
- Connects AWS VPC
- VPN CloudHub
- Create virtual private gateway
- Create multiple customer gateways
- Each with unique BGP,ASN
- Border Gateway Protocol (BGP)
- Autonomous System Number (ASN)
- Policy-based VPN
- If using one or more pairs of security, when new connections with new security associations arrive
VPN might drop existing connections resulting in packet loss
- If using one or more pairs of security, when new connections with new security associations arrive
-
- Determines where network traffic is directed
- Each Subnet must have a route table
- Any subnets without route table will get associated with Main route table automatically
- One(Route Table) to Many(Subnet)
- Can have multiple route tables in a VPC
- Connect traffic with
- Internet Gateways
- Instance
- Nat Gateway
- Virtual Private Gateway
- From Subnet Associations
-
- EC2 instances for security
- Help gain access to EC2 in private Subnet
- Not for a internet proxy
- Via SSH or RCP
- NAT Gateways should not be used as Bastions
- NAT Gateways intentions is for security updates
- Systems Manager's Session Manager can replace Bastion
-
- Firewall for EC2 instance
- Associated with EC2 instances
- Protocol / Port security
- Allows IP range / Specific IP / Security group
- Inbound and Outbound rules
- Statefull (Inbound allowed is also Outbound allowed)
- Traffic allowed in is also allowed out
- All inbound traffic blocked by default
- All outbound traffic allowed by default
- No Defy rules, only access rules
- Many(Security Group) to Many(EC2(Multiple Subnets possible))
- Rules are permissive (Permit overrides deny)
- Limits
- Upto 10,000 (default 2,500) SG per Region
- 60 inbound rules and 60 outbound rules per SG
- Upto 16 (default 5) SG per Elastic Network Interface (ENI)
-
- Fixed MAC address
-
- Remapping one IP address to another
- Help gain outbound internet access for private subnet
- Remap private IP
- NAT must to be allocated a Private and a Elastic IP
- NAT does not support IPv6
- Solve same IP addresses (Conflicting network address)
- Redundant inside an AZ (AWS manages it/ no EC2 fails)
- 1 NAT Gateway per 1 Subnet
- Starts at 5 Gbps and scales up to 45 Gbps
- Preferred than NAT Instance
- Route Tables for the NAT Gateway must be updated
- Peered VPC cannot share NAT Gateway
- In order to connect to the internet with NAT while using a private subnet for EC2
- Put the NAT gateway in a public subnet
- Place a routing table in the public subnet
- Route that traffic to internet gateway
- Put your instances in a private subnet
- Put a routing table at the private subnet
- Route traffic to NAT gateway
-
- Private connect VPC to other AWS services
- No need for Internet Gateway / NAT / VPN / AWS direct connect
- Instance do not require public IP
- Traffic does not leave the AWS network
- Secure communication
- Fast / No bandwidth constraints
- Types
- Interface Endpoints
- In private subnet
- Uses Elastic Network Interfaces
- Private IP address
- Powered by AWS PrivateLink
- Supports many AWS services
- Costs Money
- Add policies
- May restrict certain S3
- Gateway Endpoints
- Connect From Route table
- Supports only two services
- S3
- Dynamo DB
- Free
- Interface Endpoints
-
- Connecting VPC with VPC
- Direct network route
- Connection by private IP address
- Peered VPC behave like they are on the same network
- Can peer different AWS account VPC
- Can peer different region VPC
- No Transitive Peering
- One(VPC) to One(VPC)
- Signal Traffic/Peering must be direct
- Use transit gateway instead
- Peering uses Star Configuration
- 1 Central VPC
- 4 Other VPC
- No Overlapping CIDR Blocks
- Peered VPC cannot share NAT gateways
- To send traffic from instance to instance in peer
- Add route table associated with peer subnet
-
- Log in CloudWatch Logs or S3
- Capture IP traffic information
- Within Network Interface in VPC
- Cannot be tagged like other AWS resources
- Cannot Change configuration after creation
- Cannot enable peered VPC flow logs unless in same account
- Monitor Levels
- VPC
- Subnets
- Network Interface
- Log
- version
- account-id
- interface-id (ID of network interface)
- srcaddr (Source IPv4 or IPv6)
- dstaddr (Destination IPv4 or IPv6)
- srcport (Source port of traffic)
- dstport (Destination port of traffic)
- Not Logged
- Traffic to AWS DNS Servers
- Windows license activation traffic for instances
- Instance metadata address traffic
- DHCP traffic
- Any traffic to reserved IP address of default VPC router
-
- Establish a dedicated network from Office to AWS
- Very fast network
- Private connectivity
- Lower Bandwidth 50 M ~ 500 M
- Higher Bandwidth 1 GB ~ 10 GB
- Help reduce network cost for high traffic
- More consistent network than internet
-
- Connect on-premise VPC with AWS VPC
- Supports IPSEC
- Encrypt data between internet transportation
-
- Firewall subnet traffic
- First Layer of security
- VPC is automatically given default NACL
- Default NACL will accept all traffic from VPC
- Custom created NACL will deny all traffic
- Subnets must have a NACL
- One(NACL) to Many(Subnets)
- Allow or defy traffic (Security groups only allow)
- Inbound or outbound rules (Like security groups)
- All inbound rules are not allowed to outbound by default
unlike Security groups (Stateless)
- All inbound rules are not allowed to outbound by default
- NACL needs to make Ephemeral ports open
- Ports for AWS resources
- Ports for AWS resources
- Can block a single IP (Security groups can't)
- Order of evaluation Rule number #
- Lower is higher priority
- 10 to 100 increments recommended
- The * Rule is the highest rule
- Example
- Malicious hacker IP block
- SSH block
-
-
-
-
- Access EC2 without bastion or SSL
-
- Store parameters and access by code
- Use KMS with Parameter Store
- Can organize and bulk with paths
-
-
-
-
- Uses same key for encrypt/decrypt
-
- Uses different key for encrypt/decrypt
-
-
- AWS automatically encrypt/decrypt using the rotated key
-
-
-
-
- End users using aws sdk or cli
-
- Group IAM Users
- Shared permissions
- Example : Administrators/Developers/Auditors
-
- Associate permissions to a Role
- Give Roles to Users or Groups
- Roles can also be attached to AWS Resources
-
-
-
- Version (ex: 2012-10-17)
- Statement (Container for multiple policy elements)
- Sid (Optional, ways to name statements)
- Effect (Allow/Deny)
- Principal (Account/user/role/fedrated user)
- Action (List of actions policy allows or denies)
- Resource (Resource where action applies)
- Conditional (Optional,circumstances when policy applies)
- Grants permission to Identities
- Policies are attached to User/Group/Roles
- Types
-
- Policy managed by AWS
- Cannot be edited
- Labeled with orange box
-
- A policy created by a customer
- Can be edited
- No symbol
-
- Directly attached to user / resource
-
- Rotate passwords to update after X days
- Set minimum requirements
-
-
-
- Allow users use CLI/SDK
- Cannot access console
- Two Access keys per user
- Can make active/inactive
- Only shown once, if lost delete, recreate
-
- Can be turned on per user
- User can turn on themselves
- Admin can not enforce MFA
- Admin can create policy requiring MFA for resources
- Should set MFA for Root
- Type
-
-
- AWS access key
- Secret access key
- Security token
-
- Users to assume role
- Generate Federated credentials for IAM Users
- Request temporary access
- Not for Roles, but for Users
-
- Short term use
- Active for few minutes to hours
-
- Temporary worker
- Roles for Cross Account Access
- Roles for EC2
- Access resource without embedding credentials
-
-
- Send api to
-
- Returns temporary credentials
-
- Returns temporary credentials
- Authenticated by SAML
-
- Returns temporary credentials
- Authenticated by web identity provider
-
- Decode additional information about authorization status
-
- Get AWS account ID number from Access key
-
- Returns Account,Arn,UserId of the caller
-
- Return set of credentials
- Authenticated by federated user
- Access key, secret access key, security token
-
- Return set of credentials
- From AWS account or IAM User
- Access key, secret access key, security token
-
-
-
- To exchange identity and security information between IdP and application
-
- Trusted provider for authentication (Facebook, Google ...)
-
- Security Assertion Markup Language (SAML) (Single Sign On SSO)
- OpenID Connect (OIDC) (OAuth)
-
-
- User directory with authentication to IdP to grant app access
- User Pools
- Directories to manage the actions such as
- Sign in
- Sign up
- Account recovery
- Account confirmation
- Directories to manage the actions such as
- Sign by User Pool or IdP
- Uses JWT to persist authentication
- Settings
- Allow sign in with email/phone/username
- Choose signup requirements
- Choose password requirements
- Apply MFA
- Trigger custom logs, Lambdas
-
- Temporary credentials for users to access AWS Services
-
- One line of code
- Syncs user data and preferences across devices
- Push synchronization to push updates and sync data
- Uses Simple Notification services (SNS)
- Sends Identity pools to sync data
-
-
-
-
- --profile : switch between AWS accounts
- --output : changes output between json, table and text
-
- Access Key ID, Secret Access Key (AWS Credentials)
- Store credentials in user home (~/.aws/credentials)
- Multiple credentials can be managed by profiles
[ProfileName] aws_access_key_id= aws_secret_access_key= 
-
-
- Access Key ID, Secret Access Key (AWS Credentials)
- Store credentials in user home (~/.aws/credentials)
- Multiple credentials can be managed by profiles
-
-
-
- Address space is 32 Bits
- Currently running out of space
-
- Address space is 128 Bits
-
-
- Last word within a domain name (.com)
- Controlled by Internet Assigned Numbers Authority (IANA)
-
- Second word within a domain name (.co.kr : .co)
-
-
- Every Domain must have an SOA record
- Information about the domain
-
- NAME : name of zone
- IN : zone class
- SOA : start of authority
- NNAME : master name server of zone
- RNAME : admin email of zone
- SERIAL : serial number for zone
- REFRESH : ...
- RETRY : ...
- EXPIRE : ...
- TTL : ...
-
- Convert Domain name -> IP
-
- Convert Domain name -> Domain name
-
- Direct traffic to the DNS server containing DNS records
- Multiple name servers are provided for redundancy
-
- Time that a DNS record gets cached
- Time it takes to propagate across the internet
- Measured in seconds under IPv4
-
-
-
- Visual editor for routing config
- Supports versioning
- 50$ per policy record / month
- Can use geoproximity routing
-
-
www. , api. , blog. to A, AAAA, CNAME...
- Alias
- Always should use Alias because resources changes IP
- Route traffic to specific AWS Resources
-
- API Gateway
- CloudFront
- Elastic Beanstalk
- All Load Balancers
- Global Accelerator
- S3 Static website
- VPC Endpoint
-
- EC2 instance
-
- All Load Balancers
- CloudFront
-
- RDS
-
-
-
- Default Policy
- One(Record) to Many(IP)
- Return all IP back to user in random order
- User will be directed to random IP
-
- Split traffic based on weights
- Good for A/B testing
- ex) 85(EC2 Stable) : 15(EC2 Test)
- One(Routing Policy) to Many(Record Sets)
-
- Redirect Via Geolocation of request origin
- ex) North America -> ALB US-NORTH-1
-
- Redirect Via Geolocation but with Bias Value
- Bias value expand or shrink size of geolocation
- Can only be set by Traffic Flow
-
- Direct traffic based on latency
- Based on region
- Requires latency resource record for EC2 or ELB
- ex) 100ms(ALB WEST-1) : 12ms(ALB EAST-1)
-
- If Primary fails Redirects to Secondary
- Can check via Health Checks
-
- Just like Simple Routing
- Only difference is heath check
- Returns IPs only if healthy
-
-
-
- Endpoint
- Status of other health checks
- State of CloudWatch Alarm
-
-
- HealthCheck to CloudWatch alarms
- Resolver endpoints statistics to cloudWatch
- Public hosted zones
-
- Request IP, who, when, additional details to S3
-
-
-
-
-
- Elastic Network Adapter (ENA)
- Code for Ubuntu
modify-instance-attribute --instance-id instance_id --ena-support
-
-
- Balance of memory, compute and network
- Use-cases : web servers and code repositories
-
- High performance processor
- Use-cases : Scientific modeling, gaming servers and ad server engines
-
- Fast performance for workloads and large data sets in memory
- Use-cases : In-memory caches, in-memory databases, real time big data analytics
-
- Hardware accelerators, co-processors
- Use-cases : Machine learning, compute-finance, speech recognition
-
- High sequential read and write to large data sets on local storage
- Use-cases : NoSQL, in-memory/transactional databases, data warehousing
-
-
-
- Instead of embedding AWS credentials in Code
- Let's instance have permission to access AWS services
- Attach a IAM Role to an instance via Instance Profile
- Always avoid unnecessary AWS credentials if possible
-
-
- Great performance, but has failure risk
- Same rack, same AZ
- Low latency, 10 Gbs bandwidth
- If rack fails, all instance fails
- Cannot be multi AZ
-
- High availability, limited performance
- Multi AZ
- Limited to 7 instance per AZ
- EC2 on different physical hardware
- Reduce simultaneous failure
- For critical applications where each instance must be isolated from failure
-
- Up to 7 partitions per AZ
- Up to 100s of instances
- Instances in a partition do not share rack with instances in another partition
- EC2 metadata includes partition information
- For HDFS, Cassandra, Kafka
-
- Script that automatically run when launching EC2 instance
-
- Access information about EC2 via special url endpoint in EC2
- curl http://169.254.169.254/latest/meta-data
- Get information such as IPv4 address, instance type and more
- Combind MetaData and UserData to automate AWS
-
-
- Default pricing
- No up-front payment
- No long-term payment
- For short-term, spiky, unpredictable, experimental, first-time apps
-
- Like hotels or planes, AWS offers vacant EC2
- Save up to 90%
- Instances can be terminated by AWS at anytime
- If you terminate the instance you still will be charged for any hour it ran
- Use-cases : Apps that can handle Interruptions, for non-critical background jobs
-
- Pricing = Class offering X Terms X Payment options
- Class offering
- Standard
- Save up to 75%
- Cannot change Instance Attributes
- Convertible
- Save up to 54%
- Can change Instance Attributes only higher or equal in value
- Standard
- Terms
- 1 year to 3 year contract
- The longer the cheaper
- Payment options
- All Upfront
- Partial Upfront
- No Upfront
- The greater upfront the cheaper
- Can re-sell Reserved Instances
-
- Most expensive
- Single Tenant instances with Isolated server
- Offered in On-demand and Reserved(70% save)
- Enterprises and Large Organizations may have security concerns
-
-
-
- Holds information such as
- Root Volume
- Operating system
- Application Server
- Application
- Launch Permissions
- Block device mapping
- Holds information such as
-
- You can copy to another region via Copy AMI
-
- Region
- Operating System
- Architecture
- Launch Permissions
- Root Device Type/Volume
- Instance Store
- EBS
-
- Community AMI
- Free to use
- Vendor AMI
- Cost per hour
- Security harden AMI such as CIS is popular
- My AMI
- Community AMI
-
-
-
EC2 Hibernate
- Save RAM data to EBS
- Reload saved Ram content
- No OS boot time
- Great for pre-warming instances
- Cannot enable hibernation after launched
- Check before
- Cannot enable hibernation on instance store volume
-
-
- Launch settings for new EC2 from ASG
- Cannot be edited
- Clone the existing configuration or create a new configuration
- Launch Templates
- Launch Configuration with versioning
- AMI
- Instance Type
- Storage
- Security groups
- Key pair
-
- Min
- Max
- Desired Capacity
- How much EC2 you want ideally
-
- EC2 Health Check
- Based on EC2 Status Checks
- stopping/stopped/shutting-down/terminated
- If considered unhealthy, restarts EC2
- Based on EC2 Status Checks
- ELB Health Check
- If the load balancer reports unhealthy, restarts
- If response not expected, restarts EC2
- Custom Health Check
- If not working as intended, change ec2 state as unhealthy
- EC2 Health Check
-
- When new EC2 is created, wait this period before health check
-
- Scaling Out : Adding more Instances
- Scaling In : Removing Instances
- Scaling Up : Increase the EC2 Specs
- Scheduled scaling is also possible for traffic in specific time
- Types
- Target Tracking Scaling Policy
- Scale by
- Average CPU Utilization
- Average Network In
- Average Network Out
- Application Load balancer request count per target
- Scale by
- Simple Scaling Policy (Deprecated 2021)
- Scales when alarm is breached
- Legacy, not recommended
- Step Scaling Policy (Deprecated 2021)
- Scales when alarm is breached
- Escalates based on alarm
- ex) All 2 instances if alarm value is 2
- Target Tracking Scaling Policy
- Can add SNS
-
-
- Custom action to EC2 before/after termination/initialization
- Changes the instance into a wait state
- Wait period is 1 hour
-
- ASG can be associated with ELB
- If associated richer health checks are available
- Associated indirectly via Target Groups
-
-
-
- Evaluate Traffic that matches the listeners port
- Can attach SSL Certificate
-
- Rules will decide what ports go to what target Groups
- Only for Application Load Balancer
-
- Not for Classic Load Balancer or Gateway Balancer
- Instance
- IP
- Lambda
-
-
-
- Listeners and EC2 is directly registered
- Can balance HTTP, HTTPS, TCP(Not at the same time)
- Can use Layer 7 sticky sessions and Layer 4 TCP
- Can perform Cross Zone Load Balancing
- CLB does not allow you to apply rules to listeners
- CLB -> Listeners -> Registered Targets
- Responds 504(Timeout) error if not responding
-
- Listeners, Rules and Target Groups
- Designed to balance HTTP and HTTPS traffic
- Operate at Layer 7 (OSI Model)
- Can use Sticky sessions
- Request Routing
- Add routing rules to listeners based on HTTP protocol
- Based on
- Host Header
- Http header
- Source IP
- Http header method
- Path
- Query String
- Web Application Firewall can be attached
- Great for Web Applications!
-
- Listeners and Target Groups
- Designed to balance TCP/UDP
- Operate at Layer 4 (OSI Model)
- Can handle millions of requests per second
- Extremely low latency
- Cross Zone Load Balancing
- Great for Multiplayer Video Games or when network performance is critical
-
-
- Specific user sessions goes to a specific EC2
- All requests from that session are sent to the same EC2
- Cookies are used to remember which EC2
- Can be used in
- Classic Load Balancer
- Application Load Balancer
- Useful when specific information is stored in single instance
-
- When using Load Balancers users IPv4 addresses can be changed to Load Balancers IPv4
- Use X-Forwarded-For header to get the IP address
-
- Checks EC2 with HTTP(S)
- Reports back as InService or OutOfService
- ELB does not terminate(Kill) unhealthy instances (ASG does)
- ELB just redirect traffic to healthy Instances unlike ASG
-
- Distributes traffic evenly within Zones
- Distributes traffic evenly in all Zones
- Can not be used in Application load balancer
-
- Change private subnets to public
-
- Time X Partial Time X Capacity Unit
- Capacity Unit
- Application Load Balancer(LCU)(EC2)
- Network Load Balancer(NLCU)
- Gateway Load Balancer(GLCU)
- Classic Load Balancer(GB)
-
- CloudWatch metrics
- Access logs (S3)
- Request tracing (Track HTTP requests)
- CloudTrail logs
-
- File storage service for EC2
- Storage capacity grows up to petabytes
- Storage shrinks automatically
- Multiple EC2 in same VPC can mount a single EFS
- EFS supports Network File System version 4 (NFSv4)
- EC2 needs NFSv4 to use EFS
- Provides Read After Write Consistency
- EFS creates multiple mount targets/points in all VPC subnets
-
- General Purpose
- Latency sensitive
- Web serving environments
- Content management systems
- Home directories, file serving
- Max I/O
- Higher aggregate throughput per second
- General Purpose
-
-
- EFS Encryption at rest can only be enabled at creation
-
- Mount helper
- Not an option during or after creation
-
- EFS file sharing can be across multiple AZ EC2s
-
- AWS Direct connect
- AWS VPN
- 0.30 $ per GB / month
-
-
-
- Automatically apply to EC2/Fargate/Lambda
- No matter of Size/AZ/Region/OS
- Reduce up to 66%
-
- Lower cost in exchange for commitment of usage
- Specific families, region (ex) M5 usage in ap-southeast-2 )
- Can change within EC2 families, region
- Reduce up to 72%
-
-
-
-
- IOPS : Input/Output per second
- Throughput : data transfer to and from storage
- Bandwidth : Measurement of total possible speed of data movement along network
- Bandwidth (Pipe), Throughput (Water)
-
-
- Balanced price and performance
- Max IOPS of 16000
- For : General use cases (Backend)
- gp3 has better throughput than gp2
-
- Fast Input and Output
- Low latency and also high throughput
- For : Large databases (MySQL,Cassandra,DB)
- Max IOPS of 64000
- io2 has better durability then io1
-
- Low cost
- Designed for frequently accessed
- For : Data warehouses, Big data, Log processing
- Higher basic volume size
- Max IOPS of 500
-
- Lower cost
- Less frequently used workloads
- For : File storage
- Max IOPS of 250
-
- For Archival Storage
- Previous generation HDD
- Max IOPS of 40-200
-
-
- One AZ to another
- 1 Take a Snapshot of the volume
- 2 Create a AMI from snapshot
- 3 Launch new EC2 instance in another AZ
- One Region to another
- 1 Take a Snapshot of the volume
- 2 Create an AMI from snapshot
- 3 Copy the AMI to another region
- 4 Launch new EC2 instance in another Region
- One AZ to another
-
- Encrypt with AWS Key Management System (KMS)
- You can Encrypt the volume on creation
- If you want to Encrypt an existing volume
- 1 Take a Snapshot of the unencrypted volume
- 2 Create a copy of that Snapshot with Encrypt Option
- 3 Create a new AMI from Encrypted snapshot
- 4 Launch new EC2 instance with Encrypted AMI
-
-
- Durable
- Block level storage device
- Created from EBS Snapshots
- Data will persist when reboot
- Data can persist when stop/terminate/failures
- Can have termination protection
- For : Most use cases
-
- How to use
- Temporary block level storage
- Disks physically attached to host machine
- Created from template stored in S3
- Data will be lost when fails/stop/hibernates/terminates
- Data is saved only in reboot
- For : temporary, cache, logs ...
- Only some instance/AMI types support
-
-
- Snapshots are a point in time copy of the disk stored in S3
- Initial snapshot of an EC2 will take longer than subsequent snapshots
- EC2 should be stopped before snapshot
- But still can take Snapshot while EC2 running
- Can create AMI/Volumes from Snapshots
- Cannot unencrypt copy a snapshot
- Can encrypt copy a snapshot
- Cannot share a snapshot if encrypted
-
- Create snapshots/AMI according to tag, schedule
- Can copy across multiple AWS accounts
- Great way to create backup of EBS
-
- Optimized instance types of ec2 instances
- For I/O optimization
-
- Use EBS-optimized instances
- Penalty from first access of volumes from snapshots
- Use modern Linux kernel
- Use RAID 0
- When I/O performance is more important than fault tolerance
-
-
- Bytes from I/O
-
- Total number of I/O operations
-
- Total number of seconds spent by all operations
-
- Total seconds when no read or write
-
- Total number of I/O operations waiting to be completed
-
- Percentage of I/O operations per second from total I/O capability
-
- Total number of consumed I/O operations
-
-
-
- Delivers content to users based on geographical location
- Serves cached content
-
-
- S3 Bucket
- EC2 instance
- ELB
- Route53
-
- Location where web content will be cached
- Different from AZ
- Edge locations are not just read-only, you can also write (PUT)
-
- Collection of Edge Locations
- Defines how cached content should behave
- WEB or RTMP
-
-
-
- Select Edge Locations to distribute to specific countries
- ex ) All Edge Locations, Use Only US Canada...
-
- WEB for websites
- RTMP for streaming media
-
- Redirect to HTTPS
- Restrict specific HTTP Methods
- Restrict Viewer Access
- Set Time To Live (TTL)
-
- Can manually invalidate cache ignoring TTL
- Invalidation forces cache to expire immediately
-
- Create custom error pages like 404
-
- Blacklist specific countries
-
- Forward cached data to specific query string
- ex) ?languages=de/en/fr/jp/kr to different cache
-
-
-
- Control TTL of specific objects
-
- Control TTL of all objects
-
-
-
- Viewer request
- Viewer response
- Origin request
- Origin response
-
-
- Virtual user Identity to giver permission to fetch private objects
- In order to use Signed URL/Cookies you need OAI
-
- Signed URLs
- Signed Cookies
- Signed Cookies are not available with RTMP
-
-
-
-
-
- Marketplace rules such as bot block/ip health...
-
- Country origination
- Requests with specific header/body/params...
-
- Max amount of request an ip can have in five minutes
-
-
-
- block DDoS
-
- Configure and manage firewall
-
- Store web ACLs requests
-
- Monitoring data
-
-
- 5$ per Web ACL per month
- 1$ per rule per month
- 0.6$ per million requests
-
-
AWS infrastructure automation, management by Puppet or Chef
-
-
-
- Amazon Aurora
- Mysql
- MariaDB
- PostgreSQL
- Oracle
- Microsoft SQL Server
-
- Can turn on encryption for all RDS engines
- Encrypts automated backups, snapshots, read replicas
- Handled by Key Management Service (KMS)
-
- Automated Backups
- Once a day (Default)
- Creates a storage volume snapshot
- Retention Period between 1 ~ 35 days
- Store Transaction logs to S3 every 5 minutes throughout the day
- Enabled by default
- No additional charge
- Define backup window (When backup occur)
- Storage I/O may be suspended during backup
- Manual Snapshots
- Actions
- Restore Snapshot
- Creates a new RDS based on snapshot
- Copy Snapshot
- Move snapshot to different region
- Can enable encryption
- Share Snapshot
- Share snapshot to other AWS accounts
- Migrate Snapshot
- Change to Aurora database
- Restore Snapshot
- Actions
- Automated Backups
-
- Steps taken by AWS
- 1 AWS takes the most recent daily backup
- 2 Apply transaction log data
- This allows point-in-time recovery down to a second
- Backup is never stored overtop an instance
- Backup creates a new instance
- Steps taken by AWS
-
- Makes exact copy and automatically syncs
- Only a standby
- If one AZ goes down, the standby slave will be promoted to the master
- No url endpoint edit needed (Automatic sync)
- DNS(Canonical Name) will change IP Address
- Multi AZ cannot become a Read Replica
-
- Run multiple copies of database
- Asynchronous to main database
- Read only
- Intended to spread workloads of primary database
- Must have automatic backups enabled to use
- Up to 5 read replicas
- Can be multi AZ / Cross region
- Can have replica of replica
- Replica can be promoted to their own database
- This breaks synchronization
-
- Synchronous replication / Asynchronous replication
- Durable / Scalable
- Only primary instance active / All read replicas active
- Automated backups are taken / No backups by default
- Always span two AZ within a Region / Can be multi AZ, Region
- Database engine upgrades happen on primary / upgrades is independent from source
- Automatic failover / Manually promotion
-
- Log monitoring information to Cloudwatch
- CPU Utilization/DB Connections/Free Storage Space/Freeable Memory/Write,Read IOPS
-
-
- Aurora MySQL 5X faster
- Aurora Postgres 3X faster
-
- 1/10th the cost of other solutions
-
- Up to 128 TB
- Computing scales up to 32vCPU, 244 GB memory
-
- Minimum of 3 availability zones
- Each zone contains 2 copies
- Total of 6 copies
- Lose up to 2 copies without affecting write
- Lose up to 3 copies without affecting read
-
- Backup and Failover is handled automatically
- Storage is self-healing
- Continuously scanned for errors
- Repaired automatically
-
- Types
- Amazon Aurora Replicas
- Up to 15
- MySQL Read Replicas
- Up to 5
- Amazon Aurora Replicas
- Types
-
- Automatically
- Start up
- Shut down
- Scale
- Pay for Storage / Capacity Unit / I/O
- Automatically
-
- Mysql needs to copy a whole table to add a column
- Fast DDL lets you do this instantly
-
-
- Reduces overall disk I/O requirements
- Optimizing analytic query performance
- Stores data together as columns instead of rows
-
-
- Online Transaction Processing (OLTP)
- Fast access
- Short transactions (Queries)
- Emphasis on writes
-
- Online Analytical Processing (OLAP)
- Large data quantities
- Long, complex transactions
- Emphasis on reads
-
-
-
- Nodes come in 160 GB of size
-
- Node with Leader and Compute Nodes
- Leader Node
- Manages connections and receive queries
- Compute Node
- Stores data and performs queries
- Up to 128 compute nodes
-
- Dense Compute (dc)
- high performance / less storage
- Dense Storage (ds)
- high storage
- Dense Compute (dc)
-
-
- Enabled by default 1 day (like RDS)
- Retention period up to 35 days (like RDS)
- Attempts to maintain 3 copies
- Original
- Replica on compute nodes
- S3
- Can asynchronously replicate to different region
- Enable Cross Region Snapshots
-
- 1 unit per node / per hour
- Not charged for leader node hours, only compute nodes
- S3 Backup is billed by S3
- Billed for transfers within a VPC, not outside it
-
- Data-in-transit : SSL
- Data-at-rest : AES-256
- Can be applied using
- Key Management Service (KMS)
- Hardware Security Module (HSM)
-
- All COPY, UNLOAD traffic goes through VPC
- If not enabled, traffic goes through the Internet
-
- VPC Endpoints
- ex) Connect with S3
- NAT Gateway
- ex) S3 bucket in another region
- Internet Gateway
- ex) Connect to AWS outside VPC
- VPC Endpoints
-
- Copy data from EMR/S3/DynamoDB into redshift
- Use redshift with java JDBC to query
- Most common use case is Business intelligence
-
-
- Not relational
- Do not use SQL query
-
-
-
- Product
- Primary Key
- Partition Key
- Sort Key
- Item
- Attribute
- Primary Key
- Product
-
-
- You should use unique and distinct values
- High cardinality attributes
- Try composite attributes (combined attributes)
- Add random numbers for heavy usage
-
-
- Specify read and write capacity per second
- All data is stored on SSD
- Multi-region
- Data is spread across 3 regions
- Multi-master?
- Durable database
- Built-in security
- Backup and restore
- In-memory caching
- Eventual Consistent reads (Default)
- Strongly Consistent reads
-
- Data may be inconsistent
- Data must be copied to other regions
- Types
-
- Reads are fast
- May return inconsistent copy
- Becomes consistent within a second
-
- Not return result until all copies are consistent
- Slower reads
- Becomes slow as a second
-
-
- SQS
- Kinesis
-
- Multi-region, multi-active database
- No replica needed
-
-
- Can only define at creation
- Limited to 5 LSI
- No extra cost
-
- Copies a whole table and keeps sync
- Flipped table
- Consumes write capacity
- Limited to 20 GSI
- Extra cost
-
-
- Cache dynamoDB reads!
- Burst traffic on same key
- Eventual consistency
- Microsecond performance
- Uses cluster nodes
-
- Log changes made into tables
- Saved up to 24 hours
- Encryption at rest
- Can be turned on within a table
-
-
- Automating the creation of resources via code
- Automate AWS by code
-
- JSON
- YAML
-
-
- Additional information about template
-
- Description of what this template does
-
- Values to pass to the template
-
- Lookup table
- Map keys to value to change values to something else
-
- Like if else statements
- Whether resources are created or properties are assigned
-
- Applies macros (Mod)
-
- A AWS resource you want to create (IAM,EC2,Lambda,RDS)
- At least 1 Resource is mandatory
-
- CreationPolicy (Prevent status from reaching complete)
- DeletionPolicy (Preserve/Backup resources(ex) RDS/S3) when deleted)
-
- Values returned
-
-
- Breaks CloudFormation into smaller reusable templates
-
-
-
OnDemandAllocationStrategy: String OnDemandBaseCapacity: Integer OnDemandPercentageAboveBaseCapacity: Integer SpotAllocationStrategy: String SpotInstancePools: Integer SpotMaxPrice: String - OnDemandAllocationStrategy : How to allocate instance types
- OnDemandBaseCapacity : How much on-demand instance will be in ASG
- OnDemandPercentageAboveBaseCapacity : How much percentage of on-demand instances in ASG
- SpotAllocationStrategy : lowest-price / capacity-optimized
- SpotInstancePools : The number of spot instance pools used, only valid when lowest-price
- SpotMaxPrice : Max price willing to pay per spot instance
-
-
-
-
-
-
- Log Group
- Collection of logs
- Log files must belong in a group
- Log in a group is called Log Stream
- Log Stream
- Log streams never expire
- Most AWS services integrate CloudWatch Logs
- Some needs IAM permissions
- Log Group
-
- Time ordered set of data points
- Graph
- Predefined metrics
- Custom metrics
- Create / Send values by SDK/CLI
- Can create High Resolution Metrics
- Track under 1 minute to 1 second
- Costs more if higher resolution
-
- Event based on Event Pattern / Schedule
- Event pattern is whenever something happens in AWS
- Schedule is like serverless Cron jobs
- Event Source -> Target
- Event based on Event Pattern / Schedule
-
- Triggers a notification based on metric
- If threshold is breached
- Type
- Static / Anomaly detection
- Condition
- Greater(Equal) / Equal / Lower(Equal)
- Threshold
- ex) 1000 USD
-
- Custom dashboard of Metrics
-
- EC2 : 5 minute interval (Default)
- Turn on Detailed Monitoring in EC2 to get higher resolution (1 minute)
- Other services : 1 minute interval
- EC2 : 5 minute interval (Default)
-
- Gathers additional information of EC2
- Script can be installed via Systems Manager Run command
-
- CPU Usage
- Network Usage
- Disk Usage
- Status Checks
-
- Memory utilization
- Disk swap utilization
- Disk space utilization
- Page file utilization
- Log collection
-
-
-
- Governance
- Compliance
- Operational Auditing
- Risk Auditing
-
-
- Tracks management
- Turned on by default
- Can't be turned off
- Types
- Configure security
- Registering devices
- Configuring rules for routing data
- Setting up logging
-
- Tracks specific AWS services
- Turned off by default
- High volume will result in payment
- S3 / DynamoDB / Lambda
-
-
- Who : User, UserAgent, ...
- Where : SourceIPAddress
- When : EventTime
- What : Region, Resource, Action
-
-
- If you need more than 90 days, create custom trail
- Custom trails are output to S3, and do not have GUI, so use Amazon Athena
-
-
-
- Check Log File Validation
-
-
-
Stateless architecture
-
- Pass sensitive information
- Can encrypt by KMS (Not automatically set up)
-
- Sync (Call and wait until finish)
- Async (Call and respond immediately)
- Can send invocation records
to SQS/SNS/Lambda/EventBridge - Attempt to retry on errors (Two more times)
- Dead Letter Que (DLQ)
- SNS DLQ
- SQS DLQ
- Can send invocation records
- Sync Invocation
- ELB/Cognito/Alexa/API Gateway/CloudFront/KinesisFirehose/SSS
- Async Invocation
- S3/SNS/SES/CloudFormation/CloudWatch/CodeCommit/CodePipeline
- Poll based Invocation
- Kinesis
- DynamoDB
- SQS
-
- AWS SDK
- Other AWS Services
- API Gateway
- CloudFront
- Application Load Balancer
- CloudWatch Events
- CloudWatch Logs
- DynamoDB
- S3
- SNS
- And more!
- Third Party triggers
- DataDog
-
- First 1 million request per month is free
- $0.20 per additional 1 million
- 400,000 GB per month is free
- $ 0.0000166667 per GB second
- Differ with memory allocation
- Memory X number of requests X runtime
-
- Can run in a private VPC without NAT or VPC Endpoint
-
- You can have up to 1000 Lambdas running concurrently
- Ask AWS Support for more
- /tmp directory can contain up to 512 MB
- No VPC by default
- If VPC set, Internet access is lost
- Max timeout is 15 minutes
- Memory can be set from 128 ~ 10240 MB
- If max memory is used, the error shown is
- Process exited before completing request
- No internal error is shown in handler
- If max memory is used, the error shown is
- You can have up to 1000 Lambdas running concurrently
-
- AWS needs to turn on servers and copy code over to run lambda
- Cheap but may cause delays in user experience
- Pre Warm to keep servers continuously running
-
- Invoke Lambda with Event Patterns/Schedules(CRON)
- Receive Matched event/Part of event/Constant JSON/Input Transformer (Create custom key:value pair JSON)
-
-
- Messaging System
- Asynchronous communication and decouple processes via messages / events
- Sender(Producer) / Receiver(Consumer)
- Horizontal Scaling
- Messaging System
-
- Decouple and microservices, distributed systems, serverless applications
- Does not automatically delete message
- Server side Encryption
- Customer master key (CMK)
-
-
- Simple Communication
- Not Real-time
- Not Reactive (Has to pull requests)
- AWS SQS
-
- Event stays in the stream for long time
- Complex communication
- Multiple consumers can react to events
- Real time
- Reactive
- AWS Kinesis
-
-
- Generates queue messages by application
- Connect isolated application by passing messages
-
- 1 byte ~ 256 KB
- Poll up to 10 Queue message from Batch Size
- SQS Extended Client Library for Java
- Send messages over 256 KB ~ 2 GB
- Messages stored in S3
-
- How long the message will be hold
- Default is 4 days
- 60 Seconds ~ 14 Days
-
-
- Send nearly unlimited transactions per second
- Guarantees message delivery at least once
- More than one copy can be out of order
- Provides best-effort to keep order
-
- First in First out
- Limited to 300 transactions per second
- Ensures order
-
-
- Avoid doing the same task
- After a reader picks up a message,
the message becomes invisible for a period of time - Message can be deleted before visibility timeout expires
- If the job is not finished, the message will be visible again
- Prevents double delivery
- 30 Seconds (Default)
- 0 seconds ~ 12 hours
-
-
- Default
- Returns message immediately
- Returns even if empty
- Receive message wait time 0 sec
-
- Waits until message arrives in queue
- Waits until long poll timeout expires
- Inexpensive cost because reduce empty polls
- Most use cases
- Lesser calls
- Reduce cost
- Receive message wait time max 20 sec
-
-
-
-
-
- Publishers send messages to event bus
- Event bus categorizes messages into groups(SNS Topics)
- Subscribers subscribe to these groups
- Publishers have no knowledge of subscribers
- Subscribers do not pull messages
- Messages are automatically pushed to subscribers
-
- Decouple microservices, distributed systems, serverless applications
- Can create application within AWS
- Publishers push to SNS Topic
- Subscribers subscribe to SNS Topic
-
- Allow to group multiple subscriptions
- Topic deliver to multiple protocols at once
- Automatically format message to subscribers protocol
- Can encrypt Topics via KMS
-
- If message is not delivered to Subs DLQ is activated
- Used for future analysis or reprocessing
-
-
- Receive only a subset of the messages
-
-
- Subscriptions are created on Topic
- Subscribe to one protocol and one topic
- Protocols
- HTTP(S)
- Email
- Plain text
- If rich text needed use SES
- Email-JSON
- SQS
- Lambda
- SMS(Text message)
- Platform application endpoint(Mobile Push) (not that important)
- ADM (Amazon device messaging)
- APN (Apple push notification)
- Baidu (Baidu cloud push)
- FCM (Firebase Cloud messaging)
- MPNS (Microsoft push notification)
- WNS (Windows push notification)
- Mobile app messages come as popups, alerts, badges, updates, sound alerts
-
-
- Memcached is simple Key/Value cache store for HTML fragments
- Redis has richer data types and operations
- Memcached is arguably faster than Redis
-
-
- LOGSTASH
- KIBANA
- BEATS
-
-
-
-
- Elastic Load balancer
- Autoscaling Groups
- RDS Database
- EC2 Instance
- Health Monitoring (CloudWatch, SNS)
- Security
- Dockerized environments
-
-
-
- Supports SQS
-
-
-
- Accepts up to 10,000 requests per second
- Can be increased by request
- Throttle requests to help prevent attacks
- Manage multiple versions
- Exposes by HTTPS
- Automatically protects from DDOS attacks
-
- HTTP API (Lambda/HTTP)
- Websocket API (Lambda/HTTP/AWS services)
- Public REST API (Lambda/HTTP/AWS services)
- Private REST API (Lambda/HTTP/AWS services)
-
-
-
- Url path
- ex) www.url.com/projects (/projects)
- Can have child resources (/api/users)
-
- ANY/DELETE/GET/POST/PATCH/PUT...
- One(Resources) to Many(Methods)
-
- Lambda
- Lambda by another account by arn
- HTTP
- Connect with HTTP from outside AWS
- Private resources
- ALB, NLB, Cloud Map
-
- Link to private AWS VPC
- SQS
- Event Bridge
- AppConfig
- Lambda
-
-
- Versions of API
- Must deploy API to make changes
- Each stages have a Invoke URL
-
- Caches responses of endpoint
- Time To Live (TTL)
- Improve latency
- Reduce number of calls
- Costs more by GB
- Options
- Cache capacity
- Encrypt cache data
- TTL
- Flush entire cache
-
- Token bucket algorithm
- 429 Too Many Requests
- Types
- Account Throttling
- Applied to the account by region
- Default Route Throttling
- Applied to route
- Account Throttling
- Protect cost from traffic burst
- Burst Limit
- Rate Limit
- Burst Limit = Token size = Max concurrent request per ms
-
- Can set up API by OpenAPI 3
- Export/Import
-
- Can be only used in REST API Gateway (Not HTTP)
- Uses Resource policy (JSON)
- Allow other AWS users
- Deny API traffic by IP
- Allow API by source VPC, VPC Endpoint
- Cannot use time range for Policy
-
-
- Allow traffic from another domain/origin
- CORS is always enforced by the client(Frontend/Browser) level
- Prevent Cross-Site Scripting (XSS) attacks
- Ignore tools such as Postman or Curl
- Can be enabled to all or individual endpoints
-
-
- Alphanumeric string
- Grant access to API
-
- How much/fast can one access one or more API
- Set Throttling Limits
- Set Quota Limits
- Uses API Keys
-
- Works with Rest/Websockets API
- Types
- Token(JWT/OAuth)
- Request parameter(header/query)
-
- Used to verify that HTTP requests to backend is from API Gateway
-
- CloudWatch Logs
- Access Logging
- Who accessed API
- How the API was called
- Execution Logging
- ?
- Access Logging
- CloudWatch Logs
-
-
-
-
-
- Stock Prices
- Game Data
- Social Network Data
- Geospatial Data
- Click Stream Data
-
-
- Producers -> Kinesis Data Streams(Shards) -> Consumers
- Pay per running shard
- Data stays 24 hours (Default) ~ 168 hours
- Data is ordered
- Consumers need to be manually added
-
- Transform data served into data stores, analytics
- Only one consumer from list (S3/Redshift/ElasticSearch/Datadog/MongoDB/Splunk/HTTP endpoint)
- Data immediately disappears when consumed
- Can convert incoming data (Format/compress/secure)
- Pay per data consumed
-
- Producers (Security Cam / Web Cam / Mobile)
- Consumers (SageMaker / Reckognition / Tenserflow / Video Processing)
- Use Kinesis Producer Library(KPL)(Java) or AWS SDK
-
- Uses two Streams (Bit expensive)
- Specify Firehose or Data Stream as input or output
- Real time analytics
- Input Stream -> Data Analytics -> Output Stream
-
-
-
- VMware ESXi
- Microsoft Hyper-V
-
-
- Store files in S3
- NFS or SMB
- S3 Metadata contains Ownership, Permissions, Timestamp
- Can be managed as native S3 Object
- Bucket Policies, Versioning, Lifecycle Management, Cross-Region Replication is applied
-
- Internet Small Computer Systems Interface (iSCSI) protocol
- Store hard disk in S3 as EBS Snapshots
- Can be backed up with point in time snapshots
- Snapshot only capture changed blocks in volume
- Snapshots are used to minimize cost
-
- Primary data is stored locally while async backup in AWS
- 1 GB ~ 16 TB
-
- Primary data is stored on AWS
- Frequently accessed files on cache on-premise
- Up to 32 TB
- Cached volumes 1 GB ~ 32 GB
-
- Durable
- Cost-effective
- Uses S3 Glacier
-
-
-
- S3
- Amazon EFS
- SnowCone
- Amazon FSx
- Windows File Server
-
- Use Database Migration Service
-
- Checking if transferred data is same as on-premise
-
- Disable initial transfer check
- Enable final cut over check
-
-
-
- Windows File Server FSx can connect to Microsoft Active Directory
-
-
- Serverless container service
- Like lambda for docker images
-
-
-
- Kubernetes cluster
- May contain more than one ec2 instance
-
- EC2 instance type and VPC cannot be defined
- Specify the container information for task
- Run individual tasks
- Task Role (IAM)
- Network Mode
- JSON template
-
- Task memory
- Task CPU unit
-
- Container name
- Image
- Memory
- Port mapping
- HealthCheck
- Environment
- CPU units
- GPU
- Working directory
- Environment Files/Variables
- Timeout
- Network Settings
- Logging
- Storage/Logging(CloudWatch)
- Security
- Resource Limits
- Soft/Hard limit
- Docker Labels
- Container commands
- Volumes use by the containers within a task
-
- Cost efficient hardware acceleration for deep learning
-
-
- CPU/Memory/Disk/Network logs
-
-
-
- AWS KMS
-
- Public
- Cluster endpoint outside VPC
- Worker node traffic outside VPC
- Private
- Cluster/Worker inside VPC
- Public and Private
- Cluster endpoint outside VPC
- Worker node traffic inside VPC
- Public
-
- Enables pods to have same IP address
-
- API server/Audit/Authenticator/Controller manager/Scheduler
- CloudWatch logs
- Logs control information
-
-
-
-
-
- Can specify who
- Can be a single member
-
- Manage permissions in organization
- Gardrails, set of limits for permissions
- No permissions are granted by an SCP
- Apply to all users within organization including root
- If a parent OU is deny, child is also denied
-
- All billing in organization is shared
- Can be used to share volume pricing discounts
-
- Remove all members from old organization
- Delete the old organization
- Invite the master account to new organization
-
- Delete specific member from old organization
- Invite the account to new organization
-
-
-
-
- Use Engine conversion tool
-
- Use Schema conversion tool
-
-
- Change Schema
- ex) lowerCase, UpperCase, addPrefix...
