## 11. AWS Part I

## What is Cloud Computing?

Cloud Computing consists of accessing virtualised resources over the network (e.g. a website online). 

AWS, Azure, Google Cloud are some of the big names in the Public Cloud Computing environment.

**Cloud Computing for AWS**:

"Cloud Computing is the on-demand delivery of IT resources over the internet with pay-as-you-go pricing. Instead of buying, owning, and maintaining physical data centers and servers, you can access technology services, such as computing power, storage, and databases, on an as-needed basis from a cloud provider like Amazon Web Services (AWS)"

*Benefits:*

* Agility: You can deploy technology services in a matter of minutes, and get from idea to implementation several orders of magnitude faster than before.

* Elasticity: You provision the amount of resources that you actually need. You can scale these resources up or down to instantly grow and shrink capacity as your business needs change.

* Cost savings: The cloud allows you to trade capital expenses (such as data centers and physical servers) for variable expenses, and only pay for IT as you consume it.

* Deploy globally in minutes: You can deploy your application in multiple physical locations with just a few clicks. 

*Types of cloud computing:*

* **Infrastructure as a Service (IaaS)**: Provides access to networking features, computers (virtual or on dedicated hardware), and data storage space. Similar to existing IT services. EC2 services of AWS are an example of IaaS.

* **Platform as a Service (PaaS)**: Removes the need for managing underlying infrastructure (usually hardware and operating systems), and allows to focus on the deployment and management of applications. AWS RDS services for Oracle Data Bases, for example.

* **Software as a Service (SaaS)**: Provides a complete product that is run and managed by the service provider. You don't have to think about maintaining the service or the underlying infrastructure but about how to use that particular service.

## AWS Free Tier

**AWS Regions and Zones:**

AWS has presence in so many regions, within which there are multiple zones:

* Region -> Country

* Zone -> Multiple (clustered) Data Centers

"The AWS Cloud spans 102 Availability Zones within 32 geographic regions around the world, with announced plans for 12 more Availability Zones and 4 more AWS Regions in Canada, Malaysia, New Zealand, and Thailand." October, 2023

-> https://aws.amazon.com/about-aws/global-infrastructure/

**AWS Global Infrastructure:**

* High availability through multiple Availability Zones

* Improving continuity with replication between Regions

* Meeting compliance and data residency requirements

* Geographic expansion 

**Availability Zones:**

![](https://docs.aws.amazon.com/images/whitepapers/latest/get-started-documentdb/images/regions-and-zones.png)

* When you launch a VM (instance), you can select an Availability Zone or let AWS choose for you.

* When designing your apps, you can distribute your instances across multiple Availability Zones, so in case one instance fails, an instance in another Availability Zone handles requests.

## Using AWS Platform

Connect to the AWS platform using your root account and check the available services. 

AWS has so many services, but we will focus on **sysops and devops** services and some **developer** services:

**Compute**:

* *EC2*: Virtual Servers in the cloud

* *Elastic Beanstalk*: Run and manage Web Apps

**Storage**:

* *S3*: Scalable Storage in the cloud

* *EFS*: Managed File Storage for EC2

* *S3 Glacier*: Archive Storage in the cloud

**Database**:

* *RDS*: Managed Relational Database Service

* *ElastiCache*: In-memory cache

**Networking & Content Delivery**:

* *VPC*: Isolated Cloud Resources

* *CloudFront*: Global Content Delivery Network

* *Route 53*: Scalable DNS and Domain Name Registration

**Developer Tools**:

* *CodeCommit*: Store code in private Gir repositories

* *CodeArtifact*: Secure, scalable and cost-effective artifact management for software development

* *CodeBuild*: Build and test code

* *CodeDeploy*: Automate code deployments

* *CodePipeline*: Release software using Continuous Delivery

**Management & Governance**:

* *CloudWatch*: Monitor resources and applications


## EC2 Services

EC2: Amazon Elastic Compute Cloud

**Features**:

* EC2 provides web services API for provisioning, managing and deprovisioning virtual servers inside Amazon cloud.

* Ease in scaling up/down: e.g., scale RAM from 8Gb to 16Gb or viceversa

* Pay only for what you use

* Can be integrated into several other services, e.g. S3

**Pricing**:

1. On Demand: Pay per hour or seconds

2. Reserved: Reserve capacity (for 1 or 3 years) for discounts

3. Spot: Bid your price for unused EC2 capacity; but if someone outbids you, your EC2 instance will be gone.

4. Dedicated Hosts: Dedicate a complete physical server for you (very expensive)

**Components**:

To launch an EC2 instance, you need:

* Amazon Machine Image (AMI): provides the information required to launch an instance, which is a virtual server in the cloud (similar to Vagrant boxes)

* Instance type: when you launch an instance, the instance type that you specify determines the hardware of the host computer used for your instance: size of the instance, computing resources: CPU, RAM, network, etc.

* Amazon Elastic Block Store (EBS): provides a flexible, cost effective and easy-to-use data storage options for your instances (virtual hard disks on which you can store your OS)

* Tags: simple label consisting of a customer-defined key and an optional value that can make it easier to manage, search for and filter resources

* Security Group: a security group acts as a virtual firewall that controls the traffic for one or more instances

* Key-pairs: EC2 uses public-key cryptography to encrypt and decrypt login information.

### Steps to create an EC2 instance

1. Login to your AWS Console

2. Select the region: usually North Virginia (us-east1) since it is less costly

3. Search for the EC2 service

4. Click on Instances (in the left part) and the Launch Instances button

5. Give name and tags and select the Amazon Machine Image (AMI): browse for the OS you prefer, be careful with free-tier alternatives as they may charge you after some time.

6. Check the instance type: select t2.micro since it is included in the free tier version. Some documentation on the instance types: https://aws.amazon.com/ec2/instance-types/

7. Set a key pair login using "Create new key pair", give a name and keep in RSA and .pem formats

8. In Network settings, create a new security group by editing the current settings: change the name of the security group and the description. Also, in security group rule 1, change Source type for "My IP". Additional, in advanced settings, go to "User data" and add the provisioning for the instance:

```
#!/bin/bash

sudo yum install httpd -y
sudo systemctl start httpd
sudo systemctl enable httpd
mkdir /tmp/test1
```

9. Click on Launch Instance

10. Check the status of the instance (Instance state and Status check). If you select the instance, you can check its public and private IP addresses. Also, you can connect to it by clicking on Connect.

11. In the Connect to instance page, select the "SSH client" tab and follow the steps. Use the key (.pem file) downloaded when setting the key pair login (`web-dev-key.pem`), the user (`ec2-user`) and the public DNS name (`ec2-50-17-123-122.compute-1.amazonaws.com`):

`ssh -i "web-dev-key.pem" ec2-user@ec2-50-17-123-122.compute-1.amazonaws.com`

12. Open Git Bash and go to the directory where the .pem file is dowloaded or stored. Then, copy and paste the complete command as shown in step 11. You should be able to connect to the instance.

### Accessing the `httpd` service

* Provisioning was included in the creation of the instance, so the `httpd` service should be running. Check it by running the command `systemctl status httpd`

* Check connection through port 80 is related to httpd: `ss -tunlp | grep 80`

* You can try and connect through the public IP address to see if the connection is given. The problem is that the initial security rule for the instance only allowed connections through port 20.

* Go to the security tab in your instance and click the security group. Go to Inbound Rules and modify them by clicking on Edit Inbound Rules.

* Add a new rule to allow connections through port 80:

    Type: Custom TCP; Port range: 80; Source: My IP/Anywhere IPv4/Anywhere IPv6

* Save changes and try to connect again.

### Terminate an instance

In the section "Instances", select the instance and click on Instance state button. Select "Terminate instance".

### Best Practices of EC2 Instance Creation

1. Gather the computing requirements:

    - OS to choose: CentOS, Ubuntu? -> AIM to go with

    - Size: RAM, CPU, Network -> Instance type

    - Storage: for OS and applications 

    - Project information -> Tagging

    - Services/Apps running: SSH, HTTPD, MySQL, etc.

    - Environment: Development, QA, Staging, preproduction, production, etc.

    - Login User/Owner -> Tagging and tracking

2. Create the key pairs

3. Create the security group (firewall)

4. Start launching the instance: select your security group, key-pair and make all the decisions based on your requirements

**IMPORTANT INFO ON SECURITY GROUPS**:

A security group acts as a virtual firewall that controls the traffic for one or more instances.

* Firewall is a network security system that monitors and controls incoming and outgoing network traffic. Think of it as the gatekeeper who has a register of who's allowed to come in and also who is allowed to go out.

You can *add rules* to each security group that **allow traffic to or from its associated instances**

Security groups are "stateful" -> Outbound rules are updated when inbound rules are added/modified.

Two types of rules:

* Inbound rules: Traffic coming from outside on the Instance

* Outbound rules: Traffic going from Instance to outside

Allowing every IP address to access every port of an Instance IS NOT A GOOD PRACTICE.

### Setting up a Website in EC2

First, enter the EC2 service:

1. Check the webpage you want to set up on Tooplate: https://www.tooplate.com/view/2128-tween-agency. So project name will be **Tween Website**

2. Create a key pair: Go to the menu on the left and search for Key Pairs in the *Network & Security* section. Create a key pair for development environment in North Virginia zone:

    - Name: tween-dev-nvir (very helpful to have proper naming convention)

    - Type: RSA (Rivest-Shamir-Adleman): 
    
        Assymetric encryption algorithm: Given a key pair, data that is encrypted with one key can only be decrypted by the other.

    - File format: .pem (container format for the key)

    It will download the **private key** and the **public key** will be "injected" in the instance (saved in the key-pairs menu). DO NOT SAVE THE PRIVATE KEY IN GITHUB OR A PUBLIC SPACE!

3. Create security group (firewall): Go to the menu on the left and search for Security Group again in the *Network & Security* section. Create a new security group:

    - Name: tween-web-dev-sg

    - Description: tween-web-dev-sg

    - Inbound rules: Add rules:

        * A rule to access SSH from My Corporate/Home IP only: 

            - Type: SSH, Source: My IP

        * We will come back later to add rules to allow the access to the webpage.

    - Outbound rules: DO NOT MODIFY!

4. Go to the *Instances* section on the left and, in Instances, click on Launch Instances:

    - In Name and Tags, click on Additional Values and add:

        - Key: Name, Value: web01, Resource types: Instances, Volumes (virtual hard disk) & Network Interface

    - Add additional tags:

        * Key: Project, Value: tween

        * Key: Environment, Value: prod

        * Key: Owner, Value: lead-devops

    - Select AMI: Ubuntu 22.04 (free tier eligible)

    - Select Instance type: t2.micro (free tier eligible)

    - Select Key pair: the one we created in step 2: tween-dev-nvir (creating it beforehand and selecting it here is a good practice!) 

        * **Important!**: One key can be used for all the instances or each and every instance can have their own keys

        * The best way is to divide your key **based on the ENVIRONMENT!** e.g., one key for development, another one for QA, another key for production, ...

    - Edit Network settings:

        * Firewall: Click on select existing security group and select the one created in step 3.

    - Go to advanced settings:

        * User data: Add provisioning if required

    - Go to Summary and Select the number of instances you want to create and click on Launch Instance.

5. Go and select the Instance: Click on connect and copy the command to access it:

    `ssh -i "tween-dev-nvir.pem" ubuntu@ec2-3-94-87-13.compute-1.amazonaws.com`

6. Go to the directory where the `.pem` file with the private key is located using Git Bash. Paste the command to access the Instance and run it. 

7. Once inside the instance, you need to run the following commands to set up the website:

    ```
        sudo apt update
        sudo apt install apache2 wget unzip -y
        wget https://www.tooplate.com/zip-templates/2128_tween_agency.zip
        unzip 2128_tween_agency.zip
        cp -r 2128_tween_agency/* /var/www/html/
        systemctl restart apache2
    ```

8. We need to access the website using port 80, so we need to add a new rule in the security group:

    - Go to the Instance, select the Security tab and click on Security Groups link.

    - Edit Inbound rules and add new rule:

        * Type: Custom TCP, Port: 80, Source: My IP

    - Save rules

9. Go to the Instance page and copy the public IP address. Go to a browser and go the IP address: http://3.94.87.13 and you will find the webpage.

### Getting a Static Public IP address

* Start the instance by clicking on the dropdown button Instance state and then Start instance

* Go to Network & Security in the side bar and search for **Elastic IPs** (5 for free, then you can purchase more)

* Click on Allocate Elastic IP address, keep the region and click on Allocate.

* Then, go to the dropdown button Actions and click on Associate Elastic IP address.

* Tick the Instance option and select the instance in the search box. Finally, click on Associate.

* Confirm the association by clicking on the instance.

## AWS Command Line Interface (CLI)

You have to install `awscli` using **chocolatey**: `choco install awscli -y`. The documentation is available here: https://docs.aws.amazon.com/cli/

Then, go to **Git Bash** and check the version of AWS CLI you've got installed:

`aws --version`

To use the AWS CLI, you need to create a new user:

* Go to **IAM services** > Users

* Click on *Create user*: add a name and don't tick the box to provide access to the AWS Management Console. Click on Next.

* In Permissions options, select *Attach policies directly*. We want to use this user for our entire AWS account, so we give (tick the following boxes):

    - AdministratorAccess

    - (For another user): Give access only to specific servers (S3 for example)

* Click on Next and Create user

* Click on the user name and go to *Security credentials*

* We need to create Access keys to use it for CLI: Go to Access keys section and click on *Create access key*

    - Select *Command Line Interface (CLI)*

    - Tick the confirmation box and click Next, and then Create access key

    - Download the .csv file with the Access keys

    - DO NOT REVEAL THIS ACCESS KEY AND THE SECRET ACCESS KEY TO ANYBODY ELSE! especially when the user has administrator access

* Go to Git Bash, execute `aws configure` and copy and paste the Access key and the Secret access key

* Enter the Default region name: `us-east-q` and Default output format: `json`. Click Enter.

* You can check this information running the command: `ls ~/.aws/`. You can check the `config` (`cat ~/.aws/config`) and `credentials` (`cat ~/.aws/credentials`) files.

**Important**: All commands to create and launch a new instance are given in the **Command Reference** menu in the CLI documentation: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/index.html

## Elastic Block Storage (EBS)

EBS provides two things:

* EBS volume (virtual hard disk)

* Snapshot (backup of the EBS volume)

EBS are:

* Block-based storage (like hard disks)

* Used to run EC2 OS, store data from database, file data, etc.

* Placed in specific Availability Zone. Automatically replicated within the same availability zone of the instance to protect from failures.

* Snapchot is used for backup of the entire volume


### EBS Types

* **General purpose (SSD)**: Used in most work loads (best combination of right price and speed)

* **Provisioned IOPS**: Used to run large databases (higher input-output per seconds)

* **Throughput Optimised HD**: Used for big data and data warehouses

* **Cold HDD**: Use for file servers (very low-cost)

* **Magnetic**: Recommended for backups and archives (the slowest!)

Some more information about EBS types in: https://docs.aws.amazon.com/ebs/latest/userguide/ebs-volume-types.html

### Configuring EBS

You can select the prefered storage configuration:

* When launching an instance: 

    - Go to the section Configuration Storage
    
    - Select the type of storage in the dropdown list: default is `gp2 (general purpose)`

* After launching an instance:

    - Select the instance and go to the Storage tab

    - In *Root device details* > *Block devices*, you find your current Volume ID and the size in GiB

    - Click on the Volume ID and edit its name, according to the instance-hierarchy: e.g., web01-ROOT-volume.

    **Important**: Always give proper names to your volumes for easy identification

    - Both instance and volume need to be in the same availability zone so they can connect!

    - To **add more storage**: Go to Elastic Block Store on the left menu > Volumes > Create Volume:

        * Select volume type: `gp2`

        * Size (GiB): `5`

            Volumes over 30GiBs are more than the Free Tier allowance: Over 30GiB, you would need to pay!

        * Availability zone: **Same as the instance you want to connect with!**

        * Encryption: Tick, in case you want it encrypted

        * Add Tag: 

            - Key: Name, Value: gymso-web01-Images (We want to create this storage for our website Image)

        * Finally, click on Create Volume

    - When it is created, select the volume you want to attach to an instance and click on Actions > Attach volume:

        * Select the instance you want to attach the volume in the zame Availability Zone

        * Click on Attach

* Connect to the instance:

    - `ssh -i {PATH_TO_KEY.pem} ec2-user@CURRENT.IP.0.0`

    - Switch to root user: `sudo -i`

    - Go to `cd /var/www/html` and find the `images` directory.

* We need to partition and mount this image in our recently attached storage:

    - List all the disks in the Linux instance: `fdisk -l`

        * Identify the name of the partition you want to use for mounting the webpage image.

        * Run `df -h`: It will show the name of the root disk with `/` in the column Mounted on.

        * Once identified (`/dev/xvdf`), create a partition for the attached disk:

            Run: `fdisk /dev/xvdf`

            Run `m` for help

            You will find that the command to add a new partition is `n`

            Run command `n` > type: `p` (primary or just enter) > number: (enter) > first sector: (enter) > +size: `+3G`
            (or just enter to create a partition of the entire disk)

            Run `p`to print the partition table.

            Run `w` to write and confirm!

        * Check the partition in `fdisk -l`

        * Format the disk using `mkfs`. 
        
            - First, check the available formats by running `mkfs` and two times the tab key.

            - Use the `.ext4` format: Run `mkfs.ext4 /dev/xvdf1`

    - Mount the webpage image: 

        - Go to `cd /var/www/html` and find the `images` directory.

        - Create a directory: `mkdir /tmp/img-backups`

        - Move from `images` to `img-backups`: Run `mv images/* /tmp/img-backups/`

        - Do a temporary mount: `mount /dev/xvdf1 /var/www/html/images/` (`images/` should be empty)

        - Run `df -h` to check where the partition was Mounted on.

        - To unmount, run: `umount /var/www/html/images`

        - Do a permanent mount: Opem file `vi /etc/fstab`:

            In the last line, add:

            ```
                /dev/xvdf1      /var/www/html/images        ext4    defaults    0   0
            ```

        - Run `mount -a` to mount all the entries from the `fstab` file.

        - Check by running `df -h`

        - Move data from the temp directory: `mv /tmp/img-backups/* /var/www/html/images/`

* Once finished, restart the `httpd` service: `systemctl restart httpd` and check status: `systemctl status httpd`

* See using the browser. If there's a problem with the webpage images, modify the file `vi /etc/selinux/config`:

    - Modify the line to: `SELINUX=disabled`

* Reboot the machine: `reboot`

### EBS Snapshots

Provides a backup mechanism for the EBS volumes: e.g., for databases.

Snapshot is mostly used to take backups and restore in the event of failures. When restoring a snapshot, you should:

* Unmount the partition (to prevent data from being overwritten)

* Detach the volume from your instance

* Create a new volume from snapshot

* Attach the newly created volume

* Mount it back (replace it!)

### Creating a Snapshot

In the Volumes section:

* Select the volume you want to create a backup

* Go to Actions > Create Snapshot

* Give a description and a tag: Key: Name, Value: db01-volume-db-SNAP

* Click on Create Snapshot

* Go to Snapshots section to see the snapshot

Inside the instance:

* Stop the service you want to recover/replace: e.g., `systemctl stop mariadb`

* Unmount the volume partition: `umount /var/lib/mysql/`

* Check using `df -h`

* To detach the volume partition, go to Volumes section in AWS, select the volume and click on Actions > Detach Volume

* Go to Snapshot section, select the snapshot you want to recover and click on Actions > Create Volume

* Apply the preferred settings: Volume Type, Size, Availability Zone, Tags, etc.

* Create volume, attach volume to the instance and mount it using `mount -a`

## Elastic Load Balancer (ELB)

When building a cluster of services (multiple servers), you need a single endpoint to access them and that's mostly provided through a **Load Balancer**.

AWS provides with a Load Balancer for these situations:

**Ports**:

* **Frontend Port**: Listens from the User Requests on this port aka "Listeners" (generally on port $443$ for https)

* **Backend Ports**: Services running on OS listening on this port. E.g., a Tomcat server which is running on port 8080

ELB distributes incoming application or network traffic accross multiple targets, such as Amazon EC2 instances, containers, and IP addresses, in multiple availability zones.

ELB supports three types of load balancers:

1. Application Load Balancer: Popular for web traffic (websites, apps, http & https). It routes traffic based on advanced application level information that includes the content of the request. (Level 7)

2. Network Load Balancer: Functions at the 4th layer of the Open Systems Interconnection (OSI) model. It can handle millions of requests per second. It gets a static IP.

3. Classic Load Balancer: Simplest one. It routes traffic based on either application or network level information.

    * Ideal for simple load balancing where you don't need any other complications 

More information on Load Balancing in: https://docs.aws.amazon.com/elasticloadbalancing/

### Configuring ELB to an Instance

1. Create an instance: Use the bash script in the **AWS/Load-balancer-websetup** directory as a provision: `multios_websetup.sh` to deploy the webpage. Remember to create a Key-Pair and define security groups.

2. Once the instance is created and the webpage is working (check the IP), create an Amazon Machine Image (AMI) for the instance:

    * Select the instance, go to Actions > Image and templates > Create image.

    * Creating an image is similar to creating a *snapshot* in EBS:

        - Image name: health-ami > Create image

        - Go to the Images section and check AMIs

    * The custom AMI with the website in it is used to launch a cluster of instances from it.

3. In order to avoid all the steps of creating an instance from an image (which are the same as for creating a new instance), create a *template* to very quickly launch an instance. 

    * Go to Instances section and Launch Templates > Create launch template

    * Launch template name: health-template, Template version description: v1

    * In Application and OS Images: Select My AMIs tab and Owned by me: Your AMI from step 2 should appear here.

    * Finish other settiongs:
        
        - Instance type: t2.micro
        
        - Key pair (Login): the same one created in step 1

        - Network settings > Security groups: the same one created in step 1

        - Resource tags: Key: Name, Value: web00, Resource types: Instances

    * Create launch template

4. In Launch Templates section, select the recently created template and go to Actions > Launch instance from template.

    - While launching, you can modify any of the preset settings. For example, change the Name tag to web01, web02 and so on ...

    - Click on Launch instance

5. Now we have two instances: They cannot be accessed separately by the user, they need to be *accessed from a single endpoint* and that endpoint should **route the request** to either of these instances. That single endpoint is the *Load Balancer*

    * Go to Load Balancing section > Target Groups

        - Target groups is a group of instances that we want to balance with "health checks". 

        - Click on Create target group > Instances

        - Give a Target group name: heath-tg, and Port (same as the instances): HTTP: 80

        - Define a Health checks: 
        
            * Health check protocol: HTTP: `/`

            * Health check port: Same as instance: Traffic port (or if different, use Override)

            * Healthy threshold (number of times to check if healthy): 2

            * Unhealthy threshold (number of times to check if unhealthy): 2

            * and so on...

        - Click on Next

        - Select the instances in Register targets and click on Include as pending below

        - Review them in Review targets. Finally, click on Create target group.

    * Go to Load Balancers in the Load Balancing section:

        - Click on Create load balancer

        - Select Application Load Balancer (for HTTP, HTTPS). Click on Create.

        - Set the ELB:

            * Name: health-elb, Scheme: internet-facing

        - Define Network Mapping: Make the ELB highly available by defining two or more zones: select all the zones

        - Security Groups: Click on Create a new security group:

            * SG name and description: health-elb-sg

            * Inbound rules: 
            
            a. Type: Custom TCP, Port range: 80, Source: Anywhere IPv4

            b. Type: Custom TCP, Port range: 80, Source: Anywhere IPv6

            * Click on Create security group

        - Refresh and select the recently created security group: health-elb-sg

        - Listeners and routing: Protocol: HTTP, Port: 80, Default action: Forward to **health-tg** (target group created before)

        - Click on Create load balancer

6. Once created, you can visualise your Load Balancer. To access it, you can copy the **DNS name** and paste it on a browser. However, you will need to fix a problem first: 

    * The LB won't load the page with error 504 Gateway Time-out (Server error): There's something in between the instance and the load balancer that doesn't let it pass.

    * Remember that every instance is protected by a Security group. That is, the *Inbound rules* of the security group for the instances need to be set so the Load balancer can access the instances.

    * You can also check the Target group section: select the target group and check the Health Status column. If the instances are "Unhealthy", it means that the Load Balancer cannot access the group.

    * So, go to Network & Security section > Security Groups: Find the security group for the instances and add a new Inbound rule:

        - Type: Custom TCP, Port range: 80, Source: Custom, and search for the security group of the Load Balancer: health-elb-sg, Description: Allow port 80 from ELB

    * Wait for the instances in the Target group to be healthy and go again to the DNS address given by the Load balancer. The webpage should appear now.

7. To add/remove instances to a Target group:

    * Add them using the Targets tab when selecting the Target group > Register targets: Select the instances and click on Include as pending below

    * Remove them by selecting the instances in the Targets tab when selecting the Target group > Deregister: It will not immediately remove but drain the request first.

## Elastic File System (EFS)

If you have a cluster of servers and you want to store data at one centralised place, you can use EFS to for shared storage.

More info on: https://docs.aws.amazon.com/efs/latest/ug/whatisefs.html

## Auto Scaling

Auto Scaling is a service that automatically monitors and adjusts computational resources to maintain performance for applications hosted in AWS.

We need the Cloud Watch alarms to monitor the metrics for the instance.

* For example, adding more CPU capacity in case the CPU utilisation is too high for a long time: with Cloud Watch alarms.

* Also, you can remove capacity to keep costs low.

How does it work?

* Auto Scaling uses **Launch Configuration/Template** to launch EC2 instances.

* Auto Scaling also uses **Scaling Policy** to increase and decrease the number of running instances in the group dynamically to meet changing conditions.

![](https://docs.aws.amazon.com/images/autoscaling/ec2/userguide/images/asg-basic-arch.png)

### Configuring Auto Scaling Groups

We need some requirements before setting up an Auto Scaling Group:

* A Launch template (We can use the one we created in the Load Balancer section)

* A Load balancer (without instances yet)

    - Create an empty Target group: health-tg (no instances registered)

    - Create an Application Load Balancer: health-elb (You need to create a security group for the ELB and assign the Target group in the Listeners section)

Once we have these requirements:

* Go to the Auto Scaling Groups section and click on Create Auto Scaling group:

    - Set Name: health-ASG

    - Select Launch template: health-template

    - After clicking Next, select the Availability Zones (all the zones), and Next again

    - In Load balancing: select Attach to an existing load balancer and Choose from your load balancer target groups: select health-tg

    - Health checks: Tick on the Turn on Elastic Load Balancing health checks box

    - Click on Next

    - Define the Group Size: Desired capacity: 2 and Scaling: Min desired: 1, Max desired: 4

    - Set Automatic scaling to Target tracking scaling policy:

        * Select Metric type: Average CPU utilization

        * Target value: 50

    - Click on Next and set notifications to the SNS Topic

    - Define Tags: Key: Name, Value: webserver

    - Finally, read all the setting and click on Create Auto Scaling group

You can see the Auto Scaling group crated and check the different tabs (options) available:

* Details: Use it to modify the Launch template. **All the modifications you do to your Auto Scaling group should be done to the Launch template**: Click on Edit and Update.

* Automatic Scaling: Used to check the auto scaling policy

* Instance management: Used to check the number of instances and if they are healthy or not

Whenever you make changes, go to Instance refresh and click on Start instance refresh.

* Set Minimum healthy percetage to 90% (Keep it higher than 80% to prevent traffic/capacity problems) 

**Important**: Remember these are dynamic instances. Make sure you don't store any information (dynamic information) inside instances in Auto Scaling. The storage *should be out of them by using EFS or NFS*.

## S3: Simple Storage Service

One of the most popular and oldest service of AWS.

S3 is storage for the internet. You can use S3 to store and retrieve any amount of data at any time, from anywhere on the web. It's like Google Drive or Dropbox but with many features.

**Basics**:

* Object-based storage: files can be uploaded (pictures, videos, etc.)

* Data is replicated across multiple facilities: 

* Unlimited storage

* S3 stores data as *objects* within *buckets*

* Bucket name has to be unique (we need an endpoint to access it)

**Buckets**:

A bucket is a logical unit of storage (container) in AWS.

**Object Storage**:

Computer data sotrage architecture that manages data as objects.

![](https://assets.cloudacademy.com/bakery/media/uploads/lab/blobid1-c96cfbd2-5276-479f-90a1-6b13aea01d73.png)

One very common use case of S3 is connecting it to EC2 instances which are running a service (e.g., web or app) and they require to store some file-based data. 

![](https://www.c-sharpcorner.com/article/introduction-to-aws-s3/Images/3.png)

**Differences with EFS**:

For EFS, we mount the File System at the OS level, i.e, there is a folder in the OS level. For S3, we are going to programmatically access and store data through the application.

### S3 Storage Classes

![](https://static.javatpoint.com/tutorial/aws/images/aws-storage-classes.jpg)

* **S3 Standard**: General-purpose storage of frequently accessed data. Fast access & object replication in multiple Availability Zones

* **S3 IA (Infrequent Access)**: Long-lived, but less frequently accessed data. Slow access, object replication in multiple AZ.

* **S3 One Zone-IA**: It's used for data that is accessed less frequently, but requires rapid access when needed. Slow access, no object replication.

* **S3 Intelligent Tiering**: Automatically moves data to most cost effective tier.

* **S3 Glacier**: Low-cost storage class for data archiving (rarely access, once per year for audit).

* **S3 Glacier Deep Archive**: Lowest cost storage for long time data; retrieval time of 12 hrs.

![](https://www.scaler.com/topics/images/aws-lifecycle-policies-tansition.webp)

**S3 Charges**

* Storage

* Requests

* Tiers

* Data Transfer

* Region Replication

### Creating S3 Buckets

Search for the S3 service and click on Create bucket.

* General configuration:

    - Check the region: The S3 bucket will be created in the region you are currently in.

    - Bucket type: Use General Purpose: several availability zones

    - Bucket name: It needs to be unique: s3-devops-doc

* Object Ownership: Access list of AWS account users that can access the bucket.

    - Select Access Control Lists (ACLs) *disabled*: private (Most of bucket permissions will be through policies). When we want the S3 bucket to be public, we will need to *enable* ACLs.

* Block Public Access settings:

    Whenever you upload any object in the S3 bucket, **it's by default private**. Even if you want to make it public, you cannot do it because *by default, all the public access is blocked*.

    (We'll get back to this point later)

* Bucket Versioning: Enable

    What happens if you delete data in S3 buckets? Can you recover it? -> It depends on if you have enabled versioning. With versioning, it's super easy!

* Default Encryption:

    All S3 buckets are encrypted, the thing is to select the type of encryption:

    - Server-side encryption with Amazon S3 managed keys (SSE-S3): Cheapest option 

    - Server-side encryption with AWS Key Management Service keys (SSE-KMS): Create your own encryption key. Not free! Mostly used for compliance. You own the key, so AWS doesn't have any keys.

    - Dual-layer server-side encryption with AWS Key Management Service keys (DSSE-KMS): Pricing increases

Finally, click on Create bucket!

### Uploading a file and Making it Public

Once created, select the S3 bucket and click on Upload to upload any object (e..g, a pdf file).

* When uploading, you can see the **Properties** drop-down menu and the Storage class section:

    - Select the object storage class according to your preferences/policy

* Also, you can specify a different Server-side encryption key for the specific document (different from that of S3)

Once uploaded, you can check other properties:

* Objects are not publicly accessible by default. Select an object and in the tab Properties > Object URL, you will find the public access URL. Try accessing the URL using a browser. An Access Denied error appears!

* To make it public, select the object, go to Actions > Make public using ACL. If in grey, it means that ACL is disabled on the bucket. To change this:

    - First, go to the Permissions tab, and go to Object Ownership and change it to ACLs enabled. Acknowledge that ACLs will be restored and Save changes

    - Then, go back to the Permissions tab and go to Block public access (bucket settings). Uncheck "Block all public access" (Do it only when it's really required!) and Save changes.

    - Now, you can go again to Actions > Make public using ACL. A successful message should appear!

* Check again the public URL to confirm you can access it.

**Important**: Even though you've changed the bucket permissions and block public access settings to make the bucket accessible, every object in the bucket is uploaded private (Access denied!) by default.

* You need to make it public using the step Actions > Make public using ACL.

### Hosting a Website on S3

Hosting a website on S3 is a very popular use case! Especially static websites: 

1. Select the template from tooplate.com: https://www.tooplate.com/view/2137-barista-cafe

2. Download the .zip file and extract it (saved in folder AWS > S3-cafe-barista-website).

3. We need to create two S3 buckets: 

    **1st one: website files**

    * Choose a unique name: 1st: s3-barista-web

    * Enable Bucket Versioning

    * Create bucket

    * Drag and drop all the website files into this S3 bucket and click on Upload.

    2nd one: website access logs 

    * Choose a unique name: s3-barista-accesslogs

    * Simply click on Create bucket

4. Make website bucket files public:

    * Go to Permissions tab

    * Uncheck Block public access settings

    * Edit Object Ownership by enabling ACLs

    * Go to Objects tab, select all the objects, go to Actions > Make public using ACL and click on Make public

    * The website is accessed through the main `index.html` page. S3 gives an option for hosting static websites:

        - Go to the Properties tab and scroll down until you find the Static website hosting settings

        - Edit to Enable static website hosting

        - In Index document, provide the index document `index.html`. We don't have any Error document but give the name `error.html`

        - Save changes

        - In the Static website hosting settings, you will get a public URL for the website. But, we need to configure the website access log files.

    **2nd one: website access logs**

    * Choose a unique name: s3-barista-accesslogs

5. **Before accessing the website**: Configure the 2nd S3 bucket to store the access logs

    * First, configure the s3-barista-web bucket Server access logging in the Properties tab:

        - Edit to Enable access logs 

        - In Destination, specify the bucket: Click on Browse S3, select s3-barista-accesslogs and click on Choose destination

        - Keep the default Log object key format and Save changes

6. Access the website from the public URL: You will see the website hosted

7. Check the access logs

### Lifecycle Configuration in S3

It's helpful to transition objects from one storage class to another, minimising storage costs.

Go to the S3 bucket and the Management tab. Find the Lifecycle rules settings and click on Create lifecycle run:

- Define a Lifecycle rule name: CostEffectiveTransitions

- Choose a rule scope: Apply to all objects in the bucket (depends on your documents). Acknowledge to apply to all the objects.

- Choose Lifecycle rule actions: This is important when you have versioning activated in your S3 bucket. If you want to minimise costs, you will need to do something about the non-current version files (do they get expired or permanently deleted?)

    * Move current versions of objects between storage classes: Tick

    * Move noncurrent versions of objects between storage classes: Tick when versioning

    * Expire current versions of objects: In a non-versioned bucket, expire means delete. In a versioned bucket, it means placing a delete marker

    * Permanently delete noncurrent versions of objects: For versioned buckets.

    * Delete expired object delete markerers or incomplete multipart uploads.

- Transition current versions:

    * Choose storage class transitions: E.g., Standard-IA

    * Days after object creation: Depends on your use case

    And start adding other transitions: One-Zone IA -> Glacier Flexible Retrieval -> Glacier Deep Archive (and define the days)

- Transition noncurrent versions: Similar to current versions (omit number of versions)

- Expire current versions: Set the number of days after object creation according to your use case

- Permanently delete noncurrent versions: Set the number of days after object creation according to your use case

- Delete expired object delete markers or incomplete multipart: Tick on Delete incomplete multipart uploads

- Create rule

### Replication Rules in S3

Used for disaster recovery.

Go to the Management tab, find the Replication rules settings and click on Create replication rule:

* Set a Replication rule name: DisasterRecoveryBarista

* Status: Enabled

* In Source bucket, choose a rule scope: 

    - Limit the scope of this rule using one or more filters: based on your requirements

    - Apply to all objects in the bucket

* In Destination, choose a bucket in this account or in another account

    - Create a new S3 bucket in your account or another account in a different region and enter the bucket name

    - Enable versioning in the created bucket

* IAM role: Create new role: This creates a permission on the destination bucket so the source bucket copies data in it (tick)

* Encryption: In case you want to encrypt using KMS.

* Destination storage class: Replicated data won't be accessed frequently, so you want to Change the storage class to, for example, One-Zone IA or Standard-IA

* Additional replication options: Make replication faster using Replication Time Control (RTC), for example

## Amazon Relational DataBase Service (RDS)

DB Administration:

* Installing

* Patching

* Monitoring

* Performance Tuning

* Backups

* Scaling

* Security

* Hardware Upgrades

* Storage Management 

### Amazon RDS

* Distributed relational database service

* High-availability Muli-AZ deployments

* Effortless scaling

* Read replicas for performance

### Creating a RDS

Search the RDS in the Services catalog in the Database section

RDS supports various database engines like MySQL, PostgreSQL, Oracle. If you are using MySQL or PostgreSQL, AWS recommends using **Amazon Aurora** (5 times faster than MySQL and 3 times faster than PostgreSQL). Aurora also supports up to 64Tb of auto-scaling storage capacity.

Click on Create database.

* Choose a database creation method: Standard create

* Engine options and version: Select according to your use case: MySQL, version 5.7.44

* Templates: Choose according to your use case: 

    - Production vs Dev/Test: Production provides multi AZ, and the EBS storage type is provisioned IOPS (the fastest one).

* Settings: 

    - DB instance identifier: rds-vprofile-mysql

    - Credential settings: 

        * Master username: admin

        * Credentials management: Check how Managed in AWS Secrets Manager (most secure). For now, we use Self managed and tick the Auto generate password box.

* Instance configuration:

    - Memory Optimized classes: For large databases 

    - Burstable classes: For free tier (db.t3.micro)

* Storage: 

    - Storage type: General Purpose (SSD)

    - Allocated storage: 20 GiB

    - Storage autoscaling: Enable to a maximum of 1000 GiB

* Connectivity:

    - Compute resource: Don't connect to an EC2 compute resource

    - Network type: IPv4

    - Virtual private cloud (VPC): Default VPC

    - DB subnet group: default

    - Public access: No

    - VPC security group (firewalll): Create new

    - New VPC security group name: rds-vprofile-sg

    - Availability zone: No preference

    - Additional configuration: Database port: 3306

* Database authentication: Password authentication

* Monitoring: Enable and keep defaults

* Database options: 

    - Initial database name: accounts

* Backup: Enable automated backups, retention period: 7 days, Copy tags to snapshots (tick)

* Backup replication: Enable replication in another AWS Region (Untick for Free Tier)

* Encryption: Enable encryption and keep defaults

* Log exports: Select them all: Audit, Error, General, Slow

* Maintenance: 

    - Enable if you want minor updates for the MySQL version we chose will be automatically patched.

    - Maintenance window: Select window preference if you have any

* Deletion protection: Enable if you want to prevent your RDS instance from being deleted accidentally

* Check estimated costs and click on Create Database

When created, **make sure you copy the credentials, i.e., the password for the master user (admin): eqUrQzgJZEWcwfdhULTk

You will also need the Endpoint: rds-vprofile-mysql.cx0uiwkyytbd.us-east-1.rds.amazonaws.com

### Accessing a RDS

To access a database in RDS, we need to create an E2 instance in the same region as the database using the same VPC (see the Connectivity & Security tab your recently created RDS).

Go to EC2, make sure you are in the same region (VPC) and click on Launch instance:

* Name: ec2-vprofile-db

* OS image: Ubuntu Server 22.04 (Free tier eligible)

* Create and download a Key pair: kp-vprofile-db.pem 

* Create a new Security group: vprofile-db-sg

    - Type: ssh, Source type: My IP

* Launch instance

Go back to RDS and find the endpoint for the database instance (Connectivity & security tab).

Now, log in the EC2 instance:

* Copy Public IPv4 address in the Details tab: 54.235.35.97

* Using git bash, go to the directory where the instance Key pair is located (.pem file) and log in: `ssh -i kp-vprofile-db.pem ubuntu@54.235.35.97`

* Go to root user and run `apt update` to update the instance

* Install MySQL-client: `apt install mysql-client -y`

* Access MySQL using the VPC and credentials in the previous section: 

    `mysql -h rds-vprofile-mysql.cx0uiwkyytbd.us-east-1.rds.amazonaws.com -u admin -peqUrQzgJZEWcwfdhULTk`

    - If there are connections problems (EC2 and RDS are not connecting), you can try `telnet rds-vprofile-mysql.cx0uiwkyytbd.us-east-1.rds.amazonaws.com 3306` to check the connection to the VPC on port 3306. 
    
    You will see it's not connecting. This is because the RDS security group is not allowing any connection from the EC2 instance (similar to the ELB exercise)

**Fixing connection problem:

Go to RDS in AWS:

* In the Connectivity & security tab, check Security > VPC security groups

    - Click on it and check the Inbound rules (so far, only allows connection from MyIP)

    - Edit inbound rules: Remove the current IP and add the following inbound rule:

        Type: MYSQL/Aurora, Source: Custom, Search for the EC2 instance security group: sg-077df06bf2a170293 (vprofile-db-sg) OR

        Type: MYSQL/Aurora, Source: Custom, Go to your EC2 instance and search for the Private IPv4 addresses: 172.31.27.100/32

    - Click on Save rules

Go again to the git bash and try the connection between the EC2 instance and the MySQL db.

The `mysql >` command should appear.

* Run the usual SQL commands and use it to implement your database

**Stop the RDS service to reduce computation costs**: Go to RDS and select the database, then go to Actions > Stop