
AWS Certified Solutions Architect - Associate

Published: (180 min read)  at 03:23 PM


AWS FUNDAMENTALS

AWS Well-Architected Framework

The AWS Well-Architected Framework helps you understand the pros and cons of decisions you
make while building systems on AWS. Using the Framework helps you learn architectural best
practices for designing and operating secure, reliable, efficient, cost-effective, and sustainable
workloads in the AWS Cloud. It provides a way for you to consistently measure your architectures
against best practices and identify areas for improvement.

The pillars of the AWS Well-Architected Framework :

Operational excellence : The ability to support development and run workloads effectively, gain insight into their operations, and continuously improve supporting processes and procedures to deliver business value.

Security : How to take advantage of cloud technologies to protect data, systems, and assets in a way that improves your security posture.

Reliability : The ability of a workload to perform its intended function correctly and consistently when it is expected to, including the ability to operate and test the workload through its total lifecycle.

Performance efficiency : The ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve.

Cost optimization : The ability to run systems to deliver business value at the lowest price point.

Sustainability : The ability to continually reduce the environmental impact of a workload by cutting energy consumption and increasing efficiency across all of its components, maximizing the benefit from provisioned resources and minimizing the total resources required.


Identity Access Management (IAM)


IAM lets you manage identities (users, groups and roles) and what each of them is allowed to do in your AWS account, whether they come in through the console, the CLI or the APIs.

IAM is a global service and the central point of access control in AWS: every other AWS service checks with IAM before it serves a request.

Root account :

The root account is the identity created with the email address you used to sign up for AWS. It has full, unrestricted access to everything in the account, so it is the first thing to secure.

The root user can also have an access key ID and secret access key, the equivalent of a username and password for programmatic (CLI/API) access. They are not created automatically, and best practice is not to create them for root at all; if a root access key exists, delete it.

Four steps to secure your AWS root account: enable multi-factor authentication (MFA) on the root user, use a strong and unique password, do not keep root access keys, and use the root user only for the few tasks that require it, doing day-to-day work as IAM identities with least privilege.

How do we control permissions ?

We assign permissions with policy documents written in JSON (JavaScript Object Notation).

A policy is a documented set of rules that grants or limits access. Users, groups and roles get their permissions by having policies attached to them. You can write custom policies for your specific needs or use the managed policies that AWS maintains.


The Building Blocks of IAM :

User : an individual end user such as an employee, system architect, CTO, etc.

Groups : a collection of users with shared permissions, such as system administrators, HR employees or finance teams. Each user in a group inherits the permissions attached to the group.

Roles : an identity for a software component or service that needs permissions to do its job, e.g. an AWS Lambda function that needs write access to S3, or a fleet of EC2 instances that needs read access to an RDS MySQL database.
A role is similar to an IAM user, but instead of being associated with one person it is intended to be assumed by whoever (or whatever) needs it. A role has no long-term credentials; assuming it returns temporary credentials that expire.

It is best practice for users to inherit permissions from groups, because managing permissions person by person quickly becomes unmanageable and error-prone.


Always work on the principle that one user equals one physical person. Never share user accounts across multiple people.

The principle of least privilege :

Only assign a user the minimum set of privileges needed to do their job.


Priority Levels in IAM:

Explicit Deny: Denies access to a particular resource. An explicit Deny in any policy that applies to the request cannot be overruled by any Allow.

Explicit Allow: Allows access to a particular resource so long as there is not an associated Explicit Deny.

Default Deny (or Implicit Deny): IAM identities start off with no resource access. Access instead must be granted.
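The three priority levels above in working code, as an added example that is not from the original page: a small Python evaluator that applies IAM's order of evaluation (explicit Deny first, then explicit Allow, otherwise implicit Deny) to two constructed policy documents. The policy contents, bucket names and request ARNs are made up for illustration, and the evaluator models only Action/Resource matching with `*` wildcards (no NotAction, conditions or resource-based policies).

```python
"""IAM evaluation order, modelled: explicit Deny > explicit Allow > implicit Deny.
Added example; the policies and ARNs below are constructed, not from the page."""
import fnmatch
import json

# Constructed identity policy: read-only S3, plus a Deny on one sensitive bucket.
READONLY_WITH_DENY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3Read",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": "*"
    },
    {
      "Sid": "DenyFinanceBucket",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::finance-reports",
                   "arn:aws:s3:::finance-reports/*"]
    }
  ]
}
""")

# Constructed "AdministratorAccess"-style policy, as if attached through a group.
ADMIN = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    """IAM-style wildcard match: '*' matches anything, '?' one character.
    Action names are case-insensitive in IAM; resource ARNs are not."""
    patterns = _as_list(patterns)
    if case_insensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource):
    """Decide one request against every attached policy.
    Returns 'Deny' (explicit or implicit) or 'Allow'."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if "Action" not in stmt:
                continue  # NotAction statements are out of scope here
            if not (_matches(stmt["Action"], action, case_insensitive=True)
                    and _matches(stmt["Resource"], resource)):
                continue  # statement does not apply to this request
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit Deny: final, regardless of any Allow
            allowed = True     # explicit Allow: remembered, but a later Deny still wins
    return "Allow" if allowed else "Deny"  # nothing matched: implicit Deny


if __name__ == "__main__":
    requests = [
        ([READONLY_WITH_DENY], "s3:GetObject", "arn:aws:s3:::public-site/index.html"),
        ([READONLY_WITH_DENY], "s3:PutObject", "arn:aws:s3:::public-site/index.html"),
        ([READONLY_WITH_DENY, ADMIN], "s3:GetObject", "arn:aws:s3:::finance-reports/q1.pdf"),
        ([ADMIN], "ec2:TerminateInstances", "*"),
    ]
    for policies, action, resource in requests:
        print(f"{action:24} {resource:45} -> {evaluate(policies, action, resource)}")
```

The third request is the one to remember: the admin policy's `Allow *` does not rescue access to the finance bucket, because the Deny in the other policy takes precedence. That is why a Deny on a sensitive resource is the right place to put a guardrail that even over-privileged identities cannot get past.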

Identity providers and federation :

If you already manage user identities outside of AWS, you can use identity providers instead of creating IAM users in your AWS account. With an identity provider (IdP), you can manage your user identities outside of AWS and give these external user identities permissions to use AWS resources in your account. This is useful if your organization already has its own identity system, such as a corporate user directory. It is also useful if you are creating a mobile app or web application that requires access to AWS resources.

AWS STS

AWS Security Token Service (AWS STS) is the service that you can use to create and provide trusted users with temporary security credentials that can control access to your AWS resources.

Simple Storage Service (S3)

S3 stands for Simple Storage Service and it’s a object storage in the cloud.


S3 is object-based storage, which means it manages data as whole objects rather than as files in a file system or as disk blocks.

Example : you can store photos, videos, code, documents, text files and so on.
S3 is for static files: you cannot run a database engine or boot an operating system from it, because those need block storage (such as EBS).

S3 basics

Working with S3 Buckets

  1. Universal Namespace : All AWS accounts share the S3 namespace. Each S3 bucket name is globally unique.
  2. Example S3 URLs :
https://bucket-name.s3.region.amazonaws.com/key-name
https://acloudguru.s3.us-east-1.amazonaws.com/Ralphie.jpg
  3. Uploading Files : When you upload a file to an S3 bucket, you receive an HTTP 200 response if the upload succeeded.
S3 works on a key-value principle:
As S3 works on a key value principle -

- Key : The name of the object (e.g., Ralphie.jpg).

- Value : The data itself, which is made up of a sequence of bytes.

- Version ID : Important for storing multiple versions of the same object.

- Metadata : Data about the data you are storing (e.g., content-type, last-modified, etc).

S3 is Highly available and highly durable

Securing your data in S3

  1. Server-Side Encryption : You can set default encryption on a bucket so that every new object is encrypted when it is stored.
  2. Access Control Lists (ACLs) : Define which AWS accounts or groups are granted access and what type of access. ACLs can be attached to individual objects within a bucket. AWS now recommends disabling ACLs (Object Ownership set to "bucket owner enforced") and managing access with policies instead; ACLs remain mainly for legacy cases.
  3. Bucket Policies : Resource-based JSON policies that specify which actions are allowed or denied on the bucket (e.g., allow user Alice to PUT but not DELETE objects in the bucket).

Securing your data with ACLs and Bucket Policies :

Versioning in S3:

You can enable versioning on a bucket so that S3 keeps multiple versions of an object instead of overwriting it.

Objects uploaded after versioning is enabled get a unique version ID. Objects that already existed when you enabled versioning keep a version ID of null until they are overwritten.

Permissions set on an individual object version (for example making one version public with an ACL) do not carry over to new versions you upload; a bucket policy, by contrast, applies to every version it matches.

Amazon S3 Storage Classes

Amazon S3 offers a range of storage classes that you can choose from based on the data access, resiliency, and cost requirements of your workloads. S3 storage classes are purpose-built to provide the lowest cost storage for different access patterns. S3 storage classes are ideal for virtually any use case, including those with demanding performance needs, data residency requirements, unknown or changing access patterns, or archival storage. (Low priority for the exam; skim this if short on time.)


General purpose -

S3 Standard

  1. High Availability and Durability Data is stored redundantly across multiple devices in multiple facilities (>=3 AZs):

    • 99.99% availability
    • 99.999999999% durability (11 9’s)
  2. Perfect for frequently accessed data.

  3. Suitable for Most Workloads :

    • The default storage class.
    • Use cases include websites, content distribution, mobile and gaming applications, and big data analytics.

Infrequent access -

S3 Standard-Infrequent Access (S3 Standard-IA)

DESIGNED FOR INFREQUENTLY ACCESSED DATA

  1. Rapid Access : Used for data that is accessed less frequently but requires rapid access when needed.
  2. You Pay to Access the Data : There is a low per-GB storage price and a per-GB retrieval fee.
  3. Use Cases : Great for long-term storage, backups, and as a data store for disaster recovery files.

S3 One Zone Infrequent Access

Like S3 Standard-IA, but data is stored redundantly within a single AZ.

99.5% availability and 99.999999999% (11 9's) durability.

Unknown or changing access -

Amazon S3 Intelligent-Tiering

Amazon S3 Intelligent-Tiering automatically moves each object to the most cost-effective access tier based on how often it is accessed, with no performance impact, no retrieval fees and no operational overhead; there is a small monthly monitoring and automation charge per object.

99.99% Availability & 99.999999999% (11 9's) Durability


Archive -

The Amazon S3 Glacier storage classes are purpose-built for data archiving, and are designed to provide you with the highest performance, the most retrieval flexibility, and the lowest cost archive storage in the cloud.

Amazon Glacier Instant Retrieval

Amazon S3 Glacier Instant Retrieval is an archive storage class that delivers the lowest-cost storage for long-lived data that is rarely accessed and requires retrieval in milliseconds.

Amazon S3 Glacier Flexible Retrieval

S3 Glacier Flexible Retrieval delivers low-cost storage, up to 10% lower cost (than S3 Glacier Instant Retrieval), for archive data that is accessed 1—2 times per year and is retrieved asynchronously. For archive data that does not require immediate access but needs the flexibility to retrieve large sets of data at no cost, such as backup or disaster recovery use cases.

Amazon S3 Glacier Deep Archive

S3 Glacier Deep Archive is Amazon S3’s lowest-cost storage class and supports long-term retention and digital preservation for data that may be accessed once or twice in a year. It is designed for customers—particularly those in highly-regulated industries, such as financial services, healthcare, and public sectors—that retain data sets for 7—10 years or longer to meet regulatory compliance requirements. S3 Glacier Deep Archive can also be used for backup and disaster recovery use cases, and is a cost-effective and easy-to-manage alternative to magnetic tape systems.

Lifecycle Management with S3

S3 Object Lock

You can use S3 Object Lock to store objects using a write once, read many (WORM) model. It can help prevent objects from being deleted or modified for a fixed amount of time or indefinitely.

You can use S3 Object Lock to meet regulatory requirements that require WORM storage, or add an extra layer of protection against object changes and deletion.

S3 Object Lock has two retention modes :

Governance Mode : Users cannot overwrite or delete an object version or alter its lock settings unless they have the s3:BypassGovernanceRetention permission and explicitly request the bypass in their request (the x-amz-bypass-governance-retention header).

Governance mode protects objects from being deleted by most users while still letting you grant a few users permission to alter the retention settings or delete the object if necessary.

Compliance Mode :
In compliance mode, a protected object version can’t be overwritten or deleted by any user, including the root user in your AWS account. When an object is locked in compliance mode, its retention mode can’t be changed and its retention period can’t be shortened. Compliance mode ensures an object version can’t be overwritten or deleted for the duration of the retention period.

Retention Periods

A retention period protects an object version for a fixed amount of time. When you place a retention period on an object version, Amazon S3 stores a timestamp in the object version’s metadata to indicate when the retention period expires.

After the retention period expires, the object version can be overwritten or deleted unless you also placed a legal hold on the object version.

S3 Object Lock also enables you to place a legal hold on an object version. Like a retention period, a legal hold prevents an object version from being overwritten or deleted. However, a legal hold doesn’t have an associated retention period and remains in effect until removed.
Legal holds can be placed and removed by any user who has the s3:PutObjectLegalHold permission.

Glacier Vault Lock

S3 Glacier Vault Lock allows you to easily deploy and enforce compliance controls for individual
S3 Glacier vaults with a vault lock policy. You can specify controls, such as WORM, in a vault lock policy and lock the policy from future edits.
Once locked, the policy can no longer be changed.

Encrypting S3 Objects -

Types of Encryption :

  1. Encryption in Transit :

    Traffic passing between one endpoint and another is indecipherable to anyone eavesdropping between server A and server B. For S3 this is provided by HTTPS (TLS) on the S3 endpoints. S3 still accepts plain HTTP unless you forbid it, so to enforce encryption in transit add a bucket policy that denies requests where the aws:SecureTransport condition key is false.

- SSL/TLS
- HTTPS
  2. Encryption at Rest :

    Data sitting inside S3 is stored encrypted, so someone who obtains the underlying storage still cannot read it. Encryption at rest can be done on the server side or the client side. Server-side means S3 encrypts your data as it is written to disk and decrypts it when you access it. Client-side means you encrypt the object yourself and then upload the ciphertext to S3.

Server-Side Encryption -

S3 encrypts each object as it is written to disk and decrypts it when an authorized request reads it. There are three ways to manage the keys:

S3 Managed Keys / SSE-S3 (server-side encryption with S3-managed keys)

Amazon manages the encryption keys for you automatically, using AES-256. You concede a little control to Amazon in exchange for ease of use: there is no key policy to write and no per-key audit trail.

AWS Key Management Service / SSE-KMS

The per-object data keys are generated and protected by a key in AWS KMS that you control. You get a key policy, CloudTrail logging of every key use, and the ability to require a specific key; each upload and download makes a KMS call unless S3 Bucket Keys are enabled.

Server-Side Encryption with customer-provided keys / SSE-C

You supply your own key with every request; S3 uses it to encrypt or decrypt the object and then discards it without storing it. You concede ease of use (you must manage and supply the keys, and use HTTPS) in exchange for more control.

Client-Side Encryption -

You encrypt the files yourself before you upload them to S3.

All Amazon S3 buckets now have encryption configured by default: every new object is automatically encrypted with server-side encryption using Amazon S3 managed keys (SSE-S3) unless you specify another method, and this applies to all objects in the bucket.

Every time a file is uploaded to S3, a PUT request is made; the encryption choice is signalled in that request's headers.


Enforcing Server-Side Encryption using bucket policy

  1. x-amz-server-side-encryption

    If the file is to be encrypted at upload time, the x-amz-server-side-encryption header is included in the request.

  2. The two values covered here :

    x-amz-server-side-encryption : AES256
    (SSE-S3, S3-managed keys)

    x-amz-server-side-encryption : aws:kms
    (SSE-KMS, KMS-managed keys; the optional x-amz-server-side-encryption-aws-kms-key-id header names the key)

  3. PUT Request Header

    When this header is present on a PUT request, it tells S3 to encrypt the object at upload time using the specified method. A bucket policy can deny any PUT that omits the header or carries the wrong value, which is how you enforce a particular encryption type.
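The enforcement pattern behind these headers, as an added example that is not from the original page: a bucket policy with three Deny statements (wrong header value, header absent, plain-HTTP transport) and a small Python evaluator that runs constructed PUT and GET requests through the policy's Condition blocks. The bucket name `example-bucket` and the request contexts are made up. Since January 2023 S3 applies SSE-S3 to every new object anyway, so a policy like this is really about forcing SSE-KMS (and HTTPS) rather than forcing encryption as such. The evaluator reproduces the documented IAM rule that a condition key missing from the request never satisfies StringNotEquals, which is why a separate Null statement is needed to catch uploads that omit the header.

```python
"""Bucket policy that forces SSE-KMS and HTTPS, plus a condition evaluator.
Added example; bucket name and request contexts are constructed."""
import fnmatch
import json

BUCKET_ARN = "arn:aws:s3:::example-bucket"  # hypothetical bucket

ENFORCE_SSE_KMS_AND_TLS = json.loads(f"""
{{
  "Version": "2012-10-17",
  "Statement": [
    {{
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "{BUCKET_ARN}/*",
      "Condition": {{"StringNotEquals": {{"s3:x-amz-server-side-encryption": "aws:kms"}}}}
    }},
    {{
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "{BUCKET_ARN}/*",
      "Condition": {{"Null": {{"s3:x-amz-server-side-encryption": "true"}}}}
    }},
    {{
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["{BUCKET_ARN}", "{BUCKET_ARN}/*"],
      "Condition": {{"Bool": {{"aws:SecureTransport": "false"}}}}
    }}
  ]
}}
""")


def _condition_matches(operator, key, expected, context):
    """One IAM condition against the request context (single-valued keys only)."""
    expected = expected if isinstance(expected, list) else [expected]
    present = key in context
    if operator == "Null":
        # Null/"true" matches when the key is ABSENT, Null/"false" when it is present.
        return present != (expected[0].lower() == "true")
    if not present:
        # IAM rule: a missing key never satisfies a non-IfExists operator, so
        # StringNotEquals on its own cannot catch a request without the header.
        return False
    actual = str(context[key])
    if operator == "StringEquals":
        return actual in expected
    if operator == "StringNotEquals":
        return actual not in expected
    if operator == "Bool":
        return actual.lower() == expected[0].lower()
    raise ValueError(f"operator {operator} not modelled in this example")


def _glob(patterns, value):
    # Case folding is a simplification: actions are case-insensitive in IAM, ARNs are not.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def denied_by(policy, action, resource, context):
    """Sids of Deny statements whose Action, Resource and every Condition match.
    An empty list means nothing in this policy denies the request."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not (_glob(stmt["Action"], action) and _glob(stmt["Resource"], resource)):
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_matches(op, key, val, context)
               for op, pairs in conditions.items() for key, val in pairs.items()):
            hits.append(stmt["Sid"])
    return hits


OBJECT = f"{BUCKET_ARN}/reports/2024.csv"
# Constructed request contexts: what S3 sees for each call.
PUT_KMS_TLS = {"s3:x-amz-server-side-encryption": "aws:kms", "aws:SecureTransport": "true"}
PUT_SSE_S3 = {"s3:x-amz-server-side-encryption": "AES256", "aws:SecureTransport": "true"}
PUT_NO_HDR = {"aws:SecureTransport": "true"}
PUT_HTTP = {"s3:x-amz-server-side-encryption": "aws:kms", "aws:SecureTransport": "false"}
GET_HTTP = {"aws:SecureTransport": "false"}

if __name__ == "__main__":
    for name, action, ctx in [("PUT kms/https", "s3:PutObject", PUT_KMS_TLS),
                              ("PUT AES256", "s3:PutObject", PUT_SSE_S3),
                              ("PUT no header", "s3:PutObject", PUT_NO_HDR),
                              ("PUT kms/http", "s3:PutObject", PUT_HTTP),
                              ("GET http", "s3:GetObject", GET_HTTP)]:
        verdict = denied_by(ENFORCE_SSE_KMS_AND_TLS, action, OBJECT, ctx)
        print(f"{name:14} -> {verdict or 'not denied by this policy'}")
```

The `PUT AES256` case shows the policy rejecting an SSE-S3 upload, and `PUT no header` shows the Null statement doing the work the StringNotEquals statement cannot. Apply the real policy with `aws s3api put-bucket-policy --bucket example-bucket --policy file://policy.json` and test it the same way with a PUT that omits the header.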


If you want to change the encryption type of any object then just go to the object in the bucket and scroll down and you’ll see Server-side encryption settings.

Optimizing S3 Performance

Types of Prefixes :

  1. mybucketname/folder1/subfolder1/myfile.jpg > prefix /folder1/subfolder1
  2. mybucketname/folder2/subfolder1/myfile.jpg > prefix /folder2/subfolder1
  3. mybucketname/folder3/myfile.jpg > prefix /folder3
  4. mybucketname/folder4/subfolder4/myfile.jpg > prefix /folder4/subfolder4

S3 has very low latency: you can get the first byte out of S3 within 100-200 milliseconds.

You can also achieve a high number of requests: at least 3,500 PUT/COPY/POST/DELETE and 5,500 GET/HEAD requests per second per prefix, so spreading reads and writes across multiple prefixes multiplies the throughput you can get.

S3 LIMITATIONS WHEN USING KMS

KMS Request Rates

With SSE-KMS, every upload calls KMS (GenerateDataKey) and every download calls KMS (Decrypt), and those calls count against the KMS requests-per-second quota for your account in that Region. A busy bucket can therefore be throttled by KMS before it reaches the S3 per-prefix limits. Mitigations: request a KMS quota increase, or enable S3 Bucket Keys, which let S3 derive data keys from a bucket-level key and cut the number of KMS requests dramatically.

S3 Performance: Uploads

Multipart Uploads

Split a large object into parts and upload them in parallel; S3 reassembles them. Recommended for objects over 100 MB and required for objects over 5 GB (the single-PUT limit). Parallel parts raise throughput and let a failed part be retried on its own.

S3 Performance: Downloads

S3 Byte-Range Fetches

Use the HTTP Range header to fetch only part of an object, or to download a large object as several ranges in parallel. This raises throughput, lets a failed range be retried alone, and lets you read just the bytes you need (for example a file header).

Backing up Data with S3 Replication

Replication enables automatic, asynchronous copying of objects across Amazon S3 buckets. Buckets that are configured for object replication can be owned by the same AWS account or by different accounts. You can replicate objects to a single destination bucket or to multiple destination buckets. The destination buckets can be in different AWS Regions or within the same Region as the source bucket.

  1. Versioning must be enabled on both the source and destination buckets.
  2. Objects already in the bucket are not replicated automatically when replication is turned on (use S3 Batch Replication for those); objects uploaded or updated afterwards are replicated.
  3. Delete markers are not replicated by default (delete marker replication can be enabled), and deleting an individual version or delete marker is never replicated, so deleting an object in the source bucket does not delete it in the destination bucket.

Elastic Compute Cloud(EC2)


Amazon Elastic Compute Cloud (Amazon EC2) provides on-demand, scalable computing capacity in the Amazon Web Services (AWS) Cloud. Using Amazon EC2 reduces hardware costs so you can develop and deploy applications faster. You can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage. You can add capacity (scale up) to handle compute-heavy tasks, such as monthly or yearly processes, or spikes in website traffic. When usage decreases, you can reduce capacity (scale down) again.
Its configuration at launch is a live copy of the Amazon Machine Image (AMI) that you specify when you launched the instance.

Like a VM, only hosted in AWS instead of your own data center.

EC2 has an extremely reduced time frame for provisioning and booting new instances and EC2 ensures that you pay as you go, pay for what you use, pay less as you use more, and pay even less when you reserve capacity. When your EC2 instance is running, you are charged on CPU, memory, storage, and networking. When it is stopped, you are only charged for EBS storage.

EC2 Pricing Options

On Demand Instances -

  1. Low cost and flexibility of Amazon EC2 without any upfront payment or long-term commitment.
  2. Used for applications with short-term, spiky or unpredictable workloads that cannot be interrupted.
  3. Used for applications being developed or tested on Amazon EC2 for the first time.

Reserved Instances -

  1. Used for applications with steady-state or predictable usage.
  2. Used for applications that require reserved capacity.
  3. You can make upfront payments to reduce the total computing cost even further.
  4. Standard RIs save up to 72% off the On-Demand price.
  5. Convertible RIs save up to 54% off the On-Demand price and can be exchanged for a different RI type of equal or greater value.
  6. Scheduled RIs launch within the time window you define, matching your capacity reservation to a predictable recurring schedule that only needs a fraction of a day, week or month.

*Reserved Instances can be regional (the discount applies anywhere in the Region) or zonal (capacity is reserved in one Availability Zone).

Savings Plans -

  1. Save up to 72% : EC2 Instance Savings Plans (tied to an instance family in a Region) save up to 72%; Compute Savings Plans, which apply to any instance type or Region, save up to 66%.
  2. Commit to 1 or 3 years : Commit to a specific amount of compute spend (in dollars per hour) for a 1-year or 3-year term.
  3. Super flexible : Not only EC2; Compute Savings Plans also cover Fargate and Lambda.

Standard Reserved vs. Convertible Reserved vs. Scheduled Reserved:

Spot Instances -

A Spot Instance is an instance that uses spare EC2 capacity that is available for less than the On-Demand price. Because Spot Instances enable you to request unused EC2 instances at steep discounts, you can lower your Amazon EC2 costs significantly. The hourly price for a Spot Instance is called a Spot price. The Spot price of each instance type in each Availability Zone is set by Amazon EC2, and is adjusted gradually based on the long-term supply of and demand for Spot Instances. Your Spot Instance runs whenever capacity is available.


To terminate your spot instances you need to first cancel the spot request and then terminate the instances.

When to use spot instances :


When not to use spot instances :

Spot Fleet :

A Spot Fleet is a set of Spot Instances and optionally On-Demand Instances that is launched based on criteria that you specify. The Spot Fleet selects the Spot capacity pools that meet your needs and launches Spot Instances to meet the target capacity for the fleet. By default, Spot Fleets are set to maintain target capacity by launching replacement instances after Spot Instances in the fleet are terminated. You can submit a Spot Fleet as a one-time request, which does not persist after the instances have been terminated. You can include On-Demand Instance requests in a Spot Fleet request.

You can have the following strategies with Spot Fleets :

Dedicated Hosts -

  1. Compliance : Regulatory requirements that may not support multi-tenant virtualization.
  2. Licensing : Great for licensing that does not support multi-tenancy or cloud deployments.
  3. On-Demand : Can be purchased on-demand (hourly).
  4. Reserved : Can be purchased as a reservation for up to 70% off the on-demand price.

Dedicated Hosts allow you to use your existing per-socket, per-core, or per-VM software licenses. When you bring your own license, you are responsible for managing your own licenses. However, Amazon EC2 has features that help you maintain license compliance, such as instance affinity and targeted placement.

Instance state / Description / Billing :

pending : The instance is preparing to enter the running state. An instance enters the pending state when it launches for the first time, or when it is started after being stopped. Not billed.

running : The instance is running and ready for use. Billed.

stopping : The instance is preparing to be stopped or stop-hibernated. Not billed if preparing to stop; billed if preparing to hibernate.

stopped : The instance is shut down and cannot be used. It can be started at any time. Not billed (attached EBS volumes are still charged).

shutting-down : The instance is preparing to be terminated. Not billed.

terminated : The instance has been permanently deleted and cannot be started. Not billed.

Roles in AWS

An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.

Security Groups and Bootstrap Scripts

Note -

  • Linux : SSH - PORT 22
  • Windows : RDP - PORT 3389
  • HTTP : WEB BROWSING - PORT 80
  • HTTPS : ENCRYPTED WEB BROWSING (SSL) - PORT 443

Security Groups :

Security groups are virtual firewalls for your EC2 instances. By default a new security group blocks all inbound traffic and allows all outbound traffic. Rules are allow-only (there are no deny rules) and stateful: the response to allowed traffic is let back through automatically.

A source of 0.0.0.0/0 (or ::/0 for IPv6) means "from anywhere on the internet". That is normal for ports 80 and 443 on a public web server and dangerous for SSH (22) or RDP (3389); restrict those to known addresses, a bastion host or a VPN.

To communicate with your EC2 instances via SSH/RDP/HTTP, you need to open the corresponding inbound ports.
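A check a practitioner would run against the rule just described, as an added example that is not from the original page: parse the JSON that `aws ec2 describe-security-groups` returns and flag every inbound rule that exposes SSH or RDP to 0.0.0.0/0 or ::/0, including rules that do so indirectly through a wide port range or an all-protocols (`-1`) rule. The `SecurityGroups` document below is a constructed sample in that output's shape; the group IDs and CIDRs are made up.

```python
"""Find security-group rules that open admin ports to the whole internet.
Added example; the describe-security-groups document is constructed."""
import json

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample of `aws ec2 describe-security-groups` output (trimmed).
SAMPLE = json.loads("""
{
  "SecurityGroups": [
    {"GroupId": "sg-0aaa111", "GroupName": "web", "IpPermissions": [
      {"IpProtocol": "tcp", "FromPort": 80,  "ToPort": 80,
       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
      {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
      {"IpProtocol": "tcp", "FromPort": 22,  "ToPort": 22,
       "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}
    ]},
    {"GroupId": "sg-0bbb222", "GroupName": "bastion-bad", "IpPermissions": [
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
    ]},
    {"GroupId": "sg-0ccc333", "GroupName": "wide-open", "IpPermissions": [
      {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
    ]},
    {"GroupId": "sg-0ddd444", "GroupName": "dev-range", "IpPermissions": [
      {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
       "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
    ]}
  ]
}
""")


def _internet_sources(rule):
    """CIDRs on this rule that mean 'anywhere' (IPv4 or IPv6)."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return sorted(c for c in cidrs if c in ANYWHERE)


def _admin_ports_in(rule):
    """Admin ports this rule admits. Protocol -1 means all protocols and all
    ports, and then FromPort/ToPort are absent from the API output."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return set(ADMIN_PORTS)
    if proto not in ("tcp", "6"):
        return set()
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return {p for p in ADMIN_PORTS if lo <= p <= hi}


def find_exposed_admin_ports(describe_output):
    """Return (group_id, port, service, sources) for every exposed admin port."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            sources = _internet_sources(rule)
            if not sources:
                continue  # restricted source: acceptable even on port 22
            for port in sorted(_admin_ports_in(rule)):
                findings.append((sg["GroupId"], port, ADMIN_PORTS[port], ",".join(sources)))
    return findings


if __name__ == "__main__":
    for group, port, service, sources in find_exposed_admin_ports(SAMPLE):
        print(f"{group}: {service} ({port}/tcp) open to {sources}")
```

In practice feed `aws ec2 describe-security-groups --output json` into `find_exposed_admin_ports`. Note that the `web` group is clean even though it contains a port 22 rule, because that rule's source is a single /24, while `dev-range` is flagged for RDP without ever mentioning port 3389: a 3000-4000 range from `::/0` covers it.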

Bootstrap scripts :

A script that runs when an instance first runs.

Ex :

#!/bin/bash
# Runs once, as root, on first boot (user data): installs and starts Apache.
yum install httpd -y          # installs apache
systemctl start httpd         # starts apache now
systemctl enable httpd        # starts apache again on every later boot

Adding these tasks at boot time adds to the amount of time it takes to boot the instance.
However, it allows you to automate the installation of applications.

EC2 Metadata & Userdata

EC2 metadata is simply data about your EC2
instance.

This can include information such as private IP address, public IP
address, hostname, security groups, etc.

Using the curl command from inside the instance, we can query its metadata.

With a simple bootstrap (user data) script we can use curl to save EC2 metadata, for example into a web page.

Implementation -

  1. Create an EC2 instance and paste one of the bootstrap scripts below as its user data. Add HTTP, HTTPS and SSH inbound rules to its security group, and under the advanced details enable the instance metadata service and choose the IMDS (Instance Metadata Service) version you want to use. IMDSv1 answers plain GET requests; IMDSv2 requires a session token obtained with a PUT, so code on the instance that can only make a GET (for example an SSRF-style request routed through a web application) cannot read the metadata.

For IMDSv1

Use an Amazon Linux 2 instance

#!/bin/bash
yum update -y
yum install httpd -y
systemctl start httpd
systemctl enable httpd
cd /var/www/html
echo "<html><body><h1>My IP is" > index.html
# IMDSv1: a plain GET to the link-local metadata address, no token needed
curl -s http://169.254.169.254/latest/meta-data/public-ipv4 >> index.html
echo "</h1></body></html>" >> index.html

For IMDSv2

Use Amazon Linux 2023 instance

#!/bin/bash
yum update -y
yum install httpd -y
systemctl start httpd
systemctl enable httpd
cd /var/www/html
echo "<html><body><h1>My IP is" > index.html
# IMDSv2: first obtain a session token with a PUT (TTL up to 21600 seconds = 6 hours)...
TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
# ...then present that token on every metadata GET
PUBLIC_IP=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/public-ipv4)
echo "$PUBLIC_IP" >> index.html
echo "</h1></body></html>" >> index.html
  2. Copy the instance's public IPv4 address and open it in a browser; the page shows that same address, read from the metadata service.
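The token handshake that the IMDSv2 script performs with curl, shown from both sides as an added example that is not from the original page: a tiny stand-in for the metadata service on 127.0.0.1 that behaves like IMDS with `HttpTokens=required`, and a Python client that does the PUT-for-token then GET-with-token sequence. The metadata values, the listening port and the error bodies are constructed for the example; the real service is at 169.254.169.254, and its 21600-second token TTL limit is real.

```python
"""IMDSv2 handshake, both sides. Added example; the fake endpoint, its metadata
values and its port are constructed stand-ins for 169.254.169.254."""
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_HDR = "X-aws-ec2-metadata-token"
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"
MAX_TTL = 21600  # six hours, the real IMDSv2 maximum


class FakeImds(BaseHTTPRequestHandler):
    """Behaves like IMDS with HttpTokens=required: GET without a valid token -> 401."""
    tokens = set()
    metadata = {  # constructed values
        "/latest/meta-data/public-ipv4": "198.51.100.7",
        "/latest/meta-data/iam/security-credentials/": "web-role",
    }

    def log_message(self, *args):  # keep the example quiet
        pass

    def do_PUT(self):
        ttl = self.headers.get(TTL_HDR)
        if self.path != "/latest/api/token" or ttl is None:
            return self._reply(400, "missing token TTL header")
        if not ttl.isdigit() or not 1 <= int(ttl) <= MAX_TTL:
            return self._reply(400, "TTL out of range")
        token = secrets.token_urlsafe(32)
        FakeImds.tokens.add(token)
        self._reply(200, token)

    def do_GET(self):
        if self.headers.get(TOKEN_HDR) not in FakeImds.tokens:
            return self._reply(401, "Unauthorized")  # IMDSv1-style plain GET is refused
        body = self.metadata.get(self.path)
        self._reply(200, body) if body is not None else self._reply(404, "not found")

    def _reply(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_fake_imds():
    """Start the stand-in on a free loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), FakeImds)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def imds_token(base_url, ttl=MAX_TTL):
    """Step 1 of IMDSv2: PUT /latest/api/token with the TTL header."""
    req = urllib.request.Request(f"{base_url}/latest/api/token", method="PUT",
                                 headers={TTL_HDR: str(ttl)})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def imds_get(base_url, path, token=None):
    """Step 2: GET a metadata path, presenting the token. Returns (status, body)."""
    req = urllib.request.Request(f"{base_url}{path}")
    if token:
        req.add_header(TOKEN_HDR, token)
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def fetch_public_ip(base_url):
    """The same sequence the user-data script runs with curl."""
    return imds_get(base_url, "/latest/meta-data/public-ipv4", imds_token(base_url))


if __name__ == "__main__":
    server, base = start_fake_imds()
    print("plain GET (IMDSv1 style):", imds_get(base, "/latest/meta-data/public-ipv4"))
    print("token handshake (IMDSv2):", fetch_public_ip(base))
    server.shutdown()
```

Two operational settings go with this: `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required` makes the real service behave like the stand-in (no token, no answer), and `--http-put-response-hop-limit 1` stops the token response from travelling more than one network hop, so a process one hop away from the instance (a container on its own bridge network, a proxy) cannot obtain a token at all.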

Networking with EC2

An ENI will be attached by default to the ec2 instance you create.

Security Groups

Security Groups are used to control access (SSH, HTTP, RDP, etc.) with EC2. They act as a virtual firewall for your instances to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance and security groups act at the instance level, not the subnet level.

Security Groups Key Details:

You can attach three types of virtual network interface to your EC2 instances: ENI, ENA (enhanced networking) and EFA.

Elastic Network Interfaces

ENI Simplified: An elastic network interface is a networking component that represents a virtual network card. When you provision a new instance, there will be an ENI attached automatically and you can create and configure additional network interfaces if desired. When you move a network interface from one instance to another, network traffic is redirected to the new instance.

ENI Key Details:

An elastic network interface is a logical networking component in a VPC that represents a virtual network card. It can include the following attributes:

The default ENI of an EC2 instance :


Enhanced Networking on Linux

For high performance networking between 10Gbps - 100Gbps

Enhanced networking uses single root I/O virtualization (SR-IOV) to provide high-performance networking capabilities on supported instance types. SR-IOV is a method of device virtualization that provides higher I/O performance and lower CPU utilization when compared to traditional virtualized network interfaces. Enhanced networking provides higher bandwidth, higher packet per second (PPS) performance, and consistently lower inter-instance latencies. There is no additional charge for using enhanced networking.

Contents -

Enhanced Networking support :

All current generation instance types support enhanced networking, except for T2 instances.

You can enable enhanced networking using one of the following mechanisms:

  1. Elastic Network Adapter (ENA) :
    The Elastic Network Adapter (ENA) supports network speeds of up to 100 Gbps for supported instance types.
  2. Intel 82599 Virtual Function (VF) interface :
    The Intel 82599 Virtual Function interface supports network speeds of up to 10 Gbps for supported instance types. Typically used on older instances.

Elastic Fabric Adapter

An Elastic Fabric Adapter (EFA) is a network device that you can attach to your Amazon EC2 instance to accelerate High Performance Computing (HPC) and machine learning applications. EFA enables you to achieve the application performance of an on-premises HPC cluster, with the scalability, flexibility, and elasticity provided by the AWS Cloud.

EFAs provide lower and more consistent latency and higher throughput than the TCP transport traditionally used in cloud-based HPC systems. It enhances the performance of inter-instance communication that is critical for scaling HPC and machine learning applications. It is optimized to work on the existing AWS network infrastructure and it can scale depending on application requirements.

Differences between EFAs and ENAs -

Elastic Network Adapters (ENAs) provide traditional IP networking features that are required to support VPC networking. EFAs provide all of the same traditional IP networking features as ENAs, and they also support OS-bypass capabilities. OS-bypass enables HPC and machine learning applications to bypass the operating system kernel and to communicate directly with the EFA device.

Note : By default, the public IP address of an EC2 Instance is released when the instance is stopped even if its stopped temporarily. Therefore, it is best to refer to an instance by its external DNS hostname. If you require a persistent public IP address that can be associated to the same instance, use an Elastic IP address which is basically a static IP address instead.

Optimizing with EC2 Placement Groups

Placement groups balance the tradeoff between risk tolerance and network performance when it comes to your fleet of EC2 instances. The more you care about risk, the more isolated you want your instances to be from each other. The more you care about performance, the more conjoined you want your instances to be with each other.

  1. Cluster – packs instances close together inside a single Availability Zone. This enables the low-latency network performance needed for the tightly coupled node-to-node communication typical of high-performance computing (HPC) applications.
  2. Partition – spreads your instances across logical partitions such that instances in one partition do not share underlying hardware with instances in other partitions. Typically used by large distributed and replicated workloads, such as Hadoop, Cassandra and Kafka.
  3. Spread – strictly places a small group of instances (at most seven per Availability Zone) on distinct underlying hardware to reduce correlated failures.

Deploying vCenter in AWS with VMware Cloud on AWS

Why Use VMware on AWS?

VMware is used by organizations around the world for private cloud deployments. Some organizations opt for a hybrid cloud strategy and would like to leverage AWS services.

Use Cases for VMware -

VMware Cloud on AWS

How is it deployed?

Extending AWS Beyond the Cloud with AWS Outposts

What Is Outposts?

Outposts brings the AWS data center directly to you, on-premises. Outposts allows you to have the large variety of AWS services in your data center. You can have Outposts in sizes such as 1U and 2U servers all the way up to 42U racks and multiple-rack deployments.


Benefits of Outposts -

Outposts Family Members :

Outposts Rack :
- Hardware : Available starting with a single 42U rack and scales up to 96 racks.
- Services : Provides AWS compute, storage, database and other services locally.
- Results : Gives the same AWS infrastructure, services and APIs in your own data center.

Outposts Servers :
- Hardware : Individual servers in 1U or 2U form factor.
- Use Cases : Useful for small space requirements, such as retail stores, branch offices, healthcare provider locations or factory floors.
- Results : Provides local compute and networking services.

Process :


Elastic Block Storage (EBS) & Elastic File System (EFS)


EBS

An Amazon EBS volume is a durable, block-level storage device that you can attach to a single EC2 instance. You can think of EBS as a cloud-based virtual hard disk. You can use EBS volumes as primary storage for data that requires frequent updates, such as the system drive for an instance or storage for a database application. You can also use them for throughput-intensive applications that perform continuous disk scans.


We recommend Amazon EBS for data that must be quickly accessible and requires long-term persistence. EBS volumes are particularly well-suited for use as the primary storage for file systems, databases, or for any applications that require fine granular updates and access to raw, unformatted, block-level storage. Amazon EBS is well suited to both database-style applications that rely on random reads and writes, and to throughput-intensive applications that perform long, continuous reads and writes.

EBS Use Case :

With Amazon EBS, you pay only for what you use.

Features :

EBS Details :

EBS Volume Types :


Volumes :

THINK OF VOLUME AS A VIRTUAL HARD DISK
Volumes are simply virtual hard disks. You need a minimum of 1 volume per EC2 instance. This is called the root device volume.

Snapshot :

Tips -

EBS Encryption -

EBS encrypts your volume with a data key using the industry-standard AES-256 algorithm. Amazon EBS encryption uses AWS Key Management Service (AWS KMS) customer master keys (CMK) when creating encrypted volumes and snapshots.

What Happens When You Encrypt an EBS Volume?


Encryption Explored -

Steps to Encrypt an Unencrypted Volume :

So far we have learned that we can stop and terminate EC2 instances. If we stop the instance, the data is kept on the disk (with EBS) and will remain there until the EC2 instance is started again. If the instance is terminated, then by default the root device volume is also deleted, but we can choose to keep it when launching an instance.

EC2 Hibernation :

When you hibernate an EC2 instance, the operating system is told to perform hibernation (suspend-to-disk). Hibernation saves the contents from the instance memory (RAM) to your Amazon EBS root volume. We persist the instance’s Amazon EBS root volume and any attached Amazon EBS data volumes.

When you start your instance out of hibernation:


With EC2 hibernation, the instance boots much faster. The operating system does not need to reboot because the in-memory state (RAM) is preserved. This is useful for:

What You Need to Know about EC2 Hibernation


EFS


Use Cases :

Key Details :

EFS Performance :

Controlling Performance :

When creating an EFS file system, you can set what performance characteristics you want.

Storage Tiers :

EFS comes with storage tiers and lifecycle management, allowing you to move your data from one tier to another after X number of days.

FSx for Windows :

Amazon FSx for Windows File Server provides a fully managed native Microsoft Windows file system so you can easily move your Windows-based applications that require file storage to AWS.

AMAZON FSX IS BUILT ON WINDOWS SERVER.


Amazon FSx for Lustre :

A fully managed file system that is optimized for compute-intensive workloads

FSx for Lustre Performance

With Amazon FSx, you can launch and run a Lustre file system that can process massive datasets at up to hundreds of gigabytes per second of throughput, millions of IOPS, and sub-millisecond latencies.

Storage Class Use Cases :

AMI

An Amazon Machine Image (AMI) provides the information required to launch an instance.

You must specify an AMI when you launch an instance.

Things You Can Base Your AMI On -

All AMIs are categorized as either backed by:

Instance Store Volumes -

Instance store volumes are sometimes called ephemeral storage. An instance backed by instance store volumes cannot be stopped, and if the underlying host fails, you will lose your data.
You can, however, reboot the instance without losing your data.

If you delete the instance, you will lose the instance store volume.

EBS Volumes -

EBS-backed instances can be stopped. You will not lose the data on this instance if it is stopped. You can also reboot an EBS volume and not lose your data.

By default, the root device volume will be deleted on termination. However, you can tell AWS to keep the root device volume with EBS volumes.

If you use an EBS-backed root volume, the root volume is not lost when its EC2 instance is stopped (brought offline). EBS-backed volumes are not temporary storage devices like instance store-backed volumes.

AWS Backup

Backup allows you to consolidate your backups across multiple AWS services, such as EC2, EBS, EFS, Amazon FSx for Lustre, Amazon FSx for Windows File Server, and AWS Storage Gateway.

It can include other services, such as database technologies like RDS and DynamoDB.

Backup can be used with AWS Organizations to back up multiple AWS accounts in your organization. It gives you centralized control across all AWS services, in multiple AWS accounts across the entire AWS organization.

Benefits :

Databases

Relational Database Service (RDS)


Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up, operate, and scale a relational database in the AWS Cloud. It provides cost-efficient, resizable capacity for an industry-standard relational database and manages common database administration tasks.

RDS runs on virtual machines, but you do not have access to those machines. You cannot SSH into an RDS instance so therefore you cannot patch the OS. This means that AWS is responsible for the security and maintenance of RDS. You can provision an EC2 instance as a database if you need or want to manage the underlying server yourself, but not with an RDS engine.

Relational Database Engines :

Multi-AZ is supported for all DB flavors except Aurora. This is because Aurora is completely fault-tolerant on its own.

RDS has two key features when scaling out:

RDS is generally used for Online Transaction Processing (OLTP) workloads.


With Multi-AZ, RDS creates an exact copy of your production database in another AZ.


RDS will automatically fail over to the standby during a failure so database operations can resume quickly without administrative intervention.

Multi-AZ is for disaster recovery, not for performance improvement, i.e. you can’t pass queries to your standby DB.

With a Multi-AZ RDS configuration, backups are taken from the standby.

Improve RDS Performance :


A read replica is a read-only copy of your primary database.

Great for read-heavy workloads and takes the load off your primary database.

Details -

  1. With a Read Replica configuration, EC2 connects to the RDS backend using a DNS address and every write that is received by the master database is also passed onto a DB secondary so that it becomes a perfect copy of the master. This has the overall effect of reducing the number of transactions on the master because the secondary DBs can be queried for the same data.
  2. However, if the master DB were to fail, there is no automatic failover. You would have to manually create a new connection string to sync with one of the read replicas so that it becomes a master on its own. Then you’d have to update your EC2 instances to point at the read replica. You can have up to five copies of your master DB with read replication.
  3. Each Read Replica will have its own DNS endpoint.
  4. Automated backups must be enabled in order to use read replicas.
  5. You can have read replicas with Multi-AZ turned on or have the read replica in an entirely separate region. You can even have read replicas of read replicas, but watch out for latency or replication lag. The caveat for Read Replicas is that they are subject to small amounts of replication lag. This is because they might be missing some of the latest transactions as they are not updated as quickly as primaries. Application designers need to consider which queries have tolerance to slightly stale data. Those queries should be executed on the read replica, while those demanding completely up-to-date data should run on the primary node.
  6. You can promote read replicas to be their very own production database if needed. But it breaks the replication.

Amazon Aurora

Aurora is the AWS flagship DB known to combine the performance and availability of traditional enterprise databases with the simplicity and cost-effectiveness of open source databases. It is a MySQL/PostgreSQL-compatible RDBMS that provides the security, availability, and reliability of commercial databases at 1/10th the cost of competitors. It is far more effective as an AWS database due to the 5x and 3x performance multipliers for MySQL and PostgreSQL respectively.

Details :

Scaling Aurora :

Types of Aurora Replicas available -


Amazon Aurora Serverless

An on-demand, auto-scaling configuration for the MySQL-compatible and PostgreSQL-compatible editions of Amazon Aurora. An Aurora Serverless DB cluster automatically starts up, shuts down, and scales capacity up or down based on your application’s needs.

DynamoDB

Amazon DynamoDB is a key-value and document database that delivers single-digit millisecond performance at any scale. It’s a fully managed, multiregion, multimaster, durable NoSQL database. It comes with built-in security, backup and restore, and in-memory caching for internet-scale applications.

DynamoDB Key Details:

The difference between the two consistency models is the one-second rule. With eventually consistent reads, all copies of the data are usually identical within one second after a write operation, so a repeated read after a short period of time should return the updated data. However, if you need to read updated data within a second of the write and this must be a guarantee, then strongly consistent reads are your best bet.

DynamoDB Accelerator (DAX):


With DynamoDB you cannot make concurrent updates to multiple tables at the same time; with DynamoDB transactions you are able to do exactly that.

DynamoDB transactions provide developers atomicity, consistency, isolation, and durability (ACID) across one or more tables within a single AWS account and region. You can use transactions when building applications that require coordinated inserts, deletes, or updates to multiple items as part of a single logical business operation.

On-Demand Backup and Restore -

Point-in-Time Recovery (PITR) -

DynamoDB Streams:


A DynamoDB stream is an ordered flow of information about changes to items in an Amazon DynamoDB table. When you enable a stream on a table, DynamoDB captures information about every modification to data items in the table.

DynamoDB Global Tables :

Global Tables is a multi-region, multi-master replication solution for fast local performance of globally distributed apps.
Global Tables replicates your Amazon DynamoDB tables automatically across your choice of AWS regions.

Operating MongoDB-Compatible Databases in Amazon DocumentDB :

MongoDB is a document database that allows for scalability and flexibility with your data as well as robust querying and indexing features.

Amazon DocumentDB

Allows you to run MongoDB on the AWS cloud. It’s a managed database service that scales with your workloads and safely and durably stores your database information.


Use Case -

You no longer have to worry about all the manual tasks when running MongoDB workloads, such as cluster management software, configuring backups, or monitoring production workloads.

Get rid of your operational overheads!

Cassandra

A distributed database (i.e., it runs on many machines) that uses NoSQL. It’s primarily used for big data solutions.

Enterprises, such as Netflix, use Cassandra on their backend.

Amazon Keyspaces


Amazon’s Apache Cassandra database service. It allows you to run Cassandra workloads on AWS and is a fully managed database service.

Graph Database

A graph database stores nodes and relationships instead of tables or documents.

Neptune

Neptune is Amazon’s graph database service.

Neptune is a fast, reliable, fully managed graph database service that makes it easy to build and run applications.

Use Cases for Neptune :

Ledger Database

It’s a NoSQL database that is immutable, transparent, and has a cryptographically verifiable transaction log that is owned by one authority.

You cannot update a record (i.e., replace old content) in a ledger database. Instead, an update adds a new record to the database.

Amazon Quantum Ledger Database (QLDB)


A fully managed ledger database that provides a transparent, immutable, and cryptographically verifiable transaction log.

QLDB Use Cases :

Time-Series Data

Data points that are logged over a series of time, allowing you to track your data. Examples could be temperature readings from weather stations around the world, on the hour, every hour for years.

Time-Series Data Examples :

Amazon Timestream


A serverless, fully managed database service for time-series data. You can analyze trillions of events per day up to 1,000 times faster and at as little as 1/10th the cost of traditional relational databases.


Virtual Private Cloud (VPC) Networking

With Amazon Virtual Private Cloud (Amazon VPC), you can launch AWS resources in a logically isolated virtual network that you’ve defined. This virtual network closely resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS. By having the option of selecting which AWS resources are public facing and which are not, VPC provides much more granular control over security.


You get a default VPC in every region in your AWS account.

Network Diagram :


VPC Details -

Features —

Amazon always reserves five IP addresses within a subnet. The first four IP addresses and the last IP address of each subnet CIDR block will always be unavailable for use.

NAT Gateways :

You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the internet or other AWS services while preventing the internet from initiating a connection with those instances.


Network Access Control Lists:

Network Access Control Lists (or NACLs) are like security groups but for subnets rather than instances. The main difference between the two is that security groups are stateful, whereas NACLs are stateless: a NACL has separate inbound and outbound rule sets, each of which can contain both allow and deny rules, so the treatment of a flow can differ depending on whether the traffic is inbound or outbound.

NACL:
  • Operates at the subnet level
  • Supports allow rules and deny rules
  • Is stateless: return traffic must be explicitly allowed by rules
  • Rules are processed in order, starting with the lowest numbered rule, when deciding whether to allow traffic
  • Automatically applies to all instances in the subnets that it’s associated with (therefore, it provides an additional layer of defense if the security group rules are too permissive)

Security Group:
  • Operates at the instance level
  • Supports allow rules only
  • Is stateful: return traffic is automatically allowed, regardless of any rules
  • All rules are evaluated before deciding whether to allow traffic
  • Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on
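To make the stateless-versus-stateful and rule-ordering differences concrete, here is an added Python simulation (not from the original notes, and not how AWS implements either control) of a NACL and a security group judging the same constructed packets; the addresses, ports and rule numbers are made up. It shows the classic mistake of allowing HTTPS in through a NACL but forgetting the outbound ephemeral port range, and why a deny rule numbered above an allow never fires.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One firewall rule. `number` only matters for a NACL, which evaluates
    rules lowest-number-first; a security group may only carry allow rules."""
    number: int
    direction: str      # "in" (towards the instance) or "out" (away from it)
    protocol: str       # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str           # remote address range the rule applies to
    action: str = "allow"


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out"
    protocol: str
    remote_ip: str
    remote_port: int
    local_port: int     # port on the instance

    @property
    def dst_port(self) -> int:
        # Rules describe the destination port: the instance port for inbound
        # packets, the remote port for outbound packets (e.g. a reply going
        # back to a client's ephemeral port).
        return self.local_port if self.direction == "in" else self.remote_port


def _matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.protocol in ("all", pkt.protocol)
            and rule.port_from <= pkt.dst_port <= rule.port_to
            and ip_address(pkt.remote_ip) in ip_network(rule.cidr))


def nacl_evaluate(rules: list, pkt: Packet) -> str:
    """Stateless NACL semantics: every packet, including return traffic, is
    judged on its own; the lowest-numbered matching rule wins; no match
    falls through to the implicit '*' deny rule."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, pkt):
            return rule.action
    return "deny"


class SecurityGroup:
    """Stateful, allow-only semantics: any matching rule allows (order is
    irrelevant), and a packet that belongs to a flow already allowed in the
    other direction is passed without consulting the rules at all."""

    def __init__(self, rules: list):
        if any(r.action != "allow" for r in rules):
            raise ValueError("security groups support allow rules only")
        self.rules = rules
        self.flows = set()      # simplified connection-tracking table

    def evaluate(self, pkt: Packet) -> str:
        key = (pkt.protocol, pkt.remote_ip, pkt.remote_port, pkt.local_port)
        if key in self.flows:
            return "allow"      # return traffic of a tracked flow
        if any(_matches(r, pkt) for r in self.rules):
            self.flows.add(key)
            return "allow"
        return "deny"


# Constructed scenario: a web server receives HTTPS from client 203.0.113.5
# (documentation range) whose ephemeral source port is 51234, then replies.
REQUEST = Packet("in", "tcp", "203.0.113.5", 51234, 443)
REPLY = Packet("out", "tcp", "203.0.113.5", 51234, 443)
BLOCKED_CLIENT = Packet("in", "tcp", "198.51.100.7", 40000, 443)

# NACL that allows HTTPS in and out but forgot the outbound ephemeral range.
NACL_INCOMPLETE = [
    Rule(100, "in", "tcp", 443, 443, "0.0.0.0/0"),
    Rule(100, "out", "tcp", 443, 443, "0.0.0.0/0"),
]
# Same NACL with the ephemeral range added and an explicit deny for one /24.
# The deny is numbered 90, i.e. below the allow at 100, so it is seen first.
NACL_FIXED = NACL_INCOMPLETE + [
    Rule(110, "out", "tcp", 1024, 65535, "0.0.0.0/0"),
    Rule(90, "in", "tcp", 443, 443, "198.51.100.0/24", action="deny"),
]
# A deny numbered above the allow never fires: rule 100 already matched.
NACL_LATE_DENY = NACL_INCOMPLETE + [
    Rule(200, "in", "tcp", 443, 443, "198.51.100.0/24", action="deny"),
]
SG_RULES = [Rule(0, "in", "tcp", 443, 443, "0.0.0.0/0")]   # no outbound rule


def run_scenarios() -> dict:
    sg = SecurityGroup(SG_RULES)
    return {
        "nacl_incomplete_reply": nacl_evaluate(NACL_INCOMPLETE, REPLY),
        "nacl_fixed_reply": nacl_evaluate(NACL_FIXED, REPLY),
        "nacl_fixed_blocked_client": nacl_evaluate(NACL_FIXED, BLOCKED_CLIENT),
        "nacl_late_deny_ignored": nacl_evaluate(NACL_LATE_DENY, BLOCKED_CLIENT),
        "sg_request": sg.evaluate(REQUEST),
        "sg_reply": sg.evaluate(REPLY),
        "sg_unsolicited_out": sg.evaluate(Packet("out", "tcp", "203.0.113.9", 443, 50000)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:28s} {verdict}")
```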

NAT Instances vs. NAT Gateways:

Attaching an Internet Gateway to a VPC allows instances with public IPs to directly access the internet. NAT does a similar thing; however, it is for instances that do not have a public IP. It serves as an intermediate step which allows private instances to first mask their own private IP as the NAT’s public IP before accessing the internet.

You would want your private instances to access the internet so that they can have normal software updates. NAT prevents any initiating of a connection from the internet.

NAT instances are individual EC2 instances that perform the function of providing private subnets a means to securely access the internet.

Because they are individual instances, High Availability is not a built-in feature and they can become a choke point in your VPC. They are not fault-tolerant and serve as a single point of failure. While it is possible to use auto-scaling groups, scripts to automate failover, etc. to prevent bottlenecking, it is far better to use the NAT Gateway as an alternative for a scalable solution.

NAT Gateway is a managed service that is composed of multiple instances linked together within an availability zone in order to achieve HA by default.

To achieve further HA and a zone-independent architecture, create a NAT gateway for each Availability Zone and configure your routing to ensure that resources use the NAT gateway in their corresponding Availability Zone.

NAT instances are deprecated, but still usable. NAT Gateways are the preferred means to achieve Network Address Translation.

There is no need to patch NAT Gateways as the service is managed by AWS. You do need to patch NAT Instances though because they’re just individual EC2 instances.

Because communication must always be initiated from your private instances, you need a route rule to route traffic from a private subnet to your NAT gateway.

Your NAT instance/gateway will have to live in a public subnet as your public subnet is the subnet configured to have internet access.

When creating NAT instances, it is important to remember that EC2 instances have source/destination checks on them by default. What these checks do is ensure that any traffic it comes across must be either generated by the instance or be the intended recipient of that traffic. Otherwise, the traffic is dropped because the EC2 instance is neither the source nor the destination.

So, because NAT instances act as a sort of proxy, you must disable source/destination checks when using a NAT instance.

Route Tables:

Route tables are used to make sure that subnets can communicate with each other and that traffic knows where to go.

Every subnet that you create is automatically associated with the main route table for the VPC.

You can have multiple route tables. If you do not want your new subnet to be associated with the default route table, you must specify that you want it associated with a different route table.

Because of this default behavior, there is a potential security concern to be aware of: if the default route table is public then the new subnets associated with it will also be public.

The best practice is to ensure that the default route table where new subnets are associated with is private.

This means you ensure that there is no route out to the internet for the default route table. Then, you can create a custom route table that is public instead. New subnets will automatically have no route out to the internet. If you want a new subnet to be publicly accessible, you can simply associate it with the custom route table.

Route tables can be configured to access endpoints (public services accessed privately) and not just the internet.
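The "main route table must stay private" practice is easy to check offline against the JSON that `aws ec2 describe-route-tables` returns. The following is an added Python example (not from the original notes) that audits a constructed, trimmed copy of that output with placeholder IDs: it reports whether the main table has a default route to an internet gateway and which subnets are public only because they inherited it.

```python
import copy
import json

# Constructed sample in the shape of `aws ec2 describe-route-tables` output,
# trimmed to the fields used below; all IDs are placeholders, not real resources.
DESCRIBE_ROUTE_TABLES = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-main0001", "VpcId": "vpc-0001",
   "Associations": [{"Main": true, "RouteTableId": "rtb-main0001"}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0001", "State": "active"}]},
  {"RouteTableId": "rtb-pub0001", "VpcId": "vpc-0001",
   "Associations": [{"Main": false, "SubnetId": "subnet-pub1", "RouteTableId": "rtb-pub0001"}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0001", "State": "active"}]},
  {"RouteTableId": "rtb-priv0001", "VpcId": "vpc-0001",
   "Associations": [{"Main": false, "SubnetId": "subnet-app1", "RouteTableId": "rtb-priv0001"}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0001", "State": "active"}]}
]}
""")
# Subnets in the VPC (constructed). subnet-new1 was created without choosing a
# route table, so it silently uses the main table.
SUBNET_IDS = ["subnet-pub1", "subnet-app1", "subnet-new1"]


def has_igw_default_route(table: dict) -> bool:
    """A table with an active default route (IPv4 or IPv6) to an internet
    gateway makes every subnet that uses it a public subnet."""
    for route in table.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        gateway = route.get("GatewayId", "")
        if (dest in ("0.0.0.0/0", "::/0") and gateway.startswith("igw-")
                and route.get("State", "active") == "active"):
            return True
    return False


def main_table(tables: list) -> dict:
    return next(t for t in tables
                if any(a.get("Main") for a in t.get("Associations", [])))


def effective_table(subnet_id: str, tables: list) -> tuple:
    """Return (table, explicitly_associated). A subnet without an explicit
    association falls back to the VPC's main route table."""
    for table in tables:
        if any(a.get("SubnetId") == subnet_id for a in table.get("Associations", [])):
            return table, True
    return main_table(tables), False


def audit(describe_output: dict, subnet_ids: list) -> dict:
    """Flag a public main route table and every subnet that is public only
    because it inherited that table."""
    tables = describe_output["RouteTables"]
    report = {
        "main_table_id": main_table(tables)["RouteTableId"],
        "main_table_is_public": has_igw_default_route(main_table(tables)),
        "implicitly_public_subnets": [],
        "explicitly_public_subnets": [],
    }
    for subnet_id in subnet_ids:
        table, explicit = effective_table(subnet_id, tables)
        if has_igw_default_route(table):
            bucket = "explicitly_public_subnets" if explicit else "implicitly_public_subnets"
            report[bucket].append(subnet_id)
    return report


def remediated(describe_output: dict) -> dict:
    """Copy of the output with the IGW default route dropped from the main
    table, i.e. what the audit should show after following the best practice."""
    fixed = copy.deepcopy(describe_output)
    main = main_table(fixed["RouteTables"])
    main["Routes"] = [r for r in main["Routes"]
                      if not r.get("GatewayId", "").startswith("igw-")]
    return fixed


if __name__ == "__main__":
    print(json.dumps(audit(DESCRIBE_ROUTE_TABLES, SUBNET_IDS), indent=2))
    print(json.dumps(audit(remediated(DESCRIBE_ROUTE_TABLES), SUBNET_IDS), indent=2))
```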

Subnets :

A subnet is a range of IP addresses in your VPC. A subnet must reside in a single Availability Zone. After you add subnets, you can deploy AWS resources in your VPC.

Each subnet must reside entirely within one Availability Zone and cannot span zones. By launching AWS resources in separate Availability Zones, you can protect your applications from the failure of a single Availability Zone.

The idea of subnetting is to take a portion of the host space of an address, and use it as an additional networking specification to divide the address space again.
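As an added example (not from the original notes), the following Python planner carves a VPC CIDR into one subnet per Availability Zone and tier, and subtracts the five addresses AWS reserves in every subnet (the first four and the last, as stated earlier) to show how many addresses are actually assignable to instances; the /16-to-/28 size limit and the role of each reserved address are AWS-documented, the VPC CIDR, AZ names and tiers are constructed.

```python
import itertools
from ipaddress import IPv4Network

# The first four addresses and the last address of every subnet are reserved
# by AWS and can never be assigned to an instance.
AWS_RESERVED_PER_SUBNET = 5


def reserved_addresses(subnet: IPv4Network) -> dict:
    """The five reserved addresses of a subnet, with the role AWS documents for each."""
    return {
        "network address": str(subnet[0]),
        "VPC router": str(subnet[1]),
        "Amazon-provided DNS": str(subnet[2]),
        "reserved for future use": str(subnet[3]),
        "network broadcast (unsupported, still reserved)": str(subnet.broadcast_address),
    }


def usable_hosts(subnet: IPv4Network) -> int:
    """Addresses that can actually be handed to instances in this subnet."""
    return subnet.num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr: str, azs: list, tiers: list, new_prefix: int) -> list:
    """Carve one subnet per (AZ, tier) pair out of the VPC block. Because a
    subnet cannot span AZs, each AZ needs its own copy of every tier; the plan
    lists the CIDR and instance-assignable address count of each subnet."""
    if not 16 <= new_prefix <= 28:
        raise ValueError("AWS subnets must be between /16 and /28")
    vpc = IPv4Network(vpc_cidr)
    blocks = list(vpc.subnets(new_prefix=new_prefix))
    needed = len(azs) * len(tiers)
    if len(blocks) < needed:
        raise ValueError(
            f"{vpc_cidr} yields only {len(blocks)} /{new_prefix} subnets, {needed} needed")
    return [
        {"az": az, "tier": tier, "cidr": str(block), "usable_hosts": usable_hosts(block)}
        for (az, tier), block in zip(itertools.product(azs, tiers), blocks)
    ]


if __name__ == "__main__":
    # Constructed layout: two AZs, a public and a private tier each, /24 subnets.
    for row in plan_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b"],
                            ["public", "private"], 24):
        print(row)
    print(reserved_addresses(IPv4Network("10.0.0.0/24")))
```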

Internet Gateway:

If the Internet Gateway is not attached to the VPC, which is the prerequisite for instances to be accessed from the internet, then naturally instances in your VPC will not be reachable.

If you want all of your VPC to remain private (and not just some subnets), then do not attach an IGW.

When a Public IP address is assigned to an EC2 instance, it is effectively registered by the Internet Gateway as a valid public endpoint. However, each instance is only aware of its private IP and not its public IP. Only the IGW knows of the public IPs that belong to instances.

When an EC2 instance initiates a connection to the public internet, the request is sent using the public IP as its source even though the instance doesn’t know a thing about it. This works because the IGW performs its own NAT translation where private IPs are mapped to public IPs and vice versa for traffic flowing into and out of the VPC.

So when traffic from the internet is destined for an instance’s public IP endpoint, the IGW receives it and forwards the traffic onto the EC2 instance using its internal private IP.

You can only have one IGW per VPC.

Summary: IGW connects your VPC with the internet.
A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.

Instances in your VPC do not require public IP addresses to communicate with resources in the service.

Traffic between your VPC and the other service does not leave the Amazon network.

Endpoints Are Virtual Devices.
They are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and services without imposing availability risks or bandwidth constraints on your network traffic.

Types of Endpoints :

Summary: VPC Endpoints connect your VPC with AWS services through a non-public tunnel.

Multiple VPCs

Sometimes you may need to have several VPCs for different environments, and it may be necessary to connect these VPCs to each other.


That’s what VPC Peering is all about -

VPC Peering:

VPC peering allows you to connect one VPC with another via a direct network route using the Private IPs belonging to both. With VPC peering, instances in different VPCs behave as if they were on the same network.

You can create a VPC peering connection between your own VPCs, regardless of whether they are in the same region, and with a VPC in an entirely different AWS account.

VPC Peering is usually done in such a way that there is one central VPC that peers with others. Only the central VPC can talk to the other VPCs.

Transitive peering is not supported: non-central VPCs cannot go through the central VPC to reach another non-central VPC. You must set up a new peering connection between non-central VPCs if you need them to talk to each other.


The following diagram highlights the above idea. VPC B is free to communicate with VPC A with VPC Peering enabled between both. However, VPC B cannot continue the conversation with VPC C. Only VPC A can communicate with VPC C.

[Diagram: VPC A peered with both VPC B and VPC C; B and C cannot reach each other through A]

It is worth knowing what VPC peering configurations are not supported:

You can peer across regions, but you cannot have one subnet stretched over multiple availability zones. However, you can have multiple subnets in the same availability zone.

Summary: VPC Peering connects your VPC to another VPC through a non-public tunnel.

AWS PrivateLink simplifies the security of data shared with cloud-based applications by eliminating the exposure of data to the public Internet. AWS PrivateLink provides private connectivity between different VPCs, AWS services, and on-premises applications, securely on the Amazon network.

It’s similar to the AWS Direct Connect service in that it establishes private connections to the AWS cloud, except Direct Connect links on-premises environments to AWS. PrivateLink, on the other hand, secures traffic from VPC environments which are already in AWS.

This is useful because different AWS services often talk to each other over the internet. If you do not want that behavior and instead want AWS services to only communicate within the AWS network, use AWS PrivateLink. By not traversing the Internet, PrivateLink reduces the exposure to threat vectors such as brute force and distributed denial-of-service attacks.

PrivateLink allows you to publish an “endpoint” that others can connect with from their own VPC. It’s similar to a normal VPC Endpoint, but instead of connecting to an AWS service, people can connect to your endpoint.

Further, you’d want to use private IP connectivity and security groups so that your services function as though they were hosted directly on your private network.

Remember that AWS PrivateLink applies to Applications/Services communicating with each other within the AWS network. For VPCs to communicate with each other within the AWS network, use VPC Peering.

Summary: AWS PrivateLink connects your AWS services with other AWS services through a non-public tunnel.

Virtual Private Networks (VPNs):

VPCs can also serve as a bridge between your corporate data center and the AWS cloud. With a VPC Virtual Private Network (VPN), your VPC becomes an extension of your on-prem environment.

By default, the instances that you launch in your VPC can’t communicate with your own on-premises servers. You can allow the access by first:

To bring up a VPN connection, you must also define a customer gateway resource in AWS, which provides AWS with information about your customer gateway device, including the Internet-routable IP address of the customer gateway’s external interface.

A customer gateway is a physical device or software application on the on-premise side of the VPN connection.

Although the term “VPN connection” is a general concept, a VPN connection for AWS always refers to the connection between your VPC and your own network. AWS supports Internet Protocol security (IPsec) VPN connections.

The following diagram illustrates a single VPN connection :

[Diagram: a single VPN connection between the VPC’s virtual private gateway and an on-premises customer gateway]

The above VPC has an attached virtual private gateway (note: not an internet gateway) and there is a remote network that includes a customer gateway which you must configure to enable the VPN connection. You set up the routing so that any traffic from the VPC bound for your network is routed to the virtual private gateway.

VGW is a VPN concentrator on the AWS side of the VPN connection between two networks. It is part of a VPC and provides edge routing for AWS managed VPN connections and AWS Direct Connect connections.

Summary: VPNs connect your on-prem with your VPC over the internet.

AWS VPN CloudHub -

If you have multiple sites, each with its own VPN connection, you can use AWS VPN CloudHub to connect those sites together.

AWS VPN CloudHub is low cost and easy to manage. Though it operates over the public internet, all traffic between the customer gateway and the AWS VPN CloudHub is encrypted.

AWS DirectConnect:

Direct Connect is an AWS service that establishes a dedicated network connection between your premises and AWS. You can create this private connectivity to reduce network costs, increase bandwidth, and provide more consistent network experience compared to regular internet-based connections.

2 Types of Direct Connect Connection :

The use case for Direct Connect is high throughput workloads or if you need a stable or reliable connection

A VPN connects to your on-prem over the internet, whereas Direct Connect connects to your on-prem through a private tunnel.

The steps for setting up an AWS DirectConnect connection:

Data flow into AWS via DirectConnect looks like the following: On-prem router -> dedicated line -> your own cage / DMZ -> cross connect line -> AWS Direct Connect Router -> AWS backbone -> AWS Cloud


Summary: DirectConnect connects your on-prem with your VPC through a non-public tunnel.

VPNs vs. Direct Connect:

VPNs allow private communication, but it still traverses the public internet to get the data delivered. While secure, it can be painfully slow.

DIRECT CONNECT IS:

  • Fast
  • Secure
  • Reliable
  • Able to take massive throughput

Transit Gateway

AWS Transit Gateway connects VPCs and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships. It acts as a cloud router - each new connection is only made once.


5G Networks

5G provides mobile devices with higher speed, lower latency, and greater capacity than 4G LTE networks. It is one of the fastest, most robust technologies the world has ever seen.

AWS Wavelength

AWS Wavelength embeds AWS compute and storage services within 5G networks, providing mobile edge computing infrastructure for developing, deploying, and scaling ultra-low-latency applications.


Route53

Amazon Route 53 is a highly available and scalable Domain Name System (DNS) service. You can use Route 53 to perform three main functions in any combination: domain registration, DNS routing, and health checking.

Details -

DNS is used to map human-readable domain names to Internet Protocol addresses, similar to how a phone book maps company names to phone numbers.

AWS has its own domain registrar.

When you buy a domain name, every DNS address starts with an SOA (Start of Authority) record. The SOA record stores information about the name of the server that kicked off the transfer of ownership, the administrator who will now use the domain, the current metadata available, and the default number of seconds or TTL.

NS records, or Name Server records, are used by the Top Level Domain hosts (.org, .com, .uk, etc.) to direct traffic to the Content servers. The Content DNS servers contain the authoritative DNS records.

Browsers talk to the Top Level Domains whenever they are queried and encounter a domain name that they do not recognize.

In summary: Browser -> TLD -> NS -> SOA -> DNS record. The pipeline reverses when the correct DNS record is found.

Authoritative name servers store DNS record information, usually a DNS hosting provider or domain registrar like GoDaddy that offers both DNS registration and hosting.

There are a multitude of DNS records for Route53. Here are some of the more common ones:

One other major difference between CNames and Alias records is that a CName cannot be used for the naked domain name (the apex record in your entire DNS configuration / the primary record to be used). CNames must always be secondary records that can map to another secondary record or the apex record. The primary must always be of type Alias or A Record in order to work.

Due to the dynamic nature of Alias records, they are often recommended for most use cases and should be used when it is possible to.

TTL is the length of time that a DNS record is cached on either the resolving servers or the user’s own cache, after which a fresher mapping of IP to domain is retrieved. Time To Live is measured in seconds, and the lower the TTL, the faster DNS changes propagate across the internet. Most providers, for example, have a TTL that lasts 48 hours.

You can create health checks that send you a Simple Notification Service (SNS) notification if any issues arise with your DNS setup.

Further, Route53 health checks can be used for any AWS endpoint that can be accessed via the Internet. This makes it an ideal option for monitoring the health of your AWS endpoints.

Route53 Routing Policies:

When you create a record, you choose a routing policy, which determines how Amazon Route 53 responds to DNS queries. The routing policies available are:

Simple Routing is used when you just need a single record in your DNS with either one or more IP addresses behind the record in case you want to balance load. If you specify multiple values in a Simple Routing policy, Route53 returns a random IP from the options available.

Weighted Routing is used when you want to split your traffic based on assigned weights. For example, if you want 80% of your traffic to go to one AZ and the rest to go to another, use Weighted Routing. This policy is very useful for testing feature changes and due to the traffic splitting characteristics, it can double as a means to perform blue-green deployments. When creating Weighted Routing, you need to specify a new record for each IP address. You cannot group the various IPs under one record like with Simple Routing.

Latency-based Routing, as the name implies, is based on setting up routing based on what would be the lowest latency for a given user. To use latency-based routing, you must create a latency resource record set in the same region as the corresponding EC2 or ELB resource receiving the traffic. When Route53 receives a query for your site, it selects the record set that gives the user the quickest speed. When creating Latency-based Routing, you need to specify a new record for each IP.

Failover Routing is used when you want to configure an active-passive failover setup. Route53 will monitor the health of your primary so that it can fail over when needed. You can also manually set up health checks to monitor all endpoints if you want more detailed rules.

Geolocation Routing lets you choose where traffic will be sent based on the geographic location of your users.

Geo-proximity Routing lets you choose where traffic will be sent based on the geographic location of your users and your resources. You can choose to route more or less traffic based on a specified weight which is referred to as a bias. This bias either expands or shrinks the availability of a geographic region which makes it easy to shift traffic from resources in one location to resources in another. To use this routing method, you must enable Route53 traffic flow. If you want to control global traffic, use Geo-proximity routing. If you want traffic to stay in a local region, use Geolocation routing.

Multivalue Routing is pretty much the same as Simple Routing, but Multivalue Routing allows you to put health checks on each record set. This ensures then that only a healthy IP will be randomly returned rather than any IP.

Elastic Load Balancers (ELB)

Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, Docker containers, IP addresses, and Lambda functions. It can handle the varying load of your application traffic in a single Availability Zone or across multiple Availability Zones. Elastic Load Balancing offers three types of load balancers that all feature the high availability, automatic scaling, and robust security necessary to make your applications fault tolerant.

In AWS, there are four types of LBs :

The lifecycle of a request to view a website behind an ELB:

ELB Advanced Features:

Gateway Timeouts -
If your application stops responding, the Classic Load Balancer responds with a 504 error.

This means the application is having issues. This could be either at the web server layer or database layer.

Deregistration Delay -

Enable deregistration delay : Keep existing connections open if the EC2 instance becomes unhealthy.

Disable deregistration delay : Do this if you want your load balancer to immediately close connections to the instances that are de-registering or have become unhealthy.

ELB Cross Zone Load Balancing:

ELB Security:


MONITORING

CloudWatch

Amazon CloudWatch is a monitoring and observability service. It provides you with data and actionable insights to monitor your applications, respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health.

CloudWatch Logs:

Log Stream :

A collection of log events from the same source creates a log stream. Think of one continuous set of logs from a single instance.

Log Group :

This is a collection of log streams. For example, you would group all your Apache web server logs across hosts together.

CloudWatch Events:

CloudWatch Alarms:

CloudWatch Metrics:

CloudWatch Dashboards:

Amazon Managed Grafana -

Fully managed AWS service allowing secure data visualizations for instantly querying, correlating, and visualizing your operational metrics, logs, and traces from different sources.

Use Cases :

Amazon Managed Service for Prometheus -

Serverless, Prometheus-compatible service used for securely monitoring container metrics at scale.


High Availability and Scaling

What Is Horizontal Scaling?

Horizontal scaling (aka scaling out) refers to adding additional nodes or machines to your infrastructure to cope with new demands. If you are hosting an application on a server and find that it no longer has the capacity or capabilities to handle traffic, adding a server may be your solution.

What Is Vertical Scaling?

Vertical scaling (aka scaling up) describes adding additional resources to a system so that it meets demand.

While horizontal scaling refers to adding additional nodes, vertical scaling describes adding more power to your current machines. For instance, if your server requires more processing power, vertical scaling would mean upgrading the CPUs. You can also vertically scale the memory, storage, or network speed.

Launch Template :

A launch template specifies all the needed settings that go into building out an EC2 instance. It is a collection of settings you can configure so you don’t have to walk through the EC2 wizard over and over.

It includes the AMI, EC2 instance size, security groups, and potentially networking information.

Baking your code into your AMIs will help reduce provisioning time.

Auto Scaling :

AWS Auto Scaling lets you build scaling plans that automate how groups of different resources respond to changes in demand. You can optimize availability, costs, or a balance of both. AWS Auto Scaling automatically creates all of the scaling policies and sets targets for you based on your preference.

Auto Scaling is only for EC2. No other service can be scaled using Auto Scaling. Other services might have a built-in option, but they aren’t included in Auto Scaling groups.

When you use Elastic Load Balancing with your Auto Scaling group, it’s not necessary to register individual EC2 instances with the load balancer. Instances that are launched by your Auto Scaling group are automatically registered with the load balancer. Likewise, instances that are terminated by your Auto Scaling group are automatically deregistered from the load balancer.

Auto Scaling Steps :

Lifecycle Hooks :

As your Auto Scaling group scales out or scales in your EC2 instances, you may want to perform custom actions before they start accepting traffic or before they get terminated. Auto Scaling Lifecycle Hooks allow you to perform custom actions during these stages.

For example, during the scale-out event of your ASG (Auto Scaling Group), you want to make sure that new EC2 instances download the latest code base from the repository and that your EC2 user data has completed before they start accepting traffic. This way, the new instances will be fully ready and will quickly pass the load balancer health check when they are added as targets. Another example: during the scale-in event of your ASG, suppose your instances upload data logs to S3 every minute. You may want to pause the instance termination for a certain amount of time to allow the EC2 instance to upload all data logs before it gets completely terminated.

STEPS :

  1. EC2 instance gets launched by the EC2 Auto Scaling group
  2. WAIT state is entered via the Lifecycle Hooks capability
  3. While in the WAIT state, the instance runs a custom script via EC2 user data to install a proprietary application
  4. The script installs and configures the application
  5. Once the application is validated to be working correctly, the instance sends a complete-lifecycle-action command
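
One way to implement steps 3 to 5 above, as an added example rather than code from the notes: the instance validates the installed application and then completes the hook with CONTINUE or ABANDON. The hook name, group name, health URL and the injected autoscaling client are assumptions (in real use pass boto3.client("autoscaling")); the instance id is read over IMDSv2.

```python
"""Finish an Auto Scaling lifecycle hook only after the instance is validated.

Added example, not code from the original notes. "app-install-hook", "web-asg"
and the health URL are placeholders. The autoscaling client is injected so the
decision logic can be exercised offline against a fake.
"""
from typing import Callable
import urllib.request

IMDS = "http://169.254.169.254/latest"


def instance_id_from_imdsv2(ttl_seconds: int = 60) -> str:
    """Read this instance's id via IMDSv2 (session token first, then metadata)."""
    token_req = urllib.request.Request(
        f"{IMDS}/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)})
    with urllib.request.urlopen(token_req, timeout=2) as resp:
        token = resp.read().decode()
    meta_req = urllib.request.Request(
        f"{IMDS}/meta-data/instance-id",
        headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(meta_req, timeout=2) as resp:
        return resp.read().decode()


def app_is_healthy(url: str, timeout: float = 2.0) -> bool:
    """Validation step from the notes: the installed app must answer HTTP 200."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200
    except Exception:          # connection refused, timeout, non-2xx status
        return False


def complete_lifecycle(asg_client, *, hook_name: str, group_name: str,
                       instance_id: str, healthy: Callable[[], bool]) -> str:
    """Release the instance from the WAIT state.

    CONTINUE lets the instance go InService and receive load balancer traffic;
    ABANDON terminates it instead, so a half-configured instance is never put
    behind the ELB. Returns the result that was sent.
    """
    result = "CONTINUE" if healthy() else "ABANDON"
    asg_client.complete_lifecycle_action(
        LifecycleHookName=hook_name,
        AutoScalingGroupName=group_name,
        InstanceId=instance_id,
        LifecycleActionResult=result,
    )
    return result


if __name__ == "__main__":
    import boto3  # only needed when run on the instance itself
    complete_lifecycle(
        boto3.client("autoscaling"),
        hook_name="app-install-hook",        # placeholder hook name
        group_name="web-asg",                # placeholder group name
        instance_id=instance_id_from_imdsv2(),
        healthy=lambda: app_is_healthy("http://127.0.0.1:8080/health"),
    )
```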

Auto Scaling Policies :

  1. Step Scaling : To use step scaling, you first create a CloudWatch alarm that monitors a metric for your Auto Scaling group. Define the metric, threshold value, and number of evaluation periods that determine an alarm breach. Then, create a step scaling policy that defines how to scale your group when the alarm threshold is breached.
  2. Simple Scaling : Simple scaling relies on a metric as a basis for scaling. For example, you can set a CloudWatch alarm to have a CPU Utilization threshold of 80%, and then set the scaling policy to add 20% more capacity to your Auto Scaling group by launching new instances. Accordingly, you can also set a CloudWatch alarm to have a CPU utilization threshold of 30%. When the threshold is met, the Auto Scaling group will remove 20% of its capacity by terminating EC2 instances.
  3. Target Tracking : Target tracking policy lets you specify a scaling metric and metric value that your auto scaling group should maintain at all times. Let’s say for example your scaling metric is the average CPU utilization of your EC2 auto scaling instances, and that their average should always be 80%. When CloudWatch detects that the average CPU utilization is beyond 80%, it will trigger your target tracking policy to scale out the auto scaling group to meet this target utilization. Once everything is settled and the average CPU utilization has gone below 80%, another scale in action will kick in and reduce the number of auto scaling instances in your auto scaling group. With target tracking policies, your auto scaling group will always be running in a capacity that is defined by your scaling metric and metric value.

Instance Warm-Up and Cooldown -

Scaling Types :-

Scaling Non-Relational Databases

Types of Scaling -

There are 4 types of scaling we can use to adjust our relational database performance.

Scaling Options -
Scaling is simplified when using DynamoDB, as AWS does all the heavy lifting for you.

Capacity Units :

Read Capacity Unit (RCU)

DynamoDB unit of measurement for reads per second for an item up to 4 KB in size.

One strongly consistent read per second.

Two eventually consistent reads per second.

Knowledge Check: How many RCUs for 1 strongly consistent read per second for objects that are 7 KB in size?

1 RCU = 4 KB / 1 Strongly Consistent Read.

Round up to the next nearest amount for the item size = 8 KB / 4 KB = 2 RCU

Write Capacity Unit (WCU)

DynamoDB unit of measurement for writes per second for an item up to 1 KB in size.

Knowledge Check: How many WCUs for 1 write per second for an object that is 3 KB in size?

1 WCU = 1 KB * 1 Write per Second

3 KB * 1 WCU = 3 WCUs
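
The two knowledge checks generalized, as an added example that is not part of the original notes: per-item rounding for any item size, request rate and consistency mode, plus a mixed-workload total. The transactional multipliers are taken from the DynamoDB documentation, not from these notes.

```python
"""Provisioned-capacity arithmetic for DynamoDB (added example, not from the notes).

Facts from the notes: one RCU covers one strongly consistent read per second
of an item up to 4 KB, or two eventually consistent reads; one WCU covers one
write per second of an item up to 1 KB. The 2x transactional factors for reads
and writes come from the DynamoDB documentation, not from these notes.
"""
import math
from typing import Iterable, Tuple

READ_UNIT_KB = 4
WRITE_UNIT_KB = 1
READ_COST = {"strong": 1.0, "eventual": 0.5, "transactional": 2.0}


def rcus_needed(item_size_kb: float, reads_per_second: int,
                consistency: str = "strong") -> int:
    # Round the item size up to whole 4 KB units *per item* before scaling by
    # rate; rounding the total bytes instead undercounts (7 KB is 2 units, not 1.75).
    units_per_item = math.ceil(item_size_kb / READ_UNIT_KB)
    return math.ceil(units_per_item * reads_per_second * READ_COST[consistency])


def wcus_needed(item_size_kb: float, writes_per_second: int,
                transactional: bool = False) -> int:
    units_per_item = math.ceil(item_size_kb / WRITE_UNIT_KB)
    return units_per_item * writes_per_second * (2 if transactional else 1)


def table_capacity(reads: Iterable[Tuple[float, int, str]],
                   writes: Iterable[Tuple[float, int, bool]]) -> Tuple[int, int]:
    """Total (RCU, WCU) to provision for a mixed workload.

    reads:  (item_size_kb, reads_per_second, consistency) per access pattern
    writes: (item_size_kb, writes_per_second, transactional) per access pattern
    """
    rcu = sum(rcus_needed(size, rps, mode) for size, rps, mode in reads)
    wcu = sum(wcus_needed(size, wps, tx) for size, wps, tx in writes)
    return rcu, wcu
```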

Non-Relational Database Scaling -

Different Disaster Recovery Strategies

Auto Scaling Cooldown Period:

The cooldown period is a configurable setting for your Auto Scaling Group that helps to ensure that it doesn’t launch or terminate additional instances before the previous scaling activity takes effect.

After the Auto Scaling Group scales using a policy, it waits for the cooldown period to complete before resuming further scaling activities if needed.

The default waiting period is 300 seconds, but this can be modified.


Decoupling Workflows

Loose Coupling -

Tight Coupling -

Poll-based messaging is a request/response approach where a client sends a message to a server and waits for a response.


Simple Queue Service (SQS)

SQS is a web-based service that gives you access to a message queue that can be used to store messages while waiting for another service to process them. It helps in the decoupling of systems and the horizontal scaling of AWS resources.

Simple Queue Service is a messaging queue that allows asynchronous processing of work. One resource will write a message to an SQS queue, and then another resource will retrieve that message from SQS.

The point behind SQS is to decouple work across systems. This way, downstream services in a system can perform work when they are ready to rather than when upstream services feed them data.

In a hypothetical AWS environment running without SQS, Application A would pass Application B data regardless of whether Application B was ready to receive the info. With SQS, however, there is an intermediary step where the data is stored temporarily in a buffer. It waits there until Application B pulls the temporarily stored data. SQS is not a push-based service, so it is necessary for SQS to work in tandem with another service that queries it for information.

There are two types of SQS queues: standard and FIFO. Messages in standard queues may be received out of order, based on message size or however else the SQS queues decide to optimize. FIFO queues guarantee that the order of messages that went into the queue is the same as the order of messages that leave it.

Standard SQS queues guarantee that a message is delivered at least once and because of this, it is possible on occasion that a message might be delivered more than once due to the asynchronous and highly distributed architecture. With standard queues, you have a nearly unlimited number of transactions per second.

Amazon SQS visibility timeout

Visibility timeouts in SQS are the mechanism in which messages marked for delivery from the queue are given a time frame to be fully received by a reader. This is done by temporarily making them invisible to other readers. If the message is not fully processed within the time limit, the message becomes visible again. This is another way in which messages can be duplicated. If you want to reduce the chance of duplication, increase the visibility timeout.

The visibility timeout maximum is 12 hours.

Always remember that a message in the SQS queue will continue to exist even after the EC2 instance has processed it, until you delete that message. You have to ensure that you delete the message after processing to prevent the message from being received and processed again once the visibility timeout expires.
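
The visibility-timeout behaviour described above, as an added example that is not part of the original notes: an in-memory stand-in for a standard queue (not the SQS implementation) driven by a simulated clock, showing a redelivery when processing outlives the timeout, the fix of a longer timeout, and what happens when a consumer never deletes.

```python
"""Model of standard-queue delivery semantics: visibility timeout, at-least-once
delivery, explicit delete. Added example, not from the notes and not SQS itself.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Received:
    message_id: str
    body: str
    receipt_handle: str
    receive_count: int


class FakeQueue:
    """Minimal standard-queue model: messages persist until deleted."""

    def __init__(self, visibility_timeout_s: float):
        self.visibility_timeout_s = visibility_timeout_s
        self._msgs: Dict[str, dict] = {}
        self._seq = 0

    def send(self, body: str) -> str:
        self._seq += 1
        mid = f"m{self._seq}"
        self._msgs[mid] = {"body": body, "invisible_until": 0.0,
                           "receive_count": 0, "handle": None}
        return mid

    def receive(self, now: float) -> Optional[Received]:
        """Hand out the first visible message and hide it for the timeout."""
        for mid, st in self._msgs.items():
            if st["invisible_until"] <= now:
                st["invisible_until"] = now + self.visibility_timeout_s
                st["receive_count"] += 1
                st["handle"] = f"{mid}-r{st['receive_count']}"  # new handle per receive
                return Received(mid, st["body"], st["handle"], st["receive_count"])
        return None

    def delete(self, receipt_handle: str) -> bool:
        """Per the SQS DeleteMessage docs, only the most recent receipt handle
        deletes the message; a stale one is accepted but does nothing."""
        for mid, st in list(self._msgs.items()):
            if st["handle"] == receipt_handle:
                del self._msgs[mid]
                return True
        return False

    def pending(self) -> int:
        return len(self._msgs)


def simulate(queue: FakeQueue, consumers: int, work_seconds: float,
             delete_after: bool, horizon: float) -> Tuple[List[str], int, int]:
    """Run `consumers` pollers on a one-second clock until `horizon`.

    Returns (ids processed for the first time, duplicate deliveries, messages
    still queued). The `seen` set is the consumer-side idempotency check that
    makes an unavoidable redelivery harmless.
    """
    busy_until = [0.0] * consumers
    inflight: List[Optional[Received]] = [None] * consumers
    seen, processed, duplicates = set(), [], 0
    now = 0.0
    while now <= horizon:
        for i in range(consumers):
            if inflight[i] is not None and busy_until[i] <= now:
                if delete_after:                       # the step the notes insist on
                    queue.delete(inflight[i].receipt_handle)
                inflight[i] = None
            if inflight[i] is None:
                msg = queue.receive(now)
                if msg is not None:
                    if msg.message_id in seen:
                        duplicates += 1
                    else:
                        seen.add(msg.message_id)
                        processed.append(msg.message_id)
                    inflight[i] = msg
                    busy_until[i] = now + work_seconds
        now += 1.0
    return processed, duplicates, queue.pending()


def scenario(visibility_timeout_s: float, consumers: int, work_seconds: float,
             delete_after: bool, horizon: float = 120.0) -> Tuple[List[str], int, int]:
    """One constructed message through the model under the given settings."""
    queue = FakeQueue(visibility_timeout_s)
    queue.send("order-42")   # constructed sample message
    return simulate(queue, consumers, work_seconds, delete_after, horizon)
```

With a 30 s timeout and 45 s of processing, a second consumer picks the message up at t=30 and the first consumer's stale handle can no longer delete it; raising the timeout to 60 s removes the duplicate.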

SQS Polling:

Dead-Letter Queues :

Dead-Letter Queues Benefits -

What is push-based messaging?

Any message sent by a producer that arrives at an SNS topic is immediately sent to all consumers.

Simple Notification Service (SNS)

Simple Notification Service is a push-based messaging service that provides a highly scalable, flexible, and cost-effective method to publish custom messages to subscribers who wish to be informed about a certain topic.

  • Messages can be up to 256 KB of text in any format.
  • Messages that fail to be delivered can be stored in an SQS DLQ.
  • FIFO only supports SQS FIFO queues as a subscriber.
  • Messages are encrypted in transit by default, and you can add at-rest via AWS KMS.
  • A resource policy can be added to a topic, similar to S3. Useful for cross-account access.
  • By default, every message published to a topic is sent to all subscribers.
  • Filter policies use JSON to define which messages get sent to specific subscribers.

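How a subscription filter policy decides which messages a subscriber receives, as an added example that is not part of the original notes: a matcher modelled on the SNS attribute filter syntax (exact values, prefix, anything-but, numeric ranges, exists) run over a constructed policy and messages. It is a simplified model, not SNS itself.

```python
"""Filter-policy matcher modelled on SNS message-attribute filtering.
Added example, not from the notes and not the SNS implementation."""
import json
from typing import Any, Dict, List

Attrs = Dict[str, Dict[str, str]]   # SNS attributes: name -> {"Type", "Value"}

_OPS = {"=": lambda a, b: a == b, ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
        "<": lambda a, b: a < b, "<=": lambda a, b: a <= b}


def _attr_values(attr: Dict[str, str]) -> List[Any]:
    """Normalise one attribute to the list of values a condition can match."""
    kind, raw = attr["Type"], attr["Value"]
    if kind == "Number":
        return [float(raw)]
    if kind == "String.Array":
        return list(json.loads(raw))
    return [raw]


def _condition_matches(cond: Any, value: Any) -> bool:
    if isinstance(cond, str):                         # exact string value
        return value == cond
    if isinstance(cond, (int, float)) and not isinstance(cond, bool):
        return isinstance(value, (int, float)) and float(value) == float(cond)
    if isinstance(cond, dict):
        if "prefix" in cond:
            return isinstance(value, str) and value.startswith(cond["prefix"])
        if "anything-but" in cond:
            banned = cond["anything-but"]
            return value not in (banned if isinstance(banned, list) else [banned])
        if "numeric" in cond:                         # e.g. [">=", 100, "<", 500]
            spec = cond["numeric"]
            return isinstance(value, (int, float)) and all(
                _OPS[op](float(value), float(bound))
                for op, bound in zip(spec[0::2], spec[1::2]))
    return False


def policy_matches(policy: Dict[str, list], attrs: Attrs) -> bool:
    """Every policy key must be satisfied; within a key, conditions are OR-ed.

    {"exists": true/false} is treated as a presence gate for that key (a
    simplification of the SNS rules). Message attributes absent from the
    policy are ignored, which is why an empty policy delivers everything.
    """
    for name, conditions in policy.items():
        present = name in attrs
        exists = [c["exists"] for c in conditions if isinstance(c, dict) and "exists" in c]
        others = [c for c in conditions if not (isinstance(c, dict) and "exists" in c)]
        if any(flag != present for flag in exists):
            return False
        if not present:
            if exists:          # {"exists": false} satisfied, nothing more to check
                continue
            return False
        if others:
            values = _attr_values(attrs[name])
            if not any(_condition_matches(c, v) for c in others for v in values):
                return False
    return True


# Constructed policy and messages (not from the notes).
POLICY = {
    "store": ["example_corp"],
    "event": [{"prefix": "order-"}],
    "price_usd": [{"numeric": [">=", 100, "<", 500]}],
    "customer_interests": [{"anything-but": ["rugby"]}],
    "internal": [{"exists": False}],
}


def _msg(**attrs: Any) -> Attrs:
    """Build attributes with SNS types inferred from the Python value."""
    out: Attrs = {}
    for k, v in attrs.items():
        if isinstance(v, (int, float)):
            out[k] = {"Type": "Number", "Value": str(v)}
        elif isinstance(v, list):
            out[k] = {"Type": "String.Array", "Value": json.dumps(v)}
        else:
            out[k] = {"Type": "String", "Value": v}
    return out


SAMPLE_MESSAGES = {
    "ok":       _msg(store="example_corp", event="order-placed", price_usd=150,
                     customer_interests=["soccer", "tennis"]),
    "cheap":    _msg(store="example_corp", event="order-placed", price_usd=50,
                     customer_interests=["soccer"]),
    "rugby":    _msg(store="example_corp", event="order-placed", price_usd=150,
                     customer_interests=["rugby"]),
    "internal": _msg(store="example_corp", event="order-placed", price_usd=150,
                     customer_interests=["soccer"], internal="yes"),
    "no_store": _msg(event="order-placed", price_usd=150, customer_interests=["soccer"]),
}


def deliverable(policy: Dict[str, list], messages: Dict[str, Attrs]) -> List[str]:
    """Ids of the messages the subscriber would actually receive."""
    return [mid for mid, attrs in messages.items() if policy_matches(policy, attrs)]
```
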
API Gateway

API Gateway is a fully managed service for developers that makes it easy to build, publish, manage, and secure entire APIs. With a few clicks in the AWS Management Console, you can create an API that acts as a “front door” for applications to access data, business logic, or functionality from your back-end services, such as workloads running on EC2, code running on AWS Lambda, or any web application.

Amazon API Gateway handles all the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management.

Amazon API Gateway has no minimum fees or startup costs. You pay only for the API calls you receive and the amount of data transferred out.

API Gateway does the following for your APIs:

Since API Gateway can function with AWS Lambda, you can run your APIs and code without needing to maintain servers.

Amazon API Gateway provides throttling at multiple levels including global and by a service call.

You can add caching to API calls by provisioning an Amazon API Gateway cache and specifying its size in gigabytes. The cache is provisioned for a specific stage of your APIs. This improves performance and reduces the traffic sent to your back end. Cache settings allow you to control the way the cache key is built and the time-to-live (TTL) of the data stored for each method. Amazon API Gateway also exposes management APIs that help you invalidate the cache for each stage.

You can enable API caching for improving latency and reducing I/O for your endpoint.

When caching for a particular API stage (a versioned deployment of your API), you cache responses for a particular TTL in seconds.

API Gateway supports AWS Certificate Manager and can make use of free TLS/SSL certificates.

With API Gateway, there are two kinds of API calls:

API Options :

Endpoint Types :

AWS Batch

Batch computing runs jobs asynchronously and automatically across multiple compute instances. While running a single job may be trivial, running many at scale, particularly with multiple dependencies, can be more challenging. This is where using a fully managed service such as AWS Batch offers significant benefit.

Solutions built on AWS Batch allow developers to build efficient, long-running compute jobs by focusing on the business logic required, while AWS manages the scheduling and provisioning of the work.

As a fully managed service, AWS Batch helps you to run batch computing workloads of any scale. AWS Batch automatically provisions compute resources and optimizes the workload distribution based on the quantity and scale of the workloads. With AWS Batch, there’s no need to install or manage batch computing software, so you can focus your time on analyzing results and solving problems.

Batch Components :

Fargate VS EC2 -

AWS Batch VS AWS Lambda -

Managed vs Unmanaged Compute Environment :

Amazon MQ

Amazon MQ Brokers :

AWS Step Functions

AWS Step Functions is a serverless orchestration service that lets you integrate with AWS Lambda functions and other AWS services to build business-critical applications. Through Step Functions’ graphical console, you see your application’s workflow as a series of event-driven steps.

Step Functions is based on state machines and tasks. In Step Functions, a workflow is called a state machine, which is a series of event-driven steps. Each step in a workflow is called a state. A Task state represents a unit of work that another AWS service, such as AWS Lambda, performs. A Task state can call any AWS service or API.

With Step Functions’ built-in controls, you examine the state of each step in your workflow to make sure that your application runs in order and as expected. Depending on your use case, you can have Step Functions call AWS services, such as Lambda, to perform tasks. You can create workflows that process and publish machine learning models. You can have Step Functions control AWS services, such as AWS Glue, to create extract, transform, and load (ETL) workflows. You also can create long-running, automated workflows for applications that require human interaction.

All state machines are written in the Amazon States Language format.

Execution Types -

Different States :

Amazon AppFlow

Amazon AppFlow is a fully-managed integration service that enables you to securely exchange data between software as a service (SaaS) applications, such as Salesforce, and AWS services, such as Amazon Simple Storage Service (Amazon S3) and Amazon Redshift. For example, you can ingest contact records from Salesforce to Amazon Redshift or pull support tickets from Zendesk to an Amazon S3 bucket.

BENEFITS -

AppFlow Use Cases -

*Up to 100 GB per flow

BIG DATA

3 Vs that differentiate big data from traditional data -


Amazon Redshift

Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud. The Amazon Redshift service manages all of the work of setting up, operating, and scaling a data warehouse. These tasks include provisioning capacity, monitoring and backing up the cluster, and applying patches and upgrades to the Amazon Redshift engine.

Redshift is used for business intelligence and pulls in very large and complex datasets to perform complex queries in order to gather insights from the data.
It fits the use case of Online Analytical Processing (OLAP). Redshift is a powerful technology for data discovery including capabilities for almost limitless report viewing, complex analytical calculations, and predictive “what if” scenario (budget, forecast, etc.) planning.

Redshift can also asynchronously replicate your snapshots to a different region if desired.

Redshift is encrypted in transit using SSL and is encrypted at rest using AES-256. By default, Redshift will manage all keys, but you can manage them yourself via AWS CloudHSM or AWS KMS.

Redshift is billed for:

Redshift Spectrum -

Enhanced VPC Routing -

ETL

ETL stands for Extract, Transform, Load. It’s a process used in data warehousing and data integration to gather data from various sources, transform it into a consistent format, and load it into a target database or data warehouse.

ETL processes are crucial in ensuring that data is effectively collected, integrated, and made available for analysis and decision-making purposes within organizations. They help maintain data quality, consistency, and integrity across disparate data sources.

EMR

Amazon EMR (previously called Amazon Elastic MapReduce) is a managed cluster platform that simplifies running big data frameworks, such as Apache Hadoop and Apache Spark, on AWS to process and analyze vast amounts of data. Using these frameworks and related open-source projects, you can process data for analytics purposes and business intelligence workloads. Amazon EMR also lets you transform and move large amounts of data into and out of other AWS data stores and databases, such as Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB.

EMR Storage -

Amazon EMR Clusters and Nodes :
Clusters are groups of EC2 instances within Amazon EMR. Each instance is a node.

Primary Node :
Manages the cluster, coordinates distribution of data and tasks, tracks health statuses.

Core Node :
Runs tasks and stores data in Hadoop Distributed File System (HDFS). Long-running!

Task Node :
ONLY runs tasks, with no storage of data within HDFS. Optional. Typically Spot instances.

Purchasing Options and Cluster Types :

Toolsets to Keep in Mind -

Built-in support for Spark, Hive, HBase, Flink, Hudi, and Presto.


Kinesis

Amazon Kinesis makes it easy to collect, process, and analyze real-time, streaming data so you can get timely insights and react quickly to new information. With Amazon Kinesis, you can ingest real-time data such as video, audio, application logs, website clickstreams, and IoT telemetry data for machine learning, analytics, and other applications. Amazon Kinesis enables you to process and analyze data as it arrives and respond instantly instead of having to wait until all your data is collected before the processing can begin.

Amazon Kinesis makes it easy to load and analyze the large volumes of data entering AWS.

Kinesis is used for processing real-time data streams (data that is generated continuously) from devices constantly sending data into AWS so that said data can be collected and analyzed.

It is a fully managed service that automatically scales to match the throughput of your data and requires no ongoing administration. It can also batch, compress, and encrypt the data before loading it, minimizing the amount of storage used at the destination and increasing security.

There are three different types of Kinesis:

Kinesis vs. SQS

Amazon Athena

AWS Athena is an interactive query service that makes it easy to analyze data directly in Amazon Simple Storage Service (Amazon S3) using standard SQL. It’s a serverless service, meaning there’s no infrastructure to manage, and you only pay for the queries you run.

Amazon Glue

AWS Glue is a serverless data integration service that makes it easy for analytics users to discover, prepare, move, and integrate data from multiple sources. You can use it for analytics, machine learning, and application development. It also includes additional productivity and data ops tooling for authoring, running jobs, and implementing business workflows.

With AWS Glue, you can discover and connect to more than 70 diverse data sources and manage your data in a centralized data catalog. You can visually create, run, and monitor extract, transform, and load (ETL) pipelines to load data into your data lakes.

You can specify the number of DPUs for an ETL job. A Glue ETL job must have a minimum of 2 DPUs. AWS Glue allocates 10 DPUs to each ETL job by default.


Amazon QuickSight

Amazon QuickSight is a cloud-scale business intelligence (BI) service that you can use to deliver easy-to-understand insights to the people who you work with, wherever they are. Amazon QuickSight connects to your data in the cloud and combines data from many different sources. In a single data dashboard, QuickSight can include AWS data, third-party data, big data, spreadsheet data, SaaS data, B2B data, and more.


AWS Data Pipeline

AWS CodePipeline is a continuous delivery service you can use to model, visualize, and automate the steps required to release your software. You can quickly model and configure the different stages of a software release process. CodePipeline automates the steps required to release your software changes continuously.

Amazon MSK

Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. Amazon MSK provides the control-plane operations, such as those for creating, updating, and deleting clusters. It lets you use Apache Kafka data-plane operations, such as those for producing and consuming data. It runs open-source versions of Apache Kafka. This means existing applications, tooling, and plugins from partners and the Apache Kafka community are supported without requiring changes to application code.

Amazon MSK detects and automatically recovers from the most common failure scenarios for clusters so that your producer and consumer applications can continue their write and read operations with minimal impact. When Amazon MSK detects a broker failure, it mitigates the failure or replaces the unhealthy or unreachable broker with a new one. In addition, where possible, it reuses the storage from the older broker to reduce the data that Apache Kafka needs to replicate. Your availability impact is limited to the time required for Amazon MSK to complete the detection and recovery. After a recovery, your producer and consumer apps can continue to communicate with the same broker IP addresses that they used before the failure.

Resiliency in Amazon MSK :

Security and Logging -

Amazon OpenSearch

OpenSearch is a managed service allowing you to run search and analytics engines for various use cases. It is the successor to Amazon Elasticsearch Service.

OpenSearch is a distributed, community-driven, Apache 2.0-licensed, 100% open-source search and analytics suite used for a broad set of use cases like real-time application monitoring, log analytics, and website search. OpenSearch provides a highly scalable system for providing fast access and response to large volumes of data with an integrated visualization tool, OpenSearch Dashboards, that makes it easy for users to explore their data. OpenSearch is powered by the Apache Lucene search library, and it supports a number of search and analytics capabilities such as k-nearest neighbors (KNN) search, SQL, Anomaly Detection, Machine Learning Commons, Trace Analytics, full-text search, and more.

SERVERLESS ARCHITECTURE

AWS Lambda

AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume. With Lambda, you can run code for virtually any type of application or backend service - all with zero administration. You upload your code and Lambda takes care of everything required to run and scale your code with high availability. You can set up your code to be automatically triggered from other AWS services or be called directly from any web or mobile app.

Lambda Features -

Lambda Configuration -

Lambda Function Quotas -

AWS Serverless Application Repository

The AWS Serverless Application Repository is a managed repository for deploying and publishing serverless applications.

You can also use pre-built applications instead of cloning, building, packaging, and publishing source code to AWS before deploying it.

Each application includes an AWS SAM(Serverless Application Model) template that specifies the AWS resources that will be used.

Containerization

A container is a standard unit of software that packages up code and all its dependencies, so the application runs quickly and reliably from one computing environment to another.

Amazon ECS

Amazon Elastic Container Service is a service that allows you to easily launch and manage Docker containers running on AWS compute.

ECS VS EKS

AWS Fargate

AWS Fargate is a serverless compute engine for containers.

The Fargate launch type allows you to run your containerized applications without the need to provision and manage the backend infrastructure. Just register your task definition and Fargate launches the container for you.

Fargate makes it easy for you to focus on building your applications. It removes the need to provision and manage servers, lets you specify and pay for resources per application, and improves security through application isolation by design.

ECS Launch Types :

Fargate VS Lambda :

Fargate -

Lambda -

Amazon EventBridge

Amazon EventBridge (formerly CloudWatch Events) is a serverless event bus. It allows you to pass events from a source to an endpoint. Essentially, it’s the glue that holds your serverless application together.

EventBridge Concepts -

Rule Triggers :

Integrations -

Amazon Elastic Container Registry (ECR)

Amazon Elastic Container Registry (Amazon ECR) is an AWS managed container image registry service that is secure, scalable, and reliable. Amazon ECR supports private repositories with resource-based permissions using AWS IAM. This is so that specified users or Amazon EC2 instances can access your container repositories and images.

Components of Amazon ECR

Features of Amazon ECR -

Amazon EKS Distro

Amazon EKS Distro (EKS-D) is a Kubernetes distribution based on and used by Amazon EKS.

EKS Anywhere

ECS Anywhere

ECS Anywhere Requirements -

Amazon Aurora Serverless

Popular Use Cases -

AWS X-RAY

  • Collects application data for viewing, filtering, and gaining insights about requests and responses
  • Views calls to downstream AWS resources and other microservices/APIs or databases
  • Receives traces from your applications to provide insights
  • Integrated services can add tracing headers, send trace data, or run the X-Ray daemon

AWS X-Ray Daemon -

AWS software application that listens on UDP port 2000. It collects raw segment data and sends it to the AWS X-Ray API.

When the daemon is running, it works along with the AWS X-Ray SDKs.
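The daemon's input format, as an added example (not code from the page or from the X-Ray SDKs): each UDP datagram is a one-line JSON header, a newline, and one segment document. The trace-ID layout and the error/throttle/fault flags follow X-Ray's documented segment conventions; the service name, timestamps and status codes are constructed values.

```python
import json
import os
import socket
import time

# The X-Ray daemon expects each UDP datagram to start with this one-line header,
# followed by a newline and one segment document in JSON.
XRAY_DAEMON_HEADER = '{"format": "json", "version": 1}'
XRAY_DAEMON_ADDR = ("127.0.0.1", 2000)  # the daemon's default UDP listener


def new_trace_id(epoch_seconds=None):
    """Trace IDs are "1-<8 hex digits of epoch seconds>-<24 hex random digits>"."""
    now = int(time.time() if epoch_seconds is None else epoch_seconds)
    return "1-%08x-%s" % (now, os.urandom(12).hex())


def new_segment_id():
    """Segment IDs are 16 hex digits."""
    return os.urandom(8).hex()


def build_segment(name, trace_id, start_time, end_time, http_status=200):
    """Build a complete segment document for one request handled by `name`."""
    segment = {
        "name": name,
        "id": new_segment_id(),
        "trace_id": trace_id,
        "start_time": start_time,
        "end_time": end_time,
        "http": {"response": {"status": http_status}},
    }
    # X-Ray's convention: 4xx is an error (429 additionally a throttle), 5xx a fault.
    if 400 <= http_status < 500:
        segment["error"] = True
        if http_status == 429:
            segment["throttle"] = True
    elif http_status >= 500:
        segment["fault"] = True
    return segment


def encode_datagram(segment):
    """Header line + newline + compact JSON, as the daemon reads it off UDP."""
    return (XRAY_DAEMON_HEADER + "\n" + json.dumps(segment, separators=(",", ":"))).encode("utf-8")


def decode_datagram(data):
    """Parse a datagram the way the daemon does; reject unknown header versions."""
    header_line, body = data.decode("utf-8").split("\n", 1)
    header = json.loads(header_line)
    if header.get("format") != "json" or header.get("version") != 1:
        raise ValueError("unsupported X-Ray daemon header: %s" % header_line)
    return json.loads(body)


def send_to_daemon(segment, addr=XRAY_DAEMON_ADDR):
    """Fire-and-forget send to a running daemon (UDP, so there is no delivery guarantee)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(encode_datagram(segment), addr)
```

Because transport is UDP, a segment that is too large or malformed is silently dropped by the daemon; the decode function mirrors the header check so you can validate what an application emits before it ever reaches port 2000.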

AWS AppSync

Robust, scalable GraphQL interface for application developers

Combines data from multiple sources (e.g., Amazon DynamoDB and AWS Lambda)

Enables data interaction for developers via GraphQL

GraphQL: a data query language that enables apps to fetch exactly the data they need from servers

Seamless integration with React, React Native, iOS, and Android

Security

DDoS Attack

A Distributed Denial of Service (DDoS) attack is an attack that attempts to make your website or application unavailable to your end users.

This can be achieved by multiple mechanisms, such as large packet floods, by using a combination of reflection and amplification techniques, or by using large botnets.

Layer 4 DDoS Attack -

A Layer 4 DDoS attack is often referred to as a SYN flood. It works at the transport layer (TCP).

To establish a TCP connection a 3-way handshake takes place. The client sends a SYN packet to a server, the server replies with a SYN-ACK, and the client then responds to that with an ACK.

After the 3-way handshake is complete, the TCP connection is established, and applications begin sending data using a Layer 7 (application layer) protocol such as HTTP.

SYN Floods -

A SYN flood uses the built-in patience of the TCP stack to overwhelm a server by sending a large number of SYN packets and then ignoring the SYN-ACKs returned by the server.

This causes the server to use up resources waiting for a set amount of time for the anticipated ACK that should come from a legitimate client.

There are only so many concurrent TCP connections that a web or application server can have open, so if an attacker sends enough SYN packets to a server, it can easily eat through the allowed number of TCP connections.

This then prevents legitimate requests from being answered by the server.

Amplification Attack -

Amplification/reflection attacks can include things such as NTP, SSDP, DNS, CharGEN, SNMP attacks, etc.

This is where an attacker may send a third-party server (such as an NTP server) a request using a spoofed IP address.

That server will then respond to that request with a greater payload than the initial request (usually within the region of 28-54 times larger than the request) to the spoofed IP address.

This means that if the attacker sends a packet with a spoofed IP address of 64 bytes, the NTP server would respond with up to 3,456 bytes of traffic.

Attackers can coordinate this across multiple NTP servers at once, so that every second a large volume of legitimate-looking NTP traffic is sent to the target.

Layer 7 Attack -

A Layer 7 attack occurs where a web server receives a flood of GET or POST requests, usually from a botnet or a large number of compromised computers.

CloudTrail

Think of Management events as things normally done by people when they are in AWS. Examples:

Data events provide information about the resource operations performed on or in a resource.

Think of Data events as things normally done by software when hitting various AWS endpoints. Examples:

By default, CloudTrail logs management events, but not data events.

By default, CloudTrail Events log files are encrypted using Amazon S3 server-side encryption (SSE). You can also choose to encrypt your log files with an AWS Key Management Service (AWS KMS) key. As these logs are stored in S3, you can define Amazon S3 lifecycle rules to archive or delete log files automatically. If you want notifications about log file delivery and validation, you can set up Amazon SNS notifications.
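A worked illustration of the management/data split and of the file layout described above, added here and not part of the page: CloudTrail delivers gzip-compressed JSON files whose top-level key is "Records", and each record carries eventCategory, managementEvent and readOnly fields. The records, account ID and user names below are constructed; the watchlist is a defender's choice of real CloudTrail API names that change or stop a trail.

```python
import gzip
import json

# Constructed records in the shape of a CloudTrail log file ({"Records": [...]}),
# trimmed to the fields used below. Account ID, user names and ARNs are made up.
SAMPLE_RECORDS = {"Records": [
    {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "eventCategory": "Management", "managementEvent": True,
     "readOnly": False, "userIdentity": {"type": "Root", "accountId": "111122223333"}},
    {"eventTime": "2024-05-01T12:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "eventCategory": "Management", "managementEvent": True,
     "readOnly": False, "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-05-01T12:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "eventCategory": "Management", "managementEvent": True,
     "readOnly": True, "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-05-01T12:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "eventCategory": "Data", "managementEvent": False,
     "readOnly": True, "userIdentity": {"type": "AssumedRole",
                                        "arn": "arn:aws:sts::111122223333:assumed-role/app/i-0123"}},
    {"eventTime": "2024-05-01T12:04:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "eventCategory": "Management", "managementEvent": True,
     "readOnly": False, "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]}

# Management-plane actions that weaken the audit trail itself; a defender
# usually wants to be paged on these regardless of who issued them.
WATCHLIST = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def gzip_log_file(payload):
    """Produce bytes in the form CloudTrail writes to S3: gzip-compressed JSON."""
    return gzip.compress(json.dumps(payload).encode("utf-8"))


def load_records(gz_bytes):
    """Read one delivered log file back into its list of records."""
    return json.loads(gzip.decompress(gz_bytes).decode("utf-8"))["Records"]


def classify(records):
    """Count management vs data events, and how many of all events were writes."""
    counts = {"management": 0, "data": 0, "writes": 0}
    for r in records:
        counts["management" if r.get("managementEvent") else "data"] += 1
        if not r.get("readOnly", False):
            counts["writes"] += 1
    return counts


def suspicious(records):
    """Two simple detections: any root-account activity, and trail tampering."""
    alerts = []
    for r in records:
        ident = r["userIdentity"]
        who = ident.get("userName") or ident.get("arn") or ident["type"]
        if ident["type"] == "Root":
            alerts.append(f'{r["eventTime"]} root account used: {r["eventName"]}')
        if r["eventName"] in WATCHLIST:
            alerts.append(f'{r["eventTime"]} trail tampering: {r["eventName"]} by {who}')
    return alerts
```

Note that the data event (GetObject) only appears in the file because data-event logging was switched on for that bucket; with the default trail settings only the four management events would be present.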

AWS Shield

FREE DDOS PROTECTION

AWS Shield Advanced

Shield Advanced costs $3,000 USD per month.

AWS WAF (Web Application Firewall)

AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to Amazon CloudFront or an Application Load Balancer.

AWS WAF also lets you control access to your content.

You can configure conditions such as what IP addresses are allowed to make this request or what query string parameters need to be passed for the request to be allowed.

The Application Load Balancer or CloudFront will then either allow the request through or return an HTTP 403 status code.

AWS WAF operates at Layer 7

AWS WAF ALLOWS 3 Different Behaviors :

You can define conditions by using characteristics of web requests such as the following :
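The Layer 7 flood described earlier and the rate-based behaviour AWS WAF offers against it come together in this added example, which is not code from the page: a sliding-window counter per client IP over a constructed, simplified request log, blocking once an IP exceeds a limit within the window (the 5-minute window is the AWS WAF rate-based rule default; the limit of 5 is deliberately tiny so the sample shows a block). Log line format, IPs and paths are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed request log in a simplified ALB-like form:
# "<ISO8601 time> <client ip> <method> <path> <status>". Not real traffic.
SAMPLE_REQUEST_LOG = """\
2024-05-01T12:00:00Z 203.0.113.10 POST /login 401
2024-05-01T12:00:01Z 198.51.100.7 GET /index.html 200
2024-05-01T12:00:01Z 203.0.113.10 POST /login 401
2024-05-01T12:00:02Z 203.0.113.10 POST /login 401
2024-05-01T12:00:03Z 203.0.113.10 POST /login 401
2024-05-01T12:00:04Z 203.0.113.10 POST /login 401
2024-05-01T12:00:05Z 203.0.113.10 POST /login 401
2024-05-01T12:00:06Z 203.0.113.10 POST /login 401
2024-05-01T12:00:07Z 203.0.113.10 POST /login 401
2024-05-01T12:03:00Z 198.51.100.7 GET /about.html 200
2024-05-01T12:09:00Z 198.51.100.7 GET /index.html 200
"""


def parse_line(line):
    ts, ip, method, path, status = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": when, "ip": ip, "method": method, "path": path, "status": int(status)}


def rate_limit(lines, window_seconds=300, limit=5):
    """Sliding-window count per source IP. A request is BLOCKed once its IP has
    made more than `limit` requests in the trailing `window_seconds`.
    Returns (decisions, blocked_ips); each decision is (time, ip, action, count)."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    decisions = []
    blocked_ips = set()
    for line in lines:
        if not line.strip():
            continue
        req = parse_line(line)
        q = recent[req["ip"]]
        while q and (req["time"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # forget requests that have aged out of the window
        q.append(req["time"])
        action = "BLOCK" if len(q) > limit else "ALLOW"
        if action == "BLOCK":
            blocked_ips.add(req["ip"])
        decisions.append((req["time"].isoformat(), req["ip"], action, len(q)))
    return decisions, blocked_ips


def blocked_count(decisions):
    return sum(1 for d in decisions if d[2] == "BLOCK")
```

The window slides rather than resets, so a legitimate client whose earlier requests have aged out is never penalised, while a flood from one source is cut off after its first `limit` requests in any window.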

Amazon GuardDuty

GuardDuty is a threat detection service that uses machine learning to continuously monitor for malicious behavior.

GuardDuty Features -

Threat Detection with AI

7-14 days to set a baseline - what is normal behavior on your account?

Once active, you will see findings on the GuardDuty console and in CloudWatch Events only if GuardDuty detects behavior it considers a threat.
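The EventBridge rule mechanics from the section above and the way GuardDuty findings surface in EventBridge (CloudWatch Events) are illustrated together in this added example, which is not code from the page or from AWS: a small matcher implementing the event-pattern semantics (exact-match lists, nested objects, `prefix`, `numeric` and `exists` matchers) run against a constructed finding. The pattern and the finding values are made up for illustration.

```python
import json

# Constructed sample in the shape GuardDuty findings take when delivered to
# EventBridge (fields trimmed, values made up for illustration).
SAMPLE_FINDING_EVENT = {
    "version": "0",
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "region": "us-east-1",
    "detail": {
        "severity": 8.0,
        "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
        "accountId": "111122223333",
    },
}
SAMPLE_FINDING_JSON = json.dumps(SAMPLE_FINDING_EVENT)  # as it arrives on the bus

# Hypothetical rule pattern: forward only high-severity GuardDuty findings
# whose type starts with "UnauthorizedAccess:".
HIGH_SEVERITY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {
        "severity": [{"numeric": [">=", 7]}],
        "type": [{"prefix": "UnauthorizedAccess:"}],
    },
}

_NUMERIC_OPS = {
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "=": lambda a, b: a == b,
}


def _numeric_ok(spec, value):
    """spec is an operator/operand list such as [">=", 7] or [">", 0, "<=", 10]."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    for i in range(0, len(spec), 2):
        if not _NUMERIC_OPS[spec[i]](value, spec[i + 1]):
            return False
    return True


def _leaf_matches(candidates, value):
    """A pattern leaf is a list; the event value must satisfy at least one entry."""
    for cand in candidates:
        if isinstance(cand, dict):
            if "prefix" in cand and isinstance(value, str) and value.startswith(cand["prefix"]):
                return True
            if "numeric" in cand and _numeric_ok(cand["numeric"], value):
                return True
            if cand.get("exists") is True:
                return True
        elif cand == value:
            return True
    return False


def matches(pattern, event):
    """True when every key in the pattern is satisfied; extra event keys are ignored."""
    for key, sub in pattern.items():
        if key not in event:
            # Only an explicit {"exists": false} can match an absent key.
            if isinstance(sub, list) and any(isinstance(c, dict) and c.get("exists") is False for c in sub):
                continue
            return False
        if isinstance(sub, dict):
            if not isinstance(event[key], dict) or not matches(sub, event[key]):
                return False
        elif not _leaf_matches(sub, event[key]):
            return False
    return True


def route(pattern, event_json):
    """Decode an event as it arrives (JSON text) and decide whether the rule fires."""
    return matches(pattern, json.loads(event_json))
```

Severity thresholds are the usual way to keep a paging target (SNS, a Lambda responder) quiet for low-severity findings while still archiving everything; a second rule with no severity filter can send all findings to a log bucket.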

GuardDuty Pricing

30 DAYS FREE!

CHARGES BASED ON:

Firewall Manager

Firewall Manager is a security management service that gives you a single pane of glass: it allows you to centrally set up and manage firewall rules across multiple AWS accounts and applications in AWS Organizations.

Manage Security across Multiple Accounts -

Using Firewall Manager, you can create new AWS WAF rules for your Application Load Balancers, API Gateways, and Amazon CloudFront distributions. You can also mitigate DDoS attacks using AWS Shield Advanced for your Application Load Balancers, Elastic IP addresses, CloudFront distributions, and more.

Benefits of Firewall Manager -

AWS Macie

To understand Macie, it is important to understand PII or Personally Identifiable Information:

Personal data used to establish an individual’s identity. This data could be exploited by criminals and used in identity theft and financial fraud.

Amazon Macie is an ML-powered security service that helps you prevent data loss by automatically discovering, classifying, and protecting sensitive data stored in Amazon S3. Amazon Macie uses machine learning to recognize sensitive data such as personally identifiable information (PII) or intellectual property, assigns a business value, and provides visibility into where this data is stored and how it is being used in your organization.

You can be informed of detections via the Macie dashboards, alerts, or reporting.

Macie can also analyze CloudTrail logs to see who might have interacted with sensitive data.

Macie continuously monitors data access activity for anomalies, and delivers alerts when it detects risk of unauthorized access or inadvertent data leaks.

Macie can detect global access permissions being set inadvertently on sensitive data, detect API keys uploaded inside source code, and verify that sensitive customer data is stored and accessed in a manner that meets compliance standards.

Amazon Inspector

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.

Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices.

Assessment Findings -

After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity.

These findings can be reviewed directly or as part of detailed assessment reports that are available via the Amazon Inspector console or API.

2 Types of Assessment :


Instructions :

KMS

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.

Integration :

AWS KMS is integrated with other AWS services, such as EBS, S3, and RDS, to make it simple to encrypt your data with encryption keys you manage.

Controlling Your Keys :

AWS KMS provides you with centralized control over the lifecycle and permissions of your keys.
You can create new keys whenever you wish, and you can control who can manage keys separately from who can use them.

CMK :

A customer master key (CMK) is a logical representation of a master key. The CMK includes metadata, such as the key ID, creation date, description, and key state.

The CMK also contains the key material used to encrypt and decrypt data.

HSM

A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys and performs encryption and decryption functions.

An HSM contains one or more secure cryptoprocessor chips.

Ways to Generate a CMK :

Key Rotation -

You can choose to have AWS KMS automatically rotate CMKs every year, provided that those keys were generated within AWS KMS HSMs.

Automatic key rotation is not supported for imported keys, asymmetric keys, or keys generated in an AWS CloudHSM cluster using the AWS KMS custom key store feature.
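An added illustration of what rotation does and does not change, not code from the page or from AWS KMS: a stand-in key object keeps a stable key ID, appends a new backing-key version on rotation, stamps every ciphertext with the version that produced it, and refuses to rotate when the key material was imported (origin EXTERNAL) or lives in CloudHSM. The origin names are the real KMS values; the key ID and plaintext are constructed. The wrapping is an unauthenticated HMAC-SHA256 keystream used only so the example runs with the standard library; real KMS uses AES-GCM and this toy must not be reused for actual encryption.

```python
import hashlib
import hmac
import os


class ToyCmk:
    """Illustrative stand-in for a KMS customer master key: one stable key ID, a
    list of backing-key versions, and ciphertexts that record which version
    encrypted them. Not real KMS and not AES-GCM: no integrity protection."""

    def __init__(self, key_id, origin="AWS_KMS"):
        self.key_id = key_id
        self.origin = origin                   # "AWS_KMS", "EXTERNAL" (imported) or "AWS_CLOUDHSM"
        self.backing_keys = [os.urandom(32)]   # version 0 is the first backing key

    @property
    def current_version(self):
        return len(self.backing_keys) - 1

    def rotate(self):
        """Mirror KMS automatic rotation rules: only KMS-generated key material
        rotates, and old versions are kept so old ciphertexts still decrypt."""
        if self.origin != "AWS_KMS":
            raise ValueError(f"automatic rotation unsupported for origin {self.origin}")
        self.backing_keys.append(os.urandom(32))
        return self.current_version

    @staticmethod
    def _keystream(key, nonce, length):
        out = b""
        counter = 0
        while len(out) < length:
            out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, plaintext):
        version = self.current_version
        nonce = os.urandom(16)
        ks = self._keystream(self.backing_keys[version], nonce, len(plaintext))
        body = bytes(p ^ k for p, k in zip(plaintext, ks))
        # Blob = version (4 bytes) || nonce || body. KMS blobs likewise embed the
        # key identity/version, which is why callers never choose a version.
        return version.to_bytes(4, "big") + nonce + body

    def decrypt(self, blob):
        version = int.from_bytes(blob[:4], "big")
        nonce, body = blob[4:20], blob[20:]
        if version > self.current_version:
            raise ValueError("unknown key version")
        ks = self._keystream(self.backing_keys[version], nonce, len(body))
        return bytes(c ^ k for c, k in zip(body, ks))


def rotation_demo():
    """Encrypt, rotate, encrypt again, and report what changed and what did not."""
    cmk = ToyCmk("alias/demo-key")  # constructed key ID
    before = cmk.encrypt(b"customer record")
    cmk.rotate()
    after = cmk.encrypt(b"customer record")
    return {
        "key_id_unchanged": cmk.key_id == "alias/demo-key",
        "versions": cmk.current_version + 1,
        "old_decrypts": cmk.decrypt(before) == b"customer record",
        "new_decrypts": cmk.decrypt(after) == b"customer record",
        "old_version": int.from_bytes(before[:4], "big"),
        "new_version": int.from_bytes(after[:4], "big"),
    }
```

The practical consequence is the one the paragraph above implies: rotation does not re-encrypt existing data, so ciphertext produced under an old version stays readable for as long as the key exists, and deleting the key is what actually renders it unreadable.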

Policies

The primary way to manage access to your AWS KMS CMKs is with policies. Policies are documents that describe who has access to what.

Policies attached to an IAM identity are called identity-based policies (or IAM policies), and policies attached to other kinds of resources are called resource-based policies.

Ways to Control Permissions :

CloudHSM

AWS CloudHSM is a cloud-based HSM that enables you to easily generate and use your own encryption keys on the AWS Cloud.

It is a physical device, entirely dedicated to you, that can be deployed in a highly available fashion.


Secrets Manager

Secrets Manager is a service that securely stores, encrypts, and rotates your database credentials and other secrets.

What else can Secrets Manager do?

What can be stored?

If you enable rotation, Secrets Manager immediately rotates the secret once to test the configuration.

Ensure all of your applications that use these credentials are updated to retrieve the credentials from this secret using Secrets Manager.

If your applications are still using embedded credentials, do not enable rotation because the embedded credentials will no longer work and this will break your application.

This is the recommended setting if your applications are not already using embedded credentials (i.e., they are not going to try to connect to the database using the old credentials).

Parameter Store

Parameter Store is a capability of AWS Systems Manager that provides secure, hierarchical storage for configuration data management and secrets management.

You can store data such as passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values. You can store values as plain text or encrypted data.

Limits to Parameter Store :

Presigned URLs or Cookies

All objects in S3 are private by default.

Only the object owner has permission to access these objects. However, the object owner can optionally share objects with others by creating a presigned URL, using their own security credentials, to grant time-limited permission to download the objects.

Presigned URLs :
When you create a presigned URL for your object, you must provide your security credentials, specify a bucket name and an object key, and indicate the HTTP method (for example, GET to download the object) as well as the expiration date and time.

The presigned URLs are valid only for the specified duration.

Anyone who receives the presigned URL can then access the object. For example, if you have a video in your bucket and both the bucket and the object are private, you can share the video with others by generating a presigned URL.

Presigned Cookies :
These can be useful when you want to provide access to multiple restricted files. The cookie is saved on the user’s computer, and they will be able to browse the entire contents of the restricted content.
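How a presigned URL carries the credentials, expiry and signature, shown as an added example that is not code from the page or from the AWS SDKs: a SigV4 query-string signer for a GET and the matching server-side check (well-formed, inside its validity window, signature recomputed under the secret and compared in constant time). The access key and secret are the placeholder values AWS uses in its own documentation, not working keys; the bucket, object key and times are constructed.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Constructed credentials: AWS's documentation placeholders, not working keys.
DEMO_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
DEMO_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
MAX_PRESIGN_SECONDS = 7 * 24 * 3600  # S3 rejects SigV4 presigned URLs valid for longer


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret, date_stamp, region, service):
    """SigV4 key derivation chain: date -> region -> service -> "aws4_request"."""
    k = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    for part in (region, service, "aws4_request"):
        k = _hmac(k, part)
    return k


def _quote(s):
    return quote(s, safe="-_.~")


def _canonical_request(method, host, path, query):
    canonical_query = "&".join(f"{_quote(k)}={_quote(v)}" for k, v in sorted(query.items()))
    # Presigned URLs sign only the host header and declare the payload unsigned.
    return "\n".join([method, quote(path, safe="/-_.~"), canonical_query,
                      f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])


def _signature(secret, date_stamp, region, service, amz_date, canonical_request):
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    return hmac.new(_signing_key(secret, date_stamp, region, service),
                    string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def presign_get(bucket, key, access_key, secret_key, region, expires, now):
    """Build a SigV4 query-authenticated GET URL valid for `expires` seconds from `now` (UTC)."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    path = "/" + key
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    query = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{date_stamp}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    signature = _signature(secret_key, date_stamp, region, "s3", amz_date,
                           _canonical_request("GET", host, path, query))
    query["X-Amz-Signature"] = signature
    return f"https://{host}{path}?" + "&".join(f"{_quote(k)}={_quote(v)}" for k, v in query.items())


def verify_presigned_get(url, secret_key, now, max_expires=MAX_PRESIGN_SECONDS):
    """The service-side check. Returns (ok, reason)."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = query.pop("X-Amz-Signature", None)
    if presented is None:
        return False, "missing signature"
    try:
        expires = int(query["X-Amz-Expires"])
        signed_at = datetime.strptime(query["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        _, date_stamp, region, service, _ = query["X-Amz-Credential"].split("/")
    except (KeyError, ValueError):
        return False, "malformed query"
    if not 1 <= expires <= max_expires:
        return False, "expiry out of range"
    if now > signed_at + timedelta(seconds=expires):
        return False, "expired"
    expected = _signature(secret_key, date_stamp, region, service, query["X-Amz-Date"],
                          _canonical_request("GET", parts.hostname, unquote(parts.path), query))
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    return True, "ok"
```

Two properties worth noticing: the signature covers the object key, so a recipient cannot edit the URL to reach a different object, and the signed-at time plus X-Amz-Expires is what bounds the URL, so the link is dead after that moment even though nothing about the object changed.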

Amazon Resource Names (ARNs)


IAM Policies

JSON document that defines permissions

A policy document is a list of statements.

Each statement matches an AWS API request.


Permission Boundaries

USE CASES:

Certificate Manager

AWS Certificate Manager allows you to create, manage, and deploy public and private SSL certificates for use with other AWS services.

It integrates with other services - such as Elastic Load Balancing, CloudFront distributions, and API Gateway - allowing you to easily manage and deploy SSL certificates in your AWS environment.

Benefits :

Audit Manager

With Audit Manager, you can continually audit your AWS usage to make sure you stay compliant with industry standards and regulations.

Audit Manager is an automated service that produces reports specific to auditors for PCI compliance, GDPR, and more.

Use Cases :

Artifact

Artifact is a single source you can visit to get the compliance-related information that matters to you, such as AWS security and compliance reports or select online agreements.

There are a huge number of compliance reports available, such as AWS Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and GDPR reports, as well as other certifications (including ISO reports, HIPAA, and more).

Cognito

Cognito provides authentication, authorization, and user management for your web and mobile apps in a single service without the need for custom code. Your users can sign in directly with a username and password they create or through a third party (e.g., Facebook, Amazon, Google, or Apple).

Features:

Use Cases -

User Pools and Identity Pools -

The two main components of Cognito are user pools and identity pools.

User pools are directories of users that provide sign-up and sign-in options for your application users.

Identity pools allow you to give your users access to other AWS services.
You can use identity pools and user pools either separately or together.


Detective

Using Detective, you can analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities.

Detective pulls data in from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to quickly figure out the root cause of your security issues.

Detective Sources -

Detective uses a number of sources within your AWS account (including VPC Flow Logs, CloudTrail logs, Amazon Elastic Kubernetes Service audit logs, and Amazon GuardDuty findings) to automatically create an overview of your users, resources, and the interactions between them over time.

Use Cases :

AWS Network Firewall

Network Firewall is a managed service that makes it easy to deploy physical firewall protection across your VPCs. It has a managed infrastructure (i.e., a physical firewall that is managed by AWS).

Network Firewall includes a firewall rules engine that gives you complete control over your network traffic, allowing you to do things such as block outbound Server Message Block (SMB) requests to stop the spread of malicious activity.

Use Cases :

Security Hub

Security Hub is a single place to view all your security alerts from services like Amazon GuardDuty, Amazon Inspector, Amazon Macie, and AWS Firewall Manager.

It works across multiple accounts.

Use Cases :


AUTOMATION

Manual builds are a gamble. The best-case scenario is that you’ll build it correctly, but you’re more likely to make some costly errors.

Automation Benefits -

AWS CloudFormation

CloudFormation is an automated tool for provisioning entire cloud-based environments. It is similar to Terraform: you codify the instructions for what you want inside your application setup (X web servers of Y type with a Z type DB on the backend, etc.), describe it in markup, and have AWS do the actual provisioning work involved.

Everything is defined via a JSON or YAML template file.

Not ALL AWS resources are supported, but most are!


Using CloudFormation :

Template Sections :
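The template sections in practice, as an added example that is not from the page or from AWS: a constructed template in JSON form carrying AWSTemplateFormatVersion, Description, Parameters, Resources (the only required section) and Outputs, plus a small pre-deployment check of the kind a pipeline runs before `create-stack`, flagging an S3 bucket without default encryption or public access blocking and a security group that opens an admin port to the world. Resource names and values are made up; the property names are the real CloudFormation ones.

```python
import json

# Constructed template in JSON form (CloudFormation accepts JSON or YAML).
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Two buckets and a security group; one bucket is missing controls",
    "Parameters": {"Env": {"Type": "String", "Default": "dev"}},
    "Resources": {
        "LogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                    {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True, "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True, "RestrictPublicBuckets": True},
                "VersioningConfiguration": {"Status": "Enabled"},
            },
        },
        "ScratchBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketName": {"Fn::Sub": "scratch-${Env}"}},
        },
        "WebSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "web tier",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
    },
    "Outputs": {"LogsBucketName": {"Value": {"Ref": "LogsBucket"}}},
}

PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
ADMIN_PORTS = {22, 3389}


def check_template(template):
    """Return (logical_id, message) findings; an empty list means the checks passed."""
    findings = []
    resources = template.get("Resources")
    if not isinstance(resources, dict) or not resources:
        return [("", "Resources section is required and must not be empty")]
    for logical_id, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::S3::Bucket":
            if "BucketEncryption" not in props:
                findings.append((logical_id, "bucket has no default encryption"))
            pab = props.get("PublicAccessBlockConfiguration", {})
            if not all(pab.get(flag) is True for flag in PUBLIC_ACCESS_FLAGS):
                findings.append((logical_id, "bucket does not block all public access"))
        elif res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
                    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
                    if rule.get("IpProtocol") == "-1" or any(lo <= p <= hi for p in ADMIN_PORTS):
                        findings.append((logical_id, f"admin port open to the world ({lo}-{hi})"))
    return findings


def template_json(template):
    """The text you would actually hand to CloudFormation."""
    return json.dumps(template, indent=2)
```

Running the check before deployment is cheaper than finding the same misconfiguration later through Config rules or a Security Hub finding, and the template stays the single source of truth for the fix.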


Platform as a Service (PaaS)

PaaS is a single-stop application deployment model.
You bring your code, and the provider builds everything for you, deploys your application, and then manages it going forward.


Elastic Beanstalk

Elastic Beanstalk is another way to script out your provisioning process by deploying existing applications to the cloud. Elastic Beanstalk is aimed toward developers who know very little about the cloud and want the simplest way of deploying their code.

Elastic Beanstalk is your main stop for everything PaaS in AWS. Let your developers worry about development!

AWS Systems Manager

AWS Systems Manager is a suite of tools designed to let you view, control, and automate both your managed instances in AWS and on-premises.

You must be comfortable with the AWS Systems Manager Agent (SSM Agent)!

List of Important Capabilities -

Session Manager Concepts -

SSM Agent

Amazon EC2, edge devices (AWS and non-AWS IoT), on-prem servers, and custom VMs

AWS Systems Manager Parameter Store

Parameter Store, a capability of AWS Systems Manager, provides secure, hierarchical storage for configuration data management and secrets management.


CACHING

CloudFront

The AWS CDN service is called CloudFront. It serves up cached content and assets for the increased global performance of your application. The main components of CloudFront are the edge locations (cache endpoints), the origin (original source of truth to be cached such as an EC2 instance, an S3 bucket, an Elastic Load Balancer or a Route 53 config), and the distribution (the arrangement of edge locations from the origin or basically the network itself).

ElastiCache

The ElastiCache service makes it easy to deploy, operate, and scale an in-memory cache in the cloud. It helps you boost the performance of your existing databases by retrieving data from high throughput and low latency in-memory data stores.

The service is great for improving the performance of web applications by allowing you to receive information locally instead of relying solely on relatively distant DBs.

Amazon ElastiCache offers fully managed Redis and Memcached for the most demanding applications that require sub-millisecond response times.

For data that doesn’t change frequently and is often asked for, it makes a lot of sense to cache said data rather than querying it from the database.

Common configurations that improve DB performance include introducing read replicas of a DB primary and inserting a caching layer into the storage architecture.

Memcached is for simple caching purposes with horizontal scaling and multi-threaded performance, but if you require more complexity for your caching environment then choose Redis.


Another advantage of using ElastiCache is that by caching query results, you pay the price of the DB query only once without having to re-execute the query unless the data changes.

Amazon ElastiCache can scale-out, scale-in, and scale-up to meet fluctuating application demands. Write and memory scaling is supported with sharding. Replicas provide read scaling.

AWS Global Accelerator

AWS Global Accelerator accelerates connectivity to improve performance and availability for users. Global Accelerator sits on top of the AWS backbone and directs traffic to optimal endpoints worldwide. By default, Global Accelerator provides you two static IP addresses that you can make use of.

Global Accelerator helps reduce the number of hops to get to your AWS resources. Your users just need to make it to an edge location and once there, everything will remain internal to the AWS global network. Normally, it takes many networks to reach the application in full and paths to and from the application may vary. With each hop, there is risk involved either in security or in failure.


In summary, Global Accelerator is a fast/reliable pipeline between user and application.

It’s like going on a trip (web traffic) and stopping to ask for directions in possibly unsafe parts of town (multiple networks are visited which can increase security risks) as opposed to having a GPS (global accelerator) that leads you directly where you want to go (endpoint) without having to make unnecessary stops.

It can be confused with CloudFront, but CloudFront is a cache for content stemming from a distant origin server.

While CloudFront simply caches static content at the closest AWS Point of Presence (POP) location, Global Accelerator uses the same Amazon POP to accept initial requests and routes them directly to the services.

Route 53’s latency-based routing might also appear similar to Global Accelerator, but Route 53 simply helps choose which region the user should use. Route 53 has nothing to do with actually providing a fast network path.

Global Accelerator also provides fast regional failover.


Accelerator: Directs user traffic to the optimal AWS endpoints.

Listener: Processes inbound connections based on ports and protocols.

Endpoint: Resources that Global Accelerator directs traffic to.


Governance

AWS Organizations is a free governance tool that allows you to create and manage multiple AWS accounts.
With it, you can control your accounts from a single location rather than jumping from account to account.

Account Types -

Features :


Multi-account :
Allows you to easily achieve a multi-account design while maintaining centralized management.

Tag Enforcement:
Capability to require specific tags on all AWS resources.

Organizational Unit (OU) :
Logical grouping of multiple accounts to allow for easy management and separation.

Service Control Policies (SCPs) :
JSON policies that get applied to OUs or accounts to restrict which actions are allowed.


Management Account :
SCPs do not affect the management account the way they do member accounts.
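The IAM policy evaluation described under IAM Policies and Permission Boundaries, and the SCP layer from this section, worked through in one added example that is not code from the page or from AWS: a small evaluator handling Effect, Action and Resource with IAM's `*` and `?` wildcards (NotAction, NotResource and Condition are deliberately left out), then combining identity policies, a permissions boundary and the account's SCPs the way the text describes, with explicit Deny winning everywhere and the management account exempt from SCPs. The policies, account ID and ARNs are constructed; FullAWSAccess mirrors the default SCP AWS Organizations attaches.

```python
import re

# Constructed policies for a hypothetical developer in account 111122223333.
DEV_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::team-bucket/*"},
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    ],
}

# Permissions boundary: the ceiling for what this identity can ever do.
DEV_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
    ],
}

# SCPs attached to the member account's OU: the default FullAWSAccess plus a
# guardrail that nobody in the account may switch off CloudTrail.
FULL_AWS_ACCESS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
PROTECT_TRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"], "Resource": "*"},
    ],
}
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _glob(pattern, value, ignore_case=False):
    """IAM wildcards: * matches any run of characters, ? exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate_policy(policy, action, resource):
    """'Allow', 'Deny', or None when no statement matched (an implicit deny).
    Action names are matched case-insensitively, resource ARNs case-sensitively."""
    decision = None
    for stmt in _as_list(policy.get("Statement", [])):
        if not any(_glob(a, action, ignore_case=True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny is final
        decision = "Allow"
    return decision


def is_allowed(action, resource, identity_policies, permissions_boundary=None,
               scps=None, is_management_account=False):
    """An explicit Deny in any layer wins. Otherwise the SCPs (member accounts
    only), the boundary (if one is set) and the identity policies must each Allow."""
    if scps and not is_management_account:
        scp_decisions = [evaluate_policy(p, action, resource) for p in scps]
        if "Deny" in scp_decisions or "Allow" not in scp_decisions:
            return False
    if permissions_boundary is not None:
        if evaluate_policy(permissions_boundary, action, resource) != "Allow":
            return False
    decisions = [evaluate_policy(p, action, resource) for p in identity_policies]
    return "Deny" not in decisions and "Allow" in decisions
```

The boundary case is the one people most often get wrong: the developer's identity policy grants `ec2:*`, but because the boundary only allows `ec2:Describe*`, terminating an instance is refused even though no policy anywhere says Deny.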

Account Best Practices :
Create a centralized logging account for organizational CloudTrail logs.
Also, leverage cross-account roles for accessing member accounts.

AWS Resource Access Manager (RAM)

A free service that allows you to share AWS resources with other accounts inside or outside your organization. AWS RAM allows you to easily share resources rather than having to create duplicate copies in your different accounts.

Shared Resources -

Owners and Participants -

AWS Config

Config is an inventory management and control tool.

It allows you to show the configuration history of your infrastructure over time.

State of Your Architecture -


AWS Config Rules :

With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting.

Alerts and Events :

Directory Service

AWS Directory Service is a fully managed version of Active Directory. It allows you to offload the painful parts of keeping AD online to AWS while still giving you the full control and flexibility AD provides.

Why Use Directory Service?

AWS Cost Explorer

AWS Cost Explorer is an easy-to-use tool that allows you to visualize and analyze your cloud costs.
You can generate custom reports based on a variety of factors, including resource tags.
Break down cost by Monthly, Hourly, and more!
Built-in forecasting up to 12 months.

Features

AWS Budgets

AWS Budgets allows organizations to easily plan and set expectations around cloud costs.
You can easily track your ongoing spend and create alerts to let users know when they’re close to exceeding their allotted spend.

Types of Budgets -

AWS Cost and Usage Reports

Commonly abbreviated as AWS CUR

AWS CUR Use Cases -

AWS Compute Optimizer

Which resources does the service work with?

Supported Accounts :

It’s Disabled by default! You must opt in to leverage AWS Compute Optimizer. After opting in, enhance recommendations via activation of recommendation preferences (e.g., enhanced infrastructure metrics paid feature).

Savings Plans

Savings Plans Types

Using and Applying Savings Plans -

AWS Trusted Advisor

AWS Trusted Advisor is a fully managed best-practice auditing tool.

It inspects your AWS environments, and then makes recommendations when opportunities exist to save money, improve system availability and performance, or help close security gaps.


Cost Optimization: Recommendations where AWS believes we can actually save money within our accounts.

Performance: Checks where and how we can improve speed, efficiency, and responsiveness of our applications resources.

Security: How can we alter our security settings to secure our AWS accounts better? Helps maintain stricter security postures.

Fault Tolerance: What can be done to help increase resiliency and availability of our resources?

Service Limits: Checks the usage of our accounts and whether or not we are approaching service limits for the used resources/services.

AWS Control Tower

Features and Terms to Know -

Guardrails

High-level rules in plain language providing ongoing governance


AWS License Manager

AWS Health

AWS is shifting to calling the service (formerly the AWS Personal Health Dashboard) AWS Health in the documentation.

Automate actions based on incoming events using Amazon EventBridge.

AWS Health Concepts

Service Catalog

Benefits of AWS Service Catalog -

AWS Proton

AWS Proton is a service that creates and manages infrastructure and deployment tooling for users as well as serverless and container-based applications.

AWS Well-Architected Tool


Migration

Moving Data to AWS -

Snow Family

The Snow Family is a set of secure appliances that provide petabyte-scale data collection and processing solutions at the edge and migrate large-scale data into and out of AWS. They offer built-in computing capabilities, enabling customers to run their operations in remote locations that do not have data center access or reliable network connectivity.

Snowcone :

THE SMALLEST DEVICE IN THE SNOW FAMILY

Snowball Edge :

Snowmobile :

Storage Gateway

Storage Gateway is a hybrid cloud storage service that helps you merge on-premises resources with the cloud. It can help with a one-time migration or a long-term pairing of your architecture with AWS.

CACHING LOCAL FILES


Volume Gateway

BACKUP DRIVES


Tape Gateway


DataSync

AWS DataSync is an agent-based solution for migrating on-premises storage to AWS. It allows you to easily move data between NFS and SMB shares and AWS storage solutions.


AWS Transfer Family

The AWS Transfer Family allows you to easily move files in and out of S3 or EFS using Secure File Transfer Protocol (SFTP), File Transfer Protocol over SSL (FTPS), or the File Transfer Protocol (FTP).


AWS Migration Hub

AWS Migration Hub gives you a single place to track the progress of your application migration to AWS. It integrates with Server Migration Service (SMS) and Database Migration Service (DMS).

Server Migration Service


AWS Application Discovery Service

Discovery Types -

AWS Application Migration Service (AWS MGN)

AWS MGN RTO and RPO -

DMS (Database Migration Service)

Working :

Concepts -

AWS Schema Conversion Tool (SCT)

Migration Types to Know :

Migrating Large Data Stores via AWS Snowball :


Front-End Web and Mobile

Amplify

Amplify offers tools for front-end web and mobile developers to quickly build full-stack applications on AWS.

Amplify offers two services for developers -

Device Farm

Device Farm is an application testing service for testing and interacting with Android, iOS, and web apps.
It’s usable on actual phones and tablets hosted by AWS.

AWS Device Farm allows for two primary testing methods :

Pinpoint

Pinpoint enables you to engage with customers through a variety of different messaging channels.

Who Uses It?

Pinpoint is primarily intended for marketers, business users, and even developers.

Features -

Where to Use It -


Machine Learning

Amazon Comprehend

Comprehend uses natural-language processing (NLP) to help you understand the meaning and sentiment in your text. For example, you can automate understanding whether people are saying positive or negative things about your service.
You can also pick up on key phrases.
Comprehend is a way of automating comprehension at scale.

Use Cases for Comprehend :

Kendra

Kendra allows you to create an intelligent search service powered by machine learning.

Enterprise search applications can bridge between different silos of information (such as S3 buckets, file servers, and websites), allowing your enterprise to have all the data intelligently in one place.

Use Cases for Kendra

Amazon Textract

Textract uses machine learning to automatically extract text, handwriting, and data from scanned documents.

Use Cases for Textract :

Beyond OCR

Using machine learning and OCR (optical character recognition), Textract can process text, handwriting, tables, and more with no manual intervention.
You can quickly turn text (such as receipts or handwritten letters) into data, which you can then store in the AWS Cloud in databases or S3.

Time-Series Data

Data points that are logged over a series of time, allowing you to track your data. Examples could be temperature readings from weather stations around the world, on the hour, every hour for years.

Examples :

Amazon Forecast

Amazon Forecast is a time-series forecasting service that uses machine learning and is built to give you important business insights.

You can send your data to Amazon Forecast and it will automatically learn your data, select the right machine learning algorithm, and then help you forecast your data.

Usecase :

Fraud Detector

Exactly what it sounds like: an AWS AI service that is built to detect fraud in your data.

Create a fraud detection machine learning model that is based on your data. You can also quickly automate this process.

Use Cases :

Transcribe

Transcribe is used to convert speech to text automatically. You can use this service to generate subtitles on the fly.

Use Case :
Turn your audio and video files into text in a fast and automated process. One specific use case is to generate subtitles.

Lex

Lex allows you to build conversational interfaces in your applications using natural language models. Chances are that when you are talking to an automated bot online, you are interacting with the Lex service on the backend.

Use Cases :

Polly

Polly turns your text into lifelike speech and allows you to create applications that talk to and interact with you using a variety of languages and accents.

Use Case :
Polly allows you to create applications that speak rather than just display text, making your content more accessible. If you visit the AWS blog, you can see an example of Polly converting blog posts into lifelike speech.

Amazon Rekognition

Amazon SageMaker

Amazon SageMaker is a fully managed machine learning (ML) service. With SageMaker, data scientists and developers can quickly and confidently build, train, and deploy ML models into a production-ready hosted environment. It provides a UI experience for running ML workflows that makes SageMaker ML tools available across multiple integrated development environments (IDEs).

With SageMaker, you can store and share your data without having to build and manage your own servers. This gives you or your organizations more time to collaboratively build and develop your ML workflow, and do it sooner. SageMaker provides managed ML algorithms to run efficiently against extremely large data in a distributed environment. With built-in support for bring-your-own-algorithms and frameworks, SageMaker offers flexible distributed training options that adjust to your specific workflows. Within a few steps, you can deploy a model into a secure and scalable environment from the SageMaker console.

Use Cases :

Two Deployment Types :


SageMaker Stages :

  1. Create a Model : This is the place that will provide predictions for your endpoint.
  2. Create an Endpoint Configuration : This is where you specify the model to use, inference instance type, instance count, variant name, and weight. This can sometimes be called a production variant.
  3. Create an Endpoint : This is where the model is published, and you can invoke the model using the InvokeEndpoint() method.

Model Training -


SageMaker Neo

Customize your machine learning models for specific CPU hardware, such as ARM, Intel, and NVIDIA processors.

It includes a compiler to convert the machine learning model to an environment that is optimized to execute the model on the target architecture.


Elastic Inference (EI)

EI speeds up throughput and decreases latency of real-time inferences deployed on SageMaker hosted services using only CPU-based instances. It is much more cost-effective than a full GPU instance.
It must be configured when you create a deployable model. EI is not available for all algorithms yet.

Autoscaling SageMaker Models -

Dynamically add and remove instances to a production variant based on changes in workload.

You define and apply a scaling policy that uses a CloudWatch metric and a target value, such as InvocationsPerInstance.
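As an added example (not code from the original notes), the following Python builds the request payloads for the three SageMaker stages listed above and for the InvocationsPerInstance target-tracking policy, and runs them in order against boto3 `sagemaker` and `application-autoscaling` clients. The role and KMS ARNs are constructed placeholders; the parameter names are the real SageMaker and Application Auto Scaling API fields.

```python
# Added example (not from the page): payloads for the three SageMaker stages + autoscaling.
ROLE_ARN = "arn:aws:iam::123456789012:role/PLACEHOLDER-SageMakerRole"  # placeholder
KMS_KEY = "arn:aws:kms:us-east-1:123456789012:key/PLACEHOLDER"          # placeholder

def create_model_request(name, image_uri, model_data_s3, role_arn=ROLE_ARN):
    """Stage 1: the model that will serve predictions behind the endpoint."""
    return {"ModelName": name, "ExecutionRoleArn": role_arn,
            "PrimaryContainer": {"Image": image_uri, "ModelDataUrl": model_data_s3}}

def create_endpoint_config_request(cfg_name, model_name, variant="AllTraffic",
                                   instance_type="ml.m5.large", count=1, weight=1.0):
    """Stage 2: the production variant (model, instance type/count, variant name, weight)."""
    if count < 1 or weight <= 0:
        raise ValueError("instance count must be >= 1 and weight > 0")
    return {"EndpointConfigName": cfg_name,
            "KmsKeyId": KMS_KEY,  # encrypt the ML storage volume on the inference hosts
            "ProductionVariants": [{"VariantName": variant, "ModelName": model_name,
                                    "InstanceType": instance_type, "InitialInstanceCount": count,
                                    "InitialVariantWeight": weight}]}

def create_endpoint_request(endpoint_name, cfg_name):
    """Stage 3: publish the endpoint; clients then call InvokeEndpoint on its name."""
    return {"EndpointName": endpoint_name, "EndpointConfigName": cfg_name}

def autoscaling_requests(endpoint_name, variant, min_cap, max_cap, target_per_instance):
    """Scalable target + target-tracking policy on InvocationsPerInstance for one variant."""
    if min_cap < 1 or max_cap < min_cap:
        raise ValueError("need 1 <= min_cap <= max_cap")
    resource = f"endpoint/{endpoint_name}/variant/{variant}"
    dim = "sagemaker:variant:DesiredInstanceCount"
    target = {"ServiceNamespace": "sagemaker", "ResourceId": resource, "ScalableDimension": dim,
              "MinCapacity": min_cap, "MaxCapacity": max_cap}
    policy = {"PolicyName": f"{endpoint_name}-invocations", "ServiceNamespace": "sagemaker",
              "ResourceId": resource, "ScalableDimension": dim, "PolicyType": "TargetTrackingScaling",
              "TargetTrackingScalingPolicyConfiguration": {
                  "TargetValue": float(target_per_instance),
                  "PredefinedMetricSpecification": {
                      "PredefinedMetricType": "SageMakerVariantInvocationsPerInstance"}}}
    return target, policy

def deploy(sm, aas, name, image_uri, model_data_s3, min_cap=1, max_cap=4, target=100):
    """Run the stages in order against boto3 'sagemaker' / 'application-autoscaling' clients."""
    cfg = f"{name}-cfg"
    sm.create_model(**create_model_request(name, image_uri, model_data_s3))
    sm.create_endpoint_config(**create_endpoint_config_request(cfg, name, count=min_cap))
    sm.create_endpoint(**create_endpoint_request(name, cfg))
    target_req, policy_req = autoscaling_requests(name, "AllTraffic", min_cap, max_cap, target)
    aas.register_scalable_target(**target_req)
    aas.put_scaling_policy(**policy_req)
```

Any object exposing the same method names can stand in for the clients, so the ordering and payloads can be checked without an AWS account.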

Amazon Translate

A machine learning service that allows you to automate language translation.

Using deep learning and neural networks, Amazon Translate allows you to translate from one language to another.

Use Cases :


Media

Elastic Transcoder

Elastic Transcoder allows businesses and developers to convert (or "transcode") media files from their original source format into versions that are optimized for various devices, such as smartphones, tablets, and PCs.

We use Elastic Transcoder to encode the videos you are watching now so they are optimized for the device you are viewing them on.

Benefits :

Kinesis Video Streams

If you need to stream media content from a large number of devices to AWS and then run analytics, machine learning (ML), playback, and other processing, consider using Kinesis Video Streams. A perfect example of this is Ring.

Kinesis Video Streams elastically scales to millions of devices and then stores, encrypts, and indexes video data in your streams. You can then access your data through easy-to-use APIs.

Use Cases :

Smart Home :
Think Amazon Ring. You can stream video content from your Ring devices to Kinesis Video Streams and then run analysis on the data.

Smart City :
Many cities have devices like CCTV cameras at traffic lights and junctions that can be monitored automatically using Kinesis Video Streams.

Industrial Automation :
You can use Kinesis Video Streams to ingest time-encoded data (e.g., LIDAR and RADAR signals and temperature sensor readings) and then drive industrial automation from it.

Feel free to reach out to me if you have any doubts or queries.

Happy Learning!

Harshhaa Vardhan Reddy - DevOps Engineer / Blogger