AWS Solution Architect Preparation

AWS Solution Architect Reference Materials

Content Area / Reference Material Link
Source Destination Check
S3 Put performance
S3 Consistency Model
S3 Data Check
ELB Domain name
ELB SSL Certificate
NAT Gateway vs NAT Instance
Route 53 and VPC
Taking EC2 AMI Image
NACL Rule Evaluation Order
Weighted Routing
Placement Groups
Cloudfront GET Optimization
EBS Volumes attachment
Instance Types and Workloads
DDoS Attack White Paper
Cloud Formation
Elastic BeanStalk
VPC Peering Info
VPN Options doc
ElastiCache Documentation
AWS EMR Documentation
VPC Subnet Basics
AWS Direct Connect and VPC
RDS Performance
Subnet Calculator
VPC and Subnet
Instance Meta Data
EBS Storage
S3 Documentation
Cloud Watch Metrics
Internet Gateway and Internet Access
ElasticIP Documentation
Security white Paper
EMR Best Practices
AWS RDS API Describe Events
CloudFormation Link
S3 Bucket Permissions
Elastic Network Interface
Reserved Instances FAQ
IAM Permissions
AWS Security Group
EC2 Limits
Automated Backups Documentation
Route 53 Supported Record Resource Types
EC2 Instance Meta Data
DB Parameter Groups
Network ACL Reference
SAML Integration
AWS Encryption Options

Load Balancing :

Elastic Load Balancing automatically distributes incoming application traffic across multiple Amazon EC2 instances. It enables you to achieve greater levels of fault tolerance in your applications, seamlessly providing the required amount of load balancing capacity needed to distribute application traffic.

AWS recommends pre-warming ELBs for spiky or flash-flood traffic.
In my personal experience, I have noticed numerous 503 errors while load testing.

Elastic Load Balancing allows you to identify the originating IP address of the connecting client.

ELB can’t span across regions.

Route 53 Can be used to route across Regions.

SSL Termination and Processing.

If it's not done at the load balancer level, then it needs to be done at the instance level, which might spike CPU cycles.

Cookie-based Sticky Session – Good or Bad? Not sure. The user is always routed to the same instance. Amazon recommends keeping session state in a database instead, so failover would be seamless.

ELB Integrates with Auto Scaling.

ELB EC2 health checks / Amazon CloudWatch.

ELB Integration with Route 53.

ELB doesn’t support EIP.

One ELB supports one SSL certificate.

Supports domain Zone Apex.

VPC – Virtual Private Cloud

Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud where you can launch AWS resources in a virtual network that you define.

NACL – Network Access Control List – Subnet Level.

VPC Peering.

Logically isolated network in the Cloud

Control of network architecture.

Hybrid Cloud ( Site-to-Site VPN )

Direct Connect

MPLS Connection

Single Tenant or Dedicated Server Hardware


You can connect your VPC to remote networks by using a VPN connection.

AWS hardware VPN – By default it provides multiple routes. Port redundancy.

Direct Connect – By default you get a single port, no port redundancy.

Supports IPv4 and IPv6. But VPC only supports IPv4.

Direct Connect

Predictable bandwidth – Up to 10 Gbps

Less than 1 Gbps through AWS Partner Network ( APN )

Predictable performance. Sub-millisecond connectivity.
Bypass Internet Service Providers in your network path.
Industry-standard 802.1q VLAN.

NAT Instance vs NAT Gateway

NAT Gateway – AWS Managed Service

NAT Instance – Customer is responsible

Source / Destination Check

Route Creation

Private subnet to access Internet.

Colo Advantages

Private connection or via Internet

Redundancy: two ports on two routers. By default, redundancy is not factored in.

Active Directory

Simple AD – Small: 500 users; Large: 5000 users

Simple AD – Doesn’t support MFA

AD Connector – Standalone managed directory, Samba 4

Microsoft Active Directory

SAML Steps

  1. A user in your organization browses to an internal portal in your network. The portal also functions as the IdP which handles the SAML trust between your organization and AWS.
  2. The IdP authenticates the user's identity against AD.
  3. The client receives a SAML assertion (in the form of an authentication response) from the IdP.
  4. The client posts the SAML assertion to the new AWS sign-in endpoint. Behind the scenes, sign-in uses the AssumeRoleWithSAML API to request temporary security credentials and construct a sign-in URL.
  5. The user’s browser receives the sign-in URL and is redirected to the AWS Management Console.
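The checks that step 4 implies, as an added example (not code from the original post or from AWS): before AssumeRoleWithSAML can be called, the assertion must name AWS as its audience, be inside its validity window, and carry the Role and RoleSessionName attributes that sign-in passes on. The assertion below is constructed, the account id 123456789012 and the ARNs in it are placeholders, and signature verification (which AWS performs against the certificate registered on the IAM SAML provider) is not shown.

```python
# Added example (not from the original post): the checks AWS sign-in performs on a
# SAML assertion before calling AssumeRoleWithSAML (step 4 above). It does not
# verify the XML signature; AWS does that with the certificate registered on the
# IAM SAML provider. The assertion, account id and ARNs below are constructed
# placeholders.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_AUDIENCE = "urn:amazon:webservices"                    # Audience AWS expects
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2020-01-01T00:00:00Z" NotOnOrAfter="2020-01-01T01:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>urn:amazon:webservices</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ExampleAdmins,arn:aws:iam::123456789012:saml-provider/ExampleIdP</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ExampleReadOnly,arn:aws:iam::123456789012:saml-provider/ExampleIdP</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_time(value):
    """SAML timestamps are UTC in ISO 8601 form, e.g. 2020-01-01T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _split_role_pair(value):
    """Each Role value is 'role-arn,provider-arn' (either order); return (role, provider)."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError(f"Role value must contain exactly two ARNs: {value!r}")
    role = next((p for p in parts if ":role/" in p), None)
    provider = next((p for p in parts if ":saml-provider/" in p), None)
    if role is None or provider is None:
        raise ValueError(f"Role value needs one role ARN and one saml-provider ARN: {value!r}")
    return role, provider


def check_assertion(assertion_xml, now):
    """Return the roles and session name sign-in would pass to AssumeRoleWithSAML,
    or raise ValueError if the assertion is not acceptable at time `now` (ISO 8601 UTC)."""
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion has no Conditions element")
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if AWS_AUDIENCE not in audiences:
        raise ValueError(f"audience {audiences} does not include {AWS_AUDIENCE}")
    current = _parse_time(now)
    not_before = _parse_time(conditions.get("NotBefore"))
    not_on_or_after = _parse_time(conditions.get("NotOnOrAfter"))
    if not (not_before <= current < not_on_or_after):
        raise ValueError("assertion is outside its NotBefore/NotOnOrAfter window")
    roles, session_name = [], None
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        if attr.get("Name") == ROLE_ATTR:
            roles = [_split_role_pair(v) for v in values]
        elif attr.get("Name") == SESSION_ATTR and values:
            session_name = values[0]
    if not roles:
        raise ValueError("no Role attribute: nothing to pass to AssumeRoleWithSAML")
    if not session_name:
        raise ValueError("no RoleSessionName attribute")
    return {"roles": roles, "session_name": session_name}


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "2020-01-01T00:30:00Z"))
```

With two Role values the real sign-in page asks the user which role to assume; a single value is used directly. The same validity-window check is why an IdP and AWS with skewed clocks produce sign-in failures.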

RISK Compliance
Shared Responsibility Model
Customer assumes the responsibility of patching and managing the OS

Customers can request vulnerability scan.
SOC 1 / SSAE / ISAE 3402
PCI DSS Level 1
Several Industry specific Standards.

Storage Options in Cloud
Amazon S3
Amazon Glacier
Amazon EBS
Amazon Instance Storage – Temporary Block Storage volume
AWS Import Export
Amazon Storage GateWay
Amazon Cloudfront
Amazon SQS
Amazon RDS
Amazon DynamoDB
Amazon Elastic Cache
Amazon RedShift
Databases on Amazon EC2

Consolidated Billing
A paying account is linked to multiple accounts (like Dev / Test / Prod); each account's billing is tracked separately and consolidated.
Economies of scale from a pricing point of view.

Resource Groups and Tagging:
Tags: key-value pairs attached to an AWS resource
Resource Groups: easy to group resources based on Tags (Region, Name, Health Checks).

VPC Peering
Transitive peering is not supported. Only star configurations.
Can't create peering with matching or overlapping CIDR blocks.
It's within a region and can't be across regions.
It can be with multiple accounts.

DNS ( Route 53 )

Private Hosted Zone for Amazon VPC

You can extend on-premises DNS to Amazon VPC.

You cannot extend Route 53 to on-premises instances.

Name Resolutions for EC2 Instances.
A Record
MX Record
IPv4 – 32 bit
IPv6 – 128 bit
Alias Record – maps one DNS name to another DNS name.
Difference between CNAME and Alias Record.
Use an Alias record that points to the Elastic Load Balancer's DNS name, so changes in the underlying IP addresses are handled gracefully.

Direct Connect:
Easy to establish a dedicated connection from on-premises to AWS.
Reduce cost with large volume of data
Difference between VPN / Direct Connect
VPN – Through Internet
Direct Connect – Dedicated connection

Active Directory Federation with AWS:

DDOS Attack

Reflection Attack

Amplification Attack

Combine all of those (DNS, NTP, SSDP, SNMP)

Minimize attack surface –

Scale to Absorb the Attack

Use AWS elasticity against attempts to overwhelm resources and your ability to respond.

SPOF Elimination ( Single Point of Failure )

CloudFront – Hundreds of Edge Location

Consolidated Billing

20 Linked Account by default

Dev/Test/Prod/UAT linked to One Paying Account

Volume Discount – Savings aren't going to be significant, but it's something to take advantage of.

Resource Group :

Grouping of resources for a specific group / environment, etc. Group resources based on Tags.

CloudTrail – Logs can be consolidated from several accounts.

Amazon S3:
Encryption options are available for data IN TRANSIT as well as data AT REST.
Consistency models for PUTs and DELETEs – read-after-write consistency vs eventual consistency
Ways to ensure the data is written to S3 successfully?
What are good options to prevent direct access to S3 content while still letting your public website access it?
How to configure CloudFront with S3 content.

AWS S3 Post Object

Sample Request

POST /Neo HTTP/1.1
Content-Length: 4
Date: Wed, 01 Mar  2006 12:00:00 GMT
Authorization: authorization string
Content-Type: text/plain
Expect: the 100-continue HTTP status code

Sample Response with Versioning Suspended

The following shows a sample response when bucket versioning is suspended.

HTTP/1.1 100 Continue
HTTP/1.1 200 OK
x-amz-id-2: LriYPLdmOdAiIfgSm/F1YsViT1LW94/xUQxMsF7xiEb1a0wiIOIxl+zbwZ163pt7
x-amz-request-id: 0A49CE4060975EAC
x-amz-version-id: default
Date: Wed, 12 Oct 2009 17:50:00 GMT
ETag: "1b2cf535f27731c974343645a3985328"
Content-Length: 0
Connection: close
Server: AmazonS3
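Two client-side answers to "was the data written successfully?" for a single-part upload, as an added example (not code from the original post or from AWS): send a Content-MD5 header so S3 refuses a body that was altered in transit, and compare the ETag in the 200 response with the MD5 of the body you sent. The 4-byte body is constructed to match the sample request's Content-Length; the matching response is built from a template, and the mismatching one is abbreviated from the sample response above, whose ETag belongs to some other object.

```python
# Added example (not from the original post): two client-side checks that a
# single-part S3 PUT/POST stored the bytes you sent. The body and the matching
# response are constructed; the mismatching response is abbreviated from the
# post's sample response, whose ETag belongs to some other object.
import base64
import hashlib

# Constructed 4-byte body, matching the Content-Length: 4 of the sample request.
BODY = b"test"

# Abbreviated from the post's sample response (ETag of an unknown object).
POST_RESPONSE = """HTTP/1.1 200 OK
x-amz-request-id: 0A49CE4060975EAC
x-amz-version-id: default
Date: Wed, 12 Oct 2009 17:50:00 GMT
ETag: "1b2cf535f27731c974343645a3985328"
Content-Length: 0
Server: AmazonS3"""

# Template for the response S3 would return after storing BODY intact.
RESPONSE_TEMPLATE = """HTTP/1.1 200 OK
x-amz-version-id: default
ETag: "{etag}"
Content-Length: 0
Server: AmazonS3"""


def expected_etag(body):
    """For single-part uploads the ETag is the hex MD5 of the object body."""
    return hashlib.md5(body).hexdigest()


def content_md5_header(body):
    """Content-MD5 request header: base64 of the raw 16-byte MD5 digest. S3 rejects
    the request (BadDigest) if the body it received does not match it."""
    return base64.b64encode(hashlib.md5(body).digest()).decode("ascii")


def upload_headers(body):
    """Headers to add to the PUT/POST so corruption in transit is refused by S3."""
    return {"Content-Length": str(len(body)), "Content-MD5": content_md5_header(body)}


def parse_headers(raw_response):
    """Minimal parser for the header block of an HTTP/1.1 response (names lower-cased)."""
    headers = {}
    for line in raw_response.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def write_confirmed(body, raw_response):
    """True if the response is a 200 whose ETag matches the body we sent.
    A multipart upload ETag has the form '<hex>-<parts>' and is not a plain MD5,
    so it cannot be compared this way."""
    status_line = raw_response.splitlines()[0]
    if not status_line.startswith("HTTP/1.1 200"):
        return False
    etag = parse_headers(raw_response).get("etag", "").strip('"')
    if "-" in etag:
        raise ValueError("multipart ETag; verify each part or use a checksum header")
    return etag == expected_etag(body)


if __name__ == "__main__":
    print(upload_headers(BODY))
    print(write_confirmed(BODY, RESPONSE_TEMPLATE.format(etag=expected_etag(BODY))))  # True
    print(write_confirmed(BODY, POST_RESPONSE))                                        # False
```

Content-MD5 catches corruption before the object is stored; the ETag comparison catches it afterwards and also tells you which version (see x-amz-version-id) holds the bytes you sent. Neither check applies unchanged to multipart uploads, whose ETag is an MD5 of the part digests followed by the part count.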

Goal: Setup VPC with Public and Private Subnets

The configuration for this scenario includes a virtual private cloud (VPC) with a public subnet and a private subnet.
Good for running a public-facing web application, while maintaining back-end servers that aren’t publicly accessible.
A common example is a multi-tier website, with the web servers in a public subnet and the database servers in a private subnet. You can set up security and routing so that the web servers can communicate with the database servers.

The instances in the public subnet can receive inbound traffic directly from the Internet, whereas the instances in the private subnet can’t. The instances in the public subnet can send outbound traffic directly to the Internet, whereas the instances in the private subnet can’t. Instead, the instances in the private subnet can access the Internet by using a network address translation (NAT) gateway that resides in the public subnet. The database servers can connect to the Internet for software updates using the NAT gateway, but the Internet cannot initiate connections to the database servers.

AWS Link for Private and Public Subnet :

WebServerSG: Recommended Rules

Inbound
Source | Protocol | Port Range | Comments
0.0.0.0/0 | TCP | 80 | Allow inbound HTTP access to the web servers from anywhere
0.0.0.0/0 | TCP | 443 | Allow inbound HTTPS access to the web servers from anywhere
Your home network's public IP address range | TCP | 22 | Allow inbound SSH access to Linux instances from your home network (over the Internet gateway)
Your home network's public IP address range | TCP | 3389 | Allow inbound RDP access to Windows instances from your home network (over the Internet gateway)

Outbound
Destination | Protocol | Port Range | Comments
The ID of your DBServerSG security group | TCP | 1433 | Allow outbound Microsoft SQL Server access to the database servers assigned to DBServerSG
The ID of your DBServerSG security group | TCP | 3306 | Allow outbound MySQL access to the database servers assigned to DBServerSG
0.0.0.0/0 | TCP | 80 | Allow outbound HTTP access to the Internet
0.0.0.0/0 | TCP | 443 | Allow outbound HTTPS access to the Internet
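The WebServerSG table above turned into something you can run, as an added example (not AWS's own code or documentation): it evaluates sample connections against the inbound and outbound rules and includes a review check that flags SSH/RDP opened to 0.0.0.0/0. Security groups are allow-only and stateful, so only the direction that opens a connection needs a rule, replies are permitted automatically, and anything no rule matches is dropped. HOME_NETWORK (a TEST-NET-3 range) and DB_SERVER_SG are placeholders.

```python
# Added example (not from AWS documentation): evaluate the WebServerSG rules in the
# table above against sample connections, and flag rules that open admin ports to
# the world. Security groups are allow-only and stateful: rules match the direction
# that opens the connection, replies are allowed automatically, and a connection no
# rule matches is dropped. HOME_NETWORK and DB_SERVER_SG are placeholders.
import ipaddress

HOME_NETWORK = "203.0.113.0/24"          # placeholder for your home network's public range
DB_SERVER_SG = "sg-0123456789abcdef0"     # placeholder id of the DBServerSG group

# (source or destination, protocol, port, comment) for each rule in the table above.
WEBSERVER_SG_INBOUND = [
    ("0.0.0.0/0", "tcp", 80, "HTTP from anywhere"),
    ("0.0.0.0/0", "tcp", 443, "HTTPS from anywhere"),
    (HOME_NETWORK, "tcp", 22, "SSH from home network"),
    (HOME_NETWORK, "tcp", 3389, "RDP from home network"),
]
WEBSERVER_SG_OUTBOUND = [
    (DB_SERVER_SG, "tcp", 1433, "SQL Server to DBServerSG"),
    (DB_SERVER_SG, "tcp", 3306, "MySQL to DBServerSG"),
    ("0.0.0.0/0", "tcp", 80, "HTTP to the Internet"),
    ("0.0.0.0/0", "tcp", 443, "HTTPS to the Internet"),
]

ADMIN_PORTS = {22, 3389}


def _peer_matches(rule_peer, peer_ip, peer_groups):
    """A rule's peer is either a CIDR (match the IP) or a security group id
    (match if the other instance is a member of that group)."""
    if rule_peer.startswith("sg-"):
        return rule_peer in peer_groups
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule_peer)


def allowed(rules, peer_ip, peer_groups, proto, port):
    """Any matching rule allows the connection; with no match the implicit deny applies."""
    for rule_peer, rule_proto, rule_port, _comment in rules:
        if rule_proto == proto and rule_port == port and _peer_matches(rule_peer, peer_ip, peer_groups):
            return True
    return False


def inbound_allowed(src_ip, port, src_groups=(), proto="tcp"):
    """Can a peer at src_ip (member of src_groups) open a connection to this port?"""
    return allowed(WEBSERVER_SG_INBOUND, src_ip, src_groups, proto, port)


def outbound_allowed(dst_ip, port, dst_groups=(), proto="tcp"):
    """Can the web server open a connection to dst_ip (member of dst_groups) on this port?"""
    return allowed(WEBSERVER_SG_OUTBOUND, dst_ip, dst_groups, proto, port)


def world_open_admin_ports(rules):
    """Review check: inbound rules that expose SSH/RDP to 0.0.0.0/0 instead of a
    known range. The recommended table returns an empty list."""
    return [r for r in rules if r[0] == "0.0.0.0/0" and r[2] in ADMIN_PORTS]


if __name__ == "__main__":
    print(inbound_allowed("198.51.100.7", 443))    # True: HTTPS from anywhere
    print(inbound_allowed("198.51.100.7", 22))     # False: SSH only from HOME_NETWORK
    print(outbound_allowed("10.0.1.20", 3306, dst_groups=[DB_SERVER_SG]))  # True
    print(outbound_allowed("10.0.1.20", 3306))     # False: not a DBServerSG member
    print(world_open_admin_ports(WEBSERVER_SG_INBOUND))  # []
```

The group-id rules are what keep the database tier reachable only from the web tier: the outbound MySQL rule matches on membership of DBServerSG, not on an address, so an instance outside that group is refused even when it sits in the same subnet.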

CloudFormation :

Numerous supported services. Pretty much automate anything.

Deploy very complex infrastructure at AWS Environment.

Templates and Stacks


AWS Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS.

Integrates with IAM , RDS , VPC

BPC / DR – Business Process continuity and Disaster Recovery

RTO – Recovery Time Objective

RPO – Recovery Point Objective

Import / Export – Encryption


HA for Databases

AWS vCenter to support VMware


A curated list of AWS resources to prepare for the AWS Certifications
