AWS Solution Architect Reference Materials
Load Balancing:
Elastic Load Balancing automatically distributes incoming application traffic across multiple Amazon EC2 instances. It enables you to achieve greater levels of fault tolerance in your applications, seamlessly providing the required amount of load balancing capacity needed to distribute application traffic.
Elastic Load Balancing lets you identify the originating IP address of the client that connected to the load balancer (for example via the X-Forwarded-For header), which matters for logging and access control on the instances behind it.
ELB can’t span across regions.
Route 53 Can be used to route across Regions.
SSL termination and processing: if it isn't done at the load balancer level, it has to be done at the instance level, which can drive up CPU usage.
Cookie-based sticky sessions – good or bad? Not sure. The user is always routed to the same instance. Amazon recommends keeping session state in a database so that failover is seamless.
ELB Integrates with Auto Scaling.
ELB EC2 health checks / Amazon CloudWatch.
ELB Integration with Route 53.
ELB doesn’t support EIP.
One ELB supports one SSL certificate.
Supports the domain zone apex.
VPC – Virtual Private Cloud
Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud where you can launch AWS resources in a virtual network that you define.
NACL – Network Access Control List – Subnet Level.
Logically isolated network in the Cloud
Control of network architecture.
Hybrid cloud (site-to-site VPN)
Single Tenant or Dedicated Server Hardware
You can connect your VPC to remote networks by using a VPN connection.
AWS hardware VPN – by default it provides multiple routes (port redundancy).
Direct Connect – by default you get a single port, so no port redundancy.
Supports IPv4 and IPv6, but VPC only supports IPv4.
Predictable bandwidth – up to 10 Gbps
Less than 1 Gbps through the AWS Partner Network (APN)
Predictable performance – sub-millisecond connectivity
Bypasses Internet Service Providers in your network path.
Industry-standard 802.1q VLAN.
NAT Instance vs NAT Gateway
NAT Gateway – AWS managed service
NAT Instance – the customer is responsible for it
Source/destination check (must be disabled on a NAT instance so it can forward traffic that is not addressed to it)
Lets a private subnet reach the Internet.
Private connection or via the Internet
Redundancy: two ports on two routers. By default redundancy is not factored in.
Simple AD – Small: 500 users; Large: 5,000 users
Simple AD – doesn't support MFA
AD Connector – standalone managed directory, Samba 4
Microsoft Active Directory
- A user in your organization browses to an internal portal in your network. The portal also functions as the IdP, which handles the SAML trust between your organization and AWS.
- The IdP authenticates the user's identity against AD.
- The client receives a SAML assertion (in the form of an authentication response) from the IdP.
- The client posts the SAML assertion to the new AWS sign-in endpoint. Behind the scenes, sign-in uses the AssumeRoleWithSAML API to request temporary security credentials and construct a sign-in URL.
- The user's browser receives the sign-in URL and is redirected to the AWS Management Console.
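To make the assertion step concrete, here is an added example (not from the original notes or from AWS) that extracts the role/provider ARN pairs AWS reads from the Role attribute of a SAML assertion, which is what AssumeRoleWithSAML needs, and refuses an assertion outside its Conditions window. It assumes the IdP's XML signature has already been verified upstream, and the assertion, account ID and names are constructed placeholders.

```python
import base64
from datetime import datetime
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml.ElementTree

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"  # attribute AWS reads role pairs from
TS = "%Y-%m-%dT%H:%M:%SZ"  # SAML timestamps are UTC; all datetimes below are naive UTC

# Constructed sample assertion (not from a real IdP); account ID and names are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/CorpIdP</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/CorpIdP,arn:aws:iam::123456789012:role/Admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_ASSERTION.encode()).decode()

def parse_roles(assertion_b64, now):
    """Return [(role_arn, provider_arn), ...] from a base64 SAML assertion, rejecting it
    outside its Conditions window. Either ARN order inside a value is accepted, as AWS does."""
    root = ET.fromstring(base64.b64decode(assertion_b64))
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < datetime.strptime(cond.get("NotBefore"), TS):
            raise ValueError("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= datetime.strptime(cond.get("NotOnOrAfter"), TS):
            raise ValueError("assertion expired")
    roles = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for val in attr.iterfind("saml:AttributeValue", NS):
            parts = [p.strip() for p in (val.text or "").split(",")]
            role = [p for p in parts if ":role/" in p]
            prov = [p for p in parts if ":saml-provider/" in p]
            if len(parts) != 2 or len(role) != 1 or len(prov) != 1:
                raise ValueError(f"malformed Role value: {val.text!r}")
            roles.append((role[0], prov[0]))
    return roles

def demo(minutes_after_start=1):
    """Parse the sample at an offset from NotBefore: 1 min is inside the window, 10 is past it."""
    try:
        return parse_roles(SAMPLE_B64, datetime(2024, 1, 1, 0, minutes_after_start))
    except ValueError as e:
        return str(e)
```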
Shared Responsibility Model
Customer assumes the responsibility of patching and managing the OS
Customers can request a vulnerability scan.
SOC 1 / SSAE / ISAE 3402
FISMA, DIACAP and FedRAMP
PCI DSS Level 1
Several industry-specific standards.
Storage Options in Cloud
Amazon Instance Storage – temporary block storage volume
AWS Import/Export
Amazon Storage Gateway
Amazon ElastiCache
Databases on Amazon EC2
A paying account is linked to multiple accounts (such as Dev/Test/Prod); each account's billing is tracked separately and consolidated under the paying account.
Economies of scale from a pricing point of view.
Resource Groups and Tagging:
Tags: key/value pairs attached to an AWS resource.
Resource Groups: an easy way to group resources based on tags (region, name, health checks).
VPC peering: transitive peering is not supported; only star configurations.
Can't create a peering between VPCs with matching or overlapping CIDR blocks.
It is within a region and can't be across regions.
It can be between multiple accounts.
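An added example (not from the original notes) that checks the peering rules above before a connection is requested: same region, no CIDR overlap, different accounts allowed, and no assumption of transitive reachability through a hub. The VPC inventory is constructed data, not real AWS accounts or networks.

```python
import ipaddress

# Constructed inventory, not real AWS data: VPC name -> (region, account ID, CIDR).
VPCS = {
    "hub":  ("us-east-1", "111111111111", "10.0.0.0/16"),
    "dev":  ("us-east-1", "222222222222", "10.1.0.0/16"),
    "prod": ("us-east-1", "222222222222", "10.2.0.0/16"),
    "dup":  ("us-east-1", "333333333333", "10.0.128.0/20"),  # overlaps hub
    "eu":   ("eu-west-1", "111111111111", "10.3.0.0/16"),
}

def check_peering(a, b, vpcs=VPCS):
    """Reasons the peering a<->b would be rejected under the rules above (empty list = OK).
    Different accounts are allowed, so that case produces no finding."""
    region_a, _, cidr_a = vpcs[a]
    region_b, _, cidr_b = vpcs[b]
    problems = []
    if region_a != region_b:
        problems.append("peering must stay within one region")
    if ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b)):
        problems.append(f"CIDR overlap: {cidr_a} vs {cidr_b}")
    return problems

def can_route(src, dst, peerings):
    """Peering is not transitive: src reaches dst only over a direct peering,
    never through a hub that happens to be peered with both."""
    return any({src, dst} == {x, y} for x, y in peerings)

def plan(peerings, vpcs=VPCS):
    """Validate a star topology: return accepted pairs and rejected pairs with reasons."""
    accepted, rejected = [], {}
    for a, b in peerings:
        problems = check_peering(a, b, vpcs)
        if problems:
            rejected[(a, b)] = problems
        else:
            accepted.append((a, b))
    return accepted, rejected
```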
DNS (Route 53)
Private Hosted Zone for Amazon VPC
You can extend on-premises DNS to Amazon VPC.
You cannot extend Route 53 to on-premises instances.
Name resolution for EC2 instances.
IPV4 – 32 Bit
IPV6 – 128 Bit
Alias record – maps one DNS name to another DNS name.
Difference between a CNAME and an alias record.
Use an alias record that points to the Elastic Load Balancer's DNS name, so changes in the underlying IP addresses are handled gracefully.
Easy to establish a dedicated connection from on-premises to AWS.
Reduces cost with large volumes of data.
Difference between VPN and Direct Connect:
VPN – over the Internet
Direct Connect – dedicated connection
Active Directory Federation with AWS:
Combine all of those (DNS, NTP, SSDP, SNMP – common amplification vectors).
Minimize the attack surface.
Scale to absorb the attack.
Attackers try to overwhelm your resources and your ability to respond; counter this with AWS elasticity.
SPOF elimination (single point of failure)
CloudFront – hundreds of edge locations
20 linked accounts by default
Dev/Test/Prod/UAT linked to One Paying Account
Volume discount – the savings aren't going to be significant, but it's something to take advantage of.
Resource Group:
Grouping of resources for a specific group, environment, etc. Group resources based on tags.
CloudTrail – Logs can be consolidated from several accounts.
Encryption options are available for data in transit as well as data at rest.
Consistency models for PUTs and DELETEs – read-after-write consistency vs. eventual consistency.
Ways to ensure data is written to S3 successfully?
What are good options to prevent direct access to S3 content while still letting your public website access it?
How to configure CloudFront with S3 content.
POST /Neo HTTP/1.1
Date: Wed, 01 Mar 2006 12:00:00 GMT
Authorization: authorization string
Expect: the 100-continue HTTP status code
Sample Response with Versioning Suspended
The following shows a sample response when bucket versioning is suspended.
HTTP/1.1 100 Continue
HTTP/1.1 200 OK
Date: Wed, 12 Oct 2009 17:50:00 GMT
Goal: Set up a VPC with public and private subnets
The configuration for this scenario includes a virtual private cloud (VPC) with a public subnet and a private subnet.
Good for running a public-facing web application, while maintaining back-end servers that aren’t publicly accessible.
A common example is a multi-tier website, with the web servers in a public subnet and the database servers in a private subnet. You can set up security and routing so that the web servers can communicate with the database servers.
The instances in the public subnet can receive inbound traffic directly from the Internet, whereas the instances in the private subnet can’t. The instances in the public subnet can send outbound traffic directly to the Internet, whereas the instances in the private subnet can’t. Instead, the instances in the private subnet can access the Internet by using a network address translation (NAT) gateway that resides in the public subnet. The database servers can connect to the Internet for software updates using the NAT gateway, but the Internet cannot initiate connections to the database servers.
AWS link for public and private subnets:
WebServerSG: recommended rules
Inbound
| Source | Protocol | Port | Comments |
| 0.0.0.0/0 | TCP | 80 | Allow inbound HTTP access to the web servers from anywhere |
| 0.0.0.0/0 | TCP | 443 | Allow inbound HTTPS access to the web servers from anywhere |
| Your home network's public IP address range | TCP | 22 | Allow inbound SSH access to Linux instances from your home network (over the Internet gateway) |
| Your home network's public IP address range | TCP | 3389 | Allow inbound RDP access to Windows instances from your home network (over the Internet gateway) |
Outbound
| Destination | Protocol | Port | Comments |
| The ID of your DBServerSG security group | TCP | 1433 | Allow outbound Microsoft SQL Server access to the database servers assigned to DBServerSG |
| The ID of your DBServerSG security group | TCP | 3306 | Allow outbound MySQL access to the database servers assigned to DBServerSG |
| 0.0.0.0/0 | TCP | 80 | Allow outbound HTTP access to the Internet |
| 0.0.0.0/0 | TCP | 443 | Allow outbound HTTPS access to the Internet |
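An added example (not from the original notes or from AWS) that encodes the WebServerSG table above as data and audits a rule set against it, flagging the drift a reviewer cares about most: admin ports (22/3389) opened to the world, database ports reachable from anywhere, or outbound database traffic not pinned to DBServerSG. The admin range and the security-group ID are constructed placeholders.

```python
import ipaddress

ADMIN_PORTS = {22, 3389}   # SSH / RDP
DB_PORTS = {1433, 3306}    # Microsoft SQL Server / MySQL

# Constructed stand-ins: a placeholder admin range and a placeholder DBServerSG ID, not real values.
HOME_RANGE = "203.0.113.0/24"
DB_SG = "sg-dbserversg-placeholder"

# The WebServerSG rules from the table above as (direction, peer, protocol, port).
RECOMMENDED = [
    ("in", "0.0.0.0/0", "tcp", 80), ("in", "0.0.0.0/0", "tcp", 443),
    ("in", HOME_RANGE, "tcp", 22), ("in", HOME_RANGE, "tcp", 3389),
    ("out", DB_SG, "tcp", 1433), ("out", DB_SG, "tcp", 3306),
    ("out", "0.0.0.0/0", "tcp", 80), ("out", "0.0.0.0/0", "tcp", 443),
]

def is_world(peer):
    """True for 0.0.0.0/0 or ::/0; False for a narrower CIDR or a security-group ID."""
    try:
        return ipaddress.ip_network(peer).prefixlen == 0
    except ValueError:
        return False

def audit(rules, db_sg=DB_SG):
    """Return findings where a WebServerSG rule drifts from the recommended set."""
    findings = []
    for direction, peer, proto, port in rules:
        if direction == "in" and port in ADMIN_PORTS and is_world(peer):
            findings.append(f"inbound {proto}/{port} open to the world; limit to the admin range")
        elif direction == "in" and port in DB_PORTS:
            findings.append(f"inbound {proto}/{port} does not belong on web servers")
        elif direction == "out" and port in DB_PORTS and peer != db_sg:
            findings.append(f"outbound {proto}/{port} must target {db_sg} only, not {peer}")
    return findings
```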
CloudFormation: numerous supported services; you can automate pretty much anything.
Deploy very complex infrastructure in an AWS environment.
Templates and stacks
AWS Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS.
Integrates with IAM, RDS, VPC
BPC/DR – Business process continuity and disaster recovery
RTO – Recovery Time Objective
RPO – Recovery Point Objective
Import/Export – encryption
HA for Databases
AWS vCenter to support VMware