AWS Certified Solutions Architect Associate

Exam prep notes

NOTES TO SELF:

• Read the prouct page at least once.
• Remember the acronyms
• https://read.acloud.guru
• think about how similar sounding servies differ.
• think which services have “overlap”
• scenario questions
• TODO: Review AWS CLI commands list. What is the command to do X?

Lambda

Cloud Evolution: Data center -> IAAS –> PAAS –> Containers –> Serverless

Lambda is the ultimate abstraction layer:

• data center
• hardware
• assembly code/protocols
• high level languages
• OS
• application layer / AWS APIs

Using lambda:

• event driven compute service
• compute service to service http service using Amazon API gateway or api calls made using AWS SDKs.

Lambda functions can trigger other lambda functions

API gateway does the load balancing. A million requests will launch million lambda functions.

serverless architecture:

user -> api gateway -> lambda -> RDS

Languages:

• node.js
• java
• python
• C#
• Go
• Powershell

Pricing:

• Number of requests. FIrst 1M free. $0.20 subsequently.
• Duration. $0.00001667 for GB-second

EXAM TIPS:

• Lambda scales out(not up)
• Lambda functions are INDEPENDENT, 1event=1function
• Lambda is serverless
• Know what services are serverless
• Lambda functions can trigger other lambda functions
• X-Ray service allows you to debug what is happening
• Lambda can do things globally
• Know the trigger [TODO]. RDS cannot trigger lambda for now.

API gateway is the trigger.

Applications

SQS - Simple Queue Service

distributed queue system.

decouple components of an application.

SQS eases message management between components

256kB of Text in any format.

Messages can be kept in the queue from 1 minute to 14 days; default retention period is 4 days.

Types:

• SQS “standard” is the default queue type. atleast once. sometimes more than one copy can be delivered out of order.
• FIFO - exactly once processing. duplicates are not introduced. THey also support message groups.

Visibility Timeout default is 12 hours.

SQS Long Polling saves Money.

SWS - Simple work flow service

SWS is a web service that makes it easy to coordinate work across distributed application components. SWS enables application for a range of use casess to be designed as a coordination of tasks.

Tasks represent invocations of various processing steps in a application which can be performed by executable code, web service calls, human actions, an scripts. Eg: the entire workflow of ordering a book on amazon.com and getting it delivered. Human Interactions

• Workflow executions can last up to ONE year.
• Presents a Task oriented API. SQS is message-oriented.
• Task is assigned only once.
• Keeps track of all the tasks and events in applications.
• Domain refers to a collection of related workflows.

SWF Actors:

• Workflow starters
• Deciders
• Activity workers – carry out the activity tasks

SNS - Simple Notification Service

• is a web service makes it easy to setup, operate and send notifications from the cloud.
• Capability eo publish messages from an application to subscribers
• Push notifications to Apple, Google, Fire OS, Windows devices as well as android devices in china with Baidu Cloud Push
• Can also push to Mobile via SMS, HTTP endpoint.

• Flexible message delivery over multiple Transport protocols.

• TOPIC iss an accesspoint for subscribers

• SNSS is stored across multiple AZs.

• NO PULL only push

REVIEW: Topics

Elastic Transcoder

• Media transcoder in the cloud
• provides presets for popular output formats
• pay based on the minutes used for transcoding and the resolution at which you transcode.

API Gateway

fully managed service that makes it eassy for developers to publish, maintain, monitor and secure APIs at any scale.

“Front door”. Distribute load (somewhat like a load-balancer).

Throttle gateway to prevent attacks

Log results to CLoudwatch

Configuring an API Gateway:

• define an API (container)
• define Resources and nested Resources (URL Paths)
• for each resource …
  • select supported HTTP methods (verbs)
  • set security
  • choose target (eg: EC2, lambda, dynamoDB etc)
  • set request and response transformation

Deploying an API gateway:

• Deploy API to a stage:
  • uses api gateway domain, by default
  • can use custom domain
  • supports aws certificate manager: free SSL/TLS certs

API gateway caching:

• reduce number of calls made to endpoint
• reduce latency
• TTL

Same origin policy

• a web browser permits scripts in awebpage to access data in second page, ONLY IFF both web page have the same origin.
• prevents XSS attacks

CORS - Cross origin resource shaging

• HTTP OPTIONS
• servers says – other domains are approved to GET this URL
• Error – “Origin policy cannot be read at remote resource?”. You need to enable CORS on API gateway
• CORS is envforced by the client

Kinesis

Streaming data. Examples - purchases, stocks, game data, social network data, geospatial data, IoT sensor data.

Kinesis is a platform on AWS to ssend your streaming data to.

1. Kinesis Streams
2. Kinesis Firehose
3. Kinesis Analytics

Kinesis Streams:

• stores by default to 24 hours
• 7 days retention
• shard
• -> consumers

Shards – 5 transactions/ for reads. Maximum total data read rate of 2MBPS and upto 1,000 records per second for write, up to max total data write rate of 1MBPS, including partition keys.

Data capacity of steram = Sum(capacity of shard)

Kinesis Firehose:

• no persistent storage
• typically goes to a lambda function
• Producers -> Firehose -> [Lambda] -> S3

Kinesis Analytics: [TODO]

• works with streams and firehouse
• does real time analytics to understand the data.

REVIEW: clear distinction between Kinesis and SQS.

Web Identity Federation & Cognito

web id provider – amazon, facebook, google … following succesful authentication, user receives an authn code from the web id provider, which they can trade for temp AWS security credentials.

cognito is a BROKER.

Cognito synchronization – uses SNS to push updates and sync user data across multiple devices.

Load balancer

Could be:

• physical
• virtual

Typically web facing.

1. application lb – http&https, layer 7. intelligent; route
2. network lb – TCP traffic. extreme perf. Connection Level (Layer 4). Millions of req/sec.
3. classic lb – Legacy Elastic LB. Layer 7. X-forwarded and sticky session. NOT app aware. Also use strict layer 4 load balancing. If the apps stops erros Classic elb responds with504.

Load balancers Lab

• you can have private LBs (inside VPC)

• AUto scaling group needs “launch configuration”.

• Use an AMI
• give IAM role
• pass bootstrap script under “User Data”
• IP Address TYpee – you can assign Public IP address to a. all instances launches in default VPC and subnet (default) b. assign Public IP to all instances c. do not assign pub address to any instance.

Auto scaling group:

1. group name
2. launch config (created before)
3. group size. start with x instancess
4. network (VPC)
5. subnet (select multiple availability zones)

Advanced details:

1. [x] recv traffic from multiple load balancers
2. health check grace period [300] seconds
3. monitoring
4. instance protection
5. service linked role.

Scaling policy:

• scale between x and y instances
• based on “Metric type” – CPU / memory
• target value for the above
• warm up time in seconds

You can add a notification when ACG kicks off. (SMS).

Classic LB

1. give lb a name
2. configure listner config
3. use security group
4. configure health check – HTTP/80, response timeout, interval, unhealthy threshold, healthy threshold.
5. add ec2 instances to the load balancer
6. lb is NOT available in free tier.
7. ELBs do not get static ip.

Application Load balancer

TARGET GROUP

• group name
• target type - instance/ip/lambda functions
• protocol
• port
• VPC
• path – index.html

• health checks. ++ success code.

• add targets (EC2 instances)

THEN create load balancer.

You can add RULES (intelligent) to ALBs (compared to Classic LB).

REVIEW: ELB FAQ for CLASSIC Load Balancers

Advanced LB Theory

Sticky Sessions

Classic LBs routes each request independently to the registeed EC2 instance with smallest load.

Sticky Sessions allow you to bind a user’s session to a specific EC2 instance.

Sticky session can be enabled for ALBs, but the traffic will be sent at the TargetGroup level.

Useful if you are storing information locally to that instance

Cross Zone Load Balancing

Path Patterns

Create listners with rules to forward requests based on URL path.

eg: route /api/foo to TargetGroupA and /api/bar to TargetGroupB.

S3

REVIEW: IA vs One-zone, etc., S3 storage classes

REVIEW: Pricing of diff types of S3.

REVIEW: What is the max size of objects stored in S3. Is that a soft limit?

“Your proposed upload exceeds the maximum allowed object size.”. –> Design your application to use the Multipart Upload API for all objects.

How many S3 buckets can I have per account by default? == 100

Until 2018 there was a hard limit on S3 puts of 100 PUTs per second. To achieve this care needed to be taken with the structure of the name Key to ensure parallel processing. As of July 2018 the limit was raised to 3500 and the need for the Key design was basically eliminated. Disk IOPS is not the issue with the problem. The account limit is not the issue with the problem.

The following options allows users to have secure access to private files located in S3:

• CloudFront Signed Cookies
• CloudFront Origin Access Identity

• CloudFront Signed URLs

• Serving Private Content with Signed URLs and Signed Cookies - Amazon CloudFront

• Using Signed URLs - Amazon CloudFront
• Using Signed Cookies - Amazon CloudFront
• Restricting Access to Amazon S3 Content by Using an Origin Access Identity - Amazon CloudFront

S3 has READ AFTER WRITE consistency for PUTs

S3 has overwrite PUTS not UPDATEs

S3 has Eventual consistenty for overwrite PUTS and DELETES.

IAM

Remember: Organization units are not part of IAM.

New users start with no permissions

Integrates with existing active directory account allowing single sign-on.

Configure Users and Policy Documents only once, as these are applied globally.

EC2

AWS CLI command to create a snapshot of an EBS volume? aws ec2 create-snapshot

encryption at rest. Using AWS managed keys to provide EBS encryption at rest is a relatively painless and reliable way to protect assets

• How to Protect Data at Rest with Amazon EC2 Instance Store Encryption | AWS Security Blog
• Amazon EBS Encryption - Amazon Elastic Compute Cloud

EBS Root volume – the DeleteOnTermination attribute for root volumes is set to ‘true.’ this attribute may be changed at launch by using either the AWS Console or the command line. For an instance that is already running, the DeleteOnTermination attribute must be changed using the CLI. Terminate Your Instance - Amazon Elastic Compute Cloud

aws ec2 modify-instance-attribute --instance-id i-1234567890abcdef0 --block-device-mappings file://mapping.json

[
  {
    "DeviceName": "/dev/sda1",
    "Ebs": {
      "DeleteOnTermination": false
    }
  }
]

To know both the private IP address and public IP address of your EC2 instance, retrieve the instance Metadata from http://169.254.169.254/latest/meta-data/

curl http://169.254.169.254/latest/user-data
#prints boostrap info

curl http://169.254.169.254/latest/meta-data/
#prints all available metadata keys

curl http://169.254.169.254/latest/meta-data/public-ipv4
curl http://169.254.169.254/latest/meta-data/local-ipv4
#print public and local ipv4 addresses

Placement groups

Spread placement groups have a specific limitation that you can only have a maximum of 7 running instances per Availability Zone.

I can use the AWS Console to add a role to an EC2 instance after that instance has been created and powered-up.

One of the easiest options is to drive more I/O throughput than you can provision for a single EBS volume, by striping using RAID 0. You can join multiple gp2, io1, st1, or sc1 volumes together in a RAID 0 configuration to use the available bandwidth for these instances. You can also choose an EC2 instance type that supports EBS optimisation. This ensures that network traffic cannot contend with traffic between your instance and your EBS volumes. The final option is to manage your snapshot times, and this only applies to HDD based EBS volumes. When you create a snapshot of a Throughput Optimized HDD (st1) or Cold HDD (sc1) volume, performance may drop as far as the volume’s baseline value while the snapshot is in progress. This behaviour is specific to these volume types. Therefore you should ensure that scheduled snapshots are carried at times of low usage.

Underlying hypervisors for EC2 – Xen (old), Nitro (New). EC2 FAQ.

EFS

• you can share EFS between instances.
• storage is elastic

EBS, EFS, and FSx are storage services based on Block storage

Lowest cost EBS options – Throughput optimized (st1) & Cold (sc1).

You cannot delete a snapshot of an EBS Volume that is used as the root device of a registered AMI.

You cannot attach one EBS volume to more than one EC2 instance.

FSx = Fully managed third-party file systems. provides you with the native compatibility of third-party file systems with feature sets for workloads such as Windows-based storage, high-performance computing (HPC), machine learning, and electronic design automation (EDA).

• FSx for windows file server
• FSx for Lustre – high-performance file system optimized for fast processing of workloads such as machine learning, high performance computing (HPC), video processing, financial modeling, and electronic design automation (EDA). These workloads commonly require data to be presented via a fast and scalable file system interface, and typically have data sets stored on long-term data stores like Amazon S3.

Standard Reserved Instances cannot be moved between regions. You can choose if a Reserved Instance applies to either a specific Availability Zone, or an Entire Region, but you cannot change the region

VPCs

VPC.= virtual data center in the cloud. logically isolated section of the AWS. completely control over virtual network.

• the largest vpc you can have inside VPC is /16. /8 is not allowed.

Private address ranges:

• 10.0.0.0 - 10.255.255.255 – 10/8 prefix
• 172.16.0.0 - 172.31.255.255 – 172/16/12 prefix
• 192.168.0.0 - 192.168.255.255 – 192.168/16 prefix

Tools:

• - interactive IP addres and CIDR Range Visualizer.
• 10.0.0.0/16 is the largest VPC you can have in VPC
• /28 is the smallest

What can we do with a VPC?

1. launch instances into subnet of your choosing
2. assing custom IP address ranges to each SN
3. configure route tables between SNs
4. create internet gateway and attach it to VPC
5. much better security control over you aws resources
6. instance security groups ??
7. subnet access control lists (ACLs)

Default VPC vs custom VPC

• all subsnets in default vpc have a route to the internet
• each ec2 instance has both public and private IP address

Relational databases

Misc

• Differences between SAA-C01 and SAA-C02