AWS Solution Architect Certification Notes – Part 4

My AWS certification notes part 4 from A Cloud Guru material

Code Commit

  • Private Git repository, hosted and managed by AWS
  • Regional service
  • Data is encrypted in transit (HTTPS/TLS or SSH) and at rest (KMS)
  • Events (pull requests, commits, comments on commits) can be published to an SNS topic
  • Connection types – SSH, HTTPS
  • SSH public keys can only be uploaded for IAM users, not for the root account, so you cannot configure an SSH connection as root
  • To connect
    • Install Git
    • Install the AWS CLI
    • Create an IAM user with a CodeCommit policy (not the root account)
    • Configure that user's access key and secret access key in the AWS CLI (for HTTPS, Git uses the AWS CLI credential helper)
    • Then use the usual Git commands

Code Deploy

  • Automated deployment service
  • Lets you deploy code automatically to EC2 instances, on-premises servers and Lambda functions
  • Scales with your infrastructure
  • Integrates with various CI/CD tools: Jenkins, GitHub, Atlassian and AWS CodePipeline
  • Also with configuration management tools like Ansible, Puppet and Chef
  • Two deployment approaches
  • In-place
    • Rolling update
    • Deploys the new version in batches
    • Each batch of instances is out of service while it is being updated
    • Your environment capacity is reduced by the number of instances in a batch during the deployment
    • If the instances are behind a load balancer, CodeDeploy deregisters each batch from the load balancer (the BlockTraffic step) while the deployment runs on it
    • Can only be used for EC2 and on-premises instances
    • Not supported for AWS Lambda
    • If the update fails, you roll back by running another in-place deployment of the previous revision (automatic rollback does this for you when enabled)
  • Blue/Green
    • Immutable
    • Blue – the currently running (active) environment
    • Green – the new release
    • Deploys the newer version to a fresh set of instances in their own Auto Scaling group
    • Once the new instances pass the health checks they are registered with the load balancer and traffic is rerouted to them; the old instances are deregistered and (optionally) terminated
  • Deployment group – the set of EC2 instances or Lambda functions the new version is deployed to, together with its deployment configuration
  • Deployment – the process itself
  • Deployment configuration – rules and success/failure conditions (e.g. how many instances per batch)
  • AppSpec file – defines the deployment actions you want CodeDeploy to execute. Must be placed in the root directory of your revision
  • Revision – everything needed to deploy: application files, scripts and the AppSpec file
  • Application – the name that ties deployment groups, revisions and deployments together
  • Lambda deployment – AppSpec file
    • The AppSpec file defines the parameters CodeDeploy uses for the deployment – appspec.yml
    • For Lambda deployments the AppSpec file can be YAML or JSON
    • version – reserved for future use; currently only 0.0 is allowed
    • Resources – name and properties of the Lambda function to deploy
      • Type – AWS::Lambda::Function
      • Properties
        • Name
        • Alias
        • CurrentVersion
        • TargetVersion
    • Hooks – Lambda functions to run at set points in the deployment lifecycle to validate the deployment
      • BeforeAllowTraffic – the validation function to run before traffic is shifted to the new version
      • AfterAllowTraffic – the validation function to run after traffic has been shifted
  • EC2 / on-premises deployment – AppSpec file
    • Supports only YAML (appspec.yml)
    • version – reserved for future use; currently only 0.0 is allowed
    • os – linux or windows
    • files – which application files to copy and where to copy them
      • source
      • destination
    • hooks – scripts to run at set points in the deployment lifecycle to validate the deployment
      • BeforeInstall
      • AfterInstall
      • ApplicationStart
      • ValidateService
    • Each script entry under a hook has
      • location – path of the script within the revision
      • timeout – seconds allowed before the step fails
      • runas – the user to run the script as (Linux only)
  • Hook run order for an in-place deployment
  • 1 – only when the deployment group uses a load balancer
    • BeforeBlockTraffic
    • BlockTraffic
    • AfterBlockTraffic
  • 2
    • ApplicationStop
    • DownloadBundle
    • BeforeInstall
    • Install
    • AfterInstall
    • ApplicationStart
    • ValidateService
  • 3 – only when the deployment group uses a load balancer
    • BeforeAllowTraffic
    • AllowTraffic
    • AfterAllowTraffic
  • DownloadBundle, Install, BlockTraffic and AllowTraffic are performed by the CodeDeploy agent itself and cannot run your scripts
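The AppSpec structure and hook order above, as an added example (my own code, not course material or anything from CodeDeploy). The sample AppSpec is constructed here as a Python dict mirroring an appspec.yml, so no YAML parser is needed; the script paths and users in it are made up:

```python
"""Validate an EC2/on-premises CodeDeploy AppSpec and list the order in which
its hook scripts run during an in-place deployment.

Added example for these notes. SAMPLE_APPSPEC is constructed and mirrors an
appspec.yml as a Python dict (its script paths and users are placeholders).
"""

# Lifecycle events in the order CodeDeploy runs them for an in-place
# deployment. The *Traffic events only run when the deployment group has a
# load balancer. DownloadBundle, Install, BlockTraffic and AllowTraffic are
# performed by the agent and cannot carry user scripts.
IN_PLACE_ORDER = [
    "BeforeBlockTraffic", "BlockTraffic", "AfterBlockTraffic",
    "ApplicationStop", "DownloadBundle", "BeforeInstall", "Install",
    "AfterInstall", "ApplicationStart", "ValidateService",
    "BeforeAllowTraffic", "AllowTraffic", "AfterAllowTraffic",
]
AGENT_ONLY = {"BlockTraffic", "DownloadBundle", "Install", "AllowTraffic"}

# Constructed sample: what appspec.yml for an EC2 deployment looks like.
SAMPLE_APPSPEC = {
    "version": 0.0,
    "os": "linux",
    "files": [
        {"source": "/", "destination": "/var/www/html"},
    ],
    "hooks": {
        "ApplicationStop": [{"location": "scripts/stop.sh", "timeout": 60, "runas": "root"}],
        "BeforeInstall": [{"location": "scripts/install_deps.sh", "timeout": 300, "runas": "root"}],
        "ApplicationStart": [{"location": "scripts/start.sh", "timeout": 60, "runas": "www-data"}],
        "ValidateService": [{"location": "scripts/smoke_test.sh", "timeout": 120, "runas": "www-data"}],
    },
}


def validate_appspec(spec):
    """Return a list of problems; an empty list means the AppSpec is structurally valid."""
    problems = []
    if spec.get("version") != 0.0:
        problems.append("version must be 0.0 (the only value currently allowed)")
    if spec.get("os") not in ("linux", "windows"):
        problems.append("os must be 'linux' or 'windows'")
    for i, f in enumerate(spec.get("files", [])):
        if "source" not in f or "destination" not in f:
            problems.append(f"files[{i}] needs both source and destination")
    for event, scripts in spec.get("hooks", {}).items():
        if event not in IN_PLACE_ORDER:
            problems.append(f"unknown lifecycle event {event!r}")
        elif event in AGENT_ONLY:
            problems.append(f"{event} is run by the agent and cannot carry scripts")
        for s in scripts:
            if "location" not in s:
                problems.append(f"{event}: every script entry needs a location")
    return problems


def hook_run_order(spec, behind_load_balancer=True):
    """Return [(lifecycle_event, script_location), ...] in execution order."""
    order = []
    for event in IN_PLACE_ORDER:
        if not behind_load_balancer and "Traffic" in event:
            continue  # the Block/Allow traffic phases need a load balancer
        for s in spec.get("hooks", {}).get(event, []):
            order.append((event, s["location"]))
    return order


if __name__ == "__main__":
    print(validate_appspec(SAMPLE_APPSPEC))
    for event, script in hook_run_order(SAMPLE_APPSPEC):
        print(f"{event:18} {script}")
```

A revision that puts a script under Install (or uses version 1.0) is rejected before it ever reaches the agent, which is the kind of check worth running in the pipeline's build stage.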

Code Pipeline

  • Fully managed CI/CD service
  • Models the release process as a pipeline workflow of stages
  • Can be integrated with CodeCommit, CodeDeploy, etc.
  • The workflow can be triggered automatically for every push
  • Eg: a user uploads code to S3 → a CloudWatch Events rule triggers the pipeline → the pipeline triggers CodeDeploy → CodeDeploy fetches the revision from S3 and deploys it to EC2
  • CodePipeline can source code from S3, CodeCommit or GitHub – the source provider
  • Build provider – no build, Jenkins, AWS CodeBuild or Solano CI
  • Deployment provider – no deployment, ECS, CloudFormation, CodeDeploy or Elastic Beanstalk

VPC Lab

  • Create VPC
  • CIDR – 10.0.0.0/16 – the largest block a VPC allows
  • It will create a main route table, a default NACL and a default security group
  • No subnets, no IGW
  • Create subnet 10.0.1.0-us-east-1a [AZ]
  • CIDR block – 10.0.1.0/24 – gives 256 addresses, of which AWS reserves 5, so 251 are usable
  • Create another subnet 10.0.2.0-us-east-1b [AZ] – CIDR 10.0.2.0/24
  • When you create subnets, by default they are private
  • Create IGW
  • Attach it to the VPC
  • Route table – a main route table is created with the VPC
  • Routes – by default subnets in a VPC can talk to each other: the default rule in the route table is the local route
  • Subnet association – by default no subnet is explicitly associated (subnets without an explicit association use the main route table)
  • The main route table has no route to the internet by default
  • Create another route table – for internet access
  • Add routes alongside the local route: destination 0.0.0.0/0 and ::/0, target – the IGW
  • Now associate a subnet – that subnet is a public subnet from now on
  • By default auto-assign public IP is No for subnets, even when they have a route to the internet. Set it to Yes for the public subnet
  • Security groups exist only within their VPC. When you create an EC2 instance in the public subnet, you can only select security groups from that VPC
  • For the private EC2 instance, create a security group with source Custom, 10.0.1.0/24 (the public subnet), allowing All ICMP and TCP ports 0–65535 (a lab setting; in production allow only the ports the application needs)
  • To SSH to the private EC2 instance from the public one, the lab copies the .pem private key onto the public instance. In the real world use a bastion (jump) server and never copy the private key onto it: use SSH agent forwarding (ssh -A) or ProxyJump (ssh -J), or AWS Systems Manager Session Manager
  • NAT instance – an EC2 instance launched from one of the Community AMIs (search for "nat")
  • Choose the public subnet
  • Security group: SSH, HTTP and HTTPS
  • Disable the source/destination check (the instance forwards traffic that is not addressed to it)
  • No need to log in to the NAT instance
  • Add a route to the route table associated with the private subnet (the main route table here)
  • Destination: 0.0.0.0/0 and target: the NAT instance
  • If the NAT instance is down, your private EC2 instances lose internet access
  • NAT Gateway
  • Choose the public subnet
  • Allocate an Elastic IP address
  • Go to the route table – the main route table
  • Add a route – destination: 0.0.0.0/0 and target: the NAT gateway
  • NAT gateways are not associated with security groups, and are highly available within their AZ
  • NACL
  • Open the ephemeral ports, Custom TCP rule, 1024–65535 – required for return traffic, because NACLs are stateless
  • You can block a specific IP
  • Find your IP ("what is my IP")
  • Add a deny rule with 10.34.45.65/32 as source (the course's example address), numbered lower than the allow rule so it is evaluated first
  • Rules are evaluated in numerical order; the first match wins
  • VPC endpoint
  • With the NAT gateway in place, running aws s3 ls from the private EC2 instance lists your buckets: the instance reaches S3 over the internet through the NAT gateway
  • Remove the NAT gateway route from the private (main) route table
  • Now aws s3 ls no longer works
  • Create a VPC endpoint to make it work
  • Create a role for EC2 with S3 access (the lab uses full access; in practice scope it to the buckets and actions needed)
  • Assign this role to the private EC2 instance
  • Create the VPC endpoint
    • Types: Gateway and Interface
    • Choose the S3 Gateway endpoint
    • Select the VPC
    • Select the route table associated with the private subnet
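The NACL behaviour exercised in this lab (ephemeral ports for return traffic, a low-numbered deny rule, first match wins), as an added example that is my own simulation and not part of the course. The rule sets and addresses below are constructed; 10.34.45.65 is the course's example address and 203.0.113.0/24 is a documentation range:

```python
"""Simulate stateless NACL evaluation for a TCP connection.

Added example for these notes (not AWS code). Rules are evaluated in ascending
rule-number order and the first match wins; a NACL keeps no connection state,
so the reply packets of an inbound SSH session must be allowed separately on
the outbound side, on the client's ephemeral source port.
"""
import ipaddress


def _match(rule, proto, port, addr):
    lo, hi = rule["ports"]
    return (rule["proto"] in ("all", proto)
            and lo <= port <= hi
            and ipaddress.ip_address(addr) in ipaddress.ip_network(rule["cidr"]))


def evaluate(rules, proto, port, addr):
    """Apply the rules in numerical order; the implicit '*' rule at the end denies."""
    for rule in sorted(rules, key=lambda r: r["num"]):
        if _match(rule, proto, port, addr):
            return rule["action"], rule["num"]
    return "deny", "*"


def ssh_session_allowed(inbound, outbound, client_ip, client_port):
    """A client at client_ip:client_port connects to port 22 on an instance in the
    subnet. Both directions must be allowed because the NACL is stateless:
    the request arrives on port 22, the reply leaves towards client_port."""
    request = evaluate(inbound, "tcp", 22, client_ip)
    reply = evaluate(outbound, "tcp", client_port, client_ip)
    return request[0] == "allow" and reply[0] == "allow", request, reply


# Constructed rule sets mirroring the lab: allow SSH and HTTP in, deny one
# address ahead of the allow, allow ephemeral ports out but deny port 22 out.
INBOUND = [
    {"num": 90,  "proto": "tcp", "ports": (22, 22),  "cidr": "10.34.45.65/32", "action": "deny"},
    {"num": 100, "proto": "tcp", "ports": (22, 22),  "cidr": "0.0.0.0/0",      "action": "allow"},
    {"num": 110, "proto": "tcp", "ports": (80, 80),  "cidr": "0.0.0.0/0",      "action": "allow"},
]
OUTBOUND = [
    {"num": 100, "proto": "tcp", "ports": (1024, 65535), "cidr": "0.0.0.0/0", "action": "allow"},
    {"num": 110, "proto": "tcp", "ports": (22, 22),      "cidr": "0.0.0.0/0", "action": "deny"},
]

if __name__ == "__main__":
    print(ssh_session_allowed(INBOUND, OUTBOUND, "203.0.113.7", 51234))
    print(ssh_session_allowed(INBOUND, OUTBOUND, "10.34.45.65", 51234))
    # Without the ephemeral-port rule the reply is dropped by the '*' rule.
    print(ssh_session_allowed(INBOUND, [OUTBOUND[1]], "203.0.113.7", 51234))
```

Renumbering the deny rule above the allow (say 200) silently disables it, because rule 100 matches first; that is the mistake the lab's "rules are validated in numerical order" warning is about.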

VPC

  • Virtual Private Cloud
  • When you create a VPC it creates a main route table, a default security group and a default NACL
  • By default 5 VPCs can be created per region; for more, request a limit increase from AWS
  • Public subnet – has a route to an internet gateway
  • Private subnet – does not
  • When we create custom subnets, by default they can talk to each other across AZs (via the local route)
  • A subnet is associated with exactly one route table, but one route table can be associated with many subnets
  • 1 subnet = 1 AZ
  • Internet gateway – only one internet gateway per VPC
  • Virtual private gateway – the VPC side of a VPN connection
  • Route table
  • Security group – exists only within the VPC it was created in
  • ACL – Access Control List
  • NACL – Network ACL, applied at the subnet level
  • Security groups – stateful (if you allow an inbound connection, its return traffic is allowed out automatically, regardless of the outbound rules)
  • NACL – stateless (you need to add both inbound and outbound rules, including the ephemeral ports for return traffic)
  • Default VPC
  • All subnets in the default VPC have a route to the internet
  • Each EC2 instance gets a private and a public IP address. In a custom VPC, EC2 instances get only a private IP by default
  • Can have multiple VPCs in one account
  • http://cidr.xyz/ – CIDR calculator
  • VPC peering
  • Lets you connect one VPC to another via a direct network route using private IP addresses
  • Can peer VPCs in other AWS accounts, within a single region
  • VPC peering can now also be done across regions (updated)
  • Peering is point-to-point; a common layout is a star (hub-and-spoke) where 1 central VPC peers with 4 others
  • No transitive peering – the 4 spoke VPCs cannot reach each other through the central VPC; they only talk to each other if they peer directly
  • You cannot create a VPC peering connection between VPCs with matching or overlapping CIDR blocks
  • AWS reserves 5 IP addresses in each subnet: the first 4 and the last one of the subnet's CIDR block
  • For a subnet with CIDR block 10.0.0.0/24 the following 5 are reserved
    • 10.0.0.0 – network address
    • 10.0.0.1 – VPC router
    • 10.0.0.2 – DNS (the Amazon-provided resolver)
    • 10.0.0.3 – reserved for future use
    • 10.0.0.255 – network broadcast address (broadcast is not supported in a VPC, but the address is still reserved)
  • For a public subnet – set auto-assign public IP address to Yes
  • IGW – an internet gateway can be attached to only one VPC at a time
  • Route table – add routes to the IGW for IPv4 and IPv6 for internet access – for the public subnet
    • IPv4 – 0.0.0.0/0
    • IPv6 – ::/0
  • For a private subnet, add a route to a NAT instance or NAT gateway in its route table
  • NAT – Network Address Translation
  • Bastion server – jump server (for administrative SSH/RDP access into private subnets; NAT is for outbound traffic, not for admin access)
  • NAT instance
    • An EC2 instance – search the Community AMIs for NAT
    • By default EC2 performs a source/destination check; disable it for the NAT instance
    • You have to manage it yourself
    • Use a script to manage failover
    • Attached to a security group
    • Must be in a public subnet
  • NAT gateway – IPv4
    • In the VPC, create the NAT gateway in a public subnet
    • Highly available within its AZ (to survive an AZ outage, create another NAT gateway in another AZ and route each private subnet to the one in its own AZ)
    • Create one in each AZ
    • AWS managed
    • No security group required (or possible)
    • Scales automatically
    • More secure
    • Uses source ports 1024 to 65535
  • Egress-only internet gateway – the IPv6 equivalent (IPv6 addresses are public, so it allows outbound connections but blocks unsolicited inbound ones)
  • NACL
    • A subnet is always associated with exactly one NACL, but one NACL can be associated with many subnets
    • If a subnet is associated with another NACL 2, the existing association with NACL 1 is removed automatically
    • A NACL belongs to one VPC
    • A default NACL is created with the VPC – by default it allows all traffic
    • A custom NACL (one you create) denies all traffic by default
    • Each subnet in a VPC must be associated with a NACL. If it is not, the subnet is associated with the default NACL
    • In the default NACL, rule 100 allows all IPv4 and rule 101 allows all IPv6
    • Amazon recommends numbering rules in increments, starting from 100
    • Stateless (need to add both inbound and outbound rules)
    • Rules are evaluated in numerical order, lowest first, and the first match wins. If rule 99 is deny and rule 100 is allow, the traffic is denied by rule 99
    • Can add a rule to deny traffic from a particular IP range. Security groups cannot do this (they only have allow rules)
  • VPC flow logs
    • Capture information about the IP traffic going to and from network interfaces in the VPC
    • Delivered to CloudWatch Logs (or S3)
    • Can be created at 3 levels
      • VPC
      • Subnet
      • Network interface
    • You cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account
    • You could not tag a flow log when these notes were written (tagging is supported now)
    • After creating a flow log you cannot change its configuration (e.g. the IAM role); delete and recreate it instead
    • Not all IP traffic is captured. The following are not logged
      • Traffic generated by your instances when they contact the Amazon DNS server. If you use your own DNS server, that traffic is logged
      • Traffic generated by a Windows instance for Amazon Windows license activation
      • Traffic to and from 169.254.169.254 (the instance metadata service)
      • DHCP traffic
  • VPC endpoint – lets instances reach supported AWS services privately over the AWS network, without an IGW, NAT device, VPN or Direct Connect (it does not go through a virtual private gateway)
    • If you want to access S3 from a private EC2 instance, you can go through a NAT gateway in a public subnet. The NAT gateway then talks to S3 over the internet
    • A VPC endpoint lets you reach S3 from inside the VPC through a gateway endpoint. No internet
    • Interface endpoint – an ENI with a private IP in your subnet (PrivateLink); used for most services
    • Gateway endpoint – a route-table target; S3 and DynamoDB only
  • If you want to run multiple apps (with different IPs) on a single EC2 instance
    • Launch the instance with 2 network interfaces (ENIs)
    • Assign an Elastic IP to each
    • Assign separate security groups to each ENI
  • A NAT gateway cannot send traffic over VPC endpoints, VPN connections, AWS Direct Connect or VPC peering
  • Internet gateways carry two-way traffic. A NAT gateway does not: it only allows connections initiated from inside the VPC
  • In any route table the local route cannot be edited or deleted
  • If both a NAT gateway route and a VPC endpoint route are in the same route table, the VPC endpoint route takes precedence, because its destination (the service's prefix list) is more specific than 0.0.0.0/0
  • VPC gateway endpoints do not support cross-region S3 requests
  • So if the route table has both a NAT gateway route and a VPC endpoint route and you access S3 from a private EC2 instance, the endpoint is used for S3 in the same region and the traffic does not go out through the NAT gateway. If the bucket is in a different region, the traffic goes through the NAT gateway, since gateway endpoints do not support cross-region S3 requests
  • On a VPC endpoint you can attach a policy to restrict access to certain S3 buckets and certain actions. The default policy allows all actions
  • In a NACL, if SSH is allowed inbound, SSH is denied outbound and the ephemeral ports are allowed outbound, SSH still works: the reply traffic leaves towards the client's ephemeral port, not port 22
  • When you SSH to EC2, the inbound port is 22 and the outbound (reply) port is an ephemeral port
  • A NAT gateway must be placed in a public subnet, i.e. one whose route table has an IGW route
  • A NAT gateway cannot be created without an Elastic IP
  • NACL – must allow outbound traffic on all ports, or on the ephemeral ports, or on the specific protocol and ports, for traffic to flow
  • VPC gateway endpoints cannot be used from outside the VPC (not over peering, VPN or Direct Connect)
  • By default security groups allow all outbound traffic, but you can change the rules to allow only specific protocols
  • With VPC peering, you cannot use a NAT gateway created in one VPC from another VPC. Using a NAT gateway in another VPC would be transitive routing, which AWS does not allow
  • With a custom VPC, DNS hostnames are disabled by default. This can be enabled from VPC actions
  • Once the VPC and subnets are created, the CIDR range cannot be edited
  • If all the IP addresses in the CIDR range are used and you need more
    • Create another VPC and peer it with the old VPC – the complex approach
    • Add a secondary CIDR range to the VPC and create subnets in the new range
  • A custom route table can be made the main route table
  • For VPC peering between VPC A and VPC B, VPC A's route table needs a route with VPC B's CIDR as destination and VPC B's route table needs a route with VPC A's CIDR as destination
  • For VPC peering – the route's target is pcx-xxxxxx
  • For Direct Connect and VPN – the route's target is vgw-xxxxxxx
  • For a secondary CIDR range – the route table gets an additional local route whose destination is the new block (e.g. 20.0.0.0/16) and whose target is local
  • x.x.x.x/16 – 65,536 IP addresses
  • x.x.x.x/24 – 256 IP addresses
  • x.x.x.x/32 – 1 IP address
  • To connect on-premises to an AWS VPC via AWS VPN, you need
    • A VPN-compatible hardware device on premises (the customer gateway)
    • A virtual private gateway on the VPC
  • Direct Connect is not a VPN (it is a dedicated private link; traffic over it is not encrypted unless you run a VPN across it)
  • Enhanced VPC Routing (Redshift)
    • No additional cost
    • Forces Redshift's COPY and UNLOAD traffic to S3 (in the same region) through the VPC, so your route tables, NACLs, endpoints and flow logs apply to it
    • Without it, Redshift cannot use a NAT instance or endpoint in your VPC for that traffic, because the traffic does not pass through the VPC at all
    • If Enhanced VPC Routing is enabled, Redshift routes the S3 traffic through the VPC (via an S3 endpoint or NAT)
    • If it is not enabled, Redshift routes the traffic through the internet
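Route-table precedence as described above (local routes, the pcx- peering route, the NAT default route and the S3 gateway endpoint's prefix list), as an added example of my own rather than anything from the course. The table and the prefix-list contents are constructed: the S3 prefix list is stood in for by documentation ranges, not AWS's real S3 addresses, and the target names are placeholders:

```python
"""Longest-prefix-match lookup over a VPC route table.

Added example for these notes. Routes and prefix-list contents are
constructed; "vpce-s3", "pcx-peer" and "nat-gateway" are placeholder targets
and the two /24s stand in for the real S3 prefix list (pl-xxxxxxxx).
"""
import ipaddress

# Stand-in for the S3 prefix list of the VPC's own region.
S3_PREFIX_LIST = ["198.51.100.0/24", "203.0.113.0/24"]

# Constructed route table for a private subnet in a VPC with primary CIDR
# 10.0.0.0/16, secondary CIDR 10.1.0.0/16, a peering connection to
# 172.16.0.0/16, a NAT gateway default route and an S3 gateway endpoint.
ROUTES = [
    ("10.0.0.0/16", "local"),        # primary VPC CIDR; cannot be edited or deleted
    ("10.1.0.0/16", "local"),        # added automatically for the secondary CIDR
    ("172.16.0.0/16", "pcx-peer"),   # peered VPC
    ("0.0.0.0/0", "nat-gateway"),    # default route for internet-bound traffic
] + [(cidr, "vpce-s3") for cidr in S3_PREFIX_LIST]   # gateway endpoint routes


def lookup(routes, dst):
    """Return the target of the most specific route covering dst, or None if
    no route matches (the packet is dropped)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def explain(routes, dst):
    """Human-readable one-liner for a destination, handy when debugging a table."""
    target = lookup(routes, dst)
    return f"{dst} -> {target or 'no route (dropped)'}"


if __name__ == "__main__":
    for dst in ("10.0.1.20", "10.1.3.4", "172.16.5.5", "198.51.100.5", "192.0.2.10"):
        print(explain(ROUTES, dst))
    # Remove the NAT default route: same-region S3 still works via the
    # endpoint, but a destination outside the prefix list has no route.
    without_nat = [r for r in ROUTES if r[1] != "nat-gateway"]
    print(explain(without_nat, "198.51.100.5"))
    print(explain(without_nat, "192.0.2.10"))
```

The /24 endpoint routes win over 0.0.0.0/0 purely by prefix length, which is why S3 in the same region never leaves through the NAT gateway while an S3 address in another region (absent from the prefix list) does; pulling the NAT route out, as the lab does, leaves only the endpoint path.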

CIDR

  • x.x.x.x/y – 2^(32-y) – 2 usable hosts (the classic count, which removes only the network and broadcast addresses; an AWS subnet reserves 5 addresses and must be between /16 and /28)
  • /16 – 2^16 – 2 = 65,534
  • /17 – 2^15 – 2 = 32,766
  • /18 – 2^14 – 2 = 16,382
  • /19 – 2^13 – 2 = 8,190
  • /20 – 2^12 – 2 = 4,094
  • /21 – 2^11 – 2 = 2,046
  • /22 – 2^10 – 2 = 1,022
  • /23 – 2^9 – 2 = 510
  • /24 – 2^8 – 2 = 254
  • /25 – 2^7 – 2 = 126
  • /26 – 2^6 – 2 = 62
  • /27 – 2^5 – 2 = 30
  • /28 – 2^4 – 2 = 14
  • /29 – 2^3 – 2 = 6
  • /30 – 2^2 – 2 = 2
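The subnet arithmetic above, and the five reserved addresses from the VPC section, as an added example (my own code, not from the course). It uses only the standard library and assumes IPv4 subnets; the CIDRs in the usage are the lab's:

```python
"""Subnet sizing the way AWS counts it.

Added example for these notes. The textbook formula 2^(32-y) - 2 removes the
network and broadcast addresses; in a VPC, AWS reserves five addresses per
subnet (network, VPC router, DNS, future use, broadcast), so usable hosts are
2^(32-y) - 5, and subnets must be between /16 and /28.
"""
import ipaddress


def reserved_addresses(cidr):
    """Return the five addresses AWS reserves in a subnet, keyed by their role."""
    net = ipaddress.ip_network(cidr, strict=True)
    first = int(net.network_address)
    return {
        "network": str(ipaddress.ip_address(first)),
        "vpc_router": str(ipaddress.ip_address(first + 1)),
        "dns": str(ipaddress.ip_address(first + 2)),
        "future_use": str(ipaddress.ip_address(first + 3)),
        "broadcast": str(net.broadcast_address),
    }


def is_valid_aws_subnet(cidr):
    """VPC subnets must be IPv4 blocks between /16 and /28 on a block boundary."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return False
    return net.version == 4 and 16 <= net.prefixlen <= 28


def usable_hosts(cidr):
    """Usable addresses in an AWS subnet: total minus the five reserved."""
    if not is_valid_aws_subnet(cidr):
        raise ValueError(f"{cidr} is not a valid AWS subnet (/16 to /28, aligned)")
    return ipaddress.ip_network(cidr).num_addresses - 5


def classic_hosts(prefixlen):
    """The textbook count used in the table above: 2^(32-y) - 2."""
    return 2 ** (32 - prefixlen) - 2


def sizing_table():
    """(prefix, classic usable, AWS usable) for every legal AWS subnet size."""
    return [(p, classic_hosts(p), 2 ** (32 - p) - 5) for p in range(16, 29)]


if __name__ == "__main__":
    print(reserved_addresses("10.0.1.0/24"))
    print(usable_hosts("10.0.1.0/24"))          # 251, not 254 or 256
    for prefix, classic, aws in sizing_table():
        print(f"/{prefix:<3} classic {classic:>6}  aws {aws:>6}")
```

The lab's 10.0.1.0/24 "gives 256 IP addresses" but only 251 can be assigned; a /28 leaves just 11, which is easy to exhaust with ENIs from load balancers and interface endpoints.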

CloudFormation

  • Template – a text file that describes the stack
    • Format version declaration
    • Description declaration
    • Parameters
    • Mappings
    • Resources
    • Outputs
  • Stack – the provisioned set of resources created from a template
  • Templates are JSON or YAML
  • Mandatory section – Resources (at least one AWS resource)
  • All other sections are optional
  • Input parameters (e.g. tags): the limit was 60 per template when these notes were written (AWS has since raised it)
  • Output values (e.g. a public IP): same limit
  • AWSTemplateFormatVersion – the latest (and only) template format version is 2010-09-09. If you don't specify it, CloudFormation assumes the latest version
  • Fn::GetAtt – returns an attribute of a resource, e.g. to expose it as an Output
  • Fn::Join – appends a set of values into a single value separated by a delimiter; if the delimiter is empty, the values are simply concatenated
  • Fn::FindInMap – returns the value corresponding to keys in a two-level map declared in the Mappings section
  • Fn::Select – returns a single object from a list of objects by index
  • By default, "automatic rollback on error" is enabled
  • You are charged for the resources that were created before a failed stack rolled back
  • CloudFormation itself is free. You pay only for the resources it creates
  • WaitCondition – lets the stack wait until the application on an instance signals that it has been provisioned (cfn-signal)
  • Route 53 and IAM roles are supported resource types
  • You can create A records and alias records
  • Templates – no limit
  • Stacks per account – 200 when these notes were written (AWS has since raised the default, and it can be increased further on request)
  • ListStackResources – API to list all the resources in a stack
  • ListStacks – lists all stacks, including deleted ones (for 90 days)
  • DescribeStacks – lists only running stacks (a deleted stack can still be described by its stack ID)
  • For deleted stacks, ListStackResources returns results for up to 90 days after the deletion
  • Provides Python helper scripts (cfn-init, cfn-signal, cfn-get-metadata, cfn-hup) to install software and start services on EC2. You call them from the instance UserData in your template; they run on the instance as part of stack creation
  • Can be used to bootstrap Chef and Puppet
  • Data can be preserved when a stack is deleted by setting a DeletionPolicy (Retain or Snapshot) on the resource
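The intrinsic functions described above (Ref, Fn::Join, Fn::FindInMap, Fn::Select) as an added example: a small resolver of my own, not CloudFormation's implementation, run over a constructed template whose AMI IDs and mapping values are placeholders. It supports only these functions and the AWS::Region pseudo parameter:

```python
"""Resolve a few CloudFormation intrinsic functions the way the notes describe.

Added example for these notes (not AWS code). Handles Ref to parameters and
AWS::Region, Fn::Join, Fn::Select and Fn::FindInMap over a constructed
template so the semantics can be checked offline. Other intrinsics
(Fn::GetAtt, Fn::Sub, ...) are out of scope here.
"""
import json

# Constructed template in JSON form (YAML is equivalent). AMI IDs are fake.
TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {"Env": {"Type": "String", "Default": "prod"}},
  "Mappings": {
    "RegionMap": {
      "us-east-1": {"AMI": "ami-11111111", "AZs": ["us-east-1a", "us-east-1b"]},
      "eu-west-1": {"AMI": "ami-22222222", "AZs": ["eu-west-1a", "eu-west-1b"]}
    }
  },
  "Outputs": {
    "Name":    {"Value": {"Fn::Join": ["-", ["web", {"Ref": "Env"}, "server"]]}},
    "Ami":     {"Value": {"Fn::FindInMap": ["RegionMap", {"Ref": "AWS::Region"}, "AMI"]}},
    "FirstAZ": {"Value": {"Fn::Select": ["0",
                  {"Fn::FindInMap": ["RegionMap", {"Ref": "AWS::Region"}, "AZs"]}]}}
  }
}
""")


def resolve(node, template, params, pseudo):
    """Recursively evaluate intrinsic functions inside a template fragment."""
    if isinstance(node, list):
        return [resolve(n, template, params, pseudo) for n in node]
    if not isinstance(node, dict):
        return node                      # plain string/number: nothing to do
    if len(node) == 1:                   # intrinsic functions are 1-key dicts
        (key, arg), = node.items()
        if key == "Ref":
            if arg in pseudo:
                return pseudo[arg]
            if arg in template.get("Parameters", {}):
                return params.get(arg, template["Parameters"][arg].get("Default"))
            raise KeyError(f"Ref to unknown logical name {arg!r}")
        if key == "Fn::Join":            # [delimiter, [values...]]
            delim, values = resolve(arg, template, params, pseudo)
            return delim.join(str(v) for v in values)
        if key == "Fn::Select":          # [index, [objects...]]
            index, values = resolve(arg, template, params, pseudo)
            return values[int(index)]
        if key == "Fn::FindInMap":       # [MapName, TopLevelKey, SecondLevelKey]
            map_name, top, second = resolve(arg, template, params, pseudo)
            return template["Mappings"][map_name][top][second]
    return {k: resolve(v, template, params, pseudo) for k, v in node.items()}


def outputs(template, params=None, region="us-east-1"):
    """Evaluate every Output's Value for the given parameters and region."""
    pseudo = {"AWS::Region": region}
    return {name: resolve(out["Value"], template, params or {}, pseudo)
            for name, out in template.get("Outputs", {}).items()}


if __name__ == "__main__":
    print(outputs(TEMPLATE))
    print(outputs(TEMPLATE, {"Env": "dev"}, region="eu-west-1"))
```

Nested intrinsics resolve inside-out (the Fn::FindInMap inside Fn::Select runs first), and a Ref to a name that is neither a parameter nor a pseudo parameter fails loudly, which is the behaviour you want from a template linter in a pipeline.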

Route 53

  • Global service
  • IPv4 – 32-bit addresses
  • IPv6 – 128-bit addresses, about 340 undecillion of them
  • Supports MX records
  • Default limit is 50 domain names, but it can be increased by contacting AWS
  • Domain registrars
    • Names are registered with InterNIC, a service of ICANN, which enforces uniqueness
    • Route 53 isn't free; domain registrars include companies like GoDaddy.com, and Route 53 is a registrar too
  • NS records – name server records
  • A record – address record – used by a computer to translate a domain name to an IP address
  • An ELB is always addressed by its DNS name – it has no fixed IP
  • TTL – Time To Live – your computer caches the IPv4 address for a domain name for the TTL (the course uses a 48-hour TTL as its example default). Every lookup first checks the local cache; only when the entry has expired does a fresh DNS lookup happen and refresh the cache. If you are planning a DNS migration, drop the TTL to 5 minutes well in advance, so that caches refresh every 5 minutes
  • TTL is the length of time the record is cached, on either the resolving server or your PC
  • SOA records
    • Supply the name of the primary name server
    • The administrator of the zone
    • The current version (serial) of the zone file
    • The number of seconds a secondary server should wait before retrying a failed zone transfer
    • The default TTL for resource records
  • NS records
    • Name server records
    • Used by top-level domains to direct traffic to the content DNS servers that hold the authoritative records
  • A records
    • Address record – used to translate a domain name to an IP address. A records are always IPv4; the IPv6 equivalent is AAAA
  • CNAME – canonical name – used to resolve one domain name to another. You can point mobile.aacloud.com at m.aacloud.com so users can use either and both resolve to the same place
  • Alias records
    • Alias queries are free
    • Similar to a CNAME
    • The difference is that you can't use a CNAME for a naked domain name
    • Naked domain name – the zone apex record, no www, e.g. http://acloud.guru
    • CNAME queries are chargeable
    • You can't have a CNAME for acloud.guru. It must be either an A record or an alias
    • The naked domain name MUST always be an A record, not a CNAME, e.g. dennis.com
    • The alias maps this A record to an ELB
    • Always choose alias records over CNAMEs where Route 53 supports them
  • Routing policies
  • Simple
  • Weighted
    • Lets you split the traffic
    • 95% of traffic to region 1 and 5% to region 2, or to 2 different ELBs
    • Weights range from 0 to 255 (a weight of 0 stops traffic to that record)
    • Useful for blue/green deployments
  • Latency
    • Lets you send traffic to the region with the lowest latency for the user (usually the nearest region)
    • Eg: one ELB in India and one in London. If a user accesses from India, latency routing takes them to the India ELB, since the London ELB will have higher latency
    • Need to select the region for each record
  • Failover
    • Lets you create an active/passive setup
    • If the active region's health check fails, traffic goes to the passive region
    • Need to add a health check for your target (ELB)
  • Geolocation
    • Lets you send traffic based on the geographic location of the user
    • Eg: EU customers are sent to London and US customers are sent to Mumbai
    • You need to select the location: continent, country, state, or default (everywhere else)
  • Geoproximity
    • Routes traffic based on the location of your resources, and can shift traffic from resources in one location to resources in another (bias)
  • Multivalue answer
    • When you want Route 53 to respond to DNS queries with up to eight healthy records, selected at random
  • (ELB notes that landed here) ELB supports SSL termination in all regions; new instances can be added on the fly, with no need to stop the ELB
  • Global
  • 3 main functions
    • Register domain names
    • Route internet traffic to the resources for your domain
    • Check the health of your resources (can send notifications if a resource is unavailable)
  • To access an S3 static website through Route 53 -> A (IPv4 address) record with Alias = Yes
  • To route traffic to an ELB through Route 53 -> A (IPv4 address) record with Alias = Yes
  • To route traffic to RDS through Route 53 -> CNAME record with Alias = No
  • To route traffic to CloudFront through Route 53 -> create an alias record pointing to the CloudFront distribution
  • Can route traffic to
    • CloudFront
    • EC2
    • Elastic Beanstalk
    • ELB
    • RDS
    • S3
    • Amazon WorkMail
  • If Route 53 couldn't reach your resource and the browser says "Server Not Found"
    • You didn't create a record for the domain or subdomain name
    • You created the record but specified the wrong value (like the wrong IP)
    • The resource you are routing to is not available
  • Health checks can
    • Monitor an endpoint
    • Monitor a CloudWatch alarm
    • Monitor other health checks (a calculated health check)
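The weighted, failover and multivalue policies above, as an added example of my own (a simulation, not Route 53's resolver). The record values, weights and health states are constructed, and the "health check" is just a predicate passed in:

```python
"""Answer DNS queries the way Route 53 routing policies do.

Added example for these notes (not Route 53 code). Records, weights and health
states are constructed. Covers weighted (weight 0-255, 0 = never chosen),
failover (primary while healthy, else secondary) and multivalue answer
(up to eight healthy records, randomly chosen).
"""
import random

# Constructed weighted record set: a blue/green split plus a drained record.
ELB_RECORDS = [
    {"value": "elb-us.example.com", "weight": 95},
    {"value": "elb-eu.example.com", "weight": 5},
    {"value": "elb-old.example.com", "weight": 0},   # weight 0: never answered
]


def weighted(records, rng=random):
    """Pick one record with probability weight / sum(weights)."""
    for r in records:
        if not 0 <= r["weight"] <= 255:
            raise ValueError("Route 53 weights must be between 0 and 255")
    live = [r for r in records if r["weight"] > 0]
    if not live:
        raise ValueError("no record with a non-zero weight")
    return rng.choices(live, weights=[r["weight"] for r in live], k=1)[0]


def failover(primary, secondary, healthy):
    """Active/passive: return the primary while its health check passes."""
    return primary if healthy(primary) else secondary


def multivalue(records, healthy, rng=random):
    """Up to eight healthy records, in random order."""
    live = [r for r in records if healthy(r)]
    return rng.sample(live, k=min(8, len(live)))


def distribution(records, n=10_000, seed=0):
    """Fraction of n weighted answers that went to each record value."""
    rng = random.Random(seed)
    counts = {r["value"]: 0 for r in records}
    for _ in range(n):
        counts[weighted(records, rng)["value"]] += 1
    return {k: v / n for k, v in counts.items()}


if __name__ == "__main__":
    print(distribution(ELB_RECORDS))
    print(failover("elb-us.example.com", "elb-eu.example.com",
                   healthy=lambda r: r != "elb-us.example.com"))
    pool = [{"value": f"10.0.0.{i}", "healthy": i % 2 == 0} for i in range(12)]
    print(multivalue(pool, lambda r: r["healthy"]))
```

Weights are relative, so 95 and 5 give a 95/5 split but so would 19 and 1; setting a record's weight to 0 is the usual way to drain it during a blue/green cut-over without deleting it.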

AutoScaling

  • Free of cost (you pay only for the resources it launches)
  • Can autoscale
    • EC2 Auto Scaling groups
    • Aurora DB clusters (replicas)
    • DynamoDB tables
    • DynamoDB global secondary indexes
    • ECS services
    • Spot Fleet requests
  • Ways
    • EC2 Auto Scaling
    • Application Auto Scaling API
  • EC2 Auto Scaling can also detect when an instance is unhealthy, terminate it, and launch an instance to replace it
  • Components required to set it up effectively
    • Launch configuration
    • ELB
    • Auto Scaling group
  • A launch configuration cannot be edited once it is created
  • If you want to update a launch configuration, use the existing one as a base, create a new one, and update the Auto Scaling group to use the new launch configuration
  • Default scaling metric types
    • Average CPU utilization
    • Network in
    • Network out
    • Application Load Balancer request count per target
  • Scaling based on memory (RAM) – needs a custom metric
  • Health check grace period – even if an EC2 instance is unhealthy, Auto Scaling will not act until the health check grace period has expired
  • Termination policies
    • Default – useful if you have more than one scaling policy for the group
    • OldestInstance – useful if you are upgrading the instances in the Auto Scaling group. This helps get rid of old instance types
    • NewestInstance – useful if you want to test a new launch configuration
    • OldestLaunchConfiguration – useful if you have updated the launch configuration
    • ClosestToNextInstanceHour – terminates the instances that are closest to the next billing hour. Helps manage EC2 usage costs
  • Scaling policies
    • Simple scaling
    • Step scaling
    • Target tracking scaling
  • Default termination policy
    • If there are multiple AZs, choose the AZ with the most instances
    • Select the instance with the oldest launch configuration
    • If more than one instance has the oldest launch configuration, select the one closest to the next billing hour
    • If there is still more than one, select one at random
  • Cooldown period – after a scaling activity, Auto Scaling waits this long before starting another simple-scaling activity, so the previous one can take effect
  • Auto Scaling is used to scale both proxy servers and backend instances
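The default termination policy as listed above, as an added example of my own (a model of the course's description, not AWS's implementation, which also accounts for launch templates and allocation strategies). The fleet is constructed and the billing-hour arithmetic assumes instances were launched at the minute offsets given:

```python
"""Pick the instance EC2 Auto Scaling's default termination policy would remove.

Added example for these notes (not AWS code). The fleet is constructed. Steps,
in order: the AZ with the most instances, then the oldest launch configuration,
then the instance closest to the next billing hour, then a random one.
"""
import random

# Constructed fleet. launch_config_version: lower = older. launch_minute /
# now_minutes are minutes since an arbitrary epoch.
FLEET = [
    {"id": "i-a1", "az": "us-east-1a", "launch_config_version": 1, "launch_minute": 0},
    {"id": "i-a2", "az": "us-east-1a", "launch_config_version": 2, "launch_minute": 10},
    {"id": "i-a3", "az": "us-east-1a", "launch_config_version": 1, "launch_minute": 50},
    {"id": "i-b1", "az": "us-east-1b", "launch_config_version": 1, "launch_minute": 5},
]


def minutes_to_next_hour(instance, now_minutes):
    """Minutes left in the instance's current billing hour (60 if just rolled over)."""
    used = (now_minutes - instance["launch_minute"]) % 60
    return 60 - used


def select_for_termination(instances, now_minutes, rng=random):
    if not instances:
        raise ValueError("nothing to terminate")
    # 1. Keep only the AZ(s) with the most instances.
    per_az = {}
    for inst in instances:
        per_az.setdefault(inst["az"], []).append(inst)
    biggest = max(len(v) for v in per_az.values())
    pool = [i for v in per_az.values() if len(v) == biggest for i in v]
    # 2. Keep only instances on the oldest launch configuration.
    oldest = min(i["launch_config_version"] for i in pool)
    pool = [i for i in pool if i["launch_config_version"] == oldest]
    # 3. Keep only those closest to the next instance hour.
    closest = min(minutes_to_next_hour(i, now_minutes) for i in pool)
    pool = [i for i in pool if minutes_to_next_hour(i, now_minutes) == closest]
    # 4. Break any remaining tie at random.
    return rng.choice(pool)


if __name__ == "__main__":
    print(select_for_termination(FLEET, now_minutes=125)["id"])   # i-a3
    print(select_for_termination(FLEET, now_minutes=55)["id"])    # i-a1
```

At now_minutes=125 the AZ filter keeps the three us-east-1a instances, the launch-configuration filter drops i-a2, and i-a3 (15 minutes into its hour, 45 left) loses the tie-break to i-a1 (55 left) only when the clock moves, which is why a scale-in at a different minute can pick a different instance from the same group.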

Placement Group

  • A placement group name must be unique within your AWS account
  • AWS recommends homogeneous instances within a placement group: same family, storage and size
  • You can't merge placement groups
  • You can't move an existing instance into a placement group
  • You can create an AMI from the existing instance and launch a new instance from that AMI into the placement group
  • Two types in the course (a third, partition, was added later)
  • Cluster placement group
    • Grouping of instances within a single AZ
    • Recommended for applications that need low network latency, high network throughput, or both
    • Big data, where you don't want to spread the instances
    • In the exam, "placement group" without qualification means cluster
    • Only certain instance types can be launched into one. You can't launch a t2.micro
    • Supported families are compute optimized, GPU, memory optimized and storage optimized
    • Can't span multiple AZs
  • Spread placement group
    • Grouping of instances that are each placed on distinct underlying hardware
    • Recommended for applications that have a small number of critical instances that should be kept separate from each other
    • Can span multiple AZs
