AWS - Coggle Diagram
AWS
Networking
CloudFront
delivers dynamic / static content over the network based on geo-location, data origin and content-delivery server
terminology
edge location (EL)
~region in AWS, where data is cached
origin
where the data to be distributed actually resides (S3, EC2, etc)
signed URL
URL to secure some resource (file in S3, etc)
features
filtering by IP, date, path, etc
allows access to a path, NO MATTER the origin
notes
signed cookies
control who can access your content when you don't want to change your current URLs or when you want to provide access to multiple restricted files
notes
SSL
SNI
client specifies which host it connects to, so the server can present the right SSL certificate
handles dynamic content (API acceleration, dynamic site delivery)
vs API GW edge
solutions
client - CF (with caching at the edge) - API GW (regional, optional caching)
features
protection
integration with Shield, WAF
edge customization
Lambda@Edge
features
features of Lambda funcs
longer execution, net access, etc
CF functions
features
cases
high-scale, latency-sensitive
Direct Connect
use-cases
stable, reliable, secure connection
DNS 101
record types
CNAME
name1 -> name2
but!
can't be used for naked domain names (zone apex record, like example.com; only for names like www.example.com)
Route 53
policies
geo
proximity
'proximity bias'
0 => region is more likely to be selected
features
Hybrid DNS
resolve DNS queries between VPC / peered VPC / on-prem network (must be connected with Direct Connect / VPN)
VPC
def
virtual private cloud - set of instances in an AWS data center that have no access to the internet and only private IPs
access pattern
Gateway to VPC -> Router -> Route Table -> network ACL (access control list) -> some VPC subnet & security group
notes
CIDR
a Classless Inter-Domain Routing (CIDR) block is basically a method for allocating IP addresses and IP routing
for a provisioned 256-IP subnet you have 251 for use and 5 reserved by AWS (network, broadcast, router, DNS - the first 4 IPs; 1 IP for 'future use' - the one before the broadcast IP)
by default, a VPC has: route table, security group, ACL
An Elastic IP address is a STATIC public IPv4 address, which is reachable from the internet.
VPC peering
notes
not transitive
if A-B and B-C are peered, there is NO access between A and C
A, B must not have overlapping CIDRs
VPC Endpoints
types
gateway
features
1 VGW - 1 VPC. No peering, sharing, etc
security group
set of 'allow' rules, operating on the instance level
ELB
types
application
features
supports path-, host-based routing
network
notes
no SG! this is a transparent network device (if target = instance ID; if the real NLB IP is used (only TCP/TLS cases!!!) - not transparent)
notes
If an ELB is not terminating SSL, its listener protocol has to be TCP.
cross-zone LB
when splitting traffic, the division is calculated based on the overall #instances
features
cross-zone balancing
LB that is aware of instances in the other LB's zone and may send part of the load from its own zone to the other zone
path patterns
example
two zones: 1 - website, 2 - image data
Bastion
a host with a public IP for secure access (SSH, RDP) to private EC2s
Global Accelerator
notes
fits for
non-HTTP cases: gaming, IoT (MQTT), VoIP
AWS PrivateLink
is a secure, scalable way to connect VPCs
Transit Gateway
features
works with Direct Connect, VPC connections
VPN CloudHub
features
operates over the public Internet, but all traffic is encrypted
Transit VPC
features
allows overlapping CIDRs, net-level packet filtering
Site-to-site VPN
notes
best practices
N VPCs, 1 on-prem: separate VPN for each VPC - on-prem GW
shared services VPC
customer - (site2site) - VPC A - (peering) - VPC B, C, D
S3
features
restricting access
policies on a concrete object, bucket (ACLs)
transfer appliance
when retrieving, the user targets the closest zone's CloudFront, which then targets the storage (more efficient)
obj Lock
modes
governance
same as compliance, but users with permission can modify the object
S3 / Glacier select
using SQL, filter out objects of interest
Transfer Acceleration
uploading not to S3 directly, but to an S3 zone based on the CloudFront Edge Network
DataSync
an agent that syncs data between on-prem / S3 / EFS / FSx and S3 / EFS / FSx for FULL MIGRATION purposes
alternatives
Transfer Family
use cases
sharing files, CRM, public data
endpoints
VPC with Internet
static private, public IPs
extras
static website hosting
simple, massively scalable hosting
events
types
CW
target downstream Lambda, etc
storage classes
Glacier
concepts
Vault lock
extra rules like MFA, no deletes
types
Instant Retrieval
~ms access, min 90 days storage
Flexible (expedited) Retrieval (formerly Glacier)
reduced redundancy
frequently accessed, non-critical
Snowball
it's actually a physical case with a secure, fast and cost-effective internet setup
snowball edge
= snowball, but with Lambda and clustering features
notes
only RJ45, SFP, QSFP interfaces
access
By default, an S3 object is owned by the AWS account that uploaded it
Athena
features
ready-to-use queries for VPC flow logs, CloudTrail, Cost and Usage, etc
Storage gateway
types
Tape
use-case
can initially be installed in the on-premises environment utilizing the existing enterprise backup product to start the transition without losing access to the existing backups and archives. Over the duration of the migration, most (if not all) backup cycles will be replaced by the new VTL & VTS tapes
notes
restores only the tape ENTIRELY, not a single file
FSx file GW
features
Windows compatibility
SMB, NTFS, Active Directory, etc
Lambda
pricing
first 1M free, $0.20 per 1M after
features
scales out (not up) based on load, i.e. new instances are provisioned for each new event
versioning
immutable, non-decreasing; each version has an ARN
aliases
scenario
'dev' -> $LATEST, 'prod' -> v2
triggers
sync
Firehose, Amazon Lex, API Gateway
limitations
latency
latency of downstream components
notes
When run for the first time or after an update, AWS must provision the Lambda environment and pull in any external dependencies
EC2
notes
to change AZ - create a snapshot, create an AMI from it, and create a new VM
AMIs are copied with empty configs and you need to manually reinstall all configs from the origin AMI
startup process
OS boots
bootstrap scripts run (bash scripts to configure the instance env, etc)
services start (Apache, etc)
curl http://<IP>/latest/meta-data -> all of the instance meta stuff (networks, etc)
curl http://<IP>/latest/user-data -> all of the user meta stuff (bootstrap scripts, etc)
Windows instances are billed by second increments, with a minimum of 1 minute. However, storage charges are incurred even if the instance sits idle
you can create AMIs from on-prem VMs quickly by exporting VM snapshots to S3 and using an API to create the AMI
features
provisioning
options to TURN ON: termination protection, encryption, delete storage volume on termination of an instance
EFS
features
can be mounted on-prem
rather, use DataSync between on-prem and AWS-hosted EFS
classes
Performance
general-purpose, latency-sensitive cases
Pricing
Savings Plans
types
instance
flexible in terms of instance size, tenancy (dedicated / default), OS
compute
flexible in instance families, regions, compute types (Fargate, ECS, etc)
Spot instances
spot fleet
spot instance pools
diversified
great for availability, long workloads
EBS
types
Cold HDD
good fit for large, sequential cold-data workloads.
notes
delivers performance for workloads that require the lowest-latency access to data from a single EC2 instance
if restored, the 1st access means the EBS volume must be downloaded from S3 => extra time to wait
Placement groups
Clustered
local (one rack) set of EC2s (low latency, etc)
Partitioned
best for massively distributed computing (Hadoop, Cassandra, etc)
EC2 Networking
ENA
should be preferred to Virtual Function networking (<10 Gbps, legacy)
Hibernate
option to stop an instance that preserves its operating state (env, compute, etc)
Reserved instances
types
convertible
more flexibility: change instance family, OS, tenancy, payment options
notes
reserve capacity per zone / on-demand to ensure you have the instance types you need available when they are required
Security
Networking
NACL
by default, it allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic
attacks
DDoS
protection
CloudFront + Route 53
Shield -> DDoS protection at the edge
AWS Shield
types
Standard
protection against layer 3, 4 (OSI model) attacks
Facets of security
identification
authentication
authorization
trust
do others whom I trust, trust you as well?
SAML-based federation, etc
Root user, IAM user, temporary creds
API Gateway
features
WebSocket API
used for
real-time apps (chatbots, etc)
stateful apps (with DynamoDB, etc)
notes
5XX happens when a Lambda function is actually instantiated, but some error (like a timeout) happened inside the Lambda function
If WAF is activated on API Gateway, it will block requests when the rate exceeds the HTTP flood rate-based rule
errors
5xx
502
incompatible output from Lambda, etc
Databases
RDS
multi-AZ (for recovery)
cross-region solution
create an async read replica -> CW health checks -> Lambda -> promote replica to master -> update DNS with R53
features
Automated Backups
1-35 days retention, any-time recovery
notes
up to 100,000 client connections
NoSQL
DynamoDB
features
Capacity
on-demand
flexible capacity, more expensive
Global tables
use cases
active-active replication, many instances
notes 2
secondary indexes
local
same partition key, but different sort key
when
with the same PK, fast queries on some other attribute
limitations
limited #indexes, #attributes per index
partition and sort key attributes must be defined as type string, number, or binary
notes 1
calc #partitions
result = max(by size, by capacity)
streams
ingest to Dynamo and, with extra processing (EC2, Lambda, Kinesis sink), to a data lake
DMS
DB migration svc
can migrate from almost anything to almost anything (including on-prem, EC2, etc)
notes
during migration, the origin remains fully operational
RedShift
features
snapshots
point-in-time, incremental
ElastiCache
types
Redis
has many more features than Memcached: multi-AZ, advanced queries, pub/sub, persistence, backup, sorting
caching strategies
Adding TTL
keeps data from getting too stale and requires that values in the cache are occasionally refreshed from the database
Advanced IAM
Directory svc
Active Directory
hierarchical DB of users, groups, computers
managed Microsoft AD
when
for user bases of more than 5,000
notes
to connect to on-prem
set up trust
two-way forest
when?
part of the users is stored on-prem, part on AWS
HA
achieved by replicating a Microsoft AD on EC2 and setting up a forest trust between the actual AD and EC2
IAM policies
Permission boundaries
notes
if user U1 with a permission boundary creates user U2, U2 has <= permissions than U1
RAM
limited to 8 resources (EC2 (even in VPC), DBs, etc)
AutoScaling
Launch Templates
defines instance type, key pair, EBS, etc
Organizations
Service control policy
notes
restrict root account activities of changing the root password or managing MFA settings if your accounts were created after 2017
applied hierarchy-wise: if an SCP is set for the Project unit, Team units that inherit from the PU will also have the SCP
best practices
Creating an account for each project group facilitates security policy differences within business units, and limits the exposure of a single security event
tag policies
to ensure consistent tags / audit resources, etc
HPC
AWS Batch
use cases
scheduled / recurring HPC tasks w/o complex logic (no complex infra to set up, only EC2s)
Data management
DataSync
transfer between on-prem and S3, EFS, FSx
AWS ParallelCluster
automates creation of VPC, subnets, EC2s, etc
storage
net storage
FSx for Lustre
HPC-optimized, millions of IOPS
Kinesis
Kinesis Streams
features
immutability
once data is inserted, it CANNOT be deleted
targets
non-AI related services
yet, not a real-time ingestion svc (consider SQS)
Firehose
the processor can do anything, including custom analytics, NOT real-time
notes
NEAR real-time
60 s latency for non-full batches OR 1 MB of data arrived
sinks
AWS, custom endpoint, Splunk, etc
Kinesis Video Streams
entities
producer
features
can send
non-video
audio feeds, images, or RADAR data
stream
features
can carry
audio, video, and similar time-encoded data streams
Reference architectures
extreme rates
Route 53 - global, unlimited scale
CloudFront edge
S3
3500 PUT, 5500 GET per prefix / s
Message Buffers
SQS
features
256 KB of text, any format
visibility timeout
a message becomes invisible after reader 1 reads it, and is deleted if the read transaction completes within the timeout
IF NOT - the message becomes visible again for reader 2 to read
types
FIFO
8 transactions per operation <-> 2,400 transactions/sec
SWF
entities
workflow starters
examples
place an order, search for something
SNS
features
integrates with SQS, HTTP endpoints
Amazon MQ
features
supports MQTT (IoT), JMS, WebSocket protocols
Containers
ECS
entities
task definition
Dockerfile for ECS, can define multiple containers
service
networking
awsvpc
notes
has simplified networking, SGs, VPC flow logs, etc
scaling
works on the TASK level, not instance (unlike EC2 AS)
IAM role
instance profile
scenario
common for all instances: making API calls, sending logs, etc
security
can apply a policy per task (granular, instance-wise)
notes
Task role > EC2 instance role when granting the ECS cluster permission to use resources during container execution
provides tagging at the repository level, not at the individual container image level
Fargate
features
uses EFS for persistent storage, ephemeral storage for non-persistent
IAM
NOTES
may be added to an IAM user, group, or role
Groups, roles and users are scoped within a single account
Entities
Group
notes
A group can contain many users, and a user can belong to multiple groups
can contain only users, not other groups
Policy
types
resource-based
separate policy for an S3 bucket, SQS, etc
Cloud Watch
features
metrics
available
standard monitoring: every 5 min, detailed: every 1 min
logs
defs
log stream
set of log units (log files, containers, etc)
features
sinks
S3 / Kinesis / Lambda
S3
buckets MUST be encrypted with AES-256 (SSE-S3), not SSE-KMS!
CloudTrail
event types
data
GET/PUT/Invoke (for Lambda), etc
management
ops on resources: delete, create, etc
AWS WAF
monitors HTTP(S) requests forwarded to CloudFront / ALB / API Gateway
EMR
structure
cluster
instance config
instance fleet
select target capacity, instance types, purchasing
Web Identity Federation
AWS Cognito
pools
user
about actual user sign-up/sign-in: email, ID, etc
steps
auth via FB -> receive response from user pool with JWT -> send JWT to identity pool -> receive temporary credentials -> access AWS
NOTES
HA
Cloud Formation
defs
stack
types
nested stack
scenario
component reuse
notes
to add an external svc with a REST API, add a custom resource in your template
manages ASG, not EC2s!
DeletionPolicy
options
Snapshot
delete, but make a snapshot
Delete
default for all resources, except RDS
to delete an S3 bucket, empty it first
with Bastion Hosts
(cheap way)
2 AZ, 1 BH, 1 instance + autoscaling
(more expensive way)
2 AZ, NLB, 2 BH, 1 instance + failover
SAM
features
allows testing locally
run Lambda, API GW, Dynamo locally
Step Functions
low-code, visual workflow service to build workflows of various kinds