Please enable JavaScript.

Coggle requires JavaScript to display documents.

Cloud Practicioner - Coggle Diagram

- - - - Spread across multiple zones
    - - Broad set of products
      - Low to no cost to entry
    - - Scale on demand
      - Eliminate wasted capacity
    - - Compliant many compliance certifications
      - Shared responsibility model
    - - Experimentation
      - Innovation
      - Speed
  - - - Trade capital expense for variable expense
      - Benefit from massive economies of scale
      - Stop guessing about capacity
      - Increase speed and agility
      - Stop spending money running and maintaining data centers
      - Go global in minutes
    - - Features include agility, security, reliability, performance efficiency, cost optimization, and operational excellence.
  - - - Scalability
        
        virtually unlimited on-demand capacity
        
        ways to scale
        
        Vertical Scaling
        
        increase specifications of an individual resource
        
        not always cost effective
        
        Horizontal Scaling
        
        increasing number of resources
        
        not all the architectures can be designed to distribute their workload to multiple resources
        
        elasticity of cloud computing
        
        stateless
        
        State, if needed
        
        Low latency e.g. DynamoDB
        
        Session affinity e.g. ELB sticky sessions
        
        Load can be distributed across multiple resources using
        
        Push model
        
        through ELB where it distributes the load across multiple EC2 instances
        
        Pull model
        
        through SQS or Kinesis where multiple consumers subscribe and consume
        
        Distributed processing
        
        using EMR or Kinesis, helps process large amounts of data by dividing task and its data into many small fragments of works
      - Disposable Resources
        
        no fixed servers
        
        temporary disposable resources
        
        immutable infrastructure
        
        server never updated throughout its lifetime
        
        resources are always in a consistent (and tested) state and easier rollbacks
        
        instantiate compute resources in an automated and repeatable way
        
        Bootstraping
        
        scripts to configure and setup
        
        Golden Images
        
        snapshot of a particular state of that resource
        
        faster start times and removes dependencies to configuration services or third-party repositories
        
        Containers
        
        docker images
        
        Elastic Beanstalk
        
        ECS
        
        infrastrucutre as Code
        
        make the whole infrastructure reusable, maintainable, extensible, and testable.
        
        services like
        
        CloudFormation
        
        OpsWorks
      - Automation
        
        services
        
        Elastic Beanstalk
        
        Paas
        
        quick application deployment while handling resource provisioning, load balancing, auto scaling, monitoring etc
        
        EC2 Autorecovery
        
        creates CloudWatch alarm that monitors an EC2 instance
        
        recovered instance is identical to the original instance
        
        instance ID, private & Elastic IP addresses, and all instance metadata.
        
        Auto Scaling
        
        maintain application availability and scale the capacity up or down automatically as per defined conditions
        
        CloudWatch Alarms
        
        SNS triggers to be configured when a particular metric goes beyond a specified threshold for a specified number of periods
        
        CloudWatch Events
        
        allows real-time stream of system events that describe changes in AWS resources
        
        OpsWorks
        
        continuous configuration through lifecycle events that automatically update the instances’ configuration to adapt to environment changes
        
        Events can be used to trigger Chef recipes on each instance to perform specific configuration tasks
        
        Lambda Scheduled Events
        
        allows Lambda function creation and direct AWS Lambda to execute it on a regular schedule.
      - Loose Coupling
        
        Asynchronous Integration
        
        does not involve direct point-to-point interaction but usually through an intermediate durable storage layer
        
        or e.g. SQS, Kinesis
        
        decouples the components and introduces additional resiliency
        
        suitable for any interaction that doesn’t need an immediate response and an ack that a request has been registered will suffice
        
        Service Discovery
        
        allows new resources to be launched or terminated at any point in time and discovered as well for e.g. using ELB as a single point of contact with hiding the underlying instance details or Route 53 zones to abstract load balancer’s endpoint
        
        Well-Defined Interfaces
        
        allows various components to interact with each other through specific, technology agnostic interfaces for e.g. RESTful apis with API Gateway
      - Removing Single Points of Failure
        
        redundancy
        
        Standby Redundancy
        
        failover process
        
        When a resource fails, functionality is recovered on a secondary resource
        
        for stateful components as relational database
        
        Active Redundancy
        
        requests are distributed to multiple redundant compute resources, if one fails, the rest can simply absorb a larger share of the workload.
        
        replication
        
        Synchronous replication
        
        Asynchronous replication
        
        Quorum-based replication
        
        services provided
        
        Regions, Availability Zones with multiple data centers
        
        ELB or Route 53 to configure health checks and mask failure by routing traffic to healthy endpoints
        
        Auto Scaling to automatically replace unhealthy nodes
        
        EC2 auto-recovery to recover unhealthy impaired nodes
        
        S3, DynamoDB with data redundantly stored across multiple facilities
        
        Multi-AZ RDS and Read Replicas
        
        ElastiCache Redis engine supports replication with automatic failover
      - Optimze costs
        
        Economies of scale
        
        provided services
        
        EC2 instance types – On Demand, Reserved and Spot
        
        Trusted Advisor or EC2 usage reports to identify the compute resources and their usage
        
        S3 storage class – Standard, Reduced Redundancy, and Standard-Infrequent Access
        
        EBS volumes – Magnetic, General Purpose SSD, Provisioned IOPS SSD
        
        Cost Allocation tags to identify costs based on tags
        
        Auto Scaling to horizontally scale the capacity up or down based on demand
        
        Lambda based architectures to never pay for idle or redundant resources
        
        Utilize managed services where scaling is handled by AWS for e.g. ELB, CloudFront, Kinesis, SQS, CloudSearch etc.
      - Security
        
        security responsability model
        
        AWS responsibilities
        
        dev responsabilities
        
        security features
        
        IAM to define a granular set of policies and assign them to users, groups, and AWS resources
        
        IAM roles to assign short term credentials to resources, which are automatically distributed and rotated
        
        Amazon Cognito, for mobile applications, which allows client devices to get controlled access to AWS resources via temporary tokens.
        
        VPC to isolate parts of infrastructure through the use of subnets, security groups, and routing controls
        
        WAF to help protect web applications from SQL injection and other vulnerabilities in the application code
        
        CloudWatch logs to collect logs centrally as the servers are temporary
        
        CloudTrail for auditing AWS API calls, which delivers a log file to S3 bucket. Logs can then be stored in an immutable manner and automatically processed to either notify or even take action on your behalf, protecting your organization from non-compliance
        
        AWS Config, Amazon Inspector, and AWS Trusted Advisor to continually monitor for compliance or vulnerabilities giving a clear overview of which IT resources are in compliance, and which are not
      - Caching
        
        ways
        
        Application Data Caching
        
        provides services thats helps store and retrieve information from fast, managed, in-memory caches
        
        ElastiCache is a web service that makes it easy to deploy, operate, and scale an in-memory cache in the cloud and supports two open-source in-memory caching engines: Memcached and Redis
        
        Edge Caching
        
        allows content to be served by infrastructure that is closer to viewers, lowering latency and giving high, sustained data transfer rates needed to deliver large popular objects to end users at scale.
        
        CloudFront is Content Delivery Network (CDN) consisting of multiple edge locations, that allows copies of static and dynamic content to be cached
- - - - global infrastracture security
        
        reports from third-party auditors
        
        verified compliance with a variety of computer security standards and regulations
        
        hardware, software, networking
      - security configuration of its products
        
        For Managed Services
        
        basic security tasks
        
        guest operating system (OS) and database patching,
        
        firewall configuration
        
        disaster recovery
        
        for e.g. RDS, DynamoDB
    - - AWS Infrastructure as a Service (IaaS) products
        
        your control
        
        for e.g. EC2, VPC, S3
        
        require you to perform all of the necessary security configuration and management tasks
        
        Management of
        
        the guest OS (including updates and security patches)
        
        any application software or utilities installed on the instances
        
        the configuration of the AWS-provided firewall (called a security group) on each instance
        
        configure
        
        logical access controls for the resources
        
        protect the account credentials
  - - - storage decomissioning
    - - Amazon Corporate Segregation
        
        separate set of credentials for logical access
        
        AWS Production network
        
        SSH public-key authentication through a bastion host.
        
        Amazon Corporate network
        
        user IDs, passwords, and Kerberos
    - - monitors
        
        port scanning activities
        
        application usage
        
        server and network usage
        
        unauthorized intrusion attempts
      - custom performance metrics threshold for unusual activity
      - protection against traditional network security issue
        
        DDos
        
        Man in the Middle attacks – AWS APIs are available via SSL-protected endpoints which provide server authentication
        
        IP spoofing – AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.
        
        Port Scanning – Unauthorized port scans by Amazon EC2 customers are a violation of the AWS Acceptable Use Policy. When unauthorized port scanning is detected by AWS, it is stopped and blocked. Penetration/Vulnerability testing can be performed only on your own instances, with mandatory prior approval, and must not violate the AWS Acceptable Use Policy.
        
        Packet Sniffing by other tenants – It is not possible for a virtual instance running in promiscuous mode to receive or “sniff” traffic that is intended for a different virtual instance. While you can place your interfaces into promiscuous mode, the hypervisor will not deliver any traffic to them that is not addressed to them. Even two virtual instances that are owned by the same customer located on the same physical host cannot listen to each other’s traffic.
    - - AWS Credentials
        
        type
        
        Passwords
        
        Multi-Factor Authentication
        
        Access Keys
        
        X.509 Certificates
        
        Individual User Accounts
        
        create an IAM User for each user
        
        unique set of Credentials
        
        least privilege
        
        Secure HTTPS Access Points
        
        for data transmissions
        
        public-key cryptography
        
        Security Logs
        
        CloudTrail
        
        logs of all requests for AWS resources
        
        Trusted Advisor Security Checks
        
        provide reccomandations
        
        improve system performance
        
        close security gaps
        
        optimize cost
  - - - vs. AWS Config
      - Processing Library (CPL)
        
        build applications to take immediate action on events in CloudTrail log files
      - Enabled Use Cases
        
        Track changes to AWS resources
        
        Compliance Aid
        
        easier to demonstrate compliance with internal policy and regulatory standards
        
        Troubleshooting Operational Issues
        
        identify the recent changes or actions to troubleshoot any issues
        
        Security Analysis
        
        use log files as inputs to log analysis tools to perform security analysis and to detect user behavior patterns
      - Log File Integrity
        
        can be used to check whether a log file was
        
        modified
        
        deleted
        
        unchanged after CloudTrail delivered it.
      - Global Services Option
        
        applied to
        
        all regions
        
        single region
        
        events are sent to the region where the action happened
      - CloudTrail Events
        
        record of activity in an AWS account
        
        types
        
        Management Events
        
        Data Events
        
        CloudTrails Insights Event
      - with AWS Organizations
        
        Organization trail
      - Works
        
        risk auditing of the AWS account
        
        identify which users and accounts called AWS for services
        
        IP address
        
        when the call is performed
        
        log files in S3
        
        server-side encryption
        
        get a history of AWS API calls
        
        AWS Management Console
        
        AWS SDKs
        
        command-line tools
        
        APIs and higher-level AWS services
        
        AWS CloudFormation
        
        is per AWS account and per region
        
        for all the services supporting it.
        
        combined with
        
        SNS
        
        Cloud Watch
        
        created with
        
        console
        
        AWS CLI
        
        CloudTrail API
      - https://jayendrapatil.com/aws-cloudtrail/
- - - - Pay as you go
      - Pay less when you reserve
      - Pay even less by using more
      - Pay even less as AWS grows
      - Free services
      - Other, free tier
    - - charges
        
        Compute,
        
        Storage and
        
        Data Transfer Out – aggregated across EC2, S3, RDS, SimpleDB, SQS, SNS, and VPC and then charged at the outbound data transfer rate
      - not charge
        
        Inbound data transfer across all AWS Services in all regions
        
        Outbound data transfer charges between AWS Services within the same region
    - - AWS Simple Monthly Calculator tool to effectively estimate the costs, which provides per service cost breakdown, as well as an aggregate monthly estimate.
        
        AWS Economic Center provides access to information, tools, and resources to compare the costs of AWS services with IT infrastructure alternatives.
        
        AWS Account Activity to view current charges and account activity, itemized by service and by usage type. Previous months’ billing statements are also available.
        
        AWS Usage Reports provides usage reports, specifying usage types, timeframe, service operations, and more can customize reports
  - - - single bill across multiple accounts
      - Process
        
        tracks all the member accounts in your organization
        
        create
        
        organization
        
        create/invite
        
        accounts
        
        Each month charges for all member accounts un a consolidated bill
      - Scenarios
        
        separate environments (Dev/Prod)
        
        have multiple cost centers to track
      - Benefits
        
        Easy tracking
        
        Combined Usage & Volume Discounts
        
        One bill
        
        Free Tier
      - Volume Pricing Discounts
        
        determined by the usage from all accounts
    - - Analyzing costs with graphs
        
        Cost explorer
      - Budgets
        
        track AWS costs to see usage
        
        use cost visualization provided by Cost explorer
        
        create CloudWatch alarms
        
        SNS with budget notification
      - Cost Allocation Tags
        
        organize AWS resources
        
        two types
        
        AWS-generated
        
        user-defined
      - Consolidated Billing *
      - service that you use to pay AWS bill, monitor your usage, and budget your costs
      - Alerts on Cost Limits
        
        CloudWatch, create billing alerts given specified thresholds
        
        email notification
    - - Available Feature Sets
        
        provides Consolidate Billing
        
        manage multiple accounts centrally
        
        Service Control Policies - SCPs
        
        attacched to
        
        a root
        
        an OU
        
        individual account
        
        exclude management account
        
        services and actions assigned to
        
        users
        
        roles
        
        techniques
        
        Whitelisting
        
        FullAWSAccess
        
        explicity access allowed
        
        Blacklisting
        
        deny of a service action overrides any allow of that action.
      - Features
        
        centralized management of all of your AWS accounts
        
        Consolidated billing for all member accounts
        
        Hierarchical grouping of accounts to meet
        
        budget
        
        security
        
        compliance needs
        
        Control over AWS services and API actions that each account can access
        
        Organization permissions overrule account permissions
        
        Integration and support for AWS IAM
        
        Integration with other AWS services
        
        Data replication that is eventually consistent
      - Terminology and Concepts
        
        Root
        
        Organizational Unit
        
        Account
        
        master
        
        member
        
        Invitation / Handshake
  - - - compare cost of running applications in an on-premises
      - view estimate totals
    - - view analyze costs
      - Spend forecasting
      - same dataset of AWS Cost and Usage Reports