AWS Solution Architect Preparation

AWS Solution Architect Reference Materials

Content Area: Reference Material Link

Source Destination Check: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck
S3 Put performance: http://docs.aws.amazon.com/AmazonS3/latest/dev/request-rate-perf-considerations.html
S3 Consistency Model: http://docs.aws.amazon.com/AmazonS3/latest/dev/Introduction.html#Regions
S3 Data Check: http://docs.aws.amazon.com/AmazonS3/latest/API/SOAPPutObject.html
ELB Domain name: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elastic-load-balancing.html
ELB SSL Certificate: https://forums.aws.amazon.com/message.jspa?messageID=520926
NAT Gateway vs NAT Instance: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-comparison.html
Route 53 and VPC: https://blogs.aws.amazon.com/security/post/Tx3SU68M25RX2PS/How-to-Set-Up-DNS-Resolution-Between-On-Premises-Networks-and-AWS-Using-AWS-Dire
Taking EC2 AMI Image: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html
NACL Rule Evaluation Order: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html
Weighted Routing: http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html#routing-policy-weighted
Placement Groups: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html
CloudFront GET Optimization: https://aws.amazon.com/cloudfront/
EBS Volumes attachment: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-attaching-volume.html
Instance Types and Workloads: https://aws.amazon.com/ec2/purchasing-options/
DDoS Attack White Paper: https://d0.awsstatic.com/whitepapers/DDoS_White_Paper_June2015.pdf
CloudFormation: https://aws.amazon.com/cloudformation/
Elastic Beanstalk: https://aws.amazon.com/elasticbeanstalk/
VPC Peering Info: http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/invalid-peering-configurations.html#overlapping-cidr
VPN Options doc: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpn-connections.html
ElastiCache Documentation: https://aws.amazon.com/elasticache/
AWS EMR Documentation: http://docs.aws.amazon.com/ElasticMapReduce/latest/ManagementGuide/emr-plan.html
VPC Subnet Basics: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html#vpc-subnet-basics
AWS Direct Connect and VPC: http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/GenericConfigNoBGP.html
RDS Performance: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_BestPractices.html
Subnet Calculator: http://www.subnet-calculator.com/cidr.php
VPC and Subnet: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/default-vpc.html
Instance Metadata: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
EBS Storage: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html
S3 Documentation: http://docs.aws.amazon.com/AmazonS3/latest/gsg/GetStartedWithS3.html
CloudWatch Metrics: http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/publishingMetrics.html
Internet Gateway and Internet Access: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html
Elastic IP Documentation: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html
Security White Paper: http://www.utdallas.edu/~muratk/courses/cloud11f_files/AWS_Security_Whitepaper.pdf
EMR Best Practices: https://d0.awsstatic.com/whitepapers/aws-amazon-emr-best-practices.pdf
AWS RDS API Describe Events: http://docs.aws.amazon.com/AmazonRDS/latest/CommandLineReference/CLIReference-cmd-DescribeEvents.html
CloudFormation Link: https://aws.amazon.com/cloudformation/
S3 Bucket Permissions: http://docs.aws.amazon.com/AmazonS3/latest/dev/s3-access-control.html
Elastic Network Interface: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ElasticNetworkInterfaces.html
Reserved Instances FAQ: https://aws.amazon.com/ec2/faqs/
IAM Permissions: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_permissions.html
AWS Security Group: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html
EC2 Limits: http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html#limits_ec2
Automated Backups Documentation: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.BackingUpAndRestoringAmazonRDSInstances.html
Route 53 Supported Resource Record Types: http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/ResourceRecordTypes.html
EC2 Instance Metadata: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-retrieval
DB Parameter Groups: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithParamGroups.html
Network ACL Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html
SAML Integration: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
AWS Encryption Options: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingEncryption.html

Load Balancing:

https://aws.amazon.com/documentation/elastic-load-balancing/

Elastic Load Balancing automatically distributes incoming application traffic across multiple Amazon EC2 instances. It enables you to achieve greater levels of fault tolerance in your applications, seamlessly providing the required amount of load balancing capacity needed to distribute application traffic.

AWS recommends pre-warming ELBs for spiky or flash-flood traffic.
In my personal experience, I have noticed numerous 503 errors while load testing.

Elastic Load Balancing allows you to identify the originating IP address of the client connecting through it.

ELB can’t span across regions.

Route 53 Can be used to route across Regions.

SSL Termination and Processing.

If it's not done at the load balancer level, then it needs to be done at the instance level, which might spike CPU cycles.

Cookie-based Sticky Session – Good or bad? Not sure. The user is always routed to the same instance. Amazon recommends using a database for session state, so failover would be seamless.

ELB Integrates with Auto Scaling.

ELB EC2 health checks / Amazon CloudWatch.

ELB Integration with Route 53.

ELB doesn’t support EIP.

One ELB supports one SSL certificate.

Supports domain Zone Apex.

VPC – Virtual Private Cloud

https://aws.amazon.com/vpc/

Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud where you can launch AWS resources in a virtual network that you define.

NACL – Network Access Control List – Subnet Level.

VPC Peering.

Logically isolated network in the Cloud

Control of network architecture.

Hybrid Cloud (Site-to-Site VPN)

Direct Connect

MPLS Connection

Single Tenant or Dedicated Server Hardware

VPN:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpn-connections.html

You can connect your VPC to remote networks by using a VPN connection.

AWS hardware VPN – By default it provides multiple routes (port redundancy).

Direct Connect – By default you get a single port, no port redundancy.

Supports IPv4 and IPv6, but VPC only supports IPv4.

Direct Connect

Predictable bandwidth – up to 10 Gbps

Less than 1 Gbps through the AWS Partner Network (APN)

Predictable performance. Sub-millisecond connectivity
Bypass Internet Service Providers in your network path.
Industry-standard 802.1q VLAN.

NAT Instance vs NAT Gateway

NAT Gateway – AWS Managed Service

NAT Instance – Customer is responsible

Source / Destination Check

Route Creation

Lets instances in a private subnet reach the Internet.

Colo Advantages

Private connection or via Internet

Redundancy: two ports on two routers. By default redundancy is not factored in.

Active Directory

Simple AD – Small: 500 users; Large: 5000 users

Simple AD – Doesn't support MFA

AD Connector – Standalone managed directory, Samba 4

Microsoft Active Directory

SAML Steps

https://aws.amazon.com/blogs/aws/aws-identity-and-access-management-using-saml/

  1. A user in your organization browses to an internal portal in your network. The portal also functions as the IdP which handles the SAML trust between your organization and AWS.
  2. The IdP authenticates the user's identity against AD.
  3. The client receives a SAML assertion (in the form of an authentication response) from the IdP.
  4. The client posts the SAML assertion to the new AWS sign-in endpoint. Behind the scenes, sign-in uses the AssumeRoleWithSAML API to request temporary security credentials and construct a sign-in URL.
  5. The user’s browser receives the sign-in URL and is redirected to the AWS Management Console.
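Step 4 is where the assertion becomes AWS credentials. As an added example (not code from the post or from AWS), this parses the AWS Role attribute out of a SAML assertion and builds the AssumeRoleWithSAML parameters; the account id, role names and provider name are constructed placeholders.

```python
# Added example, not from the post or from AWS: parse the AWS Role attribute
# out of a SAML assertion (step 4 above) and build the AssumeRoleWithSAML
# parameters. Account id, role and provider names are constructed placeholders.
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
# Constructed, unsigned sample. A real assertion is signed by the IdP and STS
# checks that signature against the metadata registered for the SAML provider.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/CorpIdP</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/CorpIdP,arn:aws:iam::123456789012:role/Admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_roles(assertion_xml):
    """Map role ARN -> SAML provider ARN from the Role attribute.
    AWS accepts the two ARNs in either order, so sort them out by type."""
    root = ET.fromstring(assertion_xml)
    roles = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            role = [p for p in parts if ":role/" in p]
            provider = [p for p in parts if ":saml-provider/" in p]
            if len(parts) != 2 or len(role) != 1 or len(provider) != 1:
                raise ValueError("malformed Role attribute value: %r" % value.text)
            roles[role[0]] = provider[0]
    if not roles:
        raise ValueError("assertion carries no AWS Role attribute")
    return roles

def assume_role_params(assertion_xml, role_arn, duration=3600):
    """Keyword arguments for boto3's sts.assume_role_with_saml(); the call
    itself is not made here. Only a role the IdP asserted may be requested."""
    roles = parse_roles(assertion_xml)
    if role_arn not in roles:
        raise PermissionError("%s was not asserted by the IdP" % role_arn)
    return {
        "RoleArn": role_arn,
        "PrincipalArn": roles[role_arn],
        "SAMLAssertion": base64.b64encode(assertion_xml.encode()).decode("ascii"),
        "DurationSeconds": duration,
    }
```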

Risk and Compliance
Shared Responsibility Model
The customer assumes the responsibility of patching and managing the OS.

Customers can request a vulnerability scan.
SOC 1 / SSAE / ISAE 3402
SOC 2
SOC 3
FISMA, DIACAP and FedRAMP
PCI DSS Level 1
Several industry-specific standards.

Storage Options in Cloud
Amazon S3
Amazon Glacier
Amazon EBS
Amazon Instance Storage – Temporary block storage volume
AWS Import/Export
Amazon Storage Gateway
Amazon CloudFront
Amazon SQS
Amazon RDS
Amazon DynamoDB
Amazon ElastiCache
Amazon Redshift
Databases on Amazon EC2

Consolidated Billing
A paying account is linked to multiple accounts (like Dev / Test / Prod); each account's billing stays separate but is consolidated under the paying account.
Economies of scale from a pricing point of view.

Resource Groups and Tagging:
Tags: key-value pairs attached to an AWS resource
Resource Groups: easy to group resources based on tags (Region, Name, Health Checks).

VPC Peering
Transitive peering is not supported; only star configurations.
Can't create a peering with matching or overlapping CIDR blocks.
It's within a region and can't be across regions.
It can be with multiple accounts.

DNS ( Route 53 )

Private Hosted Zone for Amazon VPC

You can extend on-premises DNS to Amazon VPC.

You cannot extend Route 53 to on premises instances.

Name resolution for EC2 instances.
CNAME
A Record
MX Record
IPv4 – 32 bit
IPv6 – 128 bit
Alias Record – maps one DNS name to another DNS name.
Difference between CNAME and Alias Record.
Use an Alias record that points to the Elastic Load Balancer's DNS name, so underlying IP address changes are handled gracefully.

Direct Connect:
Easy to establish a dedicated connection from on-premises to AWS.
Reduce cost with large volume of data
Reliability
Difference between VPN / Direct Connect
VPN – Through Internet
Direct Connect – Dedicated connection

Active Directory Federation with AWS:
FQDN
AssumeRoleWithSAML

DDoS Attack

Reflection Attack

Amplification Attack

Combine all of those (DNS, NTP, SSDP, SNMP)

Minimize the attack surface

Scale to absorb the attack

An attack tries to overwhelm your resources and your ability to respond; AWS elasticity lets you scale to absorb it.

SPOF Elimination ( Single Point of Failure )

CloudFront – Hundreds of Edge Location

Consolidated Billing

20 linked accounts by default

Dev/Test/Prod/UAT linked to one paying account

Volume discount – Savings aren't going to be significant, but it's something to take advantage of.

Resource Group:

Grouping of resources for specific group / environment , etc. Group resources based on Tags.

CloudTrail – Logs can be consolidated from several accounts.

Amazon S3:
Encryption options are available for data in transit as well as data at rest.
Consistency models for PUTs and DELETEs – read-after-write consistency vs eventual consistency
Ways to ensure the data is written to S3 successfully?
What are good options to prevent direct access to S3 content while still letting your public website access it?
How to configure CloudFront with S3 content.

AWS S3 Post Object

Sample Request

POST /Neo HTTP/1.1
Content-Length: 4
Host: quotes.s3.amazonaws.com
Date: Wed, 01 Mar  2006 12:00:00 GMT
Authorization: authorization string
Content-Type: text/plain
Expect: the 100-continue HTTP status code

ObjectContent
Sample Response with Versioning Suspended

The following shows a sample response when bucket versioning is suspended.

HTTP/1.1 100 Continue
HTTP/1.1 200 OK
x-amz-id-2: LriYPLdmOdAiIfgSm/F1YsViT1LW94/xUQxMsF7xiEb1a0wiIOIxl+zbwZ163pt7
x-amz-request-id: 0A49CE4060975EAC
x-amz-version-id: default
Date: Wed, 12 Oct 2009 17:50:00 GMT
ETag: "1b2cf535f27731c974343645a3985328"
Content-Length: 0
Connection: close
Server: AmazonS3
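The question above about confirming a write succeeded comes down to two checks on a single-part PUT: a Content-MD5 header on the request and the ETag on a response like the one above. As an added example (not code from the post or from AWS), the body and response below are constructed, and the ETag was computed from that body.

```python
# Added example, not from the post or from AWS: the two checks that confirm a
# single-part PUT landed intact, a Content-MD5 header on the request and the
# ETag on the response. The body and response below are constructed.
import base64
import hashlib

def content_md5_header(body):
    """Content-MD5 request header: base64 of the raw MD5 digest. S3 recomputes
    the digest and rejects a mismatched body with a 400 BadDigest error."""
    return base64.b64encode(hashlib.md5(body).digest()).decode("ascii")

def parse_headers(raw_response):
    """Header lines of a raw HTTP response (like the sample above) as a dict."""
    headers = {}
    for line in raw_response.splitlines():
        if ":" in line and not line.startswith("HTTP/"):
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def etag_matches(body, raw_response):
    """For a single-part PUT without SSE-KMS the ETag is the hex MD5 of the
    body in quotes. A multipart ETag ('<hex>-<part count>') is not an MD5 of
    the whole object, so refuse to compare it rather than give a false pass."""
    etag = parse_headers(raw_response).get("etag", "").strip('"')
    if not etag:
        raise ValueError("response carries no ETag")
    if "-" in etag:
        raise ValueError("multipart ETag; verify per-part digests instead")
    return etag == hashlib.md5(body).hexdigest()

# Constructed: a 3-byte body and the kind of 200 response S3 returns for it.
BODY = b"abc"
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "x-amz-request-id: EXAMPLEREQUESTID\r\n"
    'ETag: "900150983cd24fb0d6963f7d28e17f72"\r\n'
    "Content-Length: 0\r\n"
    "Server: AmazonS3\r\n"
)

if __name__ == "__main__":
    print("Content-MD5:", content_md5_header(BODY))
    print("ETag matches body:", etag_matches(BODY, RESPONSE))
    print("ETag matches tampered body:", etag_matches(b"abd", RESPONSE))
```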

Goal: Setup VPC with Public and Private Subnets

The configuration for this scenario includes a virtual private cloud (VPC) with a public subnet and a private subnet.
Good for running a public-facing web application, while maintaining back-end servers that aren’t publicly accessible.
A common example is a multi-tier website, with the web servers in a public subnet and the database servers in a private subnet. You can set up security and routing so that the web servers can communicate with the database servers.

The instances in the public subnet can receive inbound traffic directly from the Internet, whereas the instances in the private subnet can’t. The instances in the public subnet can send outbound traffic directly to the Internet, whereas the instances in the private subnet can’t. Instead, the instances in the private subnet can access the Internet by using a network address translation (NAT) gateway that resides in the public subnet. The database servers can connect to the Internet for software updates using the NAT gateway, but the Internet cannot initiate connections to the database servers.

AWS Link for Private and Public Subnet :

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html

WebServerSG: Recommended Rules

Inbound
Source | Protocol | Port Range | Comments
0.0.0.0/0 | TCP | 80 | Allow inbound HTTP access to the web servers from anywhere
0.0.0.0/0 | TCP | 443 | Allow inbound HTTPS access to the web servers from anywhere
Your home network's public IP address range | TCP | 22 | Allow inbound SSH access to Linux instances from your home network (over the Internet gateway)
Your home network's public IP address range | TCP | 3389 | Allow inbound RDP access to Windows instances from your home network (over the Internet gateway)

Outbound
Destination | Protocol | Port Range | Comments
The ID of your DBServerSG security group | TCP | 1433 | Allow outbound Microsoft SQL Server access to the database servers assigned to DBServerSG
The ID of your DBServerSG security group | TCP | 3306 | Allow outbound MySQL access to the database servers assigned to DBServerSG
0.0.0.0/0 | TCP | 80 | Allow outbound HTTP access to the Internet
0.0.0.0/0 | TCP | 443 | Allow outbound HTTPS access to the Internet
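Security groups drift over time, so it helps to check a live rule set against the recommended table. As an added example (not code from the post or from AWS), this audits a WebServerSG rule list for the deviations that matter most: admin ports open beyond the home network, database ports reachable outside DBServerSG, and ports the table never mentions. The home network CIDR and the DBServerSG id are constructed placeholders.

```python
# Added example, not from the post or from AWS: check a WebServerSG rule set
# against the recommended rules above and report any drift. The home network
# CIDR and the DBServerSG id are constructed placeholders.
from ipaddress import ip_network

HOME_NET = ip_network("203.0.113.0/24")   # placeholder for "your home network"
DB_SG = "sg-0db0000000000000"              # placeholder DBServerSG id
WEB_PORTS = {80, 443}     # may face the whole Internet in both directions
ADMIN_PORTS = {22, 3389}  # SSH/RDP: home network only
DB_PORTS = {1433, 3306}   # SQL Server/MySQL: outbound to DBServerSG only

def audit(rules):
    """Return a list of findings; an empty list means the rules match the
    recommended set. Each rule is a dict with direction, port, protocol and
    peer (a CIDR string or a security-group id)."""
    findings = []
    for r in rules:
        d, port, peer = r["direction"], r["port"], r["peer"]
        if r["protocol"] != "tcp":
            findings.append("%s %s/%s: only TCP is recommended" % (d, port, r["protocol"]))
        elif d == "inbound" and port in ADMIN_PORTS:
            if peer.startswith("sg-") or not ip_network(peer).subnet_of(HOME_NET):
                findings.append("inbound %s: admin port open to %s, expected %s" % (port, peer, HOME_NET))
        elif d == "outbound" and port in DB_PORTS:
            if peer != DB_SG:
                findings.append("outbound %s: database port open to %s, expected %s" % (port, peer, DB_SG))
        elif port not in WEB_PORTS:
            findings.append("%s %s: not in the recommended rule set" % (d, port))
    return findings

def rule(direction, port, peer, protocol="tcp"):
    return {"direction": direction, "port": port, "peer": peer, "protocol": protocol}

# Constructed rule sets: the recommended WebServerSG, and one that drifted.
RECOMMENDED = [
    rule("inbound", 80, "0.0.0.0/0"), rule("inbound", 443, "0.0.0.0/0"),
    rule("inbound", 22, str(HOME_NET)), rule("inbound", 3389, str(HOME_NET)),
    rule("outbound", 1433, DB_SG), rule("outbound", 3306, DB_SG),
    rule("outbound", 80, "0.0.0.0/0"), rule("outbound", 443, "0.0.0.0/0"),
]
DRIFTED = RECOMMENDED + [
    rule("inbound", 22, "0.0.0.0/0"),       # SSH from anywhere
    rule("outbound", 3306, "0.0.0.0/0"),    # MySQL to anywhere
    rule("inbound", 8080, "0.0.0.0/0"),     # port the table never allows
]

if __name__ == "__main__":
    for finding in audit(DRIFTED):
        print(finding)
```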

CloudFormation :

Numerous supported services. Pretty much automate anything.

Deploy very complex infrastructure at AWS Environment.

Templates and Stacks

Elastic Beanstalk

AWS Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS.

https://aws.amazon.com/elasticbeanstalk/

Integrates with IAM , RDS , VPC

BPC / DR – Business Process continuity and Disaster Recovery

RTO – Recovery Time Objective

RPO – Recovery Point Objective

Import / Export – Encryption

TrueCrypt

HA for Databases

AWS vCenter to support VMware

References:

A curated list of AWS resources to prepare for the AWS Certifications

https://gist.github.com/leonardofed/bbf6459ad154ad5215d354f3825435dc
