AWS Solution Architect Reference Materials
Load Balancing:
https://aws.amazon.com/documentation/elastic-load-balancing/
Elastic Load Balancing automatically distributes incoming application traffic across multiple Amazon EC2 instances. It enables you to achieve greater levels of fault tolerance in your applications, seamlessly providing the required amount of load balancing capacity needed to distribute application traffic.
Elastic Load Balancing allows you to identify the originating IP address of the client connecting through the load balancer.
ELB can’t span across regions.
Route 53 Can be used to route across Regions.
SSL Termination and Processing.
If it's not done at the load balancer level, then it needs to be done at the instance level, which might spike CPU cycles.
Cookie-based Sticky Session – Good or Bad ?? Not sure. The user is always routed to the same instance. Amazon recommends using a database for session state, so failover would be seamless.
ELB Integrates with Auto Scaling.
ELB EC2 health checks / Amazon CloudWatch.
ELB Integration with Route 53.
ELB doesn’t support EIP.
One ELB supports one SSL certificate.
Supports domain Zone Apex.
VPC – Virtual Private Cloud
Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud where you can launch AWS resources in a virtual network that you define.
NACL – Network Access Control List – Subnet Level.
VPC Peering.
Logically isolated network in the Cloud
Control of network architecture.
Hybrid Cloud ( Site-to-Site VPN )
Direct Connect
MPLS Connection
Single Tenant or Dedicated Server Hardware
VPN:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpn-connections.html
You can connect your VPC to remote networks by using a VPN connection.
AWS hardware VPN – By default it provides multiple routes (port redundancy).
Direct Connect – By default you get a single port, no port redundancy.
Supports IPv4 and IPv6, but VPC only supports IPv4.
Direct Connect
Predictable bandwidth – up to 10 Gbps
Less than 1 Gbps through the AWS Partner Network (APN)
Predictable performance – sub-millisecond connectivity
Bypass Internet Service Providers in your network path.
Industry standard 802.1q VLAN.
NAT Instance vs NAT Gateway
NAT Gateway – AWS Managed Service
NAT Instance – Customer is responsible
Source / Destination Check
Route Creation
Private subnet to access Internet.
Colo Advantages
Private connection or via Internet
Redundancy: two ports on two routers. By default redundancy is not factored in.
Active Directory
Simple AD – Small: 500 users; Large: 5000 users
Simple AD – Doesn't support MFA
AD Connector – StandAlone managed directory Samba 4
Microsoft Active Directory
SAML Steps
https://aws.amazon.com/blogs/aws/aws-identity-and-access-management-using-saml/
- A user in your organization browses to an internal portal in your network. The portal also functions as the IdP which handles the SAML trust between your organization and AWS.
- The IdP authenticates the user's identity against AD.
- The client receives a SAML assertion (in the form of an authentication response) from the IdP.
- The client posts the SAML assertion to the new AWS sign-in endpoint. Behind the scenes, sign-in uses the AssumeRoleWithSAML API to request temporary security credentials and construct a sign-in URL.
- The user’s browser receives the sign-in URL and is redirected to the AWS Management Console.
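Steps 3 and 4 of the flow above, as an added example that is not from the page or the AWS blog post it links: the client-side half of the flow that a custom federation tool has to get right is pulling the role/provider ARN pairs out of the assertion's AWS Role attribute and then handing the base64-encoded assertion to AssumeRoleWithSAML. The sample assertion, the account id 123456789012 and the role and provider names are constructed placeholders; the STS call assumes boto3 is installed and is only reached when you actually have network access and a real assertion.

```python
"""Added example: parse the AWS Role attribute out of a SAML assertion and
exchange the assertion for temporary credentials with AssumeRoleWithSAML."""
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace and the attribute name AWS looks for
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample assertion (not a real IdP response); account id, role
# and provider names are placeholders. The second value deliberately lists
# the provider ARN first, which AWS also accepts.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ExampleReadOnly,arn:aws:iam::123456789012:saml-provider/ExampleIdP</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/ExampleIdP,arn:aws:iam::123456789012:role/ExampleAdmin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
      <saml:AttributeValue>3600</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_role_pairs(assertion_xml):
    """Return a list of (role_arn, principal_arn) tuples from the Role attribute.

    The two ARNs may appear in either order, so they are told apart by the
    ':role/' and ':saml-provider/' markers rather than by position.
    """
    root = ET.fromstring(assertion_xml)
    pairs = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != AWS_ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            if len(parts) != 2:
                raise ValueError("malformed Role attribute value: %r" % value.text)
            roles = [p for p in parts if ":role/" in p]
            providers = [p for p in parts if ":saml-provider/" in p]
            if len(roles) != 1 or len(providers) != 1:
                raise ValueError("Role value must pair one role ARN with one provider ARN")
            pairs.append((roles[0], providers[0]))
    if not pairs:
        raise ValueError("assertion carries no AWS Role attribute")
    return pairs


def assume_role_with_saml(assertion_xml, role_arn, principal_arn, duration=3600):
    """Step 4: post the assertion to STS and return the temporary credentials.

    Requires network access and boto3 (imported lazily so the parser above
    stays usable offline). The session cannot outlast the role's max duration.
    """
    import boto3  # assumption: boto3 is installed
    sts = boto3.client("sts")
    encoded = base64.b64encode(assertion_xml.encode()).decode()
    resp = sts.assume_role_with_saml(
        RoleArn=role_arn,
        PrincipalArn=principal_arn,
        SAMLAssertion=encoded,
        DurationSeconds=duration,
    )
    return resp["Credentials"]


if __name__ == "__main__":
    for role, provider in parse_role_pairs(SAMPLE_ASSERTION):
        print("role %s via provider %s" % (role, provider))
```

When an assertion carries several role pairs, the tool should let the user pick one; the assertion itself is the only credential in play here, so it must be obtained over TLS from the IdP and never logged.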
RISK Compliance
Shared Responsibility Model
Customer assumes the responsibility of patching and managing the OS
Customers can request vulnerability scan.
SOC 1 /SSAE / ISAE 3402
SOC2
SOC3
FISMA, DIACAP and FedRAMP
PCI DSS Level1
Several Industry specific Standards.
Storage Options in Cloud
Amazon S3
Amazon Glacier
Amazon EBS
Amazon Instance Storage – Temporary Block Storage volume
AWS Import Export
Amazon Storage GateWay
Amazon Cloudfront
Amazon SQS
Amazon RDS
Amazon DynamoDB
Amazon Elastic Cache
Amazon RedShift
Databases on Amazon EC2
Consolidated Billing
A paying account is linked to multiple accounts (like Dev / Test / Prod); each account's billing is separate but consolidated under the paying account.
Economies of scale from a pricing point of view.
Resource Groups and Tagging:
Tags: key-value pair attached to an AWS resource
Resource Groups: easy to group resources based on tags (Region, Name, Health Checks).
VPC Peering
Transitive peering is not supported. It's only star configurations.
Can't create peering with matching or overlapping CIDR blocks.
It's within a region and can't be across regions.
It can be with multiple accounts.
DNS ( Route 53 )
Private Hosted Zone for Amazon VPC
You can extend on-premises DNS to Amazon VPC.
You cannot extend Route 53 to on premises instances.
Name Resolutions for EC2 Instances.
CName
A Record
MX Record
IPV4 – 32 Bit
IPV6 – 128 Bit
Alias Record – maps one DNS name to another DNS name.
Difference between CNAME and Alias Record.
Use an Alias Record which points to the Elastic Load Balancer DNS name, so underlying IP address changes are handled gracefully.
Direct Connect:
Easy to establish a dedicated connection from on-premises to AWS.
Reduce cost with large volume of data
Reliability
Difference between VPN / Direct Connect
VPN – Through Internet
Direct Connect – Dedicated connection
Active Directory Federation with AWS:
FQDN
AssumeRoleWithSAML
DDOS Attack
Reflection Attack
Amplification Attack
Combination of those (DNS, NTP, SSDP, SNMP)
Minimize attack surface
Scale to absorb the attack
Attackers try to overwhelm resources; respond with AWS elasticity (scale out) and keep the ability to respond.
SPOF Elimination ( Single Point of Failure )
CloudFront – hundreds of edge locations
Consolidated Billing
20 linked accounts by default
Dev/Test/Prod/UAT linked to one paying account
Volume discount – savings aren't going to be significant, but it's something to take advantage of.
Resource Group :
Grouping of resources for a specific group / environment, etc. Group resources based on tags.
CloudTrail – Logs can be consolidated from several accounts.
Amazon S3:
Encryption options available for in-transit data as well as data at rest.
Consistency models for PUTs and DELETEs – read-after-write consistency vs eventual consistency
Ways to ensure the data is written to S3 successfully?
What are good options to prevent direct access to S3 content while still letting your public website access it?
How to configure CloudFront with S3 content.
Sample Request
POST /Neo HTTP/1.1
Content-Length: 4
Host: quotes.s3.amazonaws.com
Date: Wed, 01 Mar 2006 12:00:00 GMT
Authorization: authorization string
Content-Type: text/plain
Expect: the 100-continue HTTP status code

ObjectContent

Sample Response with Versioning Suspended
The following shows a sample response when bucket versioning is suspended.
HTTP/1.1 100 Continue
HTTP/1.1 200 OK
x-amz-id-2: LriYPLdmOdAiIfgSm/F1YsViT1LW94/xUQxMsF7xiEb1a0wiIOIxl+zbwZ163pt7
x-amz-request-id: 0A49CE4060975EAC
x-amz-version-id: default
Date: Wed, 12 Oct 2009 17:50:00 GMT
ETag: "1b2cf535f27731c974343645a3985328"
Content-Length: 0
Connection: close
Server: AmazonS3
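One answer to "ways to ensure the data is written to S3 successfully", as an added example that is not from the page or the S3 documentation: send a Content-MD5 header with the PUT so S3 rejects a corrupted body, and compare the ETag in the 200 response with the local MD5. The example assumes the single-part, non-KMS-encrypted case, where the ETag is the hex MD5 of the object; a multipart ETag contains a '-' and is not a plain MD5, so the check refuses it. The sample body is constructed.

```python
"""Added example: integrity checks around a single-part S3 PUT."""
import base64
import hashlib


def content_md5_header(body):
    """Value for the Content-MD5 request header: base64 of the raw 16-byte
    MD5 digest. S3 recomputes the digest and fails the PUT with BadDigest
    when it does not match what arrived."""
    return base64.b64encode(hashlib.md5(body).digest()).decode()


def expected_etag(body):
    """ETag S3 returns for a single-part, non-KMS object: quoted hex MD5."""
    return '"%s"' % hashlib.md5(body).hexdigest()


def etag_matches(body, etag_header):
    """True when the ETag from the PUT response equals the MD5 of what we sent.

    Quotes and case are normalised. A '-' in the ETag marks a multipart
    upload, whose ETag is not a plain MD5, so that case is rejected rather
    than silently compared.
    """
    etag = etag_header.strip().strip('"').lower()
    if "-" in etag:
        raise ValueError("multipart ETag; verify per-part digests instead")
    return etag == hashlib.md5(body).hexdigest()


def verify_put(body, response_headers):
    """Post-PUT check a client should make: the response must carry an ETag
    and it must match the body that was sent. Missing ETag counts as failure."""
    etag = response_headers.get("ETag")
    if etag is None:
        return False
    return etag_matches(body, etag)


# Constructed sample body and a response header dict modelled on the sample above.
SAMPLE_BODY = b"ObjectContent"
SAMPLE_RESPONSE = {"ETag": expected_etag(SAMPLE_BODY), "Server": "AmazonS3"}

if __name__ == "__main__":
    print("Content-MD5:", content_md5_header(SAMPLE_BODY))
    print("verified:", verify_put(SAMPLE_BODY, SAMPLE_RESPONSE))
```

The Content-MD5 header protects the request on the way in; the ETag comparison confirms what S3 actually stored. Neither replaces TLS, and for objects encrypted with SSE-KMS or uploaded in parts the ETag is not an MD5, so use the checksum options the SDK exposes for those cases.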
Goal: Setup VPC with Public and Private Subnets
The configuration for this scenario includes a virtual private cloud (VPC) with a public subnet and a private subnet.
Good for running a public-facing web application, while maintaining back-end servers that aren’t publicly accessible.
A common example is a multi-tier website, with the web servers in a public subnet and the database servers in a private subnet. You can set up security and routing so that the web servers can communicate with the database servers.
The instances in the public subnet can receive inbound traffic directly from the Internet, whereas the instances in the private subnet can’t. The instances in the public subnet can send outbound traffic directly to the Internet, whereas the instances in the private subnet can’t. Instead, the instances in the private subnet can access the Internet by using a network address translation (NAT) gateway that resides in the public subnet. The database servers can connect to the Internet for software updates using the NAT gateway, but the Internet cannot initiate connections to the database servers.
AWS Link for Private and Public Subnet :
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html
WebServerSG: Recommended Rules
Inbound:
Source | Protocol | Port Range | Comments
0.0.0.0/0 | TCP | 80 | Allow inbound HTTP access to the web servers from anywhere
0.0.0.0/0 | TCP | 443 | Allow inbound HTTPS access to the web servers from anywhere
Your home network's public IP address range | TCP | 22 | Allow inbound SSH access to Linux instances from your home network (over the Internet gateway)
Your home network's public IP address range | TCP | 3389 | Allow inbound RDP access to Windows instances from your home network (over the Internet gateway)
Outbound:
Destination | Protocol | Port Range | Comments
The ID of your DBServerSG security group | TCP | 1433 | Allow outbound Microsoft SQL Server access to the database servers assigned to DBServerSG
The ID of your DBServerSG security group | TCP | 3306 | Allow outbound MySQL access to the database servers assigned to DBServerSG
0.0.0.0/0 | TCP | 80 | Allow outbound HTTP access to the Internet
0.0.0.0/0 | TCP | 443 | Allow outbound HTTPS access to the Internet
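The intent of the table above is easy to drift away from over time (someone widens SSH to 0.0.0.0/0 "temporarily", or points the MySQL rule at a CIDR instead of DBServerSG). The following is an added example, not from the page or AWS, of a small audit over a rule set transcribed from the table: it flags management ports or anything other than 80/443 open to the world on the inbound side, and database ports that leave for anywhere but the DBServerSG on the outbound side. The rule dictionaries, the home range 203.0.113.0/24 and the security group id sg-dbserversg-placeholder are constructed placeholders.

```python
"""Added example: check WebServerSG-style rules against the table's intent."""
import ipaddress

MANAGEMENT_PORTS = {22, 3389}   # SSH, RDP: never from the whole Internet
PUBLIC_WEB_PORTS = {80, 443}    # the only ports the table opens to anywhere
DB_PORTS = {1433, 3306}         # must only reach the DBServerSG

# Constructed rule set transcribed from the table. The home network range and
# the DBServerSG id are placeholders.
DB_SG_ID = "sg-dbserversg-placeholder"
WEBSERVER_SG = {
    "inbound": [
        {"source": "0.0.0.0/0", "protocol": "tcp", "from": 80, "to": 80},
        {"source": "0.0.0.0/0", "protocol": "tcp", "from": 443, "to": 443},
        {"source": "203.0.113.0/24", "protocol": "tcp", "from": 22, "to": 22},
        {"source": "203.0.113.0/24", "protocol": "tcp", "from": 3389, "to": 3389},
    ],
    "outbound": [
        {"destination": DB_SG_ID, "protocol": "tcp", "from": 1433, "to": 1433},
        {"destination": DB_SG_ID, "protocol": "tcp", "from": 3306, "to": 3306},
        {"destination": "0.0.0.0/0", "protocol": "tcp", "from": 80, "to": 80},
        {"destination": "0.0.0.0/0", "protocol": "tcp", "from": 443, "to": 443},
    ],
}


def is_world(peer):
    """True for 0.0.0.0/0 or ::/0; False for narrower CIDRs and for security group ids."""
    try:
        return ipaddress.ip_network(peer, strict=False).prefixlen == 0
    except ValueError:
        return False


def rule_ports(rule):
    """Set of TCP/UDP ports a rule covers; protocol '-1' means all traffic."""
    if rule["protocol"] == "-1":
        return set(range(0, 65536))
    return set(range(rule["from"], rule["to"] + 1))


def audit_inbound(rules):
    """Return finding strings; an empty list means the rules match the table's intent."""
    findings = []
    for r in rules:
        if not is_world(r["source"]):
            continue
        ports = rule_ports(r)
        if r["protocol"] not in ("tcp", "-1"):
            findings.append("%s/%s open to %s" % (r["protocol"], sorted(ports)[:3], r["source"]))
        elif ports & MANAGEMENT_PORTS:
            findings.append("management port(s) %s open to %s"
                            % (sorted(ports & MANAGEMENT_PORTS), r["source"]))
        elif not ports <= PUBLIC_WEB_PORTS:
            findings.append("non-web port range %d-%d open to %s"
                            % (min(ports), max(ports), r["source"]))
    return findings


def audit_outbound(rules, db_sg_id):
    """Database ports may only be reachable via the DBServerSG, never via a CIDR."""
    findings = []
    for r in rules:
        if rule_ports(r) & DB_PORTS and r["destination"] != db_sg_id:
            findings.append("database port(s) %s allowed to %s instead of %s"
                            % (sorted(rule_ports(r) & DB_PORTS), r["destination"], db_sg_id))
    return findings


if __name__ == "__main__":
    for f in audit_inbound(WEBSERVER_SG["inbound"]) + audit_outbound(WEBSERVER_SG["outbound"], DB_SG_ID):
        print("FINDING:", f)
    print("done")
```

In practice the rule dictionaries would be filled from the output of describe-security-groups; the point is that the table's two least-privilege decisions (management ports only from a known range, database ports only to the database group) can be expressed as checks and re-run after every change.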
CloudFormation :
Numerous supported services. Pretty much automate anything.
Deploy very complex infrastructure in the AWS environment.
Templates and Stacks
Elastic Beanstalk
AWS Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS.
https://aws.amazon.com/elasticbeanstalk/
Integrates with IAM, RDS, VPC
BCP / DR – Business Continuity Planning and Disaster Recovery
RTO – Recovery Time Objective
RPO – Recovery Point Objective
Import / Export – Encryption
TrueCrypt
HA for Databases
AWS vCenter to support VMware