AWS Certified Solutions Architect Exam Guide – Chapter-14

Understand highly available architectures. A system is highly available when it can withstand the failure of an individual or multiple components. If you design architectures around the assumption that any component will eventually fail, systems won’t fail when an individual component does.

Understand redundancy. Redundancy can be implemented in either standby or active mode. When a resource fails in standby redundancy, functionality is recovered on a secondary resource using a process called failover. The failover will typically require some time before it is completed, and during that period the resource remains unavailable. In active redundancy, requests are distributed to multiple redundant compute resources, and when one of them fails, the rest can simply absorb a larger share of the workload. Compared to standby redundancy, active redundancy can achieve better utilization and affect a smaller population when there is a failure.

Understand elasticity. Elastic architectures can support growth in users, traffic, or data size with no drop in performance. It is important to build elastic systems on top of a scalable architecture. These architectures should scale in a linear manner, where adding extra resources results in at least a proportional increase in ability to serve additional system load. The growth in resources should introduce economies of scale, and cost should follow the same dimension that generates business value out of that system. There are generally two ways to scale an IT architecture: vertically and horizontally.

Understand vertical scaling. Scaling vertically takes place through an increase in the specifications of an individual resource (for example, upgrading a server with a larger hard drive or a faster CPU). This way of scaling eventually hits a limit, and it is not always a cost-efficient or highly available approach.

Understand horizontal scaling. Scaling horizontally takes place through an increase in the number of resources. This is a great way to build Internet-scale applications that leverage the elasticity of cloud computing. It is important to understand the impact of stateless and stateful architectures before implementing horizontal scaling.

Understand stateless applications. A stateless application needs no knowledge of the previous interactions and stores no session information. A stateless application can scale horizontally because any request can be serviced by any of the available system compute resources.

Understand loose coupling. As application complexity increases, a desirable characteristic of an IT system is that it can be broken into smaller, loosely coupled components. This means that IT systems should be designed as "black boxes" to reduce interdependencies so that a change or a failure in one component does not cascade to other components. The more loosely system components are coupled, the better they scale.

Understand the different storage options in AWS. AWS offers a broad range of storage choices for backup, archiving, and disaster recovery, as well as block, file, and object storage to suit a plethora of use cases. It is important from a cost, performance, and functional aspect to leverage the different storage options available in AWS for different types of datasets.

Exercises

In this section, you will implement a resilient application leveraging some of the best practices outlined in this chapter. You will build the architecture depicted in Figure 14.7 in the following series of exercises.

Figure 14.7 Sample web application for chapter exercises
For assistance in completing the following exercises, reference the following user guides:

  • Amazon VPC—http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/GetStarted.html
  • Amazon EC2 (Linux)—http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html
  • Amazon RDS (MySQL)–http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_GettingStarted.CreatingConnecting.MySQL.html

EXERCISE 14.1
Create a Custom Amazon VPC

  • Log in to the AWS Management Console.
  • Navigate to the Amazon VPC console.
  • Create an Amazon VPC with a Classless Inter-Domain Routing (CIDR) block equal to 192.168.0.0/16, a name tag of Ch 14-VPC, and default tenancy.

EXERCISE 14.2
Create an Internet Gateway for Your Custom Amazon VPC

  • Log in to the AWS Management Console.
  • Navigate to the Amazon VPC console.
  • Create an Internet gateway with a name tag of Ch 14-IGW.
  • Attach the Ch 14-IGW Internet gateway to the Amazon VPC from Exercise 14.1.

EXERCISE 14.3
Update the Main Route Table for Your Custom Amazon VPC

  • Log in to the AWS Management Console.
  • Navigate to the Amazon VPC console.
  • Locate the main route table for the Amazon VPC from Exercise 14.1.
  • Update the route table name tag to a value of Ch 14-Main Route Table.
  • Update the route table routes by adding a destination of 0.0.0.0/0 with a target of the Internet gateway from Exercise 14.2.

EXERCISE 14.4
Create Public Subnets for Your Custom Amazon VPC

  • Log in to the AWS Management Console.
  • Navigate to the Amazon VPC console.
  • Create a subnet with a CIDR block equal to 192.168.1.0/24 and a name tag of Ch 14-Public Subnet 1. Create the subnet in the Amazon VPC from Exercise 14.1, and specify an Availability Zone for the subnet (for example, us-east-1a).
  • Create a subnet with a CIDR block equal to 192.168.3.0/24 and a name tag of Ch 14-Public Subnet 2. Create the subnet in the Amazon VPC from Exercise 14.1, and specify an Availability Zone for the subnet that is different from the one previously specified (for example, us-east-1b).

EXERCISE 14.5
Create a NAT Gateway for Your Custom Amazon VPC

  • Log in to the AWS Management Console.
  • Navigate to the Amazon VPC console.
  • Create a Network Address Translation (NAT) gateway in the Amazon VPC from Exercise 14.1 within the Ch 14-Public Subnet 1 subnet from Exercise 14.4.

EXERCISE 14.6
Create a Private Route Table for Your Custom Amazon VPC

  • Log in to the AWS Management Console.
  • Navigate to the Amazon VPC console.
  • Create a route table for the Amazon VPC from Exercise 14.1 with a name tag of Ch 14-Private Route Table.
  • Update the route table routes by adding a destination of 0.0.0.0/0 with a target of the NAT gateway from Exercise 14.5.

Note that Exercises 14.5 and 14.6 give both private subnets a single NAT gateway in one Availability Zone, which is a single point of failure for outbound Internet access: if that zone is lost, instances in the private subnet of the other zone lose Internet access as well. A production design creates one NAT gateway per Availability Zone and a private route table per zone whose default route points at the local NAT gateway (compare the final review question in this chapter).

EXERCISE 14.7
Create Private Subnets for Your Custom Amazon VPC

  • Log in to the AWS Management Console.
  • Navigate to the Amazon VPC console.
  • Create a subnet with a CIDR block equal to 192.168.2.0/24 and a name tag of Ch 14-Private Subnet 1. Create the subnet in the Amazon VPC from Exercise 14.1, and specify the same Availability Zone for the subnet that was used in Exercise 14.4 for Ch 14-Public Subnet 1 (for example, us-east-1a).
  • Update the route table for the created subnet to the Ch 14-Private Route Table from Exercise 14.6.
  • Create a subnet with a CIDR block equal to 192.168.4.0/24 and a name tag of Ch 14-Private Subnet 2. Create the subnet in the Amazon VPC from Exercise 14.1, and specify the same Availability Zone for the subnet that was used in Exercise 14.4 for Ch 14-Public Subnet 2 (for example, us-east-1b).
  • Update the route table for the created subnet to the Ch 14-Private Route Table from Exercise 14.6.

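
The layout from Exercises 14.1 through 14.7 can be sanity-checked offline before anything is built. The Python script below is an added example, not part of the exam guide: it encodes the chapter's VPC CIDR, subnets, Availability Zones and default routes as constructed data (the igw-/nat- resource IDs are placeholders, not real AWS identifiers), checks that every subnet fits inside the VPC block without overlapping another, classifies each subnet as public or private from the target of its 0.0.0.0/0 route, counts the Availability Zones each tier spans, and flags private subnets whose only path to the Internet is a NAT gateway in a different Availability Zone. Run against the exercise topology, it reports that Ch 14-Private Subnet 2 depends on the single NAT gateway in us-east-1a.

```python
"""Offline sanity checks for the Chapter 14 VPC layout (added example).

All data below is constructed by hand from Exercises 14.1-14.7; the
igw-/nat- identifiers are placeholders, not real AWS resource IDs.
"""
import ipaddress
from typing import Dict, List

VPC_CIDR = "192.168.0.0/16"

# name -> CIDR, Availability Zone, and the route table the subnet is associated with
SUBNETS: Dict[str, dict] = {
    "Ch 14-Public Subnet 1":  {"cidr": "192.168.1.0/24", "az": "us-east-1a", "rtb": "main"},
    "Ch 14-Public Subnet 2":  {"cidr": "192.168.3.0/24", "az": "us-east-1b", "rtb": "main"},
    "Ch 14-Private Subnet 1": {"cidr": "192.168.2.0/24", "az": "us-east-1a", "rtb": "private"},
    "Ch 14-Private Subnet 2": {"cidr": "192.168.4.0/24", "az": "us-east-1b", "rtb": "private"},
}

# route table -> destination -> target (only the default routes matter here)
ROUTE_TABLES: Dict[str, Dict[str, str]] = {
    "main":    {"0.0.0.0/0": "igw-placeholder"},   # Exercise 14.3
    "private": {"0.0.0.0/0": "nat-placeholder"},   # Exercise 14.6
}

# NAT gateway -> subnet it was created in (Exercise 14.5 creates exactly one)
NAT_GATEWAYS: Dict[str, str] = {"nat-placeholder": "Ch 14-Public Subnet 1"}


def check_cidrs(vpc_cidr: str, subnets: Dict[str, dict]) -> List[str]:
    """Every subnet must lie inside the VPC block, and no two may overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(s["cidr"]) for name, s in subnets.items()}
    problems: List[str] = []
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {net} is outside {vpc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    return problems


def classify(subnet: dict, route_tables: Dict[str, Dict[str, str]]) -> str:
    """Public if the default route goes to an Internet gateway, private if it
    goes to a NAT gateway, isolated if there is no default route at all."""
    target = route_tables[subnet["rtb"]].get("0.0.0.0/0")
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "unknown"


def az_coverage(subnets: Dict[str, dict], route_tables: Dict[str, Dict[str, str]]) -> Dict[str, int]:
    """Number of distinct Availability Zones covered by each tier."""
    zones: Dict[str, set] = {}
    for s in subnets.values():
        zones.setdefault(classify(s, route_tables), set()).add(s["az"])
    return {tier: len(z) for tier, z in zones.items()}


def nat_spof_findings(subnets: Dict[str, dict], route_tables: Dict[str, Dict[str, str]],
                      nat_gateways: Dict[str, str]) -> List[str]:
    """Flag private subnets whose egress runs through a NAT gateway that sits
    in another Availability Zone: losing that zone also cuts off this subnet."""
    findings: List[str] = []
    for name, s in subnets.items():
        if classify(s, route_tables) != "private":
            continue
        nat_id = route_tables[s["rtb"]]["0.0.0.0/0"]
        nat_az = subnets[nat_gateways[nat_id]]["az"]
        if nat_az != s["az"]:
            findings.append(f"{name} ({s['az']}) egresses via {nat_id} in {nat_az}")
    return findings


if __name__ == "__main__":
    print("CIDR problems:", check_cidrs(VPC_CIDR, SUBNETS) or "none")
    print("AZ coverage per tier:", az_coverage(SUBNETS, ROUTE_TABLES))
    for finding in nat_spof_findings(SUBNETS, ROUTE_TABLES, NAT_GATEWAYS):
        print("NAT single point of failure:", finding)
```

The same functions accept any subnet and route-table description in this shape, so a second NAT gateway in Ch 14-Public Subnet 2 with its own private route table for us-east-1b can be modelled to confirm that the finding disappears.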
EXERCISE 14.8
Create Security Groups for Each Application Tier

  • Log in to the AWS Management Console.
  • Navigate to the Amazon VPC console.
  • Create an Amazon VPC security group for the ELB with a name tag and group name of Ch14-ELB-SG and a description of Load balancer security group for Ch 14 exercises. Create the security group in the Amazon VPC from Exercise 14.1 with an inbound rule of Type HTTP, a protocol of TCP, a port range of 80, and a source of 0.0.0.0/0.
  • Create an Amazon VPC security group for the web servers with a name tag and group name of Ch14-WebServer-SG and a description of Web server security group for Ch 14 exercises. Create the security group in the Amazon VPC from Exercise 14.1 with an inbound rule of Type HTTP, a protocol of TCP, a port range of 80, and a source of the Ch14-ELB-SG security group, so that only the load balancer can reach the web servers. If you need shell access to manage the servers, add another inbound rule of Type SSH, a protocol of TCP, a port range of 22, and a source of your own IP address as a /32; do not open port 22 to 0.0.0.0/0.
  • Create an Amazon VPC security group for the Amazon RDS MySQL database with a name tag and group name of Ch14-DB-SG and a description of Database security group for Ch 14 exercises. Create the security group in the Amazon VPC from Exercise 14.1 with an inbound rule of Type MYSQL/Aurora, a protocol of TCP, a port range of 3306, and a source of the Ch14-WebServer-SG security group, so that only the web servers can reach the database.
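
Exercise 14.8 encodes the trust chain Internet to ELB to web tier to database by referencing security-group IDs, not CIDR blocks, as rule sources. The Python below is an added example, not part of the exam guide or of any AWS tooling: it holds the three groups as constructed dictionaries in the (simplified) shape of describe-security-groups output, with placeholder sg- IDs and an assumed administrator address of 203.0.113.10/32, expresses the intended model as a policy table, and audits the groups against it. A second, deliberately drifted copy with SSH opened to the world and MySQL opened to the whole VPC shows the findings such a change produces. Feeding the audit real output from the EC2 API is not done here.

```python
"""Audit the three-tier security-group model from Exercise 14.8 (added example).

The group descriptions are constructed by hand in the (simplified) shape of
`describe-security-groups` output; sg-* IDs are placeholders and
203.0.113.10/32 is an assumed administrator address (TEST-NET-3 range).
"""
import copy
from typing import Dict, List

ADMIN_CIDR = "203.0.113.10/32"  # assumed admin workstation, /32 on purpose

SECURITY_GROUPS: List[dict] = [
    {"GroupId": "sg-elb", "GroupName": "Ch14-ELB-SG",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-web", "GroupName": "Ch14-WebServer-SG",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-elb"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": ADMIN_CIDR}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-db", "GroupName": "Ch14-DB-SG",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
          "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
]

# Intended model: for each group, the single permitted source per inbound port.
# "sg" means only members of that security group; "cidr" means an address block.
POLICY: Dict[str, Dict[int, Dict[str, str]]] = {
    "Ch14-ELB-SG":       {80: {"cidr": "0.0.0.0/0"}},
    "Ch14-WebServer-SG": {80: {"sg": "Ch14-ELB-SG"}, 22: {"cidr": ADMIN_CIDR}},
    "Ch14-DB-SG":        {3306: {"sg": "Ch14-WebServer-SG"}},
}


def audit(groups: List[dict], policy: Dict[str, Dict[int, Dict[str, str]]]) -> List[str]:
    """Return one finding per inbound rule that deviates from the policy."""
    names = {g["GroupId"]: g["GroupName"] for g in groups}
    findings: List[str] = []
    for g in groups:
        gname = g["GroupName"]
        expected = policy.get(gname, {})
        for perm in g["IpPermissions"]:
            if perm["IpProtocol"] == "-1":  # an "All traffic" rule has no ports
                findings.append(f"{gname}: allows all protocols and ports")
                continue
            lo, hi = perm["FromPort"], perm["ToPort"]
            if lo != hi:
                findings.append(f"{gname}: port range {lo}-{hi} is wider than one port")
            rule = expected.get(lo)
            if rule is None:
                findings.append(f"{gname}: unexpected inbound port {lo}")
                continue
            for r in perm["IpRanges"]:
                if rule.get("cidr") != r["CidrIp"]:
                    findings.append(f"{gname}: port {lo} open to {r['CidrIp']}, expected {rule}")
            for pair in perm["UserIdGroupPairs"]:
                src = names.get(pair["GroupId"], pair["GroupId"])
                if rule.get("sg") != src:
                    findings.append(f"{gname}: port {lo} reachable from {src}, expected {rule}")
    return findings


def with_drift(groups: List[dict]) -> List[dict]:
    """Constructed misconfiguration: SSH opened to the world, and MySQL opened
    to every address in the VPC instead of only the web-server security group."""
    drifted = copy.deepcopy(groups)
    for g in drifted:
        if g["GroupName"] == "Ch14-WebServer-SG":
            for p in g["IpPermissions"]:
                if p["FromPort"] == 22:
                    p["IpRanges"] = [{"CidrIp": "0.0.0.0/0"}]
        elif g["GroupName"] == "Ch14-DB-SG":
            g["IpPermissions"].append(
                {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                 "IpRanges": [{"CidrIp": "192.168.0.0/16"}], "UserIdGroupPairs": []})
    return drifted


if __name__ == "__main__":
    print("as built:", audit(SECURITY_GROUPS, POLICY) or "no findings")
    for finding in audit(with_drift(SECURITY_GROUPS), POLICY):
        print("drifted:", finding)
```

The policy table is the part worth keeping under version control: it states, per tier, the only source that should ever be able to reach each port, and any rule that widens a source, adds a port, or uses an "All traffic" protocol shows up as a finding.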

EXERCISE 14.9
Create a MySQL Multi-AZ Amazon RDS Instance

  • Log in to the AWS Management Console.
  • Navigate to the Amazon RDS console.
  • Create a DB subnet group with a name of Ch14-SubnetGroup and a description of Subnet group for Ch 14 exercises. Create the DB subnet group in the Amazon VPC from Exercise 14.1 with the private subnets from Exercise 14.7.
  • Launch a MySQL Amazon RDS instance with the following characteristics:
    DB Instance Class: db.t2.small
    Multi-AZ Deployment: yes
    Allocated Storage: no less than 5GB
    DB Instance Identifier: ch14db
    Master User Name: your choice
    Master Password: your choice
    VPC: the Amazon VPC from Exercise 14.1
    DB Subnet Group: Ch14-SubnetGroup
    Publicly Accessible: No
    VPC Security Group: Ch14-DB-SG
    Database Name: appdb
    Database Port: 3306

EXERCISE 14.10
Create an Elastic Load Balancer (ELB)

  • Log in to the AWS Management Console.
  • Navigate to the Amazon EC2 console.
  • Create an ELB with a load balancer name of Ch14-WebServer-ELB. Create the ELB in the Amazon VPC from Exercise 14.1 with a listener configuration of the following:
    Load Balancer Protocol: HTTP
    Load Balancer Port: 80
    Instance Protocol: HTTP
    Instance Port: 80
    (The exercise uses a plain HTTP listener, so traffic between clients and the load balancer is unencrypted. A production deployment would add an HTTPS listener with a TLS certificate and redirect port 80 to it.)
  • Add the public subnets created in Exercise 14.4.
  • Assign the existing security group of Ch14-ELB-SG created in Exercise 14.8.
  • Configure the health check with a ping protocol of HTTP, a ping port of 80, and a ping path of /index.html.
  • Add a tag with a key of Name and value of Ch14-WebServer-ELB.
  • Update the ELB port configuration to enable load-balancer generated cookie stickiness with an expiration period of 30 seconds.

EXERCISE 14.11
Create a Web Server Auto Scaling Group

  • Log in to the AWS Management Console.
  • Navigate to the Amazon EC2 console.
  • Create a launch configuration for the web server Auto Scaling group with the following characteristics:
    AMI: latest Amazon Linux AMI
    Instance Type: t2.small
    Name: Ch14-WebServer-LC
    User data:

      #!/bin/bash
      # Apply the latest patches, then install PHP, the MySQL client libraries and Apache.
      yum update -y
      yum install -y php php-mysql mysql httpd
      # Publish the page that the ELB health check (/index.html) will request.
      echo "powered by AWS" > /var/www/html/index.html
      # Start Apache now and on every reboot of the instance.
      service httpd start
      chkconfig httpd on

    Security Group: Ch14-WebServer-SG
    Key Pair: existing or new key pair for your account

  • Create an Auto Scaling group for the web servers from the launch configuration Ch14-WebServer-LC with a group name of Ch14-WebServer-AG. Create the Auto Scaling group in the Amazon VPC from Exercise 14.1 with the public subnets created in Exercise 14.4 and a group size of 2.
  • Associate the load balancer Ch14-WebServer-ELB created in Exercise 14.10 with the Auto Scaling group.
  • Add a tag with a key of Name and value of Ch14-WebServer-AG to the Auto Scaling group.

NOTE
You will need your own domain name to complete the remaining exercises, and you should be aware that Amazon Route 53 is not eligible for the AWS Free Tier. Hosting a zone on Amazon Route 53 costs approximately $0.50 per month per hosted zone, and additional charges apply depending on the routing policy you choose. For more information on Amazon Route 53 pricing, refer to http://aws.amazon.com/route53/pricing/.

EXERCISE 14.12
Create a Route 53 Hosted Zone

  • Log in to the AWS Management Console.
  • Navigate to the Amazon Route 53 console and create a hosted zone.
  • Enter your domain name and create your new zone file.
  • In the new zone file, you will see the Start of Authority (SOA) record and the name servers. Log in to your domain registrar's website and update the name servers with your AWS name servers.

If the registrar offers a way to change the Time To Live (TTL) settings for its name servers, it is recommended that you set the TTL to 900 seconds. This limits the time during which client requests will try to resolve domain names using the obsolete name servers. You will need to wait for the duration of the previous TTL for resolvers and clients to stop caching the DNS records with their previous values.

  • After you update your name servers with your domain registrar, Amazon Route 53 will be configured to serve DNS requests for your domain.

EXERCISE 14.13
Create an Alias A Record

  • Log in to the AWS Management Console.
  • Navigate to the Amazon Route 53 console.
  • Select your Route 53 hosted zone created in Exercise 14.12. Create a record set with a name of www and a type of A—IPv4 Address.
  • Create an alias with an alias target of the ELB Ch14-WebServer-ELB created in Exercise14.10 and leave your routing policy as simple.

EXERCISE 14.14
Test Your Configuration

  • Log in to the AWS Management Console.
  • Navigate to the Amazon EC2 console.
  • Verify that the ELB created in Exercise 14.10 has 2 of 2 instances in service.
  • In a web browser, navigate to the web farm (for example, www.example.com) using the hosted zone A record created in Exercise 14.13. You should see "powered by AWS" on the web page.

Review Questions

When designing a loosely coupled system, which AWS services provide an intermediate durable storage layer between components? (Choose 2 answers)

  • Amazon CloudFront
  • Amazon Kinesis
  • Amazon Route 53
  • AWS CloudFormation
  • Amazon Simple Queue Service (Amazon SQS)

Which of the following options will help increase the availability of a web server farm? (Choose 2 answers)

  • Use Amazon CloudFront to deliver content to the end users with low latency and high data transfer speeds.
  • Launch the web server instances across multiple Availability Zones.
  • Leverage Auto Scaling to recover from failed instances.
  • Deploy the instances in an Amazon Virtual Private Cloud (Amazon VPC).
  • Add more CPU and RAM to each instance.

Which of the following AWS Cloud services are designed according to the Multi-AZ principle? (Choose 2 answers)

  • Amazon DynamoDB
  • Amazon ElastiCache
  • Elastic Load Balancing
  • Amazon Virtual Private Cloud (Amazon VPC)
  • Amazon Simple Storage Service (Amazon S3)

Your e-commerce site was designed to be stateless and currently runs on a fleet of Amazon Elastic Compute Cloud (Amazon EC2) instances. In an effort to control cost and increase availability, you have a requirement to scale the fleet based on CPU and network utilization to match the demand curve for your site. What services do you need to meet this requirement? (Choose 2 answers)
  • Amazon CloudWatch
  • Amazon DynamoDB
  • Elastic Load Balancing
  • Auto Scaling
  • Amazon Simple Storage Service (Amazon S3)

Your compliance department has mandated a new requirement that all data on Amazon Elastic Block Storage (Amazon EBS) volumes must be encrypted. Which of the following steps would you follow for your existing Amazon EBS volumes to comply with the new requirement? (Choose 3 answers)

  • Move the existing Amazon EBS volume into an Amazon Virtual Private Cloud (Amazon VPC).
  • Create a new Amazon EBS volume with encryption enabled.
  • Modify the existing Amazon EBS volume properties to enable encryption.
  • Attach an Amazon EBS volume with encryption enabled to the instance that hosts the data, then migrate the data to the encryption-enabled Amazon EBS volume.
  • Copy the data from the unencrypted Amazon EBS volume to the Amazon EBS volume with encryption enabled.

When building a Distributed Denial of Service (DDoS)-resilient architecture, how does Amazon Virtual Private Cloud (Amazon VPC) help minimize the attack surface area? (Choose 3 answers)

  • Reduces the number of necessary Internet entry points
  • Combines end user traffic with management traffic
  • Obfuscates necessary Internet entry points to the level that untrusted end users cannot access them
  • Adds non-critical Internet entry points to the architecture
  • Scales the network to absorb DDoS attacks

Your e-commerce application provides daily and ad hoc reporting to various business units on customer purchases. This is resulting in an extremely high level of read traffic to your MySQL Amazon Relational Database Service (Amazon RDS) instance. What can you do to scale up read traffic without impacting your database's performance?

  • Increase the allocated storage for the Amazon RDS instance.
  • Modify the Amazon RDS instance to be a Multi-AZ deployment.
  • Create a read replica for an Amazon RDS instance.
  • Change the Amazon RDS instance DB engine version.

Your website is hosted on a fleet of web servers that are load balanced across multiple Availability Zones using an Elastic Load Balancer (ELB). What type of record set in Amazon Route 53 can be used to point myawesomeapp.com to your website?

  • Type A Alias resource record set
  • MX record set
  • TXT record set
  • CNAME record set

You need a secure way to distribute your AWS credentials to an application running on Amazon Elastic Compute Cloud (Amazon EC2) instances in order to access supplementary AWS Cloud services. What approach provides your application access to short-term credentials for signing requests while protecting those credentials from other users?

  • Add your credentials to the UserData parameter of each Amazon EC2 instance.
  • Use a configuration file to store your access and secret keys on the Amazon EC2 instances.
  • Specify your access and secret keys directly in your application.
  • Provision the Amazon EC2 instances with an instance profile that has the appropriate privileges.

You are running a suite of microservices on AWS Lambda that provide the business logic and access to data stored in Amazon DynamoDB for your task management system. You need to create well-defined RESTful Application Program Interfaces (APIs) for these microservices that will scale with traffic to support a new mobile application. What AWS Cloud service can you use to create the necessary RESTful APIs?

  • Amazon Kinesis
  • Amazon API Gateway
  • Amazon Cognito
  • Amazon Elastic Compute Cloud (Amazon EC2) Container Registry

Your WordPress Website is hosted on a fleet of Amazon Elastic Compute Cloud (Amazon EC2) instances that leverage Auto Scaling to provide high availability. To ensure that the content of the WordPress site is sustained through scale up and scale down events, you need a common file system that is shared between more than one Amazon EC2 instance. Which AWS Cloud service can meet this requirement?

  • Amazon CloudFront
  • Amazon ElastiCache
  • Amazon Elastic File System (Amazon EFS)
  • Amazon Elastic Beanstalk

You are changing your application to move session state information off the individual Amazon Elastic Compute Cloud (Amazon EC2) instances to take advantage of the elasticity and cost benefits provided by Auto Scaling. Which of the following AWS Cloud services is best suited as an alternative for storing session state information?

  • Amazon DynamoDB
  • Amazon Redshift
  • Amazon Storage Gateway
  • Amazon Kinesis

A media sharing application is producing a very high volume of data in a very short period of time. Your back-end services are unable to manage the large volume of transactions. What option provides a way to manage the flow of transactions to your back-end services?

  • Store the inbound transactions in an Amazon Relational Database Service (Amazon RDS) instance so that your back-end services can retrieve them as time permits.
  • Use an Amazon Simple Queue Service (Amazon SQS) queue to buffer the inbound transactions.
  • Use an Amazon Simple Notification Service (Amazon SNS) topic to buffer the inbound transactions.
  • Store the inbound transactions in an Amazon Elastic MapReduce (Amazon EMR) cluster so that your back-end services can retrieve them as time permits.

Which of the following are best practices for managing AWS Identity and Access Management (IAM) user access keys? (Choose 3 answers)

  • Embed access keys directly into application code.
  • Use different access keys for different applications.
  • Rotate access keys periodically.
  • Keep unused access keys for an indefinite period of time.
  • Configure Multi-Factor Authentication (MFA) for your most sensitive operations.

You need to implement a service to scan Application Program Interface (API) calls and related events history to your AWS account. This service will detect things like unused permissions, overuse of privileged accounts, and anomalous logins. Which of the following AWS Cloud services can be leveraged to implement this service? (Choose 3 answers)

  • AWS CloudTrail
  • Amazon Simple Storage Service (Amazon S3)
  • Amazon Route 53
  • Auto Scaling
  • AWS Lambda

Government regulations require that your company maintain all correspondence for a period of seven years for compliance reasons. What is the best storage mechanism to keep this data secure in a cost-effective manner?

  • Amazon S3
  • Amazon Glacier
  • Amazon EBS
  • Amazon EFS

Your company provides media content via the Internet to customers through a paid subscription model. You leverage Amazon CloudFront to distribute content to your customers with low latency. What approach can you use to serve this private content securely to your paid subscribers?

  • Provide signed Amazon CloudFront URLs to authenticated users to access the paid content.
  • Use HTTPS requests to ensure that your objects are encrypted when Amazon CloudFront serves them to viewers.
  • Configure Amazon CloudFront to compress the media files automatically for paid subscribers.
  • Use the Amazon CloudFront geo restriction feature to restrict access to all of the paid subscription media at the country level.

Your company provides transcoding services for amateur producers to format their short films to a variety of video formats. Which service provides the best option for storing the videos?

  • Amazon Glacier
  • Amazon Simple Storage Service (Amazon S3)
  • Amazon Relational Database Service (Amazon RDS)
  • AWS Storage Gateway

A week before Cyber Monday last year, your corporate data center experienced a failed air conditioning unit that caused flooding into the server racks. The resulting outage cost your company significant revenue. Your CIO mandated a move to the cloud, but he is still concerned about catastrophic failures in a data center. What can you do to alleviate his concerns?

  • Distribute the architecture across multiple Availability Zones.
  • Use an Amazon Virtual Private Cloud (Amazon VPC) with subnets.
  • Launch the compute for the processing services in a placement group.
  • Purchase Reserved Instances for the processing services instances.

Your Amazon Virtual Private Cloud (Amazon VPC) includes multiple private subnets. The instances in these private subnets must access third-party payment Application Program Interfaces (APIs) over the Internet. Which option will provide highly available Internet access to the instances in the private subnets?

  • Create an AWS Storage Gateway in each Availability Zone and configure your routing to ensure that resources use the AWS Storage Gateway in the same Availability Zone.
  • Create a customer gateway in each Availability Zone and configure your routing to ensure that resources use the customer gateway in the same Availability Zone.
  • Create a Network Address Translation (NAT) gateway in each Availability Zone and configure your routing to ensure that resources use the NAT gateway in the same Availability Zone.
  • Create a NAT gateway in one Availability Zone and configure your routing to ensure that resources use that NAT gateway in all the Availability Zones.
Rajesh Kumar