AWS Certified Solutions Architect - Associate

Course Introduction

The Basics

By scmGalaxy.com

About Me

DevOps@RajeshKumar.XYZ


AWS Certification Tracks


Related Pluralsight Courses


      Prerequisites

    • Assumed AWS knowledge
    • An understanding of cloud computing
    • Microsoft / Linux essentials
    • Networking essentials
    • Working knowledge of virtualization
    • Storage fundamentals

Infrastructure Service for the World

Virtual Private Cloud

Elastic Computing

Cloud Storage

Security and IAM

Database Services

Strategy for Success!


Exam Highlights


2500 Certified

AWS Certified Solutions Architect - Associate

Exam Guide:

https://aws.amazon.com/certification/certified-solutions-architect-associate/

Summary

  • Course at a glance
  • AWS certifications
  • Prerequisites
  • Strategy for success

Understanding and Configuring Amazon Virtual Private Cloud (VPC)

Virtual Private Cloud Overview

    • Logically isolated network in the AWS cloud
    • Control of network architecture
    • Enhanced security
    • Internetwork with other organizations
    • Elastic IP Address
    • Enable hybrid cloud (site-to-site VPN)
    • Single tenant dedicated server hardware
    • VPC cost = $0 / VPN cost is $0.05/hr

VPC Elements


VPC Characteristics

    • AWS reserves 5 IP addresses per subnet (first 4 and last 1)
    • Private, public or VPN subnets
    • Subnets do not span AZs
    • Single Region, multi-AZ
    • CIDR /16 to /28
    • Select IP prefix

VPC Security

  • Security Groups
    • Resource level traffic firewall
      • - Instance, ELB, etc…
    • Ingress and egress
    • Stateful
      • - Return traffic allowed
  • Access Control Lists
    • Source and protocol filtering
    • Subnet level traffic firewall
      • - Separate inbound and outbound rule set
    • Stateless
      • - Traffic strictly filtered
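
The difference between the stateful security group and the stateless network ACL is easiest to see on one request and its reply. The following is an added illustration, not part of the original slides: a small Python model with constructed addresses, ports and rule numbers, in which the class and function names are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self):
        """The return packet of this flow (addresses and ports swapped)."""
        return Packet(self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Rule:
    cidr: str          # remote side: source for inbound rules, destination for outbound
    port_lo: int       # destination port range of the packet
    port_hi: int
    allow: bool = True   # deny rules are honoured by the network ACL only
    number: int = 0      # evaluation order, used by the network ACL only

    def matches(self, remote_ip, dport):
        return (ip_address(remote_ip) in ip_network(self.cidr)
                and self.port_lo <= dport <= self.port_hi)


class SecurityGroup:
    """Stateful, allow-only: an allowed flow is remembered, so its replies pass."""

    def __init__(self, ingress, egress):
        self.ingress, self.egress, self.flows = ingress, egress, set()

    def _check(self, pkt, rules, remote_ip):
        if pkt.reply() in self.flows:          # return traffic of a tracked flow
            return True
        if any(r.matches(remote_ip, pkt.dport) for r in rules):
            self.flows.add(pkt)
            return True
        return False

    def inbound(self, pkt):
        return self._check(pkt, self.ingress, pkt.src)

    def outbound(self, pkt):
        return self._check(pkt, self.egress, pkt.dst)


class NetworkAcl:
    """Stateless: every packet is matched against the rule set for its direction."""

    def __init__(self, inbound_rules, outbound_rules):
        self.inbound_rules = sorted(inbound_rules, key=lambda r: r.number)
        self.outbound_rules = sorted(outbound_rules, key=lambda r: r.number)

    @staticmethod
    def _first_match(rules, remote_ip, dport):
        for rule in rules:                     # lowest number first, first match wins
            if rule.matches(remote_ip, dport):
                return rule.allow
        return False                           # implicit final deny

    def inbound(self, pkt):
        return self._first_match(self.inbound_rules, pkt.src, pkt.dport)

    def outbound(self, pkt):
        return self._first_match(self.outbound_rules, pkt.dst, pkt.dport)


def demo():
    """One HTTPS request to an instance and its reply (all values constructed)."""
    request = Packet("203.0.113.10", 50000, "10.0.1.20", 443)
    https_in = Rule("0.0.0.0/0", 443, 443, number=100)
    ephemeral_out = Rule("0.0.0.0/0", 1024, 65535, number=100)
    block_range = Rule("203.0.113.0/24", 0, 65535, allow=False, number=90)

    sg = SecurityGroup(ingress=[https_in], egress=[])
    nacl_in_only = NetworkAcl([https_in], [])
    nacl_both = NetworkAcl([https_in], [ephemeral_out])
    nacl_deny = NetworkAcl([block_range, https_in], [ephemeral_out])
    return {
        "sg_request": sg.inbound(request),
        "sg_reply": sg.outbound(request.reply()),        # no egress rule needed
        "sg_new_outbound": sg.outbound(Packet("10.0.1.20", 40000, "198.51.100.7", 22)),
        "nacl_reply_no_outbound_rule": nacl_in_only.outbound(request.reply()),
        "nacl_reply_ephemeral_rule": nacl_both.outbound(request.reply()),
        "nacl_request_denied_by_rule_90": nacl_deny.inbound(request),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:32} {'ALLOW' if allowed else 'DENY'}")
```

The security group passes the reply with an empty egress list, while the network ACL drops it until an outbound rule covers the client's ephemeral port range.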

Configure Wired Brain Coffee (WBC) VPC


Summary

  • VPC overview
  • VPC elements
  • VPC security

Understanding and Configuring NAT Instances, Gateways, and VPC Endpoints

  • Single NAT can lead to bottlenecks
    • If too much traffic passes through
  • NAT gateway instead
  • Scale Up:
    • Increase instance size
    • Choose instance that supports enhanced networking
  • Scale Out:
    • Add NATs / subnets and migrate workloads

NAT Instances vs NAT Gateways

  • NAT Instances
    • Use a script to manage failover between instances
    • Depends on the bandwidth of the instance type
    • Managed by you
    • A generic Amazon Linux AMI that's configured to perform NAT
    • Manual port forwarding
    • Use a bastion server
    • View CloudWatch alarms

  • NAT Gateways
    • Highly available. NAT gateways in each Availability Zone are implemented with redundancy
    • Supports bursts of up to 10Gbps
    • Managed by AWS
    • Software is optimized for handling NAT traffic
    • Port forwarding is not supported
    • Bastion servers not supported
    • Traffic metrics not supported

Configure NAT instance and NAT gateway


Configure Endpoint to Amazon S3


Summary

  • NAT instances
  • NAT gateways
  • VPC endpoints

Understanding and Configuring VPC Peering, VPN, and Direct Connect

VPC Peering

    • Single Region Inter-VPC routing
    • Same or different AWS account
    • No overlapping network addresses
    • 50 VPC peers per VPC, up to 125 by request

    • DNS is supported
    • Use route tables to configure routing
    • Update the inbound or outbound rules for your VPC security groups to reference security groups in the peered VPC
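
The address rules from the VPC Characteristics slide (five reserved addresses per subnet, /16 to /28 blocks) and the peering rule above (no overlapping network addresses) can be checked before anything is created. This is an added example, not part of the original slides; the VPC names, subnet names and CIDR blocks are constructed sample values.

```python
from ipaddress import ip_network
from itertools import combinations

MIN_PREFIX, MAX_PREFIX = 16, 28     # allowed block sizes, from the slide
RESERVED_PER_SUBNET = 5             # first 4 addresses and the last 1


def reserved_addresses(subnet_cidr):
    """Addresses AWS keeps for itself in a subnet: the first four and the last one."""
    net = ip_network(subnet_cidr)
    return [str(net[i]) for i in range(4)] + [str(net[-1])]


def check_plan(vpc_cidr, subnets):
    """Validate a {name: cidr} subnet plan against a VPC block.

    Returns (usable, problems): usable host counts for the valid subnets and
    a list of human-readable findings for the rest.
    """
    vpc = ip_network(vpc_cidr)
    usable, problems, seen = {}, [], {}
    if not MIN_PREFIX <= vpc.prefixlen <= MAX_PREFIX:
        problems.append(f"VPC {vpc}: prefix must be /16 to /28")
    for name, cidr in subnets.items():
        net = ip_network(cidr)
        issues = []
        if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
            issues.append(f"{name}: /{net.prefixlen} is outside /16 to /28")
        if not net.subnet_of(vpc):
            issues.append(f"{name}: {net} is not inside {vpc}")
        issues += [f"{name}: {net} overlaps {other} ({other_net})"
                   for other, other_net in seen.items() if net.overlaps(other_net)]
        seen[name] = net
        if issues:
            problems += issues
        else:
            usable[name] = net.num_addresses - RESERVED_PER_SUBNET
    return usable, problems


def peering_conflicts(vpcs):
    """Pairs of VPCs in a {name: cidr} map that cannot be peered due to overlap."""
    nets = sorted((name, ip_network(cidr)) for name, cidr in vpcs.items())
    return [(a, b) for (a, net_a), (b, net_b) in combinations(nets, 2)
            if net_a.overlaps(net_b)]


if __name__ == "__main__":
    # Constructed plan: two valid subnets, one too small and overlapping, one stray.
    usable, problems = check_plan("10.0.0.0/16", {
        "public-a": "10.0.1.0/24",
        "private-a": "10.0.2.0/28",
        "too-small": "10.0.2.8/29",
        "stray": "172.16.0.0/24",
    })
    print("usable:", usable)
    print("reserved in public-a:", reserved_addresses("10.0.1.0/24"))
    for finding in problems:
        print("problem:", finding)
    print("peering conflicts:", peering_conflicts({
        "wbc-prod": "10.0.0.0/16", "wbc-dev": "10.1.0.0/16", "partner": "10.0.128.0/17",
    }))
```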

Configuring VPC Peering


AWS VPC Access


VPN Types



AWS Direct Connect


Virtual Interfaces

Direct Connect can be partitioned into multiple virtual interfaces (VIF)


  • Public connectivity to S3, EC2 and DynamoDB
  • Private connectivity to VPC


Direct Connect

AWS VPN CloudHub


Summary

  • VPC peering
  • VPN access types
  • Direct connect

Understanding and Using Elastic Cloud Compute (EC2)

EC2 Instance Types

  • On-demand:
    • - Low cost and flexibility with no up front cost
    • - Ideal for auto scaling groups and unpredictable workloads
    • - Dev/test
  • Reserved Instances:
    • - Steady state and predictable usage
    • - Applications that need reserved capacity
    • - Upfront payments reduce hourly rate
    • - Scheduled RIs match your capacity reservation to a predictable recurring schedule
  • Spot:
    • - Flexible start and end times
    • - Grid computing and HPC
    • - Very low hourly compute cost
  • Dedicated:
    • - Predictable performance
    • - Complete isolation
    • - Most expensive

EC2 Instance Family


Create EC2 instances

Standard Reserved Instances Attributes


Scheduled Reserved Instances Attributes


  • Accrue charges hourly, billed in monthly increments over the term
    • Have a 1 year term commitment

Modifying Your RIs

Switch Availability Zones within the same region

Change the instance size within the same instance type

Instance type modifications are supported only for Linux. Due to licensing differences, Linux RIs cannot be modified to Red Hat or SUSE

You cannot change the instance size of Windows Reserved Instances


Modification Requests


High Performance Computing (HPC)

  • HPC used by oil & gas, pharmaceuticals, research, automotive, and other industries
  • Batch processing of compute intensive workloads
  • Requires high performance CPU, network, and storage
  • Jumbo Frames are typically required
    • - HPC workloads typically need access to a shared filesystem, and will use a lot of disk I/O

Jumbo Frames

  • Help significantly because they can carry up to 9000 bytes of data
  • Supported on AWS through enhanced networking
    • - Enhanced networking is enabled through single root I/O virtualization (SR-IOV) on supported instances
    • - Enhanced networking is only supported on Hardware Virtualization (HVM) instances. Not supported on paravirtualized (PV) instances

Jumbo Frames

  • Enabling Enhanced Networking on Linux Instances in a VPC:
    • http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enhanced-networking.html
  • Enabling Enhanced Networking on Windows Instances in a VPC:
    • http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/enhanced-networking.html

Placement Groups

    • A logical grouping of instances in a single availability zone (AZ)
    • Can’t span multiple availability zones
    • Name must be unique across AWS account
    • Recommended for applications that benefit from low latency, high bandwidth or both
    • Only instances that support enhanced networking can be launched into a placement group (C3, C4, D2, I2, M4, E3)

    • Existing instances cannot be moved into a placement group
    • Placement groups cannot be merged
    • Can span peered VPCs but you will not get full-bisection bandwidth between instances
    • Reserved instances are supported on an instance level but you cannot explicitly reserve capacity for a placement group

Placement Groups

  • Placement Groups and supported instances:
    • http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html

Summary

  • EC2 instance types
  • EC2 reserved instances
  • High performance computing
  • Placement groups

Understanding and Configuring Load Balancers

Elastic Load Balancer


Classic LB Characteristics

    • Region wide load balancer
    • Can be used internally or externally
    • Layer 4 and Layer 7
    • SSL termination and processing
    • Cookie-based sticky session
    • Integrates with Auto Scaling
    • ELB EC2 health checks / CloudWatch
    • Integrates with Route 53

Classic LB Characteristics

    • Supported ports:
      • - 25 (SMTP)
      • - 80/443 (HTTP/HTTPS)
      • - 1024-65535
    • Does not support EIP
    • Supports domain Zone Apex
    • Supports IPv4 and IPv6

Classic LB Characteristics

    • Integrates with CloudTrail for log security analysis
    • Multiple SSL certificates require multiple ELBs
    • Wildcard certificates are supported

Configuring the classic load balancer

ALB Characteristics

    • Layer 7 only
    • Content-based routing
    • Support for microservices and containers
    • Integrates with ECS
    • Better performance for real-time streaming
    • Reduced hourly cost
    • Deletion protection
    • Better health checks and CloudWatch metrics

Comparing ELB and ALB


Listeners


Target Groups


Rules

Improved Health Checks


Cost


Summary

  • Classic LB
  • Application Load Balancer

Understanding and Configuring Auto Scaling

Auto Scaling Features


Auto Scaling Components


Summary

  • Auto Scaling Features
  • Auto Scaling Components
  • Configuring Auto Scaling

Understanding Elastic Block Store (EBS) and Elastic File System (EFS)

Instance Storage Types

Amazon EBS

    • Does not need to be attached to an instance
    • Cannot be attached to more than one instance at the same time
    • Can be transferred between Availability Zones
    • EBS volume data is replicated across multiple servers in an Availability Zone
    • Encryption of EBS data volumes, boot volumes and snapshots
    • Designed for an annual failure rate (AFR) of between 0.1% - 0.2% and an SLA of 99.95%

EBS SSD Volume Types


EBS HDD Volume Types


Increasing IOPS Performance

    • Multiple striped gp2 or standard volumes (typically RAID 0)
    • Multiple striped PIOPS volumes (typically RAID 0)
    • Function of the guest OS

EBS–Optimized Instances

    • Dedicated capacity for Amazon EBS I/O
    • EBS-optimized instances are designed for use with all EBS volume types
    • Max bandwidth: 400 Mbps–12,000 Mbps
    • IOPS: 3,000–65,000
      • http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSOptimized.html
    • GP-SSD within 10% of baseline and burst performance 99.9% of the time
    • PIOPS within 10% of provisioned performance 99.9% of the time
    • Additional hourly fee (Amazon EC2 pricing page)
      • http://aws.amazon.com/ec2/pricing/#EBS-Optimized_Instances

EBS Snapshots Characteristics

    • Point-in-time snapshots
    • Supports incremental snapshots
    • Billed only for the changed blocks
    • Deleting a snapshot removes only the data not needed by any other snapshot
    • EBS leverages S3 for snapshot storage

EBS Snapshots Features

    • Resizing EBS volumes
    • Sharing EBS snapshots
    • Copying EBS snapshots across regions
    • Lazy loading

Amazon EFS

    • Simple, petabytes scalable file storage for use with EC2 instances
    • EFS file systems are elastic, and automatically grow and shrink as you add and remove files
    • Stored redundantly across multiple AZs
    • 1 to 1000s of EC2 instances, from multiple AZs, concurrently
    • Big Data and analytics, media processing workflows, content management, web serving, home directories
    • By default, you can create up to 10 file systems per AWS account per region
    • Supports NFS 4.1
    • On-premises access enabled via Direct Connect

Summary

    • Instance storage types
    • EBS characteristics
    • EBS volume types
    • EBS-optimized instances
    • Amazon EFS

Understanding and Configuring Amazon S3 and CloudFront

Storage and Archive


Amazon S3 Storage Classes


Amazon S3


Amazon S3 Features


Securing Amazon S3

Amazon Glacier


AWS Storage Gateway

Suggested Reading

    • AWS Storage Options:
      • https://media.amazonwebservices.com/AWS_Storage_Options.pdf

CloudFront

    • Used to deliver an entire website using a global network of edge locations
      • - Dynamic, static, streaming, interactive
    • Requests for content are automatically routed to the nearest edge location for best possible performance
    • Optimized to work with other Amazon Web Services
      • - Amazon S3
      • - Amazon EC2
      • - Amazon Elastic Load Balancing
      • - Amazon Route 53

CloudFront Characteristics


Summary

    • Amazon S3
    • Securing S3
    • Amazon Glacier
    • AWS Storage Gateway
    • Amazon CloudFront

Understanding AWS Relational Database Services (RDS)

RDS Characteristics

    • Database engine managed by AWS
    • MySQL, Oracle, Microsoft SQL, PostgreSQL, MariaDB, or Amazon Aurora
    • Multi-AZ deployment options
    • On-demand and reserved instance pricing
    • Magnetic, GP-SSD, or PIOPS
    • Oracle and Microsoft SQL licensing:
      • - Included Licenses
      • - Bring your own licensing
    • Automated or manual backups

RDS Automated Backups

    • Continuously tracks changes and backs up your DB
    • Volume snapshot of your entire DB instance, not just DBs
    • One day of backups retained by default but can be configured up to 35 days
    • Backup retention period defined during configuration
    • When you delete an RDS instance, all automated snapshots are deleted
      • - Manual snapshots are preserved
    • Automated backups occur daily during a 30 minute configurable backup window
    • Automated backups are preserved for a configurable number of days (retention period)

RDS Restore

    • You cannot restore from a DB snapshot to an existing DB instance
      • - A new DB instance is created when you restore
    • Only default DB parameters and security groups are restored
      • - You must manually associate all other DB parameters and SGs
    • RDS combines daily backups in conjunction with transaction logs to restore the DB Instance to any point during the retention period
    • Up to the last five minutes

Multi-AZ Failover

    • Multi-AZ RDS deployment designed for HA
    • Synchronous replica in secondary AZ
    • Standby replica RDS instance is invisible
    • DB snapshots always taken against standby instance
    • AWS automatically adjusts DNS record when needed
    • Multi-AZ is different from an RDS read replica

RDS Read Replicas

    • Read replicas designed for workload sharing / offloading
    • Created from a snapshot of the master instance
    • Asynchronous replication / Read-only connections
    • Read-only disaster recovery

RDS Reserved Instances


    • Move between AZs in the same Region
    • Are available for Multi-AZ deployments
    • Can be applied to Read Replicas provided the DB Instance class and Region are the same

Creating an RDS instance

Windows Integrated Authentication

    • Choose one of the AWS offered directory services
    • Establish a trust relationship
    • Windows integrated authentication only works with a domain created using AWS directory service
    • Alternatively, you can use SQL authentication

Summary

    • RDS characteristics
    • Multi-AZ failover
    • RDS read replicas
    • RDS reserved instances

Understanding Amazon DynamoDB and Redshift

Amazon DynamoDB

    • Fully managed, highly available and scalable NoSQL
    • Automatically and synchronously replicates data across three Availability Zones
    • SSDs and limiting indexing on attributes provide high throughput and low latency
    • ElastiCache can be used in front of DynamoDB
      • - Offload high amounts of reads for non-frequently changed data
    • Ideal for existing or new applications that need:
      • - Flexible NoSQL database with low read and write latencies
      • - Ability to scale storage and throughput up or down as needed without code changes or downtime

Non-ideal DynamoDB Scenarios


DynamoDB Integration


Amazon DynamoDB

    • Stores structured data in tables, indexed by a primary key
    • Tables are a collection of items and Items are made up of attributes (columns)
    • Primary key can be:
      • - Single-attribute hash key
      • - Composite hash-range key

DynamoDB Features


Two Ways to Search

ElastiCache

  • Open-source in-memory caching engines
    • - Memcached
      • Widely adopted memory object caching system
    • - Redis
      • Popular open-source in-memory key-value store
      • Supports data structures such as sorted sets and lists
  • Master / Slave replication and Multi-AZ
    • - Can be used to achieve cross AZ redundancy

Memcached vs. Redis


Suggested Reading

    • Performance at Scale with Amazon ElastiCache:
      • https://d0.awsstatic.com/whitepapers/performance-at-scale-with-amazon-elasticache.pdf

Amazon Redshift

    • Fast and fully managed petabyte-scale relational data warehouse service
    • Analyze all your data using your existing business intelligence tools
    • HDD and SSD Platforms
    • Starts at $0.25/hour
    • Scale to $1,000/TB/Year

Amazon Redshift Architecture

  • Leader Node
    • - Simple SQL end point
    • - Stores metadata
    • - Optimizes query plan
    • - Coordinates query execution
  • Compute Nodes
    • - Local columnar storage
    • - Parallel/distributed execution of all queries, loads, backups, restores, resizes

Backup and Fault Tolerance

  • Continuous/incremental backups
    • - Multiple copies within cluster
    • - Continuous and incremental backups to S3
    • - Continuous and incremental backups across regions
    • - Streaming restore
  • Fault tolerance
    • - Disk failures
    • - Node failures
    • - Network failures
    • - Availability Zone/Region level disasters

Security

    • Load encrypted from S3
    • SSL to secure data in transit
    • Amazon VPC for network isolation
    • Encryption to secure data at rest
    • Audit logging and AWS CloudTrail integration
    • SOC 1/2/3, PCI-DSS, FedRAMP, BAA

Summary

    • Amazon DynamoDB
    • Amazon Redshift

Understanding AWS Security

    • Secret locations
    • Controlled physical access
    • Best in class datacenter security
    • Video surveillance
    • Hardware refresh cycle to avoid component failure
    • Properly decommissioned storage
    • Always on monitoring system

Security Certifications and Compliance


Shared Security Responsibility

  • AWS Responsibility
    • Virtual host security
    • Storage security
    • Network security
    • Data center security
    • Database security
  • Our Responsibility
    • AWS account security (MFA, API)
    • Operating system
    • Database
    • Applications
    • Data encryption
    • Authentication
    • Network integrity

Security Methods and Connectivity


Identity and Access Management (IAM)


Users, Groups, Roles, and Policies


Summary

    • Physical Access
    • Security Certification
    • Shared Responsibility
    • Security Capabilities
    • IAM

Understanding Amazon Route 53

    • AWS SysOps / AWS Fundamentals courses
    • TCP 53 / UDP 53
    • Worldwide distributed DNS
    • Database of name to IP mappings
    • Route 53 has a 100% SLA uptime
    • Route 53 API
    • Server health checks
    • Public Hosted Zone
    • Private Hosted Zone for Amazon VPC
    • You can extend on-premises DNS to Amazon VPC
    • You cannot extend Route 53 to on-premises instances
    • Cannot automatically register EC2 instances with private hosted zones

DNS Record Types


Routing Policies


Single (Simple)

    • You can associate an A record with one or more IP addresses
    • Single simply does round robin routing policies among several IP addresses
    • Single does not support any health checks

Weighted

    • Very similar to single but you can specify a weight per IP address
    • Weight represents a numerical value that favors one IP address over another

Latency

    • AWS will maintain a database of latencies from different parts of the world
    • Based on the table that AWS maintains, the user is routed to the lowest latency server

Failover

    • Failover allows you to failover to a secondary IP address
    • Failover is associated with health checks

Geolocation

    • Caters to different users in different countries and different languages
    • Contains users within a particular geography and offers them a customized version of the workload that caters to their specific needs

Explore Route 53

Summary

    • Route 53 overview
    • Public Hosted Zones
    • Private Hosted Zone

Understanding AWS Monitoring


CloudTrail

A web service that records AWS API calls for your account and delivers log files to you

Recorded Information Includes


CloudTrail

  • Is not enabled by default
  • Can be enabled on a per region basis

CloudTrail

  • A history of API calls for your AWS account
  • API history enables security analysis, resource change tracking, and compliance auditing
  • Logs API calls made via:
    • - AWS Management Console
    • - AWS SDKs
    • - Command line tools
    • - Higher-level AWS services (such as AWS CloudFormation)

CloudWatch

A monitoring service for AWS cloud resources and the applications you run on AWS


CloudWatch

  • Monitor AWS resources such as:
    • - Amazon EC2 instances
    • - Amazon DynamoDB tables
    • - Amazon RDS DB instances
    • - Custom metrics generated by your applications and services
    • - Any log files your applications generate
  • Gain system-wide visibility into resource utilization
  • Application performance
  • Operational health

CloudWatch Logs

    • By default, CloudWatch Logs will store your log data indefinitely
    • Alarm history is stored for 14 days
    • CloudTrail logs can be sent to CloudWatch Logs for real-time monitoring
    • CloudWatch Logs metric filters can evaluate CloudTrail logs for specific terms, phrases, or values
    • You can assign CloudWatch metrics to the metric filters
    • You can create CloudWatch alarms
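
The chain described above (CloudTrail events delivered to CloudWatch Logs, metric filters matching terms or values, alarms on the resulting metrics) can be followed offline. This is an added example, not part of the original slides: it is a Python emulation of three metric filters with the equivalent JSON filter pattern shown in a comment beside each, and the metric names, thresholds and log events are constructed.

```python
import json
from collections import Counter
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed sample events in CloudTrail record shape (one JSON object per line).
SAMPLE_LOG = """\
{"eventTime":"2024-01-01T10:00:05Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"}}
{"eventTime":"2024-01-01T10:01:10Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","errorCode":"Client.UnauthorizedOperation","userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"}}
{"eventTime":"2024-01-01T10:02:00Z","eventSource":"s3.amazonaws.com","eventName":"PutBucketPolicy","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"}}
{"eventTime":"2024-01-01T10:03:30Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"}}
{"eventTime":"2024-01-01T10:07:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Success"},"userIdentity":{"arn":"arn:aws:iam::111122223333:user/carol"}}
{"eventTime":"2024-01-01T10:08:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","additionalEventData":{"MFAUsed":"Yes"},"responseElements":{"ConsoleLogin":"Success"},"userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"}}
{"eventTime":"2024-01-01T10:09:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"arn":"arn:aws:iam::111122223333:user/carol"}}
"""


def field(event, selector, default=""):
    """Resolve a '$.a.b' selector against a parsed event; missing fields give default."""
    node = event
    for key in selector.lstrip("$.").split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


# Hypothetical metric names mapped to predicates; the comment is the filter pattern.
METRIC_FILTERS = {
    # { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
    "UnauthorizedApiCalls": lambda e: (
        fnmatchcase(field(e, "$.errorCode"), "*UnauthorizedOperation")
        or fnmatchcase(field(e, "$.errorCode"), "AccessDenied*")),
    # { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }
    "ConsoleLoginWithoutMfa": lambda e: (
        field(e, "$.eventName") == "ConsoleLogin"
        and field(e, "$.additionalEventData.MFAUsed") != "Yes"),
    # { ($.eventName = "StopLogging") || ($.eventName = "DeleteTrail") }
    "CloudTrailDisabled": lambda e: field(e, "$.eventName") in ("StopLogging", "DeleteTrail"),
}

# Constructed alarm thresholds: matches per period at which the alarm fires.
THRESHOLDS = {"UnauthorizedApiCalls": 3, "ConsoleLoginWithoutMfa": 1, "CloudTrailDisabled": 1}


def metric_datapoints(log_text, period_seconds=300):
    """Count filter matches per period, keyed by (metric name, period start)."""
    points = Counter()
    for line in filter(str.strip, log_text.splitlines()):
        event = json.loads(line)
        when = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        epoch = int(when.replace(tzinfo=timezone.utc).timestamp())
        start = datetime.fromtimestamp(epoch // period_seconds * period_seconds, timezone.utc)
        for name, matches in METRIC_FILTERS.items():
            if matches(event):
                points[(name, start.strftime("%Y-%m-%dT%H:%M:%SZ"))] += 1
    return points


def alarms(points, thresholds):
    """Metrics whose count in any single period reaches the threshold."""
    return sorted({name for (name, _), n in points.items() if n >= thresholds.get(name, 1)})


if __name__ == "__main__":
    datapoints = metric_datapoints(SAMPLE_LOG)
    for (name, period), count in sorted(datapoints.items()):
        print(f"{period}  {name:24} {count}")
    print("ALARM:", ", ".join(alarms(datapoints, THRESHOLDS)))
```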

Storing Logs


Monitoring

    • Do not store logs on non-persistent disks:
      • - EC2 instances root volume
      • - Ephemeral storage
    • Best practice is to store logs in CloudWatch Logs or S3
    • CloudTrail can be used across multiple AWS accounts while being pointed to a single S3 bucket (requires cross account access)
    • CloudWatch Logs subscription can be used across multiple AWS accounts (requires cross account access)

Trusted Advisor

A service that helps you reduce cost, increase performance, and improve security by optimizing your AWS environment. It also provides real time guidance to help you provision your resources following AWS best practices

    • Automated AWS account audits
      • Cost
      • Performance
      • Security
      • Fault Tolerance
    • Paid version expands number of areas audited

Summary

    • CloudTrail
    • CloudWatch
    • Trusted Advisor

Additional AWS Services

Kinesis Streams

Enables you to build custom applications that process or analyze streaming data for specialized needs. It can continuously capture and store TB of data per hour from thousands of sources such as website clickstreams, financial transactions, social media feeds, IT logs, and location-tracking events.


By default data is stored for 24 hours, but can be increased to 7 days

Streams Terminology


Producers

Shards

    • A uniquely identified group of data records in a stream
    • A stream is composed of one or more shards, each of which provides a fixed unit of capacity
    • Can support up to 5 transactions per second for reads
    • Max total data read rate of 2 MB/s
    • Up to 1,000 records per second for writes
    • Max total data write rate of 1 MB/s (including partition keys)

If your data rate increases, add more shards to increase the size of your stream. Remove shards if the data rate decreases.

Partition Keys

    • Used to group data by shard within a stream
    • Stream service segregates data records belonging to a stream into multiple shards
    • Use partition keys associated with each data record to determine which shard a given data record belongs to
    • Specified by the applications putting the data into a stream

Sequence Number

Data Blobs

The data your producer adds to a stream. The maximum size of a data blob (the data payload after Base64-decoding) is 1 megabyte (MB).

Consumers

Consumers get records from Amazon Kinesis Streams and process them. These consumers are known as Amazon Kinesis Streams Applications.

AWS CloudFormation

Gives developers and systems administrators an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion.

Supported Services

    • Virtual Private Cloud (VPC)
    • Auto Scaling
    • Elastic Compute Cloud (EC2)
    • Elastic Load Balancer (ELB)
    • Identity and Access Management (IAM)
    • Route 53
    • Amazon S3
    • CloudWatch
    • Relational Database Service
    • DynamoDB
    • CloudFront
    • CloudTrail
    • Elastic Beanstalk
    • Amazon ElastiCache
    • Simple Notification Service (SNS)
    • Simple Queue Service (SQS)
    • Amazon Kinesis
    • AWS OpsWorks
    • Amazon Redshift
    • Amazon SimpleDB

Templates and Stacks

Templates

Templates are architectural designs

You can create, update and delete templates

CloudFormation templates are written in JSON

Stacks

Stacks are deployed resources based on templates

You can create, update and delete stacks using templates

Templates

    • You don’t need to figure out the order for provisioning AWS services
    • You don’t need to worry about making dependencies work
    • Modify and update templates in a controlled and predictable way
      • - In effect applying version control
    • Visualize your templates as diagrams and edit them using a drag-and-drop interface with the AWS CloudFormation Designer

Deploying Stacks


Template Elements


AWS Elastic Beanstalk

A service for deploying and scaling web applications and services. Upload your code and Elastic Beanstalk automatically handles the deployment, from capacity provisioning, load balancing, auto-scaling to application health monitoring.

Elastic Beanstalk Overview

    • Integrates with VPC
    • Integrates with IAM
    • Can provision RDS instances
    • Full control of resources
    • Code is stored in S3
    • Multiple environments are supported to enable versioning
    • Changes from Git repositories are replicated
    • Linux and Windows 2008 R2 AMI support
    • Deploy code using a WAR file or Git repository
    • Use AWS toolkit for Visual Studio and AWS Toolkit for Eclipse to deploy to Elastic Beanstalk
    • Elastic Beanstalk is fault tolerant within a single region (not FT between regions)
    • By default your applications are publicly accessible

Elastic Beanstalk Management


AWS OpsWorks

A configuration management service that helps you automate operational tasks like software configurations, package installations, database setups, server scaling, and code deployment using Chef.

What Is Chef?

    • Automation platform that transforms infrastructure into code
    • Automates how applications are configured, deployed, and managed across your network
    • Chef server stores your recipes and configuration data
    • Chef client (node) is installed on each server

OpsWorks Components

    • Use the AWS Management Console
    • Consists of two elements: Stack and Layers
    • Stacks are containers of resources (EC2, RDS, ELB) that you want to manage collectively
    • Every Stack contains one or more layers:
      • - Web application layer
      • - Database layer
    • Layers automate the deployment of packages for you

Summary

    • Kinesis Streams
    • CloudFormation
    • Elastic Beanstalk
    • OpsWorks

Questions?


FIN

THANKS!