AWS – Keywords

In progress…

 

Region – 12
Availability Zone – 33
Edge Locations – 56
(counts as of when these notes were written; all three have grown since)

Placement Group: keeps multiple instances together in a single AZ for workloads that need low latency and high throughput (10 Gbps network between the instances)

ASG

ELB

Route53
  ELBs do not have pre-defined IPv4 addresses; you resolve to them using a DNS name.
  Difference between an Alias record and a CNAME: an Alias record can point at an AWS resource (such as an ELB) even at the zone apex, and Route53 does not charge for alias queries; a CNAME cannot be used at the zone apex.
  DNS runs on port 53, hence the name: Route53 is a DNS service.
  Route53 Routing Policies:
  Simple -> single web server scenarios.
  Weighted -> lets you split traffic based on different weights assigned to each record.
  Latency -> routes traffic to the region with the lowest network latency for the end user (i.e. the region that gives them the fastest response time).
  Failover -> used when you want to create an active/passive setup; Route53 health-checks the primary and fails over to the secondary.
  GeoLocation -> lets you choose where traffic is sent based on the geographic location of your users (e.g. instances serving the local language).

EC2
  Pricing models for EC2:
    On Demand
    Reserved
    Spot -> if you terminate a Spot instance you pay for the usage; if AWS terminates it (the spot price rises above your bid), you are not charged for that partial hour
    Dedicated
  Instance types (mnemonic: Dr MC GIFT PX):
    D – dense storage (file servers), R – memory optimised, M – general purpose application servers, C – compute optimised, G – graphics intensive, I – high-speed storage (high IOPS), F – field-programmable gate array (FPGA), T – low-cost general purpose, P – GPU for graphics and general-purpose compute, X – extreme memory optimised
  EBS: Elastic Block Store
    SSD – General Purpose (gp2): up to 10,000 IOPS per volume (the limit at the time of these notes)
    SSD – Provisioned IOPS (io1): for workloads needing more than 10,000 IOPS
    HDD – Throughput Optimised (st1): frequently accessed, throughput-intensive workloads; cannot be a root volume, data volumes only
    HDD – Cold (sc1): less frequently accessed data; cannot be a root volume, data volumes only
    HDD – Magnetic (standard): cheap, infrequently accessed storage (previous generation)

    One EBS volume could not be attached to more than one EC2 instance when these notes were written (Multi-Attach for io1/io2 came later); for a shared file system use EFS.
  Volumes vs Snapshots
    Volumes exist on EBS
    Snapshots are stored in S3 (managed by AWS, not visible in your own buckets)

Monitoring:
   Standard monitoring: 5 min
   Detailed monitoring: 1 min
   CloudWatch is performance monitoring (dashboards, alarms, events & logs)
   CloudTrail is for auditing API calls
Roles:
   Roles are more secure than a long-lived access key and secret access key baked into the instance: the instance picks up short-lived credentials from the metadata service and they rotate automatically. When these notes were written a role could only be attached to an already-running instance from the CLI/API (aws ec2 associate-iam-instance-profile), not the console.
   IAM (and therefore roles) is global, not regional.
Instance metadata: curl http://169.254.169.254/latest/meta-data/ (note the hyphen in meta-data). Anything that can make an HTTP request from the instance, including an SSRF bug in your web app, can read it, and the role credentials live under iam/security-credentials/<role-name>. IMDSv2 mitigates this by requiring a session token obtained with a PUT request before any GET is answered.
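How the IMDSv2 token dance protects the role credentials mentioned above, as an added example (not from the original notes or from AWS): the real service answers at http://169.254.169.254, and with IMDSv2 a caller must first PUT /latest/api/token with an X-aws-ec2-metadata-token-ttl-seconds header, then send the returned token in X-aws-ec2-metadata-token on every GET. The server below is a constructed local mock of that behaviour so the client logic runs offline; the role name, instance ID, credential values and document paths are made up.

```python
"""IMDSv2-style metadata fetch against a constructed local mock of the service."""
import json
import secrets
import socketserver
import threading
from http.server import BaseHTTPRequestHandler
from urllib import error, request

TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"

# Constructed documents standing in for what a real instance would return.
FAKE_DOCUMENTS = {
    "/latest/meta-data/instance-id": "i-0123456789abcdef0",
    "/latest/meta-data/iam/security-credentials/web-role": json.dumps(
        {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "example", "Token": "example"}
    ),
}


class MockImdsHandler(BaseHTTPRequestHandler):
    issued_tokens = set()   # class-level store shared by all requests to the mock

    def do_PUT(self):
        # Token issuance: only a PUT to the token path with the TTL header gets a session token.
        if self.path == "/latest/api/token" and self.headers.get(TOKEN_TTL_HEADER):
            token = secrets.token_urlsafe(32)
            self.issued_tokens.add(token)
            self._reply(200, token)
        else:
            self._reply(400, "bad request")

    def do_GET(self):
        # IMDSv2-only mode: every GET must carry a previously issued token.
        if self.headers.get(TOKEN_HEADER) not in self.issued_tokens:
            self._reply(401, "unauthorized")
        elif self.path in FAKE_DOCUMENTS:
            self._reply(200, FAKE_DOCUMENTS[self.path])
        else:
            self._reply(404, "not found")

    def _reply(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):   # keep the mock quiet
        pass


def start_mock_imds():
    """Bind the mock on a free localhost port and serve it from a background thread."""
    server = socketserver.TCPServer(("127.0.0.1", 0), MockImdsHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def get_token(base_url, ttl_seconds=21600):
    """IMDSv2 step 1: PUT for a session token (TTL up to six hours)."""
    req = request.Request(f"{base_url}/latest/api/token", method="PUT",
                          headers={TOKEN_TTL_HEADER: str(ttl_seconds)})
    with request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def fetch_metadata(base_url, path, token=None):
    """IMDSv2 step 2: GET with the token. token=None models an IMDSv1-style GET,
    e.g. one forged through an SSRF bug. Returns (status, body)."""
    headers = {TOKEN_HEADER: token} if token else {}
    req = request.Request(f"{base_url}{path}", headers=headers)
    try:
        with request.urlopen(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except error.HTTPError as exc:
        return exc.code, exc.read().decode()


def demo():
    """Returns (status of the token-less GET, (status, body) with a token, AccessKeyId from the role doc)."""
    server, base = start_mock_imds()
    try:
        no_token = fetch_metadata(base, "/latest/meta-data/instance-id")
        token = get_token(base)
        with_token = fetch_metadata(base, "/latest/meta-data/instance-id", token)
        creds = fetch_metadata(base, "/latest/meta-data/iam/security-credentials/web-role", token)
        return no_token[0], with_token, json.loads(creds[1])["AccessKeyId"]
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

The token-less GET is refused with 401 while the same path succeeds once a PUT-issued token is presented; that PUT step is the one a typical GET-only SSRF cannot perform, which is why enforcing IMDSv2 on the instance is the practical check to make here.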
EFS (Elastic File System) 
Lambda: serverless compute service; you upload your code and create a Lambda function that runs in response to events, with no servers to manage.


S3

IAM

AMI

Database
  RDS – OLTP (Online Transaction Processing)
   Engines: SQL Server, Oracle, MySQL, PostgreSQL, Aurora, MariaDB
  Non-relational database:
   DynamoDB (document and key-value based)
    Collection = table, Document = row, Key-value pairs = fields
  ElastiCache is a web service that makes it easy to deploy, operate, and scale an in-memory cache in the cloud. ElastiCache supports two open-source in-memory caching engines:
   – Memcached
   – Redis
  DMS (Database Migration Service): lets you migrate your production database to AWS.
  Backups: automated backups and database snapshots
  Multi-AZ RDS is for disaster recovery only, not for improving performance. For performance, use read replicas.
  Read Replica: for performance improvement/scaling. Read replicas give you a read-only copy of your production DB, kept up to date by asynchronous replication from the primary RDS instance.
    – Automated backups must be turned on to deploy a read replica.
    – You can have up to 5 read replicas of any database.
    – You can have read replicas of read replicas.
    – Each read replica has its own DNS endpoint.
    – A read replica could not itself be Multi-AZ when these notes were written.
  DynamoDB:
    – Supports both document and key-value data models
    – Stored on SSD storage
    – Stored across 3 geographically distinct facilities
    – Eventually consistent reads (default): all copies usually agree within about a second of a write
    – Strongly consistent reads: return the result reflecting every write acknowledged before the read
RedShift – OLAP (Online Analytical Processing)
    – Single node
    – Multi-node configuration
       . Leader node (1)
       . Compute nodes (up to 128)
Aurora:
    – Amazon's MySQL-compatible relational engine. Two copies of your data are kept in each Availability Zone across a minimum of 3 AZs, i.e. 6 copies in total.
    – Transparently handles the loss of up to two copies of data without affecting write availability and up to three copies without affecting read availability.
    – Self-healing storage.
    – Two replica types: Aurora Replicas (up to 15) and MySQL Read Replicas (up to 5).

VPC Virtual Private Cloud
   – A VPC is a logical data center in AWS; it consists of Internet Gateways (IGWs) or Virtual Private Gateways (for VPN), route tables, Network Access Control Lists, subnets and security groups.
   – 1 subnet = 1 Availability Zone (a subnet never spans AZs)
   – Security groups are stateful
   – Network Access Control Lists are stateless
   – No transitive peering (if VPC A <-> VPC B and VPC B <-> VPC C are peered, A still cannot reach C through B)
 What you can do with a VPC?
   – Launch instances into a subnet of your choosing
   – Assign custom IP address ranges in each subnet
   – Configure route tables between subnets
   – Create an internet gateway and attach it to your VPC
   – Much better security control over your AWS resources
   – Instance security groups
   – Subnet network access control lists (ACLs)

Points to Remember:
  – When you create a custom VPC, it creates a default security group, route table and network ACL; it does not create subnets or gateways.
  – One Internet Gateway (IGW) per VPC
  – To allow ping, permit ICMP in the security group
  NAT instances (2016)
  – A NAT instance is an EC2 instance that gives private-subnet instances outbound access via the IGW.
  – When creating a NAT instance, disable the Source/Destination Check on the instance
  – The NAT instance must be in a public subnet.
  – There must be a route out of the private subnet to the NAT instance for this to work
  – NAT instances sit behind security groups (you patch them, size them and make them highly available yourself)
  NAT Gateways
  – Scale automatically up to 10 Gbps (figure at the time of these notes)
  – Use a public (Elastic) IP address
  – You need to update your route tables to point at the gateway
  – No need to disable Source/Destination checks, and no security groups to manage

 Network Access Control Lists vs Security Groups (NACLs vs SGs)
  SG – Operates at the instance level (1st layer of defence)
     – Supports allow rules only
     – Is stateful: return traffic is automatically allowed regardless of any rules
     – Evaluates all rules before deciding whether to allow traffic
     – Applies to an instance only if someone specifies the security group when launching the instance or associates it with the instance later on

  Network ACL – Operates at the subnet level (2nd layer of defence)
     – Supports allow rules and deny rules
     – Is stateless: return traffic must be explicitly allowed by rules
     – Processes rules in number order when deciding whether to allow traffic
     – Automatically applies to all instances in the subnet it is associated with (backup layer of defence, so you don't have to rely on someone specifying the security group)
     – Custom network ACL: inbound and outbound denied until you add rules
     – Default network ACL: inbound and outbound allowed
     – One subnet = one AZ = one network ACL association at a time
     – Because it is stateless, return traffic only flows if you allow the ephemeral port range (1024-65535) in the opposite direction to the request
     – Rules are evaluated in ascending order and the first match wins; on conflict the lower-numbered rule takes effect (rule 99 beats rule 100)

 *Network ACLs
 1. Your VPC automatically comes with a default network ACL and by default it allows all inbound and outbound traffic.
 2. You can create a custom network ACL. By default, each custom network ACL denies all inbound and outbound traffic until you add rules.
 3. Each subnet in your VPC must be associated with a network ACL. If you don't explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.
 4. You can associate a network ACL with multiple subnets; however, a subnet can be associated with only one network ACL at a time. When you associate a new network ACL with a subnet, the previous association is removed.
 5. A network ACL has separate inbound and outbound rules, and each rule can either allow or deny traffic.
 6. Network ACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa).
 7. Block IP addresses using network ACLs, not security groups (security groups have no deny rules).
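The stateless-versus-stateful distinction and the "lowest rule number wins" ordering above are easy to get wrong in a real subnet, so here is an added example (not from the original notes or from AWS) that models them: a tiny evaluator that judges a TCP request and its reply against ordered NACL rules (first match in number order wins, unmatched traffic is denied) and against an allow-only, stateful security group. The rule sets and the TEST-NET addresses are constructed; the semantics are a simplified model of what the notes describe, not the AWS implementation.

```python
"""Simplified model of NACL (stateless, ordered allow/deny) vs security group (stateful, allow-only)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluation order; lower numbers are checked first
    cidr: str        # remote range: source for inbound rules, destination for outbound
    ports: tuple     # (low, high) inclusive destination-port range
    action: str      # "allow" or "deny"


def nacl_decision(rules, remote_ip, dst_port):
    """First matching rule in number order wins; no match falls through to the implicit '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        low, high = rule.ports
        if ip_address(remote_ip) in ip_network(rule.cidr) and low <= dst_port <= high:
            return rule.action
    return "deny"


def nacl_exchange(inbound, outbound, client_ip, client_port, server_port):
    """Stateless: the request (client -> server_port) and the reply (server -> client_port)
    are judged independently against the inbound and outbound rule sets."""
    request = nacl_decision(inbound, client_ip, server_port)
    reply = nacl_decision(outbound, client_ip, client_port)
    return request, reply


def sg_exchange(allow_rules, client_ip, server_port):
    """Stateful, allow-only: if any rule permits the request, the reply is allowed automatically."""
    for cidr, (low, high) in allow_rules:
        if ip_address(client_ip) in ip_network(cidr) and low <= server_port <= high:
            return "allow", "allow"
    return "deny", "deny"


# Constructed rule sets for a public web subnet (addresses are documentation ranges).
INBOUND = [
    NaclRule(100, "0.0.0.0/0", (80, 80), "allow"),
    NaclRule(99, "203.0.113.7/32", (0, 65535), "deny"),  # blocks one abusive host; 99 < 100 so it wins
]
OUTBOUND_MISSING_EPHEMERAL = [
    NaclRule(100, "0.0.0.0/0", (80, 80), "allow"),        # only lets the server *initiate* to port 80
]
OUTBOUND_WITH_EPHEMERAL = OUTBOUND_MISSING_EPHEMERAL + [
    NaclRule(110, "0.0.0.0/0", (1024, 65535), "allow"),   # replies to clients' ephemeral ports
]
SG_WEB = [("0.0.0.0/0", (80, 80))]


if __name__ == "__main__":
    client, ephemeral = "198.51.100.5", 49152
    print("NACL, no ephemeral rule:", nacl_exchange(INBOUND, OUTBOUND_MISSING_EPHEMERAL, client, ephemeral, 80))
    print("NACL, with ephemeral rule:", nacl_exchange(INBOUND, OUTBOUND_WITH_EPHEMERAL, client, ephemeral, 80))
    print("NACL, blocked host:", nacl_exchange(INBOUND, OUTBOUND_WITH_EPHEMERAL, "203.0.113.7", ephemeral, 80))
    print("SG, stateful:", sg_exchange(SG_WEB, client, 80))
```

Without the outbound 1024-65535 rule the request is allowed in but the reply is dropped, which is the classic "the NACL let the SYN through but the page never loads" symptom; the deny at rule 99 fires before the broad allow at 100 only because of its lower number, so renumbering it to 101 would silently disable the block.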
 
VPC ELB setup: You will need to select a subnet for each Availability Zone where you wish traffic to be routed by your load balancer. If you have instances in only one Availability Zone, select at least two subnets in different Availability Zones to provide higher availability for your load balancer.

NAT vs Bastion servers:
A NAT is used to give EC2 instances in private subnets outbound access to the internet (for updates and the like) without exposing them to inbound connections.
A Bastion is used to securely administer EC2 instances (using SSH or RDP) in private subnets; it is a hardened jump box in a public subnet.

VPC Flow Logs: Flow logs capture information about the IP traffic (accepted and rejected flows) going to and from network interfaces in your VPC, delivered to CloudWatch Logs for analysis.

Application Section:

SQS – is a web service that gives you access to a message queue that can be used to store messages while waiting for a consumer to process them.
Amazon SQS is a distributed queue system that enables web service applications to quickly and reliably queue messages that one component in the application generates to be consumed by another component.
1. Messages can contain up to 256 KB of text in any format.
2. Standard queues do not guarantee ordering (FIFO queues, added to SQS later, do).
3. Consumers poll the queue asynchronously for messages.
4. Visibility timeout: a received message is hidden from other consumers until it is deleted or the timeout expires (default 30 seconds, maximum 12 hours); if it is not deleted in time it is delivered again.
5. No FIFO in a standard queue (see 2).
6. Amazon SQS is engineered to provide "at least once" delivery of all messages in its queues, so consumers must be idempotent.
7. Billed per request in 64 KB chunks (a 256 KB message counts as 4 requests).
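What "visibility timeout" and "at least once" mean for the code that consumes the queue, as an added example (not from the original notes or from AWS): a tiny in-memory model of a standard queue that reproduces the behaviours listed above (hiding a received message until it is deleted or the timeout expires, redelivering it otherwise, no ordering promise, the 256 KB limit and 64 KB billing chunks) plus a consumer that survives redelivery by remembering message IDs. Times are passed in explicitly rather than read from the clock so runs are deterministic; message bodies are constructed sample data.

```python
"""In-memory model of an SQS standard queue's visibility timeout and at-least-once delivery."""
import math
import random
import uuid

MAX_MESSAGE_BYTES = 256 * 1024
BILLING_CHUNK_BYTES = 64 * 1024
MAX_VISIBILITY_TIMEOUT = 12 * 60 * 60   # 12 hours is the maximum; the default is 30 seconds


def billable_requests(body: bytes) -> int:
    """Each 64 KB chunk of a payload (or part of one) counts as one billed request."""
    return max(1, math.ceil(len(body) / BILLING_CHUNK_BYTES))


class StandardQueue:
    def __init__(self, visibility_timeout=30, seed=0):
        if not 0 <= visibility_timeout <= MAX_VISIBILITY_TIMEOUT:
            raise ValueError("visibility timeout must be between 0 and 43200 seconds")
        self.visibility_timeout = visibility_timeout
        self._messages = {}                 # message_id -> (body, time it becomes visible again)
        self._rng = random.Random(seed)     # standard queues make no ordering promise

    def send(self, body: bytes, now: float) -> str:
        if len(body) > MAX_MESSAGE_BYTES:
            raise ValueError("message exceeds the 256 KB limit")
        message_id = str(uuid.uuid4())
        self._messages[message_id] = (body, now)    # visible immediately
        return message_id

    def receive(self, now: float, max_messages: int = 1):
        """Return currently visible messages and hide them until now + visibility_timeout.
        A message that is not deleted before then is delivered again: 'at least once'."""
        visible = [m for m, (_, visible_at) in self._messages.items() if visible_at <= now]
        self._rng.shuffle(visible)
        delivered = []
        for message_id in visible[:max_messages]:
            body, _ = self._messages[message_id]
            self._messages[message_id] = (body, now + self.visibility_timeout)
            delivered.append((message_id, body))
        return delivered

    def delete(self, message_id: str) -> None:
        self._messages.pop(message_id, None)


def process_idempotently(queue, handler, now, seen_ids):
    """Consumer that survives redelivery: skip message IDs already handled, then delete."""
    handled = 0
    for message_id, body in queue.receive(now, max_messages=10):
        if message_id not in seen_ids:
            handler(body)
            seen_ids.add(message_id)
            handled += 1
        queue.delete(message_id)          # only now is the message gone for good
    return handled


def oversized_rejected(queue, size: int, now: float = 0) -> bool:
    """True if the queue refuses a body of `size` bytes."""
    try:
        queue.send(b"x" * size, now)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    q = StandardQueue(visibility_timeout=30)
    q.send(b"order-1", now=0)
    first = q.receive(now=1)       # consumer A gets it, then crashes before deleting
    hidden = q.receive(now=10)     # nothing visible while the timeout runs
    again = q.receive(now=31)      # same message, same ID, delivered a second time
    print(first, hidden, again)
    print("billed requests for a 200 KB body:", billable_requests(b"x" * (200 * 1024)))
```

The "crash after processing but before delete" path is the one that bites in production: the work has been done once, the message comes back after the timeout, and only a consumer that tracks what it has already handled (here by message ID; in a real system by a durable business key) avoids doing it twice.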

SWF (Simple Workflow Service) is a web service that makes it easy to coordinate work across distributed application components.

SQS vs SWF:
 – SQS has a maximum retention period of 14 days; SWF keeps workflow executions for up to 1 year (12 months).
 – SQS offers a message-oriented API whereas SWF presents a task-oriented API.
 – SWF ensures that a task is assigned only once and never duplicated; with SQS you must handle duplicate messages yourself.

 SWF Actors
   Workflow Starters – an application that can initiate a workflow
   Deciders – control the flow of activity tasks in a workflow; when a task finishes (or fails) a Decider decides what to do next
   Activity Workers – carry out the activity tasks

SNS (Simple Notification Service) – is a web service that makes it easy to set up, operate, and send notifications from the cloud. SNS is a push messaging system. Messages are stored redundantly across multiple AZs.
Create an SNS topic and assign subscribers
 – Instantaneous, push-based delivery (no polling)
 – Flexible message delivery over multiple transport protocols
 SNS Subscribers – HTTP, HTTPS, Email, Email-JSON, SQS, Application (mobile push), Lambda

SQS vs SNS
– SNS – push
– SQS – poll (pull)

Elastic Transcoder: media transcoder in the cloud. Converts media files from their original source format into different formats that will play on smartphones, tablets, PCs, etc.

API Gateway
1. API Gateway has caching capabilities to increase performance.
2. API Gateway is low cost and scales automatically.
3. You can throttle API Gateway (per-stage and per-method limits) to protect your backend from traffic spikes and denial-of-service attempts.
4. You can log results to CloudWatch.
5. If you are using JavaScript/AJAX that calls API Gateway from a different domain, ensure that you have enabled CORS on API Gateway.


Kinesis
  Streaming data – data that is generated continuously by thousands of data sources, which typically send records simultaneously and in small sizes (logs, clickstreams, telemetry, etc.).
  Amazon Kinesis is a platform on AWS to send your streaming data to. Kinesis makes it easy to load and analyze streaming data, and also lets you build your own custom applications for your business needs.
  Core Kinesis services:
   1) Kinesis Streams
     – Stores records for 24 hours by default; retention could be increased to 7 days at the time of these notes. Data is stored in shards, and the total capacity of the stream is the sum of the shards configured for it.
   2) Kinesis Firehose
   3) Kinesis Analytics

#!/bin/bash
# Bootstrap script for the WordPress web tier (lab script from these notes, cleaned up so it runs unattended)
yum update -y
yum install httpd php php-mysql stress -y

# Keep a copy of the Apache config, then allow .htaccess overrides so WordPress URL rewriting works
cd /etc/httpd/conf
cp httpd.conf httpd-bk.conf
sed -i 's/AllowOverride None/AllowOverride All/g' httpd.conf

# Health-check page for the load balancer
cd /var/www/html
echo healthy > healthy.html

# Install WordPress into the web root
wget https://wordpress.org/latest.tar.gz
tar -xzf latest.tar.gz
cp -r wordpress/* /var/www/html/
rm -rf wordpress latest.tar.gz
chmod -R 755 wp-content
chown -R apache:apache wp-content
service httpd start
chkconfig httpd on

# Copy the site to S3 and back (the instance role needs s3 list/get/put permissions on these buckets)
aws s3 ls
aws s3 cp --recursive /var/www/html s3://wordpresscode16acloudguru
aws s3 ls wordpresscode16acloudguru
aws s3 cp --recursive s3://wordpresscode16acloudguru /var/www/html
aws s3 sync /var/www/html/wp-content/uploads/ s3://wordpressmedia16acloudguru --delete --dryrun
aws s3 sync /var/www/html/wp-content/uploads/ s3://wordpressmedia16acloudguru --delete

# The .htaccess comes from a third-party bucket: read its contents before copying it into the web root
wget https://s3-eu-west-1.amazonaws.com/acloudguru/config/htaccess
cp htaccess .htaccess

# Add to /etc/crontab (system crontab format: minute hour day month weekday user command)
*/2 * * * * root aws s3 sync --delete /var/www/html/wp-content/uploads/ s3://wordpressmedia16acloudguru/
*/2 * * * * root aws s3 sync --delete /var/www/html/ s3://wordpresscode16acloudguru/
*/3 * * * * root aws s3 sync --delete s3://wordpresscode16acloudguru/ /var/www/html/

# Generate CPU load to trigger the Auto Scaling alarm
stress --cpu 100

CloudFormation: templated provisioning for (most) AWS services, a way to bootstrap an entire environment from a template.


AWS 12 regions (at the time of these notes)
– 1 region -> multiple AZs
– Access is authorized on a "least privilege" basis
– IaaS
AWS protects against DDoS, man-in-the-middle attacks (MITM), IP spoofing, port scanning and packet sniffing by other tenants
Trusted Advisor inspects your AWS environment and makes recommendations when opportunities may exist to save money, improve system performance, or close security gaps

Different instances running on the same physical machine are isolated from each other by the Xen hypervisor. In addition, the AWS firewall resides within the hypervisor layer, between the physical network interface and the instance's virtual interface.
Guest operating system: everything inside the instance (OS patching, hardening, accounts) is the customer's responsibility.
Elastic Load Balancing – SSL termination on the load balancer is supported.
Direct Connect – bypass Internet service providers in your network path.
Storage Gateway – a service that connects an on-premises software appliance with cloud-based storage to provide seamless and secure integration between an organization's on-premises and AWS storage infrastructure.
1. gateway-cached volumes: primary data in S3, frequently accessed data cached locally
2. gateway-stored volumes: primary data kept on-premises, asynchronously backed up to AWS as EBS snapshots

Implement Elasticity
1. Proactive Cyclic Scaling : periodic scaling that occurs at fixed interval(daily, weekly, monthly, quaterly)
2. Proactive Event-based Scaling: scale on events like Black Friday
3. Auto-Scaling based on demand


Elastic Beanstalk automatically handles the deployment, from capacity provisioning, load balancing and auto scaling to application health monitoring, based on the code you upload to it, whereas CloudFormation is an automated provisioning engine designed to deploy entire cloud environments from a JSON template.


General Design Principles
– Stop guessing about your capacity needs
– Test systems at production scale
– Lower the risk of architecture change
– Automate to make architectural experimentation easier
– Allow for evolutionary architectures

Well-Architected Framework – 4 pillars (at the time of these notes; an Operational Excellence pillar was added later)
– Security
– Reliability
– Performance Efficiency
– Cost Optimisation

Security:

  Design Principles:
    – Apply security at all layers
    – Enable traceability
    – Automate responses to security events
    – Focus on securing your system
    – Automate security best practices (centerforinternetsecurity.com)
    AWS Shared Responsibility Model:
    – Customer is responsible for security "in" the cloud: data, guest OS patching, applications and IAM, network and firewall configuration (security groups, NACLs), encryption of data at rest and in transit
    – AWS is responsible for security "of" the cloud: the compute, storage, database and networking services and the physical regions, AZs and edge locations

  Definition: security in the cloud consists of 4 areas
    – Data protection
       . encryption at rest and in transit (TLS/SSL)
       . logging
       . versioning
       . AWS doesn't move your data between regions unless you do so yourself
    – Privilege management
       . IAM
       . ACLs (Access Control Lists)
       . Role-based access control
       . Password management (such as password rotation policies)
       . MFA
    – Infrastructure protection
       . RFID, security guards, CCTV (physical controls, provided by AWS)
       . VPC (security groups, subnets, etc.)
    – Detective controls
       . AWS CloudTrail
       . AWS CloudWatch
       . AWS Config
       . Amazon S3 and Glacier (durable storage for the logs these produce)

Reliability:
   Design Principles:
    – Test recovery procedures
    – Automatically recover from failures
    – Scale horizontally to increase aggregate system availability
    – Stop guessing capacity
   Definition: 3 areas
    – Foundations -> IAM, VPC
    – Change management -> CloudTrail
    – Failure management -> AWS CloudFormation

Performance Efficiency Pillar:
   Design Principles:
    – Democratize advanced technologies (consume new technologies as a service)
    – Go global in minutes
    – Use serverless architectures
    – Experiment more often
   Definition
    – Compute – Auto Scaling
    – Storage – EBS, S3, Glacier; choose by:
      -> Access method – block, file or object
      -> Patterns of access – random or sequential
      -> Throughput required
      -> Frequency of access – online, offline or archival
      -> Frequency of update – dynamic or WORM (write once, read many)
      -> Availability constraints
      -> Durability constraints
    – Database – RDS, DynamoDB, RedShift
    – Space-time trade-off – CloudFront, ElastiCache, Direct Connect, RDS Read Replicas etc.

Cost Optimization:

  Design Principles:
    – Transparently attribute expenditure
    – Use managed services to reduce cost of ownership
    – Trade capital expense for operating expense
    – Benefit from economies of scale
    – Stop spending money on data center operations

  Definition:
    – Matched supply and demand – Auto Scaling
    – Cost-effective resources – EC2 (reserved instances), AWS Trusted Advisor
    – Expenditure awareness – CloudWatch alarms, SNS
    – Optimizing over time – AWS Blog, AWS Trusted Advisor


     


 
