Javi

AWS: Facts

Oct 11th, 2017
# AWS Updated facts

A Region is a copy of the AWS technology placed in a concrete geographic location
Criteria to choose one: pricing, latency, regulations, available services
Each AZ is one of the datacenters of a region (actually, a group of datacenters with independent power and networking)
We use multiple AZs to achieve High Availability
The EC2 SLA only applies if the deployment spans multiple AZs
Create resilient systems because *potentially* everything fails all the time
You pay for what you use (or reserve), so trying a new idea and failing is not expensive
Decouple everything to scale horizontally
Be creative and find new ways to get the work done
AWS takes care of the physical security (the shared responsibility model). The customer takes care of the rest: OS patching, network configuration, IAM, data

Don't use your root (master) account on a daily basis; create IAM users and lock the root credentials away
Create several accounts to isolate resources and use consolidated billing
Use multifactor (device based) authentication, on the root account first
Security groups mark resources with a shared port security configuration (a virtual firewall applied per network interface)
They are enforced at hypervisor level, outside the guest OS, so a compromised instance cannot switch them off
Security groups can be chained (a rule can name another security group as its source instead of a CIDR) to increase the protection
Security groups only contain allow rules and are stateful: inbound or outbound traffic not explicitly allowed is dropped, and replies to allowed traffic are let through. Explicit deny rules need a network ACL, which is stateless and applies at subnet level

VPC is a network configuration: an isolated virtual network with its own address range
The VPC address range can be increased with secondary CIDR ranges
A subnet is a subset of your VPC and it's attached to a single AZ
Each subnet is associated with exactly one Route table (the VPC's main route table by default)
Every EC2 instance in the VPC can reach the rest of the instances in the same VPC through the local route, as long as security groups and network ACLs allow it
An IGW is a virtual device that connects a VPC to the internet
If a subnet doesn't have a route to the IGW, the instances on it cannot access the internet
Most AWS services can only be used through their public endpoints (S3 & DynamoDB also have VPC gateway endpoints), so...
A subnet without IGW routing will need a NAT instance (or a NAT gateway) to upgrade the OS or to call AWS APIs
AWS Storage Gateway provides a way to extend on-premises storage to the cloud
AWS Virtual Private Gateway provides a way to bridge a VPC with an on-premises LAN over an IPsec VPN
An Elastic IP is a static public IP with its own life cycle and it's scoped to a region
An Elastic Network Interface is a network card with its own life cycle and it's attached to a subnet (and therefore to one AZ)
An ENI can be moved between instances in the same AZ; an EIP can be associated with any ENI in the same region

Access key/secret key are the credentials used to call an AWS API (they sign each request; the secret key is never sent over the wire)
A user can have two ak/sk pairs simultaneously assigned (to allow rotation without downtime)
Multi Factor Authentication should be used to improve the security
A User is a physical person or a single application; you can create user groups to share a set of policies
A Role is an identity with policies but no long-term credentials; one use is to give temporary credentials directly to an EC2 instance (instance profile)
A Role can also provide credentials to a user of another account (cross-account access)
A user/group/role should have at least one permission policy attached, and by default has no permissions at all
A policy is a set of statements that grant or deny access to a group of operations (actions)
A statement can restrict itself to a subset of resources (ARNs)
A statement can require additional conditions (source IPs, MFA present, SSL/TLS, etc.) to grant access
An explicit Deny always wins over an Allow; anything not allowed by some statement is implicitly denied
The policy simulator is an important tool to check the correctness of a policy before attaching it
First login to an EC2 Linux instance uses an SSH key pair (public/private) to authenticate the user
A key pair is an operating system (SSH) concept, not an AWS concept; AWS only stores the public key and hands it to the instance through the metadata service at first boot
The AWS Console is just another application
Username and password for the user are a concept of that application
RDS databases are just another application-level resource with their own user realms (database users are not IAM users)
The STS creates new temporary credentials dynamically
Those credentials can be used to allow direct access to AWS from the end users (f.e.: uploading to S3 from a browser or a mobile app)
AWS supports web identity federation (social login) provided by Amazon.com (not AWS), Google and Facebook
  56.  
Direct Connect is a service that provides a dedicated point-to-point connection to AWS (not over the internet)
Direct Connect is provided to the final customer by AWS ISP partners at Direct Connect locations
Route 53 allows criteria-based record resolution (notably routing policies based on latency, weight and geolocation), combined with health checks
The Route 53 infrastructure is located on the edge locations
  61.  
It is possible to assign an ELB DNS name as an Alias record of the zone apex (a CNAME is not allowed at the apex, an Alias record is)
ELB is a managed load balancing proxy: the Classic ELB works at layer 4 (TCP) or layer 7 (HTTP/HTTPS); the Application Load Balancer is layer 7 and the Network Load Balancer is layer 4
Scales automatically to handle the traffic
HTTP health checks supported (TCP health checks as well)
Easily integrated with the autoscaling group service
Several 1m granularity metrics provided for free (request count, latency, etc)
Not suitable for a huge amount of unexpected traffic (huge spikes) without pre-warming, because the ELB itself scales gradually
Idle connections are closed after the idle timeout (60 seconds by default, configurable)
  71.  
CloudFront nodes are located at edge locations
CF supports live streaming
CloudWatch provides both 5m (basic) and 1m (detailed, additional cost) metrics
It works at hypervisor level, so it cannot see inside the guest (you can add custom metrics like free memory or disk usage using a simple agent)
Provides a mechanism to create alarms on a metric threshold
Alarms publish to SNS topics, which can deliver several types of notifications: mail, mobile push, http request, SQS and SMS (in the USA at the time)
Beanstalk provides a way to automatically create the infrastructure needed to deploy an application
Most platforms supported directly or by using Docker
  80.  
CloudFormation templates are parametrizable in order to adapt the same stack to different regions, sizes, etc
Your infrastructure can be versioned using git/svn (infrastructure as code)!
To run an autoscaled infrastructure most tasks need to be automated (CloudFormation, OpsWorks, Puppet, Chef, Beanstalk, scripts...)
Highly coupled or stateful components don't scale (see http://microservices.io/patterns/microservices.html)
Scale horizontally, be happy
It is possible to create a custom AMI from a snapshot in order to reduce the boot time by baking in the most stable part of the stack
The user data parameter allows finishing the configuration of the instance at boot (it is readable by every process on the instance, so never put secrets in it)
The metadata service (http://169.254.169.254) can be used to make the instances self-configured; it also serves the temporary credentials of the instance role, so any process on the instance, including a server-side request forgery, can read them
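
The credential exposure on the metadata line above is the reason any code on the instance that fetches attacker-controlled URLs (webhooks, image proxies, link previews) needs an egress check before it connects. The following is an added example, not part of the original notes and not AWS code; the resolver hook, `make_static_resolver`, and the sample hostnames and addresses are constructed for the example.

```python
"""Guard for server-side URL fetchers: refuse targets that could reach the
EC2 metadata service (169.254.169.254 / fd00:ec2::254) or any other
non-public address, since IMDS hands the instance role's credentials to
whoever can send it a GET.

Added example, not AWS code. Sample hosts/addresses are constructed.
In production resolve with socket.getaddrinfo, check every returned
address, and connect to the checked address (not the name again) so a
DNS rebinding cannot swap in 169.254.169.254 after the check."""
import ipaddress
from urllib.parse import urlsplit

# Both IMDS endpoints already fall inside the link-local / unique-local
# checks below; listing them keeps the intent explicit.
IMDS_ADDRESSES = {ipaddress.ip_address("169.254.169.254"),
                  ipaddress.ip_address("fd00:ec2::254")}


def is_blocked_address(addr):
    """True for anything that is not plain public unicast."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped      # ::ffff:169.254.169.254 -> 169.254.169.254
    return (addr in IMDS_ADDRESSES or addr.is_link_local or addr.is_loopback
            or addr.is_private or addr.is_multicast or addr.is_reserved
            or addr.is_unspecified)


def resolve_literal_only(host):
    """Default resolver: IP literals only, no DNS. Decimal or hex forms such
    as http://2852039166/ (169.254.169.254 as one integer) are not parsed
    here, so they fail closed."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return []


def make_static_resolver(table):
    """Resolver built from a constructed {hostname: [ip, ...]} table (offline use)."""
    return lambda host: [ipaddress.ip_address(ip) for ip in table.get(host, [])]


def is_safe_fetch_target(url, resolve=resolve_literal_only):
    """True only if url is http(s) and every address its host maps to is
    public; an unresolvable host is rejected (fail closed)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname            # lowercased, IPv6 brackets stripped
    if not host:
        return False
    addresses = resolve(host)
    if not addresses:
        return False
    return not any(is_blocked_address(a) for a in addresses)


if __name__ == "__main__":
    for u in ["http://169.254.169.254/latest/meta-data/iam/security-credentials/",
              "http://[::ffff:169.254.169.254]/latest/meta-data/",
              "http://2852039166/latest/meta-data/",
              "http://93.184.216.34/status"]:
        print(f"{u:66} safe={is_safe_fetch_target(u)}")
```

This check sits in front of the fetch, not instead of instance hardening: on current EC2 instances the metadata service can be configured to require IMDSv2 (a session token obtained with a PUT before any GET), which a typical SSRF gadget cannot perform, and its hop limit can be kept at 1 so containers on the host cannot reach it at all.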
  89.  
An autoscaling group will try to keep a desired number of instances running, replacing the ones that fail their health check
All the instances of an autoscaling group share the configuration indicated by the Launch Configuration (AMI, instance type, security groups, user data)
The number of desired instances can be changed at any time by executing autoscaling policies
An ASP can be scheduled to run at a determined time
A CW Alarm can trigger an ASP
An ASG can be integrated with an ELB to register the new instances and use its health check
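
The CloudFormation facts (parametrized, versioned templates) and the autoscaling facts above (launch configuration, desired capacity, scaling policy fired by a CloudWatch alarm, ELB health check) fit together in one stack. The following builds that stack as an added example, not code from the original notes or from AWS: the template structure and property names are CloudFormation's, while the resource names (`WebElb`, `WebAsg`, `ScaleOut`, ...), the parameter defaults and the shell user data are constructed placeholders. `check_references` is a small lint, also added here, that catches a dangling `Ref` or `Fn::GetAtt` before the template is submitted.

```python
"""Build a parametrized CloudFormation stack (classic ELB + launch
configuration + autoscaling group + CPU alarm -> scale-out policy) and lint
its intrinsic references. Added example; resource names, defaults and user
data are constructed placeholders."""
import json


def build_template(min_size=2, max_size=6):
    asg_ref = {"Ref": "WebAsg"}
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {   # same template, different region/size: only these change
            "AmiId": {"Type": "AWS::EC2::Image::Id"},
            "InstanceType": {"Type": "String", "Default": "t2.micro"},
            "SubnetIds": {"Type": "List<AWS::EC2::Subnet::Id>"},   # one subnet per AZ
            "WebSecurityGroup": {"Type": "AWS::EC2::SecurityGroup::Id"},
        },
        "Resources": {
            "WebElb": {
                "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
                "Properties": {
                    "Subnets": {"Ref": "SubnetIds"},
                    "SecurityGroups": [{"Ref": "WebSecurityGroup"}],
                    "Listeners": [{"LoadBalancerPort": "80", "InstancePort": "80",
                                   "Protocol": "HTTP"}],
                    "HealthCheck": {"Target": "HTTP:80/health", "Interval": "10",
                                    "Timeout": "5", "HealthyThreshold": "2",
                                    "UnhealthyThreshold": "3"}}},
            "WebLaunchConfig": {
                "Type": "AWS::AutoScaling::LaunchConfiguration",
                "Properties": {
                    "ImageId": {"Ref": "AmiId"},
                    "InstanceType": {"Ref": "InstanceType"},
                    "SecurityGroups": [{"Ref": "WebSecurityGroup"}],
                    # user data finishes the configuration at boot; it is
                    # readable by every process on the box, so no secrets here
                    "UserData": {"Fn::Base64": "#!/bin/bash\nsystemctl start nginx\n"}}},
            "WebAsg": {
                "Type": "AWS::AutoScaling::AutoScalingGroup",
                "Properties": {
                    "LaunchConfigurationName": {"Ref": "WebLaunchConfig"},
                    "VPCZoneIdentifier": {"Ref": "SubnetIds"},
                    "MinSize": str(min_size), "MaxSize": str(max_size),
                    "DesiredCapacity": str(min_size),
                    "LoadBalancerNames": [{"Ref": "WebElb"}],
                    "HealthCheckType": "ELB",   # replace instances the ELB marks unhealthy
                    "HealthCheckGracePeriod": 120}},
            "ScaleOut": {
                "Type": "AWS::AutoScaling::ScalingPolicy",
                "Properties": {"AutoScalingGroupName": asg_ref,
                               "AdjustmentType": "ChangeInCapacity",
                               "ScalingAdjustment": 1, "Cooldown": "300"}},
            "HighCpuAlarm": {   # the CW alarm that triggers the ASP
                "Type": "AWS::CloudWatch::Alarm",
                "Properties": {
                    "Namespace": "AWS/EC2", "MetricName": "CPUUtilization",
                    "Dimensions": [{"Name": "AutoScalingGroupName", "Value": asg_ref}],
                    "Statistic": "Average", "Period": 60, "EvaluationPeriods": 3,
                    "Threshold": 70, "ComparisonOperator": "GreaterThanThreshold",
                    "AlarmActions": [{"Ref": "ScaleOut"}]}},
        },
        "Outputs": {"ElbDnsName": {"Value": {"Fn::GetAtt": ["WebElb", "DNSName"]}}},
    }


def check_references(template):
    """Return dangling Ref / Fn::GetAtt targets (empty list = consistent)."""
    defined = set(template.get("Parameters", {})) | set(template["Resources"])
    pseudo = {"AWS::Region", "AWS::AccountId", "AWS::StackName", "AWS::NoValue"}
    problems = []

    def walk(node):
        if isinstance(node, dict):
            if list(node) == ["Ref"] and node["Ref"] not in defined | pseudo:
                problems.append("Ref " + node["Ref"])
            if list(node) == ["Fn::GetAtt"] and node["Fn::GetAtt"][0] not in template["Resources"]:
                problems.append("GetAtt " + node["Fn::GetAtt"][0])
            for v in node.values():
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)

    walk(template)
    return problems


if __name__ == "__main__":
    tpl = build_template()
    assert check_references(tpl) == []
    print(json.dumps(tpl, indent=2))   # commit this output, or the script, to git
```

The generator is what gets versioned; the JSON it emits is what CloudFormation receives, and the same script produces a 2-to-6 or a 10-to-40 instance stack from the two arguments.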
  96.  
Always avoid single points of failure and create resilient applications
On the cloud, Disaster Recovery is just another step in a High Availability architecture
It is possible to create multiregion deployments
EBS snapshots (stored on S3) are a very good incremental type of backup
An Elastic IP can be re-associated to redirect traffic to a new instance
R53 plays an important role in HA in order to redirect all the traffic to a different region (failover routing driven by health checks)
An autoscaling group of 1 desired instance is a good pattern to create a "poor man's HA solution"
CloudFormation templates can be considered a cold backup of the infrastructure
Main multiregion DR patterns: backup & restore, pilot light, low capacity clone (warm standby) and full capacity clone (multi-site)
  106.  
EBS is a network-based block storage device the user can format with any type of filesystem
EBS is replicated automatically within a single AZ; you need to create a snapshot to attach a clone in another AZ
Maximum allocated space per volume was 1TB when these notes were taken (raised to 16 TiB in 2014)
Classical (magnetic) EBS volumes provide a performance of about 100 IOPS
Several volumes can be attached to the same instance under a RAID 0 configuration in order to increase the IOPS
Provisioned IOPS is the mechanism to guarantee a performance of up to 20000 operations per second
Each IO operation can use up to 256KB
EBS-optimized instances have dedicated bandwidth for EBS traffic (separate from the instance's network traffic) and are needed to take full advantage of the PIOPS feature
The general purpose SSD volumes offer 3 IOPS per GB (up to 10000)
An SSD volume has credits to burst to 3000 IOPS
The final result of a snapshot will be stored in S3
Snapshots only need a small amount of time to be started; the filesystem should be quiesced at that moment (take a look at the fsfreeze command)
Custom AMIs can be created from a snapshot
Snapshots are also useful to change the size of a volume (by cloning it into a bigger one)
The snapshots are incremental and you pay only for what's needed
Several snapshots will increase the durability of the EBS volumes
The first snapshot of a 1TB volume can take hours to be completed
hs1.8xlarge provides 48TB of ephemeral (free!!) storage, which is lost when the instance stops
  125.  
S3 is an object storage system accessed over HTTP
Write once, read many
Eventually consistent operations due to its distributed nature (at the time: read-after-write consistency for new objects except in US Standard; overwrites and deletes eventually consistent)
99.999999999% durability (99.99% availability; Reduced Redundancy option available with 99.99% durability)
Region-wide service (but bucket names are global)
EBS snapshots are placed on S3
A bucket is a container for objects (equivalent to a disk unit letter on Windows)
The first 16 characters of the object key determine the partition (set of nodes) used to store it, so hot keys should not share a prefix
Glacier is a Write Once Read Rarely low (lowest) cost storage, with retrieval times of hours
Several fine-grained access policies available (IAM policies, bucket policies, ACLs)
S3 can be used as an HTTP server for static content
Each object can have an expiration/archiving-to-Glacier lifecycle policy
Multipart upload recommended for large objects (take a look at Tsunami UDP to increase performance)
Versioning keeps every version of a modified object, so an overwrite or a delete can be undone (a delete only adds a delete marker)
MFA Delete (a bucket versioning setting) or an IAM condition on aws:MultiFactorAuthPresent may be used to force Two Factor Authentication on delete operations
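
The IAM policy facts earlier on the page (grant/deny statements, resource subsets, conditions on IP, MFA and SSL, explicit Deny winning, the policy simulator) and the MFA-on-delete line just above share one evaluation logic. The following toy evaluator is an added example, not the AWS policy simulator and not code from the original notes; the policy document, the bucket ARN and the request contexts are constructed samples, and it deliberately covers only identity policies with a handful of condition operators.

```python
"""Toy evaluator for IAM policy logic: a statement applies only when its
Action, Resource and Condition all match the request; one matching explicit
Deny ends the evaluation; no matching statement means implicit deny.

Added example, not AWS code. Policies, ARNs and request contexts are
constructed. Left out on purpose: NotAction/NotResource, resource policies,
permission boundaries and SCPs."""
import fnmatch
import ipaddress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards are '*' (any run) and '?' (one character), as in fnmatch
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(condition, ctx):
    """True if every operator/key pair holds for ctx. A context key that is
    absent fails the condition, except under the ...IfExists operators."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual, expected = ctx.get(key), _as_list(expected)
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(expected[0]).lower():
                    return False
            elif operator == "BoolIfExists":
                # Requests signed with a long-term access key carry no
                # aws:MultiFactorAuthPresent key at all. IfExists treats the
                # missing key as a match, so "Deny unless MFA" still bites.
                if actual is not None and str(actual).lower() != str(expected[0]).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in expected:
                    return False
            elif operator in ("IpAddress", "NotIpAddress"):
                if actual is None:
                    return False
                inside = any(ipaddress.ip_address(actual) in ipaddress.ip_network(c, strict=False)
                             for c in expected)
                if inside != (operator == "IpAddress"):
                    return False
            else:
                raise ValueError("unsupported condition operator: " + operator)
    return True


def evaluate(policies, action, resource, ctx):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for st in _as_list(policy["Statement"]):
            if not _matches(st.get("Action", []), action):
                continue
            if not _matches(st.get("Resource", []), resource):
                continue
            if not _condition_ok(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "ExplicitDeny"    # a matching Deny beats every Allow
            decision = "Allow"
    return decision


BUCKET = "arn:aws:s3:::example-bucket"   # constructed sample ARN

# Constructed sample identity policy: full access to one bucket, but deletes
# need MFA, plaintext HTTP is refused, and nothing works outside the office range.
USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]},
    {"Effect": "Deny", "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
     "Resource": BUCKET + "/*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    {"Effect": "Deny", "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}},
]}

# Constructed request contexts: an MFA-backed STS session, and a plain access key
CTX_MFA_SESSION = {"aws:MultiFactorAuthPresent": "true",
                   "aws:SecureTransport": "true", "aws:SourceIp": "203.0.113.10"}
CTX_ACCESS_KEY = {"aws:SecureTransport": "true", "aws:SourceIp": "203.0.113.10"}


def check(action, resource, ctx):
    return evaluate([USER_POLICY], action, resource, ctx)


if __name__ == "__main__":
    obj = BUCKET + "/report.csv"
    for label, act, res, ctx in [
        ("get, MFA session", "s3:GetObject", obj, CTX_MFA_SESSION),
        ("delete, MFA session", "s3:DeleteObject", obj, CTX_MFA_SESSION),
        ("delete, plain access key", "s3:DeleteObject", obj, CTX_ACCESS_KEY),
        ("get over http", "s3:GetObject", obj, {**CTX_MFA_SESSION, "aws:SecureTransport": "false"}),
        ("get from outside office", "s3:GetObject", obj, {**CTX_MFA_SESSION, "aws:SourceIp": "198.51.100.7"}),
        ("other bucket", "s3:GetObject", "arn:aws:s3:::other-bucket/x", CTX_MFA_SESSION)]:
        print(f"{label:26} -> {check(act, res, ctx)}")
```

The `BoolIfExists` statement is the one worth copying: with a plain `Bool`, a request signed with a long-term access key has no `aws:MultiFactorAuthPresent` key at all, the condition evaluates false, the Deny never applies and the delete goes through. The real simulator additionally folds in resource policies, permission boundaries, SCPs and NotAction/NotResource, which this toy ignores.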
  141.  
SQS is a pull (poll) type queue where each message is delivered to a single consumer, easy to use
Messages can have a max size of 256KB
Messages that are received but not deleted (acknowledged) become visible again after the visibility timeout, so consumers must be idempotent
Messages in queue (ApproximateNumberOfMessagesVisible) is the most important metric for autoscaling SQS workers
SNS is a push type multicast (pub/sub) topic
SNS allows sending messages via mail, http/s, SMS, SQS and mobile push
  148.  
You pay (mostly) only for what you use, what you reserve, or for the extra hardware required by some services (IPsec VPN, CloudHSM)
CloudFormation, OpsWorks and Beanstalk are free (you pay for the resources they create)
Reserved instances have an upfront cost (100% in the case of the heavy use option)
Reserving is mostly a billing exercise: two machines with the same configuration (type, OS, AZ) running for 12 consecutive hours each day will receive the heavy discount if they are not running at the same time, because the reservation applies to whichever matching instance is running
It is possible to change the AZ of a reserved instance
There is a secondary market for reserved capacity (the Reserved Instance Marketplace)
Spot market is a very efficient way to reduce the cost of non-essential compute capacity (instances can be terminated when the spot price rises)