# AWS Updated facts
- A Region is a copy of the AWS technology stack deployed in a specific geographic location
- Criteria to choose one: pricing, latency, regulations, available services
- Each AZ is one of the datacenters of a region (actually, a group of datacenters)
- Multiple AZs are used to achieve High Availability
- The SLA of EC2 only applies if the deployment is spread over multiple AZs
- Create resilient systems because everything *potentially* fails all the time
- You pay for what you use (or reserve), so trying a new idea and failing is not expensive
- Decouple everything to scale horizontally
- Be creative and find new ways to get the work done
- AWS takes care of the physical security; the customer takes care of the rest
- Don't use your master account on a daily basis
- Create several master accounts to isolate resources and use consolidated billing
- Use multi-factor (device-based) authentication
- Security groups mark resources with a shared port-level security configuration
- They are enforced at hypervisor level
- Security groups can be chained to increase the protection
- Security groups can block incoming and outgoing traffic
- A VPC is a network configuration
- The VPC address range can be increased with secondary ranges
- A subnet is a subset of your VPC and is attached to an AZ
- Each subnet has at least one Route table
- Every EC2 instance in the VPC can access the rest of the instances in the same VPC
- An IGW is a virtual device that connects a VPC to the internet
- If a subnet doesn't have a route to the IGW, the instances in it cannot access the internet
- Most AWS services can only be used through their internet endpoints (except S3 & DynamoDB), so...
- A subnet without IGW routing will need a NAT instance to upgrade the OS or to access AWS APIs
- AWS Storage Gateway provides a way to extend on-premise storage to the cloud
- AWS Virtual Private Gateway provides a way to bridge a VPC with an on-premise LAN
- An Elastic IP is a static IP with its own life cycle and is tied to a region
- An Elastic Network Interface is a network card with its own life cycle and is attached to a subnet
- An EIP and an ENI can be attached to any subnet of the VPC
- Access key/secret key are the credentials used to call an AWS API
- A user can have two AK/SK pairs assigned simultaneously (to allow easier rotation)
- Multi-Factor Authentication should be used to improve security
- A User is a physical person; you can create user groups to share a configuration
- A Role is a way to give credentials directly to an EC2 instance
- A Role can also provide credentials to a user of another master account
- A user/group/role should have at least one permission policy attached
- A policy includes statements that grant/deny access to a group of operations
- A policy can restrict a statement to a subset of resources
- A statement can require additional conditions (IPs, MFA, SSL, etc.) to grant access
- The policy simulator is an important tool to check the correctness of a policy
- First login to an EC2 instance uses a key pair (public/private) to authenticate the user
- A key pair is an operating system concept, not an AWS concept
- The AWS Console is just another application
- A user's username and password are a concept of that application
- RDS assets are just another application-level resource with their own user realms
- STS creates new credentials dynamically
- Those credentials can be used to allow users direct access to AWS (e.g. S3)
- AWS supports social login provided by Amazon.com (not AWS), Google and Facebook
- Direct Connect is a service that provides a point-to-point connection to AWS
- Direct Connect is provided to the final customer by AWS ISP partners
- Route 53 allows criteria-based record resolution (notably based on latency, weight and location)
- Its infrastructure is located at the edge locations
- It is possible to assign an ELB identifier as an alias of an apex record
- Http health check supported
- ELB is a layer 4 load balancer proxy
- Scales automatically to handle the traffic
- Http health check supported
- Easily integrated with the autoscaling group service
- Several 1-minute-granularity metrics provided for free (request count, latency, etc.)
- Not suitable for managing a huge amount of unexpected traffic (huge spikes)
- TCP mode closes the connection after 1 (to 15) minutes of inactivity (configurable)
- CloudFront nodes are located at edge locations
- CF supports live streaming
- CloudWatch provides both 5-minute and 1-minute metrics (additional costs)
- It works at hypervisor level (you can add custom metrics like free memory using a simple agent)
- Provides a mechanism to create alarms
- Alarms can trigger several types of notifications: mail, mobile push, HTTP request, SQS and SMS (in the USA)
- Beanstalk provides a way to automatically create the infrastructure needed to deploy an application
- Most platforms supported directly or by using Docker
- CloudFormation templates are parameterizable in order to adapt the same stack to different regions, sizes, etc.
- Your infrastructure can be versioned using git/svn!
- To run an autoscaled infrastructure most tasks need to be automated (CF, OpsWorks, Puppet, Chef, Beanstalk, scripts...)
- Highly coupled or stateful components don't scale (see http://microservices.io/patterns/microservices.html)
- Scale horizontally, be happy
- It is possible to create a custom AMI from a snapshot in order to reduce the boot time by providing the most stable part of the stack
- The user data parameter allows to finish the configuration of the instance
- The metadata service (http://169.254.169.254) can be used to make the instances self configured
- An autoscaling group will try to have a desired number of instances
- All the instances of an autoscaling group will share the configuration indicated by the Launch Configuration
- The number of desired instances can be changed at any time by executing autoscaling policies
- An ASP can be scheduled to run at a given time
- A CW Alarm can trigger an ASP
- An ASG can be integrated with an ELB to register the new instances and use its health check
- Always avoid single point of failure and create resilient applications
- On the cloud Disaster Recovery is just another step in High Availability architecture
- It is possible to create multiregion deployments
- Snapshots on S3 are a very good incremental type of backup
- Elastic IP can be used to redirect traffic to a new instance
- R53 plays an important role on HA in order to redirect all the traffic to a different region
- An autoscaling group with 1 desired instance is a good pattern to create a "poor man's HA solution"
- CloudFormation can be considered a cold backup of the infrastructure
- Main multiregion DR patterns: backup & restore, pilot light, low capacity clone and full capacity clone
- EBS is a network-based block storage device that the user can format with any type of filesystem
- EBS is replicated automatically within a single AZ; you need to create a snapshot to attach a clone in another AZ
- Maximum allocated space per volume is 1TB
- Classical EBS volumes provide a performance of about 100 IOPS
- Several volumes can be attached to the same instance under a RAID 0 conf in order to increase the IOPS
- Provisioned IOPS is the mechanism to guarantee a performance of up to 20000 operations per second
- Each IO operation can use up to 256KB
- IO Optimized instances have a second ethernet card dedicated only to EBS traffic and are needed to take full advantage of the PIOPS feature
- SSD volumes offer 3 PIOPS per GB (up to 10000)
- An SSD volume has credits to burst to 3000 IOPS
- The final result of a snapshot will be stored in S3
- Snapshots only need a small amount of time to be started (take a look at the fsfreeze command)
- Custom AMIs can be created from a snapshot
- Snapshots are also useful to change the size of a volume (by cloning it into a bigger one)
- Snapshots are incremental and you pay only for what is needed
- Several snapshots will increase the durability of the EBS volumes
- The first snapshot of a 1TB volume can take hours to complete
- hs1.8xlarge provides 48TB of ephemeral (free!!) storage
- S3 is an object-oriented storage system based on HTTP
- Write once, read many
- Eventually consistent operations due to its distributed nature (get-after-post consistent, except in US Standard)
- 99.999999999% durability (99.99% availability, Reduced redundancy option available with 99.99% durability)
- Region wide service (bucket names are global)
- EBS Snapshots are placed on S3
- A bucket is a container for objects (equivalent to a disk unit letter on Windows)
- The first 16 characters of the object path determines the nodes used to store it
- Glacier is a Write Once Read Never low (lowest) cost storage
- Several fine grained access policies available
- S3 can be used as an HTTP server for static content
- Each object can have an expiration/archiving-to-Glacier policy
- Multipart upload recommended for large objects (take a look at Tsunami UDP to increase performance)
- Automatic versioning prevents deletion of modified objects
- IAM conditions may be used to force Two Factor Authentication on delete operations
- SQS is an easy-to-use, poll-based, unicast-only queue
- Messages can have a max size of 256 KB
- Unacknowledged messages become visible again in the queue
- The number of messages in the queue is the most important metric for autoscaling SQS workers
- SNS is a push-based multicast queue
- SNS can send messages via mail, HTTP/S, SMS, SQS and mobile push
- You pay (mostly) only for what you use, what you reserve, or the extra hardware required by some services (IPSec, HSM)
- CloudFormation, OpsWorks and Beanstalk are free
- Reserved instances have an upfront cost (100% in the case of the heavy use option)
- Reserving is mostly a billing exercise: two machines with the same configuration (type, OS, AZ) running for 12 consecutive hours each day will receive a heavy discount if they are not running at the same time
- It is possible to change the AZ of a reserved instance
- There is a secondary market for reserved capacity
- The spot market is a very efficient way to reduce the cost of non-essential compute capacity
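The IAM policy bullets above (statements that grant access to a subset of resources under conditions such as MFA, checked with the policy simulator) and the note on forcing MFA for S3 delete operations, as an added example that is not from the original page: a constructed policy document for a hypothetical `example-bucket` and a deliberately simplified evaluator that models only the `Bool` condition operator and the deny/allow/implicit-deny ordering, not the full IAM engine.

```python
import fnmatch

# Constructed sample policy (added example, not from the page): reads and writes
# on one bucket are always allowed, deletes only when the request context shows
# the caller authenticated with MFA (the aws:MultiFactorAuthPresent key).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadWrite", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DeleteOnlyWithMFA", "Effect": "Allow",
         "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, context):
    # Simplified: only the Bool operator is modelled. A key absent from the
    # request context fails the condition, which is IAM's Bool behaviour.
    for key, expected in condition.get("Bool", {}).items():
        actual = context.get(key)
        if actual is None or str(actual).lower() != str(expected).lower():
            return False
    return True

def _statement_matches(stmt, action, resource, context):
    # Action and Resource accept the IAM '*' wildcard; fnmatch covers that case.
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition", {}), context))

def evaluate(policy, action, resource, context=None):
    # Toy simulator: an explicit Deny wins, then a matching Allow, otherwise
    # the request is implicitly denied (the default for anything unlisted).
    context = context or {}
    matching = [s for s in policy["Statement"]
                if _statement_matches(s, action, resource, context)]
    if any(s["Effect"] == "Deny" for s in matching):
        return "explicit deny"
    if any(s["Effect"] == "Allow" for s in matching):
        return "allow"
    return "implicit deny"
```

Calling `evaluate(POLICY, "s3:DeleteObject", obj)` with an empty context yields an implicit deny, and the same call with `{"aws:MultiFactorAuthPresent": "true"}` yields an allow; a `Deny` statement added to the policy overrides both.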