awscerttips.files.wordpress.com …  · Web viewContents. AWS – Amazon Web Services4. 1Basics4....


Contents

- AWS – Amazon Web Services (page 4)
- 1 Basics (page 4)
  - 1.1 Regions (page 5)
  - 2.1 Availability Zone (page 5)
  - 3.1 SDK Support (page 5)
- 2 Web Services Overview (page 5)
  - 4.1 Networking & Content Delivery (page 5)
  - 5.1 Compute (page 5)
  - 6.1 Storage (page 6)
  - 7.1 Databases (page 6)
  - 8.1 Migration (page 6)
  - 9.1 Analytics (page 6)
  - 10.1 Security and Identity (page 6)
  - 11.1 Management Tools (page 6)
  - 12.1 Application Services (page 7)
  - 13.1 Developer Tools (page 7)
  - 14.1 Mobile Services (page 7)
  - 15.1 Business Productivity (page 7)
  - 16.1 IoT (page 7)
  - 17.1 Desktop & App Streaming (page 7)
  - 18.1 Artificial Intelligence (page 7)
  - 19.1 Messaging (page 7)
- 3 IAM - Identity & Access Management (page 8)
  - 20.1 STS (Security Token Services) (page 8)
  - 21.1 Identity Federation (page 9)
- 4 EC2 (Elastic Compute Cloud) (page 10)
  - 22.1 Pricing options (page 10)
  - 23.1 EC2 Instance Types (page 11)
  - 24.1 EBS (Elastic Block Storage) (page 11)
  - 25.1 Elastic IP Address (page 11)
  - 26.1 EBS Volume Types (page 11)
  - 27.1 EC2 Lab (page 12)
  - 28.1 Security Groups (page 12)
  - 29.1 Upgrading EBS Volume (page 12)
  - 30.1 EFS (Elastic File System) (page 13)
  - 31.1 AWS CLI Command (page 13)
  - 32.1 Bash Scripting (page 14)
  - 33.1 Instance Meta Data (page 14)
  - 34.1 Serverless Computing (page 14)
  - 35.1 Lambda – Serverless Computing (page 14)
  - 36.1 Elastic Load Balancers (page 15)
  - 37.1 SDK Exam Tips (page 16)
  - 38.1 Volume vs Snapshots (page 16)
  - 39.1 EBS vs Instance Store (page 16)
- 5 S3 - Simple Storage Service (page 17)
  - 40.1 Data Consistency (page 17)
  - 41.1 S3 Object based consists (page 17)
  - 42.1 Storage Tier/Classes (page 17)
  - 43.1 S3 - Charges (page 18)
  - 44.1 S3 Static Website (page 19)
  - 45.1 S3 Versioning (page 19)
  - 46.1 Cross Region Replication (page 19)
  - 47.1 S3 - Life Cycle Management (page 19)
  - 48.1 CDN (Content Delivery Network) (page 20)
  - 49.1 How CDN works (page 20)
  - 50.1 Amazon CloudFront (page 20)
  - 51.1 Edge location (page 21)
  - 52.1 S3 - Encryption (page 21)
  - 53.1 Encryption Methods - S3 (page 21)
  - 54.1 Storage Gateway (page 22)
  - 55.1 Storage Gateway Types (page 22)
  - 56.1 Snowball (page 23)
  - 57.1 S3 Transfer Acceleration (page 23)
  - 58.1 Build a Serverless Webpage (page 23)
- 6 AWS - Database Basics (page 24)
  - 59.1 DynamoDB - Introduction (page 24)
  - 60.1 Types of consistency (page 24)
  - 61.1 Pricing Model (page 25)
  - 62.1 DynamoDB Table Creation Lab (page 25)
  - 63.1 DynamoDB Indexes and Streams (page 25)
  - 64.1 Indexes (page 25)
  - 65.1 DynamoDB Stream (page 26)
  - 66.1 Query & Scan (page 26)
  - 67.1 Provisioned Throughput (page 26)
  - 68.1 Web Identity Provider to connect DynamoDB (page 27)
  - 69.1 DynamoDB - Other Key Points (page 27)
  - 70.1 Batch Operations (page 28)
- 7 SQS (Simple Queue Service) (page 28)
  - 71.1 SQS Visibility Timeout (page 29)
  - 72.1 SQS Autoscaling (page 29)
  - 73.1 SQS Pricing (page 29)
  - 74.1 SQS Delivery (page 29)
  - 75.1 SQS Long Polling (page 29)
  - 76.1 SQS Fanning Out (page 30)
  - 77.1 SNS - Simple Notification Service (page 30)
  - 78.1 SNS Topics (page 30)
  - 79.1 SQS vs SNS (page 31)
- 8 SWF - Simple WorkFlow Services (page 31)
  - 80.1 SWF vs SQS (page 32)
  - 81.1 SWF Domain (page 32)
- 9 CloudFormation (Infrastructure as Code) (page 33)
- 10 Elastic Beanstalk (page 34)
- 11 Shared Responsibility (page 35)
- 12 DNS (Domain Naming Service) (page 37)
  - 82.1 SOA Records (page 37)
  - 83.1 NS Records (page 37)
  - 84.1 A Records (page 37)
  - 85.1 TTL (Time to Live) (page 37)
  - 86.1 CNAMES (Zone Apex Record) (page 38)
  - 87.1 Alias Records (page 38)
  - 88.1 Routing Policy Types - Lab (page 38)
- 13 VPC Overview (Virtual Private Cloud) (page 39)
  - 89.1 VPC IP Address (page 40)
  - 90.1 What can we do with VPC (page 41)
  - 91.1 Default VPC vs Custom VPC (page 41)
  - 92.1 VPC Peering (page 41)
  - 93.1 VPC and Subnet creation (page 41)
  - 94.1 NAT Instances or NAT Gateways (page 42)
  - 95.1 Network ACL vs Security Groups (page 43)
  - 96.1 VPC and ELB (page 43)
  - 97.1 NAT vs Bastion (page 43)
  - 98.1 VPC Flow Logs (page 44)
  - 99.1 HTTP Status Code (page 44)
  - 100.1 HTTPS Load Balancer (page 44)
    o If the client application uses HTTPS, install the SSL/TLS certificate on the Load Balancer (page 44)
  - 101.1 ECS (EC2 Container Service) (page 44)
  - 102.1 Questions (page 45)
  - 103.1 Resources (page 45)

AWS – Amazon Web Services

1 Basics

- Andy Jassy - CEO, AWS
- Gartner Magic Quadrant - Cloud Computing: AWS, Microsoft Azure, Google Cloud Computing, IBM, VM, Rackspace


16 regions and 44 Availability Zones. As of February 2017, there are 16 AWS Regions.

- Regions - geographical area
- Availability Zone - data center
- Edge Locations - CDN end points for CloudFront

Amazon EC2 is hosted in multiple locations world-wide. These locations are composed of regions and Availability Zones.

1.1 Regions

- Each region is a separate geographic area.
- Each region is completely independent. Useful for the greatest possible fault tolerance and stability.
- Resources aren't replicated across regions unless you do so specifically.

2.1 Availability Zone

- Each region has multiple, isolated locations known as Availability Zones.
- The Availability Zones in a region are connected through low-latency links.
- If you distribute your instances across multiple Availability Zones and one instance fails, you can design your application so that an instance in another Availability Zone can handle requests.
- You can also use Elastic IP addresses to mask the failure of an instance in one Availability Zone by rapidly remapping the address to an instance in another Availability Zone.
- Each Availability Zone runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable.

3.1 SDK Support

- Traditional: Java, .Net & C++
- Mobile: Android, iOS and Browser, AWS Mobile SDK
- Fancy: Node.js, Python, PHP, Ruby, Go
- IoT: AWS IoT Device SDK

2 Web Services Overview

4.1 Networking & Content Delivery

- VPC - Virtual Data Center
- Route53 - Amazon DNS service - 53 is the DNS port
- CloudFront - Content Delivery Network - caching videos and media files
- Direct Connect - connecting offices - dedicated line into AWS

5.1 Compute

- EC2 - Elastic Compute Cloud - Virtual Machine - like VMware
- EC2 Container Service - ECS
- Elastic Beanstalk
- Lambda - Serverless - upload code
- Lightsail

6.1 Storage

- S3 - Simple Storage Service - virtual disk - store objects - documents - pic, Word doc, ppt, Ex; like Dropbox - not for DB or application, not for installing
- Glacier - not for instant access - data archival - low cost - store files - takes time to retrieve
- EFS - Elastic File System - file based storage, shareable - you could install DB, applications
- Storage Gateway

7.1 Databases

- RDS - Relational Database Service - Postgres, Oracle, SQL, Aurora
- DynamoDB - not a relational DB - high performance - NoSQL DB
- Redshift - data warehousing - query for reports - not for prod application
- ElastiCache - caching data - take load off the databases

8.1 Migration

- Snowball - import/export - ship disk to Amazon - transfer to S3 - enterprise - terabyte transfer
- Snowball Edge - like a dedicated datacenter - owning
- DMS - Database Migration Service - DB migration to AWS
- SMS - Server Migration Service - migrating VMware to AWS

9.1 Analytics

- Athena - JSON file, SQL query
- EMR - Elastic Map Reduce - used for big data
- CloudSearch - fully managed service
- Elasticsearch - open source framework - search capabilities
- Kinesis - streaming
- Data Pipeline - move data to S3 / DynamoDB
- QuickSight

10.1 Security and Identity

- IAM - sign in and authentication, providing access/entitlements
- Inspector - agents installed in VMs - monitor VMs
- Certificate Manager - SSL certificates
- Directory Service - using Active Directory
- WAF - Web Application Firewall - application level protection - SQL injection, cross-site scripting
- Artifacts - compliance reports - ISO certification

11.1 Management Tools

- CloudWatch - monitor performance of the AWS environment
- CloudFormation - Infrastructure as Code - document your infrastructure
- CloudTrail - auditing results
- OpsWorks
- Config - monitor environment & set alerts - detect and alert
- Service Catalog
- Trusted Advisor - automated scanning of the environment and advice


12.1 Application Services

- Step Functions
- SWF - Simple Workflow - automating manual steps
- API Gateway - publish APIs - doorway to access AWS services
- AppStream
- Elastic Transcoder - upload video, transcode for different devices

13.1 Developer Tools

- CodeCommit - store code securely
- CodeBuild - compiling code
- CodeDeploy - deploying code
- CodePipeline - OS

14.1 Mobile Services

- Mobile Hub - console provider
- Cognito - sign in
- Device Farm
- Mobile Analytics
- Pinpoint - Google Analytics

15.1 Business Productivity - WorkDocs-Work

16.1 IoT - IoT

17.1 Desktop & App Streaming

- Workspaces
- AppStream

18.1 Artificial Intelligence

- Nick Bostrom (Superintelligence)
- Alexa - Amazon Voice Services - Echo - talking to Lambda
- Lex
- Polly
- Machine Learning - AWS dataset - analyse and predict future decisions
- Rekognition - picture recognition - face recognition

19.1 Messaging

- SNS - Simple Notification Service - notify by email, text
- SQS - Simple Queue Service
- SES - Simple Email Service

3 IAM - Identity & Access Management


Authentication & Authorization Services - Use IAM to control who can use your AWS resources (authentication) and what resources they can use and in what ways (authorization)

In Identity Access Management, you can use SAML (Security Assertion Markup Language 2.0) to give your federated users single sign-on (SSO) access to the AWS Management Console.

A user can be an individual, system, or application requiring access to AWS services.

Federated Users - users outside of AWS.

Manage users and their level of access to the AWS console:

- Centralized control of the AWS account
- Shared access
- Multifactor authentication
- Granular level permissions
- Identity Federation
- Temporary access for users/devices/services
- Password rotation policy
- Integrates with many services
- PCI DSS compliance - Payment Card Industry (PCI) Data Security Standard (DSS)

- Users are global entities; no region is required to be specified when you define user permissions.
- Access IAM through the AWS Management Console or the AWS Command Line.
- IAM HTTPS API - provides a secure connection for programs to access IAM.
- No price to use the IAM service.

Root Access

- The one logged in with the email ID.
- Complete, unrestricted access to all resources in your AWS account, including access to your billing information and the ability to change your password.

For providing access for Web Identity Providers (FB, Google, ...), call the AssumeRoleWithWebIdentity API to pass the web identity token to AWS.

AssumeRoleWithSAML API - Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response. This operation provides a mechanism for tying an enterprise identity store or directory to role-based AWS access without user-specific credentials or configuration.

20.1 STS (Security Token Services)

Provides temporary access to AWS resources. Users come from three sources:

- Federation
  o Uses SAML 2.0 (Security Assertion Markup Language) for SSO authentication
  o Provides access based off the user's AD credentials; the user does not need to exist in IAM
  o Create an Identity Broker application and provide SSO login with no IAM access
- Federation with Mobile Apps
  o Uses another OpenID provider domain to log in (FB, Amazon, Google)
- Cross Account Access
  o A user in one AWS account accesses another AWS account

Federation - combine/join the list of users from IAM with users from another domain (FB, AD, Google).


- Identity Broker - a service that takes an identity from point A to point B
- Identity Store - services like AD, FB, Google etc.
- Identities - a user of a service, using FB etc.
- STS API - AssumeRole, AssumeRoleWithWebIdentity, and AssumeRoleWithSAML. These APIs return a set of temporary security credentials that applications can then use to sign requests to AWS service APIs.
  o AssumeRole - cross-account access or federation
  o AssumeRoleWithSAML - for users who have been authenticated via a SAML authentication response. Provides a mechanism for tying an enterprise identity store or directory to role-based AWS access without user-specific credentials or configuration.
  o AssumeRoleWithWebIdentity - for users authenticated in a mobile or web application with a web identity provider, such as Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity provider

AD Authentication

- Always authenticate against AD first, then get STS or SAML credentials to access AWS resources.
- SAML - Security Assertion Markup Language

Web Identity Federation with a Mobile App

- First authenticate with the IdP (Identity Provider), then get security credentials.
- Call AssumeRoleWithWebIdentity - returns a temporary token.
- Should be able to access AWS resources for a few hours.

ARN - Amazon Resource Name - unique ID for a role. An AWS Role is helpful because you do not have to copy AWS access keys onto every instance to give it access.

Temporary Token (access key ID, secret access key, and security token) - for IAM users or federated users needing temporary access:

- For extending existing internal authentication methods to access AWS services, for example SSO, AD.
- For federated users - when they try to access AWS from mobile devices.

21.1 Identity Federation

- With identity federation, external identities are granted secure access to resources in your AWS account without having to create IAM users.
- These external identities can come from your corporate identity provider (such as Microsoft Active Directory or from the AWS Directory Service) or from a web identity provider (such as Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible provider).
- Amazon Cognito - Identity Broker - best for mobile devices, takes care of all federation.

22.1 Determining Whether a Request is Allowed or Denied

When a request is made, the AWS service decides whether a given request should be allowed or denied. The evaluation logic follows these rules:

- By default, all requests are denied. (In general, requests made using the account credentials for resources in the account are always allowed.)
- An explicit allow overrides this default.
- An explicit deny overrides any allows.
- The order in which the policies are evaluated has no effect on the outcome of the evaluation. All policies are evaluated, and the result is always that the request is either allowed or denied.
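A small evaluator, added here as an illustration and not AWS's own policy engine, that applies the four rules above to one request and reports which statement decided it; the two policy documents and the bucket name example-bucket are constructed for the example, and conditions, principals and NotAction are left out.

```python
"""Toy evaluator for the IAM decision rules described above:
all requests are denied by default, an explicit Allow overrides that
default, an explicit Deny overrides any Allow, and the order in which
policies are evaluated does not change the outcome.

Added example written for this page; it is not AWS's evaluation engine
(no Condition, Principal or NotAction support). The policy documents and
the bucket name "example-bucket" are constructed for illustration.
"""
import re
from itertools import permutations


def _matches(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' one char."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _applies(stmt, action, resource):
    """True when the statement's Action and Resource both cover the request."""
    return (any(_matches(a, action) for a in _as_list(stmt.get("Action", [])))
            and any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))))


def evaluate_with_reason(policies, action, resource):
    """Return (decision, reason) for one request under every attached policy.

    `policies` maps a policy name to its policy document (a dict).
    """
    allow_reason = None
    for name, doc in policies.items():
        for index, stmt in enumerate(_as_list(doc.get("Statement", []))):
            if not _applies(stmt, action, resource):
                continue
            where = "%s statement %d" % (name, index)
            if stmt.get("Effect") == "Deny":
                # An explicit Deny wins no matter what else allows the request.
                return "Deny", "explicit deny in " + where
            if stmt.get("Effect") == "Allow" and allow_reason is None:
                allow_reason = "explicit allow in " + where
    if allow_reason is not None:
        return "Allow", allow_reason
    return "Deny", "implicit deny (no statement allowed the request)"


def evaluate(policies, action, resource):
    """Just the Allow/Deny decision."""
    return evaluate_with_reason(policies, action, resource)[0]


def order_independent(policies, action, resource):
    """Check the rule that evaluation order never changes the decision."""
    decisions = {evaluate(dict(order), action, resource)
                 for order in permutations(policies.items())}
    return len(decisions) == 1


# Constructed sample policies: a developer permission set plus a guardrail
# that explicitly denies every S3 action on a "secrets" prefix in that bucket.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
}

GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/secrets/*"},
    ],
}

POLICIES = {"developer": DEVELOPER_POLICY, "guardrail": GUARDRAIL_POLICY}


if __name__ == "__main__":
    for action, resource in [
        ("s3:GetObject", "arn:aws:s3:::example-bucket/public/readme.txt"),
        ("s3:GetObject", "arn:aws:s3:::example-bucket/secrets/key.pem"),
        ("s3:PutObject", "arn:aws:s3:::example-bucket/public/readme.txt"),
        ("ec2:DescribeInstances", "*"),
    ]:
        decision, reason = evaluate_with_reason(POLICIES, action, resource)
        print("%-22s %-50s %-5s %s" % (action, resource, decision, reason))
```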

4 EC2 (Elastic Compute Cloud)

- Web service providing resizable compute capacity.
- Quickly scale capacity both up and down.
- Pay for what you use - changes the economics of computing - pay only for what you actually use.
- Build resilient applications.
- With EC2, you can have 2 types of storage: EBS or Instance Store. EBS is persistent, and if an EC2 instance is stopped with an EBS volume attached, there will be no data lost. Instance Store is ephemeral and if the EC2 instance is stopped, all data will be lost.

You can share an AMI with specific AWS accounts without making the AMI public. All you need are the AWS account IDs.

AMIs are a regional resource. Therefore, sharing an AMI makes it available in that region. To make an AMI available in a different region, copy the AMI to the region and then share it. For more information, see Copying an AMI.

23.1 Pricing options

On Demand

- Pay a fixed rate by the hour used.
- Low cost, no long term commitment.
- Short term, spiky or unpredictable workloads.
- Applications developed or tested on Amazon EC2 for the short term.

Reserved
- Reserved capacity for use - discount for long term commitment
- Reserved Instances are assigned to a specific Availability Zone; they provide a capacity reservation, giving you additional confidence in your ability to launch instances when you need them
- Applications with steady state or predictable usage - reserved capacity - you know the baseline
- It is possible to transfer a reserved instance from one Availability Zone to another

Spot
- Bid whatever price you like - for applications that have flexible start and end times
- If the spot price rises above your bid price, the contract terminates
- Urgent computing needs for large additional capacity, quickly
- bid price > spot price - you use the instance
- spot price > bid price - Amazon terminates the instance
- Urgent computing with LARGE capacity
- If Amazon terminates the instance, you will not be charged for the partial hour; if you terminate it, you are charged for the remaining hours

Dedicated Hosts
- Dedicated physical EC2 server
- Allows you to use existing software licenses
- EC2 instances that run in a VPC on hardware that's dedicated to a single customer
- Regulatory requirements - mostly government - don't want to be in the public cloud
- Not for multi-tenant virtualization
- Useful for regulatory requirements

You are limited to running up to a total of 20 On-Demand instances across the instance family and to purchasing 20 Reserved Instances.

Billing starts when you “start” the instance and its boot sequence initiates. Billing stops when you “Stop” or “Terminate” the instance.

Data transfer between Availability Zones is charged.

24.1 EC2 Instance Types

1. D - Dense Storage - file servers/data warehousing
2. R - Memory Optimized - memory intensive apps
3. M - General Purpose - mostly for production
4. C - Compute Optimized - CPU intensive
5. G - Graphics Intensive - video encoding
6. I - High IOPS
7. F - FPGA - Field Programmable Gate Array - hardware accelerated
8. T - General Purpose - dev/test - T2 Micro
9. P - Graphics - machine learning
10. X - Extreme memory - big data/data warehousing - SAP HANA/Spark

25.1 EBS (Elastic Block Storage)

- Storage volume attached to EC2
- Can install all types of software
- Replicated within its AZ - available in all regions

26.1 Elastic IP Address

When you launch an EC2 instance, you receive a Public IP address by which that instance is reachable. Once you stop that instance and restart it, you get a new Public IP for the same instance. So, the Public IP changes every time an instance is stopped and started.

To overcome this problem, we attach an Elastic IP to the instance; it does not change however many times you stop/start the instance.

If you have an Elastic IP in your account and it's not in use, then you will be charged for it. All accounts are limited to 5 Elastic IP addresses per region.


27.1 EBS Volume Types

General Purpose SSD (GP2)
- Balances both performance and price
- 3 IOPS/GB - up to 10K IOPS

Provisioned IOPS SSD (IO1)
- If the application needs more than 10K IOPS
- Suitable for IO intensive apps - NoSQL

Spinning Disk - Magnetic Storage

Throughput Optimized HDD (ST1)
- Large sequential data
- Big data, data warehousing
- Cannot be a boot volume

Cold HDD (SC1)
- Lowest cost storage
- For infrequently accessed data
- Cannot be a boot volume
- File servers

Magnetic (Standard)
- Lowest cost
- Bootable

Cannot mount 1 EBS volume to multiple EC2 instances - use EFS. While you are able to attach multiple volumes to a single instance, attaching multiple instances to one volume is NOT supported at this time.

28.1 EC2 Lab

- AMI - Amazon Machine Image - virtual machine images
- HVM - Hardware Virtual Machine; PV - Paravirtual
- What is micro, nano?
- VPC - Virtual Private Cloud - 1 subnet = 1 Availability Zone
- CloudWatch - monitoring
- Termination Protection - off by default; manually turn it on
- Security Groups - virtual firewall
- EBS backed instance: by default the root volume is deleted when the instance is terminated
- By default the root volume cannot be encrypted - you can use a 3rd party tool; additional EBS volumes can be encrypted


29.1 Security Groups

- Changes to a Security Group take effect immediately
- Security groups are stateful - outbound is allowed automatically when an inbound rule is added
- All inbound traffic is blocked by default
- Multiple EC2 instances can be mapped to one SG
- Multiple SGs can be attached to an EC2 instance
- Not possible to deny any specific inbound traffic (SSH, HTTP...) - only allow rules
- The default SG in every default VPC uses the same source: all EC2 instances in it can communicate with each other

30.1 Upgrading EBS Volumes

- It is possible to change the volume type (from SSD to magnetic) without loss of data
- Snapshot - taking a copy of a volume
- Best practice is to stop the EC2 instance, make the EBS volume change, then take a snapshot
- EBS volumes can be changed on the fly - except magnetic
- After changing a volume on the fly, it takes 6 hrs before you can make another change
- You can scale EBS volumes up only; you cannot decrease them
- The volume must be in the same Availability Zone as the EC2 instance to attach it

Unix Common Command====================

31.1 EFS (Elastic File System)

- Storage capacity is elastic, growing and shrinking automatically as you add or remove files
- Supports NFSv4
- Pay only for what you use
- Scales up to petabytes
- Data is stored across multiple AZs within a region
- EFS is file storage, not object based storage
- All Linux AMIs support EFS; not Windows. You have to mount it in a Linux EC2 instance.

32.1 AWS CLI Command

Format: aws <service name> <command> --<sub-command>

aws configure - set up credentials
aws s3 ls - list all buckets in S3
aws <service> help
aws ec2 describe-instances - describe all instances
aws ec2 terminate-instances --instance-ids <instance id> - terminate the EC2 instance

Better to remove access keys by removing users. Assign roles to the EC2 instances - no need to configure access keys and secret keys explicitly.

You need to specify the region parameter to run some aws s3 related commands when you are outside your region, e.g.:
aws s3 cp --recursive s3://acloudguru-useast2 /home/ec2-user --region <<your region>>

aws ec2 describe-images - list all images created

aws ec2 run-instances --image-id <<>> --count <<>> --instance-type <<>> --key-name <<>> --security-group-ids <<>> --subnet-id <<>>
  - This creates or launches a new EC2 instance from the AWS CLI.

33.1 Bash Scripting

Commands to execute at the time the EC2 instance starts.

34.1 Instance Meta Data

Instance Metadata is data about your EC2 instance. Commands (run on the instance) for getting the Public IP address of your EC2 instance:

- curl http://169.254.169.254/latest/meta-data/
- curl http://169.254.169.254/latest/meta-data/public-ipv4

35.1 Serverless Computing

Serverless computing allows you to build and run applications and services without thinking about servers. It is NOT running apps with no servers; server management is done by AWS.

36.1 Lambda – Serverless Computing

AWS Lambda lets you run code without provisioning or managing servers. Just upload your code and Lambda takes care of everything required to run and scale your code with high availability.

- You pay only for the compute time you consume; there is no charge when your code is not running
- Compute service: upload code and create a Lambda function
- Lambda takes care of provisioning and managing the servers to run the code; no need to worry about OS, patching, scaling...
- Event driven - Lambda runs code based on an event
- HTTP requests - run code in response to HTTP requests using Amazon API Gateway or API calls
- It automatically scales out (increasing the resources behind a load balancer), not up


Event Driven - An event (uploading an image to S3) triggers a Lambda function. One Lambda function can trigger another Lambda function.

- AWS Lambda stores code in Amazon S3 and encrypts it at rest.
- Lambda function code must be written in a “stateless” style
- AWS Lambda automatically monitors Lambda functions on your behalf
- AWS Lambda automatically integrates with Amazon CloudWatch Logs: lifecycle event log entries, including logging the resources consumed.
- You can set your memory in 64MB increments from 128MB to 1.5GB
- All calls made to AWS Lambda must complete execution within 300 seconds
  - default timeout is 3 seconds
  - but you can set the timeout to any value between 1 and 300 seconds

- AWS Lambda functions are typically ready to call within seconds of upload
- AWS Lambda will attempt execution of your function three times in the event of an error condition in your code
- CodePipeline - automates deployment for a serverless application
- You can enable your Lambda function for tracing with AWS X-Ray by adding X-Ray permissions to your Lambda function’s execution role and changing your function’s “tracing mode” to “active.”

There is a limit to the number of AWS Lambda functions you can execute at once. By default, AWS Lambda limits the total concurrent executions across all functions within a given region to 1000.

429 error code - on exceeding the throttle limit, AWS Lambda functions being invoked synchronously will return a throttling error

You grant permissions to your Lambda function to access other resources using an IAM role.

HTTP requests - one HTTP request invokes one Lambda function; N HTTP requests invoke N Lambda functions

Languages supported - Node.js (JavaScript), Python, Java (Java 8 compatible), and C# (.NET Core)

Prices - depend on the number of requests (the first 1 million requests are free, $0.02/million after that) and on duration, calculated from the code execution time

Cool factors - no servers, continuous scaling, cheap

AWS X-Ray allows you to debug architecture issues

Events that trigger a Lambda function:
- Amazon S3
- Amazon DynamoDB
- Amazon Kinesis Streams
- Amazon Simple Notification Service
- Amazon Simple Email Service
- Amazon Cognito
- AWS CloudFormation
- Amazon CloudWatch Logs
- Amazon CloudWatch Events
- AWS CodeCommit
- Scheduled Events (powered by Amazon CloudWatch Events)
- AWS Config
- Amazon Alexa
- Amazon Lex
- Amazon API Gateway

Other event sources: invoking a Lambda function on demand; sample events published by event sources

37.1 Elastic Load Balancers

Spread the traffic load across different web servers. Two types:

- Application Load Balancer - new, works on layer 7 (application layer), preferred for HTTP, HTTPS
- Classic Load Balancer - layer 4 balancer (TCP layer)

- We don't get a public IP address for a Load Balancer, only a DNS name - the IP is not viewable; as it is public, it will change
- Instances monitored by the ELB are InService or OutOfService
- You cannot have multiple SSL certificates (for multiple domain names) on a single Elastic Load Balancer
- It uses DNS and Route 53 technologies for request routing.
  - When using ELB, you are given a DNS name. Requests reaching the DNS name will be routed to all mapped EC2 instances. Route 53 is Amazon's DNS service that handles DNS on the backend.

Read Classic ELB-

Sticky Session (Session Affinity)
- Default – the ELB routes each request independently to any of the configured instances
- But you can enable sticky sessions at the instance level, which makes the ELB send a user's requests to the same instance
- Elastic Load Balancing creates a cookie named AWSELB
- Requirements: HTTP/HTTPS session, at least one healthy instance in each AZ
- The key is managing the sticky session duration:
  1. Set your own expiration
  2. Take the application cookie session expiration

38.1 SDK Exam Tips

Supported SDKs - Android, iOS, JavaScript (browser) - Java, .NET, C++ - Node.js, PHP, Python, Ruby, Go

Default Region for setting up SDK - US-EAST-1


39.1 Volume vs Snapshots

- Volumes exist on EBS; snapshots exist on S3
- Take a snapshot of a volume; it will be stored on S3
- Snapshots are incremental
- Snapshots of encrypted volumes are encrypted automatically
- Volumes restored from encrypted snapshots are encrypted automatically
- It is recommended to stop the instance before taking a snapshot of the ROOT volume. AWS supports real-time snapshots, but they may not cover cached content.

40.1 EBS vs Instance Store

- Instance Store - ephemeral volume
- Instance Store backed instances cannot be stopped - if stopped, data will be lost
- EBS backed instances can be stopped - data will not be lost
- Both can be rebooted - no data loss
- EBS root volume has an option to say not to delete the ROOT volume, but there is no such option for Instance Store
- CloudWatch - for performance monitoring; CloudTrail - for auditing
- Terminate – both lose data (unless you enable the option in EBS)
- Stop – EBS – no data loss; Instance Store – data loss
- Restart – no data loss


Important Points

For the private key you have to change the permissions so that no one else can read or write it. Otherwise you get the error message “unprotected private key file”. By default it is readable and writable by anyone. You have to run this command in Linux:

$ chmod 0400 key.pem

RegisterImage – Registers an AMI. When you're creating an AMI, this is the final step you must complete before you can launch an instance from the AMI.

For Amazon EBS-backed instances, CreateImage creates and registers the AMI in a single request, so you don't have to register the AMI yourself.

DescribeImages – Command to describe or list all images

5 S3 - Simple Storage Service

Backbone of AWS. Provides secure, durable and highly scalable storage.

- Uses a simple web service interface to store and retrieve data from anywhere on the web
- Object based storage - NOT block storage
- Object based - flat files (photos, videos...); an OS or DB cannot be installed on it
- Spread across multiple devices and facilities - designed to withstand failure
- File size - 0 bytes to 5 TB
- The largest file you can transfer to S3 using a single PUT operation is 5 GB
- Unlimited storage
- Files are stored in buckets (folders)
- S3 universal namespace - names are unique globally
- DNS name - https://S3-eu-west-1.amazonaws.com/aloudguru
- 200 HTTP code for a successful upload
- Built for 99.99% availability
- 99.999999999% (11 9's) durability
- Tiered storage available
- Lifecycle management
- Versioning
- Encryption - different methods
- By default, you can create up to 100 buckets in each of your AWS accounts.
- Virtually any kind of data in any format can be stored in S3

41.1 Data Consistency

- PUT of a new object - read after write is immediately consistent
- UPDATE and DELETE - take time to reflect - not immediate - atomic - you get either the old or the new file

42.1 S3 Object Based - consists of

- Key
  - File name - design consideration - make it unique / add some randomness at the beginning of the file name
- Value
- Version ID
- Metadata - data about the data
- Subresources
  - ACL - Access Control List
  - Torrent

43.1 Storage Tiers/Classes

- S3 - 99.99% durability - stored in multiple facilities and devices - sustains the loss of 2 facilities
- S3 - IA - Infrequently Accessed - data accessed less frequently, but rapid access when needed - lower fee than S3 - adds a retrieval fee
  - Example - preferable for storing files that are not frequently accessed
- RRS - Reduced Redundancy Storage - 99.99% durability - 99.99% availability
  - Example - preferable for objects that can be recreated
- Glacier - very cheap, but used for archival only; takes 3-5 hrs to retrieve data


44.1 S3 - Charges

Charged for:
- Storage - volume
- Requests - number of requests
- Storage Management Pricing - tags - different groups, e.g. developer/finance/HR
- Data Transfer Pricing - replication from one region to another
- Transfer Acceleration - an easy, fast way of transferring data instead of uploading directly to an S3 bucket in a remote location. (A user from Australia uploading to an S3 bucket in London uploads to a nearby S3 edge location, which transfers it to S3 using a high-speed transmission mechanism.)


45.1 S3 Static Website

URL structure:
- http://mykavithaigal.s3-website.us-east-2.amazonaws.com
- https://s3.us-east-2.amazonaws.com/myaaraychi/index.html
- http://myaaraychi.s3-website.us-east-2.amazonaws.com/index.html
- http://myaaraychi.s3-website.us-east-2.amazonaws.com

46.1 S3 Versioning

- Stores all versions of an object - including deleted ones
- Once enabled, versioning cannot be disabled, only suspended
- Integrates with life cycle rules
- Enable MFA delete to avoid accidental deletes - adds more security
- Files removed from the version control system directly cannot be recovered
- Removing the delete marker will put the file back in the bucket
- Objects stored in your bucket before you set the versioning state have a version ID of null.

47.1 Cross Region Replication

Cross-region replication is a bucket-level feature that enables automatic, asynchronous copying of objects across buckets in different AWS regions

- Versioning must be enabled on both the source and destination buckets
- The source and destination buckets must be in different AWS regions
- Existing objects are not replicated automatically; all subsequently updated files will be replicated automatically
- Not possible to replicate to multiple buckets - you can replicate objects from a source bucket to only one destination bucket
- Delete markers are replicated

48.1 S3- Life Cycle Management

The configuration is a set of one or more rules, where each rule defines an action for Amazon S3 to apply to a group of objects.

- Can be used in conjunction with versioning
- You can enable versioning before or after setting the lifecycle rules
- If you enable versioning after setting the lifecycle rule, then versioning applies only to those files which are uploaded/updated after that
- Applies to both the current and previous versions

Rules
- Transition to S3 IA - after a minimum of 30 days (30 days after the object creation date)
- Transition to Glacier - a minimum of 30 days after moving to Standard IA
- Expire the current version or permanently delete previous versions (minimum 1 day after moving to Glacier, which is after >= 61 days)

49.1 CDN (Content Delivery Network)

CDN - a collection of edges: a system of distributed servers that deliver web pages and other content to users who are accessing from multiple geographical locations.

If a web server which stores all the web pages/movie files/other things resides in a different location, and users access it from a different region or geographical location, they face latency issues due to the distance.

Edge Locations - locations where content will be cached - separate from AZs/regions - more than 50 locations

Origin - the origin of all the files that the CDN distributes - can be EC2, S3, ELB or Route 53

50.1 How a CDN works

- Edge locations are spread across different locations
- When a request is made to access a website which is in a remote location, the request goes to an edge location
- The edge location checks whether the content is cached or not; if not, it fetches it from the origin server and caches it. The first time takes longer and is not quick
- When other users access the same content, it is served from the edge location, which is very quick

51.1 Amazon CloudFront

Amazon CloudFront is a global content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to your viewers with low latency and high transfer speeds.

CloudFront speeds up the distribution of your content by routing each user request to the edge location that can best serve your content.

- Can be used to deliver web pages, static or dynamic, and streaming movies
- Requests are routed to the nearest edge location - so content is delivered quickly
- Works with other Amazon web services: S3, ELB, EC2...; works with non-AWS origin servers also
- Web page distribution from an origin server – S3 bucket or HTTP web server - used for websites. If you're serving content over HTTP, your origin server is either an Amazon S3 bucket or an HTTP server, such as a web server
- If you distribute media files on demand using the Adobe Media Server RTMP protocol, your origin server is always an Amazon S3 bucket.


52.1 Edge Locations

- Support both READ and UPDATE of content - you can put a file and it is put back to the origin
- Objects are cached for the life of the TTL (TTL - Time To Live)
- Set the TTL - how long content can be cached
- You can clear cached objects manually if they are not required - there is a charge to clear

53.1 S3 - Encryption

Describes how to encrypt an S3 bucket to secure it. By default all buckets are PRIVATE. Set up access control with:

- Bucket Policies - bucket wide - permissions apply to the entire bucket
- Access Control List - for the individual object level

Access logging can be configured - to track who is accessing

54.1 Encryption Methods - S3

In Transit
- When you send data to S3 or read from S3 - from your PC
- Using SSL/TLS - HTTPS to encrypt data in transit

At Rest
- Server Side Encryption
  - SSE-S3 - S3 Managed Keys - each object is encrypted with a unique key - MFA - AWS encrypts the key with a master key - the master key is regularly changed - AES-256 - Advanced Encryption Standard
  - SSE-KMS - Key Management Service - similar to SSE-S3 - provides additional benefits and charges - envelope key - protection of the encryption key - provides an audit trail - who is accessing/decrypting?
  - SSE-C - Customer provided keys - you manage the encryption keys - Amazon only encrypts/decrypts
- Client Side Encryption - you encrypt the data and upload it into S3

55.1 Storage Gateway

AWS Storage Gateway is a hybrid storage service that enables your on-premises applications to seamlessly use storage in the AWS Cloud.

You can use the service for backup and archiving, disaster recovery, cloud bursting, storage tiering, and migration.

Your applications connect to the service through a gateway appliance using standard storage protocols, such as NFS and iSCSI

Back up data in an enterprise environment. Two ways:

- Write backup data to S3 directly using API calls
- Write backups to Storage Gateway, which securely transfers them to S3

56.1 Storage Gateway Types

File Interface
- NFS
- Provides a virtual file server
- Available as a mount point

Volume Interface (new name)
- Gateway-Cached Volume (old name) - iSCSI based block storage
- Gateway-Stored Volume (old name) - iSCSI based block storage

Tape Interface (new name)
- Gateway-Virtual Tape Library (old name)
- iSCSI based tape solution
- Stores data either in the virtual tape library or in Glacier
- Glacier data retrieval takes 24 hrs

57.1 Snowball


Snowball is a petabyte-scale data transport solution that uses secure appliances to transfer large amounts of data into and out of the AWS cloud.

Before Snowball, Amazon offered an Import/Export feature using hard disks to upload huge amounts of data to S3: you sent an external hard disk to Amazon and they moved the data to S3. The problem was the different types of hard disk, which were not manageable, so Amazon released these appliances:

- Snowball - petabyte scale data transport solution - transfers large amounts of data from or to AWS - addresses high network costs, transfer times and security - uses multiple layers of security to protect data
- Snowball Edge - transfers 100TB - compute capabilities - like a small data center
- Snowmobile - a container in a truck - transfers exabyte scale data

58.1 S3 Transfer Acceleration

Utilises the CloudFront Edge network to accelerate uploads to S3. Instead of uploading files to S3 directly, upload them to a nearby CloudFront Edge location using a distinct URL.

59.1 Build a Serverless Webpage

A serverless web page can be created using API Gateway and Lambda functions. API Gateway triggers an event which invokes the Lambda function. The sequence flow is:

- User request -> S3 -> calls API Gateway using its URL -> triggers the Lambda function (written in Java, Node.js...) -> returns the response back to S3 -> returned back to the user

Set up the Lambda function for API Gateway. A DNS name can be bought in the Route 53 service - the bucket name should be available

60.1 CORS (Cross Origin Resource Sharing)

Cross-origin resource sharing (CORS) defines a way for client web applications that are loaded in one domain to interact with resources in a different domain.


With CORS support in Amazon S3, you can build rich client-side web applications with Amazon S3 and selectively allow cross-origin access to your Amazon S3 resources.

To configure your bucket to allow cross-origin requests, you create a CORS configuration, an XML document with rules that identify the origins that you will allow to access your bucket, the operations (HTTP methods) you will support for each origin, and other operation-specific information.

<CORSConfiguration>
  <CORSRule>
    <AllowedOrigin>http://www.example1.com</AllowedOrigin>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedMethod>DELETE</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
  </CORSRule>
</CORSConfiguration>
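As an added example (not from the original notes and not S3's own code), the following Python parses a CORS document of this shape and answers "would this origin and method be allowed?", following the S3 rule that the first matching CORSRule is used and that an AllowedOrigin may contain one "*" wildcard. The second rule in the sample XML is constructed here so that the wildcard audit has something to report:

```python
"""Parser for the CORS configuration shown above, plus a check of what a
browser request would be allowed. Added example, not S3 code; it follows the
documented S3 rule that the first matching CORSRule is used and that an
AllowedOrigin may hold one "*" wildcard."""
import xml.etree.ElementTree as ET

# Constructed copy of the configuration in the text, with a second, wider
# rule added so that the audit below has something to flag.
CORS_XML = """<CORSConfiguration>
  <CORSRule>
    <AllowedOrigin>http://www.example1.com</AllowedOrigin>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedMethod>DELETE</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
  </CORSRule>
  <CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
  </CORSRule>
</CORSConfiguration>"""


def parse_cors(xml_text):
    """Turn the XML into a list of rule dicts, in document order."""
    root = ET.fromstring(xml_text)
    return [{"origins": [e.text for e in rule.findall("AllowedOrigin")],
             "methods": [e.text for e in rule.findall("AllowedMethod")],
             "headers": [e.text for e in rule.findall("AllowedHeader")]}
            for rule in root.findall("CORSRule")]


def origin_matches(pattern, origin):
    """Exact match, or a single "*" standing for any run of characters."""
    if "*" not in pattern:
        return pattern == origin
    head, tail = pattern.split("*", 1)
    return (len(origin) >= len(head) + len(tail)
            and origin.startswith(head) and origin.endswith(tail))


def cors_allows(rules, origin, method):
    """The first rule matching both origin and method decides; no match means
    the browser refuses the cross-origin response."""
    for rule in rules:
        if method in rule["methods"] and any(origin_matches(p, origin) for p in rule["origins"]):
            return True
    return False


def wildcard_origin_rules(rules):
    """Indexes of rules open to every origin; review these, especially when
    they allow anything beyond GET."""
    return [i for i, rule in enumerate(rules) if "*" in rule["origins"]]


RULES = parse_cors(CORS_XML)

if __name__ == "__main__":
    print(cors_allows(RULES, "http://www.example1.com", "PUT"))    # True
    print(cors_allows(RULES, "http://www.example1.com", "GET"))    # True, via the second rule
    print(cors_allows(RULES, "http://other.example", "DELETE"))    # False
    print(wildcard_origin_rules(RULES))                             # [1]
```

Running the audit over every bucket's CORS document is a cheap way to spot rules that grant write methods to any origin.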

61.1 Restricting Access to a Specific HTTP Referrer

Suppose you have a website with domain name (www.example.com or example.com) with links to photos and videos stored in your S3 bucket, examplebucket. By default, all the S3 resources are private, so only the AWS account that created the resources can access them. To allow read access to these objects from your website, you can add a bucket policy that allows s3:GetObject permission with a condition, using the aws:Referer key, that the GET request must originate from specific web pages. The following policy specifies the StringLike condition with the aws:Referer condition key.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "StringLike": {"aws:Referer": ["http://www.example.com/*", "http://example.com/*"]}
      }
    }
  ]
}
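To see which requests that condition admits, here is an added Python check (not from the original notes and not AWS code) that reproduces StringLike matching for the two patterns above over a handful of constructed request headers:

```python
"""Which requests the Referer condition above lets through. Added example, not
AWS code: it reproduces StringLike matching ("*" any run of characters, "?" one
character) for the aws:Referer key over constructed request headers."""
from fnmatch import fnmatchcase

# Patterns from the bucket policy in the text.
REFERER_PATTERNS = ["http://www.example.com/*", "http://example.com/*"]


def referer_allowed(headers, patterns=REFERER_PATTERNS):
    """Mirror the StringLike test: the Referer must match a pattern. A request
    without any Referer does not satisfy StringLike, so the Allow never fires."""
    referer = headers.get("Referer")
    return referer is not None and any(fnmatchcase(referer, p) for p in patterns)


# Constructed requests of the kind an S3 access log would show.
SAMPLE_REQUESTS = [
    {"Referer": "http://www.example.com/photos.html"},     # linked from the site
    {"Referer": "http://example.com/"},                    # bare domain, trailing slash
    {"Referer": "https://www.example.com/photos.html"},    # same site over https
    {"Referer": "http://other.example/gallery"},           # hotlink from elsewhere
    {},                                                    # direct fetch, no Referer
]


def classify(requests=SAMPLE_REQUESTS):
    """Allow/deny outcome of the condition for each request, in order."""
    return [referer_allowed(r) for r in requests]


if __name__ == "__main__":
    print(classify())   # [True, True, False, False, False]
```

The third case is the practical gotcha: the patterns only name http://, so once the site moves to HTTPS its own pages stop matching until an https:// pattern is added. Since the browser supplies the Referer header, this condition deters hotlinking but is not an authentication control; use it for content that is public anyway.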

62.1 Multipart API

Upload large objects (more than 5GB) through the API

The Multipart upload API enables you to upload large objects in parts. You can use this API to upload new large objects or make a copy of an existing object (see Operations on Objects).

Multipart uploading is a three-step process: you initiate the upload, you upload the object parts, and after you have uploaded all the parts, you complete the multipart upload. Upon receiving the complete multipart upload request, Amazon S3 constructs the object from the uploaded parts, and you can then access the object just as you would any other object in your bucket.
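As an added example (not from the original notes and not S3's own code), the following Python does the client-side bookkeeping of that three-step flow: it cuts an object into numbered parts and computes the ETag S3 assigns to a completed multipart upload, so a later download can be checked against it. It assumes the documented multipart ETag form (MD5 over the parts' binary MD5s, followed by "-<part count>") and the 5 MB minimum part size; the sample object is constructed in memory:

```python
"""Client-side half of the three-step flow: cut an object into parts and
compute the ETag S3 assigns to a completed multipart upload, so a download can
be checked against it. Added example, not S3 code; it assumes the documented
multipart ETag form, MD5 over the parts' binary MD5s followed by "-<count>"."""
import hashlib

MIN_PART_SIZE = 5 * 1024 * 1024   # every part except the last must be >= 5 MB


def split_parts(data, part_size=MIN_PART_SIZE):
    """Step 2: number the parts from 1 the way UploadPart expects."""
    if part_size < MIN_PART_SIZE:
        raise ValueError("part size below S3's 5 MB minimum")
    return [(n, data[i:i + part_size])
            for n, i in enumerate(range(0, len(data), part_size), start=1)]


def multipart_etag(parts):
    """ETag returned by CompleteMultipartUpload for these parts."""
    digest_of_digests = hashlib.md5(
        b"".join(hashlib.md5(body).digest() for _, body in parts)).hexdigest()
    return f'"{digest_of_digests}-{len(parts)}"'


def single_put_etag(data):
    """For comparison: an object sent in one PUT gets the plain MD5 as its ETag."""
    return f'"{hashlib.md5(data).hexdigest()}"'


def download_matches(data, etag, part_size=MIN_PART_SIZE):
    """Compare a local copy with the ETag from S3; a "-N" suffix means the
    object was uploaded in N parts, so the same part size must be used."""
    if "-" in etag:
        return multipart_etag(split_parts(data, part_size)) == etag
    return single_put_etag(data) == etag


# Constructed object: a little over two parts long, so it needs three parts.
SAMPLE_OBJECT = bytes(range(256)) * (2 * MIN_PART_SIZE // 256) + b"tail"

if __name__ == "__main__":
    parts = split_parts(SAMPLE_OBJECT)
    print([(n, len(body)) for n, body in parts])   # [(1, 5242880), (2, 5242880), (3, 4)]
    print(multipart_etag(parts))                   # ends with "-3"
```

The check only works when the downloader knows the part size the uploader used, which is why a multipart ETag is not a plain MD5 of the object.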

The Multi-Object Delete operation enables you to delete multiple objects from a bucket using a single HTTP request. If you know the object keys that you want to delete, then this operation provides a suitable alternative to sending individual delete requests (see DELETE Object), reducing per-request overhead.

The Multi-Object Delete request contains a list of up to 1000 keys that you want to delete.

Common elements in an S3 bucket policy
- Resource – which S3 bucket or object the access applies to
- Action – what actions are allowed (list, get, delete)
- Effect – what happens when the user performs the action (Allow/Deny)
- Principal - who can access – user account – ARN

S3 Event Notifications - receive notifications when certain events happen in your bucket

Currently, Amazon S3 can publish the following events:
- A new object created event
- An object removal event - an object is deleted or a versioned object is permanently deleted by
- A Reduced Redundancy Storage (RRS) object lost event

Destinations:
- SNS
- SQS
- AWS Lambda

S3 Bucket Naming Convention

- 3-63 characters long
- Contains lowercase characters, numbers, dashes and periods
- Starts with a lowercase character or number
- No underscores; must not end with a dash, contain consecutive periods, or use a dash next to a period
- Cannot be formed as an IP address (121.23.34.534)
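As an added example (not from the original notes and not AWS code), here is a Python validator for exactly the rules listed above; the candidate names are constructed, and the IP-address check follows the page's "formed as an IP address" wording, so 121.23.34.534 is rejected too:

```python
"""Validator for the bucket naming rules listed above. Added example, not AWS
code; it checks only the rules on this page (the IP check follows the page's
"formed as an IP address" rule, so 121.23.34.534 is rejected too)."""
import re


def bucket_name_problems(name):
    """Return the list of rules the name breaks; an empty list means it passes."""
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("must be 3-63 characters long")
    if not re.fullmatch(r"[a-z0-9.-]*", name):      # also rejects underscores and capitals
        problems.append("only lowercase letters, numbers, dashes and periods")
    if not re.match(r"[a-z0-9]", name):            # an empty name fails here too
        problems.append("must start with a lowercase letter or number")
    if name.endswith("-"):
        problems.append("must not end with a dash")
    if ".." in name:
        problems.append("no consecutive periods")
    if ".-" in name or "-." in name:
        problems.append("no dash next to a period")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", name):
        problems.append("must not be formed like an IP address")
    return problems


def check_names(names):
    """Map each constructed candidate name to its problems."""
    return {name: bucket_name_problems(name) for name in names}


if __name__ == "__main__":
    candidates = ["my-bucket.example", "My_Bucket", "121.23.34.534", "a..b", "logs-"]
    for name, problems in check_names(candidates).items():
        print(name, "OK" if not problems else problems)
```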

A bucket is owned by the AWS account that created it


You can create up to 100 buckets in each of your AWS accounts. For additional buckets, contact AWS.

Bucket ownership is not transferable

After a bucket is deleted, the name becomes available to reuse, but the name might not be available for you to reuse for various reasons

There is no limit to the number of objects that can be stored in a bucket

You can store all of your objects in a single bucket, or you can organize them across several buckets

You cannot create a bucket within another bucket.

6 AWS Database Basics

RDS - Relational Database Service. OLTP - Online Transaction Processing. RDS = OLTP. AWS supports these DBs:
- SQL Server
- Oracle
- MySQL
- Aurora
- MariaDB
- PostgreSQL

OLAP - Online Analytical Processing - data warehousing databases (Cognos, Jaspersoft), JSON - NoSQL

ElastiCache - web service - caches frequently used data - improves performance - supports two open source in-memory cache engines: Memcached and Redis - for maintaining application session state; in-memory key-value store

DMS - Database Migration Service - migrate production databases to AWS - AWS takes care of all the migration complexity - Schema Conversion Tool (e.g. from Oracle to MySQL) - avoids license costs - converts schema, procedures, functions

63.1 DynamoDB-Introduction =====================

Read FAQ - MUST


- Push button scalability - can scale a table quickly by clicking a button
- Fast and flexible NoSQL database service
- Single digit millisecond latency
- Fully managed
- Supports both document (XML, JSON, HTML) and key-value data models
- Great fit for mobile, web, gaming, IoT and ad-tech
- Stored on SSD storage - so, super fast
- Data is stored in three different data center locations - replicated automatically to the other two locations - for backup

It consists of
- Table
- Items - a row in a table
- Attributes - a column in a row

It can have 256 tables per region. This is an initial limit and it can be increased by sending a request.

64.1 Types of consistency

Eventually Consistent Reads (default)
  o A read may return data that does not yet reflect a just-completed write, because the copies in the other two facilities are updated asynchronously
  o Consistency across all copies is usually reached within a second; repeat the read after a short time to get the updated data

Strongly Consistent Reads
  o Return a result that reflects all writes that received a successful response before the read
  o Cost twice as much read capacity as an eventually consistent read (see Provisioned Throughput)

Depending on the needs of the application, choose either type of read per request (the ConsistentRead parameter).

65.1 Pricing Model

Provisioned Throughput Capacity (prices as listed in these notes at the time of writing; check current pricing)
- Write - $0.0065/hr for every 10 write capacity units
- Read - $0.0065/hr for every 50 read capacity units

Storage
- First 25 GB per month is free
- After that, $0.25 per GB per month

66.1 DynamoDB Table Creation Lab
- Create an IAM role with DynamoDB full access
- Create an EC2 instance and attach the role (instance profile), so the script obtains temporary credentials from the instance metadata instead of hard-coded access keys
- Connect and execute a PHP script to create tables and upload data

67.1 DynamoDB Indexes and Streams

Two types of primary keys

Single attribute
  o Partition key (old name: hash key)
  o Only one attribute is set as the unique id

Composite attribute
  o Two attributes combined together form the unique key
  o Partition key and sort key (old names: hash key and range key)
  o Partition key - unique id - example: UserId
  o Sort key - any attribute that can be sorted - example: the date a response was created/modified on a forum site
  o Example: UserId + the date the user posted a response on the forum site

DynamoDB uses the partition key value as input to an internal hash function; the hash output determines the partition in which the item is stored. With a composite key, two items in a table can have the same partition key value, but their sort key values must be different. All items with the same partition key are stored together, in sorted order by sort key value.

68.1 Indexes

Two types
  o Local Secondary Index (LSI) - same partition key as the table, different sort key (e.g. 101 - 08/19/2017 12:38). Can ONLY be created when the table is created; it cannot be removed or modified later.
  o Global Secondary Index (GSI) - can have a different partition key and a different sort key from the table. Can be created with the table or added later.

69.1 DynamoDB Streams
- Capture any modification to a DynamoDB table, in near real time
- Add a new item - the stream captures an image of the entire item, all attributes
- Update an item - the stream captures the before and after images of the item
- Delete an item - the stream captures the entire item before it was deleted
- Which images are recorded depends on the stream view type (KEYS_ONLY, NEW_IMAGE, OLD_IMAGE, NEW_AND_OLD_IMAGES)
- Stream records are kept for 24 hours, after which they are lost
- A stream can be used to trigger a Lambda function

70.1 Query & Scan

Query
  o Finds items in a table using primary key attribute values
  o Give the partition key attribute name and a value to search for
  o Optionally provide a sort key condition, e.g. give a UserId and dates between 18 and 19
  o By default returns all attributes; use the ProjectionExpression parameter to return only the specified attributes
  o By default results are sorted by the sort key in ascending order; set ScanIndexForward to false for descending order
  o By default eventually consistent; set ConsistentRead to true if you want a strongly consistent read

Scan
  o Examines every item in the table
  o Returns all attributes by default; use ProjectionExpression to return only some of the attributes
  o A FilterExpression can narrow the results, but it is applied after the items are read, so the full scan still consumes capacity

Scan vs Query
- Query is efficient: it reads only the items matching the partition key
- Scan reads the whole table, is slow on large tables and consumes a lot of provisioned throughput

71.1 Provisioned Throughput

Provisioned read throughput
- Reads are measured in 4 KB units: item sizes are rounded up to the next 4 KB
- One read capacity unit (RCU) = 1 strongly consistent read per second of up to 4 KB, or 2 eventually consistent reads per second of up to 4 KB

Provisioned write throughput
- Writes are measured in 1 KB units: item sizes are rounded up to the next 1 KB
- One write capacity unit (WCU) = 1 write per second of up to 1 KB

Read capacity formula
  o RCUs = (size of each read rounded up to the nearest 4 KB / 4 KB) * number of reads per second
  o Divide by 2 for eventually consistent reads

Write capacity formula
  o WCUs = (size of each write rounded up to the nearest 1 KB / 1 KB) * number of writes per second

If an application exceeds the provisioned throughput for a table or for one or more of its global secondary indexes, DynamoDB returns an HTTP 400 error with ProvisionedThroughputExceededException ("You exceeded your maximum allowed provisioned throughput for a table or for one or more global secondary indexes"). The AWS SDKs retry these errors with exponential backoff.
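The two formulas above, worked as a small calculator. This is an added example, not code from the original notes: it implements the 4 KB / 1 KB rounding and the eventual-consistency halving described in this section and reports whether a given sustained workload fits the capacity you provisioned. The item sizes and rates in main() are constructed.

```python
"""DynamoDB provisioned-capacity calculator: an added example, not code from the
original notes. It implements the RCU/WCU formulas from the section above: reads
are billed in 4 KB units, writes in 1 KB units, and an eventually consistent read
costs half of a strongly consistent one. The workloads in main() are constructed
for illustration."""
import math

READ_UNIT_BYTES = 4 * 1024    # one RCU covers one read of up to 4 KB per second
WRITE_UNIT_BYTES = 1 * 1024   # one WCU covers one write of up to 1 KB per second


def read_capacity_units(item_size_bytes, reads_per_second, strongly_consistent=True):
    """RCUs needed to sustain `reads_per_second` reads of items of `item_size_bytes`."""
    if item_size_bytes <= 0 or reads_per_second < 0:
        raise ValueError("item size must be positive and read rate non-negative")
    units_per_read = math.ceil(item_size_bytes / READ_UNIT_BYTES)  # round up to 4 KB chunks
    rcus = units_per_read * reads_per_second
    if not strongly_consistent:
        rcus = math.ceil(rcus / 2)  # eventually consistent reads cost half
    return rcus


def write_capacity_units(item_size_bytes, writes_per_second):
    """WCUs needed to sustain `writes_per_second` writes of items of `item_size_bytes`."""
    if item_size_bytes <= 0 or writes_per_second < 0:
        raise ValueError("item size must be positive and write rate non-negative")
    units_per_write = math.ceil(item_size_bytes / WRITE_UNIT_BYTES)  # round up to 1 KB chunks
    return units_per_write * writes_per_second


def throughput_fits(provisioned_rcu, provisioned_wcu, item_size_bytes,
                    reads_per_second, writes_per_second, strongly_consistent=True):
    """True if a sustained workload stays inside the provisioned capacity.

    Above this rate DynamoDB starts answering with HTTP 400
    ProvisionedThroughputExceededException (short bursts may still be absorbed
    by burst capacity, which this calculation deliberately ignores).
    """
    need_r = read_capacity_units(item_size_bytes, reads_per_second, strongly_consistent)
    need_w = write_capacity_units(item_size_bytes, writes_per_second)
    return need_r <= provisioned_rcu and need_w <= provisioned_wcu


if __name__ == "__main__":
    # Constructed workload: 6 KB items, 100 reads/s and 50 writes/s.
    print("strong RCU:", read_capacity_units(6144, 100))                               # 200
    print("eventual RCU:", read_capacity_units(6144, 100, strongly_consistent=False))  # 100
    print("WCU:", write_capacity_units(6144, 50))                                      # 300
    print("fits 200/300:", throughput_fits(200, 300, 6144, 100, 50))                   # True
```

Note that a 4097-byte item costs two read units, not one: rounding happens per item, before multiplying by the rate, which is where most under-provisioning mistakes come from.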

72.1 Web Identity Provider to connect to DynamoDB

Web identity providers (Facebook, Google, Login with Amazon, etc.) let a mobile or web app use the provider's own authentication to obtain AWS credentials. It works as follows:

- The user logs in to the web identity provider from a smartphone or other device
- The provider returns a token
- The app sends the token and the ARN of an IAM role to AWS STS using the AssumeRoleWithWebIdentity API
- STS returns temporary credentials (AccessKeyId, SecretAccessKey, SessionToken, Expiration) together with an AssumedRoleId. The role's permission policy can refer to the provider's user id, for example to limit a user to items whose leading key equals their own id (dynamodb:LeadingKeys)
- The credentials are valid from 15 minutes up to the role's maximum session duration (default 1 hour)
- Caveat: the role's trust policy should restrict the token's audience to your application's client/app id (for example a Condition on accounts.google.com:aud for Google), otherwise a token the provider issued to a different application could be used to assume the role


73.1 DynamoDB - Other Key Points

Conditional writes
  o By default, DynamoDB write operations (PutItem, UpdateItem, DeleteItem) are unconditional: each of them overwrites (or deletes) an existing item that has the specified primary key.
  o Conditional writes are helpful when multiple users attempt to modify the same item.
  o Conditional writes are idempotent: you can send the same conditional write request to DynamoDB multiple times, but it has no further effect on the item after the first time DynamoDB performs the update.
  o A plain read followed by an unconditional write is two separate operations, so two clients can read the same value and both write it back; one update is silently lost, which most business logic cannot accept.
  o If the business logic requires accuracy and updates a value based on some condition, use conditional writes (ConditionExpression); a failed condition returns ConditionalCheckFailedException.

Atomic counters
  o All write requests are applied in the order in which they were received
  o Example: website visit counter (UpdateItem with an ADD or SET count = count + :inc expression)
  o Not idempotent: sending the same increment twice increments twice, because there is no condition on the update

Other points
  o Item collection maximum size is 10 GB (applies to tables with local secondary indexes)
  o API operations: CreateTable, UpdateTable, DeleteTable, ListTables, PutItem, GetItem, UpdateItem, DeleteItem, BatchGetItem, BatchWriteItem, Query, Scan
  o Optimistic locking - a strategy to ensure that the client-side item you are updating (or deleting) is the same as the item in DynamoDB. With optimistic locking, each item has an attribute that acts as a version number. When you retrieve an item from a table, the application records the item's version number. You can update the item, but only if the version number on the server side has not changed. If there is a version mismatch, someone else modified the item before you did, and the update attempt fails because you have a stale version. If this happens, simply retrieve the item again and retry the update.
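The conditional-write and optimistic-locking points above, put into a read / modify / conditional-write loop. This is an added example, not code from the original notes: update_balance() uses the boto3 low-level client call shape (UpdateItem with a ConditionExpression on a version attribute) and retries when it loses the race. FakeDynamoDB is a constructed in-memory stand-in with the same method signatures so the loop can be run offline; in real use pass boto3.client("dynamodb") instead. The table name, key attribute and the balance/version attributes are assumptions.

```python
"""Optimistic locking with a DynamoDB conditional write: an added example, not
code from the original notes. The item carries a `version` attribute; UpdateItem
succeeds only if the version on the server still equals the one that was read.
A stale client gets ConditionalCheckFailedException, re-reads and retries.
FakeDynamoDB is a constructed stand-in for boto3.client("dynamodb")."""


class StaleItemError(RuntimeError):
    """Raised when the conditional write keeps losing the race."""


def update_balance(client, table, account_id, delta, max_attempts=5):
    """Add `delta` to the account's balance, guarded by its version number."""
    key = {"account_id": {"S": account_id}}
    for _ in range(max_attempts):
        current = client.get_item(TableName=table, Key=key, ConsistentRead=True).get("Item")
        if current is None:
            raise KeyError(f"no item for account {account_id}")
        version = int(current["version"]["N"])
        new_balance = int(current["balance"]["N"]) + delta
        if new_balance < 0:
            # Business rule evaluated client-side; safe because the write below is
            # rejected if the balance we computed from has changed meanwhile.
            raise ValueError("insufficient funds")
        try:
            client.update_item(
                TableName=table,
                Key=key,
                UpdateExpression="SET #b = :b, #v = :next",
                ConditionExpression="#v = :expected",  # reject if someone else wrote first
                ExpressionAttributeNames={"#b": "balance", "#v": "version"},
                ExpressionAttributeValues={
                    ":b": {"N": str(new_balance)},
                    ":next": {"N": str(version + 1)},
                    ":expected": {"N": str(version)},
                },
            )
            return {"balance": new_balance, "version": version + 1}
        except client.exceptions.ConditionalCheckFailedException:
            continue  # lost the race: re-read the item and try again
    raise StaleItemError(f"gave up after {max_attempts} attempts")


class _ConditionalCheckFailedException(Exception):
    pass


class FakeDynamoDB:
    """Constructed in-memory stand-in for the boto3 DynamoDB client.

    Supports only what update_balance() uses: put_item, get_item, and update_item
    with a "SET #a = :x, ..." expression plus an equality ConditionExpression.
    """

    class exceptions:  # mirrors client.exceptions.ConditionalCheckFailedException
        ConditionalCheckFailedException = _ConditionalCheckFailedException

    def __init__(self, key_attr):
        self.key_attr = key_attr
        self._items = {}

    def _k(self, table, key):
        return (table, tuple(key[self.key_attr].items()))

    def put_item(self, TableName, Item):
        self._items[self._k(TableName, {self.key_attr: Item[self.key_attr]})] = dict(Item)
        return {}

    def get_item(self, TableName, Key, ConsistentRead=False):
        item = self._items.get(self._k(TableName, Key))
        return {"Item": dict(item)} if item else {}

    def update_item(self, TableName, Key, UpdateExpression, ConditionExpression,
                    ExpressionAttributeNames, ExpressionAttributeValues):
        item = self._items.setdefault(self._k(TableName, Key), dict(Key))
        names, values = ExpressionAttributeNames, ExpressionAttributeValues
        attr, _, placeholder = ConditionExpression.split()          # "#v = :expected"
        if item.get(names[attr]) != values[placeholder]:
            raise self.exceptions.ConditionalCheckFailedException("The conditional request failed")
        for clause in UpdateExpression[len("SET "):].split(","):    # "#b = :b"
            attr, _, placeholder = clause.split()
            item[names[attr]] = values[placeholder]
        return {}


if __name__ == "__main__":
    db = FakeDynamoDB(key_attr="account_id")
    db.put_item(TableName="Accounts", Item={"account_id": {"S": "a1"},
                                            "balance": {"N": "100"}, "version": {"N": "0"}})
    print(update_balance(db, "Accounts", "a1", -30))  # {'balance': 70, 'version': 1}
```

The condition is what turns the client-side "insufficient funds" check into a safe one: without it, two withdrawals that both read a balance of 100 would both succeed.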

74.1 Batch Operations

For applications that need to read or write multiple items, DynamoDB provides the BatchGetItem and BatchWriteItem operations. Using them reduces the number of network round trips from your application to DynamoDB.
  o BatchGetItem - a single call can retrieve up to 100 items, up to 16 MB of data in total, and can read from multiple tables
  o BatchWriteItem - a single call can put or delete up to 25 items (up to 16 MB), across multiple tables; it cannot update items and does not support conditions
  o Either call can return UnprocessedKeys / UnprocessedItems when throughput is exceeded; the application must retry those

UpdateTable - does not consume capacity units. Modifies the provisioned throughput settings, global secondary indexes, or DynamoDB Streams settings for a given table.

7 SQS (Simple Queue Service)

Read and understand MQ and message queue basics first.

- Used by distributed applications to decouple sending and receiving components
- SQS was the first AWS service made available
- It is a web service that gives you access to a message queue, a temporary repository for messages that are awaiting processing
- SQS makes it simple and cost-effective to decouple and coordinate the components of a cloud application; it is a distributed queue system
- Lets you quickly and reliably queue messages to be processed by application servers
  o Example: web application. Loose coupling means the web server and the application server run independently; if the application server is down, the message stays in the queue until a server is back to process it
- A message can contain up to 256 KB of text in any format
  o Minimum 1 byte, maximum 256 KB
  o To send more than 256 KB, use the Amazon SQS Extended Client Library for Java, which stores the payload in S3 and puts a reference in the queue
- Any component can retrieve messages programmatically from the queue using the SQS API
- Acts as a buffer between the web server (produces and saves) and the application server (receives and processes). This resolves issues such as
  o the web server working faster than the application server: it creates messages and puts them in the queue
  o the web server and application server being only intermittently connected to the network
- SQS ensures delivery of each message at least once
- Supports multiple readers and writers; a single queue can be used by many application components without coordination between them
- SQS Standard queues do not guarantee FIFO delivery. Design messages so that each one stands on its own and order does not matter; if order is required, add sequencing information to the messages and order them after receipt (or use a FIFO queue)
- SQS does not PUSH messages; the application server must poll the queue regularly and PULL messages
- Enables parallel, asynchronous processing

75.1 SQS Visibility Timeout

The visibility timeout is a period of time during which Amazon SQS prevents other consuming components from receiving and processing a message that one consumer has already received.

- The web server puts the message in the queue
- The visibility timeout starts the moment an application server receives the message from the queue
- Once processing is complete, the application server deletes the message from the queue. Only deleting it from the queue counts as completion
- If the application server goes down before deleting it, the message becomes visible again when the timeout expires and is read by another application server
- The message retention period can be set to a value from 1 minute to 14 days; the default is 4 days. Once the retention limit is reached, messages are automatically deleted. Maximum retention is 14 days
- Visibility timeout: default 30 seconds, minimum 0, maximum 12 hours
- To extend the timeout while still processing a message, call ChangeMessageVisibility with a new value; SQS restarts the timeout period from that call. A request that would extend the visibility timeout beyond 12 hours is rejected
- You can create any number of queues in SQS; there is no limit
- You can configure an access policy that allows anonymous users to access a queue (Principal "*" with no condition). Do not do this in practice: anyone on the internet could then send, read or delete messages. Restrict the policy to specific principals, or to a service such as SNS combined with an aws:SourceArn condition

76.1 SQS Auto Scaling

SQS itself does not scale your consumers; you configure EC2 Auto Scaling to do it. Create a CloudWatch alarm on the queue's ApproximateNumberOfMessagesVisible metric; when the number of messages in the queue exceeds the threshold, the alarm triggers a scaling policy that increases the number of application servers processing the queue (and a second alarm scales them back in when the backlog shrinks).

77.1 SQS Pricing
- Message size is 256 KB (initially it was 64 KB)
- First 1 million SQS requests per month are free
- $0.50 per 1 million SQS requests per month (price in these notes at the time of writing)
- A single request (batch) can carry 1 to 10 messages, up to 256 KB in total
- Each 64 KB chunk of a payload is billed as 1 request

78.1 SQS Delivery

Messages can be delivered multiple times and in any order (standard queue).
- If you need to prioritize messages, set up two queues: one for high-priority messages and one for low priority

79.1 SQS Long Polling
- In the standard way, short polling, the server polls the queue and gets an empty response when there are no messages; there is a charge for every poll request
- To avoid that expense, SQS offers long polling, which makes the ReceiveMessage request wait up to a maximum amount of time and return as soon as a message arrives in the queue
- Maximum long poll timeout is 20 seconds; minimum is 0 seconds (which is short polling)
- Set it per queue with ReceiveMessageWaitTimeSeconds (0 to 20 seconds), or per request with the WaitTimeSeconds parameter of ReceiveMessage


80.1 SQS Fan-out

Create multiple SQS queues and subscribe them to one SNS topic. As soon as a message is published to the SNS topic, it is fanned out to all subscribed SQS queues. Each queue needs an access policy that allows the SNS service to call sqs:SendMessage on it, restricted to the topic's ARN with an aws:SourceArn condition.
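The queue policy that fan-out needs, beside the "anonymous access" policy mentioned under visibility timeout, with a small checker that flags the dangerous one. This is an added example, not code from the original notes or from AWS: the ARNs, account id and queue/topic names are constructed placeholders, and check_queue_policy() only looks for the specific mistakes discussed here (wildcard principal with no condition, an SNS grant without aws:SourceArn, wildcard actions).

```python
"""SQS queue policy for SNS fan-out plus a check for anonymous access: an added
example, not code from the original notes. OPEN_POLICY is the "anyone may use the
queue" policy that SQS allows you to configure; fanout_queue_policy() is the
hardened form that only lets the SNS service deliver from one topic.
All ARNs and names are constructed placeholders."""
import json

QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:orders-queue"
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:orders"

# Anyone on the internet can send, receive and delete messages. Never deploy this.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage"],
        "Resource": QUEUE_ARN,
    }],
}


def fanout_queue_policy(queue_arn, topic_arn):
    """Queue policy that lets only the SNS service deliver, and only from `topic_arn`."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowSNSFanout",
            "Effect": "Allow",
            "Principal": {"Service": "sns.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            # Without this condition any SNS topic in any AWS account could write here.
            "Condition": {"ArnEquals": {"aws:SourceArn": topic_arn}},
        }],
    }


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (anonymous / every AWS account)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        values = aws if isinstance(aws, list) else [aws]
        return "*" in values
    return False


def check_queue_policy(policy):
    """Return human-readable findings for Allow statements that are too broad."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        principal = stmt.get("Principal")
        if _is_wildcard_principal(principal) and "Condition" not in stmt:
            findings.append(f"{sid}: Allow to Principal * without any Condition (anonymous access)")
        elif principal == {"Service": "sns.amazonaws.com"} and "Condition" not in stmt:
            findings.append(f"{sid}: SNS may deliver from any topic in any account; add aws:SourceArn")
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if any(a in ("*", "sqs:*") for a in actions):
            findings.append(f"{sid}: wildcard Action grants every queue operation")
    return findings


def policy_json(policy):
    """Serialize a policy the way it is passed to SetQueueAttributes (Policy attribute)."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(policy_json(fanout_queue_policy(QUEUE_ARN, TOPIC_ARN)))
    print("open policy findings:", check_queue_policy(OPEN_POLICY))
    print("fan-out policy findings:", check_queue_policy(fanout_queue_policy(QUEUE_ARN, TOPIC_ARN)))
```

The policy_json() output is what goes into the queue's Policy attribute (SetQueueAttributes, or the SQS console). Subscribing the queue to the topic is a separate step; without the policy the subscription exists but SNS deliveries are rejected.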

81.1 SNS - Simple Notification Service

- Amazon SNS is a fully managed pub/sub messaging service that makes it easy to decouple and scale microservices, distributed systems, and serverless applications.
- With SNS, you use topics to decouple message publishers from subscribers, fan out messages to multiple recipients at once, and eliminate polling in your applications.
- SNS supports a variety of subscription types, allowing you to push messages directly to Amazon SQS queues, AWS Lambda functions, and HTTP endpoints.
- AWS services such as Amazon EC2, Amazon S3 and Amazon CloudWatch can publish messages to your SNS topics to trigger event-driven computing and workflows.
- SNS works with SQS to provide a powerful messaging solution for building cloud applications that are fault tolerant and easy to scale.
- SNS is a web service that sends notifications from the cloud; a cost-effective way to publish messages from an application
- Follows the publish-subscribe messaging paradigm and supports a PUSH mechanism
- Using the simple API, developers can build applications for sending messages; pay-as-you-go pricing
- A topic name can be up to 256 characters
- The token included in the confirmation message sent to an endpoint on a subscription request is valid for 3 days
- Once a message has been published to a topic, it cannot be recalled
- SNS guarantees at-least-once delivery of a message to SQS

82.1 SNS Topics

- A topic is an access point: it lets you send a notification to a group of multiple recipients
- One topic can support deliveries to multiple endpoint types (iOS, Android, ...); AWS takes care of formatting per platform
- Pricing
  o $0.50 per 1 million requests (price in these notes at the time of writing)
- Protocols it supports
  o HTTP
  o HTTPS
  o Email
  o Email-JSON
  o Amazon SQS
  o Application (mobile push)
  o also AWS Lambda and SMS
- SNS messages can be customized per protocol

83.1 SQS vs SNS

SQS                                                  | SNS
SQS is a distributed queuing system                  | SNS is a distributed publish-subscribe system
Receivers have to poll SQS to receive messages       | Messages are pushed to subscribers as soon as publishers send them
A message is processed by one receiver at a time     | A message can be received by multiple subscribers at the same time
Polling inherently introduces some latency           | Messages are immediately pushed to subscribers
Message size is 256 KB                               | Message size is 256 KB

Both are messaging services: SQS - PULL (poll), SNS - PUSH. SNS pushes notifications directly to mobile devices, email, SQS queues and HTTP endpoints. To avoid message loss, both store messages redundantly across multiple AZs.

84.1 Important Points

For Amazon SNS to send notification messages to mobile endpoints, whether directly or through subscriptions to a topic, you first need to register the app with AWS. To register your mobile app, enter a name to represent the app, select the platform that will be supported, and provide your credentials for that platform's notification service. After the app is registered, the next step is to create an endpoint for the app and mobile device; the endpoint is then used by Amazon SNS to send notification messages to the app and device.

SNS SubscriptionConfirmation message body contains:
  o "Type"
  o "MessageId"
  o "Token"
  o "TopicArn"
  o "Message"
  o "SubscribeURL"
  o "Timestamp" (e.g. "2012-04-26T20:45:04.751Z")
  o "SignatureVersion" ("1")
  o "Signature"
  o "SigningCertURL"

SNS Notification message body contains:
  o "Type"
  o "MessageId"
  o "TopicArn"
  o "Subject" (optional)
  o "Message"
  o "Timestamp" (e.g. "2012-04-26T20:45:04.751Z")
  o "SignatureVersion" ("1")
  o "Signature"
  o "SigningCertURL"
  o "UnsubscribeURL"

An HTTP/HTTPS endpoint must verify the Signature against the certificate at SigningCertURL (after checking that the URL really points at an SNS amazonaws.com host over HTTPS) before acting on a message; otherwise anyone who can reach the endpoint can forge notifications or unsubscribe it.
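How the Signature, SignatureVersion and SigningCertURL fields above are used by a receiving endpoint. This is an added example, not code from the original notes or from AWS: it validates the certificate URL, rebuilds the canonical string SNS signs (a fixed, ordered set of fields, with Subject included only when present) and verifies the RSA signature with the `cryptography` package, which is assumed to be installed. Downloading the certificate is left to the caller, and SAMPLE_NOTIFICATION is a constructed message, not real SNS output.

```python
"""Verifying an SNS HTTP/HTTPS message before trusting it: an added example, not
code from the original notes or from AWS. Steps: (1) SigningCertURL must be an
https URL on an SNS amazonaws.com host, so an attacker cannot point the endpoint
at a certificate they control; (2) rebuild the canonical string SNS signed,
"Name\\nValue\\n" for a fixed ordered set of fields; (3) verify the base64
Signature over that string with the certificate's RSA key, SHA1withRSA for
SignatureVersion "1" and SHA256withRSA for "2". The RSA step uses the
`cryptography` package (assumed installed). SAMPLE_NOTIFICATION is constructed."""
import base64
import re
from urllib.parse import urlparse

# Fields in the string to sign, in the order SNS uses.
NOTIFICATION_FIELDS = ("Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type")
CONFIRMATION_FIELDS = ("Message", "MessageId", "SubscribeURL", "Timestamp", "Token",
                       "TopicArn", "Type")
CERT_HOST = re.compile(r"^sns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$")

SAMPLE_NOTIFICATION = {  # constructed sample; the Signature value is a placeholder
    "Type": "Notification",
    "MessageId": "00000000-0000-4000-8000-000000000001",
    "TopicArn": "arn:aws:sns:us-east-1:123456789012:orders",
    "Subject": "Orders",
    "Message": "Hello world!",
    "Timestamp": "2012-04-26T20:45:04.751Z",
    "SignatureVersion": "1",
    "Signature": "cGxhY2Vob2xkZXI=",
    "SigningCertURL": "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-0123456789abcdef.pem",
    "UnsubscribeURL": "https://sns.us-east-1.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-1:123456789012:orders:00000000-0000-4000-8000-000000000002",
}


def signing_cert_url_is_valid(url):
    """Accept only https URLs on an SNS amazonaws.com host that point at a .pem file."""
    parts = urlparse(url)
    return (parts.scheme == "https"
            and parts.hostname is not None
            and CERT_HOST.match(parts.hostname) is not None
            and parts.path.endswith(".pem"))


def string_to_sign(msg):
    """Rebuild the canonical string SNS signed for this message."""
    msg_type = msg.get("Type")
    if msg_type == "Notification":
        fields = NOTIFICATION_FIELDS
    elif msg_type in ("SubscriptionConfirmation", "UnsubscribeConfirmation"):
        fields = CONFIRMATION_FIELDS
    else:
        raise ValueError(f"unknown SNS message type: {msg_type!r}")
    parts = []
    for name in fields:
        if name == "Subject" and name not in msg:
            continue  # Subject is optional and simply omitted when absent
        if name not in msg:
            raise ValueError(f"message is missing the {name} field")
        parts.append(f"{name}\n{msg[name]}\n")
    return "".join(parts)


def verify_sns_message(msg, cert_pem):
    """Return True only if msg["Signature"] verifies under the certificate in cert_pem.

    cert_pem must be the certificate downloaded from msg["SigningCertURL"], and that
    download must happen only after signing_cert_url_is_valid() returned True.
    """
    if not signing_cert_url_is_valid(msg.get("SigningCertURL", "")):
        return False
    version = msg.get("SignatureVersion")
    if version not in ("1", "2"):
        return False
    from cryptography import x509
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding

    digest = hashes.SHA1() if version == "1" else hashes.SHA256()
    try:
        public_key = x509.load_pem_x509_certificate(cert_pem).public_key()
        public_key.verify(base64.b64decode(msg["Signature"]),
                          string_to_sign(msg).encode("utf-8"),
                          padding.PKCS1v15(), digest)
        return True
    except (InvalidSignature, KeyError, ValueError):
        return False
```

Check the URL before fetching anything: an endpoint that downloads whatever SigningCertURL says and verifies against it has verified nothing, since the attacker supplies both the signature and the key. Cache the certificate by URL; SNS reuses the same one for a long time.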

SNS Message Attributes
  o Message attributes let you provide structured metadata items about the message
  o Optional and separate from the message body
  o Used by the receiver of the message to help decide how to handle it
  o Name, Type, and Value must NOT be empty or null; the message body must NOT be empty or null either
  o All parts of a message attribute, including name, type, and value, count toward the message size restriction, which is currently 256 KB

To receive messages published to a topic, you have to subscribe an endpoint to that topic. An endpoint is a mobile app, web server, email address, or an Amazon SQS queue that can receive notification messages from Amazon SNS. Once you subscribe an endpoint to a topic and the subscription is confirmed, the endpoint receives all messages published to that topic.

Benefits
- Instantaneous, push-based delivery (no polling)
- Simple APIs and easy integration with applications
- Flexible message delivery over multiple transport protocols
- Inexpensive, pay-as-you-go model with no up-front costs
- Web-based AWS Management Console offers the simplicity of a point-and-click interface


8 SWF - Simple Workflow Service

- Amazon SWF is a web service for automating workflows that include long-running human tasks (e.g. approvals, reviews, investigations)
- Amazon SWF reliably tracks the status of processing steps that run for up to several days or months
- Easy to coordinate work across distributed application components
- Tasks represent invocations of processing steps in an application, performed by executable code, web services or human action
- Workers and deciders
  o Workers - programs that interact with SWF to get tasks, process them and return the results
  o A workflow starter is any application that can initiate workflow executions. In the e-commerce example, one workflow starter could be the website at which the customer places an order
  o Decider - an implementation of a workflow's coordination logic. Deciders control the flow of activity tasks in a workflow execution
  o Humans can perform an activity task, but not a decision task
  o The decider program controls the coordination of tasks: ordering, concurrency and scheduling, and changing the flow when a condition is not met
- Maintaining your application's execution state (e.g. which steps have completed, which ones are running) is a perfect use case for SWF
- Amazon SWF brokers the interactions between workers and the decider: it stores tasks and assigns them to workers when they are ready
- Guarantees delivery order of messages/tasks; ensures a task is assigned only once and is never duplicated
- Long polling - a poll request holds the connection for up to 60 seconds

85.1 SWF vs SQS
- SWF - task oriented; SQS - message oriented
- SWF - a task is assigned only once and is never duplicated; SQS - standard queues deliver at least once, so duplicates are possible
- SWF - keeps track of all tasks and events in an application; SQS - you need to implement that tracking yourself

86.1 SWF Domain

Domains provide a way of scoping Amazon SWF resources within your AWS account. All the components of a workflow, such as the workflow type and activity types, must be specified to be in a domain.
- A domain is a kind of container; register it in the AWS Management Console or by calling the RegisterDomain API
- Domain = workflow types + activity types + workflow executions
- Parameters are specified in JSON format (JavaScript Object Notation)
- Maximum workflow execution time is 1 year, measured in seconds (compare SQS: visibility timeout maximum 12 hours, retention maximum 14 days)
- You can have
  o a maximum of 10,000 workflow and activity types
  o a maximum of 100 SWF domains in your AWS account

9 CloudFormation (Infrastructure as Code)

- AWS CloudFormation gives developers and systems administrators an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion
- You can use AWS CloudFormation's sample templates or create your own templates to describe the AWS resources, and any associated dependencies or runtime parameters, required to run your application
- You can deploy and update a template and its associated collection of resources (called a stack)
- Templates are simple JSON or YAML formatted text files; templated, script-based AWS resource creation makes managing AWS resources easy
- Create a template for the services and applications you want to build on AWS; CloudFormation uses the template to provision those services quickly, as a stack, which you can easily update
- Many services can be included (EC2, RDS, VPC, ...) and combined in one template
- Add the desired resources and configuration to a template; CloudFormation figures out the sequence of steps required for provisioning and makes the lower-level API calls
- A template can easily be replicated in another account; developers, sysops and network architects use CloudFormation templates (JSON or YAML) or the pre-built sample templates
- CloudFormation checks whether each resource was created correctly; if there is an issue (such as invalid template syntax or a resource that fails to create), it rolls back all resources in the stack

Steps
- Create a new stack; the LAMP sample stack is a basic one that provides an EC2 instance
- Fn::GetAtt returns an attribute of a created resource, for example the EC2 instance's public DNS name
- The default scripting notation for CloudFormation is JSON; YAML is also accepted
- The output is also in JSON format
- Rollback is enabled by default, which rolls back all resources in the template if any one fails
- CloudFormation itself is free; the resources it provisions are charged at the usual rates
- CloudFormation lets you define deletion policies for resources in the template (the DeletionPolicy attribute: Delete, Retain or Snapshot), so deleting a stack does not have to delete the data

List of intrinsic functions
- Fn::GetAtt - returns the value of an attribute from a resource in the template
  { "Fn::GetAtt" : [ "logicalNameOfResource", "attributeName" ] }
  Example: "Fn::GetAtt" : [ "myELB", "DNSName" ] returns a string containing the DNS name of the load balancer with the logical name myELB
- Fn::Join - appends a set of values into a single value, separated by the specified delimiter
  { "Fn::Join" : [ "delimiter", [ comma-delimited list of values ] ] }
  Example: "Fn::Join" : [ ":", [ "a", "b", "c" ] ] - output is "a:b:c"
- Fn::Select - returns a single object from a list of objects by index
  { "Fn::Select" : [ index, listOfObjects ] }
- Fn::FindInMap - returns the value corresponding to keys in a two-level map that is declared in the Mappings section
  { "Fn::FindInMap" : [ "MapName", "TopLevelKey", "SecondLevelKey" ] }

Template structure (JSON or YAML)
- AWSTemplateFormatVersion (optional)
- Description (optional)
- Metadata (optional)
- Parameters (optional) - intrinsic functions cannot be used here
- Mappings (optional)
- Conditions (optional)
- Transform (optional)
- Resources (required) - the only required section; intrinsic functions are used in resource properties
- Outputs (optional) - intrinsic functions are used here too
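The intrinsic functions and template sections above, exercised by a small evaluator. This is an added example, not code from the original notes or from AWS (it is not the CloudFormation engine): it resolves Fn::GetAtt, Fn::Join, Fn::Select, Fn::FindInMap and Ref to a parameter, including nested use, and enforces that Resources is the only required section. TEMPLATE and the resource attribute values passed in are constructed.

```python
"""Evaluating CloudFormation intrinsic functions: an added example, not code from
the original notes or from AWS. A small stand-alone evaluator for Fn::GetAtt,
Fn::Join, Fn::Select, Fn::FindInMap and Ref (to a parameter), showing how they
nest and how values flow from Parameters, Mappings and created resources into
Outputs. TEMPLATE and the attribute values in main() are constructed."""
import json

TOP_LEVEL_SECTIONS = {"AWSTemplateFormatVersion", "Description", "Metadata", "Parameters",
                      "Mappings", "Conditions", "Transform", "Resources", "Outputs"}

TEMPLATE = {  # constructed template fragment
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {"EnvType": {"Type": "String", "Default": "prod"}},
    "Mappings": {"EnvToSubnet": {"prod": {"CIDR": "10.0.1.0/24"},
                                 "test": {"CIDR": "10.0.2.0/24"}}},
    "Resources": {"myELB": {"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
                            "Properties": {}}},
    "Outputs": {
        "ELBEndpoint": {"Value": {"Fn::Join": [":", [{"Fn::GetAtt": ["myELB", "DNSName"]}, "443"]]}},
        "SubnetCidr": {"Value": {"Fn::FindInMap": ["EnvToSubnet", {"Ref": "EnvType"}, "CIDR"]}},
        "SecondAZ": {"Value": {"Fn::Select": ["1", ["us-east-1a", "us-east-1b", "us-east-1c"]]}},
    },
}


def validate_template(template):
    """Resources is the only required section; every other section is optional."""
    unknown = set(template) - TOP_LEVEL_SECTIONS
    if unknown:
        raise ValueError(f"unknown top-level section(s): {sorted(unknown)}")
    if not template.get("Resources"):
        raise ValueError("Resources section is required and must not be empty")


def resolve(value, template, parameters, attributes):
    """Recursively evaluate intrinsic functions inside `value`.

    parameters: {ParamName: value} supplied at stack creation (defaults fill the rest)
    attributes: {LogicalId: {AttributeName: value}} reported by the created resources
    """
    r = lambda v: resolve(v, template, parameters, attributes)
    if isinstance(value, list):
        return [r(v) for v in value]
    if not isinstance(value, dict):
        return value
    if len(value) != 1:
        return {k: r(v) for k, v in value.items()}
    (name, arg), = value.items()
    if name == "Ref":
        if arg in parameters:
            return parameters[arg]
        default = template.get("Parameters", {}).get(arg, {}).get("Default")
        if default is None:  # Ref to a resource would need its physical id; out of scope here
            raise KeyError(f"Ref to unknown parameter or resource: {arg}")
        return default
    if name == "Fn::GetAtt":
        logical_id, attr = r(arg)
        if logical_id not in template["Resources"]:
            raise KeyError(f"Fn::GetAtt on unknown resource {logical_id}")
        return attributes[logical_id][attr]
    if name == "Fn::Join":
        delimiter, values = arg
        return delimiter.join(str(v) for v in r(values))
    if name == "Fn::Select":
        index, objects = arg
        return r(objects)[int(r(index))]
    if name == "Fn::FindInMap":
        map_name, top_key, second_key = r(arg)
        return template["Mappings"][map_name][top_key][second_key]
    return {name: r(arg)}  # a plain one-key object, not an intrinsic function


def resolve_outputs(template, parameters=None, attributes=None):
    """Evaluate every entry in Outputs; returns {OutputName: resolved value}."""
    validate_template(template)
    outputs = template.get("Outputs", {})
    return {k: resolve(v["Value"], template, parameters or {}, attributes or {})
            for k, v in outputs.items()}


if __name__ == "__main__":
    created = {"myELB": {"DNSName": "my-elb-1234567890.us-east-1.elb.amazonaws.com"}}
    print(json.dumps(resolve_outputs(TEMPLATE, {"EnvType": "test"}, created), indent=2))
```

The same Ref-into-FindInMap pattern is how one template serves several environments: the parameter picks the mapping row, and each stack created from the template gets its own values.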

- ListStackResources - lists all resources that belong to a CloudFormation stack
- Use application bootstrapping scripts (instance UserData, cfn-init) to install software, packages and services on the instances a stack creates
- You can create any number of templates, but the initial limit is 200 stacks per account (it can be raised on request)
  o Template - is just a file, with Conditions for SIT/UAT/PROD
  o Stack - the result of applying a template in your account; based on the environment parameter, it creates the specified resources
  o One template for all environments (SIT/UAT/PROD), creating different stacks
- Number of parameters and outputs per template (initial limits)
  o 60 parameters
  o 60 outputs

10 Elastic Beanstalk

- With Elastic Beanstalk, you can quickly deploy and manage applications in the AWS Cloud without worrying about the infrastructure that runs those applications
- You simply upload your application, and Elastic Beanstalk automatically handles the details of capacity provisioning, load balancing, scaling, and application health monitoring
- At the same time, you retain full control over the AWS resources powering your application and can access the underlying resources at any time
- Elastic Beanstalk uses highly reliable and scalable services that are available in the AWS Free Usage Tier
- Elastic Beanstalk supports applications developed in Java, PHP, .NET, Node.js, Python, and Ruby, as well as different container types for each language
- You can interact with Elastic Beanstalk by using the AWS Management Console, the AWS Command Line Interface (AWS CLI), or eb, a high-level CLI designed specifically for Elastic Beanstalk
- There is no additional charge for Elastic Beanstalk; you pay only for the underlying AWS resources that your application consumes
- Elastic Beanstalk provides platforms for programming languages (Java, PHP, Python, Ruby, Go), web containers (Tomcat, Passenger, Puma) and Docker containers, with multiple configurations of each
- Preconfigured platforms: Go, Python, Node.js, Java, Ruby, Tomcat, PHP, Packer, .NET
- Preconfigured Docker platforms: GlassFish, Go, Python
- Lambda vs Elastic Beanstalk: Lambda takes care of everything and you do not get full control of the environment, whereas Elastic Beanstalk sets everything up for you and gives you full control to modify the resources later. Lambda is billed per request and execution time, so you pay only for what you use and it can be much cheaper for intermittent workloads; with Elastic Beanstalk the underlying instances are billed whether you are using them or not
- Web servers per platform
  o Apache Tomcat for Java applications
  o Apache HTTP Server for PHP applications
  o Apache HTTP Server for Python applications
  o Nginx or Apache HTTP Server for Node.js applications
  o Passenger or Puma for Ruby applications
  o Microsoft IIS 7.5, 8.0, and 8.5 for .NET applications
  o Java SE, Docker and Go platforms

11 Shared Responsibility

- Describes which security responsibilities AWS has and which the customer has
- Security "of" the cloud - security measures that the cloud service provider (AWS) implements and operates
- Security "in" the cloud - security measures that the customer implements and operates, related to the security of customer content and applications that make use of AWS services
- While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site datacenter
- Where the line falls depends on the service category; there are three

1. Shared responsibility for infrastructure services (EC2, EBS, VPC)
- AWS takes care of the AWS global infrastructure (regions, AZs, edge locations) and the foundation services (compute, storage, database, networking)
- Customer takes care of the platform, application management, operating system (including patching), network configuration (security groups, NACLs), IAM and customer data
  o Example: if you deploy your customer-facing application on EC2, AWS is responsible only up to the hypervisor; everything above it is yours

2. Shared responsibility for container services (RDS, EMR, Elastic Beanstalk)
- AWS takes care of the global infrastructure and foundation services, and additionally the OS and networking configuration and platform/application management (patches)
- Customer takes care of customer data, encryption, key management, database access control and firewall rules
  o Example: Amazon RDS for Oracle is a managed database service in which AWS manages all the layers of the container, up to and including the Oracle database platform
- For services such as Amazon RDS, the AWS platform provides data backup and recovery tools, but it is your responsibility to configure and use them in line with your business continuity and disaster recovery (BC/DR) policy

3. Shared responsibility for abstracted services (S3, DynamoDB, SQS, Lambda)
- AWS is responsible for the whole stack up to and including the service platform
- Customer is responsible for customer data: its classification, its encryption (client-side, or choosing server-side encryption) and the IAM and resource policies that control who may access it

Summary
- EC2 (infrastructure): AWS up to the hypervisor
- RDS (container): AWS up to the OS and application management
- S3 (abstracted): AWS up to everything except customer data, its encryption and its access permissions


12 DNS (Domain Naming Service) DNS - IP Address resolver from the DNS name Two different IPAddress IPv4

o Old oneo 32 bit - 4 billion different ipaddresso No scaling - as the request is growing - no more

IPv6o 128 bitso 340 undecillion addresses

VPCs are IP6 compatible

Domain Nameo Top Level Domain

- .Com, .edu, .govo Second level Domain

- .co.uk, gov.uk, com.au

Domain Registero Domain name must be unique. so, it should be register somewhere and maintain ito A registrar is an authority that can assign domain names directly under one or more top-

level domaino Register with InterNIC

WhoIS - is a central database where all domain names are regsitered- GoDaddy.com, 123-reg.co.uk

87.1 SOA Records - Store of Authority Record- It stores information about who owns the domain

- name of the server, contract admin, email address...

88.1 NS Records - Name Server Records

Page 45: awscerttips.files.wordpress.com …  · Web viewContents. AWS – Amazon Web Services4. 1Basics4. 1.1Regions5. 2.1Availability Zone5. 3.1SDK Support5. 2Web Services Overview5. 4.1Networking

used by top level domain servers to direct traffic to the content DNS server which contains the authoritative DNS records

Amazon become domain registrar

89.1 A Records is fundamental type of DNS record. A stands for Address used by the computer to translate the name of the domain to IP Address

90.1 TTL (Time to Live) The length that DNS record cached on either Resolving server or user PC TTL value is equal in both resolving server and user PC if you lower the TTL value, then the DNS record propogation happens throughout the internet

91.1 CNAMES (Zone Apex Record) Canonical Name used to resolve one domain name to another m.acloud.guru to mobile.acloud.guru - same IP Address for both domain names

92.1 Alias Records

Alias records are used to map resource record sets to an ELB, S3 or CloudFront. They work the same way as CNAMEs: map one DNS name to another target DNS name. The difference between CNAME and Alias records:
- A CNAME can't be used for naked domain names (the zone apex record); you can't have a CNAME for http://acloud.guru
- The zone apex must be either an A record or an Alias
- Naked domain - the domain without www

Amazon uses Alias records to map naked domain names. Since the ELB's IP address keeps changing, Amazon Route 53 automatically recognises the change and reflects it.

93.1 Routing Policy Types - Lab
- Register a DNS name in Route 53 (there is a cost behind it)
- Create two EC2 instances and one Elastic Load Balancer; map the two EC2 instances to the ELB
- Create one EC2 instance and one ELB in another region, for example Sydney; map that EC2 instance to the ELB

1. Simple Routing Policy
- The simplest one: the user calls the DNS name, which calls the ELB
- Create a record set and map your DNS name to the ELB; this creates an A record
- This has mapped your DNS name to the ELB, so when you access your DNS name in the browser it reaches the ELB, which in turn reaches any one of the EC2 servers


2. Weighted Routing Policy
- Lets you split your traffic based on different weights assigned between two ELBs, which can be in different regions or in the same region
- Example: send 10% of your traffic to US 1 and 90% to US 2
- When you create a record set, choose Weighted as the option and enter the number

3. Latency Routing Policy
- Latency based routing allows you to route traffic based on the lowest network latency; requests are directed to the lowest-latency region or ELB
- Create an A type record set for each region and specify the region
- Route 53 directs the request based on the latency

4. Failover Routing Policy
- Useful when you want an Active/Passive set up
- When the primary server fails, Route 53 redirects all traffic to the secondary server
- Based on the health check, it identifies which one is active

5. Geolocation Routing Policy
- Based on the user's geographic location, Route 53 routes traffic to the corresponding ELB
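As an added illustration (not part of the original notes), here are the four policies above as small selection functions over constructed record sets; the target names, weights, latencies and location codes are made up for the example:

```python
import random
from typing import Dict, Optional

# Constructed record sets for the lab: one DNS name whose targets are ELBs in
# two regions. Target names, weights and latencies are made up for the example.
WEIGHTED = {"elb-us-1": 10, "elb-us-2": 90}                 # 10% / 90% split
LATENCY_MS = {"us-east-1": 80.0, "ap-southeast-2": 25.0}    # measured from the caller
GEO = {"AU": "elb-sydney", "US": "elb-us-1", "*": "elb-us-2"}  # "*" is the default


def weighted(records: Dict[str, int], roll: Optional[float] = None) -> str:
    """Weighted routing: each target is chosen in proportion to its weight.
    Pass roll in [0, 1) to make the choice deterministic (e.g. for tests)."""
    total = sum(records.values())
    if total == 0:                       # all weights zero: pick uniformly
        return random.choice(list(records))
    point = (random.random() if roll is None else roll) * total
    for target, weight in records.items():
        if point < weight:
            return target
        point -= weight
    return target                        # only reached on rounding at the edge


def latency(records: Dict[str, float]) -> str:
    """Latency routing: the record set with the lowest measured latency wins."""
    return min(records, key=records.__getitem__)


def failover(primary: str, secondary: str, health: Dict[str, bool]) -> str:
    """Failover (active/passive): the secondary answers only while the
    primary's health check is failing."""
    return primary if health.get(primary, False) else secondary


def geolocation(records: Dict[str, str], location: str) -> Optional[str]:
    """Geolocation routing: match the caller's location, else the default
    record ('*'); None when neither exists (Route 53 then gives no answer)."""
    return records.get(location, records.get("*"))
```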

13 VPC Overview (Virtual Private Cloud)
- Free - no charge
- A VPC is a virtual/logical data center inside an AWS region; a VPC can span AZs
- Amazon VPC provides a logically isolated section of the AWS Cloud; in this isolated environment you can launch your own AWS resources
- You get complete control over your virtual networking environment, for example selection of your own IP address range, subnet creation, and configuration of route tables and network gateways
- Max 5 VPCs are allowed in each AWS Region by default
- You can easily customize it: put the web server in the internet-facing public subnet, and put all app servers and databases in the private subnet
- Leverage multiple layers of security - Security Groups and ACLs - to protect EC2 instances
- Hybrid data center - refer to the VPC diagram


94.1 VPC IP Address - it is a network IP address range


- Private subnets use the private IP address ranges: 10/8 (slash 8) - 10.0.0.0 to 10.255.255.255, 172.16/12, 192.168/16
- Amazon gives the private IP address range 10.0.0.0/16
- Public Subnet - internet accessible; Private Subnet - not internet accessible
- One subnet equals one Availability Zone - a subnet cannot span multiple AZs
- Subnet IP address example: Public - 10.0.1.0/24, Private - 10.0.2.0/24
- Security Groups, Network ACLs and Route Tables span multiple AZs, but subnets do NOT

95.1 What can we do with VPC
- Launch EC2 instances into a subnet
- Assign custom IP address ranges
- Configure route tables
- Create an Internet Gateway - you can assign only ONE Internet Gateway to a subnet; more than one is not possible
- Create ACLs

96.1 Default VPC vs Custom VPC
- The default VPC is for easy deployment - launch instances quickly
- All subnets in the default VPC have a route to the internet
- Each EC2 instance has both a public and a private IP address - a public IP by default

97.1 VPC Peering
- It is allowable to have more than one VPC in a region
- You can make them communicate with each other (peering), connecting all VPCs over a private network; example: connect the prod, UAT and dev VPCs via a direct network
- Peering is in a star configuration - example: one central VPC peers with 4 others
- Transitive peering is NOT ALLOWED - one VPC cannot reach another VPC via the central VPC; refer to the diagram

98.1 VPC and Subnet creation

1. Create your own VPC (the default VPC is the one AWS created for you to deploy into; don't delete it)
- Specify the private IP address range - 10.0.0.0/16 - as the CIDR
- By default the VPC creates these as well:
  - Route table - decides which IP addresses need to be routed where
  - Network ACL
  - Security Group

2. Create two subnets and assign them to your VPC; also specify the Availability Zone. Subnet and AZ is a one-to-one mapping. Public Subnet - 10.0.1.0/24, Private Subnet - 10.0.2.0/24

3. Create an Internet Gateway and attach it to the VPC. Only one IGW can be assigned to a VPC - one-to-one mapping

4. VPC level: create a new route table and open the incoming traffic. Don't touch the default route table, which is common to all subnets. Open all the incoming connections and assign the IGW as the target

5. Associate the public subnet with the new route table

6. Enable auto-assign public IP address for the public subnet

7. Create two EC2 instances
- Assign one instance to the public subnet, which allows internet access. To test the internet connectivity, install httpd and put up an index.html
- Assign the other instance to the private subnet, which is 10.0.2.0/24. When you assign security groups, give the public subnet's IP address range (10.0.1.0/24) as the source, so it allows connections from that range only. Open the MySQL, SSH and ICMP ports

8. Test the internet connectivity on the public subnet

9. Try to ping the private instance from the public instance

10. Connect (SSH) to the private instance from the public instance, using the key pair

11. Test whether you are able to access the internet by installing any software/updates

12. As it is not exposed to the internet, you cannot do anything
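The lab's address plan written out as data and checked the way a reviewer would before building it: VPC inside an RFC 1918 range, VPC prefix within the /16 to /28 that AWS accepts, subnets inside the VPC and non-overlapping, and "public" meaning only that the subnet's route table sends 0.0.0.0/0 to an Internet Gateway. This is an added example, not part of the notes; the AZ names and the `igw-PLACEHOLDER` target id are constructed, and the five reserved addresses per subnet are an AWS rule not stated in the notes.

```python
from ipaddress import ip_network, IPv4Network
from typing import Dict, List

# RFC 1918 private ranges listed in the notes (10/8, 172.16/12, 192.168/16).
PRIVATE_RANGES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                  ip_network("192.168.0.0/16")]
AWS_RESERVED_PER_SUBNET = 5   # AWS reserves the first four and the last address

# The lab's plan as data (constructed for this example; the route-table
# target id is a placeholder, not a real resource id).
LAB_VPC = "10.0.0.0/16"
LAB_SUBNETS = {
    "public":  {"cidr": "10.0.1.0/24", "az": "us-east-1a", "default_route": "igw-PLACEHOLDER"},
    "private": {"cidr": "10.0.2.0/24", "az": "us-east-1b", "default_route": "local"},
}


def check_vpc_plan(vpc_cidr: str, subnets: Dict[str, dict]) -> List[str]:
    """Return the problems found in a VPC/subnet plan; an empty list means OK.
    strict=True makes ip_network reject a CIDR with host bits set."""
    problems: List[str] = []
    vpc = ip_network(vpc_cidr, strict=True)
    if not any(vpc.subnet_of(r) for r in PRIVATE_RANGES):
        problems.append(f"VPC {vpc} is not inside an RFC 1918 private range")
    if not 16 <= vpc.prefixlen <= 28:          # AWS accepts /16 up to /28 for a VPC
        problems.append(f"VPC prefix /{vpc.prefixlen} is outside /16../28")
    seen: Dict[str, IPv4Network] = {}
    for name, spec in subnets.items():
        net = ip_network(spec["cidr"], strict=True)
        if not net.subnet_of(vpc):
            problems.append(f"subnet {name} {net} lies outside VPC {vpc}")
        for other, onet in seen.items():
            if net.overlaps(onet):
                problems.append(f"subnet {name} {net} overlaps {other} {onet}")
        seen[name] = net
    return problems


def usable_hosts(cidr: str) -> int:
    """Addresses left for instances after AWS's five reserved addresses."""
    return ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def public_subnets(subnets: Dict[str, dict]) -> List[str]:
    """A subnet is 'public' only because its route table sends 0.0.0.0/0 to an
    Internet Gateway; the private subnet's default route stays local."""
    return sorted(n for n, s in subnets.items() if s["default_route"].startswith("igw-"))
```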

99.1 NAT Instances or NAT Gateways

NAT - Network Address Translation

You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the Internet or other AWS services, but prevent the Internet from initiating a connection with those instances.

Using a NAT Instance or NAT Gateway, you can provide internet connectivity to the private subnet. The connectivity actually happens via the NAT instance or gateway.

NAT Instance
- Create a new NAT instance in EC2
- Assign it to the public subnet
- In the NAT instance, disable the Source/Destination Check option (under the network settings option)
- Go to VPC and edit the default main route table to allow the connectivity
- Open the IP range 0.0.0.0/0 and connect it to the NAT instance
- SSH to the private instance from the public instance and check the internet connectivity
- You should be able to access the internet

NAT Gateway
- Create a NAT Gateway and assign it to 0.0.0.0/0 in the route table
- Assign an Elastic IP address

NAT Exam TIPS
- NAT instance - disable Source/Destination Check on the instance
- The NAT instance must be in a public subnet
- There must be a route out (adding 0.0.0.0/0 to the route table of the VPC) of the private subnet to the NAT
- The amount of traffic a NAT instance supports depends on the instance size; if it is bottlenecking, increase the size
- Create high availability using Autoscaling groups and multiple subnets in different AZs, which is difficult
- A NAT instance is always behind a security group
- NAT Gateways are AWS-owned; AWS takes care of maintenance
- When you create new subnets within a custom VPC, by default they can communicate with each other, across availability zones
- Each subnet can be associated with only one route table

100.1 Network ACL vs Security Groups

A network ACL is an optional layer of security that acts as a firewall at the subnet level for controlling traffic in and out of a subnet.

- The VPC creates an ACL by default - by default all traffic (inbound and outbound) is allowed
- You can create a custom NACL, which helps to control traffic - by default a custom ACL denies all inbound and outbound traffic
- Each subnet must be associated with an ACL; if you don't assign one, the VPC assigns the default ACL
- An ACL can be associated with multiple subnets, but each subnet can be associated with one ACL only
- A NACL contains a numbered list of rules, evaluated in order starting with the lowest numbered rule first
- A NACL can allow or deny any inbound or outbound traffic
- A NACL is stateless; Security Groups are stateful
- You can block a specific IP address in a NACL; this is not possible in a Security Group
- Each subnet can have only one ACL
- Security groups act like a firewall at the instance level, whereas NACLs are an additional layer of security that acts at the subnet level.
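An added example (not from the notes) that works through the three points above: rules evaluated lowest number first, a NACL deny for one specific address, and stateless versus stateful. The rule table is constructed for the lab's private subnet; the host 10.0.1.50 and the port numbers are made-up sample values.

```python
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# A rule is (number, protocol, (low_port, high_port), source/dest CIDR, action).
Rule = Tuple[int, str, Tuple[int, int], str, str]

# Constructed custom NACL for the lab's private subnet (10.0.2.0/24): allow SSH
# and MySQL from the public subnet only, and explicitly block one public host.
INBOUND: List[Rule] = [
    (90,  "tcp", (22, 22),     "10.0.1.50/32", "deny"),
    (100, "tcp", (22, 22),     "10.0.1.0/24",  "allow"),
    (110, "tcp", (3306, 3306), "10.0.1.0/24",  "allow"),
]
# Stateless: replies need their own outbound rule on the ephemeral port range.
OUTBOUND: List[Rule] = [
    (100, "tcp", (1024, 65535), "10.0.1.0/24", "allow"),
]


def evaluate(rules: List[Rule], proto: str, port: int, addr: str) -> Tuple[str, Optional[int]]:
    """Walk the rules lowest number first; the first match decides. With no
    match the catch-all '*' rule applies, which is always deny."""
    for num, rproto, (lo, hi), cidr, action in sorted(rules, key=lambda r: r[0]):
        if rproto in ("all", proto) and lo <= port <= hi and ip_address(addr) in ip_network(cidr):
            return action, num
    return "deny", None


def nacl_session_allowed(client_ip: str, dst_port: int, ephemeral_port: int) -> bool:
    """A TCP session crosses a stateless NACL twice: the request inbound on
    dst_port and the reply outbound to the client's ephemeral port."""
    request, _ = evaluate(INBOUND, "tcp", dst_port, client_ip)
    reply, _ = evaluate(OUTBOUND, "tcp", ephemeral_port, client_ip)
    return request == "allow" and reply == "allow"


def sg_session_allowed(client_ip: str, dst_port: int) -> bool:
    """A stateful security group with the same inbound rules: once the request
    is allowed the reply is allowed automatically, so only one check is made.
    Security groups have no deny rules, so the deny entry cannot be expressed."""
    allows = [r for r in INBOUND if r[4] == "allow"]
    return evaluate(allows, "tcp", dst_port, client_ip)[0] == "allow"
```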


101.1 VPC and ELB
- If you need high availability using an ELB, you must select two public instances in two different AZs; it will not take private instances

102.1 NAT vs Bastion

NAT - used to provide internet traffic to EC2 instances in private subnets. Bastion - used to securely administer EC2 instances (using SSH or RDP) in private subnets.

103.1 VPC Flow Logs - to log all traffic for a VPC; it uses CloudWatch to log all incoming traffic for your VPC

104.1 HTTP Status Codes

- 100 - Informational
- 200 - Success
- 300 - Redirection
- 400 - Client side error
- 500 - Server side error


105.1 HTTPS Load Balancer

- If the client application uses HTTPS, then install an SSL/TLS certificate on the Load Balancer
- The SSL and TLS protocols use an X.509 certificate

106.1 ECS (EC2 Container Service)
- A container consists of an entire runtime environment: an application, plus all its dependencies, libraries and other binaries, and configuration files needed to run it, bundled into one package
- Containers can help ensure that applications deploy quickly, reliably, and consistently regardless of deployment environment
- Example: you can use containers to create distributed applications by breaking apart your application into independent tasks or processes (e.g., microservices). For example, you can have separate containers for your web server, application server, message queue, and backend workers.
- Amazon EC2 Container Service (Amazon ECS) is a highly scalable, fast, container management service that makes it easy to run, stop, and manage Docker containers on a cluster of Amazon Elastic Compute Cloud (Amazon EC2) instances.
- Schedules the placement of containers
- Eliminates the need for you to operate your own cluster management and configuration management systems, or to worry about scaling your management infrastructure.

107.1 Common points

AWS request header format
- x-aws-server-side-encryption
- x-amz-sns-message-type - specific to SNS

108.1 Questions

Elastic IP Address - ? Bastion, Redshift, RDS

109.1 Resources

https://acloud.guru/forums/aws-certified-developer-associate/discussion/-KUdI5f2LNbi4wvK7v4I/how_to_pass_aws_certified_deve

https://www.dennyzhang.com/quiz_questions_aws_exam

- Lambda scaling, SNS publishing parameters, CloudFormation reference function syntax, services that interact with Elastic Beanstalk, SWF features, S3 performance
- API Gateway, Lambda and the components of a serverless architecture
- Performance considerations for services like S3, DynamoDB, SNS, SQS should be enough
- Basic API calls for DynamoDB, SQS, SNS, EC2 and CloudFormation, e.g. ReceiveMessageWaitTimeSeconds, ChangeMessageVisibility, BatchGetItem, "Fn::GetAtt" : [ "MyLB" , "DNSName" ] etc.

b) SNS Evaluation Logic:
c) S3: Cross-Origin Resource Sharing: Use-case Scenarios
d) DynamoDB: Common partition key schemas for provisioned throughput efficiency
e) S3: Request Rate and Performance Considerations
f) EC2 AMIs: DescribeImages; AMI sharing methods