
Section 2: AWS Global Infrastructure

Name | Description
Region | A geographical area with 2 or more AZs, isolated from other AWS regions
Availability Zone (AZ) | One or more data centers that are physically separate and isolated from other AZs
Edge Location | A location with a cache of content that can be delivered at low latency to users; used by CloudFront
Regional Edge Cache | Also part of the CloudFront network. These are larger caches that sit between AWS services and Edge Locations
Global Network | Highly available, low-latency private global network interconnecting every data center, AZ, and AWS region
Section 2: AWS Global Infrastructure (diagram)

[Diagram: three regions, eu-west-1, us-east-1 and ap-southeast-2, each containing three Availability Zones]
• Every region is connected via a high bandwidth, fully redundant network
• There are 23 regions around the world
• Each region is completely independent
Section 2: CloudFront Edge Locations (diagram)

[Diagram: CloudFront origins in a Region (Amazon EC2, Amazon S3) -> Regional Edge Caches -> Edge locations -> Users]
• There are 11 Regional Edge Caches
• There are 176 Edge locations
Section 2: VPC Overview (diagram)

[Diagram: a Region containing a VPC; two Availability Zones, each with a public subnet holding an EC2 instance; a router and an Internet gateway]
• A VPC is a logically isolated portion of the AWS cloud within a region
• Subnets are created within AZs

Main Route Table
Destination | Target
172.31.0.0/16 | Local
0.0.0.0/0 | igw-id

Section 2: VPC Overview (multiple VPCs)

[Diagram: a Region containing two VPCs, CIDR 172.31.0.0/16 and CIDR 10.0.0.0/16, each with two Availability Zones holding a public subnet and a private subnet]
• Each VPC has a different CIDR block
• You can create multiple VPCs within each region
Section 3: Launch an EC2 Instance (diagram)

[Diagram: Region -> VPC 172.31.0.0/16 -> two Availability Zones, each with a public subnet holding an EC2 instance; router -> Internet gateway -> Internet -> Client]

Main Route Table
Destination | Target
172.31.0.0/16 | Local
0.0.0.0/0 | igw-id
Section 3: Security Group Slide 1

[Diagram: one Availability Zone, one public subnet. EC2 Instance A and EC2 Instance B both belong to SG: SecGroupA and SG: Web-Access; Instance A pings Instance B (ICMP)]

Section 3: Security Group Slide 2

[Diagram: same layout, but EC2 Instance A belongs to SG: SecGroupA and EC2 Instance B to SG: SecGroupB; both still belong to SG: Web-Access; Instance A pings Instance B (ICMP)]
Section 3: Public, Private, and Elastic IP addresses

Name | Description
Public IP address | Lost when the instance is stopped; used in public subnets; no charge; associated with a private IP address on the instance; cannot be moved between instances
Private IP address | Retained when the instance is stopped; used in public and private subnets
Elastic IP address | Static public IP address; you are charged if it is allocated but not in use; associated with a private IP address on the instance; can be moved between instances and Elastic Network Interfaces
Section 3: Public, Private and Elastic IPs - Slide 1

[Diagram: an EC2 instance (Linux OS) with two interfaces: eth0, Private-IP e.g. 172.31.5.8, associated with a Public / Elastic IP e.g. 3.104.75.244; eth1, Private-IP e.g. 172.31.10.10. Data packets shown: Src: 3.104.75.244, Dest: 172.31.10.10]
• The Internet gateway performs 1:1 NAT between the public / Elastic IP and the private IP it is associated with
• The operating system only ever sees the private IP address; the public address is never configured on the interface

Section 3: Public, Private and Elastic IPs - Slide 2

[Diagram: the same instance after the Public / Elastic IP e.g. 3.104.75.244 has been re-associated with eth1 (Private-IP e.g. 172.31.10.10); the Internet gateway again performs 1:1 NAT]
Section 3: Private Subnets and Bastion Hosts (diagram)

[Diagram: Region -> VPC -> Availability Zone with a public subnet (bastion EC2 instance with Public-IP and Private-IP) and a private subnet (EC2 instance with Private-IP only); Internet gateway -> Internet -> Client]

Public Subnet Route Table
Destination | Target
172.31.0.0/16 | Local
0.0.0.0/0 | igw-id

Private Subnet Route Table
Destination | Target
172.31.0.0/16 | Local
Section 3: NAT Instance vs NAT Gateway

NAT Instance | NAT Gateway
Managed by you (e.g. software updates) | Managed by AWS
Scale up (instance type) manually and use enhanced networking | Elastic scalability up to 45 Gbps
No high availability; scripted/auto-scaled HA possible using multiple NATs in multiple subnets | Provides automatic high availability within an AZ and can be placed in multiple AZs
Need to assign a Security Group | No Security Groups
Can use as a bastion host | Cannot access through SSH
Use an Elastic IP address or a public IP address with a NAT instance | Choose the Elastic IP address to associate with a NAT gateway at creation
Can implement port forwarding through manual customisation | Does not support port forwarding

Note: a NAT instance must have its EC2 source/destination check disabled, otherwise it drops packets that are not addressed to its own IP.
Section 3: Private Subnet with NAT Gateway (diagram)

[Diagram: Region -> VPC -> Availability Zone with a public subnet (NAT gateway with Elastic-IP and Private-IP) and a private subnet (EC2 instance with Private-IP); Internet gateway]

Public Subnet Route Table
Destination | Target
172.31.0.0/16 | Local
0.0.0.0/0 | igw-id

Private Subnet Route Table
Destination | Target
172.31.0.0/16 | Local
0.0.0.0/0 | nat-gateway-id

Section 3: Private Subnet with NAT Instance (diagram)

[Diagram: same layout, with a NAT Instance (Elastic-IP and Private-IP) in the public subnet instead of a NAT gateway]

Public Subnet Route Table
Destination | Target
172.31.0.0/16 | Local
0.0.0.0/0 | igw-id

Private Subnet Route Table
Destination | Target
172.31.0.0/16 | Local
0.0.0.0/0 | nat-instance-id
Section 4: Amazon S3 Overview (diagram)

[Diagram: an Amazon S3 Bucket reached over the public Internet by an EC2 instance in a public subnet (through the Internet gateway) and by an Internet Client; a second EC2 instance sits in a private subnet of the same VPC]

S3 Bucket URLs:
http://bucket.s3.aws-region.amazonaws.com
http://s3.aws-region.amazonaws.com/bucket

Object:
• Key
• Version ID
• Value
• Metadata
• Subresources
• Access control information
Section 4: IAM Roles (diagram)

[Diagram: an EC2 instance in a public subnet assumes an IAM Role; the Policy attached to the role grants access to an S3 Bucket]
Section 4: Elastic Load Balancing Concepts (diagram)

[Diagram: Clients 1, 2 and 3 connect to dctlabs.com, an Elastic Load Balancer in front of EC2 Web Servers in public subnets across two Availability Zones]
• A single endpoint (address) for your application
• Health checks are used to determine if instances are available (EC2 or ELB)
• Connections are distributed across targets in multiple AZs (HA/FT)
• Client 3 is re-routed to another instance when its instance fails health checks
Section 4: Elastic Load Balancing (ELB) Types

Application Load Balancer
Load Balancer Protocol: HTTP, HTTPS | Instance Protocol: HTTP, HTTPS
• Operates at the request level
• Routes based on the content of the request (layer 7)
• Supports path-based routing, host-based routing, query string parameter-based routing, and source IP address-based routing
• Supports IP addresses, Lambda Functions and containers as targets

Network Load Balancer
Load Balancer Protocol: TCP, TLS, UDP, TCP_UDP | Instance Protocol: TCP, TCP_UDP
• Operates at the connection level
• Routes connections based on IP protocol data (layer 4)
• Offers ultra high performance, low latency and TLS offloading at scale
• Can have a static IP / Elastic IP
• Supports UDP, and supports static IP addresses as targets

Classic Load Balancer
Load Balancer Protocol: TCP, SSL, HTTP, HTTPS | Instance Protocol: TCP, SSL, HTTP, HTTPS
• Old generation; not recommended for new applications
• Performs routing at Layer 4 and Layer 7
• Use for existing applications running in EC2-Classic
Section 4: Classic Load Balancer (Internet-Facing) (diagram)

[Diagram: Region -> VPC -> two Availability Zones, each with a private subnet (EC2 Instance 1 / EC2 Instance 2, Private-IP) and a public subnet (Classic Load Balancer nodes, Public-IPs); protocols TCP, SSL, HTTP, HTTPS; Internet gateway -> Internet -> Client]

Section 4: Classic Load Balancer - Multi-tier (diagram)

[Diagram: an Internet-facing CLB (Public-IPs) in the public subnets forwards to EC2 Instances 1 and 2; an Internal CLB (Private-IPs) forwards from those instances to EC2 Instances 3 and 4 in the private subnets; protocols TCP, SSL, HTTP, HTTPS; two Availability Zones]

Section 4: Classic Load Balancer (Internal) (diagram)

[Diagram: an Internal CLB with Private-IPs spanning two Availability Zones; an Internal Client reaches EC2 Instances 1 and 2 in the private subnets through it; protocols TCP, SSL, HTTP, HTTPS]

Section 4: Network Load Balancer (Internet-Facing) (diagram)

[Diagram: Network Load Balancer nodes in the public subnets of two Availability Zones with Public-IPs / Elastic IP; targets EC2 Instances 1 and 2 (Private-IP) in the private subnets; protocols TCP, TLS; Internet gateway -> Internet -> Client]

Section 4: Application Load Balancer (Internet-Facing) (diagram)

[Diagram: Application Load Balancer nodes in the public subnets of two Availability Zones with Public-IPs; targets EC2 Instances 1 and 2 (Private-IP) in the private subnets; protocols HTTP, HTTPS; Internet gateway -> Internet -> Client]
Section 4: Application Load Balancer – Path-based Routing (diagram)

[Diagram: Internet Client -> Application Load Balancer (HTTP, HTTPS) -> Listener; Rule (default) -> Target Group 1 (Instance 1, Instance 2); Rule (/orders) -> Target Group 2 (Instance 3, Instance 4)]

Section 4: Application Load Balancer – Host-based Routing (diagram)

[Diagram: Internet Client -> Application Load Balancer (HTTP, HTTPS) -> Listener; Rule (default) -> Target Group 1 (Instance 1, Instance 2); Rule (shop.dctlabs.com) -> Target Group 2 (Instance 3, Instance 4)]
Section 4: Auto Scaling Overview (diagram)

[Diagram: an Auto Scaling group spanning public subnets in two Availability Zones; the EC2 instances publish Metrics to Amazon CloudWatch]
1. Metric reports CPU > 80%
2. CloudWatch notifies the ASG to scale
3. ASG launches an extra instance
• When EC2 Status Checks fail, the ASG replaces the failed instance
Section 4: Auto Scaling Group with ALB (diagram)

[Diagram: Region -> VPC -> two Availability Zones; Application Load Balancer in the public subnets (HTTP, HTTPS) in front of an Auto Scaling group in the private subnets; Internet gateway -> Internet -> Client]

Section 4: EC2 and ELB Health Checks (diagram)

[Diagram: Elastic Load Balancing runs ELB Health Checks against instances in public subnets across two Availability Zones; Amazon EC2 runs EC2 Status Checks; Amazon EC2 Auto Scaling consumes both]
• By default, the ASG uses EC2 Status Checks
• ELB Health Checks are an optional (recommended) setting in the ASG
• If ELB Health Checks are enabled in the ASG, both types are used
Section 4: Auto Scaling Termination Policies – Default Policies

[Diagram: an Auto Scaling group spanning public subnets in two Availability Zones]
1. Determine which AZ has the most instances
2. Determine which instance to terminate so as to align the remaining instances to the allocation strategy for the On-Demand or Spot Instance that is terminating and your current selection of instance types
3. Determine whether any of the instances use the oldest launch template
4. Determine whether any of the instances use the oldest launch configuration
5. After applying all of the criteria in 2 through 4, if there are multiple unprotected instances to terminate, determine which instances are closest to the next billing hour; if more than one is equally close, one of them is terminated at random
Section 4: Cross-Zone Load Balancing - Disabled (diagram)

[Diagram: Availability Zone A holds three targets behind one ELB Node, Availability Zone B holds two targets behind another. DNS sends 50% of client traffic to each node, and each node only forwards within its own AZ, so each target in AZ A receives 16.6% and each target in AZ B receives 25%]

Section 4: Cross-Zone Load Balancing - Enabled (diagram)

[Diagram: the same five targets. Each ELB Node can forward to targets in both AZs, so every target receives 20%: AZ A receives 60% in total and AZ B 40%]

Section 4: Cross-Zone Load Balancing - Enabled (diagram, three named targets)

[Diagram: targets Selina and Santos in Availability Zone A, Ava in Availability Zone B. With cross-zone enabled each target receives 33.3% (AZ A 66.6%, AZ B 33.3%)]

Section 4: Cross-Zone Load Balancing - Disabled (diagram, three named targets)

[Diagram: with cross-zone disabled each ELB Node receives 50%; Selina and Santos get 25% each while Ava gets 50%]

Section 4: Cross-Zone Load Balancing

Name | Created through Console | Created through CLI/API | Can be enabled/disabled?
ALB | Enabled | Enabled | No
NLB | Disabled | Disabled | Yes
CLB | Enabled | Disabled | Yes
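The percentages in the four diagrams above follow from one rule: DNS hands each load balancer node an equal share, and a node either keeps that share inside its own AZ (cross-zone disabled) or spreads it over every target (enabled). The following is an added example, not code from the course, that computes the share per target for any AZ layout and reports how uneven the result is; target counts are the constructed inputs.

```python
"""Traffic share per target with cross-zone load balancing on or off.

Added example: `targets_per_az` maps an AZ name to the number of healthy
targets registered in it. Exact fractions are used so the results can be
compared with the slide percentages without rounding noise.
"""
from fractions import Fraction


def traffic_share(targets_per_az, cross_zone):
    """Return {az: {"node": share, "per_target": share}} as Fractions.

    Disabled: each node (one per AZ) receives 1/len(azs) of all traffic and
    divides it among the targets in its own AZ only.
    Enabled: every node may forward to every target, so each target gets
    1/total and an AZ's share is proportional to its target count.
    An AZ with zero targets keeps its node share when disabled (those
    requests have nowhere to go), which is the failure mode to watch for.
    """
    azs = list(targets_per_az)
    total = sum(targets_per_az.values())
    result = {}
    for az in azs:
        n = targets_per_az[az]
        if cross_zone:
            per_target = Fraction(1, total) if total else Fraction(0)
            az_share = per_target * n
        else:
            az_share = Fraction(1, len(azs))
            per_target = az_share / n if n else Fraction(0)
        result[az] = {"node": az_share, "per_target": per_target}
    return result


def imbalance(targets_per_az, cross_zone):
    """Busiest target's share divided by the least busy one (1 means even)."""
    shares = [v["per_target"]
              for v in traffic_share(targets_per_az, cross_zone).values()
              if v["per_target"]]
    return max(shares) / min(shares)


if __name__ == "__main__":
    for enabled in (False, True):
        print("cross-zone", enabled, traffic_share({"A": 3, "B": 2}, enabled),
              "imbalance", imbalance({"A": 3, "B": 2}, enabled))
```

With cross-zone disabled, an uneven target count per AZ (3 vs 2) leaves the AZ B targets carrying 1.5 times the load of the AZ A targets; enabling it evens the targets out at the cost of cross-AZ traffic.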


Section 4: ELB Sticky Sessions (diagram)

[Diagram: an Elastic Load Balancer in front of EC2 Web Servers: Instances 1, 2 and 3 in one Availability Zone, Instances 4, 5 and 6 in another; Clients 1, 2 and 3]
• Client 1 connects and is bound to Instance 1 for the cookie lifetime
• When the cookie expires, the ELB routes the client to Instance 3
• Client 3 connects and is bound to Instance 6 for the cookie lifetime
• Instance 6 becomes unhealthy; the new request from Client 3 is routed to Instance 4

Section 4: Sticky Sessions

Name | Supported? | Load Balancer Generated Cookie | Application Generated Cookie
ALB | Yes | Yes, "AWSALB" | Not supported
NLB | No | N/A | N/A
CLB | Yes | Yes | Yes
Section 4: Application Load Balancer – Listeners and SSL/TLS (diagram)

[Diagram: Internet Client -> Application Load Balancer (HTTP, HTTPS) with two listeners. Listener HTTPS:443 has rules Default = TG1 and shop.dctlabs = TG2; listener HTTP:80 has rule Default = TG3. Target Groups 1 and 2 are reached over HTTP:80 and Target Group 3 over HTTPS:443; Instances 1 to 4 are spread across the three target groups]
• Target type: Instance ID, IP or Lambda function
Section 4: Public ALB with Private Instances (diagram)

[Diagram: Region -> VPC -> two Availability Zones; Application Load Balancer in the public subnets (HTTP, HTTPS) in front of an Auto Scaling group in the private subnets; NAT gateway in a public subnet for outbound access; Internet gateway -> Internet -> Client]

Section 4: Public ALB with Private Instances – Security Groups

Public subnet(s) – Internet-facing ALB
Security group – PublicALB
Inbound: Protocol/Port HTTP/80, Source: 0.0.0.0/0
Outbound: Protocol/Port HTTP/80, Destination: PrivateEC2

Private subnet(s) – Web Front-End
Security group – PrivateEC2
Inbound: Protocol/Port HTTP/80, Source: PublicALB

Section 4: Multi-Tier Web Architecture (diagram)

[Diagram: Region -> VPC -> two Availability Zones. Internet-facing ALB in the public subnets (HTTP, HTTPS) -> Web Front-End Auto Scaling group -> Internal ALB -> Application Layer Auto Scaling group in the private subnets; NAT Gateway; Internet gateway -> Internet -> Client]

Section 4: Multi-Tier Web Architecture – Security Groups

Public subnet(s) – Internet-facing ALB
Security group – PublicALB
Inbound: Protocol/Port HTTP/80, Source: 0.0.0.0/0
Outbound: Protocol/Port HTTP/80, Destination: PublicEC2

Web Front-End
Security group – PublicEC2
Inbound: Protocol/Port HTTP/80, Source: PublicALB
Outbound: Protocol/Port HTTP/80, Destination: PrivateALB

Private subnet(s) – Internal ALB
Security group – PrivateALB
Inbound: Protocol/Port HTTP/80, Source: PublicEC2
Outbound: Protocol/Port HTTP/80, Destination: PrivateEC2

Application Layer
Security group – PrivateEC2
Inbound: Protocol/Port HTTP/80, Source: PrivateALB

Each tier's inbound rule names the security group of the tier in front of it rather than a CIDR, so only traffic that has passed through the previous tier can reach it.
Section 4: ELB Connections and Logging (diagram)

[Diagram: Internet Client 42.104.51.204 -> Elastic Load Balancer 3.56.121.25 -> EC2 Instance 172.31.0.101. The load balancer sees Src: 42.104.51.204, Dest: 3.56.121.25; the instance sees Src: 172.31.0.5 (the load balancer node), Dest: 172.31.0.101]
• Logs on EC2 (Apache) may not contain the client IP
• Server access logs are stored in an S3 Bucket and contain client IPs

Section 4: CLB - Proxy Protocol and X-Forwarded-For (diagram)

[Diagram: with HTTP, HTTPS (L7) listeners the Classic Load Balancer adds the X-Forwarded-For header (L7) on the way to the EC2 instance; with TCP (L4) listeners it can prepend a Proxy Protocol header (L4) instead]

Section 4: ALB/NLB - Proxy Protocol, X-Forwarded-For and Access Logging (diagram)

[Diagram: the Application Load Balancer (HTTP, HTTPS, L7) adds X-Forwarded-For; the Network Load Balancer (TCP, L4) passes the client IP through to the instance and supports Proxy Protocol (L4)]
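Both mechanisms above put the client address inside data the server receives from the network, which means a client (or a proxy the client controls) can write its own X-Forwarded-For values, and a PROXY line can only be trusted if the listener in front is the one that wrote it. The following is an added example, not course code, showing the parsing a backend should do: walk X-Forwarded-For from the right, past only hops you trust, and validate a PROXY protocol v1 line strictly. The trusted proxy ranges and the sample headers are constructed.

```python
"""Recovering the client IP behind an ELB (added example).

X-Forwarded-For is a comma-separated chain; each proxy appends the address
it received the connection FROM.  The rightmost entry was added by the hop
that connected to us, so walking right-to-left and stopping at the first
address that is not a trusted proxy yields the real client, and any
entries a client forged sit further left and are ignored.
"""
import ipaddress

# Constructed: the load balancer's VPC range plus a CDN range we trust.
TRUSTED_PROXIES = [ipaddress.ip_network("172.31.0.0/16"),
                   ipaddress.ip_network("198.51.100.0/24")]


def _trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip_from_xff(xff_header, peer_ip):
    """Return the client IP, given the header and the TCP peer address."""
    if not _trusted(peer_ip):
        return peer_ip                   # direct connection: header is attacker-supplied
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return None              # garbage in the chain: do not guess
    return peer_ip                       # every hop trusted: the proxy itself is the client


def parse_proxy_v1(first_line):
    """Parse a PROXY protocol v1 header such as
    'PROXY TCP4 42.104.51.204 3.56.121.25 51234 443\\r\\n'.
    Returns (src_ip, src_port, dst_ip, dst_port) or None when malformed.
    The spec caps the line at 107 bytes including CRLF."""
    if not first_line.endswith("\r\n") or len(first_line) > 107:
        return None
    parts = first_line[:-2].split(" ")
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] not in ("TCP4", "TCP6"):
        return None
    try:
        src = ipaddress.ip_address(parts[2])
        dst = ipaddress.ip_address(parts[3])
        sport, dport = int(parts[4]), int(parts[5])
    except ValueError:
        return None
    want = 4 if parts[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        return None
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        return None
    return (str(src), sport, str(dst), dport)


if __name__ == "__main__":
    print(client_ip_from_xff("10.9.9.9, 42.104.51.204", "172.31.0.5"))
    print(parse_proxy_v1("PROXY TCP4 42.104.51.204 3.56.121.25 51234 443\r\n"))
```

Only enable PROXY protocol on the backend when the listener in front actually sends it; a backend that accepts PROXY lines from any peer lets any client on the network claim any source address.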
Section 5: Creating a Custom VPC (diagram)

[Diagram: Region -> VPC 10.0.0.0/16 -> three Availability Zones, each with a private subnet and a public subnet; NAT gateway in a public subnet; Internet gateway; the public subnets share one route table and the private subnets another]

Public Route Table
Destination | Target
10.0.0.0/16 | Local
0.0.0.0/0 | igw-id

Private Route Table
Destination | Target
10.0.0.0/16 | Local
0.0.0.0/0 | nat-gateway-id
Section 5: Security Groups

[Diagram: the multi-tier security groups from Section 4 (PublicALB, PublicEC2, PrivateALB, PrivateEC2) shown against the VPC's public and private subnets]

Default Security Group
Inbound:
Source | Protocol | Port
Security Group ID (the group itself) | All | All
Outbound:
Destination | Protocol | Port
0.0.0.0/0 | All | All
::/0 | All | All

Custom Security Group
Inbound: (no rules)
Outbound:
Destination | Protocol | Port
0.0.0.0/0 | All | All
::/0 | All | All
Section 5: Network Access Control Lists (NACLs)

[Diagram: a VPC with two Availability Zones; each public and private subnet is bounded by a Network ACL, instances inside the subnets carry Security Group A or Security Group B, and the Router sits between the subnets]

Default NACL
Inbound:
Protocol | Port | Source | Action
All | All | 0.0.0.0/0 | ALLOW
All | All | ::/0 | ALLOW
Outbound:
Protocol | Port | Destination | Action
All | All | 0.0.0.0/0 | ALLOW
All | All | ::/0 | ALLOW

Custom NACL
Inbound:
Protocol | Port | Source | Action
All | All | 0.0.0.0/0 | DENY
All | All | ::/0 | DENY
Outbound:
Protocol | Port | Destination | Action
All | All | 0.0.0.0/0 | DENY
All | All | ::/0 | DENY

Rules are numbered and evaluated from the lowest number up; the first match wins, and every NACL ends with the catch-all rule (*) that denies anything no numbered rule matched. A custom NACL starts with nothing but that catch-all, which is why it denies everything until you add rules.
Section 5: Security Groups vs Network ACLs

Security Group | Network ACL
Operates at the instance level | Operates at the subnet level
Supports allow rules only | Supports allow and deny rules
Stateful | Stateless
Evaluates all rules | Processes rules in order
Applies to an instance only if associated with a group | Automatically applies to all instances in the subnets it is associated with
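The rows of that table are easy to recite and easy to get wrong in practice; the one that bites most often is "stateless", which means a NACL needs an explicit outbound rule for the ephemeral-port range before any reply can leave the subnet. The following is an added example, not code from the course, that models the four properties on a few constructed packets so the difference is visible: a security group that tracks connections, and a NACL that evaluates numbered rules in order and falls through to the catch-all deny.

```python
"""Security group vs network ACL evaluation (added example).

Security group: allow rules only, every rule is checked, stateful (the
reply to a tracked inbound connection is allowed without an outbound rule).
Network ACL: numbered allow/deny rules, lowest number first, first match
wins, stateless (replies need their own rule), implicit deny at the end.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int      # destination port (0 for icmp)
    sport: int = 0  # source port


def _in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


@dataclass
class SecurityGroup:
    inbound: list = field(default_factory=list)   # (cidr, proto, from_port, to_port)
    _tracked: set = field(default_factory=set)    # 5-tuples of accepted connections

    def allows_inbound(self, p):
        for cidr, proto, lo, hi in self.inbound:
            if _in_cidr(p.src, cidr) and proto in ("all", p.proto) and lo <= p.dport <= hi:
                self._tracked.add((p.src, p.sport, p.dst, p.dport, p.proto))
                return True
        return False                                # no allow rule matched

    def allows_outbound_reply(self, p):
        # Stateful: the reverse of a tracked tuple is allowed regardless of rules.
        return (p.dst, p.dport, p.src, p.sport, p.proto) in self._tracked


@dataclass
class NetworkACL:
    inbound: list = field(default_factory=list)   # (number, cidr, proto, lo, hi, action)
    outbound: list = field(default_factory=list)

    @staticmethod
    def _evaluate(rules, ip, proto, port):
        for _, cidr, rproto, lo, hi, action in sorted(rules, key=lambda r: r[0]):
            if _in_cidr(ip, cidr) and rproto in ("all", proto) and lo <= port <= hi:
                return action == "allow"            # first match wins
        return False                                # catch-all "*" rule: deny

    def allows_inbound(self, p):
        return self._evaluate(self.inbound, p.src, p.proto, p.dport)

    def allows_outbound(self, p):
        return self._evaluate(self.outbound, p.dst, p.proto, p.dport)


def web_tier_example():
    """Constructed scenario: client 203.0.113.7 opens TCP/80 to 10.0.1.10."""
    sg = SecurityGroup(inbound=[("0.0.0.0/0", "tcp", 80, 80)])
    nacl = NetworkACL(
        inbound=[(100, "0.0.0.0/0", "tcp", 80, 80, "allow"),
                 (90, "203.0.113.0/24", "tcp", 22, 22, "deny")],
        outbound=[(100, "0.0.0.0/0", "tcp", 80, 80, "allow")],   # no ephemeral-port rule yet
    )
    request = Packet(src="203.0.113.7", sport=51234, dst="10.0.1.10", proto="tcp", dport=80)
    reply = Packet(src="10.0.1.10", sport=80, dst="203.0.113.7", proto="tcp", dport=51234)
    ssh = Packet(src="203.0.113.7", sport=40000, dst="10.0.1.10", proto="tcp", dport=22)
    results = {
        "sg_request": sg.allows_inbound(request),
        "sg_reply": sg.allows_outbound_reply(reply),          # True without any outbound rule
        "nacl_request": nacl.allows_inbound(request),
        "nacl_reply_without_ephemeral_rule": nacl.allows_outbound(reply),   # False: stateless
        "nacl_ssh_denied": not nacl.allows_inbound(ssh),      # rule 90 beats the catch-all
    }
    nacl.outbound.append((110, "0.0.0.0/0", "tcp", 1024, 65535, "allow"))
    results["nacl_reply_with_ephemeral_rule"] = nacl.allows_outbound(reply)
    return results


if __name__ == "__main__":
    for name, ok in web_tier_example().items():
        print(f"{name:36} {ok}")
```

The deny rule also shows why rule numbering matters: a deny for one CIDR only takes effect if its number is lower than the broad allow that would otherwise match first.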
Section 5: VPC Peering

[Diagram: Account 1 VPC, CIDR 10.1.0.0/16, and Account 2 VPC, CIDR 10.0.0.0/16, each with a public subnet and a private subnet, connected by a Peering connection]

Account 1 Security Group, Inbound:
Source | Protocol | Port
Security Group ID | All ICMP v4 | All

Account 2 Security Group, Inbound:
Source | Protocol | Port
0.0.0.0/0 | TCP | 22

Account 1 Route Table
Destination | Target
10.0.0.0/16 | peering-connection-id

Account 2 Route Table
Destination | Target
10.1.0.0/16 | peering-connection-id

The two CIDR blocks must not overlap, and a route is needed on both sides; peering is not transitive, so a third VPC peered with one of them cannot reach the other.
Section 5: VPC Endpoint Services

[Diagram: consumer side, a Default VPC where an EC2 instance in the public subnet connects to an interface Endpoint in the private subnet; provider side, a Custom VPC whose Endpoint Service exposes a Web Server through a Network Load Balancer]

Section 5: VPC Flow Logs

[Diagram: Flow logs can be enabled for the whole VPC, for an individual subnet (public or private), or for a single network interface (EC2 instance)]
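Flow logs are only useful once something reads them. The following is an added example, not course code, that parses the default flow log record format (version 2, space-separated fields: version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status) and runs two checks a security team would actually want over a private subnet: sources being rejected on many different ports, which is what a port scan looks like after security groups or NACLs drop it, and accepted SSH from outside the VPC, which a bastion-only design should never show. The log lines are constructed for the example.

```python
"""VPC flow log parsing and two detections (added example).

Only the default record format is handled; NODATA and SKIPDATA records
carry '-' in the flow fields and are skipped rather than parsed as flows.
"""
import ipaddress
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse_flow_log(text):
    """Return a list of dicts, one per well-formed version-2 record with log-status OK."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue                                   # not a default-format v2 record
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue                                   # NODATA / SKIPDATA: no flow to analyse
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejected_port_fanout(records, min_ports=3):
    """srcaddr -> sorted destination ports it was REJECTed on, for sources
    that touched at least min_ports distinct ports (port-scan signature)."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def accepted_inbound_ssh(records, vpc_cidr="172.31.0.0/16"):
    """(srcaddr, dstaddr) pairs for ACCEPTed TCP/22 flows whose source lies
    outside the VPC; protocol 6 is TCP in the IANA numbering flow logs use."""
    net = ipaddress.ip_network(vpc_cidr)
    return [(r["srcaddr"], r["dstaddr"]) for r in records
            if r["action"] == "ACCEPT" and r["protocol"] == 6 and r["dstport"] == 22
            and ipaddress.ip_address(r["srcaddr"]) not in net]


# Constructed sample: a scanner at 203.0.113.9, the bastion at 172.31.5.8,
# and an unexpected direct SSH from 198.51.100.4.
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 203.0.113.9 172.31.10.10 44112 22 6 1 60 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 172.31.10.10 44113 23 6 1 60 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 172.31.10.10 44114 3389 6 1 60 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 172.31.10.10 44115 445 6 1 60 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 172.31.5.8 172.31.10.10 51000 22 6 20 4249 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.4 172.31.10.10 52000 22 6 12 2100 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1600000000 1600000060 - NODATA
"""

if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE)
    print("scanners:", rejected_port_fanout(recs))
    print("direct ssh:", accepted_inbound_ssh(recs))
```

Flow logs record what the security groups and NACLs decided, not payloads, so a REJECT here confirms the rule set held; an ACCEPT from an unexpected source is the finding that needs follow-up.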


Section 5: Virtual Private Networks (VPN)

[Diagram: VPC, CIDR 10.0.0.0/16, with a public subnet and a private subnet; a VPN gateway terminates a VPN connection to the Customer gateway in the Corporate data center, CIDR 192.168.0.0/16]

Route Table
Destination | Target
192.168.0.0/16 | vgw-id
Section 5: AWS Direct Connect

[Diagram: Corporate data center (Customer Router) -> AWS Direct Connect location, consisting of the Customer / partner cage (Customer / partner router) and the AWS cage (AWS Direct Connect endpoint) -> AWS Cloud. A Private VIF connects to the VPN gateway of a VPC (public and private subnets, Amazon EC2); a Public VIF reaches public AWS services such as Amazon Simple Storage Service (S3)]

Section 5: AWS Direct Connect Gateway

[Diagram: the same Corporate data center and AWS Direct Connect location; a Private VIF connects to a Direct Connect Gateway, which attaches to the VPN gateways of VPCs in two different Regions]
Section 6: Route 53 Overview

[Diagram: Amazon Route 53 provides Domain Registration (.net, .com, .org), Hosted zones (example.com, dctlabs.com) with records pointing at EC2 Instances, Health Checks, and Traffic Flow]
Section 6: Route 53 DNS Record Types

Supported DNS records
• A (address record)
• AAAA (IPv6 address record)
• CNAME (canonical name record)
• Alias (an Amazon Route 53-specific virtual record)
• CAA (certification authority authorization)
• MX (mail exchange record)
• NAPTR (name authority pointer record)
• NS (name server record)
• PTR (pointer record)
• SOA (start of authority record)
• SPF (sender policy framework)
• SRV (service locator)
• TXT (text record)

CNAME | Alias
Route 53 charges for CNAME queries | Route 53 doesn't charge for alias queries to AWS resources
You can't create a CNAME record at the top node of a DNS namespace (zone apex) | You can create an alias record at the zone apex (however you can't route to a CNAME at the zone apex)
A CNAME can point to any DNS record that is hosted anywhere | An alias record can only point to a CloudFront distribution, Elastic Beanstalk environment, ELB, S3 bucket as a static website, or to another record in the same hosted zone that you're creating the alias record in
Section 6: Route 53 - Simple Routing Policy

[Diagram: DNS query -> Amazon Route 53 -> EC2 targets in two Regions]

Name | Type | Value | TTL
simple.dctlabs.com | A | 1.1.1.1, 2.2.2.2 | 60
simpler.dctlabs.com | A | 3.3.3.3 | 60

A simple record with several values returns all of them; the client picks one.

Section 6: Route 53 - Weighted Routing Policy

[Diagram: DNS queries -> Amazon Route 53; 60% of answers are 1.1.1.1, 20% are 2.2.2.2 and 20% are 3.3.3.3, spread over two Regions; optional Health Checks]

Name | Type | Value | Health | Weight
weighted.dctlabs.com | A | 1.1.1.1 | ID | 60
weighted.dctlabs.com | A | 2.2.2.2 | ID | 20
weighted.dctlabs.com | A | 3.3.3.3 | ID | 20

Section 6: Route 53 - Latency Routing Policy

[Diagram: a query from Singapore resolves to 1.1.1.1 (Region – ap-southeast-1), from New York to 2.2.2.2 (Region – us-east-1), from Sydney to the ALB (Region – ap-southeast-2); optional Health Checks]

Name | Type | Value | Health | Region
latency.dctlabs.com | A | 1.1.1.1 | ID | ap-southeast-1
latency.dctlabs.com | A | 2.2.2.2 | ID | us-east-1
latency.dctlabs.com | A | alb-id | ID | ap-southeast-2

Section 6: Route 53 - Failover Routing Policy

[Diagram: Primary 1.1.1.1 is a traditional server in the Corporate data center; Secondary is the ALB in Region – ap-southeast-2 (Region – us-east-1 also shown); DNS query -> Amazon Route 53]

Name | Type | Value | Health | Record Type
failover.dctlabs.com | A | 1.1.1.1 | ID | Primary
failover.dctlabs.com | A | alb-id | | Secondary

• Health Check required on the Primary record; Route 53 answers with the Secondary only while the Primary is unhealthy

Section 6: Route 53 - Geolocation Routing Policy

[Diagram: a query from Singapore resolves to 1.1.1.1 (Region – ap-southeast-1, Singapore); from Mexico to 2.2.2.2 (Region – us-east-1, Default); from New Zealand to the ALB (Region – ap-southeast-2, Oceania); optional Health Checks]

Name | Type | Value | Health | Geolocation
geolocation.dctlabs.com | A | 1.1.1.1 | ID | Singapore
geolocation.dctlabs.com | A | 2.2.2.2 | ID | Default
geolocation.dctlabs.com | A | alb-id | ID | Oceania

Section 6: Route 53 - Multivalue Routing Policy

[Diagram: DNS query -> Amazon Route 53 -> targets in two Regions]

Name | Type | Value | Health | Multi Value
multivalue.dctlabs.com | A | 1.1.1.1 | ID | Yes
multivalue.dctlabs.com | A | 2.2.2.2 | ID | Yes
multivalue.dctlabs.com | A | 3.3.3.3 | ID | Yes

• Health Checks: returns healthy records only
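The weighted, failover and multivalue policies above differ in how health-check results change the answer. The following is an added example, not course code, that models the three selection rules with the records from the tables; health-check results are a constructed dict standing in for Route 53's checks, and weighted selection uses a seeded random source so the distribution can be inspected.

```python
"""How Route 53 picks answers under weighted, failover and multivalue
routing (added example).

healthy maps a record value to its health-check result; a value with no
entry has no health check attached and is treated as healthy, which is
what Route 53 does for weighted and multivalue records.
"""
import random
from collections import Counter


def weighted_answer(records, healthy, rng):
    """records: [(value, weight)]. Unhealthy records are dropped before the
    draw; if every record is unhealthy Route 53 answers as if all were
    healthy, and if all weights are 0 it chooses uniformly."""
    pool = [(v, w) for v, w in records if healthy.get(v, True)] or list(records)
    total = sum(w for _, w in pool)
    if total == 0:
        return rng.choice(pool)[0]
    pick = rng.uniform(0, total)
    acc = 0
    for value, weight in pool:
        acc += weight
        if pick < acc:
            return value
    return pool[-1][0]


def failover_answer(primary, secondary, healthy):
    """The primary must have a health check (so a missing result counts as
    unhealthy); the secondary is answered only while the primary fails."""
    return primary if healthy.get(primary, False) else secondary


def multivalue_answer(records, healthy, rng, limit=8):
    """Up to `limit` healthy values in random order (returned sorted here
    for comparison); all records if none is healthy."""
    pool = [v for v in records if healthy.get(v, True)] or list(records)
    rng.shuffle(pool)
    return sorted(pool[:limit])


def weighted_distribution(records, healthy, n=10000, seed=1):
    """Fraction of n answers that each value received."""
    rng = random.Random(seed)
    counts = Counter(weighted_answer(records, healthy, rng) for _ in range(n))
    return {value: counts[value] / n for value in counts}


WEIGHTED = [("1.1.1.1", 60), ("2.2.2.2", 20), ("3.3.3.3", 20)]
MULTIVALUE = ["1.1.1.1", "2.2.2.2", "3.3.3.3"]

if __name__ == "__main__":
    print("all healthy:", weighted_distribution(WEIGHTED, {}))
    print("2.2.2.2 down:", weighted_distribution(WEIGHTED, {"2.2.2.2": False}))
    print("failover:", failover_answer("1.1.1.1", "alb-id", {"1.1.1.1": False}))
    print("multivalue:", multivalue_answer(MULTIVALUE, {"2.2.2.2": False}, random.Random(0)))
```

When a weighted record fails its check its weight is redistributed over the survivors rather than lost, which is why 1.1.1.1 rises from 60% to 75% of answers once 2.2.2.2 is unhealthy; a record without a health check can never be removed this way, so attach checks to every record you expect failover from.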
Section 6: Route 53 Resolver – Outbound Endpoints

[Diagram: (1) an EC2 instance in the VPC sends a query to Amazon Route 53, the VPC's resolver; (2) a forwarding rule passes the query to the Outbound Endpoint in the subnet; (3) the Outbound Endpoint forwards it over the VPN connection (VPN gateway -> Customer gateway) to the DNS server in the Corporate data center]

Section 6: Route 53 Resolver – Inbound Endpoints

[Diagram: (1) a Client in the Corporate data center queries the on-premises DNS server; (2) the DNS server forwards the query over the VPN connection to the Inbound Endpoint in the VPC; (3) the Inbound Endpoint hands it to Amazon Route 53, which resolves names in the VPC]
Section 7: S3 Gateway Endpoints

[Diagram: Default VPC. An EC2 instance in the public subnet reaches Amazon Simple Storage Service (S3) over the Internet, as an Internet Client does; an EC2 instance in the private subnet reaches S3 privately through an S3 Gateway Endpoint, via a route table entry for the S3 prefix list]

Route Table
Destination | Target
pl-6ca54005 (com.amazonaws.ap-southeast-2.s3, 54.231.248.0/22, 54.231.252.0/24, 52.95.128.0/21) | vpce-ID
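The route above works because the VPC router always picks the most specific matching route, so the prefix-list entries for S3 win over a 0.0.0.0/0 route to a NAT gateway. The following is an added example, not course code, that applies longest-prefix matching to a private subnet's route table with the prefix list CIDRs shown above, and includes the check a reviewer wants: that every S3 address really does leave through the endpoint rather than the NAT gateway. The destination addresses are constructed.

```python
"""Longest-prefix-match route lookup for a VPC route table (added example).

Routes are (destination, target) where destination is a CIDR string or a
list of CIDRs standing in for a managed prefix list.
"""
import ipaddress

# Prefix list pl-6ca54005 (com.amazonaws.ap-southeast-2.s3) as listed above.
S3_PREFIX_LIST = ["54.231.248.0/22", "54.231.252.0/24", "52.95.128.0/21"]


def expand_routes(routes):
    """Flatten prefix lists into [(ip_network, target)] pairs."""
    expanded = []
    for dest, target in routes:
        for cidr in (dest if isinstance(dest, list) else [dest]):
            expanded.append((ipaddress.ip_network(cidr), target))
    return expanded


def lookup(routes, dst_ip):
    """Return the target of the most specific route matching dst_ip, or None
    when no route matches (the packet is dropped)."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for net, target in expand_routes(routes):
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, target)
    return best[1] if best else None


def s3_stays_private(routes):
    """True when an address from every S3 prefix resolves to the endpoint."""
    return all(lookup(routes, str(ipaddress.ip_network(c)[1])) == "vpce-id"
               for c in S3_PREFIX_LIST)


# Constructed route tables for a private subnet, with and without NAT.
PRIVATE_SUBNET_ROUTES = [
    ("172.31.0.0/16", "local"),
    (S3_PREFIX_LIST, "vpce-id"),
    ("0.0.0.0/0", "nat-gateway-id"),
]
PRIVATE_SUBNET_NO_NAT = [
    ("172.31.0.0/16", "local"),
    (S3_PREFIX_LIST, "vpce-id"),
]
NAT_ONLY = [
    ("172.31.0.0/16", "local"),
    ("0.0.0.0/0", "nat-gateway-id"),
]

if __name__ == "__main__":
    for ip in ("54.231.249.7", "172.31.10.10", "52.95.127.1", "8.8.8.8"):
        print(ip, "->", lookup(PRIVATE_SUBNET_ROUTES, ip), "/", lookup(PRIVATE_SUBNET_NO_NAT, ip))
    print("S3 private with NAT route:", s3_stays_private(PRIVATE_SUBNET_ROUTES))
    print("S3 private with NAT only:", s3_stays_private(NAT_ONLY))
```

A subnet with no 0.0.0.0/0 route at all still reaches S3 through the endpoint, which is the usual way to keep a data tier off the Internet while letting it read and write buckets; the endpoint policy and the bucket policy's aws:SourceVpce condition then decide which buckets that path may reach.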
Section 7: Block, Object and File Storage

[Diagram: the three storage types side by side]
• Amazon Elastic Block Store (EBS): an HDD/SSD Volume in a single Availability Zone, attached to an EC2 instance as a block device, e.g. /dev/xvdf
• Amazon S3: Objects in a bucket accessed by an Internet Client through the REST API (GET, PUT, POST, SELECT, DELETE), e.g. http://s3.aws-region.amazonaws.com/bucket/object
• Amazon Elastic File System: a file system mounted over NFSv4 (e.g. at /efs-mnt) by EC2 instances in several Availability Zones and by an On-premises client in the Corporate data center. Note: Linux only
Section 7: Amazon S3 Overview (diagram)

[Diagram: as in Section 4, an Amazon S3 Bucket reached over the Public Internet by an EC2 instance in a public subnet (through the Internet gateway) and by an Internet Client; in addition, an EC2 instance in the private subnet reaches the bucket over a Private Connection through an S3 Gateway Endpoint]

S3 Bucket URLs:
http://bucket.s3.aws-region.amazonaws.com
http://s3.aws-region.amazonaws.com/bucket

Object:
• Key
• Version ID
• Value
• Metadata
• Subresources
• Access control information
Section 7: Identity-Based and Resource-Based Policies

Identity-based policies: IAM Role Inline Policy, IAM User Inline Policy, IAM Group Policy
Resource-based policy: Bucket Policy

Example Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SeeBucketListInTheConsole",
      "Action": ["s3:ListAllMyBuckets"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::*"]
    }
  ]
}
Section 7: Cross-Account Access

[Diagram: John, a user in Account B, assumes a Role in Account A (DCTLabs); the role's trust policy allows Account B to assume it, and the role grants access to the Bucket. A bucket ACL is shown as the alternative mechanism]
Section 7: Access Control Lists

[Diagram: a Bucket ACL or Object ACL grants permissions to a grantee, which is either an AWS Account or an S3 Predefined Group: Authenticated Users, All Users, or the Log Delivery Group]

Example ACL:
…
<AccessControlPolicy>
  <Owner>
    <ID>AccountACanonicalUserID</ID>
    <DisplayName>AccountADisplayName</DisplayName>
  </Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>AccountBCanonicalUserID</ID>
        <DisplayName>AccountBDisplayName</DisplayName>
      </Grantee>
      <Permission>WRITE</Permission>
    </Grant>
    ...
  </AccessControlList>
</AccessControlPolicy>
Section 7: Access Control List Permissions

Permission | When granted on a bucket | When granted on an object
READ | Allows grantee to list the objects in the bucket | Allows grantee to read the object data and its metadata
WRITE | Allows grantee to create, overwrite, and delete any object in the bucket | Not applicable
READ_ACP | Allows grantee to read the bucket ACL | Allows grantee to read the object ACL
WRITE_ACP | Allows grantee to write the ACL for the applicable bucket | Allows grantee to write the ACL for the applicable object
FULL_CONTROL | Allows grantee the READ, WRITE, READ_ACP, and WRITE_ACP permissions on the bucket | Allows grantee the READ, READ_ACP, and WRITE_ACP permissions on the object
Section 7: Choosing Access Control Options

[Diagram: the three families of S3 access control side by side]
• Identity-based policies: IAM Role Inline Policy, IAM User Inline Policy, IAM Group Policy
• Resource-based policy: Bucket Policy
• ACLs: Bucket ACL and Object ACL, granted to an AWS Account or to an S3 Predefined Group (Authenticated Users, All Users, Log Delivery Group)
Section 7: Transfer Acceleration

[Diagram: an IAM User uploads through the nearest CloudFront Edge location to the Bucket]

Standard endpoints:
http://bucket.s3.aws-region.amazonaws.com
http://s3.aws-region.amazonaws.com/bucket

Transfer Acceleration endpoints:
http://bucketname.s3-accelerate.amazonaws.com
http://bucketname.s3-accelerate.dualstack.amazonaws.com
Section 7: S3 Encryption

Server-side encryption with S3 managed keys (SSE-S3)
• S3 managed keys
• Unique object keys
• Master key
• AES 256
• Encryption / decryption performed by S3

Server-side encryption with AWS KMS managed keys (SSE-KMS)
• KMS managed keys
• Customer master keys
• CMK can be customer generated
• Encryption / decryption performed by S3 using KMS

Server-side encryption with client provided keys (SSE-C)
• Client managed keys
• Not stored on AWS; the key is supplied in every request over HTTPS and S3 keeps only a salted HMAC of it to validate later requests
• Encryption / decryption performed by S3

Client side encryption
• Client managed keys
• Not stored on AWS
• Encryption / decryption performed by the client before upload and after download
Section 7: CloudFront Overview (diagram)

[Diagram: CloudFront Origins in a Region (Amazon EC2, Amazon S3) -> Regional Edge Caches -> Edge locations -> Users]

Section 7: CloudFront – Points of Presence

Points of Presence:
• 176 Edge Locations
• 11 Regional Edge Caches
• 69 cities
• 30 countries
Section 7: CloudFront Distribution and Origins

[Diagram: Amazon CloudFront Distributions serve Users from an S3 Origin (S3 Bucket, or an S3 Static Website) or a Custom Origin (an EC2 Instance, or an Application Load Balancer in front of EC2 instances)]

Web Distribution:
• Static and dynamic content
• HTTP/HTTPS
• Add/update/delete objects + webforms
• Real time live streaming

RTMP Distribution:
• Uses Adobe Flash Media RTMP protocol
• Can play a media file before it is fully downloaded
• Must use an S3 origin
• Note: AWS discontinued RTMP distributions at the end of 2020; new deployments use a web distribution
Section 7: CloudFront with S3 Static Website

[Diagram: Region -> S3 Bucket configured as static website, used as a Custom Origin; an Origin Access Identity (OAI) and a Bucket Policy restrict access; Amazon CloudFront -> Users]
• Caveat: an OAI can only restrict access when the bucket is added as an S3 (REST) origin. The static website endpoint is a custom origin served over HTTP, which CloudFront reaches anonymously, so a bucket used that way must allow public reads and cannot be locked to CloudFront with an OAI.

Section 7: CloudFront with ALB and EC2 Custom Origin

[Diagram: Region -> Application Load Balancer in front of EC2 Instances as a Custom Origin -> Amazon CloudFront -> Users]

Section 7: CloudFront with Lambda@Edge

[Diagram: the same ALB and EC2 Custom Origin; Lambda@Edge functions run in CloudFront between the Users and the origin]
Section 7: EBS and EFS Overview

[Diagram: the two storage services side by side]
• Amazon Elastic Block Store (EBS): an HDD/SSD Volume in a single Availability Zone, attached to an EC2 instance as a block device, e.g. /dev/xvdf
• Amazon Elastic File System: a file system mounted over NFSv4 (e.g. at /efs-mnt) by EC2 instances in several Availability Zones and by an On-premises client in the Corporate data center. Note: Linux only
Section 7: EBS Snapshots

[Diagram: a Volume attached to an EC2 instance in Availability Zone A is snapshotted to Amazon S3 (Snap A, Snap B, Snap C); a snapshot can be restored as a Volume in Availability Zone B]

Section 7: EBS Copying, Sharing and Encryption

[Diagram: the transitions between volumes, snapshots, AMIs and EC2 instances, with what can change at each step]
• Encrypted Volume -> Encrypted Snapshot: encryption state retained; same region; cannot be shared with other accounts if using the AWS managed CMK; cannot be shared publicly
• Encrypted Snapshot -> Copy -> Encrypted Snapshot: block devices remain encrypted; can change encryption key; can change regions
• Unencrypted Snapshot -> Copy -> Snapshot: can be encrypted during the copy; can change regions
• Encrypted Snapshot -> Encrypted Volume: block devices remain encrypted; can change AZ
• Unencrypted Snapshot -> Volume: can be encrypted when the volume is created; can change AZ
• Encrypted Snapshot -> Encrypted AMI: block devices remain encrypted; cannot be shared publicly; can be shared with other accounts only with a customer managed CMK
• Unencrypted Snapshot -> Unencrypted AMI: cannot be encrypted at registration; can be shared with other accounts; can be shared publicly
• Unencrypted AMI -> Copy -> AMI: can change encryption state; can change encryption key; can change regions
• Encrypted AMI -> EC2 Instance: can change AZ; block devices remain encrypted
• Unencrypted AMI -> EC2 Instance: can change AZ; can change encryption state (encrypt at launch)
Section 7: EFS Overview

[Diagram: Region -> VPC; an EFS File system with mount targets in several Availability Zones is mounted over NFSv4 at /efs-mnt by EC2 instances; it is also reached from a peered VPC (VPC Peering) and from an On-premises client in the Corporate data center over a VPN or Direct Connect connection. Note: Linux only]
Section 9: Elastic Container Services Overview

Definition of containers (from Docker):


A container is a standard unit of software that packages up code and all its dependencies so the
application runs quickly and reliably from one computing environment to another. A Docker container
image is a lightweight, standalone, executable package of software that includes everything needed to run
an application: code, runtime, system tools, system libraries and settings.
Section 9: Elastic Container Services Overview (diagram)

[Diagram: Amazon Elastic Container Registry (a Registry holding Images) -> Amazon Elastic Container Service: an ECS Cluster spanning two Availability Zones, an ECS Service, ECS Container instances in an Auto Scaling group, and Tasks running on those instances]

Task Definition (excerpt):
{
  "containerDefinitions": [
    {
      "name": "wordpress",
      "links": [
        "mysql"
      ],
      "image": "wordpress",
      "essential": true,
      "portMappings": [
        {
          "containerPort": 80,
          "hostPort": 80
        }
      ],
      "memory": 500,
      "cpu": 10
    }
  ]
}

Section 9: ECS Terminology

Elastic Container Service (ECS) | Description
Cluster | Logical grouping of EC2 instances
Container instance | EC2 instance running the ECS agent
Task Definition | Blueprint that describes how a docker container should launch
Task | A running container using settings in a Task Definition
Service | Defines long running tasks; can control task count with Auto Scaling and attach an ELB
Section 9: Launch Types – EC2 and Fargate
Figure: an ECS EC2 cluster (registry: ECR, Docker Hub, self-hosted) runs an ECS Service whose Tasks are placed on ECS Container instances that you provision; an ECS Fargate cluster (registry: ECR, Docker Hub) runs an ECS Service whose Tasks are placed on compute that Fargate provisions

EC2 Launch Type
• You explicitly provision EC2 instances
• You're responsible for managing EC2 instances (patching, agent, Docker)
• Charged per running EC2 instance
• EFS and EBS integration
• You handle cluster optimization
• More granular control over infrastructure

Fargate Launch Type
• Fargate automatically provisions resources
• Fargate provisions and manages compute
• Charged for running tasks
• No EBS integration (EFS volumes were added later, from Fargate platform version 1.4)
• Fargate handles cluster optimization
• Limited control, infrastructure is automated
Section 9: IAM Roles
Figure: in an ECS EC2 cluster the ECS Container instance carries an IAM Instance Role (used by the ECS agent, for example to register with the cluster and pull images) and each Task carries its own IAM Task Role; in an ECS Fargate cluster there is no container instance role, each Task has only its IAM Task Role (plus a task execution role for the agent-side work of pulling images and sending logs)
• Grant application permissions to the task role, not the instance role: a container that can reach the instance metadata endpoint (169.254.169.254) can otherwise use whatever the instance role allows
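The instance-role versus task-role split above is easy to get wrong in practice, so here is an added example (not code from the course) that audits task definitions for it. The task definitions are constructed sample input in the shape of the RegisterTaskDefinition API, with made-up ARNs and names; the ECS agent setting ECS_AWSVPC_BLOCK_IMDS and the iptables DOCKER-USER rule referenced in the findings are the documented ways to stop tasks on the EC2 launch type from reaching the instance credentials.

```python
"""Audit ECS task definitions for IAM-role hygiene (added example)."""
from __future__ import annotations

# Constructed sample task definitions (fake account ID, fake role names).
SAMPLE_TASK_DEFINITIONS = [
    {
        "family": "wordpress",
        "requiresCompatibilities": ["EC2"],
        "taskRoleArn": "arn:aws:iam::111111111111:role/wordpress-task",
        "executionRoleArn": "arn:aws:iam::111111111111:role/ecsTaskExecutionRole",
        "containerDefinitions": [
            {"name": "wordpress", "image": "wordpress", "privileged": False, "user": "1000"},
            {"name": "mysql", "image": "mysql", "privileged": False, "user": "999"},
        ],
    },
    {
        "family": "batch-job",
        "requiresCompatibilities": ["EC2"],
        # No taskRoleArn: on the EC2 launch type the containers can reach IMDS
        # and borrow the container instance role unless IMDS is blocked.
        "containerDefinitions": [
            {"name": "job", "image": "job:latest", "privileged": True},
        ],
    },
    {
        "family": "api",
        "requiresCompatibilities": ["FARGATE"],
        "networkMode": "awsvpc",
        "taskRoleArn": "arn:aws:iam::111111111111:role/api-task",
        "executionRoleArn": "arn:aws:iam::111111111111:role/ecsTaskExecutionRole",
        "containerDefinitions": [
            {"name": "api", "image": "api:1.2", "user": "root"},
        ],
    },
]


def audit_task_definition(td: dict) -> list[str]:
    """Return findings for one task definition (empty list means clean)."""
    findings: list[str] = []
    family = td.get("family", "<unnamed>")
    launch_types = set(td.get("requiresCompatibilities", ["EC2"]))

    if not td.get("taskRoleArn"):
        if "EC2" in launch_types:
            findings.append(
                f"{family}: no taskRoleArn; containers fall back to the container "
                "instance role via IMDS unless ECS_AWSVPC_BLOCK_IMDS=true (awsvpc) "
                "or an iptables DOCKER-USER rule dropping 169.254.169.254 (bridge) is set"
            )
        else:
            findings.append(f"{family}: no taskRoleArn; the task has no AWS permissions of its own")

    if "FARGATE" in launch_types and not td.get("executionRoleArn"):
        findings.append(f"{family}: Fargate task without executionRoleArn (image pull / log delivery will fail)")

    for c in td.get("containerDefinitions", []):
        name = c.get("name", "<unnamed>")
        if c.get("privileged"):
            findings.append(f"{family}/{name}: privileged container (host-level access on the EC2 launch type)")
        if c.get("user") in (None, "", "root", "0"):
            findings.append(f"{family}/{name}: runs as root; set a non-root user")
    return findings


def audit_all(task_definitions: list[dict]) -> dict[str, list[str]]:
    """Map each task-definition family to its findings."""
    return {td["family"]: audit_task_definition(td) for td in task_definitions}


if __name__ == "__main__":
    for family, findings in audit_all(SAMPLE_TASK_DEFINITIONS).items():
        print(family, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run it against the output of `aws ecs describe-task-definition` for each active family; the same checks translate directly into a CI gate on the task-definition JSON before it is registered.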


Section 9: ECS with Application Load Balancer (ALB)
Figure: an ECS Service runs WordPress + MySQL tasks in private subnets across two Availability Zones; every WordPress container listens on container port 80 but is published on a dynamic host port (32400, 32600 and 32601 in the figure); an Application Load Balancer in the public subnets, with a listener on HTTP (80), forwards client traffic from the internet to those host ports, and a NAT gateway gives the private subnets outbound internet access
Figure: the same pattern with two ECS Services (nginx and Apache) on one cluster; each container listens on container port 80 behind a distinct dynamic host port (32600, 32612, 32668, 32669), and the ALB listener on HTTP (80) routes each request to the matching service's target group
• With dynamic host ports, the container instance security group should allow the ephemeral port range only from the load balancer's security group, never from 0.0.0.0/0
Section 9: Elastic Container Registry
Figure: an internet client pushes an Image to a Registry in Amazon Elastic Container Registry; an EC2 Instance with Docker in a public subnet, and a Task in an Amazon Elastic Container Service Fargate cluster, pull the image from that registry
Section 9: Elastic Kubernetes Service
Figure: an EKS cluster in a VPC spanning three Availability Zones (public, public and private subnets); the Kubernetes control plane (master nodes) is managed by AWS, while the worker nodes are customer managed and run in the customer's subnets
Section 10: Comparing IaaS, CaaS, and FaaS
Which layers the consumer manages and which the provider manages:
• IaaS (e.g. EC2): consumer manages the VM/instance and everything on it (Functions, App, Runtime, Guest OS); the provider manages the Hypervisor and the Physical Hardware (CPU, RAM, Disk, NIC)
• CaaS (e.g. ECS): consumer manages the Container and its contents (Functions, App, Runtime); the provider manages the container Engine, the Guest OS and the Physical Hardware (CPU, RAM, Disk, NIC)
• FaaS (e.g. Lambda): consumer manages only the code (Functions); the provider manages the Runtime, Container, Engine, Guest OS and Physical Hardware (CPU, RAM, Disk, NIC)
Section 10: Comparing Compute Options
EC2
• You manage the operating system
• Scale vertically (more CPU/Mem/HDD) or scale horizontally (automatic) with Auto Scaling
• Use for traditional applications and long running tasks
• No timeout issues
• Pay for instance run time based on family/type
ECS (EC2 Launch Type)
• You manage the container instances (EC2) and the containers (tasks)
• Manually add container instances or use ECS Services and EC2 Auto Scaling
• Use for microservices and batch use cases where you need containers and need to retain management of the underlying platform
• No timeout issues
• Pay for instance run time based on family/type
ECS (Fargate Launch Type)
• You manage the containers (tasks)
• AWS scales the cluster automatically
• Use for microservices and batch use cases
• No timeout issues
• Pay for container run time based on allocated resources
Lambda
• You manage the code
• Lambda automatically scales concurrent executions up to the default limit (1000)
• Use for ETL, infrastructure automation, data validation, mobile backends
• Limited to 900 seconds execution time for a single execution (3 second default)
• Pay only for execution time based on memory allocation
Section 10: AWS Lambda – Hello World
Figure: a user runs a test event against an AWS Lambda function in a region; the function's output event is written to Amazon CloudWatch Logs
Section 10: AWS Lambda – S3 Event Source Mapping
Figure: a user uploads a JPG image to an Images Bucket; S3 notifies (pushes the event to) the AWS Lambda function, which writes resized images to a Resized Images Bucket and its log events to Amazon CloudWatch Logs
Note: Supported push notification services include: S3, SNS, SES, Cognito, CloudFormation, CloudWatch Logs, CloudWatch Events, CodeCommit, Scheduled Events, Config, Alexa, Lex, API Gateway, IoT Button, CloudFront, Kinesis Data Firehose
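An added example (not code from the course) of what the function on the receiving end of that S3 push notification should check before it trusts the event. The event shape is the real S3 "Records" structure; the bucket names, the output bucket and the JPEG-only rule are assumptions for the example, and the resize step is left out so the handler runs offline. Keys in S3 events are URL-encoded, which is why the handler decodes them before validating.

```python
"""Lambda handler for an S3 ObjectCreated notification, with input validation (added example)."""
from __future__ import annotations
from urllib.parse import unquote_plus

# Assumed configuration (hypothetical bucket names). The output bucket must
# not be in the allow-list, otherwise the function would trigger itself.
ALLOWED_SOURCE_BUCKETS = {"images-bucket"}
OUTPUT_BUCKET = "resized-images-bucket"
ALLOWED_SUFFIXES = (".jpg", ".jpeg")


def object_key_from_record(record: dict) -> tuple[str, str]:
    """Extract (bucket, key); S3 URL-encodes keys in events ('+' for space), so decode."""
    s3 = record["s3"]
    return s3["bucket"]["name"], unquote_plus(s3["object"]["key"])


def validate(bucket: str, key: str) -> str | None:
    """Return a rejection reason, or None if the object may be processed."""
    if bucket not in ALLOWED_SOURCE_BUCKETS:
        return f"unexpected source bucket {bucket!r}"
    if not key.lower().endswith(ALLOWED_SUFFIXES):
        return f"unsupported object type {key!r}"
    # Keys are opaque strings to S3, but once a key is mapped to a local path
    # (e.g. under /tmp in Lambda) a '..' segment must not be allowed to escape it.
    if ".." in key.split("/"):
        return f"path traversal in key {key!r}"
    return None


def handler(event: dict, context=None) -> dict:
    """Process each record; return the targets that would be written and what was rejected."""
    written, rejected = [], []
    for record in event.get("Records", []):
        if record.get("eventSource") != "aws:s3" or not record.get("eventName", "").startswith("ObjectCreated"):
            rejected.append((record.get("eventName"), "not an S3 ObjectCreated event"))
            continue
        bucket, key = object_key_from_record(record)
        reason = validate(bucket, key)
        if reason:
            rejected.append((key, reason))
            continue
        # Real code would get_object, resize with an image library and
        # put_object into OUTPUT_BUCKET; here only the target is computed.
        written.append(f"s3://{OUTPUT_BUCKET}/{key}")
    return {"written": written, "rejected": rejected}


# Constructed sample event: same shape as a real S3 notification, fake data.
SAMPLE_EVENT = {
    "Records": [
        {"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
         "s3": {"bucket": {"name": "images-bucket"}, "object": {"key": "2024/cat+photo.jpg"}}},
        {"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
         "s3": {"bucket": {"name": "images-bucket"}, "object": {"key": "../../etc/passwd.jpg"}}},
        {"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
         "s3": {"bucket": {"name": "other-bucket"}, "object": {"key": "x.jpg"}}},
        {"eventSource": "aws:s3", "eventName": "ObjectRemoved:Delete",
         "s3": {"bucket": {"name": "images-bucket"}, "object": {"key": "old.jpg"}}},
    ]
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```

The bucket allow-list matters even though S3 only invokes the function for configured buckets: the function's resource policy decides who may invoke it, and anyone allowed to call Invoke can hand it an arbitrary event.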
Section 10: AWS Lambda – DynamoDB Event Source Mapping
Figure: a user updates an item in Amazon DynamoDB; AWS Lambda polls the table's stream (poll-based event source) and writes its log events to Amazon CloudWatch Logs
Note: Supported poll-based services are DynamoDB, Kinesis, and SQS
Section 10: API Gateway Overview
Figure: mobile clients, services and websites call a REST API over HTTPS through Amazon API Gateway on the internet; API Gateway integrates with back ends in a VPC (an AWS Lambda function, an EC2 Instance in a private subnet, an Application Load Balancer in front of EC2 Instances in a public subnet), with any other AWS service, or with any public endpoint
Section 10: API Gateway Endpoint Types
• Edge-optimized endpoint: requests from anywhere in the AWS Cloud enter through Amazon CloudFront and reach Amazon API Gateway. Key benefit: reduced latency for requests from around the world
• Regional endpoint: Amazon API Gateway in a region, called by services in the same region. Key benefits: reduced latency for requests that originate in the same region; you can also configure your own CDN and protect the API with WAF
• Private endpoint: Amazon API Gateway reachable only from inside the VPC (through an interface VPC endpoint), used by services in the same VPC. Key benefit: securely expose your REST APIs only to other services within your VPC, or to on-premises clients connected via Direct Connect
Section 10: AWS Lambda – Microservice with Lambda, API Gateway and DynamoDB
Figure: a mobile client or other client sends a REST API request (DELETE, GET, POST, PUT) to Amazon API Gateway, which forwards it to AWS Lambda; the function reads and writes Amazon DynamoDB
Section 11: Database Types – Relational vs Non-Relational
Key differences are how data are managed and how data are stored
Relational vs Non-Relational
• Structure: relational data is organized by tables, rows and columns; non-relational uses varied data storage models
• Schema: relational has a rigid schema (SQL); non-relational has a flexible schema (NoSQL), with data stored as key-value pairs, columns, documents or graphs
• Rules: relational rules are enforced within the database; non-relational rules can be defined in application code (outside the database)
• Scaling: relational is typically scaled vertically; non-relational scales horizontally
• Queries: relational supports complex queries and joins; non-relational offers simple query languages without joins and can store data of any shape or schema
• Consistency: relational typically enforces ACID (Atomicity, Consistency, Isolation, Durability) compliance; non-relational typically prioritises performance over strict ACID guarantees
• Examples: relational: Amazon RDS, Oracle, MySQL, IBM DB2, PostgreSQL; non-relational: Amazon DynamoDB, MongoDB, Redis, Neo4j
Section 11: Types of Non-Relational DB
Key-value – e.g. Amazon DynamoDB

Document – e.g. MongoDB

Graph – e.g. Amazon Neptune


Section 11: Database Types – Operational vs Analytical
Key differences are use cases and how the database is optimized
Operational / transactional vs Analytical
• Processing model: Online Transaction Processing (OLTP); Online Analytics Processing (OLAP), where the source data comes from OLTP DBs
• Role: production DBs that process transactions, e.g. adding customer records, checking stock availability (INSERT, UPDATE, DELETE); a data warehouse, typically separated from the customer-facing DBs, from which data is extracted for decision making
• Workload: short transactions and simple queries; long transactions and complex queries
• Relational examples: Amazon RDS, Oracle, IBM DB2, MySQL; Amazon RedShift, Teradata, HP Vertica
• Non-relational examples: MongoDB, Cassandra, Neo4j, HBase; Amazon EMR, MapReduce
Section 11: Databases – Architecture Discussion
Data Store: when to use
• Database on EC2: full control over instance and database; preferred DB not available under RDS
• Amazon RDS: need a traditional relational database for OLTP; your data is well-formed and structured
• Amazon DynamoDB: name/value pair data; unpredictable data structure; in-memory performance with persistence; high I/O needs; require dynamic scaling
• Amazon RedShift: data warehouse for large volumes of aggregated data; primarily OLAP workloads
• Amazon Neptune: relationships between objects are of high value
• Amazon ElastiCache: fast temporary storage for small amounts of data; highly volatile data (non-persistent)
Section 11: Amazon RDS – Multi-AZ and Read Replicas
Multi-AZ Deployments vs Read Replicas
• Replication: Multi-AZ uses synchronous replication (highly durable); Read Replicas use asynchronous replication (highly scalable)
• Access: in Multi-AZ only the database engine on the primary instance is active; all read replicas are accessible and can be used for read scaling
• Backups: Multi-AZ automated backups are taken from the standby; read replicas have no backups configured by default
• Placement: Multi-AZ always spans two Availability Zones within a single Region; read replicas can be within an Availability Zone, cross-AZ, or cross-Region
• Upgrades: in Multi-AZ, database engine version upgrades happen on the primary; a read replica's engine version upgrade is independent from the source instance
• Failover: Multi-AZ fails over automatically to the standby when a problem is detected; a read replica can be manually promoted to a standalone database instance
Section 11: Amazon RDS Multi-AZ
Figure: an RDS Master in one Availability Zone of the VPC replicates synchronously to an RDS standby replica in a second Availability Zone; the EC2 App Server connects to the single endpoint address (digitalcloud.cp4nicjx1son.ap-southeast-2.rds.amazonaws.com), which is remapped to the standby on failover; the standby has no endpoint address of its own
Section 11: Amazon RDS Read Replicas
Figure: the RDS Master serves reads and writes from an EC2 App Server and replicates synchronously to its Multi-AZ standby (RDS Replica) in another Availability Zone; a separate RDS Read Replica is fed asynchronously and serves reads only, from a second EC2 App Server, through its own endpoint address (ro-digitalcloud.cp4nicjx1son.ap-southeast-2.rds.amazonaws.com)
Section 11: Amazon RDS Aurora Key Features
Aurora Feature: benefit
• High performance and scalability: high performance, self-healing storage that scales up to 64TB, point-in-time recovery and continuous backup to S3
• DB compatibility: compatible with existing MySQL and PostgreSQL open source databases
• Aurora Replicas: in-region read scaling and failover target – up to 15 (can use Auto Scaling)
• MySQL Read Replicas: cross-region cluster with read scaling and failover target – up to 5 (each can have up to 15 Aurora Replicas)
• Global Database: cross-region cluster with read scaling (fast replication / low latency reads); can remove the secondary and promote it
• Multi-Master: scales out writes within a region; in preview currently and will not appear on the exam
• Serverless: on-demand, autoscaling configuration for Amazon Aurora; does not support read replicas or public IPs (can only be accessed through the VPC or Direct Connect, not VPN)
Section 11: Amazon RDS Aurora Replicas
Feature                                            Aurora Replica                  MySQL Replica
Number of replicas                                 Up to 15                        Up to 5
Replication type                                   Asynchronous (milliseconds)     Asynchronous (seconds)
Performance impact on primary                      Low                             High
Replica location                                   In-region                       Cross-region
Act as failover target                             Yes (no data loss)              Yes (potentially minutes of data loss)
Automated failover                                 Yes                             No
Support for user-defined replication delay         No                              Yes
Support for different data or schema vs. primary   No                              Yes

Section 11: Aurora Fault Tolerance and Aurora Replicas
Figure: a Primary (reads and writes) and three Aurora Replicas (reads) spread across three Availability Zones share a Single Logical Volume whose Data Copies are kept in every AZ
Aurora Fault Tolerance
• Fault tolerance across 3 AZs
• Single logical volume
• Aurora Replicas scale-out read requests
• Up to 15 Aurora Replicas with sub-10ms replica lag
• Aurora Replicas are independent endpoints
• Can promote an Aurora Replica to be the new primary, or create a new primary
• Set priority (tiers) on Aurora Replicas to control the order of promotion
• Can use Auto Scaling to add replicas
Section 11: Cross-Region Replica with Aurora MySQL
Figure: the Primary Region cluster (three Availability Zones) takes the writes and replicates asynchronously to read-only clusters in two other Regions, each also spanning three Availability Zones
Section 11: Aurora Global Database
Figure: the Primary Region cluster takes the writes and replicates asynchronously to a Secondary Region cluster that serves reads; both clusters span three Availability Zones
Section 11: DynamoDB Overview
DynamoDB Feature: benefit
• Serverless: fully managed, fault tolerant service
• Highly available: 99.99% availability SLA; 99.999% for Global Tables
• NoSQL type of database with Name/Value structure: flexible schema, good for when data is not well structured or is unpredictable
• Horizontal scaling: seamless scalability to any scale with push button scaling or Auto Scaling
• DynamoDB Streams: captures a time-ordered sequence of item-level modifications in a DynamoDB table and durably stores the information for up to 24 hours; often used with Lambda and the Kinesis Client Library (KCL)
• DynamoDB Accelerator (DAX): fully managed in-memory cache for DynamoDB that increases performance (microsecond latency)
• Transaction options: strongly consistent or eventually consistent reads, support for ACID transactions
• Backup: point-in-time recovery down to the second within the last 35 days; on-demand backup and restore
• Global Tables: fully managed multi-region, multi-master solution
Section 11: DynamoDB Accelerator (DAX)
Figure: an EC2 Instance in a VPC sends its requests to a DAX cluster, which serves cached reads and passes writes through to Amazon DynamoDB. The EC2 instance's IAM Role needs permissions to access DynamoDB and DAX; the DAX cluster's own IAM Role needs permissions to access DynamoDB
Security group on the DAX cluster, inbound rules as drawn in the figure:
• TCP 8000 (DynamoDB) from 0.0.0.0/0
• TCP 8111 (DAX) from 0.0.0.0/0
Caveat: 0.0.0.0/0 is far too wide for a cache that fronts your table. Restrict the DAX port to the security group of the application instances. DAX listens on 8111 for unencrypted clusters and 9111 for clusters with encryption in transit; port 8000 is the port of DynamoDB Local, the DynamoDB service itself is reached over HTTPS (443) and needs no inbound rule at all
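An added example (not from the course) that does the tightening described in the caveat: it takes a security-group description in the shape returned by the EC2 DescribeSecurityGroups API, flags inbound rules open to the whole internet, and rewrites the DAX ones so they accept traffic only from the application's security group. The group IDs and rules are constructed sample data; "sg-0app00000000" is a hypothetical application security group.

```python
"""Find and fix world-open inbound rules on a DAX cluster security group (added example)."""
from __future__ import annotations
import ipaddress

DAX_PORTS = {8111: "DAX (unencrypted)", 9111: "DAX (TLS)"}

# Constructed sample: the DAX cluster security group as drawn on the slide.
DAX_SG = {
    "GroupId": "sg-0dax00000000",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 8111, "ToPort": 8111,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 9111, "ToPort": 9111,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0app00000000"}]},
    ],
}


def is_world_open(rule: dict) -> bool:
    """True if any CIDR on the rule is 0.0.0.0/0 or ::/0 (prefix length 0)."""
    for r in rule.get("IpRanges", []) + rule.get("Ipv6Ranges", []):
        cidr = r.get("CidrIp") or r.get("CidrIpv6")
        if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            return True
    return False


def find_exposed_rules(sg: dict) -> list[dict]:
    """Return inbound rules that are open to the world, with a note on the port."""
    exposed = []
    for rule in sg.get("IpPermissions", []):
        if not is_world_open(rule):
            continue
        port = rule.get("FromPort")
        exposed.append({
            "port": port,
            "service": DAX_PORTS.get(port, "not a DAX port (8000 is DynamoDB Local; DynamoDB itself is HTTPS/443)"),
        })
    return exposed


def proposed_rules(sg: dict, app_sg_id: str) -> list[dict]:
    """Rewrite world-open DAX rules to accept only the app security group; drop other world-open rules."""
    fixed = []
    for rule in sg.get("IpPermissions", []):
        port = rule.get("FromPort")
        if is_world_open(rule):
            if port in DAX_PORTS:
                fixed.append({"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                              "IpRanges": [], "UserIdGroupPairs": [{"GroupId": app_sg_id}]})
            # a world-open rule on a non-DAX port has no reason to exist here
            continue
        fixed.append(rule)
    return fixed


if __name__ == "__main__":
    for f in find_exposed_rules(DAX_SG):
        print("exposed:", f)
    for r in proposed_rules(DAX_SG, "sg-0app00000000"):
        print("keep:", r["FromPort"], r["UserIdGroupPairs"] or r["IpRanges"])
```

The proposed list is in the exact shape `authorize_security_group_ingress` accepts, so applying it is a revoke of the old IpPermissions followed by an authorize of the new ones.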
Section 11: DynamoDB Global Tables
Figure: App Servers in Region A, Region B and Region C each read and write their local Amazon DynamoDB table; the tables replicate asynchronously with one another
Section 11: ElastiCache Overview
Feature: Memcached / Redis (cluster mode disabled) / Redis (cluster mode enabled)
• Data persistence: No / Yes / Yes
• Data types: Simple / Complex / Complex
• Data partitioning: Yes / No / Yes
• Encryption: No (later Memcached engine versions, 1.6.12 and above, added encryption in transit) / Yes / Yes
• High availability (replication): No / Yes / Yes
• Multi-AZ: Yes, place nodes in multiple AZs, but no failover or replication / Yes, with auto-failover, using read replicas (0-5 per shard) / Yes, with auto-failover, using read replicas (0-5 per shard)
• Scaling: Up (node type) and out (add nodes) / Single shard (can add replicas) / Add shards
• Multithreaded: Yes / No / No
• Backup and restore: No (and no snapshots) / Yes, automatic and manual snapshots / Yes, automatic and manual snapshots
Section 11: ElastiCache Memcached
Figure: an ElastiCache Memcached Cluster in Region A with nodes spread over Availability Zone A and Availability Zone B (Node 1 through Node n); each node is a partition of the data, with no replication between nodes
Section 11: ElastiCache Redis (Cluster mode disabled)
Figure: an ElastiCache Redis Cluster in Region A with a single Shard: one Primary plus read Replicas (three in the figure) spread across Availability Zone A and Availability Zone B; the cluster can fail over to a replica
Section 11: ElastiCache Redis (Cluster mode enabled)
Figure: an ElastiCache Redis Cluster in Region A with three Shards, each with its own Primary and two Replicas (Replica 1, Replica 2) spread across Availability Zone A and Availability Zone B
Section 11: Amazon RedShift
Figure: SQL clients and BI tools connect over JDBC/ODBC to the Redshift Leader Node in one Availability Zone of Region A; the leader coordinates query execution across the Compute nodes, which execute the queries. Ingestion, backup and restore use Amazon S3, and snapshots can be copied cross-region to Region B
Section 12: Amazon Kinesis Data Streams and Firehose Destinations
Figure (Kinesis Data Streams): producers capture and send data to a Stream made of Shards, where it is captured and stored for processing; stream Consumers (EC2) or Analytics Tools then write it to Amazon S3, Amazon DynamoDB, Amazon RedShift or Amazon EMR
Figure (Kinesis Firehose): producers capture and send data to a Kinesis Firehose Stream; Firehose captures, optionally transforms (Lambda transformation) and loads the streaming data continuously to its Destinations: Amazon S3, Amazon RedShift and Amazon Elasticsearch, from which Analytics Tools read
Section 12: Amazon Kinesis Firehose Destinations
• Amazon S3: delivered to an S3 bucket, with optional backup
• Amazon RedShift: delivered to an S3 bucket first, then loaded into RedShift
• Amazon Elasticsearch: delivered to ES and optionally to S3
• Splunk: delivered to Splunk and optionally to S3
Section 12: AWS Lambda and Kinesis Stream
Figure: records are uploaded to a Kinesis Data Streams Stream (Shards); the Lambda Function polls the stream (poll-based event source) and writes its events to Amazon CloudWatch Logs
Section 12: Amazon EMR
Figure: Amazon EMR creates clusters (Core Hadoop, HBase, Presto or Spark) in an Availability Zone. Each cluster has 1 master and n core nodes; you get root access to the cluster instances, can optionally attach EBS volumes, and run step executions (streaming, Hive, Pig, Spark, custom JAR). Scale a cluster (instances) or deploy multiple clusters
Data Store options: Amazon Simple Storage Service (S3), Amazon S3 Glacier, Amazon Redshift, Amazon DynamoDB, Amazon RDS, HDFS
Section 13: Application Integration Services
Service: what it does / example use cases
• Simple Notification Service: set up, operate, and send notifications from the cloud / send an email notification when a CloudWatch alarm is triggered
• Step Functions: out-of-the-box coordination of AWS service components with a visual workflow / order processing workflow
• Simple Workflow Service: supports external processes or specialized execution logic / human-enabled workflows like an order fulfilment system, or procedural requests. AWS recommends that for new applications customers consider Step Functions instead of SWF
• Simple Queue Service: messaging queue; store and forward patterns / building distributed, decoupled applications
• Amazon MQ: managed message broker based on Apache ActiveMQ / easy, low-hassle path to migrate existing message brokers to AWS
Section 13: Simple Notification Service
Figure: a Publisher sends a message to an Amazon Simple Notification Service Topic, which fans it out to Subscribers over the supported transport protocols: Lambda, Amazon Simple Queue Service (for decoupling), HTTP/HTTPS (web application), Email / Email-JSON, and SMS (text)
Section 13: Simple Queue Service
Figure: an Application publishes to an Amazon Simple Notification Service Topic; the topic delivers into an Amazon Simple Queue Service Queue; a Lambda function polls SQS and writes its events to Amazon CloudWatch Logs
Section 13: Simple Queue Service Queue Types
Section 14: Infrastructure as Code and PaaS
CloudFormation vs Elastic Beanstalk
• Tagline: CloudFormation is "template-driven provisioning"; Elastic Beanstalk is "web apps made easy"
• Scope: CloudFormation deploys infrastructure using code; Elastic Beanstalk deploys applications on EC2 (PaaS)
• Coverage: CloudFormation can be used to deploy almost any AWS service; Elastic Beanstalk deploys web applications based on Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker
• Input: CloudFormation uses JSON or YAML template files; Elastic Beanstalk uses ZIP or WAR files (or Git)
• Relationship: CloudFormation can deploy Elastic Beanstalk environments; Elastic Beanstalk cannot deploy arbitrary CloudFormation templates (although it uses CloudFormation internally to build its environments)
• Comparable to: CloudFormation is similar to Terraform; Elastic Beanstalk is similar to Google App Engine
Section 14: HA Wordpress using CloudFormation
Section 14: HA WordPress with Elastic Beanstalk and RDS
Figure: a Developer uploads the source code in a ZIP file to AWS Elastic Beanstalk, which builds an Elastic Beanstalk environment in a VPC: an Application Load Balancer in front of an Auto Scaling group of instances in public subnets across two Availability Zones, the instances sharing files through an EFS client, with an RDS Master Instance in one AZ and an RDS Standby in the other
Section 15: Monitoring and Logging Overview
CloudWatch vs CloudTrail
• Purpose: CloudWatch is performance monitoring (operations); CloudTrail is auditing (security)
• What is logged: CloudWatch logs events across AWS services (think operations); CloudTrail logs API activity across AWS services (think activities: which principal called which API, from which IP, when)
• Level: CloudWatch is higher-level, comprehensive monitoring and eventing; CloudTrail is lower-level and more granular
• Multi-account: both can log from multiple accounts
• Retention: CloudWatch Logs are stored indefinitely by default (retention is configurable per log group); CloudTrail logs are delivered to S3 or CloudWatch Logs and stored there indefinitely
• Alarms: CloudWatch keeps alarm history for 14 days; CloudTrail has no native alarming, but CloudWatch alarms on metric filters over the trail's log group can alert on API events
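The "no native alarming" row is usually closed by metric filters on the trail's CloudWatch Logs group. The added example below (not code from the course) expresses three of the usual first detections in plain Python so the logic can be tested offline: root account use (the same exclusions as the CIS benchmark filter), a successful console login without MFA, and an API call that stops or alters the trail. The records are constructed to match the CloudTrail event format, with fake account IDs and IP addresses.

```python
"""Detection logic over CloudTrail records (added example)."""
from __future__ import annotations

# Constructed sample records: a subset of the fields a real CloudTrail record carries.
SAMPLE_RECORDS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::111111111111:user/alice"},
     "sourceIPAddress": "203.0.113.10", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::111111111111:user/bob"},
     "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "CreateBucket", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::111111111111:user/bob"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"name": "management-trail"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/ops/alice"},
     "sourceIPAddress": "203.0.113.10"},
]


def root_usage(rec: dict) -> str | None:
    """Root credentials used directly (service-invoked and AwsServiceEvent records excluded, as in the CIS filter)."""
    ident = rec.get("userIdentity", {})
    if ident.get("type") == "Root" and "invokedBy" not in ident and rec.get("eventType") != "AwsServiceEvent":
        return f"root account used for {rec['eventName']} from {rec.get('sourceIPAddress')}"
    return None


def console_login_without_mfa(rec: dict) -> str | None:
    """Successful console sign-in where MFAUsed is anything other than 'Yes'."""
    if rec.get("eventName") != "ConsoleLogin":
        return None
    if rec.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return None
    if rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        return f"console login without MFA: {rec['userIdentity'].get('arn')} from {rec.get('sourceIPAddress')}"
    return None


def trail_tampering(rec: dict) -> str | None:
    """CloudTrail API calls that stop, delete or reconfigure a trail."""
    if rec.get("eventSource") == "cloudtrail.amazonaws.com" and rec.get("eventName") in (
            "StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"):
        name = rec.get("requestParameters", {}).get("name")
        return f"{rec['eventName']} on trail {name!r} by {rec['userIdentity'].get('arn')}"
    return None


DETECTIONS = (root_usage, console_login_without_mfa, trail_tampering)


def run_detections(records: list[dict]) -> list[tuple[str, str]]:
    """Apply every detection to every record; return (detection name, message) pairs in record order."""
    hits = []
    for rec in records:
        for det in DETECTIONS:
            msg = det(rec)
            if msg:
                hits.append((det.__name__, msg))
    return hits


if __name__ == "__main__":
    for name, msg in run_detections(SAMPLE_RECORDS):
        print(f"[{name}] {msg}")
```

The same three rules map one-to-one onto CloudWatch Logs metric filter patterns on the trail's log group, each backed by a CloudWatch alarm that notifies an SNS topic; the Python version is useful for unit-testing the pattern against saved records before deploying it.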
Section 16: IAM Authentication Methods
Credentials that can be attached to an IAM User:
• Access Key: consists of an Access key ID and a secret access key; used for API calls (CLI and SDKs). MFA protection can be added to API operations
• Password: used for the AWS Management Console; can also be protected with MFA
• Signing Certificate: used by some AWS services
Section 16: IAM Policies – Roles, Users and Groups
Identity-based policies are attached (inline or managed) to an IAM Role, an IAM User or an IAM Group
• Roles are "assumed" by trusted entities and define a set of permissions for making AWS service requests
• A group is not an identity and cannot be identified as a principal in an IAM policy
IAM Policies:
• Policies are documents that define permissions and can be applied to users, groups and roles
• Written in JSON
• All permissions are implicitly denied by default
• With multiple policies, an explicit Deny in any of them overrides every Allow; a request is allowed only when some policy allows it and no policy denies it
• The Condition element can be used to apply further conditional logic
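The three evaluation rules above (implicit deny by default, explicit Deny wins, Condition narrows a statement) are small enough to run. The added example below is not AWS's evaluator and not from the course; it implements only a subset of IAM: Action and Resource wildcards with "*", and the Bool, StringEquals, IpAddress and NotIpAddress condition operators. Resource policies, permission boundaries and SCPs are out of scope. The policies and requests at the bottom are constructed.

```python
"""Minimal identity-based IAM policy evaluator (added example)."""
from __future__ import annotations
import fnmatch
import ipaddress


def _matches(patterns, value: str) -> bool:
    """IAM-style glob match, e.g. 's3:Get*' or 'arn:aws:s3:::bucket/*'."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_ok(condition: dict, ctx: dict) -> bool:
    """Every operator/key pair must hold. A missing key fails positive operators and
    passes negated ones, which is how IAM treats absent condition keys."""
    for operator, kv in condition.items():
        for key, wanted in kv.items():
            actual = ctx.get(key)
            if operator == "Bool":
                if str(actual).lower() != str(wanted).lower():
                    return False
            elif operator == "StringEquals":
                if actual != wanted:
                    return False
            elif operator in ("IpAddress", "NotIpAddress"):
                if actual is None:
                    if operator == "IpAddress":
                        return False
                    continue
                nets = [wanted] if isinstance(wanted, str) else wanted
                inside = any(ipaddress.ip_address(actual) in ipaddress.ip_network(n) for n in nets)
                if inside != (operator == "IpAddress"):
                    return False
            else:
                raise ValueError(f"unsupported condition operator {operator}")
    return True


def evaluate(policies: list[dict], action: str, resource: str, ctx: dict | None = None) -> str:
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if not _matches(stmt.get("Action", []), action):
                continue
            if not _matches(stmt.get("Resource", "*"), resource):
                continue
            if not _condition_ok(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"      # a matching Deny ends evaluation
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Constructed example policies (hypothetical bucket and IP range): broad S3 read,
# a write that requires MFA, and a Deny on everything from outside the corporate range.
POLICIES = [
    {"Statement": [
        {"Effect": "Allow", "Action": "s3:Get*", "Resource": "arn:aws:s3:::app-bucket/*"},
        {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::app-bucket/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ]},
    {"Statement": [
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ]},
]

if __name__ == "__main__":
    corp = {"aws:SourceIp": "203.0.113.5"}
    print(evaluate(POLICIES, "s3:GetObject", "arn:aws:s3:::app-bucket/a.txt", corp))
    print(evaluate(POLICIES, "s3:GetObject", "arn:aws:s3:::app-bucket/a.txt", {"aws:SourceIp": "198.51.100.1"}))
    print(evaluate(POLICIES, "s3:PutObject", "arn:aws:s3:::app-bucket/a.txt", corp))
    print(evaluate(POLICIES, "s3:PutObject", "arn:aws:s3:::app-bucket/a.txt", {**corp, "aws:MultiFactorAuthPresent": True}))
```

Note the order in `evaluate`: a statement that fails its Condition is skipped entirely, so the MFA-conditioned Allow contributes nothing without MFA and the result is an implicit deny rather than an explicit one, which is exactly what the IAM policy simulator reports for the same inputs.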


Section 16: IAM Best Practices
• Lock away the AWS root user access keys
• Create individual IAM users
• Use AWS defined policies to assign permissions whenever possible
• Use groups to assign permissions to IAM users
• Grant least privilege
• Use access levels to review IAM permissions
• Configure a strong password policy for users
• Enable MFA for privileged users
• Use roles for applications that run on AWS EC2 instances
• Delegate by using roles instead of sharing credentials
• Rotate credentials regularly
• Remove unnecessary credentials
• Use policy conditions for extra security
• Monitor activity in your AWS account
Section 16: Amazon Cognito
Figure, in three steps: 1. the App authenticates against a Cognito User Pool and gets tokens; 2. it exchanges the tokens with a Cognito Identity Pool for temporary AWS credentials; 3. it accesses other AWS services (Amazon DynamoDB, Amazon Simple Storage Service (S3)) with those credentials
Section 16: KMS Customer Master Keys (CMKs)
Type of CMK            Can view   Can manage   Used only for my account
Customer managed CMK   Yes        Yes          Yes
AWS managed CMK        Yes        No           Yes
AWS owned CMK          No         No           No

Section 16: Old and New CloudHSM
                    "Classic" CloudHSM               Current CloudHSM
Device              SafeNet Luna SA                  Proprietary AWS
Pricing             Upfront cost required ($5000)    No upfront cost, pay per hour
High Availability   Have to buy a second device      Clustered
FIPS 140-2          Level 2                          Level 3