1
Q
What is an Availability Zone?
A
- one or more discrete data centers with redundant power, networking, and connectivity
- They’re separate from each other, so that they’re isolated from disasters
- They’re connected with high bandwidth, ultra-low latency networking
2
Q
What is a Region?
A
- has many availability zones
- min is 2, max is 6, usually 3
3
Q
What is IAM?
A
Identity Access Management is global Made up of - Users (start off with no access) - Groups - Policies (JSON scripts) - Roles
4
Q
What is Federation?
A
A way to integrate IAM with your own repository of users (AD Groups) via SAML
5
Q
How many Roles can be applied to an application?
A
One
6
Q
What are Root Credentials?
A
- The original user created that has full rights to everything.
- should never be used except for initial setup
7
Q
What is EC2?
A
a rented virtual machines (EC2 – Elastic Compute Cloud)
8
Q
What systems and tools can use SSH?
A
- Mac: SSH, EC2 Instance Connect
- Linux: SSH, EC2 Instance Connect
- < Win 10: Putty, EC2 Instance Connect
- > = Win 10: SSH, Putty, EC2 Instance Connect
9
Q
What are Security Groups?
A
- They control how traffic is allowed into or out of our EC2 Machines like “a firewall”
- They can be attached to multiple instances but only one region/VPC combination
- They can access IPs, IP ranges or other security groups
10
Q
What are the most common ports used?
A
SSH = port 22 HTTP = port 80
11
Q
How do i resolve a permission issue when using SSH?
A
execute “chmod 0400” to add appropriate permission
12
Q
What kind of problem is it when an application is not accessible due to timeout?
A
It is a security group issue
13
Q
When will i get a “connection refused” error?
A
When it is an application error or application is not launced
14
Q
What are the default values for inbound and outbound traffic?
A
Inbound traffic is blocked
Outbound traffic is authorized
15
Q
What are the two kinds of IPs?
A
IPv4: [0-255].[0-255].[0-255].[0-255] is most common
IPv6: 3ffe:1900:4545:3:200:f8ff:fe21:67cf solves for IOIT
16
Q
What is an Elastic IP?
A
- A static IPv4 that you own as long as it is not deleted
- It can mask the failure of an instance or software by rapidly remapping the address to another instance in your account
- Only 5 per account (but can ask AWS to increase if needed)
- Not recommended, better to use random IP with Load Balancer that has a DNS name
17
Q
What is EC2 User Data?
A
A bootstrap script which runs as the root user
Can be used to…
- Install updates
- Install software
- Download common files from the internet
- and anything else you can think of
18
Q
What are the EC2 Launch Types?
A
- On Demand Instances (short timeframe, static, pay for what you use)
- Reserved Instances (long timeframe, flexible sizing, 54% discount)
- Scheduled Reserve Instances (recurring timeframe, static, pay for what you use)
- Spot Instances (short timeframe, static, bid price as long as it is >= spot price) most cost efficient
- Spot Fleet is a set of Spot Instances + (optional) On-Demand Instances
- Dedicated Instance is a dedicated physical server for you only, can be shared with others in same account, per instance billing and possible region fee
- Dedicated Host is a dedicated physical server where we have full control and visibility to underlying sockets/cores, 3 year reservation, pricing per host
19
Q
What are the main EC2 Instance Types?
A
R for Ram intensive C for CPU intensive M for Medium loads I for I/O intensive G for GPU intensive T2/T3 for burstable loads (uses credits built up during non bursting, can become BAD if all credits used up)
Billing typically by the second (except for t2.micro which is free)
20
Q
What is an AMI?
A
- Amazon Machine Image are images of an EC2 instance which can be private or public
- they are region specific
- they live on S3
- only charged for actual space used on S3
21
Q
How do i share an AMI with another region?
A
Owner of the source AMI must grant read permissions to the s3 bucket or EBS snapshot
22
Q
What is a placement group?
A
Provides control over the EC2 Instance strategy…
- Cluster: clusters instances into a low-latency group in a single AZ, pro:great bandwidth, con:one fails all fail
- Spread: spreads instances across underlying hardware, pro:reduced failure risk con:max 7 instances per group per AZ
- Partition: spreads instances across many different racks within AZ. pro:7 partitions per AZ and 100s of EC2 instances per group (Hadoop, Cassandra, Kafka) con: partition failures effect all EC2s in that partition
23
Q
What is an ENI?
A
Elastic Network Interface in a VPC that represents a virtal network card
- contains one primary private IP and one or more secondary IPs
- can have one or more security groups
- attaches on the fly to EC2 instances for easy failover
- bound to a single AZ
24
Q
What are the EC2 states?
A
Stop - retains data for next start
Start - first start OS boots and User Data script run, second start only OS boots
Terminate - all data and volumes destroyed
Hibernate - RAM state (<150GB) is written to file in the root EBS volume which must be encrypted. Available in (C3-5, M3-5, & R3-5), 60 day limit
25
What does vertical scalability mean?
Increasing the size of the instance (i.e t2.micro to t2.large)
26
What does horizontal scalability mean?
Increasing the number of instances for your application (i.e. 1 t2.large to five t2.large)
27
What is High Availability?
Running your application in at least 2 data centers (AZs) with a goal to survive a data center loss. Usually associated with horizontal scalability (ASG) and/or just Multi-AZ(ELB, ALB)
28
What is Load Balancing?
A way to spread loads across multiple instances and expose a single point of access through a DNS. Also known as an Elastic Load Balancer (ELB).
It can also...
- do regular health checks of your instances
- provide SSL termination (HTTPS) for your websites
- enforce stickiness with cookies
29
What are the ELB Types?
- Classic Load Balancer (CLB)
- Application Load Balancer (ALB)
- Network Load Balancer (NLB) new generation TCP, TLS (secure TCP), UDP
- can be private (internal) or public(external)
30
What is an ALB Routing Table?
A table used for routing traffic to target groups based on
- path in URL (example.com/users & example.com/posts)
- hostname in URL (one.example.com & other.example.com)
- query string, headers (example.com/users?id=123&order=false)
31
What are Target Groups?
- EC2 instances (can be managed by ASG)
- ECS tasks
- Lambda functions
- IP Addresses (must be private)
32
What is a Classic Load Balancer?
- An old generation load balancer for HTTP, HTTPs and TCP traffic
- contains a fixed hostname
- supports only one SSL certificate
33
What is an Application Load Balancer?
- a new generation load balancer for HTTP, HTTPS, and WebSocket traffic
- contains a fixed hostname
- uses target groups for identifying the target hostname
- client details can be found in the header using ...
X-Forwarded-For (IP Address)
X-Forwarded-Port (Port)
X-Forwarded-Proto (Proto)
- supports SNI for using multiple SSL certificates
34
What is a Network Load Balancer?
- a new generation load balancer for TCP & UDP traffic
- has one static IP per AZ
- can use an Elastic IP
- used for extreme performance (~100ms vs 400ms for ALB)
- supports SNI for using multiple SSL certificates
35
What is stickiness?
Ability to control what instance a client is routed to using a "cookie" and can be set to expire on a date we set. One way to ensure session data is not lost.
36
What is cross zone balancing?
Traffic is distributed evenly across all registered instances in all AZs. Without this set traffic is only distributed across instances in the same AZ.
- Always on for ALB
- Disabled by default for CLB (no fee is enabled) & NLB (pay $ if enabled)
37
What is an SSL Certificate?
Secure Socket Layer that allows traffic between your clients and your load balancer to be encrypted in-flight (i.e. Comodo, Symantec, GoDaddy, etc)
38
What is a TLS Certificate?
Transport Layer Security which is a new version of SSL (used more than SSL now)
39
What is ACM?
AWS Certificate Manager which is used to manage the creation or upload of SSL and TLS certificates
40
What is an SNI?
Server Name Indication requires the client to indicate the hostname of the target server in the initial handshake which will allow the server to find the correct certificate or return the default one. Only works with ALB or NLB.
41
What is connection draining?
When an ELB stops sending new request to an instance which is de-registering (being stopped) as this may take some time. Therefore the user does not get an error.
- Can be disabled by setting wait time to zero
- Can set wait time up to 3600 seconds (default 300)
42
What is an ASG?
Auto Scaling Group that scales out (adds) or in (removes) EC2 instances to match a desired min and max instance count.
- uses launch configuration (old, must be recreated every time) or launch templates to configure the settings (new, can have multiple versions and can be inherited from other templates)
- security by IAM roles
- no cost to use, only pay for underlying resources launched
- a cool down period can be applied before launching or terminating additional instances
43
What are Scaling Policies?
Policies that determine when to scale in/out.
- Target Tracking (i.e. CPU to stay around 40%)
- Simple Step (i.e. CPU > 70% add 2 units and <30% then remove 1 unit)
- Scheduled (i.e. at 5PM on Fridays increase min capacity to 10 units)
44
How does the default termination policy work?
Find the AZ which has the most number of instances and delete the one with the oldest launch configuration.
45
What is a Lifecycle hook?
This is the ability to perform extra steps before the instance goes into service or is terminated.
46
What does stateless architecture mean?
It means the AWS service is fully managed.
47
How can i instantiate an EC2 instance quickly?
- Use a Golden AMI
- Use a Bootstrap script in the User Data
- Use a hybrid approach by mixing AMI and User Data
48
What is a typical 3 tier Web Architecture?
- Public Subnet using Route53 & ELB
- Private Subnet for EC2 instances
- Private Subnet for Data (RDS, ElastiCache)
49
What does Serverless mean in AWS?
It is a new paradigm in which the developers do not have to manage servers anymore. They just deploy code. It can include databases, messaging, storage, etc.
50
Which AWS Services can be considered Serverless?
* Lambda
* DynamoDB
* Cognito
* API Gateway
* S3
* SNS
* SQS
* Kinesis Firehose
* Aurora Serverless
* Step Functions
* Fargate
51
Why use Lambda?
* No servers to manage
* Limited by time - best for short executions
* Is run on demand, so not continuously running
* Scaling is automatic
* Pay per request and compute time (First 1m requests are free and .20cents thereafter/m)
* Integrated with whole AWS suite of services and programing languages (Node.js, Python, Java, C3, Golang, Powershell, Ruby, etc)
* Easy to monitor through CloudWatch
Note: Docker cannot be used with Lambda
52
What are the limitations of Lambda?
* Memory allocation is limited 128mb -3008MB in 64mb increments
* Max execution time is 15min
* Function container (/tmp) is 512mb
* Concurrent connections are set to 1000 (can be increased)
* Function deployment size 50mb (zipped), 250mb (unzipped)
* Environment variables 4kb
53
What is Lambda@Edge?
Lambda@Edge lets you run Node.js and Python Lambda functions to customize content that CloudFront delivers, executing the functions in AWS locations closer to the viewer. You can use Lambda functions to change CloudFront requests and responses at the following points:
After CloudFront receives a request from a viewer (viewer request)
Before CloudFront forwards the request to the origin (origin request)
After CloudFront receives the response from the origin (origin response)
Before CloudFront forwards the response to the viewer (viewer response)
Decks in class (11)
# Cards
