Solutions Architect
AWS Regions
consist of multiple, isolated, and physically separate Availability Zones within a geographic area.
AWS Availability Zones
Each AZ is composed of one or more discrete data centers with redundant power, networking, and connectivity, and is used to deploy infrastructure
IAM Credentials Report
a report that lists all your account's users and the status of their various credentials
works at the account level
IAM Access Advisor
it shows the service permissions granted to a user and when those services were last accessed.
• You can use this information to revise your policies.
works at the user level
Amazon EC2
• It mainly consists of the capability of:
• Renting virtual machines (EC2)
• Storing data on virtual drives (EBS)
• Distributing load across machines (ELB)
• Scaling the services using an auto-scaling group (ASG)
• It is possible to bootstrap our instances using an EC2 User Data script.
user data is used to automate boot tasks such as:
• Installing updates
• Installing software
• Downloading common files from the internet
• Anything you can think of
Security Groups
Can be attached to multiple instances
• Locked down to a region / VPC combination
• Does live “outside” the EC2 – if traffic is blocked the EC2 instance won’t see it
• It’s good to maintain one separate one of these for SSH access
• If your application is not accessible (time out), then it’s a security group issue
• If your application gives a “connection refused“ error, then it’s an application error or it’s not launched
• All inbound traffic is blocked by default
• All outbound traffic is authorised by default
EC2 Spot Instances
• Can get a discount of up to 90% compared to On-demand
• Instances that you can “lose” at any point of time if your max price is less than the current spot price
• The MOST cost-efficient instances in AWS
• Useful for workloads that are resilient to failure
• Batch jobs
• Data analysis
• Image processing
• Any distributed workloads
• Workloads with a flexible start and end time
• Not suitable for critical jobs or databases
EC2 Dedicated Hosts
(MEANS YOU GET ACCESS TO THE PHYSICAL SERVER ITSELF AND IT GIVES YOU VISIBILITY INTO THE LOWER LEVEL HARDWARE)
• A physical server (ON-PREMISES) with EC2 instance capacity fully dedicated to your use
• Allows you to address compliance requirements and use your existing server-bound software licenses (per-socket, per-core, per-VM software licenses)
• Purchasing Options:
• On-demand – pay per second for active Dedicated Host
• Reserved - 1 or 3 years (No Upfront, Partial Upfront, All Upfront)
• The most expensive option
• Useful for software that has a complicated licensing model (BYOL – Bring Your Own License)
• Or for companies that have strong regulatory or compliance needs
Spot Fleets
will try to meet the target capacity with price constraints
• Define possible launch pools: instance type (m5.large), OS, Availability Zone
• Can have multiple launch pools, so that the fleet can choose
• it stops launching instances when reaching capacity or max cost
• Strategies to allocate Spot Instances:
• lowestPrice: from the pool with the lowest price (cost optimization, short workload)
• diversified: distributed across all pools (great for availability, long workloads)
• capacityOptimized: pool with the optimal capacity for the number of instances
• priceCapacityOptimized (recommended):
pools with highest capacity available, then select the pool with the lowest price (best choice for most workloads)
• these allow us to automatically request Spot Instances with the lowest price
placement groups
• Sometimes you want control over the EC2 Instance placement strategy
When you create this, you specify one of the following strategies for the group:
• Cluster—clusters instances into a low-latency group in a single Availability Zone
• Spread—spreads instances across underlying hardware (max 7 instances per group per AZ)
• Partition—spreads instances across many different partitions (which rely on different sets of racks) within an AZ. Scales to 100s of EC2 instances per group (Hadoop, Cassandra, Kafka)
Elastic Network Interfaces (ENI)
• Logical component in a VPC that represents a virtual network card
• The ENI can have the following attributes:
• Primary private IPv4, one or more secondary IPv4
• One Elastic IP (IPv4) per private IPv4
• One Public IPv4
• One or more security groups
• A MAC address
• You can create ENIs independently and attach them on the fly (move them) to EC2 instances for failover
• Bound to a specific availability zone (AZ) / cannot attach an ENI to an EC2 instance in a different AZ
Amazon Machine Image
is a customization of an EC2 instance
• You add your own software, configuration, operating system, monitoring…
• Faster boot / configuration time because all your software is pre-packaged
• they are built for a specific region (and can be copied across regions)
• You can launch EC2 instances from:
• A Public version of this: AWS provided
• Your own version of this: you make and maintain them yourself
• An AWS Marketplace version of this: someone else made this (and potentially sells)
EC2 Instance Store (AKA EPHEMERAL STORAGE)
volumes are network drives with good but “limited” performance
• If you need a high-performance hardware disk, use this
• Better I/O performance
• they lose their storage if they’re stopped
• Good for buffer / cache / scratch data / temporary content
• Risk of data loss if hardware fails
• Backups and Replication are your responsibility
EBS Encryption
• When you create an encrypted EBS volume, you get the following:
• Data at rest is encrypted inside the volume
• All the data in flight moving between the instance and the volume is encrypted
• All snapshots are encrypted
• All volumes created from the snapshot are encrypted
• Encryption and decryption are handled transparently (you have nothing to do)
leverages keys from KMS (AES-256)
• Copying an unencrypted snapshot allows encryption
• Snapshots of encrypted volumes are encrypted
Elastic File System
(it is a network file system)
• Managed NFS (network file system) that can be mounted on 100s of EC2
• it works only with Linux EC2 instances in multi-AZ
• Highly available, scalable, expensive (3x gp2), pay per use, no capacity planning
ELB (Elastic Load Balancer)
is a managed load balancer
• AWS guarantees that it will be working
• AWS takes care of upgrades, maintenance, high availability
• AWS provides only a few configuration knobs
• It costs less to set up your own load balancer but it will be a lot more effort on your end (maintenance, integrations)
It is integrated with many AWS offerings / services
• EC2, EC2 Auto Scaling Groups, Amazon ECS
• AWS Certificate Manager (ACM), CloudWatch
• Route 53, AWS WAF, AWS Global Accelerator
Network Load Balancer – Target Groups
• EC2 instances
• IP Addresses – must be private IPs
• NLB IS IN FRONT OF Application Load Balancer
• Health Checks support the TCP, HTTP and HTTPS Protocols
OFFERS THE HIGHEST PERFORMANCE AND LOWEST LATENCY IF YOUR APPLICATION NEEDS IT
(IE, IF YOUR APPLICATION RECEIVES MILLIONS OF REQUESTS PER SECOND)
Gateway Load Balancer
• Deploy, scale, and manage a fleet of 3rd party network virtual appliances in AWS
• Example: Firewalls, Intrusion Detection and Prevention Systems, Deep Packet Inspection Systems, payload manipulation, …
• Operates at Layer 3 (Network Layer) – IP Packets
• Combines the following functions:
• Transparent Network Gateway – single entry/exit for all traffic
• Load Balancer – distributes traffic to your virtual appliances
• Uses the GENEVE protocol on port 6081 (anything with GENEVE: THINK GATEWAY LOAD BALANCER)
Their Target Groups
• EC2 instances
• IP Addresses – must be private IPs
Sticky Sessions (Session Affinity)
• It is possible to implement stickiness so that the same client is always redirected to the same instance behind a load balancer
• This works for Classic Load Balancer, Application Load Balancer, and Network Load Balancer
• For both CLB & ALB, the “cookie” used for stickiness has an expiration date you control
• Use case: make sure the user doesn’t lose his session data
• Enabling stickiness may bring imbalance to the load over the backend EC2 instances
Sticky Sessions – Cookie Names (aids a client/customer not having to reauthenticate between pages)
ensures traffic for the same client is always redirected to the same target (EC2) instance, which helps the client not lose his session data.
• Application-based Cookies
Custom cookie
• Generated by the target
• Can include any custom attributes required by the application
• Cookie name must be specified individually for each target group
• Don’t use AWSALB, AWSALBAPP, or AWSALBTG (reserved for use by the ELB)
Application cookie
• Generated by the load balancer
• Cookie name is AWSALBAPP
Duration-based Cookies
• Cookie generated by the load balancer
• Cookie name is AWSALB for ALB, AWSELB for CLB
Load Balancer
uses an X.509 certificate (SSL/TLS server certificate)
• You can manage certificates using ACM (AWS Certificate Manager)
• Alternatively, you can create and upload your own certificates
• HTTPS listener:
• You must specify a default certificate
• You can add an optional list of certs to support multiple domains
• Clients can use SNI (Server Name Indication) to specify the hostname they reach
• Ability to specify a security policy to support older versions of SSL / TLS (legacy clients)
Server Name Indication (SNI)
• SNI solves the problem of loading multiple SSL certificates onto one web server (to serve multiple websites)
(ALLOWS YOU TO LOAD MULTIPLE SSL CERTIFICATES ON ONE LISTENER)
FOR EXAMPLE users.example.com, api.external.example.com, and checkout.example.com
• It’s a “newer” protocol, and requires the client to indicate the hostname of the target server in the initial SSL handshake
• The server will then find the correct certificate, or return the default one
• Classic Load Balancer (v1)
Supports only one SSL certificate
• Must use multiple CLBs for multiple hostnames with multiple SSL certificates
Application Load Balancer (v2)
Supports multiple listeners with multiple SSL certificates
• Uses Server Name Indication (SNI) to make it work
Provides a static DNS name, but not a static IP.
Network Load Balancer (v2)
Supports multiple listeners with multiple SSL certificates
• Uses Server Name Indication (SNI) to make it work
Provides both a static DNS name and static IP.
Auto Scaling Groups - Scaling Cooldowns
• After a scaling activity happens, you are in the cooldown period (default 5 minutes or 300 seconds)
• During the cooldown period, it will not launch or terminate additional instances (to allow for metrics to stabilize)
• Advice: Use a ready-to-use AMI to reduce configuration time in order to serve requests faster and reduce the cooldown period
Amazon RDS (Relational Database Service)
• It’s a managed DB service for DBs that use SQL as a query language.
• It allows you to create databases in the cloud that are managed by AWS
• Postgres
• MySQL
• MariaDB
• Oracle (DOES NOT SUPPORT IAM DATABASE AUTHENTICATION)
• Microsoft SQL Server
• IBM DB2
• Aurora (AWS Proprietary database)
IT IS A MANAGED SERVICE
Helps you increase storage DYNAMICALLY
it also creates an SSL certificate and installs the certificate on the DB instance when the instance is provisioned.
RDS Read Replicas
is ASYNC, so reads are eventually consistent /
HAS ASYNCHRONOUS REPLICATION, THEREFORE READS ARE ONLY EVENTUALLY CONSISTENT
Use Cases
• You have a production database that is taking on normal load
• You want to run a reporting application to run some analytics
are used for SELECT (=read) only kind of statements (not INSERT, UPDATE, DELETE)
Amazon Aurora
is a proprietary technology from AWS (not open sourced)
• PostgreSQL and MySQL are both supported as Aurora DB
• It is “AWS cloud optimized” and claims 5x performance improvement over MySQL on RDS, over 3x the performance of Postgres on RDS
• The storage automatically grows in increments of 10 GB, up to 128 TB
• It can have up to 15 replicas and the replication process is faster than MySQL (sub 10 ms replica lag)
• Failover in this is instantaneous. It’s HA (High Availability) native.
• It costs more than RDS (20% more) – but is more efficient
• Not in the free tier
OFFERS REPLICATION+SELF-HEALING + AUTO-EXPANDING
• Automatic fail-over
• Backup and Recovery
• Isolation and security
• Industry compliance
• Push-button scaling
• Automated Patching with Zero Downtime
• Advanced Monitoring
• Routine Maintenance
• Backtrack: restore data at any point of time without using backups
Offers machine learning integration that supports SageMaker & Comprehend
Babelfish
Babelfish for Aurora PostgreSQL
• Allows Aurora PostgreSQL to understand commands targeted for MS SQL Server (e.g., T-SQL)
• Therefore Microsoft SQL Server-based applications can work on Aurora PostgreSQL
• Requires no to little code changes (using the same MS SQL Server client driver)
• The same applications can be used after a migration of your database (using AWS SCT and DMS)
Amazon RDS Proxy
• Fully managed database proxy
• Allows apps to pool and share DB connections established with the database
• Improves database efficiency by reducing the stress on database resources (e.g., CPU, RAM) and minimizes open connections (and timeouts)
• Serverless, autoscaling, highly available (multi-AZ)
• Reduces RDS & Aurora failover time by up to 66%
• Supports RDS (MySQL, PostgreSQL, MariaDB, MS SQL Server) and Aurora (MySQL, PostgreSQL)
• No code changes required for most apps
• Enforces IAM authentication for the DB, and securely stores credentials in AWS Secrets Manager
So again, if you need to see a way to enforce IAM authentication for your database, think this
is never publicly accessible (must be accessed from VPC)
Amazon ElastiCache
(THINK IN-MEMORY DATABASES)
• The same way RDS is to get managed Relational Databases…
is used to get managed Redis or Memcached
• Caches are in-memory databases with high performance, low latency
• Helps reduce load off databases for read intensive workloads
• AWS takes care of OS maintenance / patching, optimizations, setup, configuration, monitoring, failure recovery and backups
• Using this involves heavy application code changes
Amazon Route 53
A highly available, scalable, fully managed and Authoritative DNS
• Authoritative = the customer (you) can update the DNS records
it is also a Domain Registrar
• Ability to check the health of your resources
• The only AWS service which provides 100% availability SLA
Elastic Beanstalk
PaaS
is a developer-centric view of deploying an application on AWS
• It uses all the components we’ve seen before: EC2, ASG, ELB, RDS, …
• Managed service
• Automatically handles capacity provisioning, load balancing, scaling, application health monitoring, instance configuration, …
• Just the application code is the responsibility of the developer
• We still have full control over the configuration
• it is free but you pay for the underlying instances
Supported Platforms
• Go
• Java SE
• Java with Tomcat
• .NET Core on Linux
• .NET on Windows Server
• Node.js
• PHP
• Python
• Ruby
• Packer Builder
• Single Container Docker
• Multi-container Docker
• Preconfigured Docker
Amazon S3
is one of the main building blocks of AWS
• It’s advertised as ”infinitely scaling” storage
• Many websites use this as a backbone
• Many AWS services use this as an integration as well
HAVE A VPC GATEWAY ENDPOINT
• Backup and storage
• Disaster Recovery
• Archive
• Hybrid Cloud storage
• Application hosting
• Media hosting
• Data lakes & big data analytics
• Software delivery
• Static website
After you enable Replication, only new objects are replicated
Amazon S3 Encryption – SSE-C
• Server-Side Encryption using keys fully managed by the customer outside of AWS
• Amazon S3 does NOT store the encryption key you provide
• HTTPS must be used
• Encryption key must be provided in HTTP headers, for every HTTP request made
Amazon S3 Encryption – Client-Side Encryption
use client libraries
• Clients must encrypt data themselves before sending to Amazon S3
• Clients must decrypt data themselves when retrieving from Amazon S3
• Customer fully manages the keys and encryption cycle
Amazon S3 Encryption in transit/flight (SSL/TLS)
• Amazon S3 exposes two endpoints:
• HTTP Endpoint – non encrypted
• HTTPS Endpoint – encryption in flight
• HTTPS is recommended
• HTTPS is mandatory for SSE-C
• Most clients would use the HTTPS endpoint by default
To force this, you should use a Bucket Policy
• Cross-Origin Resource Sharing (CORS)
Origin = scheme (protocol) + host (domain) + port
• example: https://www.example.com (implied port is 443 for HTTPS, 80 for HTTP)
• Web Browser based mechanism to allow requests to other origins while visiting the main origin
• Same origin: http://example.com/app1 & http://example.com/app2
• Different origins: http://www.example.com & http://other.example.com
• The requests won’t be fulfilled unless the other origin allows for the requests, using this type of header
S3 – Access Points
simplify security management for S3 Buckets
• Each one of these has:
• its own DNS name (Internet Origin or VPC Origin)
• its own policy (similar to a bucket policy) – manage security at scale
S3 – Access Points – VPC Origin
We can define the access point to be accessible only from within this
• You must create a VPC Endpoint to access the Access Point (Gateway or Interface Endpoint)
• The VPC Endpoint Policy must allow access to the target bucket and Access Point
Amazon CloudFront
(anytime you see CDN on the exam think this)
• Content Delivery Network (CDN)
• Improves read performance, content is cached at the edge
• Improves users experience
• 216 Points of Presence globally (edge locations)
• DDoS protection (because worldwide), integration with Shield, AWS Web Application Firewall
can have three origin types: S3 BUCKET, VPC AND CUSTOM HTTP ORIGIN
Global Edge network
• Files are cached for a TTL (maybe a day)
• Great for static content that must be available everywhere
• S3 Cross Region Replication:
• Must be setup for each region you want replication to happen
• Files are updated in near real-time
• Read only
• Great for dynamic content that needs to be available at low-latency in few regions
AWS Global Accelerator
• Works with Elastic IP, EC2 instances, ALB, NLB, public or private
• Consistent Performance
• Intelligent routing to lowest latency and fast regional failover
• No issue with client cache (because the IP doesn’t change)
• Internal AWS network
• Health Checks
• Global Accelerator performs a health check of your applications
• Helps make your application global (failover less than 1 minute for unhealthy)
• Great for disaster recovery (thanks to the health checks)
• Security
• only 2 external IPs need to be whitelisted
• DDoS protection thanks to AWS Shield
AWS Snowball
• Highly-secure, portable devices to collect and process data at the edge, and migrate data into and out of AWS
• Helps migrate up to Petabytes of data
Snowball Edge Storage Optimized
210 TB
Snowball Edge Compute Optimized
28 TB
Amazon FSx for Windows (File Server)
• FSx for Windows is a fully managed Windows file system share drive
• Supports SMB protocol & Windows NTFS
• Microsoft Active Directory integration, ACLs, user quotas
• Can be mounted on Linux EC2 instances
• Supports Microsoft's Distributed File System (DFS) Namespaces (group files across multiple FS)
Performance specs
• Scale up to 10s of GB/s, millions of IOPS, 100s PB of data
• Storage Options:
• SSD – latency sensitive workloads (databases, media processing, data analytics, …)
• HDD – broad spectrum of workloads (home directory, CMS, …)
• Can be accessed from your on-premises infrastructure (VPN or Direct Connect)
• Can be configured to be Multi-AZ (high availability)
• Data is backed up daily to S3
Amazon FSx for Lustre
• Lustre is a type of parallel distributed file system, for large-scale computing
• The name Lustre is derived from “Linux” and “cluster”
• Machine Learning, High Performance Computing (HPC)
• Video Processing, Financial Modeling, Electronic Design Automation
• Scales up to 100s GB/s, millions of IOPS, sub-ms latencies
• Storage Options:
• SSD – low-latency, IOPS intensive workloads, small & random file operations
• HDD – throughput-intensive workloads, large & sequential file operations
• Seamless integration with S3
• Can “read S3” as a file system (through FSx)
• Can write the output of the computations back to S3 (through FSx)
• Can be used from on-premises servers (VPN or Direct Connect)
FSx Lustre - File System Deployment Options
• Scratch File System
• Temporary storage
• Data is not replicated (doesn’t persist if file server fails)
• High burst (6x faster, 200 MBps per TiB)
• Usage: short-term processing, optimize costs
• Persistent File System
• Long-term storage
• Data is replicated within same AZ
• Replace failed files within minutes
• Usage: long-term processing, sensitive data
Amazon FSx for NetApp ONTAP
• Managed NetApp ONTAP on AWS
• File System compatible with NFS, SMB, iSCSI protocol (not FTP)
• Move workloads running on ONTAP or NAS to AWS
• Works with:
• Linux
• Windows
• MacOS
• VMware Cloud on AWS
• Amazon Workspaces & AppStream 2.0
• Amazon EC2, ECS and EKS
• Storage shrinks or grows automatically
• Snapshots, replication, low-cost, compression and data de-duplication
• Point-in-time instantaneous cloning (helpful for testing new workloads)
Amazon FSx for OpenZFS
• Managed OpenZFS file system on AWS
• File System compatible with NFS (v3, v4, v4.1, v4.2)
• Move workloads running on ZFS to AWS
• Works with:
• Linux
• Windows
• MacOS
• VMware Cloud on AWS
• Amazon Workspaces & AppStream 2.0
• Amazon EC2, ECS and EKS
• Up to 1,000,000 IOPS with < 0.5ms latency
• Snapshots, compression and low-cost (DOESN’T SUPPORT DATA DE-DUPLICATION)
• Point-in-time instantaneous cloning (helpful for testing new workloads)
Amazon S3 File Gateway
• Configured S3 buckets are accessible using the NFS and SMB protocol
• Most recently used data is cached in the file gateway
• Supports S3 Standard, S3 Standard-IA, S3 One Zone-IA, S3 Intelligent-Tiering
• Transition to S3 Glacier using a Lifecycle Policy
• Bucket access using IAM roles for each File Gateway
• SMB Protocol has integration with Active Directory (AD) for user authentication
Amazon FSx File Gateway
• Native access to Amazon FSx for Windows File Server
• Local cache for frequently accessed data
• Windows native compatibility (SMB, NTFS, Active Directory...)
• Useful for group file shares and home directories
Volume Gateway
• Block storage using iSCSI protocol backed by S3
• Backed by EBS snapshots which can help restore on-premises volumes!
• Cached volumes: low latency access to most recent data
• Stored volumes: entire dataset is on-premises, scheduled backups to S3
Tape Gateway
• Some companies have backup processes using physical tapes (!)
• With Tape Gateway, companies use the same processes, but in the cloud
• Virtual Tape Library (VTL) backed by Amazon S3 and Glacier
• Back up data using existing tape-based processes (and iSCSI interface)
• Works with leading backup software vendors
Storage Gateway
Hardware appliance
• Using Storage Gateway means you need on-premises virtualization
• Otherwise, you can use a Storage Gateway Hardware Appliance
• You can buy it on amazon.com
• Works with File Gateway, Volume Gateway, Tape Gateway
• Has the required CPU, memory, network, SSD cache resources
• Helpful for daily NFS backups in small data centers
AWS Transfer Family
• A fully-managed service for file transfers into and out of Amazon S3 or Amazon EFS using the FTP protocol (any of the three below)
• Supported Protocols
• AWS Transfer for FTP (File Transfer Protocol (FTP))
• AWS Transfer for FTPS (File Transfer Protocol over SSL (FTPS))
• AWS Transfer for SFTP (Secure File Transfer Protocol (SFTP))
• Managed infrastructure, Scalable, Reliable, Highly Available (multi-AZ)
• Pay per provisioned endpoint per hour + data transfers in GB
• Store and manage users’ credentials within the service
• Integrate with existing authentication systems (Microsoft Active Directory, LDAP, Okta, Amazon Cognito, custom)
• Usage: sharing files, public datasets, CRM, ERP, …
AWS DataSync
• Move large amounts of data to and from:
• On-premises / other cloud to AWS (NFS, SMB, HDFS, S3 API…) – needs agent
• AWS to AWS (different storage services) – no agent needed
• Can synchronize to:
• Amazon S3 (any storage classes – including Glacier)
• Amazon EFS
• Amazon FSx (Windows, Lustre, NetApp, OpenZFS...)
• Replication tasks can be scheduled hourly, daily, weekly
• File permissions and metadata are preserved (NFS POSIX, SMB…)
• One agent task can use 10 Gbps, can set up a bandwidth limit
SQS – Message Visibility Timeout
• After a message is polled by a consumer, it becomes invisible to other consumers
• By default, the “message visibility timeout” is 30 seconds
• That means the message has 30 seconds to be processed
• After this is over, the message is “visible” in SQS
Amazon SQS - Long Polling
• When a consumer requests messages from the queue, it can optionally “wait” for messages to arrive if there are none in the queue
decreases the number of API calls made to SQS while increasing the efficiency and reducing latency of your application
• The wait time can be between 1 sec and 20 sec (20 sec preferable)
it is preferable to Short Polling
it can be enabled at the queue level or at the API level using WaitTimeSeconds
Amazon SQS – FIFO Queue
• Limited throughput: 300 msg/s without batching, 3000 msg/s with
• Exactly-once send capability (by removing duplicates using Deduplication ID)
• Messages are processed in order by the consumer
• Ordering by Message Group ID (all messages in the same group are ordered) – mandatory parameter
Amazon Kinesis Data Streams
• Collect and store streaming data in real-time
• Retention of up to 365 days
• Ability to reprocess (replay) data by consumers
• Data can’t be deleted from Kinesis (until it expires)
• Data up to 1 MB (typical use case is a lot of “small” real-time data)
• Data ordering guarantee for data with the same “Partition ID”
• At-rest KMS encryption, in-flight HTTPS encryption
• Kinesis Producer Library (KPL) to write an optimized producer application
• Kinesis Client Library (KCL) to write an optimized consumer application
has two capacity modes: provisioned and on-demand
is useful for rapidly moving data off data producers and then continuously processing the data, be it to transform the data before emitting to a data store, run real-time metrics and analytics, or derive more complex data streams for further processing.
Amazon Data Firehose
Note: used to be called “Kinesis Data Firehose”
• Fully Managed Service
• Amazon Redshift / Amazon S3 / Amazon OpenSearch Service
• 3rd party: Splunk / MongoDB / Datadog / NewRelic / …
• Custom HTTP Endpoint
• Automatic scaling, serverless, pay for what you use
• Near Real-Time with buffering capability based on size / time
• Supports CSV, JSON, Parquet, Avro, Raw Text, Binary data
• Conversions to Parquet / ORC, compressions with gzip / snappy
• Custom data transformations using AWS Lambda (ex: CSV to JSON)
cannot be used to process and analyze the streaming data in custom applications.
Amazon MQ
• SQS, SNS are “cloud-native” services: proprietary protocols from AWS
• Traditional applications running from on-premises may use open protocols such as: MQTT, AMQP, STOMP, Openwire, WSS
• When migrating to the cloud, instead of re-engineering the application to use SQS and SNS, we can use this
it is a managed message broker service for RabbitMQ & ActiveMQ
it doesn’t “scale” as much as SQS / SNS
it runs on servers, can run in Multi-AZ with failover
it has both queue feature (~SQS) and topic features (~SNS)
• Docker
is a software development platform to deploy apps
• Apps are packaged in containers that can be run on any OS
• Apps run the same, regardless of where they’re run
• Any machine
• No compatibility issues
• Predictable behavior
• Less work
• Easier to maintain and deploy
• Works with any language, any OS, any technology
• Use cases: microservices architecture, lift-and-shift apps from on-premises to the AWS cloud, …
Some container management tools on AWS for this are:
• Amazon Elastic Container Service (Amazon ECS)
• Amazon’s own container platform / NOT OPEN SOURCE
• Amazon Elastic Kubernetes Service (Amazon EKS)
• Amazon’s managed Kubernetes (open source)
• AWS Fargate
• Amazon’s own Serverless container platform
• Works with ECS and with EKS
• Amazon ECR:
Amazon ECR Elastic Container Registry
• Store and manage Docker images on AWS
• Private and Public repository (Amazon ECR Public Gallery https://gallery.ecr.aws)
• Fully integrated with ECS, backed by Amazon S3
• Access is controlled through IAM (permission errors => policy)
• Supports image vulnerability scanning, versioning, image tags, image lifecycle, …
Amazon Elastic Kubernetes Service
• It is a way to launch managed Kubernetes clusters on AWS
• Kubernetes is an open-source system for automatic deployment, scaling and management of containerized (usually Docker) applications
• It’s an alternative to ECS, similar goal but different API
it supports EC2 if you want to deploy worker nodes or Fargate to deploy serverless containers
• Use case: if your company is already using Kubernetes on-premises or in another cloud, and wants to migrate to AWS using Kubernetes
it’s cloud-agnostic (can be used in any cloud – Azure, GCP…)
• For multiple regions, deploy one of these clusters per region
• Collect logs and metrics using CloudWatch Container Insights
AWS App Runner
• Fully managed service that makes it easy to deploy web applications and APIs at scale
• No infrastructure experience required
• Start with your source code or container image
• Automatically builds and deploys the web app
• Automatic scaling, highly available, load balancer, encryption
• VPC access support
• Connect to database, cache, and message queue services
• Use cases: web apps, APIs, microservices, rapid production deployments
AWS App2Container (A2C)
• CLI tool for migrating and modernizing Java and .NET web apps into Docker Containers
• Lift-and-shift your apps running in on-premises bare metal, virtual machines, or in any Cloud to AWS
• Accelerate modernization, no code changes, migrate legacy apps…
• Generates CloudFormation templates (compute, network…)
• Register generated Docker containers to ECR
• Deploy to ECS, EKS, or App Runner
• Supports pre-built CI/CD pipelines
Serverless in AWS
• AWS Lambda
• DynamoDB
• AWS Cognito
• AWS API Gateway
• Amazon S3
• AWS SNS & SQS
• AWS Kinesis Data Firehose
• Aurora Serverless
• Step Functions
• Fargate
Amazon Lambda
• Virtual functions – no servers to manage!
• Limited by time - short executions
• Run on-demand
• Scaling is automated
Easy Pricing:
• Pay per request and compute time
• Free tier of 1,000,000 AWS Lambda requests and 400,000 GB-seconds of compute time
• Integrated with the whole AWS suite of services
• Integrated with many programming languages
• Easy monitoring through AWS CloudWatch
• Easy to get more resources per function (up to 10GB of RAM!)
• Increasing RAM will also improve CPU and network!
AWS Lambda language support
• Node.js (JavaScript)
• Python
• Java
• C# (.NET Core) / Powershell
• Ruby
• Custom Runtime API (community supported, example Rust or Golang)
its own Container Image
• The container image must implement the Lambda Runtime API
Lambda SnapStart
Improves your Lambda functions’ performance up to 10x at no extra cost for Java, Python & .NET
• When enabled, function is invoked from a preinitialized state (no function initialization from scratch)
• When you publish a new version:
it initializes your function
• Takes a snapshot of memory and disk state of the initialized function
• Snapshot is cached for low-latency access
Lambda@Edge
Functions written in Node.js or Python
• Scales to 1000s of requests/second
• Used to change CloudFront requests and responses:
• Viewer Request – after CloudFront receives a request from a viewer
• Origin Request – before CloudFront forwards the request to the origin
• Origin Response – after CloudFront receives the response from the origin
• Viewer Response – before CloudFront forwards the response to the viewer
• Author your functions in one AWS Region (us-east-1), then CloudFront replicates to its locations
Amazon DynamoDB
• Fully managed, highly available with replication across multiple AZs
• NoSQL database - not a relational database - with transaction support
• Scales to massive workloads, distributed database
• Millions of requests per second, trillions of rows, 100s of TB of storage
• Fast and consistent in performance (single-digit millisecond)
• Integrated with IAM for security, authorization and administration
• Low cost and auto-scaling capabilities
• No maintenance or patching, always available
• Standard & Infrequent Access (IA) Table Class
HAVE A VPC GATEWAY ENDPOINT
AWS proprietary technology, managed serverless NoSQL database, millisecond latency
• Capacity modes: provisioned capacity with optional auto-scaling or on-demand capacity
• Can replace ElastiCache as a key/value store (storing session data for example, using TTL feature)
• Highly Available, Multi AZ by default, Reads and Writes are decoupled, transaction capability
• DAX cluster for read cache, microsecond read latency
• Security, authentication and authorization is done through IAM
• Event Processing: DynamoDB Streams to integrate with AWS Lambda, or Kinesis Data Streams
• Global Table feature: active-active setup
• Automated backups up to 35 days with PITR (Point-in-time recovery) (restore to new table), or on-demand backups
• Export to S3 without using RCU within the PITR window, import from S3 without using WCU
• Great to rapidly evolve schemas
• Use Case: Serverless applications development (small documents 100s KB), distributed serverless cache
DynamoDB Accelerator (DAX)
• Fully-managed, highly available, seamless in-memory cache for DynamoDB
• Helps solve read congestion by caching
• Microseconds latency for cached data
• Doesn’t require application logic modification (compatible with existing DynamoDB APIs)
• 5-minute TTL for cache (default) (you can also change this)
USED to prevent throttles and reduce costs efficiently
AWS API Gateway
No infrastructure to manage
• Support for the WebSocket Protocol
• Handle API versioning (v1, v2…)
• Handle different environments (dev, test, prod…)
• Handle security (Authentication and Authorization)
• Create API keys, handle request throttling
• Swagger / OpenAPI import to quickly define APIs
• Transform and validate requests and responses
• Generate SDK and API specifications
• Cache API responses
AWS Step Functions
• Build serverless visual workflow to orchestrate your Lambda functions
• Features: sequence, parallel, conditions, timeouts, error handling, …
• Can integrate with EC2, ECS, On-premises servers, API Gateway, SQS queues, etc…
• Can implement a human approval feature
• Use cases: order fulfillment, data processing, web applications, any workflow
Amazon Cognito
• Give users an identity to interact with our web or mobile application
• Cognito Identity Pools (used to be called Federated Identity):
• Provide AWS credentials to users so they can access AWS resources directly
• Integrate with these user pools (Cognito User Pools) as an identity provider
Cognito is for your web and mobile application users, who sit outside of AWS.
Cognito User Pools (CUP)
User Features
• Create a serverless database of users for your web & mobile apps
• Simple login: Username (or email) / password combination
• Password reset
• Email & Phone Number Verification
• Multi-factor authentication (MFA)
• Federated Identities: users from Facebook, Google, SAML…
You can leverage this to either provide built-in user management or integrate with external identity providers, such as Facebook, Twitter, Google+, and Amazon. Whether your users sign in directly or through a third party, all members of the user pool have a directory profile that you can access through a Software Development Kit (SDK).
User pools provide:
1. Sign-up and sign-in services.
2. A built-in, customizable web UI to sign in users.
3. Social sign-in with Facebook, Google, Login with Amazon, and Sign in with Apple, as well as sign-in with SAML identity providers from your user pool.
4. User directory management and user profiles.
5. Security features such as multi-factor authentication (MFA), checks for compromised credentials, account takeover protection, and phone and email verification.
6. Customized workflows and user migration through AWS Lambda triggers.
Microservices architecture
• We want to switch to a microservice architecture
• Many services interact with each other directly using a REST API
• The architecture of each microservice may vary in form and shape
• We want a microservice architecture so we can have a leaner development lifecycle for each service
Amazon Aurora
• Compatible API for PostgreSQL / MySQL, separation of storage and compute
• Storage: data is stored in 6 replicas, across 3 AZs – highly available, self-healing, auto-scaling
• Compute: Cluster of DB Instance across multiple AZ, auto-scaling of Read Replicas
• Cluster: Custom endpoints for writer and reader DB instances
• Same security / monitoring / maintenance features as RDS
• Know the backup & restore options for Aurora
Amazon ElastiCache
• Managed Redis / Memcached (similar offering as RDS, but for caches)
• In-memory data store, sub-millisecond latency
• Select an ElastiCache instance type (e.g., cache.m6g.large)
• Support for Clustering (Redis) and Multi AZ, Read Replicas (sharding)
• Security through IAM, Security Groups, KMS, Redis Auth
• Backup / Snapshot / Point in time restore feature
• Managed and Scheduled maintenance
• Requires some application code changes to be leveraged
• Use Case: Key/Value store, Frequent reads, less writes, cache results for DB queries, store session data for websites, cannot use SQL.
DocumentDB
Aurora is an “AWS-implementation” of PostgreSQL / MySQL …
it is the same for MongoDB (which is a NoSQL database)
• MongoDB is used to store, query, and index JSON data
• Similar “deployment concepts” as Aurora
• Fully Managed, highly available with replication across 3 AZ
storage automatically grows in increments of 10GB
• Automatically scales to workloads with millions of requests per second
Amazon Neptune
Fully managed graph database
• A popular graph dataset would be a social network
• Users have friends
• Posts have comments
• Comments have likes from users
• Users share and like posts…
• Highly available across 3 AZ, with up to 15 read replicas
• Build and run applications working with highly connected datasets – optimized for these complex and hard queries
• Can store up to billions of relations and query the graph with milliseconds latency
• Highly available with replications across multiple AZs
• Great for knowledge graphs (Wikipedia), fraud detection, recommendation engines, social networking
Amazon Keyspaces (for Apache Cassandra)
Apache Cassandra is an open-source NoSQL distributed database
• A managed Apache Cassandra-compatible database service
• Serverless, Scalable, highly available, fully managed by AWS
• Automatically scale tables up/down based on the application’s traffic
• Tables are replicated 3 times across multiple AZ
• Using the Cassandra Query Language (CQL)
• Single-digit millisecond latency at any scale, 1000s of requests per second
• Capacity: On-demand mode or provisioned mode with auto-scaling
• Encryption, backup, Point-In-Time Recovery (PITR) up to 35 days
• Use cases: store IoT devices info, time-series data, …
Amazon QLDB
• QLDB stands for ”Quantum Ledger Database”
• A ledger is a book recording financial transactions
• Fully Managed, Serverless, Highly available, Replication across 3 AZ
• Used to review history of all the changes made to your application data over time
• Immutable system: no entry can be removed or modified, cryptographically verifiable
Amazon Timestream
• Fully managed, fast, scalable, serverless time series database
• Automatically scales up/down to adjust capacity
• Store and analyze trillions of events per day
• 1000s of times faster & 1/10th the cost of relational databases
• Scheduled queries, multi-measure records, SQL compatibility
• Data storage tiering: recent data kept in memory and historical data kept in a cost-optimized storage
• Built-in time series analytics functions (helps you identify patterns in your data in near real-time)
• Encryption in transit and at rest
• Use cases: IoT apps, operational applications, real-time analytics, …
Amazon Athena
• Serverless query service to analyze data stored in Amazon S3
• Uses standard SQL language to query the files (built on Presto)
• Supports CSV, JSON, ORC, Avro, and Parquet
• Pricing: $5.00 per TB of data scanned
• Commonly used with Amazon Quicksight for reporting/dashboards
• Use cases: Business intelligence / analytics / reporting, analyze & query VPC Flow Logs, ELB Logs, CloudTrail trails, etc...
Performance Improvement
• Use columnar data for cost-savings (less scan)
• Apache Parquet or ORC is recommended
• Huge performance improvement
• Use Glue to convert your data to Parquet or ORC
• Compress data for smaller retrievals (bzip2, gzip, lz4, snappy, zlib, zstd…)
• Partition datasets in S3 for easy querying on virtual columns
Amazon Redshift
is based on PostgreSQL, but it’s not used for OLTP
• It’s OLAP – online analytical processing (analytics and data warehousing)
• 10x better performance than other data warehouses, scale to PBs of data
• Columnar storage of data (instead of row based) & parallel query engine
• Two modes: Provisioned cluster or Serverless cluster
• Has a SQL interface for performing the queries
• BI tools such as Amazon Quicksight or Tableau integrate with it
• vs Athena: Redshift has faster queries / joins / aggregations thanks to indexes
Redshift Cluster
• Leader node: for query planning, results aggregation
• Compute node: for performing the queries, send results to leader
• Provisioned mode:
• Choose instance types in advance
• Can reserve instances for cost savings
has “Multi-AZ” mode for some clusters
• Snapshots are point-in-time backups of a cluster, stored internally in S3
• Snapshots are incremental (only what has changed is saved)
• You can restore a snapshot into a new cluster
• Automated: every 8 hours, every 5 GB, or on a schedule. Set retention between 1 to 35 days
• Manual: snapshot is retained until you delete it
• You can configure this to automatically copy snapshots (automated or manual) of a cluster to another AWS Region
Amazon OpenSearch Service
is the successor to Amazon Elasticsearch Service
• In DynamoDB, queries only exist by primary key or indexes…
• With OpenSearch, you can search any field, even partial matches
• It’s common to use OpenSearch as a complement to another database
• Two modes: managed cluster or serverless cluster
• Does not natively support SQL (can be enabled via a plugin)
• Ingestion from Kinesis Data Firehose, AWS IoT, and CloudWatch Logs
• Security through Cognito & IAM, KMS encryption, TLS
• Comes with OpenSearch Dashboards (visualization)
Amazon EMR (Elastic MapReduce)
helps create Hadoop clusters (Big Data) to analyze and process vast amounts of data
• The clusters can be made of hundreds of EC2 instances
• EMR comes bundled with Apache Spark, HBase, Presto, Flink…
• EMR takes care of all the provisioning and configuration
• Auto-scaling and integrated with Spot instances
• Use cases: data processing, machine learning, web indexing, big data…
Amazon QuickSight
• Serverless machine learning-powered business intelligence service to create interactive dashboards
• Fast, automatically scalable, embeddable, with per-session pricing
• Use cases:
• Business analytics
• Building visualizations
• Perform ad-hoc analysis
• Get business insights using data
• Integrated with RDS, Aurora, Athena, Redshift, S3…
• In-memory computation using SPICE engine if data is imported into QuickSight
• Enterprise edition: Possibility to set up Column-Level security (CLS)
AWS Glue
• Managed extract, transform, and load (ETL) service
• Useful to prepare and transform data for analytics
• Fully serverless service
• Convert data into Parquet format
Glue Job Bookmarks: prevent reprocessing old data
Glue DataBrew: clean and normalize data using pre-built transformations
Glue Studio: new GUI to create, run and monitor ETL jobs in Glue
Glue Streaming ETL (built on Apache Spark Structured Streaming): compatible with Kinesis Data Streams, Kafka, MSK (managed Kafka)
AWS Lake Formation
• Data lake = central place to have all your data for analytics purposes
• Fully managed service that makes it easy to set up a data lake in days
• Discover, cleanse, transform, and ingest data into your Data Lake
• It automates many complex manual steps (collecting, cleansing, moving, cataloging data, …) and de-duplicate (using ML Transforms)
• Combine structured and unstructured data in the data lake
• Out-of-the-box source blueprints: S3, RDS, Relational & NoSQL DB…
• Fine-grained Access Control for your applications (row and column-level)
• Built on top of AWS Glue
Big Data Ingestion Pipeline discussion
• IoT Core allows you to harvest data from IoT devices
• Kinesis is great for real-time data collection
• Firehose helps with data delivery to S3 in near real-time (1 minute)
• Lambda can help Firehose with data transformations
• Amazon S3 can trigger notifications to SQS
• Lambda can subscribe to SQS (we could have connected S3 to Lambda)
• Athena is a serverless SQL service and results are stored in S3
• The reporting bucket contains analyzed data and can be used by reporting tools such as AWS QuickSight, Redshift, etc…
Amazon Rekognition
• Facial analysis and facial search to do user verification, people counting
• Create a database of “familiar faces” or compare against celebrities
• Use cases:
• Labeling
• Content Moderation
• Text Detection
• Face Detection and Analysis (gender, age range, emotions…)
• Face Search and Verification
• Celebrity Recognition
• Pathing (ex: for sports game analysis)
also has content moderation
Amazon Transcribe
• Automatically convert speech to text
• Uses a deep learning process called automatic speech recognition (ASR) to convert speech to text quickly and accurately
• Automatically remove Personally Identifiable Information (PII) using Redaction
• Supports Automatic Language Identification for multilingual audio
• Use cases:
• transcribe customer service calls
• automate closed captioning and subtitling
• generate metadata for media assets to create a fully searchable archive