Cloud Practitioner Certification Exam
What is cloud computing?
on-demand delivery of compute power; database storage, apps, and other IT resources
pay-as you-go pricing
provision EXACTLY the right configurations of resources needed
instant access to necessary resources
Deployment Models of the Cloud
Private Cloud: complete control, meets specific business needs, security for sensitive apps
Public Cloud: cloud resources are owned and operated by a third-party provider and delivered over the internet; this is where the six advantages of cloud computing apply
Hybrid Cloud: control over sensitive assets in private infrastructure
5 characteristics of cloud computing
On-demand self service
users can provision resources and use them without human interaction from the service provider
Broad network access
resources available over the network can be accessed by diverse client platforms
Multi-tenancy and resource pooling
multiple customers can share the same infrastructure and applications with security and privacy
multiple customers are serviced from the same physical resources
Rapid elasticity and Scalability
Automatically and quickly acquire and dispose
Quickly and easily scale based on demand
Measured service
usage is measured, so users pay exactly for what they have used
6 Advantages of Cloud Computing
trade CapEx for OpEx
pay on-demand: RENTING from AWS
reduced Total Cost of Ownership (TCO) & OpEx
benefit from massive economies of scale
prices are reduced as AWS is more efficient due to large scale
stop guessing capacity
scale based on actual measured usage
increase speed and agility
no blockers to be efficient
less $ spent on maintaining data center
can go global in mins
Problems solved by the cloud
flexibility, cost-effectiveness, scalability, elasticity, high-availability + fault tolerance, and agility
Types of Cloud Computing
Infrastructure as a Service (IaaS)
provide building blocks for cloud IT (like legos)
provides networking, computers, data storage space
highest level of flexibility
easy parallel with traditional on-premises IT
examples
Amazon EC2, GCP, Azure, Rackspace, DigitalOcean, Linode
Platform as a Service (PaaS)
removes the need for your organization to manage the underlying infrastructure
focus on the deployment and management of your applications
examples
Heroku, Google App Engine (GCP), Windows Azure (Microsoft)
where you ONLY want to manage APPS and DATA
Software as a Service (SaaS)
completed product that is run and managed by the service provider
examples
many AWS services (rekognition for ML)
google apps (gmail), dropbox, zoom
Pricing of the Cloud
AWS has 3 pricing fundamentals, following the pay-as-you-go pricing model
compute: pay for compute time
storage: pay for data stored in the cloud
data transfer OUT of the cloud: data transfer IN is free
solves the high-cost problem of traditional IT
AWS Cloud Use Cases
enables you to build sophisticated, scalable apps
applicable to a variety of industries
applications are endless!!!!
AWS Global Infrastructure
each region is connected through networks
within each region, there are availability zones
can leverage the infrastructure of AWS to make an app GLOBAL
AWS has regions all around the world
names can be us-east-1, eu-west-3…
region is a cluster of data centers
most AWS services are region-focused
How to choose an AWS region?
if you need to launch a new app, which region should you deploy it at?
compliance
data governance and legal requirements; data never leaves a region without your explicit permission
proximity to customers
reduced latency
available services within a region
new services and features aren’t available in every region
pricing: varies between regions and is transparent in the service pricing page
AWS Availability Zones
each region has availability zones (AZ)
one or more discrete data centers with redundant power, networking, and connectivity
they’re separate from each other, so that they’re isolated from disasters
connected with high bandwidth, ultra-low latency networking
AWS Points of Presence (edge locations)
400+ points of presence in 90+ cities across 40+ countries
Tour of AWS Console
AWS has global services
Identity and Access Management (IAM)
Route 53 (DNS service)
CloudFront (Content Delivery Network)
WAF (Web Application Firewall)
AWS has region-scoped services
Amazon EC2 (IaaS)
Elastic Beanstalk (PaaS)
Lambda (FaaS)
Rekognition (SaaS)
Shared Responsibility
customer = responsibility for the security IN the cloud
AWS = responsibility for the security OF the cloud
IAM Users & Groups
IAM = Identity and Access Management, Global service
Root account created by default, shouldn’t be used or shared
Users are people within your organization, and can be grouped
Groups only contain users, not other groups
Users don’t have to belong to a group and users can belong to multiple groups
IAM: Permissions
Users or Groups can be assigned JSON documents called policies
these policies define the permissions of the users
in AWS, you apply the least privilege principle: don’t give more permissions than a user needs
IAM Policies inheritance
policies are separated in categories and users can inherit multiple depending on what groups they are part of
IAM Policies structure
consists of a Version and a list of Statements; each Statement has a Sid (optional identifier), an Effect (Allow or Deny), a Principal (who the statement applies to, in resource-based policies), an Action (the API calls), a Resource (the ARNs the actions apply to), and an optional Condition
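The following is an added example, not from the original notes, showing what a policy document looks like and how the permissions a user inherits from several groups combine. The policies, the group names and the users are constructed for illustration; the evaluation function is a deliberate simplification of IAM's real logic (it ignores Principal and Condition), but it keeps the rule that matters for least privilege: an explicit Deny beats any Allow, and with no matching Allow the request is denied.

```python
import fnmatch
import json

# Constructed sample policies (not from the notes): an Allow policy attached to a
# "Developers" group and a Deny policy attached to a "Contractors" group.
DEVELOPERS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadExampleBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"],
        },
        {
            "Sid": "DescribeEc2",
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*",
        },
    ],
}

CONTRACTORS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "NoSecretsForContractors",
            "Effect": "Deny",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/secrets/*",
        },
    ],
}

# Group membership (constructed): a user inherits the policies of every group it is in.
GROUP_POLICIES = {"Developers": [DEVELOPERS_POLICY], "Contractors": [CONTRACTORS_POLICY]}
USER_GROUPS = {"alice": ["Developers"], "bob": ["Developers", "Contractors"]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # Action names are matched case-insensitively; "*" and "?" are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # ARNs are matched case-sensitively, with the same wildcards.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def validate_policy(policy):
    """Check the structural parts of a policy document: Version, Statement list,
    and Effect/Action/Resource on every statement (only the current language version
    is accepted here)."""
    if policy.get("Version") != "2012-10-17":
        raise ValueError("Version must be 2012-10-17")
    for stmt in policy["Statement"]:
        if stmt.get("Effect") not in ("Allow", "Deny"):
            raise ValueError(f"bad Effect in {stmt.get('Sid')}")
        if "Action" not in stmt or "Resource" not in stmt:
            raise ValueError(f"Action and Resource are required in {stmt.get('Sid')}")
    return True


def user_statements(user):
    """All statements a user inherits through group membership."""
    return [stmt
            for group in USER_GROUPS.get(user, [])
            for policy in GROUP_POLICIES.get(group, [])
            for stmt in policy["Statement"]]


def is_allowed(user, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins over any Allow, and with
    no matching Allow the request is implicitly denied (least privilege)."""
    allowed = False
    for stmt in user_statements(user):
        if not (_action_matches(stmt["Action"], action)
                and _resource_matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    validate_policy(DEVELOPERS_POLICY)
    print(json.dumps(DEVELOPERS_POLICY, indent=2))
    secret = "arn:aws:s3:::example-bucket/secrets/db-password"
    print("alice reads secret:", is_allowed("alice", "s3:GetObject", secret))  # True
    print("bob reads secret:", is_allowed("bob", "s3:GetObject", secret))      # False
```

bob belongs to both groups, so the Developers Allow and the Contractors Deny both apply to him; the Deny wins for anything under secrets/, while everything else in the bucket stays readable.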
IAM Password policy
Strong passwords = higher security for your account
in AWS, you can setup a password policy
prevents password re-use and requires users to change their passwords after some time
Multi-Factor Authentication
users have access to your account and can possibly change configurations or delete resources in your AWS account
MFA = password you know + security device you own
device options
Virtual MFA device
google authenticator and authy (phone only)
Universal 2nd Factor (U2F) Security Key
yubikey (third party)
Hardware Key Fob MFA device
provided by a third party
Hardware Key Fob MFA device for AWS GovCloud (US)
SurePassID
IAM Roles for Services
some AWS services will need to perform actions on your behalf
to do so, we will assign permissions to AWS services with IAM Roles
Common Roles
EC2 Instance Roles
Lambda Function Roles
Roles for CloudFormation
IAM Credentials Report (account-level)
a report that lists all your account’s users and the statuses of their various credentials
IAM Access Advisor (user-level)
shows the service permissions granted to a user and when those services were last accessed
you can use this information to revise your policies
IAM Guidelines + Best Practices
one physical user = one AWS user
use Access Keys for Programmatic Access (CLI/SDK)
audit permissions of your account using the IAM Credentials Report & IAM Access Advisor
assign users to groups and assign permissions to groups
don’t use the root account except for AWS account setup
NEVER share IAM users & Access Keys
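As an added example (not part of the original notes), this script shows how the credentials report and the best practices above fit together: it reads a report in the report's CSV shape and flags the things the guidelines say to avoid (root account with access keys or without MFA, console users without MFA, stale or never-used access keys). The report content is constructed for the example and uses only a subset of the real report's columns; the 90-day rotation threshold and the fixed "today" date are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of an IAM credential report (CSV, ISO-8601 timestamps,
# "N/A" / "not_supported" where a value does not apply). Subset of the real columns.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2023-01-01T00:00:00+00:00,not_supported,false,true,2023-01-01T00:00:00+00:00,2024-05-01T00:00:00+00:00
alice,arn:aws:iam::123456789012:user/alice,2023-02-01T00:00:00+00:00,true,true,true,2024-04-01T00:00:00+00:00,2024-05-20T00:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,2023-02-01T00:00:00+00:00,true,false,true,2023-03-01T00:00:00+00:00,N/A
ci-deployer,arn:aws:iam::123456789012:user/ci-deployer,2023-06-01T00:00:00+00:00,false,false,false,N/A,N/A
"""

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" so results are reproducible
MAX_KEY_AGE = timedelta(days=90)                   # assumed rotation threshold


def _parse_ts(value):
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW, max_key_age=MAX_KEY_AGE):
    """Return a sorted list of (user, finding) tuples for one credential report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        key_active = row["access_key_1_active"] == "true"
        rotated = _parse_ts(row["access_key_1_last_rotated"])
        last_used = _parse_ts(row["access_key_1_last_used_date"])

        if user == "<root_account>":
            # Root should only be used for account setup: no keys, MFA on.
            if key_active:
                findings.append((user, "root account has an active access key"))
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA"))
            continue

        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        if key_active and rotated is not None and now - rotated > max_key_age:
            findings.append((user, f"access key older than {max_key_age.days} days"))
        if key_active and last_used is None:
            findings.append((user, "active access key never used"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

With the real report (downloaded from the IAM console or CLI) the same function runs unchanged, since the column names used here are the report's own.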
Shared Responsibility Model for IAM
AWS - responsible for the infrastructure
infrastructure (global network security)
configuration and vulnerability analysis
compliance validation
You - HOW you use the infrastructure
users, groups, roles, policies management and monitoring
enable MFA
rotating your keys often
using IAM tools to apply appropriate permissions
analyze access patterns and review permissions
IAM Summary
Users: mapped to a physical user, has a password for AWS Console
Groups: contains users only
Policies: JSON doc that outlines permissions for users or groups
Roles: for EC2 instances or AWS services
Security: MFA + password policy
AWS CLI: manage your AWS services using the command line
AWS SDK: manage your AWS services using a programming language
Access Keys: access AWS using the CLI or SDK
Audit: IAM Credential Reports & IAM Access Advisor
EC2 - Elastic Compute Cloud
Basics
EC2 is one of the most popular offerings
IaaS
Mainly consists of:
renting virtual machines (EC2)
storing data on virtual drives (EBS)
distributing load across machines (ELB)
scaling the services using an auto-scaling group (ASG)
EC2 Sizing and Configuration Options
Operating System: Linux, Windows, or Mac
How much compute power and how many cores (CPU)
how much random-access memory (RAM)
How much storage space:
network-attached (EBS & EFS)
hardware (EC2 Instance Store)
Network card: speed of the card, public IP address
Firewall rules: security group
Bootstrap script (configure at first launch): EC2 User Data
EC2 User Data
it is possible to bootstrap our instances using an EC2 user data script
bootstrapping means to launch commands when a machine starts
script is only run once at the instance first start
EC2 user data is used to automate boot tasks such as:
installing updates
installing software
downloading common files from the internet
anything you can think of
EC2 User Data Script runs with the root user
use “http://” (not “https://”) to open the instance in a browser
EC2 Instance Types
you can use different types of EC2 instances for different use cases
AWS has the following naming convention
m5.2xlarge
m: instance class
5: generation (AWS improves them over time)
2xlarge: size within the instance class
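An added example (not from the original notes) that parses the naming convention above into its parts and generalizes slightly: attribute letters after the generation (the "gn" in C6gn, the "a" in M5a) are captured too, and sizes are placed on the doubling ladder below and above "large". The class-to-category table contains only the classes named in these notes and is an assumption of the example.

```python
import re

# Naming convention: <class><generation><attributes>.<size>, e.g. m5.2xlarge or c6gn.xlarge.
_INSTANCE_TYPE = re.compile(
    r"^(?P<cls>[a-z]+)(?P<generation>\d+)(?P<attributes>[a-z]*)\.(?P<size>[0-9a-z-]+)$"
)

# Instance classes named in these notes, mapped to their category (assumed table).
_CATEGORY = {
    "t": "general purpose", "m": "general purpose", "a": "general purpose",
    "c": "compute optimized",
    "r": "memory optimized", "x": "memory optimized", "z": "memory optimized",
}

# Nominal doubling ladder below "large" (each step roughly doubles vCPU and RAM).
_SMALL_SIZES = {"nano": 1 / 16, "micro": 1 / 8, "small": 1 / 4, "medium": 1 / 2, "large": 1.0}


def parse_instance_type(name):
    """Split an instance type name into class, generation, attribute suffix and size."""
    m = _INSTANCE_TYPE.match(name)
    if not m:
        raise ValueError(f"not an EC2 instance type name: {name!r}")
    return {"class": m["cls"], "generation": int(m["generation"]),
            "attributes": m["attributes"], "size": m["size"]}


def category(name):
    return _CATEGORY.get(parse_instance_type(name)["class"], "unknown")


def size_factor(size):
    """Size relative to 'large': xlarge = 2, 2xlarge = 4, 16xlarge = 32.
    'metal' sizes have no fixed position on the ladder and raise ValueError."""
    if size in _SMALL_SIZES:
        return _SMALL_SIZES[size]
    m = re.fullmatch(r"(\d*)xlarge", size)
    if not m:
        raise ValueError(f"size {size!r} has no fixed position on the ladder")
    return 2.0 * int(m.group(1) or 1)


def is_newer(a, b):
    """True if a is a later generation of the same instance class as b."""
    pa, pb = parse_instance_type(a), parse_instance_type(b)
    return pa["class"] == pb["class"] and pa["generation"] > pb["generation"]


if __name__ == "__main__":
    for name in ("m5.2xlarge", "t2.micro", "c6gn.xlarge", "r5b.large"):
        print(name, parse_instance_type(name), category(name))
    print("m5.2xlarge is", size_factor("2xlarge"), "x a large")  # 4.0
```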
General Purpose
great for diversity of workloads such as web servers or code repositories
balance between compute, memory, networking
examples: t2.micro, T4g, T3, T3a, M5, M5a, M4, A1
Compute Optimized
great for compute-intensive tasks that require high performance processors
batch processing workloads
media transcoding
high performance web servers
high performance computing
scientific modeling and machine learning
dedicated game servers
examples: C6gn, C5, C5a, C5n, C4
Memory Optimized
fast performance for workloads that process large datasets in memory
use cases
high performance, relational/non-relational databases
distributed web scale cache stores
in-memory databases optimized for BI (Business Intelligence)
Apps performing real-time processing of big unstructured data
examples: R6g, R5, R5a, R5b, R5n, R4, X1e, X1, High Memory, z1d
Storage Optimized
great for storage-intensive tasks that require high, sequential read and write access to large data sets on local storage
use cases
high frequency online transaction processing (OLTP) systems
relational & NoSQL databases
cache for in-memory databases
data warehousing applications
distributed file systems
Security Groups & Classic Ports Overview
security groups are the fundamental of network security in AWS
they control how traffic is allowed in or out of our EC2 instances
security groups only contain allow rules
security groups rules can reference by IP or by security group
security groups deeper dive
security groups are acting as a “firewall” on EC2 instances
they regulate:
access to ports
authorized IP ranges — IPv4 and IPv6
control of inbound network (from other to the instance)
control of outbound network (from instance to other)
good to knows
can be attached to multiple instances
locked down to a region/VPC combination
does live “outside” the EC2 — if traffic is blocked the EC2 instance won’t see it
it’s good to maintain one separate security group for SSH access
if your application is not accessible (time out), then it’s a security group issue
if your app gives a “connection refused” error, then it’s an app error or is not launched
all inbound traffic is blocked and all outbound traffic is authorized by default
referencing other security groups
inbound rules allow only authorized security groups
Classic Ports to know
22 = SSH (Secure Shell) - log into a Linux instance
21 = FTP (File Transfer Protocol) - upload files into a file share
22 = SFTP (Secure File Transfer Protocol) - upload files using SSH
80 = HTTP - access unsecured websites
443 = HTTPS - access secured websites
3389 = RDP (Remote Desktop Protocol) - log into a windows instance
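The following added example (not from the original notes) models the security group behaviour described above: allow rules only, inbound denied unless a rule matches, rules that reference either a CIDR range or another security group, and the classic ports table. The groups and addresses are constructed for the example. It also shows the kind of check an auditor would run over a group's rules (admin ports such as SSH or RDP open to the whole internet).

```python
import ipaddress

# Classic ports from the notes.
PORTS = {22: "SSH", 21: "FTP", 80: "HTTP", 443: "HTTPS", 3389: "RDP"}
ADMIN_PORTS = (22, 3389)
ANYWHERE = ("0.0.0.0/0", "::/0")


class SecurityGroup:
    """Minimal model of an EC2 security group: allow rules only, inbound blocked by
    default, outbound allowed by default, rule source is a CIDR or another group id."""

    def __init__(self, group_id):
        self.group_id = group_id
        self.inbound = []  # (protocol, from_port, to_port, source)

    def allow_inbound(self, protocol, from_port, to_port, source):
        self.inbound.append((protocol, from_port, to_port, source))

    def allows_inbound(self, protocol, port, src_ip, src_groups=()):
        """True if some inbound rule matches; no rule means the packet is dropped,
        which the client sees as a timeout, not a refusal."""
        for proto, lo, hi, source in self.inbound:
            if proto not in (protocol, "-1") or not lo <= port <= hi:
                continue
            if source.startswith("sg-"):
                if source in src_groups:  # referenced group: allow traffic from its members
                    return True
            elif ipaddress.ip_address(src_ip) in ipaddress.ip_network(source, strict=False):
                return True
        return False


def audit_group(sg):
    """Flag admin ports (SSH, RDP) opened to the whole internet."""
    findings = []
    for _proto, lo, hi, source in sg.inbound:
        for port in ADMIN_PORTS:
            if lo <= port <= hi and source in ANYWHERE:
                findings.append(f"{sg.group_id}: {PORTS[port]} ({port}) open to {source}")
    return findings


def diagnose(symptom):
    """The troubleshooting rule of thumb from the notes."""
    return {"timeout": "security group issue",
            "connection refused": "application error or app not launched"}[symptom]


def build_sample_groups():
    """Constructed example: a web tier reachable on 80/443 from anywhere and on 22
    only from a private range, and a database tier that trusts the web group only."""
    web = SecurityGroup("sg-web")
    web.allow_inbound("tcp", 80, 80, "0.0.0.0/0")
    web.allow_inbound("tcp", 443, 443, "0.0.0.0/0")
    web.allow_inbound("tcp", 22, 22, "10.0.0.0/8")
    db = SecurityGroup("sg-db")
    db.allow_inbound("tcp", 3306, 3306, "sg-web")
    return {"web": web, "db": db}


if __name__ == "__main__":
    groups = build_sample_groups()
    print("web 80 from internet:", groups["web"].allows_inbound("tcp", 80, "203.0.113.5"))
    print("web 22 from internet:", groups["web"].allows_inbound("tcp", 22, "203.0.113.5"))
    print("db 3306 from web tier:", groups["db"].allows_inbound("tcp", 3306, "10.0.1.5", ("sg-web",)))
    print(audit_group(groups["web"]))  # []
```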
SSH Overview (Mac, Linux)
SSH is one of the most important functions: it allows you to control a remote machine, all using the command line!
use the public IPv4
EC2 Instance Purchasing Options
on-demand instances — short workload, predictable pricing, pay by second
reserved (1 & 3 years)
reserved instances — long workloads
convertible reserved instances — long workloads with flexible instances
savings plans (1 & 3 years) — commitment to an amount of usage, long workload
spot instances — short workloads, cheap, can lose instances (less reliable)
dedicated hosts — book an entire physical server, control instance placement
dedicated instances — no other customers will share your hardware
capacity reservations — reserve capacity in a specific AZ for any duration
EC2 On Demand
pay what you use:
has the highest cost but no upfront payment
no long-term commitment
EC2 Reserved Instance
up to 72% discount compared to on-demand
reserve specific instance attributes (Instance Type, Region, Tenancy, OS)
Reservation Period — 1 year (+discount) or 3 years (+++discount)
Payment Options — No Upfront (+), Partial Upfront (++), All Upfront (+++)
Reserved Instance’s Scope — Regional or Zonal (reserve capacity in an AZ)
recommended for steady-state usage applications (e.g. database)
you can buy and sell in the Reserved Instance Marketplace
Convertible Reserved Instance
can change the EC2 instance type, instance family, OS, scope, and tenancy
up to 66% discount
EC2 Savings Plans
get a discount based on a long-term usage (up to 72% - same as RIs)
commit to a certain type of usage ($10/h for 1 or 3 years)
usage beyond EC2 Savings Plans is billed at the On-Demand price
locked to a specific instance family & AWS region
flexible across:
instance size, OS, and tenancy
EC2 Spot Instances
discounts up to 90% compared to On-Demand
instances that you can “lose” at any point of time if your max price is less than the current spot price
the MOST cost-efficient instances in AWS
useful for workloads that are resilient to failure
data analysis, batch jobs, image processing, any distributed workloads, workloads with a flexible start and end time
NOT suitable for critical jobs or databases
EC2 Dedicated Hosts
a physical server with EC2 instance capacity fully dedicated to your use
allows you to address compliance requirements and use your existing server-bound software licenses (per-socket, per-core, per-VM software licenses)
purchasing options
on-demand - pay per second for active dedicated host
reserved - 1 or 3 years (no upfront, partial upfront, all upfront)
the most expensive option
useful for software that have complicated licensing model (BYOL)
or for companies with strong regulatory or compliance needs
EC2 Dedicated Instances
instances run on hardware that’s dedicated to you
may share hardware with other instances in same account
no control over instance placement (can move hardware after stop/start)
Dedicated Instances: you have your own instance on your own hardware
Dedicated Hosts: you get access to the physical server itself and it gives you visibility on the lower-level hardware
EC2 Capacity Reservations
reserve on-demand instances capacity in a specific AZ for any duration
you always have access to EC2 capacity when you need it
no time commitment (create/cancel anytime), no billing discounts
combine with regional reserved instances and savings plans to benefit from billing discounts
you’re charged at on-demand rate whether you run instances or not
suitable for short-term, uninterrupted workloads that need to be in a specific AZ
Which purchasing option is right for me?
on-demand: coming and staying in resort whenever we like, we pay the full price
reserved: like planning ahead and if we plan to stay for a long time, we may get a good discount
savings plans: pay a certain amount per hour for certain period and stay in any room type
spot instances: the hotel allows people to bid for the empty rooms and the highest bidder keeps the rooms. you can get kicked out anytime
dedicated hosts: we book an entire building of the resort
capacity reservations: you book a room for a period with full price even if you don’t stay in it
IP Address Charges in AWS
starting Feb 1st 2024, there is a charge for all public IPv4 created in your account
$0.005 per hour of public IPv4 ($3.6 per month)
for new accounts in AWS, you have a free tier for the EC2 service: 750 hours of public IPv4 per month for the first 12 months
for all other services there is no free tier!!
Shared Responsibility Model for EC2
AWS
infrastructure
isolation on physical hosts
replacing faulty hardware
compliance validation
user
security groups rules
operating system patches and updates
software and utilities installed on the EC2 instance
IAM roles assigned to EC2 & IAM user access management
data security on your instance
EC2 Summary
EC2 instance: AMI (OS) + Instance Size (CPU + RAM) + Storage + security groups + EC2 User Data
Security Groups: firewall attached to the EC2 instance
EC2 User Data: script launched at the first start of an instance
SSH: start a terminal into our EC2 instances (Port 22)
EC2 Instance Role: link to IAM roles
Purchasing Options:
on-demand
spot
reserved (standard + convertible)
dedicated host
dedicated instance
EBS Volume
What is an EBS Volume?
a network drive (NOT a physical drive) you can attach to your instances while they run
uses the network to communicate with the instance, which means there may be a bit of latency
can be detached from an EC2 instance and attached to another one quickly
it allows your instances to persist data, even after their termination
they can only be mounted to one instance at a time
they are bound to a specific availability zone
analogy: think of them as a “network USB stick”
locked to an AZ
an EBS volume in us-east-1a cannot be attached to us-east-1b
to move a volume across, you need to snapshot it first
have a provision capacity (size in GBs and IOPS)
you get billed for all the provisioned capacity
you can increase the capacity of the drive over time
EBS — delete on termination attribute
controls the EBS behavior when an EC2 instance is being terminated
by default, any other attached EBS volume is not deleted (attribute disabled)
this can be controlled by the AWS console / AWS CLI
use case: preserve root volume when instance is terminated
EBS Snapshots
make a backup of your EBS volume at a point in time
not necessary to detach volume to do snapshot, but recommended
can copy snapshots across AZ or region
you can transfer an EBS to another AZ through a snapshot
EBS Snapshots Features
EBS snapshot archive
move a snapshot to an “archive tier” that is 75% cheaper
restoring from the archive takes 24-72h
good for no-rush restores
Recycle Bin for EBS Snapshots
set up rules to retain deleted snapshots so you can recover them after an accidental deletion (retention from 1 day to 1 year)
AMI Overview
AMI = Amazon Machine Image
AMIs are a customization of an EC2 instance
you add your own software, configuration, OS, monitoring…
faster boot/configuration time because all your software is prepackaged
AMI are built for a specific region (and can be copied across regions)
you can launch EC2 instances from:
a public AMI: AWS provided
your own AMI: you make and maintain them yourself
an AWS marketplace AMI: an AMI someone else made (and potentially sells)
AMI Process (from an EC2 instance)
start an EC2 instance and customize it
stop the instance (for data integrity)
build an AMI — this will also create EBS snapshots
launch instances from other AMIs
EC2 Image Builder
used to automate the creation of virtual machines or container images
⇒ automates the creation, maintenance, validation, and testing of EC2 AMIs
EC2 Instance Store
EBS Volumes are network drives with good but LIMITED performance
if you need a high-performance hardware disk, use EC2 Instance Store
better I/O performance
EC2 Instance Store volumes lose their data if the instance is stopped (ephemeral)
good for buffer / cache / scratch data / temporary content
risk of data loss if hardware fails
backups and replication are your responsibility
EFS — Elastic File System
managed NFS (network file system) that can be mounted on 100s of EC2
EFS works with Linux EC2 instances in multi-AZ
highly available, scalable, expensive, pay per use, no capacity planning
EBS vs EFS
EBS are bound by specific AZs
EBS snapshot → another AZ
EFS drive — shared file system
EFS Infrequent Access (EFS-IA)
storage class that is cost-optimized for files not accessed every day
up to 92% lower cost compared to EFS Standard
EFS will automatically move your files to EFS-IA based on the last time they were accessed
enable EFS-IA with lifecycle policy
e.g. move files that are not accessed for 60 days to EFS-IA
transparent to the apps accessing EFS
Shared Responsibility Model for EC2 Storage
AWS
infrastructure
replication for data for EBS volumes & EFS drives
replacing faulty hardware
ensuring their employees cannot access your data
user
setting up backup/snapshot procedures
setting up data encryption
responsibility of any data on the drives
understanding the risk of using EC2 Instance Store
Amazon FSx — overview
launch 3rd party high-performance file systems on AWS
fully managed services
FSx for Lustre
a fully managed high-performance scalable file storage for High Performance Computing (HPC)
the name Lustre is derived from “Linux” and “cluster”
machine learning, analytics, video processing, financial modeling ….
scales up to 100s of GB/s, millions of IOPS, sub-ms latencies
FSx for Windows File Server
a fully managed, highly reliable, and scalable Windows native shared file system
built on Windows File Server
supports SMB protocol and Windows NTFS
integrated with Microsoft Active Directory
can be accessed from AWS or your on-premises infrastructure
EC2 Instance Storage Summary
EBS Volume
network drives attached to one EC2 instance at a time
mapped to an availability zone
can use EBS Snapshots for backups / transferring EBS volumes across AZ
AMI
create ready-to-use EC2 instances with our customization
EC2 Image Builder: automatically build, test, and distribute AMIs
EC2 Instance Store
high performance hardware disk attached to our EC2 instance
lost if our instance is stopped/terminated
EFS: network file system, can be attached to 100s of instances in a region
EFS-IA: cost-optimized storage class for infrequently accessed files
FSx for Windows: network file system for windows servers
FSx for Lustre: high performance computing Linux file system
Elastic Load Balancing and Auto Scaling Groups
Scalability and High Availability
scalability means that an app/system can handle greater loads by adapting
there are two kinds of scalability
vertical scalability
can increase the size of the instance
t2.micro → t2.large
very common for non-distributed systems such as databases
there’s usually a limit to how much you can vertically scale (hardware limit)
horizontal scalability (high elasticity)
increasing the number of instances/systems for your app
implies distributed systems
very common for web apps/modern apps
easy thanks to cloud offerings like EC2
scalability is linked to but different from high availability
high availability
running app/system in at least 2 AZs
usually goes hand in hand with horizontal scaling
goal of high availability is to survive a data center loss
High availability & scalability for EC2
vertical scaling: increase instance size (up/down)
horizontal scaling: increase number of instances (out/in)
auto scaling group
load balancer
high availability: run instances for the same app across multi AZ
auto scaling group multi AZ
load balancer multi AZ
Scalability vs. Elasticity (vs. Agility)
Scalability: ability to accommodate a larger load by making the hardware stronger (scale up) or by adding nodes (scale out)
Elasticity: once a system is scalable, elasticity means that there will be some “auto-scaling” so that the system can scale based on the load. This is “cloud-friendly”; pay-per-use, match demand, optimize costs
Agility: (not related to scalability - distractor) new IT resources are only a click away, which means that you reduce the time to make those resources available to your developers from weeks to just minutes
What is Load Balancing?
load balancers are servers that forward internet traffic to multiple servers (EC2 instances) downstream
Why use a load balancer?
spread load across multiple downstream instances
expose a single point of access (DNS) to your application
seamlessly handle failures of downstream instances
do regular health checks to your instances
provide SSL termination (HTTPS) for your websites
highly available across zones
ELB (Elastic Load Balancer) is a managed load balancer
AWS guarantees that it will be working
AWS takes care of upgrades, maintenance, high availability
AWS provides only a few configuration knobs
costs less to set up your own load balancer but it will be a lot more effort on your end (maintenance, integrations)
4 kinds of load balancers offered by AWS
App load balancer (HTTP/HTTPS) - layer 7
HTTP / HTTPS / gRPC
HTTP Routing features
Static DNS (URL)
Network load balancer (ultra high performance, allows for TCP) - layer 4
TCP / UDP protocols
High Performance: millions of requests per second
Static IP
Gateway load balancer - layer 3
GENEVE protocol on IP Packets (layer 3)
Route Traffic to Firewalls that you manage on EC2 instances
Intrusion detection
What’s an Auto Scaling Group?
in real life, the load on your websites and apps can change
in the cloud, you can create and get rid of servers very quickly
the goal of an auto scaling group (ASG) is to:
scale out (add EC2 instances) to match an increased load
scale in (remove EC2 instances) to match a decreased load
ensure we have a minimum and a maximum number of machines running
automatically register new instances to a load balancer
replace unhealthy instances
cost savings: only run at an optimal capacity (principle of the cloud)
Auto Scaling Groups — Scaling Strategies
Manual Scaling: update the size of an ASG manually
Dynamic Scaling: respond to changing demand
Simple/Step Scaling
when a CloudWatch alarm is triggered (e.g. CPU > 70%) then add 2 units
when a CloudWatch alarm is triggered (e.g. CPU < 30%) then remove 1 unit
Target Tracking Scaling
e.g. I want the avg ASG CPU to stay at around 40%
Scheduled Scaling
anticipate a scaling based on known usage patterns
e.g. increase the min capacity to 10 at 5pm on Fridays
Predictive Scaling
uses ML to predict future traffic ahead of time, forecasting what will happen in the future
automatically provisions the right number of EC2 instances in advance
useful when your load has predictable time-based patterns
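The scaling strategies above, worked through as an added example (not from the original notes, and not AWS's own algorithms): a simple/step policy using the notes' thresholds (CPU > 70% add 2, CPU < 30% remove 1), a target tracking policy aiming at a CPU target, and a scheduled minimum for Fridays at 5 pm, all clamped to the group's min/max. The load model (each instance absorbs up to 100 CPU units per tick) and the demand sequence are constructed so the two dynamic policies can be compared on the same input. Predictive scaling is left out, since it depends on a forecasting model rather than a rule.

```python
import math
from datetime import datetime


def clamp(n, lo, hi):
    """Keep the desired size inside the ASG's [min, max] bounds."""
    return max(lo, min(hi, n))


def make_step_policy(scale_out_above=70.0, scale_in_below=30.0, add=2, remove=1):
    """Simple/step scaling: an alarm on average CPU adds or removes a fixed number
    of instances (defaults are the example thresholds from the notes)."""
    def policy(current, avg_cpu, min_size, max_size):
        if avg_cpu > scale_out_above:
            desired = current + add
        elif avg_cpu < scale_in_below:
            desired = current - remove
        else:
            desired = current
        return clamp(desired, min_size, max_size)
    return policy


def make_target_policy(target_cpu=40.0):
    """Target tracking: keep average CPU near the target. Total demand is
    current * avg_cpu, so the size that would hit the target is demand / target."""
    def policy(current, avg_cpu, min_size, max_size):
        desired = math.ceil(current * avg_cpu / target_cpu)
        return clamp(desired, min_size, max_size)
    return policy


def simulate(load_per_tick, policy, start, min_size, max_size):
    """Each tick the group receives a total CPU demand (constructed model: one instance
    absorbs up to 100 units, so average CPU = demand / size, capped at 100%).
    Returns the group size after each tick."""
    sizes, size = [], start
    for demand in load_per_tick:
        avg_cpu = min(100.0, demand / size)
        size = policy(size, avg_cpu, min_size, max_size)
        sizes.append(size)
    return sizes


def scheduled_min_size(base_min, when, schedule=((4, 17, 10),)):
    """Scheduled scaling: raise the minimum at known times. The default schedule is
    the notes' example, minimum 10 from 17:00 on Fridays (weekday 4)."""
    for weekday, hour, new_min in schedule:
        if when.weekday() == weekday and when.hour >= hour:
            return max(base_min, new_min)
    return base_min


if __name__ == "__main__":
    load = [100, 300, 300, 50, 50, 50]  # constructed demand: a spike, then a lull
    print("step   :", simulate(load, make_step_policy(), start=2, min_size=1, max_size=5))
    print("target :", simulate(load, make_target_policy(40.0), start=2, min_size=1, max_size=5))
    print("friday 5pm min:", scheduled_min_size(2, datetime(2024, 6, 7, 17, 30)))
```

On the same demand the target tracking policy reacts in one step (it computes how many instances the load needs) while the step policy moves by fixed increments and takes several ticks to settle, which is the practical difference between the two strategies.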
ELB & ASG
High availability vs. Scalability (vertical and horizontal) vs. Elasticity vs. Agility in the Cloud
Elastic Load Balancers (ELB)
distribute traffic across backend EC2 instances, can be multi-AZ
supports health checks
4 types:
Classic (old)
Application (HTTP - L7)
Network (TCP — L4)
Gateway (L3)
Auto Scaling Groups (ASG)
implement elasticity for your application across multiple AZ
scale EC2 instances based on the demand on your system, replace unhealthy instances
integrated with the ELB
S3
one of the building blocks of AWS
“infinitely scaling” storage
many websites use