Preparing
for AWS Solution Architect - Associate
certification? I prepared these short notes for important services which are
very commonly questioned in the exam. I prepared this in August 2019, so not
sure when you are reading these notes. The exam changes topics, as new services
are introduced, almost every month. So please update yourself with newer
services which are relevant for the time you give the exam.
Topic
|
Details
|
IAM
|
1. IAM
consists of Users, Groups, Roles, Policies - you apply polices to
groups, roles. Users in the group will inherit the policy. Policies
are written in Json.
2. IAM is universal. Root account has complete Admin access. New users created have no permissions as per "principle of least privileges". 3. New users are assigned Access Key ID and Secret Access Keys when first created. You cannot use them as password. This can only be used API and command line. If you lose Access Key ID and Secret Access Keys, then you must regenerate. 4. Use MFA as best practices |
S3
|
1. S3 is object based. Files
can be from 0 bytes to 5TB. Files have unlimited storage, files are
stored in buckets. S3 is universal namespace. Files are stored in
Buckets and Buckets must be unique.
By default, all newly created bucket is Private. All successful
upload will return code 200. Can use ACL to object levels. S3 buckets
can be configured to create access logs, which logs all request made to S3
bucket.
Key fundamentals of S3 are: a) Key - name of the object b) Value - data c) Version Id d) Metadata e) Sub-resources - ACL and Torrents. 2. Consistency Model - a) Read after Write consistency for PUTs of new object. b) Eventual Consistency for overwrite PUTS and DELETES (can take some time) |
S3
|
S3 Classes of Storage:
1. S3 Standard - (99.99% Availability. 99.99999999999% durability). Stored redundantly across multiple devices in multiple facilities. can sustain loss of 2 facilities concurrently 2. S3 - IA - Infrequently accessed - (99.9% Availability. 99.99999999999% durability)- but requires rapid access when needed. Lower fee than S3, but you are charged a retrieval fee. 3. S3 One Zone - IA - (99.5% Availability. 99.99999999999% durability) Lower cost option for infrequently accessed data but do not require the multiple availability zone data resilience. 4. S3 Intelligent Tiering - Optimizes cost - uses machine learning - moves data to the most cost-effective access tier, without performance impact. 5. S3 Glacier - (data archival)- (99.99% Availability-after restore. 99.99999999999% durability) - Secure, durable, low-cost storage class for data archiving. Retrieval times configurable from minutes to hours. 6. S3 Glacier Deep Archive - (99.99% Availability-after restore. 99.99999999999% durability) lowest cost storage class where a retrieval time of 12 hours is acceptable. 7. S3 RRS - (99.99% Availability. 99.99% durability) - |
S3
|
Encryption: In Transit- 1. SSL/TLS (Transport
Layer Security - improved version of SSL) - HTTPS -
At Rest: 1. Client side encryption and 2. Server side encryption 2.1 - Server side encryption with Amazon S3 Managed Keys (SSE-S3) 2.2 - Server side encryption with AWS Key Management Service (SSE-KMS) 2.3 - Server side encryption with customer provided keys (SSE-C) 2.4 - A client library such as Amazon S3 Encryption client. you retain control of the keys and complete the encryption and decryption of objects client-side using an encryption library of your choice. Some customers prefer full end-to-end control of the encryption and decryption of objects. Securing your Buckets 1. By default, buckets are private, and all objects stored inside the buckets are private too. 2. You can setup access control to your buckets using a) Bucket Polices - for entire bucket b) Access control list - on individual items 3. S3 can create access logs which logs all requests made to the S3 bucket. This can be stored in another bucket. 4. Versioning - Stores all version of an object, including all writes and deleted. 2. Great backup tool 3. Once enabled, versioning cannot be disabled, only suspended. 4. MFA can be used as additional layer of security. 5. Integrates with life cycle rules. Customers may use four mechanisms for controlling access to Amazon S3 resources: Identity and Access Management (IAM) policies, bucket policies, Access Control Lists (ACLs), and Query String Authentication. |
S3
|
1. Cross Region Replication -
1. Versioning must be enabled on both the source and destination bucket. 2. Regions must be unique. 3. Files are not replicated automatically at start. Subsequent files will be replicated. 4. Delete marker, deleting versions are not replicated. 2. S3 Lifecycle Management Policy - (IA cannot before 30 days) 1. Can be used in conjunction with versioning. 2. Can be used on current and previous versions 3. Transition of S3 IA-S3 Glacier 4. Even rules to delete permanently. Working with CLI - Go to on command prompt for CLI C:\Program Files\Amazon\AWSCLI (C:\Program Files\Amazon\AWSCLI>aws s3 ls s3://parthamyversioningbucket) 3. Copy files between S3 buckets using CLI Command: 4. S3 Transfer Acceleration - Users will upload the files in Edge location first and then files will go to S3. This increases performance. |
Storage Gateway
|
Storage
Gateway: Connects on-premise IT/Application with cloud-based
storage. A virtual/physical device placed at on-premise which copies data to
cloud. Storage gateway supports either VMware ESXi or Microsoft Hyper-V.
A VM image which is installed on on-prem datacentre, once connected, from AWS
console can create gateways.
1. File Gateway - (NFS) Flat files, stored directly on S3. Uses NFS Mount point. 2. Volume Gateway - (iSCSI) - uses iSCSI block protocol. 2.1. Stored Volumes - Entire Dataset is stored on-site and is asynchronously backed up to S3 as EBS snapshots. (1GB -16TB in size for Stored volumes) 2.2. Cached Volumes - Entire Dataset is stored on S3 and the most frequently accessed data is cached on site. (1GB -32TB in size for Cached volumes) 3. Gateway Virtual Tape Library - Used for backup and uses popular backup applications like NetBackup, Backup Exec, Veeam etc. |
S3
|
1. Amazon S3 offers a range of
storage classes designed for different use cases. These include S3 Standard
for general-purpose storage of frequently accessed data; S3
Intelligent-Tiering for data with unknown or changing access patterns; S3
Standard-Infrequent Access (S3 Standard-IA) and S3 One Zone-Infrequent Access
(S3 One Zone-IA) for long-lived, but less frequently accessed data; and
Amazon S3 Glacier (S3 Glacier) and Amazon S3 Glacier Deep Archive (S3 Glacier
Deep Archive) for long-term archive and digital preservation.
2. The S3 Standard storage class is designed for 99.99% availability, the S3 Standard-IA storage class is designed for 99.9% availability, and the S3 One Zone-IA storage class is designed for 99.5% availability. 3. use four mechanisms for controlling access to Amazon S3 resources: Identity and Access Management (IAM) policies, bucket policies, Access Control Lists (ACLs), and Query String Authentication. IAM enables organizations with multiple employees to create and manage multiple users under a single AWS account. With IAM policies, customers can grant IAM users fine-grained control to their Amazon S3 bucket or objects while also retaining full control over everything the users do. With bucket policies, customers can define rules which apply broadly across all requests to their Amazon S3 resources, such as granting write privileges to a subset of Amazon S3 resources. Customers can also restrict access based on an aspect of the request, such as HTTP referrer and IP address. With ACLs, customers can grant specific permissions (i.e. READ, WRITE, FULL_CONTROL) to specific users for an individual bucket or object. With Query String Authentication, customers can create a URL to an Amazon S3 object which is only valid for a limited time. |
S3
|
4. You
can choose to encrypt data using SSE-S3, SSE-C, SSE-KMS, or a client library.
SSE-S3 provides an integrated solution where Amazon handles key management
and key protection using multiple layers of security. You should choose
SSE-S3 if you prefer Amazon manage your keys. SSE-C enables you to leverage
Amazon S3 to perform the encryption and decryption of your objects while
retaining control of the keys used to encrypt objects. SSE-KMS enables you to
use AWS Key Management Service (AWS KMS) to manage your encryption keys.
5. An Amazon VPC Endpoint for Amazon S3 is a logical entity within a VPC that allows connectivity only to S3. The VPC Endpoint routes requests to S3 and routes responses back to the VPC. 6. Amazon Macie is an AI-powered security service that helps you prevent data loss by automatically discovering, classifying, and protecting sensitive data stored in Amazon S3. |
S3
|
7. You
can use Amazon Macie to protect against security threats by
continuously monitoring your data and account credentials. Amazon Macie gives
you an automated and low touch way to discover and classify your business
data. .
8. Amazon S3 uses a combination of Content-MD5 checksums and cyclic redundancy checks (CRCs) to detect data corruption. Amazon S3 performs these checksums on data at rest and repairs any corruption using redundant data. 9. Amazon S3 Intelligent-Tiering (S3 Intelligent-Tiering) is an S3 storage class for data with unknown access patterns or changing access patterns that are difficult to learn. It is the first cloud storage class that delivers automatic cost savings by moving objects between two access tiers when access patterns change. One tier is optimized for frequent access and the other lower-cost tier is designed for infrequent access. It is ideal for data sets where you may not be able to anticipate access patterns. S3 Intelligent-Tiering can also be used to store new data sets where, shortly after upload, access is frequent, but decreases as the data set ages. 10. S3 Intelligent-Tiering is designed for the same 99.999999999% durability as S3 Standard. S3 Intelligent-Tiering is designed for 99.9% availability. In addition to using lifecycle policies to migrate objects from S3 Intelligent-Tiering to S3 One Zone-IA, you can also set up lifecycle policies to archive objects to S3 Glacier. |
CDN
|
Cloud
Front Distribution - 1. Edge location - where the content will be cached 2.
Origin - (origin can be out of AWS) Origin
of files which CDN will distribute, this can be S3, EC2, ELB, Route53. 3. Distribution - Name given to CDN
which consists of a collection of Edge locations 3a. Web distribution 3b.
RTMP (used for media streaming).
4. Edge location is not only READ, you can write to them too. 5.
Objects are cached for life of TTL (Time to Live). 6. Clearing cache is
chargeable. 6. Snowball - a big/large amount of data storage. 1. Transfer
files to and from S3.
|
EC2
|
EC2 - Resizable compute on cloud.
There are 4 pricing model. You are limited to running up to 20 on-demand instances.
1. On Demand - pay a fixed rate by the hour with no commitment. 2. Reserved - Capacity reservation, contract term 1 to 3 years. More the contract term lesser is the cost. 3. Spot - Can bid for the price. If AWS terminates the EC2, no payment required. However, if you decide to terminate then must pay for the time of usage. 4. Dedicated Host - Dedicated Physical EC2. Used to reduce cost by allowing existing server bound software licenses. Regulation where multi-tenant virtualization is not permissible. |
EC2
|
EC2
Instance Types -
Numonic for all the instance types is FIGHT DR MC PXZ AU.
1. t, m type for general purpose. 2. c-type for compute optimized 3. r, x, z-type for memory optimized 4. d, h, i-type for storage optimized 5. f, g, p-type for accelerated computing. There is data transfer charge while copying AMI from one region to another. |
EBS
|
1. On an
EBS-backed instance, the root EBS volume will be deleted when the
instance is terminated. 2. The root volumes and additional volumes can be
encrypted.
3. Volumes exist on EBS, think as a virtual hard disk. 4. Snapshots are point in time copies of Volumes. 5. Snapshots are incremental - this means that only the blocks that have changed since your last snapshots are moved to S3. 6. Incase of 1st snapshots, it may take some time to create. 7. Snapshot for root EBS volumes, you should stop the instance before taking the snapshot. 8. AMI can be created both from Volumes and Snapshots. 9. You can change EBS volume sizes on the fly, including changing the size and storage type. 10. Volumes will be in the same AZ where the instance is. 11. To move an EC2 volume from one AZ to another, take a snapshot, create an AMI from the snapshot and then use the AMI to launch instance in new AZ. 12. If want to move across region, copy AMI from one region to another region. |
Security Groups
|
1. All
Inbound traffic is blocked by default. 2. All outbound traffic is
allowed. 3. Changes to SG takes effect immediately. 4. Any number of
EC2 can have same SG. 5. SG is STATEFUL - a port once opened is open
for both inbound and outbound traffic, NACL on other hand are stateless.
6. Cannot block specific IP using SG, instead use NACL. 7. You can specify
allow rules but not the deny rules.
Roles: 1. Roles are more secure than storing your access key and secret access key on individual EC2 instance. 2. Roles are easy to manage 3. Roles can be assigned after EC2 is created 4. Roles are universal. |
EBS Types
|
1. Solid State Drives (SSD) -
a. General Purpose SSD - Balances price & performance - Most Work Loads - gp2 - 1GiB-16TiB - 16,000 IOPS/volume b. Provisioned IOPS SSD - Highest performance for mission critical apps - Database - io1 - 4GiB-16TiB - 64,000 IOPS 2. Hard Disk Drives (HDD) - a. Throughput Optimized HDD - Low cost HDD volume for frequently accessed, throughput intensive workload - Big Data & Data WH - st1 - 500GiB - 16TiB - 500 IOPS b. Cold HDD - Lowest cost HDD volume for less frequently accessed workload - File Servers - sc1 - 500GiB - 16TiB - 250 IOPS c. EBS Magnetic - Previous generation HDD - Workloads where data is infrequently access - Standard - 1GiB - 1TiB - 40-200 IOPS |
EBS
|
EBS vs
Instance Store:
1. Instance store volume cannot be stopped. If the underlying host fails, you will lose the data, in EBS you will not (sometimes called as Ephemeral Storage). 2. EBS - Incase of reboot, no data loss. 3. On termination, both root volumes will be deleted. However, AWS can keep root device volume post termination, on request for EBS. |
CloudWatch
|
1. CW is
used for monitoring performance. 2. CW can monitor most of the AWS as
well as your application that runs on AWS. 3. Will monitor 5 minutes by
default which can be changed to 1 min too. 4. Can create CW alarms. 5. CW is
all about performance, Cloud Trail is all about auditing. CT
monitors all API calls made in AWS platform. 6. Can create CW dashboard 7.
Monitor events 8. CW logs.
|
CLI
|
1. Setup
access in IAM - need Access key ID and Secret Access key.
Amazon EC2 uses public–key cryptography to encrypt and decrypt login
information. Public–key cryptography uses a public key to encrypt a piece of
data, such as a password, then the recipient uses the private key to decrypt
the data. The public and private keys are known as a key pair.
|
Metadata
|
Instance
Meta Data & User Data
bootstrap scripts are incredibly useful as well. So, it's used to get information about an instance such as a public IP and to do it you just run a curl curl http://169.254.169.254/latest/meta-data/ and then curl http://169.254.169.254/latest/user-data/ |
EFS
|
1.
Supports Network File System version 4.1 protocol. 2. You only pay for
the storage you use. 3. Can scale up to petabytes 4. Can support thousands of
concurrent NFS connections. 5. Data is stored in multiple AZ's within a
region. 6. Read after Write Consistency.
|
Placement Groups
|
1. Clustered Placement Group - This is
where you need very high network throughput or low latency or
both. And it's available in a single availability zone.
2. Spread Placement Group - This is where if you've got critical EC2 instances and you don't want them on the same hardware Only certain types of instances can be launch into a placement group, so this will be - Compute Optimized, GPU, Memory Optimized, Storage Optimized. AWS always recommends homogenous instances within placement groups. You cannot merge placement groups. |
Database
|
1.
RDS (OLTP) -This is used for online transaction processing. This comes in
six different flavours 1. SQL 2. MySQL 3. PostgreSQL 4. Oracle 5. Aurora 6.
MariaDB
2. DynamoDB - This is a no sequel database service available. a) Stored on SSD storage b) Spread across 3 geographically distinct data centres c) Eventual consistency Reads as Default if not reading after writing within 1second. d) Otherwise Strongly consistent reads. 3. Redshift (OLAP) - Amazon's Data Warehousing solution. a) Used for BI b) only available in 1 AZ c) Backups - retention default 1 day, Maximum retention 35 days d) Always attempts to keep 3 copies of data - the original and replica on the compute nodes and backup in S3. e) Remember that redshift can also asynchronously replicate your snapshots to S3 in another region for DR 4. Aurora - (serverless) Always going to have 2 copies of your data contained in each AZ, with a minimum of 3 availability zones. 6 copies of your data. 2copies x 3 AZ = 6 copies. b) Can share Aurora Snapshots with other AWS accounts c) 2 types of replicas available. Aurora and MySQL replicas. Automated failover is only available in Aurora replicas. d) Automated backup by default, can take snapshot too. 5. Backups - There are two types of backups for RDS: 1. Automated Backup - 2. Database Snapshot - Multi AZ is 1. For DR 2. U can force a failover from one AZ to another by rebooting the RDS instance. Encryption - Encryption at rest is supported by MySQL, Oracle, SQL Server, PostgreSQL, MariaDB & Aura. Encryption is done using the AWS Key Management Service (KMS) service. Once the RDS is encrypted, the data stored at rest in underlying storage is also encrypted, as are its automated backup, read replicas and snapshots. |
Elastic Cache
|
Used to
increase database and web application performance
1. Memcached - Simple. Scale horizontally 2. Reddis - Advance - span across AZs. B) You can do Backup and Restore of Reddis |
Read Replicas
|
Read
Replicas - 1. Can be Multi-AZ 2. Used to
increase performance 3. Must have backup turned on 4. Can be in
different regions 5. Can be Aurora or MySQL 6. Can be promoted to
master, but this will break the Replication with the Read Replica.
|
Route53
|
1. ELB s
do not have pre-defined IPv4 addresses; you resolve to them using a DNS
name.
2. Alias Record (A Record) - (Given the choice, always choose and Alias Record over a CNAME). 3. Cname - |
DNS
|
Common DNS
Types - 1. Start of Authority Record (SOA) - contains all details
about the DNS entries such as name, administrator, version, time to live file
on resource records.
2. NS Records - Name Server records. They are used by top level domain servers to direct traffic to content DNS which contains authoritative DNS records. 3. A Record 4. CNAME 5. MX Records 6. PTR Record. 4. Types of Routing or Routing Policies - 1. Simple 2. Weighted 3. Latency-Based 4. Failover 5. Geolocation 6. Geopromixity Routing (Traffic Flow Only) 7. Multivalue Answering 5. Health Checks - 1. You can set health checks on individual record set. 2. Record set failing health check will be removed from Route 53 until it passes health check. 3. You can set SNS notification to alert in case of check failure. |
DNS
|
1. Simple
routing - Can't have health check.
2. Weighted routing - Can divide route traffic such as 80% to one and 20% to another server. 3. Latency based - Decides which route has more latency and then routes to lesser one. 4. Fail over - Active fails over to passive 5. Geo location routing - Europeans to Servers in EU and US users to US based server for faster access. 6. Multivalue - ? |
VPC
|
1. Virtual Private Cloud - can create
public facing subnets - place your backend systems such as database or
application server in a private facing subnet with no internet access.
Leverage multiple layers of security, including security groups and network
access control lists. Can create Hardware Virtual Private Network (VPN) to
connect between corporate DC to AWS VPC as extension of corporate DC.
1. Internet Gateway or Virtual Private Gateway - need a gateway to our VPC. This at region level and then VPC - myVPC 10.0.0.0/16 2. Both will connect to a Router 3. Route Table - Sends traffic thru Route Table 4. Network ACL - These are stateless - Allow or Block rules - 5. Public & Private Subnet - These are under AG - 6. Public subnet (10.0.1.0/24)-> Security Group - these are stateful - Has access to internet. Here we have Bastion host to access EC2 inside private subnet. 6a. Instance EC2 7. Private subnet (10.0.2.0/24) -> Security Group - these are stateful - No access to internet. For internet access, it has to access thru public subnet using NAT Gateway or Instance. 7a. Instance EC2 7b. Reserved IP address for private subnets - (a) 10.0.0.0 - 10.225.225.225(10/8 prefix) (b) 172.16.0.0 - 172.31.225.225(172.16/12 prefix) (c) 192.168.0.0 - 192.168.255.255 (192.168/16 prefix). Amazon does not allow /8 prefix, biggest subnet you can have is /16 prefix. We can get the subnet ranges CIDR.xyz site. We will practise using 10.0.0.0/16 which is commonly used subnet. |
VPC
|
1. Bastion
server - a server in public subnet to access servers in private subnet
2. Network Address Translation - NAT - don't want to make all subnet public, so use NAT Instance or Gateway. NAT Gateways are highly available offering and better to use over NAT Instance. 3. When creating NAT instance, disable source/destination check on the instance. NAT instance must be in a public subnet. 4. There must be route in Route Table out of the private subnet to the NAT instance/gateway, in order to access internet. NAT instances are behind of Security Groups. 5. NAT Gateways are redundant insite the AZ. NAT Gateways are not associated with security groups. Automatically assigned a public IP address. Hands on - 1. VPC 2. Multiple Subnet public or private. 3. Public and private Route Table - Route - Public 10.0.0.0/16 within the subnets and 0.0.0.0/0 for Internet Gateway. Route-Private Public 10.0.0.0/16 within the subnets and 0.0.0.0/0 for NAT Gateway. 4. Internet Gateway is independent for public subnet to access internet 5. NAT Gateways need Elastic IP and associated with Private Subnet for one-way internet access. 6. One NACL for all subnets 7. Security Group for Public as web DMZ - Inbound RDP, HTTP 0.0.0.0/0 , outbound - All Traffic 0.0.0.0/0. For Private - Inbound -RDP from required subnet - RDP 10.0.1.0/26, outbound - All Traffic 0.0.0.0/0. |
VPC
|
1. NACL vs Security Groups -
VPC comes with a default NACL, allowing all outbound and inbound traffic
2. We can create custom network ACL. By default, each NACL denies all inbound & outbound traffic until you add rules. 3. Each subnet in a VPC should be associated with a NACL. If we don't explicitly associate a subnet with a NACL, the subnet is automatically associated with the default NACL. 4. Can Block specific IP address with NACL, which we cannot with Security Groups. 5. Can associate a NACL with multiple subnet, however a subnet can be associated with only one NACL at a time. 6. NACL contains numbered list of rules is evaluated in order, starting with lowest number rule. 7. NACL are stateless, responses to allow or deny are subject to rules. |
Flow Logs
|
1. Flow Logs - Captures
information about the IP traffic going to and from network interfaces in VPC.
Flow logs data is stored using Amazon CloudWatch logs. Flow logs can be
created in 3 levels, VPC, Subnet, Network Interface Level
2. You cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account. 3. You cannot tag a flow log. 4. After you have created FL you cannot change its configuration; ex. can't associate IAM roles once association is done. 5. Not all IP traffic is monitored. a) Traffic from instance to Amazon DNS. b) Traffic by windows intake to Amazon windows license activation c) Traffic to and from 169.254.169.254 for instance metadata. d) DHCP traffic e) Traffic to the reserved IP for the default VPC router. |
Bastion Host
|
Bastion
Host: 1. NAT is used to provide internet
traffic to EC2 instance in a private subnet. 2. A Bastion is used to securely
administer EC2 instances using SSH or RDP. 3. You cannot use a NAT Gateway as
a Bastion host.
|
VPC
|
1. When
you create a VPC, by default Route Table, NACL and SG is created. 2. Any
Sub-net is not created by default, same for IG 3. Availability Zones may be
different in different account 4. Amazon reserves 5 IP in Sub Net. 5. You can
only have one IG per VPC. 6.SG cannot span VPCs.
2. NAT Instance Vs NAT Gateways - |
VPC
|
1. Direct Connect - 1. DC
connects your data centre to AWS 2. Useful for high throughput 3. Or if a
stable and secure connection is required.
2. VPC Endpoints - a) Interface Endpoints - b) Gateway Endpoints - Gateway endpoint currently supports S3 and DynamoDB. 3. VPC Gateway - |
Load Balancers
|
1. Application Load Balancers
- ALB - Layer 7 - Intelligent LB -
2. Network Load Balancers - NLB - Layer 4 - 3. Classic Load Balancers - CLB - Layer 7 - Less cost, less intelligent. If you need IPv address of end user, look for the X-Forwarded-For header. Have sticky sessions. 504 Error code returning - means application not responding within the idle timeout period. Instances monitored by ELB are reported as InService or OutofService. Load Balancers have their own DNS names. You are never given an IP address (mostly for ALB & CLB). Cross Zone Load Balancing - enables to load balance across multiple availability zones. Path Patterns - allow to direct traffic to different EC2 instances based on the URL contained in the request. |
Cloud Formation
|
1. Is a way to script your cloud
environment. 2. Quick Start is a bunch of CloudFormation templates already
built by AWS Solution Architects to create complex environment quickly.
|
Elastic Beanstalk
|
1. You
can quickly deploy and manage application in the AWS Cloud without worrying
about the infrastructure that runs those applications.
2. You simply upload your application, and ElasticBeanstalk automatically handles the details of capacity provisioning, load balancing, scaling, and application health monitoring. |
SQS
|
1. SQS
is a way to de-couple your infrastructure, example meme or travel website.
EC2 will generate the request in queue, resources will pull the request and
send the results back to EC2
2. SQS is pull based messaging system, not pushed based. 3. Messages are 256 KB in size. 4. Messages can be retained in queue from 1 minute to 14days; the default retention period is 4 days 5. There are two types of Queues - a) Standard - Order is not guaranteed and messages can be delivered more than once. b) FIFO - Order is strictly maintained and messages are delivered only once. 6. Visibility Timeout - Amount of time message is visible in the SQS queue after a reader picks up that message. If the message is processed within the visibility timeout, then the message will be deleted from the SQS Queue, else message will be visible again for another reader to pick it up. This could result in the same message getting delivered twice. 7. Visibility timeout maximum is 12 hours. 8. SQS guarantees that message will be delivered at least once. 9. SQS long polling is a way to retrieve message from Queues. While the regular short polling returns immediately even if message queue polled is empty, long polling doesn't return a response until a message arrives in Queue or long polling times out. |
SWF
|
SWF vs
SQS - 1. SQS has retention period of 14
days; with SWF, workflow execution can last up to 1 year.
2. SWF is task oriented API, whereas SQS offers a message oriented API. 3. SWF ensures a task is assigned only once and never duplicated. Whereas in SQS have to handle duplicate messages and may have to also ensure the message is delivered at least once. 4. SWF keeps track of all the tasks and events in an application. SQS you need to implement your own application level tracking, especially if the application uses multiple queues. SWF Actors: 1. Workflow starters - An application which can initiate the WF. 2. Deciders - Control the flow of activity tasks in WF execution. If something has finished or failed in WF, a Decider decides what to do next. 3. Activity workers - Carry out the activity tasks. |
SNS
|
SNS
Benefits - 1. Instantaneous, push based delivery (no polling) 2.
Simple API and easy integration with applications 3. Flexible message
delivery over multiple transport protocol. 4. Inexpensive, pay as you go with
no up-front costs. 5. Web based AWS Management console offers the simplicity
of a point and click interface.
SNS vs SQS - 1. Both are messaging services 2. SNS is push and SQS is pull. |
Elastic Transcoder
|
A media
transcoder - converts media files from source format to different formats
that will play on smart phones, tables, PCs etc.,
|
API Gateway
|
1. API
Gateway has caching capability to increase performance 2. Low costs and
scales automatically 3. You can throttle API Gateway to prevent attacks 4. You
can log ur results to cloud watch 5. If you use multiple domain in API then
ensure to enable CORS on API Gateway. 6. CORS is enforced by client's
browser.
|
Kenisis
|
1. Kenisis
Streams - Persistent, can store your data for 24 hours. Data is stored in
shards and then EC2 can analyse the data.
2. Kenisis Firehose - No persistence. Analysis/process the data and find place to store the data such as S3. Instant analysis not required to store data. 3. Kenisis Analytics - uses both firehose and streams for analysis. |
Cognito
|
1.
Allows us to do Web Identity Federation - Federation allows users to
authenticate with a Web Identity Provider (Google, Facebook, Amazon). 2. The
user authenticates first with the Web ID Providers and receives an
authentication token, which is exchanged for temporary AWS credentials
allowing them to assume an IAM role. 3. Cognito is an Identity broker which
handles interaction between your application and Web ID provider.
4. User Pools - is user based, user registration, authentication and account recovery. 5. Identity Pool - authorises access to your AWS resources. |
S3
|
1.
Secure, durable Object based Storage. 2. Files can be from 0 to 5 TB 3.
Unlimited storage, pay by usage. 4. Data consistency model of S3 - a) read
after write consistency (read immediately after PUT) b) Eventual consistency
overwrite PUTS and Deletes (these may take some time to propagate) 5.S3
universal namespace, names must be unique globally. S3 Storage
Tiers/Classes -
1. S3 Standard - 99.99% availability, 99.999999999% (eleven 9) durability, stored redundantly across multiple devices in multiple facilities and design to sustain loss of 2 facilities concurrently. 2. S3 IA (Infrequently Accessed) - lower free than S3, data is accessed infrequently, but required rapid access when needed. 3. S3 One Zone IA - lower cost, do not require multiple AZ data resilience. 4. Glacier - Archival only, comes in 3 models - Expedited, Standard or Bulk. A Standard retrieval time takes 3-5 hours. S3 Charges - Charged for a) Storage b) Requests c) Storage Management Pricing - these are for tagging d) Data Transfer Pricing - for cross region replication e) Transfer Acceleration - fast, easy and secure transfer of long distance - using Cloud Front's globally distributed edge locations. Core fundamental of S3 Objects: Key(name), Value(data), Version ID, Metadata, Sub-resouces - a) ACL b)Torrent. Uploading an object to S3 receive a HTTP 200 Code. Core constituent of S3 - 1. Key (name) 2. Value (data) 3. Version ID 4. Metadata 5. Sub-resources a. ACL, b. Torrent |
If you have queries, do drop in your queries below.
...HaPpY CoDiNg
Partha (BJ)