Professional Documents
Culture Documents
Default VPC
172.31.0.0/16
Subnet 2 Subnet 5
VPC A
Component Description
VPC Isolated virtual network in AWS cloud
Subnet Isolated segment of your VPC
Internet Gateway VPC side of connection to internet
NAT Gateway AWS managed Network Address Translation
Service to make outbound internet connection from
your private subnet (IPv4)
NAT Instance Customer managed NAT (IPv4)
Egress-only Internet IPv6 outbound internet access
Gateway
Component Description
Router Routes traffic inside VPC
Security Group Instance level stateful firewall. Supports only Allow
rules
Network Access Control ACLs are subnet level stateless firewall. Supports
List Allow and Deny rules
Component Description
Internet Suitable for Internet accessible resources
Hardware VPN Connection Secure connection between your datacenter and
VPC (over internet or over direct connect)
Virtual Private Gateway AWS side of VPN connection
Customer Gateway Customer side of VPN connection
Direct Connect Dedicated Private connectivity between customer
on-premises network/Offices to AWS
Instance Size
Copyright © 2017 Chandra Lingam
General Purpose – T2 instances
• Lowest cost general purpose instance type - Balance of
compute, memory and network resources
• T2. micro eligible for free tier
• Baseline CPU performance with ability to burst
• Burst is governed by CPU credits - Accrue CPU credits
when idle and use it when needed
• Good choice for workloads that doesn’t use full CPU but
burst occasionally
• Suitable for Webserver, development environments and
databases
Copyright © 2017 Chandra Lingam
General Purpose – M4 instances
Instance Size
Copyright © 2017 Chandra Lingam
Compute Optimized – C4
Instance Size
Copyright © 2017 Chandra Lingam
Memory Optimized – X1
Instance Size
Copyright © 2017 Chandra Lingam
Accelerated Computing – P2
SSD HDD
Instance Size
Copyright © 2017 Chandra Lingam
Storage Optimized – I2
HTTP HTTP/HTTPS
HTTPS HTTP/HTTPS
EC2
Classic EC2
EC2
LB EC2
EC2
TCP TCP/Secure TCP
EC2
Target Group 3
/video
EC2 or Containers or Private IP address
HTTP/HTTPS
Load Balancer Types
Network Load Balancer
• Target: EC2 instances, Containers, private IP Addresses
(based on IP Protocol data)
• Very high performance, handles millions of requests per
second at very low latencies
• Optimized for handling sudden and volatile traffic patterns
• Long lived TCP Connections (websocket)
• One Static IP or Elastic IP per Availability Zone
• Preserves Source IP Address
• OSI Layer 4 (Transport) Load Balancer
Network Load Balancer
Rule Based Mapping
TCP Port
EC2 or Containers or Private IP address
Static IP
Target Group 2
TCP
Port
EC2 or Containers or Private IP address
Static IP
Network LB
Which Load Balancer To Use?
Permissions Policy
Permissions Role
AWS
Temporary User EC2
Service
Federation
Role has two parts: 1. Who can assume the role and 2. What permissions
does a role have
Permissions Policy
Inline Managed
Types (embedded) (reusable)
• In-transit protection
• HTTPS endpoints for AWS Services
• Client side encryption
• Data at rest
• S3 Server Side Encryption – S3 encrypts object when storing
and decrypts when retrieving
• Client Side Encryption – Encrypt data on your side and
upload encrypted data to S3. Encryption process, keys, and
tools are managed by client
Cold Storage
Low Cost
Durable
Standard – 3 to 5 hours
Terminology Description
Generic Top Level Domain Last part of a domain name (.com, .org, .cloud).
(TLD)
Geographic Top Level Domains associated with geographic areas.
Domain (.uk, .fr, .io, .in)
Domain Name System Worldwide network of servers that maintains
(DNS) domain names to IP Addresses
Name Servers (NS) Servers in DNS that respond to DNS queries
Authoritative Name Server NS that has definitive information about one part
of a domain name
At-Least-Once Delivery
• On rare occasions, you might receive duplicate
messages with Standard Queues
• Design your application to handle duplicate messages
Figure: Sampling
Exactly-Once Processing
• No duplicate messages sent to receivers
Deduplication
• Helps you avoid sending duplicate messages during 5-
minute interval
• Content based Deduplication ID or Producer provided
Deduplication ID
Message Group ID
• Ordering is preserved within a message group
• Multiple message groups within a single FIFO Queue
• Only one consumer can have an inflight message in a
message group
• Multiple consumers can access messages in different
message groups – one consumer per message group
• Improve throughput and latency
Figure - Components
Replication
Primary Standby
AZ 1 AZ 2
Aurora
Overview
• MySQL and PostgreSQL compatible
• Performance: 5X MySQL, 3X PostgreSQL
• Six way data replication across 3 Azs
• For Writes, four copies must be stored safely before
transaction is successful
• In case of primary crash, a read replica is promoted as
primary – typically under 60 seconds
• Low latency read replicas (up to 15)
• Support for Cross Region Replication
Aurora
• Cluster Endpoint
• Points to Current Primary Instance
• Suitable for Writes and Reads
mydbcluster.cluster-123456789012.us-east-1.rds.amazonaws.com:3306
• Reader Endpoint
• Points to Read Replicas
• Suitable for Reads
• Multiple Read Replicas are load balanced at connection level
mydbcluster.cluster-ro-123456789012.us-east-1.rds.amazonaws.com:3306
• Instance Endpoint
• Points to Individual Aurora Instance
Aurora Serverless (GA as of Aug 2018)
• Aurora Serverless - Suitable for use cases that are
intermittent or unpredictable
• Specify Minimum, Maximum Aurora Capacity Units
(ACU)
• 1 ACU is ~2 GB of Memory with corresponding
CPU/Network
• Pricing 1 ACU is $0.06 per hour + Storage + I/O
• Aurora Serverless automatically scales up and down
based on load
• Scaling is rapid – uses a pool of warm resources
Aurora Serverless
Tables
Items
Attributes
Primary Key
Partition Key
Partition Key and Sort Key
Secondary Indexes
Global Secondary Index
Local Secondary Index
DynamoDB Streams
• Captures data modification events in DynamoDB Tables
• Ordered Set of events
• Near real-time
• Lifetime of 24 hours
• Figure: Lambda functions to process stream events
Examples: New customer – welcome email, Add new
product to ElastiCache or ElasticSearch
Auto assigned. A
Port 80 Port 80 container port can map
Host Host to completely different
Port A A
Port ports across EC2
32500 38000 Instance
Port 80 Port 80
Host Host Multiple containers of a
B B particular image can be
Port Port
32501 37501 deployed in a host
Port 80 Port 80
Host Host Application Load
B B Balancer hides all this
Port Port
32502 32502 complexity from end
Host 1 Host 2 users
Copyright © 2017 Chandra Lingam
ECS - Application Load Balancer – Dynamic Mapping
Pricing
• Per CPU $0.05/hr,
• Per GB Memory $0.0127/hr
• Per Second billing with 1 minute minimum
• Time starts from image download and ends when task is
terminated
• Supported CPU and Memory Configuration
Comparison
• Elastic Beanstalk - Easy Solution for web apps and web
services
• CloudFormation
• Building-block Service that allows you to build and manage any
AWS resource
• Require you to author a template in JSON/YAML
• Application deployment can be cumbersome
• OpsWorks
• Powerful end-to-end solution. Scripting in Ruby
• Complete application lifecycle from resource provisioning,
configuration management, deployment, updates, monitoring,
access control Copyright © 2017 Chandra Lingam
Elastic Beanstalk Concepts
Concept Description
Application Logical Collection of Elastic Beanstalk components
Application Version Labeled version of a deployable code
Environment Resources provisioned to run a single application
version
Environment Tier Two types of environments:
• Web server environment to handle http requests
• Worker Environment to process SQS messages
Environment Collection of parameters and settings to manage the
Configuration resources
Configuration Starting point for creating a new environment
Template configuration