
AMAZON WEB SERVICES

AWS DEVELOPER: BUILDING ON AWS


AGENDA

• EC2
• VPC
• NACLs
• Security Groups
• IAM
• S3
• RDS
• Amazon ELB
• AWS Lambda
REGIONS, AVAILABILITY ZONES, AND LOCAL ZONES

Amazon cloud computing resources are hosted in multiple locations world-wide. These locations are composed of AWS Regions, Availability Zones, and Local Zones.
AMAZON ELASTIC COMPUTE CLOUD (EC2)

• Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) cloud.
• Using Amazon EC2 eliminates your need to invest in hardware up front, so you can develop and deploy applications faster.
• You can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage.
• Amazon EC2 enables you to scale up or down to handle changes in requirements or spikes in popularity, reducing your need to forecast traffic.
AMAZON EC2 - INSTANCES AND AMIS

• An Amazon Machine Image (AMI) is a template that contains a software configuration, for example an operating system, an application server, and applications.
• An instance is a virtual server in the cloud. Its configuration at launch is a copy of the AMI that you specified when you launched the instance.
AMAZON VIRTUAL PRIVATE CLOUD (VPC)

Amazon VPC is the networking layer for Amazon EC2.

• Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you've defined.
• This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS.
AMAZON VPC

• Subnet — A range of IP addresses in your VPC.
• Route table — A set of rules, called routes, that are used to determine where network traffic is directed.
• Internet gateway — A gateway that you attach to your VPC to enable communication between resources in your VPC and the internet.
• VPC endpoint — Enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.
• Instances in your VPC do not require public IP addresses to communicate with resources in the service.
• Traffic between your VPC and the other service does not leave the Amazon network.
AMAZON DEFAULT VPC
NETWORK ACLS

A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.

• Inbound Rules.
• Outbound Rules.
• The default NACL allows all inbound and outbound traffic.
• You can create a custom network ACL and associate it with a subnet.

NETWORK ACLS CONCEPTS

• Each subnet in your VPC must be associated with a network ACL. If you don't explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.
• You can associate a network ACL with multiple subnets. However, a subnet can be associated with only one network ACL at a time.
• A network ACL contains a numbered list of rules. The ACL evaluates the rules in order, starting with the lowest numbered rule; the first matching rule decides.
• A network ACL has separate inbound and outbound rules, and each rule can either allow or deny traffic.
• Network ACLs are stateless, which means that responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa).
NETWORK ACLS
SECURITY GROUPS

A security group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic.

• Inbound Rules.
• Outbound Rules.
• By default, security groups allow all outbound traffic.

SECURITY GROUPS CONCEPTS

• Security groups are stateful.
• You can assign multiple security groups to an instance.
• Security group rules are always permissive; you can't create rules that deny access.
• When you associate multiple security groups with an instance, the rules from each security group are effectively aggregated to create one set of rules. Amazon EC2 uses this set of rules to determine whether to allow access.
SECURITY GROUPS

SECURITY GROUPS VS NETWORK ACLS

Security Group | Network ACL
Supports Allow rules only. | Supports Allow and Deny rules.
Stateful: any change applied to an incoming rule will be automatically applied to the outgoing rule. | Stateless: any change applied to an incoming rule will not be applied to the outgoing rule.
Security groups are tied to an instance. | Network ACLs are tied to the subnet.
All rules in a security group are applied. | Rules are applied in their order (the rule with the lower number gets processed first).
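The following is an added example, not part of the slides: a small Python model of the two evaluation models described in the NACL concepts and security group concepts sections and contrasted in the table above. Network ACL rules are evaluated lowest number first and the first match wins (with an implicit deny at the end), while all security groups attached to an instance are merged into one allow-only rule set. The rule numbers, CIDR ranges (documentation ranges) and packets are constructed for the illustration; the `Rule` class and function names are this example's own, not an AWS API.

```python
"""Model of how a network ACL and a security group decide on a packet.

Added example (not AWS code): rules, CIDRs and packets below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class Rule:
    number: int        # NACL rule number; unused for security groups
    protocol: str      # "tcp", "udp", "icmp", or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str
    action: str        # ALLOW or DENY (security groups only ever use ALLOW)

    def matches(self, protocol, port, peer_ip):
        proto_ok = self.protocol in ("-1", protocol)
        port_ok = self.port_from <= port <= self.port_to
        ip_ok = ip_address(peer_ip) in ip_network(self.cidr)
        return proto_ok and port_ok and ip_ok


def nacl_decision(rules, protocol, port, peer_ip):
    """Network ACL: evaluate rules in ascending number order; the first match wins.
    Anything no rule matches falls through to the implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port, peer_ip):
            return rule.action
    return DENY


def security_group_decision(groups, protocol, port, peer_ip):
    """Security groups: rules of every attached group are aggregated into one set.
    Every rule is an allow, so traffic passes if any rule matches, else it is dropped."""
    aggregated = [rule for group in groups for rule in group]
    return ALLOW if any(r.matches(protocol, port, peer_ip) for r in aggregated) else DENY


def nacl_connection_allowed(inbound, outbound, protocol, service_port, peer_ip, ephemeral_port):
    """Because NACLs are stateless, an inbound connection only works if the inbound
    rules allow the request AND the outbound rules allow the reply on the ephemeral port."""
    return (nacl_decision(inbound, protocol, service_port, peer_ip) == ALLOW
            and nacl_decision(outbound, protocol, ephemeral_port, peer_ip) == ALLOW)


# Constructed inbound NACL: rule 100 allows HTTPS from anywhere, rule 90 denies one
# address range. Because 90 < 100, the deny is evaluated first and wins for that range.
INBOUND_NACL = [
    Rule(100, "tcp", 443, 443, "0.0.0.0/0", ALLOW),
    Rule(90, "tcp", 0, 65535, "198.51.100.0/24", DENY),
]
# Constructed outbound NACL allowing replies on the ephemeral port range.
OUTBOUND_NACL = [Rule(100, "tcp", 1024, 65535, "0.0.0.0/0", ALLOW)]

# Constructed security groups attached to one instance: web traffic, plus SSH from an admin subnet.
SG_WEB = [Rule(0, "tcp", 443, 443, "0.0.0.0/0", ALLOW)]
SG_ADMIN = [Rule(0, "tcp", 22, 22, "10.0.1.0/24", ALLOW)]

if __name__ == "__main__":
    print("NACL, HTTPS from 203.0.113.5:", nacl_decision(INBOUND_NACL, "tcp", 443, "203.0.113.5"))
    print("NACL, HTTPS from 198.51.100.7:", nacl_decision(INBOUND_NACL, "tcp", 443, "198.51.100.7"))
    print("SG, SSH from 10.0.1.9:", security_group_decision([SG_WEB, SG_ADMIN], "tcp", 22, "10.0.1.9"))
    print("Reply allowed with empty outbound NACL:",
          nacl_connection_allowed(INBOUND_NACL, [], "tcp", 443, "203.0.113.5", 40000))
```

The last call is the practical consequence of statelessness: forgetting the outbound ephemeral-port rule on a NACL silently breaks every connection the inbound rules allow, a mistake security groups cannot make because they track connection state.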
IDENTITY AND ACCESS MANAGEMENT (IAM)

IAM provides the infrastructure necessary to control authentication and authorization for your account.
AWS IAM (CONCEPTS)

• IAM Users
• IAM Groups
• IAM Roles
IAM USERS

An AWS IAM user is an IAM entity that you create in AWS to represent the person or application that uses it to interact with AWS. A user in AWS consists of a name and credentials.

IAM USERS ACCESS POLICY

You can access AWS in different ways depending on the user credentials:

• Console password: A password that the user can type to sign in to interactive sessions such as the AWS Management Console.
• Access keys: A combination of an access key ID and a secret access key. You can assign two to a user at a time. These can be used to make programmatic calls to AWS. For example, you might use access keys when using the API for code or at a command prompt when using the AWS CLI or the AWS PowerShell tools.
• SSH keys: An SSH public key in the OpenSSH format that can be used to authenticate.

IAM GROUPS

An IAM group is a collection of IAM users. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users.
IAM GROUPS
IAM ROLES

An IAM role is an IAM identity that you can create in your account that has specific permissions policies.

• An IAM role is similar to an IAM user (an AWS identity with permission policies).
• Instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it.
• A role does not have standard long-term credentials such as a password or access keys associated with it.

HOW IAM WORKS
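As an added example for the authorization half of IAM (this is not from the slides, and not the AWS implementation): a simplified Python model of how IAM evaluates the identity-based policies attached to a user, group, or role. It applies the documented ordering that an explicit Deny overrides any Allow, and that a request with no matching Allow is implicitly denied, with `*` wildcards in `Action` and `Resource`. Conditions, resource-based policies, permission boundaries and service control policies are deliberately left out. The two policy documents are constructed; the bucket name and the function names are this example's own.

```python
"""Simplified model of IAM identity-based policy evaluation.

Added example, not AWS code. Order applied: explicit deny > explicit allow > implicit deny.
"""
import fnmatch
import json


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _statement_matches(statement, action, resource):
    actions = _as_list(statement.get("Action", []))
    resources = _as_list(statement.get("Resource", []))
    # IAM action names are matched case-insensitively with '*' and '?' wildcards;
    # fnmatch provides the same wildcard semantics. Resource ARNs stay case-sensitive.
    action_ok = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in actions)
    resource_ok = any(fnmatch.fnmatchcase(resource, p) for p in resources)
    return action_ok and resource_ok


def is_allowed(policies, action, resource):
    """Return True only if some statement allows the request and no statement denies it."""
    allowed = False
    for policy in policies:
        for statement in _as_list(policy["Statement"]):
            if not _statement_matches(statement, action, resource):
                continue
            if statement["Effect"] == "Deny":
                return False          # explicit deny always wins, regardless of order
            allowed = True
    return allowed                    # no matching Allow -> implicit deny


# Constructed policies: a developer permission set and a separate deny guardrail.
DEVELOPER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-app-bucket/*"},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}
  ]
}""")

GUARDRAIL_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-app-bucket/secrets/*"}
  ]
}""")

if __name__ == "__main__":
    attached = [DEVELOPER_POLICY, GUARDRAIL_POLICY]
    for action, resource in [
        ("s3:GetObject", "arn:aws:s3:::example-app-bucket/public/index.html"),
        ("s3:GetObject", "arn:aws:s3:::example-app-bucket/secrets/db.txt"),
        ("ec2:DescribeInstances", "*"),
        ("ec2:TerminateInstances", "*"),
    ]:
        print(f"{action:24} {resource:55} -> {is_allowed(attached, action, resource)}")
```

The guardrail shows why the Deny path matters for least privilege: the developer policy's `s3:GetObject` on `example-app-bucket/*` would otherwise cover the `secrets/` prefix, and `ec2:Describe*` grants read-only discovery without any mutating EC2 action.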
SIMPLE STORAGE SERVICE (S3)

• Amazon S3 provides virtually limitless storage on the internet.
• It is designed to make web-scale computing easier for developers.
• Amazon S3 has a simple web services interface that you can use to store and retrieve any amount of data, at any time, from anywhere on the web.
AWS S3 (CONCEPTS)

• Buckets
• Objects
• Keys
S3 BUCKETS

A bucket is a container for objects stored in Amazon S3. Buckets serve several purposes:

• Organize the Amazon S3 namespace at the highest level.
• Identify the account responsible for storage and data transfer charges.
• Play a role in access control.

S3 OBJECTS

• Objects are the fundamental entities stored in Amazon S3.
• Objects consist of object data and metadata.
• The metadata is a set of name-value pairs that describe the object. These include some default metadata, such as the date last modified.

S3 KEYS

• A key is the unique identifier for an object within a bucket.
• Every object in a bucket has exactly one key.
• The combination of a bucket, key, and version ID uniquely identifies each object.
AMAZON RELATIONAL DATABASE SERVICE (AMAZON RDS)

• Web service to set up, operate, and scale a relational database in the AWS Cloud.
• Provides cost-efficient, resizable capacity for an industry-standard relational database and manages common database administration tasks.
• Useful for multi-server applications.

RDS DB INSTANCES

• The basic building block of Amazon RDS is the DB instance.
• A DB instance is an isolated database environment in the AWS Cloud.
• You can create and modify a DB instance by using the AWS Command Line Interface, the Amazon RDS API, or the AWS Management Console.
• Each DB instance runs a DB engine. Amazon RDS currently supports the MySQL, MariaDB, PostgreSQL, Oracle, and Microsoft SQL Server DB engines.
• You can run a DB instance in a virtual private cloud (VPC) using the Amazon Virtual Private Cloud (Amazon VPC) service.
• You can use security groups to control access to a DB instance.
AWS LAMBDA

• AWS Lambda is a serverless compute service that runs your code in response to events and automatically manages the underlying compute resources for you.
• You can use AWS Lambda to extend other AWS services with custom logic, or create your own back-end services that operate at AWS scale, performance, and security.

AWS LAMBDA EXAMPLE
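The slide's own example is not reproduced here; the following is an added illustration of the event-driven model described above: a Python Lambda handler invoked by S3 object-created notifications. The `lambda_handler(event, context)` entry point is the standard Python signature Lambda calls. The handler only parses and validates the event so that it runs offline; in a deployed function the marked line would call S3 through boto3. The sample event is constructed after the documented S3 notification shape (`Records[].s3.bucket.name` and `Records[].s3.object.key`, with the key URL-encoded); the bucket name and key values are invented for the example.

```python
"""Minimal AWS Lambda handler for S3 object-created events.

Added example, not the slides' own code. The sample event below is constructed.
"""
import json
from urllib.parse import unquote_plus


def parse_s3_records(event):
    """Return (bucket, key) pairs for every S3 record in the event.
    S3 notifications URL-encode keys, so 'report 2024.csv' arrives as 'report+2024.csv'."""
    pairs = []
    for record in event.get("Records", []):
        s3 = record.get("s3")
        if not s3:
            continue                      # ignore records from other event sources
        bucket = s3["bucket"]["name"]
        key = unquote_plus(s3["object"]["key"])
        pairs.append((bucket, key))
    return pairs


def is_safe_key(key):
    """Defensive check before the key is reused to build a local path or a
    downstream object name: reject '..' segments and leading slashes."""
    return bool(key) and ".." not in key.split("/") and not key.startswith("/")


def lambda_handler(event, context):
    """Entry point that Lambda invokes. Returns a summary of accepted and rejected keys."""
    accepted, rejected = [], []
    for bucket, key in parse_s3_records(event):
        uri = f"s3://{bucket}/{key}"
        if is_safe_key(key):
            accepted.append(uri)
            # A deployed function would process the object here, for example
            # boto3.client("s3").get_object(Bucket=bucket, Key=key)
        else:
            rejected.append(uri)
    return {"statusCode": 200, "body": json.dumps({"accepted": accepted, "rejected": rejected})}


# Constructed event with one ordinary upload and one key that should be refused.
SAMPLE_EVENT = {
    "Records": [
        {"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
         "s3": {"bucket": {"name": "example-upload-bucket"},
                "object": {"key": "incoming/report+2024.csv", "size": 1024}}},
        {"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
         "s3": {"bucket": {"name": "example-upload-bucket"},
                "object": {"key": "incoming/../etc/passwd"}}},
    ]
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None))
```

Two details worth keeping from this: the key must be decoded with `unquote_plus`, not `unquote`, because S3 encodes spaces as `+`; and a function that fans out to other services should treat the key as untrusted input even though it came from an AWS event, since anyone allowed to write to the bucket chooses it.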
AMAZON ELASTIC LOAD BALANCING (ELB)

• Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, IP addresses, and Lambda functions.
• A load balancer distributes workloads across multiple compute resources, such as virtual servers.
• Using a load balancer increases the availability and fault tolerance of your applications.

CROSS-ZONE LOAD BALANCING
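As an added example for this slide (not part of the deck, and a simulation rather than ELB code): a Python model of what cross-zone load balancing changes. The model assumes that the load balancer has one node per Availability Zone, that client requests are spread evenly over the nodes, and that each node round-robins over its eligible targets. With cross-zone load balancing disabled a node only sends to targets in its own zone; with it enabled every node sends to all registered targets. The zone and target names and the request count are constructed.

```python
"""Simulation of request distribution with and without cross-zone load balancing.

Added example, not ELB code. Model assumptions: one load balancer node per zone,
requests spread evenly over nodes, round-robin within each node's target pool.
"""
from collections import Counter
from itertools import cycle


def distribute(requests, targets_by_zone, cross_zone):
    """Return a Counter of requests per target.

    targets_by_zone maps a zone name to the list of targets registered in it,
    e.g. {"us-east-1a": ["i-a1", "i-a2"], "us-east-1b": ["i-b1"]}.
    """
    zones = sorted(targets_by_zone)
    all_targets = [t for z in zones for t in targets_by_zone[z]]
    # Each node round-robins over its own pool: own-zone targets, or all targets when cross-zone is on.
    pools = {z: cycle(all_targets if cross_zone else targets_by_zone[z]) for z in zones}
    node_for_request = cycle(zones)          # even spread of clients across nodes
    counts = Counter()
    for _ in range(requests):
        zone = next(node_for_request)
        counts[next(pools[zone])] += 1
    return counts


def imbalance_ratio(counts):
    """Busiest target's share divided by the least busy target's share (1.0 is perfectly even)."""
    return max(counts.values()) / min(counts.values())


# Constructed fleet: two targets in one zone, six in the other.
TARGETS = {
    "us-east-1a": ["i-a1", "i-a2"],
    "us-east-1b": ["i-b1", "i-b2", "i-b3", "i-b4", "i-b5", "i-b6"],
}

if __name__ == "__main__":
    for cross_zone in (False, True):
        counts = distribute(800, TARGETS, cross_zone)
        print(f"cross-zone={cross_zone}: {dict(sorted(counts.items()))} "
              f"imbalance={imbalance_ratio(counts):.2f}")
```

With the zones unevenly populated, the two targets in the smaller zone each absorb three times the load of a target in the larger zone when cross-zone is disabled; enabling it evens the per-target load, which matters for both capacity planning and for how much of the fleet a single-zone failure takes with it.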
DEMO
THANK YOU!