
AWS Cloud Practitioner

Carlos Cruzado|Arturo Diaz


Course Agenda

AWS Cloud & Core Services

Welcome and Introductions
Module 1: Understanding the AWS Cloud
Module 2: Security and Compliance
Module 3: AWS Services
Module 4: Pricing, TCO and Cost Optimization
Module 5: AWS Well Architected Framework
Welcome

• Guide for the AWS Certified Cloud Practitioner.

• Should not be taken as the sole source of study for the AWS CCP exam.

• Consider supporting material to further your studies.
Knowledge Check
Question 1
Which of the below mentioned services is equivalent to hosting
virtual servers on an on-premise location?
A) Amazon EC2
B) AWS Regions
C) AWS IAM
D) AWS Server
Question 2
You have a set of EC2 Instances and get a DDoS attack from the
internet. Which of the following can help in reducing the overall
threat to your EC2 Instances? Choose 2 answers from the options
given below.

A) Usage of AWS Config
B) Usage of Internet Gateway
C) Usage of Security Groups
D) Usage of Network Access Control Lists
Question 3
Which service allows for the collection and tracking of metrics for
AWS services?

A) Amazon CloudFront
B) Amazon CloudSearch
C) Amazon CloudWatch
D) Amazon Machine Learning (Amazon ML)
Question 4
Which service should an administrator use to register a new
domain name with AWS?

A) Amazon Route 53
B) Amazon CloudFront
C) Elastic Load Balancing
D) Amazon Virtual Private Cloud (Amazon VPC)
Question 5
Which of the following services uses AWS edge locations?

A) Amazon Virtual Private Cloud (Amazon VPC)
B) Amazon CloudFront
C) Amazon Elastic Compute Cloud (Amazon EC2)
D) AWS Storage Gateway
Question 6
Which AWS services can be used to store files? Choose 2 answers
from the options given below.

A) Amazon CloudWatch
B) Amazon Simple Storage Service (Amazon S3)
C) Amazon Elastic Block Store (Amazon EBS)
D) AWS Config
E) Amazon Athena
Question 7
Who has control of the data in an AWS account?

A) AWS Support Team
B) AWS Account Owner
C) AWS Security Team
D) AWS Technical Account Manager (TAM)
AWS Certified Cloud Practitioner

About the Exam
• 90 minutes
• US$ 100.00
• Immediate result
• Score: 100 to 1000 (minimum 700 to pass)
• 65 questions

Question formats:

Multiple-response: What are AWS services?
( • ) IAM
( • ) CloudFront
( ) AWSGames
( ) ForCloud
( ) Discovery Tiers

Multiple-choice: CloudFront service infrastructure:
( • ) Edge Locations
( ) Data Centers
( ) AWSTransceivers
( ) Cloud Content
( ) External DNS
AWS Certified Cloud Practitioner
Exam Topics

https://aws.amazon.com/certification/certified-cloud-practitioner/
How to add 30 min (1/2)

Non-native English speaking countries are eligible to add 30 min to exam time.

Standard Time: 90 min
Extended Time: 120 min

✓ Must be done before exam scheduling.
✓ Auto approval process.
✓ 1 time only.

How to do this?
Go to the certification portal (aws.training/Certification)
AWS Certified Cloud Practitioner
Resources (apn-portal.com)
• AWS Training (aws.amazon.com/training)
– AWS Business Professional (Digital)
– AWS TCO and Cloud Economics (Digital)

• Whitepapers on AWS
– Overview of Amazon Web Services
– Architecting for the Cloud: AWS Best Practices
– How AWS Pricing Works
– Cost Management in the AWS Cloud
– AWS support plan comparison
AWS Certified Cloud Practitioner
To Do
• Review this material.
• Go to the AWS site and read about the main services: https://aws.amazon.com
• Understand the AWS Cloud value proposition, principles and advantages.
• Security in the cloud: AUP, SRM, Compliance, IAM, MFA.
• Global AWS Infrastructure, multi-AZ architectures, services scope.
• Pricing models and organizational structure.
Module 1:
Understanding the AWS Cloud
What is Cloud Computing

Cloud computing is the on-demand delivery of compute power, database storage,
applications, and other IT resources through a cloud services platform via the internet
with pay-as-you-go pricing.
Why Customers are Moving to AWS
• Trade capital expense for variable expense
• Scale globally
• Increase speed & agility
• Streamline & enhance infrastructure decisions
• Increase innovation
• Accelerate time to business value
• Reduce expenses
Transitioning from a Self-Managed to a Fully Managed Service

Self-Managed Service    | Amazon EC2            | Fully Managed Service
------------------------|-----------------------|----------------------
Database                | DB on EC2 instance    | DB on RDS instance
Corporate data center   | AWS Data Center(s)    | AWS Data Center(s)
What Sets AWS Apart?

• Enterprise Leadership: building and managing the cloud since 2006
• Service Breadth and Depth: over 165 services
• Pace of Innovation: 1957 features in 2018
• Global Presence: 69 Availability Zones in 22 geographic regions around the world
• Amazon Culture: +70 proactive price reductions
• Security: #1 priority
• Largest Partner Ecosystem: AWS Marketplace and APN
• Hybrid Cloud: broadest set of hybrid capabilities of any cloud provider
AWS Global Infrastructure
22 Geographical Regions, 1 Local Region, 69 Availability Zones, 160+ PoPs
Region & Number of Availability Zones (AZs)

GovCloud (US): US-East (3), US-West (3)
US West: Oregon (4), Northern California (3)
US East: N. Virginia (6), Ohio (3)
Canada: Central (2)
South America: São Paulo (3)
Europe: Frankfurt (3), Ireland (3), London (3), Paris (3), Stockholm (3)
Asia Pacific: Singapore (3), Sydney (3), Tokyo (4), Osaka-Local (1)*, Seoul (2), Mumbai (2), Hong Kong SAR (3)
China: Beijing (2), Ningxia (3)
Middle East: Bahrain (3)

Announced Regions
Four Regions and 12 AZs in Bahrain, Cape Town, Jakarta and Milan
AWS Region Design
AWS Regions are comprised of multiple AZs for high availability, high scalability, and
high fault tolerance. Applications and data are replicated in real time and consistent in
the different AZs.

[Diagram: an AWS Region containing several Availability Zones connected through transit AZs.]

A Region is a physical location in the world where we have multiple Availability Zones.

Availability Zones consist of one or more discrete data centers, each with redundant power, networking, and
connectivity, housed in separate facilities.
Amazon CloudFront
Content Delivery Network (CDN)
• Netflix
• Content close to users = less latency
• Static content (webpages, texts, images, movies)

Edge Location = Point of presence where the content cache is performed.
AWS Platform Services
Over 165 Services

Advanced Services: Analytics, Artificial Intelligence, Mobile, Internet of Things, Game Development, AWS Marketplace

Business Process Services: Developer Tools, Management Tools, Business Productivity, Application Services, Desktop and App Streaming, Technical and Business Support

Foundational Services: Compute, Storage, Databases, Networking/Content Delivery, Hybrid Cloud Architecture, Messaging
Introducing Amazon Enterprise Applications
Productivity: WorkMail, WorkDocs
Desktop & Apps: WorkSpaces, AppStream 2.0
UC and Customer Service: Amazon Chime, Amazon Connect
Services Availability per Region

Region Table

• Take into account the availability of services in each region.
• Service values vary by region.
https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/
AWS Marketplace Overview

AWS Marketplace is an online store that supports:

01. Over 1,400 participating ISVs
02. 190,000+ active customers
03. 4,200+ software listings
04. Over 570M hours of software per month
AWS Hybrid Architecture Support
79% of existing Enterprise workloads run on VMware*

01. Almost every AWS customer with on-premises infrastructure is running a hybrid architecture.

02. AWS offers seamless integration with existing on-premises data centers - customers can leverage existing investments.

03. Easily run VMware workloads on AWS with seamless deployment and management.

04. AWS offers the only VMware-delivered, sold and supported service available on a leading public cloud.

* IDC Worldwide Cloud System Software 2015 Share Snapshot
Module 2:
Security and Compliance
Customers Benefit from Advanced Security Controls

• Over 50 global compliance certifications and accreditations
• Security infrastructure built to satisfy military, global banks, and other high-sensitivity organizations
• Powerful native functionality and tools at little or no cost
• Benefit from AWS industry leading security teams 24/7, 365 days a year
• Leverage security enhancements gleaned from 1M+ customer experiences
AWS Built-In Security

Security Focus              | Security Services and Features
----------------------------|--------------------------------------------------------------
Infrastructure Security     | Amazon VPC, AWS WAF, encryption in transit with TLS with all services, AWS Artifact
Identity and Access Control | AWS Identity and Access Management (IAM), AWS Multi-Factor Authentication, AWS Directory Service
Monitoring and Logging      | AWS Trusted Advisor, AWS CloudTrail, Amazon CloudWatch, Amazon Macie, Amazon Inspector
Inventory and Configuration | AWS Config, AWS CloudFormation
DDoS Mitigation             | AWS Shield, Auto Scaling, Amazon CloudFront, Amazon Route 53
Data Encryption             | Encryption with all AWS storage and database services, AWS KMS, AWS CloudHSM
AWS Trusted Advisor

How it works

https://aws.amazon.com/premiumsupport/technology/trusted-advisor/
AWS Organizations

[Diagram: a root organization with a master account and member accounts grouped into organizational units.]

Master account: Root
Member accounts by organizational unit:
– BU1: BU1_Prod, BU1_Test, BU1_Dev
– BU2: BU2_Prod, BU2_Test, BU2_Dev
– SS: SS_Prod, SS_Dev

Legend: Master account, Member accounts, Organizational unit, Service control policy
Amazon Inspector
Vulnerability Assessment Service

• On-Demand Pricing model
• CVE & CIS Rules Packages
• AWS AppSec Best Practices

[Diagram: Inspector agents on EC2 instances report to the Inspector service, which produces security findings per severity.]

https://aws.amazon.com/inspector/
AWS Shield and AWS Shield Advanced
DDoS: Distributed Denial of Service.
Botnets, massive attacks

Provides a DDoS protection service
that safeguards your customers’
web applications running on AWS.
• Always-on detection
• Defend against common attacks
• No cost for Standard
• DDoS Response Team 24x7
• DDoS cost protection
• Global availability
AWS Assurance Programs:
58+ Certifications

https://aws.amazon.com/compliance/

On-Demand Access to Compliance Reports

Download Compliance Reports on Demand

AWS Artifact
Module 3:
AWS Architecture and Services
Mapping On-premises Services to AWS

On-premises component        →  AWS service
LDAP server                  →  AWS Directory Service
Web servers (load balanced)  →  Web servers behind Elastic Load Balancing
App servers (load balanced)  →  App servers behind Elastic Load Balancing
SAN                          →  Amazon Elastic Block Store
DB (Master) / DB (Slave)     →  Amazon RDS (Master) / Amazon RDS (Standby)
Backups on tapes             →  Backups to Amazon S3 or Amazon Glacier
AWS Cloud Hierarchy
Global Services > Regional > VPC > AZ > Host

Global: Route 53 – DNS, CloudFront
Region: S3 buckets, AMI images
AZ: EC2/RDS instances, EBS volumes, containers
Host: host applications, anti-virus, licenses
Use Multi-AZ Patterns to Increase Reliability

[Diagram: the same application stack deployed in AZ A and AZ B. Each AZ has a public subnet with a web app proxy and a remote desktop gateway, and a private subnet with a web server (IIS), an application server and Microsoft SQL Server. The corporate network and corporate services connect to both AZs.]
Tools for Migrations
• Server Migration Service: VMware → AWS
• Database Migration Service: Source DB → Target DB
• Snowball: secure, fast, offline transfer
– Size: 50TB, 80TB, 100TB.
– Low bandwidth uplinks.
AWS Compute Services

Service overview by category:
Compute: Amazon EC2, Amazon ECS, Auto Scaling, AWS Lambda
Storage: Amazon Glacier, Amazon EBS, Amazon EFS, Amazon S3, AWS Storage Gateway
Networking: Elastic Load Balancing*, Amazon Route 53, Application Load Balancer, Amazon VPC*, AWS Direct Connect, VPN connection
Databases: Amazon RDS, Amazon Aurora, Amazon DynamoDB, Amazon ElastiCache, Amazon Redshift
Security: Amazon IAM, AWS WAF, AWS KMS, AWS Shield
Management: Amazon CloudWatch, AWS CloudTrail, AWS CloudFormation, AWS Config, Amazon EC2 Systems Manager
AWS Compute Services
How will you deliver the application executables?
• Instances
– Amazon EC2
• Containers
– Amazon ECS, Amazon EKS
– AWS Fargate
• Serverless
– AWS Lambda
Amazon EC2
Amazon Elastic Compute Cloud (Amazon EC2)
• Virtual machine instance running on an AWS hypervisor
• Supports numerous distributions of Linux or Microsoft Windows
• Complete control of your host operating system with root and administrator accounts
• Responsible for all installed applications
• Multiple types and sizes of instances
• Remote access via SSH or Remote Desktop

https://aws.amazon.com/ec2/
Amazon Machine Image (AMI)
AMI Content
– Defines which OS to use (Linux, Windows)
– Public and private AMIs
– Defined at instance launch process

[Diagram: EC2 instance launched from an AMI.]
Amazon EC2 - Instance Types

General purpose: M5d, M5, M4, t3, t2 (burst CPU)
Compute optimized: C5d, C5, C4
Storage and I/O optimized: D2, H1, I3
GPU enabled: P3, P2, G2, F1
Memory optimized: X1 & X1e, R5 & R5d, z1d, R4
AWS Instance Access
Amazon EC2 Instance Launch:

AWS CLI

AWS SDK

AWS CLI
How to use the AWS CLI tool:

• Can be installed on: Windows, Linux, macOS, or Unix
• Requires: Python 2 version 2.6.5+ or Python 3 version 3.3+
• Easy installation method using ‘pip’

Programmatic keys are created for an IAM user:
IAM > Users > ‘user’ > Security Credentials > Access keys
Amazon EC2 – Remote Access
At the moment of creation of the instance it is defined which key
pair will be used to access the instance.

“A key pair consists of a public key that AWS
stores, and a private key file stored by the user.”

SSH – Command Line: TCP port 22 (private key on the client, public key on the instance)
RDP – Remote Desktop: Administrator, TCP port 3389
Auto Scaling
Automatically launch or terminate Amazon EC2 instances
• User-defined policies driven by CloudWatch
• Health status checks
• Schedules
• Manually using set-desired-capacity in the CLI

Scale out to meet demand, scale in to reduce costs.

How Does Auto Scaling Work?

What: AMI (1. Launch configuration)
Where: EC2 (2. Auto Scaling group)
When: Auto Scaling policy (3.)

Auto Scaling group defines:
• Name
• Launch configuration name
• Min and Max
• AZ or subnet
• Load balancer
• Desired capacity
• Etc.

Auto Scaling policy: specifies when to increase or decrease Amazon EC2
instances based on CloudWatch alarms.

Scheduled action: tells Auto Scaling to perform a scaling action at a certain time
in the future (minimum, maximum, and desired size for the ASG).
Auto Scaling: Maximum Capacity Size
Auto Scaling group: CPU utilization triggers the alarm: capacity is doubled until
CPU utilization drops below 60% or max capacity is reached.
• Minimum = 2
• Maximum = 12

Auto Scaling policy:
• When CPU utilization is greater than 60%
• Add 100% of group = double the capacity

[Diagram: the Auto Scaling group spans Availability Zone 1 and Availability Zone 2.]
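As an added example (not code from the course deck), a Python simulation of the policy on this slide: each alarm evaluation above 60% CPU adds 100% of the group, and the maximum caps the result. The CPU samples are constructed, and the rounding rule used for percentages below 100% is an assumption of the simulation.

```python
"""Simulate the Auto Scaling policy on this slide: when CPU utilization is
above 60%, add 100% of the group (double it), never exceeding the maximum.
Added example, not course code; CPU samples are constructed."""

from dataclasses import dataclass


@dataclass
class AutoScalingGroup:
    """Capacity bounds from the slide: minimum 2, maximum 12."""
    minimum: int = 2
    maximum: int = 12
    desired: int = 2

    def clamp(self, value: int) -> int:
        """Desired capacity can never leave [minimum, maximum]."""
        return max(self.minimum, min(self.maximum, value))


def scale_by_percent(group: AutoScalingGroup, percent: int) -> int:
    """Percent-of-group adjustment. 'Add 100% of group' doubles the desired
    capacity; the result is clamped, so 8 + 100% becomes 12, not 16.
    Assumption of this simulation: a positive change that rounds down to
    zero still adds one instance, so a tiny group can still scale out."""
    if percent <= 0:
        raise ValueError("this simulation only models scale-out policies")
    change = group.desired * percent // 100
    if change == 0:
        change = 1
    group.desired = group.clamp(group.desired + change)
    return group.desired


def simulate(cpu_samples, threshold=60, percent=100, group=None):
    """Evaluate the alarm once per CloudWatch CPU sample and return the
    desired capacity after each evaluation, starting with the initial size."""
    group = group or AutoScalingGroup()
    history = [group.desired]
    for cpu in cpu_samples:
        if cpu > threshold:          # alarm condition on the slide: CPU > 60%
            scale_by_percent(group, percent)
        history.append(group.desired)
    return history


def steps_to_max(group=None, percent=100):
    """How many consecutive alarms it takes to reach the maximum capacity."""
    group = group or AutoScalingGroup()
    steps = 0
    while group.desired < group.maximum:
        scale_by_percent(group, percent)
        steps += 1
    return steps


if __name__ == "__main__":
    # Constructed CPU samples: four alarms, then the load drops.
    print(simulate([90, 85, 80, 75, 70, 50]))   # [2, 4, 8, 12, 12, 12, 12]
    print(steps_to_max())                        # 3
```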
Amazon Container
Elastic Container Service (ECS)
Elastic Container Service for Kubernetes (EKS)
• AWS runs the EC2 cluster management
• Eliminates the complexity of operating container infrastructure
• Microservices

https://aws.amazon.com/ecs/
AWS Lambda: Serverless Compute

No servers to manage | Continuous scaling | Pay only for compute time used

AWS Lambda Video https://www.youtube.com/watch?v=eOBq h4OJ4 (3:01)
AWS Lambda
Use Cases:
• Building modular, scalable, lightweight applications
• Serverless data processing on demand
• Perform data validation, filtering, sorting, or other transformations.
• Image thumbnailing, in-app activity, website clicks, or output from devices

https://aws.amazon.com/lambda/
Compute – Knowledge Check
Question 1
You are currently hosting an infrastructure and most of the EC2
instances are near 90 - 100% utilized. What is the type of EC2
instances you would utilize to ensure costs are minimized?

A. Reserved instances
B. On-demand instances
C. Spot instances
D. Regular instances

Question 2
You work for a company that is planning on using the AWS EC2
service. They currently create golden images of their deployed
operating system. Which of the following correspond to a golden
image in AWS?
A. EBS Volumes
B. EBS Snapshots
C. Amazon Machine Images
D. EC2 Copies

Question 3
Which of the following services relates to the concept of "scaling up
resources based on demand"?

A. Auto Scaling
B. Elastic Load Balancer
C. VPC
D. Subnet
AWS Storage Services
Storage Options

File: Amazon EFS
Block: Amazon EBS, Amazon EC2 Instance Store
Object: Amazon S3, Amazon Glacier

Data Transfer: AWS Direct Connect, AWS Snowball, S3 Transfer Acceleration, Storage Gateway, Amazon Kinesis Firehose, ISV Connectors
What is Amazon Elastic Block Storage (EBS)?

• Block storage as a service
• Create, attach volumes through an API
• Service accessed over the network
• Volume and instance must be in the same AZ
• Detach and attach between instances

[Diagram: an EC2 instance attached to an EBS volume within one Availability Zone of an AWS region.]
EBS Volume Types

SSD: gp2 (General Purpose SSD), io1 (Provisioned IOPS SSD)
HDD: st1 (Throughput Optimized HDD), sc1 (Cold HDD)
EBS Encryption

• Boot and data volumes can be encrypted
• Attach both encrypted and unencrypted
• No volume performance impact
• Supported by all Amazon EBS volume types
• Snapshots also encrypted
Amazon EBS Snapshot

• Point-in-time backup
• Stored in Amazon S3 (low cost and high durability backup of data)
• Snapshots can be used to create new volumes

[Diagram: Amazon EBS volume → Amazon EBS snapshot.]
Amazon EFS
Amazon Elastic File System
• Fully managed
• No hardware, network, file layer
• No need to provision storage in advance
• Create a scalable file system in seconds!
• Simple pricing = pay for actual storage consumed
• Multiple EC2 instances accessing at the same time

[Diagram: EC2-Inst1, EC2-Inst2 and EC2-Inst3 sharing one file system as a service.]
Amazon S3 – Simple Storage Service
99.999999999% durability and 99.99% availability of objects over a given year

• Storage of any type of file (objects).
• There is no limit on the number of objects or total space.
• Redundantly store your objects on multiple devices across a minimum of 3 Availability Zones (AZs).
• Uses a bucket concept.
Amazon S3 Features
S3 Features

• Event notifications
• Cross-region replication
• S3 Transfer Acceleration
• VPC endpoint for Amazon S3
• Amazon CloudWatch / AWS CloudTrail support
• Lifecycle policy
• Incomplete multipart upload expiration
• Expired object delete marker
Faster upload over long distances: S3 Transfer Acceleration

• Change your endpoint, not your code
• No firewall changes or client software
• Optimized throughput!
• Longer distance, larger files, more benefit
• Faster or free
• 166 global edge locations

[Diagram: uploader → AWS edge location → S3 bucket.]

Try it at s3speedtest.com
How fast is S3 Transfer Acceleration?

[Chart: upload time in hours (1 to 12) for a 500 GB upload from various edge locations to a bucket in Singapore, S3 Transfer Acceleration vs. the public internet. The longer the distance and the larger the file, the more benefit.]

Try it at s3speedtest.com
Amazon S3 Storage Classes

Standard: active data
Standard – Infrequent Access: infrequently accessed data
One Zone – Infrequent Access: infrequently accessed data
Amazon Glacier: archive data
Storage Tiered to Your Requirements

Class                | Data                                                  | Storage price         | Min. object size | Min. duration | Retrieval
---------------------|-------------------------------------------------------|-----------------------|------------------|---------------|-------------------------------------------------------
S3-Std               | “Hot” data: active and/or temporary data              | $0.023/GB per month   | > 0K             | ≥ 0 days      | none
S3-IA                | “Warm” data: infrequently accessed data               | $0.0125/GB per month  | ≥ 128K           | ≥ 30 days     | $0.01/GB
S3-IA-1Zone          | “Warm” data: infrequently accessed, non-critical data | $0.0100/GB per month  | ≥ 128K           | ≥ 30 days     | $0.01/GB
Glacier              | “Cold” data: archive and compliance data              | $0.004/GB per month   | > 0K             | ≥ 90 days     | 1~5 min $0.03/GB; 3~5 hs $0.01/GB; 5~12 hs $0.0025/GB
Glacier Deep Archive | “Cold” data: archive and compliance data              | $0.00099/GB per month | > 0K             | ≥ 180 days    | 3 – 12 hrs: $0.02/GB, $0.025/GB

Durable: 99.999999999%
Available: S3: 99.99%, S3-IA: 99.9%, S3-IA-1Z: 99.5%
Performant: low latency, high throughput
Scalable: elastic capacity, no preset limits
Amazon S3 Security

• You can control access to buckets and objects with:
– Access Control Lists (ACLs)
– Bucket policies
– Identity and Access Management (IAM) policies
• You can upload or download data to Amazon S3 via SSL encrypted endpoints.
• You can encrypt data using AWS SDKs.
Amazon S3 Glacier
Long term storage solution
• Long term archiving, backup
• Low cost
• Data are extracted by executing retrieval jobs

[Diagram: an archive retrieval job for object IDs 001, 025, 150, 400, … marks them “Ready to download!”]

Retrieval options:
❑ Expedited: 1~5 min
❑ Standard: 3~5 hs
❑ Bulk: 5~12 hs

99.999999999% durability of objects over a given year
What is AWS Storage Gateway?
Service connecting an on-premises software appliance
with cloud-based storage

• Works with your existing applications
• Secure and durable storage in AWS
• Low latency for frequently used data
• Scalable and cost-effective on-premises storage - $125 per gateway per month + S3/Glacier storage fees
Storage Gateway VTL (Enterprise Backup Use Case)
• Replace or augment your aging tape infrastructure with durable object storage
• Virtual tapes stored in AWS. Frequently accessed data cached on-premises

[Diagram: in the customer data center, the backup server's initiator connects to the AWS Storage Gateway VM (media changer, tape drive), which keeps a cache storage and an upload buffer; the AWS Gateway-VTL service stores tapes in Storage Gateway storage backed by Amazon S3 and VTS storage backed by Amazon Glacier.]
Storage – Knowledge Check
Question 1
Which AWS services can be used to store files? Choose 2 answers

A. Amazon CloudWatch
B. Amazon Simple Storage Service (Amazon S3)
C. Amazon Elastic Block Store (Amazon EBS)
D. AWS Config
E. Amazon Athena

Question 2
A company wants to store data that is not frequently accessed.
What is the best and cost-efficient solution that should be
considered?

A. Amazon Storage Gateway
B. Amazon Glacier
C. Amazon EBS
D. Amazon S3

Question 3
There is a requirement for storage of objects. The objects should be
able to be downloaded via a URL. Which storage option would you
choose?

A. Amazon S3
B. Amazon Glacier
C. Amazon Storage Gateway
D. Amazon EBS

Question 4
Which of the following is the amount of storage that can be stored
in the Simple Storage Service?

A. 1 TB
B. 5 TB
C. 1 PB
D. Virtually unlimited storage

Question 5
A company is deploying a two-tier, highly available web application
to AWS. Which service provides durable storage for static content
while utilizing lower overall CPU resources for the web tier?

A. Amazon EBS volume
B. Amazon S3
C. Amazon EC2 instance store
D. Amazon RDS instance
AWS Networking Services
Amazon VPC
Provision a logically isolated section of the AWS cloud
• Control your virtual networking environment
– Subnets
– Route tables
– Security groups
– Network ACLs
• Connect to your on-premises network via VPN or Direct Connect
• Control if and how your instances access the Internet

Components: Router, Internet gateway, Customer gateway, Virtual private gateway, VPN connection, VPC peering
https://aws.amazon.com/vpc/
Security in Your VPC

• Security groups: virtual firewalls / stateful
• Network access control lists (ACLs)

[Diagram: VPC 10.0.0.0/16 with a VPC router, a VPN gateway and an Internet gateway. Two subnets, 10.0.0.0/24 and 10.0.1.0/24, each with its own network ACL and route table; inside them, instances each protected by a security group.]

Security Group Inbound Rules
Protocol | Port Range | Source
TCP      | 443        | <Source_IPs>

Network ACL
Inbound
Rule # | Source IP | Protocol | Port | Allow/Deny
100    | 0.0.0.0/0 | All      | All  | ALLOW
*      | 0.0.0.0/0 | All      | All  | DENY

Outbound
Rule # | Dest IP   | Protocol | Port | Allow/Deny
100    | 0.0.0.0/0 | all      | all  | ALLOW
*      | 0.0.0.0/0 | all      | all  | DENY
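An added example, not code from the course: the rule tables above evaluated in Python, showing why a security group is an allow-list and why a stateless network ACL also needs an outbound rule for reply traffic. The source range 203.0.113.0/24 (standing in for <Source_IPs>) and the HTTPS-only ACL are constructed for the example.

```python
"""Packet filtering in a VPC: the stateless network ACL and the stateful
security group from this slide, evaluated over constructed sample traffic.
Added example; not code from the course or from AWS."""

from ipaddress import ip_address, ip_network

# Network ACL rules as on the slide. Numbered rules are evaluated in
# ascending order and the first match wins; '*' is the catch-all deny.
NACL_INBOUND = [
    {"rule": 100, "cidr": "0.0.0.0/0", "protocol": "all", "port": "all", "action": "ALLOW"},
    {"rule": "*", "cidr": "0.0.0.0/0", "protocol": "all", "port": "all", "action": "DENY"},
]
NACL_OUTBOUND = [dict(r) for r in NACL_INBOUND]   # same allow-all table on the slide

# A stricter ACL (constructed) that admits only HTTPS. Used as an
# outbound table it has no rule for the client's ephemeral port, so
# replies are dropped: ACLs do not track connection state.
NACL_HTTPS_ONLY = [
    {"rule": 100, "cidr": "0.0.0.0/0", "protocol": "tcp", "port": 443, "action": "ALLOW"},
    {"rule": "*", "cidr": "0.0.0.0/0", "protocol": "all", "port": "all", "action": "DENY"},
]

# Security group inbound rule as on the slide: TCP 443 from <Source_IPs>.
# The source range is a constructed placeholder.
SG_INBOUND = [{"cidr": "203.0.113.0/24", "protocol": "tcp", "port": 443}]


def _rule_order(rule):
    """Sort key: numbered rules ascending, '*' after all of them."""
    return (rule["rule"] == "*", rule["rule"] if rule["rule"] != "*" else 0)


def _matches(rule, addr, protocol, port):
    return (
        ip_address(addr) in ip_network(rule["cidr"])
        and rule["protocol"] in ("all", protocol)
        and rule["port"] in ("all", port)
    )


def nacl_decision(rules, addr, protocol, port):
    """'ALLOW' or 'DENY' for one packet: the lowest-numbered matching rule
    decides; if nothing matches, the '*' rule denies."""
    for rule in sorted(rules, key=_rule_order):
        if _matches(rule, addr, protocol, port):
            return rule["action"]
    return "DENY"


def sg_allows(rules, addr, protocol, port):
    """Security groups are allow-lists: no ordering, no deny rules. Any
    matching rule admits the packet; otherwise it is dropped."""
    return any(_matches(r, addr, protocol, port) for r in rules)


def inbound_reaches_instance(nacl, sg, src, protocol, port):
    """The subnet's ACL is checked first, then the instance's security group."""
    return (nacl_decision(nacl, src, protocol, port) == "ALLOW"
            and sg_allows(sg, src, protocol, port))


def reply_leaves_subnet(nacl_outbound, dst, protocol, ephemeral_port):
    """The stateful security group lets the reply out automatically; the
    stateless ACL must explicitly allow the outbound packet to the
    client's ephemeral port."""
    return nacl_decision(nacl_outbound, dst, protocol, ephemeral_port) == "ALLOW"


if __name__ == "__main__":
    print(inbound_reaches_instance(NACL_INBOUND, SG_INBOUND, "203.0.113.10", "tcp", 443))  # True
    print(inbound_reaches_instance(NACL_INBOUND, SG_INBOUND, "203.0.113.10", "tcp", 22))   # False
    print(reply_leaves_subnet(NACL_HTTPS_ONLY, "203.0.113.10", "tcp", 49152))             # False
```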
Amazon Virtual Private Cloud Corporate Datacenter Connectivity

Amazon Elastic Load Balancing (ELB)
ELB increases application resiliency
• Automatically distributes incoming application traffic
• Health Checks for application high availability
• Integrates with other AWS services
– Route 53
– Internet Gateway
– Identity and Access Management

[Diagram: load balancer → listener → rule → target group (with health check) → targets.]
https://aws.amazon.com/elasticloadbalancing/
Amazon CloudFront

• Content delivery network (CDN) with optimization
• Distribute content to end users with low latency and high data transfer rates
• Broad, geographic presence beyond AWS Regions
• Accelerate data uploaded from end users
• Use cases:
– Accelerating web application performance
– Caching static web content and frequent database query results
– Offloading TLS termination

https://aws.amazon.com/cloudfront/
How You Configure CloudFront to Deliver Content

[Diagram: (1) objects/data are placed in an S3 bucket or on an HTTP server; (2) the developer creates a web distribution; (3) CloudFront returns the distribution domain, e.g. http://d111111abcdef8.cloudfront.net; (4) your distribution’s configuration is propagated to the edge locations.]
Amazon Route 53

• Global Domain Name System (DNS) service
• Highly available and scalable
– 100% availability SLA
• Critical tool integrated with many AWS services

https://aws.amazon.com/route53/
Network – Knowledge Check
Question 1
Which of the following services helps provide a dedicated connection
from on-premise infrastructure to resources hosted in the AWS
Cloud?

A. AWS VPC
B. AWS VPN
C. AWS Direct Connect
D. AWS Subnets

Question 2
You are planning on deploying a video-based application onto the
AWS Cloud. These videos will be accessed by users across the world.
Which of the below services can help stream the content in an
efficient manner to the users across the globe?

A. Amazon SES
B. Amazon CloudTrail
C. Amazon CloudFront
D. Amazon S3

Question 3
Which of the following services is most useful when a Disaster
Recovery method is triggered in AWS?

A. Amazon Route 53
B. Amazon SNS
C. Amazon SQS
D. Amazon Inspector

Question 4
Which of the following networking components can be used to host
EC2 resources in the AWS Cloud?

A. AWS Trusted Advisor
B. AWS VPC
C. AWS Elastic Load Balancer
D. AWS Autoscaling

Question 5
Which of the following can be used to protect EC2 Instances hosted
in AWS? Choose 2 answers from the options given below:

A. Usage of Security Groups
B. Usage of AMI's
C. Usage of Network Access Control Lists
D. Usage of the Internet gateway
AWS Database Services
Amazon RDS

• Relational databases
• Fully managed and secure
• Fast, predictable performance
• Simple and fast to scale
• Low cost, pay for what you use

Amazon RDS / Amazon Aurora
https://aws.amazon.com/rds/
Amazon Aurora
Delivered as a managed service on top of RDS

• Speed and availability of high-end commercial databases
• Up to 64TiB of auto-scaling SSD storage
• Automatic Backup (1 – 35 days)
• Automatic Upgrade
• Drop-in compatibility with MySQL and PostgreSQL
• Simple pay as you go pricing
Amazon DynamoDB
Fully managed NoSQL database
• Fast, consistent performance
• Highly scalable
• Flexible
• Event-driven programming
• Fine-grained access control

Amazon Redshift: Data Warehousing
Amazon Redshift is a fast, scalable data warehouse
Amazon ElastiCache
A fully-managed in-memory data store or cache environment in
the cloud.
• Improves performance by retrieving data from high-throughput and low-latency, in-memory data stores.
• Use Cases:
– Gaming
– Ad-Tech
– Financial Services
– Healthcare
– IoT

https://aws.amazon.com/elasticache/
Databases – Knowledge Check
Question 1
Which of the following is a fully managed NoSQL database service
available with AWS?

A. AWS RDS
B. AWS DynamoDB
C. AWS Redshift
D. AWS MongoDB

Question 2
Which AWS service automates infrastructure provisioning and
administrative tasks for an analytical data warehouse?

A. Amazon Redshift
B. Amazon DynamoDB
C. Amazon ElastiCache
D. Amazon Aurora

Question 3
Which of the following is a MySQL-compatible database which also
can grow in storage size on its own?

A. Aurora
B. DynamoDB
C. RDS Microsoft SQL Server
D. RDS MySQL

Question 4
Which of the following features of Amazon RDS allow for better
availability of databases? Choose 2 answers from the options given
below:

A. VPC Peering
B. Multi-AZ
C. Read Replicas
D. Multi-Region
AWS Security Services
The Layered Security Approach

• Secured Infrastructure
– Secured endpoints
– Compliance alignments and frameworks
– Certifications and attestations
• VPC Firewall
– Workload isolation
• Security Group
– Port/protocol filtering
• Instance Firewall
– Rule-based protection at the OS level

[Diagram: nested layers, from the outside in: VPC, subnet, security group, instance.]
AWS Identity & Access Management
A core AWS security service.

Defines administrative profiles.

Who can do what on the AWS console or by the additional management tools.

Admin Group: Mike, Travis, John – policy: AdministratorAccess
Support Group: Mike, Sup1, Theresa – policy: SupportUsers

Policy (excerpt):
"Action": [
  "support:*",
  "acm:DescribeCertificate",
  "acm:GetCertificate",
  "acm:List*",
  "apigateway:GET",
  "appstream:Get*",
  "autoscaling:Describe*",
  "aws-marketplace:ViewSubscriptions",
  "cloudformation:Describe*",
  ...

https://aws.amazon.com/iam/
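Added example, not code from the course or from AWS: a simplified evaluator for the SupportUsers action list above, showing that the wildcards grant only the matching read-style actions and that anything not listed is implicitly denied. The policy below contains only the actions visible on the slide (the list is truncated there); Resource and Condition elements are ignored, and the sample requests are constructed.

```python
"""Does an IAM policy's Action list cover a given API call? Wildcard
matching as used for the SupportUsers policy on this slide.
Added example; the statement holds only the actions visible on the slide
and the requests checked against it are constructed."""

import fnmatch
import json

SUPPORT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "support:*",
        "acm:DescribeCertificate",
        "acm:GetCertificate",
        "acm:List*",
        "apigateway:GET",
        "appstream:Get*",
        "autoscaling:Describe*",
        "aws-marketplace:ViewSubscriptions",
        "cloudformation:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
""")


def action_matches(pattern: str, action: str) -> bool:
    """IAM action names match case-insensitively; '*' and '?' in the
    policy pattern are wildcards, every other character is literal."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policy: dict, action: str) -> bool:
    """Simplified IAM evaluation on the Action element only:
    an explicit Deny wins over everything, otherwise any Allow statement
    naming the action grants it, otherwise the default is an implicit deny.
    Resource and Condition are not evaluated here (assumption of this
    example, not a description of the full IAM evaluation logic)."""
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    allowed = False
    for stmt in statements:
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(action_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def granted_actions(policy: dict, actions_to_check) -> list:
    """Least-privilege review helper: which of the candidate actions would
    this policy allow? Useful for confirming a read-only policy grants no
    write actions."""
    return [a for a in actions_to_check if is_allowed(policy, a)]


if __name__ == "__main__":
    candidates = ["acm:ListCertificates", "acm:DeleteCertificate",
                  "support:CreateCase", "iam:CreateUser"]
    print(granted_actions(SUPPORT_POLICY, candidates))
    # ['acm:ListCertificates', 'support:CreateCase']
```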
AWS Principals
Account Owner ID (Root Account)
• Access to all subscribed services.
• Access to billing.
• Access to console and APIs.
• Access to Customer Support.

IAM Users, Groups and Roles
• Access to specific services.
• Access to console and/or APIs.
• Access to Customer Support (Business and Enterprise).

Temporary Security Credentials
• Access to specific services.
• Access to console and/or APIs.

https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
IAM Root Account Best Practices

• 1st account created (email + password)
• Do not use the root user for your everyday tasks
• Securely lock away the root user credentials
– Delete any programmatic keys
– Enable MFA on Root Account
– Change the Root password to a strong password

https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
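Added example, not code from the course: checking two of the root-account rules above (no programmatic keys, MFA enabled) against an IAM credential report, plus the same MFA check for console users. The column names follow the layout of the report IAM produces with get-credential-report (only the columns used here are included); the rows and the account ID are constructed.

```python
"""Check the slide's root-account rules against an IAM credential report.
Added example, not from the course. Column names follow IAM's credential
report layout (subset); every row below is constructed sample data."""

import csv
import io

# Constructed sample report. In a real report the root row is named
# <root_account>, booleans are the strings 'true'/'false', and fields that
# do not apply to root read 'not_supported'.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,false
alice,arn:aws:iam::111122223333:user/alice,true,true,true,false
bob,arn:aws:iam::111122223333:user/bob,true,false,false,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true,true
"""

ROOT_USER = "<root_account>"


def parse_report(text: str) -> list:
    """Parse the CSV report into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def root_findings(rows: list) -> list:
    """Root-account best-practice violations from the slide:
    MFA must be enabled and there must be no active programmatic keys."""
    root = next((r for r in rows if r["user"] == ROOT_USER), None)
    if root is None:
        return ["root account row missing from report"]
    findings = []
    if root["mfa_active"] != "true":
        findings.append("root: MFA not enabled")
    for key in ("access_key_1_active", "access_key_2_active"):
        if root[key] == "true":
            findings.append(f"root: programmatic key active ({key})")
    return findings


def users_without_mfa(rows: list) -> list:
    """Console users (password_enabled) without MFA. Root is reported by
    root_findings(); key-only users have no console password to protect."""
    return [r["user"] for r in rows
            if r["user"] != ROOT_USER
            and r["password_enabled"] == "true"
            and r["mfa_active"] != "true"]


def is_root_compliant(text: str) -> bool:
    """True when the report shows root with MFA on and no active keys."""
    return not root_findings(parse_report(text))


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    for finding in root_findings(rows):
        print(finding)
    print("console users without MFA:", users_without_mfa(rows))
```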
IAM Roles Best Practices
IAM identity that can be assumed by anyone who needs it.
Ex.: users, applications, services, federated users

Long term passwords
Long term access keys
Temporary security credentials

[Diagram: application code on an EC2 instance assumes an IAM role, receives temporary credentials, and uses them in API calls to create, delete or change an S3 bucket.]
AWS Directory Service
1. Sign In to AWS Applications and Services with AD Credentials
2. Manage Amazon EC2 Instances
3. Provide Directory Services to Your AD-Aware Workloads
4. SSO to Office 365 and Other Cloud Applications
5. Extend Your On-Premises AD to the AWS Cloud
6. Share Your Directory to Seamlessly Join Amazon EC2 Instances to a Domain Across AWS Accounts
AWS Key Management Service (AWS KMS)
Data encryption with KMS
• Managed service for creating and using encryption keys
• Integrated with many AWS services
• Integrated with AWS CloudTrail
– provides auditable logs of key usage

https://aws.amazon.com/kms/
AWS Web Application Firewall (AWS WAF)

• Protects web applications
• Filters traffic based on custom rules
• Easy to deploy as part of Amazon CloudFront or ELB
• Provides real-time metrics and detailed request data
• Configure manually or via the API
• Integrate third-party, workload-optimized AWS WAF configuration rules
• AWS Firewall Manager synchronizes AWS WAF rules across multiple accounts

https://aws.amazon.com/waf/
AWS Shield (Standard or Advanced)

• Guards against distributed denial of service (DDoS) attacks

• AWS Shield Standard
– Addresses common layer 3-4 DDoS incidents
– Monitors network flows for quick attack detection
– Mitigates service impacts automatically
• AWS Shield Advanced
– Enhanced DDoS detection and response
– Supports customized rules against sophisticated attacks
– Includes AWS DDoS Response Team 24x7
– Covers cost of increased resource utilization due to attack

https://aws.amazon.com/shield/
Security – Knowledge Check
Question 1
Which service allows an administrator to create and modify AWS
user permissions?

A. AWS Config
B. AWS CloudTrail
C. AWS Key Management Service (AWS KMS)
D. AWS Identity and Access Management (IAM)

Question 2
Which of the following is the responsibility of the AWS customer
according to the Shared Security Model?

A. Managing AWS Identity and Access Management (IAM)
B. Securing edge locations
C. Monitoring physical device security
D. Implementing Service Organization Control (SOC) standards

Question 3
Which of the following security requirements are managed by AWS
customers? Select 2 answers from the options given below.

A. Password Policies
B. User permissions
C. Physical security
D. Disk disposal
E. Hardware patching

Question 4
How can the AWS Management Console be secured against
unauthorized access?

A. Apply Multi-Factor Authentication (MFA)
B. Set up a secondary password
C. Request root access privileges
D. Disable AWS console access

Question 5
When giving permission to users via the AWS Identity and Access
Management tool, which of the following principles should be
applied when granting permissions?

A. Principle of least privilege
B. Principle of greatest privilege
C. Principle of most privilege
D. Principle of lower privilege
AWS Management Services
Compute: Amazon EC2, Amazon ECS, Auto Scaling, AWS Lambda
Storage: Amazon EBS, Amazon Glacier, Amazon EFS, Amazon S3, AWS Storage Gateway
Networking: Elastic Load Balancing*, Amazon Route 53, Application Load Balancer, Amazon VPC*, AWS Direct Connect, VPN connection
Databases: Amazon RDS, Amazon Aurora, Amazon DynamoDB, Amazon ElastiCache, Amazon Redshift
Security: IAM, AWS WAF, AWS KMS, AWS Shield
Management: Amazon CloudWatch, AWS CloudTrail, AWS CloudFormation, AWS Config, Amazon EC2 Systems Manager
AWS CloudWatch

• Monitoring service for AWS cloud resources and applications


• Collect and track metrics, monitor log files, and set alarms
• Gain visibility into resource utilization, application performance, and
operational health
• Set alarms to send notifications or take other automated actions
• Supports custom dashboards
• Use cases:
– Cost management; billing alerts

https://aws.amazon.com/cloudwatch/

AWS CloudWatch Alarms

Figure: AWS resources that support CloudWatch publish metrics such as CPUUtilization, StatusCheckFailed, PageViewCount and custom / application-specific CloudWatch metrics. Amazon CloudWatch stores the available statistics; a CloudWatch alarm can send an Amazon SNS email notification or trigger Auto Scaling, and the statistics are consumed from the AWS Management Console.

CloudWatch Metrics Examples

Figure: examples of CloudWatch metrics (image not reproduced).
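An added example (not from the course) of the alarm logic behind the CPUUtilization-to-SNS flow in the figure: CloudWatch's "M out of N" evaluation, with constructed CPU samples and a threshold, evaluation periods and datapoints-to-alarm chosen for this example; missing-data handling is not modelled.

```python
from typing import Callable, Dict, List

COMPARATORS: Dict[str, Callable[[float, float], bool]] = {
    "GreaterThanThreshold": lambda v, t: v > t,
    "GreaterThanOrEqualToThreshold": lambda v, t: v >= t,
    "LessThanThreshold": lambda v, t: v < t,
    "LessThanOrEqualToThreshold": lambda v, t: v <= t,
}


def evaluate_alarm(datapoints: List[float], threshold: float,
                   comparison: str = "GreaterThanThreshold",
                   evaluation_periods: int = 3,
                   datapoints_to_alarm: int = 2) -> List[str]:
    """Return the alarm state after each period, following CloudWatch's
    'M out of N' rule: ALARM when at least datapoints_to_alarm of the last
    evaluation_periods datapoints breach the threshold, OK otherwise, and
    INSUFFICIENT_DATA until a full window exists."""
    breaches = COMPARATORS[comparison]
    states = []
    for i in range(len(datapoints)):
        window = datapoints[max(0, i + 1 - evaluation_periods): i + 1]
        if len(window) < evaluation_periods:
            states.append("INSUFFICIENT_DATA")
        elif sum(breaches(v, threshold) for v in window) >= datapoints_to_alarm:
            states.append("ALARM")
        else:
            states.append("OK")
    return states


def notifications(states: List[str]) -> List[int]:
    """Indices at which the alarm transitions into ALARM, i.e. when the SNS
    email action from the figure would fire (actions run on state change,
    not on every breaching period)."""
    fired = []
    prev = "INSUFFICIENT_DATA"
    for i, s in enumerate(states):
        if s == "ALARM" and prev != "ALARM":
            fired.append(i)
        prev = s
    return fired


# Constructed CPUUtilization samples (percent, one per period).
CPU_SAMPLES = [50, 90, 85, 70, 60, 55, 95, 97, 99]

if __name__ == "__main__":
    st = evaluate_alarm(CPU_SAMPLES, threshold=80)
    print(st, notifications(st))
```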
AWS CloudTrail
CloudTrail provides the event history of AWS account activity
• Permits governance, compliance and audit: who did that?!
• Logs API calls.
• Security analysis.
• Tracking of resource changes.
• Troubleshooting.
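An added example (not part of the course) of answering the "who did that?" question from CloudTrail: it walks a constructed log excerpt, pulls every TerminateInstances call together with the identity, time and source address, and keeps denied attempts (records carrying errorCode) so they can be triaged too. Account id, user names, instance ids and IP addresses are placeholders.

```python
import json

# Constructed CloudTrail log excerpt (placeholder identities and instance ids):
# two termination calls, one of which was denied, plus an unrelated read call.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2019-01-30T10:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"instancesSet": {"items": [
         {"instanceId": "i-0aaa111"}, {"instanceId": "i-0bbb222"}]}}},
    {"eventTime": "2019-01-30T10:05:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci-session"},
     "sourceIPAddress": "198.51.100.9",
     "errorCode": "Client.UnauthorizedOperation",
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0ccc333"}]}}},
    {"eventTime": "2019-01-30T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "203.0.113.8", "requestParameters": None},
]})


def terminations(trail_json: str):
    """One dict per instance named in an EC2 TerminateInstances call. Denied
    calls are logged too, so 'succeeded' tells both kinds apart."""
    out = []
    for rec in json.loads(trail_json)["Records"]:
        if (rec.get("eventSource") != "ec2.amazonaws.com"
                or rec.get("eventName") != "TerminateInstances"):
            continue
        params = rec.get("requestParameters") or {}
        for item in params.get("instancesSet", {}).get("items", []):
            out.append({
                "instance": item["instanceId"],
                "actor": rec["userIdentity"]["arn"],
                "type": rec["userIdentity"]["type"],
                "time": rec["eventTime"],
                "source_ip": rec.get("sourceIPAddress"),
                "succeeded": "errorCode" not in rec,
            })
    return out


if __name__ == "__main__":
    for t in terminations(SAMPLE_TRAIL):
        print(t["time"], t["instance"], t["actor"], "ok" if t["succeeded"] else "DENIED")
```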
Benefits of AWS CloudFormation

• Create stacks in multiple regions from the same template.
• Update and delete stacks easily.
• Document your infrastructure.
• Maintain your infrastructure as a code artifact
– Use a code repository such as AWS CodeCommit or GitHub
• Sample templates available for multiple workloads.
AWS CloudFormation Designer
• Visualize template resources
• Modify template with drag-and-drop gestures
• Customize sample templates
AWS Config
Managed service for tracking AWS inventory and configuration, and
configuration change notification.

Figure: AWS Config records the configuration of resources such as Amazon EC2, Amazon EBS and Amazon VPC and works together with AWS CloudTrail. Use cases: security analysis, audit compliance, change management, troubleshooting, discovery.
Management Services – Knowledge Check
Question 1
You want to monitor the CPU utilization of an EC2 resource in AWS.
Which of the below services can help in this regard?

A. AWS CloudTrail
B. AWS Inspector
C. AWS Trusted Advisor
D. AWS CloudWatch

Question 2
Which of the following services helps in governance, compliance,
and risk auditing in AWS?

A. AWS Config
B. AWS CloudTrail
C. AWS CloudWatch
D. AWS SNS

Question 3
A company needs to know which user was responsible for
terminating several critical Amazon Elastic Compute Cloud (Amazon
EC2) Instances. Where can the customer find this information?

A. AWS Trusted Advisor
B. Amazon EC2 instance usage report
C. Amazon CloudWatch
D. AWS CloudTrail logs

Question 4
You have a DevOps team in your current organization structure.
They are keen to know if there is any service available in AWS which
can be used to manage infrastructure as code. Which of the
following can be met with such a requirement?
A. Using AWS CloudFormation
B. Using AWS Config
C. Using AWS Inspector
D. Using AWS Trusted Advisor
Module 4:
Pricing, TCO and Cost Optimization on
AWS
Cloud Value Framework

Cost Savings (TCO)
– What is it? Infrastructure cost savings / avoidance from moving to the Cloud.
– Example: 50%+ reduction in TCO (GE)

Staff Productivity
– What is it? Efficiency improvement by function on a task by task basis.
– Example: Over 500 hours per year of server configuration time saved (Sage)

Operational Resilience
– What is it? Benefit of improving SLAs & reducing unplanned outage.
– Example: Critical workloads run in multiple AZs & Regions for robust DR (Expedia)

Business Agility
– What is it? Deploying new features / applications faster and reducing errors.
– Example: Launch of new products 75% faster (Unilever)

Cost savings are the typical focus; staff productivity, operational resilience and business agility are the most compelling cloud benefits.
TCO the way customers typically see it
(illustrative)
1 Server Costs: Hardware – Server (+Maintenance); Software – OS, Virtualization Licenses (+Maintenance)
2 Storage Costs: Hardware – Storage Disks
3 Network Costs: Network Hardware – LAN Switches, Load Balancer; Bandwidth costs
4 IT Labor Costs: Server Admin, Virtualization Admin

TCO the way it really is
(illustrative; On-prem. / Colocation, plus Overhead)
1 Server Costs: Hardware – Server, Rack Chassis, PDUs, ToR Switches (+Maintenance); Software – OS, Virtualization Licenses (+Maintenance); Facilities Cost – Space, Power, Cooling
2 Storage Costs: Hardware – Storage Disks, SAN/FC Switches; Software – Backup; Facilities Cost – Space, Power, Cooling
3 Network Costs: Network Hardware – LAN Switches, Load Balancer; Software – Network Monitoring; Bandwidth costs; Facilities Cost – Space, Power, Cooling
4 IT Labor Costs: Server Admin, Virtualization Admin, Storage Admin, Network Admin, Support Team
5 Extras: Project planning, Advisors, Legal, Contractors, Managed Services, Training, Cost of capital
Business Value: Cost of delays, Risk premium, Competitive abilities, Governance, Etc.
Resources to get started

AWS TCO Calculator
https://awstcocalculator.com

AWS Economics Center
http://aws.amazon.com/economics/

Case Studies and Research
http://aws.amazon.com/solutions/case-studies
Tools for Cost Visibility
Cost Explorer
• Monthly Spend by Service View
• Monthly Spend by Linked Account View
• Daily Spend View

Tags
• Identify and organize your AWS resources
• Integrated with multiple AWS services
• EC2, RDS, S3, Glacier, Redshift, etc...
AWS Pricing Philosophy

01 Pay Only for What You Use
02 Low Cost
03 No Up-Front Capital Expense
On-Demand and Reserved

On-Demand
– Benefits: Billing by the second (new as of 10/2/17); Modify compute capacity
– When to position: Customer seeking to avoid long contracts and upfront payments
– Workloads: Short-term / fluctuating; Desired to run to completion; Dev/Test

Standard Reserved Instance
– Benefits: 50%-70% less than On-Demand instances
– When to position: Customer able to commit to a 1 year or 3 year term
– Workloads: Steady-state applications
Convertible Reserved Instances

Convertible Reserved Instance
– Benefits: Reduced price during the Reserved Instance term; Change Reserved Instance family, type, OS, or tenancy (example: C3 RI → C4 RI)
– When to position: For customers lacking understanding of future workloads
– Workloads: Steady-state but can change
Spot Instances

Spot Fleet (unused EC2 instances that are available for less than the On-Demand price)
– Benefits: Discounts compared to on-demand pricing; Run continuously for a set duration at lower pricing
– When to position: When workloads can continue after interruptions; for diversification across multiple instance types and AZs
– Workloads: Batch processing, Hadoop workflow, HPC grid; Encoding, rendering, modeling, analysis, or continuous integration

Dedicated Instances and Dedicated Hosts

Dedicated Instance
– Benefits: Instances run on hardware dedicated to you only
– When to position: For workloads that require dedicated hardware to meet unique security and compliance needs
– Workloads: Data isolation required
– Customer must pay an hourly instance fee and a dedicated per-region fee

Dedicated Host
– Benefits: Instances run on hardware dedicated to you only; License portability; Fine-grain control of hardware
– When to position: For existing server-bound software licenses that are bound to VMs, sockets, or physical cores
– Workloads: Data isolation required; License-dependent applications or services
Billing Comparison
N. Virginia, 30th Jan 2019.

Figure: billing comparison of On-Demand, Reserved and Convertible Reserved instances (image not reproduced).

Estimating Cost Savings
Simple Monthly Calculator
Module 5:
AWS Well-Architected Framework
The AWS Well-Architected Framework

Design Principles
• Stop guessing your capacity needs
• Test systems at production scale
• Automate to make architectural experimentation easier
• Allow for evolutionary architectures
• Data-driven architectures
• Improve through game days

Pillars of AWS Well-Architected

• Operational Excellence
• Security
• Reliability
• Performance Efficiency
• Cost Optimization
Operational Excellence

The ability to run and monitor systems to deliver business value and continually improve supporting
processes and procedures.

Principles
• Perform operations with code
• Align operations processes to business objectives
• Make regular, small, incremental changes
• Test for responses to unexpected events
• Learn from operational events and failures
• Keep operations procedures current
Coverage Area
• Preparation
• Operation
• Response

Operational Excellence: AWS Services

Prepare
• AWS Config rules
Operate
• Amazon CloudWatch
Evolve
• Amazon Elasticsearch Service (Amazon ES)
Applying Operational Excellence

Figure: reference architecture across Availability Zone A and Availability Zone B. Each AZ has a public subnet (RDGW, NAT, IDS/WAF), a private web tier and a private app tier running reserved and on-demand instances in Auto Scaling groups, and a private data tier with Amazon Aurora replicating between the AZs; web, app and DB security groups separate the tiers, and users and admins reach the environment over the internet. Annotations:
1. Use of Amazon CloudWatch to achieve visibility in the cloud
2. Use of CodeStar to deploy Infrastructure as Code
Security

The ability to protect information, systems, and assets while delivering business value through risk
assessments and mitigation strategies.
Principles
• Apply security at all layers
• Enable traceability
• Implement a principle of least privilege
• Focus on securing your system
• Automate security best practices
Coverage Areas
• Identity and access management
• Detective controls
• Infrastructure protection
• Data protection
• Incident response

Security: AWS Services

Identity and Access Management
• IAM, MFA
Detective Controls
• CloudTrail, AWS Config, CloudWatch
Infrastructure Protection
• Amazon VPC
Data Protection
• ELB, Amazon EBS, Amazon S3, Amazon RDS, Amazon Macie, AWS KMS
Incident Response
• AWS CloudFormation
Applying Security Best Practices

Figure: the same two-AZ reference architecture (public subnet with RDGW, NAT, IDS/WAF; private web, app and data tiers with Amazon Aurora replication; web, app and DB security groups; deployed with AWS CloudFormation). Annotations:
1. Public and private subnets
• ELB and other edge devices are the only things the public can reach
• The application of WAF and Shield at the edge to control traffic
2. The use of IAM (dive deep: understand the roles and users)
3. The use of CloudTrail and Config to maintain a known infrastructure state
4. Using IAM to create roles that ensure that only the App tier can talk to the database
Reliability

The ability of a system to recover from infrastructure or service failures, dynamically acquire
computing resources to meet demand, and mitigate disruptions such as misconfigurations or
transient network issues.

Principles
• Test recovery procedures
• Automatically recover from failure
• Scale horizontally to increase aggregate system availability
• Stop guessing capacity
• Manage change in automation
Coverage Areas
• Foundations
• Change Management
• Failure Management

Reliability: AWS Services

Foundations
• AWS Trusted Advisor, IAM, Amazon VPC, Direct Connect
Change Management
• AWS CloudTrail, AWS Config, Auto Scaling, CloudWatch
Failure Management
• AWS CloudFormation, Amazon S3, Amazon Glacier, AWS KMS
Applying Reliability

Figure: the two-AZ reference architecture (public subnet with RDGW, NAT, IDS/WAF; private web, app and data tiers, here with Amazon RDS replicating between the AZs). Annotations:
1. Multi-AZ
2. Database replication between the two AZs
3. Scalable ELB instances
• Independent resource scalability
• Independent service recovery when used with auto-scaling
• This will be relevant when we talk about "Performance Efficiency" as well
Performance Efficiency

The ability to use computing resources efficiently to meet system requirements, and to
maintain that efficiency as demand changes and technologies evolve.

Principles
• Democratize advanced technologies
• Go global in minutes
• Use serverless architectures
• Experiment more often
• Mechanical sympathy
Coverage Areas
• Selection
• Review
• Tradeoffs

Performance Efficiency: AWS Services

Selection
• Compute: Auto Scaling
• Storage: Amazon EBS, Amazon S3
• Database: Amazon RDS, Amazon DynamoDB
• Network: Amazon Route 53, Amazon VPC, AWS Direct Connect
Review
• AWS Blog
Monitoring
• Amazon CloudWatch, AWS Lambda
Tradeoffs
• Amazon ElastiCache, Amazon CloudFront, AWS Snowball, Read replicas for RDS
Applying Performance Efficiency

Figure: the two-AZ reference architecture (public subnet with RDGW, NAT, IDS/WAF; private web and app tiers in Auto Scaling groups; private data tier with Amazon Aurora replication; deployed with AWS CloudFormation). Annotations:
1. Auto Scaling groups
2. CloudFormation as a tool to facilitate repeatability and global deployment
Cost Optimization
The ability to avoid or eliminate unneeded cost or suboptimal resources

Principles
• Adopt a consumption model
• Benefit from economies of scale
• Stop spending money on data center operations
• Analyze and attribute expenditure
• Use managed services to reduce cost of ownership
Coverage Areas
• Cost-Effective Resources
• Matching Supply and Demand
• Expenditure Awareness
• Optimizing Over Time

Cost Optimization: AWS Services

Cost-Effective Resources
• AWS Well-Architected Framework
Matching Supply and Demand
• Auto Scaling
Expenditure Awareness
• Amazon CloudWatch, Amazon Simple Notification Service (SNS)
Optimizing Over Time
• AWS Blogs, AWS Trusted Advisor, AWS Cost Explorer
Applying Cost Optimization

Figure: the two-AZ reference architecture (public subnet with RDGW, NAT, IDS/WAF; private web and app tiers in Auto Scaling groups mixing reserved and on-demand instances; private data tier with Amazon Aurora replication; deployed with AWS CloudFormation). Annotations:
1. Combination of reserved and on-demand instances
2. The use of Aurora as the relational database layer
Value Proposition
Help Customers:
• Consistent approach to reviewing architectures
• Understand and reduce risk in your architecture
• Learn best practices
• Influence future architectures
• Generate additional opportunities
