
NewKart.com - on-premises data center (March 2022) and hosting on AWS (June 2022)

Diagram (only the labels survive): user platform with login ID, web server (Nginx/Apache), app server (Java on Tomcat/JBoss), middleware, database; about 100000 customers.

Data center components: load balancer, virtualization software, compute (CPU, RAM, disk), network (routers, switches, ISP internet connection, network cables), physical servers, server racks, security.

Infrastructure needed: database, DNS name, SSL certificate, domain name.

Challenges -
1. Cost
2. Power failure
3. Unplanned outage
4. Scalability, disaster recovery

Cloud providers named on the diagram: AWS, Azure, Google Cloud, Oracle, IBM, Alibaba, Adobe.

Sketch: a base machine (Windows) and Linux VMs (Ubuntu, CentOS) serving X customers, then 5X customers.

Benefits (cloud) -
1. Cost - pay for what you use
2. Speed - provision in minutes and start using
3. Scale
4. Time to production
5. Security
6. Reliability
7. Time
8. Reduces manpower

Challenges (on-premises) -
1. Overhead
2. Cost
3. Capacity planning
4. Performance
5. Reliability
6. Presence
7. Security
8. Manpower is needed

Service models: On-Premises | IAAS | PAAS | SAAS

Layers in each stack (top to bottom): Application, Data, Runtime, Middleware, O/S, Virtualization, Server Machines, Networking, Infrastructure.

Examples: EC2 (IAAS), RDS and AWS Lambda (PAAS), Gmail (SAAS - ready to use application).

Customer responsibility decreases from On-Premises to IAAS to PAAS to SAAS.

Hybrid Cloud - a data center / private cloud together with a public cloud (AWS, Azure, GCP); Airtel also appears on the diagram.

Amazon Web Services - history
2002 - launched internally
2003 - idea of selling infra
2004 - SQS launched publicly
2006 - SQS, S3, EC2
2007 - launched in Europe

Customers named: Netflix, Dropbox, NASA, Airbnb, McDonalds

NewKart.com on AWS: 2 VMs on cloud running Apache web servers / Nginx.

Region - 25 regions
AZ - Availability Zones - 82
Example: Mumbai Region with Zone-1, Zone-2, Zone-3

How to choose a region
1. Latency
2. Compliance
3. Available Services
4. Pricing
1. Root Account - owner of the account (root-account) with all permissions; it can create other IAM accounts.
2. IAM Account - has only the permissions on the services that the root user assigns to it.

Example: Account - 309390439193
IAM users: my-iam-user, dev-1 (in group name=developers); QA users in group name=testers

Login flow: user enters password -> asked for additional information (MFA) -> allowed to login

IAM best practices
1. Always enable MFA
2. Create 1 IAM user for every person
3. Use groups to assign permissions
4. Create a strong password policy
5. Assign only the permissions which are required - minimum privilege rule
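A least-privilege check for an IAM policy document, covering practices 1 and 5 above (always use MFA; assign only the permissions required). This is an added example, not AWS code or code from the notes. Both policy documents are constructed, the bucket ARN is a placeholder, and aws:MultiFactorAuthPresent is the IAM condition key that records whether the session was MFA-authenticated.

```python
"""Least-privilege lint for an IAM policy document (added example)."""
import json

# Constructed: the over-broad policy the minimum privilege rule warns against.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed: what a testers group actually needs, granted only from an
# MFA-authenticated session. The bucket name is a placeholder.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::placeholder-test-reports",
                     "arn:aws:s3:::placeholder-test-reports/*"],
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
})


def _as_list(value):
    """IAM accepts a single string or a list in Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json):
    """Return one finding per way an Allow statement is broader than needed."""
    findings = []
    doc = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only take access away
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action!r}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"statement {idx}: wildcard resource '*'")
        mfa = (stmt.get("Condition", {}).get("Bool", {})
               .get("aws:MultiFactorAuthPresent"))
        if str(mfa).lower() != "true":
            findings.append(f"statement {idx}: Allow is not conditioned on MFA")
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(policy) or ["ok"])
```

Run against the broad policy it reports three findings (wildcard action, wildcard resource, no MFA condition); the scoped policy passes clean. The same check can be applied to any policy before it is attached to a group.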

Virtual Machines - EC2

Instance components: 1. OS - AMIs (Linux, Windows, macOS)  2. CPU  3. RAM  4. Storage (disk)
Related services: EBS, ELB, ASG, SG

Purchasing options:
- On-demand (price shown in the sketch: 0.045$ per hour)
- Reserved instances - reserve for 1 year or 3 years, up to 75% discount; variants: convertible reserved instance, scheduled reserved instance
- Spot instances - offer up to 90% discount compared to on-demand; used for batch jobs, image processing, distributed workloads
- Dedicated host
- Dedicated instances (3 year reservation)
1. USER DATA - script run at first boot to install the web server:

#!/bin/bash
# Update packages and install Apache httpd
yum -y update
yum -y install httpd
# Start httpd now and on every boot
systemctl start httpd
systemctl enable httpd
# Publish the instance's private IP on the default page
echo "This is VM with IP $(hostname -i)" >> /var/www/html/index.html

2. SG - Security group with a rule to allow port 80

Public IP and Elastic IP

An EC2 instance in US (private IP 172.31.24.135) gets its public IP from a pool of public IPs; a VM outside AWS reaches it on port 80 through that public IP. Stop instance -> a different public IP is assigned on start; terminate instance -> the IP goes back to the pool.

Elastic IP (e.g. 54.205.208.65) - a public IP reserved for you that stays fixed; 5 such IPs.

Placement Groups - Partition placement: Partition1, Partition2, Partition3 spread over us-east-1a and us-east-1b; used for big data, e.g. Apache Kafka.

Custom AMI

Automating installation of the web server on the VM with user-data takes about 10 minutes per VM. Instead, configure a VM once (CentOS 7, Nov 2021: 1. web server, 2. xyz package, 3. configuration, index.html) and create a custom AMI from it (ami-with-httpd-setup). A custom AMI is private. After a security patch (Dec 2021) a new VM and a new AMI are made. New VMs launched from the AMI come with the package and configuration already in place; a public package or config can still be applied through user-data.

Private IP vs public IP: a VM keeps a fixed private IP (172.31.94.98); its public IP comes from the AWS pool of public IPs (e.g. 3.84.149.11, 54.152.61.162, 54.157.215.209, among 10000s of other IPs). A server outside AWS (52.204.125.68) reaches the VM through the public IP or an Elastic IP.

EBS Volume - huge disk storage attached to a VM over the AWS network

VM (CPU, RAM) on a physical machine with a boot volume (AMI, 50GB) and an additional blank EBS volume (2000 GB).
1. Network drive, not a physical drive
2. Locked to a Zone

Snapshots - e.g. Newkart.com takes snapshots at 1:00 PM, 2:00 PM, 3 PM, 4 PM, 5 PM, 5:30 PM (a 13:22 snapshot is also shown)
EBS volume (50 GB, us-east1-a) -> Snapshot -> EBS Volume restored in a zone of your choice

Data security
1. Data in transit
2. Data at rest
Unencrypted EBS volume (data such as "Hi This is AWS" stored in clear) -> Snapshot (unencrypted) -> Copy -> Snapshot (encrypted) -> encrypted EBS volume

EFS - Elastic File System (e.g. 50 GB)

NFS - Network File System: protocol that allows you to mount storage over the network.
VM-1, VM-2 and VM-3 each mount /dev_files_from_EFS/readme.txt from the EFS path /dev_files/email_templates/

- Used for web sharing, content management
- Uses the NFS protocol
- Uses security groups to control access
- Available for Linux AMIs
- Encrypted by default

Load balancer
1. Load balancing to backend instances
2. Expose a single point for the front-end
3. Handle failure of backend instances
4. Health-check
5. Stickiness
6. HA across Zones
7. SSL termination

Diagram: User ABC (username, password - 123456) -> HTTP/HTTPS on port 80 to the load balancer (public IP) -> VM1, VM2, VM3 on port 80 in the AWS cloud network -> a second load balancer (private IP) in front of VM-10 and VM-11 on port 8080 -> Database.

Managed Load balancer
1. It will be up and running
2. AWS will make sure of all upgrades, maintenance, HA

Health check: HTTP/HTTPS, TCP/UDP, IP protocol

Scaling
1. Horizontal - more VMs
2. Vertical - a bigger VM (e.g. from 2CPU, 2GB)

Types of Load balancers on AWS
1. CLB (Classic Load balancer) - old one - 2009 - HTTP, HTTPS, TCP
2. Application Load balancer - ALB - 2016 - HTTP, HTTPS
3. Network Load balancer - NLB - 2017 - TCP, UDP
4. Gateway Load balancer - GWLB (2020) - IP protocol

Diagram: Launch Template -> ASG (Auto scaling Group) managing VM1 to VM5.
Hardware load balancers: BIG-IP (F5), NetScaler (CISCO)

CLB example: Actor -> CLB -> VM-1 (public IP 3.110.215.238, private 172.31.35.5) and VM-2 (3.6.41.14, 172.31.43.13)
Application Load balancers
1. Balancing the load over different target groups
2. Path based routing - newkart.com/shopping, newkart.com/admin
3. Hostname based routing - newkart.com, shopping.newkart.com
4. Routing based on query string - country=india

Diagram: Actor -> ALB -> / to Target-group-1, /testing.html to Target-group-2 (172.31.15.245)

SNI - solves the problem of loading multiple SSL certificates onto one web server
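The listener-rule evaluation behind the four routing types above, as an added example that is not AWS code or code from the notes: conditions on host, path and query string are tried in priority order and the first matching rule picks the target group, with a default action when nothing matches. The rule set and target-group names are constructed; the path patterns follow the ALB convention of `*` for any sequence and `?` for one character.

```python
"""Priority-ordered listener rules in the ALB style (added example)."""
import fnmatch
from urllib.parse import parse_qs, urlsplit

# Constructed rules. The lowest priority number wins; the default has none.
RULES = [
    {"priority": 1, "host": "shopping.newkart.com", "target": "tg-shopping"},
    {"priority": 2, "path": "/admin*", "target": "tg-admin"},
    {"priority": 3, "query": {"country": "india"}, "target": "tg-india"},
    {"priority": 4, "path": "/testing.html", "target": "Target-group-2"},
    {"default": True, "target": "Target-group-1"},
]


def _matches(rule, host, path, query):
    """Every condition present on a rule must hold (they are ANDed)."""
    if "host" in rule and host != rule["host"]:
        return False
    if "path" in rule and not fnmatch.fnmatchcase(path, rule["path"]):
        return False
    if "query" in rule and any(query.get(k) != v
                               for k, v in rule["query"].items()):
        return False
    return True


def route(url, host_header):
    """Return the target group chosen for a request URL and its Host header."""
    parts = urlsplit(url)
    path = parts.path or "/"
    # Only the first value of each parameter counts; the Host header is
    # client-supplied, so it is normalised before comparison.
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    host = host_header.strip().lower().split(":")[0]
    for rule in sorted(RULES, key=lambda r: r.get("priority", float("inf"))):
        if rule.get("default") or _matches(rule, host, path, query):
            return rule["target"]
    return None


if __name__ == "__main__":
    print(route("https://newkart.com/admin/users", "newkart.com"))
```

Because the host rule sits at priority 1, a request for shopping.newkart.com goes to tg-shopping whatever its path; the /admin* rule only applies to other hosts. Ordering the rules is therefore part of the access design, not just routing.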

Network Load balancer
1. Works on Layer 4 - TCP/UDP
2. Less latency (~100ms) compared to ALB (~400ms)

Diagram: NLB -> target group of EC2 instances, target group of IP addresses, or a target group whose target is an ALB

Gateway Load balancer
1. Works on Layer 3
2. Usually used for firewalls, intrusion detection, other security systems

Diagram: Actor -> GLB -> target group of VMs running 3rd-party security software

Sticky Sessions / Session affinity
Application based cookies - a custom cookie set by the application, or a cookie created by the load balancer. Reserved cookie names: AWSALB, AWSALBAPP, AWSALBTG; the second one (AWSALBAPP) is created by the LB.

Diagram: ALB -> vm-1 (cookie jgdjskjbxkjb-vm-1), vm-2 (cookie kjjkdjkks-app2)
Cross-zone load balancing
ALB - always enabled
NLB - disabled by default
CLB - disabled by default

SSL certificates
CLB - supports only 1 SSL certificate
ALB - supports multiple listeners with multiple SSL certificates
NLB - supports multiple listeners with multiple SSL certificates

Connection draining - CLB
Deregistration delay - ALB, NLB

ASG - Auto-scaling Groups
1. Maintain minimum number of instances
2. Auto scaling based on policy
3. Maximum size
4. Failure detection and resolution - healing

Scaling metrics: CPU utilization (average CPU usage on all instances in the group), RequestCount per instance, average Network In/Out, any custom metric

Configurations
1. A Launch Configuration - AMI + instance type, EC2 user data, EBS volume, SG, SSH key pair
2. Min size, max size, initial capacity
3. Network config
4. Scaling policy

VPC - Virtual Private Cloud

Analogy: a building with subnets 192.168.1.x (192.168.1.1, 192.168.1.5, 192.168.1.7) and 192.168.2.x (192.168.2.1, 192.168.2.5, 192.168.2.7); a NAT gateway with public IP 202.173.124.52 reaches google.com (172.217.160.238). Each subnet is a CIDR range.

- VPC is a regional resource (e.g. us-east1 region, ap-south-1 region)
- Subnets are within a zone (e.g. Zone-a)
- Example: VPC 10.0.0.0/16 = 65536 addresses, with Subnet-1 (public), Subnet-2, Subnet-3 (private)
- Route table with a public route to the Internet Gateway; a NAT instance in the public subnet serves the private subnets

Private IP ranges -
10.0.0.0/8
192.168.0.0/16
172.16.0.0/12
NAT instance and bastion host

Diagram: a server on the Internet (50.60.70.80); in the public subnet a NAT INSTANCE / Bastion Host with public IP 12.13.14.15 (ssh-keys); in the private subnet EC2 instances 10.0.0.10 and 10.0.0.28.

Outbound from the private instance: SRC = 10.0.0.28, DEST = 50.60.70.80 -> NAT rewrites to SRC = 12.13.14.15, DEST = 50.60.70.80
Reply: SRC = 50.60.70.80, DEST = 12.13.14.15 -> NAT maps back to SRC = 50.60.70.80, DEST = 10.0.0.28

Vivek -> SSH to the bastion host (jump server) in the public subnet -> ssh to the EC2 instances (private IP) in the private subnet. Internet access from the private subnet goes NAT GW -> IGW -> Internet (google.com).
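Address handling for the VPC and NAT flow sketched above, as an added example that is not AWS code or code from the notes: CIDR sizing and RFC 1918 classification with the standard ipaddress module, and a port-based source-NAT table that rewrites the private source to the NAT's public address and maps the reply back, dropping anything that has no outbound entry. The IP addresses are the ones in the notes; the port numbers are constructed.

```python
"""CIDR checks and a minimal source NAT (added example)."""
import ipaddress

PRIVATE_RANGES = [ipaddress.ip_network(c)
                  for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def cidr_size(cidr):
    """Number of addresses in a block, e.g. the 65536 of a /16 VPC."""
    return ipaddress.ip_network(cidr).num_addresses


def is_private(ip):
    """True when the address lies in one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


class SourceNat:
    """Port-based source NAT, the job of the NAT instance or NAT gateway."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}  # public port -> (private ip, private port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet leaving the private subnet; return the new headers."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not a private address")
        public_port = self.next_port
        self.next_port += 1
        self.table[public_port] = (src_ip, src_port)
        return {"src": (self.public_ip, public_port), "dst": (dst_ip, dst_port)}

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Map a reply back to the private host; unsolicited traffic has no
        table entry and is dropped (returns None)."""
        if dst_ip != self.public_ip or dst_port not in self.table:
            return None
        private_ip, private_port = self.table[dst_port]
        return {"src": (src_ip, src_port), "dst": (private_ip, private_port)}


if __name__ == "__main__":
    nat = SourceNat("12.13.14.15")
    out = nat.outbound("10.0.0.28", 51000, "50.60.70.80", 443)
    print(out, nat.inbound("50.60.70.80", 443, "12.13.14.15", out["src"][1]))
```

The table is what makes the NAT one-way: a connection initiated from the Internet to 12.13.14.15 finds no entry and goes nowhere, which is why the private instances are reachable only through the bastion.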

NAT Gateway

- AWS managed NAT, highly available, higher bandwidth

- No administration

- NAT GW is created in a specific AZ and has to be assigned an Elastic IP

- Cannot be used by EC2 instances in the same subnet

- Needs an Internet Gateway to work

- 5 Gbps, it can scale to 45 Gbps

- No SG to manage

NACL (Network Access Control List)

- Acts just like a firewall which controls the traffic to and from the subnets

- You can define your own NACL rules

- Every rule has a precedence (rule number); value of precedence -> 1-32766

- There is always a default rule * which denies all the traffic that no other rule matched

Diagram: Vivek -> incoming traffic -> NACL at the private subnet boundary -> SG at each EC2 instance (private IP / public IP); outgoing traffic passes back out through the SG and the NACL.
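Rule evaluation in the NACL style described above, as an added example that is not AWS code or code from the notes: rules are consulted in ascending rule-number order, the first match decides, and the catch-all `*` rule denies whatever nothing else matched. The inbound rule set and the sample packets are constructed; note the explicit ephemeral-port allow, needed because a NACL, unlike a security group, is stateless and does not remember outbound connections.

```python
"""Ordered, first-match NACL evaluation (added example)."""
import ipaddress

MAX_RULE_NUMBER = 32766

# Constructed inbound rules for a private subnet.
INBOUND_RULES = [
    {"number": 100, "protocol": "tcp", "ports": (22, 22),
     "cidr": "10.0.1.0/24", "action": "allow"},   # SSH only from the bastion subnet
    {"number": 110, "protocol": "tcp", "ports": (1024, 65535),
     "cidr": "0.0.0.0/0", "action": "allow"},     # return traffic: NACLs are stateless
    {"number": 120, "protocol": "tcp", "ports": (22, 22),
     "cidr": "0.0.0.0/0", "action": "deny"},      # SSH from anywhere else
    {"number": "*", "protocol": "all", "ports": (0, 65535),
     "cidr": "0.0.0.0/0", "action": "deny"},      # default rule, always last
]


def _order_key(rule):
    """'*' sorts after every numbered rule."""
    return MAX_RULE_NUMBER + 1 if rule["number"] == "*" else rule["number"]


def validate_rules(rules):
    """Numbers must be unique and within 1-32766, and the '*' rule present."""
    numbers = [r["number"] for r in rules]
    if "*" not in numbers or len(set(numbers)) != len(numbers):
        return False
    return all(n == "*" or (isinstance(n, int) and 1 <= n <= MAX_RULE_NUMBER)
               for n in numbers)


def evaluate(rules, protocol, port, src_ip):
    """Return (action, rule number) of the first rule matching the packet."""
    addr = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=_order_key):
        if rule["protocol"] not in ("all", protocol):
            continue
        low, high = rule["ports"]
        if not low <= port <= high:
            continue
        if addr not in ipaddress.ip_network(rule["cidr"]):
            continue
        return rule["action"], rule["number"]
    return "deny", "*"  # only reached if no '*' rule was supplied


if __name__ == "__main__":
    for pkt in (("tcp", 22, "10.0.1.5"), ("tcp", 22, "203.0.113.9"),
                ("udp", 53, "10.0.1.5")):
        print(pkt, evaluate(INBOUND_RULES, *pkt))
```

Swapping the numbers of rules 100 and 120 would make the deny win for the bastion subnet too, which is the usual way NACL mistakes happen: the order, not the set of rules, defines the policy.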

VPC Reachability Analyzer

- A troubleshooting tool for network connectivity between 2 endpoints within the VPC

- Does not send any traffic; creates a model of the network configuration to check reachability

- 0.10$ for every test

Default VPC and VPC Peering

Every region has a default VPC: us-east-1 (EC2 172.31.1.194) and Mumbai / asia-south-1 (192.168.1.0/16 and 172.72.1.0/16 are shown). A custom VPC for Mumbai: 10.0.0.0/16 with EC2 10.0.1.42.

VPC Peering - links between VPC A, VPC B and VPC C over the AWS network, one peering per pair of VPCs.

Hybrid Connectivity

The on-premises customer network (subnet, VM, customer gateway) and the AWS network (subnet, EC2, VPN gateway) talk to each other using a VPN hub over the Internet.

VPN -
data flows through the internet
data is encrypted
B/w is 1.25 GBPS

DIRECT CONNECT - DX
Dedicated connection - 1GBPS to 10 GBPS connectivity
Physical ethernet connectivity to a customer
Request goes to AWS

Diagram: on-premises customer network (router) -> AWS Direct Connect partner cage (endpoint) -> AWS cage -> AWS network / VPC

DIRECT CONNECT - Partner
Request is made to AWS Direct Connect partners
1,2,5,10 GBPS lines

DIRECT CONNECT - Gateway
Diagram: on-premises customer network -> AWS Direct Connect partner cage -> AWS cage -> Direct Connect Gateway -> VPC-1 (EC2) and VPC-2 (EC2)

Direct Connect with high Resiliency
Diagram: on-premises customer network connected to the AWS network through two Direct Connect locations (location-1 and location-2); the VM reaches google.com through AWS.
ENI - Elastic Network Interface

- Logical component in a VPC that represents a virtual network card
- ENI has a private IP address
- One Elastic IP per private IPv4 address
- MAC address
- We can create an ENI independently and attach it to any EC2 instance
- Bound to a specific AZ

Diagram: EC2 instance-1 (Primary ENI - 172.31.44.140) and EC2 instance-2 (Primary ENI - 172.31.47.77) in the AWS network; an additional ENI (172.31.4...) carrying the App can be moved between them, and the Actor reaches the IP assigned to that network interface.

AWS PrivateLink

- Helps to securely expose an application to 1000s of VPCs within or across accounts and regions
- Does not need any VPC peering / IG / NAT / routing tables
- Needs a Network Load balancer (on the service side) and an ENI (on the consumer side)

Diagram: VPC-1 with the Application behind an NLB (the service), consumed from several VPC-2s over the AWS network.

Transit Gateway

- Transitive peering between 1000s of VPCs and on-prem networks
- Regional resource
- Can also work with Direct Connect, VPN
- Supports IP multicast

Diagram: Transit Gateway in the AWS network as the hub for several VPCs (e.g. 10.10.1.5 in VPC-2) and for the on-premises customer network over Direct Connect.

AMAZON S3

- Serverless offering
- Regional resource
- Data is stored in buckets (directories)
- Bucket should have a globally unique name

Naming convention -
no uppercase
no underscore
3-63 characters long
no IP in name
must start with a lowercase letter or a number

Maximum object size is 5TB
Multi-part upload (>5GB)

Versioning on S3 bucket: e.g. s3-linux.iso uploaded as 1G on 12-dec-2021 (version 12344232), then a 2G s3-linux.iso stored as a new version.

Data in transit and data at rest - encrypted
Encryption: username - salman, password - 123456 -> encrypted data jhsgkjnlkcx-=jbcshbcksk, tjdgjhgkjs46j26t72yg -> decryption gives the original back

Methods of encryption of data on S3 -

1. SSE-S3 - Server Side Encryption: keys are handled and managed by AWS (AWS managed key)

2. SSE-KMS - Key Management System: key is managed & handled by KMS

3. SSE-C: key is supplied by the customer; key is not stored on AWS; HTTPS must be used

4. Client side encryption: client encrypts the data before uploading to the bucket; client has to decrypt the data when retrieving from S3
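Pre-flight checks for an S3 upload, serving both the naming convention and the four encryption methods above; this is an added example, not AWS or boto3 code and not code from the notes. The header names are the documented x-amz-server-side-encryption* request headers; the bucket name, KMS key id and customer key are constructed. The SSE-C branch enforces the two caveats from the notes in code: the key is never kept (it is only placed in the request) and the request is refused over plain HTTP.

```python
"""Bucket-name validation and per-method S3 encryption headers (added example)."""
import base64
import hashlib
import ipaddress
import re
import string

_START = set(string.ascii_lowercase + string.digits)
_SHAPE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def validate_bucket_name(name):
    """Return the naming rules the name violates (empty list = acceptable)."""
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("must be 3-63 characters long")
    if name != name.lower():
        problems.append("no uppercase letters")
    if "_" in name:
        problems.append("no underscores")
    if name and name[0] not in _START:
        problems.append("must start with a lowercase letter or a number")
    try:
        ipaddress.ip_address(name)
        problems.append("must not be formatted as an IP address")
    except ValueError:
        pass
    if not problems and not _SHAPE.match(name):
        problems.append("only lowercase letters, digits, dots and hyphens, "
                        "ending in a letter or digit")
    return problems


def encryption_headers(mode, *, kms_key_id=None, customer_key=None, scheme="https"):
    """Request headers for one of the four encryption methods."""
    if mode == "SSE-S3":
        return {"x-amz-server-side-encryption": "AES256"}
    if mode == "SSE-KMS":
        headers = {"x-amz-server-side-encryption": "aws:kms"}
        if kms_key_id:  # omitted -> the account's default S3 key in KMS
            headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
        return headers
    if mode == "SSE-C":
        if scheme != "https":
            raise ValueError("SSE-C requires HTTPS: the key travels in the headers")
        if not isinstance(customer_key, bytes) or len(customer_key) != 32:
            raise ValueError("SSE-C needs a 256-bit (32-byte) key")
        key_b64 = base64.b64encode(customer_key).decode()
        # S3 uses the MD5 of the raw key only as an integrity check on the header.
        key_md5 = base64.b64encode(hashlib.md5(customer_key).digest()).decode()
        return {
            "x-amz-server-side-encryption-customer-algorithm": "AES256",
            "x-amz-server-side-encryption-customer-key": key_b64,
            "x-amz-server-side-encryption-customer-key-MD5": key_md5,
        }
    if mode == "CLIENT":
        return {}  # object is encrypted before upload; nothing for S3 to do
    raise ValueError(f"unknown encryption mode {mode!r}")


if __name__ == "__main__":
    import os
    print(validate_bucket_name("NewKart_Backups"))
    print(encryption_headers("SSE-C", customer_key=os.urandom(32)))
```

With SSE-C the same key and MD5 headers must be sent on every GET as well, which is the practical meaning of "key is not stored on AWS": lose the key and the object is unreadable.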
