Issued by: Zeal Vora
Representative: instructors@kplabs.in
Module 1: End to End VPC Creation
Understand the exact step by step approach to create VPC based infrastructure
Be very thorough with each step and concept related to the above topics.
Make sure NAT Gateways are deployed in Multiple AZ for high availability.
Module 3: Internet Gateway
Module 4: EC2 Instance Types
Other approaches like PrivateLink endpoint with NLB can be used if there are a lot of accounts
and services that need to communicate with each other across accounts.
Unsupported VPC Peering Configurations - 1
You cannot create a VPC peering connection between VPCs with matching or overlapping IPv4
CIDR blocks.
Module 7: Transit Gateways
A transit gateway is a network transit hub that you can use to interconnect your virtual private
clouds (VPCs) and on-premises networks.
You can attach all your hybrid connectivity (VPN and Direct Connect connections) to a single
Transit Gateway, consolidating and controlling your organization's entire AWS routing
configuration in one place.
For a use-case where consistent, dedicated throughput is required, Direct Connect (DX) is the right answer.
The two sites can be AWS and an on-premises data center, or even two different VPCs.
Traffic is encrypted.
If a consistent and dedicated connection is required, AWS Direct Connect is the better option.
● Public IP changes. It is not locked to your AWS account; stopping and starting the instance
assigns a new public IP.
● EIP is static as well as movable.
By default, the IAM user does not have any permission associated with it.
AWS evaluates the policies, and depending on that, the permission is granted or denied.
Module 14: Deny in IAM Policy
An explicit deny in an IAM policy always takes precedence over an allow.
An IAM policy attached to a group applies to all users that are members of that group.
Module 16: IAM Role
An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that
determine what the identity can and cannot do in AWS.
The Condition element lets you specify conditions for when a policy is in effect.
Module 18: Example Use-Case - IAM
Alice has created a Lambda function that monitors the CPU utilization of EC2 instances. If CPU
utilization is less than 10%, the Lambda function stops the instance.
Final Decision: Alice can set up Lambda, but it will not be able to stop the EC2.
AWS Organizations allows you to set Service Control Policies (SCPs) to control access in the linked
(member) accounts.
Two available feature sets: Consolidated Billing Features and All Features (SCP + Billing).
To grant ("allow") access, use IAM policies, not SCPs: an SCP only sets the maximum permissions
available in an account and does not grant permissions by itself.
● Standard
● Intelligent-Tiering
● Standard-IA
● One Zone-IA
● Glacier
● Glacier Deep Archive
● Reduced Redundancy
Module 12: S3 Pointers
S3 Versioning allows you to keep multiple variants of an object in the same S3 bucket. It can
protect against accidental deletion.
Lifecycle policies allow you to automatically review objects within your S3 buckets and have
them moved to different S3 storage classes or deleted from S3.
When uploading data via multipart upload, each part is given a part number that identifies its
position in the uploaded object. AWS uses these part numbers to reassemble the data.
Module 14: S3 Transfer Acceleration
S3 Transfer Acceleration utilizes the CloudFront edge network to accelerate your uploads to S3.
Instead of uploading directly to S3, you can use a unique URL to directly upload to the edge
location which will then transfer the file to S3.
S3 Encryption - Use-Case
For use-cases where the encryption keys must be highly available and where control of keys on a
per-user basis is required, the following option can be used:
AWS SSE with customer managed keys. These keys can be stored in CloudHSM.
For use-cases where data must be encrypted in transit (HTTPS), you can use a bucket policy to
enforce HTTPS-only connections.
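The IAM evaluation rules in these notes (default deny, explicit deny over allow, group policies applying to members, the Condition element, SCPs that restrict but never grant, and the HTTPS-only bucket policy) can be modelled in a few lines. The following is an added example written for this page, not code from the course or from AWS; the policies, principals and bucket name are constructed, and only single-string Action/Resource values and the Bool condition operator are modelled:

```python
import fnmatch

def _matches(stmt, action, resource, ctx):
    """Does the statement apply? Single-string Action/Resource with wildcards only."""
    if not (fnmatch.fnmatch(action, stmt["Action"]) and fnmatch.fnmatch(resource, stmt["Resource"])):
        return False
    # Only the Bool operator is modelled; a missing context key fails the test, so a
    # conditional Deny fires only when the key is present with the stated value.
    for key, want in stmt.get("Condition", {}).get("Bool", {}).items():
        if str(ctx.get(key, "")).lower() != want.lower():
            return False
    return True

def _decide(policies, action, resource, ctx):
    """Default deny; any matching Deny wins over every Allow."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _matches(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"

def evaluate(action, resource, identity_policies, scps=(), resource_policy=None, ctx=None):
    ctx = ctx or {}
    # SCPs are a ceiling: the request must pass them, but an SCP Allow grants nothing
    # by itself; an identity or resource policy still has to allow the action.
    if scps and _decide(scps, action, resource, ctx) != "Allow":
        return "Deny (SCP)"
    policies = list(identity_policies) + ([resource_policy] if resource_policy else [])
    return _decide(policies, action, resource, ctx)

# Constructed sample policies (added example, not from the course or a real account).
BUCKET_OBJECTS = "arn:aws:s3:::example-bucket/*"
GROUP_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": BUCKET_OBJECTS}]}
USER_POLICY = {"Statement": [{"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]}
HTTPS_ONLY = {"Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": BUCKET_OBJECTS,
                             "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
FULL_ACCESS_SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
NO_S3_SCP = {"Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}

def scenarios():
    obj, member = "arn:aws:s3:::example-bucket/report.csv", [GROUP_POLICY, USER_POLICY]
    https, http = {"aws:SecureTransport": "true"}, {"aws:SecureTransport": "false"}
    return {"no_policy": evaluate("s3:GetObject", obj, [], [FULL_ACCESS_SCP], ctx=https),
            "group_allow_https": evaluate("s3:GetObject", obj, member, [FULL_ACCESS_SCP], HTTPS_ONLY, https),
            "deny_beats_allow": evaluate("s3:DeleteObject", obj, member, [FULL_ACCESS_SCP], ctx=https),
            "plain_http": evaluate("s3:GetObject", obj, member, [FULL_ACCESS_SCP], HTTPS_ONLY, http),
            "scp_ceiling": evaluate("s3:GetObject", obj, member, [FULL_ACCESS_SCP, NO_S3_SCP], ctx=https)}
```

Real IAM also handles action lists, case-insensitive action names, many condition operators and cross-account rules; this model keeps only what the notes above describe.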
Module 16: Presigned URLs
All objects in S3 are ‘Private’ by default.
However, the Object owner can optionally share objects with others by creating a pre-signed
URL to grant time-limited permission to download the object.
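A presigned URL is just a normal S3 request URL whose query string carries the signer's key ID, a timestamp, an expiry in seconds and a SigV4 signature over all of that, so the expiry cannot be changed without invalidating the signature. The block below is an added example written for this page (not course or AWS SDK code) that builds such a URL for a GET and then re-runs the two checks the service performs; the bucket, object key, key ID, secret and timestamp are constructed placeholder values:

```python
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit

ALGO = "AWS4-HMAC-SHA256"

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _canonical_query(params):
    return "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(params.items()))

def _signature(secret, region, date, host, path, query, amz_date):
    """SigV4: hash the canonical request, then HMAC it with the derived signing key."""
    scope = f"{date}/{region}/s3/aws4_request"
    canonical = "\n".join(["GET", path, query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join([ALGO, amz_date, scope, hashlib.sha256(canonical.encode()).hexdigest()])
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, "s3", "aws4_request"):  # date -> region -> service -> request
        key = _hmac(key, part)
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()

def presign_get(bucket, key, access_key, secret, region, expires, now_ts):
    """Presigned GET URL valid for `expires` seconds from `now_ts` (Unix time, UTC)."""
    now = dt.datetime.fromtimestamp(now_ts, dt.timezone.utc)
    host, path = f"{bucket}.s3.{region}.amazonaws.com", "/" + quote(key, safe="/")
    amz_date, date = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    params = {"X-Amz-Algorithm": ALGO, "X-Amz-Credential": f"{access_key}/{date}/{region}/s3/aws4_request",
              "X-Amz-Date": amz_date, "X-Amz-Expires": str(expires), "X-Amz-SignedHeaders": "host"}
    query = _canonical_query(params)
    return f"https://{host}{path}?{query}&X-Amz-Signature={_signature(secret, region, date, host, path, query, amz_date)}"

def check_presigned(url, secret, now_ts):
    """The service-side checks: expiry window first, then the signature over the URL."""
    u = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    issued = dt.datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    if now_ts > issued.timestamp() + int(q["X-Amz-Expires"]):
        return "expired"
    _, date, region, _, _ = q["X-Amz-Credential"].split("/")
    query = _canonical_query({k: v for k, v in q.items() if k != "X-Amz-Signature"})
    expected = _signature(secret, region, date, u.netloc, u.path, query, q["X-Amz-Date"])
    return "ok" if hmac.compare_digest(expected, q["X-Amz-Signature"]) else "bad signature"

# Constructed sample values; the key ID and secret below are placeholders, not real credentials.
NOW_TS = 1704110400  # 2024-01-01T12:00:00Z
if __name__ == "__main__":
    url = presign_get("example-bucket", "reports/q1.csv", "AKIAEXAMPLE", "secretexample", "us-east-1", 600, NOW_TS)
    print(url, check_presigned(url, "secretexample", NOW_TS), check_presigned(url, "secretexample", NOW_TS + 601))
```

Whoever holds the URL gets exactly the signer's permissions on that object until X-Amz-Expires elapses, which is why presigned URLs should be generated by an identity scoped to the objects being shared.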
EC2 instances need to periodically back up all their data to an S3 bucket in Account A.
To get access to the object, the object owner must explicitly grant you (the bucket owner)
access.
Recovery Point Objective (RPO) is concerned with data: it is the maximum period of time for
which data loss can be tolerated.
Module 20: Route53 Health Checks
Amazon Route 53 health checks monitor the health of your resources, such as web servers.
If the health check fails, you can configure Route 53 to route traffic to a static website hosted in an S3 bucket.
You can also copy the AMI to a different AWS Region and share it across AWS accounts.
You should know basic auto-scaling concepts like Launch Configuration, Auto-Scaling Groups.
You cannot modify a launch configuration after it is created. For any update, create a new launch
configuration.
For use-cases where you expect heavy traffic and want to serve requests with minimal delay and
latency, you can increase the read capacity and write capacity units of the DynamoDB table.
Amazon RDS Read Replicas enable you to create one or more read-only copies of your
database instance within the same AWS Region or in a different AWS Region.
If database reads are causing high I/O and slowing down the database, you can decide to
launch multiple read replicas.
Module 28: Scalability Aspect - RDS
Multi-AZ
Read replicas:
Aurora Global Database allows a single Amazon Aurora database to span multiple AWS
regions.
It replicates your data with no impact on database performance, enables fast local reads with
low latency in each region, and provides disaster recovery from region-wide outages.
Module 30: EBS and Instance Store Volumes
EBS volumes:
● Persistent Storage.
● Size and Volume Types can be increased while being attached to EC2.
Instance Store:
Amazon FSx provides highly cost-effective, fully managed, shared cloud file storage for
Windows and Linux applications.
It is built to scale on demand to petabytes without disrupting applications, growing and shrinking
automatically as you add and remove files.
Example Use-Case:
An organization has a 50 Mbps connection and 500 TB of data that it wants to migrate to S3 in
the next 2 weeks. Which services can be used?
● VPN
● S3 Transfer Acceleration
● Direct Connect
● Snowball
i) Internet (Expensive)
ii) Region to Region
iii) Inter Availability Zone
iv) VPC Peering
To minimize data transfer costs between on-premises and AWS, you can host your application in
the same region / AZ as the AWS resource it communicates with.
Module 37: Data Sync
AWS DataSync makes it simple and fast to move large amounts of data online between
on-premises storage and Amazon S3, Amazon Elastic File System (Amazon EFS), or Amazon
FSx for Windows File Server.
CloudFront has a feature of “Geo Restriction”. With Geo Restriction, you can choose the
countries where you want Amazon CloudFront to deliver your content.
Module 41: Lambda@Edge
Lambda@Edge is a feature of Amazon CloudFront that lets you run code closer to users of your
application, which improves performance and reduces latency.
For use-cases where you want to change behaviour without modifying application code,
Lambda@Edge can be used; for example, adding compression to reduce data transfer costs.
AWS Shield and AWS Shield Advanced can be used for DDoS protection.
AWS Global Accelerator is a service that improves the availability and performance of your
applications with local or global users.
It provides static IP addresses that act as a fixed entry point to your application endpoints in a
single or multiple AWS Regions.
Module 44: Global Accelerator
AWS SQS is a fast, reliable, scalable, and fully managed message queuing service.
For use-cases where the first (producer) application is faster than the second (consumer)
application, you can decouple them via an SQS queue.
Module 45: S3 Object Notification with SQS
You can configure S3 object notification and integrate it with multiple AWS services including
SQS, SNS.
Example Use-Case:
API developers can create APIs that access AWS or other web services, as well as data stored
in the AWS Cloud.
To specify an IAM role for the tasks when using the AWS CLI or SDKs, pass your task role ARN in
the taskRoleArn parameter.
Module 49: Miscellaneous Pointers
If you are facing spam or an attack from a specific set of IP addresses, you can block them at the
Network ACL level and also with WAF.
For increasing security for AWS logins, you can consider using MFA + Strong Passwords.
If you are using CloudFront and want to block a specific set of IPs, you can associate WAF with
CloudFront.
For I/O performance-related use-cases, note that I/O performance is set at the storage level (the
EBS volume), not at the EC2 instance level.
Resiliency is the ability of a server, network, storage system, or entire data center, to recover
quickly and continue operating even when there has been an equipment failure, power outage,
or other disruption.
For use-cases where there can be unpredictable growth and burst in traffic, you can prefer
serverless services like DynamoDB, Lambda, API Gateway, and others.
Static websites can be hosted in S3 instead of EC2 instances. This can save a good amount of
costs.
Best of Luck for Exams, Rockstar!
We invite you to join our Discord community, where you can interact with our support team for
any course-based technical queries and connect with other students who are doing the same
course.
Joining URL:
http://kplabs.in/chat