Beginner / Foundations / Fundamentals: AWS, products, services, etc.
Install / configure / modify / implement best practices: SysOps Administrator / Associate
Design: Solutions Architect
CloudOps

EC2 - Elastic Compute Cloud
  Virtualization platform: secure and resizable compute capacity
  11th consecutive year - AWS is the leader in the market for IaaS and PaaS workloads
  EC2 is IaaS
    Infrastructure - managed by AWS
    Customer - deploys the OS, patching, backup, monitoring, integration with ITSM (CMDB, etc.); installs the apps and middleware; upgrades the OS and apps
  Instances = VMs or VSs (virtual machines / virtual servers in the AWS cloud); 400+ instance types available for your workload (business apps, utility apps, etc.)
  Operating systems: Windows, Linux (Amazon Linux, RHEL, SLES, Ubuntu, etc.), macOS; x86 and ARM processors; only 64-bit OS
  Amazon Linux 2 (Amazon Linux 1 - around in Dec 2020)
  Pricing: priced per hour, billed per minute
  Free tier only -
  Hypervisor: AWS Nitro (Amazon's proprietary virtualization tech); compare Xen, KVM, VMware, etc.
  Compute: CPU, memory, network transactions
  Storage: hard disks
  Ways to manage EC2:
    GUI - AWS Management Console (portal) - console.aws.amazon.com, https://console.aws.amazon.com/ec2
    CLI - AWS CLI, PowerShell
    Templates - CloudFormation (YAML, JSON); any IaC, e.g. Terraform
    REST API / SDKs

Server hardware, storage hardware - managed by AWS

AMI - Amazon Machine Image
  An AMI is a template that contains the software configuration (operating system, application server, and applications) required to launch your instance
  Templates / images help you reduce the manual effort of redoing the installation of tools, enabling services and making config changes
  Create instance from AMI - single deployment or mass deployment
  Plain image vs combination of OS + apps + tools / services + configuration
  Gold disk / golden image - Windows image + OS + apps + drivers, etc.
  Hardening - best practices, legal / compliance requirements (HIPAA, ISO, CIS, etc.)
  Image refresh cadence: Windows monthly, Linux quarterly; promote through non-prod, QA, prod
  Sources:
    Amazon Marketplace - e.g. CIS AMIs: hardened in accordance with the associated CIS Benchmark that has been developed by consensus to be the industry best practice for secure configuration. Reduce cost, time, and risk by building your AWS solution with CIS AMIs.
    My AMIs - how to create your own AMIs
    Community AMIs
  An AMI is tied to a region - copy the AMI to the destination region
  Launch permissions:
    Public - all AWS accounts
    Explicit - specific AWS account, organization or OU
    Implicit - owner only
Instance types
  EC2 provides you a combination of resources (CPU, memory, network, storage, etc.)
  Optimized instance types have varying combinations of CPU, memory, storage, and networking capacity, and give you the flexibility to choose the appropriate mix of resources for your applications
  Naming, e.g. r3.large: r = family, 3 = technology / version (generation), .large / .2xlarge / .4xlarge = T-shirt size
  Current generation is recommended
  Resizing, e.g. r5.large to r5.xlarge - downtime is required

  General purpose (T family - baseline / burstable) - balanced CPU, memory and storage
    Web servers, code repositories, test / POC / dev, small DB servers, small apps
  Compute optimized (starts with c) - CPU ratio is higher
    Application servers, small gaming servers, mid-size web servers, batch jobs / processing, network appliances
    Intel AVX, AVX2, Intel Turbo; Intel Broadwell, Intel Skylake; AMD EPYC
  Memory optimized (starts with r; also the X family - Intel Broadwell) - RAM / memory ratio is higher
    Relational DB servers (MS SQL, MySQL, Oracle, ...), SAP HANA, NetWeaver, Hekaton; in-memory analytics, caching, etc.; Redis caching
  Storage optimized (starts with i - metric: IOPS; starts with d - disk / dense storage)
    Big data, data warehousing, NoSQL DB; low-latency R/W; 2x NVMe SSD; AWS Nitro SSD; AI / ML; OLTP
  Graphics optimized / accelerated computing (starts with g)
    Visualization, 3D application requirements, ML workloads, weather patterns, chemical labs, Apache Spark, MPI applications
    GPU - NVIDIA A100 Tensor Core GPUs; EFA - Elastic Fabric Adapter
    Video streaming / live streaming, video rendering, Bitcoin mining, etc., genomic research
  F - FPGA (Field Programmable Gate Array) - hardware acceleration

  Free tier
    Micro instances are eligible for the AWS free usage tier. For the first 12 months following your AWS sign-up date, you get up to 750 hours of micro instances each month. When your free usage tier expires or if your usage exceeds the free tier restrictions, you pay standard, pay-as-you-go service rates.
    t2.micro - Free Tier eligible
    750 hours per month of Linux, RHEL, or SLES t2.micro or t3.micro instance, dependent on region
    750 hours per month of Windows t2.micro or t3.micro instance, dependent on region
Purchasing options
  On-demand pricing - pay-as-you-go, pay per usage / consumption model; no long-term commitment; short-term workloads
  Long-term workloads:
    Savings Plans - Compute Savings Plan, EC2 Savings Plan; offering savings up to 72%
    Reserved Instances - Standard RI (commitment), Convertible RI (flexibility)
      1-year or 3-year term, tied to commitment; upfront investment, monthly / yearly costs; tied to a region
      Payment option - all upfront, partial upfront, monthly
      Early deletion / termination charges; pro-rata charges
      99.99 SLA, EDP, MAP
      Capacity reservations
  Scheduled instances - based on the particular workload: particular day, particular time of a day, particular month
  Spot instances - unused / free capacity; bidding option; no SLA, no commitment, no contract; testing, POC, ...
    Market price - fair value, e.g. 0.5$ to 0.8$; supply / demand / fluctuation
    Spot instance runs as long as capacity is available and your maximum price is higher than the spot price (AWS market price)
    Example: 6 web servers = 4 web servers + 2 web servers in spot

Tenancy
  Tenants - you can choose to run your instances on physical servers fully dedicated for your use. The use of host tenancy will request to launch instances onto Dedicated Hosts
  Shared instances
  Dedicated Host (hardware) - legal / compliance requirements, licensing requirements; physical server hardware is dedicated; pay for a physical host dedicated fully to a customer for running their own multiple EC2 instances; you have visibility over physical host usage; business apps
  Dedicated instance - dedicated VMs; VPC on hardware dedicated to a single customer; they are physically isolated (physical host hardware...)
Configure instance details
  Configure the instance to suit your requirements. You can launch multiple instances from the same AMI, request Spot instances to take advantage of the lower pricing, assign an access management role to the instance, and more
  Number of instances
  Request spot option (bidding option)
  Network - default VPC, subnet, public IP
  Hostname - create hostname, dynamic A (DNS) record
  Shutdown behavior - stop instance (reduces compute costs; you still pay for storage costs) or terminate instance (delete instance)
  Domain join directory - join to AD domain (AD directory)
  IAM role - service account / managed identity
  Hibernation - perform hibernation (suspend to the disk): save the contents from instance memory (RAM) to your Amazon EBS disk / root volume
  Termination protection - avoid accidental deletion; protect against accidental termination
  Monitoring - CloudWatch
    Basic - free of cost
    Detailed - additional cost: enabling the service + storing additional data for the new metrics. After you enable detailed monitoring, the Amazon EC2 console displays monitoring graphs with a 1-minute period for the instance.
  Tenancy - dedicated host, dedicated instance, shared instance
  Instance ID
  L&D
Placement strategy
  Affinity - keep the systems that are related together (e.g. 3-tier apps: web / app / DB)
  Anti-affinity - separate the systems that are identical in purpose (e.g. 2 domain controllers, 3 web servers); like an availability set
  Cluster (affinity) - same rack, same hardware, same AZ; low latency, high-performance interactions, high network throughput (10 Gbps); tightly coupled apps
  Partition / Spread (anti-affinity) - span across multiple AZs (DCs), different rack, different hardware
    Up to 7 partitions in an AZ (datacenter)
    Not supported for dedicated hosts
    Not supported for dedicated instances
  Layers: operating system, application, data, database
Storage
  EBS - Elastic Block Store - permanent / persistent storage: OS volume; software, binaries, executables
  Instance store - temporary store: page file (virtual memory), temp files
  SSD - solid state drive (flash drive); HDD - hard disk drive (magnetic drive)
  Units - decimal vs binary:
    KB = 1000 bytes, MB = 1000 squared, GB, TB
    KiB = 1024 bytes, MiB = 1024 squared, GiB

  SSD volume types
    General Purpose - gp2, gp3
      Web servers, code repositories, test / POC / dev, small DB servers, small apps
      Always go for the latest generation - latest generations are cheaper and perform well; gp3 is 25% cheaper than gp2
      Min: 1 GiB, Max: 16384 GiB
    Provisioned IOPS - io1, io2
      Business critical / mission critical; video rendering; memory-intensive
      Cassandra, Vertica, HBase, etc.; MySQL, MS SQL, Oracle, SAP HANA, ..., IBM DB2
      io1: Min: 4 GiB, Max: 16384 GiB
      io2 (Provisioned IOPS SSD): Min: 4 GiB, Max: 65536 GiB. Volumes with a size greater than 16 TiB, IOPS greater than 64,000, or IOPS:GiB ratio greater than 500:1 are supported with R5b instances only.
  HDD volume types
    Throughput Optimized - frequently accessed data; live streaming; data warehousing; Apache Spark, Hadoop clusters; big data; event hub
      125 GiB to 16 TiB (Min: 125 GiB, Max: 16384 GiB)
    Cold Storage - archived data; long-term retention; auditing data; historical data; audit log - SIEM; rarely used / infrequently used data
      Min: 125 GiB, Max: 16384 GiB. The value must be an integer.
    Magnetic - less critical workloads; backup
      Min: 1 GiB, Max: 1024 GiB.

  Modifying volumes
    The size of a volume can only be increased, not decreased.
    If you are increasing the size of the volume, you must extend the file system to the new size of the volume. You can only do this when the volume enters the optimizing state
  Device names
    Linux: /dev/sda to /dev/sdz; /dev/xvd[a-z] (e.g. /dev/xvdb); NVMe SSD: /dev/nvme[0-26]
    Windows device names: xvdf through xvdp
  Virtualization type: paravirtual; HVM - hardware virtual machine
  Root volume: instance OS; delete on termination is on by default; minimum size Linux 8 GiB, Windows 30 GiB
  Your instance will be launched with the following storage device settings. You can attach additional EBS volumes and instance store volumes to your instance, or edit the settings of the root volume. You can also attach additional EBS volumes after launching an instance, but not instance store volumes.
Security group
  A security group is a set of firewall rules that control the traffic for your instance. On this page, you can add rules to allow specific traffic to reach your instance. For example, if you want to set up a web server and allow Internet traffic to reach your instance, add rules that allow unrestricted access to the HTTP and HTTPS ports. You can create a new security group or select from an existing one below.
  Rules with source of 0.0.0.0/0 allow all IP addresses to access your instance. We recommend setting security group rules to allow access from known IP addresses only.
  Security group = virtual firewall at the instance level - first line of defense
  Operating system firewall behind it: Windows Firewall; Linux iptables
  There can be multiple SGs attached to the same EC2 instance - the union of rules from the different SGs applies
  One SG can be attached to multiple EC2 instances
  SGs are stateful - allowing inbound automatically allows the return outbound traffic on the specific port/protocol
  Rule - inbound / outbound, specific port
  Security rules - access from a specific range of IPs: jump server on RDP; client range of IPs - web sites
  Any rule you create or edit will have immediate effect
  SGs only allow traffic; there is no DENY. By default, all traffic is denied
  Avoid permissive rules
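The rules above (allow-only, default deny, union of all attached groups, 0.0.0.0/0 meaning every address) can be checked in a few lines. The following is an added example, not code from the notes or from AWS: it evaluates whether a packet would be admitted by the union of two constructed security groups and flags Internet-wide rules on ports other than the intended public HTTP/HTTPS ports. The group ids, CIDRs and rule layout are constructed sample data loosely shaped like the IpPermissions structure; no AWS API is called.

```python
"""Evaluate the effective inbound rules of security groups attached to one instance."""
import ipaddress

# Constructed sample data: two security groups attached to the same instance.
SG_WEB = {
    "GroupId": "sg-web-example",
    "Inbound": [
        {"Protocol": "tcp", "FromPort": 80, "ToPort": 80, "Cidr": "0.0.0.0/0"},
        {"Protocol": "tcp", "FromPort": 443, "ToPort": 443, "Cidr": "0.0.0.0/0"},
    ],
}
SG_ADMIN = {
    "GroupId": "sg-admin-example",
    "Inbound": [
        # RDP only from the jump-server range, as the notes recommend.
        {"Protocol": "tcp", "FromPort": 3389, "ToPort": 3389, "Cidr": "10.0.5.0/24"},
        # SSH open to the whole Internet: the pattern an audit should flag.
        {"Protocol": "tcp", "FromPort": 22, "ToPort": 22, "Cidr": "0.0.0.0/0"},
    ],
}


def effective_inbound(groups):
    """Union of inbound rules across every group attached to the instance."""
    rules = []
    for g in groups:
        for r in g["Inbound"]:
            rules.append(dict(r, GroupId=g["GroupId"]))
    return rules


def is_allowed(groups, protocol, port, source_ip):
    """Default deny: admitted only if some rule in the union matches protocol, port and source."""
    src = ipaddress.ip_address(source_ip)
    for r in effective_inbound(groups):
        if r["Protocol"] != protocol:
            continue
        if not (r["FromPort"] <= port <= r["ToPort"]):
            continue
        if src in ipaddress.ip_network(r["Cidr"]):
            return True
    return False


def permissive_rules(groups, allowed_public_ports=(80, 443)):
    """Rules with a /0 source on ports that were not meant to be public, as (group, protocol, port)."""
    findings = []
    for r in effective_inbound(groups):
        if ipaddress.ip_network(r["Cidr"]).prefixlen != 0:
            continue  # a specific range, which is what the notes recommend
        for port in range(r["FromPort"], r["ToPort"] + 1):
            if port not in allowed_public_ports:
                findings.append((r["GroupId"], r["Protocol"], port))
    return findings


if __name__ == "__main__":
    attached = [SG_WEB, SG_ADMIN]
    print("HTTPS from the Internet:", is_allowed(attached, "tcp", 443, "203.0.113.9"))
    print("RDP from the jump host: ", is_allowed(attached, "tcp", 3389, "10.0.5.7"))
    print("RDP from the Internet:  ", is_allowed(attached, "tcp", 3389, "203.0.113.9"))
    for finding in permissive_rules(attached):
        print("permissive rule:", finding)
```

Because the groups are combined as a union, a tightly scoped web group gives no protection once a second group with an Internet-wide rule is attached to the same instance; the audit therefore runs over the union, not over each group alone.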
Tags
  A tag is a custom label that you assign to an AWS resource. You can use tags to help organize and identify your instances.
  A tag consists of a case-sensitive key-value pair. For example, you could define a tag with key = Name and value = Webserver. A copy of a tag can be applied to volumes, instances or both. Tags will be applied to all instances and volumes. Learn more about tagging your Amazon EC2 resources.
  Key:Value store - for identification
    Name: xyzindweb001
    Department: M&S
    Environment: Prod / Dev / Test
    Business Owner
    Application owner
    Purpose: Web - XYZ
  50 tags per resource
  Tag - instances, volumes & network interfaces
  Benefits: better governance, better categorization, better administration, better identification
  Uses: patching (write a query to add the systems - tag for env: Prod; role: web), monitoring, backup, billing, indexing
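The patching query in the notes (select systems tagged env: Prod, role: web) and the tag facts (case-sensitive keys, 50 tags per resource) are easy to get wrong in scripts, so here is an added example, not code from the notes, that selects instances by exact tag match and reports resources that miss required keys or exceed the limit. The inventory, instance ids and required-key list are constructed sample data shaped like the Tags list returned by describe-instances; nothing is fetched from AWS.

```python
"""Tag-based selection and a simple tag-compliance report over a constructed inventory."""

MAX_TAGS_PER_RESOURCE = 50  # limit quoted in the notes

# Constructed inventory: instance id -> list of {"Key", "Value"} tags.
INVENTORY = {
    "i-web001-example": [
        {"Key": "Name", "Value": "xyzindweb001"},
        {"Key": "Environment", "Value": "Prod"},
        {"Key": "Role", "Value": "web"},
        {"Key": "Department", "Value": "M&S"},
    ],
    "i-web002-example": [
        {"Key": "Name", "Value": "xyzindweb002"},
        {"Key": "environment", "Value": "Prod"},  # lower-case key: a different tag
        {"Key": "Role", "Value": "web"},
    ],
    "i-db001-example": [
        {"Key": "Name", "Value": "xyzinddb001"},
        {"Key": "Environment", "Value": "Prod"},
        {"Key": "Role", "Value": "db"},
    ],
}

REQUIRED_KEYS = ("Name", "Environment", "Role")  # assumed tagging standard for this example


def tags_as_dict(tag_list):
    """Flatten [{'Key': k, 'Value': v}, ...] into a dict; keys keep their case."""
    return {t["Key"]: t["Value"] for t in tag_list}


def select_by_tags(inventory, **wanted):
    """Instance ids whose tags match every key=value given (exact, case-sensitive)."""
    matches = []
    for instance_id, tag_list in inventory.items():
        tags = tags_as_dict(tag_list)
        if all(tags.get(k) == v for k, v in wanted.items()):
            matches.append(instance_id)
    return sorted(matches)


def tag_compliance(inventory, required=REQUIRED_KEYS):
    """{instance id: [problems]} for resources missing required keys or over the tag limit."""
    report = {}
    for instance_id, tag_list in inventory.items():
        problems = []
        tags = tags_as_dict(tag_list)
        for key in required:
            if key not in tags:
                problems.append(f"missing tag {key}")
        if len(tag_list) > MAX_TAGS_PER_RESOURCE:
            problems.append(f"{len(tag_list)} tags exceeds limit of {MAX_TAGS_PER_RESOURCE}")
        if problems:
            report[instance_id] = problems
    return report


if __name__ == "__main__":
    # The patching query from the notes: Environment = Prod, Role = web.
    print("patch targets:", select_by_tags(INVENTORY, Environment="Prod", Role="web"))
    print("compliance:", tag_compliance(INVENTORY))
```

The second instance is silently skipped by the patching query because its key is "environment" rather than "Environment"; the compliance report is what surfaces that, which is why a tag standard should be enforced before tags are used to drive patching or backup.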
Status checks (Info)
  Status checks detect problems that may impair i-004a67efb3fb9ba84 (awswebapp1) from running your applications.
  System status checks - host / server hardware: "System reachability check passed"
  Instance status checks - virtual machine / guest VM / OS: "Instance reachability check passed"

IP addresses
  Public IP address - connecting from the Internet / WAN
  Private IP address - internal to AWS, or you can connect from your on-premises network via VPN or jump servers
KEY PAIRS
  A key pair consists of a public key that AWS stores, and a private key file that you store. Together, they allow you to connect to your instance securely. For Windows AMIs, the private key file is required to obtain the password used to log into your instance (administrator). For Linux AMIs, the private key file allows you to securely SSH into your instance. Amazon EC2 supports ED25519 and RSA key pair types.
  Key pair is valid for a specific region
  Public key - stored in the AWS platform; private key - stored on the customer side
  You have to download the private key file (*.pem file) before you can continue. Store it in a secure and accessible location. You will not be able to download the file again after it's created.
  Private exchange mail
  Launch log:
    Creating security groups Successful (sg-097d94d0640c36a81)
    Authorizing inbound rules Successful
    Initiating launches Successful

Connecting
  SSH - Linux: SSH client, PuTTY, browser-based embedded client
    Amazon Linux default user account: ec2-user
    PuTTY uses .ppk (PuTTY Private Key) - convert .pem to .ppk with puttygen (PuTTY Key Generator)
  RDP - Windows: you can connect to your Windows instance using a remote desktop client of your choice, and by downloading and running the RDP shortcut file below
    You need to have the private key (pem) file to decrypt the password
    n&uzBdB7vy6VWDkjmTa*VoK6!X7-WI3K
  EC2 Instance Connect - doesn't need a key pair
  Machine / operating system

CLOUD-INIT
  Startup script (user data) - add some drivers, packages, etc.; login script

#!/bin/bash
yum update -y
yum install httpd -y
systemctl start httpd
systemctl enable httpd
cd /var/www/html
echo "Welcome to Azure with Stan - Apache Web Server 2" > index.html
Load Balancer
  High availability / redundancy; distributing load / distributing traffic
  Virtual IP / virtual FQDN, e.g. stanlb1-ab9fc223b35b2b8a.elb.us-east-1.amazonaws.com
  Elastic Load Balancers
    Network Load Balancer - The Network Load Balancer distributes incoming TCP and UDP traffic across multiple targets such as Amazon EC2 instances, microservices, and containers. When the load balancer receives a connection request, it selects a target based on the protocol and port that are specified in the listener configuration, and the routing rule specified as the default action.
    Application Load Balancer - Layer 7 (HTTP/HTTPS); Web Application Firewall
  Routing decisions - algorithm: round robin; hash routing algorithm over the 5-tuple (source IP, source port, destination IP, destination port, protocol) or 3-tuple
  Health checks - verify whether the backend systems are online (ping + HTTP) -> healthy / unhealthy. The associated load balancer periodically sends requests, per the settings below, to the registered targets to test their status
  Naming convention - Name must be unique within your AWS account and cannot be changed after the load balancer is created. A maximum of 32 alphanumeric characters including hyphens are allowed, but the name must not begin or end with a hyphen.
  Scheme - internet-facing (public Internet) or internal (intranet / VPN / within cloud). This setting of scheme cannot be changed later
  Mapping - Select at least one Availability Zone and one subnet for each zone. We recommend selecting at least two Availability Zones. The load balancer will route traffic only to targets in the selected Availability Zones. Zones that are not supported by the load balancer or VPC cannot be selected. Subnets can be added, but not removed, once a load balancer is created.
  Listener - A listener is a process that checks for connection requests, using the protocol and port you configure. Traffic received by the listener is then routed per your specification.
  Target group - register targets: can be EC2 instances, IP addresses, containers, ALB
    Instance 1 - physical IP 1 (A)
    Instance 2 - physical IP 2 (P)
    Instance 3 - physical IP 3
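To make the two routing decisions in the notes concrete (round robin versus hash routing over the connection 5-tuple or 3-tuple, with unhealthy targets excluded), here is an added example that is not code from the notes or from AWS. The target group and the flows are constructed sample data, and the hash is a SHA-256 over the tuple fields, chosen only so that the same flow always maps to the same target; it does not reproduce the load balancer's internal algorithm.

```python
"""Round-robin and flow-hash target selection over a constructed target group."""
import hashlib
import itertools

# Constructed target group: target id -> result of the last health check.
TARGETS = {
    "i-web1-example": True,
    "i-web2-example": True,
    "i-web3-example": False,  # failed its HTTP health check, must receive no traffic
}


def healthy_targets(targets):
    """Targets whose last health check passed, in a stable order."""
    return sorted(t for t, ok in targets.items() if ok)


class RoundRobin:
    """Each new connection goes to the next healthy target in turn."""

    def __init__(self, targets):
        pool = healthy_targets(targets)
        if not pool:
            raise RuntimeError("no healthy targets")
        self._cycle = itertools.cycle(pool)

    def pick(self, flow):
        return next(self._cycle)


def flow_key(flow, tuple_size=5):
    """5-tuple keeps every field; the 3-tuple drops the ports, so all of one client's
    connections to a service hash alike (session stickiness at the cost of balance)."""
    src_ip, src_port, dst_ip, dst_port, proto = flow
    if tuple_size == 5:
        return (src_ip, src_port, dst_ip, dst_port, proto)
    if tuple_size == 3:
        return (src_ip, dst_ip, proto)
    raise ValueError("tuple_size must be 3 or 5")


def hash_pick(targets, flow, tuple_size=5):
    """Deterministic choice of a healthy target from the hash of the flow key."""
    pool = healthy_targets(targets)
    if not pool:
        raise RuntimeError("no healthy targets")
    digest = hashlib.sha256("|".join(map(str, flow_key(flow, tuple_size))).encode()).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def distribution(targets, flows, tuple_size=5):
    """How many of `flows` each healthy target would receive under hash routing."""
    counts = {t: 0 for t in healthy_targets(targets)}
    for flow in flows:
        counts[hash_pick(targets, flow, tuple_size)] += 1
    return counts


if __name__ == "__main__":
    # Constructed flows: 200 clients, one TCP/443 connection each.
    flows = [("198.51.100.%d" % (i % 250), 40000 + i, "203.0.113.10", 443, "tcp") for i in range(200)]
    print("5-tuple hash:", distribution(TARGETS, flows, 5))
    print("3-tuple hash:", distribution(TARGETS, flows, 3))
    rr = RoundRobin(TARGETS)
    print("round robin:", [rr.pick(f) for f in flows[:4]])
```

Both selectors read the health-check state first, which is the operational point behind the notes' "healthy / unhealthy": a target that fails its check drops out of the pool immediately, whatever the routing algorithm.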
Instance actions
  Launch more like this
  Create template
  Create image - Image name: maximum 127 characters, can't be modified after creation. Description: maximum 255 characters. No reboot: by default it is disabled. Changing the OS / root volume size is supported

Elastic IP address
  Permanent / static public IP. Chargeable - even if the instance is stopped
  Dynamic public IP - gets released when the instance is not running / rebooted
AWS Auto Scaling
  Auto Scaling groups are collections of Amazon EC2 instances that enable automatic scaling and fleet management features. These features help you maintain the health and availability of your applications.
  Fluctuating application load - automatically scale in and out
  Goal: stable, steady, predictable performance at the lowest possible cost; pay for what you have used
  Metrics (average): CPU utilization > 80 -> add 2 EC2 instances; < 30 -> remove 1 EC2 instance; network connections
  Launch configuration / template with AMI & settings - AMI (operating system, applications, tools, ...), instance type, security group, storage, tags, key pair
  Instance scale-in protection - If protect from scale in is enabled, newly launched instances will be protected from scale in by default. (Enable instance scale-in protection)
  Vertical scaling - manual: increase or decrease resources (CPU, memory, storage, etc.) by changing the instance type; there is a downtime involved; typical for failover clustering, DB clusters and backend instances (DB systems); optimize the network performance; lower costs
  Horizontal scaling - scale out: add additional EC2 instances; scale in: reduce EC2 instances
Snapshots
  Point-in-time backup - Create a point-in-time snapshot of an EBS volume and use it as a baseline for new volumes or for data backup. You can create snapshots from an individual volume, or you can create multi-volume snapshots from all of the volumes attached to an instance.
  Restoring to a previous state
  First snapshot is full and subsequent ones are incremental - saves costs. Full snap (file 1), delta 1, ...
  Delete a snapshot in a series of snapshots - removes only the content unique to that snapshot
  Levels: EBS volume level; instance level / multi-volume level (include / exclude volumes, copy tags)
  Copy snapshot from one region to another region
  Create image from snapshot -> from the image, create a VM
  Create volume from snapshot -> attach the volume to either a new VM or an existing VM
  Snapshots cannot be directly attached to an instance - create a volume; only volumes can be attached to an instance. While creating a new volume, you can create it from an existing snapshot
  Fast snapshot restore - Snapshots that are enabled for fast snapshot restore enable you to restore volumes that are fully initialized at creation.
  Storage: object storage, Amazon S3; SSE - 256-bit AES
  Consistency level: like a VMware snapshot - crash-consistent snapshot; application-aware (Windows VSS); file-system consistent; crash consistent
  Tiers: snapshot tier, archive tier - moving from one tier to another tier after a specific duration, to save some cost
  Recycle Bin - data recovery feature for accidentally deleted snapshots or AMIs. Use Recycle Bin to protect your business-critical EBS snapshots and AMIs from accidental deletion. With Recycle Bin, you specify a configurable retention period within which you can recover these resources after they have been deleted. Min: 1 day, Max: 365 days. The technology to enable Recycle Bin is free; snapshots/images that are in the Recycle Bin are charged at the same rate as regular snapshots

CloudOps engineer - patching, monitoring, alerting, backup, etc.
  Systems Manager - automation, Run Command (systems command), runbook / playbook, inventory; IAM roles; Lambda function
  Helpdesk L1 / service desk
  Termination = deletion; orchestration; the inventory listing will be cleaned up after a duration

Amazon Data Lifecycle Manager - Automate the creation, retention, copy and deletion of snapshots and AMIs
  Policy 1 - automatically create/delete snapshots (individual volumes / instances)
  Policy 2 - automatically create/delete images
  Policy 3 - copy the contents between regions: data transfer out is chargeable, plus the cost of storing the contents; protection against regional outage / disaster (for DR / BC)
  Reduce the storage costs by auto-deleting after retention
  Schedule: auto-creation daily, every N hours (hourly up to 24 hours), weekly, monthly, custom cron expression
  Retention period per schedule - retain some number of snapshots
  You can create another 3 schedules in this policy.
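The snapshot notes above (first snapshot full, later ones incremental, deleting one frees only the content unique to it) and the DLM retention schedule (retain some number of snapshots) both come down to reference counting over blocks. The following is an added example, not code from the notes or from AWS: a small de-duplicated store that records which blocks each snapshot needs, reports how many blocks a new snapshot actually adds, frees only unreferenced blocks on delete, and applies count-based retention. The volume contents are constructed sample data; real EBS snapshots work at the block level in a backend the notes identify as S3, but the store here is a plain in-memory model.

```python
"""In-memory model of incremental snapshots with block-level de-duplication."""


class SnapshotStore:
    """Stands in for the snapshot backend: a block is stored once, however many snapshots use it."""

    def __init__(self):
        self.snapshots = []  # snapshot names in creation order
        self.blocks = set()  # stored (block id, content) pairs
        self.refs = {}       # snapshot name -> {block id: (block id, content)}

    def create(self, name, volume):
        """Snapshot `volume` (dict block id -> content) and return how many blocks were newly
        stored: every block for the first snapshot, only the changed blocks afterwards."""
        new_blocks = 0
        view = {}
        for block_id, content in volume.items():
            key = (block_id, content)
            if key not in self.blocks:
                self.blocks.add(key)
                new_blocks += 1
            view[block_id] = key
        self.refs[name] = view
        self.snapshots.append(name)
        return new_blocks

    def delete(self, name):
        """Delete one snapshot in the series; only blocks no other snapshot references are freed,
        so every remaining snapshot can still be restored in full."""
        del self.refs[name]
        self.snapshots.remove(name)
        still_used = {key for view in self.refs.values() for key in view.values()}
        self.blocks = {key for key in self.blocks if key in still_used}

    def restore(self, name):
        """Rebuild the complete volume that snapshot `name` captured."""
        return {block_id: key[1] for block_id, key in self.refs[name].items()}

    def stored_block_count(self):
        return len(self.blocks)

    def apply_retention(self, keep):
        """Count-based retention as a DLM schedule does: drop the oldest snapshots beyond `keep`."""
        while len(self.snapshots) > keep:
            self.delete(self.snapshots[0])
        return list(self.snapshots)


if __name__ == "__main__":
    store = SnapshotStore()
    day1 = {0: "boot", 1: "data-a", 2: "data-b"}            # constructed volume contents
    day2 = {0: "boot", 1: "data-a", 2: "data-b2"}           # block 2 rewritten
    day3 = {0: "boot", 1: "data-a", 2: "data-b2", 3: "data-c"}  # block 3 added
    print("snap-1 stored", store.create("snap-1", day1), "blocks (full)")
    print("snap-2 stored", store.create("snap-2", day2), "block (incremental)")
    print("snap-3 stored", store.create("snap-3", day3), "block (incremental)")
    store.delete("snap-2")
    print("after deleting snap-2:", store.stored_block_count(), "blocks; snap-3 restores to", store.restore("snap-3"))
    print("retention keep=1 leaves", store.apply_retention(keep=1))
```

Deleting snap-2 frees nothing because its only changed block is still needed by snap-3; deleting snap-1 afterwards frees just the original block 2. That is the behaviour the notes summarise as "remove the content only unique to that snapshot", and it is why a retention policy that deletes old snapshots does not shrink storage by the size of each deleted snapshot.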

Lightsail - Amazon's virtual cloud server (VPS - virtual private server)
  https://lightsail.aws.amazon.com/ls/webapp/home/instances
  Small to mid-sized organizations; small business apps; custom websites; simple web apps; test / POC environment
  Build apps and websites fast with low-cost, pre-configured cloud resources
  Choose region, availability zone, OS flavor (Windows / Linux)
  Blueprint (app + OS) - it will have the OS & apps pre-installed
  Pricing: Linux - 3.5 USD to 160 USD; Windows - 8 USD to 240 USD; 3 months free trial; 750 hours per month