
AWS Tech Essentials

What we will cover:
• Regions and Availability Zones
• EC2 – Compute and EBS storage
• Cloud storage – S3, EFS and FSx
• VPC – Networking
• RDS – Relational Database service
• IAM – Security
• Monitoring – CloudWatch, Trusted Advisor
NIST Cloud Definitions
IaaS
• IaaS – Infrastructure as a Service
• Network, storage, and compute
• AWS is mostly IaaS
PaaS
• PaaS – Platform as a Service – create and run applications without managing cloud infrastructure
• Example: Heroku, Cloud Foundry
• AWS has Cloud9 IDE (source code editor, automation tools, debugger)
• Continuous deployment / integration tools (CI / CD)
  • CodePipeline, CodeBuild, CodeCommit, and CodeDeploy
SaaS
• SaaS – Software as a Service – application written, hosted and managed by the service provider
• Example: Office 365
• AWS has WorkDocs, WorkMail and Amazon Chime
Cloud Deployment Models
• Private – All on-prem
• Cloud – all in public cloud
• Hybrid – some on premise, some in cloud
• Multi-cloud – Using multiple cloud services
AWS Management Services
[Diagram: service categories – Storage, Databases, Networking, Compute, Monitoring, Security, Scaling]
AWS Administration
• Management Portal
• AWS CLI – Linux, Windows, Mac
• CloudFormation – Automation
Demo: AWS Administration
Global Infrastructure
Regions, Availability Zones and Edge locations
AWS Regions
• Each region is a separate geographical area
• Region should match your compliance requirements
• Each region has multiple availability zones
• A special region called AWS GovCloud (US) is for US government agencies
  • Adheres to ITAR regulations
  • Provides FIPS 140-2 endpoints
  • Accessed using a separate account
Regions and Availability Zones
[Map figure: AWS regions and their number of AZs, showing Ireland, Sweden, Canada, Beijing, Seoul, Oregon, Frankfurt, London, Ningxia, N. California, Ohio, Tokyo, N. Virginia, Paris, Mumbai, Milan, Hong Kong, Bahrain, Singapore, Indonesia, Sao Paulo, Sydney and Cape Town]
Case Study
Please open your copy of the Terra Firma use case for this class
1st question
What AWS region would you suggest for Terra Firma?
Possible Answer
The closest region is going to be US West Northern California Region.
Availability Zones (AZ)
• Each region at AWS has a minimum of two availability zones
• An availability zone contains one or more data centers that host EC2 instances and EBS storage
• Other regional data centers contain other AWS services (S3 Buckets, ELB, etc.)
• Applications hosted in multiple AZ’s have high availability and reliability
[Diagram: an AWS Region containing several Availability Zones]
Demo: Regions and Availability Zones
Choosing an AWS Region
Compliance: Rules and regulations you must follow
Cost: Different for each AWS region and AZ
AWS services are not always available in each region when they are first introduced
Customer location: Private hybrid design
Edge Locations
• Deliver data, videos, applications, and APIs to your customers globally
• CloudFront peers with thousands of Tier 1/2/3 telecom carriers globally
• Signed URLs and cookies restrict access to only authenticated viewers
• CloudFront is AWS’s content distribution network (CDN)
• S3 buckets can be cached at edge locations
• Static and dynamic content can also be cached
• Edge locations are both egress and ingress
[Diagram: a user in Singapore reaches a website / data / API hosted at AWS through CloudFront (CDN) at the Singapore edge location, which connects to AWS over the high-speed private network]
Demo: Global AWS Services
Compute Services at AWS
Compute, Families, Security groups and Pricing
Compute Services
• EC2 – Instance
• ECS – Containers
• Lambda – Serverless
• LightSail – Blueprints
EC2 Instances (and Migration)
• Instances are virtual servers – Linux or Windows
• Hypervisors: Xen, Nitro
• Server migration tools: Snowball – transfer terabytes; Snowmobile – transfer exabytes
EC2 Instances
• Instance families – vCPU’s, Memory, Storage (type and size), Network speed
• Enhanced storage
• Enhanced networking
• Many instance types
• Performance build families:
  • Compute (c4) – Extreme processing
  • Memory (r3) – Memory intense
  • Storage (i2) – Fast SSD storage
  • GPU (g2) – Graphic workloads
2nd question
What type of EC2 instance should be considered for the human resources software system?
Compute optimized?
Possible Answer
The EC2 instance that is chosen should be matched to a compute option where the CPU cores, storage size and speed, the amount of required RAM, and networking speeds match your requirements.
3rd question
What type of EC2 instance should be considered for the SQL database?
Storage optimized?
Possible Answer
The database instance could use a storage optimized EC2 instance with high provisioned IOPS (input output per second).
EC2
• Instances share bare-metal server hardware by default
• Instance size can be changed after launch
• Secure logon uses public / private key pair
• Instances can also utilize local block storage volumes (temporary)
• Instances can utilize block storage volumes (persistent)
EC2 Images: AMI
• AMI – Amazon Machine Image
• Initial software installed when instance launched (O/S, System software)
• Block device mapping specifies the EBS volumes to attach to the instance
• AMI types:
  • Custom – created by the customer
  • Published – AWS marketplace
  • Pre-created by AWS – Linux and Windows
• Amazon Linux 2 AMI – Can be downloaded for testing / dev
AMI Lifecycle Management
• After an AMI is created it can be used to launch many instances
• A finalized AMI should be your “Golden Image”
• No editing a production AMI!
• AMI’s can also be copied to a different AWS region
[Diagram: within an AWS Region, AMI #1 is created from an EC2 instance as the template; AMI #2 and AMI #3 are used to launch new EC2 instances]
Demo: Create an AMI
Security Groups
EC2 instance firewall
Securing Access: Security Groups
• Security groups are firewalls
• Security groups allow access to the EC2 Instance
• You must have a security group assigned
• Protects network interface of EC2 Instance
Security Group Operation
Five security groups can be associated with an EC2 Instance
Security groups use Allow rules
Rules allow traffic in or out from EC2 Instances
Each rule specifies the allowed port range
Each rule specifies the source or destination
Service Quotas
• All resources at AWS have default quotas
• Quota examples:
  • EC2 instances default limit: 20 per region
  • Elastic Load Balancer: default limit: 20
  • Virtual Private Cloud: default limit: 5
• Unchangeable quota examples:
  ● IPv4 CIDR blocks per VPC: 5
  ● Route tables per VPC: 200
EC2 Instance Pricing
AWS Billing Charges
• AWS charges are complicated!
• Use the AWS Simple Pricing or Simple Monthly Calculator
• Compute charges – by the second (Linux)
• Storage charges – by the month
• Management service charges – usage (compute and storage)
• Data transfer charges – egress charges
Purchasing Options
• On-demand Instances
• Reserved Instances – 1 or 3-year terms
• Scheduled Instances
• Spot Requests – Unused instances (Hibernate, 1 to 6 Hour)
• Dedicated Hosts – Physical host dedicated to you
• Dedicated Instances – Single tenant hardware
Savings Plans
• Savings Plans provide savings of up to 72% on your AWS compute usage
• Applies to all Amazon EC2 instances and/or AWS Fargate and AWS Lambda usage
• Commit to use a specific amount of compute power (measured in $/hour) for a one- or three-year period
Controlling Costs at AWS
• AWS Budgets – manage usage
• Cost Explorer – visualize usage
• Cost allocation tags
Demo: Purchasing Options
4th question
What type of purchasing option should be considered for the human resources EC2 instances for their applications?
Possible Answer
The application EC2 instances should take advantage of reserved instance pricing or a savings plan.
5th question
What type of purchasing option should be considered for the human resources SQL database EC2 instances?
Possible Answer
The database EC2 instance should be using reserved instance pricing.
Storage Services at AWS
EBS, S3, S3 Glacier, EFS and FSx
Storage Services
• S3 – Object and archive
• EBS – Block storage
• FSx – Windows shared storage
• EFS – Linux shared storage
EBS: Elastic Block Storage
Elastic Block Storage
• SSD:
  • General purpose: Boot volumes, low latency applications
  • Provisioned IOPS: Databases with sustained IOPS
• HDD:
  • Throughput optimized: High-throughput sequential workloads
  • Cold: Logging and backup
EBS Volumes
• EBS volumes can be stopped and restarted without data loss
• Root / boot drives
• Data drives
• Can be encrypted
• Persistent data storage
  ● Change volume type
  ● Change volume size
  ● Increase or decrease provisioned IOPS
• Replicated with multiple copies within the AZ where the EC2 instance is deployed
EBS Snapshots
• Backups of EBS volumes are called snapshots
• Snapshots can aid in disaster recovery
• A snapshot can also be:
  • Copied to another region
  • Used to create a new EBS volume
• Automatically maintain snapshots using:
  • Data Lifecycle Manager
  • AWS Backup
Demo: EBS Administration
Simple Storage Service (S3)
S3 Buckets
• Simple Storage Service (S3) is object storage
• 99.999999999 % durability
• 99.99 % availability
• Maximum object size: 5 TB
• Unlimited number of objects can be stored
• Replicated to three facilities within the AWS region
• Objects are stored in buckets
• Bucket names are globally unique (DNS names)
• S3 buckets are set to private by default
S3 Storage Classes
• S3 Standard - no minimum
• S3 Intelligent-Tiering - monitor and move - min. 30 days
• S3 Standard-IA - min. 30 days
• S3 One Zone-IA - One AZ - min. 30 days
• S3 Glacier - min. 90 days
• S3 Glacier Deep Archive - min. 180 days
S3 Versioning
• Versioning allows you to store multiple versions of the same object in one bucket
• Protect yourself from unintended overwrites or deletions
• Versioning is enabled at the bucket level
• Once enabled, versioning can’t be disabled but can be suspended
Lifecycle Rules
• Rules define an action for S3 to apply to a selected group of stored objects
• Rules control the retention of objects:
  • Change storage tier, archive, or delete
  • Stored logs: delete after 90 days
  • Documents less frequently accessed: archive to S3 Glacier
  • Delete objects not required after a certain date
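The two rules on this slide, worked through as an added example that is not from the course: each rule names a key prefix, the object age at which it fires, and an action (expire, or transition to another storage class). The 60-day figure for the documents rule, the object keys and the ages are constructed; the validity check encodes S3's documented restriction that a transition to Standard-IA or One Zone-IA cannot happen earlier than 30 days after creation.

```python
# Lifecycle rules in the shape of the slide's examples: prefix, age in days, action.
# Constructed values; the slide gives no number for the documents rule.
RULES = [
    {"prefix": "logs/", "days": 90, "action": "expire"},
    {"prefix": "docs/", "days": 60, "action": "transition", "to": "GLACIER"},
]

# Constructed objects: (key, age in days, current storage class)
OBJECTS = [
    ("logs/app-2024-01.log", 120, "STANDARD"),
    ("logs/app-2024-04.log", 10, "STANDARD"),
    ("docs/policy.pdf", 75, "STANDARD"),
    ("docs/archive-2019.pdf", 900, "GLACIER"),   # already archived, nothing to do
    ("docs/onboarding.pdf", 30, "STANDARD"),
    ("photos/team.jpg", 400, "STANDARD"),        # no rule covers this prefix
]

# S3 rejects transitions into the infrequent-access classes earlier than 30 days after creation.
MIN_AGE_FOR_TRANSITION = {"STANDARD_IA": 30, "ONEZONE_IA": 30}

def rule_is_valid(rule):
    """Reject transition rules that fire before the target class permits."""
    if rule["action"] != "transition":
        return True
    return rule["days"] >= MIN_AGE_FOR_TRANSITION.get(rule["to"], 0)

def apply_rules(objects, rules):
    """Return {key: action} for every object at least one rule fires on today.
    Expiration takes precedence over a transition on the same object, and a
    transition is skipped when the object is already in the target class."""
    actions = {}
    for key, age_days, storage_class in objects:
        for rule in rules:
            if not key.startswith(rule["prefix"]) or age_days < rule["days"]:
                continue
            if rule["action"] == "expire":
                actions[key] = "expire"
                break
            if rule["action"] == "transition" and storage_class != rule["to"]:
                actions[key] = "transition:" + rule["to"]
    return actions
```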
S3 Glacier
• Archive with S3 Glacier storage
• Vaults, archives and lock policy
• Objects transition from S3 to Glacier using lifecycle management
• Once archived, objects must be restored before they can be accessed
• Objects are automatically encrypted
6th question
What cloud storage option would you choose for archived records?
S3 or S3 Glacier?
Possible Answer
S3 Glacier or S3 Glacier Deep Archive.
7th question
Would a lifecycle rule help manage office records moved to S3 cloud storage?
Possible Answer
A lifecycle rule could control the movement of records stored in an S3 bucket to S3 Glacier archive storage.
EFS and FSx: Shared Storage Services
Elastic File System - Linux storage
• Fully managed storage service providing shared file storage for Linux EC2 instances
• Highly available
• Highly durable
• Petabyte scale
• High-performance options
• Transparent encryption
• Integrates with AWS KMS
[Diagram: a single namespace exposed through mount targets]
FSx - Windows Storage
• Fully managed storage service providing shared file storage for Windows Server EC2 instances
• Highly available
• Highly durable
• Petabyte scale
• High-performance options
• Transparent encryption
• Integrates with AWS KMS
[Diagram: SMB 3.0 shares]
Networking Services at AWS
Networking Services
• VPC – Subnets
• IP Addresses – Public / Private
• Access – Internet Gateway
• VPN – Connectivity
Virtual Private Cloud (VPC)
• Launch EC2 Instances into a private virtual network
• Layer 3 Network: Subnets
• You configure:
  • IP address ranges
  • Subnets
  • Route tables
  • Network Gateway’s
  • Security settings
  • Endpoints
Subnets
• Instances and AWS services are launched into subnets
• Public subnets used for resources that need Internet access (IGW, ELB)
• Private subnets host resources that don’t directly connect to the Internet (Web servers, RDS)
• Protect subnets using optional network access control lists (NACLs)
• Security: Network ACLs support allow and deny rules both inbound and outbound
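How the two controls on this slide and on the Security Group Operation slide differ in practice, as an added example that is not from the course: a network ACL is an ordered list of numbered allow and deny rules, evaluated lowest number first with the first match winning and an implicit deny at the end, while a security group holds allow rules only and drops anything not listed. The rule tables and addresses are constructed.

```python
import ipaddress

# Subnet NACL: (rule number, action, protocol, from port, to port, CIDR). Constructed.
NACL_RULES = [
    (100, "deny", "tcp", 22, 22, "0.0.0.0/0"),        # SSH blocked at the subnet edge
    (200, "allow", "tcp", 80, 80, "0.0.0.0/0"),       # HTTP
    (300, "allow", "tcp", 443, 443, "0.0.0.0/0"),     # HTTPS
    (400, "allow", "tcp", 1024, 65535, "0.0.0.0/0"),  # ephemeral ports (NACLs are stateless)
]

# Instance security group, ingress: (protocol, from port, to port, source CIDR). Constructed.
SG_RULES = [
    ("tcp", 443, 443, "0.0.0.0/0"),   # HTTPS from anywhere
    ("tcp", 22, 22, "10.0.0.0/8"),    # SSH only from the corporate range
]

def _matches(proto, port, src, rule_proto, port_from, port_to, rule_cidr):
    """True when the packet's protocol, port and source address fall inside one rule."""
    return (rule_proto == proto and port_from <= port <= port_to
            and ipaddress.ip_address(src) in ipaddress.ip_network(rule_cidr))

def nacl_decision(proto, port, src, rules=NACL_RULES):
    """Ordered evaluation: lowest rule number first, first match wins, else implicit deny."""
    for _, action, rule_proto, port_from, port_to, cidr in sorted(rules):
        if _matches(proto, port, src, rule_proto, port_from, port_to, cidr):
            return action
    return "deny"

def sg_decision(proto, port, src, rules=SG_RULES):
    """Allow-only evaluation: any matching rule allows, otherwise the packet is dropped."""
    for rule_proto, port_from, port_to, cidr in rules:
        if _matches(proto, port, src, rule_proto, port_from, port_to, cidr):
            return "allow"
    return "deny"

def inbound_allowed(proto, port, src):
    """Inbound traffic must pass the subnet NACL first, then the instance's security group."""
    return (nacl_decision(proto, port, src) == "allow"
            and sg_decision(proto, port, src) == "allow")
```

Note that SSH from the corporate range is allowed by the security group yet still dropped, because the NACL's deny rule 100 matches first.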
Route Tables
• A route table is a set of rules that determine where subnet traffic is allowed to go
• All route tables have a mandated entry for local communication within the VPC
• Subnets can only be associated with one route table
[Diagram: Subnet 1 associated with Route table 1, Subnet 2 with Route table 2]
Internet Gateway (IGW)
• Allows communication between instances or services hosted on public subnets and the Internet
• To enable access to the Internet you must:
  ● Order an IGW
  ● Attach the IGW to your VPC
  ● Add route table entry pointing to the IGW
NAT Gateway Service
• NAT services enable EC2 instances in a private subnet to indirectly connect to the Internet to get updates
• Traffic requests from the instance are forwarded to the NAT service hosted in the public subnet
• Internet response is sent back to the private instance that made the request
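The route tables behind the last three slides, as an added example that is not from the course: every table carries the mandatory local route for the VPC range, the public subnet's table adds a default route to the IGW, the private subnet's table a default route to the NAT gateway, and a lookup picks the most specific matching route. The VPC CIDR and the gateway ids (igw-EXAMPLE, nat-EXAMPLE) are placeholders.

```python
import ipaddress

VPC_CIDR = "10.0.0.0/16"   # constructed VPC address range

# Route tables as {destination CIDR: target}; gateway ids are placeholders.
PUBLIC_RT = {
    VPC_CIDR: "local",             # mandatory local route, present in every table
    "0.0.0.0/0": "igw-EXAMPLE",    # default route to the Internet gateway
}
PRIVATE_RT = {
    VPC_CIDR: "local",
    "0.0.0.0/0": "nat-EXAMPLE",    # default route to the NAT gateway in the public subnet
}
ISOLATED_RT = {VPC_CIDR: "local"}  # no default route: no path to the Internet at all

def lookup(route_table, dest_ip):
    """Pick the most specific (longest prefix) route covering dest_ip; None means no route."""
    addr = ipaddress.ip_address(dest_ip)
    best = None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, target)
    return best[1] if best else None

def add_internet_route(route_table, igw_id, attached_igws):
    """Step 3 of the IGW slide; the IGW must already be attached to the VPC (step 2)."""
    if igw_id not in attached_igws:
        raise ValueError("attach the IGW to the VPC before routing to it")
    route_table["0.0.0.0/0"] = igw_id

def internet_path(route_table):
    """Classify a subnet by its default route: 'igw' (public), 'nat' (private) or 'none'."""
    target = lookup(route_table, "198.51.100.7")   # any address outside the VPC
    if target is None:
        return "none"
    return target.split("-")[0]
```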
Gateway Connections
• Internet access to a VPC through an Internet Gateway
• Corporate access to a VPC through a Virtual Private Gateway
• Transit Gateway – hub connecting VPC’s, IGW, and Direct Connect Connections
Direct Connect
• Fiber connection from your corporate location to your VPC at AWS
• Speeds up to 10 Gb
• Two-way communication
• Overlay a VPN connection on top of your Direct Connect connection
8th question
Does Terra Firma require a secure connection to AWS?
Possible Answer
Any secure connectivity from Terra Firma to AWS could use a VPN or Direct Connect connection.
9th question
Does Terra Firma require a fast and secure connection to AWS?
Possible Answer
Terra Firma needs secure connections.
VPN connections max out at 1.2 Gbps.
Security Services
Security Management
• IAM
• Root User
• User security
Identity and Access Management
The Root User
• When you order an AWS account, the first administrative account is called the Root user
• The root user account is not controlled by IAM
• The root user account should not be used for daily administration
Identity and Access Management
• IAM controls who is authenticated and authorized to use AWS resources in your AWS account
• IAM users and groups are controlled by IAM permission policies
• After authentication and authorization an IAM user or role provides access to the requested resource
Identity-based Policy
• There are two types of IAM policies:
  • Identity-based policy
    • AWS provides pre-created policies called managed policies
  • Resource-based policy
    • Attached directly to the resource (FSx, EFS, S3 bucket)
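The two policy types side by side, as an added example that is not from the course: an identity-based policy attached to an IAM user (no Principal element) and a resource-based policy attached to an S3 bucket (its Principal names who it applies to), evaluated with AWS's documented same-account order of an explicit Deny first, then any Allow, otherwise implicit deny. The account id, user names and bucket name are constructed.

```python
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"   # constructed account id
ANALYST = f"arn:aws:iam::{ACCOUNT}:user/analyst"
UPLOADER = f"arn:aws:iam::{ACCOUNT}:user/uploader"
BUCKET = "arn:aws:s3:::reports-example"

# Identity-based policies, keyed by the IAM user they are attached to.
IDENTITY_POLICIES = {
    ANALYST: {"Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [BUCKET, BUCKET + "/*"]},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ]},
}

# Resource-based policy attached to the bucket itself.
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": UPLOADER},
     "Action": "s3:PutObject", "Resource": BUCKET + "/*"},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _applies(stmt, principal, action, resource):
    """A statement applies when its Action and Resource patterns match the request
    and, for a resource-based statement, its Principal names the requester."""
    if "Principal" in stmt:
        allowed = _as_list(stmt["Principal"].get("AWS", []))
        if "*" not in allowed and principal not in allowed:
            return False
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def is_authorized(principal, action, resource,
                  identity_policies=IDENTITY_POLICIES, resource_policies=(BUCKET_POLICY,)):
    """Same-account evaluation: explicit Deny wins, then any Allow, otherwise implicit deny."""
    statements = list(identity_policies.get(principal, {}).get("Statement", []))
    for policy in resource_policies:
        statements.extend(policy["Statement"])
    effects = {s["Effect"] for s in statements if _applies(s, principal, action, resource)}
    if "Deny" in effects:
        return False
    return "Allow" in effects
```

The uploader has no identity-based policy at all and is still granted PutObject by the bucket policy alone, while the analyst's explicit Deny on DeleteObject overrides any Allow.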
Database Services
Database Services
• RDS – SQL, MySQL, Oracle
• DynamoDB – NoSQL
Relational Database Service
• Managed service for creation, management, and scaling of relational databases
• RDS manages the following:
  • Initial setup, replication between AZ’s, backups, failover, and recovery
Relational Database Service
• CPU, memory, storage and IOPS can be scaled up and down at any time
• Read replicas can be added for MySQL, PostgreSQL, and Aurora to reduce load on the master DB instance
• Supports MySQL, MariaDB, PostgreSQL, Oracle, Microsoft SQL Server and MySQL compatible Aurora DB engines
10th question
Do you think it’s a good idea for the SQL database servers to be hosted in separate availability zones?
Possible Answer
Yes. Data records are kind of valuable.
11th question
Do you think the replication between the SQL master and standby replicas is worth the additional costs?
Possible Answer
Can you go to your boss and say, “we lost all of our data”?
12th question
Should Terra Firma consider using RDS instead of building their own database infrastructure?
Answer
If RDS has a database solution that matches Terra Firma’s needs, then yes, they should consider this option.
Management Tools at AWS
Monitoring
• Trusted Advisor
• CloudTrail – Log API calls
• CloudWatch – Monitor
Trusted Advisor
• Trusted Advisor analyzes your AWS account against best practices
• Analyzes cost optimization, security, fault tolerance, and performance
  ● Insecure security groups
  ● Service limits
• Alert criteria:
  ● Red (Action recommended)
  ● Yellow (Investigation recommended)
  ● Green (No problem detected)
CloudTrail
• View all AWS account activity for 90 days
• Enabled by default and applied to all AWS regions
• Analyze actions taken by a user, role or AWS service
• Identify who or what service performed a particular action (API call)
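Using CloudTrail records to answer "who performed this API call", as an added example that is not from the course: it scans newline-delimited records for the two things the deck flags, any activity by the root user (which should not be used for daily administration) and any change to a security group (the EC2 instance firewall), and reports the caller and source address. The records are constructed in the layout of real CloudTrail events (userIdentity, eventSource, eventName, sourceIPAddress) with a placeholder account id.

```python
import json

# Constructed CloudTrail records, one JSON object per line, limited to the fields used here.
SAMPLE_TRAIL = """\
{"eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root"},"sourceIPAddress":"203.0.113.10"}
{"eventSource":"ec2.amazonaws.com","eventName":"AuthorizeSecurityGroupIngress","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/ops"},"sourceIPAddress":"198.51.100.4"}
{"eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/analyst"},"sourceIPAddress":"198.51.100.9"}
{"eventSource":"ec2.amazonaws.com","eventName":"RevokeSecurityGroupEgress","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/Deploy/ci"},"sourceIPAddress":"198.51.100.20"}
"""

# EC2 API calls that change a security group's rules or existence.
SG_CHANGE_EVENTS = {
    "CreateSecurityGroup", "DeleteSecurityGroup",
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
}

def parse_trail(text):
    """Parse newline-delimited CloudTrail records into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_findings(events):
    """Return (finding type, eventName, who, source IP) for each record worth an alert:
    any activity by the root user, and any security-group change by anyone."""
    findings = []
    for event in events:
        identity = event.get("userIdentity", {})
        who = identity.get("arn", "unknown")
        src = event.get("sourceIPAddress", "unknown")
        if identity.get("type") == "Root":
            findings.append(("root-activity", event["eventName"], who, src))
        if event["eventName"] in SG_CHANGE_EVENTS:
            findings.append(("security-group-change", event["eventName"], who, src))
    return findings
```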
CloudWatch
• Monitoring service: Metrics for all AWS services
• Metrics monitored via timeframe, minimum, maximum and average
• When a metric’s state changes, CloudWatch alarms or alerts can automatically initiate actions on your behalf
• CloudWatch agent is installed on AWS instances by default
What we covered:
• Regions and Availability Zones
• EC2 – Compute and EBS storage
• Cloud storage – S3, EFS and FSx
• VPC – Networking
• RDS – Relational Database service
• IAM – Security
• Monitoring – CloudWatch, Trusted Advisor