
AWS Certified Solutions Architect Associate Exam Prep

Regions, Availability Zones, and Edge Locations
What we will cover:

- Designing for Reliability and Resiliency
- Designing for Security and High Availability
- Well-Architected Framework
- AWS Regions and Availability Zones
- Edge Locations and Edge Services
Domains of Knowledge SAA-C03

- Design Secure Architectures: 30 % of exam
- Design Resilient Architectures: 26 % of exam
- Design High-Performing Architectures: 24 % of exam
- Design Cost-Optimized Architectures: 20 % of exam
Steps for AWS Certification Success

- Think like a Cloud Architect
- Architects “build”, “design”, “construct”
- Architects propose solutions based on existing building blocks
- The Solutions Architect Associate exam is based on common sense
- Every question is a “situation”, current or proposed
- The correct answer is the best answer among the suggested answers to the multiple-choice question
AWS Documentation

- AWS Free Tier
- AWS FAQs
- AWS Blueprints – automated solution implementations
- Well-Architected Framework self-paced labs
- Well-Architected Framework PDFs
Re-Certification

- Every three years you must recertify
How the Exam is Graded

- Questions are multiple-choice
- Both single selection and multiple selection
- No penalty for guessing
- 65 questions on the exam
- Only 50 count!
- Mark questions for future review
- Answer all questions
Well-Architected Framework Design Principles

- Security
- Reliability
- Performance Efficiency
- Cost Optimization
- Operational Excellence
- Sustainability
Well-Architected Framework

- The exam is based on the Well-Architected Framework mindset
- Compare your workload against AWS best practices with the Well-Architected Framework
- Guidance to produce resilient, stable, and efficient workloads
- The AWS Well-Architected Tool is a hosted tool in the AWS Management Console
Well-Architected Framework

- Security – protect data, systems, and assets
- Reliability – the application stack performs its intended function correctly and consistently
- Performance Efficiency – use compute resources efficiently to meet system requirements, and maintain that efficiency as demand changes
- Cost Optimization – business value at the lowest price point
- Operational Excellence – support the development and running of workloads efficiently, gain insight into operations, and continually improve
- Sustainability – reduce energy consumption and increase efficiency; maximize benefits while minimizing total resources
General Design Principles

- Stop guessing capacity needs at AWS
- Improve your workload operation by monitoring at all levels
- Automate (everything)
- Monitor (everything)
Designing Secure Architecture

- Identity and Access Management
- Detective services for specific monitoring
- Infrastructure protection
- Data protection
Design Resilient Architecture Concepts

- Design foundations: resource quotas, design constraints, network speeds
- Workload architecture: high availability
- Change management – monitor, know when to scale, know when changes are made
- Failure management – backups, fault isolation, managing component failures, disaster recovery
Design High-Performance Architecture

- Compute – EC2 instances, containers, Lambda functions
- Storage – object, block, file system, shared
- Network speeds for web, application, and database tiers
- Monitor everything
Designing for Reliability and Resiliency

High Availability (HA)

- Automate the recovery of system components that are part of the application stack
- High availability designs lower the Recovery Time Objective and the Recovery Point Objective
- RTO – how long until recovery?
- RPO – how much data was lost?
Fault Tolerance

- When infrastructure components fail, no interruption to the application stack occurs
Hard Dependencies

- An interruption in a system component causes an interruption of the application stack
- Desired workload availability: 99.9 % (achieved with both hard dependencies: 98.81 %)
- System 1 – 99.95 %
- System 2 – 99.0 %
Redundant Components

- Use independent redundant components such as Availability Zones
- Availability equals 100 % minus the product of the independent component failure rates
- Example: AZ availability = 99.9 % (a 0.1 % failure rate)
- The resulting system availability with 2 AZs is 99.9999 %

Availability example 1 (SLA required: 99.5 %)

- External dependencies: 99.9 % each
- Web tier: two web servers at 90 % each – web tier availability 99 %
- Data tier: one database server at 95 %
- Total availability: 0.95 × 0.99 = 94 % (below the required SLA)

Availability example 2 (SLA required: 99.5 %)

- Web tier: three web servers at 90 % each – web tier availability 99 %
- Data tier: database master with two replicas at 99 % each – data tier availability 99 %
- Total availability: 0.999 × 0.999 = 99.8 %
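The series/parallel arithmetic behind the two availability slides above, as an added example that is not part of the original deck: hard dependencies multiply availabilities, independent redundant copies multiply failure rates. The function names and the sample inputs (taken from the slide's figures) are constructed for illustration.

```python
from functools import reduce

MINUTES_PER_YEAR = 365 * 24 * 60


def series_availability(availabilities):
    """Hard dependencies: every component must be up, so availabilities multiply."""
    return reduce(lambda acc, a: acc * a, availabilities, 1.0)


def parallel_availability(availabilities):
    """Independent redundant components (e.g. one copy per AZ): the set is down
    only when every copy is down, so the failure rates multiply."""
    failure = reduce(lambda acc, a: acc * (1.0 - a), availabilities, 1.0)
    return 1.0 - failure


def stack_availability(tiers):
    """tiers: a list of tiers, each a list of redundant components.
    Components within a tier are redundant; tiers are hard dependencies of each other."""
    return series_availability(parallel_availability(tier) for tier in tiers)


def yearly_downtime_minutes(availability):
    """Translate an availability figure into expected downtime per year."""
    return (1.0 - availability) * MINUTES_PER_YEAR


def meets_sla(availability, sla):
    return availability >= sla


# Constructed inputs matching the slide's figures.
SLA = 0.995
TWO_WEB_ONE_DB = [[0.90, 0.90], [0.95]]   # two web servers, one database server
TWO_AZ = [0.999, 0.999]                   # AZ availability 99.9 % each

if __name__ == "__main__":
    total = stack_availability(TWO_WEB_ONE_DB)
    print(f"two web servers + single DB: {total:.4%} (meets {SLA:.1%} SLA: {meets_sla(total, SLA)})")
    print(f"two independent AZs at 99.9 %: {parallel_availability(TWO_AZ):.6%}")
    print(f"yearly downtime at 99.9 %: {yearly_downtime_minutes(0.999):.1f} minutes")
```

Running it shows why the single-database design on the first slide misses the 99.5 % SLA and why two AZs of 99.9 % each give 99.9999 %: the redundant pair fails only when both fail at once.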


RPO and RTO at the Application Tier

- RTO – recovery time
- RPO – recovery point
- Load balancing and Auto Scaling provide an acceptable RTO for the web or application tier compute layers
- Store the application state outside the web or application tier using the Simple Queue Service (SQS)
- Use ElastiCache for Redis to store user session state
Redundant Application Design

- Amazon Route 53 provides DNS services for traffic control within and across regions
- Amazon CloudFront provides high-speed caching at edge locations
- Elastic Load Balancing (ELB) sends incoming traffic to healthy web servers within a region
- EC2 Auto Scaling groups scale application compute, providing application availability and redundancy
- Amazon RDS hosts primary and alternate database servers updated with synchronous replication
- Amazon S3 buckets store static objects in multiple physical locations
AWS Global Infrastructure

- Regions
- Availability Zones
- Local Zones
- Wavelength Zones
- Points of Presence
- Direct Connect locations
AWS Regions

- Areas of the world where Amazon offers AWS cloud services
- Each region is a geographical location
- Choosing a region: Where do you operate? Where are your customers? Where are you allowed to operate?
- Each region is completely independent and isolated
- Pricing differs depending on geographical location
- AWS services are not initially replicated across regions
- Traffic sent across AWS regions incurs additional charges for ingress and egress traffic flow
Diagram (Regional Cloud Services): a region containing availability zones, each with a private subnet hosting EC2 instances and Elastic Block Storage. Regional services shown: RDS, DynamoDB, Elastic File System, Elastic Load Balancing, S3, and S3 Glacier. Edge services shown: CloudFront and Route 53.
Availability Zones

- Each availability zone contains at least one data center dedicated to customer workloads
- Most availability zones contain multiple data centers
- Each availability zone has inexpensive, low-latency network connectivity to the other availability zones within the same AWS region
- Designing with two AZs is a best practice to consider

Diagram: a region containing Availability Zone A, Availability Zone B, and Availability Zone C.
Multi-AZ Design

Diagram: a VPC in an AWS region with an Application Load Balancer in front of EC2 instances spread across three availability zones.
Availability Zones in Operation

- EC2 instances can launch across multiple subnets hosted in multiple availability zones
- ELB can target EC2 instances across multiple availability zones
- EC2 Auto Scaling can scale EC2 instances across multiple availability zones
- RDS deployments can be replicated across multiple availability zones
- RDS Aurora is multi-AZ (and can be a multi-region database)
- DynamoDB is multi-AZ (and can be a multi-region global table)
Single Availability Zone

- No recovery or failover when a disaster happens in a single data center
- No high availability for instances
- No failover within a single data center
Multiple Availability Zones

- Better high availability design options
- Designing applications hosted across AZs provides HA options
- Load balancing (ELB) supports EC2 instances in multiple availability zones
- EC2 Auto Scaling supports multiple AZs
- RDS Multi-AZ deployments
- Route 53 balances across multiple AWS regions
Local Zones

- Local Zones allow you to use compute and storage services with single-digit millisecond latency to applications running locally
- You can extend any VPC from the parent region into an AWS Local Zone by creating a new subnet and assigning it to the Local Zone
- When you create a subnet in an AWS Local Zone, your VPC is extended to include the Local Zone

Diagram (Local Zone Architecture): a VPC in a region spanning two availability zones and an AWS Local Zone.
Low Latency Solutions at AWS

- AWS Local Zones provide single-digit millisecond latency for video rendering and CAD services
- AWS Outposts allow you to run AWS compute and storage on premises
- Wavelength provides low latency for 5G device applications by extending AWS infrastructure into third-party telco 5G data centers
Edge Locations

Each edge location has a local caching data center directly connected to the AWS cloud using high-speed private network links.

Services at the Edge

- CloudFront: caches your static and dynamic content
- Route 53: delivers your request from the closest edge location
- WAF: filters incoming public traffic at the edge using filtering rules
Without CloudFront / With CloudFront

Diagram: a user in Singapore reaching a website on an origin server in the U.S.A. directly, compared with the same request served from a nearby Amazon CloudFront edge location.

CloudFront Distribution Design

Diagram: one CloudFront distribution served from the Toronto, Mumbai, and Paris edge locations, with an S3 bucket and an EC2 instance (origin server) as its origins.
Serving Private Content

- You can configure CloudFront to require that users access your files using either signed URLs or signed cookies
- Signed URLs restrict access to individual files
- Signed cookies provide access to multiple restricted files
- Secure the content in your S3 bucket so that users can access it only through CloudFront by creating an Origin Access Identity (OAI)
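An added illustration, not code from the deck or from AWS, of what a CloudFront canned-policy signed URL carries and how the edge rejects an expired or tampered one. It follows CloudFront's documented canned-policy layout (the Expires, Signature and Key-Pair-Id query parameters and the URL-safe base64 substitutions); the key pair id, the distribution domain and the HMAC signer are constructed stand-ins, since real URLs are signed with RSA-SHA1 using the private key of a CloudFront key pair.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlparse

# Constructed placeholders: a real deployment signs with RSA-SHA1 using the
# private key of a CloudFront key pair, and CloudFront looks the public key up
# by Key-Pair-Id. An HMAC stand-in is used here so the example runs offline.
DEMO_KEY_PAIR_ID = "KEXAMPLEKEYPAIR"          # placeholder, not a real key id
DEMO_SIGNING_SECRET = b"constructed-demo-secret"


def demo_sign(message: bytes) -> bytes:
    return hmac.new(DEMO_SIGNING_SECRET, message, hashlib.sha256).digest()


def demo_verify(message: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(demo_sign(message), signature)


def cf_b64encode(data: bytes) -> str:
    """CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'."""
    text = base64.b64encode(data).decode("ascii")
    return text.replace("+", "-").replace("=", "_").replace("/", "~")


def cf_b64decode(text: str) -> bytes:
    return base64.b64decode(text.replace("-", "+").replace("_", "=").replace("~", "/"))


def canned_policy(resource_url: str, expires_epoch: int) -> str:
    """The canned policy: exactly one resource, valid until an epoch timestamp."""
    policy = {"Statement": [{"Resource": resource_url,
                             "Condition": {"DateLessThan": {"AWS:EpochTime": expires_epoch}}}]}
    return json.dumps(policy, separators=(",", ":"))


def make_signed_url(resource_url: str, expires_epoch: int,
                    key_pair_id: str = DEMO_KEY_PAIR_ID, sign=demo_sign) -> str:
    """Build a canned-policy signed URL (resource_url is assumed to carry no query string)."""
    policy = canned_policy(resource_url, expires_epoch).encode("utf-8")
    signature = cf_b64encode(sign(policy))
    return f"{resource_url}?Expires={expires_epoch}&Signature={signature}&Key-Pair-Id={key_pair_id}"


def check_signed_url(signed_url: str, now_epoch: int, verify=demo_verify) -> bool:
    """Mirror the edge-side check: rebuild the policy from the URL, verify the
    signature over it, then enforce the expiry. Changing the path or the Expires
    parameter changes the rebuilt policy, so the signature no longer matches."""
    parsed = urlparse(signed_url)
    params = parse_qs(parsed.query)
    try:
        expires = int(params["Expires"][0])
        signature = cf_b64decode(params["Signature"][0])
        key_pair_id = params["Key-Pair-Id"][0]
    except (KeyError, ValueError):
        return False                       # missing or malformed parameters
    if key_pair_id != DEMO_KEY_PAIR_ID:    # unknown key pair: nothing to verify against
        return False
    resource_url = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    policy = canned_policy(resource_url, expires).encode("utf-8")
    if not verify(policy, signature):
        return False
    return now_epoch < expires


# Constructed distribution domain and object path.
PRIVATE_OBJECT = "https://d111111abcdef8.cloudfront.net/private/report.pdf"
SIGNED = make_signed_url(PRIVATE_OBJECT, 1_700_000_000)
```

The point for the exam: the URL itself carries the expiry and the key pair id, but only the signature over the policy makes them trustworthy, which is why the object must also be locked down at the origin (the OAI bucket policy) so that nobody can bypass CloudFront and fetch it directly.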
Lambda@Edge

Diagram: on the request path, the viewer request passes through a Lambda@Edge function, the CloudFront cache, and a second Lambda@Edge function before reaching the origin server; on the response path, the origin response passes through a Lambda@Edge function, the CloudFront cache, and a second Lambda@Edge function before reaching the viewer. These are the four Lambda@Edge triggers: viewer request, origin request, origin response, and viewer response.
WAF and Shield – Protecting the Application Perimeter

- AWS Shield Standard: protects against DDoS attacks
- AWS Shield Advanced: enhanced visibility and economic protection
- AWS WAF: web application protection with custom or managed filtering rules
Web Application Firewall Protection

- Pre-configured rules
- Cover common attack vectors and threats
- Influenced by the OWASP Top 10 Application Security Risks
- Customized rule engine
- Regular or rate-based rules
- Actions to take (block, allow, count)
Diagram: Internet traffic reaches back-end applications App 1 to App 4 (EC2 instances in VPC security groups) through an Application Load Balancer, two CloudFront distributions, and an API Gateway; each of these resources is associated with an AWS WAF web ACL, which holds the web ACL rules.
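The rate-based rule and the block/count actions from the slides above, simulated over constructed request records as an added example; this is not AWS WAF code and not part of the original deck. The per-IP sliding window, the limit, the window length and the IP addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed access-log style records: (epoch seconds, source IP, request path).
# 203.0.113.10 sends six /login requests in 50 seconds, then one more 80 s later;
# 198.51.100.7 sends two ordinary requests.
SAMPLE_REQUESTS = (
    [(t, "203.0.113.10", "/login") for t in range(0, 60, 10)]
    + [(5, "198.51.100.7", "/"), (25, "198.51.100.7", "/about")]
    + [(130, "203.0.113.10", "/login")]
)


def evaluate_rate_rule(requests, limit, window_seconds, action="BLOCK"):
    """Evaluate a rate-based rule over time-ordered requests.

    The rule matches a request when its source IP has already sent `limit`
    requests inside the trailing window. A matched request receives the rule's
    action: BLOCK drops it, COUNT only records the match and lets it through,
    which is how a new rule is usually trialled before it is allowed to block.
    Returns (timestamp, ip, path, decision) for every request.
    """
    if action not in ("BLOCK", "COUNT"):
        raise ValueError("action must be BLOCK or COUNT")
    recent = defaultdict(deque)          # per-IP timestamps inside the window
    decisions = []
    for ts, ip, path in sorted(requests):
        window = recent[ip]
        while window and ts - window[0] >= window_seconds:
            window.popleft()             # slide the window forward
        window.append(ts)                # blocked requests still count toward the rate
        decision = action if len(window) > limit else "ALLOW"
        decisions.append((ts, ip, path, decision))
    return decisions


def summarize(decisions):
    """Count decisions by outcome, e.g. {'ALLOW': 8, 'BLOCK': 1}."""
    counts = defaultdict(int)
    for *_, decision in decisions:
        counts[decision] += 1
    return dict(counts)


def offending_ips(decisions):
    """Source IPs that matched the rule at least once."""
    return sorted({ip for _, ip, _, decision in decisions if decision != "ALLOW"})


if __name__ == "__main__":
    for row in evaluate_rate_rule(SAMPLE_REQUESTS, limit=5, window_seconds=60):
        print(row)
    print(summarize(evaluate_rate_rule(SAMPLE_REQUESTS, limit=5, window_seconds=60, action="COUNT")))
```

With a limit of 5 per 60 seconds the sixth /login request from 203.0.113.10 is blocked, the request 80 seconds later is allowed again because the window has moved on, and switching the action to COUNT keeps the same match while letting the request through.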
Route 53 Traffic Flow – Failover Routing Policy

Diagram: Amazon Route 53 in front of highly available ELB load balancers in the US-East region (active) and the Paris region (active).

- Create health checks: health of the ELB, health of the entire site or region
Geo Load Balancing

Diagram: Amazon Route 53 distributing traffic across two regions, each with two availability zones hosting the web app.
Latency Based Routing

- Route traffic based on the lowest network latency for your end user
- Create a latency resource record set in each region that hosts your resource
- Route 53 selects the latency resource record for the region with the lowest latency

Diagram: a user measures 38 msec to the US-East region and 300 msec to the Paris region; Route 53 answers with the US-East record.
Weighted Routing Policy

- Split traffic based on different weights assigned to resources
- Assign 20 % of your traffic to one AZ and 80 % to the other AZ

Diagram: Amazon Route 53 sending 80 % of traffic to the US-East region and 20 % to the Paris region.
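The four Route 53 routing policies on the slides above (failover, geolocation, latency-based, weighted), written out as the selection logic a resolver applies to a record set. This is an added example, not part of the deck and not Route 53's own code; the Record type, the endpoint names, the country codes and the per-location latency table are constructed, with the slide's 38 ms / 300 ms latencies and 80/20 weights.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    """One record in a Route 53 record set (constructed for this example)."""
    name: str
    target: str                        # DNS name the answer points at
    healthy: bool = True               # result of the associated health check
    role: str = ""                     # "PRIMARY" or "SECONDARY" for failover routing
    weight: int = 0                    # for weighted routing
    latency_ms: Dict[str, float] = field(default_factory=dict)  # measured per client location
    locations: Tuple[str, ...] = ()    # geolocation codes; "*" marks the default record


def failover(records: List[Record]) -> Optional[Record]:
    """Failover: answer with the primary while its health check passes, otherwise
    with the secondary; nothing is answered here if neither is healthy."""
    by_role = {r.role: r for r in records}
    primary, secondary = by_role.get("PRIMARY"), by_role.get("SECONDARY")
    if primary is not None and primary.healthy:
        return primary
    if secondary is not None and secondary.healthy:
        return secondary
    return None


def latency_based(records: List[Record], client_location: str) -> Optional[Record]:
    """Latency-based: the healthy record whose region has the lowest measured
    latency to the client's location."""
    candidates = [r for r in records if r.healthy and client_location in r.latency_ms]
    if not candidates:
        return None
    return min(candidates, key=lambda r: r.latency_ms[client_location])


def weighted(records: List[Record], roll: float) -> Optional[Record]:
    """Weighted: each healthy record is chosen in proportion to its weight.
    `roll` in [0, 1) stands in for the resolver's random draw so results are reproducible."""
    candidates = [r for r in records if r.healthy and r.weight > 0]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return None
    threshold = roll * total
    running = 0
    for record in candidates:
        running += record.weight
        if threshold < running:
            return record
    return candidates[-1]


def geolocation(records: List[Record], client_country: str) -> Optional[Record]:
    """Geolocation: the healthy record listing the client's country, else the default record."""
    healthy = [r for r in records if r.healthy]
    for record in healthy:
        if client_country in record.locations:
            return record
    return next((r for r in healthy if "*" in r.locations), None)


# Constructed records: latencies as on the slide (38 ms vs 300 ms), weights 80/20.
US_EAST = Record("us-east", "elb-us-east.example.com", role="PRIMARY", weight=80,
                 latency_ms={"new-york": 38.0, "singapore": 240.0}, locations=("US", "CA", "*"))
PARIS = Record("paris", "elb-paris.example.com", role="SECONDARY", weight=20,
               latency_ms={"new-york": 300.0, "singapore": 180.0}, locations=("FR", "DE"))
US_EAST_DOWN = replace(US_EAST, healthy=False)   # the same record with a failing health check
RECORDS = [US_EAST, PARIS]

if __name__ == "__main__":
    print("failover, primary healthy:", failover(RECORDS).name)
    print("failover, primary down:   ", failover([US_EAST_DOWN, PARIS]).name)
    print("latency from new-york:    ", latency_based(RECORDS, "new-york").name)
    print("weighted, roll 0.85:      ", weighted(RECORDS, 0.85).name)
    print("geolocation for FR:       ", geolocation(RECORDS, "FR").name)
```

Every policy filters on the health check first, which is the exam point behind "create health check status": an unhealthy record is never returned, whatever its latency, weight or location says.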


Disaster Strategies Compared

Strategy                  Mode             RPO / RTO   Characteristics                                                    Cost
Backup/Restore            Active/Passive   Hours       Low priority; provision resources after failure                    $
Pilot Light               Active/Passive   < 1 hour    Data live, services idle; provision and scale after failure        $$
Warm Standby              Active/Passive   Minutes     Services running smaller; scale after failure; business critical   $$$
Multi-Site Active-Active  Active/Active    Real-time   No downtime; near-zero data loss; mission critical                 $$$$
Multi-Region Backup

Diagram: the US-West region runs the app servers, a DB instance, and a backup server; AMIs, snapshots, and backups are copied to S3 in the AP-Southeast region.
Multi-Region Pilot Light Setup

Diagram: Route 53 points at the US-West region, where the web servers, app servers, and DB primary are running. Multi-region synchronization copies snapshots and AMIs (web, app, DB) to the AP-Southeast region, where the web and app EC2 instances are off; database synchronization keeps a DB replica in AP-Southeast.
Multi-Region Pilot Light Response

Diagram: DNS is redirected, so Route 53 now points at the AP-Southeast region. The web and app EC2 instances there are turned on from the synchronized snapshots and AMIs and scaled out, and the DB replica becomes the new DB primary.
Warm Standby with Aurora Global Database

Diagram: Route 53 in front of two regions, one active and one inactive for production traffic. Each region has a VPC with Elastic Load Balancing, a web tier Auto Scaling group, and an app tier Auto Scaling group spread across two availability zones. The active region holds the Aurora primary with its shared cluster data volume and Aurora replicas; the standby region holds an Aurora cluster with replicas and a cluster snapshot. Database synchronization: asynchronous replication through Aurora Global Database.
DynamoDB Deployed as a Global Table

Diagram: Route 53 in front of two active regions. Each region has a VPC with Elastic Load Balancing, a web tier Auto Scaling group, and an app tier Auto Scaling group spread across two availability zones, with DynamoDB in each availability zone. DynamoDB global tables replicate automatically between the regions, with continuous backup in each.
AWS Global Accelerator

- User application requests are moved onto the AWS private network using global edge locations
What we covered:

- Designing for Reliability and Resiliency
- Designing for Security and High Availability
- Well-Architected Framework
- AWS Regions and Availability Zones
- Edge Locations and Edge Services
Question 1

Your hosted application is running in US-EAST-1. You have selected three availability zones: us-east-1a, us-east-1b, and us-east-1c. The application design mandates that five EC2 instances be online and available at all times. Which production deployment will provide the required high availability and fault tolerance if one availability zone in us-east-1 fails? (Choose 2 answers)

A. Two EC2 instances in us-east-1a, two EC2 instances in us-east-1b, two EC2 instances in us-east-1c.
B. Four EC2 instances in us-east-1a, four EC2 instances in us-east-1b, and no EC2 instances in us-east-1c.
C. Three EC2 instances in us-east-1a, three EC2 instances in us-east-1b, three EC2 instances in us-east-1c.
D. Five EC2 instances in us-east-1a, five EC2 instances in us-east-1b, and two EC2 instances in us-east-1c.
E. Five EC2 instances in us-east-1a, two EC2 instances in us-east-1b, and two EC2 instances in us-east-1c.
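As an added check of the capacity arithmetic this question turns on (not part of the original deck): losing the zone that carries the most instances is the worst case, so each layout is judged by what remains after that loss. The option layouts are the question's own; the function names are assumptions, and the last function generalises the rule to any number of zones and tolerated failures.

```python
# Option layouts from the question (instances per availability zone).
OPTIONS = {
    "A": {"us-east-1a": 2, "us-east-1b": 2, "us-east-1c": 2},
    "B": {"us-east-1a": 4, "us-east-1b": 4, "us-east-1c": 0},
    "C": {"us-east-1a": 3, "us-east-1b": 3, "us-east-1c": 3},
    "D": {"us-east-1a": 5, "us-east-1b": 5, "us-east-1c": 2},
    "E": {"us-east-1a": 5, "us-east-1b": 2, "us-east-1c": 2},
}
REQUIRED_INSTANCES = 5


def surviving_capacity(instances_per_az, failed_azs=1):
    """Worst-case number of running instances after `failed_azs` zones are lost:
    the zones carrying the most instances are the ones whose loss hurts most."""
    counts = sorted(instances_per_az.values(), reverse=True)
    return sum(counts[failed_azs:])


def tolerates_az_failure(instances_per_az, required, failed_azs=1):
    return surviving_capacity(instances_per_az, failed_azs) >= required


def evaluate_options(options=OPTIONS, required=REQUIRED_INSTANCES):
    """Map each option letter to whether it still meets `required` after one AZ fails."""
    return {letter: tolerates_az_failure(layout, required) for letter, layout in options.items()}


def minimum_even_spread(required, az_count, failed_azs=1):
    """Smallest equal per-AZ count such that losing `failed_azs` zones still
    leaves `required` instances running (the N+1 rule generalised)."""
    surviving_zones = az_count - failed_azs
    if surviving_zones <= 0:
        raise ValueError("not enough zones to survive that many failures")
    return -(-required // surviving_zones)   # ceiling division


if __name__ == "__main__":
    for letter, ok in evaluate_options().items():
        worst = surviving_capacity(OPTIONS[letter])
        print(f"Option {letter}: {worst} instances survive one AZ loss -> {'meets' if ok else 'fails'} requirement")
    print(f"an even spread over 3 AZs needs {minimum_even_spread(5, 3)} instances per AZ")
```

The same function answers the design question behind the exam item: for five required instances across three zones, each zone needs three, because only two zones can be counted on.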
Question 2

Your SaaS application is specifically designed for two distinct geographical areas. As a result, your application was hosted in one region in the United States (Ohio) and in AWS Europe (Paris). Over time, however, your application became popular in other parts of the world; customers are complaining of slow access speeds when accessing the application. You need to provide a solution. Which option solves your latency problems?

A. Deploy Amazon Route 53 traffic policies utilizing latency-based routing records.
B. Deploy AWS Global Accelerator endpoints in the deployed regions.
C. Deploy the web server assets using Amazon S3 Cross-Region Replication.
D. Deploy high-speed AWS Direct Connect connections.
Question 3

What AWS services could be considered to improve the networking performance for a global audience? Choose two answers. (Choose all that apply)

A. Amazon API Gateway.
B. AWS Global Accelerator.
C. Amazon CloudFront.
D. Amazon Route 53 health checks.
Question 4

Your web application is hosted on EC2 instances located behind a public-facing Application Load Balancer. The web tier performance is managed by an EC2 Auto Scaling group, and instances are hosted across multiple availability zones. Website data consists of static files stored on shared Amazon EFS storage. How can the performance of the web application be increased for a global audience?

A. Use Amazon CloudFront to cache the static web application images.
B. Move the web application images into an Amazon S3 bucket.
C. Decrease the resolution of the images.
D. Increase the power of the EC2 instances powering the web application.
Question 5

A web application uses an Amazon RDS MySQL instance in a single availability zone to store the application's search index and thousands of JPEG image files. A cost analysis of the application recommends deploying a different storage solution for the graphic files and embracing a high-availability solution. How can you achieve these goals? (Choose two answers)

A. Store the JPEG images in an Amazon S3 bucket and enable transfer acceleration.
B. Increase the size of the database instance storage.
C. Store the JPEG images in an Amazon S3 bucket fronted by an Amazon CloudFront distribution.
D. Add a second availability zone for the Amazon RDS MySQL deployment.
Question 6

The application specifications for the data store hosted at AWS have the following requirements:

- The data store will be 12 TB. Data growth will be approximately 10 GB per day.
- There must be three copies of the data. Data compatibility must be MySQL.
- The database must be able to be replicated across multiple regions.

Which of the following data store options would meet these requirements?

A. Amazon Aurora.
B. Amazon DynamoDB.
C. Amazon Redshift.
D. Amazon ElastiCache.
Question 7

Two years ago, the graphics department moved its operations to AWS. Last year application development was moved to AWS. The accounting department is now moving to AWS. Compliance requirements dictate that each department must use its own AWS account. How can the charges for the AWS services used by each AWS account be consolidated into one bill?

A. Use resource groups to group AWS resources.
B. Use AWS Control Tower.
C. Deploy AWS Organizations.
D. Use tags and AWS Cost Explorer to create custom bills for each AWS account.
Question 8

Your company has deployed AWS Organizations to manage the multiple AWS accounts currently being used. You want to share specific database resources deployed in subnets for test and dev environments with multiple AWS accounts. What utility can help you achieve this goal?

A. Use AWS Control Tower to control access to resources for all new administrative accounts.
B. Create AWS IAM policies giving developers the ability to create subnets and resources on subnets. Assign the security policies to the associated development IAM groups.
C. Use AWS Resource Access Manager to share subnet resources with other member accounts.
D. Create a service control policy and assign it to the master account in the AWS Organizations tree.
Question 9

A popular web application is hosted in a single AWS region. The application is hosted behind an Application Load Balancer. Route 53 is used to manage the DNS records of the load balancer. What could be done to reduce disruptions if a natural disaster were to occur within the region?

A. Use an additional ELB to divert traffic to the application stack hosted in another region.
B. Use an additional ELB to divert traffic to the application stack hosted in another AZ.
C. Use AWS CloudFormation to automate the creation of backup resources in another AZ.
D. Use Amazon Route 53 health policies to direct requests to the application stack hosted in a different AWS region.
Question 10

An RDS deployment has worked very well for several years but is now under constant load with many database queries. The database has many hotspots, and queries take 5 to 10 seconds to respond. The users of the database are in different geographical areas. What is the best solution to increase the database and query performance?

A. Add a read replica to the Amazon RDS design.
B. Add the database instances to an EC2 Auto Scaling group.
C. Place the Amazon RDS database instances behind a load balancer.
D. Subscribe the database instances to the Amazon Simple Notification Service.
Appendix

Security Pillar

- Protect information, systems, and assets, and deliver business value through risk assessments and mitigation strategies
- Design using the principles of least privilege and separation of duties
- Monitor, alert, and audit actions and any changes to your environment
- Design using security at all layers
- Defense-in-depth approach with security controls at all layers

Reliability Pillar

- The ability of an application stack to recover from infrastructure or service disruptions
- Dynamically acquire resources to meet user demand
- Mitigate disruptions such as system misconfigurations or networking issues

Cost Optimization

- Measure business output against costs
- Increase output while reducing costs
- Analyze the usage and costs of systems
- Measure return on investment (ROI)
- Use managed and application-level services to reduce the cost of ownership

Performance Efficiency

- Democratize advanced technologies
- Use cloud-hosted services that hide the required expertise
- Multi-region applications
- Serverless architecture
- Lambda / automation
- Use the best technology available for your solution

Operational Excellence

- Refine operational procedures frequently
- Always look for ways to improve existing procedures
- Anticipate failure
- Perform testing to identify single points of failure so they can be removed or mitigated
- Test failure scenarios and response procedures
- Learn from operational failures through lessons learned
