AWS-SAP


What are limitations associated with SQS?

- 4d storage of messages; can be increased to 14d max.
- Optional FIFO.
- 256 KB max message size. Using the Java SDK, can increase up to 2GB by creating pointers to S3.

What are the limits associated with S3?

- 5TB largest object size (must use multipart upload; use multipart upload if >100MB).
- 5GB largest object in a single PUT.
- Only one update to an object can be processed simultaneously (atomic).

What are the defaults for VPCs and subnets in every region?

- A VPC is created in every region with the 172.31.0.0/16 block (65,536 IPs).
- In every AZ, a subnet of size /20 (4,096 IPs) is created.
- An Internet Gateway is created for the default VPC.
- A default SG for the VPC allows all outbound traffic and allows traffic within the same SG.

What are the differences between AWS NAT Gateway and Internet Gateway or a manual NAT instance?

- Can create multiple AWS NAT Gateways across subnets for more bandwidth (5 Gbps each, scaling to 45 Gbps).
- Internet Gateway has no bandwidth limits.
- Cannot associate a security group with the NAT Gateway itself.
- NAT instance can have an SG since it has an ENI.
- NAT Gateway is better than a traditional NAT unless you need a bastion anyway, or unless you are cost-conscious, as NAT-GW is charged per hour.
- NAT Gateway can have only one EIP, which cannot be disassociated after creation.
- NAT instance has an ENI which can be transferred.
- Cannot route traffic from VPC peering, Site-to-Site VPN, or Direct Connect.
- NAT instance and NAT Gateway cannot handle IPv6; use an Egress-only IGW for that.

What is AWS Redshift and how does it relate to regions?

- Data warehouse based on PostgreSQL, PB scale.
- Provision nodes (NOT serverless) in a single AZ. No replication between AZs; need separate clusters per AZ.
- Use Redshift Spectrum to access data in S3 without loading it into Redshift.

Steps to expand EBS capacity?

- Detach (must stop the instance if it's the root volume)
- Snapshot
- Create a new EBS volume from the snapshot with a bigger size
- Remount
- OS-level re-partition operation

What is the difference between costs for EBS vs EFS?

- EBS charges for GBs provisioned; EFS charges for GBs used.
- EFS is 3x the cost of EBS (but can be mounted to different instances).

How do EBS vs EFS vs Instance stores relate to instances and cost?

- EBS is mounted to ONE instance at a time.
- EFS can be mounted to multiple instances using mount points, NFSv4 and NFSv4.1.
- EFS costs a lot more than EBS and S3 (3x more than EBS, 20x more than S3).
- Instance store is fastest (much, much faster) as it is on the same physical server as the VMs, but it is ephemeral.
- Instance store first write op is slower; need to pre-warm.

How could EFS performance be improved?

- Enable async writes
- Throughput mode (Burst vs Provisioned)
- General Purpose vs Max IO mode (IO vs latency)
- Filesystem usage (baseline is 50MiB/s per TB)

What are the options for Glacier Retrieval?

- Expedited. Typically available within 1-5 minutes unless the archive is large (250+MB). May fail unless capacity is provisioned.
- Standard. Within 3-5 hours.
- Bulk. Retrieve PBs of data, within 5-12 hours.
Expedited is 3x the price of Standard; Standard is 4x the price of Bulk.

When using Storage Gateway, what are the interfaces suitable for iSCSI vs SMB?

- File Gateway supports SMB (v1 or v2) and NFS (v3, v4.1). Async to S3; allocate your own cache; doesn't store data.
- Storage Gateway supports iSCSI. Stored Mode is write-back async into S3. Cached Mode has primary data on S3 with a local cache.
- Tape Gateway (Virtual Tape Library) supports iSCSI/VTL. Backed by Glacier.

What is the difference between using Kinesis Firehose vs Lambda to process a Kinesis Data Stream?

- Firehose can transform using a Lambda function before processing, and can buffer larger volumes.
- Lambdas would be shard-specific and invoked per batch window, which is short and potentially means many more Lambda invocations.

Compared to RDS, what does Aurora do?

- For MySQL and PostgreSQL only. For MySQL, replication requires InnoDB.
- Faster storage. Max of 128TiB.
- Automated read replicas (has write/read endpoints) and autoscaling of read replicas.
- Multi-AZ by default; synchronously replicates across AZs into 6 storage nodes.
- Creates writer-reader endpoints.
- Backtracking.

What are the redundancy and security differences between AWS Managed VPN and Direct Connect?

- Managed VPN has two endpoints on AWS for redundancy and supports multiple gateways on the user side (but uses only 1 at a time).
- VPN works using IPsec VPN (encrypted) over the EXISTING Internet connection.
- DX has no redundancy or encryption (encouraged to have a VPN for redundancy).

Feature difference between NACL and Security Groups?

- Only one NACL per subnet.
- For NACL, traffic is processed BEFORE entering or leaving the subnet.
- NACL is stateless (must open outbound ephemeral ports).
- Security groups are stateful (return traffic is always allowed).
- NACL defaults to allow all inbound/outbound.
- NACL can specify allow/deny rules. Rules are processed in order.
- Security groups can only specify allow rules.
- Security groups default to allow all outbound and allow inbound within the group.

What does a NAT Gateway do?

- Provides public connectivity for private subnets.
- Update the private subnet route table to point to the NAT gateway alias/id.

How does AWS Batch run workloads?

- Runs containerized jobs.
- EC2 or ECS (on EC2 or Fargate).
- Define Jobs and Job Definitions, which get placed in a Job Queue.

What are resources associated with ENIs?

- Security groups are actually associated with ENIs, not the instance.
- Auto-generated external IP that is lost on stop, reboot, or terminate.
- Can attach an EIP.
- Can have more than 1 internal IP depending on instance type.
- Has a primary IPv4 address and a MAC address.
- ENIs belong to subnets.

What's the advantage of attaching multiple ENIs to an instance?

- Security groups belong to ENIs. Can separate public and private SGs.
- Can separate public and private subnets: one connected to a private VGW and one to a public IGW.
- Separate VPC flow logs to differentiate public and private traffic.

How to improve ENI bandwidth?

- Single-flow bandwidth is limited to 5Gbps.
- Can use Jumbo Frames (9001 MTU instead of 1500) but only within VPC/Direct Connect; otherwise too fragmented.
- Can get 10Gbps by using a cluster placement group + Enhanced Networking, for instances in the cluster.
- Up to 25Gbps using the Elastic Network Adapter (ENA).
- Up to 10Gbps using the Intel 82599 Virtual Function (VF).
- CANNOT use NIC teaming by having multiple ENIs.

What are the storage classes for S3 and their min storage durations?

- Standard (no min)
- Standard-IA (30d)
- One Zone-IA (30d)
- RR [not recommended] (no min)
- Intelligent Tiering (30d)
- Glacier (90d)
- Glacier Deep Archive (180d)

What are features, limitations and costs for AWS Snowball?

- Up to 80TB (8x10). Service fee per job.
- Has self-contained power and network connections.
- Snowball Edge comes with Lambdas to process data before storage, e.g. in the Arctic.
- HIPAA compliant, KMS encryption.

What are the CIDR mask ranges allowed by AWS VPCs?

/16 (2^16=65,536 IPs) to /28 (2^4=16 IPs)

What's the min billable object size for S3 IA storage classes?

128 KB

What are the 3 most common CIDR ranges (as per RFC1918)?

- 172.16.0.0/16
- 192.168.0.0/16
- 10.0.0.0/16

What are the limitations and costs associated with Glacier?

- 40TB limit per archive
- 5% of monthly storage can be retrieved for free
- Data is immutable
- After Glacier Vault Lock is set, the policy is immutable (e.g. require MFA)

What are the capacities and limits associated with Kinesis Data Streams?

- 500 shard limit
- 1000 requests/s per shard OR 1MB/s
- 1MB per record
- Defaults to 24h retention; can be increased up to 7 days or 365 days
- Output 2MB/s for the entire stream, or 2MB/s per consumer with enhanced fan-out

What is a preferred way to run Lambdas on a schedule?

AWS EventBridge. Recommended over CloudWatch Events.

What can EFS attach to?

Anything that is NFS v4-compatible and can access the IP privately. Note that the VPC must be a private subnet.
- EC2
- ECS
- EKS
- CodeBuild
- Fargate
- Lambda
- On-prem via VPN/DX

What are options for Data Warehouse/Data Lake in AWS?

- Athena (S3-based, SQL compatible). Serverless, on-demand pricing.
- Redshift (based on PostgreSQL). Provisioned pricing.
- Redshift Spectrum (works off S3 like Athena, but Redshift-based).
- AWS EMR

What does ACID stand for?

Atomic, Consistent, Isolated, Durable

Why would you detach ENIs?

Attach licensing to an ENI (using an EIP) and move it between instances. Assign to a different server temporarily for maintenance.

How is S3 Intelligent Tiering different from Lifecycle Management?

- Automatic, with a small charge for evaluations of lifecycle change.
- Moves between IA and Standard tiers per object depending on per-object usage.
- Minimum 30d billable.
- Minimum 128 KB object size; otherwise cannot apply.
- Access by Athena/Redshift moves objects back to Standard.

What are the default metrics for ASG target tracking?

Avg CPU, network bytes in, network bytes out. Custom metrics can be added but must be directly related to the number of instances in the ASG.

What is Storage Gateway Virtual Tape Library backed by and its compatibility?

Backed by Glacier, compatible with iSCSI

What does BASE stand for?

Basic Availability (even if stale), Soft-state, Eventual Consistency

What are the throughput modes available for EFS?

Burst (default) vs Provisioned throughput mode.
- Baseline scales with file system size (50MiB/s per 1 TiB of data).
- Bursting throughput mode has a baseline rate and a credit system.
- Billed by MiB/s capacity per month. Default is 50MiB/s per 1 TiB of data, burstable up to double that for up to 12h a day.
- Can switch between throughput modes (24h).
- Monitor BurstCreditBalance and TotalIOBytes in CloudWatch.

What are the languages supported by Lambda?

C#, Golang, Java, NodeJS, PowerShell, Python, Ruby

What are the ways CloudFront can sign resources?

CF signed cookies, CF signed URLs

What does AWS Backup do?

Central platform to manage backups on EC2, EBS, RDS/Aurora, DynamoDB, EFS, Amazon FSx, AWS Storage Gateway.

What does S3 NOT bill against?

- Data transfer out to CloudFront
- Data transfer IN from the Internet
- Intra-region transfer

What are encryption considerations for EBS vs EFS?

- EBS and EFS support encryption (EFS also supports encryption in transit). AES-256.
- EFS separates filesystem encryption (option to use customer keys) from metadata encryption (always AWS managed keys).
- Encrypted EBS snapshots cannot be shared across accounts natively (need to share the key or decrypt first).

How do EBS vs EFS relate to AZs and regions?

- EBS is tied to a single AZ (but Snapshots are regional).
- EFS is regional; create a mount target per AZ (but a common mount target is available now).

What are possible consumers of Kinesis Data Stream?

FLICKK
- Firehose
- Lambda (has more limitations compared to Firehose)
- IoT Analytics
- Custom consumer using the AWS SDK (Java)
- KDA
- Kinesis Client Library. KCL takes care of things like checkpointing, responding to failures, etc.

What are the considerations for EFS mounting?

- An FQDN is generated per region. Format: http://[file-system-id].efs.[aws-region].amazonaws.com/.
- Needs to be mounted in every AZ. If using the One Zone storage class, can only have one mount target.
- Linux-only.

What is CloudFront Origin Shield?

For multi-CDN, multi-region cases as an additional caching layer to share cache keys in front of CDNs.

How many nines of availability is S3 associated with?

- Four 9s for Standard (99.99%)
- Three 9s for IA

What are the performance modes for EFS?

GP vs Max IO
- Defaults to GP.
- Max IO to be used when >7k IOPS.
- Max IO supports more FS IOPS, but has higher latency.
- No price difference between the two.
- Monitor the PercentIOLimit CloudWatch metric.

In DynamoDB, what is the difference between capacity provisioning for a GSI vs an LSI?

GSI has separate capacity (WCU/RCU). LSIs share from base table.

What is AWS Neptune?

Graph database

What ecosystem does AWS EMR replace?

Hadoop (Also Spark, HBase, Presto and Flink)

What is VPN Cloudhub good for?

Hub-and-spoke model to link remote offices. The hub is AWS. No redundancy.

What are the differences between S3 IA and Standard classes?

- IA costs more to retrieve
- IA costs less to store

What are the provisioning considerations for EBS?

IOPS vs Throughput.
- IOPS = input/output, aka changes made. SSDs are better for this (random access pattern): boot volumes, NoSQL.
- Throughput = amount of data read/written. HDDs are better for this: big data, data warehouse, logs.
- SSD Provisioned IOPS for DBs, SSD General Purpose for boot volumes, HDD throughput for big data.

What is a software VPN good for?

If you need a VPN that is not supported natively, like OpenVPN.

What are features of EBS snapshots?

Incremental (saves cost); interim snapshots can still be deleted. In-progress snapshots are not affected by ongoing R/W. For app-consistent snapshots, it is better to pause writes or unmount first.

What are the capacities of Instance Store vs EBS vs EFS?

- Instance Store: 6TB SSD, 48TB HDD
- EBS: 16TB SSD, 16TB HDD
- EFS: Petabytes

What is the current consistency model of S3?

It is now strongly consistent for read-after-write.

What is the main difference between an ASG Launch Configuration vs an ASG Launch Template?

LCs cannot be modified; LTs can be versioned.

What is AWS WorkDocs?

Like Dropbox: shared files. Integrates with AD for SSO. No Linux client; has Mac/Windows clients.

What is the purpose of EventBridge?

Links AWS and third-party services (event bus): OneLogin, DataDog, PagerDuty, Zendesk, etc.

What are the use-cases for AWS Timeseries DB?

Machinery, sensors, telemetry. Provides interpolation and smoothing. Integrated with IoT Core.

What are the types of scaling for ASGs?

- Maintain X instances
- Scheduled
- Dynamic (simple, step scaling, target tracking)

What does AWS DataSync do?

Manage migrations. Transfer and keep data in sync from on-prem to EFS or S3.

What is Amazon FSx?

Managed storage for Windows File Server over SMB. Integrates with AD. Low cost HDD storage for Windows.

What is the formula for calculating the number of DynamoDB partitions?

Max of [(RCU/3000 + WCU/1000), Data size/10GB]

Difference between ElastiCache Memcached vs Redis?

Memcached is simple. Sharding but no replication. Single AZ. No encryption. Redis has HIPAA compliance, complex data structures, persistence, Pub/Sub, Multi-AZ replication, backup/restore, encryption.

What is Transit VPC good for?

Multi-cloud and on-prem linking.

What are the DB engines supported by RDS?

- MySQL and MariaDB
- PostgreSQL
- MS SQL Server
- Oracle

What are the reserved addresses in every VPC?

NRA
- .0 (first) = Network address
- .1 = VPC Router
- .2 = AWS DNS/DHCP
- .3 (fourth) = Reserved
- .255 (last) = Broadcast

How many nines of durability is S3 associated with?

- Nine 9s for Standard and IA
- Four 9s for RR (but RR is not recommended)

On AWS, is the HDFS associated with EMR persistent?

No, it is ephemeral.

Does DynamoDB scale down if table consumption drops to 0?

No; it doesn't know whether usage is low or the table is simply not used.
- Workaround 1: send requests until it scales down.
- Workaround 2: manually reduce max capacity to equal min.

What are the ephemeral port ranges and their importance?

On Windows, 1024-65535; on Linux, usually 32768-65535. Ephemeral ports are used to communicate back to the party who initiated the inbound connection (e.g. ephemeral outbound should be left open if the filtering is stateless, like for NACLs).

What are possible producers for Kinesis Data Stream?

PADS
- Producer library KPL (Java). This has an additional processing delay of up to RecordMaxBufferedTime. Supports Glue Schema Registry.
- Kinesis Agent (standalone Java agent), monitors files.
- DMS can be a source.
- SDK for KDS (Java) custom implementation. Can be faster.

Under shared responsibility model, what layers is AWS in charge of?

Please Do Not Throw Sausage Pizza Away.
- Physical, Data Link = AWS
- Network, Transport, Session, Presentation, Application = Customer

How would you test ASG predictive scaling outcomes?

Predictive scaling can be set to forecast first instead of applying changes.

Role of Internet Gateway (IGW) and its conditions?

- Provides public internet access.
- A logical connection between the VPC and the Internet. Not a physical device.
- Resources MUST have a public IP. Use a NAT Gateway if there is no public IP.
- Translates between private and public IPs.
- Should be the route target (default route) using its alias.

How to optimize Glacier Retrieval?

Range Retrieval (retrieve byte ranges at 1MB intervals)

Are VPCs cross-region, regional, or AZ-based?

Regional.

What IAM/auth security can be applied to S3?

- Resource-based (Object ACL, Bucket Policy)
- User-based (IAM policies)
- MFA before deleting or changing version state

When storing BitTorrent objects, which AWS service is used?

S3 (<5GB limit)

What tool to use for recommendations on establishing S3 lifecycle rules?

S3 Storage Class Analysis

How to reliably transfer files over S3 into a centralized bucket?

S3 Transfer Acceleration (Works like CloudFront in reverse)

What is the scope of security groups vs NACLs?

- SGs are scoped to the VPC (multiple SGs can be combined). SG rules are allow-only.
- NACLs are scoped to the subnet. Can be re-used, but every subnet can have only one NACL. Allow and deny rules.

What are fanout endpoints for SNS?

SHELF
- SQS
- HTTP(s)
- Event fork
- Lambda
- Firehose

What are possible consumers of Kinesis Firehose?

SHREK 3
- S3
- HTTP endpoints
- Redshift
- ES
- Kinesis Data Analytics
- 3rd party providers like Splunk, Datadog, etc.

What are encryption options for S3?

- SSE-S3: use S3's keys. AES-256.
- SSE-C: use customer keys.
- SSE-KMS: use keys from AWS KMS.
- Client-side: encrypt yourself before uploading.

What is the main difference between Simple Workflow Service and Step Functions?

SWS when there are manual review steps or external processes. SF is recommended when AWS service components are required.

Comparing simple scaling, step scaling, and target tracking, which use cooldown periods vs warmup periods?

Simple scaling uses cooldown before re-evaluating the health check. Step and target use a warmup before including new instances in tracking metrics.

How does AWS Batch consume resources?

Spins up instances/containers to run Jobs, and terminates them when done.

Storage classes for EFS?

- Standard
- Standard-IA
- One Zone
- One Zone-IA

What does S3 bill against?

- Storage (according to tier)
- Requests
- Lifecycle transition (for Intelligent Tiering)
- Data retrieval requests (Expedited Glacier retrieval)
- Data retrieval per GB (Expedited Glacier retrieval)
- Data transfer out to the Internet
- Data transfer between regions
- Storage Class Analysis
- Object Tagging

Difference between TCP, UDP, ICMP?

- TCP = Stateful connections, e.g. HTTP, email, file transfer
- UDP = Stateless connections, e.g. streaming, DNS
- ICMP = Exchange info, e.g. traceroute, ping

How often does ASG predictive scaling update its rules and how far ahead does it forecast?

Updated ONCE a day, forecasts for 2 days.

How would EFS work with on-prem servers?

- Use Direct Connect to mount (note that DX is insecure), or AWS VPN.
- Ensure the SGs of the EFS mount targets (which are ENIs) allow port 2049.
- For HA, have multiple mount points on-prem pointing to different AZ mount targets for EFS.
- AWS DataSync can keep EFS in sync.

How to secure S3 to applications privately within AWS?

VPC endpoints. S3 is a Gateway VPC endpoint; point the route table at it using the prefix list.

When is DynamoDB DAX not appropriate?

- Write-intensive use-cases. Because it's a write-through cache, it is not efficient (more latency).
- When read consistency is always required.
- Expense (the DAX cluster should run across all AZs).

Does CF have zone apex support? (No www. in front of URL)

Yes; alias it in Route 53.

Is Amazon MQ regional?

Yes. HA within a region.
