Missed Questions
What must the name of a fifo queue end with?
.fifo suffix. This also counts towards the 80-character name limit. To determine if a queue is fifo, check whether it ends with this suffix
What does an AMI include?
1+ EBS snapshots for instance-store-backed AMIs, a template for the root volume of the instance Launch permissions to control which aws accounts can use the ami to launch instances block device mapping that specifies the volumes to attach to the instance when its launched
ECS features
1. AWS - specific platform that supports Docker containers 2. considered simpler to learn and use 3. leverages AWS services like Route 53, ALB, and CloudWatch 4. "tasks" are instances of containers that are run on underlying compute but more or less isolated 5. limited extensibility
2 types of rebalancing activities in an ASG
1. AZ rebalancing 2. Capacity rebalancing
DynamoDB use cases
1. AdTech keyvalue store for marketing data like user profiles, user events, clicks, etc. Any use cases that require high request rate (millions per second), low predictable latency (10-20ms) and reliability such as Real-time bidding (RTB), ad targeting, and attribution 2. Gaming store game state, player data, session history, leaderborads, all with <9ms latency. 3. Retail great for extreme scaling use cases such as Prime Day. Shopping carts, workflow engines, inventory tracking/fulfillment, customer profiles 4. Banking/Finance User transactions, event-driven transaction processing, fraud detection
What is an optimal workflow to automate the analysis of multi-speaker audio files?
1. Audio file placed in S3 raw bucket 2. Upload of file triggers lambda function which leverages Transcribe 3. Output of Transcribe lambda is placed into a processed bucket 4. Athena can be used to analyze files in this processed bucket with SQL
A silicon valley based startup focused on the advertising technology (ad tech) space uses DynamoDB as a data store for storing various kinds of marketing data, such as user profiles, user events, clicks, and visited links. Some of these use-cases require a high request rate (millions of requests per second), low predictable latency, and reliability. The startup now wants to add a caching layer to support high read volumes. As a solutions architect, what AWS services would you recommend as a caching layer?
1. DynamoDB Accelerator (DAX). a. fully managed b. highly available c. in-memory cache for dynamodb d. 10x performance from ms to microseconds at millions of requests per second) e. does not require devs to manage cache invalidation 2. ElastiCache for Memcached ideal front-end for data stores like RDS or DynamoDB Provides high performance middle tier for apps with extremely high request rates or low latency reqs
Best practices for deploying Lambda functions
1. Lambda functions operate out of an AWS-owned VPC. VPC-enable a lambda if it needs to interact with private resources 2. If you are reusing code for multiple functions, consider creating a Layer and deploying your function there 3. Keep package size and dependencies to a minimum to decrease cold-start time 4. Since Lambda scale extremely fast, monitor concurrency with CloudWatch alarms to prevent downstream impacts. 5. Over-provision memory but not function timeout.
When to use SQS instead of Kinesis Data Streams
1. Messaging semantics such as message-level acknowledge/fail, and visibility timeout. 2. individual message delay 3. dynamically increasing concurrency/throughput at readtime (KDS can do this but must provision the shards ahead of time)
What 2 types of message queues can we use with SQS?
1. Standard queues - best effort ordering (may be delivered in different order from which they were sent) 2. FIFO queues - order in which messages are sent is strictly preserved
One of the biggest football leagues in Europe has granted the distribution rights for live streaming its matches in the US to a silicon valley based streaming services company. As per the terms of distribution, the company must make sure that only users from the US are able to live stream the matches on their platform. Users from other countries in the world must be denied access to these live-streamed matches. How can the company enforce these streaming restrictions?
1. Use georestriction to prevent users in specific geographic locations from accessing content that you're distribuing through a CF web distribution 2. Use Route53 based geolocation rouing policy to restrict distribution of content to only the locations in which you have distribution rights
Cognito user pools vs. Identity pools
1. User pools are for authentication (identity verification). With a user pool, your app users can sign in through the user pool or federate through a 3rd party id provider 2. ID pools are for authorization (access control). You can use identity pools to create unique identities for users and give them access/temporary credentials to other aws services such as s3/dynamodb
When is AZ rebalancing necessary?
1. You change the AZs for your ASG 2. you explicitly terminate/detach instances and group becomes unbalanced 3. an AZ that previously had insufficient capacity recovers and has additional capacity 4. an AZ that previously had a sport price above your max price now has a spot price below your price
When to use Kinesis Data Streams instead of SQS
1. ability for multiple apps to consume the same stream concurrently. 2. ability to consume records in the same order a few hours later.
Use cases for Amazon EventBridge
1. accelerate/modernize architecture with decoupled services and apps. 2. monitor/audit AWS environments and respond to operational changes in your app in realtime 3. extend functionality of your apps by connecting them to other SaaS apps via EventBridge 4. enrich your events from SaaS apps using AWS AI/Machine Learning services to gain valuable insights
What 2 types of last accessed info does Access Advisor provide for IAM?
1. allowed AWS service information 2. allowed action information (available ONLY FOR S3 MANAGEMENT ACTIONS)
UNsupported lifecycle transitions for S3
1. any storage class to S3 standard 2. any storage class to the Reduced Redundancy class 3. S3 Intelligent-Tiering to S3 Standard-IA 4. S3 One Zone IA to S3 standard or S3 Intelligent tiering
NAT Instance characteristics
1. associate a SG with your NAT instance and the resources behind your NAT instance to control traffic 2. use a NACL to control traffic to and from the subnet in which your NAT instance resides 3. use flow logs to capture traffic 4. Manually customize the configuration to support port forwarding 5. can be used as a bastion server 6. when a connection times out, a NAT instance sends a FIN packet to resources behind the NAT
Steps to enable access from the internet for instances in a subnet in a vpc
1. attach an IGW to your vpc 2. add route to your subnet's route table directing internet-bound traffic to your IGW 3. ensure isntances in your subnet have globally unique IP 4. ensure that your NACLs and SG rules allow relevant traffic to/from your instance
EKS features
1. compatible with upstream kubernetes so easy to lift/shift from other kubernetes deployments 2. considered more feature-rich and complex with a steep learning curve 3. a hosted kubernetes platform that handles many things internally 4. "pods" are containers collocated with one another and have shared access to each other 5. extensible via wide array of 23rd party and community addons
Redshift use cases
1. complex analytic queries against petabytes of structured data 2. query optimization 3. massively parallel query execution 4. processing large amnts of data for business intelligence
What are the key characteristics of an ASG configuration?
1. data is not automatically copied from existing instances to a new dynamically created instance 2. If you have an ec2 ASG with running instances and you delete the ASG, the instances will be terminated and the ASG will be deleted 3. EC2 ASGs can span AZs but not Regions
AWS recommendation for subnet groups
1. each subnet group should have subnets in 2+ AZs in a region 2. Configure a subnet group with subnets in each AZ 3. During creation of an RDS instance, select the DB subnet group and AZ within the group to place the RDS db instance in
What rule statements can WAF use to filter traffic
1. geo match 2. IP set match 3. Regex pattern set 4. size constraint 5. SQLi attack 6. String match 7. XSS scripting attack
cognito identity pool use cases
1. give users access to aws resources 2. generate temporary aws credentials for unauthenticated users
What steps must be taken before an instance can receive requests from a load balancer?
1. it must be registered w/target group 2. its target group must be specified in a listener rule 3. the AZ of the target must be enabled for the LB. 4. instance must pass the initial health checks so that its status shows as Healthy
benefits of authenticating with RDS via IAM db auth?
1. network traffic to/from db is encrypted using SSL 2. Use IAM to centrally manage access to db resources instead of managing access individually on each instance 3. for apps running on ec2, you can use profile credentials specific to your ec2 instance to access your db instead of a pw
2 purposes of an internet gateway (IGW)
1. provide target in your vpc route tables for internet-routable traffic 2. perform network address translation (NAT) for instances that have been assigned public ipv4 addresses
What is Kinesis Data Streams
1. real-time processing of streaming big data 2. ordering of records 3. ability to read/replay records in the same order to Kinesis apps 4. Kinesis Client Library (KCL) delivers all records for a given partition key to the same record processor 5. recommended when you need multiple apps to consume the same stream concurrently and independently (e.g. one app updates a realtime dashboard and another app archives data to Redshift)
which s3 storage classes have a minimum storage charge?
1. s3 intelligent tiering 2. standard IA 3. one zone IA
s3 encryption options
1. server-side encryption with s3 managed keys (SSE-S3). 2. Serverside encryption with AWS KMS managed keys (SSE-KMS). Can use kms managed keys or customer master keys. 3. Serverside encryption with client provided keys (SSE-C). Client manages adn stores their own keys. AWS handles the encryption/decryption 4. client-side encryption - client managed keys OR AWS KMS CMK
Route53 routing policies
1. simple 2. failover 3. geolocation 4. geoproximity 5. latency 6. multivalue answer 7. weighted
How to setup a vpc Gateway endpoint
1. specify the vpc in which to create the endpoint, and the service to which your connecting. 2. attach an endpoint policy to your endpoint that allows access to some or all of the service to which you're connecting 3. specify one or more route tables in which to create routes to the service. Each subnet thats associated with one of these route tables has a
SQS encryption
1. supports HTTPS and TLS in-transit 2. Uses serverside encryption (aes-256 KMS) to encrypt messages as soon as SQS receives them. 3. DOES NOT encrypt queue metadata, message metadata, per-queue metrics
redshift encryption
1. supports ssl in transit 2. Encryption at rest using AES 256 redshift can take care of key management or you can use HSM / KMS
AWS recommendations for EC2 origins
1. use AMI that automatically installs the software for a web server 2. use ELB to handle traffic across multiple EC2 instances 3. specify URL of your load balancer as the domain name of the origin server
2 ways to enable client side encryption in s3
1. use a customer master key (CMK) stored in AWS key management service 2. Use master key you store within your own app
2 types of CF distribution
1. web distribution 2. RTMP distribution
How does an Auto Scaling Group determine health status of instances?
1.status checks provided by EC2 to id issues that may impair an instance. Default health checks for an ASG are ec2 status checks only 2. can use health checks provided b the ELB. Disabled by default but can be enabled. ASG considers the instance unhealthy if it fails either EC2 status checks OR ELB health checks. If ANY load balancer reports an instance as unhealthy, the ASG replaces it even if other LBs report it as healthy. 3. custom health checks
capacity of a Snowmobile
100 PB
max visibility timeout for SQS messag
12 hrs
minimum storage duration before transitioning S3 objects from Standard to IA or One Zone IA
30 days
Max messages per second in FIFO queues?
300 send, receive, or delete operations per second. Can increase this by batching messages (up to 10 messages per operation). Max of 3,000 messages per second if 10 messages are batched.
What is a shard in Kinesis?
A uniquely identified sequence of data records in a stream. Each record has a sequence number assigned by Kinesis Data Streams.
cognito user pool use cases
A user pool is a user directory in Cognito. 1. design sginup and signin webpages for your app 2. access and manage user data 3. track user device, location, and IP 4. use custom authentication flow for your app Application Load Balancer can be used to authenticate users for accessing our apps so that we don't have to handle authentication in our app logic. After creating a Cognito user pool, in API Gateway you must then create a COGNITO_USER_POOLS authorizor
What load balancer type is REQUIRED to be enabled in at least 2+ AZs?
ALB
Default settings for Cross zone load balancing for each LB type
ALB - always enabled NLB/GLB - disabled by default. Can be enabled at any time CLB - depends on how created. If created with API or CLI, disabled by default. If created with Console, option to enable is selected by default.
What happens during RDS OS maintenance
After OS maintenance is scheduled, it can be postponed by adjsuting preferred maintenance window or by choosing Defer Upgrade. In a Multi-AZ deployment, OS maintenance is applied to secondary instance first, then the instance fails over and the primary instance is updated. Downtime is duration of the failover. To minimize downtime, modify your RDS db instance to a multi-AZ deployment.
What is ACID-compliance
All RDS transactions are acid-compliant Atomic, Consistent, Isolated, Durable Atomicity - requires that transaction as a whole is successfully executed. If part fails, entire transaction is invalidated. Consistency - data written to db as part of the transaction must adhere to all defined rules and restrictions including constraints, cascades, and triggers. Isolation - makes sure each transaction is independent unto itself Durability - requires that all changes to db be permanent once a transaction is completed.
What is SNI?
Allows you to host multiple TLS secured apps, each with its own TLS cert behind a single LB. To use SNI, you must bind multiple certs to the same secure listener on your load balancer. ALB will automatically choose the optimal TLS cert for each client
what can be endpoints with Global Accelerator?
An endpoint is the resource that Global Accelerator directs traffic to. Can be: NLB, ALB, EC2, Elastic IPs
Difference between ASG scaling vs. load balancer rebalancing
Auto Scaling creates a new scaling activity for terminating the unhealthy instance. LATER, another scaling activity launches a new instance to replace the terminated one. With rebalancing, the new instance is launched before any termination.
when to use S3 as db
BLOBs static websites
which is better for availability and durability - EFS or File Gateway?
Both can be mounted using NFS from on-premise apps. However File Gateway hass much higher availability and durability
How is DynamoDB encryption handled?
By default, all DynamoDB tables are encrypted under an AWS owned Customer Master Key (CMK), which do not write to CloudTrail logs All dynamodb tables are encrypted. This can't be enabled/disabled. You can select an option to encrypt some or all of your tables under a customer-managed CMK or the AWS managed CMK for DynamoDB in your account
What runtimes does Lambda support?
C#/.NET Go Java Node.js Python Ruby
What is capacity rebalancing?
CAn be enabled when using Spot Instances. Once enabled, Auto Scaling tries to launch a spot instance whenever ec2 notifies that a spot instance is at an elevated risk of interruption. After launching a new instance, it terminates the old one.
Listener options for the LB types
CLB: TCP and HTTP/HTTPS ALB: only HTTP/HTTPS NLB: only TCP
Difference between Alias and CNAME?
Can create an Alias record at the top node of a DNS namespace (the zone apex), but you cannot do this for a CNAME. Route53 doesn't charge for alias queries to AWS resources, but does charge for CNAME queries An alias record can only be redirected to select AWS resources like s3, cloudfront distros, and another record in the same Route53 hosted zone. CNAME can redirect DNS queries to any dns record
What is WAF deployed on
Cloudfront Distribution API Gateway ALB AppSync GraphQL API
How to prevent users from circumventing a CF distribution and accessing content directly through your ELB?
Create a VPC security group on the ELB that only accepts the IPs of CF. As CF IPs are updated from time to time, you can use AWS Lambda to automatically update the addresses. This is done using a trigger that is triggered when AWS issues an SNS topic to update when the addresses are changed
How should we disable GuardDuty so that its findings and configurations don't persist anywhere on the cloud?
Disable the service in General Settings.
What is the EC2 source/destination check?
Disabling enables an instance to handle traffic that isn't specifically destined for the instance. E.g. instances running services such as NAT, routing, or firewall should set this value to disabled.
S3 Intelligent Tiering encryption
Does not support encryption by default for data at rest OR in transit
why choose EFS over EBS for simplicity?
EBS is not fully managed and doesn't grow automatically as your data reqs increase. You'd need to increase volume size
When to use EC2 auto scaling vs AWS Auto scaling
EC2 Auto Scaling use ec2 Auto Scaling if you only need to scale ec2 ASGs or are only interested in maintaining health of your ec2 fleet. Use ec2 auto scaling if you need to create or configure ec2 auto scaling groups Use ec2 auto scaling if you are setting up scheduled / step scaling policies AWS Auto Scaling Manage multiple resources across multiple services create predictive scaling for ec2 resources
If 2 ASG scaling policies are met at the same time, which one is used?
EC2 Auto Scaling chooses the policy that provides the largest target capacity. This is applied to both Scale-out and scale-in.
How does auto scaling work when termminating an unhealthy instance?
EC2 auto scaling creates a new scaling activity for terminating the unhealthy instance and terminates it. Later, another scaling activity launches a new instance to replace the terminated instance.
What is EKS?
Elastic Kubernetes Service managed service that can be used to run kubernetes which is an open-source system for automating the deployment, scaling, and management of containerized applications. Use when need open-source, cloud-agnostic container orchestration
According to the Reliability pillar, how should health checks be conducted on a distributed system?
HC system should send the full snapshot of the current state every time. Whether no servers are failing or all of them are, the health check system is doing constant work so large, rapid changes are not a threat to system stability.
What type of connection termination does ALB provide?
HTTPS termination between clients and LB
What undesirable behavior can occur when using target tracking scaling policy with step scaling policies?
If step scaling policy initiates a scale-in before the target tracking policy is ready to scale in, this scale-in activity will not be blocked. After the scale-in completes, the target tracking policy could instruct the group to scale out again
What is a Lambda Layer?
If you intend to reuse code in more than one function, consider creating a Layer and deploying it there.
What happens during an RDS db engine level upgrade?
In a multi-AZ deployment both primary and standby db instances are upgraded at the same time, resulting in downtime until upgrade is complete. Duration of downtime based on size of your db instance
How does a Gateway Endpoint work?
It is a gateway that's a target for a specific route Uses prefix lists in the route table to redirect traffic Only for S3, DynamoDB
what happens if you dont set desired capacity for your ASG?
It is optional. If you do not define your desired capacity upfront, it defaults to your minimum capacity
What is the easiest way to load streaming data into data stores and analytics tools?
Kinesis Data Firehose.
Routing Algorithm for NLB
LB node that receives the connection uses the following processes: 1. Select target from target group for the default rule using a hash algorithm. 2. Routes each individual TCP connection to a single target for the life of the connection. TCP connections from a client have different source ports and sequence numbers and can be routed to different targets
How does an EC2 instance health check work?
Looks at the status of the instance. If instance is in any state other than "running" or if the system status is "impaired". This includes the following states: stopping stopped shutting-dow
difference between Redis and Memcached
Memcached supports multithreaded architecture while redis does not Redis supports advanced data structures, replication, and backups while Memcached does not
How is monitoring configured for ec2 instances using a launch configuration or template?
Monitoring is enabled whenever instance is launched. By default basic monitoring is enabled when you create launch template or use AWS console to create a launch config . detailed monitoring is enabled by default when you create a launch config using the aws cli or sdk
A leading video streaming provider is migrating to AWS Cloud infrastructure for delivering its content to users across the world. The company wants to make sure that the solution supports at least a million requests per second for its EC2 server farm. As a solutions architect, which type of Elastic Load Balancer would you recommend as part of the solution stack?
NLB
Can an ELB distribute traffic across targets in multiple regions?
NO
Can we use dynamodb for storing videos?
NO it is used for storing document data
Are you charged for health checks done by Route53?
No because it is only using existing health checks. You aren't creating any new or custom ones.
Can you connect to a s3 static site using HTTPS?
No, only HTTP
A video analytics organization has been acquired by a leading media company. The analytics organization has 10 independent applications with an on-premises data footprint of about 70TB for each application. The media company has its IT infrastructure on the AWS Cloud. The terms of the acquisition mandate that the on-premises data should be migrated into AWS Cloud and the two organizations establish connectivity so that collaborative development efforts can be pursued. The CTO of the media company has set a timeline of one month to carry out this transition. What are 2 cost-effective solutions for completing the data transfer and then establishing connectivity?
Order 10 Snowball Edge Storage Optimized devices to complete the one-time data transfer Setup a site-to-site vpn to establish connectivity between the on-premises data center and aws cloud
How can you make your lambda functions run faster?
Over-provision memory to run them faster and potentially reduce costs.
What is VPC sharing?
Part of AWS Resource Access Manager (RAM) allows multiple aws accounts to create their resources into shared, centrally managed VPCs. In this model, the account that owns the VPC shares one or more subnets with other accounts that belong to the same AWS Org. After a subnet is shared, participants can view, modify, and delete their app resources in the subnets shared with them. Participants CANNOT view, modify, or delete resources that belong to other participants or the VPC owner
How to encrypt traffic to RDS in transit?
RDS creates an SSL cert and installs the cert on the db instance when RDS provisions it. These certs are signed by a CA. The SSL cert includes the DB instance endpoint as a common name for the SSL cert to guard against spoofing attacks. We can download these root certs and use them when connecting to the RDS DB instanceq
How does RDS Multi-AZ work?
RDS provisions and maintains synchronous standby replica in a different AZ. Failover automatically handled by RDS. When failing over, RDS flips the canonical name record (CNAME) for your DB instance to point at the standby which is promoted to become the new primary URL will remain the same and CNAME record automatically updated
What can SQS be used with?
RedShift, DynamoDB, EC2, ECS, RDS, S3, Lambda
what is connection multiplexing?
Requests from multiple clients on multiple front-end connections can be routed to a given target through a single backend connection improves latency and reduces load on your apps Can be used by CLB and ALB.
How can we determine the health of an ELB endpoint and point DNS to a secondary ELB in case of a failure?
Route53 Health checks
What is DNS Failover for Route53?
Route53 integrates with your ELB to configure and manage health checks for ELB nodes. It combines results of EC2 instance health checks and your ELB health checks to evaluate the health of load balancer + instances + app running on those instances. If any part of the stack goes down, Route53 can detect the failure and route traffic away from the failed endpoint.
What are the supported lifecycle transitions for S3?
S3 standard -> any other storage class any storage class -> Glacier or Deep Archive S3 standard-IA -> S3 Intelligent-Tiering or S3 One Zone-IA S3 Intelligent-Tiering -> S3 One Zone IA Glacier -> Deep Archive
What is an ideal destination for Backup & Restore DR method?
S3.
Should you authorize SGs or CIDRs when optimizing for Security?
SGs. Allowing a CIDR can woprk, but doesnt guarantee that exactlhy one type of thing can access your resources.
How is data encyrpted in transit between applications and RDS db instances?
SSL encryption
what type of termination does a CLB provide?
SSL termination
What protocol does FSx for Windows use?
Server Message Block (SMB)
What is AWS EventBridge?
Serverless event bus that makes it easy to build event-driven apps at scale using events generated from your apps, integrated SaaS apps, and AWS services delivers stream of realtime data from event sources like Shopify or Zendesk to targets like Lambda and other SaaS apps
How to enable Route53 health checks?
Set Evaluate Target Health to true on the record set that targets your ELB
How can we increase records per second (RPS) sent to Kinesis without generating a ProvisionedThroughputException?
Simply calling the PutRecord api in a loop is inadequate application must batch records and implement parallel HTTP requests.
How do launch configurations work?
Specify how an ASG should create instances. You can't modify a launch config once its created. To change launch config for an ASG, use an existing launch config as the basis for a new launch config. Then update the ASG to use the new launch config. New instances will now be generated using the new config, however old instances won't be affected. To update the existing instances, terminate them so that they are replaced by your ASG using the new config.
What type of connection termination does NLB support?
TLS termination
When to use db on EC2
Ultimate control over db preferred DB not available on RDS
How to privately share services between AWS accounts without allowing customers to connect to other instances in the shared services vpc?
Use PrivateLink to create an endpoint for the application in one vpc Route to this endpoint from an NLB in a different VPC
An IT company has built a custom data warehousing solution for a retail organization by using Amazon Redshift. As part of the cost optimizations, the company wants to move any historical data (any data older than a year) into S3, as the daily analytical reports consume data for just the last one year. However the analysts want to retain the ability to cross-reference this historical data along with the daily reports. The company wants to develop a solution with the LEAST amount of effort and MINIMUM cost. What should you recommend?
Use Redshift Spectrum to create Redshift cluster tables pointing to the underlying historical data in S3. Analytics team can query this historical data to cross-reference with daily reports from Redshift
when to use a snowmobile vs. snowball edge?
Use Snowmobile to migrate large datasets of 10PB or more in a single location. For datasets less than 10PB or distributed in multiple locations, use Snowball.
What is Origin Failover?
Use an origin group in which you designate a primary origin for CF + second origin that CF switches to when the primary origin returns specific HTTP status code failures works with Lambda@Edge
simple routing poliy
Use for a single resource that performs a given function for your domain e.g. a web server that serves content for the example.com site
How can we control access to a Gateway Endpoint?
VPC endpoint policies
Why use WAF on CloudFront rather than ALB?
WAF rules run in all edge locations Security does not come at the expense of performance Blocked requests are stopped before they reach your web servers. When you use WAF on an ALB, your rules run in the region of that ALB
Limitation of Backup/restore DR method?
Will see loss of critical data depending on RPO.
How to change from standard SQS queue to FIFO
You cant convert an existing standard queue into a FIFO queue. You must either create a new fifo queue for your app or delete your existing standard queue and recreate it as a fifo
what is SSE-C encryption?
You manage the encryption keys and S3 manages the encryption as it writes to disks, and decryption when you access your objects
What is an accelerator?
a component of Global Accelerator directs traffic to endpoints over the AWS global network to improve performance of your internet apps. 2 types 1. standard accelerator directs traffic to optimal endpoint based on user's location, health of endpoint, and endpoint weights 2. Custom routing accelerator lets you deterministically route multiple users to a specific EC2 destination behind your accelerator. Do this by mapping users to a unique IP and port on your accelerator, which Global Accelerator has mapped to the destination
What is the most secure way to provide limited time access to an object in S3?
a presigned URL. When you create one, you must provide your security credentials then specify a bucket name, object key, http method, and an expiration date/time.
what is client side encryption?
act of encrypting data before sending it to the server
AWS DMS targets
all major DBs DynamoDB ElasticSearch S3 Redshift Kinesis Data Streams Neptune Apache Kafka Aurora Serverless / Aurora
AWS DMS sources
all major DBs including S3. EXCLUDES dynamodb
What does VPC-enabling a lambda function accomplish?
all network traffic from your function is subject to the routing rules of your VPC/subnet. If your function needs to interact with a public resource, you'll need a NAT gateway in a public subnet
What do SCPs affect?
all users and roles in the attached accounts, including the root user DO NOT affect any service-linked roles
What rule actions can WAF take?
allow block (403 code) count`
What is Redshift Spectrum?
allows efficient querying and retrieval of structured/semistructured data from files in S3 without loading it into Redshift Tables. Spectrum resides on dedicated Redshift servers that are independent of your cluster. Spectrum pushes many compute-intensive tasks to this other layer of servers. Thus Spectrum queries us much less of your cluster's processing capacity than other queries.
What does a vpc peering connection do?
allows you to route traffic between the peered vpcs using ipv4 or ipv6 addresses.
What is an Endpoint group?
associated with a specific aws Region. Includes 1+ endpoints in the region.
rds multi-az replication for aurora config
asynchronous replication
What is Route53 DNS failover?
automatically configures/manages halth checks for individual ELB nodes. Takes advantage of EC2 instance health checking that the ELB performs . By combining results of health checks of your EC2 instances and your ELBs, Route53 DNS Failover can evaluate health of the load balancer AND health of app running on instances behind it. If any part of the stack goes down, Route53 detects the failure and routes traffic away from the bad endpoint. Using Route53 you can run your primary app simultaneously in multiple AWS regions and failover across regions.
How are archived objects accessed?
before an archived object can be accessed, must first restore a temporary copy of it. restored copy is available only for duration you specify in the restore request After that S3 deletes temp copy and object remains archived in glacier
What happens during RDS hardware maitenance?
before maintenance is scheduled, you receive email notification about the time and AZs tat are affected. During maintenance single-AZ deployments are unavailable for a few minutes. Multi-AZ deployments are unavailable for the time it takes the instance to failover (about 60s) If only the secondary AZ is affected, there is no downtime
What is Object storage?
breaks data files into pieces called objects, then stores those objects in a single repo which can be spread out across multiple networked systems
what is block storage
breaks data up into blocks then stores those blocks as separate pieces each with a unique identifier.
How can Redshift improve performance?
cache result of repeat queries and return the cached result when queries are rerun.
use case for Site to Site VPN when transferring data
can be established in a few minutes and are a good fit if you have an immediate need, have low to modest bandwidth reqs, and can tolerate the inherent variability of internet-based connectivity
what is a custom HC?
can be used if your app cant be checked by simple HTTP request and requires advance
Constraints on storage class transitions?
cannot make the following transitions for objects smaller than 128 kb 1. S3 standard/S3 standard IA -> Intelligent Tiering 2. S3 Standard -> Standard IA or one zone IA Before transitioning objects from S3 standard / Standard IA TO standard IA/One Zone IA, must store them for at least 30 days in s3 standard.
How is RDS scaling achieved with reserved instances pricing model?
changing instance class for compute and modifying storage capacity for additional sotrage allocation
geolocation routing policy
choose resources that serve your traffic based on the geographic location of your users. e.g. Have all queries from Europe be routed to an ELB in the Frankfurt region restrict distribution of content to only the locations you have distribution rights
How does client request routing work?
client must resolve the load balancer's domain name using a DNS server controlled by Amazon. Amazon DNS servers return one or more IP addresses to the client. These are the IPs of the load balancer nodes from your load balancer As traffic to your app changes over time, Elastic Load Balancing will update the DNS entry. This entry also specifies a ttl of 60s to ensure IP addresses can be remapped quickly in response to changing traffic Client determines which IP address to use to send requests to the LB. The LB that receives the request selects a healthy registered target and sends the request to the target using its private IP.
what is a db subnet group?
collection of private subnets that you create in a VPC and designate for your db instances
How to handle failure in a distributed architecture/system?
components of the system must operate in a way that does not negatively impact other components in the workload. When calling a failed/timed out service, we should return a static degraded response to the caller. This notifies of the failure, but prevents a failure in one service from cascading to others. SHOULD NOT return an error as this will cause the application to halt. SHOULD NOT recompute response using a different means to replace the failure. Such attempts at a completely different mechanism to achieve the same result are called fallback behavior, and are an anti-pattern to be avoided
Most cost-effective way to scale read performance for multi-AZ RDS db?
create a read replica as a mullti-az DB instance
what are the tenancy options for ec2?
default (shared) dedicated - your instance runs on hardware dedicated to you host - instance runs on a Dedicated host which is an isolated server dedicated to you with configurations you control
How to grant an ECS task access to other services?
define an IAM role to use in your task definitions or the RunTask API operation. You can also use the taskRoleArn override when running a task manually with the RunTask API operation
What does Access Advisor do?
determine permissions your devs have used by analyzing the last timestamp when an IAM entity (user, role, group) accessed an AWS service. Lets you audit service access, remove unnecessary permissions, and set appropriate perms across different envs
How to prevent connection multiplexing?
disable HTTP keep-alives by setting the Connection: close header in your HTTP responses
How is traffic routed from a LB to multiple AZs with Cross-zone load balancing disabled vs. enabled?
disabled: The total traffic is split evenly between the 2 AZs. Therefore whichever AZ has fewer instances will process more traffic per instance. enabled: traffic split evenly between all instances between the 2 AZs
Multi-Region RDS deployment purpose
disaster recovery and local performance
What is RTMP distribution?
distribute streaming media files using Adobe flash Media Server's RTMP protocol allows user to begin playing a media file before the file has finished downloading from a CF edge location files must be stored in S3
S3 Standard IA encryption
does not support encryption by default for data at rest OR in transit
S3 one zone-IA encryption
does not support encryption by default for data at rest OR in transit
How does ec2 Auto Scaling treat instances in an Impaired status?
doesn't immediately terminate them. Waits a few minutes for the instance to recover.
How does CF handle dynamic content?
dynamic content goes straight to the origin and does not flow through regional edge caches
What is Kinesis Data Analytics used for?
easiest way to analyze streaming data in real-time. It enables you to easily and quickly build queries and sophisticated streaming apps in 3 steps: 1. setup your streaming data sources 2. write your queries or streaming apps 3. set up your destination for processed data. CANNOT directly ingest data from the source as it ingests data either from Kinesis Data Streams or Kinesis Data Firehose.
What is the difference between EBS Snapshots and AMI images?
ebs snapshot is a backup of a single ebs volume, containing all the data stored on that volume at the time of the snapshot. AMI is a backup of an entire ec2 instance. Associated with an AMI image are EBS snapshots which are the backups of the individual ebs volumes attached to the ec2 instance.
what is the difference between an ec2 health check and an ELB health check?
ec2 health check is based on the status of instance. If it is in any state other than "running" it is considered unhealthy. ELB health check looks for "running" ec2 instance state AND ELB health check verifies that a specified TCP port on an instance is accepting connections OR that a specified web page returns 2xx code. Thus ELB checks are smarter and can verify that the actual app works rather than just verifying the underlying instance
What are VPC endpoints?
enable private connectivity to services hosted in AWS, from within your VPC without using an IGW, VPN, NAT devices, or firewall proxies
What does API Gateway allow?
enable stateless client-server communication and stateless restful apis implement http methods create WebSocket APIs that: adhere to websocket protocol, which enables stateful, full duplex communication between client and server If you enable caching for a stage, it will cache responses from your endpoint for a specified TTL period in seconds. Default ttl is 300s, max is 3600s, 0 means caching disabled
S3 Glacier encryption
encryption at rest using Advanced Encryption Standard (AES 256) supports secure transfer of data over Secure Sockets Layer (SSL)
Key difference between configuration of CLB vs. ALB and NLB (and even Gateway Load Balancers)?
for ALB, NLB, and GLB, you register targets in target groups and route traffic to the target groups With CLB, you register instances directly with the LB.
From where do Lambda functions operate?
from an AWS-owned VPC. Hence lambda has access to any public internet address or public aws apis.
what does EFS offer?
fully managed service that requires no changes to your existing apps, providing access through a standard file system interface for seamless integration built to scale on demand to petabytes without disrupting applications.
how does CF handle put/post/patch/options/delete?
go directly to the origin from the edge locations and don't proxy through regional edge caches
most common reason to use SNI with multiple certs
handle different domains within the same load balancer.
What is Standby State?
helps temporarily remove an instance from your ASG for troubleshooting/updating deregisters your instance from any load balancer or target group attached to your ASG. Decrements desired capacity Return instance to service by exiting standby state
What does AWS Cost Explorer do?
helps you ID under-utilized resources like EC2 instances that may be downsized while understanding the potential impact on your bill by taking into account your Reserved Instances and Savings Plans.
What is S3 Storage Class analysis?
helps you analyze storage access patterns to help you decide when to transition the right data to the right class. Gives recommendations to help you determine when to transition less frequently accesed data from Standard to Standard_IA DOES NOT give recommendations for transitions to Onezone_IA or Glacier
Multi-AZ RDS main purpose
high availability
What determines whether a subnet is public/private?
if its traffic is routed to an IGW< its public If subnet does not have a route to IGW, it is private
When to use Kinesis Data Streams enhanced fanout?
if you have multiple consumers retrieving data from a stream in parallel. With enhanced fanout, developers can register stream consumers to use enhanced fanout and receive their own 2mb/second pipe of read throughput per shard
non-aurora multi az vs. aurora multi-az. Which instances are active?
in non-aurora, only primary instance is active in aurora, all instances are active
What type of info does Access Advisor provide about AWS Orgs?
info about services that are allowed by an SCP and which principals in an Org or account last attempted to access the service and when
ow to delete a distribution?
it must first be disabled
what is DynamoDB?
key-value and document db that delivers single-digit ms performance at any scale fully managed, multi-region, multi-master with builtin security backup and restore can handle more than 20mil reqs per second
What functionality does Cognito provide?
lets you add user sign-up, sign-in, and access control to your web app/mobile app. Scales to millions of users and supports sign-in with social identity providers like Fb, google, amazon, and enterprise id providers via SAML 2.0
How does an ELB health check work?
load balancer sends pings , attempts connections, or sends requests to test the ec2 instances and determine if the instance is unhealthy.
What is Kinesis Data Firehose used for?
load streaming data into data stores and analytics tools It can capture transform, and load streaming data into S3, Redshift, Elasticsearch, Splunk, enabling near real-time analytics with existing business intelligence tools and dashboards. It can batch, compress, and encrypt data before loading it, minimizing storage used at the destination and increasing security.
How does an ASG choose which instances to terminate?
looks at AZ with most instances and then at the instance with the oldest config. If oldes config is shared by multiple instances, then termination happens at random between them.
when to use Redshift
massive amounts of data primarily OLAP (analytical) workloads
Use case for Data Migration Service
migrate dbs quicklyu and securely, enabling source db to remain fully operational during migration. Continuously replicate your data with high availability and consolidate databases into a petabyte-scale data warehouse by streaming data to Reshift and S3
How can we coordinate Availability Zones accross accounts?
must use the AZ ID, which is a unique and consistent identifier. e.g. use usw2-az2 for the us-west-2, az2
when to use DynamoDB
name/value pair or unpredictable data structure in-memory performance with persistence. Near realtime with ms responsiveness high I/O needs scale dynamically
When to use Aurora Serverless?
need complete auto scaling solution for unpredictable changes in traffic. Simple and cost effective For relational dbs only Can migrate between Aurora standard and Serverless configs with a few clicks in the RDS console
when to use RDS
need traditional db for OLTP your data is well-formed and structured existing apps requiring RDBMS
What is VPC peering?
networking connection between 2 vpcs that enables you to route traffic between them using private IPv4/v6 addresses. Instances in either vpc can communicate as if they were within the same network
can IAM be used to manage mobile/webapp user accounts?
no, you should use cognito for this. IAM only manages AWS users and groups
What is file storage
normally associated with Network-Attached Storage tech. Presents storage to users and apps using the same ideology as normal file system with directory trees, folders, individual files
which load balancers support WebSocket type apps?
only NLB
EFS pricing
only pay for resources that you use. Cost is $0.3 per GB per month
Use case for ALB
operates at request level (layer 7), routing traffic to targets (ec2 instances, containers, IPs, lambda functions) Ideal for advanced load balancing of http and https traffic. NOT a good fit for low latency, high throughput scenarios
When to use a Network load balancer
operates at the connection lvel low-latency and high throughput workloads that must scale to millions of requests per second. Routes connections to targets - ec2 instances, microservices, and containers - withing a VPC based on IP protocol data Expose a fixed IP to public web allowing your app to be predictably reached using these IPs.
wen to use an application load balancer
operates at the request level (layer 7) routing traffic to targets - ec2 instances, containers, ip addresses, and lambda functions based on the content of the request. Ideal for advanced load balancing of HTTP/https traffic Provides advanced request routing targeted at delivery of modern app architectures, including microservices and container-based apps ALB and CLB Expose a fixed DNS (=URL) rather than the IP address
What is a DynamoDB stream?
ordered flow of info about changes to items in a dynamodb table When you enable a stream on a table, DynamoDB captures info about every modification to data items in the table a stream contains info about a change to a single item in a dynamodb table configure stream to capture additional info such as before and after images of modified item
EBS GP2 pricing
pay for provisioned amount NOT amnt used. Cost is $0.10 per GB of provisioned storage per month
what are CloudFront price classes
price charged for a distribution varies depending on the edge location from which CF serves your request Edge locations are grouped into geographic regions. By default CF responds to requests for objects based only on performance - objects are served from the edge location for which latency is lowest for the requestor. If willing to accept higher latency for viewers in some regions in return for lower cost, you can choose a specific price class
what is a listener?
process that checks for connection requests. Configured with a protocol and port number for connections from clients to the load balancer.
What is a Listener in a Global Accelerator?
processes inbound connections based on port and protocol that you configure. Each listener has 1+ endpoint groups associated with it and forwards traffic to endpoints in one of the groups
How does Aurora promote read replicas?
promotes the replica with the highest priority (lowest numbered tier) IIf 2+ replicas share same priority, it promotes the replica with the largest size if 2+ replicas have same priority and size, then aurora promotes an arbitrary replica in the same promotion tier
How does AWS Global Accelerator Work to achieve blue/green deployments?
provides 2 static anycast IPs that serve as fixed entry point to your app endpoints in a single or Multiple AWS regions Uses endpoint weights to determine proportion of traffic that is directed to endpoints in an endpoint group Uses traffic dials to control percent of traffic directed to an endpoint group (an AWS region where your app is deployed)
How does an Interface Endpoint work?
provides an elastic network interface with a private IP Uses DNS entries to redirect traffic Works for all services except S3 and DynamoDB
What is Amazon Quicksight?
provides visualization of data through dashboards, graphs, etc. Rich feature set to analyze data and the complex relationships that exist between different data features. It is NOT as powerful an analysis tool like Athena
redis use cases
real-time transactional and analytical processing for use cases like caching, chat/messaging, gaming leaderboards, machine learning, media streams, real time analytics, and session store
What does AWS Compute Optimizer do?
recommends optimal AWS compute resources for your workloads to reduce costs and improve performance by using machine learning to analyze historical utilization metrics. Helps you choose optimal ec2 instance types including those that are part of an ASG, based on your usage data Provides Instance Type recommendations NOT instance purchase options
advantage of cross zone load balancing
reduces need to maintain equivalent numbers of instances in each AZ and improves your app's ability to handle loss of instances
What are valid origins for CloudFront?
s3 bucket ec2 instance ELB route53 external (non-AWS)
Read replica RDS purpose
scalability
EFS uses
scalable fully managed NFS for use with AWS and on-premises resources.
elasticache use cases
seamlessly run/scale in-memory data stores in the cloud boost performance of your dbs by retrieving data from high throughput and low latency in-memory data stores. WILL REQUIRE UPDATES TO THE APP'S CODE TO USE THIS. caching autocompletion session stores gaming geospatial services real time analytics queueing
How can we control access to an Interface Endpoint
security groups
What happens in Cross-zone load balancing?
separate load balancers are setup in each AZ client sends requests route53 responds to each request with the IP address of one of the load balancer nodes from a specific AZ such that the LB with fewer targets behind it is returned less frequently than the LB with more targets, ensuring that the TARGETS, NOT THE LBs receive evenly distributed traffic
What is SSE-S3 encryption?
serverside encryption with Amazon S3 managed keys. Each object encrypted with a unique key managed by s3
Easiest way to set specific password complexity reqs for all AWS IAM user accounts?
set a password policy for the entire aws account.
What is AWS Batch
set of batch management capabilities enabling devs/scientists to efficiently run hundreds of thousands of batch computing jobs on aws dynamically provisions optimal quantity and type of compute resources (cpu or memory optimized instances) CANNOT be used to orchestrate a workflow
ec2 tenancy default setting
shared tenancy
sqs short polling vs. long polling cost
short polling uses more requests which implies higher cost long polling uses fewer requests and reduces cost.
Best practice for monitoring Lambda?
since functions scale fast, deploy a CloudWatch alarm that notifies your team when function metrics such as ConcurrentExecutions or Invocations exceed expected threshold.
What does "IpAddress" restriction do ina condition?
specifies the SOURCE IP range. These IPs can take the allowed action
what is a web distribution
static and dynamic content including .html, .css, .php, and graphics files distributes files over HTTP and HTTPS add, update, or delete objects, and submit data from web forms use live streaming to stream events in realtime
what is a VPN-only subnet?
subnet that doesn't have a route to an internet gateay, but has traffic routed to a virtual private gateway for a VPN connection
RDS multi-az replication for non-aurora configs
synchronous replication to standby
How to encrypt an unencrypted rds db?
take snapshot of db copy it as encrypted snapshot restore db from encrypted snapshot terminate previous db
What happens when you disable an AZ that a LB is associated with?
targets in the AZ remain registered with the load balancer, but the LB does not route traffic to them.
What is a blue/green deployment?
technique for releasing apps by shifting traffic between 2 identical environments running different versions of the app. blue is the currently running version green is the new version
How does EC2 instance recovery work?
terminated instances cannot be re overed. a recovered instance is identical to the orgiinal, including ID, private IP, elastic IP and metadata. If impaired instance is in a placement group, recovered instance runs in that placement group If instance has public ip, it retains after recovery However, any data that is in-memory is lost
What happens if an ELB target group contains only unhealthy registered targets?
the load balancer nodes route requests across the unhealthy targets.
what happens when we copy an ami between regions?
the underlying ebs snapshots are also copied, since they are required to launch instances from the ami
What is Snowball Edge Storage Optimized?
up to 80TB 40vCPUs, 1TB of SATA SSD and 40 Gb network connectivity to address large scale transfer and pre-processing use ases
How to transition root domain name of your CF distribution?
use AWS support
How does Route53 help with Blue/green deployments.
use Route53 weighted routing to route traffic to resources in proportions you specify and gradually push more traffic to the green environment or rever to blue in case of issues DOWNSIDE: many client devices and internet resolvers cache DNS traffic and may cause issues transitioning between blue/green versions
How can we use ec2 user data to speed up deployments?
use it to customize dynamic installation parts at boot time, rather than installing the app itself at boot time
AWS recommendation for SQS when you need to prioritize work?
use separate queues for different priority levels.
weighted routing policy
use to route traffic to multiple resources in proportions that you specify
multivalue routing policy
use when you have resources in multiple aws regions and you want to route traffic to the region that provides the best latency
multivalue answer routing policy
use when you want route 53 to respond to dns queries with up to 8 healthy records selected at random
faillover routing policy
use when you want to configure active-passive failover
geoproximity routing policy
use when you want to route traffic based on location of your resources and optionally shift traffic from resources in one location to resources in another
what is a partition key in Kinesis?
used to group data by shard within a stream. Kinesis Data Streams segregates data records belonging to a stream into multiple shards. It uses the partition key associated with each data record to determine which shard a given data record should belong to.
How does RDS send events to other services?
via SNS notifications Can use API calls to the RDS service to list RDS events in the last 14 days (DescribeEvents API) CLI shows events from last 14 days Console only shows events from last 1 day
Which storage gateway for block level storage?
volume gateway
When is multi AZ load balancing most effective?
when each enabled AZ has at least one registered target
What is a best practice when deploying our lambda functions?
when packaging all needed dependencies, keep size to a minimum by removing all unnecessary items like documentation/unused libraries. the bigger the package, the slower your function will cold-start
How does AZ Rebalancing work?
when rebalancing, ec2 auto scaling launches new instances before terminating old ones so that the rebalancing does not compromise the performance or availability of your app. To avoid exceeding max ASG capacity, the system can temporarily exceed specified max by 10% margin or 1-instance margin, whichever is greater during this activity.
When to use ElastiCache as db
when you need fast, temporary storage for small amnts of data highly volatile data
When to VPC-enable a lambda function?
when you need to interact with a private resource in a private subnet (e.g. an RDS instance)
How does ec2 auto scaling treat instances that fail to report data for status checks?
will delay and not immediately terminate. This usually happens when there is insufficient data for the status check metrics in CW
what is memcached
works as an in-memory data store and cache to support demanding apps making sub-ms responses
Is SQS HIPAA eligible and PCI DSS level 1 compliant?
yes
can DMS migrate from on-premise to cloud?
yes
Can read replicas be in a different region?
yes, uses asynchronous replication
NAT Gateway characteristics
1. cannot use security groups. SGs are associated with instances behind the NAT gw 2. use a NACL to control traffic to/from subnet in which your NAT GW resides use flow logs to capture traffic 3. does not support port forwarding 4. cannot be used as Bstion server 5. When connection times out, NAT Gateway returns an RST packet to any resources behind the gw
process to change storage class of an object from Glacier to any class other than deep archive?
1. use restore operation to make temp copy of object 2. use copy operation to overwrite the object specifying the new storage class
what options does the AWS VPC wizard give?
1. vpc with a single public subnet + IGW. recommended if you need a single-tier, public facing web app like a blog or simple site 2. vpc with public and private subnets (NAT). Recommended if you want to run public-facing web app while maintaining backend servers that arent publicly accessible 3. vpc with public and private subnets and AWS site-to-site vpn access with a virtual private gateway to enable comms with your network over an IPsec vpn tunnel. recommended if you want to extend network into cloud and directly access internet from your vpc 4. vpc with private subnet only and AWS site-to-site vpn. Includes virtual private gateway to enable comms with your network over an IPsec vpn tunnel No internet gateway to enable comms over internet. Recommended if you want to extend your network into the cloud using AWS uinfra without exposing your network to internet
A geological research agency maintains the seismological data for the last 100 years. The data has a velocity of 1GB per minute. You would like to store the data with only the most relevant attributes to build a predictive model for earthquakes. What AWS services would you use to build the most cost-effective solution with the LEAST amount of infrastructure maintenance?
Ingest the data in Kinesis Data Firehose and use a Lambda function to filter and transform the incoming stream before the output is dumped on s3
Routing algorithm for ALB
LB node that receives the request uses following processes: 1. evaluate the listener rules in priority order to determine which rule to apply 2. select target from target group for the rule action, using the routing algorithm specified for that target group. Default is round robin. Routing performed independently for each target group even when instance is registered to multiple target groups.
How to prevent a root ebs volume from being deleted when its ec2 instance terminates?
Set the DeleteOnTermination attribute to false using a block device mapping
rds multi-region deployments replication typ
asynchronous
rds read replicas replication type
asynchronous
What is the HealthCheckGracePeriod setting?
attribute on an ASG that determines how long to wait before checking the status of an instance. EC2 and ELB health checks can complete before this grace period expires, but ASG does not act on them until the health check grace period expires.
Use case for NLB
best suited to low latency and high throughput workloads that involve scaling to millions of reqs per second. Operates a connection level (layer 4), routing connections to targets (ec2 instances, microservices, containers) within VPC based on IP protocol data
A junior scientist working with the Deep Space Research Laboratory at NASA is trying to upload a high-resolution image of a nebula into Amazon S3. The image size is approximately 3GB. The junior scientist is using S3 Transfer Acceleration (S3TA) for faster image upload. It turns out that S3TA did not result in an accelerated transfer. What transfer charges does the scientist pay for?
none. S3 only charges for transfer OUT of the cloud, not in from the internet. With S3TA, you only pay for transfers that are actually accelerated.
