
AWS Private vs Public Services


Separated by networking:

  • Public - accessed using public endpoints
  • Private - accessed using private endpoints

AWS Global Infrastructure


Regions

  • Not necessarily a country
  • Separates geopolitical areas
  • Separates physical locations - fault domain.
  • Data does not move from one area to another. You have to explicitly move data between regions.
  • Defined by region code or region name.

What is in a region?

  • Availability Zones - usually multiple

What is an edge location?

  • An edge location is a site very close in proximity to the users.
  • Let's say you run a global application and users in Chicago access it. An edge location may be in Chicago and serves as the closest point of access for those users.

3 Types of resiliency.


  1. Globally resilient - can tolerate an entire region failure.
     • IAM and Route53 are examples.
  2. Region resilient
  3. AZ resilient

Virtual Private Cloud Basics


A VPC is a virtual network inside of a region.

  • located in one account and in one region - regionally resilient
  • private and isolated unless you decide to change that.
  • there are two types: default and custom VPCs
    • one default VPC per region; leave it alone and don't use it for production.
    • same predictable structure and IP range in every region - 172.31.0.0/16 CIDR
    • Internet Gateway, a default Security Group and a default NACL are provided.
  • Subnets are created in each availability zone for a bit of resiliency.
    • subnets in the default VPC assign public IPv4 addresses by default.
    • subnet IP's are unique.
  • VPC's cannot communicate to other VPC's by default unless the networking is put into place to do so.

Default VPC


  • Can delete and recreate the default VPC - only one per region. Default CIDR is 172.31.0.0/16
  • /20 subnet in each AZ of the region. The larger the prefix number (/20 vs /16), the smaller the subnet.
  • subnets assign public IPv4 addresses.

Quick VPC Demo


  1. Log into your AWS account and navigate to the VPC console.
  2. Notice that there is one VPC already there and that it is marked as the default VPC.
  3. Notice there is one subnet for each availability zone.
  4. You can delete the VPC if you'd like.
  5. You can then recreate the default VPC.

Elastic Compute Cloud Basics


EC2 Time! Important features:

  • IaaS - infrastructure as a service - provides VMs called instances.
  • Private AWS service: an instance launches into a single VPC and a single subnet.
  • AZ resilient. If the AZ fails, the instance fails with it.
  • different sizes (instance types)
  • charged for usage by the second.
  • local on host storage or you can use Elastic Block Store (EBS)
  • Instances have a state that can be Running, Stopped, Terminated or temporary transition states.
  • Terminated is a deleted instance.
  • If the instance is in the stopped state, you're not charged for CPU or memory or networking, but you will be charged for the storage.

Amazon Machine Image (AMI)


Basically an ISO or server image of an OS.

  • contains attached permissions
    • owner can make EC2 instances from this AMI or make an AMI from an EC2 instance.
    • owner can make the AMI public
  • contains boot volume and block device mapping.

Connecting to EC2 instance


Windows instances

  • RDP on port 3389

Linux instances

  • via SSH on port 22 using an SSH key pair
  • the public key is loaded into the instance and you use your private key to connect.

Quick EC2 Demo


  1. Navigate to the EC2 console in the management account.
  2. Create a Key Pair
  3. Click on Instances and then launch instance
  4. Select the Amazon Linux 2 AMI - x86
  5. Select the instance type (free tier)
  6. Select a public IP
  7. Review the storage
  8. Add Tags
  9. Configure the security group. Set the SG to open to the internet (the demo does this for simplicity; restricting the SSH rule to your own source IP is the usual practice).
  10. Launch and select the key pair that you created.
  11. Review the status checks to make sure the instance is reachable.
  12. Click on Connect and then select EC2 instance connect.
  13. You should be able to connect with the PEM file using the steps listed.
  14. Select Instance and then Stop and Start and then Stop and then Terminate the Instance.

Windows instances need the private key to decrypt the administrator password so you can RDP into the instance.

Simple Storage Service (S3)


S3 is a global service: the console is not tied to a region and bucket names are global, but each bucket you create lives in a region you select. It's a bit confusing to understand.

  • Region resilient
  • Objects and buckets: cats/rolex/sleeping.jpg is the key (name) of the object; the bucket is its container.
  • Object storage, not file or block
  • Cannot mount S3 - not block storage
  • great for large scale data storage, distribution, or upload
  • great for offloading
  • Input and/or output to many AWS products

Objects


  • Files
  • name is the object key. The value is the data in the file. Object also contains
    • Version ID
    • Metadata
    • Access Control
    • Subresources

Buckets


  • has a primary home region, and data never leaves that region unless you explicitly configure it to
  • blast radius is limited to the region.
  • unlimited amount of objects
  • name is globally unique
  • flat structure, not folder based.
  • folders are referred to as prefixes

Exam Tips


  • bucket names are globally unique
  • 3-63 characters
  • start with a lowercase letter or number
  • cannot be IP formatted
  • 100 buckets per account by default (soft limit), 1000 hard limit
  • unlimited objects, 0 bytes to 5TB
  • Key = Name, Value = Data
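Added example, not from these notes: a small Python check that applies the bucket-name rules listed above so a script can reject a bad name before it ever calls S3. It also enforces the end-with-a-letter-or-digit rule, which AWS applies but the list does not mention.

```python
import ipaddress
import re

# Rules from the notes: 3-63 characters, lowercase letters, digits, '.' and '-',
# starting with a letter or digit, and never formatted like an IP address.
# The must-end-with-a-letter-or-digit part is an AWS rule the list omits.
_NAME_RE = re.compile(r"[a-z0-9][a-z0-9.-]*[a-z0-9]")

def bucket_name_errors(name: str) -> list:
    """Return every rule the proposed bucket name breaks (empty list = valid)."""
    errors = []
    if not 3 <= len(name) <= 63:
        errors.append("length must be 3-63 characters")
    if not _NAME_RE.fullmatch(name):
        errors.append("use only lowercase letters, digits, '.' and '-', "
                      "starting and ending with a letter or digit")
    try:
        ipaddress.IPv4Address(name)          # raises ValueError unless it parses
        errors.append("must not be formatted like an IP address")
    except ValueError:
        pass
    return errors

def is_valid_bucket_name(name: str) -> bool:
    return not bucket_name_errors(name)
```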

Quick S3 Demo


  1. Navigate to the S3 console in the management account
  2. Click the region dropdown in the upper right and notice that this is a global resource.
  3. Click Create Bucket
  4. Name the bucket (unique)

CloudFormation Basics


CloudFormation (see the CloudFormation User Guide) allows you to create, update, manage and delete resources using templates.

  • uses JSON or YAML

The Resources section is the meat and potatoes of the template.

  • It's the only mandatory part of the template. Without resources, the template does nothing.

NOTE: If AWSTemplateFormatVersion is declared, the Description section must directly follow it.

AWSTemplateFormatVersion: "2010-09-09" # The only valid value; optional but recommended.
Description: # Give some details about what the template does. Must directly follow the format version.
Metadata: # You can control the console UI (parameter grouping, etc.) with this.
Parameters: # This is where you declare the input parameters that prompt the user for information.
Mappings: # Lookup tables (dev, prod, test, etc.)
Conditions: # Decision making: IF this condition is met, do this.
Transform: # Macros that CloudFormation applies to the template before building the stack (e.g. AWS::Serverless-2016-10-31).
Resources: # The resources you want to build: EC2, S3, VPC, Security Groups, etc. The only mandatory section.
Outputs: # Information returned when creation is finished: DNS names, IP addresses, server names, etc.

Running this template creates a stack, which is a list of logical resources. The stack then creates physical resources that match.

Logical vs physical resources - logical resources are what the template defines; CloudFormation compares them to the physical infrastructure and creates, updates or deletes physical resources so that the two match.

You can use CFN templates to deploy multiple copies of infrastructure.

Demo:


From https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-s3.html (example):

AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: PublicRead
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
    DeletionPolicy: Retain
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      PolicyDocument:
        Id: MyPolicy
        Version: 2012-10-17
        Statement:
          - Sid: PublicReadForGetBucketObjects
            Effect: Allow
            Principal: '*'
            Action: 's3:GetObject'
            Resource: !Join
              - ''
              - - 'arn:aws:s3:::'
                - !Ref S3Bucket
                - /*
      Bucket: !Ref S3Bucket
Outputs:
  WebsiteURL:
    Value: !GetAtt
      - S3Bucket
      - WebsiteURL
    Description: URL for website hosted on S3
  S3BucketSecureURL:
    Value: !Join
      - ''
      - - 'https://'
        - !GetAtt
          - S3Bucket
          - DomainName
    Description: Name of S3 bucket to hold website content

How to read the example above:


  • This creates a bucket configured as a website. AccessControl is set to PublicRead because everyone needs to be able to read the bucket if it serves a website. Note that new buckets have Block Public Access enabled and ACLs disabled by default, so this part of the template only works where those defaults have been changed; for anything that is not a public website, leave them in place.
  • DeletionPolicy is set to Retain so that when the stack is deleted, the S3 bucket is kept. See below.
  • The Outputs section returns the WebsiteURL and DomainName attributes of the bucket. See below.
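To show the security-relevant difference in working form, here is an added Python check (not from the AWS docs or these notes) that walks a template's Resources section and flags settings that expose bucket contents publicly. The page's template is embedded in its JSON form (CloudFormation accepts JSON or YAML) beside a constructed private-bucket variant that passes the check.

```python
# Constructed JSON form of the page's template (trimmed to the security-relevant
# properties) beside a hardened private-bucket variant; neither is AWS's own code.
PUBLIC_WEBSITE = {"Resources": {
    "S3Bucket": {"Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain",
                 "Properties": {"AccessControl": "PublicRead",
                                "WebsiteConfiguration": {"IndexDocument": "index.html"}}},
    "BucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
        "Bucket": {"Ref": "S3Bucket"},
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
            "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "S3Bucket"}, "/*"]]}}]}}},
}}

PRIVATE_BUCKET = {"Resources": {
    "S3Bucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}},
}}

def _is_public_principal(principal) -> bool:
    """True for Principal '*' or {'AWS': '*'} (also when '*' sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_exposure_findings(template: dict) -> list:
    """Walk the Resources section and flag anything that lets the public read
    bucket contents or leaves Block Public Access unset."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::S3::Bucket":
            acl = props.get("AccessControl", "Private")
            if acl in ("PublicRead", "PublicReadWrite"):
                findings.append(f"{name}: AccessControl {acl} grants a public ACL")
            if "PublicAccessBlockConfiguration" not in props:
                findings.append(f"{name}: no PublicAccessBlockConfiguration")
        elif res.get("Type") == "AWS::S3::BucketPolicy":
            for stmt in props.get("PolicyDocument", {}).get("Statement", []):
                if stmt.get("Effect") == "Allow" and _is_public_principal(stmt.get("Principal")):
                    findings.append(f"{name}: Allow statement with public Principal")
    return findings
```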

What this looks like in the AWS CloudFormation Console:

[Screenshots: the stack and its resources in the CloudFormation console, and the delete event showing the bucket deletion skipped because of DeletionPolicy: Retain.]

CloudWatch Basics


  • collects and manages operational data.
  • Metrics - from AWS products, applications and on-premises systems.
    • May need to install the CloudWatch Agent for application and on-prem metrics.
  • CloudWatch Logs - Logs from AWS products, apps AND onprem data via the CloudWatch agent.
  • CloudWatch Events - AWS Services and Schedules - billing alarm is an example.

CloudWatch takes in data from the services, assembles it into metrics, and compares the metrics to alarm settings; an alarm can then fire an action such as auto-scaling or sending a notification to an SNS topic.

Statistics can also be sent in to the console or read via API.

CloudWatch uses Namespaces to organize data.

  • Metric - a time-ordered set of data points (CPU usage, network in/out or disk IO).
  • Datapoint - each individual measurement; usually timestamped.
  • Dimension - key/value pairs that separate datapoints for different things or perspectives within the metric.
  • Alarm - criteria that sets an OK or ALARM state when compared to the existing metric data.

  • example: alarm when CPU is higher than 95%
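Added example, not from these notes: a Python model of how an alarm evaluates a metric. It groups constructed CPUUtilization datapoints by the InstanceId dimension, takes the Average statistic per period, and sets ALARM only when every one of the last N periods breaches the threshold; the datapoint values and instance ids are made up.

```python
from collections import defaultdict
from statistics import mean

# Constructed datapoints: (timestamp in seconds, dimensions, value) for the
# CPUUtilization metric in the AWS/EC2 namespace. Two instances share the
# metric; the InstanceId dimension keeps their datapoints apart.
DATAPOINTS = [
    (0,   {"InstanceId": "i-0aaa"}, 97.0),
    (60,  {"InstanceId": "i-0aaa"}, 98.5),
    (120, {"InstanceId": "i-0aaa"}, 96.0),
    (0,   {"InstanceId": "i-0bbb"}, 40.0),
    (60,  {"InstanceId": "i-0bbb"}, 99.0),   # a single spike is not enough
    (120, {"InstanceId": "i-0bbb"}, 35.0),
]

def evaluate_alarm(datapoints, dimension_key, threshold,
                   period=60, evaluation_periods=3):
    """Return {dimension value: state} using the Average statistic per period.
    ALARM requires every one of the last `evaluation_periods` periods to be
    above `threshold`; too few periods gives INSUFFICIENT_DATA, as in CloudWatch."""
    by_dim = defaultdict(lambda: defaultdict(list))
    for ts, dims, value in datapoints:
        by_dim[dims[dimension_key]][ts // period].append(value)
    states = {}
    for dim_value, periods in by_dim.items():
        recent = sorted(periods)[-evaluation_periods:]
        if len(recent) < evaluation_periods:
            states[dim_value] = "INSUFFICIENT_DATA"
            continue
        breaches = [mean(periods[p]) > threshold for p in recent]
        states[dim_value] = "ALARM" if all(breaches) else "OK"
    return states
```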

Shared Responsibility Model


  • Customer - responsible for security IN the cloud
  • AWS - responsible for security OF the cloud

AWS is responsible for the hardware and the global infrastructure: regions, availability zones and edge locations. They are also responsible for the compute, storage, database and networking services that run on that infrastructure, and for the software that controls it (the AWS Console and APIs).

The customer (you) is responsible for data encryption: protecting network traffic with encryption, client-side data encryption and file system encryption. You are also responsible for the operating systems running on your EC2 instances, the network and firewall configuration, and the platform, applications and users. And for customer data. All of it.

High Availability vs Fault Tolerance vs Disaster Recovery


HA - aims to ensure an agreed level of operational performance (uptime) for a higher than normal period.

  • 99.9% = 8.77 hours of downtime annually
  • 99.999% = 5.26 minutes of downtime annually

FT - enables a system to continue operating properly in the event of the failure of some of the components.

A highly available airplane is bad. A fault tolerant airplane is better.

DR - a set of policies, tools and procedures that enable the recovery or continuation of vital technology infrastructure and systems following a natural or human induced disaster.

DNS 101


  • Translates human-readable names into IP addresses
  • www.google.com -> 8.8.8.8

  • DNS Client - your laptop, phone, tablet or PC that needs the IP
  • DNS Resolver - runs on the DNS client or on a server that queries DNS on your behalf
  • DNS Zone - part of the DNS database, e.g. google.com or rsmus.com
  • Zonefile - the physical database for that zone
  • Nameservers -

DNS is shaped like an upside down tree with the root at the top. The root is the . of the domain name www.google.com. The root is hosted by 13 DNS root servers (or clusters).

IANA manages the contents of the root zone (which is different from hosting the root servers).

  • delegates the top level domains to other organizations
  • The nameservers for .com, for example, are all hosted by Verisign.
  • DNS is a system of TRUST - authoritative zones are where the trust lies.
  • .com and .org are generic TLDs (Top Level Domains)

Delegation:
  .
  .com
  amazon.com
  www.amazon.com

DNS Resolution


How this works: you type in www.google.com. Your local resolver has no answer for this zone, so it starts at the root servers (found via its root hints). The root zone does not hold google.com, but it knows which nameservers are authoritative for .com and refers the resolver there. The .com zone in turn says, yes, google.com is over here, hosted by Google, here are the nameservers for that zone. The resolver then asks Google's nameservers that host the zone, where the DNS name resolves inside that zone to an IP. Each step hands off to the next zone down; this is called "walking the tree." Tips:

  • Root hints - resolver config that lists the root servers' names and IP addresses
  • Root Server - hosts the DNS root zone
  • Root Zone - Points at the TLD authoritative servers.
  • gTLD - generic top level domain
  • ccTLD - country code top level domain

Route 53 Fundamentals


Hosted Zones


  • hosted on four managed name servers
  • can be public
    • or private (linked to VPCs)
  • zone files live in AWS
  • stores records (recordsets)

DNS Record Types


  • NS - nameserver records; this is how the .com zone points to the google.com zone (delegation)
  • A and AAAA records - map a name (e.g. a subdomain) to an IPv4 or IPv6 address
  • CNAME - host-to-host (alias) records; www.google.com can point to another name whose A record holds the IP address
    • Only need to change the IP address in that A record and the CNAMEs will pick it up.
  • MX - mail exchanger records; they name the host(s) that handle mail for that zone, and each host name resolves to an IP through its own A record
  • TXT records - free-form text records, used to prove domain ownership or to store some sort of metadata
  • TTL - time to live: a value on each record that says how long a resolver may cache it; it works like a caching service rather than being a record type of its own

Authoritative and Non-Authoritative


  • Non-Authoritative - the client is served a cached value that is still within its TTL
  • Authoritative - a fresh DNS value from the zone's nameservers
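Added example (not from these notes) covering both the "walking the tree" resolution in the DNS Resolution section and the authoritative vs cached distinction here: a Python model of an iterative resolver over a constructed three-zone hierarchy (root, com, amazon.com) that caches answers for their TTL. Zone contents, server names and the 203.0.113.10 address are made up.

```python
import time

# Constructed zone data: each authoritative zone holds its own records and
# delegates child zones with NS records. Names are fully qualified ("." = root)
# to match the delegation chain in the notes. Addresses and server names are made up.
ZONES = {
    ".":           {"com.": {"NS": "a.gtld-servers.example."}},
    "com.":        {"amazon.com.": {"NS": "ns1.amazon.example."}},
    "amazon.com.": {"www.amazon.com.": {"A": "203.0.113.10", "TTL": 60}},
}

def walk_the_tree(name: str):
    """Iterative resolution: start at the root (from root hints) and follow NS
    delegations down until a zone answers with an A record.
    Returns (address, list of zones consulted in order)."""
    zone, path = ".", []
    while True:
        path.append(zone)
        records = ZONES[zone]
        if "A" in records.get(name, {}):
            return records[name]["A"], path
        # Delegate to the longest child zone that is a suffix of the name.
        children = [z for z in records
                    if "NS" in records[z] and (name == z or name.endswith("." + z))]
        if not children:
            raise LookupError(f"{name}: no answer and no delegation in zone {zone}")
        zone = max(children, key=len)

class Resolver:
    """Caches answers for their TTL; a cached answer is non-authoritative,
    a freshly fetched one is authoritative."""
    def __init__(self, now=time.time):
        self.cache, self.now = {}, now   # injectable clock for testing

    def resolve(self, name: str):
        """Return (address, authoritative) for the name."""
        hit = self.cache.get(name)
        if hit and hit[1] > self.now():
            return hit[0], False                       # served from cache
        ip, path = walk_the_tree(name)
        ttl = ZONES[path[-1]][name]["TTL"]
        self.cache[name] = (ip, self.now() + ttl)       # remember until TTL expires
        return ip, True
```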

END