Cloud Tech - On demand computing power, on demand storage and in-built services for IT solutions.
----------------------------------------------------------------------------------------------------------------------------
Cloud Types - Infrastructure as a Service ( IaaS ) - AWS EC2
- Software as a Service ( SaaS ) - Most of the built-in AWS services
- Platform as a Service ( PaaS ) - AWS Beanstalk
----------------------------------------------------------------------------------------------------------------------------
AWS Infrastructure - Data Centers - Physical locations of AWS infrastructure
- Regions - Each has multiple availability zones; some regions have limited services
- Edge Locations - Users access AWS services via these locations
- Availability Zones - Set of data centers with redundant power and storage
----------------------------------------------------------------------------------------------------------------------------
AWS Global Services - Identity and Access Management ( IAM, IAM MFA, IAM Federation - Users, Groups, Roles, Active Directory integration; never use ROOT other than for the initial setup )
- CloudFront ( CDN )
- Route 53 ( DNS )
- Firewall ( WAF )
----------------------------------------------------------------------------------------------------------------------------
AWS Regional Service - Computing Service ( EC2 - Infrastructure as a Service )
- App service ( Beanstalk - Platform as a Service )
- Lambda ( Function as a Service )
IAM - Users, Groups, Roles, Password Policies, Multi-factor Authentication, one IAM user per physical user, one Role per application, policies attached to groups.
----------------------------------------------------------------------------------------------------------------------------
EC2 - ( Elastic Virtual Machines, Elastic Block Storage, Elastic Load Balancer, Auto Scaling Groups )
----------------------------------------------------------------------------------------------------------------------------
EC2 SSH command - ssh -i testkey.pem ec2-user@13.212.19.241
ssh -i testkey.pem ec2-user@ec2-13-212-220-134.ap-southeast-1.compute.amazonaws.com
EC2 IP Types - Public IP
- Private IP
- Elastic IP ( Private IP will not change after EC2 restart )
Note : Inbound rule 0.0.0.0/0 accepts any connection from any device
EC2 Apache Installation - yum install -y httpd
- systemctl start httpd.service
- systemctl enable httpd.service
EC2 Bootstrap - EC2 User data scripts
EC2 Instance Types - On demand ( Per second price, highest price, good for short term elastic loads )
- Reserved ( Pay upfront with a long term commitment to a reserved instance type. Ex: DB setups )
- Reserved - convertible ( Can change instance type ) - Reserved - scheduled convertible
EC2 Spot Block Instances - Spot instances in a time frame without interruptions
EC2 Spot Request Type - One-time / Persistent ( renews based on the current price )
EC2 Spot Fleet - Set of spot instances; it automatically requests the lowest priced spot instances.
EC2 Dedicated Hosts - Dedicated hardware and controls with 3 year reservations. Expensive.
EC2 Instance Types - R for RAM
- C for Compute, M for Medium,
- G for Graphics and ML
- I for DBs
- T1, T2 to handle any load
EC2 AMI - Customized images of a given OS ( required packages, security, faster boot time without EC2 user data, monitoring and other features like AD integration )
- Can be stored in S3 or EBS
- Can be shared with other AWS accounts; sharing an AMI with an account doesn't affect ownership of it
- Copying it to another region makes the copier the owner of the copy. To copy an AMI, the original owner must grant access for it. If you copy a shared AMI, you become the owner of the copied AMI
- An encrypted AMI can only be shared together with its keys
- Cannot share Windows or AWS Marketplace AMIs that carry a billing product code. Instead, launch an instance from it, create an image from that instance and share the image
EC2 Placement Group - Cluster - Places instances in the same Availability Zone on the same hardware. Great network performance. Ex: big data jobs.
- Spread - Spreads instances across hardware under different Availability Zones. Good for critical applications
- Partition - Spreads instances across partitions within an Availability Zone. Good for big data applications, Kafka
ENI - Virtual network card; has a primary IPv4 and secondary IPv4s, one public IP, one MAC and one or more security groups; specific to a single Availability Zone. An ENI can be moved from one instance to another in case of fail-over.
EC2 Hibernate - RAM is stored in an encrypted EBS volume. Can be used to reduce startup time. Supports C, M and R families, RAM < 150 GB and most VM types; the root EBS volume needs to be encrypted; hibernate time < 60 days
AWS scalability - Vertical scalability - ( Increasing the size of the instance, t2.micro -> t2.large. Ex : non distributed systems like databases )
- Horizontal scalability - ( Elasticity; distributed systems increase the number of instances. Ex : web applications )
AWS High-availability - Distribute the system at least in 2 data centers ( AWS zones )
- Active high-availability - Horizontal scaling with LB, Auto scaling groups
- Passive high-availability - Multi-zone RDS
AWS Load balancing - Routes user traffic to different downstream nodes.
- Provides a single access point ( DNS )
- Handles downstream failures using health checks on ports.
- Health check URL : /health , checks for HTTP status 200 every 5 seconds
- Supports SSL
- Enforces stickiness with cookies
- Supports high availability across zones
AWS Load Balancer Types - Classic load balancer ( 2009, HTTP, HTTPS, TCP )
- Network load balancer ( 2017, TCP, TLS (secure TCP), UDP )
- Application load balancer ( 2016, HTTP, HTTPS, Websockets )
ELB security group - From user to Load balancer ( TCP 80, 443 from anywhere 0.0.0.0/0 )
- From Load balancer to EC2 ( TCP 80, with the load balancer's security group as the source )
ELB Error Codes - 4xx client related
- 5xx application related , 503 - no registered target
ELB Monitoring - ELB access logs, CloudWatch metrics for connection counts, aggregated reports
TCP/IP and OSI Layer Representations -
TCP/IP            | OSI Layers         | Examples
Application Layer | Application Layer  | End user - HTTP, SSH, DNS, FTP, DHCP
                  | Presentation Layer | Data representation - SSL, JPEG, MPEG, SSH
                  | Session Layer      | Host to host port connectivity - APIs, Sockets
Transport Layer   | Transport Layer    | End to end connection - TCP / UDP
Internet Layer    | Network Layer      | Packets - IP, IPSec
Network Layer     | Data Link          | Frames - Switch, Bridge, Ethernet
                  | Physical           | Physical structure - Binary transmission
1. List block storage : lsblk
xvda 202:0 0 8G 0 disk
└─xvda1 202:1 0 8G 0 part /
xvdb 202:16 0 2G 0 disk
2. Check file system : sudo file -s /dev/xvdb
/dev/xvdb: data
This says no file system has been created so far
3. Create file system : sudo mkfs -t ext4 /dev/xvdb
It formats the device and creates a new file system on it
4. Create mount folder : sudo mkdir /data
5. Mount the volume : sudo mount /dev/xvdb /data
6. Check mount points : lsblk
xvda 202:0 0 8G 0 disk
└─xvda1 202:1 0 8G 0 part /
xvdb 202:16 0 2G 0 disk /data
7. Set auto mount on every reboot : sudo cp /etc/fstab /etc/fstab-original
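The procedure above as a guarded script (added example, not from the original notes): it refuses to format a device that already holds a file system, and writes the fstab line by UUID with nofail. The device /dev/xvdb and mount point /data are the ones used in the notes; the EBS_DEVICE / EBS_MOUNT variables and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumes the device and mount
# point from the notes (/dev/xvdb, /data) unless overridden by EBS_DEVICE
# and EBS_MOUNT.

# Return 0 when the output of `file -s <device>` shows a raw device with no
# file system. mkfs on a device that already holds a file system destroys
# its data, so this check must pass before formatting.
needs_filesystem() {
    # $1 is the output of `sudo file -s <device>`, e.g. "/dev/xvdb: data"
    case "$1" in
        *": data") return 0 ;;
        *) return 1 ;;
    esac
}

# Build an /etc/fstab line that mounts by UUID (device names such as
# /dev/xvdb can change between boots) and uses nofail so a missing volume
# does not stop the instance from booting.
fstab_entry() {
    # $1 = UUID, $2 = mount point, $3 = file system type
    printf 'UUID=%s %s %s defaults,nofail 0 2\n' "$1" "$2" "$3"
}

# Touch a real device only when EBS_DEVICE is set, so sourcing this file
# for its functions is harmless.
if [ -n "${EBS_DEVICE:-}" ]; then
    mnt="${EBS_MOUNT:-/data}"
    if needs_filesystem "$(sudo file -s "$EBS_DEVICE")"; then
        sudo mkfs -t ext4 "$EBS_DEVICE"
    else
        echo "$EBS_DEVICE already has data; not formatting" >&2
    fi
    sudo mkdir -p "$mnt"
    sudo mount "$EBS_DEVICE" "$mnt"
    uuid="$(sudo blkid -s UUID -o value "$EBS_DEVICE")"
    sudo cp /etc/fstab /etc/fstab-original
    fstab_entry "$uuid" "$mnt" ext4 | sudo tee -a /etc/fstab >/dev/null
    # mount -a fails now, not at the next boot, if the new line is wrong
    sudo mount -a
fi
```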
----------------------------------------------------------------------------------------------------------------------------
EBS Snapshots - Stored in S3. Consumes IO while backing up, so taking the backup during a downtime is recommended. Volumes need to be warmed up once restored ( using dd or fio commands ). Can be automated using AWS Lifecycle Manager
RDS Rest Encryption - Encrypts master and replicas using AES-256
- If the master node is not encrypted, replicas cannot be encrypted
- Manual work
RDS In-flight Encryption - Encryption during data transmission
- All clients have to use SSL connectivity
- SSL certificates are used
RDS Aurora - AWS optimized DB, 5 times faster than MySQL and 3 times faster than Postgres
- Supports 15 replicas while MySQL supports only 5
- Default HA
- Maintains 6 copies across 3 availability zones
- Writes need 4 of the 6 copies, reads need 3
- Shared volume across 3 AZs
- Less than 30 second fail-over
- Supports cross region replication
- Has a writer endpoint ( Master ) and reader endpoints ( Read replicas )
- Automatic backups, recovery, industry compliance, patches with zero downtime
- Can be created with MySQL or Postgres compatibility modes
- There will be 2 endpoints, for read and write
- DB size automatically grows from 10 GB to 64 TB
Route 53 - Create an A record. Ex: myapp.myname.com with an IPv4 address
- Check it using nslookup myapp.myname.com
- Create EC2 instances in different regions
- Create a public internet load balancer linked to the EC2 instances
- Define TTL
- Create a CNAME pointing to the load balancer
AWS S3 Buckets - Has global unique name
- Regionally located
- Can store objects in directories
- Objects have a key. Ex : s3://mybucket/myfolder/mytest.txt , myfolder/mytest.txt is the key
- Max allowed object size - 5 TB
- Multipart upload for objects larger than 5 GB
- Can use pre-signed URLs to access objects
- Can enable versioning ( versions 1,2,3 ... for uploads of the same object )
- Once deleted, can be restored
- Can deploy static web sites - Enable website hosting using index.html and error.html
MFA Based S3 Delete - S3 versioning is required
- Only the root account can enable/disable MFA delete, and only via the CLI
- Root user -> security credentials -> MFA devices
- Enable the CLI for the MFA based S3 delete setup
- Get the root access key and secret key
- aws configure --profile root-mfa-s3-delete
AWS Access Key ID [None]:
AWS Secret Access Key [None]:
Default region name [None]: ap-southeast-1
Default output format [None]:
- aws s3 ls
2021-01-10 22:31:14 elasticbeanstalk-ap-southeast-1-603697344439
2021-01-15 21:02:15 mfa-delete-s3
- aws s3 ls --profile root-mfa-s3-delete
2021-01-10 22:31:14 elasticbeanstalk-ap-southeast-1-603697344439
2021-01-15 21:02:15 mfa-delete-s3
- Enable MFA based delete ( CLI only )
- aws s3api put-bucket-versioning --bucket mfa-delete-s3 --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "arn:aws:iam::603697344439:mfa/root-account-mfa-device 149189" --profile root-mfa-s3-delete
- Then add items to bucket "mfa-delete-s3" and delete them.
- It will not allow deleting a version, since MFA delete is enabled
- Disable MFA based delete ( CLI only )
- aws s3api put-bucket-versioning --bucket mfa-delete-s3 --versioning-configuration Status=Enabled,MFADelete=Disabled --mfa "arn:aws:iam::603697344439:mfa/root-account-mfa-device 196789" --profile root-mfa-s3-delete
- It now allows deleting a versioned item
- Go to the root account and remove the previously generated access keys
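A way to verify the end state of the steps above from the output of `aws s3api get-bucket-versioning` (added example, not from the original notes): it tells a bucket where MFA delete really protects versions apart from one that is only versioned or not versioned at all. The bucket name mfa-delete-s3 is from the notes; the function names and the sample responses are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes. Classifies the JSON that
# `aws s3api get-bucket-versioning` returns; sample responses are constructed.

# Extract one top-level string field from the small JSON document that
# get-bucket-versioning returns. Fields that were never configured are
# absent from the response, so an empty result means "not set".
json_field() {
    # $1 = JSON text, $2 = field name
    printf '%s' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\\([A-Za-z]*\\)\".*/\\1/p"
}

# Prints one of:
#   protected       versioning on and MFA delete on
#   versioned-only  versioning on, but a plain CLI call can still delete a version
#   unversioned     deletes are permanent; MFA delete cannot even be enabled
classify_versioning() {
    status="$(json_field "$1" Status)"
    mfa="$(json_field "$1" MFADelete)"
    if [ "$status" != "Enabled" ]; then
        echo unversioned
    elif [ "$mfa" = "Enabled" ]; then
        echo protected
    else
        echo versioned-only
    fi
}

# Live use (needs credentials); the loop below runs on constructed data only.
audit_bucket() {
    classify_versioning "$(aws s3api get-bucket-versioning --bucket "$1" --output json)"
}

SAMPLE_PROTECTED='{ "Status": "Enabled", "MFADelete": "Enabled" }'
SAMPLE_SUSPENDED='{ "Status": "Suspended", "MFADelete": "Disabled" }'
SAMPLE_NEVER_SET='{}'

for s in "$SAMPLE_PROTECTED" "$SAMPLE_SUSPENDED" "$SAMPLE_NEVER_SET"; do
    echo "$s -> $(classify_versioning "$s")"
done
```

For the bucket in the notes, `audit_bucket mfa-delete-s3` should print protected after the enable step and versioned-only after the disable step.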
S3 Replication - Enable versioning before enabling replication
- Buckets can be in different accounts
- Have to provide an IAM role to the first S3 bucket to copy to the second S3 bucket
- Cross region replication use cases ( lower latency access, compliance, replication among accounts )
- Same region replication use cases ( live replication )
- Only new objects will be replicated
- Delete with version id - deleted from source and not replicated
- Delete without version id - updated with a delete marker and not replicated
- No chain replication