Here is the link for part 3
Auto Scale-in Algorithm:
EC2 Auto Scaling happens horizontally (adding more instances), and DB scaling happens vertically (adding more space on the existing instance).
VPC
In a subnet you lose 5 IPs:
.0 - Network address
.1 - VPC router
.2 - DNS server
.3 - Reserved
.255 - Broadcast
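The reserved-address rule above, worked through for any allowed subnet size (not just a /24). This is an added example, not part of the original notes; the prefix-length limits /16 to /28 are AWS's subnet rules, and the role labels follow the list above.

```python
"""Reserved addresses of an AWS VPC subnet, for any allowed prefix length.

Added example, not from the original notes. Applies the rule above: AWS
reserves the first four addresses and the last one in every subnet, so a
/24 loses 5 of its 256 addresses. Roles are taken from the notes.
"""
import ipaddress

# Role of each reserved offset from the network address, as listed above.
RESERVED_ROLES = {
    0: "network address",
    1: "VPC router",
    2: "DNS server",
    3: "reserved for future use",
}


def reserved_addresses(cidr: str) -> dict:
    """Map every reserved address in the subnet `cidr` to its role."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("this reservation rule is for IPv4 subnets")
    if not 16 <= net.prefixlen <= 28:
        raise ValueError("AWS VPC subnets must be between /16 and /28")
    base = int(net.network_address)
    result = {
        str(ipaddress.IPv4Address(base + offset)): role
        for offset, role in RESERVED_ROLES.items()
    }
    # The last address of the subnet is reserved as the broadcast address.
    result[str(net.broadcast_address)] = "broadcast address"
    return result


def usable_addresses(cidr: str) -> int:
    """Addresses left for ENIs after the five reserved ones are removed."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - len(reserved_addresses(cidr))


if __name__ == "__main__":
    for ip, role in reserved_addresses("10.0.0.0/24").items():
        print(f"{ip:<15} {role}")
    print("usable:", usable_addresses("10.0.0.0/24"))
```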
VGW - VPC gateway used to communicate with your on-prem DC.
Every subnet's route table has the VPC CIDR with target "local", which allows the components within the VPC to talk to each other.
Adding a 0.0.0.0/0 route pointing to an IGW (Internet Gateway) makes the subnet public.
On top of the IGW route on the subnet, you still need a public IP on each EC2 instance to make it reachable from the internet.
A NAT gateway is used by private VPC components to talk to the internet, but the private subnet's 0.0.0.0/0 route must point to the NAT GW.
Network ACL - Stateless; allows traffic in and out of the subnet. To connect to an instance, you need to open both the inbound and outbound directions on the NACL.
Security Group - Stateful; a kind of firewall around EC2 instances.
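The stateless-versus-stateful point above, shown on one inbound SSH connection. This is an added model, not code from the notes or from AWS; the rule tuples, the client's ephemeral port 50000 and the first-match evaluation are constructed for the demo.

```python
"""Stateless NACL versus stateful security group on one inbound connection.

Added example, not from the notes. Models an SSH connection to an instance:
the security group remembers the flow it admitted, so its inbound rule alone
lets the reply out; the NACL judges every packet on its own, so the reply on
the client's ephemeral port needs its own outbound rule. Rules and ports are
constructed for the demo (a default SG also allows all outbound; omitted).
"""

# Rule: (direction, low_port, high_port, allow). First match wins.
NACL_INBOUND_22_ONLY = [("in", 22, 22, True)]
NACL_WITH_EPHEMERAL = [("in", 22, 22, True), ("out", 1024, 65535, True)]
SG_INBOUND_22 = [("in", 22, 22, True)]


def _port_allowed(rules, direction, dst_port):
    for d, lo, hi, allow in rules:
        if d == direction and lo <= dst_port <= hi:
            return allow
    return False  # implicit deny when nothing matches


def nacl_packet(rules, direction, src_port, dst_port):
    """Stateless: no memory, every packet must match a rule by itself."""
    return _port_allowed(rules, direction, dst_port)


class SecurityGroup:
    """Stateful: admitted flows are tracked, so replies pass automatically."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()  # (direction, src_port, dst_port) admitted so far

    def packet(self, direction, src_port, dst_port):
        reverse = "out" if direction == "in" else "in"
        if (reverse, dst_port, src_port) in self.flows:
            return True  # reply to a connection we already allowed
        if _port_allowed(self.rules, direction, dst_port):
            self.flows.add((direction, src_port, dst_port))
            return True
        return False


def ssh_session_ok(nacl_rules, sg):
    """Client port 50000 -> instance port 22, then the instance's reply."""
    request = nacl_packet(nacl_rules, "in", 50000, 22) and sg.packet("in", 50000, 22)
    reply = nacl_packet(nacl_rules, "out", 22, 50000) and sg.packet("out", 22, 50000)
    return request and reply
```

With only the inbound rule on the NACL the session fails on the reply packet; adding the outbound ephemeral-port range fixes it, while the security group needs no extra rule in either case.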
Take note that an egress-only Internet gateway is for use with IPv6 traffic only. To enable outbound-only Internet communication over IPv4, use a NAT gateway instead.
VPC Peering - Connecting one VPC to other VPCs. Peering is not transitive: other networks cannot reach the second VPC through the first VPC's peering connection.
VPC Endpoints: VPC Endpoints are the way you can communicate with services outside your VPC from your private VPC network without going through the internet. There are 2 types of VPC Endpoints:
- VPC Interface Endpoints: These are access points set up in your VPC for communicating with other AWS services. E.g. if calls need to flow between SQS and components within the VPC, this is used.
- VPC Gateway Endpoints: This is where your components within the VPC need to interact with other AWS services like S3 or DynamoDB without going through the internet. Remember any gateway endpoint needs to be listed in the route tables.
IAM Policy will have 3 parts: Action, Effect, Resource.
AWS Organizations uses SCPs (service control policies) for enforcing restrictions on almost all users, including Root.
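A worked illustration of how the three policy parts (Effect, Action, Resource) and an SCP combine for one request. This evaluator is an added example, not the notes' content and not AWS's own evaluation engine; it keeps only the simplified ordering explicit Deny > Allow > implicit Deny, ignores Condition, Principal and NotAction, and the two policy documents are constructed for the demo.

```python
"""Minimal evaluator for IAM statements (Effect/Action/Resource) plus an SCP.

Added example, not from the notes and not AWS's evaluator. Simplified order:
an explicit Deny in either document wins, otherwise both the SCP and the
identity policy must Allow, otherwise the request is implicitly denied.
Conditions, principals and NotAction are left out; sample docs are constructed.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _applies(stmt: dict, action: str, resource: str) -> bool:
    # '*' and '?' wildcards as in IAM; action names are case-insensitive.
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return any(fnmatchcase(action.lower(), a) for a in actions) and any(
        fnmatchcase(resource, r) for r in resources
    )


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document."""
    verdict = "Implicit"
    for stmt in _as_list(policy.get("Statement", [])):
        if not _applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny cannot be overridden
        verdict = "Allow"
    return verdict


def is_allowed(identity: dict, scp: dict, action: str, resource: str) -> bool:
    """Both the SCP and the identity policy must end up at 'Allow'."""
    return (evaluate(scp, action, resource) == "Allow"
            and evaluate(identity, action, resource) == "Allow")


# Constructed sample documents: the SCP allows everything except deleting
# buckets; the identity policy grants read access to one bucket prefix.
SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]}
IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "s3:DeleteBucket"],
     "Resource": "arn:aws:s3:::app-logs*"},
]}
```

Note that the identity policy grants s3:DeleteBucket, yet the request is still denied because the SCP's explicit Deny sets the ceiling for every principal in the account.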
Instance metadata is the data about your instance that you can use to configure or manage the running instance. You can get the instance ID, public keys, public IP address and much other information from the instance metadata by issuing a URL request from within your instance to this URL:
AWS Security Token Service (AWS STS) is the service that you can use to create and provide trusted users with temporary security credentials that can control access to your AWS resources.
AWS DR Strategies:
Economical--------------------------------------------------------Costly
Pilot Light is a DR scenario in which a minimal version of an environment is always running in the cloud.
AWS Cognito works with 2 components: User Pool and Identity Pool. You can enable MFA on User Pools.
AWS Cognito works like this:
- The user authenticates with FB, Google or another auth provider.
- Get the authenticated user ID.
- Then send it to AWS Cognito and get a Cognito OpenID token (Cognito ID).
- Send it to AWS STS to assume a role or get temporary access via access keys.
Amazon Kinesis Data Firehose is the easiest way to load streaming data into data stores and analytics tools. It can capture, transform, and load streaming data into Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, and Splunk, enabling near real-time analytics with the existing business intelligence tools and dashboards you are already using today.
Amazon Kinesis Data Streams: By default the retention period is 24 hours and can be extended to 168 hours.
Amazon SWF interacts with activity workers and deciders by providing them with work assignments known as tasks. There are three types of tasks in Amazon SWF:
- Activity task: An Activity task tells an activity worker to perform its function, such as to check inventory or charge a credit card. The activity task contains all the information that the activity worker needs to perform its function.
- Lambda task: A Lambda task is similar to an Activity task, but executes a Lambda function instead of a traditional Amazon SWF activity. For more information about how to define a Lambda task, see AWS Lambda Tasks.
- Decision task: A Decision task tells a decider that the state of the workflow execution has changed so that the decider can determine the next activity that needs to be performed. The decision task contains the current workflow history.
Routing Policies of Route 53: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html
Amazon Route 53 currently supports the following DNS record types:
- A (address record)
- AAAA (IPv6 address record)
- CNAME (canonical name record)
- CAA (certification authority authorization)
- MX (mail exchange record)
- NAPTR (name authority pointer record)
- NS (name server record)
- PTR (pointer record)
- SOA (start of authority record)
- SPF (sender policy framework)
- SRV (service locator)
- TXT (text record)
Connection Draining: To ensure that a Classic Load Balancer stops sending requests to instances that are de-registering or unhealthy while keeping the existing connections open, use connection draining.