AWS Training (003) MV

The document discusses various AWS services including compute, storage, database and analytics services. It describes EC2, Lambda, EBS, S3, RDS, DynamoDB, Redshift, EMR and Snow family of services for migrating data onto AWS.

Uploaded by Luis Maia

General

Concepts

• Scalability – accommodate larger load:
  o Vertical – increasing the size of an instance
  o Horizontal – increasing the number of instances (elasticity)
• Availability – purpose is to survive a data center loss (disaster)

Billing principles

• Pay as you go: pay for what you use, remain agile, responsive, meet scale demands
• Save when you reserve: minimize risks, predictably manage budgets, comply with long-term requirements
• Pay less by using more: volume-based discounts
• Pay less as AWS grows

AWS Support Plans

• Basic – Customer service & communities
• Developer – All above + Cloud support associates
• Business – All above + Infrastructure Event Management
• Enterprise – All above + Technical Account Manager + Concierge Support Team (for billing and account best practices)

AWS Support teams:

• Abuse Team – report AWS resources used for abusive or illegal purposes
• Security team – assist with security of services offered by AWS
• Concierge team – assist with billing and account management
• Customer Service team – assist with technology questions

Regions / Availability zones / etc

Compute

EC2 – Elastic Compute Cloud

Description

• Provides secure, resizable compute capacity in the cloud (Infrastructure as a Service)
• Makes web-scale cloud computing easier for developers
• Allows choice of processor, storage, networking and operating system
• Instance – virtual server in Amazon's EC2 for running applications on AWS

EC2 Instance Types

• Compute – high performance computing (CPU)
• Memory – process large data sets in memory/cache (RAM)
• Storage – large data sets on local storage (Storage)

AMI – Amazon Machine Image

• Provides the information required to launch an instance
• An AMI includes:
  o Instance storage and root template (operating system, application server and applications)
  o Launch permissions
  o Volumes to attach to the instance
• EC2 Image Builder – automate the creation of Virtual Machines (AMIs)

EC2 storage options (explained in Storage section)

• EC2 Instance store – temporary storage for an instance
• EBS – storing data on virtual drives for one instance
• EFS – network file system for multiple instances
• S3 – object storage to store and retrieve data from anywhere

Billing options

• On-Demand – short workload, predictable pricing, pay per use
• Reserved – long workloads, discount up to 70% (minimum 1 year):
  o Convertible Reserved Instances: can change the instance type
  o Scheduled Reserved Instances: available at a specific time
• Spot Instances – short workloads, cheap, can lose instances (less reliable)
• Dedicated Hosts – book an entire physical server, control instance placement
• Dedicated Instances – no other customers will share your hardware

Testing

• Penetration testing can be done without prior AWS authorization

ELB – Elastic Load Balancer

• Automatically distributes incoming application traffic across multiple EC2 instances, containers and IP addresses
• Performs health checks
• 3 types: Application layer (HTTP traffic – L7), Network layer (TCP traffic – L4), Classic (legacy)

ASG – Auto Scaling group

• Automatically adds or removes EC2 instances according to defined conditions
• Scales EC2 instances based on the demand on your system, replaces unhealthy instances
• Integrated with the ELB
• 3 types: manual, dynamic (input demand or schedule parameters), predictive (uses ML to predict traffic)

Lambda

• Run code without provisioning or managing servers (serverless)
• Automatically manages the underlying compute resources
• Pay only for the compute time you consume – runs on demand
• It scales quicker than EC2 but is generally more expensive

Storage

EC2 Instance Store

• Provides temporary storage for an EC2 instance
• Located on disks that are physically attached to the host computer
• Ideal for temporary storage, such as caches or temporary content
• Content is lost if the instance is stopped

EBS – Elastic Block Store

• File storage for EC2 instances for data that must be quickly accessible and requires long-term persistence
• Network drives attached to one EC2 instance at a time
• Mapped to an Availability Zone
• EBS snapshots – backup of an EBS volume & transfer across AZs

EFS – Elastic File System

• File storage for use with Amazon EC2 (like a shared folder)
• Highly scalable file storage system designed to provide flexible storage for multiple EC2 instances
• Network file system attached to several EC2 instances in a region
• EFS-IA – Infrequent Access: cost-optimized storage class for infrequently accessed files

Amazon S3 – Simple Storage Service

• Object storage to store and retrieve data from anywhere (websites, mobile apps, corporate applications, and data from IoT sensors or devices)
• Concepts: Buckets (folders) and Objects (files) tied to a region
• Features:
  o Security: IAM policy, S3 Bucket Policy (public access), S3 Encryption
  o Websites: host a static website on Amazon S3
  o Versioning: multiple versions of files to roll back to
  o Access logs: log requests made to your S3 bucket
  o Replication: same-region or cross-region replication
  o Object Lock: block an object version deletion
  o Glacier Vault Lock: lock the vault's deletion policy against future edits
  o Lifecycle rules: move objects across different storage classes
• S3 Storage classes (for real-time data access):
  o S3 Standard General Purpose – low latency and high throughput
  o S3 Standard Infrequent Access (IA) – data that is less frequently accessed
  o S3 One Zone-Infrequent Access – same as above but stored in only one zone
  o S3 Intelligent Tiering – cost-optimized by automatically moving objects between two access tiers – better for unpredictable access patterns
• S3 Glacier (for archive & backup)
  o Glacier & Glacier Deep Archive – low cost object storage, long retrieval times

Amazon FSx – File system

• Launch, run, and scale feature-rich, high-performance file systems in the cloud
• It is similar in concept to EFS
• Two options: Windows File Server and Lustre
  o Windows File Server – network file system for Windows servers
  o Lustre – High Performance Computing Linux file system

AWS Storage Gateway

• Hybrid storage service that enables on-premises applications to use AWS cloud storage
• Used to integrate AWS Cloud storage (e.g. S3) with existing on-site workloads

Database

RDS – Relational Database Service

• Set up, operate, and scale a relational database in the cloud
• Optimized for memory, performance or I/O
• Provides six database engines: Aurora (AWS proprietary DB), PostgreSQL, MySQL, MariaDB, Oracle and MS SQL Server
• RDS is a managed service: automated provisioning, OS patching, continuous backups, monitoring dashboards, disaster recovery, maintenance windows for upgrades and scaling capability

Aurora

• Set up, operate and scale a relational database based on MySQL and PostgreSQL
• Aurora is a proprietary DB technology from AWS
• 5x performance improvement over MySQL on RDS and 3x over Postgres
• Aurora costs more than RDS (20% more) – but is more efficient

DynamoDB

• Key-value database that delivers single-digit millisecond performance at any scale (NoSQL database)
• It's a fully managed, multi-region database with built-in security, backup and restore, and in-memory caching for internet-scale applications
• Scales to massive workloads with low latency
• Used for caching, message queuing, and user/session management
• Millions of requests per second, trillions of rows, 100s of TB of storage

Amazon ElastiCache

• Web service that makes it easy to deploy, operate, and scale an in-memory cache in the cloud
• Provides ultrafast and inexpensive access to copies of data

Analytics

Redshift

• Fast, scalable data warehouse
• Makes it simple and cost-effective to analyze data across data warehouses

EMR

• Provides a managed Hadoop framework
• Makes it easy, fast, and cost-effective to process vast amounts of data across dynamically scalable Amazon EC2 instances

Athena

• Interactive query service to analyze data in Amazon S3 using standard SQL
• Athena is serverless, so there is no infrastructure to manage
• Pay only for the queries run

Migration & Transfer

AWS Snow (Snowcone, Snowball, Snowball Edge and Snowmobile)

Objective:

• Import data onto S3 through a physical device
• Used for data migration and edge computing
• AWS OpsHub – desktop application to manage Snow Family devices

Types of devices:

• Snowcone
  o Small briefcase, less storage < 8 TB
  o Petabyte-scale data transport solution
• Snowball
  o Large suitcase, large storage > 80 TB
  o Petabyte-scale data transport solution
  o Transfer large amounts of data into and out of AWS
• Snowball Edge
  o Data migration and edge computing device
  o Two types of solutions: Storage Optimized (100 TB) and Compute Optimized (52 vCPUs)
  o To be used in environments with limited connectivity
• Snowmobile
  o Truck, huge storage (exabytes)
  o Exabyte-scale data transfer service
  o Move extremely large amounts of data to AWS

AWS DMS – Database Migration Service

• Migrate databases to AWS easily and securely
• Source database remains operational during the migration, minimizing downtime
• Supports homogeneous (Oracle to Oracle) and heterogeneous migrations between different database platforms (Microsoft SQL Server to Aurora)

Networking

VPC – Virtual Private Cloud

• Provision a logically isolated section of the AWS Cloud
• Launch AWS resources in a virtual private network
• Allows selection of IP addresses, creation of subnets and configuration of route tables and network gateways
• Leverage the AWS Cloud as an extension of the corporate data center by creating a VPN connection between the data center and the VPC

Direct Connect

• Establish a dedicated private network connection from your premises to AWS
• Offers better bandwidth throughput and a better network experience
• Allows the same connection to be used to access public resources and private resources (EC2 instances running within a VPC)

CloudFront

• Fast content delivery network (CDN) service
• Delivers data, videos and applications with low latency and high speed
• It uses a network of over 225 Edge locations that are connected to the AWS Regions through a backbone network
• AWS peers with thousands of Tier 1/2/3 telecom carriers globally for connectivity

Route 53

• Provides managed DNS (Domain Name System)
• DNS is a collection of rules and records which helps understand how to reach a server through URLs
• Routes end users to Internet applications by translating human-readable names (www.example.com) into the numeric IP addresses (192.0.2.1) that computers use to connect to each other

Management & Governance

AWS CloudWatch

• Monitoring and management service that provides metrics for all AWS services
• Use CloudWatch for:
  o Metrics: monitor the performance of AWS services and billing metrics
  o Alarms: automate notifications based on a metric
  o Logs: collect log files from AWS services
  o Events: react to events or trigger a rule on a schedule

AWS CloudTrail

• Enables governance, compliance and auditing of your AWS account
• Records AWS API calls for your account and delivers log files
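
Since CloudTrail delivers its records as JSON log files, the auditing it enables is mostly a matter of reading those files for the events that matter. The script below is an added example (not part of the original notes): it triages a constructed CloudTrail "Records" array for three signals a defender usually wants first: any activity by the root account, console logins that succeeded without MFA, and API calls that stop or alter the trail itself. The field names (eventName, userIdentity.type, additionalEventData.MFAUsed, responseElements.ConsoleLogin) follow the CloudTrail record format; the records, account id and IP addresses are constructed samples.

```python
"""Triage constructed CloudTrail records for a few high-value audit signals.

Added example, not from the original notes. Field names follow the CloudTrail
record format; the records below are constructed samples, not real account data.
"""
import json

# Constructed sample: the "Records" array of one CloudTrail log file.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-15T08:01:12Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-01-15T08:05:40Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "198.51.100.8"},
    {"eventTime": "2024-01-15T09:30:00Z", "eventName": "StopLogging",
     "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2024-01-15T09:31:00Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.5"},
]})

# CloudTrail API calls that weaken or disable the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def triage_records(log_text):
    """Return a list of (severity, reason, event) tuples for records worth a look."""
    findings = []
    for ev in json.loads(log_text).get("Records", []):
        identity = ev.get("userIdentity", {})
        who = identity.get("userName") or identity.get("arn", "?")
        # The notes say the root account should not be used at all, so any use is a finding.
        if identity.get("type") == "Root":
            findings.append(("high", f"root account activity by {who}", ev))
        # Successful console login where MFA was not used.
        if ev.get("eventName") == "ConsoleLogin":
            mfa = ev.get("additionalEventData", {}).get("MFAUsed")
            ok = ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            if ok and mfa != "Yes":
                findings.append(("medium", f"console login without MFA by {who}", ev))
        # Someone changing the trail that produced this very log.
        if ev.get("eventName") in TRAIL_TAMPERING:
            findings.append(("high", f"{ev['eventName']} on CloudTrail by {who}", ev))
    return findings


def summarize(log_text):
    """Count findings per severity; handy for a dashboard or a test."""
    counts = {"high": 0, "medium": 0}
    for sev, _, _ in triage_records(log_text):
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    for sev, reason, ev in triage_records(SAMPLE_LOG):
        print(f"[{sev}] {ev['eventTime']} {reason} from {ev['sourceIPAddress']}")
```

Run against the sample it reports the root login (twice: once for root use, once for the missing MFA) and the StopLogging call, and ignores the routine DescribeInstances. In practice the same function would be fed the decompressed log files CloudTrail writes to S3, or the records a CloudWatch Logs subscription forwards.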

Trusted Advisor

• Helps to reduce cost, increase performance, and improve security
• Provides real-time guidance to help provision resources

AWS CloudFormation

• Create and manage a collection of related AWS resources
• Infrastructure as code – changes to the infrastructure are reviewed through code
• Create templates for AWS resources, dependencies and runtime parameters
• Allows for exact cost estimation and high productivity

AWS Config

• Enables you to assess, audit, and evaluate the configurations of your AWS resources
• Helps with auditing and recording compliance of your AWS resources
• Helps record configurations and changes over time

AWS Personal Health Dashboard

• Provides alerts and remediation guidance
• Personalized view into the performance and availability of the AWS services

AWS Systems Manager

• Gives you visibility and control of your infrastructure on AWS
• Provides a unified user interface to view operational data from multiple AWS services

Security

IAM – Identity and Access Management

• Control access to AWS services and resources for your users
• Allows you to create and manage:
  o Users and groups to manage their access to AWS resources
  o Roles and permissions to control which operations can be performed
• 3 ways to access AWS:
  o AWS Management Console: protected by password + MFA
  o AWS Command Line Interface (CLI): protected by access keys
  o AWS Software Development Kit (SDK): protected by access keys

Amazon Inspector

• Automated security assessments for EC2 instances
• Analyzes vulnerabilities and unintended network access

AWS Shield

• Managed Distributed Denial of Service (DDoS) protection service
• Safeguards web applications running on AWS
• Provides always-on detection and automatic inline mitigations that minimize application downtime and latency

AWS Organizations

• Allows you to manage multiple AWS accounts
• Helps customers centrally govern their environments as they grow and scale
• Manage billing, control access, compliance, and security

AWS WAF

• Firewall that helps protect your web applications from common web exploits

AWS Artifact

• Provides customers with on-demand access to AWS' compliance documentation and AWS agreements

Application integration

SQS – Simple Queue Service

• Send, store, and receive messages between software components
• Place messages into a queue to be processed later (e.g. delaying a sent email)

SNS – Simple Notification Service

• Send notifications to subscribers of topics (text messages)
• Notifications are triggered by AWS services (e.g. billing alarms)
• Notifications are sent via email, SMS, HTTP, etc.

Cost management

Cost and Usage Reports

• Contains the most comprehensive set of AWS cost and usage data
• Lists AWS usage for each service used by an account and its IAM users

Cost Explorer

• Visualize, understand, and manage your AWS costs and usage over time
• Create custom reports that analyze cost and usage data
• View current usage (detailed) and forecast usage
• Choose an optimal Savings Plan (to lower prices)

AWS Budgets

• Provides alerts when costs or usage exceed the budgeted amounts
• 3 types of budgets: Usage, Cost, Reservation

AWS Management & Governance

AWS Pricing Models

AWS Shared Responsibility Model

AWS Security, Identity, & Compliance

AWS Database

CLOUD (Madalena)

Cloud computing: increased flexibility to scale, better quality infrastructure at competitive prices, reduced maintenance costs, faster turnaround times, easy access to upgrades

Five characteristics:

1. Internet technology (needs an internet connection)
2. Shared (uses a common pool of resources)
3. Elastic (scales easily)
4. Metered (pay as you go)
5. Service-focused (jump right in with automation and ready-to-use structures)

It's a win-win for businesses and individuals

Architecture

Front end (1) + Back end (2) (connected by the internet)

(1) Represents the computer or smartphone you see
    Requires you to access the cloud via a browser, an app, or a unique software interface
    Takes security into account
    Is protected by access controls to the back end

(2) Is comprised of computer servers and data storage systems
    Does all the work
    The central server: monitors traffic and client demands
    Follows a set of protocols
    Uses middleware
    Redundancy – multiple copies!

iCloud – uploads across all devices, syncs automatically, has virtual storage, backs up data

IaaS (Infrastructure as a Service) – PaaS (Platform as a Service) – SaaS (Software as a Service) – BPaaS (Business Process as a Service)

Instead of businesses buying and maintaining their own data storage, providers like AWS, GCP, and Azure provide access to this on demand through IaaS. The storage and networking is hosted by providers. This is the foundation on which the cloud is built. IaaS can be leveraged as a cloud-based, end-to-end analytics platform designed to help build cost-effective solutions and rapidly develop turnkey analytics solutions.

SaaS allows access to software through a subscription model hosted by a provider and is consumed by customers over the internet in an "as-you-go" model, which usually means lower upfront costs, regular updates, and easy maintenance. With SaaS, the positives are ease of adaptation, predictable expenses, and higher speeds and benefits. Software as a Service is simple, straightforward, and keeps unnecessary costs down.

Public cloud – suited for less confidential information and is hosted at the provider's location. The service may be free or offered as a pay-per-usage model. Examples: Dropbox, Google Drive, Facebook Moments
Private cloud – dedicated to a single organization with high levels of confidential information. Serves as a data center
Hybrid cloud – a mix. Example: Office 365 (users can execute some work publicly through the public cloud and the rest privately on the private cloud using SharePoint)

Risks associated with cloud computing

Technology risks – improper security controls and procedures may expose the organization to cyber attacks
Movement of the wrong workload to the cloud may result in improper usage of cloud resources
Managing risks
AWS

5 characteristics of cloud computing:

• On-demand self-service – users can provision resources and use them without interaction from the service provider
• Broad network access – resources are available over the network, and can be accessed by diverse client platforms
• Multi-tenancy and resource pooling – multiple customers can share the same infrastructure and applications with security and privacy; multiple customers are serviced from the same physical resources
• Rapid elasticity and scalability (+important) – automatically and quickly acquire and dispose of resources when needed; quickly and easily scale based on demand
• Measured service – usage is measured, users pay correctly for what they have used

6 Advantages:
1. Trade capital expense (CAPEX) for operational expense (OPEX)
   Pay on demand: don't own hardware
   Reduced Total Cost of Ownership (TCO) & Operational Expense (OPEX)
2. Benefit from massive economies of scale
   Prices are reduced as AWS is more efficient due to large scale
3. Stop guessing capacity
   Scale based on actual measured usage
4. Increase speed and agility
5. Stop spending money running and maintaining data centers

Problems solved by the Cloud:
• Flexibility: change resource types when needed
• Cost-effectiveness: pay as you go, for what you use
• Scalability: accommodate larger loads by making hardware stronger or adding additional nodes
• Elasticity: ability to scale out and scale in when needed
• High availability and fault-tolerance: build across data centers
• Agility: rapidly develop, test and launch software applications

Types of Cloud Computing
IaaS: provides building blocks for cloud IT; provides networking, computers, data storage space; highest level of flexibility; easy parallel with traditional on-premises IT
PaaS: removes the need for your organization to manage the underlying infrastructure; focus on the development and management of your applications
SaaS: completed product that is run and managed by the service provider

Pricing of the Cloud: compute, storage and data transfer OUT of the cloud (only for the compute time and amount of data stored). Data transfer IN to the Cloud is free

Choosing an AWS region: compliance with data governance and legal requirements, proximity to customers, available services and features within a Region, and pricing. An AWS region is composed of multiple, isolated and separated availability zones. IAM encompasses all regions

Page 36 of the doc: see image

Customer = responsibility for security IN the cloud
AWS = responsibility for security OF the cloud

IAM (Identity and Access Management, global service)

Root account created by default, shouldn't be used or shared
Users are people within your organization – access using a user name and a password
Groups contain users (not other groups)
MFA – combination of a password + a security device you own! (Virtual MFA device, Universal 2nd Factor (U2F) Security Key)
To access AWS, you have three options:

• AWS Management Console (protected by password + MFA)
• AWS Command Line Interface (CLI): protected by access keys
• AWS Software Development Kit (SDK): for code: protected by access keys

IAM Roles for Services
Some AWS services will need to perform actions on your behalf
To do so, we assign permissions to AWS services with IAM Roles (Common Roles: EC2 Instance Roles, Lambda Function Roles, Roles for CloudFormation)
The IAM Credentials report lists all your account's users and the status of their various credentials.
The other IAM security tool is IAM Access Advisor. It shows the service permissions granted to a user and when those services were last accessed.

An IAM policy is an entity that, when attached to an identity or resource, defines their permissions.
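
What "defines their permissions" means in practice is the evaluation order IAM applies to a policy's statements: an explicit Deny always wins, otherwise some statement must Allow the action on the resource, otherwise the request is implicitly denied. The code below is an added example (not from the original notes) that reproduces that order for a single identity-based policy so you can reason about a document offline; it matches Action (case-insensitive) and Resource (case-sensitive) with IAM's `*` and `?` wildcards, ignores Condition, NotAction and NotResource, and ends with a small least-privilege check for statements that allow every action on every resource. The policy and bucket name are constructed.

```python
"""Evaluate an IAM-style policy document offline.

Added example, not from the original notes. Implements the documented order for
identity-based policies: explicit Deny > Allow > implicit deny. Condition,
NotAction and NotResource are not modelled; the policy below is constructed.
"""
import fnmatch

# Constructed policy: broad read on one bucket, explicit deny on its secrets/ prefix.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-bucket", "arn:aws:s3:::app-bucket/*"]},
        {"Effect": "Deny",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::app-bucket/secrets/*"},
    ],
}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive):
    # IAM wildcards: '*' any sequence, '?' one character. Actions compare
    # case-insensitively, resource ARNs case-sensitively.
    for p in _as_list(patterns):
        if case_insensitive:
            p, v = p.lower(), value.lower()
        else:
            v = value
        if fnmatch.fnmatchcase(v, p):
            return True
    return False


def evaluate(policy, action, resource):
    """Return 'Deny' (explicit), 'Allow', or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy.get("Statement", []):
        if not _matches(stmt.get("Action", []), action, case_insensitive=True):
            continue
        if not _matches(stmt.get("Resource", []), resource, case_insensitive=False):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"       # an explicit deny ends evaluation
        decision = "Allow"      # keep scanning: a later Deny still wins
    return decision


def overly_broad(policy):
    """Indexes of Allow statements granting every action on every resource."""
    return [i for i, s in enumerate(policy.get("Statement", []))
            if s.get("Effect") == "Allow"
            and "*" in _as_list(s.get("Action", []))
            and "*" in _as_list(s.get("Resource", []))]


if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::app-bucket/public/index.html"),
                     ("s3:GetObject", "arn:aws:s3:::app-bucket/secrets/db.json"),
                     ("s3:PutObject", "arn:aws:s3:::app-bucket/public/x")]:
        print(f"{act:14} {res:48} -> {evaluate(SAMPLE_POLICY, act, res)}")
    print("overly broad statements:", overly_broad(SAMPLE_POLICY))
```

The third request shows the implicit deny: nothing in the policy mentions s3:PutObject, so it is refused without any Deny statement. The real service also merges every policy that applies (group, role, resource, SCP, permissions boundary) before deciding, so treat this as a model of one document, not of the whole account.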

EC2 – Elastic Compute Cloud – IaaS

EC2 is one of the most popular of AWS' offerings
• EC2 = Elastic Compute Cloud = Infrastructure as a Service

It mainly consists of the capability of:
• Renting virtual machines (EC2)
• Storing data on virtual drives (EBS)
• Distributing load across machines (ELB)
• Scaling the services using an auto-scaling group (ASG)

Knowing EC2 is fundamental to understanding how the Cloud works

EC2

E.g.: m5.2xlarge
m – instance class
5 – generation of hardware (AWS improves the hardware over time)
2xlarge – size within the instance class (bigger size, more memory, more CPU in the instance)

EC2 Instance types

• General Purpose: great for a diversity of workloads such as web servers or code repositories. Balance between compute, memory and networking. Example: t2 (t2.micro is a General Purpose EC2 instance)
• Compute Optimized: great for compute-intensive tasks that require high performance processors: batch processing workloads, media transcoding, high performance web servers, high performance computing (HPC), scientific modeling & machine learning, dedicated gaming servers. Example: C6g. All these are tasks that require a very good CPU
• Memory Optimized: fast performance for workloads that process large data sets in memory. Use cases: high performance relational/non-relational databases, distributed web-scale cache stores, in-memory databases optimized for BI (business intelligence), applications performing real-time processing of big unstructured data. Example: R6g
• Storage Optimized: great for storage-intensive tasks that require high, sequential read and write access to large data sets on local storage. Use cases: high frequency online transaction processing (OLTP) systems, relational & NoSQL databases, cache for in-memory databases (Redis), data warehousing applications, distributed file systems. Example: I3

Security Groups are the fundamentals of network security in AWS; they control how traffic is allowed into or out of our EC2 instances
Security groups are easy because they only contain allow rules, so we can say what is allowed to go in and to go out. Their rules reference sources by IP address
Security groups can be attached to multiple instances and an instance can have multiple security groups too. Security groups are locked down to a region (switch to another region, create a new security group)
Ports to know:
  o 22 = SSH (Secure Shell) – log into a Linux instance
  o 21 = FTP (File Transfer Protocol) – upload files into a file share
  o 22 = SFTP (Secure File Transfer Protocol) – upload files using SSH
  o 80 = HTTP – access unsecured websites
  o 443 = HTTPS – access secured websites
  o 2289 = RDP (Remote Desktop Protocol) – log into a Windows instance
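
The two properties above, allow-only rules and rules keyed on source IP ranges, are enough to model a security group and to audit one. The code below is an added example (not from the original notes): it evaluates whether inbound traffic is admitted by the union of an instance's groups, and then scans groups for the remote-administration ports from the list above (SSH on 22, RDP on its standard port 3389) opened to the whole internet, which is the misconfiguration most often found in reviews. The rule dictionaries mirror the IpPermissions shape that EC2's DescribeSecurityGroups returns (IpProtocol, FromPort, ToPort, IpRanges[].CidrIp); the groups and addresses are constructed samples.

```python
"""Model security-group inbound rules and audit them for over-exposed ports.

Added example, not from the original notes. Rule shape follows EC2's
DescribeSecurityGroups IpPermissions; groups and addresses are constructed.
Security groups hold allow rules only: anything not matched is dropped, and
return traffic for an allowed connection is permitted automatically (stateful).
"""
import ipaddress

# Constructed sample: a web group scoped sensibly and a legacy group open to everything.
SAMPLE_GROUPS = {
    "sg-web": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
    "sg-legacy": [
        # IpProtocol "-1" is EC2's "all protocols, all ports".
        {"IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

# Remote-administration ports: SSH/SFTP from the notes; RDP's standard port is 3389.
ADMIN_PORTS = {22: "SSH/SFTP", 3389: "RDP"}
ANYWHERE = ipaddress.ip_network("0.0.0.0/0")


def _port_in_rule(rule, proto, port):
    """Does the rule's protocol/port range cover proto:port?"""
    if rule["IpProtocol"] == "-1":
        return True
    if rule["IpProtocol"] != proto:
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def rule_covers(rule, proto, port, src_ip):
    """True if this allow rule admits proto:port traffic from src_ip."""
    if not _port_in_rule(rule, proto, port):
        return False
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(r["CidrIp"]) for r in rule["IpRanges"])


def is_allowed(groups, attached, proto, port, src_ip):
    """Inbound decision for an instance: the union of all attached groups' allow rules."""
    return any(rule_covers(rule, proto, port, src_ip)
               for name in attached for rule in groups[name])


def audit_world_open_admin(groups):
    """Return (group, port, service) for admin ports reachable from 0.0.0.0/0."""
    findings = []
    for name, rules in groups.items():
        for port, service in ADMIN_PORTS.items():
            for rule in rules:
                if not _port_in_rule(rule, "tcp", port):
                    continue
                if any(ipaddress.ip_network(r["CidrIp"]) == ANYWHERE for r in rule["IpRanges"]):
                    findings.append((name, port, service))
                    break  # one hit per (group, port) is enough
    return findings


if __name__ == "__main__":
    print("sg-web  ssh from corp 10.1.2.3:", is_allowed(SAMPLE_GROUPS, ["sg-web"], "tcp", 22, "10.1.2.3"))
    print("sg-web  ssh from 198.51.100.1:", is_allowed(SAMPLE_GROUPS, ["sg-web"], "tcp", 22, "198.51.100.1"))
    print("sg-web  https from anywhere:  ", is_allowed(SAMPLE_GROUPS, ["sg-web"], "tcp", 443, "198.51.100.1"))
    for group, port, service in audit_world_open_admin(SAMPLE_GROUPS):
        print(f"FINDING: {group} exposes {service} (tcp/{port}) to 0.0.0.0/0")
```

Note the union semantics in is_allowed: attaching sg-legacy alongside sg-web silently reopens port 22 to the world, because there is no deny rule that sg-web could add to prevent it. That is why the audit walks every group rather than only the "main" one.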

EC2 Instances Purchasing Options

• On-demand Instances: short workload, predictable pricing
  Pay for what you use, has the highest cost but no upfront payment, no long-term commitment.
  Recommended for short-term and uninterrupted workloads, where you can predict how the application will behave

• Reserved (minimum 1 year)
  - Reserved Instances: long workloads
    Up to 75% discount compared to on-demand. Reservation period (1 year or 3 years). Purchasing options: no upfront (pay monthly) | partial upfront | all upfront (pay today). Reserve a specific instance type. Recommended for steady-state usage applications (e.g. database)
  - Convertible Reserved Instances: long workloads with flexible instances
    Can change the EC2 instance type over time (t2.large to c5.large or r5.4xlarge)
    Up to 54% discount
  - Scheduled Reserved Instances: e.g. every Thursday between 3 and 6pm
    Launch within the time window you reserve
    When you require a fraction of a day/week/month
    Still a commitment over 1 to 3 years

• Spot Instances: short workloads, cheap, can lose instances (less reliable)
  Provide the highest discount in AWS – 90%
  But you can lose them at any point in time, if the price you are willing to pay for them (max price) is less than the current spot price. Spot prices change over time
  The most cost-efficient instances in AWS
  Use only for workloads that are resilient to failure: batch jobs, data analysis, image processing, any distributed workloads, workloads with flexible start and end time
  Not suitable for critical jobs or databases!! (lose all the work)

• Dedicated Hosts: book an entire physical server, control instance placement
  A physical server with EC2 instance capacity fully dedicated to your use. Dedicated Hosts can help you address compliance requirements and reduce costs by allowing you to use your existing server-bound software licences.
  Allocated to your account for a 3-year reservation period
  More expensive
  Useful for companies that have strong regulatory or compliance needs

• Dedicated Instances: we don't need to know how to distinguish these from the others

EC2 Instance Storage

EBS VOLUME – it is like a USB stick!!
An EBS (Elastic Block Store) Volume is a network drive you can attach to your instances while they run. It allows your instances to persist data, even after their termination. We can recreate an instance and mount the same EBS Volume from before, and we will get back our data
They can only be mounted to one instance at a time (one instance can have multiple EBS volumes). They are bound to a specific availability zone
- It's a network drive (not physical) – uses the network to communicate, so there might be a bit of latency. It can be detached from an EC2 instance and attached to another one quickly
- It's locked to an Availability Zone (AZ)
- Has a provisioned capacity (size in GBs and IOPS) – we can increase the capacity of the drive over time

Delete on Termination attribute !!
Controls the EBS behavior when an EC2 instance terminates
• By default, the root EBS volume is deleted (attribute enabled)
• By default, any other attached EBS volume is not deleted (attribute disabled)
This can be controlled by the AWS console / AWS CLI – untick the boxes! We can keep the root volume if we want to always have the data at hand
Use case: preserve the root volume when the instance is terminated

EBS Snapshots – we transfer what we have into an EBS snapshot and from it we place it in another AZ
Make a backup (snapshot) of your EBS volume at a point in time
Not necessary to detach the volume to take a snapshot, but recommended
Can copy snapshots across AZs or Regions!! When we need to have the data in another region
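
The Delete on Termination attribute described above is per block-device mapping, so the defaults (root deleted, data volumes kept) can be overridden either way, and an audit has to read the mapping rather than assume. The code below is an added example (not from the original notes): it reads a constructed DescribeInstances response, lists which volumes each instance would take with it on termination (the data that would be lost unless a snapshot exists), and builds the `--block-device-mappings` argument for `aws ec2 modify-instance-attribute` that keeps the root volume. Instance and volume ids are placeholders.

```python
"""Check which EBS volumes an instance would delete on termination.

Added example, not from the original notes. The input follows the shape of
EC2 DescribeInstances (Reservations[].Instances[].BlockDeviceMappings[].Ebs);
the response, instance ids and volume ids below are constructed placeholders.
"""
import json

SAMPLE_DESCRIBE = {"Reservations": [{"Instances": [
    # Defaults: root volume goes, the extra data volume stays.
    {"InstanceId": "i-0example1", "RootDeviceName": "/dev/xvda",
     "BlockDeviceMappings": [
         {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0root1", "DeleteOnTermination": True}},
         {"DeviceName": "/dev/sdf", "Ebs": {"VolumeId": "vol-0data1", "DeleteOnTermination": False}},
     ]},
    # Overridden: root is preserved, but someone set the data volume to delete.
    {"InstanceId": "i-0example2", "RootDeviceName": "/dev/xvda",
     "BlockDeviceMappings": [
         {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0root2", "DeleteOnTermination": False}},
         {"DeviceName": "/dev/sdg", "Ebs": {"VolumeId": "vol-0data2", "DeleteOnTermination": True}},
     ]},
]}]}


def volumes_lost_on_termination(describe):
    """Map instance id -> list of (device, volume id) deleted with the instance."""
    out = {}
    for res in describe.get("Reservations", []):
        for inst in res.get("Instances", []):
            out[inst["InstanceId"]] = [
                (m["DeviceName"], m["Ebs"]["VolumeId"])
                for m in inst.get("BlockDeviceMappings", [])
                if m.get("Ebs", {}).get("DeleteOnTermination")]
    return out


def keep_root_mapping(describe, instance_id):
    """JSON for --block-device-mappings that keeps the root volume on termination."""
    for res in describe.get("Reservations", []):
        for inst in res.get("Instances", []):
            if inst["InstanceId"] == instance_id:
                return json.dumps([{"DeviceName": inst["RootDeviceName"],
                                    "Ebs": {"DeleteOnTermination": False}}])
    raise KeyError(instance_id)


if __name__ == "__main__":
    for iid, lost in volumes_lost_on_termination(SAMPLE_DESCRIBE).items():
        print(iid, "would delete:", lost or "nothing")
    mapping = keep_root_mapping(SAMPLE_DESCRIBE, "i-0example1")
    # Constructed instance id; the command itself is the standard EC2 CLI call.
    print("aws ec2 modify-instance-attribute --instance-id i-0example1 "
          "--block-device-mappings '" + mapping + "'")
```

Feeding it `aws ec2 describe-instances --output json` from a real account is the obvious next step; the second sample instance is the case worth catching, where a data volume was flagged for deletion even though the root was preserved.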

AMI (Amazon Machine Image) Overview

AMIs are a customization of an EC2 instance
• You add your own software, configuration, operating system, monitoring, …
• Faster boot / configuration time because all your software is pre-packaged (the software we needed was already installed onto our EC2 instance – a lot quicker)
AMIs are built for a specific region (and can be copied across regions)
You can launch EC2 instances from:
  o A public AMI: AWS provided (e.g. Amazon Linux 2 AMI)
  o Your own AMI: you make and maintain them yourself
  o An AWS Marketplace AMI: an AMI someone else made (and potentially sells on the marketplace)

AMI (Amazon Machine Image) Process
Start an EC2 instance and customize it
Stop the instance (to make sure data integrity is correct)
Build an AMI from it – this will also create EBS snapshots behind the scenes
Finally, we can launch instances from the AMI we customized

EC2 Image Builder !!
Used to automate the creation of virtual machine or container images = automate the creation, maintenance, validation and testing of AMIs for EC2 instances
So, we have the EC2 Image Builder service and automatically, when it's going to run, it's going to create an EC2 instance called a Builder EC2 instance. This EC2 instance is going to build components and customize software. And once this is done, an AMI is going to be created out of that EC2 instance. All of this is automated. After the AMI is created, we need to validate it. So the EC2 Image Builder will automatically create a test EC2 instance from that AMI and run a set of tests that you define in advance (we can skip the tests). Once the AMI is tested, the AMI is going to be distributed to multiple regions → allowing the application and the workflow to be truly global (free service – just pay for the underlying resources)

Storage we can attach onto an EC2 instance (3)

EC2 Instance Store vs. EBS Volumes (both are like USB sticks) – attach network drives to our EC2
EBS volumes are network drives with good but "limited" performance. If we need a high performance hardware disk, we use EC2 Instance Store
- Better I/O performance
- Problem: Instance Stores lose their storage if they're stopped (ephemeral)
- Good for buffer/cache/scratch data/temporary content (not good for long-term storage – EBS is good for this)
- Risk of data loss if hardware fails
- Make sure we do backups and replication (our responsibility)

EFS – Elastic File System
Benefit: managed NFS (network file system) that can be mounted on 100s of EC2 instances at a time (an EBS Volume can only be attached to one EC2 instance at a time, but with an EFS drive we can mount it on 100s of EC2 instances)
EFS works with Linux EC2 instances in multiple Availability Zones (AZ)
Highly available, scalable, expensive (3x EBS Vol), pay per use, no capacity planning

EFS Infrequent Access (EFS-IA) – when we don't need to access the files every day
Storage class that is cost-optimized for files not accessed every day
Up to 92% lower cost compared to EFS Standard – COST SAVING
EFS will automatically move your files to EFS-IA based on the last time they were accessed
Enable EFS-IA with a lifecycle policy
E.g.: move files that are not accessed for 60 days to EFS-IA
Transparent to the applications accessing EFS

Amazon FSx
1) Amazon FSx for Windows File Server
A fully managed, highly reliable and scalable Windows-native shared file system
Built on Windows File Server
Supports SMB protocol & Windows NTFS
Integrated with Microsoft Active Directory
Can be accessed from AWS or your on-premises infrastructure

2) Amazon FSx for Lustre (Linux + cluster)
A fully managed, high performance, scalable file storage for High Performance Computing (HPC)
Machine Learning, Analytics, Video processing, Financial Modeling, …
Scales up to 100 GB/s, millions of IOPS, sub-ms latencies
SECTION 7 – Elastic Load Balancing & Auto Scaling Groups
Scalability & High Availability
Scalability means that an application/system can handle greater loads by adapting. There are
two kinds of scalability: Vertical or Horizontal (=elasticity)
Vertical scalability: means increasing the size of the instance; for example, your application
runs on a t2.micro --- scaling ---- t2.large; vertical scalability is very common for non-distributed
systems, such as a database. There’s usually a limit to how much you can vertically scale
(hardware limit). Eg: Operator --- senior operator
Horizontal Scalability: means increasing the number of instances/systems for your application.
Implies distributed systems. This is very common for web applications / modern applications. It’s
easy to horizontally scale thanks to cloud offerings such as Amazon EC2. Eg: 1 EC2 --- 19 EC2
High Availability usually goes hand in hand with horizontal scaling. Means running your
application / system in at least 2 Availability Zones. The goal is to survive a data center loss
(disaster)
• Scalability: ability to accommodate a larger load by making the hardware
stronger (scale up), or by adding nodes (scale out)
• Elasticity: once a system is scalable, elasticity means that there will be
some “auto-scaling” so that the system can scale based on the load. This
is “cloud-friendly”: pay-per-use, match demand, optimize costs
• Agility: (not related to scalability - distractor) new IT resources are only
a click away, which means that you reduce the time to make those
resources available to your developers from weeks to just minutes
Elastic Load Balancing (ELB)
Load balancers are servers that forward internet traffic to multiple servers (EC2 Instances)
downstream
- Why use it? Spread load across multiple downstream instances, Expose a single point of
access (DNS) to your application, Seamlessly handle failures of downstream instances, Do
regular health checks to your instances, Provide SSL termination (HTTPS) for your websites,
High availability across zones.

• An ELB (Elastic Load Balancer) is a managed load balancer
AWS guarantees that it will be working
AWS takes care of upgrades, maintenance, high availability
AWS provides only a few configuration knobs
• It costs less to set up your own load balancer but it will be a lot more effort on your end
(maintenance, integrations)
• 3 kinds of load balancers offered by AWS
Application Load Balancer (http/https) – Layer 7
Network Load Balancer (ultra high performance, allows for TCP) – Layer 4, low latency
Classic Load Balancer (slowly retiring) - Layer 4 & 7 (no need to know)

Auto Scaling Group – create automatically


The goal of ASG is to:
- Scale out (add EC2 instances) to match an increased load
- Scale in (remove) to match a decreased load
- Ensure we have a minimum and a maximum number of machines running
- Automatically register new instances to a load balancer
- Replace unhealthy instances
Cost Savings: only run at an optimal capacity (principle of the cloud elasticity)

Auto Scaling Group – Scaling strategies


• Manual scaling: Update the size of an ASG manually
• Dynamic scaling: Respond to changing demand automatically
- Simple/Step Scaling (when a CloudWatch alarm is triggered (CPU >
70%), then add 2 units)
- Target Tracking Scaling (I want the average ASG CPU to stay at around
40%)
- Scheduled Scaling (anticipate a scaling based on known usage patterns –
increase the min capacity to 10 at 5 pm on Fridays)
• Predictive Scaling !! (uses Machine Learning to predict the future traffic ahead of time,
automatically provisions the right number of EC2 instances in advance) Useful when
your load has predictable time-based patterns
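As an added illustration (not part of these notes, and a simplified model rather than the service's own algorithm), the Python below works out the desired capacity an Auto Scaling Group would settle on under step scaling, target tracking and scheduled scaling. The CPU bands, the 40% target and the Friday 17:00 schedule are constructed to match the figures used above; min/max clamping is applied the way an ASG always does.

```python
"""Simulate how an Auto Scaling Group picks its desired capacity under the
strategies listed above. Added example; bands, targets and schedules are
constructed and the arithmetic is a simplified model of the real service."""

import math
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AsgState:
    min_size: int
    max_size: int
    desired: int

    def clamp(self, n: int) -> int:
        """Desired capacity never leaves the [min, max] band."""
        return max(self.min_size, min(self.max_size, n))


# Constructed step-scaling bands: (lower CPU %, upper CPU % or None, instance delta)
STEP_BANDS: List[Tuple[float, Optional[float], int]] = [
    (0, 30, -1),      # scale in by one when CPU is under 30 %
    (70, 85, +2),     # the "CPU > 70 % then add 2 units" alarm from the notes
    (85, None, +4),   # heavier step for a harder breach
]


def step_scaling(state: AsgState, cpu_percent: float,
                 bands: List[Tuple[float, Optional[float], int]]) -> AsgState:
    """Step scaling: the band containing the metric value fixes the adjustment;
    metric values outside every band leave the group unchanged."""
    for lower, upper, delta in bands:
        if cpu_percent >= lower and (upper is None or cpu_percent < upper):
            return replace(state, desired=state.clamp(state.desired + delta))
    return state


def target_tracking(state: AsgState, avg_cpu: float, target_cpu: float) -> AsgState:
    """Target tracking: resize so the average metric lands on the target.
    With load spread evenly, desired * avg / target instances bring the
    average back to the target; round up so we never under-provision."""
    wanted = math.ceil(state.desired * avg_cpu / target_cpu)
    return replace(state, desired=state.clamp(wanted))


def scheduled_scaling(state: AsgState, weekday: str, hour: int,
                      actions: List[Tuple[str, int, int, int]]) -> AsgState:
    """Scheduled scaling: at a known time, move the min/max bounds (e.g. raise
    the minimum to 10 at 17:00 on Fridays); desired is pulled into the new band."""
    for when_day, when_hour, new_min, new_max in actions:
        if (when_day, when_hour) == (weekday, hour):
            state = replace(state, min_size=new_min, max_size=new_max)
            state = replace(state, desired=state.clamp(state.desired))
    return state


if __name__ == "__main__":
    group = AsgState(min_size=2, max_size=10, desired=4)
    print(step_scaling(group, 75, STEP_BANDS))
    print(target_tracking(group, avg_cpu=80, target_cpu=40))
    print(scheduled_scaling(group, "fri", 17, [("fri", 17, 10, 20)]))
```

The three functions are pure: each returns a new state, so you can replay a sequence of metric samples and see how the min/max bounds keep every strategy from over- or under-shooting.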
High availability – across multiple AZ. Vertical scaling – increase the size of the instance.
Horizontal - increase the nº of instances. Elasticity – scale up and down based on
demand. Agility is the concept of the cloud that is going to be able to make your work
faster because you can create and delete resources very quickly.

SECTION 8 - S3
Amazon S3 is one of the main building blocks of AWS
It’s advertised as “infinitely scaling” storage
Many websites use Amazon S3 as a backbone. Many AWS services use S3 as an integration
as well

S3 Use Cases
1. Backup and storage
2. Disaster Recovery
3. Archive
4. Hybrid Cloud Storage
5. Application hosting
6. Media hosting
7. Data lakes & big data analytics
8. Software delivery
9. Static website
Amazon S3 allows people to store objects (files) in buckets (directories)
Buckets must have a globally unique name (across all regions all accounts)
Buckets are defined at the regional level
S3 looks like a global service but buckets are created in a region
Naming convention – globally unique

What can we store? Objects
Objects (files) have a Key (prefix + object name)
There’s no concept of “directories” within buckets
Just keys with very long names that contain slashes (/)
Object values are the content of the body (max object size is 5TB; if uploading more than 5GB,
must use “multi-part upload”)
Metadata (list of text key / value pairs – system or user metadata)
Tags (Unicode key / value pairs – up to 10) – useful for security/lifecycle
Version ID (if versioning is enabled)
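As an added example (not from these notes), the following Python mimics how S3 treats keys: there are no directories, and a prefix-plus-delimiter listing simply groups keys by their common prefix, which is what the console draws as folders. The bucket contents are constructed sample data, and the size thresholds are the 5 GB single-PUT and 5 TB maximum quoted above.

```python
"""Simulate S3 key handling: keys are flat strings, "folders" are just
prefixes derived from a delimiter. Added example with constructed data."""

from typing import Dict, List, Tuple

# Constructed sample bucket: key -> object size in bytes
SAMPLE_BUCKET: Dict[str, int] = {
    "logs/2024/01/app.log": 1200,
    "logs/2024/02/app.log": 900,
    "images/cat.png": 54_000,
    "images/dog.png": 61_000,
    "readme.txt": 120,
}

SINGLE_PUT_LIMIT = 5 * 1024**3   # 5 GB: above this, multipart upload is required
MAX_OBJECT_SIZE = 5 * 1024**4    # 5 TB: the largest object S3 accepts


def split_key(key: str) -> Tuple[str, str]:
    """Return (prefix, object name). The prefix runs up to and including the
    last slash; a key at the bucket root has an empty prefix."""
    idx = key.rfind("/")
    if idx == -1:
        return "", key
    return key[: idx + 1], key[idx + 1:]


def list_objects(bucket: Dict[str, int], prefix: str = "",
                 delimiter: str = "/") -> Dict[str, List[str]]:
    """Mimic a ListObjects call with Prefix and Delimiter: keys that contain the
    delimiter after the prefix are rolled up into CommonPrefixes, the rest are
    returned as Contents. No directory exists on the S3 side at any point."""
    contents: List[str] = []
    common_prefixes: List[str] = []
    for key in sorted(bucket):
        if not key.startswith(prefix):
            continue
        rest = key[len(prefix):]
        if delimiter and delimiter in rest:
            rolled_up = prefix + rest.split(delimiter, 1)[0] + delimiter
            if rolled_up not in common_prefixes:
                common_prefixes.append(rolled_up)
        else:
            contents.append(key)
    return {"Contents": contents, "CommonPrefixes": common_prefixes}


def upload_mode(size_bytes: int) -> str:
    """Pick the upload path for an object of the given size."""
    if size_bytes > MAX_OBJECT_SIZE:
        raise ValueError("object larger than the 5 TB S3 maximum")
    return "multipart" if size_bytes > SINGLE_PUT_LIMIT else "single-put"


if __name__ == "__main__":
    print(list_objects(SAMPLE_BUCKET))
    print(list_objects(SAMPLE_BUCKET, prefix="logs/2024/"))
    print(split_key("logs/2024/01/app.log"))
```

Calling `list_objects` with an empty delimiter returns every key flat, which is exactly what the service stores; the "folder" view only appears when a delimiter is supplied.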

S3 Security
• User based IAM policies – which API calls should be allowed for a specific user, from the
IAM console
• Resource Based Bucket Policies – bucket wide rules from the S3 console – allow
cross account access
Object Access Control List (ACL) – finer grain
Bucket ACL – less common !!
• Note: An IAM principal can access an S3 object if:
The user IAM permissions allow it OR the resource policy allows it AND there’s no explicit
DENY
• Encryption: encrypt objects in Amazon S3 using encryption keys

S3 Bucket Policies
JSON based policies
Resources: buckets and objects
Actions: set of API calls to Allow or Deny
Effect: Allow/Deny
Principal: The account or user to apply the policy to

Use S3 bucket policies to: grant public access to the bucket, force objects to be encrypted at
upload, grant access to another account (cross account)
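The access rule in the S3 Security note above (identity policy allow OR bucket policy allow, AND no explicit Deny) and the bucket policy use cases just listed are put together in the added Python example below. It is not from these notes or from AWS: the principals, account numbers and policy documents are constructed, and the evaluator models only the `Null` condition operator that the force-encryption pattern relies on. The "OR" rule holds within one account; for a cross-account caller the caller's own account must also grant the action, which this model does not check.

```python
"""Evaluate S3 access the way the notes describe: an identity policy allow OR
a bucket policy allow grants access, and any explicit Deny in either wins.
Added example with constructed policies and principals; the evaluator covers
only the "Null" condition operator used for the force-encryption pattern."""

import fnmatch
import json
from typing import Any, Dict, List, Optional

# Constructed principals (account IDs are placeholders, not real accounts)
ALICE = "arn:aws:iam::111111111111:user/alice"
OTHER_ACCOUNT_ROOT = "arn:aws:iam::222222222222:root"
BUCKET_ARN = "arn:aws:s3:::example-bucket"

# Constructed identity-based policy attached to alice: read-only on the bucket
ALICE_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}
    ],
}

# Constructed bucket policy: cross-account read for the other account (that
# account must also allow it on its side; not modelled here), plus a Deny
# that rejects uploads which do not request server-side encryption.
BUCKET_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CrossAccountRead",
         "Effect": "Allow",
         "Principal": {"AWS": OTHER_ACCOUNT_ROOT},
         "Action": "s3:GetObject",
         "Resource": BUCKET_ARN + "/*"},
        {"Sid": "DenyUnencryptedUploads",
         "Effect": "Deny",
         "Principal": "*",
         "Action": "s3:PutObject",
         "Resource": BUCKET_ARN + "/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt: Dict[str, Any], principal_arn: str) -> bool:
    """Identity policies carry no Principal (they apply to whoever they are
    attached to); bucket policies name the principal or use '*'."""
    principal = stmt.get("Principal")
    if principal is None or principal == "*":
        return True
    return principal_arn in _as_list(principal.get("AWS", []))


def _condition_matches(stmt: Dict[str, Any], context: Dict[str, str]) -> bool:
    """Only the Null operator is modelled: Null/true means 'key absent'."""
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "Null":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            key_absent = key not in context
            if key_absent != (expected == "true"):
                return False
    return True


def _applies(stmt: Dict[str, Any], principal_arn: str, action: str,
             resource: str, context: Dict[str, str]) -> bool:
    action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                    for a in _as_list(stmt["Action"]))
    resource_ok = any(fnmatch.fnmatchcase(resource, r)
                      for r in _as_list(stmt["Resource"]))
    return (_principal_matches(stmt, principal_arn) and action_ok
            and resource_ok and _condition_matches(stmt, context))


def evaluate(identity_policy: Optional[Dict[str, Any]],
             bucket_policy: Optional[Dict[str, Any]],
             principal_arn: str, action: str, resource: str,
             context: Optional[Dict[str, str]] = None) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny'.
    identity_policy is the policy attached to principal_arn (None if none)."""
    context = context or {}
    allowed = False
    for policy in (identity_policy, bucket_policy):
        if policy is None:
            continue
        for stmt in policy["Statement"]:
            if not _applies(stmt, principal_arn, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit Deny always wins
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def policy_json(policy: Dict[str, Any]) -> str:
    """Render a policy as the JSON document pasted into the S3 console."""
    return json.dumps(policy, indent=2)
```

Note that alice is allowed to read by her own identity policy, the other account only through the bucket policy, and an unencrypted upload is refused for everyone because the Deny statement is evaluated before any Allow counts.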

S3 Websites
S3 can host static websites and have them accessible on the www
The website url will be <bucket-name>.s3-website-<AWS-region>.amazonaws.com

If we don’t make the S3 bucket public in the first place, we’re going to get a 403 Error
(Forbidden)!!

Amazon S3 – Versioning
You can version your files in Amazon S3. It is enabled at the bucket level. Same key overwrite
will increment the “version”: 1,2,3,… It is best practice to version your buckets (protect against
unintended deletes, easy roll back to previous version)
Notes: any file that is not versioned prior to enabling versioning will have version “null”,
suspending versioning does not delete the previous versions

S3 Access Logs: for audit purposes, you may want to log all access to S3 buckets
S3 Replication (CRR & SRR)
• Must enable versioning in source and destination
• Cross Region Replication (CRR)
• Same Region Replication (SRR)
• Buckets can be in different accounts
• Copying is asynchronous
• Must give proper IAM permissions to S3
• CRR - Use cases: compliance, lower latency access, replication across accounts
• SRR – Use cases: log aggregation, live replication between production and test accounts

S3 Storage Classes overview


Amazon S3 Standard – General Purpose (commonly used)
Amazon S3 Standard - Infrequent Access (IA) (a file not accessed every time)
Amazon S3 One Zone - Infrequent Access (a file that you know you can recreate over time and
you don’t risk losing it)
Amazon S3 Intelligent Tiering (don’t know where to put the file)
Amazon Glacier (backups and archives)
Amazon Glacier Deep Archive (backups and archives that can take a lot of time to be retrieved)

S3 Durability and Availability


Durability means how often you will lose a file. By default, we have a high durability of 11 9’s of
objects across multiple AZ

Availability is how readily available a service is. S3 Standard has 99.99% availability. Varies
depending on storage class
Shared Responsibility Model for S3
AWS: Infrastructure (global security, durability, sustain concurrent loss of data in two facilities),
Configuration and vulnerability analysis, Compliance validation
User: S3 Versioning, Bucket policies, replication, Logging and Monitoring, S3 storage classes,
data encryption at rest and in transit

AWS Snow Family


Highly secure, portable devices to collect and process data at the edge and migrate data into
and out of AWS
- Data migration: Snowcone, Snowball Edge, Snowmobile
- Edge Computing: Snowcone, Snowball Edge

Snow family devices are offline devices to perform data migrations (shipped by post)! If it takes more
than 1 week to transfer over the network, use Snowball devices!!

Snowball Edge (for data transfers – petabyte-scale data, up to 10 PB)


Physical data transport solution: move TBs of data in or out of AWS
Alternative to moving data over the network (and paying network fees)
Pay per data transfer job
Provide block storage and Amazon S3 compatible object storage
Snowball Edge Storage Optimized – 80 TB of HDD capacity for block volume and S3
compatible object storage
Snowball Edge Compute Optimized – 42 TB of HDD capacity for block volume and S3
compatible object storage
Use cases: large data cloud migrations, DC decommission, disaster recovery

AWS Snowcone
Small, portable, computing, anywhere, rugged & secure, withstands harsh environments
Light (4.5 pounds, 2.1 kg)
Device used for edge computing, storage, and data transfer
8TBs of usable storage
Use Snowcone where Snowball does not fit (space-constrained environment)
Must provide your own battery/cables
Can be sent to AWS offline, or connect it to internet and use AWS DataSync to send data

AWS Snowmobile
Transfer exabytes of data (1 EB = 1,000,000 TB)
Each Snowmobile has 100 PB of capacity (use multiple in parallel)
High security: temperature controlled, GPS, 24/7 video surveillance
Better than Snowball if you transfer more than 10 PB

Edge Computing
Process data while it’s being created on an edge location (eg: a truck on the road, a ship on the
sea). These locations may have: limited / no internet access; limited / no easy access to
computing power. So, we set up a Snowball Edge / Snowball device to do edge computing. Use
cases of Edge Computing: Preprocess data, Machine learning at the edge, Transcoding media
streams. Eventually (if need be) we can ship the device back to AWS (for transferring data, for
eg)
Hybrid Cloud for Storage (storage gateway)
AWS is pushing for “hybrid cloud” (part of your infrastructure is on-premises and the other part is
on the cloud)
This can be due to: Long cloud migrations, security requirements, compliance requirements, IT
strategy
S3 is a proprietary storage technology, so how do you expose the S3 data on-premises? AWS
Storage Gateway – allows you to bridge whatever happens on-premises directly into the AWS
cloud

Section 9: Databases & Analytics

Relational Databases look like Excel spreadsheets, with links between them. Can use the
SQL language to perform queries/lookups

NoSQL (non-relational) Databases are purpose built for specific data models and
have flexible schemas for building modern applications
Benefits: - Flexibility: easy to evolve data model, - Scalability: designed to scale-out (add) by
using distributed clusters, - High performance: optimized for a specific data model, - Highly
functional: types optimized for the data model
Eg: key value, document, graph, in-memory, search databases
→ data in JSON format (same as IAM policies)
AWS offers many different databases.
Benefits: Quick provisioning, High Availability, Vertical and Horizontal Scaling; Automated
Backup and Restore, Operations, Upgrades; Operating System Patching is handled by AWS,
Monitoring, alerting

Note: we can use our own databases but it is our responsibility (so a managed database is a
lifesaver in many cases)

Examples of Relational databases:

AWS RDS Overview


RDS stands for Relational Database Service. Uses the SQL language. It allows you to create
databases in the cloud that are managed by AWS (such as PostgreSQL, MySQL, Oracle, Aurora).
Suited for OLTP workloads
Advantages:
RDS is a managed service (Automated provisioning, continuous backups and restore, monitoring
dashboards, read replicas for improved read performance, Multi AZ set up for disaster recovery,
maintenance windows for upgrades, scaling capability, storage backed by EBS)
BUT you can’t SSH into your instances

Amazon Aurora
Aurora is a proprietary technology from AWS (not open sourced)
PostgreSQL and MySQL are both supported as Aurora DB
Aurora is “AWS cloud optimized” (better performance)
Aurora storage automatically grows in increments of 10GB, up to 64TB
Aurora costs more than RDS but is more efficient
Not in the free tier

RDS Deployments
1) Read Replicas
Scale the read workload of your DB
Can create up to 5 Read Replicas
Data is only written to the main DB
2) Multi AZ
Failover in case of AZ outage (high availability)
Data is only read/written to the main database
Can only have 1 AZ as a failover AZ
3) Multi Region (Read Replicas)
Disaster recovery in case of region issue
Local performance for global reads
Replication cost

ElastiCache Overview: managed Redis or Memcached (serves all the databases)
Caches are in-memory databases with high performance, low latency
Helps reduce load off databases for read intensive workloads
AWS takes care of OS maintenance / patching, optimizations, setup, configuration, monitoring,
failure recovery and backups
DynamoDB – NoSQL database (not relational)
Fully managed, Highly available with replication across 3 AZ
Scales to massive workloads, distributed “serverless” database
It scales to millions of requests per second
Fast and consistent in performance
Single digit millisecond latency – low latency retrieval
Integrated with IAM for security, authorization and administration
Low cost and auto scaling capabilities

DynamoDB Accelerator – DAX (like ElastiCache but only for DynamoDB)
Fully managed in-memory cache for DynamoDB, performance improvement!

Redshift
Is based on PostgreSQL but it’s used for OLAP - online analytical processing - (analytics and
data warehousing)
Load data once every hour, not every second
10x better performance than other data warehouses
Columnar storage of data (instead of row based)
Massively Parallel Query Execution (MPP), highly available
Pay as you go based on the instances provisioned
Has a SQL interface for performing the queries
BI tools such as AWS QuickSight or Tableau integrate with it

EMR (Elastic MapReduce) helps creating Hadoop clusters (Big Data) to analyze and process
vast amount of data
The clusters can be made of hundreds of EC2 instances
EMR takes care of all the provisioning and configuration
Auto-scaling and integrated with Spot instances
Use cases: data processing, machine learning, web indexing, big data

Amazon Athena
Serverless query service to perform analytics against S3 objects
Uses SQL language to query the Files
Use cases: Business intelligence/analytics/reporting, analyze & query VPC Flow Logs, ELB
Logs, CloudTrail trails, …
Analyze data in S3 using serverless SQL

Amazon QuickSight
Serverless machine learning-powered business intelligence service to create interactive
dashboards
Fast, automatically scalable, embeddable, with per-session pricing
Use cases: Business analytics, building visualisations, …
Integrated with RDS, Aurora, Athena, Redshift, S3, …

DocumentDB - NoSQL database
Is the AWS equivalent of MongoDB, which is used to store, query and index JSON data
Similar deployment concepts as Aurora
Fully managed, highly available with replication across 3 AZ
Automatically scales to workloads with millions of requests per seconds

Amazon Neptune
Fully managed graph database. A popular graph would be a social network
Highly available across 3 AZ, with up to 15 read replicas
Build and run applications working with highly connected datasets
Can store up to billions of relations and query the graph with milliseconds latency
Highly available with replications across multiple AZs

Amazon QLDB (Quantum Ledger database)


A ledger is a book recording financial transactions
Fully managed, Serverless, Highly Available, Replication across 3 AZ
Used to review history of all the changes made to your application data over time
Immutable system: no entry can be removed or modified
2-3x better performance than common ledger blockchain frameworks
Difference with Amazon Managed Blockchain: central database, in accordance with financial
regulation rules

Amazon Managed Blockchain


Blockchain makes it possible to build applications where multiple parties can execute
transactions without the need for a trusted, central authority (decentralized blockchain)
Compatible with the frameworks Hyperledger Fabric & Ethereum

DMS – Database Migration Service


- Quickly and securely migrate databases to AWS, resilient, self-healing
- The source database remains available during the migration
- Supports homogeneous (oracle to oracle) and heterogeneous (Microsoft
to Aurora) migrations

AWS Glue
Managed extract, transform, and load (ETL) service – loaded for analytics
Useful to prepare and transform data for analytics
Fully serverless service
Glue Catalog
Section 10: ECS, Lambda, Batch, Lightsail

What is Docker? Docker is a software development platform to deploy apps. Apps are
packaged in containers that can be run on any OS. Apps run the same, regardless of where
they’re run. It can scale containers up and down very quickly (within seconds). (no need to know)

Launch docker containers: ECS and Fargate


ECS – Elastic Container Service
Launch Docker containers on AWS
You must provision & maintain the infrastructure (create the EC2 instances in advance)
AWS takes care of starting/stopping containers
Has integrations with the Application Load Balancer
I want to run docker containers on AWS, think of ECS.

Fargate (easier to use because we don’t manage any EC2)


Launch Docker containers on AWS
But you do not provision the infrastructure (no EC2 instances to manage) – simpler!
Serverless offering
AWS just runs containers for you based on the CPU/RAM you need

ECR (Elastic Container registry) - IMAGES


Private Docker Registry on AWS
This is where you store your Docker images so they can be run by ECS or Fargate

Serverless Introduction
Is a new paradigm in which the developers don’t have to manage servers anymore… They just
deploy code and functions. Serverless does not mean there are no servers… it means you just
don’t manage / provision/ see them (eg: Amazon S3, Dynamo DB, Fargate, Lambda)

AWS Lambda

Amazon EC2 vs. AWS Lambda:
- Virtual servers in the Cloud vs. Virtual functions – no servers to manage
- Limited by RAM and CPU vs. Limited by time – short executions
- Continuously running vs. Run on demand
- Scaling means intervention to add/remove servers vs. Scaling is automated

Benefits of AWS Lambda:


- Easy Pricing (pay per request and compute time)
- Integrated with the whole AWS suite of services
- Event-Driven: functions get invoked by AWS when needed – Lambda is a
reactive type of service
- Integrated with many programming languages
- Easy monitoring through AWS CloudWatch
- Easy to get more resources per function
- Increasing RAM will also improve CPU and network
Language support of Lambda: Java, Python, …
Lambda pricing is based on calls and duration
Amazon API Gateway – build a serverless HTTP API (also scalable)
Fully managed service for developers to easily create, publish, maintain, monitor and secure
APIs – give permission to the client

AWS Batch
Fully managed batch processing at any scale
Efficiently run hundreds of thousands of computing batch jobs on AWS
A “batch” job is a job with a start and an end (as opposed to continuous)
Batch will dynamically launch EC2 instances or Spot instances
AWS Batch provisions the right amount of compute/memory
Batch jobs are defined as Docker images and run on ECS
Helpful for cost optimization and focusing less on the infrastructure (automatically scales)
AWS Batch enables developers, scientists, and engineers to easily and efficiently run hundreds of
thousands of batch computing jobs on AWS. AWS Batch dynamically provisions the optimal
quantity and type of compute resources (e.g., CPU or memory-optimized instances) based on
the volume and specific resource requirements of the batch jobs submitted

Lambda vs. Batch:
- Time limit vs. No time limit
- Limited runtimes vs. Any runtime
- Limited temporary disk space vs. Relies on EBS
- Serverless vs. Relies on EC2 (can be managed by AWS)

Amazon Lightsail


Virtual servers, storage, databases and networking
Low & predictable pricing
Simpler alternative - Great for people with little cloud experience
Use cases: simple web applications, websites, test environment (without configuring things
much) started quickly
Has high availability but no auto scaling, limited AWS integrations
Section 11 – Deploying and Managing Infrastructure at Scale

CloudFormation is a declarative way of outlining your AWS Infrastructure, for any resources
(most of them are supported)
It is used when we have infrastructure as code: templates, when we need to repeat an
architecture in different environments, different regions, or even AWS accounts
For example: I want a security group, I want 2 instances, I want an ELB…

Then, CloudFormation creates those for you, in the right order, with the exact configuration
that you specify

Benefits: Infrastructure as code (no resources are manually created, which is excellent for
control; changes to the infrastructure are reviewed through code).
Cost (savings strategy)
Productivity (ability to destroy and re-create infrastructure on the cloud, automated
generation of Diagram for your templates)
Don’t reinvent the wheel (leverage existing templates on the web and documentation)
Supports (almost) all AWS resources

AWS Cloud Development Kit (CDK): define your cloud infrastructure using a familiar language:
JavaScript, Python, … The code is compiled into a CloudFormation template (JSON/YAML).
You can therefore deploy infrastructure and application runtime code together (great for Lambda
functions and Docker containers)

Beanstalk
(When we are a developer on AWS, we don’t want to be managing infrastructure and
configuring all the databases, load balancers, … We just want to deploy code! And ensure it
scales!
Most web infrastructure has the same architecture: load balancer + auto scaling group)
So Beanstalk is the answer! Platform as a Service (PaaS) – only manage data and apps
Is a developer centric way of deploying an application on AWS. It’s all in ONE view and we still have
full control over the configuration. It is free but we pay for the underlying instances. It is a
managed service. Just the application code is the responsibility of the developer! Very
developer friendly service.
Three architecture models: Single instance (good for dev), LB+ASG (great for production web
applications), ASG only (great for non-web apps in production)
Support for many platforms!
Health Monitoring – Health agent pushes metrics to CloudWatch. Checks for app health,
publishes health events. Beanstalk is thus also a way to do health monitoring for your
applications.

CodeDeploy – Advanced service (step 3)
We want to deploy our application automatically: automate software deployments to a hybrid fleet.
Works with EC2 instances and with On-premises Servers = Hybrid Service (Upgrades both
types from version 1 to version 2)
Servers/Instances must be provisioned and configured ahead of time with the CodeDeploy
Agent

CodeCommit (step 1)
Before pushing the application code to servers, it needs to be stored somewhere. Developers
usually store code in a repository, using Git technology
A famous public offering is GitHub; AWS’ competing product is CodeCommit (makes it easy to
collaborate with others on code. The code changes are automatically versioned). Benefits:
Fully managed, Scalable & highly available, Private, Secured, Integrated with AWS

CodeBuild – code building service in the cloud (step 2)
Compiles source code, runs tests, and produces packages that are ready to be deployed (by
CodeDeploy)
Benefits: fully managed, serverless, continuously scalable & highly available, secure, pay-as-
you-go pricing (only pay for the build time)

CodePipeline
Orchestrate the different steps to have the code automatically pushed to production (basis for
CI/CD – continuous integration & continuous delivery) – orchestration of the pipeline
Benefits: fully managed, compatible with different services, fast delivery and rapid updates

CodeArtifact
Software packages depend on each other to be built – dependencies
Storing and retrieving these dependencies is called artifact management
Traditionally, you need to set up your own artifact management system. Now, with CodeArtifact,
there is a secure, scalable, and cost effective artifact management for software development / a
place for developers to store their code dependencies
CodeStar
Unified UI to easily manage software development activities in one place
Central Service that allows developers to quickly start with development while using best
CI/CD practices
Can edit the code “in the cloud” using AWS Cloud9

AWS Cloud9
Is a cloud IDE (Integrated Development Environment) for writing, running and debugging
code
Classic IDEs are downloaded on a computer before being used
A cloud IDE can be used within a web browser, meaning you can work from anywhere without
any setup - Allows code collaboration

Systems Manager (SSM)


Helps you manage your EC2 and On-premises systems at scale
Another Hybrid AWS service; patch your fleet of EC2 instances or On-premises servers; run a
command consistently across all your servers; configure our servers
Get operational insights about the state of your infrastructure
Suite of 10+ products
Most important features are: Patching automation for enhanced compliance; Run commands
across an entire fleet of servers; Store parameter configuration with SSM Parameter Store;
Works for both Windows and Linux OS

AWS OpsWorks = Managed Chef & Puppet in the Cloud


Chef & Puppet help you perform server configuration automatically, or repetitive actions
It’s an alternative to SSM but with Chef & Puppet we can only provision EC2 instances,
databases, load balancers, EBS volumes

(Diagram: Deployment – Developer Services)
SECTION 12 – Global Infrastructure
Why Global Application? A global application is an application deployed in multiple
geographies
On AWS: deploy your application onto different AWS Regions or Edge Locations
Decreased Latency (latency is the time it takes for a network packet to reach a server)
Disaster Recovery (A DR plan is important to reach high availability)
Attack protection: distributed global infrastructure is harder to attack (hackers online)

Regions: for deploying applications and infrastructure. They’re made of multiple data centers
(AZ). Edge Locations (Points of Presence): for content delivery as close as possible to users

Global Applications in AWS:


1) Global DNS: Route 53 (great to route users to the closest deployment with least latency,
great for disaster recovery strategies)
2) Global Content Delivery Network (CDN): CloudFront (Replicate part of your application
to AWS Edge Locations – decrease latency)
3) S3 Transfer Acceleration (Accelerate global uploads & downloads into Amazon S3)
4) AWS Global Accelerator (Improve global application availability and performance using
the AWS global network)

Route 53 is a Managed DNS (Domain Name System)


DNS is a collection of rules and records which helps clients understand how to reach a server
through URLs
Route 53 Routing Policies:
• Simple Routing Policy: No health checks (the only one)
• Weighted Routing Policy: Allows distributing the traffic across multiple
instances – load balancing
• Latency Routing Policy: minimize the latency between the users and the servers by
making the users connect to the server closest to them
• Failover Routing Policy: Disaster Recovery – clients know exactly which instance to
connect to based on the health of that instance
Route 53 features are (non exhaustive list): Domain Registration, DNS, Health Checks, Routing
Policy
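To make the four routing policies concrete, the Python below resolves one name under each of them. It is an added example, not from these notes or from Route 53 itself: the record sets, health-check states and the client-to-region latency table are constructed, and the selection logic is a simplified model (for instance, real Route 53 treats an all-zero-weight set as equal weights, where this model raises).

```python
"""Resolve a name under the Route 53 routing policies listed above.
Added example; the record sets, health states and latency table are
constructed, and the selection logic is a simplified model of the service."""

import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Record:
    value: str            # the IP or endpoint the record points to
    weight: int = 1       # used by the weighted policy (0 disables the record)
    region: str = ""      # used by the latency policy
    role: str = ""        # "primary" or "secondary" for the failover policy
    healthy: bool = True  # result of the associated health check


# Constructed round-trip latency (ms) from a client location to each region
LATENCY_MS: Dict[str, Dict[str, int]] = {
    "eu": {"eu-west-1": 10, "us-east-1": 90},
    "us": {"eu-west-1": 95, "us-east-1": 12},
}

# Constructed record sets for the same name
WEIGHTED = [Record("10.0.0.1", weight=3), Record("10.0.0.2", weight=1),
            Record("10.0.0.3", weight=0)]
BY_REGION = [Record("10.1.0.1", region="eu-west-1"),
             Record("10.2.0.1", region="us-east-1")]
FAILOVER = [Record("10.3.0.1", role="primary"),
            Record("10.3.0.2", role="secondary")]


def simple_routing(records: List[Record]) -> str:
    """Simple policy: the record is returned as-is; no health check is consulted."""
    return records[0].value


def weighted_routing(records: List[Record], rng: random.Random) -> str:
    """Weighted policy: each healthy record is chosen with probability
    weight / sum(weights), a crude load balancing across instances."""
    pool = [r for r in records if r.healthy]
    total = sum(r.weight for r in pool)
    if total == 0:
        raise ValueError("no routable record")   # simplification, see lead-in
    pick = rng.random() * total                   # uniform in [0, total)
    cumulative = 0
    for r in pool:
        cumulative += r.weight
        if pick < cumulative:                     # a weight-0 record never wins
            return r.value
    return pool[-1].value


def weighted_shares(records: List[Record], draws: int, seed: int = 0) -> Dict[str, int]:
    """Count how often each value is returned over many seeded draws."""
    rng = random.Random(seed)
    counts: Dict[str, int] = {}
    for _ in range(draws):
        value = weighted_routing(records, rng)
        counts[value] = counts.get(value, 0) + 1
    return counts


def latency_routing(records: List[Record], client_location: str) -> str:
    """Latency policy: the healthy record in the region with the lowest
    measured latency to the client wins."""
    pool = [r for r in records if r.healthy]
    return min(pool, key=lambda r: LATENCY_MS[client_location][r.region]).value


def failover_routing(records: List[Record]) -> str:
    """Failover policy: serve the primary while its health check passes,
    otherwise the secondary (disaster recovery)."""
    primary = next(r for r in records if r.role == "primary")
    if primary.healthy:
        return primary.value
    return next(r for r in records if r.role == "secondary").value


if __name__ == "__main__":
    print(weighted_shares(WEIGHTED, 1000))
    print(latency_routing(BY_REGION, "eu"), failover_routing(FAILOVER))
```

Flipping `healthy` on a record shows the difference between the policies: simple routing keeps answering regardless, while weighted, latency and failover routing drop the unhealthy record from consideration.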

AWS CloudFront Content Delivery Network (CDN) – you cache content at the edge
Improves read performance, content is cached at the edge location – content distributed all
around the world
Improves user experience (since content is cached all around the world)
216 Points of Presence (number of edge locations)
DDoS protection (because worldwide), integration with Shield, AWS Web Application Firewall
What can CloudFront cache from? It can cache from S3 buckets (enhanced security with
CloudFront Origin Access Identity (OAI)), Custom Origin HTTP (EC2 Instance, Application Load
Balancer, …)
You can use AWS WAF web access control lists (web ACLs) to help minimize the effects of a
distributed denial of service (DDoS) attack. For additional protection against DDoS attacks, AWS
also provides AWS Shield Standard and AWS Shield Advanced.

S3 Transfer Acceleration
S3 Buckets are linked to only one Region, and
sometimes we need to transfer files from all around the world into one specific S3 bucket
Increase transfer speed by transferring the file to an AWS edge location which will forward the data
to the S3 bucket in the target region.
We can test using a URL link

AWS Global Accelerator to make your request go faster and go through the internal AWS
network globally
Improve global application availability and performance using the AWS global network
Leverage the AWS internal network to optimize the route to your application (60% improvement)
You only access your application through 2 Anycast IPs that are created, and traffic is sent
through Edge Locations
The Edge Locations send the traffic to your application

AWS Outposts
Hybrid Cloud: businesses that keep an on-premises infrastructure alongside a cloud
infrastructure
Therefore 2 ways of dealing with IT systems: One for AWS cloud, one for their on-premises
infrastructure
AWS Outposts are “server racks” that offer the same AWS infrastructure, services, APIs &
tools to build your own applications on-premises just as in the cloud
AWS will set up and manage “Outposts Racks” within your on-premises infrastructure and you
can start leveraging AWS services on-premises
You are responsible for the Outposts Rack physical security!!
Benefits: Low-latency access to on-premises systems; local data processing, data residency,
easier migration from on-premises to the cloud, fully managed service.

AWS Wavelength: infrastructure deployments embedded within the telecommunications
providers’ datacenters at the edge of the 5G networks
Brings AWS services to the edge of the 5G networks
Ultra-low latency applications through 5G zones. Traffic doesn’t leave the Communication
Service Provider’s Network
No additional charges or service agreements
Use cases: Smart cities, ML-assisted diagnostics, connected vehicles, Real time gaming

Section 13: Cloud Integrations


Applications need to communicate with one another. There are 2 patterns of application
communication: 1) Synchronous communications (application to application); 2)
Asynchronous/Event based (application to queue to application)
It’s better to decouple your applications because they can scale independently! Use SQS and
SNS

SQS – Simple Queue Service


Fully managed service (serverless), used to decouple applications
Default retention of messages (4 days, max 14 days)
No limit to how many messages can be in the queue
Messages are deleted after they’re read by consumers
Low latency. Consumers share the work to read messages & scale horizontally

SNS – Simple Notification Service

The “event publisher” only sends messages to one SNS topic
Concepts: notifications, subscribers, publishers
Each subscriber to the topic will get all the messages
SNS subscribers can be: HTTP, HTTPS, emails, SMS messages, mobile notifications, …
Kinesis – real-time big data streaming
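The two behaviours the notes contrast (an SNS topic delivers every message to every subscriber, while several consumers of one SQS queue split the messages between them) are easy to confuse. The in-memory model below is an added example, not AWS SDK code and not part of the course material; the `Topic`/`Queue` classes and the `orders`, `billing`, `shipping` names are constructed for illustration, and "read == delete" is a simplification of the real receive/delete flow.

```python
"""Added example: an in-memory model of SNS fan-out and SQS work sharing.
Illustrative code only; topic/queue names are constructed for the example."""
from collections import deque
from itertools import count


class Queue:
    """Minimal SQS-like queue: whichever consumer polls first takes the message,
    so consumers share the work (simplified: a read also deletes the message)."""

    def __init__(self, name):
        self.name = name
        self._messages = deque()
        self.received = []  # everything ever delivered to this queue

    def send(self, body):
        self._messages.append(body)
        self.received.append(body)

    def receive(self):
        return self._messages.popleft() if self._messages else None


class Topic:
    """Minimal SNS-like topic: every subscriber gets a copy of each message."""

    def __init__(self, name):
        self.name = name
        self.subscribers = []

    def subscribe(self, queue):
        self.subscribers.append(queue)

    def publish(self, body):
        for queue in self.subscribers:
            queue.send(body)


def consume_all(queue, consumer_names):
    """Simulate several consumers polling one queue round-robin until it is empty.
    Returns {consumer_name: [messages it processed]}."""
    processed = {name: [] for name in consumer_names}
    idle = 0
    for i in count():
        name = consumer_names[i % len(consumer_names)]
        msg = queue.receive()
        if msg is None:
            idle += 1
            if idle >= len(consumer_names):  # every consumer saw an empty queue
                break
            continue
        idle = 0
        processed[name].append(msg)
    return processed


def demo():
    """Fan-out to two queues, then two workers share one of the queues."""
    orders = Topic("orders")  # constructed names
    billing, shipping = Queue("billing"), Queue("shipping")
    orders.subscribe(billing)
    orders.subscribe(shipping)
    events = [f"order-{n}" for n in range(1, 7)]
    for event in events:
        orders.publish(event)
    # SNS semantics: both subscribed queues received every event.
    fanout_ok = billing.received == events and shipping.received == events
    # SQS semantics: two workers split the queue, nothing lost, nothing duplicated.
    work = consume_all(shipping, ["worker-a", "worker-b"])
    seen = work["worker-a"] + work["worker-b"]
    shared_ok = sorted(seen) == sorted(events) and not (set(work["worker-a"]) & set(work["worker-b"]))
    return fanout_ok, shared_ok, work


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows both queues holding all six orders while `worker-a` and `worker-b` each processed a disjoint half of the shipping queue.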

Amazon MQ
SQS and SNS are cloud-native services using proprietary protocols from AWS. But
applications may use open protocols such as MQTT, AMQP, WSS, OpenWire
When migrating to the cloud, instead of re-engineering the application, we can use Amazon MQ
(does not scale as much as the others and it is not serverless)

Section 14: Cloud Monitoring

Amazon CloudWatch Metrics provides metrics for every service in AWS (a metric is a variable
to monitor).
Important metrics:
 EC2 instances: CPU utilization, status checks, network
 EBS Volumes: Disk Reads/Writes
 S3 buckets: BucketSizeBytes, Number of objects
 Billing: Total Estimated Charge
 Service Limits: how much you’ve been using a service API
 Custom metrics: push your own metrics

Amazon CloudWatch Alarms

Alarms are used to trigger notifications for any metric
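An alarm does not fire on a single raw sample: samples are rolled into datapoints per period, and the alarm looks at the last N datapoints and needs M of them to breach the threshold. The code below is an added example of that evaluation logic, written for these notes and not taken from AWS; the CPU series is constructed, and missing datapoints are treated as not breaching (one of CloudWatch's configurable missing-data treatments).

```python
"""Added example (not from the course notes): how a CloudWatch metric alarm
decides OK / ALARM / INSUFFICIENT_DATA. Sample values are constructed."""
from statistics import mean


def aggregate(samples, period):
    """Roll raw per-minute samples into per-period datapoints (Average statistic).
    A period with no samples yields None, i.e. a missing datapoint."""
    points = []
    for start in range(0, len(samples), period):
        chunk = [s for s in samples[start:start + period] if s is not None]
        points.append(mean(chunk) if chunk else None)
    return points


def alarm_state(datapoints, threshold, evaluation_periods=3, datapoints_to_alarm=2):
    """State for the last `evaluation_periods` datapoints ("M out of N" alarm).
    Missing datapoints count as not breaching; a window with no data at all,
    or fewer datapoints than the evaluation window, is INSUFFICIENT_DATA."""
    window = datapoints[-evaluation_periods:]
    present = [p for p in window if p is not None]
    if len(window) < evaluation_periods or not present:
        return "INSUFFICIENT_DATA"
    breaching = sum(1 for p in present if p > threshold)
    return "ALARM" if breaching >= datapoints_to_alarm else "OK"


def state_history(datapoints, **kw):
    """Re-evaluate the alarm after every new datapoint, as CloudWatch does."""
    return [alarm_state(datapoints[:i + 1], **kw) for i in range(len(datapoints))]


if __name__ == "__main__":
    # Constructed: 30 one-minute CPU samples, a 10-minute spike in the middle.
    cpu = [20] * 10 + [95] * 10 + [30] * 10
    points = aggregate(cpu, period=5)
    print(points)
    print(state_history(points, threshold=80, evaluation_periods=3, datapoints_to_alarm=2))
```

With a 5-minute period, a threshold of 80% and "2 out of 3" datapoints, the alarm stays INSUFFICIENT_DATA until three datapoints exist, goes to ALARM for the two periods that contain the spike, and returns to OK one period after the spike ends.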

Amazon CloudWatch Logs

Collects logs from AWS services. Enables real-time monitoring of logs. Centralizes the logs

Amazon CloudWatch Events = Amazon EventBridge

React automatically to events happening within your architecture and infrastructure in AWS.
Amazon CloudTrail
Provides governance, compliance and audit for your AWS account (if a resource is deleted in
AWS, investigate CloudTrail first!). A trail can be applied to all Regions or a single Region – get a
history of all the events
 Types of events: Management (events on resources), Data (not logged by default),
CloudTrail Insights (detect unusual activities), Retention (keep events
beyond the default period)
 Read events (don’t modify resources) vs. Write events (modify resources)
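The "a resource was deleted, check CloudTrail first" advice comes down to separating write events from read events and finding the record whose request parameters name the resource. The script below is an added example written for these notes (not AWS tooling); the trail is constructed sample data in CloudTrail's `{"Records": [...]}` shape, and the user names, IPs and resource IDs are placeholders.

```python
"""Added example (not from the course notes): triaging CloudTrail records to
find who deleted a resource. SAMPLE_TRAIL is constructed data with placeholder
users, IPs and IDs, laid out like a real CloudTrail log file."""
import json

SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-10T08:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "readOnly": True, "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {}},
    {"eventTime": "2024-01-10T08:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "readOnly": False, "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}},
    {"eventTime": "2024-01-10T08:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "readOnly": False, "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root"},
     "requestParameters": {"bucketName": "example-logs-bucket"}},
    {"eventTime": "2024-01-10T08:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "readOnly": True, "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {}},
]})

# Fallback heuristic for records that carry no readOnly field.
WRITE_PREFIXES = ("Create", "Delete", "Put", "Update", "Modify", "Terminate",
                  "Attach", "Detach", "Run", "Start", "Stop", "Reboot")


def load_records(trail_json):
    return json.loads(trail_json)["Records"]


def is_write_event(rec):
    """Write events modify resources; read events (Describe*, List*, Get*) do not."""
    if "readOnly" in rec:
        return not rec["readOnly"]
    return rec["eventName"].startswith(WRITE_PREFIXES)


def actor(rec):
    """Best available name for the principal behind a record."""
    ident = rec["userIdentity"]
    return ident.get("userName") or ident.get("arn") or ident["type"]


def _leaves(obj):
    """Yield every scalar nested anywhere inside requestParameters."""
    if isinstance(obj, dict):
        for value in obj.values():
            yield from _leaves(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _leaves(value)
    else:
        yield obj


def events_touching(records, resource_id):
    """All records whose request parameters mention the resource."""
    return [r for r in records
            if resource_id in map(str, _leaves(r.get("requestParameters", {})))]


def who_deleted(records, resource_id):
    """(time, actor, event, source IP) for each write event that deleted or terminated it."""
    return [(r["eventTime"], actor(r), r["eventName"], r["sourceIPAddress"])
            for r in events_touching(records, resource_id)
            if is_write_event(r) and r["eventName"].startswith(("Delete", "Terminate"))]


def root_write_events(records):
    """Write events made with the root user deserve an alert of their own."""
    return [r["eventName"] for r in records
            if is_write_event(r) and r["userIdentity"]["type"] == "Root"]


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    print("writes:", [r["eventName"] for r in recs if is_write_event(r)])
    print("deleted by:", who_deleted(recs, "i-0123456789abcdef0"))
    print("root writes:", root_write_events(recs))
```

On the sample trail, `who_deleted` points at `bob` terminating the instance from `198.51.100.7`, and `root_write_events` flags the bucket deletion made as root, the kind of finding the root-user and MFA checks later in these notes exist to prevent.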

AWS X-Ray
Do tracing and get visual analysis of your application – get a full picture
Distributed tracing, troubleshooting, you want to have a service graph
AWS X-Ray helps developers analyze and debug production, distributed applications, such as
those built using a microservices architecture

CodeGuru
Automated code reviews (CodeGuru Reviewer) and application performance recommendations
(CodeGuru Profiler)

Service Health Dashboard

Shows the health of all services in all Regions

Personal Health Dashboard

Provides alerts and remediation guidance when AWS is experiencing events that may impact
you

Section 15: VPC & Networking
VPC stands for Virtual Private Cloud
Subnets allow you to partition your network inside your VPC (public vs. private subnets)
We use Route Tables to define access to the Internet

Internet Gateways help our VPC instances connect to the internet – public subnets
NAT Gateways & NAT Instances give instances in private subnets access to the internet – private subnets

Network ACL – subnet level

A firewall which controls traffic to and from a subnet. Can have Allow and Deny rules. Rules only
include IP addresses
Security Groups – EC2 instance level
A firewall that controls traffic to and from an ENI / an EC2 instance. Only has Allow rules.
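The practical consequence of "Network ACL = stateless, allow and deny" versus "Security Group = stateful, allow only" is easiest to see on a single HTTPS connection. The model below is an added example written for these notes, not AWS code: the addresses, rule numbers and ports are constructed, and it assumes the usual simplifications (first matching NACL rule wins, implicit deny at the end, a security group remembers connections it allowed).

```python
"""Added example (not from the course notes): a stateless Network ACL and a
stateful Security Group evaluating the same traffic. Constructed addresses,
rule numbers and ports; a simplified model of the real evaluation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    src_port: int
    dst: str
    dst_port: int
    direction: str  # "in" (towards the instance/subnet) or "out"


@dataclass(frozen=True)
class NaclRule:
    number: int   # evaluated lowest number first; first match wins
    action: str   # "allow" or "deny"
    cidr: str
    port_from: int
    port_to: int


class NetworkAcl:
    """Subnet level: stateless, numbered allow/deny rules, implicit '*' deny."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def permits(self, pkt):
        rules = self.inbound if pkt.direction == "in" else self.outbound
        peer = pkt.src if pkt.direction == "in" else pkt.dst
        for rule in rules:
            if ip_address(peer) in ip_network(rule.cidr) and rule.port_from <= pkt.dst_port <= rule.port_to:
                return rule.action == "allow"
        return False  # no rule matched: the catch-all deny


class SecurityGroup:
    """ENI/instance level: stateful, allow rules only, unordered, implicit deny.
    Once a packet is allowed, replies on that connection are allowed automatically."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound    # list of (cidr, port_from, port_to)
        self.outbound = outbound
        self._flows = set()       # connection-tracking table

    @staticmethod
    def _match(rules, peer, port):
        return any(ip_address(peer) in ip_network(cidr) and lo <= port <= hi
                   for cidr, lo, hi in rules)

    def permits(self, pkt):
        # A reply to a tracked connection (src/dst swapped) needs no rule of its own.
        if (pkt.dst, pkt.dst_port, pkt.src, pkt.src_port) in self._flows:
            return True
        if pkt.direction == "in":
            allowed = self._match(self.inbound, pkt.src, pkt.dst_port)
        else:
            allowed = self._match(self.outbound, pkt.dst, pkt.dst_port)
        if allowed:
            self._flows.add((pkt.src, pkt.src_port, pkt.dst, pkt.dst_port))
        return allowed


def demo():
    """HTTPS request from a client (constructed IPs) and the server's reply."""
    client, server = "203.0.113.5", "10.0.1.10"
    request = Packet(client, 40000, server, 443, "in")
    response = Packet(server, 443, client, 40000, "out")

    # Common misconfiguration: outbound NACL allows 443 only, forgetting that
    # replies go back to the client's ephemeral port.
    broken_nacl = NetworkAcl(
        inbound=[NaclRule(100, "allow", "0.0.0.0/0", 443, 443)],
        outbound=[NaclRule(100, "allow", "0.0.0.0/0", 443, 443)])
    fixed_nacl = NetworkAcl(
        inbound=[NaclRule(90, "deny", "198.51.100.0/24", 0, 65535),   # a NACL can DENY a range
                 NaclRule(100, "allow", "0.0.0.0/0", 443, 443)],
        outbound=[NaclRule(100, "allow", "0.0.0.0/0", 1024, 65535)])  # ephemeral ports for replies
    sg = SecurityGroup(inbound=[("0.0.0.0/0", 443, 443)], outbound=[("0.0.0.0/0", 0, 65535)])

    return {
        "request_nacl": broken_nacl.permits(request),
        "request_sg": sg.permits(request),
        "response_nacl_broken": broken_nacl.permits(response),  # stateless: no ephemeral rule
        "response_sg": sg.permits(response),                    # stateful: reply tracked
        "response_nacl_fixed": fixed_nacl.permits(response),
        "blocked_ip_nacl": fixed_nacl.permits(Packet("198.51.100.9", 40000, server, 443, "in")),
    }


if __name__ == "__main__":
    print(demo())
```

The broken NACL accepts the request but silently drops the reply, something a security group can never do, while the explicit deny for `198.51.100.0/24` shows the one thing a NACL can express that an allow-only security group cannot.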

VPC – Virtual Private Cloud

 Provision a logically isolated section of the AWS Cloud
 Launch AWS resources in a virtual private network
 Allows selection of IP address ranges, creation of subnets and configuration of route tables and
network gateways
 Leverage the AWS Cloud as an extension of the corporate data center by creating a VPN
connection between the data center and the VPC
 Internet Gateway: at the VPC level, provides Internet access
 NAT Gateway: gives internet access to private subnets
 Network Security: Network ACL – subnet level / Security Groups – EC2 instance level
 Flow Logs: capture information about IP traffic / network traffic logs
 VPC Endpoints: to use a private network (Gateway endpoints are used for S3 and DynamoDB;
Interface endpoints are used for every other AWS service)
Site to Site VPN

 Public internet
 On-premises: must use a Customer Gateway (CGW)
 AWS: must use a Virtual Private Gateway (VGW)
Vs. Direct Connect

 Establish a dedicated private network connection from your premises to AWS
 Offers better bandwidth throughput and a better network experience (fast)
 Allows you to use the same connection to access: public resources and private resources
(EC2 instances running within a VPC)
Transit Gateway – a way to connect hundreds or thousands of VPCs together with your
on-premises infrastructure
DDoS Protection: WAF & Shield
DDoS: Distributed Denial-of-Service
Use Shield Standard (no additional costs) or Shield Advanced (24/7 premium protection for
more sophisticated attacks, $3,000/month)
WAF: filter specific requests based on rules
CloudFront and Route 53 – combined with AWS Shield and WAF they give real protection
AWS WAF is a web application firewall that helps protect your web applications or APIs against
common web exploits that may affect availability, compromise security, or consume excessive
resources.

Penetration Testing
Attacking your own infrastructure to test your security. We can do pen testing on the Cloud.
Remember that some activities are authorized, but anything that looks like an attack on AWS
itself, such as a DDoS attack or DNS zone walking, is not authorized, because to AWS it would seem
like you’re trying to attack their infrastructure

Encryption with KMS & CloudHSM

Data at rest (data stored on a device) vs. Data in transit (data being moved from one location to
another – transferred over the network)

KMS (Key Management Service) – “Encryption”

KMS – AWS manages the software for encryption
CloudHSM – AWS only provisions the encryption hardware
Dedicated Hardware (HSM = Hardware Security Module) – we manage our own encryption
keys entirely

AWS Certificate Manager (ACM) – service that helps us do in-flight encryption for websites
(HTTPS) by generating SSL/TLS certificates
AWS Secrets Manager – store secrets (for example RDS database credentials) and have them
rotated every X days

AWS Artifact – portal that provides customers with on demand access to AWS compliance
documentation and AWS agreements

Amazon GuardDuty protects your accounts against attacks from the outside and inside. Uses
Machine Learning to detect anomalies and malicious activities and can match against third-party
threat data sets. Findings can trigger CloudWatch Events

Inspector – automated security assessments for EC2 instances. After the assessment, you get
a report with a list of vulnerabilities

AWS Config helps with auditing and recording the compliance of your AWS resources. Records
configurations and changes over time. Possibility of storing the configuration data in S3. Per-
Region service

Amazon Macie is a fully managed data security and data privacy service that uses machine
learning and pattern matching to discover and protect your sensitive data in AWS. Helps identify
and alert you to sensitive data, such as personally identifiable information (PII)

Security Hub – a centralized security place with an integrated view, making it simpler to find
security issues and remediate them
Central security tool to manage security across several AWS accounts and automate security
checks. Must first enable the AWS Config service

Amazon Detective analyzes, investigates and quickly identifies the root cause of security
issues or suspicious activities

AWS Abuse – report suspected AWS resources used for abusive or illegal purposes (spam,
DDoS attacks). Contact the AWS abuse team (through a form or an e-mail)

Root user privileges

Root user = account owner (created when the account is created)
Actions that can be performed only by the root user: change account settings, close your AWS
account, change or cancel your AWS Support Plan, register as a seller in the Reserved
Instance Marketplace
Section 17: Machine Learning Section

Amazon Rekognition – find objects, people, text and scenes in images and videos using ML. Face
detection, labeling, celebrity recognition
Amazon Transcribe – automatically convert speech to text (audio to text – subtitles)
Amazon Polly (opposite of Transcribe) – turn text into speech using deep learning (text to audio)
Amazon Translate – natural and accurate language translation
Amazon Lex (like Siri on the iPhone: build conversational chatbots) & Amazon Connect (virtual
contact center)
Amazon Comprehend – Natural Language Processing (NLP), fully managed and serverless
service
Amazon SageMaker – fully managed service for developers/data scientists to build ML models
Amazon Forecast – fully managed service that uses ML to deliver highly accurate forecasts
Amazon Kendra – fully managed document search service powered by ML
Amazon Personalize – ML service to build apps with real-time personalized recommendations

Section 18: Account Management, Billing & Support

AWS Organizations – global service that allows you to manage multiple AWS accounts. The
main account is the master (management) account.
Cost benefits – Consolidated Billing across all accounts (single payment method),
aggregated usage, pooling of Reserved EC2 instances for optimal savings
An API is available to automate AWS account creation
Restrict account privileges using Service Control Policies (SCP)
Multi-account strategies
Create accounts per department, per cost center, per dev/test, or based on regulatory restrictions,
for better resource isolation (separate per-account service limits) and an isolated account for
logging.

Service Control Policies (SCP)

Allow-list (whitelist) or deny-list (blacklist) IAM actions. An SCP is applied to all users and roles of
the account, including the root user. An SCP must have an explicit Allow (it does not grant
permissions by itself)
Use cases: 1) Restrict access to certain services (for example: can’t use EMR), 2) Enforce PCI
compliance by explicitly disabling services
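Three rules decide whether a call in a member account goes through: an explicit Deny in the SCP always wins, otherwise the SCP must contain an Allow for the action, and a non-root principal additionally needs an IAM Allow of its own. The block below is an added example for these notes, not AWS's evaluator: it implements that simplified decision over two constructed SCP documents (a deny-list that keeps `FullAWSAccess` and forbids EMR, and an allow-list of three services) and a constructed admin identity policy; resource-level and condition matching are deliberately left out.

```python
"""Added example (not from the course notes): a simplified model of how an SCP
bounds what IAM identities, root included, may do in a member account.
Policy documents and the admin policy are constructed for this example."""
import fnmatch
import json

# Deny-list SCP: keep full access but explicitly forbid EMR (the "can't use EMR" case).
DENY_EMR_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "elasticmapreduce:*", "Resource": "*"},
    ],
})

# Allow-list SCP: only these services are permitted at all; everything else is implicitly denied.
ALLOW_LIST_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*", "cloudwatch:*"], "Resource": "*"}],
})

# Constructed identity policy of an administrator user in the member account.
ADMIN_IAM_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})


def _statements(policy_json):
    statements = json.loads(policy_json)["Statement"]
    return statements if isinstance(statements, list) else [statements]


def _actions(statement):
    actions = statement.get("Action", [])
    return actions if isinstance(actions, list) else [actions]


def policy_decision(policy_json, action):
    """'Deny', 'Allow' or 'Implicit deny' for one policy document and one action.
    Action patterns use IAM's '*' and '?' wildcards, matched case-insensitively."""
    decision = "Implicit deny"
    for statement in _statements(policy_json):
        if any(fnmatch.fnmatchcase(action.lower(), pattern.lower()) for pattern in _actions(statement)):
            if statement["Effect"] == "Deny":
                return "Deny"  # an explicit Deny can never be overridden
            decision = "Allow"
    return decision


def is_allowed(action, scp_json, identity_policy_json=None, is_root=False):
    """Effective decision for a principal in an account covered by the SCP.
    - The SCP applies to every user and role in the account, including root.
    - Deny in the SCP wins; otherwise the SCP must explicitly Allow the action.
    - Root needs no identity policy; any other principal still needs an IAM Allow."""
    if policy_decision(scp_json, action) != "Allow":
        return False
    if is_root:
        return True
    return identity_policy_json is not None and policy_decision(identity_policy_json, action) == "Allow"


if __name__ == "__main__":
    for action in ("ec2:RunInstances", "elasticmapreduce:RunJobFlow", "rds:CreateDBInstance"):
        print(action,
              "deny-list SCP:", is_allowed(action, DENY_EMR_SCP, ADMIN_IAM_POLICY),
              "allow-list SCP:", is_allowed(action, ALLOW_LIST_SCP, ADMIN_IAM_POLICY),
              "root under deny-list:", is_allowed(action, DENY_EMR_SCP, is_root=True))
```

Note how the admin user, and even the root user, cannot start an EMR job under the deny-list SCP, and how `rds:CreateDBInstance` fails under the allow-list SCP despite the admin's `*` permissions, because the SCP never granted RDS.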

AWS Organizations – Consolidated Billing

When enabled, provides you:
 Combined usage – combine the usage across all AWS accounts in the AWS
Organization to share the volume pricing, Reserved Instances and Savings Plans
discounts
 One bill – get one bill for all accounts in the organization

AWS Control Tower – easy way to set up and govern a secure and compliant multi-account
AWS environment based on best practices. Benefits: automate set-up in a few clicks, detect
policy violations, monitor compliance through an interactive dashboard. It also implements SCPs

Pricing Models
 Pay as you go: pay for what you use, remain agile, responsive, meet scale demands
 Save when you reserve: minimize risks, predictably manage budgets
 Pay less by using more: volume based discounts
 Pay less as AWS grows

Free services (IAM, VPC, Consolidated Billing)

Elastic Beanstalk, CloudFormation and ASG are free too – you only pay for the resources they
create. Lambda is charged!!

Compute pricing – EC2

Only charged for what you use: number of instances, configuration (memory, Region, type),
detailed monitoring (SEE VIDEO 215)

Data transfer IN is always FREE. Data transfer OUT we have to pay!

Savings Plans – EC2 Savings Plan, Compute Savings Plan (Lambda, Fargate). Commit to a certain
amount of $ per hour for 1 or 3 years – long-term commitment on AWS

AWS Compute Optimizer

Reduce costs and improve performance by recommending optimal AWS resources for your
workloads. Helps you choose optimal configurations and right-size workloads. Lower your costs by
up to 25%. Uses Machine Learning!

Billing and Costing Tools

 Estimating costs: TCO Calculator; Simple Monthly Calculator / Pricing Calculator
 Tracking costs: Billing dashboard; Cost allocation tags; Cost and usage reports; Cost Explorer
 Monitoring costs: Billing alarms; Budgets

Estimating Costs
TCO (Total Cost of Ownership) Calculator – helps us understand how much it will cost us and the
cost savings associated with migrating from on-premises to the cloud; creates an executive report.

Simple Monthly Calculator / Pricing Calculator

The Simple Monthly Calculator, now renamed the Pricing Calculator, is helpful
to estimate the cost of an actual solution architecture on AWS.

Tracking costs
AWS Billing dashboard – shows you all the costs for the current month, the forecast
and the month-to-date
Cost Allocation Tags – use tags to track your AWS costs at a detailed level. Start with a prefix
– aws:____ or user:___
Cost and usage reports – contain the most comprehensive / granular set of AWS cost and
usage data available, including metadata about AWS services, pricing, and reservations. We
can analyse this report by using Athena, QuickSight and Redshift.
Cost Explorer – tool that allows you to forecast your bills up to 12 months based on previous
usage. It also allows you to choose an optimal Savings Plan (to lower your bill)

Monitoring costs
CloudWatch Billing alarms: the billing metric is only stored in CloudWatch us-east-1. It’s for
actual costs, not for projected costs. Intended as a simple alarm (not as powerful as AWS Budgets)

Budgets – create a budget and send alarms when costs exceed the budget defined. 3 types of
budgets: Usage, Cost and Reservation.

Trusted Advisor analyzes your AWS account and provides recommendations in 5 categories:
Cost Optimization, Performance, Security, Fault Tolerance and Service Limits (best practices)
7 CORE CHECKS (Basic & Developer Support plans): S3 Bucket Permissions, Security Groups,
IAM Use, MFA on Root Account, EBS Public Snapshots, RDS Public Snapshots, Service Limits
FULL CHECKS (Business & Enterprise Support plans): full checks available in all 5 categories,
ability to set CloudWatch alarms when reaching limits, programmatic access using the AWS
Support API

AWS Support Plans Pricing (4)

1) Basic Support: free
Customer Service & Communities – 24x7 access to customer service, documentation,
whitepapers and support forums
AWS Trusted Advisor – access to the 7 core checks and guidance to provision your
resources following best practices to increase performance and improve security
AWS Personal Health Dashboard – a personalized view of the health of AWS services
and alerts when your resources are impacted

2) Developer Support: not free

All of Basic Support Plan + business-hours email access to Cloud Support Associates,
unlimited cases / 1 primary contact, case severity / response times – 24 or 12 business
hours (general guidance or system impaired)

3) Business Support
Intended to be used if you have production workloads. Trusted Advisor – full set of
checks + API access. 24x7 phone, email and chat access to Cloud Support Engineers.
Unlimited cases / unlimited contacts. Access to Infrastructure Event Management for an
additional fee. Case severity / response times – 24 or 12 business hours, <4 hours
(production impaired) or <1 hour (production system down)

4) Enterprise Support
Intended if you have mission-critical workloads
All of Business Plan + access to a Technical Account Manager (TAM) and Concierge
Support Team (for billing and account best practices), Infrastructure Event Management,
Well-Architected & Operations Reviews. Case severity / response times – 24 or 12
business hours, <4 hours (production impaired), <1 hour (production system down)
or <15 mins (business-critical system down)

Section 19: Advanced Identity

AWS STS (Security Token Service) – enables you to create temporary, limited-privilege
credentials to access your AWS resources
We configure the expiration period

Amazon Cognito – identity for your web and mobile application users (potentially millions).
Instead of creating an IAM user for each of them, you create a user in Cognito
Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile
apps quickly and easily.

Microsoft Active Directory (AD) – database of objects: user accounts, computers, printers, file
shares, security groups. AWS Directory Service provides AD on AWS

AWS Single Sign-On (SSO) – centrally manage Single Sign-On to access multiple accounts
and 3rd-party business applications. Integrated with AWS Organizations. Supports SAML 2.0.
Integration with on-premises Active Directory

Amazon WorkSpaces – virtual desktops as a service. AppStream 2.0 (application streaming)

Minimizing latency for WorkSpaces – the best practice is to deploy WorkSpaces as
close as possible to users: have as many WorkSpaces Regions as you have office
locations for your company, to minimize latency. In general, if you want to minimize
latency, always think about deploying close to users.

Elastic Transcoder is used to convert media files stored in Amazon S3 into media files in the
format required by consumer playback devices (phones)

The main one you’re being tested on at the exam is Disaster Recovery: as the name indicates,
it is a way for you to quickly and easily recover your physical, virtual and cloud-based servers
into AWS using a Disaster Recovery strategy.

AWS DataSync – move large amount of data from on-premises to AWS. The replication tasks
are incremental after the first full load

Section 21: AWS Architecting & Ecosystem

Well-Architected Framework

Scalability (vertical & horizontal)
Disposable resources: servers should be disposable & easily configured
Automation: serverless
Loose coupling: break down into smaller, loosely coupled components
Services, not servers (not only EC2!)

5 Pillars: 1) Operational Excellence; 2) Security; 3) Reliability; 4) Performance Efficiency; 5) Cost
Optimization
They are not something to balance or trade off; they are in synergy!

1) Operational Excellence
Perform operations as code; Annotate documentation; Make frequent, small and
reversible changes; Refine operations procedures frequently; Anticipate failure; Learn
from all operational failures. PREPARE, OPERATE, EVOLVE

2) Security
Implement strong identity foundation; Enable traceability; Apply security at all layers;
Automate security best practices; protect data, Prepare for security events
3) Reliability
Recover from infrastructure or service disruptions
Test recovery procedures; Automatically recover from failure; Scale horizontally to
increase availability; Stop guessing capacity; Manage change in automation
4) Performance Efficiency
Democratize advanced technologies; Go global in minutes; Use serverless; Experiment
more often; Mechanical sympathy

5) Cost Optimization
Adopt a consumption model – pay for what you use; Measure overall efficiency
(CloudWatch); Stop spending money on data center operations; Analyse and attribute
expenditure; Use managed and application-level services to reduce cost of ownership

Right size – EC2 has many instance types, but choosing the most powerful instance type isn’t
the best choice, because the cloud is elastic. The idea is to size your workload performance and
capacity requirements at the lowest possible cost! Scaling up is easy so always start small!
Do Right Size before a Cloud Migration and continuously after the cloud onboarding process

AWS Professional Services & AWS Partner Network (APN)

AWS Professional Services organization is a global team of experts
APN Technology Partners: providing hardware, connectivity, and software
APN Consulting Partners: professional services firms to help build on AWS
APN Training Partners: find who can help you learn AWS
AWS Competency Program: AWS Competencies are granted to APN Partners who have
demonstrated technical proficiency and proven customer success in specialized areas
AWS Navigate Program: helps partners become better partners (REVIEW 250)
