CLF-C02 Exam Guide Slides
Presented by: Jon Bonso
COURSE AUTHOR: Jon Bonso
• https://au.linkedin.com/in/jonbonso
COURSE LINK: https://portal.tutorialsdojo.com/courses/aws-certified-cloud-practitioner-clf-c01-video-course/
Tutorials Dojo
www.tutorialsdojo.com
AWS Certified Cloud Practitioner
CLF-C02 Exam Overview
CERTIFICATION PROGRAM STARTED: 2013 (CLF-C01), updated 2023 (CLF-C02)
Multiple Choice

Has 1 CORRECT response and 3 INCORRECT responses

Multiple Response

Has 2 CORRECT responses out of 5 OPTIONS


WH Questions: What, When, Where, Who, Why, Which, How
prerequisites
AWS Certified Cloud Practitioner
Exam Domains
Each EXAM DOMAIN is broken down into TASK STATEMENTS (Task Statement #1, #2, #3, ...).

Domain 1: Cloud Concepts
๏ 1.1. Define the benefits of the AWS Cloud.
๏ 1.2. Identify design principles of the AWS Cloud.
๏ 1.3. Understand the benefits of and strategies for migration to the AWS Cloud.
๏ 1.4. Understand concepts of cloud economics.

Domain 2: Security & Compliance
๏ 2.1. Understand the AWS shared responsibility model.
๏ 2.2. Understand AWS Cloud security, governance, and compliance concepts.
๏ 2.3. Identify AWS access management capabilities.
๏ 2.4. Identify components and resources for security.

Domain 3: Cloud Technology & Services
๏ 3.1. Define methods of deploying and operating in the AWS Cloud.
๏ 3.2. Define the AWS global infrastructure.
๏ 3.3. Identify AWS compute services.
๏ 3.4. Identify AWS database services.
๏ 3.5. Identify AWS network services.
๏ 3.6. Identify AWS storage services.
๏ 3.7. Identify AWS artificial intelligence and machine learning (AI/ML) services and analytics services.
๏ 3.8. Identify services from other in-scope AWS service categories.

Domain 4: Billing, Pricing & Support
๏ 4.1. Compare AWS pricing models.
๏ 4.2. Understand resources for billing, budget, and cost management.
๏ 4.3. Identify AWS technical resources and AWS Support options.
Appendix
KEY TOPICS
๏ APIs
๏ Cost Explorer
๏ AWS Cost and Usage Report
๏ AWS Command Line Interface (AWS CLI)
๏ Elastic Load Balancers
๏ Amazon EC2 Instance Types
๏ AWS Global Infrastructure
๏ Infrastructure as Code (IaC)
๏ Amazon Machine Images (AMIs)
๏ AWS Management Console
๏ AWS Marketplace
๏ AWS Professional Services
๏ AWS Personal Health Dashboard
๏ AWS Service Health Dashboard
๏ Security Groups
๏ AWS Service Catalog
๏ Service Quotas
๏ AWS Software Development Kits (SDKs)
๏ AWS Support Center
๏ AWS Support Tiers
๏ Virtual Private Networks (VPNs)

RELATED AWS SERVICES

ANALYTICS
๏ Amazon Athena
๏ Amazon Kinesis
๏ Amazon QuickSight

APPLICATION INTEGRATION
๏ Amazon SNS
๏ Amazon SQS

COMPUTING
๏ AWS Batch
๏ Amazon EC2
๏ AWS Elastic Beanstalk
๏ AWS Lambda
๏ Amazon Lightsail
๏ Amazon WorkSpaces

CONTAINER
๏ Amazon ECS
๏ Amazon EKS
๏ AWS Fargate

DATABASE
๏ Amazon Aurora
๏ Amazon DynamoDB
๏ Amazon ElastiCache
๏ Amazon RDS
๏ Amazon Redshift

DEVELOPER TOOLS
๏ AWS CodeBuild
๏ AWS CodeCommit
๏ AWS CodeDeploy
๏ AWS CodePipeline
๏ AWS CodeStar

CUSTOMER ENGAGEMENT
๏ Amazon Connect

MANAGEMENT, MONITORING & GOVERNANCE
๏ AWS Auto Scaling
๏ AWS Budgets
๏ AWS CloudFormation
๏ AWS CloudTrail
๏ Amazon CloudWatch
๏ AWS Config
๏ AWS Cost and Usage Report
๏ Amazon EventBridge
๏ AWS License Manager
๏ AWS Managed Services
๏ AWS Organizations
๏ AWS Secrets Manager
๏ AWS Systems Manager
๏ AWS Systems Manager Parameter Store
๏ AWS Trusted Advisor

NETWORKING
๏ Amazon API Gateway
๏ Amazon CloudFront
๏ AWS Direct Connect
๏ Amazon Route 53
๏ Amazon VPC

SECURITY, IDENTITY & COMPLIANCE
๏ AWS Artifact
๏ AWS Certificate Manager
๏ AWS CloudHSM
๏ Amazon Cognito
๏ Amazon Detective
๏ Amazon GuardDuty
๏ AWS Identity and Access Management (IAM)
๏ Amazon Inspector
๏ AWS License Manager
๏ Amazon Macie
๏ AWS Shield
๏ AWS WAF

STORAGE
๏ AWS Backup
๏ Amazon Elastic Block Store
๏ Amazon Elastic File System
๏ Amazon S3
๏ Amazon S3 Glacier
๏ AWS Snowball Edge
๏ AWS Storage Gateway
AWS Overview

WHAT is AWS? WHEN did AWS start? WHY is AWS so popular?

WHAT is AWS?
Amazon Web Services = Cloud Service Provider
• Provides a cloud-based platform or cloud services
• Allows you to rent out virtual servers that you access remotely

A Cloud Service Provider is like a Car Rental: "I need a car for just 3 days for my trip." Rent one for $100 vs. buy a Brand New Car for $40,000?

Cloud Service Provider (Car Rental): with different types of CPU, Storage, Network and other components that you can choose from!
• Virtual Machines
• Physical Servers
• Storage Appliances
• Network Devices
Available for RENT and accessible online via Web Service interfaces (REST, SOAP etc.)

WHEN did AWS start?
2004
• AWS started out as a department within Amazon Inc.
• Used only by early Amazon customers
• Web services are not available publicly
2006
• AWS officially started its operation as a public cloud service provider
• Released Amazon S3 (Simple Storage Service)
• Released Amazon SQS (Simple Queue Service)
Today
• Offers hundreds of fully-featured services that are available globally
• Provides a highly reliable, scalable, and low-cost infrastructure platform in the cloud
• Boasts a broad set of cloud-based products

WHY is AWS so popular?
• AWS is the world's leading cloud platform.
• Used by millions of customers
• Supports various workloads
• Significantly lowers your operating costs
• Enables companies to scale globally in minutes!
AWS Global Infrastructure

Data Center: Has thousands of servers! These physical servers generate virtual machines or store your data!

Availability Zone: Improves the "Availability" of your systems. Made up of Data Centers; Availability Zones are 100 kilometers or 60 miles from each other.

Region: Literally a Geographic "Zone". Example: US East (Ohio), us-east-2, with AVAILABILITY ZONE 1, AVAILABILITY ZONE 2 and AVAILABILITY ZONE 3, each containing several Data Centers. Your system will still run even if one or more data centers encountered an outage.

Edge Networks: Point of Presence / Edge Location (PoP). A Content Delivery Network delivers content from the PoPs instead of directly from the Origin Server in your Region / Availability Zone.
Advantages of Cloud Computing

Cloud:
• Launch solutions and computing resources in a matter of minutes
• No need to buy & maintain costly physical servers or data centers
• On-demand access to a wide range of virtual machines, storage services, databases, and other IT resources
• Revolutionary Cloud Economics
• Unparalleled Flexibility for your enterprise IT infrastructure
• Better Price-to-Performance Ratio
• Lower Total Cost of Ownership (TCO)

Advantages of Cloud Computing (the six advantages):
• Trade Fixed Expense for Variable Expense
• Benefit from Massive Economies of Scale
• Stop Guessing Capacity
• Increase Speed and Agility
• Stop Spending Money Running & Maintaining Data Centers
• Go Global in Minutes
AWS Shared Responsibility Model

CLOUD COMPUTING: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Configurable computing resources (virtualization stack on a HOST COMPUTER): HOST OS → HYPERVISOR → GUEST OS

CUSTOMER: RESPONSIBLE FOR SECURITY "IN" THE CLOUD
• Customer Data
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption & Data Integrity Authentication
• Server-side Encryption (File System and/or Data)
• Networking Traffic Protection (Encryption, Integrity, Identity)

AWS: RESPONSIBLE FOR SECURITY "OF" THE CLOUD
• Software: Compute, Storage, Database, Networking
• Hardware / AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Who is responsible for patching the operating system of your Amazon EC2 instance?

Who is responsible for applying the security patches of the guest operating system that your
EC2 instance is using?

Who is responsible for running the host operating system and the virtualization layer that
powers your Amazon EC2 instances?

Who is responsible for managing all your IAM user access and secret keys?

Who is responsible for maintaining the underlying server of your AWS Lambda functions?

Who is responsible for the Service and Communications Protection or Zone Security of your
data?

Who is responsible for the physical security of the servers and the entire network of data
centers of the AWS Global Infrastructure?

Who is responsible for designing encryption-at-rest strategies and other security features in
your Amazon RDS database?

Who is responsible for the security OF the cloud and the security IN the cloud?
Shared responsibility controls:

INHERITED CONTROLS (from AWS): Physical & Environmental controls

SHARED CONTROLS (AWS and the customer each do their part):
• Patch Management: AWS patches the physical servers and the Host OS; the customer patches the Guest OS and custom apps
• Configuration Management: AWS configures the infrastructure; the customer configures the guest environment
• Awareness & Training

CUSTOMER-SPECIFIC CONTROLS: Service & Communications Protection or Zone Security; Client-side & Server-side Data Encryption; Security Management of Abstracted Services; IT Controls
AWS Support Plans

Support plans combine PEOPLE, TOOLS, PROGRAMS and TECHNOLOGY.

Plans and relative cost: BASIC (FREE), DEVELOPER ($), BUSINESS ($$), ENTERPRISE ON-RAMP ($$$), ENTERPRISE ($$$$)

Features compared across the plans: Response Time; Architectural Guidance; 30 Day Minimum Term; Programmatic Case Management; 3rd-Party Software Support; support provided by Cloud Support Associates or Cloud Support Engineers; Proactive Programs; Self Service; Concierge Support Team; AWS Managed Services Team; Technical Account Management (TAM) via a pool of TAMs or a dedicated TAM; Account Assistance.

BASIC (FREE)
• Included for all AWS customers by default
• 24/7 access to the AWS customer service, documentation, whitepapers & AWS re:Post site
• SLOW RESPONSE TIME
• Access to the AWS Personal Health Dashboard
• Access to the core security & service quota checks in AWS Trusted Advisor (LIMITED ACCESS)
DEVELOPER ($)
• Recommended for testing or for running non-critical production workloads in AWS
• Access to the core security & service quota checks in AWS Trusted Advisor (LIMITED ACCESS)
ENHANCED TECHNICAL SUPPORT
• Support provided by: Cloud Support Associates
• Unlimited support cases with 1 primary contact
• Prioritized responses on AWS re:Post
• Support Schedule: Business Hours, 8 AM - 6 PM, MON - FRI
ARCHITECTURAL GUIDANCE: BASIC
RESPONSE TIMES
• General guidance: < 24 hours
• System impaired: < 12 hours
• NO Phone or Chat Assistance
AWS Systems Manager SUPPORT AUTOMATION WORKFLOWS (SAW)
• BASIC RUNBOOK: names prefixed AWSSupport-
• PREMIUM RUNBOOK: names prefixed AWSPremiumSupport- (*NOT SUPPORTED IN THE DEVELOPER PLAN)
Basic runbook examples:
• AWSSupport-CopyEC2Instance
• AWSSupport-ResetAccess
• AWSSupport-ExecuteEC2Rescue
• AWSSupport-ListEC2Resources
BUSINESS ($$)
• Has all the features of the DEVELOPER support plan
• Recommended if you have one or more production workloads in AWS
• Access to full best practice checks in AWS Trusted Advisor (FULL ACCESS)
ENHANCED TECHNICAL SUPPORT
• Support provided by: Cloud Support Engineers
• Unlimited support cases by Unlimited Contacts (IAM Supported)
• Support Schedule: 24/7
• Prioritized responses on AWS re:Post
ARCHITECTURAL GUIDANCE: CONTEXTUAL
• Access to AWS Support App in
RESPONSE TIMES
• General guidance: < 24 hours
• System impaired: < 12 hours
• Production system impaired: < 4 hours
• Production system outage: < 1 hour
AWS SUPPORT API
• A web service that provides programmatic access to AWS Support Center operations
• API endpoint: https://support.<region>.amazonaws.com
• Supports the following operations: Support Case Management Operations; AWS Trusted Advisor operations
3RD-PARTY SOFTWARE SUPPORT
AWS Systems Manager SUPPORT AUTOMATION WORKFLOWS (SAW): BASIC RUNBOOK (AWSSupport-) and PREMIUM RUNBOOK (AWSPremiumSupport-)
INFRASTRUCTURE EVENT MANAGEMENT
• Available for an additional fee.
• Offers architecture guidance and operational support during the preparation and execution of your planned events (e.g. scheduled shopping holiday, product launches, system migrations et cetera)
• Prevents unnecessary system degradation or site outages by optimizing your cloud architecture prior to your event
• Allows you to easily assess operational readiness, mitigate risks, and execute your planned activity confidently with assistance from AWS experts
AWS MANAGED SERVICES TEAM
• Available for an additional fee.
• Helps you operate your AWS infrastructure on your behalf
• Augments your existing internal teams with advanced cloud operation skills
• Provides you with AWS experts such as a designated Cloud Service Delivery Manager, a Cloud Architect, an AMS security team, or all three.
ENTERPRISE ON-RAMP ($$$)
• Recommended if you have business-critical production workloads with strict SLA (high RTO and RPO requirements)
• Has all the features of the BUSINESS support plan
RESPONSE TIMES
• General guidance: < 24 hours
• System impaired: < 12 hours
• Production system impaired: < 4 hours
• Production system outage: < 1 hour
• Business-critical system outage: < 30 mins
CONCIERGE SUPPORT TEAM
• Primary contact for AWS Billing & AWS Support
TECHNICAL ACCOUNT MANAGER (TAM)
• Access to a pool of Technical Account Managers to provide proactive guidance and assistance
INFRASTRUCTURE EVENT MANAGEMENT
• Included without any additional fees
• Use for 1 Event per year only
ARCHITECTURAL GUIDANCE
• Consultative review
• Architectural Guidance based on your applications (one-per-year only)
ENTERPRISE ($$$$)
• Recommended if you have mission-critical production workloads with strict SLA (high RTO and RPO requirements)
• Has all the features of the ENTERPRISE ON-RAMP support plan
• Most expensive AWS Support Plan
• Access to the premium AWS Trusted Advisor Priority feature
RESPONSE TIMES
• General guidance: < 24 hours
• System impaired: < 12 hours
• Production system impaired: < 4 hours
• Production system outage: < 1 hour
• Business/Mission-critical system outage: < 15 mins
INFRASTRUCTURE EVENT MANAGEMENT
• Can be used for multiple corporate events
ONLINE SELF-PACED LABS
• Provide a hands-on learning environment based on real-world scenarios.
AWS SUPPORT PROACTIVE SERVICES
• Available for an additional fee
• 24/7 proactive monitoring & incident management for your selected production workloads that are regularly conducted by AWS experts.
• Workload reviews, best practices workshops, and deep dives delivered by AWS Experts
TECHNICAL ACCOUNT MANAGER (TAM)
• Access to a dedicated Technical Account Manager

AWS Support Plans (summary): BASIC, DEVELOPER, BUSINESS, ENTERPRISE ON-RAMP, ENTERPRISE
Advantages of Cloud Computing
Trade Fixed Expense for Variable Expense

CAPEX (CAPITAL EXPENDITURES) = Fixed Expense        OPEX (OPERATING EXPENSES) = Variable Expense
• Long-term asset acquisition (usually costly)      • For maintaining assets (usually inexpensive)
• One-off purchases                                 • Recurring purchases
• For establishing business operations              • For continuing business operations

Fixed Expense (ON-PREMISES DATA CENTER)
FIXED EXPENSE: $10,000 per month
The bill remains CONSTANT even if the utilization is LOW.
Server utilization chart (M, T, W, TH, F, SAT, SUN): daily utilization swings between FULL CAPACITY (100%) and LOW UTILIZATION (80%, 50%, 20%, even 0%), while the $10,000 bill does not change.
Drawbacks: HIGH ADMINISTRATIVE OVERHEAD TO DECOMMISSION THE SERVERS; SLOW PROCESS; NO FLEXIBILITY; extra capacity means an ADDITIONAL $4,000 per month.

Variable Expense
• Alternative to Fixed Expense
• Lowers down the CAPEX & the initial funds required.
• Monthly expenses VARY and are not fixed.
• The bill is based on how many cloud resources you actually run and the other features you have utilized
• More flexible in terms of adding or removing resources through Auto Scaling & other features
• Provides Serverless options
• Pay by the hour / second / milliseconds that you actually spent for processing.
Advantages of Cloud Computing
Benefit from Massive Economies of Scale

[Diagram: an AWS REGION with AVAILABILITY ZONE 1, 2 and 3, each containing several Data Centers]

MASSIVE ECONOMIES OF SCALE
• A microeconomic concept, which is a branch of economics that studies the behaviors of individuals and firms regarding resource allocation, production, exchange, and consumption.
• Described as a state where the unit cost decreases with the increase in the scale of the output being produced by a company
• Products can be sold cheaper since the company's production capacity is bigger

[Diagram: unit price falling with volume, $12.00 → $6.00 → $3.00 → $1.50; BULK DISCOUNT: $18.00 becomes $12.00, $6 Savings]

CLOUD SERVICE PROVIDER = MASSIVE ECONOMIES OF SCALE
Advantages of Cloud Computing
Stop Guessing Capacity

• More Control / Flexibility to your Computing Capacity
• Pay-As-You-Go Pricing
• Stop Guessing Capacity = Right-Sizing
• NOT Constrained by the Limited Capability of Your Physical Infrastructure

[Chart: Expected Demand vs. Computing Capacity (CPU: 30 Cores, RAM: 64 GB, NETWORK: 20 Gbps); demand axis from 50,000 to 200,000; capacity provisioned at FULL CAPACITY while actual usage shows UNDER UTILIZATION]
[Chart: Actual Demand vs. the same Computing Capacity; demand exceeds the provisioned capacity, causing OVER UTILIZATION]
DIFFICULT TO ACCURATELY ESTIMATE THE RIGHT COMPUTING CAPACITY TO MATCH THE CHANGING DEMAND

CLOUD SERVICE PROVIDER
• Removes the guesswork in your capacity planning activities
• Matches the real usage patterns of your applications and systems
• Allows you to Right-Size your Computing Capacity

VERTICAL SCALING: SCALE UP / SCALE DOWN
• e.g. from a Smaller Amazon EC2 Instance Type (1 vCPU Core, 1 GB RAM) up to a Large Amazon EC2 Instance Type (4 vCPU Cores, 4 GB RAM), and back down
HORIZONTAL SCALING: SCALE OUT / SCALE IN

Serverless = Less Server Management
• Does NOT run all the time unlike a traditional virtual machine
• Will only run once you invoked it
• Get billed based on the number of seconds your function is running only
• Highly scalable without manual overhead
Advantages of Cloud Computing
Increase Speed & Agility

Speed
• Speeds up the process of launching servers, storage services, network devices, and other resources
• Hastens the momentum of product deliveries, system upgrades, and expansion
• Accelerates the pace of scaling the business by removing time-consuming infrastructure tasks
• Ability to deploy an entire online solution in the cloud with just a click of a button
• Expedites software development process
• Faster deployment of your IT infrastructure and enterprise applications

Agility
• Makes the organization more agile due to the many available services that can be utilized
• Easily shift to a totally new implementation
• Low cost to experiment, develop and test different solutions
• Removes the constraint of being limited by the physical assets of the organization
• Have the leverage to use the various available automation tools and features in the cloud
• Gain more free time to explore various solutions
Advantages of Cloud Computing
Stop Spending Money Running and Maintaining Data Centers

Costs of Running a Data Center
• Payroll for the security staff, engineers, specialists, consultants and others
• Property Expenses
• Legal Requirements (permits, taxes, compliance, etc)
• IT Assets (servers, storage appliances, routers, cables, etc)
• Insurance
• Security Equipment
• Maintenance Costs
• Physical and Environmental Expenditures
• Data Replication

CLOUD SERVICE PROVIDER = Removes the large upfront investment, management overhead and monthly recurring expenses required in running a Data Center
Advantages of Cloud Computing
Go Global in Minutes

Content Delivery Network
• Consists of a global network of point-of-presence locations (PoPs) scattered in various countries.
• Reduces the latency of your website, images, videos, and static assets
• Utilizes the PoPs to deliver the data and not from your local point of origin
• No need for you to build thousands of physical edge locations in hundreds of countries

Foreign Laws & Security Requirements
• Covers Data Sovereignty requirements
• Abide by the Regional Rules that need to be strictly followed
• Quickly establish a digital presence in other countries while being compliant with their data protection and privacy laws
• Example: General Data Protection Regulation (GDPR)
• Each country has its own data privacy law with unique data residency and data sovereignty requirements
AWS Well-Architected Framework

AWS Well-Architected
• Conceptualized from extensive years of cloud research, development, and real-world experience
• A knowledge base of design principles, best practices and architectural guidance
• Helps you avoid costly mistakes
• Allows you to establish key performance indicators (KPIs) to measure workload performance
• Cloud architectural QUESTIONS

AWS Well-Architected structure: Pillars (Pillar 1, Pillar 2, Pillar 3, Pillar 4, Pillar 5, Pillar n...), each covering Design Principles, Key Topics, Design Patterns, Anti-Patterns, Implementation Guide, Risks, Benefits and Best Practices

AWS Well-Architected: HOW DOES IT WORK?
Your Cloud Solution (diagram): USER → IDENTITY & ACCESS MANAGEMENT (GROUP, ROLE) → NETWORK (FIREWALL) → DATA TRANSPORT → COMPUTE (Your App) → DATA LAYER
Security Pillar questions applied to that solution:
• How do you protect your data at rest?
• How do you protect your data in transit?
• How do you manage identities for people and machines?
AWS Well-Architected: TRADE-OFFS

DO YOU REALLY NEED TO FOLLOW ALL THE GUIDELINES OF THE AWS WELL-ARCHITECTED FRAMEWORK? It depends on your REQUIREMENTS.

REQUIREMENTS (AVERAGE COST); each column lists the options for that dimension:
ENVIRONMENT    RELIABILITY    DATA SECURITY    SCALABILITY    COMPLIANCE
PROD           HIGH           AT REST          MUST           HIPAA
PRE PROD       MID            IN TRANSIT       OPTIONAL       GDPR
DEV            LOW            NONE                            PCI-DSS

Example trade-off: a DEV environment chooses LOW COST over RELIABILITY.
Example: a TEST environment is likewise run at LOW COST.
Example: MISSION-CRITICAL APPLICATIONS in PROD come at HIGH COST: MORE COMPUTE & STORAGE RESOURCES and MORE REDUNDANT RESOURCES.

IN PRODUCTION, SECURITY IS NOT USUALLY TRADED-OFF WITH ANY OTHER FACTORS
The Pillars of the AWS Well-Architected Framework

AWS Well-Architected Framework Pillars
• OPERATIONAL EXCELLENCE
• SECURITY
• RELIABILITY
• PERFORMANCE EFFICIENCY
• COST OPTIMIZATION
• SUSTAINABILITY
AWS Well-Architected
OPERATIONAL EXCELLENCE PILLAR

Revolves around how you run your operations to deliver business value
Allows you to verify whether your AWS workloads are operating excellently or poorly
Provides the ability to:
• Effectively run workloads in AWS
• Gain helpful insight into your cloud operations
• Continuously improve your supporting processes & procedures

Example of an Operationally Excellent AWS solution:
• An AWS workload with loosely-coupled components which can be updated on a regular basis and where the changes can be made in small, reversible increments.

Can be achieved by establishing protocols in place to continuously improve the supporting processes of your cloud operations
Supporting Processes:
• Continuous Improvement
• Knowledge Management
• Post-incident Analysis
• Feedback Loops
• Other protocols that support your primary processes

Includes the concepts of Risk Mitigation, Disaster Recovery Exercises, Game Days or Team Drills to test your Disaster Recovery Action Plan

DESIGN PRINCIPLES
• Perform Operations as Code
• Make Frequent, Small, Reversible Changes
• Refine Operations Procedures Frequently
• Anticipate Failure
• Learn from All Operational Failures

BEST PRACTICE AREAS
• Organization
• Prepare
• Operate
• Evolve
AWS Well-Architected
SECURITY PILLAR

Covers the overall security of your AWS workloads
Not usually traded off against other aspects of your system
Checks the use of various security-related AWS services to protect the data, systems, and assets of your cloud solutions
Includes the concept of Traceability (monitoring & tracking the changes made to your environment and resources)
Root Cause Analysis and Remediation Automation of production incidents
Aims to improve your overall Security Posture
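The Traceability concept above (monitoring and tracking the changes made to your environment) is easiest to see on actual audit records. The following is an added example, not code from the Tutorials Dojo slides or from AWS: a Python script that scans CloudTrail-style JSON records for change events a security team would want flagged, and escalates the severity when a security group is opened to the whole internet or an administrator policy is attached to a user. The four records, the watch-list of event names, the severities, and every account identifier, user name and IP address are constructed for this example; only the record field names (eventSource, eventName, userIdentity, sourceIPAddress, requestParameters) follow the CloudTrail log format.

```python
"""Change-event triage over CloudTrail-style records (added example).

Assumptions: record field names follow the CloudTrail log format; the sample
records, the watch-list and the severities are constructed for this example.
"""
import json
from collections import Counter

# Constructed sample records: placeholder names, ids and RFC 5737 test IPs.
SAMPLE_EVENTS = [
    {   # ingress rule opened to the whole internet on port 22
        "eventTime": "2024-05-01T09:12:03Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
    },
    {   # read-only call: not a change, must not produce a finding
        "eventTime": "2024-05-01T09:15:44Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": None,
    },
    {   # audit logging switched off: a change that removes traceability itself
        "eventTime": "2024-05-01T09:20:10Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "userIdentity": {"type": "IAMUser", "userName": "ops-bob"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"name": "management-trail"},
    },
    {   # privilege change: managed admin policy attached to a user
        "eventTime": "2024-05-01T09:21:30Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "AttachUserPolicy",
        "userIdentity": {"type": "IAMUser", "userName": "ops-bob"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"userName": "dev-alice",
                              "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
    },
]
# One JSON record per line, the shape a log pipeline hands to a scanner.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

# Change events worth a ticket, with a baseline severity (this example's choice).
WATCHED = {
    ("cloudtrail.amazonaws.com", "StopLogging"): "CRITICAL",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "CRITICAL",
    ("iam.amazonaws.com", "AttachUserPolicy"): "HIGH",
    ("iam.amazonaws.com", "CreateAccessKey"): "HIGH",
    ("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress"): "MEDIUM",
}
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}


def opens_to_world(params):
    """True if any ingress range in the request is 0.0.0.0/0 or ::/0."""
    for perm in ((params or {}).get("ipPermissions") or {}).get("items", []):
        v4 = perm.get("ipRanges", {}).get("items", [])
        v6 = perm.get("ipv6Ranges", {}).get("items", [])
        if any(r.get("cidrIp") == "0.0.0.0/0" for r in v4):
            return True
        if any(r.get("cidrIpv6") == "::/0" for r in v6):
            return True
    return False


def triage(event):
    """Return a finding for a watched change event, or None for anything else."""
    key = (event.get("eventSource"), event.get("eventName"))
    severity = WATCHED.get(key)
    if severity is None:
        return None
    params = event.get("requestParameters") or {}
    # Escalate when the request parameters show the worst variant of the change.
    if key[1] == "AuthorizeSecurityGroupIngress" and opens_to_world(params):
        severity = "HIGH"
    if key[1] == "AttachUserPolicy" and params.get("policyArn", "").endswith("/AdministratorAccess"):
        severity = "CRITICAL"
    return {
        "time": event.get("eventTime"),
        "severity": severity,
        "event": key[1],
        "actor": (event.get("userIdentity") or {}).get("userName", "<unknown>"),
        "source_ip": event.get("sourceIPAddress"),
        # what was changed: security group, IAM user or trail name, whichever is present
        "target": params.get("groupId") or params.get("userName") or params.get("name") or "-",
    }


def scan(log_text):
    """Parse JSON-lines records and return the findings, most severe first."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            finding = triage(json.loads(line))
            if finding:
                findings.append(finding)
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["time"]))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'CRITICAL': 2, 'HIGH': 1}."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['severity']:<8} {f['event']:<30} by {f['actor']} "
              f"from {f['source_ip']} on {f['target']}")
    print(summarize(scan(SAMPLE_LOG)))
```

The point of the ordering is that the StopLogging record sorts to the top: a change that disables the audit trail is worse than anything it might be hiding, and a traceability control has to treat its own disappearance as the first thing to alert on. The read-only ListBuckets call produces nothing, which keeps the detection focused on changes rather than on every API call.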

AWS Well-Architected
SECURITY PILLAR

Examples of Secure AWS solutions:

• Enabling Traceability via AWS Config to record, audit, and evaluate changes to AWS resources in your production environment.

• Implementing data encryption, tokenization, SSL, and firewalls to protect your sensitive data in transit and data at rest

• Granting the least privilege to your staff with the minimum permissions required to perform a task
AWS Well-Architected
SECURITY PILLAR

DESIGN PRINCIPLES
• Implement a Strong Identity Foundation
• Enable Traceability
• Apply Security at All Layers
• Automate Security Best Practices
• Protect Data in Transit and at Rest
• Keep People Away from Data
• Prepare for Security Events

BEST PRACTICE AREAS
• Foundations for Security
• Identity and Access Management
• Detection
• Infrastructure Protection
• Data Protection
• Incident Response


AWS Well-Architected
RELIABILITY PILLAR
Focused on the ability of your systems to recover and work consistently & accurately

Ensures your applications remain reliable even if there are traffic surges, unexpected system changes, or natural disasters

Includes the ability to operate and test your AWS workloads throughout their entire lifecycle

Accentuates the concept of Recovery for your cloud solutions in AWS to meet your strict Recovery Time Objective (RTO) and Recovery Point Objective (RPO) requirements

Verifies that your application has the ability to recover from service disruptions, natural disasters, application failures, and other types of outages

Checks if your cloud architecture can dynamically acquire computing resources to meet the changing demand of your application
AWS Well-Architected
RELIABILITY PILLAR

Examples of Reliable AWS solutions:

• A system that is able to recover from infrastructure or service disruptions by using redundant AWS resources such as an Amazon RDS database in Multi-AZ Deployments configuration, Amazon Aurora Global Database or an application deployed in multiple Availability Zones or AWS Regions.

• Implementing Amazon EC2 Auto Scaling on multiple Availability Zones behind an Application Load Balancer to automatically recover from outages and dynamically acquire computing resources to avoid system degradation.

• Using Cross-Region Replication for databases, S3 buckets, and other resources to increase the ability of your systems to recover.
AWS Well-Architected
RELIABILITY PILLAR

DESIGN PRINCIPLES
• Automatically Recover from Failure
• Test Recovery Procedures
• Scale Horizontally to Increase Aggregate Workload Availability
• Stop Guessing Capacity
• Manage Change through Automation

BEST PRACTICE AREAS
• Foundations for Reliability
• Workload Architecture
• Change Management
• Failure Management
AWS Well-Architected
PERFORMANCE EFFICIENCY PILLAR

Covers the ability to improve the performance factors efficiently to meet your system requirements

Focuses on achieving and maintaining a high level of efficiency even as your customer demand changes

Adopting new technologies (e.g. Serverless, Containerization)

Re-factoring/re-architecting the existing design of your system to improve application performance

Example AWS solution that demonstrates Performance Efficiency:

• Re-architecting an on-premises monolithic system to become a Serverless Application to efficiently lessen the operating cost, enhance scalability and further improve other performance factors.
AWS Well-Architected
PERFORMANCE EFFICIENCY PILLAR

DESIGN PRINCIPLES
• Democratize Advanced Technologies
• Go Global in Minutes
• Use Serverless Architectures
• Experiment More Often
• Consider Mechanical Sympathy

BEST PRACTICE AREAS
• Selection
• Review
• Monitoring
• Trade-offs

AWS Well-Architected
COST OPTIMIZATION PILLAR

Focuses on the ability to run your systems and deliver business value at the lowest price point possible

A continual process of improving your AWS workloads while minimizing costs to achieve the outcomes expected of the business in a cost-effective manner

Aims to increase revenue and maximize return on investment (ROI)

Example of a Cost-Optimized AWS Solution:

• Adopting a Consumption Model via Pay-as-you-go pricing where you only pay for the resources that you actually consume, or by using AWS Serverless services.
AWS Well-Architected
COST OPTIMIZATION PILLAR

Removes the reliance on elaborate forecasting to determine what the expected usage of your compute resources would be

Less dependency on extremely inaccurate forecasting and guesswork in terms of capital expenditures (CAPEX) or operating expenses (OPEX)

Trade Fixed Expense for Variable Expense by choosing Pay-As-You-Go Pricing and adopting a cost-effective Serverless Architecture

Have the ability to dynamically increase or decrease resource usage to meet the ever-changing requirements of the business
AWS Well-Architected
COST OPTIMIZATION PILLAR

DESIGN PRINCIPLES
• Implement Cloud Financial Management
• Adopt a Consumption Model
• Measure Overall Efficiency
• Stop Spending Money on Undifferentiated Heavy Lifting
• Analyze and Attribute Expenditure

BEST PRACTICE AREAS
• Practice Cloud Financial Management
• Expenditure & Usage Awareness
• Cost-effective Resources
• Manage Demand & Supply Resources
• Optimize over Time


AWS Well-Architected
SUSTAINABILITY PILLAR

All about sustainable development, which addresses the long-term environmental, economic, and societal impact of your business operations as you use the AWS Cloud

Sustainable Development is:

• “...a type of development that meets the needs of the present without compromising the ability of future generations to meet their own needs”

Aims to lessen negative environmental impacts such as carbon emissions, unrecyclable waste, and damage to shared natural resources

Focuses on Environmental Sustainability, which is a shared responsibility between you & AWS
AWS Well-Architected
SUSTAINABILITY PILLAR

DESIGN PRINCIPLES
• Understand your Impact
• Establish Sustainability Goals
• Maximize Utilization
• Anticipate and Adopt New, More Efficient Hardware & Software Offerings
• Use Managed Services
• Reduce the Downstream Impact of your Cloud Workloads

BEST PRACTICE AREAS
• Region Selection
• User Behavior Patterns
• Software & Architecture Patterns
• Data Patterns
• Hardware Patterns
• Development & Deployment Process
AWS Well-Architected Tool

The AWS Well-Architected Framework itself is JUST A PDF DOCUMENT: reviewing a workload against a pillar such as the Security Pillar takes a lot of time to check manually!

• A self-service console for the AWS Well-Architected Framework, also known as the AWS WA Tool
• Automates the review process of cloud workloads against architectural best practices in AWS
• Allows you to easily identify opportunities for improvement
• Automatically tracks the progress of your improvement plan
• Can be integrated with: AWS Trusted Advisor, AWS Compute Optimizer, AWS Service Catalog AppRegistry
• Automated workload discovery in AWS: saves you the time of manually identifying your resources and simplifies workload and compliance reviews
• Can be invoked via web APIs, which enables you to extend the AWS Well-Architected functionality into your applications, workflows and processes
• Allows you to fetch the workloads, best practices, and measurements programmatically
The AWS Well-Architected Tool workflow:
1. Define Workload
2. Conduct Architectural Review
3. Apply Best Practices

AWS Well-Architected Tool: STEP #1
Define a Workload

A workload can span AWS and on-premises resources (your cloud solution plus an on-premises data center).

1 SPECIFY PROPERTIES: Architectural Design, Environment Type, Business Purpose, Scope, Review Owner, AWS Regions, Other Attributes. Integrations shown for this step: AWS Service Catalog AppRegistry and AWS Trusted Advisor.

2 APPLY LENSES: apply one or more lenses to the defined workload, e.g. Your Cloud Solution with Your App running on Amazon EC2 and a SELF-HOSTED DATABASE.
AWS Well-Architected Tool: STEP #2
Conduct Architectural Review

Example review questions:
• Did we implement actionable security events in our AWS architecture?
• Which AWS services are we currently using to detect and investigate security events?
• Do I really know what an actionable security event is at all?

Tips:
• Use the available INFO tooltips
• Post your questions on the official AWS re:Post site for assistance

Example best practices surfaced by the review:
• Enable Amazon GuardDuty
• Use Runbooks (a predefined procedure to achieve a specific outcome)
• Set up Playbooks (a set of predefined steps that your team must perform to identify an issue)
• Automate runbooks/playbooks by using the AWS Systems Manager Automation service

AWS Well-Architected Tool: STEP #3
Apply Best Practices

AWS Well-Architected Framework Documentation

AWS Services Overview

Common use cases: Host Web Apps, Run Real-Time Data Analytics, Develop Mobile Apps, Store Data for Backup

Services are grouped PER CATEGORY, e.g. COMPUTE SERVICES: Amazon EC2, AWS Lambda, AWS Outposts, Amazon Lightsail

Naming conventions:
• Amazon EC2 = Amazon Elastic Compute Cloud
• Amazon S3 = Amazon Simple Storage Service
• Amazon RDS = Amazon Relational Database Service
• Services that are fully managed by AWS but built on Open Source Technology carry the technology name: Amazon Elastic Kubernetes Service (EKS), Amazon FSx for Lustre (FSx), Amazon Elasticsearch Service
• Amazon Route 53 routes traffic. What’s the meaning of the number? The number 53 is the TCP and UDP port number used for Domain Name System (DNS) protocol transport
• The “Elastic” family of names: Amazon EC2, Amazon Elastic Container Service, Amazon Elastic Kubernetes Service
AWS Compute Services
Overview

AWS Compute Services per category:
• Virtual Machines: Amazon EC2, Amazon LightSail, AWS Outposts
• Serverless: AWS Lambda, AWS Fargate
• Orchestration: AWS Elastic Beanstalk, AWS Batch
• Container: Amazon EKS, Amazon ECS

Virtual Machines

• An instance gets its virtual CPU, network and storage from the underlying host through VIRTUALIZATION software, also called a Virtual Machine Monitor or a Hypervisor
• SHARED: the host is used by MULTIPLE tenants / customers (DEFAULT VIRTUALIZATION)
• DEDICATED: the host is used by a SINGLE customer (CUSTOM VIRTUALIZATION)

Serverless
• Fully managed by AWS
• NO DIRECT server access via SSH or RDP, unlike Amazon EC2

Hybrid
• Runs in your on-premises data center
Amazon EC2
• A computing service that runs virtual servers in AWS

• Allows you to launch Windows, Linux or even MacOS virtual machines

• A type of Infrastructure as a Service (IaaS)

• A basic building block for your cloud architecture

• Used by other AWS services as an underlying compute service

• Shared Responsibility Model: the Host OS is managed by AWS; the Guest OS is managed by you

Amazon EC2 (Elastic Compute Cloud)
• Flexible
• Customizable
• Scalable
• Accessed via an SSH connection or a Remote Desktop connection

AWS Lambda
• Serverless; fully managed by AWS
• A Lambda function runs inside a RUNTIME ENVIRONMENT; a CUSTOM RUNTIME can also be supplied
Orchestration: AWS Batch, AWS Elastic Beanstalk

AWS Batch
• Enables you to run batch computing workloads

• Dynamically provisions the optimal quantity and type of compute resources, based on the volume and specific resource requirements.

• Does the planning, scheduling, and execution of your batch computing workloads using Amazon EC2 instances.

AWS Elastic Beanstalk
• Automates the deployment, management, scaling, and monitoring of your custom applications in AWS

• Just upload your application and it will automatically handle the common tasks to run your application.

• Handles capacity provisioning, load balancing, database management, auto-scaling, and health monitoring

• Mnemonic: Jack and the Beanstalk (AWS Elastic Beanstalk runs Your Applications)

Amazon LightSail
• An easy-to-use Virtual Private Server (VPS)

• Has its own web management console

• Also provides other services like databases, load balancers, DNS records and many more.

AWS Outposts
• A hybrid service that allows you to run AWS services, like Amazon EC2, in your on-premises data center
AWS Container Services
Overview

AWS Container Services: Amazon ECS, Amazon EKS, AWS Fargate, Amazon ECR
CLI Tools: AWS App2Container (A2C), AWS Copilot

Virtual Machine vs Container
• Virtual Machine: each VM (Container 1, 2, 3 in the diagram) runs its App on its own Guest OS on top of a HYPERVISOR
• Hypervisor types: Bare Metal (runs directly on the host hardware / firmware) or Hosted (runs on top of a Host OS)
• Container: Container 1 and Container 2 share one Host OS through a CONTAINER ENGINE, with no Guest OS per container; a container engine can also run inside a virtual machine
Amazon ECS
• Amazon Elastic Container Service (Amazon ECS)

• A container orchestration service that supports Docker containers.

• Allows you to easily install, operate, and scale your cluster management infrastructure in AWS

• Containers are defined in a task definition which you use to run an ECS task, or are grouped together as an ECS service

• Runs your ECS tasks using: Amazon EC2 or AWS Fargate

• An IAM Role can be attached to your ECS task in the TaskRoleArn property of your task definition for security control

• Store your Docker Images in: Amazon ECR

Integrations of an ECS task (ECS Task 1, ECS Task 2):
• Storage: Amazon EFS, Amazon FSx (data shared between tasks)
• Integration: Amazon SQS
• Scaling: Amazon ECS Service Auto Scaling
Amazon EKS
• Amazon Elastic Kubernetes Service (Amazon EKS)

• A fully-managed Kubernetes service

• Portable, extensible, and open-source platform for managing containerized workloads and services

• Containers are grouped into Pods, the basic operational unit for Kubernetes.

• Launches and orchestrates a cluster of compute resources using: Amazon EC2 or AWS Fargate

• Considered Cloud-agnostic as it allows you to easily move your workloads to your on-premises network or to other cloud service providers like Microsoft Azure, Google Cloud Platform (GCP) et cetera.

AWS Fargate
• A serverless compute engine

• Works on: Amazon ECS and Amazon EKS

• Allows you to focus on building your applications without worrying about server provisioning, scaling, and management

• Provides a more cost-effective solution than a container running on the Amazon EC2 launch type

• Runs each ECS task or Kubernetes pod in its own kernel.

• Provides the tasks and pods in their own isolated compute environment.
Amazon ECR
• Amazon Elastic Container Registry (Amazon ECR)

• A fully-managed Docker container registry

• Allows you to store, manage, and deploy Docker container images.

• Integrated with Amazon ECS

• Stores your docker images in a highly available and scalable architecture

• You can use IAM to provide resource-level control of each repository.

AWS App2Container (A2C)
• A command-line tool

• Transforms .NET & Java applications to containerized applications

• Packages the application artifact and dependencies into container images.

• Configures the network ports and generates the ECS task and Kubernetes pod definitions.

AWS Copilot
• Also a command-line tool, just like AWS App2Container (A2C)

• Transforms .NET & Java applications to containerized applications

• Enables you to quickly launch and easily manage containerized applications on AWS

• Automates the deployment lifecycle of your containers

AWS Storage Services
Overview

AWS Storage Services:
• Amazon EC2 Instance Store (a built-in component of the underlying host computer that powers your Amazon EC2 instances, and NOT a full-fledged AWS service)
• Amazon Elastic Block Store (Amazon EBS)
• Amazon Simple Storage Service (Amazon S3)
• Amazon S3 Glacier
• Amazon Elastic File System (Amazon EFS)
• Amazon FSx for Lustre
• Amazon FSx for Windows File Server
• AWS Backup
• AWS Storage Gateway

Amazon EC2 Instance Store
• A temporary or ephemeral block-level storage

• Uses the local disks or storage volumes that are physically attached to the underlying host computer of the Amazon EC2 instance.

• Provides low-latency access to your data

• Loses its stored data if:
  • The underlying local storage fails
  • The Amazon EC2 Instance stops, hibernates or terminates

Amazon Elastic Block Store (Amazon EBS)
• A persistent block-level storage service

• Your data will still be there even if you stop, restart, or terminate your Amazon EC2 instance, unlike the Amazon EC2 Instance Store

• Also called EBS Volumes

• Mounted or attached to your Amazon EC2 instances

• Zonal in scope: you can only attach a volume to EC2 instances in the same Availability Zone.

• Can be encrypted at rest using AWS Key Management Service (AWS KMS)
Amazon Elastic Block Store (Amazon EBS): Solid State Drive (SSD) vs Hard Disk Drive (HDD)

Read & Write Speeds: SSD Fast! | HDD Slow…
Use Case: SSD for workloads with frequent read/write operations | HDD for data archiving, backups or throughput-oriented storage
Dominant Performance Attribute: SSD IOPS (Input/Output Operations Per Second) | HDD Throughput (Megabit per second (Mbps))
Can be used as Boot Volume for Amazon EC2? SSD Yes | HDD No
TYPES: SSD gp General Purpose SSD, io Provisioned IOPS SSD | HDD st Throughput Optimized HDD, sc Cold HDD

• Faster data retrieval than Amazon S3 and Amazon EFS
• Can only be attached to a single Amazon EC2 instance at a time
• Can be used as a Boot Volume for Amazon EC2, whereas Amazon S3 and Amazon EFS cannot be used as a Boot Volume

EBS Multi-Attach
• An io Provisioned IOPS SSD volume can be attached to multiple Nitro-based Amazon EC2 instances at the same time
• No concurrent file modification (the same File-Manila.txt cannot be modified by several instances at once), unlike Amazon EFS
Amazon Simple Storage Service (Amazon S3)
• An object storage service

• Highly durable and scalable

• Can store virtually unlimited amounts of data

• The files that you upload to an S3 Bucket are called “objects”

• Access files via a REST API call
Amazon S3 Storage Classes

• For frequently accessed data: S3 Standard
• For changing or unknown access patterns: S3 Intelligent-Tiering
• For storing long-lived, yet less frequently accessed data: S3 Standard-IA (Infrequent Access), S3 One Zone-IA (Infrequent Access)
• For low-cost long-term storage and data archiving: S3 Glacier, S3 Glacier Deep Archive

Lifecycle Policy: objects can be transitioned over time, e.g. S3 Standard → (30 Days) → S3 Standard-IA / S3 One Zone-IA / S3 Intelligent-Tiering → (90 Days) → S3 Glacier → (180 Days) → S3 Glacier Deep Archive

Amazon S3 security and data management features:
• Access Control List (ACL): secure access to your S3 buckets and objects
• Bucket Policy: control external access to your Amazon S3 bucket.
• S3 Versioning and Multi-Factor Authentication (MFA): prevent accidental data deletion in Amazon S3.
• Cross Region Replication (CRR): automatically replicate objects to a different AWS Region for backup purposes
• Transfer Acceleration and Multipart Upload: accelerate or expedite the data transfer (upload/download) of S3 objects
…and many more S3 features!


Amazon S3 Glacier
• One of the storage classes in Amazon S3

• Has its own web management console apart from Amazon S3 (archives are stored in a Vault)

• Based on the word Glacier: for Rarely Accessed Data (Cold), like the sc Cold HDD EBS type, as opposed to Frequently Accessed (Hot) data in S3 Standard

• Low-cost storage for data archiving and long-term backup.
S3 Glacier vs Deep Archive

COST: S3 Glacier LOW $ | S3 Glacier Deep Archive LOWEST $
MINIMUM STORAGE DURATION: S3 Glacier 90 Days | Deep Archive 180 days
DATA DELETED AFTER 1 DAY (24 HOURS): S3 Glacier is billed for the entire 90 Days | Deep Archive is billed for the entire 180 Days
DATA DELETED AFTER 90 DAYS: S3 Glacier normal storage usage charge | Deep Archive is billed for the entire 180 Days
DATA DELETED AFTER 180 DAYS: S3 Glacier normal storage usage charge | Deep Archive normal storage usage charge

S3 Standard vs S3 Glacier

COST (Timed Storage - Byte Hours): S3 Standard HIGHEST $ $ $ | S3 Glacier LOWEST $
MINIMUM STORAGE DURATION: S3 Standard None | S3 Glacier 90 days
DATA DELETED AFTER 1 DAY (24 HOURS): S3 Standard regular storage usage charge (24 hours) | S3 Glacier is billed for the entire 90 Days
DATA DELETED AFTER 30 DAYS: S3 Standard regular storage usage charge (30 days) | S3 Glacier is billed for the entire 90 Days
DATA DELETED AFTER 90 DAYS: S3 Standard regular storage usage charge (90 days) | S3 Glacier regular storage usage charge (90 Days)

Archive Retrieval Options: EXPEDITED | STANDARD | BULK
S3 Glacier: 1 - 5 minutes | 3 - 5 hours | 5 - 12 hours
S3 Glacier Deep Archive: NOT AVAILABLE | Within 12 Hours | Within 48 hours
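The minimum-storage-duration rule in the tables above, combined with the 30/90/180-day lifecycle timeline from the storage-class slide, as an added Python simulation (not code from the course): it reports which class an object is in on a given day and how many days each class bills when the object is deleted early. The 30-day minimum for the Infrequent Access classes is an assumption taken from AWS pricing, since the slides only state the Glacier minimums.

```python
"""Simulate S3 storage-class transitions and minimum-storage-duration billing.

Added example (not part of the course slides). The 90/180-day minimums for
S3 Glacier and S3 Glacier Deep Archive come from the slides; the 30-day
minimum for the Infrequent Access classes is an assumption taken from AWS
pricing. Storage is counted per day for simplicity (AWS bills byte-hours).
"""
from dataclasses import dataclass

# Minimum storage duration in days. Leaving a class before this many days,
# by deletion or by a lifecycle transition, is billed for the full minimum.
MIN_STORAGE_DAYS = {
    "STANDARD": 0,
    "STANDARD_IA": 30,   # assumption: AWS pricing, not stated on the slides
    "ONEZONE_IA": 30,    # assumption: AWS pricing, not stated on the slides
    "GLACIER": 90,
    "DEEP_ARCHIVE": 180,
}


@dataclass(frozen=True)
class Transition:
    days: int           # object age (in days) at which the rule moves it
    storage_class: str  # destination storage class


# Constructed lifecycle rule matching the slide's 30 / 90 / 180-day timeline.
LIFECYCLE_RULE = (
    Transition(30, "STANDARD_IA"),
    Transition(90, "GLACIER"),
    Transition(180, "DEEP_ARCHIVE"),
)


def storage_class_on_day(age_days, initial_class="STANDARD", rule=LIFECYCLE_RULE):
    """Return the storage class an object of the given age is in."""
    current = initial_class
    for tr in sorted(rule, key=lambda tr: tr.days):
        if age_days >= tr.days:
            current = tr.storage_class
    return current


def storage_segments(deleted_at_days, initial_class="STANDARD", rule=LIFECYCLE_RULE):
    """Split an object's life into (storage_class, days_actually_stored) segments.

    The object is uploaded into initial_class on day 0 and deleted on day
    deleted_at_days; a transition scheduled on the deletion day never happens.
    """
    if deleted_at_days < 1:
        raise ValueError("an object must be stored for at least one day")
    boundaries = [0]
    classes = [initial_class]
    for tr in sorted(rule, key=lambda tr: tr.days):
        if 0 < tr.days < deleted_at_days:
            boundaries.append(tr.days)
            classes.append(tr.storage_class)
    boundaries.append(deleted_at_days)
    return [
        (cls, end - start)
        for cls, start, end in zip(classes, boundaries, boundaries[1:])
    ]


def billable_days(deleted_at_days, initial_class="STANDARD", rule=LIFECYCLE_RULE):
    """Return {storage_class: billed_days}, applying each class's minimum.

    This reproduces the early-deletion charge shown on the slides: a Glacier
    object deleted after 1 day is billed for the entire 90 days.
    """
    billed = {}
    for cls, stored in storage_segments(deleted_at_days, initial_class, rule):
        billed[cls] = billed.get(cls, 0) + max(stored, MIN_STORAGE_DAYS[cls])
    return billed


if __name__ == "__main__":
    # Direct upload into S3 Glacier (no lifecycle rule), deleted after 1 day.
    print(billable_days(1, "GLACIER", ()))   # {'GLACIER': 90}
    # Upload to S3 Standard under the 30/90/180 rule, deleted on day 100:
    # only 10 days were spent in Glacier, but the full 90 are billed.
    print(billable_days(100))
```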
Amazon Elastic File System (Amazon EFS)
• A scalable shared file storage service

• Provides a POSIX-compliant (Portable Operating System Interface) shared file system

• Can be simultaneously accessed by multiple Amazon Linux EC2 instances in different Availability Zones.

• Uses the Network File System (NFS) protocol. Works as a file share

• Only supports Linux Servers; the Windows counterpart is Amazon FSx for Windows File Server

Lifecycle Policy: after 30 Days, files are moved from EFS STANDARD to EFS INFREQUENT ACCESS (IA)

Amazon FSx: Amazon FSx for Lustre and Amazon FSx for Windows File Server

Amazon FSx for Lustre
• Lustre = Linux + Cluster: an open-source, parallel file system

• A parallel file system used for large-scale cluster computing.

• Primarily used for High-Performance Computing (HPC) or Machine Learning applications

• For workloads that need high-performance parallel storage for frequently accessed hot data.

• Provides a throughput of hundreds of gigabytes per second

• Offers millions of IOPS

• Like Amazon EFS, it is a scalable shared file system that only supports Linux Servers

• You can mount an Amazon FSx for Lustre file share to: Amazon EC2, Amazon ECS, Amazon EKS

• Use the Container Storage Interface (CSI) to connect to your Amazon EKS cluster.
Amazon FSx for Windows File Server
• A fully managed Microsoft Windows file server service

• Uses the Server Message Block (SMB) protocol

• Can be integrated with your existing Microsoft Active Directory or AWS Managed Microsoft AD

• Can be used as shared file storage for your Microsoft SharePoint, Microsoft SQL Server and Microsoft Containers
AWS Backup
• A fully managed backup service

• Automates your server and database backup processes.

• Service-level backups: Amazon FSx, Amazon EFS, Amazon DynamoDB, Amazon EC2

• Service-level snapshots: Amazon Aurora, Amazon RDS, Amazon EBS, AWS Storage Gateway

• Retention: the built-in service-level retention is 7 Days (Default) up to 35 Days (Maximum); with AWS Backup you can keep backups for 90 Days, One Year or even more!


AWS Storage Gateway
• A hybrid cloud storage service

• Connects your on-premises applications and data storage to the AWS Cloud.

• Integrate your local & cloud storage systems by using a gateway, deployed as a VIRTUAL MACHINE in your on-premises data center next to your on-premises applications, or as a hardware appliance hosted on-premises.

File Gateway
• Store and retrieve objects in Amazon S3 using NFS and SMB protocols
• Can be integrated with AWS Managed Microsoft AD or your on-premises Microsoft Active Directory

Volume Gateway
• Provides block storage to your on-premises apps with low latency via the Internet Small Computer System Interface (iSCSI)
• Uses Amazon S3 and EBS Volumes for point-in-time snapshots of your volumes
• CACHED volumes: store a subset of frequently accessed data locally and use S3 as the primary storage
• STORED volumes: store the entire dataset locally and asynchronously back up the data to AWS

Tape Gateway
• A cloud-based Virtual Tape Library
• On-premises apps can connect to the tape gateway as iSCSI devices
• Uses Amazon S3 to back up the tapes; can store the archived tapes in S3 Glacier or S3 Glacier Deep Archive
• Reduces costs by eliminating the use of physical backup tapes

AWS Storage Gateway vs AWS DataSync
• AWS Storage Gateway: INTEGRATION, REPLICATE DATA. Replicates your local data (e.g. from a Storage Area Network) to Amazon S3; on-premises data will still be actively used
• AWS DataSync: MIGRATION, MOVE DATA. On-premises data would not be utilized anymore / will be decommissioned
AWS Database Services
Overview
ACID: Atomicity, Consistency, Isolation, Durability

AWS Database Services by type:
• Relational: Amazon RDS, Amazon Aurora
• Data warehouse: Amazon Redshift
• NoSQL: Amazon DynamoDB, Amazon DocumentDB, Amazon Keyspaces
• In-Memory: Amazon ElastiCache (Memcached, Redis)
• Other Databases: Amazon Neptune, Amazon Timestream, Amazon Quantum Ledger
Amazon Relational Database Service (Amazon RDS)
• A relational database that is managed by both you (limited access) and AWS.

• The time-consuming tasks are handled by AWS, such as hardware provisioning, patching, backups, and maintenance.

• You can configure the underlying EC2 instance used by Amazon RDS (the DB Instance): Storage, Instance Type, Network Access (Amazon VPC, VPC Endpoint)

• You decide the actual time for the patches (e.g. a security patch) to be applied within its maintenance window

• Can run various types of database engines, e.g. Microsoft SQL Server, PostgreSQL, Amazon Aurora
Amazon RDS deployment options (AWS Cloud, N. Virginia Region, VPC A):
• Single AZ: a single PRIMARY DB instance in Availability Zone (AZ) 1
• Multi-AZ: the PRIMARY in AZ 1 with Synchronous Replication to a STANDBY instance in AZ 2
• READ REPLICA: Asynchronous Replication from the PRIMARY to a READ REPLICA, either in another AZ (AZ 3) of the same Region or in a different Region (e.g. the Ohio Region, VPC B)
Amazon Aurora
• A type of database engine (that you can run on Amazon RDS) and a fully managed database service.

• Compatible with: PostgreSQL

• Scales automatically, performs faster, and costs lower than other databases

• Can automatically grow its data storage

• Deployed as a database cluster that consists of a PRIMARY instance and READ REPLICAs

• Similar to Multi-AZ Deployments in Amazon RDS

• A cluster has a single-master configuration where applications can only write data to a single, master DB instance.

• In a multi-master cluster, all DB instances have read/write capability.

Amazon Aurora and Amazon Relational Database Service (Amazon RDS)
• Suitable for applications that read or write constantly changing data, such as Online Transaction Processing applications or OLTP.
Amazon Redshift (Data warehouse)
• A fully managed data warehouse

• Allows you to analyze all your data using standard SQL or through your existing Business Intelligence tools

• Optimized to analyze relational data coming from transactional systems, business applications, and other sources for fast SQL queries.

• Offers a concurrency scaling feature that supports virtually unlimited concurrent users and concurrent queries

• Has a feature called Redshift Spectrum that allows you to query and retrieve structured and semistructured data from files stored in Amazon S3

• Primarily used for Online Analytical Processing or OLAP applications like data reporting and analytics.
NoSQL Databases: Amazon DynamoDB, Amazon DocumentDB

Amazon DynamoDB
• A fully managed NoSQL database service

• A non-relational database that does not have a rigid schema or extensive table relationships.

• NON-RELATIONAL DATABASE vs RELATIONAL DATABASE: a DynamoDB table (Dynamo Table #1, Dynamo Table #2) holds ITEMs made up of ATTRIBUTEs with NO RELATIONSHIP between tables, whereas relational tables are linked through a Foreign Key relationship and JOINs.

Amazon DocumentDB
• A fast, scalable, highly available MongoDB-compatible database service.

• MongoDB is a document-oriented database program: a cross-platform, NoSQL database

• Each document contains fields and values in JSON format with no rigid schema enforced (in a DOCUMENT DATABASE, documents are grouped into a COLLECTION, the counterpart of a table in a RELATIONAL DATABASE)

Example DOCUMENT:

{
  "id": 1898,
  "gid": "tutorialsdojo1898",
  "firstName": "Jose",
  "lastName": "Rizal",
  "profile": {
    "nationality": "Filipino",
    "country": "Philippines",
    "birthPlace": "Laguna"
  }
}
Amazon ElastiCache
• A caching service

• Allows you to set up, run, and scale open-source in-memory databases like Memcached and Redis

• IN-MEMORY DATABASE: with NO CACHE every request goes to the database; with data CACHED, identical requests are served from memory

• Faster than disk-based databases

• Useful for database caching that eliminates unnecessary frequent calls to the database just to return identical datasets

• Useful for real-time analytics, distributed session management, geospatial services, and many more

• Sub-millisecond latency

• Data Partitioning

• Can be integrated into your apps with minimal code change

Amazon ElastiCache for Memcached
• Based on the open-source Memcached in-memory data store.

• Suitable for building a simple, scalable caching layer for your data-intensive apps.

• Multithreaded: it can utilize multiple processing cores.

• Lacks data replication capability

• Does not:
  • Support Advanced Data Structures
  • Provide a Highly Available Caching Layer

Amazon ElastiCache for Redis
• Redis stands for REmote DIctionary Server

• Based on the open-source Redis in-memory data store.

• Provides:
  • Advanced Data Structures
  • Pub/Sub messaging
  • Geospatial support
  • Point-in-Time Snapshot support

• Has a replication feature that provides high availability via data replication.

• You can enable the Cluster Mode in Redis to have multiple primary nodes and replicas across two or more Availability Zones.
Amazon Keyspaces
• A scalable, highly available, and managed Apache Cassandra-compatible database service

• Apache Cassandra is an open-source, wide column data store that is designed to handle large amounts of data.

• Run your Cassandra workloads on AWS without having to provision, patch, or manage servers.

Amazon Neptune
• A fast, reliable, fully-managed graph database service

• Makes it easy for you to build and run applications that work with highly connected datasets

• Allows you to store billions of relationships and query your data graphs with milliseconds latency.

• Uses nodes to store data entities and edges to store relationships between entities.

Amazon Timestream
• A fast, scalable, and serverless time series database service (values recorded over time, e.g. at 9 AM, 10 AM, 11 AM, 12 PM)

• Primarily used for Internet-of-Things and operational applications.

• Track the changes of your data over time

• Can be used to track stock prices, temperature measurements, and the CPU utilization of an EC2 instance over a specific amount of time.

Amazon Quantum Ledger (Amazon QLDB)
• A fully managed ledger database service.

• Provides a transparent and immutable transaction log that is owned by a central trusted authority.

• Creates logs that are cryptographically verifiable

• Provides an auditable history of all changes made to your application data.

• Can be used to track each and every application data change.
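What "cryptographically verifiable" and "auditable history of all changes" mean in practice, as an added Python example (not from the course and not Amazon QLDB's own journal format, which uses a Merkle-tree digest and proofs): a minimal hash-chained, append-only journal in which every revision commits to the previous one, so an edit to past data is detected on verification. The account documents are constructed sample data.

```python
"""A minimal hash-chained, append-only journal.

Added example (not part of the course slides, and a simplified stand-in for
Amazon QLDB's journal rather than its real format). Each entry stores the
hash of its predecessor, so the latest hash (the digest) commits to the
entire history and any silent edit of a past revision breaks the chain.
"""
import hashlib
import json

GENESIS_HASH = "0" * 64  # value the first entry chains to


def _entry_hash(seq, prev_hash, document):
    """SHA-256 over a canonical JSON encoding of (seq, prev_hash, document)."""
    payload = json.dumps(
        {"seq": seq, "prev": prev_hash, "doc": document},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


class Journal:
    """Append-only log of document revisions, each chained to its predecessor."""

    def __init__(self):
        self._entries = []  # dicts with keys: seq, prev, doc, hash

    def append(self, document):
        """Record a new revision and return the journal digest after it."""
        seq = len(self._entries)
        prev = self._entries[-1]["hash"] if self._entries else GENESIS_HASH
        entry = {
            "seq": seq,
            "prev": prev,
            "doc": json.loads(json.dumps(document)),  # detached copy
            "hash": _entry_hash(seq, prev, document),
        }
        self._entries.append(entry)
        return entry["hash"]

    def digest(self):
        """Hash of the latest entry; it commits to every earlier entry."""
        return self._entries[-1]["hash"] if self._entries else GENESIS_HASH

    def verify(self):
        """Return the seq of the first inconsistent entry, or None if intact."""
        prev = GENESIS_HASH
        for entry in self._entries:
            expected = _entry_hash(entry["seq"], prev, entry["doc"])
            if entry["prev"] != prev or entry["hash"] != expected:
                return entry["seq"]
            prev = entry["hash"]
        return None

    def history(self, key, value):
        """All recorded revisions of documents whose `key` equals `value`."""
        return [e["doc"] for e in self._entries if e["doc"].get(key) == value]

    def tamper(self, seq, document):
        """Overwrite a past revision in place (simulates someone with direct
        access to the storage); verify() must report it."""
        self._entries[seq]["doc"] = document


def demo():
    """Record account changes, then show that a silent edit is detected."""
    journal = Journal()
    for balance in (100, 250, 75):  # constructed sample revisions
        journal.append({"account": "ACC-1", "balance": balance})
    intact_digest = journal.digest()
    assert journal.verify() is None
    journal.tamper(1, {"account": "ACC-1", "balance": 1_000_000})
    return intact_digest, journal.verify()


if __name__ == "__main__":
    digest, first_bad = demo()
    print(f"digest before tampering: {digest}")
    print(f"first inconsistent entry after tampering: {first_bad}")
```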
AWS Deployment Services
Overview

Infrastructure as Code (IaC): your infrastructure is described in a DEFINITION FILE, which can target AWS, a Hybrid setup (on-premises data center plus AWS) or a Multi-Cloud setup.

AWS Deployment Services: AWS CloudFormation, AWS Elastic Beanstalk, AWS CodeDeploy, Amazon ECS Anywhere, Amazon EKS Anywhere, AWS OpsWorks, AWS Proton
AWS CloudFormation
• Provisions and manages your AWS resources using a custom code template in JSON or YAML format

• Has a built-in graphical drag-n-drop online tool called CloudFormation designer

• Primary Infrastructure as Code (IaC) service in AWS

• Provides different features such as Nested Stacks, Change Sets, StackSets and others

• NESTED STACK: a ROOT STACK that contains other stacks, e.g. a DATABASE STACK and an APPLICATION STACK

• CHANGE SET: PROVIDES A PREVIEW BEFORE THE ACTUAL CHANGE (e.g. a change from DOJO DB to DOGGO DB)

• STACKSET: manages one STACK definition deployed as multiple stacks

Related tools: AWS Cloud Development Kit (AWS CDK), AWS Serverless Application Model (AWS SAM), AWS Serverless Application Repository

AWS Elastic Beanstalk
• Allows you to upload your application code to AWS and provision the required cloud environment easily
• Automatically deploys the necessary AWS resources and components to run your application
• Environment Tiers: Web Server and Worker
• Uses a configuration file to automatically deploy and configure your applications. All configuration files are stored in the .ebextensions folder
AWS CodeDeploy
• A fully managed deployment service
• Automates your application deployments to Amazon EC2 instances, Amazon ECS clusters, AWS Lambda functions, and other computing services in AWS
• Capable of doing hybrid deployments of your applications to your on-premises data center and to AWS
• Does NOT create or provision AWS resources, unlike the AWS CloudFormation service
Amazon ECS
• A container orchestration service that supports Docker containers
• Automates the process of installing, operating, managing, networking and scaling your cluster management infrastructure in AWS
Tutorials Dojo
www.tutorialsdojo.com
• Launch options: Amazon EC2 instances inside your Amazon VPC, AWS Fargate (serverless, internally powered by Amazon EC2 instances), or Amazon ECS Anywhere for containers running in your on-premises data center
• Monitored with Amazon CloudWatch Container Insights
Amazon EKS
• A managed orchestration service that supports Kubernetes containers
• Automates the process of installing, operating, managing, networking and scaling your Kubernetes control plane, pods and nodes in AWS
• Deployment options (Kubernetes clusters running on AWS or on-premises):
  • Amazon EKS on AWS (nodes on Amazon EC2 or AWS Fargate): physical servers supplied by AWS; Kubernetes data plane managed by AWS; Kubernetes control plane managed by AWS; support provided by AWS Support
  • Amazon EKS on AWS Outposts: physical rack server supplied by AWS but managed by you; Kubernetes data plane managed by you; Kubernetes control plane managed by AWS; support provided by AWS Support
  • Amazon EKS Anywhere (Kubernetes cluster running on-premises): physical server supplied and managed by you; Kubernetes data plane managed by you; Kubernetes control plane managed by you; support provided by AWS Support
  • Amazon EKS Distro (Kubernetes cluster running on-premises): physical server supplied and managed by you; Kubernetes data plane managed by you; Kubernetes control plane managed by you; no AWS Support
AWS OpsWorks
• A configuration management service
• Provides managed instances for your automation platforms based on Chef and Puppet
• Automates how your servers are provisioned, configured, and managed across Amazon EC2 instances and on-premises servers
• Offerings: AWS OpsWorks for Chef Automate, AWS OpsWorks for Puppet Enterprise, and AWS OpsWorks Stacks
AWS Proton
• A service that automates container & serverless deployment
• Ensures that you have consistent development standards and best practices across your AWS account
• Deploys container and serverless applications using pre-approved stacks that your platform team manages
• Grants developers the freedom to innovate but still within the guardrails that the security team implemented
• Offers a self-service portal for your developers
• Provides AWS Proton templates, which contain all the information required to deploy your custom environments and services
AWS Monitoring Services Overview
(Diagram: CPU, storage and network metrics and logs are collected and used for forecasts such as "High CPU Utilization Today!")
AWS Monitoring Services: Amazon CloudWatch, AWS Service Health Dashboard, AWS Personal Health Dashboard, AWS Health API
Amazon CloudWatch
• A suite of AWS services used in monitoring your systems, both on AWS and in your on-premises data center
• A metrics repository that collects system data from AWS services as well as your custom metrics
• Monitors and analyzes system metrics
• Notifies you if a certain threshold has been reached
• Triggers an action based on a specific threshold or events that you define
• Components: Metrics, Logs, Alarms, Events, Dashboards
Amazon CloudWatch Metrics
• Collects metrics from various AWS services and your custom applications
• Aggregates (combines) metrics across multiple resources
• Most AWS services send metric data to CloudWatch every 1 minute by default
• For Amazon EC2, the default frequency is every 5 minutes
• Detailed Monitoring sends EC2 metric data every 1 minute
Amazon CloudWatch Logs
• Primarily used for log monitoring
• Allows you to monitor, store, access, analyze or query the logs from your AWS resources or from your custom applications
• Install the CloudWatch Logs agent on your EC2 instances to automatically collect and publish your application logs to CloudWatch (Amazon EC2 instance with the CloudWatch Logs agent publishing to Amazon CloudWatch Logs)
Amazon CloudWatch Alarms
• Allows you to create alarms for your monitoring
• Performs one or more actions based on a system metric and a specific threshold
• Can notify you or other systems/services using Amazon SNS
• Can trigger a custom action, such as:
  • Auto Scaling your EC2 instances
  • Sending a billing alert
  • Invoking a Lambda function
  • … and many more!
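The alarm behaviour above (a threshold, a number of evaluation periods, and actions that fire when the state changes) is easier to reason about with a small model. The following is an added example, not code from the slides or from AWS: it models how an alarm turns a series of datapoints into OK, ALARM or INSUFFICIENT_DATA, using the documented settings names (threshold, evaluation periods, datapoints to alarm, missing-data treatment) but with simplified missing-data handling and constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added illustration, not AWS code: a constructed, simplified model of how a
# CloudWatch alarm evaluates a metric. Sample datapoints and action names below
# are constructed.


@dataclass
class AlarmConfig:
    threshold: float
    comparison: str                  # "GreaterThanThreshold" or "LessThanThreshold"
    evaluation_periods: int          # N: how many of the latest datapoints are examined
    datapoints_to_alarm: int         # M: how many of those N must breach for ALARM
    treat_missing: str = "missing"   # "missing", "breaching" or "notBreaching"


def breaches(cfg: AlarmConfig, value: float) -> bool:
    """True when a single datapoint is on the wrong side of the threshold."""
    if cfg.comparison == "GreaterThanThreshold":
        return value > cfg.threshold
    if cfg.comparison == "LessThanThreshold":
        return value < cfg.threshold
    raise ValueError(f"unsupported comparison {cfg.comparison!r}")


def evaluate_alarm(cfg: AlarmConfig, datapoints: List[Optional[float]]) -> str:
    """Return 'ALARM', 'OK' or 'INSUFFICIENT_DATA' for the latest N datapoints.

    None stands for a period with no data, e.g. an EC2 instance without Detailed
    Monitoring (5-minute data) looked at with a 1-minute period.
    """
    window = datapoints[-cfg.evaluation_periods:]
    present = [v for v in window if v is not None]
    if not present and cfg.treat_missing == "missing":
        return "INSUFFICIENT_DATA"
    breaching = 0
    for v in window:
        if v is None:
            if cfg.treat_missing == "breaching":
                breaching += 1          # a gap counts against us (safe default for security alarms)
        elif breaches(cfg, v):
            breaching += 1
    return "ALARM" if breaching >= cfg.datapoints_to_alarm else "OK"


def actions_to_run(previous_state: str, new_state: str, alarm_actions, ok_actions) -> list:
    """Actions fire on a state transition, not on every evaluation that stays in
    ALARM: a metric that stays high produces one notification, a flapping metric
    produces many."""
    if previous_state == new_state:
        return []
    if new_state == "ALARM":
        return list(alarm_actions)
    if new_state == "OK":
        return list(ok_actions)
    return []


def demo() -> dict:
    # Constructed CPU utilization datapoints (percent), 1-minute period, oldest first.
    cpu = [12.0, 15.0, 84.0, 91.0, 77.0, 95.0]
    cfg = AlarmConfig(threshold=80.0, comparison="GreaterThanThreshold",
                      evaluation_periods=3, datapoints_to_alarm=2)
    state = evaluate_alarm(cfg, cpu)   # last three: 91 (breach), 77, 95 (breach) -> ALARM
    actions = actions_to_run("OK", state,
                             alarm_actions=["sns:notify-oncall (constructed name)"],
                             ok_actions=[])
    return {"state": state, "actions": actions}
```

The "2 out of 3" setting in the demo is what keeps a single noisy datapoint from paging anyone, and `treat_missing="breaching"` is the choice to make for an alarm that watches a security control, where silence should not look like health.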
Amazon CloudWatch Events
• Monitors and responds to the system/service events of your AWS resources in near real-time
• Allows you to create a CloudWatch Event rule to track the changes or the state of your services
• Invokes a certain action if a specific event matches your Event rule
• Allows you to create a scheduled job that invokes a Lambda function on a regular basis, like every hour, every day, every week, or any schedule that you like
• CloudWatch Events and Amazon EventBridge have the same underlying service and API, but the latter provides more features
Amazon CloudWatch Dashboards
• A customizable dashboard containing your AWS system metrics
• Monitor your resources in a single view, even if those resources are located across different AWS Regions
• Allows you to publish and view your custom metrics

AWS Service Health Dashboard
• Shows the service status of AWS services per Region and offers an RSS feed per service
AWS Personal Health Dashboard
• A personalized dashboard that shows the status of the AWS services that you are using
• Does NOT show you the status of all the AWS services globally, but only the status of the AWS services that you have in your account
• Shows the AWS Health events that might affect your applications running on AWS, such as scheduled maintenance or system outages
• Allows you to create alerts and notifications based on the health of your AWS resources
AWS Health API
• Provides programmatic access to the AWS Health information that appears in your AWS Personal Health Dashboard
• A RESTful web service that you can access via HTTPS
• NOT available by default
• Only available in the Business or Enterprise support plans
AWS Audit & Compliance Services Overview
(Diagram: resource changes are recorded for audit)
AWS Audit & Compliance Services: AWS CloudTrail, AWS Artifact, AWS Security Hub
AWS CloudTrail
• Tracks user activity and API usage in your AWS account
• Stores the audit log data in an Amazon S3 bucket
• Enables risk auditing by continuously monitoring and logging account activities, such as user actions made through the AWS Management Console, the AWS SDKs, the AWS API, and the AWS Command Line Interface (CLI)
• Management events (control plane): provide information about the management operations performed ON your AWS resources (e.g. an S3 bucket), such as attaching an IAM role, creating a new VPC, or creating a subnet
• Data events (data plane): provide information about the resource operations performed IN your resources (e.g. S3 objects), such as Amazon S3 object-level API activities or invoking an AWS Lambda function
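The management-versus-data split above is the first thing an auditor applies to a trail. The block below is an added example, not code from the slides or from AWS: a handful of CloudTrail-style records constructed by hand (the account ID, ARNs and IP addresses are placeholders) in the shape of a trail file, plus the classification and the two summaries a defender usually wants first: who changed configuration, and which callers came from outside expected networks.

```python
import json
from collections import Counter
from ipaddress import ip_address, ip_network

# Added illustration, not AWS code. Constructed records with the fields a real
# CloudTrail record carries (eventSource, eventName, eventCategory, readOnly,
# userIdentity, sourceIPAddress); account 123456789012 and the IPs are placeholders.
SAMPLE_TRAIL = json.loads("""
{"Records": [
 {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "AttachRolePolicy", "eventCategory": "Management", "readOnly": false,
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
  "sourceIPAddress": "198.51.100.7"},
 {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "CreateVpc", "eventCategory": "Management", "readOnly": false,
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
  "sourceIPAddress": "198.51.100.7"},
 {"eventTime": "2024-01-01T10:02:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "CreateSubnet", "eventCategory": "Management", "readOnly": false,
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
  "sourceIPAddress": "198.51.100.7"},
 {"eventTime": "2024-01-01T10:03:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "PutObject", "eventCategory": "Data", "readOnly": false,
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc"},
  "sourceIPAddress": "10.0.1.25"},
 {"eventTime": "2024-01-01T10:04:00Z", "eventSource": "lambda.amazonaws.com",
  "eventName": "Invoke", "eventCategory": "Data", "readOnly": false,
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc"},
  "sourceIPAddress": "10.0.1.25"},
 {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "ListBuckets", "readOnly": true,
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
  "sourceIPAddress": "203.0.113.9"}
]}
""")["Records"]

# Data-plane operation names for a few services, used only when a record has
# no eventCategory field (older trail records do not carry it).
DATA_PLANE = {
    "s3.amazonaws.com": {"GetObject", "PutObject", "DeleteObject", "HeadObject"},
    "lambda.amazonaws.com": {"Invoke"},
}


def classify(record: dict) -> str:
    """'Data' for operations performed IN a resource, 'Management' for operations ON it."""
    if record.get("eventCategory") in ("Management", "Data"):
        return record["eventCategory"]
    names = DATA_PLANE.get(record["eventSource"], set())
    return "Data" if record["eventName"] in names else "Management"


def summarize(records) -> dict:
    by_category = {"Management": [], "Data": []}
    for r in records:
        by_category[classify(r)].append(r["eventName"])
    return by_category


def config_changes_by_principal(records) -> Counter:
    """Mutating management calls per caller: the events that change the account's
    configuration, which an auditor reviews before any read-only activity."""
    counts = Counter()
    for r in records:
        if classify(r) == "Management" and not r.get("readOnly", False):
            counts[r["userIdentity"]["arn"]] += 1
    return counts


def principals_outside_networks(records, trusted_cidrs) -> list:
    """Callers whose source address is outside every expected network."""
    nets = [ip_network(c) for c in trusted_cidrs]
    return sorted({r["userIdentity"]["arn"] for r in records
                   if not any(ip_address(r["sourceIPAddress"]) in n for n in nets)})
```

Data events are not logged unless you enable them on the trail, which is why the S3 and Lambda records above only exist if someone chose to pay for them; the management events are always there.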
AWS Artifact
• Provides on-demand AWS security and compliance reports
• Acts as a self-service portal to find compliance-related information and reports for:
  • ISO reports
  • Payment Card Industry (PCI) reports
  • Service Organization Control (SOC) reports
  • … and many more!
• Allows you to download AWS security and compliance documents such as the SOC 1 report, ISO certifications, and other reports
AWS Security Hub
• Provides a centralized & comprehensive view of the security posture of your cloud infrastructure across multiple AWS accounts
• Helps you to comply with your company’s specific security standards and best practices
• Collects security alerts and findings from Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS IAM Access Analyzer, and AWS Firewall Manager
AWS Networking & Content Delivery Services Overview
AWS Networking & Content Delivery Services: Amazon VPC, Elastic Load Balancing, Amazon Route 53, AWS Global Accelerator, Amazon CloudFront, AWS PrivateLink, AWS VPN, AWS Direct Connect, AWS Transit Gateway, Amazon API Gateway (also categorized as an Application Integration Service), AWS App Mesh, AWS Cloud Map
Amazon Virtual Private Cloud (Amazon VPC)
(Diagram: a VPC inside a Region with IPv4 CIDR range 10.0.0.0/16 and IPv6 CIDR range 2001:db8:1234:1a00::/56, a private subnet 10.0.0.0/24 and a public subnet 10.0.1.0/24, a route table, an Internet Gateway, a Virtual Private Gateway, and resources such as Amazon EFS, Amazon RDS, Amazon FSx and Amazon EC2)
(Diagram: the same VPC reaching the public Internet through the Internet Gateway, and an on-premises data center through a Customer Gateway connected to the Virtual Private Gateway)
(Diagram: VPC Peering between VPC A (Manila Branch) in Asia Pacific (Singapore) and VPC B (New York Branch) in US East (Northern Virginia))
(Diagram: network virtualization: the virtual devices of a VPC are backed by physical devices such as a PCIe network interface card and the Nitro Card for VPC)
(Diagram: a VPC extended to an AWS Outpost through a Local Gateway, alongside the Internet Gateway, Customer Gateway and Virtual Private Gateway connections)
(Diagram: a VPC Endpoint gives resources such as Amazon EC2 and Auto Scaling private access to Amazon S3, Amazon DynamoDB and other services that are also located within the AWS Cloud; the traffic does NOT pass through the public Internet)
Elastic Load Balancing
• Automatically distributes incoming traffic across multiple targets such as Amazon EC2 instances, Amazon ECS tasks, AWS Fargate tasks, AWS Lambda functions, and IP addresses
• It distributes (load balances) the incoming traffic to your underlying resources
• Provides high availability to your web applications: if one of your servers or EC2 instances fails (unhealthy resource), the request will be routed to another server (healthy resource)
• Routes incoming traffic across multiple Availability Zones, within a single AWS Region only
• Elastic Load Balancing types:
  • Application Load Balancer (ALB): protocol listeners HTTP / HTTPS and gRPC; use cases: web apps, microservices & containers
  • Network Load Balancer (NLB): protocol listeners TCP / UDP and TLS; use cases: handling millions of requests per second while maintaining ultra-low latencies, and TCP passthrough configuration
  • Gateway Load Balancer (GWLB): protocol listener IP; use case: running third-party virtual appliances in AWS
  • Classic Load Balancer (CLB): protocol listeners HTTP / HTTPS, TCP and SSL/TLS; use cases: legacy applications, and implementing custom security policies
Amazon Route 53
• A Domain Name System (DNS) web service
• DNS is a system that routes a domain name to a particular IP address
• Maps domain names to an Elastic IP address, an Amazon EC2 instance, an Amazon S3 static website, Elastic Load Balancers, Amazon CloudFront web distributions, or an on-premises data center
• Lets you buy domains and manage domains
• The root domain (e.g. tutorialsdojo.com) is also known as the Zone Apex or Naked Domain; subdomains such as philippines.tutorialsdojo.com, blog.tutorialsdojo.com, portal.tutorialsdojo.com, cdn.tutorialsdojo.com and manila-datacenter.tutorialsdojo.com can each point to a different target
• Routing policies: Simple, Failover, Geolocation, Geoproximity, Latency-Based, Multivalue Answer, Weighted
AWS Global Accelerator
• Provides a set of static anycast IP addresses
• The static IP address serves as a single fixed entry point to an Elastic IP address, a Network Load Balancer, an Application Load Balancer, or an Amazon EC2 instance
(Diagram: one static anycast IP address in front of an Application Load Balancer with EC2 instances in the US East Region and a Network Load Balancer with EC2 instances in the Sydney Region)
Amazon CloudFront
• A content delivery network (CDN) service
• Quickly delivers static content and video streams to your clients
• A CDN is a globally distributed network of servers spread around the globe that stores or caches your files
• Reduces latency by shortening the time it takes to deliver your data to your users
• Improves the response time of your application
• Caches your images, videos, media files, or software packages

AWS PrivateLink
• Allows private connectivity to various AWS services
• Does not pass through the public Internet
• Provides a private endpoint (VPC Endpoint) that your Amazon VPC can use to reach Amazon EC2, Amazon S3, Amazon DynamoDB and other services, all of which are located within the AWS Cloud
AWS VPN
• AWS Virtual Private Network, or AWS VPN
• Enables you to connect your on-premises network to AWS
• An encrypted connection that passes through the public Internet
• Uses the IPsec protocol to authenticate and encrypt your data in transit
• Two offerings and their endpoints:
  • AWS Site-to-Site VPN: from the Customer Gateway in your on-premises data center to a Site-to-Site VPN endpoint (a Virtual Private Gateway or an AWS Transit Gateway) in front of your Amazon VPC
  • AWS Client VPN: from the Client VPN software on a user’s device to a Client VPN endpoint
AWS Direct Connect
• Allows you to establish a dedicated network connection from your on-premises network to AWS
• Provides a more consistent network experience than Internet-based connections such as a VPN, and a higher bandwidth
• You can create a private virtual interface to enable your on-premises servers to connect to the virtual private gateway of your Amazon VPC
• You can group your virtual private gateways and private virtual interfaces using a Direct Connect Gateway
• You can also use a public virtual interface to connect to your Amazon S3 buckets and other public resources in AWS
• The traffic does NOT pass through the public Internet
(Diagram: a customer router in the on-premises data center connects through AWS Direct Connect to a Direct Connect Gateway, which reaches hundreds of Amazon VPCs)
AWS Transit Gateway
• Connects your cloud networks (e.g. Amazon VPCs, AWS Site-to-Site VPNs, Direct Connect Gateways, and on-premises networks) to a single gateway
• Recommended for large organizations with hundreds of Amazon VPCs, site-to-site VPNs, and external networks
• Reduces the complexity of your infrastructure and makes scaling easier
Amazon API Gateway
• Allows you to publish, maintain, monitor, and secure your RESTful APIs
• Also supports WebSockets for real-time message communication
• Acts as a front door for your back-end services that are running on Amazon EC2, Amazon ECS, AWS Fargate, AWS Lambda, or AWS Elastic Beanstalk
• Works as a proxy, similar to Apigee, MuleSoft and other proxies/integration platforms
AWS App Mesh
• A service mesh (an infrastructure layer that handles communication between microservices)
• Provides application-level networking for the different types of containerized applications in AWS
• Allows your services to communicate with each other across multiple types of computing infrastructure
• Uses Envoy (an open-source service mesh proxy)
• Can be used with microservice containers managed by Amazon ECS, Amazon EKS, AWS Fargate, or Amazon EC2
AWS Cloud Map
• A cloud resource discovery service
• Commonly used in microservices and containerized applications that have dynamically changing resources
• You can name your containerized application resources with custom names
• Improves your containerized applications in AWS by always discovering the most up-to-date locations of your resources
• Improves the availability of your system
Application Integration Services Overview
(Diagram: a monolithic application with its user interface, business logic and data access layer in one unit, compared with microservices where separate UIs and services 1 to 5 communicate through queues)
Application Integration Services: Amazon Simple Queue Service (Amazon SQS), Amazon Simple Notification Service (Amazon SNS), AWS Step Functions, Amazon MQ, Amazon EventBridge, AWS AppSync, Amazon AppFlow
Amazon Simple Queue Service (Amazon SQS)
• A fully managed message queueing service
• The messages can be consumed or processed by Amazon EC2, AWS Lambda, Amazon ECS, or other consumers
• Can replace your traditional message-oriented middleware without having to manage any servers or resources
• Amazon SQS types:
  • Standard: delivery at least once (possible duplicate messages!); best-effort ordering (messages might be delivered in a different order from the one in which they were received); high throughput
  • FIFO (First In, First Out): delivery exactly once; preserves the exact order; limited throughput
• The ChangeMessageVisibility API adjusts how long a received message stays hidden from other consumers
• Queue metrics such as the Age of the Oldest Message, Queue Depth, and Number of Messages can drive a Target Tracking Policy that scales an Auto Scaling group of EC2 consumers
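The Standard-versus-FIFO row above is best understood by watching the two guarantees fail and hold. What follows is an added example, not code from the slides or from AWS: two in-memory queues that model at-least-once redelivery after a visibility timeout, the ChangeMessageVisibility lease extension, and FIFO deduplication plus per-group ordering. The visibility timeout, the 5-minute deduplication window and the MessageGroupId behaviour follow SQS's documented semantics; the class names, sample messages and timings are constructed.

```python
import itertools
from collections import deque

# Added illustration, not AWS code: simplified in-memory models of the two
# SQS queue types. Message bodies, group ids and timings are constructed.


class StandardQueue:
    """At-least-once delivery: a received message is hidden only for the
    visibility timeout; if the consumer never deletes it, it is delivered again."""

    def __init__(self, visibility_timeout: int = 30):
        self.visibility_timeout = visibility_timeout
        self._ids = itertools.count(1)
        self._messages = {}        # message id -> body
        self._hidden_until = {}    # message id -> time it becomes visible again

    def send(self, body: str) -> int:
        mid = next(self._ids)
        self._messages[mid] = body
        return mid

    def receive(self, now: float):
        for mid, body in self._messages.items():
            if self._hidden_until.get(mid, 0) <= now:
                self._hidden_until[mid] = now + self.visibility_timeout
                return mid, body           # the id doubles as the receipt handle
        return None

    def change_visibility(self, receipt: int, timeout: int, now: float) -> None:
        """ChangeMessageVisibility: a slow consumer extends its lease so the
        message is not redelivered to another consumer while it is still working."""
        self._hidden_until[receipt] = now + timeout

    def delete(self, receipt: int) -> None:
        self._messages.pop(receipt, None)
        self._hidden_until.pop(receipt, None)


class FifoQueue:
    """Exactly-once processing: a repeated send with the same
    MessageDeduplicationId inside the window is accepted but not enqueued, and
    messages within one MessageGroupId are released strictly in order."""

    DEDUP_WINDOW = 300  # seconds

    def __init__(self, visibility_timeout: int = 30):
        self.visibility_timeout = visibility_timeout
        self._groups = {}       # group id -> deque of bodies
        self._seen = {}         # dedup id -> time first accepted
        self._in_flight = {}    # group id -> time the head message is hidden until

    def send(self, body: str, group_id: str, dedup_id: str, now: float) -> bool:
        first = self._seen.get(dedup_id)
        if first is not None and now - first < self.DEDUP_WINDOW:
            return False                    # duplicate producer retry: dropped
        self._seen[dedup_id] = now
        self._groups.setdefault(group_id, deque()).append(body)
        return True

    def receive(self, now: float):
        for gid, q in self._groups.items():
            if q and self._in_flight.get(gid, 0) <= now:
                self._in_flight[gid] = now + self.visibility_timeout
                return gid, q[0]            # only the head of a group is offered
        return None

    def delete(self, group_id: str) -> None:
        self._groups[group_id].popleft()
        self._in_flight.pop(group_id, None)


def demo_standard():
    q = StandardQueue(visibility_timeout=30)
    q.send("order-1")
    first = q.receive(now=0)
    # The consumer crashes before calling delete: after the timeout the same
    # message is handed out again, so consumers of a Standard queue must be idempotent.
    second = q.receive(now=31)
    return first[1], second[1]


def demo_fifo():
    q = FifoQueue()
    q.send("order-1", "customer-A", "dedup-1", now=0)
    q.send("order-2", "customer-A", "dedup-2", now=1)
    duplicate_accepted = q.send("order-1", "customer-A", "dedup-1", now=2)  # producer retry
    delivered = []
    while (msg := q.receive(now=5)) is not None:
        delivered.append(msg[1])
        q.delete(msg[0])
    return duplicate_accepted, delivered
```

A FIFO queue still redelivers a message whose consumer died before deleting it; "exactly once" refers to deduplicated sends, not to consumers that never acknowledge.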


(Diagram: Amazon SNS publishes to Amazon SQS queues consumed by Amazon ECS tasks (ECS Task 1 and ECS Task 2), which write data to an Amazon S3 bucket)
Amazon Simple Notification Service (Amazon SNS)
• A fully managed messaging and notification service
• Enables you to communicate between systems through publish/subscribe patterns or pub/sub messaging
• Messaging via mobile push, email, or SMS
• Fanout: a single SNS topic delivers to multiple subscribers, such as the Car Insurance, Home Insurance and Pet Insurance queues
• Event notifications: receives events from Amazon CloudWatch and Amazon RDS, as well as custom events
• Message Filtering: subscribers receive only the messages that match their filter policy (e.g. filter by QUOTE type), so the Car Insurance queue is consumed by Amazon EC2, the Home Insurance queue by Amazon ECS, and the Pet Insurance queue by AWS Lambda
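The fanout-with-filtering diagram above turns on how a subscription's filter policy is matched against a message's attributes. The block below is an added example, not code from the slides or from AWS: an evaluator for the commonly used subset of the SNS filter-policy syntax (exact match, prefix, anything-but, single-bound numeric), applied to constructed subscriptions and messages; the queue and function names are placeholders.

```python
# Added illustration, not AWS code: a small evaluator for a subset of SNS
# filter-policy syntax, plus fan-out over constructed subscriptions.

_NUMERIC_OPS = {
    "=": lambda v, b: v == b,
    ">": lambda v, b: v > b,
    ">=": lambda v, b: v >= b,
    "<": lambda v, b: v < b,
    "<=": lambda v, b: v <= b,
}


def _match_condition(cond, value) -> bool:
    """One condition from a policy's list against one attribute value."""
    if not isinstance(cond, dict):
        return cond == value                      # exact string match
    if "prefix" in cond:
        return isinstance(value, str) and value.startswith(cond["prefix"])
    if "anything-but" in cond:
        excluded = cond["anything-but"]
        excluded = excluded if isinstance(excluded, list) else [excluded]
        return value not in excluded
    if "numeric" in cond:
        op, bound = cond["numeric"][0], cond["numeric"][1]
        return isinstance(value, (int, float)) and _NUMERIC_OPS[op](value, bound)
    raise ValueError(f"unsupported condition {cond!r}")


def matches(policy: dict, attributes: dict) -> bool:
    """AND across attribute names, OR across the conditions listed for one name.
    A name that the policy requires but the message lacks fails the match."""
    for name, conditions in policy.items():
        if name not in attributes:
            return False
        if not any(_match_condition(c, attributes[name]) for c in conditions):
            return False
    return True


# Constructed subscriptions: (target name, filter policy or None for "everything").
SUBSCRIPTIONS = [
    ("car-insurance-queue", {"quote_type": ["car"]}),
    ("home-insurance-queue", {"quote_type": ["home"]}),
    ("pet-insurance-queue", {"quote_type": ["pet"]}),
    ("high-value-review-lambda", {"premium": [{"numeric": [">=", 1000]}]}),
    ("non-car-analytics", {"quote_type": [{"anything-but": ["car"]}]}),
    ("audit-log", None),
]


def fanout(subscriptions, attributes: dict) -> list:
    """Targets that receive a message published with the given attributes."""
    return [target for target, policy in subscriptions
            if policy is None or matches(policy, attributes)]
```

Filtering happens in SNS before delivery, so a queue whose policy does not match never sees the message and its consumer never pays to discard it; the unfiltered `audit-log` subscription shows the cost of leaving a policy off.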
AWS Step Functions
• A serverless function orchestrator for AWS Lambda
• Allows you to orchestrate multiple AWS Lambda functions in order to achieve a specific workflow
• Enables you to create a state machine containing a combination of steps, activities and service tasks
• Example workflow: Step 1 Register (Lambda), Step 2 Verification (Lambda), Step 3 Send Report (Lambda)
Amazon MQ
• A managed message broker service
• Uses open-source message brokers (Apache ActiveMQ and RabbitMQ)
• The “MQ” in Amazon MQ stands for Message Queue, which is a form of asynchronous communication
• Works like Amazon SQS but supports more messaging protocol types
• Supports Java Message Service (JMS), .NET Message Service (NMS), AMQP, MQTT, WebSocket and many others
Amazon EventBridge
• A serverless event bus service
• Enables you to connect applications together using data from your own applications, Software-as-a-Service (SaaS) applications, and other AWS services
• Uses the same service API, endpoint, and underlying service infrastructure as Amazon CloudWatch Events
• Recommended for your own applications, third-party Software-as-a-Service apps, and other external sources
• Suitable for building event-driven applications
AWS AppSync
• A managed service that uses GraphQL
• GraphQL is a data query language that basically allows you to query your REST APIs
• Has different types of schema operations: Query (read data), Mutation (write data), Subscription (download/upload data)
• Only fetches the data that you want and not the entire data set
• Unlike a REST API, you can query different APIs or resources easily using a single API call
• Uses a Resolver, which populates the data in your schema
• Simplifies application development by easily integrating GraphQL with your applications
Amazon AppFlow
• A fully managed integration service
• Enables you to securely transfer data between various systems such as your Software-as-a-Service (SaaS) applications and different AWS services
• Supports different SaaS apps such as Salesforce, Marketo, Slack, ServiceNow and many more
• Can be integrated with other AWS services
• Allows you to run your data flows on-demand, on a schedule, or in response to a business event
• Provides you with powerful data transformation capabilities like filtering and validation
AWS Security Services Overview
(Diagram: the 7 Open Systems Interconnection (OSI) model layers, and a DDoS (Distributed Denial-of-Service) attack illustrated as floods of UDP packets and TCP SYN packets over IP, shown next to the normal SYN, SYN-ACK, ACK handshake)
AWS Security Services: AWS Web Application Firewall (AWS WAF), AWS Firewall Manager, AWS Shield, Amazon GuardDuty, AWS CloudHSM, AWS Key Management Service (AWS KMS), AWS Certificate Manager (AWS ACM), AWS Secrets Manager, Amazon Macie, Amazon Inspector, Amazon Detective
AWS Web Application Firewall (AWS WAF)
• A web application firewall service
• Protects your web applications from common web exploits
• Allows you to create custom rules that block common attack patterns such as cross-site scripting (XSS)
• Can be integrated with Amazon CloudFront, an Application Load Balancer, and Amazon API Gateway
• Has an IP Match condition feature: you can block malicious requests from a recurring set of IP addresses
• Can protect your application from illegitimate requests sent by illegitimate external systems through its rate-limiting rule (a rate-based rule in a Web Access Control List, or Web ACL)
• Has a Geo Match condition to allow or block requests by the country they originate from
• Only minimizes DDoS attacks (does not entirely mitigate them)
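The Web ACL conditions just listed (IP match, Geo match, rate-based) are evaluated in order, with the first matching rule deciding the action. The block below is an added example, not code from the slides or from AWS: a constructed Web ACL whose rate-based rule keeps a sliding window of requests per source IP, run over a hand-made request log. The request limit, the blocked IP set and the two-letter country codes (XA and XB, user-assigned placeholders) are constructed sample values.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Added illustration, not AWS code: a constructed Web ACL with an IP match
# rule, a geo match rule and a rate-based rule, evaluated in order over a
# constructed request log. All IPs, limits and country codes are sample values.


class RateBasedRule:
    """Counts requests per source IP over a sliding window and reports an IP
    once it exceeds the limit. It needs nothing from the request body, which
    is why it works against floods of otherwise well-formed requests."""

    def __init__(self, limit: int, window_seconds: int = 300):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)    # ip -> timestamps inside the window

    def exceeds(self, ip: str, now: float) -> bool:
        q = self._hits[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                    # forget hits that fell out of the window
        return len(q) > self.limit


class WebACL:
    def __init__(self, blocked_cidrs, blocked_countries, rate_limit: int):
        self.ip_set = [ip_network(c) for c in blocked_cidrs]
        self.countries = set(blocked_countries)
        self.rate_rule = RateBasedRule(rate_limit)

    def evaluate(self, request: dict) -> tuple:
        """(action, rule) for one request; rules run top to bottom, first match
        wins, so the cheap IP and geo checks sit before the rate counter."""
        addr = ip_address(request["ip"])
        if any(addr in net for net in self.ip_set):
            return "BLOCK", "ip-match"
        if request["country"] in self.countries:
            return "BLOCK", "geo-match"
        if self.rate_rule.exceeds(request["ip"], request["t"]):
            return "BLOCK", "rate-based"
        return "ALLOW", "default"


def run_log(acl: WebACL, requests) -> list:
    """Decision per request, in log order: (ip, time, action, rule)."""
    return [(r["ip"], r["t"], *acl.evaluate(r)) for r in requests]


# Constructed request log: source IP, country code, seconds since start.
REQUEST_LOG = (
    [{"ip": "192.0.2.5", "country": "XA", "t": 0}]                          # in the blocked IP set
    + [{"ip": "203.0.113.10", "country": "XA", "t": t} for t in range(6)]   # 6 hits with limit 5
    + [{"ip": "198.51.100.20", "country": "XB", "t": 10}]                   # blocked country
    + [{"ip": "203.0.113.10", "country": "XA", "t": 400}]                   # window has slid on
)


def demo() -> list:
    acl = WebACL(blocked_cidrs=["192.0.2.0/24"], blocked_countries=["XB"], rate_limit=5)
    return run_log(acl, REQUEST_LOG)
```

The last log entry is the part worth noticing: once the earlier hits age out of the window the same IP is allowed again, which is what the slide means by WAF minimizing rather than fully mitigating a flood.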
AWS Firewall Manager
• A security management service designed for AWS WAF rules
• Allows you to centrally configure and manage WAF rules across multiple AWS accounts and applications
• Enables you to roll out your custom rules (a Web ACL) to your AWS Organization, e.g. to the Amazon CloudFront distributions, Application Load Balancers and Amazon API Gateway APIs in the Manila and New Clark City AWS accounts
AWS Shield
• A managed DDoS protection service
• Provides detection and automatic mitigations that minimize application downtime and latency
• Mitigates different types of flood attacks such as UDP reflection, SYN flood, DNS query flood, and HTTP flood attacks
• Protects your applications that use Amazon EC2, Elastic Load Balancing, Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53
• Two tiers:
  • Standard: built in by default; no extra charge
  • Advanced: has an additional charge; provides access to real-time DDoS attack notifications; the DDoS Response Team (DRT) supports you during a DDoS attack
Amazon GuardDuty
• A managed threat detection service
• Identifies malicious or unauthorized activities in your AWS accounts and workloads
• Monitors activities such as unusual API calls, cryptocurrency mining, or potentially unauthorized deployments that indicate a possible account compromise
• Also detects potentially compromised Amazon EC2 instances
• Produces security reports called Findings
• Able to send notifications using CloudWatch Events when a change is detected
• NOT capable of making any resource changes by itself, such as rate-limiting protection or DDoS attack mitigation
AWS CloudHSM
• A fully managed, cloud-based hardware security module (HSM)
• The HSM in CloudHSM means Hardware Security Module: a physical hardware device that performs cryptographic operations and securely stores cryptographic key material (offered by leading HSM providers)
• Enables you to easily generate and use your own encryption keys
• Encryption keys can be 128-bit or 256-bit
• Key material is a random Base64 or hexadecimal string, or a binary file ( .bin ), used by your encryption key
• The CloudHSM client is installed and hosted on your Amazon EC2 instances
• The HSM cluster is deployed in your Amazon VPC
• Single tenant: only used by one tenant or user (you)
• Can be used to:
  • Offload SSL processing
  • Enable Transparent Data Encryption (TDE) for Oracle databases
  • Protect the private keys for an Issuing Certificate Authority (CA)
  • Integrate CloudHSM and AWS KMS to create a custom key store
AWS Key Management Service (AWS KMS)
• A managed service that works like AWS CloudHSM
• Internally, it also uses hardware security modules (HSMs) for creating and controlling your encryption keys
• Has multi-tenant access (shared HSM): you share the HSM with other tenants or AWS customers
• Unlike CloudHSM, you cannot launch the HSM into an Amazon VPC or EC2 instances (as clients with direct HSM access) that you own
• Can be integrated with other AWS services to help you protect the data you store with these services, e.g. an AWS KMS key used for Amazon EBS snapshots, Amazon S3 encryption, Amazon RDS encryption, and other services
• Envelope encryption: the Customer Master Key (CMK) encrypts a data key, and the data key encrypts your plaintext data
• AWS KMS automatically rotates your CMK
• You can also create a custom key store in AWS KMS with AWS CloudHSM
• Provides complete control over your encryption key lifecycle management
• Allows you to remove the key material of your encryption keys
• You can audit key usage with AWS CloudTrail, independently of AWS KMS
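Envelope encryption, and why rotating the master key does not mean re-encrypting the data, is clearer in code. The block below is an added example, not code from the slides or from AWS: it walks through the pattern the CMK / data key / plaintext diagram describes. Because the Python standard library has no AES, a labelled toy cipher (a SHA-256 counter-mode keystream with an HMAC tag) stands in for the AES-GCM that KMS actually uses; the function names and the 32-byte master keys are constructed.

```python
import hashlib
import hmac
import os

# Added illustration, not AWS code. The toy cipher below is a stand-in for a
# real AEAD such as AES-GCM and must not be used outside this demonstration;
# the envelope structure around it is the part that mirrors KMS.


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag. Toy stand-in for AES-GCM."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext rejected: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def generate_data_key(master_key: bytes):
    """Like KMS GenerateDataKey: returns the data key in plaintext (for one-time
    use by the caller) and the same key wrapped under the master key."""
    plaintext_key = os.urandom(32)
    return plaintext_key, toy_encrypt(master_key, plaintext_key)


def encrypt_envelope(master_key: bytes, data: bytes) -> dict:
    """The master key never touches the data; it only wraps the data key."""
    data_key, wrapped_key = generate_data_key(master_key)
    ciphertext = toy_encrypt(data_key, data)
    del data_key                                 # plaintext data key is discarded after use
    return {"wrapped_key": wrapped_key, "ciphertext": ciphertext}


def decrypt_envelope(master_key: bytes, envelope: dict) -> bytes:
    data_key = toy_decrypt(master_key, envelope["wrapped_key"])   # like KMS Decrypt
    return toy_decrypt(data_key, envelope["ciphertext"])


def rewrap(old_master: bytes, new_master: bytes, envelope: dict) -> dict:
    """Master key rotation: only the small wrapped data key is re-encrypted;
    the bulk ciphertext is untouched, so rotating costs one KMS call per object."""
    data_key = toy_decrypt(old_master, envelope["wrapped_key"])
    return {"wrapped_key": toy_encrypt(new_master, data_key),
            "ciphertext": envelope["ciphertext"]}
```

The envelope is also why a data key that is lost together with its wrapped copy makes the data unrecoverable, and why KMS key usage shows up in CloudTrail as Decrypt calls against the master key rather than as access to the data itself.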


AWS Secrets Manager
• Protects the secrets of your applications, services, and IT resources
• Enables you to easily rotate, manage, and retrieve your secrets
• A secret can be:
  • A database password
  • An API key
  • An authentication token
  • Other sensitive data
• Eliminates hardcoded sensitive information stored in plain text
• Offers secret rotation, using AWS Lambda, with built-in integration for Amazon RDS, Amazon Redshift, Amazon DocumentDB and other services
• Control access to secrets using fine-grained permissions and centrally audit your secrets
• Not recommended for storing encryption keys or key material since it does not use an HSM
Amazon Macie
• A fully managed data security and data privacy service
• Automatically recognizes and classifies sensitive data or intellectual property
• Uses machine learning to automatically discover, classify, and protect sensitive data stored in your Amazon S3 buckets and other services
• Recognizes sensitive data such as personally identifiable information (PII); the slide's sample record: Name: Jon Bonso; Social Security #: 06-12-1898; Driver License #: PH18981206; Bank Account #: 12061898; Password: AdoBonGM4n0k; Email Address: [email protected]
• Provides dashboards and alerts that give visibility into how sensitive data is being accessed or moved
AWS Certificate Manager (AWS ACM)
• Provisions, manages, and deploys public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates
• Enables you to create private certificates for your internal resources and manage the certificate lifecycle centrally
• SSL certificates are free of charge for ACM-integrated services such as Amazon API Gateway and Elastic Load Balancing
Amazon Inspector
• An automated security assessment service
• Improves the security and compliance of applications deployed on your AWS cloud infrastructure
• Automatically assesses applications for vulnerabilities or deviations from best practices
• Produces a detailed list of security findings prioritized by level of security risk severity
• Provides an automated security assessment report that identifies unintended network access to your Amazon EC2 instances
• The detailed assessment reports are available via the Amazon Inspector console or API
Amazon Detective
• Helps you detect the root cause of your security issues more easily
• Analyzes, investigates, and quickly identifies the potential security issues or suspicious activities in your AWS infrastructure
• Automatically collects log data from various AWS resources such as AWS CloudTrail, VPC Flow Logs, and GuardDuty findings
• Uses machine learning to analyze and conduct security investigations
AWS Management & Governance Services Overview
Standards such as SOP (Standard Operating Procedures), HIPAA (Health Insurance Portability and Accountability Act of 1996) and GDPR (General Data Protection Regulation) set the requirements these services help you meet.
MANAGE: control resources. GOVERN: enforce standards and ensure compliance.
Management services: AWS Management Console, AWS Command Line Interface (AWS CLI), AWS Console Mobile Application, AWS Systems Manager (SSM), AWS Resource Access Manager
Governance services: AWS Config, AWS Organizations, AWS Service Catalog, AWS Control Tower
AWS Management Console
• A web interface to control your AWS resources
• Accessible through your web browser
• Log in using your IAM username and password
• Supports Multi-Factor Authentication (MFA)
• Accessible via this URL: https://console.aws.amazon.com
AWS Command Line Interface (AWS CLI)
• A command-line interface to control your AWS resources
• Accessible through your terminal, command prompt or Windows PowerShell
• Allows you to develop custom shell scripts that invoke different AWS CLI commands
AWS Console Mobile Application
• The official mobile app provided by Amazon Web Services
• Allows you to monitor your resources through a dedicated dashboard
• Enables you to view the configuration details, metrics, and alarms of select AWS services (not all services) on your mobile device
• Provides an overview of the account status, real-time CloudWatch metrics, the Personal Health Dashboard, and AWS Billing
• Has limited capabilities compared with the AWS Management Console and the AWS CLI
• A suite of services that allows you to manage your resources

• Allows you to control both of your AWS Cloud and on-premises


infrastructure

• Composed of:

Session Manager State Manager Patch Manager Automation

AWS Systems Manager


(SSM) Maintenance
Run Command Parameter Store Others
Windows

• Also has an SSM agent that you can install on your


EC2 instances or on-premises servers to centrally
Amazon EC2 On-premises
manage your resources Instances Servers
Patch Manager
• Applies OS patches from a predefined or custom patch baseline to your Amazon EC2 instances and on-premises servers
• Works together with Maintenance Windows

State Manager
• Maintains a defined state on your servers, covering:
  ‣ Installed software (e.g. startup script, antivirus, etc.)
  ‣ Server configurations
  ‣ Firewall settings
• Associates Ansible playbooks, Chef recipes, PowerShell modules, and other SSM Documents with your instances

Parameter Store
• Stores parameters such as:
  ‣ Passwords
  ‣ Database strings
  ‣ Amazon Machine Image (AMI) IDs
  ‣ License codes
  ‣ Environment variables
• Secure String parameters are encrypted with AWS KMS
AWS Resource Access Manager (AWS RAM)
• Enables you to easily and securely share your AWS resources with any AWS account or within your AWS Organization
• Allows you to share: subnets (private and public), AWS Transit Gateway, AWS License Manager, Amazon Route 53 Resolver, and other AWS resources
• Eliminates the need to create duplicate resources in multiple accounts
• Reduces the operational overhead of managing multiple resources in each and every single account you own
GOVERN: AWS Config, AWS Organizations, AWS Service Catalog, AWS Control Tower

AWS Config
• Enables you to assess, audit, and evaluate the configurations of your AWS resources
• Automates your compliance assessment process
• Provides visibility on the existing configurations of your various AWS services and third-party resources (such as your on-premises servers)
• Enables you to identify the changes made to a specific resource over time
• Uses periodic or change-based configuration collectors to record your resources (including on-premises ones) and their changes
• Config rules flag non-compliant resources, which can trigger a notification (Amazon CloudWatch Events invoking AWS Lambda) or a remediation (AWS Systems Manager Automation), for example:
  ‣ Config Rule 1: the AMI was shared to the AWS Marketplace
  ‣ Config Rule 2: the S3 bucket was set to public
  ‣ The Elastic IP address associated with the EC2 instance was removed
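The "bucket was set to public" rule above is a good place to see what a change-triggered Config rule actually evaluates. The following is an added example, not code from the slides or from AWS: it models the logic of a custom rule's Lambda function over constructed configuration items. The item layout (a `grants` list under `configuration`, the policy text under `supplementaryConfiguration.BucketPolicy`) is a simplified assumption, the bucket names and instance id are placeholders, and the call that would report the result to AWS Config (PutEvaluations) is left out so the code runs offline.

```python
"""Custom AWS Config rule logic for the "bucket was set to public" check.

Added example, not from the slides or from AWS. It models what the Lambda
function behind a custom Config rule does: read the configuration item
AWS Config delivers when a resource changes, decide COMPLIANT or
NON_COMPLIANT, and return the evaluation. A real rule reports the result
with the PutEvaluations API; that call is left out so this runs offline.
"""
import json

# ACL grantee URIs that open an S3 bucket to everyone (real AWS group URIs).
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def policy_allows_everyone(policy_text):
    """True if a bucket policy has an unconditional Allow for Principal '*'."""
    if not policy_text:
        return False
    statements = json.loads(policy_text).get("Statement", [])
    for stmt in statements if isinstance(statements, list) else [statements]:
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and wildcard and "Condition" not in stmt:
            return True
    return False


def acl_allows_everyone(grants):
    """True if any ACL grant targets the AllUsers or AuthenticatedUsers group."""
    return any(g.get("grantee", {}).get("uri") in PUBLIC_GRANTEES for g in grants)


def evaluation(item, compliance, annotation):
    """One entry of the Evaluations list that AWS Config accepts."""
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance, "Annotation": annotation,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}


def evaluate_bucket(item):
    """Evaluate one AWS::S3::Bucket item. Assumed (simplified) layout:
    configuration.grants holds the ACL grants and
    supplementaryConfiguration.BucketPolicy the policy as a JSON string."""
    reasons = []
    if acl_allows_everyone(item.get("configuration", {}).get("grants", [])):
        reasons.append("ACL grants access to a public group")
    if policy_allows_everyone(item.get("supplementaryConfiguration", {}).get("BucketPolicy")):
        reasons.append("bucket policy allows Principal *")
    status = "NON_COMPLIANT" if reasons else "COMPLIANT"
    return evaluation(item, status, "; ".join(reasons) or "bucket is not public")


def lambda_handler(event, context=None):
    """Entry point in the shape AWS Config uses for a change-triggered rule:
    event["invokingEvent"] is a JSON string wrapping the configuration item."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::S3::Bucket":
        return evaluation(item, "NOT_APPLICABLE", "rule only evaluates S3 buckets")
    return evaluate_bucket(item)


def make_item(resource_id, resource_type="AWS::S3::Bucket", grants=(), policy=None):
    """Constructed configuration item for the demonstration (ids are placeholders)."""
    return {"resourceType": resource_type, "resourceId": resource_id,
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"grants": list(grants)},
            "supplementaryConfiguration": {"BucketPolicy": policy}}


# Constructed samples: private bucket, bucket opened by policy, bucket opened
# by ACL, and a non-bucket resource the rule must not judge.
PRIVATE = make_item("td-private-logs")
PUBLIC_BY_POLICY = make_item("td-public-site", policy=json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::td-public-site/*"}]}))
PUBLIC_BY_ACL = make_item("td-public-acl", grants=[
    {"grantee": {"uri": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "permission": "READ"}])
NOT_A_BUCKET = make_item("i-0123456789abcdef0", resource_type="AWS::EC2::Instance")


def run_demo():
    """Invoke the rule for each sample the way AWS Config would."""
    results = {}
    for item in (PRIVATE, PUBLIC_BY_POLICY, PUBLIC_BY_ACL, NOT_A_BUCKET):
        event = {"invokingEvent": json.dumps({"configurationItem": item})}
        results[item["resourceId"]] = lambda_handler(event)["ComplianceType"]
    return results
```

Two design points carry over to a real rule: the policy check treats a wildcard principal as public only when the statement has no Condition (a conditioned statement may still be too broad, but that needs a deeper analysis), and resources of another type get NOT_APPLICABLE rather than COMPLIANT so the rule never reports a false pass. The NON_COMPLIANT evaluation is what the notification or Systems Manager Automation remediation on the slide would key on.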
AWS Organizations
• Consolidates and centrally manages multiple AWS accounts
• Combines the bills of multiple AWS accounts (Consolidated Billing: one account pays all the bills)
• Provides volume discounts to further lower your costs
• Uses Service Control Policies (SCPs) to control access and ensure organizational compliance across your AWS accounts
• Offers central logging to monitor all activities performed across your organization using AWS CloudTrail
• Aggregates data from all your AWS Config rules to quickly audit your environment for compliance
• A single AWS Organization can have two or more Organizational Units (OUs), for example "Manila" and "Bangalore", with underlying AWS accounts (Account 1 to Account 4) and Service Control Policies (SCPs) attached
AWS Service Catalog
• Empowers you to set up and centrally manage catalogs of approved IT services
• Allows you to manage various IT services, referred to as "products" in Service Catalog, and then group them in a portfolio
• A product can be a machine image (AMI), an application server, a program, a tool, a database, or other services
• Assists you in meeting your compliance requirements
• Enforces granular access control to your resources

AWS Control Tower
• Helps you set up and govern a secure multi-account AWS environment
• Automates the setup of your multi-account AWS environment
• Uses blueprints that follow AWS best practices for security and management
• Provides mandatory high-level rules called guardrails
  ‣ Guardrails help enforce your policies using service control policies (SCPs)
  ‣ Guardrails detect policy violations using AWS Config rules
AWS Identity Services Overview

AWS Identity Services: AWS Identity & Access Management (IAM), AWS Single Sign-On, AWS Directory Service, Amazon Cognito

AWS Identity & Access Management (IAM)
• The primary identity service in AWS
• Allows you to manage access to various AWS services and resources
• IAM user: signs in with a password or uses access keys; IAM users can be placed in IAM groups
• IAM policy: a set of permissions (Permission 1, Permission 2, Permission 3, Permission 4) attached to an IAM user, IAM group, or IAM role
Amazon Cognito
• Lets you add user sign-up, sign-in, and access control features to your web or mobile apps
• Allows users to log in to your application with their social media accounts, Microsoft Active Directory, or SAML (Security Assertion Markup Language) identity providers
• User Pool (for authentication): users can sign in by authenticating through their social identity providers
• Identity Pool (for authorization): users can obtain temporary and limited-privilege AWS credentials that authorize access to other AWS services
AWS Single Sign-On
• A single sign-on service in AWS
• Allows a user to log in with a single ID and password to access multiple, independent software systems
• Provides a user portal that allows users to access the roles that they can assume
• Offers pre-configured SAML integrations to many business applications
AWS Directory Service
• A managed Microsoft Active Directory
• Does not require you to synchronize or replicate data from your existing Active Directory to the cloud
• No need to install and manage an Active Directory domain controller
• Improves security and minimizes administrative overhead
• Allows you to assign IAM roles to your Active Directory users and groups
• Allows you to assign IAM roles to your on-premises Microsoft Active Directory using AD Connector
AWS Transfer & Migration Services Overview

AWS Transfer & Migration Services (moving data and workloads from your on-premises data center to AWS): AWS DataSync, AWS Application Discovery Service, AWS Database Migration Service (AWS DMS), AWS Server Migration Service (AWS SMS), AWS Transfer Family, AWS Snowball Family, Migration Hub, Migration Evaluator
AWS DataSync
• An online data transfer service
• Automates and accelerates the replication of data between your on-premises storage systems and AWS storage services
• Copies large amounts of data to and from AWS storage services over the Internet or via AWS Direct Connect
• Can copy data between:
  ‣ Shared file servers
  ‣ Self-managed object storage
  ‣ AWS Snowcone
  ‣ Amazon S3 buckets
  ‣ Amazon EFS file systems
  ‣ Amazon FSx for Windows File Server file systems
• Transfers your data from your on-premises data center to AWS through the use of a DataSync Agent (deployed as a VM)
• Migration versus integration: AWS DataSync migrates data out of the on-premises data center, whereas AWS Storage Gateway integrates on-premises storage (e.g. a Storage Area Network) with AWS
AWS Transfer Family
• A suite of services that provides a simple and seamless file transfer to Amazon S3
• AWS Transfer for SFTP (Secure File Transfer Protocol)
• AWS Transfer for FTPS (File Transfer Protocol over SSL)
• AWS Transfer for FTP (File Transfer Protocol)
AWS Snowball Family
• Provides physical storage devices and capacity points to help you move your on-premises data to AWS
• AWS Snowcone: 4.5 lbs / 2.1 kgs; 8 TB of usable storage; load data via NFS mount; uploads data to Amazon S3
• AWS Snowball: around 50 lbs / 22.5 kgs; 80 TB of usable storage; over 1 foot in height, 11 inches wide, 2.3 inches in length; uploads data to Amazon S3
• AWS Snowmobile: a 45-foot long ruggedized shipping container pulled by a semi-trailer truck; moves 100 petabytes of data (exabyte-scale data transfer); uploads data to Amazon S3
AWS Application Discovery Service
• Helps enterprise customers plan migration projects
• Gathers information about the customer's on-premises resources
• Enables customers to understand the configuration, usage, and behavior of servers in their IT environments
• An AWS Discovery Agent is required to be installed on your on-premises servers or virtual machines to capture system configuration, system performance, running processes, et cetera
• Helps you discover the technical details of your applications running in your on-premises data center
AWS Database Migration Service (AWS DMS)
• Helps you migrate your databases to AWS quickly and securely
• Allows the source database to remain fully operational during the migration, which minimizes downtime
• Migrates your data to and from the most widely used commercial and open-source databases
• Allows continuous data replication via change data capture (CDC)
• Can be used along with the AWS Schema Conversion Tool (AWS SCT)
• Supports both homogeneous (e.g. Oracle to Oracle, MySQL to MySQL) and heterogeneous (e.g. Oracle to MySQL, MS SQL to Amazon Aurora) database migrations
• Heterogeneous database migration example: a PostgreSQL source database migrated to an Amazon Aurora or Amazon DynamoDB target database
AWS Server Migration Service (AWS SMS)
• An agentless service that migrates on-premises workloads and resources to AWS
• NO NEED to install and set up an agent on-premises, unlike the Systems Manager or DataSync agent
• Uses an SMS connector, which can be installed in your VMware vCenter environment, to establish a connection to your AWS resources
• Automates, schedules, and tracks incremental replications of your live server volumes
Migration Hub
• A single place to discover your existing servers, plan migrations, and track the status of each application migration
• DOES NOT execute the actual data migration; it only tracks its progress
• Provides visibility into your application portfolio and streamlines planning and tracking
• Shows the status of the servers and databases that you are migrating
Migration Evaluator
• A migration assessment service
• Helps customers make the best business case for their mission-critical AWS cloud planning and migration activities
• Provides a clear baseline of what workloads you're running today
• Recommends future-state configurations
• Creates a statistical model of compute patterns for all your instances that shows:
  ‣ How much is being spent
  ‣ Which AWS resources are over-provisioned
  ‣ Specific opportunities to realize significant savings
AWS Machine Learning Services Overview

AWS Machine Learning Services
• AWS ML Platform: Amazon SageMaker
• Computer Vision: Amazon Rekognition, Amazon Lookout for Vision, AWS Panorama
• Customer Experience Improvement: Amazon Kendra, Amazon Personalize, Amazon Translate
• Automated Data Extraction & Analysis: Amazon Textract, Amazon Augmented AI (A2I), Amazon Comprehend, Amazon Comprehend Medical
• Business Metrics: Amazon Lookout for Metrics, Amazon Forecast, Amazon Fraud Detector
• Language AI: Amazon Lex, Amazon Transcribe, Amazon Polly
• DevOps & MLOps: Amazon CodeGuru Reviewer & Profiler, Amazon CodeWhisperer, Amazon DevOps Guru
Amazon SageMaker (AWS Machine Learning Platform)
• Full-fledged machine learning platform in AWS
• Allows you to build, train, and deploy machine learning (ML) models for any use case with fully managed infrastructure, tools, and workflows
• Provides a suite of features and modules, such as Amazon SageMaker Canvas, Amazon SageMaker Studio Lab, Amazon SageMaker Ground Truth, Amazon SageMaker Built-In Models, Amazon SageMaker Notebook, and many more
Amazon Rekognition (Computer Vision)
• Extracts information and insights from your images and videos using computer vision
• It can recognize:
  ‣ Objects, text, scenes, labels, and other attributes
  ‣ The face of a person or a popular celebrity
  ‣ Personal Protective Equipment (e.g. mask, helmet)
• Has a feature called Amazon Rekognition Custom Labels that allows you to classify custom components or products from your dataset
Amazon Lookout for Vision (Computer Vision)
• One of the services in the Amazon Lookout family
• Detects defects on industrial products
• Used in factories and manufacturing lines to identify defects
• Actual images of defect-free products are used as a dataset. These images can be stored in Amazon S3 and used as baseline images to build a custom ML model for you
• Can automatically detect anomalies in your product like dents, cracks, scratches, et cetera
Amazon Textract (Automated Data Extraction & Analysis)
• Its name is a portmanteau of the words "text" and "extract"
• Extracts text from scanned documents, PDFs, Word documents, hand-written notes, receipts, passports, IDs, and many others
• Can generate the results in table form or as a CSV file
• Has a query feature that extracts a particular field using natural language questions
• Can batch upload your documents to Amazon S3 and automate the text analysis process
Amazon Augmented AI (A2I) (Automated Data Extraction & Analysis)
• Provides human review workflows for common machine learning use cases
• The review is done by actual people and not by a computer
• Ensures the accuracy of prediction results and helps provide continuous improvements to your machine learning model
• Can be directly integrated with Amazon Rekognition, Amazon Textract and other services
• Useful for image moderation such as explicit adult or violent content
• Allows you to run a human review with a custom machine learning workflow of your choice
Amazon Comprehend (Automated Data Extraction & Analysis)
• A natural language processing service
• Finds insights and relationships in text documents
• Can extract key phrases, sentiment, language, syntax, topics, and even Personally Identifiable Information (PII) from unstructured data
• Can implement patient data privacy solutions and identify protected health information (PHI) using Amazon Comprehend Medical
• Can comprehend or understand the information written in your text documents
• Raw text data must be supplied first in order to use the Amazon Comprehend service
Amazon Lex (Language AI)
• Enables you to develop conversational chatbots
• Allows you to build voice-based or text-based chatbots
• Useful for developing a self-service bot or a virtual agent for your conversational Interactive Voice Response (IVR) system, corporate website, or others
• Reduces the costs of maintaining a contact center
Amazon Transcribe (Language AI)
• A speech-to-text transcription service
• Transcribes, or makes a written record of, a speech, a phone call, or any spoken language
• Can generate call transcripts and provide conversation insights to improve customer experience and agent productivity
• Offers real-time transcription
Amazon Polly (Language AI)
• Converts text into speech
• Generates lifelike speech in different voices based on a raw text file you uploaded
• If you typed "Beautiful Philippine Islands", the Amazon Polly service will generate an audio file saying that phrase in a male voice, a female voice, a kid's voice, or in any voice that you want your text to be spoken in
• Allows you to upload custom lexicon files which can help you customize the pronunciation of specific words and phrases
Amazon Kendra (Customer Experience Improvement)
• An intelligent search service in AWS
• Can search items from multiple data sources containing both structured and unstructured data
• Supports natural language processing, for example:
  ‣ "Who is the founder of the EdTech startup: Tutorials Dojo?"
  ‣ "Where is the JP Rizal Hospital located?"
  ‣ "How much did Mr. Jon Bonso earn a year ago?"
• Searches all of the documents in your S3 bucket, FSx file systems, RDS databases, GitHub repository, Jira, Slack, SharePoint and other data sources
• Uses machine learning to provide context to your search results for a better customer experience
Amazon Personalize (Customer Experience Improvement)
• Provides personalized recommendations to your customers based on their past activity and behavior
• Similar to the recommendation feature in Amazon Prime, Netflix and other online streaming platforms
• Gives recommendations based on the customer's profile, viewing history and past activities
• Improves customer experience and sales since you can offer products that your customers want
Amazon Translate (Customer Experience Improvement)
• A real-time language translation service
• Works like Google Translate
• Enables you to create custom terminologies based on company-specific and domain-specific vocabulary
• For example:
  ‣ Set the acronym "TD" as "Tutorials Dojo"
  ‣ Enter the Tagalog phrase: "Magandang umaga, TD"
  ‣ It will return "Good morning, Tutorials Dojo" as an output
• Has a Formality option that controls whether the translation output uses a formal tone
• Can mask profane words or phrases
Amazon Forecast (Business Metrics)
• Helps you forecast a future outcome based on your historical records and other relevant data
• You can either import or stream your time-series data to the Amazon Forecast service
• Can provide intelligent predictions for your sales, web traffic, inventory, revenue, cloud resource capacity, weather, future AWS bill, et cetera
• Has a range of built-in datasets such as Weather Index, national holidays for various countries and many more
• Uses a Predictor machine learning model that consumes all the time-series data that you provide to make a prediction
Amazon Fraud Detector (Business Metrics)
• Automates the fraud detection process in your applications
• Identifies potential fraudulent activity, fake reviews and spam account creation in near-real-time
• Use cases:
  ‣ Detecting IP addresses with a history of spamming, hacking attempts, and DDoS attacks
  ‣ Blocking users with exactly the same IP address who are posting spam and fraudulent reviews on your website
  ‣ Preventing a malicious user who uses an offending IP address, an email domain, or a key attribute
Amazon Lookout for Metrics (Business Metrics)
• One of the services of the Amazon Lookout family
• Detects anomalies in your business metrics, such as:
  ‣ A sudden nosedive in your sales revenue
  ‣ An unexpected drop in your customer acquisition rates
  ‣ Causal relationships
• Identifies unusual variances in your business metrics
• Can be integrated with Amazon SNS to send alerts whenever an anomaly is detected
Amazon DevOps Guru (DevOps & MLOps)
• A machine learning service that detects abnormal behavior in your application or AWS resources
• Prevents unexpected downtimes or operational issues in the near future
• Monitors applications and AWS resources within your own account or on all accounts across your AWS Organization
• Identifies operational defects such as:
  ‣ An unusually high DB load that is more than three times or five times its normal value
  ‣ An extremely high number of invocations of your Lambda function beyond the provisioned concurrency
  ‣ Overprovisioned write capacity on your DynamoDB tables
Amazon CodeGuru (DevOps & MLOps)
• A suite of development services in AWS with different tools and features such as Amazon CodeGuru Reviewer and Amazon CodeGuru Profiler
• Provides intelligent recommendations for improving your application performance, efficiency, and code quality
• Amazon CodeGuru Reviewer:
  ‣ Scans your code and detects a range of code defects like bad exception handling, insecure CORS policy, path traversal, hardcoded credentials, et cetera
  ‣ Can be integrated with your CI/CD workflow to automate the code review process
• Amazon CodeGuru Profiler:
  ‣ A component that collects CPU data and analyzes the runtime performance data from your live applications
  ‣ Identifies expensive lines of code that inefficiently use the CPU, which causes CPU bottlenecks
Amazon CodeWhisperer (DevOps & MLOps)
• Automatically generates code and functions in real-time
• Similar to GitHub Copilot
• Installed in your Visual Studio IDE
• The lines of code are generated right from your IDE editor based on the comments that you write
AWS Analytics Services Overview

• Data Warehouse: structured data
• Data Lake: structured and unstructured data
• AWS analytics services are built on many open-source projects and third-party technologies
• Extract, Transform, Load (ETL), including serverless ETL

AWS Analytics Services: Amazon Kinesis, Amazon Athena, Amazon Elasticsearch Service (Amazon ES), Amazon Elastic MapReduce (Amazon EMR), Amazon QuickSight, Amazon CloudSearch, Amazon Redshift, AWS Data Pipeline, AWS Glue, AWS Lake Formation, Amazon Managed Streaming for Apache Kafka
Amazon Kinesis
• A suite of services for processing your data streams
• Analyzes your data streams in real-time
• Allows you to collect, transform, process, load, and analyze streaming data in real-time to help you acquire data insights and respond to data changes
• Composed of: Amazon Kinesis Data Streams, Amazon Kinesis Data Firehose, Amazon Kinesis Data Analytics, Amazon Kinesis Video Streams
Amazon Kinesis Data Streams
• A massively scalable, durable, secure and low-cost real-time data streaming service
• Can continuously capture gigabytes of data per second from thousands of different sources
• Collects and sends data to your data analytics applications and consumers in real-time
• Can be used in:
  ‣ Real-time applications
  ‣ Website clickstreams
  ‣ Database event streams
  ‣ IoT telemetry
  ‣ Location-tracking events
  ‣ Predictive maintenance
  ‣ Mobile game data streams
  ‣ Online marketplaces
  ‣ Real-time recommendation systems
  ‣ ...and many more!
• Provides ordering of records
• Can read and replay records in the same order
• Suitable if you have a requirement where:
  ‣ The data events must be received in an ordered manner
  ‣ There's a need to process the data stream of your web applications, or mobile game updates, in order of receipt
• Can be used to decouple your cloud architecture like Amazon SQS, by accepting data from your data sources and forwarding it to different compute resources
• Similar to Amazon SQS, with notable differences:
  ‣ SQS can't process data in real-time
  ‣ An SQS Standard queue doesn't maintain the order of data records by default
  ‣ An SQS FIFO queue maintains the order of data records but is significantly slower than SQS Standard and doesn't perform in real-time
Amazon Kinesis Data Streams: USE CASES
• If you need a solution that captures the clickstream data from multiple websites in real-time and analyzes it using batch processing
• For setting up and building scalable, near-real-time recommendations for your users
• For mobile games that stream score updates to a backend system and post the results on a leaderboard
• For collecting mobile game scores in order of receipt, which can then be processed by an AWS Lambda function and stored in DynamoDB
• For implementing predictive maintenance on different types of machinery equipment using IoT sensors
• For sending data to AWS in real-time wherein the data stream will receive events in an ordered manner for each connected device, data producer or machinery asset
• For implementing a scalable, near-real-time solution for processing millions of financial transactions
• For launching a data stream that can be consumed by Amazon Kinesis Data Analytics, which can be queried using SQL queries
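The ordering guarantee the slides lean on (events "received in an ordered manner for each connected device") comes from how a stream assigns records to shards. The block below is an added example, not code from the slides or from AWS: it simulates that assignment rule (MD5 of the partition key into a 128-bit hash key, each shard owning a contiguous range) and checks the two properties that follow from it. The device readings, the shard count and the `shardId-` naming are constructed for the demonstration.

```python
"""How Amazon Kinesis Data Streams keeps records ordered per partition key.

Added example, not from the slides or from AWS. It simulates the shard
assignment rule Kinesis applies: the partition key is hashed with MD5 into
a 128-bit hash key, and each shard owns a contiguous range of that key
space. Every record with the same partition key therefore lands in the
same shard and is read back in the order it was written; records with
different keys may be spread over several shards, and no ordering across
shards is promised. The device readings below are constructed.
"""
import hashlib

KEY_SPACE = 2 ** 128  # size of the hash key space that shards partition


def make_shards(count):
    """Split the hash key space into `count` equal, contiguous ranges, the
    layout a freshly created stream with `count` shards has."""
    size = KEY_SPACE // count
    shards = []
    for i in range(count):
        end = KEY_SPACE - 1 if i == count - 1 else (i + 1) * size - 1
        shards.append({"shardId": f"shardId-{i:012d}", "start": i * size, "end": end})
    return shards


def hash_key(partition_key):
    """MD5 of the partition key, read as a 128-bit big-endian integer."""
    return int.from_bytes(hashlib.md5(partition_key.encode("utf-8")).digest(), "big")


def shard_for(partition_key, shards):
    """Id of the shard whose range contains the key's hash."""
    h = hash_key(partition_key)
    for shard in shards:
        if shard["start"] <= h <= shard["end"]:
            return shard["shardId"]
    raise ValueError("hash key outside every shard range")


def put_records(records, shards):
    """Simulate PutRecord calls: each (partition_key, data) pair is appended
    to its shard with an increasing sequence number, as Kinesis does."""
    stream = {shard["shardId"]: [] for shard in shards}
    for sequence, (partition_key, data) in enumerate(records):
        stream[shard_for(partition_key, shards)].append(
            {"seq": sequence, "key": partition_key, "data": data})
    return stream


def per_key_order_preserved(stream):
    """Read every shard front to back and check that records sharing a
    partition key appear in increasing sequence order."""
    last_seen = {}
    for shard_records in stream.values():
        for rec in shard_records:
            if rec["seq"] < last_seen.get(rec["key"], -1):
                return False
            last_seen[rec["key"]] = rec["seq"]
    return True


def shards_per_key(stream):
    """Map each partition key to the set of shards holding its records;
    a correct assignment yields exactly one shard per key."""
    seen = {}
    for shard_id, shard_records in stream.items():
        for rec in shard_records:
            seen.setdefault(rec["key"], set()).add(shard_id)
    return seen


# Constructed sample: three IoT devices (partition key = device id) whose
# readings arrive interleaved, the "ordered per device" case on the slide.
SAMPLE_RECORDS = [
    ("device-A", "temp=20"), ("device-B", "temp=31"), ("device-A", "temp=21"),
    ("device-C", "temp=18"), ("device-B", "temp=30"), ("device-A", "temp=22"),
]


def run_demo(shard_count=4):
    """Write the sample into a stream with `shard_count` shards and report
    the two guarantees the slide relies on."""
    stream = put_records(SAMPLE_RECORDS, make_shards(shard_count))
    return {
        "ordered_per_key": per_key_order_preserved(stream),
        "one_shard_per_key": all(len(s) == 1 for s in shards_per_key(stream).values()),
        "record_count": sum(len(r) for r in stream.values()),
    }
```

The practical consequence is the choice of partition key: it must be the identity whose events have to stay in order (the device, the player, the account), and a poorly distributed key concentrates traffic on one shard. This is also the contrast with SQS Standard drawn on the previous slide, where no per-key ordering exists at all.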
Amazon Kinesis Data Firehose
• A fully managed service that reliably transforms and loads your streaming data into data stores and analytics tools
• Directly delivers data to Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, and any HTTP endpoint
• Can be integrated with your third-party service providers
• Enables your data producers to directly send data to a specific destination or data store without any custom applications or consumers
• Can transform your data before sending it to a specified destination, to remove sensitive data or for data pre-processing procedures
• Similar to Amazon Kinesis Data Streams but with certain differences:
  ‣ Both services can accept streaming data in real-time
  ‣ However, Kinesis Data Streams requires an external consumer to store the records, while Kinesis Data Firehose does not
• Acts like a "firehose" to immediately send the streams of data to your data store
• Delivers your data stream directly to your Amazon S3 buckets, Redshift databases, Amazon ES clusters, and others without the need for a consumer
• Can transform the data before it is sent to its destination
• Internally invokes an AWS Lambda function to transform the incoming source data and deliver the processed data to its destination
• Recommended if you need to parse the data stream to remove any sensitive data such as personal data or protected health information (PHI)
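The Lambda-based transformation mentioned above has a fixed contract: Firehose hands the function a batch of base64-encoded records, and the function must answer with every recordId, a result of "Ok", "Dropped" or "ProcessingFailed", and the re-encoded data. The following is an added example, not code from the slides or from AWS, that uses that contract to strip PHI/PII fields before delivery. The field list and the sample records are constructed; the event structure is the one Firehose uses for data transformation.

```python
"""A Kinesis Data Firehose transformation function that redacts sensitive
fields before delivery.

Added example, not from the slides or from AWS. It has the shape Firehose
expects from the Lambda function it invokes for data transformation: the
event carries base64-encoded records, and the function returns every
recordId with a result of "Ok", "Dropped" or "ProcessingFailed" plus the
(re-encoded) data. The field list and the sample records are constructed.
"""
import base64
import json

# Fields to mask before the stream reaches S3 / Redshift / Elasticsearch.
# Constructed list; in practice it comes from your data-classification policy.
SENSITIVE_FIELDS = {"patient_name", "ssn", "email"}
MASK = "[REDACTED]"


def redact(payload):
    """Return a copy of the JSON object with the sensitive fields masked."""
    return {k: (MASK if k in SENSITIVE_FIELDS else v) for k, v in payload.items()}


def transform_record(record):
    """Decode one Firehose record, redact it, and re-encode it.

    Records that are not valid UTF-8 JSON objects are marked
    ProcessingFailed; Firehose then writes them to the error prefix of the
    delivery stream instead of silently forwarding or dropping them.
    """
    try:
        payload = json.loads(base64.b64decode(record["data"]).decode("utf-8"))
        if not isinstance(payload, dict):
            raise ValueError("record is not a JSON object")
    except (ValueError, UnicodeDecodeError):
        return {"recordId": record["recordId"], "result": "ProcessingFailed",
                "data": record["data"]}
    cleaned = json.dumps(redact(payload)) + "\n"  # newline-delimited JSON for S3/Athena
    return {
        "recordId": record["recordId"],
        "result": "Ok",
        "data": base64.b64encode(cleaned.encode("utf-8")).decode("ascii"),
    }


def lambda_handler(event, context=None):
    """Firehose invokes this with a batch; the reply must echo every recordId."""
    return {"records": [transform_record(r) for r in event["records"]]}


def encode(obj):
    """Base64-encode a JSON object the way a producer would send it."""
    return base64.b64encode(json.dumps(obj).encode("utf-8")).decode("ascii")


def decode(b64):
    """Decode a transformed record back into a dict (for inspection)."""
    return json.loads(base64.b64decode(b64).decode("utf-8"))


# Constructed sample batch: a clinical event carrying PHI, a clean event,
# and a corrupt record that is not JSON at all.
SAMPLE_EVENT = {"records": [
    {"recordId": "r1", "data": encode({"patient_name": "Jane Roe", "ssn": "000-00-0000",
                                       "visit_type": "follow-up"})},
    {"recordId": "r2", "data": encode({"event": "login", "status": "ok"})},
    {"recordId": "r3", "data": base64.b64encode(b"\xff\xfe not json").decode("ascii")},
]}


def run_demo():
    """Transform the sample batch and summarise the outcome per record."""
    out = lambda_handler(SAMPLE_EVENT)
    return {r["recordId"]: (r["result"], decode(r["data"]) if r["result"] == "Ok" else None)
            for r in out["records"]}
```

Two choices matter for a redaction step: undecodable input is reported as ProcessingFailed rather than passed through, so a malformed record can never leak an unredacted payload to the destination, and the recordId list is returned intact, because Firehose rejects a transformation response that does not account for every record it sent.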
Amazon Kinesis Video Streams
• A service that securely streams video from connected devices or sources to AWS
• Commonly used for data analytics, machine learning, video playback, and other types of media processing
• Automatically provisions and scales all the required infrastructure to ingest streaming video data from millions of devices
• Stores, encrypts, and indexes video data in your streams to improve performance
• Provides access to your video data through a collection of easy-to-use APIs
Amazon Kinesis Data Analytics
• A serverless service that enables you to analyze your streaming data, acquire actionable insights, and respond to events in real-time
• Reduces the complexity of building, managing, and integrating streaming applications with your custom applications and other AWS services
• Serverless
• Uses Apache Flink to process and analyze streaming data
• Eliminates the manual tasks of setting up and maintaining Apache Flink
• Enables you to author and run code against streaming sources
• The data can be analyzed using SQL queries and the results can be delivered to Amazon S3, Amazon Redshift, and other data stores using Kinesis Data Firehose
• Java or Scala can be used to process and analyze your streaming data

Amazon Kinesis Data Analytics: USE CASES
• For near-real-time data processing and data querying to acquire timely insights about your application
• For processing your streaming data with minimal effort and operational overhead
• For providing scalable and near-real-time data querying with minimal data loss
• For analyzing the location data points of your GPS application that tracks the movement of people, bikes, automobiles, or any other moving object
• You can expose a REST API using API Gateway that can be used as an Amazon Kinesis proxy
Amazon Athena
• An interactive query service for your data that is stored in Amazon S3
• Simplifies data analysis in Amazon S3 using standard SQL queries
• Unlike S3 Select, you can query the entire data in your Amazon S3 bucket with Amazon Athena and not just a subset of it
• Serverless
• Sample use case:
  ‣ A global eCommerce website stores 250 gigabytes of transactional data each month in Amazon S3
  ‣ You need to identify the number of items sold in each particular region for the previous month in the most cost-effective way
• Athena costs less than Amazon Redshift, Amazon EMR, or Amazon ES since it's serverless
• Can use an AWS Glue Data Catalog to store and retrieve table metadata for your Amazon S3 data, and provide data visualization using Amazon QuickSight
Amazon Elasticsearch Service (Amazon ES)
• A fully managed Elasticsearch service
• Elasticsearch is a distributed, multitenant-capable full-text search engine based on the Apache Lucene library
• Provides an HTTP web interface that can store data as schemaless JSON documents
• Provisions the necessary infrastructure and automatically manages the resources needed to run the Amazon ES cluster
• Also allows you to launch an ELK (Elasticsearch, Logstash, and Kibana) stack in AWS
• ELK Stack:
  ‣ Elasticsearch - full-text search engine
  ‣ Logstash - server-side data processing pipeline
  ‣ Kibana - user interface to visualize Elasticsearch data
• Provides support for open-source Elasticsearch APIs, managed Kibana, and integration with Logstash and other AWS services
• Lets you pay only for what you use (no upfront costs or usage requirements)
Amazon Elastic MapReduce (Amazon EMR)
• Allows you to run different types of big data frameworks in AWS
• A managed big data platform for processing vast amounts of data using open source tools such as Apache Zeppelin and others
• Runs your big data framework on Amazon EC2 instances, Amazon Elastic Kubernetes Service clusters, or in your on-premises EMR cluster via AWS Outposts
• The compute resources launched by Amazon EMR are deployed in your VPC and then grouped as an Amazon EMR cluster
• You can directly access and control the underlying EC2 instances of your EMR cluster
• NOT serverless
• Automates the server provisioning and management process for you and allows your data to interact with other AWS data stores such as Amazon S3 and Amazon DynamoDB
Amazon QuickSight
• A scalable, serverless, embeddable, machine learning-powered business intelligence service
• Allows you to create and publish interactive dashboards that can be accessed from different browsers or mobile devices
• Allows you to embed dashboards into your applications
• Highly scalable and can easily scale up to thousands of users globally
• Serverless
Amazon CloudSearch
• A managed search service in AWS
• Can be used to add a search feature to your applications or websites
• You can use this to:
  ‣ Retrieve contents of selected fields
  ‣ Provide facet information to categorize results
  ‣ Provide statistics for numeric fields
  ‣ Provide highlights showing search hits in the field data
  ‣ Autocomplete suggestions
  ‣ Geospatial search
  ‣ and many more!
• Allows you to create a search domain, specify an index and upload your data as documents
• Provisions and manages all the underlying servers and resources needed to build and deploy search indexes
• Simply upload your data to any data store, create a search domain in CloudSearch, and integrate it into your applications
Amazon Redshift
• A fast, scalable data warehouse
• Allows you to analyze all your data across your data warehouse and data lake
• Delivers faster performance than other data warehouses through the use of machine learning, massively parallel query execution and columnar storage on high-performance disks
• Can run queries across petabytes of data in your Redshift data warehouse and analyze exabytes of data in your S3 data lake
• Primarily used for Online Analytical Processing (OLAP) applications and reporting tools
• Redshift clusters run on internal Amazon EC2 instances that are configured as nodes
• You can select the particular node type and instance size that you prefer
• Not a serverless service
• Has a feature called Redshift Spectrum that allows you to query data from Amazon S3 without loading the entire data into Redshift tables
• Redshift Spectrum queries use massive parallelism to quickly execute against large datasets at a fraction of the cost
AWS Data Pipeline
• A service that processes and moves your data between different AWS compute and storage services
• Enables you to process and move your data at specific intervals that you define, and to transfer your data to and from your on-premises data center
• Allows you to access, transform and process your data where it's stored, at scale
• Empowers you to transfer and store the results in various AWS services such as Amazon S3, Amazon RDS, Amazon DynamoDB, and Amazon EMR
AWS Glue
• A fully managed and serverless service that is primarily used for extract, transform, and load (ETL) workloads
• Simplifies the process of preparing and loading your data before running your data analytics workload
• Creates a Data Catalog that allows you to specify and search your data that is stored on Amazon S3 and other AWS services
• Automatically discovers your data and stores the associated metadata in the AWS Glue Data Catalog
• The data is immediately searchable, queryable, and available for ETL once the metadata is stored
Amazon Managed Streaming for Apache Kafka
• A fully managed Apache Kafka service in AWS
• Apache Kafka is an open-source platform that allows you to build real-time streaming data pipelines and applications
• Allows you to use Apache Kafka APIs to stream changes to and from different databases, populate your Amazon S3 data lakes, and empower machine learning and analytics applications
AWS Lake Formation
• Makes it easy for you to set up a secure data lake
• Allows you to create data catalogs for your external data just like AWS Glue
• Collects and catalogs your data from different data sources and moves the data into a new Amazon S3 data lake
• Classifies and processes your data using machine learning algorithms, and secures access to your sensitive data
• Data can be queried and analyzed using Amazon Athena, Amazon Redshift, Amazon EMR, and other services
IAM Overview
Identity and Access Management: AUTHENTICATION and AUTHORIZATION
[Diagram: IAM ENTITIES and IAM POLICIES]
IAM ENTITIES
• IAM USER – TYPES: Root User, Regular IAM User
• IAM GROUP
• IAM ROLE
IAM POLICY (Permission 1, Permission 2, Permission 3)
• AWS-managed Policy
• Customer-managed Policy
• Inline Policy
Grant Least Privilege
• Follows the best practice of granting the least privilege
• Does not grant the least privilege
[Diagram: an IAM ROLE assumed by a GROUP, an External User and CloudFormation Templates; ROOT USER ACCESS compared with the PowerUserAccess and AdministratorAccess managed policies]
Amazon EC2 and AWS IAM
• Use the Instance Profile to pass a specific IAM role to your Amazon EC2 instance for it to perform certain actions
• IAM roles attached to your instance can also be viewed in your EC2 instance metadata:
curl http://169.254.169.254/latest/meta-data/iam/info
Amazon S3 and AWS IAM
• You can set up a bucket policy to grant IAM users and other AWS accounts the access permissions for your bucket and its objects.
• In AWS Organizations, you can set up an S3 bucket policy that allows cross-account access to other departments of your organization.
AWS Databases and AWS IAM
• For DynamoDB, you can design an IAM policy that allows access to put, update, and delete items in one specific table.
• IAM DB Authentication is a feature available for Amazon RDS and Aurora. This allows you to use IAM to centrally manage access to your database resources.
Amazon SQS and AWS IAM
• An Access Policy can be provisioned to control external access to your SQS queue.
• Helps you grant permissions to an external company to access your queue.
• An SQS access policy can allow external companies to poll the queue without giving up the permissions of your own account.
IDENTITY-BASED POLICY vs RESOURCE-BASED POLICY
IAM ENTITIES: IAM USER, IAM GROUP, IAM ROLE
PERMISSIONS BOUNDARY
• Allows you to set the maximum permissions that an identity-based policy can grant to an IAM entity.
• Ensures that the entity can only perform the actions that are allowed by both its identity-based policies and its permissions boundaries.
IAM Identities
[Diagram: IAM IDENTITIES – IAM USER, IAM GROUP and IAM ROLE, each with an IAM POLICY (Permission 1, Permission 2, Permission 3) attached]
IAM USER
• An entity that represents an actual person or a service
• Can interact with your AWS resources using the AWS command-line interface, the AWS API, or the AWS Management Console
• Provides someone the ability to sign in to the AWS Management Console and programmatic access to AWS APIs
An IAM USER consists of:
• NAME
• PASSWORD
• ACCESS KEY PAIR, used with the AWS CLI, AWS APIs, AWS SDKs and AWS CDKs:
‣ Access Key ID
‣ Secret Access Key
[Diagram: an IAM USER with an IAM POLICY (Permission 1, Permission 2, Permission 3) that is either AWS-managed OR Customer-managed]
IAM POLICY TYPES
AWS-managed
• Managed by AWS
• Cannot be fully customized
• Has AWS managed policies for job functions that you can readily use:
‣ Administrator
‣ Support User
‣ Security Auditor
‣ Network Administrator
‣ Developer Power User
‣ Billing
‣ …and others
Customer-managed
• Managed by you (the customer)
• Can be fully customized
• You have to manually create a policy for a particular job function
IAM GROUP
• Can contain multiple IAM Users
• A single IAM User can belong to multiple IAM Groups
• Cannot be nested: it can only contain IAM Users and not other IAM Groups
• There is no default user group that automatically includes all of the IAM Users in your AWS account
[Diagram: the "Tutorials Dojo Developers" IAM GROUP with an IAM POLICY (Permission 1, Permission 2, Permission 3) attached]
[Diagram: an IAM ROLE assumed by an IAM USER]
IAM ROLE
• Intended to be assumed by one or more AWS resources
• No long-term credentials
IAM USER
• Uniquely associated with one single person only
• Has long-term credentials:
‣ AWS Management Console password
‣ Access Keys
[Diagram: a CROSS-ACCOUNT IAM ROLE between US – AWS ACCOUNT #1 and INDIA – AWS ACCOUNT #2]
IAM ROLE types
CROSS-ACCOUNT
• Grants access to your resources in one account to a trusted principal in a different AWS account
AWS SERVICE ROLE
• Assumed by an AWS service or applications running in your EC2 instance
• Limited within your AWS account only
• The custom applications hosted in Amazon EC2 can assume an AWS service role to perform certain actions
AWS SERVICE-LINKED ROLE
• A predefined role that is directly linked to an AWS service
IAM Policy Types
[Diagram: IAM IDENTITIES (IAM USER, IAM GROUP, IAM ROLE) and RESOURCES, with an IAM POLICY attached]
IAM POLICY
• Contains permissions that explicitly ALLOW or DENY access to certain AWS services
• It provides fine-grained access control to specific API actions as well as the AWS resources that the policy should be applied to
[Diagram: an IAM POLICY ALLOWS THE API ACTIONS YOU SPECIFY; an IAM POLICY DENIES THE API ACTIONS; an IAM POLICY with an IP Condition; an IAM POLICY with a Multi-Factor Authentication (MFA) Condition]
A policy can be written in the JSON EDITOR or the VISUAL EDITOR
Standalone Policy
• Remains unchanged even if you delete its associated IAM identity
• It doesn't have a strict one-to-one relationship to its associated IAM identity
Inline Policy
• Will automatically be deleted if you delete its associated identity
• Has a strict one-to-one relationship to its associated IAM identity
IAM Policy Types
• Identity-based Policies
• Resource-based Policies
• Permissions Boundaries
• AWS Organizations SCPs
• S3 Access Control Lists (ACLs)
• Session Policies
Identity-Based Policy
• A policy that you attach to an IAM Identity
• Two Types:
Managed Policies
‣ A type of standalone policy
‣ Can either be AWS-managed or Customer-managed
Inline Policies
‣ Maintains a strict one-to-one relationship between a policy and an IAM identity
‣ Tightly coupled with its associated IAM Identity
Resource-Based Policy
• Attaches an inline policy to a specific AWS Resource
• Types:
‣ S3 Bucket Policy
‣ SQS Access Policy
‣ Trust Policy
Permissions Boundaries
• Defines the maximum permissions that an identity-based policy can grant to an IAM entity
• Does not explicitly grant permissions
• Sets a clear boundary to ensure that a given IAM policy will not over-provision the permissions to your AWS resources
Service Control Policies (SCPs)
• Primarily used in: AWS Organizations
• Defines the maximum permissions for account members of an organization or organizational unit.
• Limits the permissions that identity-based policies or resource-based policies grant to the IAM users or roles within the AWS account
• IAM policies can't restrict the AWS account root user. On the contrary, the specified actions from an attached SCP can affect all IAM identities of the member account, including its root user
Access Control List (ACL)
• Primarily used in: Amazon S3
• Controls which principals in other AWS accounts can access a particular bucket
• These are cross-account permission policies that grant certain permissions to a specified principal that you define
• ACLs cannot grant permissions to entities within the same account
Session Policies
• Limits the permissions that an identity-based policy grants to a particular session
• Works like Permissions Boundaries
• Sets a limit on what kind of permissions a session has, without granting any permissions.
• Aside from an identity-based policy, the permissions of a session policy can also come from a resource-based policy
• If there's an explicit deny in any of the policies, then it will effectively override any allowed permissions
IAM Policy Basics
Policy-wide Information ("Id" and "Version") is followed by the list of Statements, which are combined with a Logical OR:

{
  "Id": "TutorialsDojoPolicy1",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAllActionsOnBooksTable",
      "Effect": "Allow",
      "Action": "dynamodb:*",
      "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/Books"
    },
    {
      "Sid": "ListObjectsInBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::tutorialsdojo-manila"]
    }
  ]
}
IAM Statement Elements
"Sid" is the Statement ID, "Effect" is ALLOW or DENY, and "Condition" is the CONDITION ELEMENT:

{
  "Sid": "AllowActionsOnBooksTable",
  "Effect": "Allow",
  "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
  "Action": [
    "dynamodb:PutItem",
    "dynamodb:*",
    "dynamodb:UpdateItem",
    "s3:*",
    "dynamodb:DeleteItem"
  ],
  "Resource": [
    "arn:aws:dynamodb:us-east-1:123456789012:table/Books",
    "arn:aws:s3:::tutorialsdojo/*"
  ],
  "Condition": {
    "IpAddress": {
      "aws:SourceIp": "220.110.16.0/20"
    }
  }
}
CONDITION ELEMENT – condition operator categories:
• String
• Numeric
• Date
• Boolean
• Binary
• ARN
• IfExists
• IpAddress
• …and many more!
CONDITION ELEMENT – IfExists variants:
• StringEqualsIfExists
• NumericEqualsIfExists
• BoolIfExists
• IpAddressIfExists
• etc…
Shares the Amazon S3 bucket named tutorialsdojo-manila with an external vendor while ensuring that the bucket owner is still able to access all objects:

. . .
"Action": [
  "s3:PutObject"
],
"Resource": "arn:aws:s3:::tutorialsdojo-manila/*",
"Condition": {
  "StringEquals": {
    "s3:x-amz-acl": "bucket-owner-full-control"
  }
}
. . .
Users will be denied all API actions (except for the s3:PutObject action) if their multi-factor authentication (MFA) is not enabled:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyAllTDojoUsersNotUsingMFA",
    "Effect": "Deny",
    "NotAction": "s3:PutObject",
    "Resource": "*",
    "Condition": {
      "BoolIfExists": {
        "aws:MultiFactorAuthPresent": "false"
      }
    }
  }]
}
IAM Policy Evaluation Logic
Will the API action be Allowed or Denied? The first statement allows the API action (all lambda:* actions) and the second denies the API actions lambda:CreateFunction and lambda:DeleteFunction; the statements are combined with a Logical OR:

{
  "Id": "TutorialsDojoPolicy1",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "lambda:*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": ["lambda:CreateFunction", "lambda:DeleteFunction"],
      "Resource": "*"
    }
  ]
}
1. Authentication
2. Process the request context
3. Evaluate all policies within a single account
If the IAM policies are within a single account…
• All requests will be implicitly denied, except for the AWS account root user
• Process the explicit ALLOW statements from the identity-based or resource-based policies
• Permissions Boundaries, Session Policies and Service Control Policies (SCPs) are evaluated as well
• An explicit DENY in any policy overrides any type of ALLOW action
[Diagram: ALLOW vs DENY]
This policy will allow you to terminate an Amazon EC2 instance in the us-west-1 region as long as your source IP is within the 49.147.194.0/24 CIDR block.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:TerminateInstances",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "49.147.194.0/24"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "ec2:Region": "us-west-1"
        }
      }
    }
  ]
}
This policy provides full access to Amazon EC2. It also allows creating, reading and updating the AWS Directory Service (DS) directories, but not deleting them.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "ds:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "ds:Delete*",
      "Resource": "*"
    }
  ]
}
This policy provides full access to AWS Lambda, but denies creating or deleting Lambda functions when the request comes from a source IP within the 220.200.16.0/24 CIDR block.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "lambda:*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "lambda:CreateFunction",
        "lambda:DeleteFunction"
      ],
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "220.200.16.0/24"
        }
      }
    }
  ]
}
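The single-account flow above (implicit deny, explicit Allow, explicit Deny wins) and the ...IfExists behaviour, worked as an added Python example that is not part of the slides. It re-evaluates the slides' own EC2 region/IP policy and the MFA deny policy against constructed request contexts, and supports only the elements those policies use; ALLOW_ALL, INSTANCE and OBJECT are constructed for the example.

```python
import fnmatch
import ipaddress

# Added teaching example, not AWS's evaluator: it implements only the
# single-account flow on these slides (implicit deny, explicit Allow grants,
# an explicit Deny in any statement wins) and only the elements used in the
# slide policies: Action/NotAction, Resource wildcards, and the IpAddress,
# StringEquals, StringNotEquals, Bool and BoolIfExists operators.


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, value):
    # IAM wildcards (* and ?) behave like shell globs; matching is case-sensitive.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        for key, expected in pairs.items():
            expected_values = [str(v) for v in _as_list(expected)]
            if key not in context:
                if if_exists:
                    continue  # ...IfExists treats a missing key as satisfied
                return False  # a plain operator fails on a missing key
            actual = str(context[key])
            if base == "IpAddress":
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(c)
                         for c in expected_values)
            elif base == "StringEquals":
                ok = actual in expected_values
            elif base == "StringNotEquals":
                ok = actual not in expected_values
            elif base == "Bool":
                ok = actual.lower() in [v.lower() for v in expected_values]
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def _statement_applies(stmt, action, resource, context):
    if "Action" in stmt and not _matches_any(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _matches_any(stmt["NotAction"], action):
        return False
    if not _matches_any(stmt["Resource"], resource):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def evaluate(policies, action, resource, context):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"  # the default for everything but the root user
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # overrides any Allow, so stop here
            decision = "Allow"
    return decision


# The two policies below are copied from the slides above.
EC2_REGION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*",
         "Condition": {"IpAddress": {"aws:SourceIp": "49.147.194.0/24"}}},
        {"Effect": "Deny", "Action": "ec2:*", "Resource": "*",
         "Condition": {"StringNotEquals": {"ec2:Region": "us-west-1"}}},
    ],
}
MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllTDojoUsersNotUsingMFA", "Effect": "Deny",
        "NotAction": "s3:PutObject", "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}
# Constructed for this example: an Allow-everything identity policy, so the
# MFA Deny has something to override.
ALLOW_ALL = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Constructed request resources (the ARNs IAM would derive from the call).
INSTANCE = "arn:aws:ec2:us-west-1:123456789012:instance/i-0123456789abcdef0"
OBJECT = "arn:aws:s3:::tutorialsdojo-manila/report.csv"

if __name__ == "__main__":
    # A call made with long-term access keys carries no aws:MultiFactorAuthPresent
    # key at all; BoolIfExists still fires, which is the point of the variant.
    print(evaluate([ALLOW_ALL, MFA_POLICY], "s3:GetObject", OBJECT, {}))
```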
Amazon VPC Overview
[Diagram: the US East (Ohio) us-east-2 Region with Availability Zone 1, Availability Zone 2 and Availability Zone 3, each made up of several Data Centers; an Amazon VPC with IPv4 CIDR Range 10.0.0.0/16, IPv6 CIDR Range 2001:db8:1234:1a00::/56 and a ROUTE TABLE, with a Private subnet and a Public subnet in each Availability Zone]
[Diagram: CLOUD > REGION > Amazon VPC (IPv4 CIDR Range: 10.0.0.0/16, IPv6 CIDR Range: 2001:db8:1234:1a00::/56, ROUTE TABLE) with a Private subnet 10.0.0.0/24 and a Public subnet 10.0.1.0/24]
• A subnet must reside entirely within one Availability Zone only
• You can have multiple subnets in the same Availability Zone
• One subnet cannot span two or more AZs
Private subnet (10.0.0.0/24): for backend systems like databases or application servers that are not meant to be accessed publicly (Amazon EFS, Amazon RDS, Amazon FSx, PRIVATE Amazon EC2 servers)
Public subnet (10.0.1.0/24): for publicly accessible web servers and resources (PUBLIC Amazon EC2 web servers). This subnet has a connection to the INTERNET GATEWAY of the VPC.
Anatomy of an Amazon VPC
[Diagram: CLOUD > REGION > Amazon VPC (IPv4 CIDR Range: 10.0.0.0/16, IPv6 CIDR Range: 2001:db8:1234:1a00::/56, ROUTE TABLE) with a Private subnet (Amazon EFS, Amazon RDS, Amazon FSx, PRIVATE Amazon EC2 servers) and a Public subnet (PUBLIC Amazon EC2 web servers); a VIRTUAL PRIVATE GATEWAY and an INTERNET GATEWAY attached to the VPC; AWS IAM controls access]
[Diagram: the same VPC connected to a second Amazon VPC through VPC PEERING]
[Diagram: US East (Ohio) us-east-2 with SUBNET 1, SUBNET 2 and SUBNET 3]
[Diagram: US East (Northern Virginia) us-east-1 with the Availability Zones us-east-1a Sterling (8), us-east-1b Ashburn (4) and us-east-1c Chantilly (4)]
[Diagram: CLOUD with an Amazon VPC containing Amazon EC2; AWS Lambda, Amazon DynamoDB, Amazon S3 and Other Services (Fully Managed By AWS) are reached through a VPC Endpoint]
Amazon S3 is not hosted in an Amazon VPC
Amazon VPC Components
• CIDR Block
• Subnets
• Route Table
• DHCP Options Set
• NAT Devices
• Network ACLs
• Security Groups
• Different types of Gateways
CIDR BLOCK
• Allows you to specify the size of your network
• The allowed block size for a VPC is between a /16 and a /28 netmask
• A netmask (subnet mask) tells you the total number of available hosts for your network:
‣ /16 = 65,536 IP addresses
‣ /17 = 32,768 IP addresses
‣ /18 = 16,384 IP addresses
‣ /28 = 16 IP addresses
CIDR BLOCK
• AWS reserves a total of 5 IP addresses from your CIDR block
• The first four IP addresses and the last IP address in each subnet CIDR block are reserved
For the subnet CIDR 10.0.0.0/24:
‣ 10.0.0.0 – Network Address
‣ 10.0.0.1 – VPC Router
‣ 10.0.0.2 – DNS Server
‣ 10.0.0.3 – Reserved for Future Use
‣ 10.0.0.255 – Network Broadcast Address
[Diagram: a VPC with IPv4 CIDR Range 10.0.0.0/16 and IPv6 CIDR Range 2001:db8:1234:1a00::/56]
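The reserved-address rule above, applied by an added Python example that is not from the slides: it lists the five reserved addresses of any subnet, counts what remains usable, and enforces the /16 to /28 VPC limit. plan_subnets assumes subnets follow the same /16 to /28 limit (an AWS rule the slides do not state).

```python
import ipaddress

# Added example, not from the slides: applies the /16-to-/28 VPC limit and
# the five reserved addresses per subnet described above to arbitrary CIDRs.

# The five reserved addresses of every subnet, in address order.
RESERVED_ROLES = (
    "Network Address",            # first address of the block
    "VPC Router",                 # first + 1
    "DNS Server",                 # first + 2
    "Reserved for Future Use",    # first + 3
    "Network Broadcast Address",  # last address of the block
)


def validate_vpc_cidr(cidr):
    """Return the IPv4 network if it is a legal VPC block (/16 to /28)."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
    if net.version != 4 or not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: a VPC IPv4 block must be between /16 and /28")
    return net


def reserved_addresses(subnet_cidr):
    """Map each reserved address of the subnet to the role AWS gives it."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    first_four = [str(net.network_address + i) for i in range(4)]
    return dict(zip(first_four + [str(net.broadcast_address)], RESERVED_ROLES))


def usable_addresses(subnet_cidr):
    """Total addresses in the subnet minus the five that AWS reserves."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - len(RESERVED_ROLES)


def plan_subnets(vpc_cidr, new_prefix):
    """Split a VPC block into equal subnets and report the usable hosts of each.

    Assumption (AWS rule, not on the slide): a subnet may not be smaller than /28.
    """
    vpc = validate_vpc_cidr(vpc_cidr)
    if new_prefix < vpc.prefixlen or new_prefix > 28:
        raise ValueError(f"subnet prefix /{new_prefix} must be between "
                         f"/{vpc.prefixlen} and /28")
    return [(str(sub), usable_addresses(str(sub)))
            for sub in vpc.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    # The slide's own 10.0.0.0/24 subnet: 10.0.0.0 to 10.0.0.3 plus 10.0.0.255.
    for address, role in reserved_addresses("10.0.0.0/24").items():
        print(f"{address} - {role}")
    print(usable_addresses("10.0.0.0/28"))      # 16 total - 5 reserved = 11
    print(plan_subnets("10.0.0.0/16", 24)[:2])  # the first two /24 subnets
```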
ROUTE TABLE
• The implicit router in Amazon VPC
• Controls the network traffic in your VPC through subnet routing
• All subnets in your VPC must be associated with a route table.
• A route table can either be the main route table or a custom route table
• A subnet in your VPC can only be associated with one route table at a time, but you can associate multiple subnets with the same subnet route table.
DHCP OPTIONS SET
• A set of options that controls the automatic provisioning of IP addresses to your Amazon EC2 instances and other resources
• Uses the Dynamic Host Configuration Protocol
• Allocates an IP address to every host, virtual machine, EC2 instance, RDS database, load balancer, or any other AWS resource in your VPC
• Configures your DNS, NetBIOS Name Server, and Network Time Protocol (NTP)
NAT DEVICES
• Uses Network Address Translation (NAT)
• Enables Amazon EC2 instances that are in a private subnet to connect to the public Internet or other AWS services
• Prevents the public Internet from initiating connections with your private EC2 instances.
• Works like a one-way street, which means only the traffic initiated within your VPC is allowed but not vice versa
NAT Instance
• A virtualized NAT device running in an EC2 instance within your VPC
• Managed by the customer (you)
• Not highly available nor scalable
NAT Gateway
• An advanced NAT device that is not running in your VPC
• Managed by AWS
• Highly available and scalable
[Diagram: AWS Cloud > N. Virginia Region > VPC A spanning Availability Zone (AZ) 1 and Availability Zone (AZ) 2, each with a Public subnet holding a NAT Gateway and a Private subnet holding Amazon EC2]
Security Groups vs Network Access Control List (Network ACL)
[Diagram: AWS Cloud > N. Virginia Region > VPC A > a SUBNET guarded by a Network ACL and an Amazon EC2 instance guarded by a Security Group]
• Network ACL: You can create a rule that explicitly allows or denies traffic by its IP address, port, or destination
• Security Group: You can only specify ALLOW rules in a Security Group, but not DENY rules
Gateways
• Internet Gateway
• Customer Gateway
• Virtual Private Gateway
• Carrier Gateway
• Egress-only Internet Gateway
[Diagram: an Amazon VPC whose VIRTUAL PRIVATE GATEWAY is linked over an AWS Direct Connect connection to the CUSTOMER GATEWAY of an On-premises data center]
[Diagram: IPv4 traffic leaves through a NAT Instance or a NAT Gateway; IPv6 traffic leaves through an Egress-only Gateway]
CARRIER GATEWAY
• For VPCs that use AWS Wavelength to deliver ultra-low latency applications for 5G devices.
• Allows incoming traffic from a carrier network in a specific location
• Allows outgoing traffic to the carrier network and to the public Internet.
• Only available for VPCs that contain subnets in a Wavelength Zone
Amazon VPC Network Architectures
[Diagram: CLOUD > REGION > Amazon VPC (IPv4 CIDR Range: 10.0.0.0/16, IPv6 CIDR Range: 2001:db8:1234:1a00::/56, ROUTE TABLE) with a Private subnet and a Public subnet; an INTERNET GATEWAY, and a VIRTUAL PRIVATE GATEWAY reached over AWS VPN or Amazon Direct Connect]
Default VPC
• There is a default VPC in each AWS Region
• A default VPC can immediately be used to launch your Amazon EC2 instances, Elastic Load Balancers, Amazon RDS databases, and other resources.
• Perfect for quickly launching simple public websites or applications
• The existing components of your default VPC can be configured
• Has an attached Internet Gateway by default
[Diagram: CLOUD > REGION > Default VPC with IPv4 CIDR Range 172.31.0.0/16 (/16 = 65,536 IP addresses), a ROUTE TABLE, a Private subnet and a Public subnet, and an INTERNET GATEWAY]
The first 4 IP addresses and the last IP address of that range are reserved. You have a total of 5 IP addresses that are not usable:
‣ 172.31.0.0 – Network Address
‣ 172.31.0.1 – VPC Router
‣ 172.31.0.2 – DNS Server
‣ 172.31.0.3 – Reserved for Future Use
‣ 172.31.255.255 – Network Broadcast Address
[Diagram: the Default VPC (IPv4 CIDR Range: 172.31.0.0/16) with its DHCP OPTIONS SET and ROUTE TABLE, two Private subnets and two Public subnets of /20 each, and an INTERNET GATEWAY reached through the 0.0.0.0 route]
/20 = 4,096 Total IP addresses - Reserved AWS IPs = ~ 4,090 Usable IPs
CUSTOM AMAZON VPC
[Diagram: a custom VPC with IPv4 CIDR Range 10.0.0.0/28, a ROUTE TABLE, a single Private subnet and two Auto Scaling groups]
/28 = 16 Total IP addresses - 5 Reserved AWS IPs = 11 Usable IPs
Amazon VPC Network Architecture Types
• A VPC with a single public subnet
• A VPC with public and private subnets
• A VPC with public and private subnets and Hardware VPN Access (AWS VPN)
• A VPC with a private subnet only and Hardware VPN Access (AWS VPN)
A VPC with a single public subnet
[Diagram: Amazon VPC (IPv4 CIDR Range: 10.0.0.0/16, IPv6 CIDR Range: 2001:db8:1234:1a00::/56, ROUTE TABLE) with a Public subnet and an INTERNET GATEWAY]
A VPC with public and private subnets
[Diagram: the same VPC with a Private subnet and a Public subnet, and an INTERNET GATEWAY]
A VPC with public and private subnets and Hardware VPN Access
[Diagram: the same VPC with a Public subnet and a Private subnet, an INTERNET GATEWAY, and a VIRTUAL PRIVATE GATEWAY terminating an AWS VPN connection]
A VPC with a private subnet and Hardware VPN Access
[Diagram: the same VPC with a Private subnet only and a VIRTUAL PRIVATE GATEWAY terminating an AWS VPN connection]
[Diagram: AWS Cloud > N. Virginia Region > VPC A spanning Availability Zone (AZ) 1 and Availability Zone (AZ) 2, each with a Public subnet holding a NAT Gateway and a Private subnet holding Amazon EC2]
Amazon EC2 Overview
[Diagram: Shared Responsibility – the parts YOU manage; Amazon EC2 can be integrated with a lot of AWS Services]
Your Computer and Amazon EC2 both have: CPU, MEMORY (RAM), NETWORK, DISK IMAGE (ISO), SSD/HDD STORAGE, SHARED FILE SERVER
The Amazon EC2 equivalents:
• SSD/HDD STORAGE: Instance Store, Amazon EBS
• SHARED FILE SERVER: Amazon EFS, Amazon FSx for Lustre, Amazon FSx for Windows File Server
• OBJECT STORAGE: Amazon S3
• NETWORK: Amazon VPC, Elastic IP Address, Elastic Network Interface (ENI), Placement Groups, Elastic Network Adapter (ENA), Elastic Fabric Adapter (EFA)
• AUTO SCALING: Amazon EC2 Auto Scaling
• DISK IMAGE: Amazon Machine Image (AMI)
Instance Purchasing Options
[Diagram: the Underlying Physical Servers of Amazon EC2 are rack-mounted servers in a Rack; a single server can instantiate multiple EC2 Instances (Virtual Machines) and is shared by MULTIPLE Tenants / Customers across the globe!]
[Diagram: customers asking the Amazon EC2 Service for different purchasing options – "I'll pay $1 / hour for that spare EC2 Instance" (the Spare or Unused Server, subject to INTERRUPTION: the service INTERRUPTS and automatically terminates your Spot EC2 Instance); "I want to order an EC2 Instance for $2 / hour"; "I would like to reserve this instance for 1 year at $1.5 / hour"; "I would like to rent the entire server without any virtualization, dedicated for my exclusive use!"]
Amazon EC2 Instance Purchasing Options
• On-Demand
• Spot
• Reserved
• Dedicated
• Savings Plans
• Capacity Reservation
Spot Instances
[Diagram: SUPPLY vs DEMAND for an Instance Type – LOW Supply = HIGH Price; Spot Instances use the Spare or Unused EC2 Capacity at the LOWEST COST; 80 units of capacity are in use and 20 are Unused Capacity (SURPLUS)]
[Diagram: one customer asks the Amazon EC2 Service for a Spot EC2 Instance at $1 / hour while another orders an On-Demand EC2 Instance at $2 / hour; when the spare capacity is needed the service INTERRUPTS and automatically terminates your Spot EC2 Instance]
• Based on the Spot Market
• Priced at the Spot Price ($)
• Buy "On the Spot" for lower prices
Spot Instances FEATURES
• Provide discounts of up to 90% compared to an On-Demand instance
• The most cost-effective type among the Instance purchasing options
• The interruption/termination is based on the Instance Type available in the AWS Global Infrastructure
• Can be interrupted, or be automatically terminated by AWS
• Suitable for non-critical and infrequent jobs that can be interrupted or processed again
Spot Instances USE CASES
• Servers on your development or test environments that are not required to be 100% up all the time
• Applications with flexible start and end times
• Interruptible workloads that can handle failures gracefully
• Handling the peak load or the additional load of your application on top of your Reserved or On-Demand EC2 instances
• Infrequent and interruptible jobs
• Workloads that are infrequently executed
• Interruptible batch jobs or non-production applications that are currently hosted on your On-Demand Instances
• Running the task nodes of your Amazon Elastic MapReduce cluster
• Highly dynamic batch processing where each job:
‣ Is stateless in nature
‣ Can be started and stopped at any given time
‣ Typically takes upwards of 60 minutes or an hour in total to complete
• For whenever you need the MOST cost-effective solution in running your interruptible workloads
Spot Fleet
• A collection, or fleet, of Spot Instances
• Can optionally have On-Demand Instances
Spot Block
• Specify a "block of time" or the duration in which your instance will run continuously
• Interrupted more rarely than your regular Spot Instances.
On-Demand Instances
[Diagram: Demand #1 – "Right now, I want to launch an EC2 Instance for my app!"; Demand #2 – "My batch job processing has been completed. I want to terminate my EC2 instance now"; NO INTERRUPTIONS]
On-Demand Instances USE CASES
• Mission-critical workloads that must not experience any interruptions
• Servers of your mission-critical applications that are running on your production environment
• Short-term workloads that cannot be interrupted
• Handling the steady-state load of your applications
• Running the master node and the core nodes of your Amazon EMR cluster
• Any workloads that require uninterruptible processing
On-Demand Capacity Reservation
• Allows you to reserve EC2 capacity for a specific Availability Zone for a period of time
• Ensures that you always have access to EC2 capacity
• No one-year or three-year term reservation or commitment
• Suitable for scenarios where you require a guaranteed compute capacity for a week or a few months
On-Demand billing by OS Type
• Linux: Pay by the second, with a minimum of 1 minute
• Windows: Pay by the hour, with a minimum of 1 hour
NO INTERRUPTIONS ($): Has the highest cost among the other EC2 Instance Purchasing Options. The high price you pay ensures that your EC2 Instance will NOT be interrupted.
Reserved Instances
[Diagram: On-Demand Instances are FOR MISSION-CRITICAL APPLICATIONS and UNINTERRUPTIBLE; Reserved Instances are CHEAPER THAN ON-DEMAND INSTANCES; Spot Instances; the Reserved Instance Marketplace]
RESERVE for 1 year or 3 years
Payment options (moving from All Upfront to No Upfront costs a little more!):
• All Upfront – Pay the FULL Price. Provides the highest savings!
• Partial Upfront – Pay the PARTIAL Price
• No Upfront – Pay on a MONTHLY basis. Provides the least amount of discount
Standard Reserved Instance vs Convertible Reserved Instance
Both:
• Can modify the attributes such as the Availability Zone or Network
• Can modify the Instance Size using other sizes within the same instance family
• Require a fixed 1-year or 3-year commitment
Standard Reserved Instance
• Can be sold in the Reserved Instance Marketplace
• Cannot be exchanged for any other Reserved Instance
Convertible Reserved Instance
• Cannot be sold in the Reserved Instance Marketplace
• Can be exchanged for another Convertible Reserved Instance with a different configuration, including instance family, operating system, and tenancy
Reserved Instances USE CASES
• Running non-interruptible workloads for a one-year or three-year time frame
• Workloads with predictable capacity and uptime requirements
• Hosting the application servers of your production environment
• For processing the steady-state load or the baseline capacity of your workloads
• For batch jobs that cannot be interrupted once started
• For consuming Amazon SQS queue messages in which the application should continually process messages without any downtime
• Running the master node or core nodes of your Amazon Elastic MapReduce cluster (cheaper than On-Demand Instances)
• And many more!
SCOPE: Regional or Zonal
Dedicated Hosts & Dedicated Instances
TENANCY: It's like "renting" an entire house for your family, in which you are the sole tenant (single-tenant). If you share a house with your friends or co-workers, then there are multiple tenants (multi-tenant).
[Diagram: a Dedicated Instance and a Dedicated Host compared with DEFAULT TENANCY]
A rack-mounted server is also called a HOST
DEDICATED HOST
• A single, physical rack-mounted server, also known as a host
• Used by a SINGLE Customer / Tenant
• Licensing can be counted per-socket, per-core (= CPU Core), or per-VM
DEDICATED HOST (a rack-mounted server / host) USE CASES
• For cases when the existing server-bound software licenses must be used by customers
• To comply with your per-core software license requirements
• For compliance and software licensing requirements mandating that a workload must be hosted on a physical server
• For migrating commercial off-the-shelf applications with licenses that must still be utilized upon migration
• For performing cost analysis that supports physical isolation of a customer workload
• Launching Windows Server, SQL Server, SUSE Linux Enterprise Server, Red Hat Enterprise Linux, or other software licenses that are bound to particular VMs, sockets, or physical CPU cores
DEDICATED INSTANCE
• Regular virtual machines that run in a virtual private cloud (VPC) on hardware that's dedicated to a single customer
• Dedicated Instances that belong to different AWS accounts are physically isolated at a hardware level
• Dedicated Instances may share hardware with other Amazon EC2 instances if the instances are:
‣ In the same AWS account
‣ Not a type of Dedicated Instance
• Allows you to launch Dedicated Spot Instances, Dedicated On-Demand Instances, or Dedicated Reserved Instances
[Diagram: Virtual Machines / Instances hosted on dedicated single-tenant hardware]
Savings Plans
• A flexible pricing model in AWS that helps you save on the usage of your Amazon EC2, AWS Fargate and AWS Lambda
Savings Plans FEATURES
• Provides discounts in exchange for a commitment to a consistent usage amount that is measured in dollars per hour for a one- or three-year term
• Aside from Amazon EC2, it also covers other compute resources such as AWS Fargate and AWS Lambda
• Can be purchased from:
‣ Any AWS account
‣ The management account of your AWS Organization
‣ A member account of your AWS Organization
Savings Plans vs Reserved Instances
Both:
• Require a fixed one-year or three-year commitment
• Provide billing discounts
Savings Plans
• Based on a consistent amount of compute usage
• Provides flexibility to use a more suitable compute option at low prices without any exchanges or modification
Reserved Instances
• Based on a specific Instance Type or Instance Size
• Must exchange or modify the Reserved Instance to suit your current requirements
Capacity Reservation
• Allows you to reserve capacity for your EC2 instances in a specific Availability Zone
• Independent of the billing discounts offered by Savings Plans or regional Reserved Instances
Capacity Reservation FEATURES
• Works like a Zonal Reserved Instance
• No 1-year or 3-year commitment
• You can reserve a particular Availability Zone only (Zonal); no Regional reservations in scope
• Can be applied to On-Demand EC2 Instances
Capacity Reservation REQUIREMENTS
• Availability Zone
• Number of Amazon EC2 Instances
• Instance Attributes (e.g. instance type, OS, etc.)
[Diagram: a Capacity Reservation (us-east-1a, 2 instances, Instance Type A3) must MATCH the running EC2 Instances in your VPC on Availability Zone, Number of Amazon EC2 Instances and Instance Attributes]
Amazon EC2 Instance Types
[Diagram: Mac Instances (*Powered by Mac Mini); an Amazon EC2 Instance Type is made up of CPU, GRAPHICS, RAM, NETWORK, STORAGE and OTHER COMPONENTS…]
CPU OPTIONS for an Amazon EC2 Instance Type include AWS Graviton
The newer your EC2 instance type is, the more cost-efficient and powerful it is.
An Amazon EC2 Instance Type is also known as an INSTANCE FAMILY
Instance Sizes: nano, micro, small, medium, large, xlarge, metal
INSTANCE CATEGORIES            INSTANCE FAMILY / TYPES
• General Purpose              Mac, T*, M*, A*
• Compute Optimized            C*
• Memory Optimized             R*, X*, Z*, U*
• Storage Optimized            I*, D*, H*
• Accelerated Computing        P*, Inf*, G*, F*
• Others                       More Instance Types to be launched soon!
INSTANCE TYPE NAMING CONVENTION

TYPE & GENERATION . SIZE, e.g. m6.nano

INSTANCE FAMILY + GENERATION: m6
SIZE: nano, micro, small, medium, large, xlarge, metal
• metal indicates that you are using a bare metal type (non-virtualized)

TYPE & GENERATION
m4 & below     PREVIOUS GENERATION
m5             5th GENERATION
m6             6th GENERATION
m7 & above     NEXT GENERATION

CPU TYPE
**a            e.g. t3a
**g            AWS Graviton, e.g. m6g
t3, m5, r5     no CPU type suffix

OTHER SUFFIXES
***d           Has a local NVMe-based SSD storage
***n           Has enhanced networking capabilities
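The naming convention above is mechanical enough to parse. The following is an added example, not code from the course slides: it splits an instance type name into family, generation, suffix letters and size using the rules listed above, and buckets the generation the way the slides do for the m family. The meaning of the "a" and "i" suffixes (AMD and Intel processors) is taken from AWS's naming and is not stated on the slides; every other rule comes from the slides.

```python
"""Parse Amazon EC2 instance type names by the naming convention on the slides.

Added example, not from the course slides. Suffix letters a and i (AMD and
Intel processors) are an assumption from AWS naming; g, d and n and the
generation buckets are as described on the slides.
"""
import re
from dataclasses import dataclass
from typing import List

SUFFIX_MEANING = {
    "a": "AMD processor",                 # assumption: not stated on the slides
    "i": "Intel processor",               # assumption: not stated on the slides
    "g": "AWS Graviton processor",        # slide: **g = AWS Graviton
    "d": "local NVMe-based SSD storage",  # slide: ***d
    "n": "enhanced networking",           # slide: ***n
}

# family letters, generation digits, optional suffix letters, '.', size
_NAME_RE = re.compile(
    r"^(?P<family>[a-z]+)(?P<gen>\d+)(?P<suffix>[a-z]*)\."
    r"(?P<size>\d*x?large|nano|micro|small|medium|metal)$"
)


@dataclass
class InstanceType:
    family: str
    generation: int
    suffixes: List[str]
    size: str

    @property
    def metal(self) -> bool:
        """The 'metal' size is a bare metal (non-virtualized) instance."""
        return self.size == "metal"

    @property
    def burstable(self) -> bool:
        """The T family is the burstable performance family."""
        return self.family == "t"

    def generation_class(self) -> str:
        """Generation buckets as the slides present them (m4 and below, m5, m6, m7 and above)."""
        if self.generation <= 4:
            return "previous generation"
        if self.generation == 5:
            return "5th generation"
        if self.generation == 6:
            return "6th generation"
        return "next generation"

    def features(self) -> List[str]:
        return [SUFFIX_MEANING[s] for s in self.suffixes]


def parse_instance_type(name: str) -> InstanceType:
    """Split e.g. 'm6g.xlarge' into family 'm', generation 6, suffixes ['g'], size 'xlarge'."""
    m = _NAME_RE.match(name.strip().lower())
    if not m:
        raise ValueError(f"not an instance type name: {name!r}")
    suffixes = list(m.group("suffix"))
    unknown = [s for s in suffixes if s not in SUFFIX_MEANING]
    if unknown:
        raise ValueError(f"unknown suffix letter(s) {unknown} in {name!r}")
    return InstanceType(m.group("family"), int(m.group("gen")), suffixes, m.group("size"))


def describe(name: str) -> str:
    """One-line summary, e.g. for an inventory report of running instances."""
    t = parse_instance_type(name)
    parts = [f"{name}: family {t.family}, {t.generation_class()}, size {t.size}"]
    if t.burstable:
        parts.append("burstable (CPU credits)")
    if t.metal:
        parts.append("bare metal")
    parts.extend(t.features())
    return "; ".join(parts)


if __name__ == "__main__":
    for n in ["t3a.micro", "m6g.xlarge", "c5d.9xlarge", "m5.metal", "r6id.large"]:
        print(describe(n))
```

An unknown suffix letter raises rather than being silently ignored, so a report built on this parser flags names it does not understand instead of misclassifying them.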


INSTANCE TYPE NAMING CONVENTION

T
• Burstable Performance Instances
• Provides a baseline level of CPU performance with the ability to burst above the baseline
• The ability to burst is governed by CPU Credits

CPU Credits
• A CPU Credit is accrued when the instance is idle
• A sort of ‘vertical scaling’, since it temporarily provides higher CPU performance over the maximum CPU capacity of the instance
• A CPU Credit provides a full CPU core performance for one minute

[Chart: CPU Utilization (0 to 200) from 10 AM to 1 PM, showing the BASELINE and the BURST ZONE above it]
INSTANCE TYPE NAMING CONVENTION

SIZE: metal
• Bare metal instances
• Grants direct access to the CPU and memory resources of the underlying server
• Doesn't have a pre-installed KVM, Xen, or AWS Nitro Hypervisor that other EC2 instances use
• Allows you to fully access the CPU, Storage, and Networking bandwidth of the underlying server
• Allows customers to run their own hypervisor or virtualization-secured containers such as Clear Linux Containers
• Meant for customers who have enterprise applications that need to run in non-virtualized environments or need to use their own hypervisor
• Can still be integrated with Amazon EBS, Elastic Load Balancers, and other resources on your Amazon VPC
• Provides the highest attributes across all other types in its Instance Family
• Has equal or more attributes than the largest instance type in the instance family
Amazon Machine Image (AMI)

[Diagram: an EC2 Instance with its apps & configurations is captured as an AMI, a DISK IMAGE]

Amazon Machine Image (AMI) components: Volume Snapshots, Block Device Mapping, Launch Permissions

BLOCK STORE TYPE: Amazon EBS
• Volume Snapshots: EBS Snapshots
• Block Device Mapping: Amazon EBS Volumes mapping

BLOCK STORE TYPE: Amazon EC2 Instance Store
• Volume Snapshots: N/A
• Block Device Mapping: Template for the root volume

Launch Permissions
• Public
• Explicit
• Implicit

• Regional in scope
• You can copy your AMI to another AWS Region
• You can also copy your AMI to another AWS account

[Diagram: COPY AMI from VPC A in an Availability Zone (AZ) of the N. Virginia Region to VPC A in the Ohio Region, within the AWS Cloud; AMIs are also available from the AWS Marketplace]

VIRTUALIZATION TYPE: PV (Paravirtual)
• BOOT UP PROCESS: Uses a special boot loader called PV-GRUB
• SUPPORT FOR SPECIAL HARDWARE EXTENSIONS: N/A

VIRTUALIZATION TYPE: HVM (Hardware Virtual Machine)
• BOOT UP PROCESS: Executes the master boot record of the root block device of your image
• SUPPORT FOR SPECIAL HARDWARE EXTENSIONS: Uses several special hardware extensions such as enhanced networking or GPU processing
[Diagram: an Amazon SQS queue (messages 1, 2, 3, 4) whose Age of the Oldest Message metric drives a Target Tracking Policy on an Auto Scaling group]

Amazon Machine Image (AMI)
[Diagram: one AMI used to launch a grid of EC2 instances]
Instance User Data

EC2 Instance User Data example:

#!/bin/bash
yum update -y
mkdir tdojologs
systemctl start httpd
echo "tutorialsdojo OK!"

User Data examples

Mounting Amazon EFS:

mkdir ~/tutorialsdojo-efs
sudo mount -t nfs -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport awsjonbonsoefs:/ ~/tutorialsdojo-efs

Auto Scaling Group launch script (installs the CloudWatch Logs agent):

#!/bin/bash
curl https://s3.amazonaws.com/aws-cloudwatch/downloads/latest/awslogs-agent-setup.py -O
chmod +x ./awslogs-agent-setup.py
./awslogs-agent-setup.py -n -r us-east-1 -c s3://tutorialsdojo

User Data
• Must be in a base64-encoded format
• Limited to 16 KB only when in raw form
• Accessible from the Instance Metadata using this URI: http://169.254.169.254/latest/user-data
• Only runs once upon the first EC2 Instance launch
• Modifying the User Data and restarting the instance won’t affect the initial User Data
Instance Metadata

[Diagram: a grid of EC2 instances, each with its VIRTUALIZATION MANIFEST and METADATA]

INSTANCE METADATA
• AMI
• Hostname
• Public IP address
• Private IP address
• Instance type
• MAC address
• Security groups
• Security credentials
• IAM Roles of your instance
• . . . and many more!

INSTANCE METADATA SERVICE
Link-local Address: http://169.254.169.254/latest/meta-data/

INSTANCE METADATA SERVICE version 2
• Session Oriented

CATEGORIES
• Private IP Address
• Public IP or Elastic IP Address
• Media Access Control (MAC) Address
• Security Groups
• Instance Profile
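What "session oriented" means for the version 2 service, and how the user-data URI above is served through the same endpoint, is easiest to see with a mock. The following is an added example, not code from the course slides: it runs a tiny HTTP server on 127.0.0.1 standing in for the link-local 169.254.169.254 address (which only exists inside an EC2 instance) and serves the two paths named above. With IMDSv2 a caller must first obtain a session token with an HTTP PUT and send it on every GET; a bare GET in the IMDSv1 style is refused. The header names and the 21600-second maximum token TTL are the real ones; the metadata values are constructed sample data.

```python
"""Why IMDSv2 is 'session oriented': a local mock of the metadata service.

Added example, not from the course slides. 127.0.0.1 stands in for the
link-local 169.254.169.254 address; the returned values are constructed.
"""
import secrets
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
MAX_TTL = 21600   # seconds; the service's maximum session length

# Constructed sample values; a real instance returns its own.
SAMPLE_DATA = {
    "/latest/meta-data/instance-type": "t3.micro",
    "/latest/meta-data/local-ipv4": "10.0.1.25",
    "/latest/user-data": "#!/bin/bash\nsystemctl start httpd\n",
}


class MockImds(BaseHTTPRequestHandler):
    tokens = {}           # session token -> expiry timestamp
    v1_allowed = False    # True would emulate the 'IMDSv1 optional' setting

    def log_message(self, *args):      # silence per-request logging
        pass

    def _reply(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        """IMDSv2 step 1: PUT /latest/api/token with a TTL header returns a token."""
        ttl = self.headers.get(TOKEN_TTL_HEADER, "")
        if self.path != "/latest/api/token" or not ttl.isdigit() or not 1 <= int(ttl) <= MAX_TTL:
            self._reply(400, "bad token request")
            return
        token = secrets.token_urlsafe(32)
        MockImds.tokens[token] = time.time() + int(ttl)
        self._reply(200, token)

    def do_GET(self):
        """IMDSv2 step 2: GETs must carry a valid, unexpired session token."""
        token = self.headers.get(TOKEN_HEADER)
        valid = token in MockImds.tokens and MockImds.tokens[token] > time.time()
        if not valid and not MockImds.v1_allowed:
            self._reply(401, "token required")
        elif self.path in SAMPLE_DATA:
            self._reply(200, SAMPLE_DATA[self.path])
        else:
            self._reply(404, "not found")


def start_server():
    """Start the mock on a free local port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), MockImds)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def get_token(base_url, ttl=MAX_TTL):
    req = urllib.request.Request(base_url + "/latest/api/token", method="PUT")
    req.add_header(TOKEN_TTL_HEADER, str(ttl))
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def fetch(base_url, path, token=None):
    """GET a metadata path; returns (status, body). Token is optional so the refusal can be shown."""
    req = urllib.request.Request(base_url + path)
    if token:
        req.add_header(TOKEN_HEADER, token)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.getcode(), resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


if __name__ == "__main__":
    srv, base = start_server()
    print(fetch(base, "/latest/meta-data/instance-type"))       # (401, 'token required')
    tok = get_token(base)
    print(fetch(base, "/latest/meta-data/instance-type", tok))  # (200, 't3.micro')
    print(fetch(base, "/latest/user-data", tok)[1].splitlines()[0])
    srv.shutdown()
```

The point for a defender: anything that can only issue a plain GET (and cannot first make a PUT and carry the returned header) gets a 401 from a v2-only endpoint, which is why enforcing IMDSv2 on an instance is a worthwhile hardening step given that credentials and user data are both reachable through this service.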
Amazon EC2 Networking

[Diagram: EC2 instances reach the PUBLIC INTERNET and the PRIVATE NETWORK in AWS, which is powered by physical networking devices]

VIRTUAL Network Interface Card (on the EC2 instance) backed by a PHYSICAL Network Interface Card

Elastic Network Interface, IP Addressing, Elastic IP Address, Enhanced Networking and Elastic Fabric Adapter (EFA) are powered by the NETWORK INTERFACE CARD (physical and virtual)

Elastic Network Interface
• Primary private IPv4 address
• Secondary private IPv4 addresses
• One Elastic IP address per private IPv4 address
• One public IPv4 address
• One or more IPv6 addresses
• One or more security groups
• Media Access Control (MAC) address
• Source-Destination check flag
• Custom description

[Diagram: two EC2 instances with private addresses 192.168.2.5 and 192.168.3.6]
CIDR
• Classless Inter-Domain Routing
• A method for allocating IP addresses
• Also used for IP Routing

IPv4 Address / IPv6 Address

Private IP Address (e.g. 192.168.2.5): Request For Comments 1918 (RFC 1918)

Private IP Address ranges (RFC 1918)

Class     IP Address Range                  Total IP Addresses   CIDR Block Prefix
Class A   10.0.0.0 – 10.255.255.255         Over 16 million      /8
Class B   172.16.0.0 – 172.31.255.255       Over 1 million       /12
Class C   192.168.0.0 – 192.168.255.255     Over 64,000          /16

Examples of private IP addresses in each range:
10.0.0.0 – 10.255.255.255         10.0.0.10       (10.0.*.*)
172.16.0.0 – 172.31.255.255       172.16.0.5      (172.16.*.*)
192.168.0.0 – 192.168.255.255     192.168.0.9     (192.168.*.*)

CIDR 192.168.68.0/24
• Jon’s Desktop: Private 192.168.68.107
• Rizal’s Laptop: Private 192.168.1.11
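The range checks above can be done with Python's standard ipaddress module. The following is an added example, not code from the course slides: it classifies an address against the three RFC 1918 blocks, summarises a CIDR block (so you can confirm that /24 is 256 addresses and /12 is over 1 million), and tests membership, including the slide's own case of Jon's desktop being inside 192.168.68.0/24 while Rizal's laptop is not. The overlap check goes a little beyond the slide; it is the test a VPC design needs before peering or connecting two networks.

```python
"""RFC 1918 private ranges and CIDR membership checks with the ipaddress module.

Added example, not from the course slides. The ranges and sample addresses
are the ones shown on the slides.
"""
import ipaddress
from typing import Optional

RFC1918 = {
    "Class A": ipaddress.ip_network("10.0.0.0/8"),
    "Class B": ipaddress.ip_network("172.16.0.0/12"),
    "Class C": ipaddress.ip_network("192.168.0.0/16"),
}


def private_class(addr: str) -> Optional[str]:
    """Name of the RFC 1918 block containing addr, or None if it is not private."""
    ip = ipaddress.ip_address(addr)
    for name, net in RFC1918.items():
        if ip in net:
            return name
    return None


def cidr_summary(cidr: str) -> dict:
    """Network address, prefix length and address count of a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=False)   # tolerate host bits being set
    return {
        "network": str(net.network_address),
        "prefix": net.prefixlen,
        "total_addresses": net.num_addresses,
        "first": str(net[0]),
        "last": str(net[-1]),
    }


def in_network(addr: str, cidr: str) -> bool:
    """True if addr belongs to the CIDR block (e.g. a subnet's range)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def cidr_overlaps(a: str, b: str) -> bool:
    """True if two blocks share any address; overlapping VPC CIDRs cannot be peered."""
    return ipaddress.ip_network(a, strict=False).overlaps(ipaddress.ip_network(b, strict=False))


if __name__ == "__main__":
    for addr in ["10.0.0.10", "172.16.0.5", "192.168.0.9", "172.32.0.1", "52.44.107.223"]:
        print(addr, "->", private_class(addr) or "public")
    print(cidr_summary("192.168.68.0/24"))
    print("192.168.68.107 in 192.168.68.0/24:", in_network("192.168.68.107", "192.168.68.0/24"))
    print("192.168.1.11 in 192.168.68.0/24:", in_network("192.168.1.11", "192.168.68.0/24"))
```

Note that 172.32.0.1 is reported as public: the Class B private block ends at 172.31.255.255, which is exactly the kind of boundary a hand-written prefix check gets wrong.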
Internal DNS hostname (Private IP Address): ip-10-251-50-12.ec2.internal

Public IP Address
• Dynamic IP Address
• Static IP Address: Elastic IP Address, allocated to your account

External DNS hostname: ec2-136-158-28-50.compute-1.amazonaws.com

Elastic IP Address is also used by:
• NAT Gateway
• Network Load Balancer
Features that enhance and accelerate the network capability of your EC2 instances:
• Enhanced Networking
• Elastic Fabric Adapter (EFA)

Enhanced Networking
• Based on the network adapter drivers of the underlying physical host
• The network adapter drivers can be:
  • Intel® Network Adapter Virtual Function Driver
  • AWS-built custom-based network adapter driver called Elastic Network Adapter (ENA)
• Network drivers provided by AWS or other companies
• Similar to the “driver” or the software package that allows your computer to access a printer or other physical computer devices
• Uses single root I/O virtualization or SR-IOV
• Provides higher I/O performance and lower CPU utilization than the traditional virtualization techniques
• Controlled by network drivers (software)
• Provides:
  • Higher bandwidth
  • Consistent lower inter-instance latencies
  • Higher packet per second (PPS) performance

Network Drivers
• Elastic Network Adapter (ENA)
• Intel 82599 Virtual Function (VF) interface

Elastic Fabric Adapter (EFA)
• Just like an Elastic Network Interface (ENI), with additional capabilities
• Can directly communicate with the network interface hardware without passing through the Linux Kernel – also known as OS-Bypass
• Provides low-latency and reliable transport functionality to your virtual machines.
• Accelerates the networking capabilities of your High-Performance Computing or HPC workloads
• Enhances inter-instance communication
Amazon EC2 Network Security
• Security Groups
• Network Access Control List (Network ACL)

[Diagram: in the N. Virginia Region of the AWS Cloud, VPC A contains a SUBNET protected by a Network ACL and EC2 instances protected by a Security Group]

[Diagram: VPC A spans Availability Zones 1, 2 and 3; each SUBNET (1, 2, 3) has its own Network ACL and each EC2 instance its own Security Group]

Default Network ACL
• Already exists by default
• Can be modified
• Allows all inbound and outbound traffic by default

Custom Network ACL
• You manually have to create it
• Can be modified
• Denies all inbound and outbound traffic by default

Network ACL (SUBNET 2)
• State: STATELESS
• You can: Allow Traffic, Deny Traffic
• Rule TYPES: Inbound Rules, Outbound Rules
• An address prefix of /32 denotes a single IP address
• The /24 denotes the CIDR block which contains 256 different IP addresses

Ephemeral Ports (Outbound Rules)
• Short-lived port numbers
• The range varies depending on the Operating System
• 32768 – 61000
• 49152 – 65535
• 1024 – 65535

[Diagram: Network ACL of SUBNET 2 with Inbound Rules and Outbound Rules in front of an EC2 instance]
Security Groups
• A virtual firewall that controls the incoming and outgoing traffic of one or more EC2 instances
• 1 EC2 instance can have one or more security groups
• Cannot have an explicit DENY rule (unlike Network ACL)
• Aside from EC2 Instances, it can also be attached to Amazon RDS, Amazon ElastiCache and other AWS resources

Inbound Rules
• Allows incoming traffic
• Can’t explicitly DENY traffic
• Not affected by Outbound Rules

Outbound Rules
• Allows outgoing traffic
• Controls traffic originated from the EC2 instance itself
• Does not affect the outgoing response traffic
• Examples:
  • EC2-initiated API call
  • Scheduled OS Patches

7 Open Systems Interconnection (OSI) Model Layers: TCP, UDP

Common TCP ports
HTTP : 80      MSSQL : 1433    RDP : 3389
HTTPS : 443    MySQL : 3306    SSH : 22
SMB : 445
ICMP - Ping

You can only Allow Traffic (Whitelisting)

Default Security Group
• Already exists on your default VPC
• Has one inbound rule and one outbound rule by default
• Will be attached to your EC2 instance if you didn’t specify a particular security group
• Automatically allows incoming traffic from any resource that also uses the default security group
• Allows all outgoing traffic that originated from the instance itself

Custom Security Group
• You manually have to create it
• Has a default outbound rule that allows all traffic
• Doesn’t have a default inbound rule
• Denies all inbound and outbound traffic by default

Security Group
• STATEFUL
• Inbound Rules: HTTP : 80, HTTPS : 443
• Outbound Rules: SMB : 445, ICMP - Ping
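The stateless-versus-stateful distinction between the two slides above is where most misconfigurations come from, so it is worth seeing the evaluation rules run. The following is an added example, not code from the course slides: it models a network ACL as a numbered rule list evaluated lowest number first, with ALLOW and DENY and an implicit deny at the end, and a security group as ALLOW-only rules whose reply traffic passes automatically. It serves both the Network ACL slides (including the /32 and /24 prefixes and the ephemeral port ranges) and the Security Group slides. The addresses, ports and rule sets are constructed sample data.

```python
"""A stateless network ACL next to a stateful security group.

Added example, not from the course slides; rule sets and traffic are constructed.
Ephemeral port ranges quoted on the slides: 32768-61000, 49152-65535, 1024-65535.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

EPHEMERAL_NACL_RULE = (1024, 65535)   # range a NACL outbound rule covers for replies


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def reply(self) -> "Packet":
        """The response travels the other way: addresses and ports swapped."""
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


@dataclass(frozen=True)
class Rule:
    number: int          # NACL rule number (ignored by a security group)
    cidr: str            # /32 = one address, /24 = 256 addresses
    proto: str
    port_from: int
    port_to: int
    action: str          # "allow" or "deny"

    def matches(self, ip: str, port: int, proto: str) -> bool:
        return (self.proto in ("all", proto)
                and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr, strict=False))


class NetworkACL:
    """Stateless: every packet, in each direction, is checked against the rules."""

    def __init__(self, inbound: List[Rule], outbound: List[Rule]):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules: List[Rule], remote_ip: str, port: int, proto: str) -> bool:
        for rule in rules:                  # lowest matching rule number decides
            if rule.matches(remote_ip, port, proto):
                return rule.action == "allow"
        return False                        # the implicit '*' rule: deny

    def allows_inbound(self, p: Packet) -> bool:
        return self._evaluate(self.inbound, p.src_ip, p.dst_port, p.proto)

    def allows_outbound(self, p: Packet) -> bool:
        return self._evaluate(self.outbound, p.dst_ip, p.dst_port, p.proto)

    def allows_exchange(self, request: Packet) -> bool:
        """The request must pass inbound AND its reply must pass outbound."""
        return self.allows_inbound(request) and self.allows_outbound(request.reply())


class SecurityGroup:
    """Stateful: allow rules only; the reply to allowed traffic always gets out."""

    def __init__(self, inbound: List[Rule]):
        if any(r.action != "allow" for r in inbound):
            raise ValueError("a security group cannot have an explicit DENY rule")
        self.inbound = inbound

    def allows_exchange(self, request: Packet) -> bool:
        return any(r.matches(request.src_ip, request.dst_port, request.proto) for r in self.inbound)


def demo() -> dict:
    """Constructed HTTPS request from an internet client to an instance at 10.0.1.10."""
    https = Packet("203.0.113.9", 51515, "10.0.1.10", 443)
    allow_https = Rule(100, "0.0.0.0/0", "tcp", 443, 443, "allow")
    reply_rule = Rule(100, "0.0.0.0/0", "tcp", *EPHEMERAL_NACL_RULE, "allow")
    # outbound side only allows port 443, so the reply to port 51515 is dropped
    forgetful = NetworkACL(inbound=[allow_https], outbound=[allow_https])
    # with the ephemeral-port outbound rule the reply reaches the client
    complete = NetworkACL(inbound=[allow_https], outbound=[reply_rule])
    # a lower-numbered DENY for one /24 is evaluated before the allow
    blocking = NetworkACL(inbound=[Rule(50, "203.0.113.0/24", "tcp", 443, 443, "deny"), allow_https],
                          outbound=[reply_rule])
    sg = SecurityGroup([Rule(0, "0.0.0.0/0", "tcp", 443, 443, "allow")])
    return {
        "nacl_missing_ephemeral": forgetful.allows_exchange(https),
        "nacl_with_ephemeral": complete.allows_exchange(https),
        "nacl_explicit_deny": blocking.allows_exchange(https),
        "security_group": sg.allows_exchange(https),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {'allowed' if ok else 'blocked'}")
```

The "forgetful" ACL is the classic symptom: inbound looks right, yet clients see connections hang, because the reply to the client's ephemeral port has no outbound rule. A security group never shows this failure, which is also why it cannot be used to block a specific source the way the numbered DENY rule does.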
Security Groups
[Diagram: a REQUEST from an EC2 instance to Amazon EC2, Amazon RDS, Amazon Aurora and Amazon ElastiCache, each protected by Security Groups]

Security Groups + AWS Web Application Firewall (AWS WAF)
• You can’t apply a security group or network ACL to your Amazon S3 buckets
• Both of these features do not provide enough protection against Cross-Site Scripting or SQL Injection attacks
• These two are also inefficient in geographic match conditions or blocking certain countries

VPC Flow Logs
• Security Groups
• Network Access Control List (Network ACL)
Placement Groups

[Diagram: the US East (Ohio) Region, us-east-2, has Availability Zones 1, 2 and 3, each made of several Data Centers; the Amazon EC2 Service decides where to place your instance (“I’ll place you…”), for example in a Data Center of Availability Zone 3]

Placement Groups: CLUSTER, PARTITION, SPREAD (Logical Group / Host Rack Networking within an Availability Zone)

CLUSTER
• Provides low-latency network performance and high network throughput
• Group of rack servers on a network building block with special routing configuration

PARTITION
• Commonly used on large distributed and replicated workloads, such as Hadoop, Cassandra, and Kafka
• Instances are placed in Partition 1, Partition 2, … within the Availability Zone

SPREAD
• Reduces correlated failures and improves availability

[Diagram: an Auto Scaling group launching EC2 instances into a Placement Group]
Amazon EC2 Auto Scaling Overview

[Diagram: number of requests growing 1, 10, 100, 1000; an AMI launches instances into an Auto Scaling group across a Public subnet and a Private subnet]

ELASTICITY
• The ability to dynamically acquire or release resources when you need them
• Can be easily done in the cloud since it has hundreds of thousands of servers
• Improves the performance of your application when it is experiencing a surge of requests
• Avoids over-provisioning of your resources
• Lowers your operating costs significantly by eliminating idle resources

Amazon EC2: CPU, SSD/HDD STORAGE, NETWORK BANDWIDTH
On-premises data center: RIGID and NOT FLEXIBLE

SCALING TYPES: VERTICAL SCALING, HORIZONTAL SCALING

VERTICAL SCALING
• SCALE UP: Small Amazon EC2 Instance Type (10 vCPU, 100 GB) to Large Amazon EC2 Instance Type (30 vCPU, 300 GB)
• SCALE DOWN: the reverse

HORIZONTAL SCALING
• SCALE OUT: launch more instances from the Amazon Machine Image (AMI)
• SCALE IN: remove instances

Amazon EC2 Auto Scaling components: AUTO SCALING GROUP, CONFIGURATION TEMPLATE, SCALING OPTION

AUTO SCALING GROUP
• Organizes your Amazon EC2 instances into groups
• A logical unit for scaling and management
• Must have a setting for the minimum, maximum, and desired number of Amazon EC2 instances

CONFIGURATION TEMPLATE
• Types:
  • Launch Template
  • Launch Configuration
• Acts as a template for your Auto Scaling Group, containing the AMI ID, the instance type, the key pair, the security groups, block device mapping and others
• It is recommended to use a Launch Template, rather than a Launch Configuration, as the latter only offers limited features

SCALING OPTION
• Allows you to choose the suitable scaling behavior of your Auto Scaling Group.
• Types:
  • Dynamic
  • Predictive
  • Scheduled

[Diagram: instances 1 to 5 in an Auto Scaling group move from NOT YET READY TO ACCEPT CONNECTIONS to READY TO ACCEPT CONNECTIONS; LIFECYCLE HOOKS, INSTANCE WARM-UP and COOL DOWN apply here]
Amazon EC2 Auto Scaling Types

AMAZON EC2 AUTO SCALING TYPES: SIMPLE SCALING, STEP SCALING, TARGET TRACKING, SCHEDULED SCALING

SIMPLE SCALING
• Automatically increases or decreases the current capacity of your Auto Scaling Group based on a single scaling adjustment
• [Diagram: an Amazon CloudWatch ALARM on CPU UTILIZATION crossing the ALARM THRESHOLD scales the Auto Scaling Group, followed by a COOL DOWN]

STEP SCALING
• Automatically increases or decreases the current capacity of your Amazon EC2 Auto Scaling group based on a set of scaling adjustments, also known as step adjustments
• Also requires the use of CloudWatch alarms with specified high and low thresholds as well as a defined action that either adds or removes instances
• Also supports setting the Auto Scaling group to an exact size or a fixed capacity unit in the event that your CloudWatch alarm threshold was breached
• Unlike Simple Scaling policy, it can continue to respond to additional CloudWatch alarms, even if the current scaling activity or health check replacement is already in progress
• Has a COOL DOWN

TARGET TRACKING
• Automatically increases or decreases the current capacity of your Auto Scaling group based on a target value for a specific metric
• Maintains and adjusts the number of EC2 instances in your Auto Scaling group based on the target that you specify
• [Diagram: an Amazon CloudWatch ALARM with ALARM THRESHOLD = 50% on AVERAGE CPU UTILIZATION; the AVERAGE CPU OF ALL EC2 INSTANCES is shown at 30% and at 80%]
• TARGET TRACKING WORKS LIKE A THERMOSTAT!

TARGET TRACKING USE CASES
• If you’ve determined the optimal performance of your web application and you want to maintain its desired performance across all EC2 instances of your Auto Scaling group
• If your application works best when the combined CPU utilization of your Amazon EC2 instances is at or near a certain percentage (e.g. 40%). You can set up a target tracking policy with a metric type of “Average CPU utilization” and a 40% target value
• Tracking of a certain metric that is produced by your application. You can track the average network in or network out of all your instances
• You can use the request count per target (ALBRequestCountPerTarget) metric of your Application Load Balancer as the metric type for your Target Tracking policy
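The thermostat comparison above can be made concrete with a small simulation. The following is an added example, not code from the course slides: the group is resized in proportion to how far the metric sits from the target (average CPU of 30% or 80% against a 50% target, as on the slide), the result is clamped to the group's minimum and maximum size, and scale-in waits for a cooldown while scale-out happens at once. The proportional formula with rounding up is an assumption chosen for illustration, not the published service algorithm, and the metric series is constructed; the same class is reused with ALBRequestCountPerTarget as the metric.

```python
"""Target tracking scaling simulated as a thermostat.

Added example, not from the course slides. The proportional resize with
rounding up is an illustrative assumption; the metric samples are constructed.
"""
import math
from dataclasses import dataclass
from typing import List


@dataclass
class TargetTrackingPolicy:
    target: float                  # e.g. 50.0 for "Average CPU utilization" at 50%
    min_size: int
    max_size: int
    scale_in_cooldown: int = 300   # seconds to wait before shrinking again

    def desired(self, current: int, metric: float) -> int:
        """Capacity that would bring the metric back to the target, within min/max."""
        wanted = math.ceil(current * metric / self.target)
        return max(self.min_size, min(self.max_size, wanted))


def simulate(policy: TargetTrackingPolicy, start: int, samples: List[float],
             period: int = 60) -> List[int]:
    """Group size after each metric sample (one sample per period of seconds)."""
    capacity = start
    last_activity = -10**9       # no scaling activity yet
    trace = []
    for i, metric in enumerate(samples):
        now = i * period
        wanted = policy.desired(capacity, metric)
        if wanted > capacity:                            # scale out right away
            capacity, last_activity = wanted, now
        elif wanted < capacity and now - last_activity >= policy.scale_in_cooldown:
            capacity, last_activity = wanted, now        # scale in only after cooldown
        trace.append(capacity)
    return trace


if __name__ == "__main__":
    cpu = TargetTrackingPolicy(target=50.0, min_size=2, max_size=10)
    print(cpu.desired(4, 30.0), cpu.desired(4, 80.0))          # 3 7
    print(simulate(cpu, 4, [80, 45, 30, 30, 30, 30, 30, 30]))  # [7, 7, 7, 7, 7, 5, 5, 5]
    # Same policy class with ALBRequestCountPerTarget as the metric
    alb = TargetTrackingPolicy(target=1000, min_size=1, max_size=20)
    print(alb.desired(2, 2500))                                 # 5
```

The trace shows the asymmetry the slides describe elsewhere: the jump to 80% grows the group immediately, while the drop to 30% is only acted on once the cooldown has elapsed, which is why a group shrinks more slowly than it grows.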
SCHEDULED SCALING
• Automatically increases or decreases the current capacity of your Auto Scaling group based on a set schedule that you define
• Allows you to set up your own scheduled scaling based on the predictable load changes of your application.

SCHEDULED SCALING USE CASES

Month-end Batch Processing Scenario
• Performs significantly slower when the month-end financial calculation batch executes
• Causes the CPU utilization of your Amazon EC2 instances to immediately peak to 100% on that period
• Always happens on the first day of every month at the stroke of midnight.
• Set a scheduled scaling policy with a monthly schedule
• Scale out before the clock hits 12 midnight on the first day of the month so there would be more EC2 instances deployed to handle the peak load

Holidays and Public Announcements
• Provides a consistent user experience by scaling your Auto Scaling group a few hours before your event or specific holidays
• Scaling out your compute capacity takes time due to the cooldown period. It may take an hour or more to fully scale your compute capacity to match the current load. This is the reason why you have to scale out early!
• Setting up a scheduled scaling activity beforehand can reduce the performance issues of your application

Slow site every morning when the workday begins…
• Sluggish application performance right when the workday begins (e.g. 8 AM) but usually runs well by mid-morning (e.g. 10 AM) or at lunchtime
• There is a delay in launching new instances as opposed to the number of incoming requests
• For example, your Auto Scaling group scales up to 20 or 25 instances during work hours, but scales down to just 2 instances overnight
• In the morning, it takes a few hours for the scaling process to complete – extending to mid-morning or till lunchtime, since there are only 2 instances at the start of the day
Amazon EC2 Lifecycle Hooks

Hooks
• A function that gets executed automatically on a certain event
• Provides the ability to influence the outcome of your workflow based on the criteria that you define
• Can stop, skip, or replace the other function that is supposed to run on a particular lifecycle
• Also used in some programming languages, version control, and other programs

[Diagram: Git Hook example: git commit triggers a Git Hook that runs integration tests; on PASS the commit is made and pushed (git push) to the Repository, on FAIL there is no commit]

REACT COMPONENT LIFECYCLE hooks: MOUNTING, UPDATING, UNMOUNTING
ANGULAR COMPONENT LIFECYCLE hooks

Amazon EC2 Instance Lifecycle
[Diagram: AMI, then pending (Pending:Wait, Pending:Proceed), then running, rebooting, stopping and stopped (Amazon EBS-Backed EC2 Instances Only), then shutting-down (Terminating:Wait, Terminating:Proceed) and terminated]

Pending:Wait
• During the scale-out event of your Auto Scaling group, you can:
  • Ensure that your new EC2 instances download the latest code base from your repository
  • Verify that your EC2 user data has been successfully completed first before the instance can start accepting traffic
• You have to use the Pending:Wait lifecycle hook for this particular scenario

Terminating:Wait
• During the scale-in event of your Auto Scaling group, you can:
  • Pause the instance termination for a certain amount of time to upload all the remaining data logs before the instance gets completely terminated
  • Execute a custom shell script
• You have to use the Terminating:Wait lifecycle hook for these use cases
Amazon EBS Overview

Amazon EBS
• EBS stands for Elastic Block Store
• A type of block storage like the Amazon EC2 Instance Store
• Its data is more persistent and will not get lost even if the EC2 instance was stopped, restarted, or terminated
• Zonal in scope, which means it only exists in a single Availability Zone
• Can be attached to any EC2 instance in the same Availability Zone only
• Can be encrypted at rest using AWS KMS
• You can attach one or more Amazon EBS volumes to a single EC2 instance
• Suitable for a variety of workloads such as databases, enterprise applications, big data analytics engines, file systems, media workflows, and others
• Allows you to store and retrieve your data with high throughput and low latency
• The Amazon EC2 instance and its attached EBS volumes are logically attached together and are both located within a single Availability Zone, which significantly reduces latency
• Since the underlying physical resources that power your Amazon EC2 instance and EBS volumes are located within the same city or geographic area, Amazon EBS is capable of providing low-latency read or write access to your data
• Mainly operates on the hardware level


Block storage example: Total File Size: 8 kb, divided by Block Size: 4 kb, gives two BLOCKs of File Size: 4 kb each

RAID
Redundant Array of Independent Disks

RAID 0
• Stripes multiple volumes together
• Provides greater I/O performance
• Divides a body of data into blocks and then spreads the data blocks across multiple storage devices
• Suitable if I/O performance is your priority

RAID 1
• Mirrors two or more volumes together
• Provides on-instance redundancy
• Duplicates data to provide more durability and availability
• Suitable if data redundancy is your focus

Amazon Elastic Block Store (Amazon EBS): Solid State Drive (SSD) vs Hard Disk Drive (HDD)

Read & Write Speeds
• SSD: Fast !
• HDD: Slow…

Use Case
• SSD: For workloads with frequent read/write operations
• HDD: For data archiving, backups or throughput-oriented storage

Dominant Performance Attribute
• SSD: IOPS (Input/Output Operations Per Second)
• HDD: Throughput (Megabit per second (Mbps))

Can be used as Boot Volume for Amazon EC2?
• SSD: Yes
• HDD: No
Amazon EBS Snapshots
• An incremental backup that internally uses Amazon S3 to persist your data
• It only saves the data blocks that have changed after your most recent snapshot
• Allows you to restore the state of your EBS volume in the event of data loss
• Enables you to copy your EBS volume to another AWS Region for your data migration or disaster recovery activities
• Can be used to encrypt an unencrypted Amazon EBS volume.
• Automate the creation, retention, and deletion of your EBS snapshots and EBS-backed AMIs using the Amazon Data Lifecycle Manager (Amazon DLM) service

Amazon EBS Encryption
• ENCRYPTION IN TRANSIT and ENCRYPTION AT REST, using AWS KMS Keys
• Amazon EBS Encryption by Default must be manually enabled per AWS Region
• AMAZON EBS VOLUME, AMAZON EBS SNAPSHOT, INTERNAL AMAZON S3 BUCKET (the bucket is exclusively managed by AWS)
Amazon EBS Types

Amazon EC2 Instance volumes
• ROOT EBS VOLUME (* contains the system image for booting the EC2 instance)
• OTHER DATA VOLUMES

Solid State Drive (SSD) / Hard Disk Drive (HDD)

Solid State Drive (SSD)
• Suitable for transactional workloads
• For various types of applications and systems with frequent read/write operations with small I/O sizes
• Performance Attribute: IOPS
• Types:
  • gp: General Purpose SSD
  • io: Provisioned IOPS SSD

gp General Purpose SSD
• Provides a balance of price and performance for your workloads
• Recommended for most workloads
• Also suitable for apps with unpredictable or unknown access patterns
• For your infrequently accessed applications or systems that:
  • Only peak during certain times of the day
  • Have varying Disk I/O operations
• Provides ample IOPS for your applications but not on par with what a Provisioned IOPS type can give
• The most cost-effective storage option that does NOT sacrifice performance

io Provisioned IOPS SSD
• Provides a configurable and consistent IOPS to allow you to accommodate the changes in your data storage requirements
• Suitable for low-latency interactive apps in production as well as your development and test environments
• Primarily used for mission-critical, low-latency, or high-throughput workloads
• Provides sub-millisecond latency and consistent IOPS performance
• Allows you to set the amount of available IOPS of your EBS volume
• For hosting data for your applications that make small reads and writes to a small file system
• For applications that require a number of high read and write IOPS performance
• For fixing latency issues
• For scenarios where your database storage performance is the bottleneck
• For storage systems that require a configurable and consistent IOPS
• . . . and many more!
Amazon EBS Multi-Attach
• An io Provisioned IOPS SSD volume (holding, for example, File-Manila.txt) attached to several Nitro-based Amazon EC2 Instances at the same time
• No concurrent file modification

Hard Disk Drive (HDD)
• Optimized for large streaming workloads
• For various types of applications and systems with large, sequential I/O operations
• Performance Attribute: Throughput (MB/s)
• Cannot be used as your boot (root device) volume
• Types:
  • st: Throughput Optimized HDD
  • sc: Cold HDD

st Throughput Optimized HDD
• A low-cost HDD designed for frequently accessed, throughput-intensive workloads
• Can be used for your Big data applications, Data Warehouses, and Log Processing

sc Cold HDD
• Lowest-cost HDD storage type
• Meant for storing less frequently accessed workloads
• The most cost-effective EBS storage type option for data archiving only since its throughput performance is substantially low
• Suitable for throughput-oriented storage for data that is infrequently accessed
• Perfect for scenarios where the lowest storage cost is of the utmost importance

ANTI-PATTERNS
• If you just need temporary storage for your data, use EC2 Instance Store instead
• If you have to store your application or system data in a POSIX-compliant hierarchical directory structure, use Amazon EFS instead
• If you have multiple applications that are concurrently accessing the same files at the same time, it is better to use the Amazon EFS or Amazon FSx service instead
• If you need to store your static data in the most cost-effective way, it’s more appropriate and cheaper to store it in Amazon S3
Amazon Elastic Load Balancing Overview

Elastic Load Balancing: the distribution of traffic to underlying resources such as:
• Amazon EC2 Instances
• AWS Lambda Functions
• Amazon EKS Clusters
• Amazon ECS Tasks
• AWS Fargate Tasks
• Custom IP Addresses

[Diagram: SIMPLE ROUTING POLICY pointing at a single server (52.44.107.223); WEBSITE STATUS goes from UP to DOWN! during OS Patching or System Maintenance, or Critical Application or System Errors]

[Diagram: FAILOVER ROUTING POLICY with one server DOWN! and one UP]

[Diagram: WEIGHTED ROUTING POLICY (40% / 60%) and MULTIVALUE ANSWER ROUTING POLICY under an Incoming Load of Traffic; WEBSITE STATUS: UP, and UP with slight degradation]

Without a load balancer:
• The distribution of the incoming load traffic is not balanced across the underlying servers
• The traffic is distributed randomly
• Unbalanced: some servers are overutilized (CPU Utilization: Over 100%) while others are underutilized
• No routing algorithm
• Lacks security features

[Diagram: a Load Balancer in a REGION of the CLOUD, spanning AZ 1 (Public subnet A 10.0.1.0/24) and AZ 2 (Public subnet B 10.0.1.0/24)]
• Balanced distribution of incoming traffic through the use of a routing algorithm

Elastic Load Balancing TYPES

Application Load Balancer (ALB)
• ROUTING ALGORITHM: Round Robin, Least Outstanding Requests (LOR)
• PROTOCOL LISTENERS: HTTP / HTTPS, gRPC
• USE CASES: For web apps, microservices & containers

Network Load Balancer (NLB)
• ROUTING ALGORITHM: Flow Hash
• PROTOCOL LISTENERS: TCP / UDP, TLS
• USE CASES: Handling millions of requests per second while maintaining ultra-low latencies

Gateway Load Balancer (GWLB)
• ROUTING ALGORITHM: IP Listener Routing that leverages the GENEVE protocol
• PROTOCOL LISTENERS: IP
• USE CASES: Running third-party virtual appliances in AWS

Classic Load Balancer (CLB)
• ROUTING ALGORITHM: Round Robin, Least Outstanding Requests (LOR)
• PROTOCOL LISTENERS: HTTP / HTTPS, TCP, SSL/TLS
• USE CASES: For legacy applications in AWS; for implementing Custom Security Policies and TCP passthrough configuration
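The three routing algorithms named in the table above behave quite differently, and the difference matters when you reason about session affinity and about why one target ends up hot. The following is an added example, not code from the course slides: it implements round robin, least outstanding requests and flow hash over a constructed target list. The flow-hash key is the classic 5-tuple (protocol, source IP, source port, destination IP, destination port); SHA-256 stands in for whatever hash the Network Load Balancer actually uses, which the slides do not specify.

```python
"""Round robin, least outstanding requests and flow hash side by side.

Added example, not from the course slides; targets and flows are constructed,
and SHA-256 is a stand-in for the load balancer's real flow hash.
"""
import hashlib
from collections import Counter
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, int, str, int]   # (proto, src_ip, src_port, dst_ip, dst_port)


class RoundRobin:
    """ALB/CLB default: each new request goes to the next target in turn."""

    def __init__(self, targets: List[str]):
        self.targets = list(targets)
        self.next_index = 0

    def pick(self, flow: Optional[Flow] = None) -> str:
        target = self.targets[self.next_index % len(self.targets)]
        self.next_index += 1
        return target


class LeastOutstandingRequests:
    """ALB/CLB option: route to the target with the fewest in-flight requests."""

    def __init__(self, targets: List[str]):
        self.in_flight: Dict[str, int] = {t: 0 for t in targets}

    def pick(self, flow: Optional[Flow] = None) -> str:
        # ties are broken by name so the choice is deterministic
        target = min(self.in_flight, key=lambda t: (self.in_flight[t], t))
        self.in_flight[target] += 1
        return target

    def done(self, target: str) -> None:
        """Call when a request finishes so the target's count drops again."""
        self.in_flight[target] -= 1


class FlowHash:
    """NLB: every packet of the same flow is sent to the same target."""

    def __init__(self, targets: List[str]):
        self.targets = sorted(targets)

    def pick(self, flow: Flow) -> str:
        key = "|".join(str(f) for f in flow).encode()
        digest = hashlib.sha256(key).digest()
        index = int.from_bytes(digest[:8], "big") % len(self.targets)
        return self.targets[index]


def distribute(balancer, flows: List[Flow]) -> Counter:
    """Count how many flows each target receives under a given algorithm."""
    return Counter(balancer.pick(f) for f in flows)


def sample_flows(n: int) -> List[Flow]:
    """Constructed client flows: different source ports, same HTTPS destination."""
    return [("tcp", f"203.0.113.{i % 20 + 1}", 40000 + i, "10.0.1.10", 443) for i in range(n)]


if __name__ == "__main__":
    targets = ["i-a", "i-b", "i-c"]
    flows = sample_flows(30)
    print("round robin:", distribute(RoundRobin(targets), flows))
    print("flow hash:  ", distribute(FlowHash(targets), flows))
    fh = FlowHash(targets)
    print("same flow twice -> same target:", fh.pick(flows[0]) == fh.pick(flows[0]))
```

Round robin spreads 30 flows exactly 10/10/10; flow hash is only statistically even, but it is the one that keeps a long TCP connection pinned to one target, which is what the NLB use case in the table relies on.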
[Diagram: LISTENER HTTP 80 forwarding to a TARGET (http://tutorialsdojo.com); LISTENER HTTPS 443 forwarding to a TARGET GROUP with a Health Check (https://tutorialsdojo.com)]

TARGET / TARGET GROUP members: Amazon EC2 Instances, AWS Lambda Functions, Amazon EKS Clusters, Amazon ECS Tasks, AWS Fargate Tasks, Custom IP Addresses

[Diagram: in the US-EAST-1 REGION of the CLOUD, an ELB in front of TARGET GROUPs in Public subnet A 10.0.1.0/24 and Public subnet B 10.0.1.0/24]

[Diagram: AWS Global Accelerator and Route 53 in front of ELBs and their TARGET GROUPs in the US-EAST-1 and US-EAST-2 REGIONs]

[Diagram: US-EAST-1 REGION, number of requests 1, 10, 100, 1000 (RequestCountPerTarget) across Availability Zone 1 and Availability Zone 2; the TARGET GROUP with an Auto Scaling group grows automatically, the one with No Auto Scaling group needs a Manual Process]
Amazon Elastic Load Balancing
TYPES
Application Load Balancer Network Load Balancer

Gateway Load Balancer Classic Load Balancer


Application Load Balancer
• Primarily used for load balancing HTTP and HTTPS traffic
• Suitable for web applications
• Works on Layer 7 (Application Layer) of the OSI Model
• Supports Round Robin (default) and Least Outstanding Requests (LOR) routing algorithms
• Target types: Amazon EC2 instance, AWS Lambda function, IP address
• Supported protocol listeners: HTTP and HTTPS; gRPC is selected as the protocol version of a target group and runs over HTTP/2
• Also supports WebSockets and HTTP/2
• Can be integrated with AWS Global Accelerator, AWS Config, AWS WAF and other services
• Notable features:
  Advanced routing via listener rule condition types
  Connection draining (called deregistration delay on ALB)
  Idle connection timeout
  Cross-zone load balancing
  Preserving the client source IP address (passed to the targets in the X-Forwarded-For header; the TCP source address a target sees is the load balancer's own)
  Slow start
• Security features:
  SSL/TLS offloading (TLS is terminated at the load balancer)
  Server Name Indication (SNI), so one HTTPS listener can serve several certificates
  Back-end server encryption (HTTPS from the load balancer to the targets)
  User authentication (OpenID Connect identity providers or Amazon Cognito) before the request reaches the target
  Application-Layer Protocol Negotiation (ALPN)
  Integration with security groups and AWS WAF
Application Load Balancer LISTENER RULE CONDITION TYPES
• Host condition: tutorialsdojo.com, portal.tutorialsdojo.com, app.tutorialsdojo.com, *.tutorialsdojo.com
• HTTP header: User-Agent, Content-Type
• HTTP request method: GET, POST, PUT, DELETE
• Path: /img/, /doc/cebu, /pdf/*/report
• Query string: /info?version=1, /health?status=manila, /account?id=123&alias=pogi
• Source IP: 192.0.2.0/24, 198.51.100.10/32 (source IP conditions are written as CIDR blocks)

Rules are evaluated in priority order; the first rule whose conditions all match is applied, and if no rule matches the listener's default action is used. The source IP condition is evaluated on the TCP source address of the connection, so when another proxy or CDN sits in front of the load balancer it matches that proxy's address, not the client address carried in X-Forwarded-For.
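The following is an added example, not code from the original slides: a small model of how an Application Load Balancer evaluates listener rules against a request. Rules are checked in priority order, the first rule whose conditions all match wins, and the listener's default action applies otherwise. The rule set, hostnames, CIDR ranges and target group names are constructed for illustration, and the rule dictionaries are a simplified form of the real ELBv2 condition shapes.

```python
"""Added example, not part of the original slides: a small model of how an
Application Load Balancer picks an action for a request.  Rules are checked
in priority order; the first rule whose conditions ALL match wins, otherwise
the listener's default action applies.  Rules, hostnames, CIDR ranges and
target group names are constructed and the rule dictionaries are a
simplified form of the ELBv2 API shapes."""
import ipaddress
import re


def _pattern_to_regex(pattern):
    # ALB host-header and path-pattern wildcards: '*' = zero or more
    # characters, '?' = exactly one character; everything else is literal.
    body = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                   for ch in pattern)
    return re.compile(body)


def _match_any(patterns, value):
    return any(_pattern_to_regex(p).fullmatch(value) for p in patterns)


def _query_matches(pairs, query):
    # pairs: list of (key, value) conditions; key None means "any key".
    actual = {}
    for part in query.split("&") if query else []:
        k, _, v = part.partition("=")
        actual.setdefault(k, []).append(v)
    for key, value in pairs:
        candidates = [v for vs in actual.values() for v in vs] if key is None \
            else actual.get(key, [])
        if any(_match_any([value], v) for v in candidates):
            return True
    return False


def condition_matches(cond, req):
    field = cond["field"]
    if field == "host-header":           # host names are case-insensitive
        return _match_any(cond["values"], req["host"].lower())
    if field == "path-pattern":          # path only, case-sensitive, no query string
        return _match_any(cond["values"], req["path"])
    if field == "http-request-method":
        return req["method"].upper() in cond["values"]
    if field == "http-header":
        return _match_any(cond["values"], req["headers"].get(cond["name"].lower(), ""))
    if field == "query-string":
        return _query_matches(cond["values"], req["query"])
    if field == "source-ip":
        # Evaluated on the TCP source address, never on X-Forwarded-For.
        addr = ipaddress.ip_address(req["source_ip"])
        return any(addr in ipaddress.ip_network(c, strict=False) for c in cond["values"])
    raise ValueError(f"unknown condition field {field!r}")


def route(rules, default_action, req):
    """Return the action of the first matching rule (lowest priority number first)."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if all(condition_matches(c, req) for c in rule["conditions"]):
            return rule["action"]
    return default_action


def make_request(method, host, path, query="", source_ip="198.51.100.10", headers=None):
    return {"method": method, "host": host, "path": path, "query": query,
            "source_ip": source_ip,
            "headers": {k.lower(): v for k, v in (headers or {}).items()}}


# Constructed rule set; a lower priority number is evaluated first.
RULES = [
    {"priority": 10, "action": "forward:tg-static",
     "conditions": [{"field": "path-pattern", "values": ["/img/*", "/pdf/*/report"]}]},
    {"priority": 20, "action": "forward:tg-portal-api",
     "conditions": [{"field": "host-header", "values": ["portal.tutorialsdojo.com"]},
                    {"field": "http-request-method", "values": ["POST", "PUT", "DELETE"]}]},
    # Admin paths are reachable only from the (hypothetical) corporate range ...
    {"priority": 30, "action": "forward:tg-admin",
     "conditions": [{"field": "path-pattern", "values": ["/admin/*"]},
                    {"field": "source-ip", "values": ["192.0.2.0/24"]}]},
    # ... and everyone else gets a fixed 403 instead of falling through to the default.
    {"priority": 31, "action": "fixed-response:403",
     "conditions": [{"field": "path-pattern", "values": ["/admin/*"]}]},
    {"priority": 40, "action": "forward:tg-v1",
     "conditions": [{"field": "query-string", "values": [("version", "1")]}]},
]
DEFAULT_ACTION = "forward:tg-web"
```

The pair of rules at priorities 30 and 31 is the pattern to remember: a restrictive rule that only matches from an allowed source range must be followed by an explicit deny for the same path, otherwise unmatched requests silently fall through to the default action.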
Network Load Balancer
• For load balancing TCP, UDP, and TLS traffic
• Can handle millions of requests per second
• Routes the traffic while maintaining ultra-low latencies
• Works on Layer 4 (Transport Layer) of the OSI Model
• Uses the flow hash routing algorithm
• Can be directly associated with an Elastic IP address (one static IP address per Availability Zone)
• Supports direct integration with AWS Global Accelerator, AWS Config, VPC endpoint services (AWS PrivateLink) and Traffic Mirroring
• Notable features:
  Connection draining
  Cross-zone load balancing
  Preserving the source IP address (the target sees the client's real address)
  WebSockets support
  Long-lived TCP connections
• Security features:
  SSL/TLS offloading (TLS termination at the load balancer)
  Server Name Indication (SNI)
  Back-end server encryption
  Application-Layer Protocol Negotiation (ALPN)
  Integration with AWS Global Accelerator
  Note that NLB does not integrate with AWS WAF, and security groups on NLB only became available in August 2023; on older deployments the filtering has to be done on the targets' security groups

Notable differences between ALB and NLB
• NLB does not have a selection of rule condition types, unlike ALB
• NLB uses the TCP and UDP transport protocols, not HTTP and HTTPS
• Suitable for various networking use cases, such as real-time multiplayer games that use UDP
• Can support millions of requests per second while maintaining ultra-low latencies, unlike ALB
• Can be directly associated with an Elastic IP address, unlike ALB
Gateway Load Balancer
• Primarily used for running third-party virtual appliances
• Suitable for custom firewalls, deep packet inspection systems, intrusion detection and prevention systems and many other virtual appliances
• Uses the Internet Protocol (IP) to pass OSI Layer 3 traffic to its registered targets
• Works on both Layer 3 (Network Layer) and Layer 4 (Transport Layer) of the OSI Model
• Uses the Generic Network Virtualization Encapsulation (GENEVE) protocol, on UDP port 6081, to exchange application traffic with the appliances, so the appliance sees the original packets unchanged
• You can use GWLB endpoints to exchange traffic across different VPC boundaries
• Access is configured using the route tables of your VPC, instead of virtual IP addresses

Classic Load Balancer
• Intended for legacy applications that were built on the EC2-Classic network (EC2-Classic itself was retired in August 2022)
• Not recommended for modern applications
• Supports both the transport layer protocols (TCP, SSL) and the application layer protocols (HTTP, HTTPS)
• Works on both Layer 4 (Transport Layer) and Layer 7 (Application Layer) of the OSI Model
• For applications with custom security policies and TCP passthrough configuration
• Can provide end-to-end security for your data in transit (back-end encryption from the load balancer to the instances)
Amazon S3 Overview
• An object storage service
• S3 stands for “Simple Storage Service”
• Highly durable, available and scalable storage service
• Primarily used to store static data that does not change frequently
• Can make your files publicly available via the Internet, but only if you explicitly allow it: buckets and objects are private by default, and S3 Block Public Access is turned on for every new bucket
• Highly scalable and allows you to store a virtually unlimited number of files

OBJECT: the stored file together with its METADATA, a set of name-value pairs
BUCKET: the container that holds objects

BUCKET NAMING GUIDELINES
• The S3 bucket name is globally unique
• The namespace is shared by all AWS accounts around the world
• Example: if you created an S3 bucket named “tutorialsdojo”, then no other AWS user can create a bucket with that same name; if someone tries to create a new bucket called “tutorialsdojo”, that request will fail
• Amazon S3 does NOT support POSIX, including concurrent file modification, file system access semantics and file locking

Amazon S3 Folders and Prefixes
• Help you organize or group your objects
• S3 has a flat structure
• The concept of a “folder” is not hierarchical, unlike Amazon EFS
• Example object key name: tutorialsdojo/aws.jpeg, where tutorialsdojo/ is the prefix and aws.jpeg is the file name

Availability and durability
• [Diagram: AWS Cloud, N. Virginia Region, your VPC, Availability Zones 1 to 3] Amazon S3 automatically stores your objects redundantly across a minimum of three Availability Zones of the AWS Region by default (S3 One Zone-IA is the exception)
• AVAILABILITY: 99.99% (S3 Standard)
• DURABILITY: 99.999999999% (eleven nines)
• Durability is the probability that an object remains intact and accessible after a period of one year:
  100%: absolutely no data loss per year
  99%: 1% chance of data loss per year
  99.99%: 0.01% chance of data loss per year
  99.999999999%: 0.000000001% chance of data loss per year; in AWS's own terms, if you store 10 million objects you can on average expect to lose a single object once every 10,000 years
Amazon S3 Storage Classes
• For frequently accessed data: S3 Standard
• For changing or unknown access patterns: S3 Intelligent-Tiering
• For storing long-lived, yet less frequently accessed data: S3 Standard-IA (Infrequent Access), S3 One Zone-IA (Infrequent Access)
• For low-cost long-term storage and data archiving: S3 Glacier (now called S3 Glacier Flexible Retrieval), S3 Glacier Deep Archive

Lifecycle Policy
• Example waterfall: S3 Standard → after 30 days S3 Standard-IA, S3 One Zone-IA or S3 Intelligent-Tiering → after 90 days S3 Glacier → after 180 days S3 Glacier Deep Archive
• The 30, 90 and 180 days line up with the minimum storage duration of each class, so objects are not moved out of a class before that class has been paid for
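As an added example that is not part of the original slides, the lifecycle waterfall above expressed as the rule document you would pass to put-bucket-lifecycle-configuration, together with a check of the constraints Amazon S3 enforces (transition days must increase, Standard-IA and One Zone-IA transitions need at least 30 days, expiration must come after the last transition) and of the early-transition charges the slides describe. Rule IDs and prefixes are made up.

```python
"""Added example, not part of the original slides: build the lifecycle
configuration behind the 30/90/180-day waterfall and check it against the
constraints Amazon S3 enforces before it is sent with
put-bucket-lifecycle-configuration.  Rule IDs and prefixes are made up."""
import json

# Minimum storage durations (days) per class; deleting or transitioning
# earlier is still billed for the full period.
MIN_STORAGE_DAYS = {"STANDARD": 0, "INTELLIGENT_TIERING": 0, "STANDARD_IA": 30,
                    "ONEZONE_IA": 30, "GLACIER_IR": 90, "GLACIER": 90, "DEEP_ARCHIVE": 180}

# S3 only transitions objects "down" this waterfall, never back up.
WATERFALL = ["STANDARD", "STANDARD_IA", "INTELLIGENT_TIERING", "ONEZONE_IA",
             "GLACIER_IR", "GLACIER", "DEEP_ARCHIVE"]


def build_rule(rule_id, prefix, transitions, expire_after=None):
    """transitions: list of (days_after_creation, storage_class) tuples."""
    rule = {"ID": rule_id, "Status": "Enabled", "Filter": {"Prefix": prefix},
            "Transitions": [{"Days": d, "StorageClass": c} for d, c in transitions]}
    if expire_after is not None:
        rule["Expiration"] = {"Days": expire_after}
    return rule


def validate_rule(rule):
    """Return the problems S3 would reject or that cost money; [] means OK."""
    problems = []
    prev_days, prev_rank, prev_class = -1, -1, "STANDARD"
    for t in rule.get("Transitions", []):
        days, cls = t["Days"], t["StorageClass"]
        if cls not in WATERFALL:
            problems.append(f"unknown storage class {cls}")
            continue
        rank = WATERFALL.index(cls)
        if cls in ("STANDARD_IA", "ONEZONE_IA") and days < 30:
            problems.append(f"{cls} transition must be at least 30 days after creation, got {days}")
        if days <= prev_days:
            problems.append(f"transition to {cls} at day {days} must be later than the previous transition")
        if rank <= prev_rank:
            problems.append(f"transition from {prev_class} to {cls} goes back up the waterfall")
        # Leaving a class before its minimum duration triggers an early-transition charge.
        if prev_days >= 0 and days - prev_days < MIN_STORAGE_DAYS[prev_class]:
            problems.append(f"{prev_class} objects leave after {days - prev_days} days "
                            f"but are billed for {MIN_STORAGE_DAYS[prev_class]}")
        prev_days, prev_rank, prev_class = days, rank, cls
    exp = rule.get("Expiration", {}).get("Days")
    if exp is not None and exp <= prev_days:
        problems.append(f"expiration at day {exp} must be later than the last transition (day {prev_days})")
    return problems


def lifecycle_document(rules):
    """The JSON body for put-bucket-lifecycle-configuration."""
    return json.dumps({"Rules": rules}, indent=2)


def logs_rule():
    # The slide's waterfall: IA at 30 days, Glacier at 90, Deep Archive at 180, delete after 7 years.
    return build_rule("archive-logs", "logs/",
                      [(30, "STANDARD_IA"), (90, "GLACIER"), (180, "DEEP_ARCHIVE")],
                      expire_after=7 * 365)


def hasty_rule():
    # A common mistake: IA after a week (rejected) and Glacier scheduled before IA (rejected).
    return build_rule("too-early", "tmp/", [(7, "STANDARD_IA"), (5, "GLACIER")])
```

validate_rule(logs_rule()) returns an empty list, while hasty_rule() produces three findings: the 7-day Standard-IA transition, the Glacier transition that is not later than the previous one, and the early-transition charge that follows from it.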
Static Website Hosting
• Launch a static website with HTML pages, downloadable packages, images, media files, or other client-side scripts
• Cost-effective solution for hosting your static websites with no server management required (serverless)
• Cannot be used for running server-side scripts such as PHP, JSP, ASP.NET etc.
• The objects must be readable by anonymous users, which means relaxing Block Public Access on that bucket; putting Amazon CloudFront in front of the bucket lets the bucket itself stay private

Amazon S3 vs Amazon EBS vs Amazon EFS
• Amazon S3: accessed via the public Internet by default, invoked via a REST API request call
• Amazon EBS: block storage attached to an Amazon EC2 instance
• Amazon EFS: network file system mounted on Amazon EC2 instances
Other Amazon S3 features
• S3 Versioning: keeps every version (x.*) of an object to prevent accidental data deletion in Amazon S3
• Multi-Factor Authentication (MFA) Delete: requires an MFA code to permanently delete an object version or change the versioning state of a bucket
• Access Control List (ACL): the legacy way to secure access to your S3 buckets and objects; buckets created since April 2023 have ACLs disabled (Object Ownership set to bucket owner enforced), so prefer bucket policies and IAM
• Bucket Policy: controls external access to your Amazon S3 bucket
• Cross-Region Replication (CRR): automatically replicates objects to a different AWS Region for backup purposes
• Transfer Acceleration: accelerates or expedites the data transfer (upload/download) of S3 objects
• Multipart Upload: uploads a large object in parts, in parallel
…and many other S3 features!
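As an added example that is not part of the original slides, the two settings that decide whether a bucket can be reached anonymously or over plaintext HTTP, written as the JSON you would pass to put-public-access-block and put-bucket-policy, with an audit function that flags the weak variants. The bucket name is made up; the policy uses only the documented s3:GetObject and s3:* actions and the aws:SecureTransport condition key.

```python
"""Added example, not part of the original slides: Block Public Access
settings and a bucket policy that refuses plaintext requests, plus an audit
that flags the weak variants (the classic public static-website policy and
partially disabled Block Public Access).  Bucket name is hypothetical."""
import json

BUCKET = "tutorialsdojo-example-bucket"   # hypothetical
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def block_public_access_config():
    # What new buckets get by default since April 2023: all four flags on.
    return {flag: True for flag in BPA_FLAGS}


def hardened_bucket_policy(bucket):
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}


def public_website_policy(bucket):
    # The classic static-website policy: anyone may read every object.
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def _is_anonymous(principal):
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")


def audit_bucket(bpa, policy):
    """Return a list of findings; an empty list means private and TLS-only."""
    findings = [f"Block Public Access flag {flag} is off" for flag in BPA_FLAGS if not bpa.get(flag)]
    denies_plaintext = False
    for st in policy.get("Statement", []):
        cond = st.get("Condition", {})
        if st.get("Effect") == "Allow" and _is_anonymous(st.get("Principal")) and not cond:
            findings.append(f"statement {st.get('Sid', '<no Sid>')} grants unconditional anonymous access")
        if (st.get("Effect") == "Deny" and _is_anonymous(st.get("Principal"))
                and cond.get("Bool", {}).get("aws:SecureTransport") == "false"):
            denies_plaintext = True
    if not denies_plaintext:
        findings.append("no statement denies plaintext (non-TLS) requests")
    return findings


def policy_json(policy):
    """The body for put-bucket-policy."""
    return json.dumps(policy, indent=2)
```

With all four Block Public Access flags on, S3 would reject the public_website_policy at put-bucket-policy time (BlockPublicPolicy), which is why the audit of the weak combination below reports the missing flags as well as the public statement.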


Amazon S3 Storage Classes
• S3 Standard
• S3 Intelligent-Tiering
• S3 Standard-Infrequent Access (Standard-IA)
• S3 One Zone-Infrequent Access (One Zone-IA)
• S3 Glacier
• S3 Glacier Deep Archive

S3 Standard
• Primarily used for storing your data that is frequently accessed
• Highly durable, highly available, and high performance object storage
• Replicates your data to 3 or more Availability Zones
• 99.99% availability
• No minimum storage duration charge
• No data retrieval fee

S3 Standard USE CASES
• For setting up highly available and durable static web hosting
• As temporary storage for the nightly log processing of your application, where the logs are meant to be stored for 1 day (24 hours) only. It is a cost-effective option for this case since it has no minimum storage duration charge

S3 Standard LIMITATIONS
• Not cost-effective for data kept for a long time, as this storage class has the highest per-GB storage price among all the classes
• Not recommended for data archiving, for infrequently accessed files or for any workloads that require cost-effective storage
S3 Standard-IA
• Primarily used for storing infrequently accessed data, but provides a way to rapidly retrieve the stored files (millisecond access, the same as S3 Standard)
• Replicates your data to 3 or more Availability Zones
• Designed for 99.9% availability
• 30-day minimum storage duration charge and a 128 KB minimum billable object size
• Has a data retrieval fee that is measured per gigabyte (GB)

S3 Standard-IA USE CASES
• As long-term storage for long-lived, but infrequently accessed data
• For data backups
• As a data store for your Disaster Recovery (DR) files
• For storing the primary backup copies of your on-premises dataset

S3 One Zone-IA
• For storing less frequently accessed and easily reproducible data that requires immediate retrieval when needed
• 30-day minimum storage duration charge
• Cheaper than S3 Standard-IA (about 20% less)
• Only uses 1 Availability Zone
• Designed for 99.5% availability (the lowest among all the Amazon S3 storage classes)

S3 One Zone-IA USE CASES
• If you require a cost-effective option to store infrequently accessed data
• For workloads that do not require the availability and resilience of the Amazon S3 Standard or S3 Standard-IA class
• For storing secondary backup copies of rarely accessed on-premises datasets
• For storing easily recreatable data

S3 One Zone-IA LIMITATIONS
• The data is stored in a single AZ only, so it is lost if that Availability Zone is destroyed
• Not recommended for storing your company’s primary backup copies or any critical business data that is difficult to reproduce
S3 Intelligent-Tiering
• Delivers automatic cost savings
• Automatically moves your objects between different access tiers whenever your access pattern changes
• No minimum storage duration (the original 30-day minimum was removed in 2021), but a small monthly monitoring and automation charge per object; objects smaller than 128 KB are not monitored and stay in the Frequent Access tier
• No data retrieval fee
• Moves data to the most cost-effective access tier without any operational overhead
• Access tiers: three low-latency tiers (Frequent Access, Infrequent Access after 30 days without access, Archive Instant Access after 90 days) plus two optional asynchronous archive tiers (Archive Access and Deep Archive Access)

S3 Intelligent-Tiering USE CASES
• Suitable if your data has an unpredictable access pattern
• For buckets with a mix of frequently and infrequently accessed data
• If the access patterns to your data vary all the time
• If some of your files are accessed frequently while the others are rarely accessed (moved to the archive tiers)
• If some of your data is accessed less frequently than the rest (moved to the Infrequent Access tier)
• If you are unsure of how frequently your data will be accessed
• If you want to keep costs low by automatically moving your data to the appropriate access tier
• If your data will be accessed by users over variable periods of time
• If you need storage with no management overhead
• If you want to avoid lifecycle policies that are not consistently implemented or are partially implemented
S3 Glacier (now named S3 Glacier Flexible Retrieval)
• A secure, durable, and low-cost storage class
• Suitable for data archiving
• A cost-effective storage solution for rarely accessed data that does not require a fast retrieval time
• Replicates your data to 3 or more Availability Zones
• 99.99% availability
• 90-day minimum storage duration charge
• Retrieval is charged per GB and per request, and the faster the retrieval option the more expensive it is
• The original vault-based Amazon S3 Glacier service has its own management console and API, separate from the regular Amazon S3 console
• Two ways to store your data: using the Amazon S3 console (the S3 Glacier storage classes, addressed as ordinary S3 objects) or using the Amazon S3 Glacier console (vaults and archives, addressed through the Glacier API)
• Automatically move your data from S3 Standard or S3 Standard-IA to Amazon S3 Glacier by using a lifecycle policy

S3 Glacier Vault
• The vault-based service has a resource called a vault
• A vault is a container for storing your data archives
• The archive is the base unit of storage in S3 Glacier; each archive has a unique ID and an optional description
• Can only be created in the Amazon S3 Glacier console or API, not as an S3 bucket
• You must provide the vault name and its corresponding AWS Region

S3 Glacier Vault Lock
• Use a Vault Lock to ensure data integrity and access control to your Amazon S3 Glacier vaults
• A Vault Lock is an access policy that helps you enforce regulatory and compliance requirements
• You can specify a “Write Once Read Many” (WORM) control to lock your Glacier vault policy from future edits
• Locking is a two-step process: initiating the lock attaches the policy in an in-progress state and returns a lock ID; you then have 24 hours to test the policy and either complete the lock or abort it. If the 24 hours pass, the lock ID expires and the in-progress policy is removed. Once the lock is completed the vault lock policy can no longer be changed or deleted
• For S3 buckets the equivalent control is S3 Object Lock, which provides the same WORM semantics in compliance or governance mode

S3 Glacier Vault USE CASES
• Applicable if your company wants to retain its archives for a specific number of years before the files can be deleted
• If you want to deny users from modifying or deleting an archive until after 1 year, 3 years, 7 years et cetera
S3 Glacier Archive Retrieval Options

EXPEDITED
• Quickly access a subset of your data archives
• Allows you to access your archived data within 1 – 5 minutes (the archive size should NOT exceed 250 MB)
• Ensure sufficient retrieval capacity for your Expedited retrieval operations by purchasing provisioned capacity

STANDARD
• Default option for retrieval requests
• Allows you to access any of your Glacier archives within 3 – 5 hours

BULK
• Lowest-cost retrieval option
• Retrieves large amounts of archived data in less than half a day
• Typically completes the process within 5 – 12 hours
S3 Glacier Deep Archive
• The lowest-cost storage class in Amazon S3
• Supports long-term retention and digital preservation for your data
• Primarily used to retain your data sets for 7 to 10 years or longer to meet regulatory compliance requirements
• Replicates your data to 3 or more Availability Zones
• 99.99% availability
• 180-day minimum storage duration charge (roughly 6 months)
• Should be used for data archiving only
• The data stored here should be rarely accessed with no strict retrieval time

S3 Glacier Deep Archive - Retrieval Options

STANDARD
• Default option for retrieval requests
• Data will be restored within 12 hours

BULK
• Costs less than the Standard retrieval option
• Data will be restored within 48 hours
Amazon S3 Minimum Storage Duration
• The specific amount of time that your objects must be stored in a particular storage class
• Deleting your objects won’t affect the minimum storage duration. You will still have to pay the remaining days of the mandatory minimum period
• A minimum storage duration of 30 days means that you will be charged for the entire 30 days even if you deleted or changed the storage class of your objects before that period

Example: 30-day minimum storage, object only stored for 10 days
• An object was uploaded in the Amazon S3 Standard-Infrequent Access (S3 Standard-IA) storage class
• You deleted the object after 10 days
• You’re still billed for the entire 30 days (the remaining 20 days are charged as a prorated early-deletion fee)
• Also applicable if you changed the storage class to another class

Which is more cost-effective?
• Scenario: non-reproducible and frequently accessed data that needs to be temporarily stored for hours only
• S3 Glacier: 90-day minimum storage duration; S3 Standard: NO minimum storage duration
• Answer: S3 Standard. An object kept for hours in S3 Glacier is still billed for 90 days, and in S3 Glacier Deep Archive deleting after 10 days leaves 180 - 10 = 170 days of early-deletion charge

S3 Glacier vs S3 Glacier Deep Archive
• Cost: low vs lowest
• Minimum storage duration: 90 days vs 180 days
• Data deleted after 10 days: billed for the entire 90 days vs billed for the entire 180 days
• Data deleted after 90 days: normal storage usage charge vs billed for the entire 180 days
• Data deleted after 180 days: normal storage usage charge vs normal storage usage charge
Amazon S3 as a data lake
• [Diagram] Sources such as AWS CloudTrail logs, AWS CloudFormation templates, Amazon EBS snapshots and ELB access logs land in an S3 data lake that is queried by AWS Glue, Amazon Athena, Amazon EMR and Amazon Redshift Spectrum

Amazon S3 Event Notifications
• Triggered on: new object creation, object deletion, object restoration from the Amazon S3 Glacier storage class, Reduced Redundancy Storage (RRS) object lost events, replication events
• Destinations: Amazon SNS, Amazon SQS, AWS Lambda (and Amazon EventBridge)
• Transmitted within seconds
• Delivered at least once, so a consumer must tolerate duplicate notifications; ordering between notifications is not guaranteed either, and the object key in the notification is URL-encoded
• Enable object versioning to ensure that an event notification is always sent whenever you upload an object (two simultaneous writes to the same non-versioned key may produce only one notification)
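As an added example that is not part of the original slides, a Lambda-style consumer for S3 event notifications that deals with the three properties listed above: URL-encoded keys, at-least-once delivery, and ordering events for the same object with the sequencer field. The event below is constructed by hand in the shape S3 delivers; the bucket, keys and sequencer values are made up.

```python
"""Added example, not part of the original slides: consume S3 event
notifications safely.  Keys arrive URL-encoded, deliveries may repeat, and
the per-record "sequencer" orders events for the same key.  The sample
event is constructed (bucket, keys and sequencers are made up)."""
from urllib.parse import unquote_plus

# Constructed sample: a Put, the same Put redelivered, then a Delete of the key.
SAMPLE_EVENT = {"Records": [
    {"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": "tutorialsdojo-uploads"},
            "object": {"key": "reports/q1+2024/sales+report.pdf", "size": 1024,
                       "sequencer": "0055AED6DCD90281E5"}}},
    {"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": "tutorialsdojo-uploads"},
            "object": {"key": "reports/q1+2024/sales+report.pdf", "size": 1024,
                       "sequencer": "0055AED6DCD90281E5"}}},
    {"eventSource": "aws:s3", "eventName": "ObjectRemoved:Delete",
     "s3": {"bucket": {"name": "tutorialsdojo-uploads"},
            "object": {"key": "reports/q1+2024/sales+report.pdf",
                       "sequencer": "0055AED6DCD90281F0"}}},
]}


def is_newer(seq_a, seq_b):
    """True if sequencer A is later than B.  Sequencers are hex strings that
    may differ in length, so right-pad the shorter one with zeros first."""
    width = max(len(seq_a), len(seq_b))
    return seq_a.ljust(width, "0") > seq_b.ljust(width, "0")


def classify(event_name):
    if event_name.startswith("ObjectCreated:"):
        return "index"
    if event_name.startswith("ObjectRemoved:"):
        return "purge"
    if event_name.startswith("ObjectRestore:"):
        return "restore"
    return "ignore"


def handle_s3_event(event, seen):
    """seen: a set standing in for a durable store (DynamoDB, for example) of
    processed (bucket, key, sequencer, eventName) tuples; redeliveries are skipped."""
    actions = []
    for rec in event.get("Records", []):
        if rec.get("eventSource") != "aws:s3":
            continue
        name = rec["eventName"]
        bucket = rec["s3"]["bucket"]["name"]
        key = unquote_plus(rec["s3"]["object"]["key"])   # S3 URL-encodes keys, space -> '+'
        marker = (bucket, key, rec["s3"]["object"].get("sequencer"), name)
        if marker in seen:
            continue                                      # at-least-once: drop the duplicate
        seen.add(marker)
        actions.append((classify(name), bucket, key))
    return actions


def latest_event_per_key(event):
    """Collapse a batch to the newest event per object using the sequencer, so a
    late-arriving Put cannot resurrect an object that was deleted afterwards."""
    latest = {}
    for rec in event.get("Records", []):
        obj = rec["s3"]["object"]
        ident = (rec["s3"]["bucket"]["name"], unquote_plus(obj["key"]))
        seq = obj.get("sequencer", "")
        if ident not in latest or is_newer(seq, latest[ident][0]):
            latest[ident] = (seq, rec["eventName"])
    return {k: v[1] for k, v in latest.items()}
```

The sequencer only orders events for the same object key; comparing sequencers across different keys is meaningless, which is why latest_event_per_key groups by (bucket, key) first.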
Amazon RDS Overview
• A relational database service
• Managed by both you (limited access) and AWS
• Allows you to run various database engines: MySQL, PostgreSQL, MariaDB, Oracle, Microsoft SQL Server and Amazon Aurora
• Can be deployed using AWS CloudFormation, the AWS Management Console, the AWS CLI or the Amazon RDS API
• Eliminates the time-consuming tasks of hardware provisioning, patching, backups, and maintenance for your database
• You can configure the DB instance that backs your Amazon RDS database: its size, instance class and storage
• Purchase a Reserved DB instance to lower your RDS costs
• Allows you to choose the Availability Zone where your database will be hosted, including its associated security group
• DB instance settings: instance size and type, storage, network access (the instance lives in your Amazon VPC and is reached from Amazon EC2 or through a VPC endpoint)
Self-Hosted Database on Amazon EC2 vs Amazon RDS Database: who manages what

Managed by YOU (the AWS customer)
• Self-hosted on EC2: patching, scaling, taking database backups, ensuring high availability, replication, monitoring
• Amazon RDS: minimal maintenance work

Managed by AWS
• Self-hosted on EC2: physical infrastructure, virtualization layer, host OS of the EC2 instance
• Amazon RDS: patching, scaling, taking database backups, ensuring high availability, replication, monitoring

Access
• Self-hosted on EC2: can be directly accessed via SSH, RDP or other connections; allows direct access to and modification of your database configuration files such as /etc/mysql/my.cnf, ConfigurationFile.ini, INIT.ORA, TNSNAMES.ORA and other *.ORA files, and settings such as the read-only flag
• Amazon RDS: the underlying EC2 instance CANNOT be directly accessed via SSH or RDP; you modify the database configuration via a Parameter Group and an Option Group

Operations
• Self-hosted on EC2: you have full access to the virtual machine and the underlying database; you are responsible for making your database highly available, fault-tolerant and secure; you have to apply the OS patches as well as the database engine patches regularly; you handle all of the database administr‌ative tasks
• Amazon RDS: you can choose the actual time when Amazon RDS will apply the DB patches in its maintenance window; database maintenance tasks are handled automatically
[Diagram] Amazon RDS deployment options in the N. Virginia Region (a Microsoft SQL Server instance is shown as the example engine): a Single-AZ primary in Availability Zone 1; a Multi-AZ primary in Availability Zone 2 with synchronous replication to a standby in Availability Zone 3; and a read replica fed by asynchronous replication. A second version of the diagram adds the Ohio Region, where a cross-region read replica in VPC B receives asynchronous replication from the primary in VPC A.
Amazon RDS and OLTP Applications
• Suitable for applications that read or write constantly changing data, such as Online Transaction Processing (OLTP) applications
• Transactions are ACID: Atomic, Consistent, Isolated, Durable

Amazon RDS Proxy
• A fully managed, highly available database proxy
• Automatically connects your application to a new DB instance while preserving its application connections
• Minimizes downtime by instantly routing the incoming requests directly to the new database instance
• Pools and shares database connections, and can enforce IAM authentication and keep the database credentials in AWS Secrets Manager instead of in the application
Amazon RDS Event Notification
• [Diagram] Your database security group with inbound and outbound rules (TCP 3306 from an EC2 instance): who made the change? RDS event notifications answer this kind of question
• SOURCE TYPES: instances, security groups, parameter groups, snapshots, clusters, cluster snapshots
• EVENT CATEGORIES: each source type has its own categories (for example availability, backup, configuration change, failover)
• TARGET TYPE: Amazon SNS, which fans out the event notifications

FANOUT EVENT NOTIFICATIONS
• [Diagram] A primary DB instance in the N. Virginia Region publishes to an SNS topic, which invokes a Lambda function; a read replica in the Ohio Region is shown receiving the resulting automation
• [Diagram] SNS topic → SQS queues → consumers

Amazon SNS with Message Filtering
• One SNS topic with a message filter on a custom type attribute routes messages to Queue #1 (consumed by AWS Lambda), Queue #2 (consumed by Amazon EC2) or Queue #3 (consumed by Amazon ECS)
Amazon RDS Multi-AZ Deployments
• REPLICA: a copy of your primary database
• STANDBY REPLICA: kept in sync by SYNCHRONOUS REPLICATION
• READ REPLICA: fed by ASYNCHRONOUS REPLICATION

Synchronous replication (two-way)
• Each write on the primary, for example INSERT INTO CITIES (Name, Country) VALUES ('Manila', 'Philippines'); or INSERT INTO CITIES (Name, Country) VALUES ('Toronto', 'Canada');, is acknowledged to the client only after the standby replica has confirmed it

Asynchronous replication (one-way)
• A write on the primary, for example UPDATE CITIES SET City = 'Mumbai' WHERE CITY_ID = 1; or UPDATE CITIES SET City = 'Chicago' WHERE CITY_ID = 2;, is acknowledged immediately and shipped to the read replica afterwards, so the replica lags behind the primary

CONFIGURATIONS
• STANDALONE: a single DB instance (Single-AZ)
• Primary/replica (historically called master-slave): PRIMARY + READ REPLICA
• Multi-AZ Deployments: PRIMARY + STANDBY REPLICA
[Diagram] Multi-AZ deployment in the N. Virginia Region (us-east-1): the primary in us-east-1a and the standby replica in us-east-1b, both in VPC A, share the SAME DB ENDPOINT. On failover the standby becomes the NEW PRIMARY; the failover duration is only a little over a minute. A standby instance can’t be deployed to another AWS Region (the Ohio Region and VPC B appear in the diagram only to make that point).

[Diagram] Multi-AZ deployment combined with read replicas: the standby replica shares the primary’s endpoint, while each read replica (one in us-east-1, one in the Ohio Region) has a DIFFERENT DB ENDPOINT.

• Provides High Availability • Keeps your database available on your


planned system maintenance or DB Engine
• Improves Data Redundancy upgrade
READ REPLICA READ REPLICA

• Minimizes latency spikes during • Protects your database against DB


system backups instance failure and disruptions when an
Availability Zone outage occurs
AWS
Cloud
N. Virginia Region | us-east-1 Ohio Region

Availability Zone (AZ) Availability Zone (AZ)


us-east-1a us-east-1b

VPC A VPC A
Amazon RDS
VPC B
Multi-AZ Deployments
Configuration
A Standby Instance
can’t be deployed
to another AWS
Region
PRIMARY STANDBY REPLICA

DIFFERENT DB ENDPOINT

Multi-AZ Deployments Configuration – Internal Steps

1. Takes a snapshot of your primary DB instance

2. Launch a new Standby Instance in a different Availability Zone


READ REPLICA READ REPLICA

3. Automatically configure synchronous replication between the


primary and standby instances
Multi-AZ Deployments
• Amazon RDS uses an internal Amazon EC2 instance that has its own operating system and attributes
• Maintains database performance while the regular process of patching the database engine is on-going
• Ensures the availability of your database when the OS and its underlying hardware go through scheduled maintenance activities
• During AWS-initiated hardware maintenance, a Multi-AZ database will only have a minimal disruption, unlike a Single-AZ database
• Your database will only be unavailable during the primary DB instance failover to the standby replica
• The duration of the failover process to the standby replica is typically 60 to 120 seconds
• When the automatic failover in Amazon RDS occurs, the Canonical Name record (CNAME) of your DB instance is automatically altered to point to the newly promoted standby instance. The application therefore has to re-resolve the endpoint (honouring the DNS TTL) and reconnect, rather than cache the old IP address
• If AWS conducts hardware maintenance on the Availability Zone where your standby replica is hosted, your Multi-AZ RDS database will not experience any failover or downtime
• The Operating System (OS) patch is applied to the standby replica first, before it is installed on the primary instance
• The only downtime is the failover process

Multi-AZ Deployments USE CASES
• Suitable for mission-critical applications where you need the highest availability while minimizing your operational and management overhead
• Applicable if you have an application running in your production environment that uses a single-instance RDS database
• If you want to migrate your existing database running on your on-premises network, that is running on a single database configuration
• If you are required to eliminate single points of failure in your architecture
• For minimizing database downtime without requiring any changes to your application code
• For enterprise systems that need to be highly available with low operational complexity
• For any scenario where the availability of your database is the highest priority/most important requirement and not its scalability
• For poorly designed architectures that need to be re-designed/refactored, such as: a three-tier application architecture that runs in public and private subnets, where the application is running on a single Amazon EC2 instance hosted in the public subnet and a single Amazon RDS database runs in the private subnet
  Improved architecture: launch an Auto Scaling group of EC2 instances behind an Application Load Balancer that spans multiple AZs, and enable the Multi-AZ Deployments configuration in Amazon RDS to make the database tier highly available
• Multi-AZ Deployments + READ REPLICA: you can combine the Multi-AZ Deployments configuration with read replicas. A read replica can provide cross-region database replication for multi-Region disaster recovery, which a Multi-AZ Deployments configuration can’t provide. Having both a standby and a read replica ensures both the high availability and the scalability of your database tier

Multi-AZ Deployments LIMITATIONS
• A Multi-AZ database can provide high availability in a single AWS Region only
• You cannot deploy a standby replica to another AWS Region
• Does not provide multi-region disaster recovery
• The standby replica cannot be used to read or write your application data, or accept live traffic
• Cannot be used to scale your application in terms of read performance or to handle an increased number of queries to your database
• Not suitable if the required Recovery Point Objective (RPO) and Recovery Time Objective (RTO) are very short; it cannot provide an RPO of 1 second and an RTO of 1 minute
• If you have this requirement, you have to use Amazon Aurora Global Database
Amazon RDS Read Replica

CONFIGURATIONS
• STANDALONE: a single DB instance
• Primary/replica (historically called master-slave): one SOURCE (primary) replicating to one or more secondary REPLICAS
• Multi-master configuration: several primaries that all accept writes, each with its own secondaries

STANDBY REPLICA (SYNCHRONOUS, two-way replication) vs READ REPLICA (ASYNCHRONOUS, one-way replication)
• Standby replica: does not accept live traffic without failover; cannot be seen in the Amazon RDS console as a separate DB instance; the DB endpoint is the same as the primary DB instance
• Read replica: can accept live (read) traffic; can be seen in the Amazon RDS console as a separate DB instance; the DB endpoint is different from the primary DB instance
READ REPLICA
• Based on the built-in replication functionality of MySQL, MariaDB, PostgreSQL, Oracle and Microsoft SQL Server
• Just a regular database with a read-only configuration
• Under the hood, Amazon RDS creates this by cloning your source database, setting up the replication parameters, and disabling write operations (CREATE, INSERT, UPDATE, DELETE) on the replica
• For MySQL and MariaDB, replication is driven by the binary log, whose parameters include log_bin, binlog_format, sync_binlog ...and many more. In Amazon RDS you do not set log_bin yourself: binary logging is turned on when automated backups are enabled, which is why a backup retention period greater than 0 is required before a read replica can be created

Binary log (binlog)
• A set of log files that contain information about the recent SQL modifications
• Contains all of the CREATE, INSERT, UPDATE, DELETE, ALTER, and other SQL statements that were made in your primary database
• The actual data that is being transferred from the source database to the database replica
READ REPLICA
• Can be launched two ways: in the same AWS Region as your primary DB, or in a different AWS Region
• Does NOT provide the capability of directly accessing the actual configuration files – my.cnf (MySQL), ConfigurationFile.ini (MS SQL) and others – in Amazon RDS
• View and modify the DB configuration of the replica using a parameter group
• Can be promoted to be a standalone DB instance; useful for database sharding, implementing failure recovery, and performing Data Definition Language (DDL) operations
• Lessens the impact to the primary DB instance brought by rebuilding indexes, scheduled jobs, and other processing
• Helpful if your primary AWS Region experiences an outage: it can be deployed to a different AWS Region and be promoted as the primary DB instance in the event that the AWS Region of your source/primary database experiences downtime

READ REPLICA encryption
• Cannot directly create an encrypted read replica from an unencrypted database instance
• Encrypted replicas can be created from your encrypted database instances but not from the unencrypted ones (an unencrypted source only yields unencrypted replicas)
• An encrypted cross-region read replica can be launched as long as the target Region and an encryption key in AWS KMS for that particular Region are supplied (KMS keys are regional, so the source Region's key cannot be reused)
• Allows the use of a customer managed key or the AWS managed key for Amazon RDS that AWS KMS creates in each Region
READ REPLICA USE CASES
• Suitable if your company has a web application with a built-in reporting module
• If your department or application runs large SQL queries every month that impact your database's performance due to high usage
• If you need to minimize the impact that the reporting activity has on your application by offloading the read requests
• If you need to separate the read requests from the write requests of your application
• If you have an application wherein the read operations are causing high I/O usage on your primary RDS database instance, which then results in high latency for the write requests in your production environment
• If you have application modules or reporting tools that only send SELECT queries. You can configure the reporting module to use the read replica endpoint and direct the transactional operations to the primary database instance
• If you have 3rd-party applications or other internal systems that query your database instance heavily
• If you have an internal batch processing job that fetches reporting data from your RDS DB instance
• If your entire database slows down significantly whenever your batch runs, which impacts the overall read and write performance of your application
• If you need to configure your internal systems to fetch data from the replica instead of the primary instance

READ REPLICA ANTI-PATTERNS
• A read replica is primarily used to improve the scalability of your application in terms of read operations and not for improving the availability of your database
• Cannot be used for ensuring that the database will be highly available in the event of an outage. You have to use the Multi-AZ Deployments configuration instead
• Unlike Multi-AZ RDS, a read replica doesn’t have an automatic failover. If the primary DB instance experiences an outage, the incoming requests are not automatically routed to the read replica by default
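As an added example that is not part of the original slides, a read/write splitter of the kind the use cases above call for: plain SELECT statements go to the read replica endpoint and everything else to the primary, with the three guards that matter in practice, namely statements inside a transaction, locking reads (FOR UPDATE), and a replica that is lagging too far behind. The endpoint hostnames are made up and the lag value stands in for the CloudWatch ReplicaLag metric.

```python
"""Added example, not part of the original slides: route SELECTs to a read
replica and everything else to the primary.  Transactions, locking reads
and a lagging replica all force the primary.  Endpoints are hypothetical
and replica_lag_seconds stands in for the CloudWatch ReplicaLag metric."""
import re

PRIMARY_ENDPOINT = "tutorialsdojo-db.cxxxxxxxxxxx.us-east-1.rds.amazonaws.com"          # hypothetical
REPLICA_ENDPOINT = "tutorialsdojo-db-replica.cxxxxxxxxxxx.us-east-1.rds.amazonaws.com"  # hypothetical

_COMMENT = re.compile(r"/\*.*?\*/|--[^\n]*", re.S)
_READ_ONLY = re.compile(r"^\s*(SELECT|SHOW|EXPLAIN|DESCRIBE|DESC)\b", re.I)
_LOCKING_READ = re.compile(r"\b(FOR\s+UPDATE|FOR\s+SHARE|LOCK\s+IN\s+SHARE\s+MODE)\b", re.I)
_TXN_BEGIN = re.compile(r"^\s*(BEGIN|START\s+TRANSACTION)\b", re.I)
_TXN_END = re.compile(r"^\s*(COMMIT|ROLLBACK)\b", re.I)


class ReadWriteRouter:
    """Decides which endpoint a statement should be sent to.  In a real
    application each endpoint maps to its own connection pool."""

    def __init__(self, primary, replica, max_lag_seconds=1.0):
        self.primary, self.replica = primary, replica
        self.max_lag_seconds = max_lag_seconds
        self.replica_lag_seconds = 0.0   # refresh from CloudWatch ReplicaLag in real use
        self.in_transaction = False
        self.stats = {"primary": 0, "replica": 0}

    def endpoint_for(self, sql):
        stmt = _COMMENT.sub("", sql).strip()
        if _TXN_BEGIN.match(stmt):
            self.in_transaction = True
            return self._pick("primary")
        if _TXN_END.match(stmt):
            self.in_transaction = False
            return self._pick("primary")
        if self.in_transaction or _LOCKING_READ.search(stmt):
            return self._pick("primary")    # transactions and locking reads must see the primary
        if self.replica_lag_seconds > self.max_lag_seconds:
            return self._pick("primary")    # stale replica: fall back to the primary
        if _READ_ONLY.match(stmt):
            return self._pick("replica")
        return self._pick("primary")        # writes, DDL and anything unrecognised (CTEs) stay on the primary

    def _pick(self, which):
        self.stats[which] += 1
        return self.primary if which == "primary" else self.replica
```

The classifier is deliberately conservative: anything it does not positively recognise as a read goes to the primary, because sending a write to a read-only replica fails loudly while sending a stale read to a replica fails silently.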
[Diagram] CROSS-REGION READ REPLICA: the primary in VPC A (N. Virginia Region, Availability Zone A) replicates asynchronously to a read replica in VPC B (Ohio Region, Availability Zone A)
Amazon Aurora Overview

Amazon Aurora
• A fully managed database service and also a type of database engine within Amazon RDS
• Scales automatically, performs faster, and costs lower
• A relational database that is compatible with MySQL and PostgreSQL
• Can automatically grow or scale its storage
• Usually deployed as a database cluster
• A cluster consists of ONE PRIMARY (Writer/Reader) and MULTIPLE REPLICAS

Amazon Aurora CLUSTER TYPES
• Single-master
• Multi-master
• STANDALONE TYPE: a single primary DB instance with no replica

Amazon Aurora
• Performs faster than other databases
• Can scale the computing components and storage automatically without any manual intervention
• The database cluster typically lags behind the primary instance by a few milliseconds only
• Provides less than 1 second of read replication latency for Aurora Replicas in the same or different AWS Region

Amazon Aurora ENDPOINTS
• Group the individual DB instances and associate them with a particular endpoint
• Cluster endpoint
• Reader endpoint
• Custom endpoint
• Instance endpoint
Amazon Aurora Serverless
• Recommended for sporadic usage workloads or workloads with unpredictable usage
• Pay for your database usage on a per-second basis
• Provides a more cost-effective option than the regular Amazon RDS or Amazon Aurora databases

Amazon Aurora Serverless USE CASES
• For migrating legacy applications hosted on-premises that need to be re-architected to reduce operating costs
• If it is required to re-architect your application by using technologies that do not require any IT administration team to regularly manage your servers or clusters
• If you need to turn your monolithic application into a microservices architecture with serverless resources
• Can be used for a serverless stack with the application containers running on AWS Fargate and your database on Aurora Serverless
• For sporadic usage patterns
• If your application has:
  Extremely high usage at the beginning of each month
  An unpredictable usage at the start of each week
  A moderate usage over the weekend
• For situations where it is difficult to predict the application demand or to choose the most suitable instance size of your database due to the constantly changing usage
• If a cost-effective database platform is required which does not require any database modifications
• If you need to automatically scale the capacity up or down based on your application's needs
• For applications with infrequent access patterns
• Automatically scales down your database capacity if there is less incoming traffic, without any manual intervention
• For migrating your on-premises database to the AWS Cloud without having to worry about its particular database instance type
• If you need to eliminate the need to manually modify your database instance type in anticipation of the changes in the number of your users or workloads
Amazon Aurora Global Databases
• Designed for globally distributed applications
• Allows a single Amazon Aurora database to span multiple AWS Regions
• Offers faster physical replication between Aurora clusters
• Eliminates the need to manually create cross-region Aurora Replicas yourself

(diagram) PRIMARY DB CLUSTER in the N. Virginia Region (Writer/Reader in Availability Zone (AZ) 1, Reader in Availability Zone (AZ) 2, sharing one CLUSTER VOLUME) replicating to a SECONDARY DB CLUSTER in the Ohio Region (Readers in Availability Zone (AZ) 1 and Availability Zone (AZ) 2, sharing one CLUSTER VOLUME) + OTHER AWS REGIONS

Amazon Aurora Global Databases
• RPO (Recovery Point Objective) = 1 second
• RTO (Recovery Time Objective) = 1 minute
Amazon DynamoDB Overview

Relational Database
• For applications with a well-defined schema that does NOT change too often
• Has hundreds or thousands of tables
• Multiple table joins
• Tables having foreign keys
• Supports complex SQL queries
• Tables having a relationship with other tables
• Has ACID properties: Atomicity, Consistency, Isolation, Durability
• Perfect for transactional workloads

NoSQL Database
• For applications that require a flexible schema that changes too often
• Does not have any related tables or table joins
• Usually has one table only
• Provides high throughput and performance for your global applications
• Can scale better than relational databases
• Can be used if you are unsure of the database schema that you will implement
• Suitable if you expect to make a lot of database changes as your website or application grows
• Does not have ACID properties by default
Amazon DynamoDB
• A fully managed NoSQL database
• Highly scalable storage and read/write capacity
• Provides single-digit millisecond performance
• Serverless
• Highly durable database
• Has built-in security and backup features as well as in-memory caching

Amazon DynamoDB
• Has the least amount of operational overhead compared to other types of databases
• Eliminates the manual database management tasks, provisioning and scaling activities
• Capable of automatically scaling its read and write capacity without the need for advanced capacity planning
• Can be queried using simple key-value requests via its APIs
• Can handle millions of requests per second

Amazon DynamoDB
• HIGHLY SCALABLE
• ULTRA-FAST PERFORMANCE: response times in a matter of milliseconds or even in microseconds!

DynamoDB Table
• All data is stored in a single table only
• Capable of accepting millions of requests per second globally
• Faster and more scalable than traditional relational databases
• Does not have a relationship with other DynamoDB tables
Relational Database vs Amazon DynamoDB terminology
• TABLE = TABLE
• ROW = ITEM
• COLUMN = ATTRIBUTE
• PRIMARY KEY = PRIMARY KEY / PARTITION KEY
• INDEX = SECONDARY INDEX (makes your queries run faster!)
• VIEW = GLOBAL SECONDARY INDEX
• NESTED TABLE/OBJECT = MAP
• ARRAY = LIST

LOCAL SECONDARY INDEX
• Queries data over a single partition only (localized)
• Supports both eventual consistency and strong consistency
• Can only be added at the same time that you create the base table

GLOBAL SECONDARY INDEX
• Queries data across all partitions of the entire table
• Only supports eventual consistency
• Can be added or deleted at any time
Amazon DynamoDB Features
(diagram) Single DynamoDB Table in one region (US East 1) vs DynamoDB Global Tables replicated across US East 1, US East 2, US East 3 and US East 4
Amazon DynamoDB Streams
• A data stream that captures each and every data change made to the items
• If an item was added, modified, or deleted, then that item will be included in the DynamoDB stream
• Can be associated with AWS Lambda. The function can poll the stream and execute a set of actions whenever it detects new stream records
• Can also be integrated with Kinesis Data Streams
• Important component that needs to be enabled when using Amazon DynamoDB Global Tables

Amazon DynamoDB TTL
• TTL stands for Time to Live
• Automatically expires the items based on their timestamp and the TTL value that you specify
• Allows you to define a timestamp per item
• Deletes the item from your table after the date and time of the specified timestamp
• Reduces the amount of obsolete data in your table, which can also lower your costs

Amazon DynamoDB Transactions
• Provides ACID properties to your DynamoDB table for your transactional workloads
• Provides an all-or-nothing change to multiple items both within and across DynamoDB tables
• Consists of the DynamoDB transactional read and write APIs: TransactWriteItems and TransactGetItems
• Empowers you to manage complex business workflows that require adding, updating, or deleting multiple items as an atomic operation

Amazon DynamoDB Accelerator (DAX)
• An in-memory cache for Amazon DynamoDB that is fully managed and highly available
• Launches a DAX cluster that can be run in your default or custom Amazon VPC
• Provides response times in microseconds and not just in milliseconds
• Delivers fast response times for accessing eventually consistent data
• Significantly reduces the response times of your DynamoDB database
Amazon DynamoDB Scaling
• Measured in terms of:
  Read Capacity Unit or RCU
  Write Capacity Unit or WCU

Provisioned Capacity Mode
• Suitable if your application has predictable traffic that doesn't vary over time
• Allows you to manually set or provision the RCU and WCU of your DynamoDB table
• Has an Auto Scaling feature that you can configure
• Can set the target utilization, minimum provisioned capacity, and maximum provisioned capacity values in the Auto Scaling settings
• At risk of over-provisioning and having unnecessary costs when the incoming traffic is way lower than expected

On-Demand Capacity Mode
• For applications with inconsistent traffic or varying access patterns
• Suitable if you expect that there'll be more traffic with sharp spikes in the future
• No manual Auto Scaling setting that you can configure. The RCU & WCU are automatically scaled without any intervention
• Can be used if your application has a combination of predictable and variable traffic
• Suitable if you have clearly defined access patterns throughout the year but with variable amounts of traffic on certain days only
Amazon DynamoDB Security
• Protects your data both in transit and at rest
• All data stored in Amazon DynamoDB is fully encrypted at rest by default
• The API calls from your private Amazon EC2 instances that go to DynamoDB can be configured to not traverse the public Internet by creating a VPC Gateway Endpoint and adding a new route table entry
Amazon DynamoDB Identity & Access Management

{
  "Id": "TutorialsDojoPhilippineBooksPolicy1",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccessToBooksTable",
      "Effect": "Allow",
      "Action": [
        "dynamodb:Get*",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:BatchWrite*",
        "dynamodb:CreateTable",
        "dynamodb:Delete*",
        "dynamodb:Update*",
        "dynamodb:PutItem"
      ],
      "Resource": "arn:aws:dynamodb:us-west-2:12345:table/Books"
    }
  ]
}
Amazon DynamoDB Backups

Point-in-time Recovery (PITR)
• Automated backup process
• Enables continuous backups of your table
• Allows you to restore your table at a point in time that you specify
• Entails additional costs

On-Demand Backup and Restore
• Manual backup process
• No continuous backups
• Can only restore to a particular backup that you've taken
• A cost-effective yet limited backup option for your data
Amazon DynamoDB
Core Components
DynamoDB Global Tables (diagram): tables in US East 1, US East 2, US East 3 and US East 4 kept in sync through DynamoDB Streams

Core components: TABLE, ITEM, ATTRIBUTE, PRIMARY KEY, SECONDARY INDEX, AND OTHER COMPONENTS…
TABLE
• Similar to the table of other database systems
• A collection of related data that can represent an object, an idea, a role, or an abstract concept
• In DynamoDB, the entire NoSQL database is within a single DynamoDB table only
• Each table contains zero or more items

ITEM
• Similar to the rows, records, or tuples in other database systems
• The "Row" of the DynamoDB Table
• Can have a nested attribute, which contains another item or another nested attribute
• Can be automatically expired based on its timestamp using TTL, or Time to Live
• Each item contains zero or more attributes

ATTRIBUTE
• Similar to the fields or columns in other data stores
• The "Column" of the DynamoDB Table

PRIMARY KEY
• Also known as the partition key
• Acts as the primary index that uniquely identifies each item in your DynamoDB table
• Provides the ability to search for a particular item in your table
• Used as an input to the internal hash function in DynamoDB. The output from that function determines the physical internal storage in which the item will be stored
• The primary key attribute must be a scalar
• Simple primary key: PARTITION KEY
• Composite primary key: PARTITION KEY + SORT KEY

SECONDARY INDEX
• Makes your queries run faster!
• Provides more flexibility and performance improvement to your queries
• Supports your advanced queries to access your stored data faster
• Allows you to query the data in the table using an alternate key other than the primary key
MUSIC TABLE (PARTITION KEY: SongId; the second slide also shows SORT KEY: Artist)

{
  "SongId": 1,
  "Artist": "Jon Bonso",
  "SongTitle": "Brand New Memories",
  "Genre": "Rock",
  "Year": 2009
}
{
  "SongId": 2,
  "Artist": "Ariel Rivera",
  "SongTitle": "Sana Kahit Minsan",
  "Genre": "R&B",
  "Year": 1991
}
{
  "SongId": 3,
  "Artist": "Rey Valera",
  "SongTitle": "Kung Kailangan Mo Ako",
  "Genre": "Jazz",
  "Year": 1980
}
{
  "SongId": 4,
  "Artist": "Gino Padilla",
  "SongTitle": "Closer You and I",
  "Genre": "R&B",
  "Year": 2000
}

SECONDARY INDEX LOGICAL TABLE: GLOBAL SECONDARY INDEX (PARTITION KEY: Artist, SORT KEY: Genre)

{
  "SongId": 1,
  "Artist": "Jon Bonso",
  "SongTitle": "Brand New Memories",
  "Genre": "Rock"
}
{
  "SongId": 2,
  "Artist": "Ariel Rivera",
  "SongTitle": "Sana Kahit Minsan",
  "Genre": "R&B"
}
{
  "SongId": 3,
  "Artist": "Rey Valera",
  "SongTitle": "Kung Kailangan Mo Ako",
  "Genre": "Jazz"
}
{
  "SongId": 4,
  "Artist": "Gino Padilla",
  "SongTitle": "Closer You and I",
  "Genre": "R&B"
}

LOCAL SECONDARY INDEX (PARTITION KEY: SongId, SORT KEY: Genre)

{
  "SongId": 3,
  "Artist": "Rey Valera",
  "SongTitle": "Kung Kailangan Mo Ako",
  "Genre": "Jazz"
}
{
  "SongId": 4,
  "Artist": "Gino Padilla",
  "SongTitle": "Closer You and I",
  "Genre": "R&B"
}
SECONDARY INDEX
• Similar to the INDEX of MySQL, Oracle, SQL Server, and other relational databases
• Primarily used to make your queries FASTER!
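To make the partition-key hashing and the secondary-index projection concrete, here is an added Python model (not code from the slides, from AWS, or from any DynamoDB SDK) that mimics the behaviour described above on the slides' own MUSIC TABLE data. It is a constructed, in-memory stand-in: the SHA-256 bucket choice, the four-partition layout and the ToyTable/MUSIC_ITEMS/partition_skew names are assumptions made for illustration and do not reproduce DynamoDB's internals. Beyond the slides' example it also shows what a poorly chosen partition key does: every item hashing to one bucket.

```python
import hashlib

# Constructed sample items mirroring the MUSIC TABLE shown on the slides.
MUSIC_ITEMS = [
    {"SongId": 1, "Artist": "Jon Bonso", "SongTitle": "Brand New Memories", "Genre": "Rock", "Year": 2009},
    {"SongId": 2, "Artist": "Ariel Rivera", "SongTitle": "Sana Kahit Minsan", "Genre": "R&B", "Year": 1991},
    {"SongId": 3, "Artist": "Rey Valera", "SongTitle": "Kung Kailangan Mo Ako", "Genre": "Jazz", "Year": 1980},
    {"SongId": 4, "Artist": "Gino Padilla", "SongTitle": "Closer You and I", "Genre": "R&B", "Year": 2000},
]


class ToyTable:
    """Hypothetical in-memory stand-in for a DynamoDB table (not the real service):
    each item lands in one of `partitions` buckets chosen by hashing its
    partition-key value; an optional sort key orders items inside a bucket.
    A `projection` turns the same class into a secondary index that stores
    only the listed attributes."""

    def __init__(self, partition_key, sort_key=None, partitions=4, projection=None):
        self.pk, self.sk, self.n = partition_key, sort_key, partitions
        self.projection = projection
        self.partitions = [[] for _ in range(partitions)]
        self.indexes = {}

    def _slot(self, pk_value):
        # Stand-in for the internal hash: the partition-key value alone decides the bucket
        digest = hashlib.sha256(str(pk_value).encode()).digest()
        return int.from_bytes(digest[:4], "big") % self.n

    def _project(self, item):
        if self.projection is None:
            return dict(item)
        return {k: v for k, v in item.items() if k in self.projection}

    def put_item(self, item):
        item = self._project(item)
        bucket = self.partitions[self._slot(item[self.pk])]
        if self.projection is None:
            # Base table: the primary key is unique, so PutItem replaces an existing item
            key = (item[self.pk], item.get(self.sk))
            bucket[:] = [i for i in bucket if (i[self.pk], i.get(self.sk)) != key]
        bucket.append(item)
        for index in self.indexes.values():
            index.put_item(item)          # every index is kept in step with the base table

    def query(self, pk_value, sort_value=None):
        """Query touches only the one partition the key hashes to."""
        hits = [i for i in self.partitions[self._slot(pk_value)] if i[self.pk] == pk_value]
        if sort_value is not None:
            hits = [i for i in hits if i.get(self.sk) == sort_value]
        return sorted(hits, key=lambda i: str(i.get(self.sk, "")))

    def scan(self):
        """Scan reads every partition, which is why it is the expensive operation."""
        return [i for bucket in self.partitions for i in bucket]

    def add_gsi(self, name, partition_key, sort_key, projection):
        """A GSI has its own partition/sort keys and is backfilled from the base table."""
        gsi = ToyTable(partition_key, sort_key, self.n, projection)
        for item in self.scan():
            gsi.put_item(item)
        self.indexes[name] = gsi
        return gsi

    def partition_load(self):
        return [len(bucket) for bucket in self.partitions]


def build_music_table():
    table = ToyTable("SongId", "Artist")
    for item in MUSIC_ITEMS:
        table.put_item(item)
    # GSI with PARTITION KEY Artist and SORT KEY Genre; Year is not projected, as on the slides
    table.add_gsi("ArtistGenreIndex", "Artist", "Genre", ["SongId", "Artist", "SongTitle", "Genre"])
    return table


def songs_by_artist(table, artist):
    """A query by the alternate key goes through the GSI, not the base table."""
    return [i["SongTitle"] for i in table.indexes["ArtistGenreIndex"].query(artist)]


def partition_skew(keys):
    """Per-partition item counts for the given partition-key values: a key shared by
    every item (for example one tenant id) funnels all of them into one hot partition."""
    table = ToyTable("Pk", "Sk")
    for n, key in enumerate(keys):
        table.put_item({"Pk": key, "Sk": n})
    return table.partition_load()


if __name__ == "__main__":
    music = build_music_table()
    print(music.query(2))                                   # base-table lookup by SongId
    print(songs_by_artist(music, "Gino Padilla"))          # GSI lookup by Artist
    print(partition_skew(["tenant-1"] * 40))               # one hot partition
    print(partition_skew([f"tenant-{i}" for i in range(40)]))
```

The index copies carry only the projected attributes, which is why `Year` is absent from the GSI items, exactly as on the slide; the two `partition_skew` calls contrast a shared partition key with a well-distributed one.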
Application Integration Overview

Application Integration
• Empowers the migration from a Monolithic Architecture to a Distributed Architecture

Monolithic Architecture (MONOLITH)
• TIGHTLY-COUPLED
• USER INTERFACE, BUSINESS LOGIC and DATA ACCESS LAYER in one unit
• SYNCHRONOUS

Distributed Architecture
• LOOSELY-COUPLED
• The USER INTERFACE calls an API Gateway that fronts SERVICE 1, SERVICE 2, SERVICE 3, SERVICE 4 and SERVICE 5
• ASYNCHRONOUS communication between services through Amazon SQS and Amazon MQ
• Event and notification services: Amazon SNS and Amazon EventBridge
• Other application integration services: AWS AppSync, Amazon API Gateway, AWS Step Functions
Amazon SQS Overview

Amazon SQS MESSAGE QUEUE
• Decouple tightly-coupled architecture
• Process workloads asynchronously

Amazon SQS QUEUE
• The order of processing is First-In, First-Out (FIFO)
• Items are stored sequentially
• The processing is done by a Consumer
• Handles the incoming messages of your application
• Sends the items to the consumers for processing

Amazon SQS MESSAGE QUEUE
• Asynchronous service-to-service communication
• Messages can be HTTP or an API request
• For workloads that take several minutes to complete
• Fetching messages for processing is called Polling

Amazon SQS
• Fully-managed message queue
• For workloads with long-running requests
• Assists in scaling your compute resources
• Can be integrated with other AWS services
Amazon SQS TYPES

STANDARD
• ChangeMessageVisibility API
• DELIVERY: At Least Once (possible duplicate messages!)
• ORDERING: Best Effort (messages might be delivered in a different order from the one in which they were received)
• THROUGHPUT: HIGH

FIFO
• Deduplication
• DELIVERY: Exactly Once
• ORDERING: Preserves the exact order
• THROUGHPUT: LIMITED
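As an added illustration (not code from the slides or from the Amazon SQS SDK), the following Python model shows where the two delivery guarantees in the comparison come from: a standard queue redelivers a message whose visibility timeout expired before the consumer deleted it (hence "at least once" and possible duplicates), while a FIFO queue drops a repeated deduplication ID within its 5-minute deduplication interval and keeps the order inside each message group. The class names, the injectable clock and the sample order bodies are constructed for this example.

```python
import time
from collections import deque

DEDUP_INTERVAL_SECONDS = 5 * 60   # a FIFO queue ignores a repeated deduplication ID for 5 minutes


class StandardQueue:
    """Toy model of a standard queue: a received message is hidden for the
    visibility timeout and, if the consumer never deletes it, becomes visible
    again. That redelivery is the source of at-least-once delivery and of
    possible duplicates. `clock` is injectable so the timeout can be simulated."""

    def __init__(self, visibility_timeout=30, clock=time.time):
        self.visibility_timeout, self.clock = visibility_timeout, clock
        self.messages = {}        # receipt handle -> (body, invisible_until)
        self.next_handle = 0

    def send(self, body):
        self.next_handle += 1
        self.messages[self.next_handle] = (body, 0.0)
        return self.next_handle

    def receive(self):
        now = self.clock()
        for handle, (body, invisible_until) in list(self.messages.items()):
            if invisible_until <= now:
                self.messages[handle] = (body, now + self.visibility_timeout)
                return handle, body
        return None

    def delete(self, handle):
        """Consumers must delete after processing; this is what ends the redelivery."""
        self.messages.pop(handle, None)


class FifoQueue:
    """Toy model of a FIFO queue: exactly-once enqueue through a deduplication ID
    and strict First-In, First-Out order inside each message group."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.groups = {}          # message group ID -> deque of bodies
        self.seen = {}            # deduplication ID -> time it was first accepted

    def send(self, body, group_id, dedup_id):
        now = self.clock()
        first_seen = self.seen.get(dedup_id)
        if first_seen is not None and now - first_seen < DEDUP_INTERVAL_SECONDS:
            return False          # duplicate within the interval: not enqueued again
        self.seen[dedup_id] = now
        self.groups.setdefault(group_id, deque()).append(body)
        return True

    def receive(self, group_id):
        group = self.groups.get(group_id)
        return group.popleft() if group else None


def demo_at_least_once():
    """A consumer that crashes before deleting the message sees it twice."""
    clock = [0.0]
    queue = StandardQueue(visibility_timeout=30, clock=lambda: clock[0])
    queue.send("order-42")
    first = queue.receive()              # consumer reads it but never deletes it
    clock[0] += 31                       # visibility timeout elapses
    second = queue.receive()             # redelivered: duplicate processing unless idempotent
    return first[1], second[1]


def demo_fifo_dedup():
    """A retried send with the same deduplication ID is dropped; order is kept."""
    clock = [0.0]
    queue = FifoQueue(clock=lambda: clock[0])
    accepted = [queue.send("order-42", "orders", "dedup-42"),
                queue.send("order-42", "orders", "dedup-42")]   # retry of the same message
    queue.send("order-43", "orders", "dedup-43")
    received = [queue.receive("orders"), queue.receive("orders"), queue.receive("orders")]
    return accepted, received


if __name__ == "__main__":
    print(demo_at_least_once())   # ('order-42', 'order-42')
    print(demo_fifo_dedup())      # ([True, False], ['order-42', 'order-43', None])
```

The practical consequence for a standard queue is that consumers must be idempotent or must call delete promptly; the FIFO model shows why a producer retry is harmless when the deduplication ID is reused.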


Amazon SQS QUEUE SETTINGS
• VISIBILITY TIMEOUT
• DEAD-LETTER QUEUE
• MESSAGE RETENTION PERIOD
• DELIVERY DELAY (DELAY QUEUE)
• RECEIVEMESSAGE WAIT TIME
• TEMPORARY QUEUE (TEMPORARY QUEUE CLIENT)
• ACCESS POLICY
• ENCRYPTION
Amazon SQS SECURITY
• ENCRYPTION: DATA IN-TRANSIT and DATA AT-REST

ACCESS POLICY

{
  "Version": "2012-10-17",
  "Id": "Banana_Queue1_Policy_UUID",
  "Statement": [{
    "Sid": "JonBonsoQueue1_SendMessage",
    "Effect": "Allow",
    "Principal": {
      "AWS": [
        "111122223333"
      ]
    },
    "Action": "sqs:SendMessage",
    "Resource": "arn:aws:sqs:us-east-2:1234:bananaqueue"
  }]
}
Amazon SQS INTEGRATION
• AWS Lambda: LAMBDA TRIGGER
• Amazon SNS: FAN-OUT EVENT NOTIFICATION
• Amazon EC2 Auto Scaling: scale on SQS DEPTH (AGE OF OLDEST MESSAGE, NUMBER OF SQS MESSAGES)
• Amazon S3: S3 EVENT NOTIFICATION
• Amazon ECS & EKS: INTER-CONTAINER COMMUNICATION
Amazon SNS Overview

Amazon SNS
• FULLY-MANAGED MESSAGING & NOTIFICATION SERVICE
• PUBLISHERS send messages to an SNS TOPIC, which delivers them to SUBSCRIBERS

APPLICATION TO APPLICATION MESSAGING (diagram): an SNS TOPIC fanning out to SQS Queue A, SQS Queue B, SQS Queue C, an Amazon ECS Task, an Amazon EC2 Instance and an AWS Lambda Function

APPLICATION TO PERSON MESSAGING (diagram): an SNS TOPIC delivering to SQS Queue A, SQS Queue B, an Amazon ECS Task, an Amazon EC2 Instance and a Support Manager

Amazon SNS Types
• Standard
• FIFO
Amazon SNS Encryption
• ENCRYPTION: DATA IN-TRANSIT and DATA AT-REST

ACCESS POLICY

{
  "Statement": [{
    "Sid": "TutorialsDojo-Allow-SNS-SendMessage",
    "Effect": "Allow",
    "Principal": {
      "Service": "sns.amazonaws.com"
    },
    "Action": ["sqs:SendMessage"],
    "Resource": "arn:aws:sqs:us-east-2:444455556666:BananaQueue",
    "Condition": {
      "ArnEquals": {
        "aws:SourceArn": "arn:aws:sns:us-east-2:444455556666:TutorialsDojoTopic"
      }
    }
  }]
}
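The three policies on these slides (the DynamoDB Books table policy, the SQS queue policy with an AWS account principal, and the SNS-to-SQS policy just above) all rely on the same matching rules: wildcard actions, an exact resource ARN, a principal and, for the SNS case, an ArnEquals condition on aws:SourceArn. The Python evaluator below is an added example, not code from the slides or from AWS, and implements only that subset of IAM's logic (assumptions: only the ArnEquals operator is understood and any other operator fails closed; action names match case-insensitively and resources case-sensitively; the policy dictionaries are constructed copies of the slides' values). It shows why the condition matters: without aws:SourceArn, any SNS topic that the service principal acts for could deliver into the queue, and it lets you see how much a pattern such as dynamodb:Delete* really grants.

```python
import fnmatch

# Constructed copies of the policies shown on the slides (account IDs and
# resource names are the slides' own illustrative values).
BOOKS_TABLE_ARN = "arn:aws:dynamodb:us-west-2:12345:table/Books"
DYNAMODB_BOOKS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAccessToBooksTable", "Effect": "Allow",
        "Action": ["dynamodb:Get*", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchWrite*",
                   "dynamodb:CreateTable", "dynamodb:Delete*", "dynamodb:Update*", "dynamodb:PutItem"],
        "Resource": BOOKS_TABLE_ARN,
    }],
}
BANANA_QUEUE_ARN = "arn:aws:sqs:us-east-2:1234:bananaqueue"
SQS_QUEUE_POLICY = {
    "Version": "2012-10-17", "Id": "Banana_Queue1_Policy_UUID",
    "Statement": [{
        "Sid": "JonBonsoQueue1_SendMessage", "Effect": "Allow",
        "Principal": {"AWS": ["111122223333"]},
        "Action": "sqs:SendMessage", "Resource": BANANA_QUEUE_ARN,
    }],
}
QUEUE_ARN = "arn:aws:sqs:us-east-2:444455556666:BananaQueue"
TOPIC_ARN = "arn:aws:sns:us-east-2:444455556666:TutorialsDojoTopic"
SNS_TO_SQS_POLICY = {
    "Statement": [{
        "Sid": "TutorialsDojo-Allow-SNS-SendMessage", "Effect": "Allow",
        "Principal": {"Service": "sns.amazonaws.com"},
        "Action": ["sqs:SendMessage"], "Resource": QUEUE_ARN,
        "Condition": {"ArnEquals": {"aws:SourceArn": TOPIC_ARN}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, principal):
    block = statement.get("Principal")
    if block is None or block == "*":
        # No Principal element: identity-based policy, the caller is implied. "*": anyone.
        return True
    # e.g. {"Service": "sns.amazonaws.com"} or {"AWS": ["111122223333"]}
    return any(principal.get(kind) in _as_list(allowed) for kind, allowed in block.items())


def _condition_matches(statement, context):
    for operator, pairs in statement.get("Condition", {}).items():
        if operator != "ArnEquals":
            return False                      # assumption: unknown operators fail closed
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource, principal=None, context=None):
    """Return 'Allow' or 'Deny' for one request. Deny is the implicit default and
    an explicit Deny statement always wins over an Allow, as in IAM."""
    principal, context = principal or {}, context or {}
    decision = "Deny"
    for statement in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(statement["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement["Resource"])):
            continue
        if not (_principal_matches(statement, principal) and _condition_matches(statement, context)):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def granted_actions(policy, candidate_actions):
    """Expand the wildcards of the Allow statements against candidate API actions,
    a quick way to review what a pattern such as dynamodb:Delete* really grants."""
    patterns = [a.lower() for s in policy["Statement"] if s["Effect"] == "Allow"
                for a in _as_list(s["Action"])]
    return [c for c in candidate_actions if any(fnmatch.fnmatchcase(c.lower(), p) for p in patterns)]


if __name__ == "__main__":
    sns = {"Service": "sns.amazonaws.com"}
    print(evaluate(SNS_TO_SQS_POLICY, "sqs:SendMessage", QUEUE_ARN, sns, {"aws:SourceArn": TOPIC_ARN}))
    print(evaluate(DYNAMODB_BOOKS_POLICY, "dynamodb:DeleteTable", BOOKS_TABLE_ARN))
    print(granted_actions(DYNAMODB_BOOKS_POLICY, ["dynamodb:DeleteItem", "dynamodb:DeleteTable", "dynamodb:DescribeTable"]))
```

Note the second print: the slide's Books policy allows dynamodb:DeleteTable because Delete* covers it, which a reviewer would usually narrow to the item-level actions the application needs.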
Amazon SNS Features
• FANOUT EVENT NOTIFICATIONS
• MESSAGE FILTERING
• MESSAGE FANOUT
• MESSAGE DURABILITY
• MESSAGE ENCRYPTION
• MESSAGE ARCHIVING

Amazon SNS Features
• Dead-Letter Queue (DLQ) for Amazon SNS
• Redrive Policy
AWS Amplify Overview

AWS Amplify
• One of the development services in AWS
• Allows you to build extensible, full-stack web and mobile apps faster
• Automates the deployment, scaling and management of your applications and underlying resources
• Provides Machine Learning integration to your apps

AWS Amplify MODULES
• AWS Amplify Studio
• AWS Amplify Libraries
• AWS Amplify CLI
• AWS Amplify Hosting
Serverless Computing Overview

What is Serverless Computing?
• On-Demand Service
• Less Server Management

Serverless: No Server?
• Serverless means Less Server Management
• FaaS

Serverless
• AWS Lambda, AWS Fargate
• Amazon Aurora Serverless, Amazon DynamoDB, Amazon S3

Serverless: powered by microVMs
• Virtual Machine (VM), Container, microVM

Serverless Edge Computing
• Edge Computing at an Edge Location
• Lambda@Edge
• CloudFront Function

Traditional vs Infrastructure-as-a-Service (IaaS) vs Function-as-a-Service (FaaS)
• Traditional: Virtual Server Deployment, OS Patching, Storage Management
• IaaS: Virtual Server Management, Virtual Server Maintenance, Scaling
• FaaS: Serverless

Serverless
• Does NOT run all the time, unlike a traditional virtual machine
• Will only run once you invoke it
• Start-up time ranges from several milliseconds to less than a second
• Can only run your function continuously for 15 minutes

Serverless
• Amazon Aurora Serverless
• Amazon DynamoDB

Serverless Computing Architectures
• Serverless = Less Server Management

AWS Lambda
• Function as a Service (FaaS)
• Amazon EventBridge: Scheduled Actions
• AWS Step Functions: Orchestration
• AWS Lambda@Edge: Edge Computing at Regional Edge Locations
• CloudFront Functions: Edge Computing at Edge Locations
SERVERLESS CONTAINERS
• AWS Fargate: App Container 1 and App Container 2 running on a CONTAINER ENGINE

SERVERLESS APPLICATION INTEGRATION
• Amazon EventBridge, AWS Step Functions
• Amazon SQS, Amazon SNS
• Amazon API Gateway, AWS AppSync

SERVERLESS DATA STORES
• STATIC DATA: Amazon S3
• DYNAMIC DATA: Amazon DynamoDB, Amazon Aurora Serverless
• DATA WAREHOUSE: Amazon Redshift Spectrum

SERVERLESS ETL & ANALYTICS
• Extract, Transform & Load (ETL): AWS Glue
• Analytics Services: Amazon Kinesis Data Analytics, Amazon Athena, Amazon QuickSight

Virtual Machine vs Container vs MicroVM (diagram)
• Virtual Machine: a GUEST KERNEL on top of the AWS NITRO HYPERVISOR / VIRTUAL MACHINE MONITOR (VMM)
• Container: a Docker Container or Kubernetes Pod on top of a CONTAINER ENGINE
• MicroVM: Service A, Service B and Service C, each in its own EXECUTION ENVIRONMENT with a MICRO VM KERNEL, on top of Firecracker Virtualization / VIRTUAL MACHINE MONITOR (VMM)
• All of them run above the HOST KERNEL on HARDWARE / BARE-METAL SERVER: CPU, MEMORY (RAM), NETWORK, SSD/HDD STORAGE

Serverless Architecture Types
• Static Single Page Application: Amazon S3, Amazon CloudFront
• Service-Oriented Architecture: AWS Lambda, API Gateway
• Containerized Application: AWS Fargate, Amazon DynamoDB
• Serverless Architecture: AWS Lambda, API Gateway, AWS Fargate

SERVERLESS DATABASES (Amazon DynamoDB, Amazon Aurora Serverless)
• For applications that have sporadic or infrequent database usage patterns
• No need to choose a particular DB instance type or do any advanced capacity planning
• Automatically increases and decreases the compute and storage capacity of your database
• Unlike RDS, there is no need to downgrade your database instance if your demand decreases
• Costs way less than a regular server-based database
Amazon Route 53 Overview

Amazon Route 53
• A global Domain Name System (DNS) service
• Provides different Routing Policies
• Allows you to register your own domain name
• Transfer a domain from another domain registrar
• Create health checks
• Route traffic flows
• Configure DNS resolvers
• . . . and many more!

Domain Name System (DNS) (diagram): a Domain Name resolves to an Elastic IP address (49.143.173.201), an Amazon EC2 Instance, Elastic Load Balancers, an Amazon S3 Static Website or Amazon CloudFront Web Distributions

DNS Security Extensions: protection against DNS Spoofing Attacks and Man-In-The-Middle Attacks

Root Domain / Zone Apex
• The "apex" (summit) of the Hosted Zone
• Also known as Naked Domain

Hosted Zone: Subdomains
• www.tutorialsdojo.com, portal.tutorialsdojo.com, cebu.tutorialsdojo.com, bengaluru.tutorialsdojo.com

Public Hosted Zone
• NS (Name Server) record
• SOA (Start of Authority) record
• Query Logging

Private Hosted Zone
• NS (Name Server) record
• SOA (Start of Authority) record
• (diagram) resolution from an On-premises data center

Hosted Zone Record: ALIAS RECORD vs NON-ALIAS RECORD

ALIAS RECORD
• Routes traffic to selected AWS resources
• Works like a CNAME (Canonical Name) Record
• Not visible to DNS resolvers
• Points to a specific AWS resource

NON-ALIAS RECORD
• Allows you to specify the IP addresses (e.g. 49.143.173.201) or the custom domain names of your servers or resources
• Visible to DNS resolvers
• Points to a particular IP address

DNS RECORD TYPES
• ALIAS
• A: IPv4 Host Address
• AAAA: IPv6 Host Address
• CNAME: Canonical Name
• MX: Mail Exchange
• TXT: Text
• NS: Name Server
• SOA: Start of Authority
• PTR: Pointer
• SRV: Service Locator
• SPF: Sender Policy Framework
• NAPTR: Naming Authority Pointer
• CAA: Certification Authority Authorization

Root Domain / Zone Apex (diagram): A (IPv4 Host Address), AAAA (IPv6 Host Address), CNAME (Canonical Name)

BIND
• Stands for Berkeley Internet Name Domain server
• An open-source program that you can use as a fully customizable domain name server
• Usually launched by companies as their internal DNS service
• Has a BIND DNS forwarder that allows you to resolve the domain names in the private hosted zones in AWS from your on-premises network
• Can be migrated to Amazon Route 53 by importing the BIND zone file

ACTIVE ACTIVE (Live Traffic) vs ACTIVE PASSIVE (Failover)

ACTIVE ACTIVE
• Improves the fault tolerance and performance of your applications
• Entails additional cost
• Has several active environments that accept live production traffic
• Ensures the high availability and resiliency of your global applications
• Can be implemented by using a single policy, or a combination of routing policies such as: Geolocation, Geoproximity, Latency, Multivalue Answer, Weighted …other routing types!

ACTIVE PASSIVE
• Provides a basic fault tolerance
• More cost-effective than ACTIVE ACTIVE
• Has one active environment and one backup environment on standby
• Primarily implemented by using the Failover Policy
Amazon CloudFront Overview

CloudFront: Content Delivery Network (CDN)

(diagram) Without a CDN: a viewer in the Philippines fetches content from an Origin Server in the US over Trans-Pacific Submarine Cables; LOAD TIME 10 seconds

(diagram) PoPs in NY and the Mid West, Trans-Atlantic Submarine Cables, Origin Server in the US; LOAD TIME 1 second!

(diagram) With EDGE LOCATIONS (PoPs) in the Philippines, the first request still reaches the Origin Server in the US; LOAD TIME 5 seconds

(diagram) Once cached at the PoP, the data does NOT need to be fetched from the remote origin server; LOAD TIME 1 second!

Edge Location
• Refers to the 'edge' or the boundary of the network (the Edge/Boundary of Internet Service Provider #1 and the Edge/Boundary of Internet Service Provider #2)
• Connects the different networks of various Internet Service Providers (ISPs) or Telecommunications companies

CloudFront Content Delivery Network: ORIGIN, DISTRIBUTION, VIEWER

ORIGIN
• Amazon S3 Bucket
• Elastic Load Balancer
• AWS Elemental MediaPackage Endpoint
• AWS Elemental MediaStore Container
• Amazon EC2 Instance or Your On-Premises Server
Amazon CloudFront Features
• ORIGIN ACCESS IDENTITY (OAI)
• GEO-RESTRICTION
• Lambda@Edge and CloudFront Functions
• ORIGIN GROUP and ORIGIN FAILOVER (primary ORIGIN A, failover ORIGIN B)

Amazon CloudFront Features
• Custom Domain Name and Custom SSL (SNI / Dedicated IP)
• Signed URLs
• Signed Cookies
• AWS WAF - CloudFront Integration

Amazon CloudFront Security Features

Content Delivery Network: STATIC and DYNAMIC content

Content Delivery Network: AWS ORIGINS
• Amazon S3 Bucket
• AWS Elemental MediaPackage
• AWS Elemental MediaStore
• Amazon EC2 Instance or Elastic Load Balancer
• Your On-Premises Server

Content Delivery Network (diagram): Amazon S3 Origin with an Origin Protocol Policy (HTTP / HTTPS), Viewers with a Viewer Protocol Policy (HTTP / HTTPS), Signed URL, Signed Cookies
Content Delivery Network: PROTOCOL POLICY
• Specifies the allowed protocols for the Origin and the Viewer (end users)
• Configures the CloudFront distribution to use HTTP, HTTPS or both

ORIGIN Protocol Policy Types
• HTTP Only
• HTTPS Only
• Match Viewer

VIEWER Protocol Policy Types
• HTTPS Only
• Redirect HTTP to HTTPS
• HTTP and HTTPS

ORIGIN ACCESS IDENTITY (OAI) (diagram: S3 URL vs CloudFront URL)
• Primarily used for CloudFront distributions with an Amazon S3 bucket as the origin
• Restricts access to the content that you serve from your S3 bucket
• Works like an IAM User which you can associate to the Origin or Origin Group of your CloudFront distribution
• After the OAI has been created, the Amazon S3 bucket policy must be configured too

FIELD-LEVEL ENCRYPTION
• Allows you to encrypt specific data fields
• Protects sensitive information in your origin and the data being sent by your customers
• Suitable for securing Credit Card numbers, Personal Health Information (PHI) and Personally Identifiable Information (PII)
• Encrypts the sensitive fields using a public key
• Provides you with a private key that can be used to decrypt the protected fields

SIGNED URLs & SIGNED COOKIES
• Primarily used for distributing private content over the Internet
• Restrict access to your confidential or private data to authorized users only
SIGNED URLs: CloudFront Distribution with Custom Domain Name
https://tutorialsdojo.com/report.pdf?Expires=13570344005&Signature=nitfHRCrtziwO2HwPfWw~yYDhUF5EwRunQA...&Key-Pair-Id=K2JCJMDEHXQW5F

SIGNED COOKIES: delivered through the Set-Cookie HEADER
GEO-RESTRICTION
• Restricts access to your content based on the specific country (geographic location) of your users
• Allows you to select the specific countries where you want to deliver your content and which countries to block

ALTERNATE DOMAIN NAME & SSL CERTIFICATE
• SNI (Server Name Indication)
• Dedicated IP address
• AWS Certificate Manager

INTEGRATIONS TO OTHER AWS SERVICES
• AWS WAF - CloudFront Integration
• AWS Shield (different from the Origin Shield feature)
HIGH AVAILABILITY VS FAULT TOLERANCE
Are these two exactly the same?

SAME OBJECTIVE: both of them aim to ensure the application runs all the time without any system degradation, data loss or outage

SINGLE SERVER ARCHITECTURE vs HIGH AVAILABILITY DESIGN vs FAULT TOLERANCE DESIGN
• UPTIME: LOW / 99.99% / 100%
• REDUNDANCY: NONE / HAS AT LEAST ONE REDUNDANT RESOURCE FOR FAILOVER / HAS A LOT OF REDUNDANT RESOURCES
• COST: LOW / MODERATE / HIGH

HIGH AVAILABILITY: 99.99% UPTIME, HAS AT LEAST ONE REDUNDANT RESOURCE FOR FAILOVER, MODERATE COST
FAULT TOLERANCE: 100% UPTIME, HAS A LOT OF REDUNDANT RESOURCES, HIGH COST (more resources cause the higher cost)

RTO (Recovery Time Objective) VS RPO (Recovery Point Objective)
DISASTER RECOVERY OBJECTIVES
• RTO: Recovery Time Objective
• RPO: Recovery Point Objective

Timeline example 1
• RPO = 1 HOUR (Recovery Point Objective): ALL DATA BEFORE 11 AM MUST BE RECOVERABLE
• 12:00 NN: DISASTER; the 11 AM - 12 NN data is the ACCEPTABLE DATA LOSS
• 3:00 PM: SERVICE RESTORED
• RTO = 3 HOURS (Recovery Time Objective)

Timeline example 2
• 3:00 PM: DISASTER
• RPO = 1 HOUR: 3:00 PM – 1 HOUR = 02:00 PM, so ALL DATA BEFORE 2 PM MUST BE RECOVERABLE; the 2 PM - 3 PM data is the ACCEPTABLE DATA LOSS
• RTO = 2 HOURS: 3:00 PM + 2 HOURS = 05:00 PM, SERVICE RESTORED by 5:00 PM
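The two timelines above turn into a small check that a practitioner actually runs against a backup schedule. The Python below is an added example, not code from the slides: `recovery_objectives` reproduces the slide arithmetic (disaster time minus RPO, plus RTO), and `meets_rpo` tests whether a given backup schedule keeps the data loss within the RPO, which is the question the RPO is meant to answer. The dates, the hourly and four-hourly schedules and the helper names are constructed for the example.

```python
from datetime import datetime, timedelta


def recovery_objectives(disaster_at, rpo, rto):
    """Return (recovery point, restoration deadline) for a disaster at `disaster_at`:
    all data written before the recovery point must be recoverable, and the
    service must be back by the deadline."""
    return disaster_at - rpo, disaster_at + rto


def latest_backup_before(backup_times, disaster_at):
    usable = [b for b in backup_times if b <= disaster_at]
    return max(usable) if usable else None


def meets_rpo(backup_times, disaster_at, rpo):
    """A schedule satisfies the RPO only if the newest backup taken at or before the
    disaster is no older than the RPO. The gap between that backup and the
    disaster is the real data loss; with no usable backup the RPO is simply missed."""
    latest = latest_backup_before(backup_times, disaster_at)
    if latest is None:
        return False, None
    data_loss = disaster_at - latest
    return data_loss <= rpo, data_loss


def schedule(start, every, count):
    """Constructed backup schedule: `count` backups starting at `start`, `every` apart."""
    return [start + every * i for i in range(count)]


def slide_timeline():
    """The second slide timeline: disaster at 3:00 PM, RPO 1 hour, RTO 2 hours."""
    disaster = datetime(2024, 1, 1, 15, 0)            # constructed date, 3:00 PM
    point, deadline = recovery_objectives(disaster, timedelta(hours=1), timedelta(hours=2))
    return point.strftime("%I:%M %p"), deadline.strftime("%I:%M %p")


def schedule_check(start_hour, start_minute, every_hours, count, rpo_hours):
    """Check a backup cadence against the same 3:00 PM disaster; returns
    (meets RPO?, data loss in minutes or None)."""
    disaster = datetime(2024, 1, 1, 15, 0)
    backups = schedule(datetime(2024, 1, 1, start_hour, start_minute),
                       timedelta(hours=every_hours), count)
    ok, loss = meets_rpo(backups, disaster, timedelta(hours=rpo_hours))
    return ok, (None if loss is None else int(loss.total_seconds() // 60))


if __name__ == "__main__":
    print(slide_timeline())                 # ('02:00 PM', '05:00 PM')
    print(schedule_check(9, 30, 1, 8, 1))   # hourly backups at :30 -> (True, 30)
    print(schedule_check(9, 0, 4, 3, 1))    # backups at 9 AM, 1 PM, 5 PM -> (False, 120)
    print(schedule_check(16, 0, 1, 2, 1))   # first backup after the disaster -> (False, None)
```

The four-hourly case is the one that bites in practice: the schedule looks reasonable, yet the newest backup before a 3:00 PM disaster is the 1:00 PM one, so the loss is two hours against a one-hour objective.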
Network Access Control List (Network ACL) VS Security Group

Network ACL and Security Group
• Created by default when you launch a new VPC and on your default VPC
• Acts as a virtual firewall that protects your AWS resources from unauthorized traffic
• Inbound & Outbound rules can be set to have one IP address or a CIDR range as a source
• Allows you to control the incoming and outgoing traffic to and from your network

Network ACL
• STATE: STATELESS
• Ephemeral Ports (Outbound Rules):
  1024 – 65535
  32768 – 61000
  49152 – 65535

Security Group
• STATE: STATEFUL

(diagram) N. Virginia Region, AWS Cloud, VPC A: one Network ACL on Subnet 1 / Availability Zone 1 and another on Subnet 2 / Availability Zone 2; a Security Group around the EC2 instance

Network ACL
• Can explicitly DENY traffic

Security Group
• Cannot explicitly DENY traffic: WHITELISTING only! No explicit DENY Rules
Network ACL (STATELESS) vs Security Group (STATEFUL)

Network ACL:
• Does not track the status of the request
• The inbound traffic that has already been permitted before is still subject to the rules for the outbound traffic, and vice versa
• Provides more fine-grained control to configure both the inbound and outbound rules of your Network ACL

Security Group:
• Tracks the status of all incoming requests
• If traffic is a response to a particular request, then it will be allowed automatically regardless of any rules in your Outbound Rules
• It is aware whether the outgoing traffic is:
  - Initiated from the EC2 instance itself
  - A response to a request that was initiated externally
• Its Outbound Rule can filter:
  - An API call initiated by an application hosted in the EC2 instance
  - A scheduled OS patch that is initiated by the EC2 instance, which automatically fetches updates from a designated repository
Network ACL vs Security Group: rule evaluation
• Network ACL: Each rule has a corresponding rule number. Evaluates the rules in order, starting with the lowest numbered rule
• Security Group: No rule number. Evaluates ALL of the rules at the same time (no order of precedence)
Network ACL vs Security Group: scope
• Network ACL: Applies the rules to all EC2 instances and other AWS resources in the subnets that it's associated with
• Security Group: Applies the rules to a single EC2 instance only, or to a group of AWS resources that it is associated with
Network ACL vs Security Group: Ephemeral Ports
• Network ACL: Outbound Rules must account for Ephemeral Ports (1024 – 65535, 32768 – 61000, 49152 – 65535)
• Security Group: Does NOT use Ephemeral Ports
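The evaluation differences above (numbered Network ACL rules walked in order with explicit DENY and an implicit final deny, versus allow-only Security Group rules evaluated all at once) and the stateless/stateful distinction, as an added Python simulation. This is not code from the Tutorials Dojo slides or from AWS; the Rule class, the rule sets and the documentation-range addresses are constructed here.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int      # evaluation order for a Network ACL; ignored by a Security Group
    action: str      # "allow" or "deny" (a Security Group only ever carries "allow")
    port_from: int   # inclusive port range covered by the rule
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound rules

def matches(rule: Rule, port: int, address: str) -> bool:
    """True when the port is in the rule's range and the address is inside its CIDR."""
    return (rule.port_from <= port <= rule.port_to
            and ipaddress.ip_address(address) in ipaddress.ip_network(rule.cidr))

def nacl_decision(rules: list, port: int, address: str) -> str:
    """Network ACL: walk rules from the lowest number; the first match wins.
    No match falls through to the implicit '*' rule, which denies. The ACL is
    stateless, so a reply is checked with this same function against the
    outbound rule set, which therefore has to cover the client's ephemeral port."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, port, address):
            return rule.action
    return "deny"

def sg_decision(rules: list, port: int, address: str) -> str:
    """Security Group: all rules are considered together; any matching allow rule
    permits the traffic and unmatched traffic is dropped. There is no explicit deny.
    Replies to tracked inbound requests never reach this check (stateful)."""
    if any(r.action != "allow" for r in rules):
        raise ValueError("Security Groups only support allow rules")
    return "allow" if any(matches(r, port, address) for r in rules) else "deny"

# Constructed rule sets; addresses come from documentation ranges, not real hosts.
NACL_INBOUND = [Rule(100, "deny", 443, 443, "203.0.113.0/24"),  # block one network first
                Rule(200, "allow", 443, 443, "0.0.0.0/0")]      # then allow HTTPS from anyone
NACL_OUTBOUND = [Rule(100, "allow", 1024, 65535, "0.0.0.0/0")]  # ephemeral ports for replies
SG_INBOUND = [Rule(0, "allow", 443, 443, "0.0.0.0/0")]          # HTTPS only; no deny possible

def demo() -> dict:
    """Evaluate a few constructed flows so the ordering and state rules are visible."""
    return {
        "nacl_listed_client": nacl_decision(NACL_INBOUND, 443, "203.0.113.10"),  # rule 100 wins
        "nacl_other_client": nacl_decision(NACL_INBOUND, 443, "198.51.100.7"),   # rule 200 allows
        "nacl_reply": nacl_decision(NACL_OUTBOUND, 51000, "198.51.100.7"),       # needs ephemeral rule
        "sg_https": sg_decision(SG_INBOUND, 443, "203.0.113.10"),
        "sg_ssh": sg_decision(SG_INBOUND, 22, "203.0.113.10"),                   # no rule, dropped
    }
```

Swapping the two Network ACL rule numbers lets the broad allow match first, which is the ordering mistake the slide's "lowest numbered rule first" point warns about.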
AWS Storage Gateway Types Comparison: File Gateway VS Volume Gateway VS Tape Gateway

INTEGRATION vs MIGRATION: AWS Storage Gateway vs AWS DataSync
Diagram: an on-premises data center with VMs and a Storage Area Network, connected to AWS either through an AWS Storage Gateway VM (INTEGRATION) or through an AWS DataSync agent VM (MIGRATION).
File Gateway (*File storage)
• NFS file share: Also known as Amazon S3 File Gateway. Uses Amazon S3 as the primary storage. Stores data in: Amazon S3. Provides a local cache for low-latency access to your most recently used data
• SMB file share: Also known as Amazon FSx File Gateway. Stores data in: Amazon FSx for Windows File Server. Provides low-latency on-premises access to Windows SMB file shares of the Amazon FSx for Windows File Server service in AWS

Volume Gateway (*Block storage)
• CACHED: Stores a subset of frequently accessed data locally
• STORED: Retains the entire dataset in your on-premises data center. Asynchronously backs up your data to Amazon S3

Tape Gateway (*Tape storage)
• GLACIER POOL: Stores data in Amazon S3 Glacier
• DEEP ARCHIVE POOL: Stores data in Amazon S3 Glacier Deep Archive
File Gateway VS Volume Gateway VS Tape Gateway: directory integration
• File Gateway: Can be integrated with Microsoft Active Directory, AWS Managed Microsoft AD and Amazon FSx for Windows File Server
• Volume Gateway: No Active Directory Support
• Tape Gateway: No Active Directory Support

File Gateway VS Volume Gateway VS Tape Gateway: protocols
• File Gateway: NFS, SMB
• Volume Gateway: iSCSI
• Tape Gateway: VTL
File Gateway VS Volume Gateway VS Tape Gateway
Figure: an image of an actual AWS Storage Gateway Hardware Appliance


INTEGRATION MIGRATION

VS
AWS Storage Gateway AWS DataSync
for
decommission
replication ing existing
via local storage
cache systems
hybrid cloud
storage

for moving
data

INTEGRATION MIGRATION

if your on-
premises
storage ran
out
large amount of space
synchronized of unused
copies on both records or
on-premises data hosted
and AWS on-premises
REPLICATE DATA MOVE DATA

INTEGRATION MIGRATION

On-premises data center

VM

AWS Storage Gateway AWS DataSync


DataSync Agent

On-premises data will On-premises data would not


still be actively used Storage Area be utilized anymore/will be
Network
decommissioned
Amazon EBS VS Amazon EFS VS Amazon S3
• Amazon EBS (Amazon Elastic Block Store): BLOCK STORAGE
• Amazon EFS (Amazon Elastic File System): FILE STORAGE
• Amazon S3 (Amazon Simple Storage Service): OBJECT STORAGE

BLOCK STORAGE
Example: a file with Total File Size = 16 kb written to an Amazon EBS Volume with Block Size = 4 kb is split into four 4 kb blocks.
Amazon EBS and Amazon EFS
• Lower latency than Amazon S3
• The block storage or file storage is physically attached to the host/server or located in close proximity
• The latency is low when transferring data between 2 systems
• Attached/Mounted to the Amazon EC2 instance

FILE STORAGE
• Commonly used by multiple servers
• Uses the Portable Operating System Interface (POSIX)

OBJECT STORAGE
• Every object usually includes a globally unique identifier, its custom metadata and the data itself
• Doesn't depend on the operating system of the host/EC2 instance
• Upload or fetch objects using RESTful web APIs and NOT by mounting it to the host
DURABILITY
• Amazon EBS: Data is stored redundantly in a single AZ only
• Amazon EFS and Amazon S3: Data is stored redundantly across multiple AZs
ACCESS METHOD
• Amazon EBS: Usually attached/mounted to a single EC2 instance. A single EBS volume can be attached to multiple EC2 instances by using the Multi-Attach feature (available on certain EBS types only). Two or more applications/EC2 instances can't access the exact same file concurrently
• Amazon EFS: Can be mounted to thousands of EC2 instances or on-premises servers across multiple AZs. Allows multiple applications or servers to concurrently access the same files at the same time
• Amazon S3: Via the public Internet by default. Invoked via a REST API request call
SCALABILITY
• Amazon EBS: Not highly scalable. Need to manually resize the EBS Volume to increase storage capacity
• Amazon EFS: Highly scalable. Automatically grows and shrinks the file system as you add and remove files
• Amazon S3: Highly scalable. Can store virtually unlimited amounts of data
LATENCY
• Amazon EBS: LOWEST
• Amazon EFS: MODERATE
• Amazon S3: HIGH if the request goes through the public Internet; MODERATE if the request goes through the S3 Gateway Endpoint or S3 Interface Endpoint
BACKUPS
• Amazon EBS: Back up data using Amazon EBS Snapshots (incremental backups). Allows you to copy your EBS snapshot to another AWS Region
• Amazon EFS: Transfer your file system to another EFS file system using AWS DataSync. Perform incremental backups of your EFS file system using AWS Backup
• Amazon S3: Cross-Region Replication (CRR)
DATA ENCRYPTION
• Amazon EBS: Encrypt your volume using Amazon EBS Encryption, which is powered by AWS KMS. Amazon EBS Encryption By Default (Regional Setting)
• Amazon EFS: Encryption in Transit via TLS and the EFS mount helper. Encryption at Rest
• Amazon S3: Client-side Encryption. Server-side Encryption. Enforce HTTPS connection by setting up the Bucket Policy
ACCESS CONTROL
• Amazon EBS: Controlled by the associated security groups and Network ACL of the EC2 instance that the volume is mounted to (Security Group, Network ACL, EC2)
• Amazon EFS: Can associate a security group to the file system mount target (Security Group, NFSv4 endpoint)
• Amazon S3: Access Control List (ACL), Bucket Policy, S3 Access Points, S3 Object Lambda Access Points
PROTOCOL SUPPORT
• Amazon EFS: NFSv4 Support. POSIX-compliant
DATA LIFECYCLE
• Amazon EBS: Amazon Data Lifecycle Manager (DLM), e.g. a Snapshot at 1:00 PM, a Snapshot at 3:00 PM and a Snapshot at 5:00 PM
• Amazon EFS: Amazon EFS lifecycle management, transitioning Standard to Standard-IA and One Zone to One Zone-IA
• Amazon S3: Amazon S3 Lifecycle Policy, e.g. S3 Standard to S3 Standard-IA to S3 Glacier Deep Archive
(The slide labels the lifecycle transitions with 30 Days and 180 Days.)
USE CASES
• Amazon EBS: For storing dynamic data that are frequently accessed and updated. LOWEST Latency
• Amazon EFS: For storing dynamic data that are frequently accessed and updated. A storage system accessed by multiple servers that need concurrent access to the same set of files at the same time. POSIX-compliant
• Amazon S3: For static data or for files that are NOT usually modified regularly. For cost-effective & serverless static web hosting that can be integrated with Amazon CloudFront
