AWS SA PRO

  1. Data Persistence
    a. Persistent Data Store: Glacier, RDS
    b. Transient Data Store: SQS, SNS
    c. Ephemeral Data Store: EC2 Instance Store, Memcached

  2. IOPS vs Throughput
    a. IOPS: measure of how fast we can read and write to a device
    b. Throughput: measure of how much data can be moved at a time

  3. Consistency Models
    a. ACID: Atomic (all or nothing); Consistent (must be valid); Isolated (transactions can't interfere with one another); Durable (a completed transaction must stick around)
    b. BASE: Basic Availability (values availability even if stale), soft-state (might not be instantly consistent across stores), eventual consistency (will achieve consistency at some point)

  4. S3
    a. an Object Store
    b. Maximum object size is 5TB; largest object in a single PUT is 5 TB
    c. Multipart upload is recommended for objects larger than 100MB
    d. Consistency: read-after-write consistency for PUTs of new objects; a HEAD or GET of the key before the object exists results in eventual consistency; S3 offers eventual consistency for overwrite PUTs and DELETEs; updates to a single key are atomic
    e. S3 Security: user-based (IAM policies) -> resource-based (bucket policy) -> resource-based (object ACL); optional MFA Delete requires MFA before deleting an object version or changing the bucket's versioning state
    f. Versioning: a new version on each write, enabling roll-back and un-delete; old versions count as billable size until they are permanently deleted; integrated with Lifecycle Management (optimize storage cost; adhere to data retention policies; keep S3 volumes well-maintained)
    g. Cross-Region Replication: security, compliance, latency
    h. Analytics: Data Lake Concept (Athena, Redshift Spectrum, QuickSight); IoT Streaming Data Repo (Kinesis Firehose); Machine Learning and AI Storage (Rekognition, Lex, MXNet); Storage Class Analysis (S3 Management Analytics)
    i. S3 Encryption at Rest: SSE-S3 (AES-256, keys managed by S3); SSE-C (AES-256 with your own customer-provided key); SSE-KMS; Client-Side (your own local encryption)
    j. Transfer Acceleration: speed up data uploads using CloudFront in reverse
    k. Requester Pays: the requester rather than the bucket owner pays for requests and data transfer
    l. Tags: assign tags to objects for use in costing, billing, security, etc.
    m. Events: trigger notification to SNS, SQS or Lambda when certain events happen in your bucket
    n. Static Web Hosting
    o. BitTorrent: use the BitTorrent protocol to retrieve any publicly available object by automatically generating a .torrent file
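    As an added example (not from these notes or from AWS), the following Python evaluates the two bucket-policy Deny statements that back items e and i above: one that blocks plain-HTTP access and one that blocks PutObject calls that do not request SSE-S3 or SSE-KMS. The bucket name and policy are constructed, and the evaluator implements only the small subset of IAM condition semantics it needs; an explicit Deny in the bucket policy overrides any Allow from IAM policies or object ACLs.

```python
import fnmatch

BUCKET = "example-data"  # constructed bucket name, not a real bucket

# Constructed bucket policy: an explicit Deny for plain-HTTP requests and
# for PutObject calls that do not request SSE-S3 (AES256) or SSE-KMS.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        # StringNotEquals also matches when the key is absent, so a PUT that
        # sends no x-amz-server-side-encryption header is denied as well.
        {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"StringNotEquals": {
             "s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(operator, key, expected, request):
    """One condition key against the request context (subset of IAM rules:
    Bool/StringEquals/StringNotEquals; only negated operators match a missing key)."""
    negated = operator.startswith("StringNot")
    actual = request.get(key)
    if actual is None:
        return negated
    hit = any(str(actual).lower() == str(e).lower() for e in _as_list(expected))
    return not hit if negated else hit


def explicit_deny(policy, action, resource, request):
    """Return the Sid of the first Deny statement matching this request, or
    None. request maps condition keys (aws:SecureTransport, ...) to values."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_matches(op, k, v, request)
               for op, pairs in conditions.items() for k, v in pairs.items()):
            return stmt["Sid"]
    return None
```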

  5. Glacier
    a. Cheap, slow to respond, seldom accessed
    b. Used by AWS Storage Gateway Virtual Tape Library
    c. Integrated with S3 via Lifecycle Management
    d. Faster retrieval speed options if you pay more (still archive option)
    e. Glacier Vault: IAM manages access; Glacier Vault Lock manages policies (e.g. no deletes, require MFA, immutable); Archive (file, zip, tar, etc.; max size 40TB; immutable)
    f. Glacier Vault Lock: you can initiate it and then decide whether to abort or complete it within 24 hours

  6. EBS ("virtual hard drives"; can only be used with EC2 and is tied to a single AZ; variety of optimized choices for IOPS, throughput and cost; snapshots are great)
    a. Compared with Instance Store (temporary; ideal for caches, buffers and work areas; data goes away when the EC2 instance is stopped or terminated)
    b. Amazon EBS Snapshots (cost-effective and easy backup strategy; share data sets with other users or accounts; migrate a system to a new AZ or region; convert an unencrypted volume to an encrypted volume; snapshots are incremental)
    c. Schedule snapshots of volumes or instances every X hours by creating a Snapshot Lifecycle Policy; retention rules remove stale snapshots

  7. EFS
    a. Implementation of NFS file share
    b. Elastic storage capacity, and pay for only what you use (in contrast to EBS)
    c. Multi-AZ metadata and data storage
    d. Configure mount-points in one or many AZs
    e. can be mounted from on-premises systems (security concern though)
    f. alternatively, use Amazon DataSync
    g. 3x more expensive than EBS and 20x more expensive than S3

  8. Amazon Storage Gateway
    a. VM that runs on-premises on VMware or Hyper-V, or a specially configured Dell hardware appliance
    b. Provides local storage resources backed by S3 and Glacier
    c. Often used in disaster recovery preparedness to sync to AWS
    d. Useful in cloud migrations
    e. Modes
    [Image: Storage Gateway Modes]
  9. Amazon WorkDocs
    a. Secure, fully managed file collaboration service
    b. Can integrate with AD for SSO
    c. Web, mobile and native clients (no Linux client)
    d. HIPAA, PCI DSS and ISO compliance requirements
    e. Available SDK for creating complementary apps

  10. Database on EC2
    a. Run any database with full control and ultimate flexibility
    b. Must manage everything like backups, redundancy, patching, scale
    c. Good option if you require a database not yet supported by RDS, such as IBM DB2 or SAP HANA
    d. Good option if it is not feasible to migrate to AWS-managed database

  11. RDS (managed database option for MySQL, Maria, PostgreSQL, Microsoft SQL Server, Oracle and MySQL-compatible Aurora)
    a. Best for structured, relational data store needs
    b. Aims to be drop-in replacement for existing on-prem instances of same databases
    c. Automated backups and patching in customer-defined maintenance windows
    d. Push-button scaling, replication and redundancy
    e. RDS anti-patterns
    [Image: RDS anti-patterns]

    f. Multi-AZ RDS
    g. Read replicas are a regional service (a non-transactional storage engine does not support replication)
    h. Sync replication (Multi-AZ, between master and standby) vs async replication (read replica; seconds to minutes of delay)
    i. If one AZ fails, the standby in another AZ assumes the role of master and the read replicas keep working
    j. If a whole region fails, a read replica is promoted to stand-alone (single-AZ), then the single-AZ instance is reconfigured to Multi-AZ

  12. DynamoDB
    a. Managed, multi-AZ NoSQL data store with a cross-region replication option
    b. Defaults to eventually consistent reads, but a strongly consistent read can be requested via an SDK parameter
    c. Priced on throughput rather than compute
    d. Provision read and write capacity in anticipation of need
    e. Auto scaling adjusts capacity within configured min/max levels
    f. On-Demand capacity for flexible capacity at a small premium
    g. Achieve ACID compliance with DynamoDB transactions
    h. Partition key: a simple primary key, which must be unique, used to create an internal hash mapping
    i. Composite primary key: partition key + sort key; the same partition key may occur more than once as long as the sort key differs
    j. Secondary indexes (there is a limit to the number of indexes and attributes per index; they take up storage space as well)
    [Image: Secondary indexes]
    [Image: Secondary index use cases]

    k. Attribute Projections (like a view in a traditional database; no more than 20 attributes across all indexes)

    l. [Image: Global Secondary Index use cases]

    m. [Image: Sample Data]

    n. Sparse Indexes
    [Image: Sparse Indexes]

    o. Replicas via Secondary Indexes
    [Image: Use case 1]
    [Image: Use case 2]
  13. Redshift
    [Image: Redshift]
  14. Data Lake
    a. Query raw data without extensive pre-processing
    b. Lessen time from data collection to data value
    c. Identify correlations between disparate data sets

    d. [Image: Data lake example]
  15. Neptune
    a. Fully-managed graph database
    b. Supports open graph APIs for both Gremlin and SPARQL

  16. ElastiCache
    a. Fully managed implementation of two popular in-memory data stores: Redis and Memcached
    b. Push-button scalability for memory, writes and reads
    c. In-memory key/value store; not persistent in the traditional sense
    d. Use cases
    [Image: ElastiCache use cases]

    e. Memcached vs Redis
    [Image: Memcached vs Redis]
  17. Amazon Athena
    a. SQL engine overlaid on S3, based on Presto
    b. Query raw data objects as they sit in an S3 bucket
    c. Use or convert your data to Parquet format if possible for a big performance jump
    d. Similar in concept to Redshift Spectrum, but Athena does not need to perform joins with other data sources, while Redshift Spectrum is for joining S3 data with existing Redshift tables or creating union products

  18. Amazon Quantum Ledger Database
    a. Based on blockchain concepts
    b. Provides an immutable and transparent journal as a service without having to set up and maintain an entire blockchain framework
    c. Centralized design allows for higher performance and scalability
    d. Append-only concept where each record contributes to the integrity of the chain

  19. Amazon Managed Blockchain
    a. Fully managed blockchain framework supporting open source frameworks of Hyperledger Fabric and Ethereum
    b. Distributed consensus-based concept consisting of a network, members, nodes and potentially applications
    c. Uses the Amazon QLDB ordering service to maintain complete history of all transactions

  20. Amazon Timestream Database
    a. Fully managed database service specifically built for storing and analyzing time-series data
    b. Alternative to DynamoDB or Redshift; includes some built-in analytics like interpolation and smoothing
    c. Use cases: industrial machinery; sensor networks and equipment telemetry

  21. DocumentDB (MongoDB compatibility)
    [Image: Document DB]
  22. Elasticsearch
    [Image: ES]
  23. Database Options
    [Image: How to choose database options]
  24. Storage options
    [Image: Storage options]
  25. Pro Tips:
    a. Use archiving and backup as the pilot for an AWS business case
    b. Make use of the S3 endpoints within your VPC
    c. Learn how to properly secure your S3 bucket
    d. Encrypt, Encrypt, Encrypt
    e. Consider Aurora for your production MySQL/MariaDB or PostgreSQL needs
    f. Consider NoSQL if you don't need relational database features
    g. Databases on EC2 cost less on the surface than RDS, but remember to factor in management (backups, patching, OS-level hardening)
    h. There can be a performance hit when RDS backups run if you have only a single-AZ instance

  26. Questions

    a. [Image: Gaming DL]
    [Image: Answers]

    b. [Image: Gov data storage]

    c. AWS Glue -> create a Crawler -> specify the data store -> create an IAM role to access the data -> add a Database to store the output -> run the crawler -> one table is added -> Athena -> query against the table -> QuickSight to visualize the data
  27. Network Protocols
    [Image: Network Protocols]
  28. Ephemeral Ports
    [Image: Ephemeral Ports]
    [Image: TCP example]
    [Image: UDP example]
  29. Reserved IP Addresses
    [Image: Reserved IP Addresses for 10.0.0.0/24]
  30. The physical-to-logical assignment of AZs is done at the account level: an AZ with the same name may refer to a different physical AZ in a different account.

  31. AWS Managed VPN
    [Image: VPN Overview]
    [Image: AWS VPN Architecture]
    [Image: Redundant connection]
  32. Direct Connect
    [Image: AWS Direct Connect]
    [Image: AWS Direct Connect Architecture]
  33. Direct Connect + VPN
    [Image: Direct Connect + VPN]
    [Image: Direct Connect + VPN Architecture]
  34. VPN CloudHub (MPLS)
    [Image: CloudHub]
    [Image: CloudHub Architecture]
  35. Software VPN (unmanaged VPN)
    [Image: Software VPN]
    [Image: Software VPN Architecture]
  36. Transit VPC
    [Image: Transit VPC]
    [Image: Transit VPC Architecture]
  37. VPC to VPC Connectivity
    a. VPC Peering
    [Image: VPC Peering]
    [Image: VPC Peering Architecture]

    b. AWS PrivateLink
    [Image: AWS PrivateLink]
    [Image: VPC Endpoints]
    [Image: S3 example without public interface]
  38. Internet Gateways: horizontally scaled, redundant and highly available component that allows communication between your VPC and the Internet; no availability risk or bandwidth constraints; if your subnet is associated with a route to the Internet Gateway, then it is a public subnet; supports IPv4 and IPv6.
    Use case: provide a route table target for Internet-bound traffic; perform NAT for instances with public IP addresses (not for instances with private IPs only)

  39. Egress-Only Internet Gateway (only for IPv6)
    a. IPv6 addresses are globally unique and are therefore public by default
    b. Provides outbound Internet access for IPv6-addressed instances
    c. Prevents inbound access to those IPv6 instances
    d. Must create a custom route for ::/0 to the Egress-Only Internet Gateway
    e. Use Egress-only Internet Gateway instead of NAT for IPv6

  40. NAT Instance: an EC2 instance launched from a special AWS-provided AMI; translates traffic from many private-IP instances to a single public IP and back; does not allow Internet-initiated connections into private instances; not supported for IPv6 (use an Egress-Only Internet Gateway instead); the NAT instance must live in a public subnet with a route to the Internet Gateway; instances in the private subnet must have a route to the NAT instance, usually as the default route 0.0.0.0/0

  41. NAT Gateway: fully managed NAT service; must be created in a public subnet; uses an Elastic IP as its public IP for the life of the Gateway; instances in private subnets must have a route to the NAT Gateway, usually as the default route 0.0.0.0/0; created in a specified AZ with redundancy in that zone; for multi-AZ redundancy, create a NAT Gateway in each AZ with routes for private subnets to use the local Gateway; up to 5 Gbps bandwidth that can scale up to 45 Gbps; cannot use a NAT Gateway to reach VPC peering, VPN or Direct Connect, so be sure to include specific routes to those in your route table

  42. NAT Gateway vs NAT Instance
    [Image: NAT Gateway vs NAT Instance]
  43. VPC Routing
    a. Route tables: each VPC has an implicit router and a main route table; you can modify the main route table or create new tables; each route table contains a local route for the VPC CIDR block; the most specific route for an address wins
    [Image: Routing table example]
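    Added example (not from the original notes): route selection over a constructed private-subnet route table, showing the "most specific route wins" rule above, the ::/0 route to an Egress-Only Internet Gateway from item 39, and the check from item 41 that peered-VPC, VPN or Direct Connect networks need their own routes instead of falling through to the NAT Gateway. The target ids are placeholders, not real AWS identifiers.

```python
import ipaddress

# Constructed route table for a private subnet in VPC 10.0.0.0/16. The
# target identifiers are placeholders, not real AWS resource ids.
PRIVATE_SUBNET_ROUTES = [
    ("10.0.0.0/16", "local"),               # implicit local route for the VPC CIDR
    ("0.0.0.0/0", "nat-PLACEHOLDER"),       # default route: NAT Gateway in this AZ
    ("10.1.0.0/16", "pcx-PLACEHOLDER"),     # peering connection to another VPC
    ("192.168.0.0/16", "vgw-PLACEHOLDER"),  # on-premises network via VPN
    ("::/0", "eigw-PLACEHOLDER"),           # IPv6 outbound via Egress-Only IGW
]


def select_route(routes, destination):
    """Return the target the VPC router uses for destination: among all
    matching routes the most specific (longest prefix) wins. None means
    no route matches, so the packet is dropped."""
    dst = ipaddress.ip_address(destination)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if net.version != dst.version or dst not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, target)
    return None if best is None else best[1]


def remote_networks_falling_to_nat(routes, remote_cidrs, nat_target):
    """Audit check: a NAT Gateway cannot reach peered VPCs, VPN or Direct
    Connect networks, so any remote CIDR whose traffic would follow the
    default route to the NAT Gateway is unreachable and needs its own,
    more specific route."""
    unreachable = []
    for cidr in remote_cidrs:
        first_host = str(ipaddress.ip_network(cidr)[1])
        if select_route(routes, first_host) == nat_target:
            unreachable.append(cidr)
    return unreachable
```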

    b. BGP: propagates information about networks to allow dynamic routing; required for Direct Connect and optional for VPN; the alternative to BGP with AWS VPC is static routes; AWS supports BGP community tagging as a way to control traffic scope and route preference; requires TCP port 179 plus ephemeral ports; autonomous system number (ASN) = unique endpoint identifier; weighting is local to the router, and the higher weight is the preferred path for outbound traffic
    [Image: BGP Example]
  44. Route 53 Routing (Register domain names, check the health of your domain resources, route internet traffic for your domain)
    a. Route 53 Routing Policies
    [Image: Route 53 Routing Policies]

    b. Route 53 is a global service

  45. ELB Routing
    a. Distribute inbound connections to one or many backend endpoints
    b. Three different options: Application Load Balancer (Layer 7); Network Load Balancer (Layer 4); Classic Load Balancer (Layer 4 or Layer 7)
    c. Can be used for public/private workloads
    d. Consume IP addresses within a VPC subnet for scaling

    e. [Image: Load Balancer overview]

    f. [Image: Load Balancer Comparison]

    g. Network Load Balancer routing: by port number; TCP connections to the backend are persisted for the duration of the connection
    [Image: Network Load Balancer Example]

    h. Application Load Balancer routing: host-based routing / path-based routing / HTTP header-based routing / HTTP method-based routing / query string parameter-based routing / source IP address CIDR-based routing
    [Image: Path based routing example]

    i. Sticky Sessions (important feature for web applications)
    [Image: Sticky Sessions example]
  46. Enhanced Networking
    a. Generally used for High Performance Computing use-cases
    b. Uses single root I/O virtualization (SR-IOV) to deliver higher performance than traditional virtualised network interfaces
    c. Might have to install a driver if using an AMI other than Amazon Linux HVM
    d. Intel 82599 VF Interface (10 Gbps) vs Elastic Network Adapter (25 Gbps)

  47. Placement Groups
    [Image: Placement Groups]
    [Image: Placement Groups Demo]
    [Image: Placement Groups Partition]
  48. CloudFront: distributed content delivery service, from simple static asset caching up to 4K live and on-demand video streaming; integrated with AWS Certificate Manager and supports SNI (Server Name Indication), which lets a client indicate which server it wants to connect to when multiple servers share the same IP address

  49. Slow connection between VPCs (note that the Internet Gateway does not have a bandwidth limit)
    [Image: Challenge 1]
  50. Distribute web application traffic (session sticky, application layer)
    [Image: Challenge 2]
  51. Three popular authentication/authorization methods
    [Image: SAML 2.0 vs OAuth 2.0 vs OpenID Connect]
  52. AWS Tools for Account Management
    a. AWS Organizations
    b. Service Control Policies (sub-accounts inherit the parent account's policies)
    c. Tagging
    d. Resource Groups
    e. Consolidated Billing

  53. Account Structure
    a. Identity Account Structure
    [Image: Identity Account Structure]

    b. Logging Account Structure
    [Image: Logging Account Structure]

    c. Publishing Account Structure
    [Image: Publishing Account Structure]

    d. Information Security Account Structure
    [Image: Information Security Account Structure]

    e. Central IT Account Structure
    [Image: Central IT Account Structure]

    f. Example:
    [Image: Multiple Account Example]
    [Image: Consolidated Billing]
    [Image: Consolidated Security]
  54. AWS Directory Services
    [Image: AWS Directory Service Options]
  55. AD Connector vs Simple AD
    [Image: AD Connector vs Simple AD]
  56. Credential and Access Management
    [Image: Context]
    [Image: Example]
  57. Token vending machine concept
    [Image: Token vending machine]
  58. AWS Secrets Manager
    [Image: AWS Secrets Manager]
  59. Encryption
    a. Encryption at Rest: data is encrypted where it is stored, such as on EBS, on S3, in an RDS database, or in an SQS queue waiting to be processed
    b. Encryption in Transit: data is encrypted as it flows through a network or process, such as SSL/TLS for HTTPS, or IPsec for VPN connections

  60. Key management service (KMS)
    a. Key storage, management and auditing
    b. Tightly integrated into many AWS services

  61. DDoS
    [Image: Mitigate DDoS]
  62. Intrusion Detection and Prevention
    [Image: Intrusion Detection and Prevention Methods]
    [Image: IDS and IPS example]
  63. CloudWatch vs CloudTrail
    [Image: CloudWatch vs CloudTrail]
