AWS Certified Solutions Architect - A Cloud Guru

AWS Certified Solutions Architect - Associate (SAA-C02) - A Cloud Guru

Explore

Random notes from practice exams

EC2 lifecycle hooks → something that can be triggered during EC2 scale-out and scale-in like install software during startup before getting traffic, or copy files to somewhere before the instance is terminated.

AWS Global Accelerator → redirect traffic from users to the nearest edge location and routes the data the Amazon global network

Direct Connect → increase data transfer between on-prem and AWS

Elastic Beanstalk can create Webserver (handle HTTP requests) and Worker (pull task from a queue) environments. Nothing else.

Bastion host → deployed on public subnet to allow external users to access our private subnet via SSH or RDP.

NAT instance → deployed on public subnet to allow private subnet to access the internet.

AWS Storage Gateway → hybrid cloud storage service to share and access data between on-prem and AWS resources

S3 Transfer Acceleration → accelerate data transfer to S3 using CloudFront

DataSync → service to transfer data between on-prem storage to S3, EFS, FSx

VPC Flow Logs → capture info about IP traffic going to and from network interfaces in your VPC. The logs is stored in CloudWatch Logs which can be retrieved for further analysis.

NAT Gateway should be launched in multiple AZs to avoid network inaccessibility from the internet due to failure of a NAT Gateway in one AZ

CloudWatch and CloudWatch Logs are different services - CloudWatch Logs is for monitoring and analysis log files from other services while CloudWatch is for monitoring other info like CPU usage, API calls, etc.

ELB can only balance traffic in one region, not across multiple regions

RDS multi-AZ deployment → allow high availability in different AZs

RDS with read-replica → allow offloading DB reads → high performance

⁠

Migration

DataSync - storage

Server Migration Service - EC2

DB Migration Service - DB

Schema Conversion Tool → heterogeneous DB conversion

Engine Conversion Tool → homogeneous DB conversion

Migration Hub - Track migration

Restricted content in S3

used by AWS resources

whole bucket → bucket policy

file → ACL

used by external users

whole bucket or sections → CloudFront origin with signed cookies

file → CloudFront origin with signed URL

used by CloudFront and do not allow users to use by direct URL

set Origin Of Access (OIA) to CloudFront and set permission to allow only this OIA

DynamoDB Streams stores time-ordered sequence of time-level changes in a table for 24 hours

DynamoDB Streams + Lambda → monitor changes (insert/update/delete) in DynamoDB tables

DynamoDB Global Tables → DynamoDB Streams forward records to multi-region redundant DynamoDBs

Unencrypted RDS instance cannot be encrypted directly → need a snapshot with encryption enable and do encryption.

Direct Connect does not provide IPSEC connectivity like VPN

Logging for medical/financial compliance

enable CloudFront access logs

Capture requests that are sent to the CloudFront API using CloudTrail

RDS is suitable for OLTP task, not OLAP. Use Redshift for OLAP

1 subnet is limited to 1 AZ

NAT Gateway is not limited to 1 AZ, but it is better to have 1 NAT Gateway in each AZ for high availability

Security group is stateful (if outbound to something, its inbound is then allowed regardless of inbound rules), Network ACL is stateless (inbound and outbound need separated rules)

Default Network ACL allows all inbound and outbound traffic by default

Custom Network ACL denies all inbound and outbound traffic by default

1 NACL → multiple subnets

1 subnet → only 1 NACL

PrivateLink → use instead of VPC Peering for 10++ VPCs. Require only Network Load Balancer and ENI

For domain name questions, select Alias Record over CNAME always.

Service Control Policy (SCP) is the only way to restrict root account

AWS SSO → internal user management

Cognito → external user management

⁠

CloudFormation requires 3 sections:

parameters - user-dependent questions to be filled

mappings - values that fill themselves based on diff conditions

resources - all resources to deploy

outputs - what to report after deployment

Application Load Balancer and Network Load Balancer support dynamic port mapping

Upon VPC peering, using another VPC’s NAT Gateway is not allowed

Blue-Green deployment → a deployment that allows 2 versions to live simultaneously. This need Weighted routing policy to route the majority to the new one and minority to the old one in order to ensure everything works fine.

⁠

Virtual Network for EC2

ENI → day-to-day networking

EN → faster than ENI, use ENA or VF technology. Always select ENA over VF

EFA → like ENA but with OS-bypassing functionality but cannot use with Windows instances

If there is no private subnet to connect to the internet, there is no need to use NAT Gateway

SQS is no need for Highly Available Architecture in static website, but for dynamic website that need to process orders, it is.

Even though the snapshot is incremental, only the latest snapshot is required for restoration.

EC2 instance retains its private IPv4 address and any IPv6 addresses when hibernated and started. Only public IPv4 address is re-issued.

Want to print your doc?
This is not the way.

Try clicking the ⋯ next to your doc name or using a keyboard shortcut (

CtrlP

) instead.