EC2 lifecycle hooks → actions that can be triggered during scale-out and scale-in, e.g. install software during startup before the instance receives traffic, or copy files somewhere before the instance is terminated.
AWS Global Accelerator → routes user traffic to the nearest edge location and then carries it over the AWS global network
Direct Connect → dedicated network connection between on-prem and AWS for faster, more consistent data transfer
Elastic Beanstalk can create Webserver (handle HTTP requests) and Worker (pull task from a queue) environments. Nothing else.
Bastion host → deployed on public subnet to allow external users to access our private subnet via SSH or RDP.
NAT instance → deployed on public subnet to allow private subnet to access the internet.
AWS Storage Gateway → hybrid cloud storage service to share and access data between on-prem and AWS resources
S3 Transfer Acceleration → accelerate data transfer to S3 using CloudFront
DataSync → service to transfer data between on-prem storage to S3, EFS, FSx
VPC Flow Logs → capture info about IP traffic going to and from network interfaces in your VPC. The logs are stored in CloudWatch Logs, where they can be retrieved for further analysis.
NAT Gateway should be launched in multiple AZs to avoid network inaccessibility from the internet due to failure of a NAT Gateway in one AZ
CloudWatch and CloudWatch Logs are different services - CloudWatch Logs is for monitoring and analyzing log files from other services, while CloudWatch is for monitoring other info like CPU usage, API calls, etc.
ELB can only balance traffic in one region, not across multiple regions
RDS multi-AZ deployment → allow high availability in different AZs
RDS with read-replica → allow offloading DB reads → high performance
DataSync - storage
Server Migration Service - EC2
DB Migration Service - DB
Schema Conversion Tool → heterogeneous DB conversion
Engine Conversion Tool → homogeneous DB conversion
Migration Hub - Track migration
Restricted content in S3
  used by AWS resources
    whole bucket → bucket policy
    file → ACL
  used by external users
    whole bucket or sections → CloudFront origin with signed cookies
    file → CloudFront origin with signed URL
  used by CloudFront only, with no direct S3 URL access for users
    set an Origin Access Identity (OAI) on the CloudFront distribution and set the bucket permission to allow only this OAI
DynamoDB Streams stores a time-ordered sequence of item-level changes in a table for 24 hours
DynamoDB Global Tables → DynamoDB Streams forward records to redundant DynamoDB tables in multiple regions
Unencrypted RDS instance cannot be encrypted directly → take a snapshot, copy it with encryption enabled, and restore from the encrypted copy.
Direct Connect does not provide IPSEC connectivity like VPN
Logging for medical/financial compliance
  enable CloudFront access logs
  capture requests that are sent to the CloudFront API using CloudTrail
RDS is suitable for OLTP tasks, not OLAP. Use Redshift for OLAP
1 subnet is limited to 1 AZ
NAT Gateway is not limited to 1 AZ, but it is better to have 1 NAT Gateway in each AZ for high availability
Security group is stateful (if outbound traffic to something is allowed, the return inbound traffic is allowed regardless of inbound rules), Network ACL is stateless (inbound and outbound need separate rules)
Default Network ACL allows all inbound and outbound traffic by default
Custom Network ACL denies all inbound and outbound traffic by default
1 NACL → multiple subnets
1 subnet → only 1 NACL
PrivateLink → use instead of VPC Peering for 10+ VPCs. Requires only a Network Load Balancer and an ENI
For domain name questions, always select an Alias record over a CNAME.
Service Control Policy (SCP) is the only way to restrict root account
AWS SSO → internal user management
Cognito → external user management
CloudFormation template sections:
  parameters - user-dependent values to be filled in
  mappings - values that fill themselves based on different conditions
  resources - all resources to deploy
  outputs - what to report after deployment
Application Load Balancer and Network Load Balancer support dynamic port mapping
With VPC peering, using another VPC's NAT Gateway is not allowed
Blue-Green deployment → a deployment that allows 2 versions to live simultaneously. This needs a weighted routing policy to route the majority of traffic to the new version and a minority to the old one, in order to ensure everything works fine.
Virtual Network for EC2
  ENI → day-to-day networking
  EN (Enhanced Networking) → faster than ENI, uses ENA or VF technology. Always select ENA over VF
  EFA → like ENA but with OS-bypass functionality; cannot be used with Windows instances
If there is no private subnet that needs to reach the internet, there is no need for a NAT Gateway
SQS is not needed for a highly available static website, but it is for a dynamic website that needs to process orders.
Even though snapshots are incremental, only the latest snapshot is required for restoration.
An EC2 instance retains its private IPv4 address and any IPv6 addresses when hibernated and started. Only the public IPv4 address is re-issued.