AWS Certified Solutions Architect - Associate (SAA-C01)

Course Navigation
Section 1: AWS and SA Fundamentals
Section 2: Identity and Access Control
Section 3: Compute
Section 4: Networking
Go To Part 2
Exam Preparation

AWS and SA Fundamentals

Architecture 101

Welcome to the Architecture 101 topic of the course, where we will cover general architecture.

This topic will walk through some key systems architecture concepts, preparing you for the exam and helping you use AWS effectively.
Access Management Basics

Principal: A person or application that can make an authenticated or anonymous request to perform an action on a system.

Authentication: The process of authenticating a principal against an identity. This could be via username and password or API keys.

Identity: Objects that require authentication and are authorized to access resources.

Authorization: The process of checking and allowing or denying access to a resource for an identity.
Shared Responsibility Model

Customer (Security IN the Cloud):
- Customer Data
- Platform, Application, Identity and Access Management
- Operating System, Network and Firewall Configuration
- Encryption: At Rest and in Transit
- Network Protection

AWS (Security OF the Cloud):
- Software: Compute, Storage, Database, Network
- Hardware / AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Service Models

(Diagram: the stack, from top to bottom, is Data, Application, Runtime, Operating System (OS), Virtualization, Host / Servers, Network and Storage, Data Center. For each of IaaS, PaaS and SaaS, the diagram marks which layers are managed by You and which by the Provider.)

Service models define how a service or product is delivered, how you pay, and what you receive. They also define which part of the product you manage and accept the risks for, as well as which part the vendor is responsible for.
High Availability: Hardware, software, and configuration allowing a system to recover quickly in the event of a failure. (Diagram: Instance Failure, Terminate, Recovery.)

Fault Tolerance: System designed to operate through a failure with no user impact. More expensive and complex to achieve. (Diagram: Load Balancer.)
Recovery Point Objective (RPO): How much a business can tolerate to lose, expressed in time. The maximum time between a failure and the last successful backup.

(Diagram: a timeline showing Backup, Disaster Event, and Recovery.)

Recovery Time Objective (RTO): The maximum amount of time a system can be down. How long a solution takes to recover.
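The RPO and RTO definitions above, worked through in code. This is an added example, not part of the course material: the backup log, the disaster time and the recovery time are all constructed values, and the "failed" backup run shows why only a successful backup counts as a recovery point.

```python
from datetime import datetime

# Constructed sample backup log: (ISO timestamp, outcome). Not from the course.
BACKUP_LOG = [
    ("2024-03-01T00:00:00", "success"),
    ("2024-03-01T06:00:00", "success"),
    ("2024-03-01T12:00:00", "failed"),   # a failed run is not a usable recovery point
    ("2024-03-01T18:00:00", "success"),
]


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def last_successful_backup(log, disaster: datetime) -> datetime:
    """Most recent *successful* backup taken at or before the disaster event."""
    candidates = [parse(ts) for ts, outcome in log
                  if outcome == "success" and parse(ts) <= disaster]
    if not candidates:
        raise ValueError("no recovery point exists before the disaster")
    return max(candidates)


def achieved_rpo_hours(log, disaster_ts: str) -> float:
    """Data-loss window: hours between the last good backup and the failure."""
    disaster = parse(disaster_ts)
    return (disaster - last_successful_backup(log, disaster)).total_seconds() / 3600


def achieved_rto_hours(disaster_ts: str, recovered_ts: str) -> float:
    """Downtime: hours between the failure and the service being restored."""
    return (parse(recovered_ts) - parse(disaster_ts)).total_seconds() / 3600


def meets_objectives(log, disaster_ts, recovered_ts, rpo_target_hours, rto_target_hours):
    """Compare what actually happened against the business's RPO and RTO targets."""
    rpo = achieved_rpo_hours(log, disaster_ts)
    rto = achieved_rto_hours(disaster_ts, recovered_ts)
    return {
        "achieved_rpo_hours": rpo,
        "achieved_rto_hours": rto,
        "rpo_met": rpo <= rpo_target_hours,
        "rto_met": rto <= rto_target_hours,
    }


if __name__ == "__main__":
    # Constructed incident: failure at 21:30, service restored at 00:15 next day.
    print(meets_objectives(BACKUP_LOG, "2024-03-01T21:30:00", "2024-03-02T00:15:00",
                           rpo_target_hours=4, rto_target_hours=2))
```

The point to notice is that a backup schedule alone does not give you your RPO: the 12:00 run failed, so a disaster at 13:00 would lose seven hours of data even though backups were "every six hours".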
Vertical Scaling and Horizontal Scaling

(Diagram: a single machine growing from Medium to Large to X-Large.)

Vertical scaling is achieved by adding additional resources in the form of CPU or memory to an existing machine. By doing so, the machine is able to service additional customers or perform compute tasks quicker. Eventually, maximum machine sizes will constrain your ability to scale, either technically or from a cost perspective.
Horizontal scaling is achieved by adding additional machines into a pool of resources, each of which provides the same service. Horizontal scaling suffers none of the size limitations of vertical scaling and can scale to nearly infinite levels but requires application support to scale effectively.
(Diagram: PRESENTATION, LOGIC and DATA tiers in a single stack.)

Architecturally, applications consist of three tiers: the presentation tier, which interacts with the consumer of the application; the logic tier, which delivers the application functionality; and the data tier, which controls interaction with a database of some kind. If these tiers are implemented in the same code base and not separated, we refer to it as a monolithic application. A monolithic application is hard to scale and generally has to be scaled vertically.

(Diagram: PRESENTATION, LOGIC and DATA tiers as separate components.)

Applications, if designed correctly, implement the tiers as isolated components. Architecturally, these can be provisioned on separate machines or pools of machines. As each tier has differing demands on CPU, memory, and disk I/O, it allows each tier's performance to be managed independently.
Tightly Coupled and Loosely (De)Coupled

(Diagram: an Upload component passes videos directly to a conversion worker, which produces Processed Videos. The upload component relies directly on the conversion worker component.)

In a tightly coupled system or architecture, components are not only directly linked to each other but also dependent on each other. All components share the workload, and the overall system speed is dependent on its slowest part.

A component failure typically means the entire system is impacted, and the system can generally only scale as a single entity.

In this example, media conversion delays could impact the ability to accept uploads.
(Diagram: the Upload component places Messages onto a Message Queue.)

In a loosely or decoupled architecture, each component can operate independently. The components communicate using an intermediate entity, such as a message queue. This process is asynchronous, meaning messages can be added to and taken from the queue at different rates and/or times.

This allows for failure or scaling of one component without directly impacting others.
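The upload and conversion scenario from the tightly coupled and decoupled slides, as a constructed Python example added here (it is not course code). The conversion worker, the uploaders and the in-memory queue are all stand-ins built for the demonstration; the behaviour to compare is what happens to uploads when the worker is down.

```python
from collections import deque


class ConversionWorker:
    """Constructed stand-in for the media conversion component."""

    def __init__(self, healthy=True):
        self.healthy = healthy
        self.processed = []

    def convert(self, video):
        if not self.healthy:
            raise RuntimeError("conversion worker unavailable")
        self.processed.append(f"{video}.mp4")
        return self.processed[-1]


# --- Tightly coupled: the upload calls the worker directly -----------------
class TightlyCoupledUploader:
    def __init__(self, worker):
        self.worker = worker

    def upload(self, video):
        # The upload cannot complete unless conversion succeeds right now,
        # so a slow or failed worker is felt immediately by the user.
        return self.worker.convert(video)


# --- Loosely coupled: the upload only enqueues; the worker drains later ----
class MessageQueue:
    """Minimal FIFO queue standing in for a managed message queue."""

    def __init__(self):
        self._messages = deque()

    def send(self, msg):
        self._messages.append(msg)

    def receive(self):
        return self._messages.popleft() if self._messages else None

    def __len__(self):
        return len(self._messages)


class DecoupledUploader:
    def __init__(self, queue):
        self.queue = queue
        self.accepted = []

    def upload(self, video):
        # Accepting the upload depends only on the queue, not on the worker.
        self.queue.send({"video": video})
        self.accepted.append(video)
        return True


def drain(queue, worker, max_messages):
    """The worker consumes at its own rate; a failure leaves work queued."""
    done = 0
    while done < max_messages:
        msg = queue.receive()
        if msg is None:
            break
        try:
            worker.convert(msg["video"])
            done += 1
        except RuntimeError:
            queue.send(msg)  # keep the message for a retry once the worker recovers
            break
    return done


def demo_tightly_coupled(worker_healthy):
    uploader = TightlyCoupledUploader(ConversionWorker(healthy=worker_healthy))
    results = []
    for v in ["a", "b", "c"]:
        try:
            results.append(uploader.upload(v))
        except RuntimeError as e:
            results.append(str(e))
    return results


def demo_decoupled(worker_healthy):
    q = MessageQueue()
    uploader = DecoupledUploader(q)
    for v in ["a", "b", "c"]:
        uploader.upload(v)
    worker = ConversionWorker(healthy=worker_healthy)
    converted = drain(q, worker, max_messages=10)
    return {"accepted": len(uploader.accepted), "converted": converted, "queued": len(q)}
```

With the worker down, the tightly coupled uploader fails every upload, while the decoupled uploader still accepts all three and the queue holds them until the worker is back; the same queue is what lets you run more (or fewer) workers without touching the upload component.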
Encryption is the process of taking plaintext and converting it into ciphertext, and converting ciphertext into plaintext. Plaintext and ciphertext can be text, images, or any other data.

Encryption generally uses an algorithm and one or more keys. It is commonly used to encrypt data at rest or in transit.

(Diagram: "Cats are amazing" passes through Encrypt using the Algorithm to give "0f55sdb!nfgersd", and through Decrypt back to "Cats are amazing".)

The process can be symmetrical (where the same key is used for encryption and decryption) or asymmetrical (where different keys, called public and private keys, are used).
There are a number of terms you might hear in this course and the exam that you need to understand at a high level:

Cost efficient or cost effective: Implementing a solution within AWS using products or product features that provide the required service for as little initial and ongoing cost as possible. Using your funds effectively and knowing if product X is better or worse than product Y for a given solution.

Secure: In a systems architecture context, implementing a given solution that secures data and operations as much as possible from an internal or external attack.

Application session state: Data that represents what a customer is doing, what they have chosen, or what they have configured. Examples include items and quantities in a shopping cart, notes on an X-ray, and the 3D position of a real-time heart scan. Session state can be stored on a server (stateful server) or externally to a server (stateless server).

Undifferentiated heavy lifting: A part of an application, system, or platform that is not specific to your business. Allowing a vendor (AWS) to handle this part frees your staff to work on adding direct value to your customers.
So far, we have covered generic architecture concepts and terms.

In the following topic, we will discuss AWS-specific fundamentals.
AWS Architecture 101

This topic will explore some AWS architecture fundamentals, introducing concepts unique to AWS.
(Diagram: AWS Account 1 and AWS Account 2, each with its own Authentication, Authorization and Billing, and each with its own Root User.)

AWS accounts are isolated. They are created initially with a single root user. This user, via its username/password/API keys, is the only identity that can use (authenticate to) the account. If account credentials are leaked, the impact (blast radius) is limited to that account.
Authorization is controlled on a per-account basis. The root user starts with full control of the account and its resources. Additional identities can be created or external identities (AWS or otherwise) can be granted access. Unless defined otherwise, no identity except the account root user has access to resources.
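A simplified model of the per-account authorization rule just described, added here as a Python example (not course code and not AWS's actual policy engine). It encodes the stated behaviour, that only the root user has access unless a grant is defined, plus the standard policy evaluation order of an implicit deny, an explicit Allow and an explicit Deny that overrides any Allow. The account id, identities and policy statements are constructed placeholders; the bucket names come from the course's S3 slide.

```python
from fnmatch import fnmatchcase

# Constructed sample account: a root user plus two additional identities.
ACCOUNT = {
    "id": "111111111111",  # placeholder account id, not a real account
    "root": "root",
    "policies": {
        # identity -> statements of (Effect, Action pattern, Resource pattern)
        "alice": [
            {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::catpics/*"},
        ],
        "bob": [
            {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"},
            {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::*"},
        ],
    },
}


def matches(statement, action, resource) -> bool:
    """A statement applies when both its action and resource patterns match."""
    return (fnmatchcase(action, statement["Action"])
            and fnmatchcase(resource, statement["Resource"]))


def is_allowed(account, identity, action, resource) -> bool:
    """Simplified per-account authorization:
    - the root user has full control of the account,
    - every other identity is implicitly denied,
    - an explicit Allow grants access,
    - an explicit Deny always wins over any Allow.
    """
    if identity == account["root"]:
        return True
    # An identity with no statements (or one the account has never heard of)
    # falls through to the implicit deny.
    statements = account["policies"].get(identity, [])
    effects = {s["Effect"] for s in statements if matches(s, action, resource)}
    if "Deny" in effects:
        return False
    return "Allow" in effects


def evaluate_requests(account, requests):
    """Evaluate a batch of (identity, action, resource) requests; useful for review."""
    return [is_allowed(account, *r) for r in requests]


if __name__ == "__main__":
    for req in [("root", "s3:DeleteObject", "arn:aws:s3:::movies/x.mp4"),
                ("alice", "s3:GetObject", "arn:aws:s3:::dogpics/dog.jpg"),
                ("bob", "s3:DeleteObject", "arn:aws:s3:::movies/x.mp4")]:
        print(req, "->", "ALLOW" if is_allowed(ACCOUNT, *req) else "DENY")
```

The last case is the one worth remembering for reviews: bob's broad `s3:*` Allow does not let him delete, because the narrower Deny takes precedence, and an identity the account has no grants for (say, "mallory") gets nothing at all.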
(Diagram: Credit Card or Invoice. Accounts can be linked and configured to allow consolidated billing where a master account is charged for all member account resource usage.)

Every AWS account has its own isolated billing information. This is initially in the form of an attached credit card, but established accounts can be converted to use traditional, term-based invoicing. By default, you are only billed for resources in your account. Billing or security exploits are limited to a single account.
(Diagram: the ap-southeast-2 (Sydney) region containing Availability Zone (AZ) A and Availability Zone (AZ) B, with EC2 running inside the AZs.)

Regions contain multiple Availability Zones (AZs), which are separated and isolated networks. A failure in one AZ generally won't impact another.

AZs in the same region are connected with redundant, high-speed, low-latency network connections.

Most AWS services run within AZs. Some services operate from one AZ, while others replicate between AZs. Some services allow you to choose the AZ to use, and some don't.

Edge locations are small pockets of AWS compute, storage, and networking close to major populations and are generally used for edge computing and content delivery.
Well-Architected Framework

The five pillars: Security, Reliability, Performance Efficiency, Operational Excellence, Cost Optimization.
The security pillar includes the ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.

Design Principles
- Implement a strong identity foundation.
- Enable traceability.
- Apply security at all layers.
- Automate security best practices.
- Protect data in transit and at rest.
- Prepare for security events.
The reliability pillar includes the ability of a system to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions, such as misconfigurations or transient network issues.

Design Principles
- Test recovery procedures.
- Automatically recover from failure.
- Scale horizontally to increase aggregate system availability.
- Stop guessing capacity.
- Manage change in automation.
The performance efficiency pillar includes the ability to use computing resources efficiently to meet system requirements and to maintain that efficiency as demand changes and technologies evolve.

Design Principles
- Democratize advanced technologies.
- Go global in minutes.
- Use serverless architectures.
- Experiment more often.
- Mechanical sympathy.
The operational excellence pillar includes the ability to run and monitor systems to deliver business value and to continually improve supporting processes and procedures.

Design Principles
- Perform operations as code.
- Annotate documentation.
- Make frequent, small, reversible changes.
- Refine operations procedures frequently.
- Anticipate failure.
- Learn from all operational failures.
The cost optimization pillar includes the ability to avoid or eliminate unneeded cost or suboptimal resources.

Design Principles
- Adopt a consumption model.
- Measure overall efficiency.
- Stop spending money on data center operations.
- Analyze and attribute expenditure.
- Use managed services to reduce cost of ownership.
Vertical, Horizontal and Elastic Scaling

(Diagram: Demand rising over time against stepped Capacity. Purchase too early: Capacity Wasted. Purchase too late: Performance Impacted.)

Traditional legacy systems use vertical scaling. An attempt is made to forecast demand and purchase servers ideally before the demand passes current capacity. Purchase too early and capacity is wasted. Purchase too late and performance is impacted.
(Diagram: Demand against Capacity.)

When horizontal scaling is used (more, smaller servers), capacity can be maintained closer to demand. There is less waste because servers are smaller, and there's less risk of performance impact as each increase is less expensive, so it generally requires less approval.
(Diagram: Demand, Traditional Capacity and Elastic Capacity over time.)

Elasticity, or elastic scaling, is where automation and horizontal scaling are used in conjunction to match capacity with demand. Demand is rarely so linear: it can increase or decrease, often in a rapid and sudden way. An efficient platform should scale OUT and IN, matching demands on that system.
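The three capacity strategies from the vertical, horizontal and elastic scaling slides, compared on one constructed demand series. This is an added example, not course material: the demand numbers, server sizes and the simple "scale from the last observed demand" rule are all assumptions made for the demonstration, and the two figures it reports are the "capacity wasted" and "performance impacted" areas from the diagrams.

```python
import math

# Constructed demand series (requests per second, one sample per interval).
DEMAND = [50, 80, 120, 200, 380, 420, 300, 150, 90, 60]


def simulate(demand, capacity_fn):
    """Accumulate wasted capacity (capacity above demand) and shortfall
    (demand above capacity) across the series. capacity_fn(t, past) returns
    the capacity available at tick t given the demand observed before it."""
    wasted = shortfall = 0
    history = []
    for t, d in enumerate(demand):
        cap = capacity_fn(t, demand[:t])
        history.append(cap)
        wasted += max(cap - d, 0)
        shortfall += max(d - cap, 0)
    return {"wasted": wasted, "shortfall": shortfall, "capacity": history}


def vertical_forecast(size):
    """One big machine bought up front on a forecast: capacity never changes."""
    return lambda t, past: size


def horizontal_reactive(server_size):
    """Add one small server after any tick in which demand exceeded capacity.
    Servers are never removed: there is no automation to scale IN."""
    def cap(t, past):
        servers = 1
        for d in past:
            if d > servers * server_size:
                servers += 1
        return servers * server_size
    return cap


def elastic(server_size):
    """Automation sizes the fleet every tick from the last observed demand,
    scaling OUT and IN, with a floor of one server."""
    def cap(t, past):
        last = past[-1] if past else 0
        servers = max(math.ceil(last / server_size), 1)
        return servers * server_size
    return cap


def compare(demand, server_size, big_machine):
    """Return (wasted, shortfall) for each strategy so they can be compared."""
    results = {}
    for name, fn in [("vertical", vertical_forecast(big_machine)),
                     ("horizontal", horizontal_reactive(server_size)),
                     ("elastic", elastic(server_size))]:
        r = simulate(demand, fn)
        results[name] = (r["wasted"], r["shortfall"])
    return results


if __name__ == "__main__":
    for name, (wasted, short) in compare(DEMAND, server_size=100, big_machine=400).items():
        print(f"{name:10s} wasted={wasted:5d} shortfall={short:4d}")
```

The oversized vertical purchase almost never falls short but wastes the most capacity; the reactive horizontal pool wastes less but, never scaling in, still carries idle servers once the peak has passed; the elastic fleet tracks demand in both directions and wastes the least. The one-tick lag in the elastic rule is also where its shortfall comes from, which is why real autoscaling policies add headroom or scale on leading indicators rather than only on the last sample.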
This topic has covered some simple but essential AWS architecture concepts.

In the next topic, we will go over some fundamental products and prepare you to begin the in-depth part of the course.
Product Fundamentals

This topic will introduce the AWS Management Console and a number of key foundational products you will need right away.
The AWS services area allows quick navigation to any AWS service via the Find Services box or the All Services dropdown. Recently visited services are available for quick access.
Clicking the AWS button will always return you to the main AWS console regardless of your current location.
Clicking the Services dropdown will display a categorized breakdown of AWS services and allow access to frequent services. Using this, and opening a given service in a new browser tab, is often the preferred way to access a given service via the console.
The pin allows you to drag frequently used services to the menu bar on a long-term, project, or task basis.
Clicking notifications will display any relevant AWS events for your account. This can include open issues (support tickets), scheduled changes that will impact your account, and any other AWS notifications.
The accounts dropdown will allow quick access to account-related areas of the AWS console. This includes the AWS account page, AWS Organizations (if applicable), billing dashboard (if available), and your personal security credentials page (IAM user or root user).
The region dropdown is where you can change the region you are interacting with. For any services that are "per region," this will show the region name for the AWS region (e.g., US East (N. Virginia) rather than us-east-1).

When you use services such as S3, IAM, or Route 53, this will show Global.
The Support dropdown provides quick access to the support center, forums, and documentation regardless of where you are located within the AWS console.
Simple Storage Service (S3) is a global object storage platform that can be used to store objects in the form of text files, photos, audio, movies, large binaries, or other object types.

[Diagram: AWS Cloud > Region > Buckets (catpics, dogpics, movies) > Objects]

Object:
- Similar to a file
- Has a key (name) and value (data)
- Can contain 0 bytes to 5 TB
- Has a unique name in a bucket
Exam Facts and Figures: S3 Fundamentals

- Bucket names have to be globally unique
- Minimum of three and maximum of 63 characters; no uppercase or underscores
- Must start with a lowercase letter or number and can't be formatted as an IP address (1.1.1.1)
- Default 100 buckets per account, and hard 1,000-bucket limit via support request
- Unlimited objects in buckets
- Unlimited total capacity for a bucket
- An object's key is its name
- An object's value is its data
- An object's size is from 0 to 5 TB
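The bucket-naming rules above are easy to get wrong in automation, so here is an added checker (example code written for this page, not part of the course) that reports every rule a proposed name breaks. It assumes hyphens and dots are acceptable characters, which comes from S3's published naming rules rather than from the slide.

```python
"""Check S3 bucket names against the naming rules listed above."""
import ipaddress
import string
from typing import List

# Characters the checker accepts: the slide forbids uppercase and
# underscores; allowing hyphens and dots is an assumption taken from
# S3's published naming rules, not from the slide.
ALLOWED_CHARS = set(string.ascii_lowercase + string.digits + "-.")


def bucket_name_problems(name: str) -> List[str]:
    """Return every rule the name breaks; an empty list means it is valid."""
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("length must be 3-63 characters")
    if any(c.isupper() for c in name):
        problems.append("uppercase letters are not allowed")
    if "_" in name:
        problems.append("underscores are not allowed")
    if name and name[0] not in string.ascii_lowercase + string.digits:
        problems.append("must start with a lowercase letter or digit")
    if set(name) - ALLOWED_CHARS:
        problems.append("contains characters other than lowercase letters, "
                        "digits, hyphens, and dots")
    try:
        ipaddress.ip_address(name)
        problems.append("must not be formatted as an IP address")
    except ValueError:
        pass  # not an IP address, which is what we want
    return problems


def is_valid_bucket_name(name: str) -> bool:
    return not bucket_name_problems(name)


if __name__ == "__main__":
    # constructed sample names, including the slide's 1.1.1.1 example
    for candidate in ["catpics", "CatPics", "cat_pics", "1.1.1.1", "ab", "-dash"]:
        print(f"{candidate!r}: {bucket_name_problems(candidate) or 'ok'}")
```

Because bucket names are globally unique, a name that passes this check can still be taken by another account; the check only stops requests that S3 would reject outright.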
CloudFormation is an Infrastructure as Code (IaC) product: you can create, manage, and remove infrastructure using JSON or YAML.

1. Template: A CFN template is JSON or YAML. It contains logical resources and configuration.
2. Stack: Stacks are created and modified based on templates, which can be changed and used to update a stack.
3. Physical Resources: Stacks take logical resources from a template and create, update, or delete the physical resources in AWS.

CloudFormation is effective if you frequently deploy the same infrastructure or you require guaranteed consistent configuration.
Exam Facts and Figures: CloudFormation Fundamentals

A CloudFormation (CFN/cfn) template is used to initially create a CFN stack. A stack creates, updates, and deletes physical AWS resources based on its logical resources, which are based on the contents of a template.

- A CFN template is written in JSON or YAML.
- A template can create up to 200 resources.
- If a stack is deleted, then, by default, any resources it has created are also deleted.
- A stack can be updated by uploading a new version of a template.
- New logical resources cause new physical resources.
- Removed logical resources cause the stack to delete physical resources.
- Changed logical resources update with some disruption or replace physical resources.
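The last three facts describe what a stack update does with each logical resource. The added example below (written for this page, not CloudFormation's own change-set logic) diffs the Resources section of two constructed JSON templates and classifies every logical resource as create, delete, update, or unchanged, enforcing the 200-resource limit quoted above. Whether an "update" is in place, disruptive, or a replacement depends on the property being changed, which this example does not model.

```python
"""Predict what a CloudFormation stack update does from two JSON templates."""
import json
from typing import Dict, List

MAX_RESOURCES_PER_TEMPLATE = 200  # limit quoted in the exam facts above

# Constructed sample templates (not from the course). Version 2 changes
# the CatPicsBucket properties, drops UploadQueue, and adds CatPicsTable.
TEMPLATE_V1 = """{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "CatPicsBucket": {"Type": "AWS::S3::Bucket",
                      "Properties": {"BucketName": "catpics-demo"}},
    "LogBucket": {"Type": "AWS::S3::Bucket"},
    "UploadQueue": {"Type": "AWS::SQS::Queue"}
  }
}"""

TEMPLATE_V2 = """{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "CatPicsBucket": {"Type": "AWS::S3::Bucket",
                      "Properties": {"BucketName": "catpics-demo",
                                     "VersioningConfiguration": {"Status": "Enabled"}}},
    "LogBucket": {"Type": "AWS::S3::Bucket"},
    "CatPicsTable": {"Type": "AWS::DynamoDB::Table",
                     "Properties": {"BillingMode": "PAY_PER_REQUEST",
                                    "AttributeDefinitions": [{"AttributeName": "pk", "AttributeType": "S"}],
                                    "KeySchema": [{"AttributeName": "pk", "KeyType": "HASH"}]}}
  }
}"""


def plan_stack_update(current_template: str, new_template: str) -> Dict[str, List[str]]:
    """Diff the Resources sections the way a stack update treats them:
    new logical resources are created, removed ones are deleted, and changed
    ones are updated (CloudFormation decides per property whether that update
    is in place, disruptive, or a replacement)."""
    current = json.loads(current_template).get("Resources", {})
    new = json.loads(new_template).get("Resources", {})
    if len(new) > MAX_RESOURCES_PER_TEMPLATE:
        raise ValueError(f"template declares {len(new)} resources; "
                         f"the limit is {MAX_RESOURCES_PER_TEMPLATE}")
    plan: Dict[str, List[str]] = {"create": [], "delete": [], "update": [], "unchanged": []}
    for name in sorted(set(current) | set(new)):
        if name not in current:
            plan["create"].append(name)
        elif name not in new:
            plan["delete"].append(name)
        elif current[name] != new[name]:
            plan["update"].append(name)
        else:
            plan["unchanged"].append(name)
    return plan


def demo_plan() -> Dict[str, List[str]]:
    return plan_stack_update(TEMPLATE_V1, TEMPLATE_V2)


if __name__ == "__main__":
    for action, names in demo_plan().items():
        print(f"{action:>9}: {', '.join(names) or '-'}")
```

A "delete" entry is the one to review before applying a template change: by default the stack removes the physical resource, and for stateful resources such as buckets or tables that means data loss unless a retention setting is in place.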
Lab time! In the Getting Started with CloudFormation hands-on lab, we will explore together how to use CloudFormation to create some simple AWS resources.
Identity and Access Control

Identity and Access Management

Identity and Access Management (IAM) is the primary service that handles authentication and authorization within AWS environments.

Systems architecture is incomplete without being able to control access in a granular way.
IAM controls access to AWS services via policies that can be attached to users, groups, and roles. Users are given long-term credentials to access AWS resources (username and password or access keys). Roles allow for short-term access to resources when assumed, using temporary access credentials.

[Diagram: an external principal authenticates as an IAM user with IAM credentials (via the console UI or the CLI); users can be placed in an IAM group; an IAM role can be assumed by an IAM user or an AWS service; IAM policies attach to users, groups, and roles; the account root user has full access]
Amazon Resource Name (ARN)

ARNs always begin with:

arn:partition:service:region:account-id:

partition = aws or aws-cn (for China)
service = the AWS service: s3, ec2, rds, dynamodb
region = region code: us-east-1, ap-southeast-2

And, depending on service, finish with:

resource
resourcetype/resource
resourcetype/resource/qualifier
resourcetype/resource:qualifier
resourcetype:resource
resourcetype:resource:qualifier

Example ARNs:

arn:aws:iam::123456789012:user/roffle
arn:aws:s3:::myamazingcatpics/truffs.jpeg
arn:aws:dynamodb:us-east-1:123456789012:table/ratemycats

In some cases, wildcards are supported:

arn:aws:ec2:us-east-1:123456789012:instance/*

Fields with :: omit the value, and * is a wildcard match.
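An ARN is easy to read but surprisingly easy to mis-split in code because the resource part can itself contain colons. The added example below (written for this page, not an AWS library) parses the five fields and applies * and ? wildcards field by field; that per-field matching is a simplification adopted here, and the aws-us-gov partition it accepts is AWS's third published partition, not one named on the slide.

```python
"""Parse and wildcard-match Amazon Resource Names of the form shown above."""
import fnmatch
from dataclasses import dataclass

# Partitions: the slide names aws and aws-cn; aws-us-gov is the third
# partition AWS publishes (not on the slide).
KNOWN_PARTITIONS = {"aws", "aws-cn", "aws-us-gov"}
FIELDS = ("partition", "service", "region", "account_id", "resource")


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str      # "" when omitted (the "::" case, e.g. IAM and S3)
    account_id: str  # "" when omitted (e.g. S3)
    resource: str    # everything after the fifth colon, in any of the
                     # resource / resourcetype/resource / ... forms


def parse_arn(text: str) -> Arn:
    """Split an ARN into its five fields, validating the fixed prefix."""
    parts = text.split(":", 5)  # the resource field may itself contain colons
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {text!r}")
    _, partition, service, region, account_id, resource = parts
    if partition not in KNOWN_PARTITIONS:
        raise ValueError(f"unknown partition {partition!r} in {text!r}")
    if not service or not resource:
        raise ValueError(f"service and resource are required: {text!r}")
    return Arn(partition, service, region, account_id, resource)


def arn_matches(pattern: str, candidate: str) -> bool:
    """True when every field of the candidate matches the pattern's field.
    * and ? are applied field by field (a simplification adopted here; it
    keeps a wildcard in one field from spilling into the next)."""
    p, c = parse_arn(pattern), parse_arn(candidate)
    return all(fnmatch.fnmatchcase(getattr(c, f), getattr(p, f)) for f in FIELDS)


if __name__ == "__main__":
    for example in ("arn:aws:iam::123456789012:user/roffle",
                    "arn:aws:s3:::myamazingcatpics/truffs.jpeg",
                    "arn:aws:dynamodb:us-east-1:123456789012:table/ratemycats"):
        print(parse_arn(example))
    print(arn_matches("arn:aws:ec2:us-east-1:123456789012:instance/*",
                      "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"))
```

Note that the resource field keeps its full text: for S3 the first path segment is the bucket, for DynamoDB it is the resource type "table", and the parser does not try to guess which form applies.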
An IAM policy (policy document) is known as an identity policy when attached to an identity or a resource policy when attached to a resource. They have no effect until they are attached to something.

A policy document is a list of statements:

{
  "Version": "2012-10-17",
  "Statement": [ { ... }, { ... } ]
}

Each statement matches a request to AWS. Requests are matched based on their Action (or actions), which are the API calls or operations being attempted, and the Resource (or resources) the request is against. A given statement results in an Allow or Deny for the request.

{
  "Sid": "SpecificTable",
  "Effect": "Allow",
  "Action": [
    "dynamodb:BatchGet*",
    "dynamodb:DescribeStream",
    "dynamodb:DescribeTable",
    "dynamodb:Get*", "dynamodb:Query",
    "dynamodb:Scan", "dynamodb:BatchWrite*",
    "dynamodb:CreateTable",
    "dynamodb:Delete*", "dynamodb:Update*",
    "dynamodb:PutItem"
  ],
  "Resource": "arn:aws:dynamodb:*:*:table/CatPics"
}
Exam Tips: IAM Policies

- If a request isn't explicitly allowed, it's implicitly (default) denied.
- If a request is explicitly denied, it overrides everything else.
- If a request is explicitly allowed, it's allowed unless denied by an explicit deny.
- Remember: DENY -> ALLOW -> DENY
- Only attached policies have any impact.
- When evaluating policies, all applicable policies are merged:
  - All identity (user, group, role) and any resource policies
- Managed policies allow the same policy to impact many identities.
- Inline policies allow exceptions to be applied to identities.
- AWS-managed policies are low overhead but lack flexibility.
- Customer-managed policies are flexible but require administration.
- Inline and managed policies can apply to users, groups, and roles.
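The statement format on the previous slide and the DENY -> ALLOW -> DENY precedence above fit in a few dozen lines, so here is an added evaluator (example code written for this page, not AWS's policy engine) that merges several policy documents and answers Allow or Deny for one action and resource. It uses the CatPics statement from the slide plus a constructed explicit-Deny policy; Condition blocks, NotAction and NotResource are not modelled.

```python
"""Evaluate an IAM request against merged policy documents using the
precedence above: explicit Deny > explicit Allow > implicit Deny."""
import fnmatch
import json
from typing import List, Union

# The identity policy statement shown on the previous slide, wrapped in a document.
CATPICS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "SpecificTable",
    "Effect": "Allow",
    "Action": ["dynamodb:BatchGet*", "dynamodb:DescribeStream",
               "dynamodb:DescribeTable", "dynamodb:Get*", "dynamodb:Query",
               "dynamodb:Scan", "dynamodb:BatchWrite*", "dynamodb:CreateTable",
               "dynamodb:Delete*", "dynamodb:Update*", "dynamodb:PutItem"],
    "Resource": "arn:aws:dynamodb:*:*:table/CatPics"
  }]
}""")

# Constructed second policy (not from the course): an explicit Deny that an
# administrator might attach to stop anyone dropping tables.
NO_TABLE_DELETE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Deny", "Action": "dynamodb:DeleteTable", "Resource": "*"}]
}""")

CATPICS_TABLE = "arn:aws:dynamodb:us-east-1:123456789012:table/CatPics"


def _as_list(value: Union[str, dict, list]) -> list:
    return [value] if isinstance(value, (str, dict)) else list(value)


def _action_matches(patterns: List[str], action: str) -> bool:
    # Action names are matched case-insensitively; * and ? are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _resource_matches(patterns: List[str], resource: str) -> bool:
    return any(fnmatch.fnmatchcase(resource, p) for p in patterns)


def evaluate(policies: List[dict], action: str, resource: str) -> str:
    """Return "Allow" or "Deny" for one request. All supplied policies are
    merged as one set of statements; Condition blocks, NotAction and
    NotResource are not modelled here."""
    explicitly_allowed = False
    for document in policies:
        for statement in _as_list(document.get("Statement", [])):
            if not _action_matches(_as_list(statement["Action"]), action):
                continue
            if not _resource_matches(_as_list(statement["Resource"]), resource):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"            # an explicit Deny overrides everything
            explicitly_allowed = True    # keep scanning: a later Deny still wins
    return "Allow" if explicitly_allowed else "Deny"   # implicit (default) deny


if __name__ == "__main__":
    for action in ("dynamodb:GetItem", "dynamodb:DeleteTable", "s3:GetObject"):
        print(action, evaluate([CATPICS_POLICY, NO_TABLE_DELETE_POLICY], action, CATPICS_TABLE))
```

The order in which policies are supplied does not matter, which is the property the "merged" bullet above describes: a Deny anywhere in the merged set wins over an Allow anywhere else.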
IAM users are a type of IAM identity suitable for long-term access for a known entity (human, service, application).

Principals authenticate to IAM users either with a username and password or using access keys.

- AWS software development kits (SDKs) and the CLI use access keys during authentication.
- Console access authentication is achieved using username, password, and optional MFA.
- Authenticated identities are authorized for resource access based on any inline or attached policies.
Exam Facts and Figures: IAM Users

- Hard limit of 5,000 IAM users per account; this is important, as it can impact architecture
- 10 group memberships per IAM user
- Default maximum of 10 managed policies per user
- No inline limit, but you cannot exceed 2048 characters for all inline policies on an IAM user
- 1 MFA per user
- 2 access keys per user
An IAM group is a collection of IAM users. Groups allow easier administration over sets of IAM users. Inline and managed policies can be applied to groups that flow on to members of that group.

Groups are not a true identity; they cannot be the principal in a policy, so they can't be used in resource policies.

[Diagram: FelineInc AWS Account with three groups, each with an IAM policy attached. Group Admins: Roffle, Butters, Mark. Group Feeders: Ashley, Adrian. Group Strokers: Ashley]
Exam Facts and Figures: IAM Groups

- Groups are an admin feature to group IAM users.
- Groups can contain many IAM users, and users can be in many groups.
- IAM inline policies can be added to IAM groups, and these flow on to IAM users who are members.
- Managed IAM policies can be attached and flow on to IAM users who are members.
- Groups are not "true" identities, and they can't be referenced from resource policies.
- Groups have no credentials.
Access keys are a pair of values used by applications, SDKs, or the AWS command line to authenticate to AWS.

Access keys consist of two parts: the access key ID and secret access key. The access key ID is the public part of the key and is stored by AWS once generated.

Access Key ID: AKIAIOSFODNN7EXAMPLE

The secret access key is the sensitive and private part of the access key, available only once when the access key is initially generated. It's stored only by the owner and should never be revealed.

Secret Access Key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

An IAM user is the only identity that uses access keys. They are allowed two sets. They can be created, deleted, enabled, and disabled.

They can't be used to log in to the console, and they don't expire. If anyone finds a set of access keys, they have access to the permissions of the IAM user to which they belong.
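Because access keys never expire, the practical defence is finding them before someone else does: in tickets, logs, repositories and shell history. The added scanner below (example code written for this page, not an AWS tool) looks for the 20-character key ID shape and reports whether a 40-character secret-shaped token sits beside it, which is what distinguishes a full credential leak from a harmless key ID in a log line. The sample text is constructed and uses the two example keys AWS publishes in its documentation (the first is the pair shown above); the ASIA prefix for temporary STS keys is a known fact not on the slide.

```python
"""Scan text (logs, config, pasted shell history) for IAM access keys."""
import re
from dataclasses import dataclass
from typing import List

# Access key IDs are 20 characters: AKIA (long-term, as in the example
# above) or ASIA (temporary STS keys) followed by 16 upper-case letters
# or digits. Secret keys are 40 characters drawn from A-Za-z0-9/+.
KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")
HEX40_RE = re.compile(r"[0-9a-f]{40}")  # a git commit id has the same length

# Constructed sample, using the two example keys AWS publishes in its
# documentation (the first one is the pair shown on the slide above).
SAMPLE_TEXT = """\
# shell history pasted into a support ticket
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws s3 ls s3://myamazingcatpics
2019-03-01T10:00:00Z INFO signing request with key AKIAI44QH8DHBEXAMPLE
git checkout 3b1f0c9e4d2a8f7b6c5d4e3f2a1b0c9d8e7f6a5b
"""


@dataclass(frozen=True)
class Finding:
    line_no: int          # 1-based line holding the access key ID
    key_id_masked: str    # enough to identify the key in IAM, not to use it
    secret_found: bool    # a secret-shaped token on the same or next line


def mask(key_id: str) -> str:
    return f"{key_id[:4]}...{key_id[-4:]}"


def _secret_near(lines: List[str], index: int) -> bool:
    window = lines[index:index + 2]      # the ID's line and the one after it
    for line in window:
        for token in SECRET_RE.findall(line):
            if not HEX40_RE.fullmatch(token):   # skip SHA-1 style hex strings
                return True
    return False


def find_leaked_keys(text: str) -> List[Finding]:
    lines = text.splitlines()
    findings = []
    for index, line in enumerate(lines):
        for key_id in KEY_ID_RE.findall(line):
            findings.append(Finding(index + 1, mask(key_id), _secret_near(lines, index)))
    return findings


if __name__ == "__main__":
    for f in find_leaked_keys(SAMPLE_TEXT):
        print(f"line {f.line_no}: {f.key_id_masked} "
              f"{'with a secret nearby' if f.secret_found else 'ID only'}")
```

The scanner masks the key ID in its output on purpose: a finding should be enough to locate and deactivate the key in IAM, not to reuse it. A key with a secret nearby should be treated as compromised and rotated; a bare key ID is a lower-priority hygiene issue.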
IAM roles are assumed by another identity allowed in the trust policy: an IAM user, AWS service, another AWS account, web identity, or even an anonymous identity. When a role is assumed, the Security Token Service (STS) generates a time-limited set of access keys (temporary security credentials). These access keys have the permissions defined in the permissions policy. IAM roles have no long-term credentials (access keys or username and password).

[Diagram: an AWS service, IAM user, or AWS account calls STS AssumeRole on an IAM role; the role's trust policy decides who may assume it, and its permissions policy decides what the resulting temporary security credentials can do]
Exam Facts and Figures: IAM Roles

- IAM roles have no long-term credentials.
- They are assumed (sts:AssumeRole) by another identity:
  - IAM users
  - AWS services
  - External accounts
  - Web identities
- Temporary security credentials are generated by STS.
- Trust policy controls which identities can assume the role.
- Permissions policy defines the permissions provided.
- Temporary credentials expire.
- Example scenarios:
  - Company merger
  - AWS service access
  - "Break-glass"-style extra access
  - Cross-account access
  - Web identity federation
Multi-Account and Orgs

AWS Organizations is a service for managing multiple accounts within a single business. Rather than managing many accounts, with many isolated sets of logins and individual bills, Organizations allows consolidation.

All accounts within an AWS Organization can consolidate bills into a single account: one bill covering all business usage. Organizations can share bulk discounts and even easily manage accounts and permissions and limit account usage using service control policies.

[Diagram: an organization is created with either Consolidated Billing only or All Features enabled]
[Diagram: consolidated billing. The master account receives one bill (TOTAL $83) covering the member accounts: Account 1 $10, Account 2 $47, Account 3 $15, Account 4 $11]
[Diagram: the organization ROOT contains the master AWS account and organizational units (OUs); OUs contain member accounts or nested OUs; a service control policy is shown attached at the root]
Role switching is a method of accessing one account from another using only one set of credentials. It is used both within AWS Organizations and between two unconnected accounts.

1. A role in Account B trusts Account A.
2. An identity in Account A can assume the role in Account B...
3. ...and, using that role, it can operate inside Account B.

[Diagram: an identity in Account A, the master account (111111111111), calls sts:AssumeRole on a role in Account B, the member account (222222222222); the role's trust policy names Account A, and its permissions policy grants access to resources in Account B]
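The three steps above are implemented by two policy documents on the role in Account B. The added example below (written for this page, not the course's or AWS's code) builds both documents for the accounts in the diagram and checks which principals the trust policy admits. The S3 permissions it grants and the bucket name are constructed; the trust policy's Principal shape and the sts:AssumeRole action are the real IAM format.

```python
"""Build the two policies behind cross-account role switching and check who
the trust policy admits."""
import json
from typing import Dict

ACCOUNT_A = "111111111111"   # the account whose identities will switch roles
ACCOUNT_B = "222222222222"   # the account that owns the role and the resources


def cross_account_role(trusting_account: str, trusted_account: str,
                       resource_arn: str) -> Dict[str, dict]:
    """Return the trust policy (who may assume) and the permissions policy
    (what the role can do) for a role living in trusting_account."""
    trust_policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            # Trusting the account root delegates the decision to the trusted
            # account's own IAM policies: only identities there that are
            # allowed sts:AssumeRole on this role can actually switch.
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
        }],
    }
    permissions_policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],   # constructed example rights
            "Resource": [resource_arn, f"{resource_arn}/*"],
        }],
    }
    return {"trust_policy": trust_policy, "permissions_policy": permissions_policy}


def account_of(principal_arn: str) -> str:
    return principal_arn.split(":")[4]


def is_trusted(trust_policy: dict, principal_arn: str) -> bool:
    """True when the trust policy names the principal itself or the root of
    the principal's account."""
    for statement in trust_policy["Statement"]:
        if statement["Effect"] != "Allow" or statement["Action"] != "sts:AssumeRole":
            continue
        trusted = statement["Principal"].get("AWS", [])
        trusted = [trusted] if isinstance(trusted, str) else trusted
        for entry in trusted:
            if entry == principal_arn:
                return True
            if entry.endswith(":root") and account_of(entry) == account_of(principal_arn):
                return True
    return False


def demo() -> Dict[str, dict]:
    return cross_account_role(ACCOUNT_B, ACCOUNT_A, "arn:aws:s3:::myamazingcatpics")


if __name__ == "__main__":
    role = demo()
    print(json.dumps(role["trust_policy"], indent=2))
    print(is_trusted(role["trust_policy"], f"arn:aws:iam::{ACCOUNT_A}:user/roffle"))
```

Trusting an account root is the common pattern but it admits every identity in Account A that Account A's own policies allow to call sts:AssumeRole; naming specific user or role ARNs in the Principal narrows that to the identities you intend.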
Compute

EC2 Fundamentals

EC2 is one of the most widely used services within AWS. As an Infrastructure as a Service (IaaS) product, it's responsible for providing long-running compute as a service.

This topic covers the fundamentals of the service.
[Diagram: inside a Virtual Private Cloud with availability zones AZ-A and AZ-B, an EC2 host runs an EC2 instance launched from an AMI; the instance uses instance store volumes on the host and EBS volumes (backed by snapshots), has an Elastic Network Interface (ENI) protected by a security group, and is monitored by Amazon CloudWatch]
EC2 instances are grouped into families, which are designed for a specific broad type of workload. The type determines a certain set of features, and sizes decide the level of workload they can cope with.

The current EC2 families are general purpose, compute optimized, memory optimized, storage optimized, and accelerated computing.

Instance types include:
- T2 and T3: Low-cost instance types that provide burst capability
- M5: For general workloads
- C4: Provides more capable CPU
- X1 and R4: Optimize large amounts of fast memory
- I3: Delivers fast IO
- P2, G3, and F1: Deliver GPU and FPGAs

Instance sizes include nano, micro, small, medium, large, xlarge, 2xlarge, and larger.

Special Cases
- "a": Use AMD CPUs
- "A": Arm based
- "n": Higher speed networking
- "d": NVMe storage
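The naming scheme above (family letter, generation number, option letters, size) can be decoded mechanically, which is useful when auditing an account's instance inventory. The added example below (written for this page, not an AWS library) parses a type name into those parts, maps the family to the slide's categories and the option letters to the slide's special cases, and ranks sizes so they can be compared. The "a" family mapping reflects the slide's "A: Arm based" entry, and accepting a "metal" size is an assumption going beyond the sizes the slide lists.

```python
"""Decode an EC2 instance type name into family, generation, options, and size."""
import re
from dataclasses import dataclass, field
from typing import List

# Families as grouped on the slide; other letters are reported as "unknown".
FAMILY_CATEGORY = {
    "t": "general purpose (burstable)", "m": "general purpose",
    "c": "compute optimized",
    "r": "memory optimized", "x": "memory optimized",
    "i": "storage optimized",
    "p": "accelerated computing (GPU)", "g": "accelerated computing (GPU)",
    "f": "accelerated computing (FPGA)",
    "a": "general purpose (Arm based)",   # the slide's "A" special case
}
# Letters that may follow the generation number, per the slide's special cases.
OPTION_MEANING = {"a": "AMD CPUs", "n": "higher speed networking", "d": "NVMe storage"}
SIZE_ORDER = ["nano", "micro", "small", "medium", "large"]

_TYPE_RE = re.compile(
    r"^(?P<family>[a-z]+?)(?P<generation>\d+)(?P<options>[a-z]*)\.(?P<size>[a-z0-9]+)$")


@dataclass
class InstanceType:
    name: str
    family: str
    category: str
    generation: int
    size: str
    options: List[str] = field(default_factory=list)

    @property
    def size_rank(self) -> int:
        """Orderable size: nano=0 ... large=4, xlarge=5, 2xlarge=6, 4xlarge=8;
        bare metal (an assumption beyond the slide) ranks above everything."""
        if self.size == "metal":
            return 100
        if self.size in SIZE_ORDER:
            return SIZE_ORDER.index(self.size)
        multiplier = self.size[:-len("xlarge")]   # "" for xlarge, "2" for 2xlarge
        return SIZE_ORDER.index("large") + (int(multiplier) if multiplier else 1)


def parse_instance_type(name: str) -> InstanceType:
    m = _TYPE_RE.match(name)
    if not m:
        raise ValueError(f"not an instance type name: {name!r}")
    size = m["size"]
    if size != "metal" and size not in SIZE_ORDER and not re.fullmatch(r"\d*xlarge", size):
        raise ValueError(f"unrecognised size {size!r} in {name!r}")
    options = [OPTION_MEANING.get(o, f"unknown option '{o}'") for o in m["options"]]
    family = m["family"]
    return InstanceType(name, family, FAMILY_CATEGORY.get(family, "unknown"),
                        int(m["generation"]), size, options)


if __name__ == "__main__":
    for name in ("t3.micro", "m5ad.2xlarge", "c5n.large", "a1.medium", "i3.metal"):
        print(parse_instance_type(name))
```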
Elastic Block Store (EBS) is a storage service that creates and manages volumes based on four underlying storage types. Volumes are persistent, can be attached and removed from EC2 instances, and are replicated within a single AZ.

[Diagram: in Availability Zone A, an EC2 host with instance store volumes and EBS volumes attached to an instance; EBS volumes are replicated within the AZ]

Volume Types
- Mechanical: sc1 and st1; Solid State: gp2 and io1
- sc1: Lowest cost, infrequent access, can't be a boot volume
- st1: Low cost, throughput intensive, can't be a boot volume
- gp2: Default, balance of IOPS/MiB/s; burst pool IOPS per GB
- io1: Highest performance, can adjust size and IOPS separately

To protect against AZ failure, EBS snapshots (to S3) can be used. Data is replicated across AZs in the region and (optionally) internationally.
Exam Facts and Figures: EBS

- EBS supports a maximum per-instance throughput of 1,750 MiB/s and 80,000 IOPS. If you need more ... instance store volumes.

General Purpose (gp2): (SSD)
- Default for most workloads
- 3 IOPS/GiB (100 IOPS to 16,000 IOPS)
- Bursts up to 3,000 IOPS (credit based)
- 1 GiB to 16 TiB size, max throughput per volume of 250 MiB/s

Provisioned IOPS SSD (io1): (SSD)
- Used for applications that require sustained IOPS performance
- Large database workloads
- Volume size of 4 GiB to 16 TiB, up to 64,000 IOPS per volume
- Max throughput per volume of 1,000 MiB/s

Throughput Optimized (st1): (HDD)
- Low storage cost
- Used for frequently accessed, throughput-intensive workloads (streaming, big data)
- Cannot be a boot volume
- Volume size of 500 GiB to 16 TiB
- Per-volume max throughput of 500 MiB/s and 500 IOPS

Cold HDD (sc1): (HDD)
- Lowest cost
- Infrequently accessed data
- Cannot be a boot volume
- Volume size of 500 GiB to 16 TiB
- Per-volume max throughput of 250 MiB/s and 250 IOPS
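The figures above are exactly the inputs to a volume-type decision, so here is an added selector (example code written for this page, not an AWS tool) that encodes the table and returns the cheapest type whose limits satisfy a workload. It treats gp2's sustained capacity as its 3 IOPS/GiB baseline rather than its burst figure, orders cost as the slide does (sc1 lowest, then st1, gp2, io1), and returns None when no single volume fits, which is the case the slide's instance-store remark covers.

```python
"""Pick the cheapest EBS volume type whose limits (from the facts above)
meet a workload's requirements."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VolumeType:
    name: str
    media: str
    min_size_gib: int
    max_size_gib: int
    max_iops: int
    max_throughput_mib_s: int
    bootable: bool
    cost_rank: int   # relative price, 0 = cheapest (ordering from the slide)


TIB = 1024  # GiB per TiB

VOLUME_TYPES = [
    VolumeType("sc1", "HDD", 500, 16 * TIB, 250, 250, bootable=False, cost_rank=0),
    VolumeType("st1", "HDD", 500, 16 * TIB, 500, 500, bootable=False, cost_rank=1),
    VolumeType("gp2", "SSD", 1, 16 * TIB, 16_000, 250, bootable=True, cost_rank=2),
    VolumeType("io1", "SSD", 4, 16 * TIB, 64_000, 1_000, bootable=True, cost_rank=3),
]
MAX_INSTANCE_IOPS = 80_000                # per-instance ceilings from the slide
MAX_INSTANCE_THROUGHPUT_MIB_S = 1_750


def gp2_baseline_iops(size_gib: int) -> int:
    """gp2 earns 3 IOPS per GiB, floored at 100 and capped at 16,000;
    bursts to 3,000 IOPS are credit based and not counted as sustained."""
    return max(100, min(16_000, 3 * size_gib))


def choose_volume_type(size_gib: int, sustained_iops: int,
                       throughput_mib_s: int, boot: bool) -> Optional[str]:
    """Return the cheapest suitable type, or None if no single EBS volume
    fits (the slide points at instance store volumes for that case)."""
    for vt in sorted(VOLUME_TYPES, key=lambda v: v.cost_rank):
        if boot and not vt.bootable:
            continue
        if not vt.min_size_gib <= size_gib <= vt.max_size_gib:
            continue
        iops_limit = gp2_baseline_iops(size_gib) if vt.name == "gp2" else vt.max_iops
        if sustained_iops > iops_limit or throughput_mib_s > vt.max_throughput_mib_s:
            continue
        return vt.name
    return None


if __name__ == "__main__":
    # constructed workloads: (size GiB, sustained IOPS, MiB/s, boot volume?)
    for workload in [(100, 300, 100, True), (100, 5000, 100, True),
                     (2000, 300, 400, False), (2000, 100, 100, False),
                     (1000, 70000, 500, True)]:
        print(workload, "->", choose_volume_type(*workload))
```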
EBS snapshots are a point-in-time backup of an EBS volume stored in S3. The initial snapshot is a full copy of the volume. Future snapshots only store the data changed since the last snapshot.

Snapshots can be used to create new volumes and are a great way to move or copy instances between AZs. When creating a snapshot of the root/boot volume of an instance or a busy volume, it's recommended that the instance is powered off or the disks are "flushed."

Snapshots can be copied between regions, shared, and automated using Data Lifecycle Manager (DLM).

[Diagram: a source EBS volume in Availability Zone A is snapshotted to S3 (replicated within the region) and the snapshot is used to create a new EBS volume in Availability Zone B; snapshots can also be copied between regions and used to create new resources internationally]
Security groups are software firewalls that can be attached to network interfaces and (by association) products in AWS. Security groups each have inbound rules and outbound rules. A rule allows traffic to or from a source (IP, network, named AWS entity) and protocol.

Security groups have a hidden implicit/default deny rule but cannot explicitly deny traffic.

They are stateful, meaning for any traffic allowed in/out, the return traffic is automatically allowed. Security groups can reference AWS resources, other security groups, and even themselves.

[Diagram: a web server EC2 instance in a public subnet with a security group. Inbound rules allow tcp/22 (SSH) and tcp/443 (HTTPS); outbound rules allow tcp/443 (software updates); return traffic for allowed connections is permitted because the group is stateful]
Instance Metadata

Instance metadata is data relating to the instance that can be accessed from within the instance itself using a utility capable of accessing HTTP and using the URL:

http://169.254.169.254/latest/meta-data

AMI used to create the instance:
http://169.254.169.254/latest/meta-data/ami-id
Instance ID:
http://169.254.169.254/latest/meta-data/instance-id
Instance type:
http://169.254.169.254/latest/meta-data/instance-type

Instance metadata is a way that scripts and applications running on EC2 can get visibility of data they would normally need API calls for.

The metadata can provide the current external IPv4 address for the instance, which isn't configured on the instance itself but provided by the internet gateway in the VPC. It provides the Availability Zone the instance was launched in and the security groups applied to the instance. In the case of spot instances, it also provides the approximate time the instance will terminate.

For the exam: Remember the IP address to access metadata.
EC2 Intermediate

This topic continues the EC2 topic series and introduces some additional intermediate concerns that build on what we've covered so far.
AMIs (Amazon Machine Images) are used to build instances. They store snapshots of EBS volumes, permissions, and a block device mapping, which configures how the instance OS sees the attached volumes. AMIs can be shared, free, or paid and can be copied to other AWS regions.

1. Configure Instance: The source instance and attached EBS volumes are configured with any required software and configuration.
2. Create Image: Snapshots are created from the volumes. The AMI references the snapshots, permissions, and block device mapping.
3. Launch Instance: With appropriate launch permissions, instances can be created from an AMI. EBS volumes are created using the snapshots as the source, and an EC2 instance is created using the block device mapping to reference its new volumes.
Bootstrapping is a process where instructions are executed on an instance during its launch process. Bootstrapping is used to configure the instance, perform software installation, and add application configuration.

In EC2, user data can be used to run shell scripts (Bash or PowerShell) or run cloud-init directives.

[Diagram: the AMI contains the base OS and any "baked" components. At launch, the instance loads the user data script or cloud-init directives and continues the build; user data can perform installs using the internet (for example from S3 or a GitHub repository) or local scripts or packages. The final instance configuration is then ready for use]
[Diagram: a private instance compared with a public instance]
Private Instance

- A private IP is allocated when launching instances (e.g., 10.0.0.20 in the 10.0.0.0/24 subnet). It is unchanged during stop/starts and released when terminated.
- The instance is allocated an ip-X.X.X.X.ec2.internal DNS name, which only works inside AWS.
Public Instance

- Same private addressing as a private instance (e.g., 10.0.2.20 in the 10.0.2.0/24 subnet): a private primary IP address, optionally private secondary addresses, and an internal-only DNS name.
- A public IPv4 address can be allocated (e.g., 54.164.90.18). This is allocated when the machine starts and deallocated when it stops.
- Elastic IPs are static. When allocated, they replace the normal public IP, which is deallocated.
- The public DNS name (ec2-X-X-X-X.compute-1.amazonaws.com) resolves to the public address externally, but the private address internally.
EC2 instance roles are IAM roles that can be "assumed" by EC2 using an intermediary called an instance profile. An instance profile is either created automatically when using the console UI or manually when using the CLI. It's a container for the role that is associated with an EC2 instance.

The instance profile allows applications on the EC2 instance to access the credentials from the role using the instance metadata.

- The permissions policy on the role determines what access is given via role assumption (STS AssumeRole).
- Using the instance profile, instance metadata provides access to temporary credentials.
- Credentials are rotated and can be used to access AWS resources.
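To make the credential flow concrete, here is an added example (not course code) that reads the role credentials an instance profile exposes through the instance metadata service using IMDSv2 and works out when they must be re-read. The endpoint paths, headers and JSON field names are the real IMDS ones; the role name and credential values are constructed fixtures so the logic runs offline.

```python
"""Read the temporary credentials an EC2 instance profile exposes via the
instance metadata service (IMDS) and decide when to refresh them.

The real calls go to 169.254.169.254 using IMDSv2: a session token is
obtained with PUT and must accompany every GET. The HTTP transport is
injected so the logic can be exercised offline against a fake response.
"""
import json
import urllib.request
from datetime import datetime, timezone
from typing import Callable, Dict

IMDS_BASE = "http://169.254.169.254/latest"
CREDS_PATH = "/meta-data/iam/security-credentials/"
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"

# Transport signature: (method, url, headers) -> response body as text.
Transport = Callable[[str, str, Dict[str, str]], str]


def urllib_transport(method: str, url: str, headers: Dict[str, str]) -> str:
    """Real transport: only meaningful when run on an EC2 instance."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def fetch_instance_credentials(transport: Transport = urllib_transport) -> dict:
    """IMDSv2 flow: get a session token, discover the role attached through
    the instance profile, then read that role's temporary credentials."""
    token = transport("PUT", IMDS_BASE + "/api/token", {TOKEN_TTL_HEADER: "21600"})
    auth = {TOKEN_HEADER: token}
    role_name = transport("GET", IMDS_BASE + CREDS_PATH, auth).strip()
    creds = json.loads(transport("GET", IMDS_BASE + CREDS_PATH + role_name, auth))
    if creds.get("Code") != "Success":
        raise RuntimeError(f"IMDS returned credential status {creds.get('Code')!r}")
    creds["RoleName"] = role_name
    return creds


def _parse_utc(text: str) -> datetime:
    """IMDS timestamps are ISO-8601 UTC, e.g. 2024-01-01T12:34:56Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def seconds_until_expiry(creds: dict, now_iso: str) -> float:
    return (_parse_utc(creds["Expiration"]) - _parse_utc(now_iso)).total_seconds()


def needs_refresh(creds: dict, now_iso: str, margin_seconds: int = 300) -> bool:
    """AWS rotates the credentials; a consumer must re-read IMDS before the
    current set expires instead of caching them indefinitely."""
    return seconds_until_expiry(creds, now_iso) <= margin_seconds


# Constructed offline fixture; nothing here is a real credential.
FAKE_IMDS_RESPONSES = {
    ("PUT", IMDS_BASE + "/api/token"): "EXAMPLE-SESSION-TOKEN",
    ("GET", IMDS_BASE + CREDS_PATH): "example-instance-role\n",
    ("GET", IMDS_BASE + CREDS_PATH + "example-instance-role"): json.dumps({
        "Code": "Success",
        "LastUpdated": "2024-01-01T12:00:00Z",
        "Type": "AWS-HMAC",
        "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
        "SecretAccessKey": "EXAMPLE-SECRET",
        "Token": "EXAMPLE-SESSION",
        "Expiration": "2024-01-01T18:00:00Z",
    }),
}


def fake_transport(method: str, url: str, headers: Dict[str, str]) -> str:
    """Offline stand-in for IMDS; enforces that GETs carry the IMDSv2 token."""
    if method == "GET" and headers.get(TOKEN_HEADER) != "EXAMPLE-SESSION-TOKEN":
        raise PermissionError("IMDSv2 requires the session token on every GET")
    return FAKE_IMDS_RESPONSES[(method, url)]


if __name__ == "__main__":
    c = fetch_instance_credentials(fake_transport)
    print(c["RoleName"], "expires", c["Expiration"])
```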
EC2 Advanced

This topic covers advanced EC2 concepts, including encryption, performance optimization, billing models, and dedicated hardware and bare metal instances.
Volume encryption uses EC2 host hardware to encrypt data at rest and in transit between EBS and EC2 instances. Encryption generates a data encryption key (DEK) from a customer master key (CMK) in each region. A unique DEK encrypts each volume. Snapshots of that volume are encrypted with the same DEK, as are any volumes created from that snapshot.

- Encrypted DEKs are stored with the volume. They are decrypted by KMS using a CMK and given to the EC2 host.
- Plaintext DEKs are held in EC2 host memory and used to encrypt and decrypt data.
- The EC2 instance and OS see plaintext data as normal; there is no performance impact.
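The key hierarchy above (one CMK per region that never leaves KMS, a unique DEK per volume stored only in wrapped form, the same wrapped DEK carried by snapshots) modelled in code, as an added example that is not the course's or AWS's implementation. It uses only the standard library, so AES-GCM is replaced by a SHA-256 keystream with an HMAC tag, and KMS is a stand-in class.

```python
"""Envelope encryption as EBS uses it: a per-volume data encryption key
(DEK) protects the blocks; the DEK itself persists only wrapped under the
region's customer master key (CMK), which never leaves KMS.

Standard library only: the cipher is a SHA-256-based keystream plus an HMAC
tag (encrypt-then-MAC), standing in for AES-GCM. The key hierarchy, not
the cipher, is the point.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class FakeKMS:
    """Stand-in for KMS: holds the CMK and only ever hands out DEKs."""

    def __init__(self) -> None:
        self._cmk = os.urandom(32)  # never leaves this object

    def generate_data_key(self):
        """Returns (plaintext DEK, DEK wrapped under the CMK)."""
        dek = os.urandom(32)
        return dek, seal(self._cmk, dek)

    def decrypt_data_key(self, wrapped_dek: bytes) -> bytes:
        return unseal(self._cmk, wrapped_dek)


@dataclass
class Volume:
    """What persists in EBS: encrypted blocks plus the wrapped DEK, no plaintext key."""
    wrapped_dek: bytes
    blocks: list = field(default_factory=list)


def create_encrypted_volume(kms: FakeKMS, data_blocks) -> Volume:
    dek, wrapped = kms.generate_data_key()
    volume = Volume(wrapped, [seal(dek, block) for block in data_blocks])
    del dek  # the EC2 host keeps the plaintext DEK in memory only while attached
    return volume


def snapshot_and_restore(volume: Volume) -> Volume:
    """A snapshot, and any volume created from it, reuses the same wrapped DEK."""
    return Volume(volume.wrapped_dek, list(volume.blocks))


def attach_and_read(kms: FakeKMS, volume: Volume) -> list:
    """Attach: KMS unwraps the DEK with the CMK; the host decrypts blocks in memory."""
    dek = kms.decrypt_data_key(volume.wrapped_dek)
    return [unseal(dek, block) for block in volume.blocks]
```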
Legacy non-EBS-optimized instances used a shared networking path for data and storage communications. The shared path resulted in lower performance for both storage and normal networking.

EBS-optimized mode, which was historically optional and is now the default, adds optimizations and dedicated communication paths (a storage path and a networking path) for storage and traditional data networking. This allows consistent utilization of both, and is one required feature to support higher performance storage.
Traditionally, virtual networking meant a virtual host (EC2 host) arranging access for n virtual machines to one physical network card; this multitasking is done in software and is typically slow.

Enhanced networking uses SR-IOV, which allows a single physical network card to appear as multiple physical devices. Each instance can be given one of these (fake) physical devices. This results in faster transfer rates, lower CPU usage, and lower, consistent latency. EC2 delivers this via the Elastic Network Adapter (ENA) or Intel 82599 Virtual Function (VF) interface.

Placement groups come in three types: cluster, partition, and spread.
Cluster Placement Group
Cluster placement groups place instances physically near each other in a single AZ. Every instance can talk to every other instance at the same time at full speed. Works with enhanced networking for peak performance.
Partition Placement Group
Instances deployed into a partition placement group (PPG) are separated into partitions (max of seven per AZ), each occupying isolated racks in AZs/regions. A PPG can span multiple AZs in a region. PPGs minimize failure to a partition and give you visibility on placement.
Spread Placement Group
Spread placement groups (SPGs) are designed for a max of seven instances per AZ that need to be separated. Each instance occupies a partition and has an isolated fault domain. Great for email servers, domain controllers, file servers, and application HA pairs.
Spot instances allow consumption of spare AWS capacity for a given instance type and size in a specific AZ. Instances are provided for as long as your bid price is above the spot price, and you only ever pay the spot price. If your bid is exceeded, instances are terminated with a two-minute warning.

Spot fleets are a container for "capacity needs." You can specify pools of instances of certain types/sizes aiming for a given "capacity." A minimum percentage of on-demand can be set to ensure the fleet is always active.

Spot instances are perfect for non-critical workloads, burst workloads, or consistent non-critical jobs that can tolerate interruptions without impacting functionality.

Spot is not suitable for long-running workloads that require stability and cannot tolerate interruptions.
Reserved instances lock in a reduced rate for one or three years. Zonal reserved instances include a capacity reservation. Your commitment incurs costs even if instances aren't launched. Reserved purchases are used for long-running, understood, and consistent workloads.

As the diagram shows: with no reservation an instance is billed at the on-demand rate; with a one-year reservation the discounted rate applies, and that discounted rate is paid whether the reservation is used or wasted.
Exam Facts and Figures: Reserved and Spot

Key Facts
- Each instance size/type has an AZ spot price.
- Bid more than the spot price, and an instance is provisioned for the spot price. Bid less, and it is terminated.
- Spot fleets are containers, allowing capacity to be managed.
- Reservations are zonal (AZ) or regional.
- One or three years; no upfront, partial upfront, or all upfront.
- You pay regardless of whether an EC2 instance uses the reservation.
- Regional is more flexible but has no capacity reservation.

When to Use Reserved Purchases
- Base/consistent load
- Known and understood growth
- Critical systems/components

When to Use Spot Instances/Fleets
- Bursty workloads
- Cost-critical workloads that can cope with interruption

When to Use On-Demand
- Default or unknown demand
- Anything in between reserved/spot
- Short-term workloads that cannot tolerate interruption
Dedicated hosts are EC2 hosts for a given type and size that can be dedicated to you. The number of instances that can run on the host is fixed, depending on the type and size: in the diagram, one m5 EC2 host runs 48 m5.large instances while another runs 6 m5.4xlarge instances.

An on-demand or reserved fee is charged for the dedicated host; there are no charges for instances running on the host. Dedicated hosts are generally used when software is licensed per core/CPU and not compatible with running within a shared cloud environment.
Serverless Compute

This topic focuses on the "serverless" architecture, both in terms of general architecture and the use of AWS products and services.
A microservices architecture is the inverse of a monolithic architecture. Instead of having all system functions in one codebase, components are separated into microservices and operate independently. A microservice does one thing, and does it well. Operations, updates, and scaling can be done on a per-microservice basis.

A monolith offers only inflexible scaling: either increasing the instance size or duplicating the instance.

Microservices (in the diagram: HR Phone Directory, HR SickDay, HR OrgStructure, and Finance Payroll) operate as independent applications. They allow direct communication between components and the end user. If one part of the system requires more capacity, that service can be scaled and updated as needed.
You access the AWS Console via a user interface, which is designed for a human being. An API (or application programming interface) is an interface accessed (consumed) by another service or application.

In the diagram, corporate staff use the HR OrgChart application through its user interface, while another business or external service interacts via a published API (REST/SOAP, JSON/XML). Behind the interface sit the app data, app process, and app database components.

An API endpoint hosts one or more APIs and makes them available on a network (private or public internet). APIs remain static; they are abstracted from what the code inside the service is doing. API consumers don't care how things are done, only that the interface works. That's what allows lower-risk changes.

The AWS CLI tools use the AWS APIs.
When using an event-driven architecture, a system operates around "events" that represent an action or a change of state, e.g., a button being clicked, a file being uploaded, or a temperature dropping below a certain level. It's efficient because events are generated and pushed, rather than things being polled. Polling requires always-on compute and doesn't scale well.

The two diagrams that follow contrast a traditional (polling) design with an event-driven one.
Traditional: a heating system constantly polls its sensors and issues on/off API calls. Constant polling of sensors means high resource usage, and additional sensors result in more polling.
Event-Driven: an event is generated only when the temperature changes. Changes in the system generate events, which drive the on/off API calls. This can scale to thousands of sensors.
Serverless architecture consists of two main principles. The first is BaaS (or Backend as a Service), which means using third-party services where possible rather than running your own. Examples include Auth0 or Cognito for authentication and Firebase or DynamoDB for data storage.

Serverless also means using an event-driven architecture where possible, using FaaS (or Function as a Service) products to provide application logic. These functions are only active (invoked) when they are needed (when an event is received).

The example flow in the diagram:
- A website (HTML+JS) is loaded from an S3 bucket.
- The site makes an API call to Cognito to authenticate with a Google ID.
- A cat movie is uploaded to a private bucket.
- The object upload event invokes a Lambda function, which starts a transcode job and then terminates.
- The transcoder processes the movie and uploads the new download sizes.
Lambda is a FaaS product. Functions are code, which run in a runtime. Functions are invoked by events, perform actions for up to 15 minutes, and terminate. Functions are also stateless; each run is clean.

- Invocation is event-based (including time).
- A function is made up of function code, a runtime environment (e.g., Python 3.6), and an execution role. Lambda supports many prebuilt runtimes, and custom ones can be created.
- Functions can consume internet API endpoints or other services.
- Functions can be allowed access to a VPC, allowing private resource access.
- Access to AWS services is provided by the function's execution role. This role is assumed by Lambda, and temporary security credentials are available to the function via STS.
API Gateway is a managed API endpoint service. It can be used to create, publish, monitor, and secure APIs "as a service." API Gateway can use other AWS services for compute (FaaS/IaaS) as well as to store and recall data.

In the diagram, static HTML/JS loaded by the client makes API calls to API Gateway, which verifies authentication with an authentication provider. API Gateway exposes public endpoints in front of AWS services, including compute and databases, and can also reach business premises over VPN/Direct Connect into the AWS VPC.
Pricing is based on the number of API calls, the data transferred, and any caching required to improve performance.

API Gateway can access some AWS services directly using proxy mode.

APIs can be migrated to API Gateway in a monolithic form, gradually moved to a microservices architecture, and then, once components have been fully broken up, to a serverless and FaaS-based architecture. The diagram shows an API consumer calling API Gateway in front of three generations of backend:
- v1: Monolith on Amazon EC2 with Amazon EBS
- v2: Microservice on Amazon Fargate with Amazon Aurora
- v3: Serverless on AWS Lambda with Amazon DynamoDB
Step Functions is a serverless visual workflow service that provides state machines. A state machine can orchestrate other AWS services with simple logic, branching, and parallel execution, and it maintains a state. Workflow steps are known as states, and they can perform work via tasks. Step Functions allows for long-running serverless workflows. A state machine can be defined using Amazon States Language (ASL).

A state machine is executed from another service or component. In the diagram, the workflow starts with a Manual Approval state, followed by an Approve or Reject choice: Approved leads to an Update States step, Rejected leads to a Generate Email step, and a Send Email task completes the flow; API Gateway is the component that drives the approval.

Without Step Functions, Lambda functions could only run for 15 minutes. Lambda functions are stateless. State machines maintain state and allow longer-running processes. Step Functions "replaces" SWF with a serverless version.
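The approval workflow sketched above written out in Amazon States Language, with the structural check a practitioner would run before deploying: every Next or Default target must exist, every state must be reachable from StartAt, and the machine must be able to finish. This is an added example, not course material; the function ARNs are placeholders and the API Gateway callback wiring is assumed.

```python
"""Approve/reject workflow in Amazon States Language (ASL) plus a validator.
Added example; ARNs are placeholders (assumption), not real resources."""

TERMINAL_TYPES = {"Succeed", "Fail"}

APPROVAL_WORKFLOW = {
    "StartAt": "ManualApproval",
    "States": {
        "ManualApproval": {
            "Type": "Task",
            # waitForTaskToken pauses the execution until the approval
            # endpoint (assumed to sit behind API Gateway) returns the token.
            "Resource": "arn:aws:states:::lambda:invoke.waitForTaskToken",
            "Parameters": {
                "FunctionName": "PLACEHOLDER-request-approval",
                "Payload": {"token.$": "$$.Task.Token"},
            },
            "Next": "ApproveOrReject",
        },
        "ApproveOrReject": {
            "Type": "Choice",
            "Choices": [
                {"Variable": "$.decision", "StringEquals": "approved", "Next": "UpdateStates"},
                {"Variable": "$.decision", "StringEquals": "rejected", "Next": "GenerateEmail"},
            ],
            "Default": "InvalidDecision",
        },
        "UpdateStates": {
            "Type": "Task",
            "Resource": "arn:aws:lambda:REGION:ACCOUNT:function:PLACEHOLDER-update-states",
            "Next": "GenerateEmail",
        },
        "GenerateEmail": {
            "Type": "Task",
            "Resource": "arn:aws:lambda:REGION:ACCOUNT:function:PLACEHOLDER-generate-email",
            "Next": "SendEmail",
        },
        "SendEmail": {
            "Type": "Task",
            "Resource": "arn:aws:lambda:REGION:ACCOUNT:function:PLACEHOLDER-send-email",
            "End": True,
        },
        "InvalidDecision": {
            "Type": "Fail",
            "Error": "InvalidDecision",
            "Cause": "decision must be 'approved' or 'rejected'",
        },
    },
}


def transitions(state: dict) -> list:
    """All state names this state can move to (Next, Choice rules, Default)."""
    out = []
    if "Next" in state:
        out.append(state["Next"])
    out.extend(rule["Next"] for rule in state.get("Choices", []) if "Next" in rule)
    if "Default" in state:
        out.append(state["Default"])
    return out


def is_terminal(state: dict) -> bool:
    return state.get("End") is True or state.get("Type") in TERMINAL_TYPES


def validate_state_machine(definition: dict) -> list:
    """Return a list of problems; an empty list means the definition is sound."""
    problems = []
    states = definition.get("States", {})
    start = definition.get("StartAt")
    if start not in states:
        problems.append(f"StartAt {start!r} is not a defined state")
    for name, state in states.items():
        if state.get("Type") == "Choice" and not state.get("Choices"):
            problems.append(f"{name}: Choice state has no Choices")
        if not is_terminal(state) and not transitions(state):
            problems.append(f"{name}: dead end (no Next and not terminal)")
        for target in transitions(state):
            if target not in states:
                problems.append(f"{name}: transition to undefined state {target!r}")
    # Reachability: walk the graph from StartAt.
    seen, stack = set(), ([start] if start in states else [])
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        stack.extend(t for t in transitions(states[name]) if t in states)
    problems.extend(f"{name}: unreachable from StartAt" for name in states if name not in seen)
    if not any(is_terminal(s) for s in states.values()):
        problems.append("no terminal state: the execution could never finish")
    return problems
```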
Containers

In this topic, we explore container computing, looking at Docker essentials and Elastic Container Service (ECS).
A container is a package that contains an application, libraries, and file system required to run it. Containers run on a container engine that generally runs within a single OS, such as Linux. Containers provide the isolation benefits of virtualization but are more lightweight, allowing faster starts and more dense packing within a host.

A popular container engine is Docker, which is the basis for Elastic Container Service (ECS).

An image is a collection of file system layers. Docker file systems are differential; each layer stores differences from previous layers.

Virtual machines/instances versus containers, as the diagram lays them out:
- Virtual machines: infrastructure, hypervisor, then for each VM a full OS, libs, runtime, and app (App 1, App 2).
- Containers: infrastructure, one OS, a container engine, then for each container only libs, runtime, and app (App 1, App 2, App 3).
ECS is a managed container engine. It allows Docker containers to be deployed and managed within AWS environments. ECS can use infrastructure clusters based on EC2, or on Fargate, where AWS manages the backing infrastructure.

ECS runs in one of two modes: EC2 mode or Fargate mode.
EC2 Mode: Amazon ECS provides scheduling and orchestration (a cluster manager and a placement engine). A task definition is used to create an ECS task; the container image is stored in and retrieved from a registry; tasks are placed onto the EC2 instances in the cluster.
Fargate Mode: Amazon ECS provides the same scheduling and orchestration (cluster manager and placement engine). A task definition is used to create an ECS task, and the image is stored in and retrieved from a registry. Fargate is a managed service, so tasks are placed automatically onto AWS Fargate.
Exam Hints: Elastic Container Service (ECS)

Cluster
A logical collection of ECS resources, either ECS EC2 instances or a logical representation of managed Fargate infrastructure.

Task Definition
Defines your application. Similar to a Dockerfile but for running containers in ECS. Can contain multiple containers.

Container Definition
Inside a task definition, a container definition defines the individual containers a task uses. It controls the CPU and memory each container has, in addition to port mappings for the container.

Task
A single running copy of any containers defined by a task definition. One working copy of an application (e.g., DB and web containers).

Service
Allows task definitions to be scaled by adding additional tasks. Defines minimum and maximum values.

Registry
Storage for container images (e.g., ECS Container Registry or Dockerhub). Used to download images to create containers.
Networking: Network Fundamentals

In this topic, we cover the networking fundamentals that will help you architect AWS solutions. They aren't required for the exam, but they will help.
The Open Systems Interconnection (OSI) Model is a standard used by networking manufacturers globally. It was created and published in 1984; it splits all network communications into seven layers. Each layer serves the layer above it and is built on the layer beneath it, which adds additional capabilities. Data between two devices travels down the stack on device A's side (wrapped at each layer) and gets transmitted before moving up the stack on device B's side (where the wrapping gets stripped away at every stage). This data wrapping process is called encapsulation.

The seven layers, top to bottom, on both device A and device B, with the data unit labelled L7 down to L1 at each layer:
- Layer 7: Application
- Layer 6: Presentation
- Layer 5: Session
- Layer 4: Transport
- Layer 3: Network
- Layer 2: Data Link
- Layer 1: Physical (raw bits, 0100100..)
At Layer 1 (Physical), networks use a shared medium where devices can transmit signals and listen. Layer 1 showcases how data gets received and transmitted while taking into consideration the medium, voltages, and RF details.

Figure: devices on a shared medium exchanging a raw bit stream, shown as rows of 8-bit binary values (01100011 01100001 01110100 01110011 ...).
Layer 2 (Data Link) adds MAC addresses (01-23-45-67-89-AB-CD-EF) that can be used for named communication between two devices on a local network. Additionally, layer 2 adds controls over the media, avoiding cross-talk; this allows a back-off time and retransmission.

A frame carries a source and a destination MAC address, for example:
  Frame
  src: 01-23-45-67-89-AB-CD-EF
  dst: 11-22-33-44-55-AB-CD-EF

The frame is sent over the L1 physical connections shared by the devices on the segment (01-23-45-67-89-AB-CD-EF, 11-22-33-44-55-AB-CD-EF, and 66-77-88-99-00-AB-CD-EF).

L2 communications use L1 to broadcast and listen. L2 runs on top of L1.
The Network Layer (L3) allows for unique device-to-device communication over interconnected networks. L3 devices can pass packets over tens or even hundreds of L2 networks. The packets remain largely unchanged during this journey, traveling within different L2 frames as they pass over various networks.

- A client machine generates an L3 packet with its IP as the source IP and the destination IP of the server.
- The packet is encapsulated and unencapsulated in an L2 frame at each step, passing between routers, over networks.
- The original packet is received by the server, acted on, and then a reply is sent back in the same way.
L3 allows for an IP to communicate with another IP, but only a single stream, so one conversation between the two.

L4 (Transport) adds TCP and UDP. TCP is designed for reliable transport, and UDP is aimed at speed. TCP uses segments to ensure data is received in the correct order and adds error checking and "ports," allowing different streams of communications to the same host (e.g., tcp/22 and tcp/80).

L5 (Session) adds the concept of sessions, so that request and reply communication streams are viewed as a single "session" of communication between client and server.

L6 (Presentation) adds data conversion, encryption, compression, and standards that L7 can use. L7 (Application) is where protocols (such as HTTP, SSH, and FTP) are added. For example, HTTP (L7) running over TLS (L6) is HTTPS.
IPv4 addresses are how two devices can communicate at layer 4 and above of the OSI seven-layer model. IP addresses (IPs) are actually 32-bit binary values but are represented in dotted-decimal notation to make them easier for humans to read and understand.

IPv4 Address (Dotted-Decimal Notation)

  192      .  168      .  10       .  5
  11000000 .  10101000 .  00001010 .  00000101
  1 byte      1 byte      1 byte      1 byte      = 4 bytes
  8 bits      8 bits      8 bits      8 bits      = 32 bits

IPs are split into a network part and a node or host part. The netmask (e.g., 255.255.255.0) or prefix (e.g., /24) shows where this split occurs.

  IP            192        168        10         5
  Binary        11000000   10101000   00001010   00000101
  Subnet Mask   255        255        255        0
  Prefix /24    11111111   11111111   11111111   00000000
                Network Part = 1's                Node = 0's
Within the IPv4 address space (0.0.0.0 to 255.255.255.255), there are certain addresses that are reserved or special in some way:

- 0.0.0.0 and 0.0.0.0/0: Represents all IP addresses
- 255.255.255.255: IP address used to broadcast to all IP addresses everywhere (this is generally filtered and not passed between networks)
- 127.0.0.1: Localhost or loopback. Whatever the IP address of the device you are using, it can be referenced by itself as 127.0.0.1. So a web server on your laptop will always be ip:80 or 127.0.0.1:80
- 169.254.0.1 to 169.254.255.254: A range of IP addresses that a device can auto-configure with if it's using DHCP and fails to automatically get an IP from a DHCP server.

Historically, IP addresses were split into classes, including:

- Class A (/8): 1.0.0.0 to 126.255.255.255: 126 networks, 16,777,214 nodes in each (+2 reserved)
- Class B (/16): 128.0.0.0 to 191.255.255.255: 16,382 networks, 65,534 nodes in each (+2 reserved)
- Class C (/24): 192.0.0.0 to 223.255.255.255: 2,097,150 networks, 254 nodes in each (+2 reserved)

Class A networks were initially allocated to large organizations, Class B to medium, and Class C to small businesses. As the supply of IPv4 addresses became low, the class system of IPs was replaced with CIDR (more on this next).
IP classes have a number of ranges within them used for private networking only:

- 10.0.0.0 to 10.255.255.255: Private networking within the Class A range
- 172.16.0.0 to 172.31.255.255: Private networking within the Class B range (16 Class B networks)
- 192.168.0.0 to 192.168.255.255: Private networking within the Class C range (256 Class C networks)

These ranges are often used on private business networks, cloud networks, and home networks.
CIDR (Classless Inter-Domain Routing) is used for IPv4 networking rather than the class system; it allows more effective allocation and subnetworking.

Either you are allocated a network range to use, or you decide on it. It will be represented as network/prefix (e.g., 10.0.0.0/16).

  10       .  0        .  0        .  0
  00001010 .  00000000 .  00000000 .  00000000

The network address is your starting point. The prefix is the number of bits the network uses; the remaining bits, the node part, are yours to use. The node (or host) part runs from all 0's to all 1's.

  10.0.0.0/16
  00001010 . 00000000 . 00000000 . 00000000   = 10.0.0.0      (node bits all 0's)
  00001010 . 00000000 . 11111111 . 11111111   = 10.0.255.255  (node bits all 1's)

  10.0.0.0/24
  00001010 . 00000000 . 00000000 . 00000000   = 10.0.0.0      (node bits all 0's)
  00001010 . 00000000 . 00000000 . 11111111   = 10.0.0.255    (node bits all 1's)
Subnetting is a process of breaking a network down into smaller subnetworks. You might be allocated a public range for your business or decide on a private range for a VPC. Subnetting allows you to break it into smaller allocations for use in smaller networks (e.g., VPC subnets).

If you pick 10.0.0.0/16 for your VPC, it's a single network from 10.0.0.0 to 10.0.255.255 and offers 65,536 addresses. That VPC could have a single subnet within it that's also 10.0.0.0/16.

  10.0.0.0/16
  10.0.0.0/17    10.0.128.0/17
  10.0.0.0/18    10.0.64.0/18    10.0.128.0/18    10.0.192.0/18

With a certain size of VPC, increasing the prefix by one creates two smaller networks. Increasing it again creates four even smaller networks. Increasing it again creates eight even smaller, and so on.

You won't need to know this from memory; there are plenty of cheat sheets available to help you along the way.
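The binary split and the subnetting tree above, worked in Python as an added example (not part of the course): it uses only the standard library ipaddress module on the course's own addresses (192.168.10.5/24 and the 10.0.0.0/16 VPC range) and generalises the diagram to any number of extra prefix bits.

```python
import ipaddress


def to_binary(ip: str) -> str:
    """Render a dotted-decimal IPv4 address as four 8-bit groups."""
    return ".".join(f"{int(octet):08b}" for octet in ip.split("."))


def split_address(cidr: str) -> dict:
    """Show where the prefix divides the 32 bits into network and node parts."""
    iface = ipaddress.IPv4Interface(cidr)
    bits = f"{int(iface.ip):032b}"
    prefix = iface.network.prefixlen
    return {
        "network_bits": bits[:prefix],        # covered by the 1's of the mask
        "node_bits": bits[prefix:],           # covered by the 0's of the mask
        "netmask": str(iface.netmask),
        "network": str(iface.network.network_address),   # node bits all 0's
        "last": str(iface.network.broadcast_address),    # node bits all 1's
        "addresses": iface.network.num_addresses,
    }


def subnet(cidr: str, new_prefix: int) -> list[str]:
    """Each extra prefix bit halves the block: /16 -> two /17s -> four /18s."""
    net = ipaddress.IPv4Network(cidr)
    if new_prefix < net.prefixlen:
        raise ValueError("a subnet prefix cannot be shorter than its parent's")
    return [str(child) for child in net.subnets(new_prefix=new_prefix)]


def subnet_tree(cidr: str, depth: int) -> list[list[str]]:
    """The diagram above as data: one row per extra prefix bit."""
    net = ipaddress.IPv4Network(cidr)
    return [subnet(cidr, net.prefixlen + step) for step in range(1, depth + 1)]


if __name__ == "__main__":
    print(to_binary("192.168.10.5"))
    print(split_address("192.168.10.5/24"))
    for row in subnet_tree("10.0.0.0/16", 3):
        print("  ".join(row))
```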
Local device-to-device communication takes place using L1 (Physical) and L2 (Data Link), using MAC addresses and physical 0's and 1's. This doesn't scale across LANs, so a method of network-to-network transit is needed. IP routing provides this. The method used depends on whether the two devices are local, in a known remote network, or in an unknown network.

Diagram: the three routing cases, Local, Known, and Unknown.
Diagram: local communication within a single private subnet, Instance A sending to Instance B.
- L3 packet: src A, dst B
- L2 frame: src MAC (A), dst MAC (B)
- Physical cable or virtual fabric

IP-to-IP communication that occurs locally doesn't use a router. ARP is used to find the MAC address for the destination IP address. The IP packet is created at L3 and passed to L2, where it's encapsulated inside an Ethernet (L2) frame. The frame is sent to the destination MAC address. Once received, the L2 frame is removed and the IP packet is passed to L3.
Diagram: two private subnets joined by Router R. A and B each have an L2 connection to R; between A and B there is a single L3 connection.

If Instance A wants to communicate with Instance B, it can use its IP and subnet mask to determine if B is local. If it's not, then the following process occurs:

- "A" generates an L3 packet: the SRC is IP-"A", the DST is IP-"B"
- "A" knows its default gateway (Router) IP, so it uses ARP to find the Router MAC
- "A" passes the L3 packet to L2, wraps it in an L2 frame, and sends this to the R-MAC address (not the MAC address of B)
- "R" receives this, strips away the Layer 2 frame, and checks the DST IP
- It knows the network of IP-"B" because it's connected to it
- "R" uses ARP to find the MAC of "B," generates a frame TO "B," puts the unaltered IP packet inside, and sends it to MAC-"B"
- "B" receives the frame, strips it away, and passes the packet to L3
Routing: Unknown Network

Routing works equally well whether the network of the remote instance is known or not. In this case, Instance A (in Network-1) is attempting to communicate with Instance C (in Network-3), via Router A, Router B (on the internet), and Router C.

Instance A knows Instance C is not local, so it creates an IP packet with a dst of Instance C. It passes the packet down to L2 and asks for it to be addressed to the MAC address of Router A (its default router/route).

Router A strips the L2 frame and reviews the destination address of the L3 packet. It doesn't know Network 3, so it has no knowledge of how to get there. It does have a "default router," which is Router B. It creates an L2 frame with a dst MAC of Router B and wraps it around the unchanged packet.

The internet uses a routing protocol called Border Gateway Protocol (BGP). This protocol exchanges routes. Router C would advertise Network 3, and Router B would learn about Network 3 via Router C. Router B would advertise Network 3 via Router C. Router A would learn all Router B's routes and all routes it knows about.

Router C receives the L2 frame, strips it away, and reviews the L3 packet. It now knows it's in the same network, and it finds the MAC address of the DST IP address of C. A new L2 frame is created, with a dst MAC address of C, and it forwards it in.

At scale, this is how the internet works: unchanged packets being passed around from router to router, each time using a new L2 connection.
A firewall is a device that historically sits at the border between different networks and monitors traffic flowing between them. A firewall is capable of reading packet data and either allowing or denying traffic based on that data.

Firewalls establish a barrier between networks of different security levels and historically have been the first line of defense against perimeter attacks.

What data a firewall can read and act on depends on the OSI layer the firewall operates at:
- Layer 3 (Network): Source/destination IP addresses or ranges
- Layer 4 (Transport): Protocol (TCP/UDP) and port numbers
- Layer 5 (Session): As layer 4, but understands response traffic
- Layer 7 (Application): Application specifics (e.g., HTML paths, images)

Diagram: a firewall between the public internet and a public subnet containing a server; the authorized customer is allowed through and the unauthorized customer is blocked.
A proxy server is a type of gateway that sits between a private and public network (e.g., the internet). A proxy server is something that generally needs application support and is configured in the operating system, a web browser, or another application.

The client makes a connection to the proxy server, and the proxy makes a connection to the destination server. Proxy servers can provide filtering (child safety, malware, removing adult content) or can act as a web cache, speeding up web access for a large organization at a remote site.

Proxy servers can also choose to pass on traffic or not based on things network layer appliances can't, like username or elements of a corporate identity: department, age, security privilege, or the DNS name rather than IP (remember this for the exam).

Diagram: a proxy server with a cache sits in the subnet between the customers and a server on the public internet; the authorized customer's request is passed on and the unauthorized customer's is not.
AWS Private Networking

This topic will introduce the concept of a Virtual Private Cloud (VPC), the private networking product within AWS.
Virtual Private Cloud (VPC):
- A private network within AWS. It's your private data center inside the AWS platform.
- Can be configured to be public/private or a mixture
- Regional (can't span regions), highly available, and can be connected to your data center and corporate networks
- Isolated from other VPCs by default
- VPC and subnet: max /16 (65,536 IPs) and minimum /28 (16 IPs)
- VPC subnets can't span AZs (1:1 mapping)
- Certain IPs are reserved in subnets (see architecture diagram)

Default VPC:
- Required for some services, used as a default for most
- Pre-configured with all required networking/security
- Configured using a /16 CIDR block (172.31.0.0/16)
- A /20 public subnet in each AZ, allocating a public IP by default
- Attached internet gateway with a "main" route table sending all IPv4 traffic to the internet gateway using a 0.0.0.0/0 route
- A default DHCP option set attached
- SG: the default allows all traffic from itself and all outbound traffic
- NACL: the default allows all inbound and outbound traffic

Custom VPC:
- Can be designed and configured in any valid way
- You need to allocate IP ranges, create subnets, and provision gateways and networking, as well as design and implement security.
- Used when you need multiple tiers or a more complex set of networking
- Best practice is to not use the default VPC for most production things
Example Custom VPC: 2 Availability Zones, 3 Tiers

Custom VPC - 10.0.0.0/16

  Tier                        us-east-1a                 us-east-1b
  Public Subnet               10.0.1.0/24 (Bastion)      10.0.2.0/24 (NAT Gateway, NATGW)
  Private Subnet - App Tier   10.0.11.0/24               10.0.12.0/24
  Private Subnet - DB Tier    10.0.21.0/24 (Database)    10.0.22.0/24 (Database)

Reserved IPs in each subnet:
  .0 - Network
  .1 - Router
  .2 - DNS
  .3 - Future App Server
  .X - Broadcast (the last address in the subnet)
VPC Routing:
- Every VPC has a virtual routing device called the VPC router.
- It has an interface in every VPC subnet known as the "subnet+1" address; for 10.0.1.0/24, this would be 10.0.1.1/32.
- The router is highly available, scalable, and controls data entering and leaving the VPC and its subnets.
- Each VPC has a "main" route table, which is allocated to all subnets in the VPC by default. A subnet must have one route table.
- Additional "custom" route tables can be created and associated with subnets, but only one route table (RT) per subnet.
- A route table controls what the VPC router does with traffic leaving a subnet.
- An internet gateway is created and attached to a VPC (1:1). It can route traffic for public IPs to and from the internet.

Routes:
- A RT is a collection of routes that are used when traffic from a subnet arrives at the VPC router.
- Every route table has a local route, which matches the CIDR of the VPC and lets traffic be routed between subnets.
- A route contains a destination and a target. Traffic is forwarded to the target if its destination matches the route destination.
- If multiple routes apply, the most specific is chosen. A /32 is chosen before a /24, before a /16.
- Default routes (0.0.0.0/0 for IPv4 and ::/0 for IPv6) can be added that match any traffic not already matched.
- Targets can be IPs or AWS networking gateways/objects
- A subnet is a public subnet if (1) it is configured to allocate public IPs, (2) the VPC has an associated internet gateway, and (3) that subnet has a default route to that internet gateway.
VPC Routing and Internet Gateway: 2 Availability Zones, 3 Tiers

Custom VPC - 10.0.0.0/16, with internet gateway igw-12345678 attached.

Public subnets 10.0.1.0/24 (us-east-1a, containing the Bastion with a public IP) and 10.0.2.0/24 (us-east-1b); the VPC router's addresses in them are 10.0.1.1 and 10.0.2.1. Route table of the public subnets:

  Destination    Target
  10.0.0.0/16    local
  0.0.0.0/0      igw-12345678
  ::/0           igw-12345678

Below the public subnets sit the Private Subnet - App Tier and Private Subnet - DB Tier in each AZ.
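The route selection and the three public-subnet conditions from the VPC Routing page, worked as an added example (not AWS code) over the route table on the diagram above (igw-12345678 is the course's placeholder gateway ID). PRIVATE_RT is a constructed table holding only the local route, and the reserved addresses are the five from the Custom VPC diagram.

```python
import ipaddress

# Route table of the public subnets on the diagram.
PUBLIC_RT = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw-12345678"),
    ("::/0", "igw-12345678"),
]
# Constructed: a route table with only the local route (no default route).
PRIVATE_RT = [("10.0.0.0/16", "local")]


def lookup(route_table: list, dst_ip: str):
    """Most specific matching route wins (/32 before /24 before /16 before /0).
    Returns the target, or None when nothing matches and the traffic is dropped."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if net.version != dst.version or dst not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, target)
    return None if best is None else best[1]


def is_public_subnet(route_table: list, allocates_public_ips: bool, vpc_igw=None) -> bool:
    """The three conditions from the Routes list; all of them must hold."""
    default_target = dict(route_table).get("0.0.0.0/0")
    return bool(allocates_public_ips and vpc_igw is not None and default_target == vpc_igw)


def reserved_addresses(subnet_cidr: str) -> dict:
    """The five addresses AWS reserves in every subnet (Custom VPC diagram)."""
    net = ipaddress.IPv4Network(subnet_cidr)
    first = net.network_address
    return {
        "network": str(first),
        "router": str(first + 1),      # the "subnet+1" VPC router interface
        "dns": str(first + 2),
        "future": str(first + 3),
        "broadcast": str(net.broadcast_address),
    }


def usable_addresses(subnet_cidr: str) -> int:
    """Addresses left for your resources once the five reserved ones are removed."""
    net = ipaddress.IPv4Network(subnet_cidr)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError("VPC subnets range from /16 (65,536 IPs) to /28 (16 IPs)")
    return net.num_addresses - 5


if __name__ == "__main__":
    for dst in ("10.0.2.50", "1.3.3.7", "2001:db8::1"):
        print(dst, "->", lookup(PUBLIC_RT, dst), "|", lookup(PRIVATE_RT, dst))
    print(reserved_addresses("10.0.1.0/24"), usable_addresses("10.0.1.0/24"))
```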
Bastion Hosts (or Jumpboxes):
- A host that sits at the perimeter of a VPC
- It functions as an entry point to the VPC for trusted admins.
- Allows for updates or configuration tweaks remotely while allowing the VPC to stay private and protected
- Generally connected to via SSH (Linux) or RDP (Windows)
- Bastion hosts must be kept updated, and security hardened and audited regularly
- Access should be limited with multifactor authentication, ID federation, and/or IP blocks.

Diagram: the bastion sits in the public subnets (PublicA, PublicB) and accepts connections only FROM trusted IPs; the instances in the private subnets (PrivateA, PrivateB) accept connections only FROM the bastion.
Network address translation (NAT) is a method of remapping source IPs or destination IPs of packets. It can be used in a number of ways.

- Static NAT: A private IP is mapped to a public IP (what IGWs do)
- Dynamic NAT: A range of private addresses are mapped onto one or more public IPs (used by your home router and NAT gateways)

Diagram: private instances 10.0.0.10 and 10.0.0.20 reach LinuxAcademy.com (1.3.3.7) through a NAT gateway (NATGW) and the internet gateway. Outgoing traffic:

  src 10.0.0.10    dst 1.3.3.7      (from the instance)
  src natgwpriv    dst 1.3.3.7      (after the NATGW)
  src natgwpub     dst 1.3.3.7      (after the IGW)

Return traffic only (connections cannot be initiated from the outside):

  src 1.3.3.7      dst natgwpub
  src 1.3.3.7      dst natgwpriv    (after the IGW)
  src 1.3.3.7      dst 10.0.0.10    (after the NATGW)
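The two address rewrites on the diagram as an added example (not AWS code): dynamic NAT at the NATGW, which remembers each outgoing flow and only translates replies to it, and static NAT at the IGW. The natgwpriv and natgwpub values (10.0.1.5 and 203.0.113.10), the ports, and the simple port-allocation scheme are constructed simplifications of what a real NAT gateway does.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Dynamic NAT: many private sources share the gateway's one address.
    Each outgoing connection is remembered so that only replies to it are
    translated back; anything else arriving from outside is dropped."""

    def __init__(self, private_ip: str):
        self.private_ip = private_ip
        self.next_port = 1024          # constructed: ports handed out in order
        self.outbound_map = {}         # (inside ip, port, remote ip, port) -> gateway port
        self.inbound_map = {}          # (gateway port, remote ip, port) -> (inside ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound_map:
            port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = port
            self.inbound_map[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.private_ip, src_port=self.outbound_map[key])

    def inbound(self, pkt: Packet):
        """Return traffic only: None means the packet matched no outgoing flow."""
        inside = self.inbound_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None
        return replace(pkt, dst_ip=inside[0], dst_port=inside[1])


class InternetGateway:
    """Static NAT: a fixed one-to-one mapping between private and public IPs."""

    def __init__(self, private_to_public: dict):
        self.private_to_public = private_to_public
        self.public_to_private = {pub: priv for priv, pub in private_to_public.items()}

    def outbound(self, pkt: Packet) -> Packet:
        return replace(pkt, src_ip=self.private_to_public[pkt.src_ip])

    def inbound(self, pkt: Packet):
        private = self.public_to_private.get(pkt.dst_ip)
        return None if private is None else replace(pkt, dst_ip=private)


def send(natgw: NatGateway, igw: InternetGateway, pkt: Packet) -> list:
    """Instance -> NATGW -> IGW -> internet, returning the packet after each rewrite."""
    after_natgw = natgw.outbound(pkt)
    return [pkt, after_natgw, igw.outbound(after_natgw)]


def receive(natgw: NatGateway, igw: InternetGateway, pkt: Packet) -> list:
    """Internet -> IGW -> NATGW -> instance; the list ends in None if dropped."""
    hops = [pkt]
    after_igw = igw.inbound(pkt)
    hops.append(after_igw)
    if after_igw is not None:
        hops.append(natgw.inbound(after_igw))
    return hops


if __name__ == "__main__":
    natgw = NatGateway("10.0.1.5")                              # natgwpriv
    igw = InternetGateway({"10.0.1.5": "203.0.113.10"})         # natgwpriv -> natgwpub
    for hop in send(natgw, igw, Packet("10.0.0.10", 40000, "1.3.3.7", 443)):
        print("out:", hop)
    for hop in receive(natgw, igw, Packet("1.3.3.7", 443, "203.0.113.10", 1024)):
        print("back:", hop)
    print("unsolicited:", receive(natgw, igw, Packet("1.3.3.7", 5555, "203.0.113.10", 2000))[-1])
```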
Network Access Control Lists (NACLs):
- NACLs operate at Layer 4 of the OSI model (TCP/UDP and below).
- A subnet has to be associated with a NACL, either the VPC default or a custom NACL.
- NACLs only impact traffic crossing the boundary of a subnet.
- NACLs are collections of rules that can explicitly allow or deny traffic based on its protocol, port range, and source/destination.
- Rules are processed in number order, lowest first. When a match is found, that action is taken and processing stops.
- The "*" rule is processed last and is an implicit deny.
- NACLs have two sets of rules: inbound and outbound.

Ephemeral Ports:
- When a client initiates communications with a server, it is to a well-known port number (e.g., tcp/443) on that server.
- The response is from that well-known port to an ephemeral port on the client. The client decides the port.
- NACLs are stateless, so they have to consider both initiating and response traffic; state is a session-layer concept.

Diagram: YOU request this video over HTTPS from Linux Academy.
  Request:  source port 22000, destination port 443
  Response: source port 443, destination port 22000
Network Access Control List (NACL) Exam Hints

Diagram: Custom VPC - 10.0.0.0/16 with two subnets, one associated with NACL1 and the other with NACL2.
- If communications occur inside a subnet, no NACLs are involved.
- Response traffic uses ephemeral ports.
- Communication between the two subnets involves 4 NACL checks: initiating traffic is checked outbound on NACL1 and inbound on NACL2; response traffic is checked outbound on NACL2 and inbound on NACL1.
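The four NACL checks above, evaluated with a small stateless rule engine as an added example (not AWS code). The rule numbers, the 10.0.1.10 client and the 10.0.11.20 server are constructed; the ports (443 and the ephemeral 22000) are the ones on the ephemeral ports page. The strict pair of NACLs lets the request through and drops the response; the fixed pair adds the ephemeral-port rules that stateless filtering needs.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    number: int        # evaluated lowest first; the "*" deny is implicit
    direction: str     # "inbound" or "outbound"
    protocol: str      # "tcp", "udp" or "all"
    port_from: int     # destination-port range the rule covers
    port_to: int
    cidr: str          # source (inbound) or destination (outbound) addresses
    action: str        # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    remote_ip: str     # source for inbound traffic, destination for outbound
    dst_port: int      # port the packet is addressed to


def evaluate(nacl: list, flow: Flow) -> tuple:
    """Lowest-numbered matching rule decides; no match falls through to the '*' deny.
    Every packet is judged on its own: a NACL keeps no connection state."""
    for rule in sorted(nacl, key=lambda r: r.number):
        if rule.direction != flow.direction:
            continue
        if rule.protocol not in ("all", flow.protocol):
            continue
        if not rule.port_from <= flow.dst_port <= rule.port_to:
            continue
        if ipaddress.ip_address(flow.remote_ip) not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action, rule.number
    return "deny", "*"


def session_checks(client_nacl, server_nacl, client_ip, server_ip, port, ephemeral):
    """The four checks a request/response between two subnets passes through."""
    return [
        ("initiating, client outbound", evaluate(client_nacl, Flow("outbound", "tcp", server_ip, port))),
        ("initiating, server inbound", evaluate(server_nacl, Flow("inbound", "tcp", client_ip, port))),
        ("response, server outbound", evaluate(server_nacl, Flow("outbound", "tcp", client_ip, ephemeral))),
        ("response, client inbound", evaluate(client_nacl, Flow("inbound", "tcp", server_ip, ephemeral))),
    ]


# Constructed rules: only HTTPS (tcp/443) is allowed, nothing for ephemeral ports.
STRICT_CLIENT = [Rule(100, "outbound", "tcp", 443, 443, "0.0.0.0/0", "allow")]
STRICT_SERVER = [Rule(100, "inbound", "tcp", 443, 443, "0.0.0.0/0", "allow")]

# The fix: the response (well-known port back to the client's ephemeral port)
# needs its own allow rules, inbound on the client side and outbound on the server side.
EPHEMERAL_IN = Rule(110, "inbound", "tcp", 1024, 65535, "0.0.0.0/0", "allow")
EPHEMERAL_OUT = Rule(110, "outbound", "tcp", 1024, 65535, "0.0.0.0/0", "allow")
FIXED_CLIENT = STRICT_CLIENT + [EPHEMERAL_IN]
FIXED_SERVER = STRICT_SERVER + [EPHEMERAL_OUT]


if __name__ == "__main__":
    for nacls in ((STRICT_CLIENT, STRICT_SERVER), (FIXED_CLIENT, FIXED_SERVER)):
        for label, result in session_checks(*nacls, "10.0.1.10", "10.0.11.20", 443, 22000):
            print(f"{label:30} {result}")
        print()
```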
Advanced VPC

This topic will introduce advanced VPC concepts such as VPC peering, endpoints, IPv6 use within a VPC, egress-only gateways, and subnet/VPC sharing.
VPC Peering:
- Allows direct communication between VPCs.
- Services can communicate using private IPs from VPC to VPC.
- VPC peers can span AWS accounts and even regions (with some limitations).
- Data is encrypted and transits via the AWS global backbone.
- VPC peers are used to link two VPCs at layer 3: company mergers, shared services, company and vendor, auditing.

Important Limits and Considerations:
- VPC CIDR blocks cannot overlap.
- VPC peers connect two VPCs; routing is not transitive.
- Routes are required at both sides (remote CIDR -> peer connection).
- NACLs and SGs can be used to control access.
- SGs can be referenced but not cross-region.
- IPv6 support is not available cross-region.
- DNS resolution to private IPs can be enabled, but it's a setting needed at both sides.

Diagram: VPCA and VPCB joined by peering connection pcx-xxxxxx; an instance at 10.0.1.10/32 in VPCA communicates with an instance at 10.1.10.27/32 in VPCB.
Transitive Routing

Diagram: VPC A is peered with VPC B (PeerAB) and VPC B is peered with VPC C (PeerBC). Because peering is not transitive, VPC A cannot reach VPC C through VPC B.
VPC endpoints are gateway objects created within a VPC. They can be used to connect to AWS public services without the need for the VPC to have an attached internet gateway and be public.

VPC Endpoint Types:
- Gateway endpoints: Can be used for DynamoDB and S3
- Interface endpoints: Can be used for everything else (e.g., SNS, SQS)

When to Use a VPC Endpoint:
- If the entire VPC is private with no IGW
- If a specific instance has no public IP/NATGW and needs to access public services
- To access resources restricted to specific VPCs or endpoints (private S3 bucket)

Limitations and Considerations:
- Gateway endpoints are used via route table entries; they are gateway devices. Prefix lists for a service are used in the destination field with the gateway as the target.
- Gateway endpoints can be restricted via policies.
- Gateway endpoints are HA across AZs in a region.
- Interface endpoints are interfaces in a specific subnet. For HA, you need to add multiple interfaces, one per AZ.
- Interface endpoints are controlled via SGs on that interface. NACLs also impact traffic.
- Interface endpoints add or replace the DNS for the service; no route table updates are required.
- Code changes are needed to use the endpoint DNS, or enable private DNS to override the default service DNS.
VPC Endpoints: Interface and Gateway

Diagram: a VPC with private subnets 10.0.11.0/24 (us-east-1a) and 10.0.12.0/24 (us-east-1b), each holding an app server. An app server reaches S3 through a gateway endpoint, via a route table entry whose destination is the service prefix list and whose target is the endpoint. An app server reaches SQS through an interface endpoint in the subnet, either on the standard path using the default service DNS or with private DNS overriding the service DNS so that it resolves to the endpoint.
IP version 6 (IPv6) is supported within AWS but not across every product and not with every feature.

IPv6 VPC Setup:
- It is currently opt-in; it is disabled by default.
- To use it, the first step is to request an IPv6 allocation. Each VPC is allocated a /56 CIDR from the AWS pool; this cannot be adjusted.
- With the VPC IPv6 range allocated, subnets can be allocated a /64 CIDR from within the /56 range.
- Resources launched into a subnet with an IPv6 range can be allocated an IPv6 address via DHCP6.

Limitations and Considerations:
- DNS names are not allocated to IPv6 addresses.
- IPv6 addresses are all publicly routable; there is no concept of private vs. public with IPv6 (unlike IPv4 addresses).
- With IPv6, the OS is configured with this public address via DHCP6.
- Elastic IPs aren't relevant with IPv6.
- Not currently supported for VPNs, customer gateways, and VPC endpoints.
IPv6 in a VPC

Diagram: a VPC with IPv4 CIDR 10.0.0.0/16 and IPv6 CIDR 2001:db8:1234:1a00::/56, holding a private subnet in us-east-1a (subnet IPv6 CIDR 2001:db8:1234:1a01::/64) and one in us-east-1b (subnet IPv6 CIDR 2001:db8:1234:1a02::/64), each with an instance and a route table.

- All IPv6 addresses used within AWS are publicly routable. Resources have public IPv6 addresses directly attached to them, unlike IPv4.
- Route tables can contain IPv6 routes, with the default route being ::/0 (all 0's).
- VPCs optionally have a fixed /56 range allocated by AWS. Each subnet uses a fixed /64. The /64 can be chosen from the /56, but the VPC range cannot be adjusted.
- Instances can be allocated IPv6 addresses at launch in the same way as IPv4; they are static by default.
Egress-only internet gateways provide IPv6 instances with outgoing access to the public internet using IPv6 but prevent the instances from being accessed from the internet.

NAT isn't required with IPv6, and so NATGWs aren't compatible with IPv6. Egress-only gateways provide the outgoing-only access of a NATGW but do so without adjusting any IP addresses.

Architecturally, they are otherwise the same as an IGW.

Diagram: an IPv6 instance in a subnet whose route table sends the default IPv6 route ::/0 to the egress-only internet gateway (eigw-id) through the VPC router; incoming traffic from the internet is disallowed.
AWS DNS Fundamentals

This topic will introduce the basics of DNS and domain registration, look at the difference between private and public Route 53 zones, and finish up with record set types and health checks.
Networking
AWS DNS Fundamentals

The domain name system (DNS) does many things, but the common use case is to turn DNS names into IP addresses, like turning linuxacademy.com into 52.86.183.13. It's a distributed system; no one part knows all.

[Diagram: you, asking for linuxacademy.com]

Step 1: Query your ISP. If it doesn't know, it handles it for you.

Step 2: The ISP queries the DNS root servers. If they don't know, they help by providing servers authoritative for .com.

Step 3: The .com servers are queried. If they don't have an IP, they provide the linuxacademy.com authoritative servers.

Step 4: These servers are run by LA. They will know and return one or more IPs.
Networking
AWS DNS Fundamentals

DNS Terms

DNS Root Servers:
Trust starts somewhere. The DNS root servers are that trust: a group of servers that are authoritative to give answers about the root zone. TLDs are controlled by the root zone.

Top-Level Domain (TLD):
The top tier in the DNS hierarchy. Generally structured into geographic codes, such as .au, .us, and .uk, and generic TLDs, such as .com, .org, and .edu. Large orgs or country orgs are delegated control of these by the root servers to be authoritative.

Subdomain:
Anything between a host and a TLD is a subdomain. Linuxacademy.com is a .com subdomain. .co.uk is a subdomain of .uk; an organization is delegated control of subdomains and is authoritative.

Zone and Zone File:
A zone or zone file is a mapping of IPs and hosts for a given subdomain. The zone file for linuxacademy.com would contain a record for www.

Records:
DNS has lots of record types (A, MX, AAAA, CNAME, TXT, NS, explained later), and each does different things.

Name Server:
A name server is a server that runs a DNS service and can either store or cache information for the DNS platform. Whether a name server caches or acts as an authority depends on if it's referenced from a higher level. (See authoritative below.)

Authoritative:
The root servers are authoritative for the root zone; they are trusted by every operating system and networking stack globally. The root servers delegate ownership of a part of the hierarchy, such as .com, to an organization. That organization runs name servers that become authoritative; they can answer queries with authority. Because the root points at these servers, they are authoritative. These .com name servers can point at servers for subdomains (e.g., linuxacademy.com) that then become authoritative.

Hosts:
A record in a zone file: www, mail, catgifserver, doggowebserver.

FQDN: Fully qualified domain name, the host and domains: www.linuxacademy.com.
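The four-step walk and the terms above, modelled as an added Python example (not from the course): an iterative resolver that follows root, .com and linuxacademy.com delegations over constructed zone data. Only 52.86.183.13 comes from the slide; the name-server addresses and zone contents are made up.

```python
# Constructed, offline model of the delegation chain on the slides: a root
# zone, the .com zone, and the linuxacademy.com zone. Server addresses are
# documentation-range placeholders; 52.86.183.13 is the answer the slide uses.
ROOT_HINTS = ["192.0.2.1"]

# Zone contents: owner name -> list of (type, value). NS records delegate a
# child zone; the A records beside them are the glue for those name servers.
ZONES = {
    ".": {
        "com.": [("NS", "a.gtld-servers.net.")],
        "a.gtld-servers.net.": [("A", "192.0.2.10")],
    },
    "com.": {
        "linuxacademy.com.": [("NS", "ns1.linuxacademy.com.")],
        "ns1.linuxacademy.com.": [("A", "192.0.2.20")],
    },
    "linuxacademy.com.": {
        "linuxacademy.com.": [("A", "52.86.183.13")],
        "www.linuxacademy.com.": [("A", "52.86.183.13")],
    },
}
# Which zone each name server is authoritative for (constructed).
SERVER_ZONE = {"192.0.2.1": ".", "192.0.2.10": "com.", "192.0.2.20": "linuxacademy.com."}


def query_server(server_ip, qname, qtype):
    """Ask one authoritative server. Returns ("answer", values) when its zone
    holds the record, ("referral", ns_ips) when it delegates a closer zone,
    or ("nxdomain", []) when it is authoritative and has nothing."""
    zone_name = SERVER_ZONE[server_ip]
    zone = ZONES[zone_name]
    values = [v for t, v in zone.get(qname, []) if t == qtype]
    if values:
        return "answer", values
    # Walk up the name one label at a time, looking for a delegation.
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) or "."
        if candidate == zone_name:
            break  # reached this zone's apex without finding a delegation
        ns_names = [v for t, v in zone.get(candidate, []) if t == "NS"]
        if ns_names:
            glue = [v for ns in ns_names for t, v in zone.get(ns, []) if t == "A"]
            return "referral", glue
    return "nxdomain", []


class Resolver:
    """Stands in for the ISP resolver (step 1): answers from cache when it
    can, otherwise walks the hierarchy from the root (steps 2 to 4)."""

    def __init__(self):
        self.cache = {}

    def resolve(self, name, qtype="A", max_hops=8):
        qname = name if name.endswith(".") else name + "."
        key = (qname, qtype)
        if key in self.cache:
            return self.cache[key], ["cache"]
        trail = []                      # (zone asked, what it replied)
        servers = list(ROOT_HINTS)
        for _ in range(max_hops):
            server = servers[0]
            kind, data = query_server(server, qname, qtype)
            trail.append((SERVER_ZONE[server], kind))
            if kind == "answer":
                self.cache[key] = data
                return data, trail
            if kind == "referral" and data:
                servers = data          # follow the delegation downward
                continue
            return [], trail            # nxdomain, or a referral without glue
        raise RuntimeError("too many referrals")
```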
Networking
AWS DNS Fundamentals

Registering a domain within DNS consists of a few steps and components. With many services, such as Route 53, Hover.com, and even GoDaddy, these steps appear to happen together.

STEP 1: Check the domain is available:
This step is usually done during registration, but for a given domain, a check needs to occur against the database of the TLD or subdomain operator. Registering bestcatpicsintheworldever.com requires a check with Verisign, who operate .com, and registering amazingcats.co.uk would need a check against .co.uk.

STEP 2: Purchase the domain via a registrar:
The domain operator allows companies to sell domains within the domain it manages. Buying a something.com domain via Route 53 means Route 53 taking payment and then contacting Verisign (.com operator) and adding a record into the .com zone that represents your domain.

STEP 3: Hosting the domain:
Registering a .com domain gives you the rights to specify name servers (NS) to be authoritative for that domain. You need to manage or pay for DNS hosting or name servers that are configured for your domain, and inform the .com operator to link those servers with your domain record. Route 53 allows you to register a domain and host it, or just host it, or just register it.

STEP 4: Records in the zone file:
On the name servers that are authoritative for (host) the domain, you need to add records into the zone file: www, mail, ftp, etc. This completes the chain, and these are accessible from the internet.
Networking
AWS DNS Fundamentals

A zone or hosted zone is a container for DNS records relating to a particular domain (e.g., linuxacademy.com). Route 53 supports public hosted zones, which influence the domain that is visible from the internet and VPCs. Private hosted zones are similar but accessible only from the VPCs they are associated with.

Public Zones:
- A public hosted zone is created when you register a domain with Route 53, when you transfer a domain into Route 53, or if you create one manually.
- A hosted zone (zone) has the same name as the domain it relates to; e.g., linuxacademy.com will have a hosted zone called linuxacademy.com.
- A public zone is accessible either from internet-based DNS clients (e.g., your laptop) or from within any AWS VPCs.
- A hosted zone will have "name servers"; these are the IP addresses you can give to a domain operator, so Route 53 becomes "authoritative" for a domain.

Private Zones:
- Private zones are created manually and associated with one or more VPCs; they are only accessible from those VPCs.
- Private zones need enableDnsHostnames and enableDnsSupport enabled on a VPC.
- Not all Route 53 features are supported; there are limits on health checks.
- Split-view DNS is supported, using the same zone name for public and private zones, providing VPC resources with different records (e.g., testing, internal versions of websites).
- With split view, private is preferred; if there are no matches, public is used.
Networking
AWS DNS Fundamentals

DNS supports different types of records, each providing different functionality. At an associate level, the important ones are:

A Record (and AAAA): For a given host (www), an A record provides an IPv4 address (e.g., 10.0.0.1) and an AAAA provides an IPv6 address.

CNAME Record: Allows aliases to be created (not the same as an alias record). A machine such as allthethings.linuxacademy.com might have CNAMEs for www, ftp, and images. Each of these CNAMEs points at an existing record in the domain: www -> allthethings.linuxacademy.com. CNAMEs cannot be used at the APEX of a domain (e.g., linuxacademy.com).

MX Record: MX records provide the mail servers for a given domain. Each MX record has a priority. Remote mail servers use this to locate the server to use when sending to someuser@linuxacademy.com.

NS Record: Used to set the authoritative servers for a subdomain. .com would have NS servers for linuxacademy.com.

TXT Record: Used for descriptive text in a domain; often used to verify domain ownership (Gmail/Office365).

Alias Records: An extension of CNAME; can be used like an A record, with the functionality of a CNAME and none of the limitations. Can refer to AWS logical services (load balancers, S3 buckets), and AWS doesn't charge for queries of alias records against AWS resources.
Networking
AWS DNS Fundamentals

Health checks can be created within Route 53 and are used to influence Route 53 routing decisions. There are three types of health checks:

- Health checks that monitor the health of an endpoint, e.g., an IP address or hostname
- Health checks that monitor the health of another health check (these are referred to as calculated health checks)
- Health checks that monitor CloudWatch alarms; you might want to consider something unhealthy if your DynamoDB table is experiencing performance issues

Route 53 Health Checkers:
- Global health check system that checks an endpoint in an agreed way with an agreed frequency.
- >18% of checks report healthy = healthy, <18% healthy = unhealthy

Types of Health Check:
- HTTP and HTTPS: tcp/80 or tcp/443 connection check in less than four seconds. Reporting a 2XX or 3XX code within two seconds.
- TCP health check: tcp connection within 10 seconds
- HTTP/S with string match: All the checks as with HTTP/HTTPS, but the body is checked for a string match

Route 53 and Health Checks:
- Records can be linked to health checks. If the check is unhealthy, the record isn't used.
- Can be used to do failover and other routing architectures (more in the next topic)
Networking
AWS DNS Fundamentals

Route 53 Health Checks and Failover

[Diagram, healthy case: a health check monitors the website on an EC2 instance in us-east-1 (state: Healthy). The EC2 instance is the primary record. If the health check is healthy, it's always used; the S3 standby page in ap-southeast-2 is not returned.]

[Diagram, unhealthy case: the health check on the us-east-1 website reports Unhealthy, so the S3 standby page in ap-southeast-2 (state: Healthy) is returned. When the check is unhealthy, the failover record is used: an S3 bucket.]
Networking
Advanced Route 53

This topic introduces advanced Route 53 routing policies. Routing policies provide granular control over how Route 53 responds to queries against records.
Networking
Advanced Route 53

A simple routing policy is a single record within a hosted zone that contains one or more values. When queried, a simple routing policy record returns all the values in a randomized order.

[Diagram: a DNS query for www in the associatecat.com hosted zone; Route 53 answers with the record's values 1.1.1.1, 2.2.2.2, and 3.3.3.3 (three instances)]

The DNS client (the laptop) receives a randomized list of IPs as a result. The client can select the appropriate one and, in this example, initiate an HTTP session with a resource.

Pros: Simple, the default, even spread of requests

Cons: No performance control, no granular health checks; for the alias type, only a single AWS resource
Networking
Advanced Route 53

Failover routing allows you to create two records with the same name. One is designated as the primary and another as secondary. Queries will resolve to the primary, unless it is unhealthy, in which case Route 53 will respond with the secondary.

[Diagram: a DNS query for www in the associatecat.com hosted zone; www (Primary) points at instances 1.1.1.1, 2.2.2.2, and 3.3.3.3; www (Secondary) points at an S3 bucket]

Failover can be combined with other types to allow multiple primary and secondary records. Generally, failover is used to provide emergency resources during failures.
Networking
Advanced Route 53

Weighted routing can be used to control the amount of traffic that reaches specific resources. It can be useful when testing new software or when resources are being added or removed from a configuration that doesn't use a load balancer.

[Diagram: associatecat.com with two weighted records. Instance1 has weight 10 and Instance2 has weight 90, a total weight of 100; Instance1 is returned 10% of the time and Instance2 90%.]

Records are returned based on a ratio of their weight to the total weight, assuming records are healthy.
Networking
Advanced Route 53

With latency-based routing, Route 53 consults a latency database each time a request occurs to a given latency-based host in DNS from a resolver server. Record sets with the same name are considered part of the same latency-based set. Each is allocated to a region. The record set returned is the one with the lowest latency to the resolver server.

[Diagram: a resolver in London queries www.associatecat.com. Instance1 is in us-east-1 and Instance2 in eu-central-1; the eu-central-1 record is returned because it has the lower latency.]

Source Region   Destination Region   Latency
London          us-east-1            200 ms
London          eu-central-1         120 ms
Networking
Advanced Route 53

Geolocation routing lets you choose the resources that serve your traffic based on the geographic region from which queries originate. A record set is configured for a continent or country. That record set is used for queries in that same region, with more specific matches taking priority.

A record set can be set as the default that gets returned if the IP matching process fails or if no record set is configured for the originating query region.

[Diagram: three www record sets, United States, North America, and Default, backed by a US-Instance and a UK-Instance. A query from America is matched against United States first, then North America, then Default; a query from the UK matches only the Default record.]

A no-result is returned if no match exists between a record set and the query location. Geoproximity allows a bias to expand a geographic area.
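An added Python example (not part of the course) that models the five routing policies above plus the health-checker threshold from the earlier DNS Fundamentals slide; record sets, latency figures and health-check IDs are constructed to match the diagrams.

```python
# Health checks (from the AWS DNS Fundamentals slide)
def aggregate_health(reports):
    """Combine reports from the global Route 53 health checkers using the
    slide's threshold: more than 18% healthy reports means healthy."""
    return bool(reports) and sum(1 for ok in reports if ok) / len(reports) > 0.18


def is_usable(record, health):
    """A record linked to an unhealthy check is not used; a record with no
    health check is always usable. health: check id -> bool."""
    hc = record.get("health_check")
    return hc is None or health.get(hc, False)


# Routing policies (Advanced Route 53 slides)
def simple_routing(record, rng=None):
    """All values of the record in randomized order; the client picks one."""
    import random
    values = list(record["values"])
    (rng or random).shuffle(values)
    return values


def failover_routing(primary, secondary, health):
    """The primary unless its health check fails, then the secondary."""
    return primary["values"] if is_usable(primary, health) else secondary["values"]


def weighted_shares(records, health):
    """Fraction of responses each healthy record receives: weight / total."""
    live = [r for r in records if is_usable(r, health)]
    total = sum(r["weight"] for r in live)
    return {r["set_id"]: r["weight"] / total for r in live} if total else {}


def weighted_routing(records, health, roll):
    """roll is a random draw in [0, 1); the record whose cumulative share
    covers the draw is returned."""
    shares = weighted_shares(records, health)
    cumulative = 0.0
    for r in records:
        if r["set_id"] not in shares:
            continue
        cumulative += shares[r["set_id"]]
        if roll < cumulative:
            return r["values"]
    return []


# Constructed latency table keyed by (resolver location, AWS region), in ms,
# matching the figures on the latency slide.
LATENCY_MS = {("London", "us-east-1"): 200, ("London", "eu-central-1"): 120}


def latency_routing(records, health, resolver_location):
    """The healthy record in the region with the lowest latency to the resolver."""
    live = [r for r in records if is_usable(r, health)]
    if not live:
        return []
    best = min(live, key=lambda r: LATENCY_MS[(resolver_location, r["region"])])
    return best["values"]


def geolocation_routing(records, health, country, continent):
    """Most specific match wins: country, then continent, then the default
    record. With no match at all Route 53 returns no result (None here)."""
    live = [r for r in records if is_usable(r, health)]
    for key, wanted in (("country", country), ("continent", continent), ("default", True)):
        for r in live:
            if r.get(key) == wanted:
                return r["values"]
    return None
```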
Storage and Content Delivery
S3 Architecture

This topic explores some key S3 architectural concepts in additional detail. The topics covered will be a key part of most S3 architectures.
Storage and Content Delivery
S3 Architecture

Bucket authorization within S3 is controlled using identity policies on AWS identities, as well as bucket policies in the form of resource policies on the bucket and bucket or object ACLs.

[Diagram: identity policies, bucket settings (Block Public Access), the bucket policy, and the ACL all apply to the bucket ac-catpics1337]

Final authorization is a combination of all applicable policies. Priority order is (1) Explicit Deny, (2) Explicit Allow, (3) Implicit Deny.
Storage and Content Delivery
S3 Architecture

Block public access is a setting applied on top of any existing settings as a protection.

It can disallow all public access granted to a bucket and objects using ACLs or bucket policies.

It can also block new public access grants using bucket policies or ACLs.

IMPORTANT: Block public access overrules any other public grant.
Storage and Content Delivery
S3 Architecture

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FirstStatement",
      "Effect": "Allow",
      "Action": ["iam:ChangePassword"],
      "Resource": "*"
    },
    {
      "Sid": "SecondStatement",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Sid": "ThirdStatement",
      "Effect": "Allow",
      "Action": ["s3:List*", "s3:Get*"],
      "Resource": [
        "arn:aws:s3:::ac-catpics1337",
        "arn:aws:s3:::ac-catpics1337/*"
      ]
    }
  ]
}

Identity policies attached to IAM users, roles, or groups can include S3 elements. This only works for identities in the same account as the bucket.
Storage and Content Delivery
S3 Architecture

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AddPerm",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": [
        "arn:aws:s3:::ac-catpics1337/*"
      ]
    }
  ]
}

Resource policies apply to a resource. They can be used to authorize access to a bucket or objects inside a bucket to large numbers of identities. Bucket policies can also apply to anonymous accesses (public access).
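An added Python example (not the course's own code) that evaluates the identity policy and bucket policy shown above the way the S3 Architecture slides describe: explicit deny, then explicit allow, then implicit deny, with Block Public Access discarding public grants. ACLs are not modelled, and the user ARN used in the checks is constructed.

```python
from fnmatch import fnmatchcase

# The two policies from the slides, retyped as Python dicts.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FirstStatement", "Effect": "Allow",
         "Action": ["iam:ChangePassword"], "Resource": "*"},
        {"Sid": "SecondStatement", "Effect": "Allow",
         "Action": "s3:ListAllMyBuckets", "Resource": "*"},
        {"Sid": "ThirdStatement", "Effect": "Allow",
         "Action": ["s3:List*", "s3:Get*"],
         "Resource": ["arn:aws:s3:::ac-catpics1337",
                      "arn:aws:s3:::ac-catpics1337/*"]},
    ],
}
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AddPerm", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::ac-catpics1337/*"]},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, ignore_case=False):
    """IAM-style wildcard match ('*' and '?'); action names are case-insensitive."""
    if ignore_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_applies(spec, principal):
    """Return (applies, is_public) for a bucket-policy Principal element.
    '*' is a public grant: it covers anonymous requests and every identity."""
    if spec in ("*", {"AWS": "*"}):
        return True, True
    listed = _as_list(spec.get("AWS", [])) if isinstance(spec, dict) else []
    return principal is not None and principal in listed, False


def evaluate(statements, action, resource):
    """'deny' if any matching statement denies, 'allow' if one allows,
    None if no statement matched the action and resource."""
    result = None
    for st in statements:
        if not _matches(st["Action"], action, ignore_case=True):
            continue
        if not _matches(st["Resource"], resource):
            continue
        if st["Effect"] == "Deny":
            return "deny"                       # an explicit deny always wins
        result = "allow"
    return result


def authorize(action, resource, principal=None, identity_policy=None,
              bucket_policy=None, block_public_access=False, same_account=True):
    """Combine the applicable policies as the slide describes: (1) explicit
    deny, (2) explicit allow, (3) implicit deny. principal=None models an
    anonymous (public) request."""
    decisions = []
    # Identity policies only apply to identities in the same account as the bucket.
    if principal is not None and identity_policy and same_account:
        decisions.append(evaluate(identity_policy["Statement"], action, resource))
    if bucket_policy:
        applicable = []
        for st in bucket_policy["Statement"]:
            applies, public = _principal_applies(st.get("Principal"), principal)
            if not applies:
                continue
            if public and block_public_access and st["Effect"] == "Allow":
                continue                        # Block Public Access overrules any public grant
            applicable.append(st)
        decisions.append(evaluate(applicable, action, resource))
    if "deny" in decisions:
        return "deny"
    if "allow" in decisions:
        return "allow"
    return "implicit-deny"
```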
Storage and Content Delivery
S3 Architecture

Uploads to S3 are generally done using the S3 console, the CLI, or directly using the APIs. Uploads either use a single operation (known as a single PUT upload) or multipart upload.

Single PUT Upload

The object is uploaded in a single stream of data.

[Diagram: object uploaded as one stream to the bucket]

Limit of 5 GB, can cause performance issues, and if the upload fails the whole upload fails.

Multipart Upload

An object is broken up into parts (up to 10,000); each part is 5 MB to 5 GB, and the last part can be less (the remaining data).

[Diagram: object split into parts uploaded in parallel to the bucket]

Multipart upload is faster (parallel uploads), and the individual parts can fail and be retried individually. AWS recommends multipart for anything over 100 MB, but it's required for anything beyond 5 GB.
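An added Python example (not from the course) that applies the upload thresholds above: choosing single PUT or multipart, sizing parts within the 5 MB to 5 GB and 10,000-part limits, and retrying failed parts individually. The 8 MB preferred part size is an assumption of this example.

```python
MB = 1024 ** 2
GB = 1024 ** 3
SINGLE_PUT_LIMIT = 5 * GB            # multipart is required above this
MULTIPART_ADVISED = 100 * MB         # AWS recommends multipart above this
MIN_PART, MAX_PART, MAX_PARTS = 5 * MB, 5 * GB, 10_000


def upload_method(size):
    """Return (method, why) using the slide's thresholds: multipart is
    required above 5 GB and recommended above 100 MB."""
    if size > SINGLE_PUT_LIMIT:
        return "multipart", "required"
    if size > MULTIPART_ADVISED:
        return "multipart", "recommended"
    return "single-put", "fine"


def choose_part_size(size, preferred=8 * MB):
    """Smallest whole-MB part size >= preferred that keeps the upload within
    10,000 parts; raises when even 5 GB parts are not enough."""
    part = max(preferred, MIN_PART)
    needed = -(-size // MAX_PARTS)             # ceil(size / MAX_PARTS)
    part = max(part, needed)
    part = -(-part // MB) * MB                 # round up to a whole MB
    if part > MAX_PART:
        raise ValueError("object too large for a multipart upload")
    return part


def plan_parts(size, part_size):
    """Split an object into (part_number, offset, length) tuples. Every part
    is between 5 MB and 5 GB except the last, which holds the remaining data."""
    if not MIN_PART <= part_size <= MAX_PART:
        raise ValueError("part size must be between 5 MB and 5 GB")
    parts, offset = [], 0
    while offset < size:
        length = min(part_size, size - offset)
        parts.append((len(parts) + 1, offset, length))
        offset += length
    if len(parts) > MAX_PARTS:
        raise ValueError(f"{len(parts)} parts exceeds the 10,000-part limit")
    return parts


def upload_parts(parts, send, max_attempts=3):
    """Upload parts independently: a failed part is retried on its own
    instead of restarting the whole object. send(part) returns True on
    success. Returns the part numbers that never succeeded."""
    failed = []
    for part in parts:
        for _ in range(max_attempts):
            if send(part):
                break
        else:
            failed.append(part[0])
    return failed
```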
Storage and Content Delivery
S3 Architecture

Amazon S3 buckets can be configured to host websites. Content can be uploaded to the bucket and, when enabled, static web hosting will provide a unique endpoint URL that can be accessed by any web browser. S3 buckets can host many types of content, including:

- HTML, CSS, JavaScript
- Media (audio, movies, images)

S3 can be used to host front-end code for serverless applications or as an offload location for static content. CloudFront can also be added to improve the speed and efficiency of content delivery for global users or to add SSL for custom domains.

Route 53 and alias records can also be used to add human-friendly names to buckets.

Cross-Origin Resource Sharing (CORS)

CORS is a security measure allowing a web application running in one domain to reference resources in another.

[Diagram: an S3 website at www.linuxacademy.com references content in an S3 bucket at secretcatimages.com, which has CORS enabled]
Storage and Content Delivery
S3 Architecture

Data between a client and S3 is encrypted in transit. Encryption at rest can be configured on a per-object basis.

- Client-Side Encryption: The client/application is responsible for managing both the encryption/decryption process and its keys. This method is generally only used when strict security compliance is required; it has significant admin and processing overhead.
- Server-Side Encryption with Customer-Managed Keys (SSE-C): S3 handles the encryption and decryption process. The customer is still responsible for key management, and keys must be supplied with each PUT or GET request.
- Server-Side Encryption with S3-Managed Keys (SSE-S3): Objects are encrypted using AES-256 by S3. The keys are generated by S3 (using KMS on your behalf). Keys are stored with objects in an encrypted form. If you have permissions on the object (e.g., S3 Read or S3 Admin), you can decrypt and access it.
- Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS): Objects are encrypted using individual keys generated by KMS. Encrypted keys are stored with the encrypted objects. Decryption of an object needs both S3 and KMS key permissions (role separation).

Bucket Default Encryption

Objects are encrypted in S3, not buckets. Each PUT operation needs to specify encryption (and type) or not. A bucket default captures any PUT operations where no encryption method/directive is specified. It doesn't enforce what type can and can't be used. Bucket policies can enforce.
Storage and Content Delivery
S3 Architecture

Versioning can be enabled on an S3 bucket. Once enabled, any operations that would otherwise modify objects generate new versions of that original object. Once a bucket is version-enabled, it can never be fully switched off, only suspended.

With versioning enabled, an AWS account is billed for all versions of all objects. Object deletions by default don't delete an object; instead, a delete marker is added to indicate the object is deleted (this can be undone). Older versions of an object can be accessed using the object name and a version ID. Specific versions can be deleted.

[Diagram: a version-enabled bucket holding versions of cat.jpg (id=null, id=111111, id=111112). A delete adds a delete marker on top of the current version; the earlier versions remain in the bucket and can be addressed by version ID.]

MFA Delete is a feature designed to prevent accidental deletion of objects. Once enabled, a one-time password is required to delete an object version or when changing the versioning state of a bucket.
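An added Python model (not the course's code) of the versioning behaviour described above: new versions on write, delete markers, access by version ID, suspension, and an MFA Delete gate. Version IDs are constructed sequential strings and the MFA check accepts any non-empty code; both are simplifications of this example.

```python
import itertools


class VersionedBucket:
    """Offline model of an S3 bucket's versioning behaviour as the slide
    describes it. Version IDs are constructed sequential strings (real S3
    IDs are opaque) and the MFA check accepts any non-empty code."""

    def __init__(self):
        self.versioning = "Disabled"      # Disabled -> Enabled -> Suspended
        self.mfa_delete = False
        self._objects = {}                # key -> versions, oldest first
        self._ids = itertools.count(111111)

    def _require_mfa(self, mfa_code):
        if self.mfa_delete and not mfa_code:
            raise PermissionError("MFA Delete is on: a one-time password is required")

    def enable_versioning(self):
        self.versioning = "Enabled"

    def suspend_versioning(self, mfa_code=None):
        """Once enabled, versioning can only be suspended, never switched off."""
        if self.versioning == "Disabled":
            raise ValueError("versioning was never enabled")
        self._require_mfa(mfa_code)
        self.versioning = "Suspended"

    def put(self, key, data):
        versions = self._objects.setdefault(key, [])
        if self.versioning == "Enabled":
            vid = str(next(self._ids))    # every write becomes a new version
        else:
            vid = "null"                  # Disabled/Suspended overwrite the null version
            versions[:] = [v for v in versions if v["id"] != "null"]
        versions.append({"id": vid, "data": data, "delete_marker": False})
        return vid

    def delete(self, key, version_id=None, mfa_code=None):
        """Without a version ID a delete only adds a delete marker (undone by
        deleting the marker itself); with one, that specific version is removed."""
        versions = self._objects.get(key, [])
        if version_id is not None:
            self._require_mfa(mfa_code)
            versions[:] = [v for v in versions if v["id"] != version_id]
            return None
        if self.versioning == "Disabled":
            versions.clear()              # no versioning: the object is simply gone
            return None
        if self.versioning == "Enabled":
            vid = str(next(self._ids))
        else:
            vid = "null"                  # Suspended: a null delete marker replaces the null version
            versions[:] = [v for v in versions if v["id"] != "null"]
        versions.append({"id": vid, "data": None, "delete_marker": True})
        return vid

    def get(self, key, version_id=None):
        versions = self._objects.get(key, [])
        if version_id is None:
            if not versions or versions[-1]["delete_marker"]:
                return None               # the current version is a delete marker
            return versions[-1]["data"]
        for v in versions:
            if v["id"] == version_id and not v["delete_marker"]:
                return v["data"]
        return None

    def list_versions(self, key):
        return [(v["id"], v["delete_marker"]) for v in self._objects.get(key, [])]

    def billable_bytes(self):
        """Every version of every object is billed, not just the current one."""
        return sum(len(v["data"]) for vs in self._objects.values()
                   for v in vs if v["data"] is not None)
```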
Storage and Content Delivery
S3 Architecture

A presigned URL can be created by an identity in AWS, providing access to an object using the creator's access permissions. When the presigned URL is used, AWS verifies the creator's access to the object, not yours. The URL is encoded with authentication built in and has an expiry time.

Presigned URLs can be used to download or upload objects.

Any identity can create a presigned URL, even if that identity doesn't have access to the object.

Example presigned URL scenarios:

- Stock images website: media stored privately on S3, presigned URL generated when an image is purchased
- Client access to upload an image for processing to an S3 bucket

When using presigned URLs, you may get an error. Some common situations include:

- The presigned URL has expired (seven-day maximum)
- The permissions of the creator of the URL have changed
- The URL was created using a role (36-hour max) and the role's temporary credentials have expired (aim to never create presigned URLs using roles)
Storage and Content Delivery
S3 Performance and HA

This topic will walk through the performance, high availability, and resilience features of S3.
Storage and Content Delivery
S3 Performance and HA

All objects within an S3 bucket use a storage class, also known as a storage tier. Storage classes influence the cost, durability, availability, and "first byte latency" for objects in S3. The class used for an object can be changed manually or using lifecycle policies.

Standard
- Default, all-purpose storage or when usage is unknown
- 99.999999999% (11 nines) durability and four nines availability
- Replicated in 3+ AZs; no minimum object size or retrieval fee

Standard Infrequent Access (Standard-IA)
- Objects where real-time access is required but infrequent
- 99.9% availability, 3+ AZ replication, cheaper than Standard
- 30-day and 128 KB minimum charges and object retrieval fee

One Zone-IA
- Non-critical and/or reproducible objects
- 99.5% availability, only 1 AZ, 30-day and 128 KB minimum charges
- Cheaper than Standard and Standard-IA

Glacier
- Long-term archival storage (warm or cold backups)
- Retrievals could take minutes or hours (faster = higher cost)
- 3+ AZ replication, 90-day and 40 KB minimum charge and retrieval fee

Glacier Deep Archive
- Long-term archival (cold backups); 180-day and 40 KB minimums
- Longer retrievals but cheaper than Glacier; a replacement for tape-style storage
Storage and Content Delivery

S3 Performance and HA

Storage classes can be controlled via lifecycle rules, which allow for the
automated transition of objects between storage classes or, where required,
the expiration of objects that are no longer needed. Rules are added at the
bucket level and can be enabled or disabled based on business requirements.

Transitions only flow down the class "waterfall":

  STANDARD -> STANDARD_IA -> INTELLIGENT_TIERING -> ONEZONE_IA -> GLACIER

Objects smaller than 128 KB cannot be transitioned into INTELLIGENT_TIERING.
Objects must be in the original storage class for a minimum of 30 days before
transitioning them to either of the IA storage tiers. Instead of transitioning
between tiers, objects can be configured to expire after a given period; at the
point of expiry they are deleted from the bucket.

Objects can be archived into Glacier using lifecycle configurations. The
objects remain inside S3 and are managed from S3, but Glacier is used for
storage. Archived objects can be restored into S3 for a temporary period, after
which the restored copy is deleted. If objects are encrypted, they remain
encrypted during their transition to Glacier and during temporary restoration
into S3.
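The constraints above (the waterfall direction, the 30-day minimum before an IA tier, the 128 KB floor for Intelligent-Tiering, expiry after the last transition) are easy to get wrong in a lifecycle configuration and S3 only tells you at PutBucketLifecycleConfiguration time. The following is an added example, not part of the course material: a small linter that checks a rule against those constraints and wraps the rules into the structure boto3 expects. The rule IDs, prefixes and day counts are illustrative. It also enforces 30 days in an IA class before the next hop (e.g. STANDARD_IA to GLACIER), which is AWS's rule but goes beyond what the page states.

```python
"""Lint an S3 lifecycle rule against the transition constraints described
above, then wrap the rules into the structure boto3 expects for
put_bucket_lifecycle_configuration(Bucket=..., LifecycleConfiguration=...).
Added example, not part of the course material; the rule IDs, prefixes and
day counts are illustrative."""
from typing import Dict, List

# The class "waterfall": a lifecycle transition may only move an object to a
# class further down this list, never back up.
WATERFALL = ["STANDARD", "STANDARD_IA", "INTELLIGENT_TIERING",
             "ONEZONE_IA", "GLACIER", "DEEP_ARCHIVE"]
IA_CLASSES = {"STANDARD_IA", "ONEZONE_IA"}
IA_MIN_DAYS = 30          # days in the source class before an IA transition
INTELLIGENT_TIERING_MIN_BYTES = 128 * 1024


def lint_rule(rule: Dict) -> List[str]:
    """Return the problems found in one lifecycle rule (empty list = OK)."""
    problems: List[str] = []
    transitions = sorted(rule.get("Transitions", []), key=lambda t: t["Days"])
    prev_class, prev_days = "STANDARD", 0
    for t in transitions:
        cls, days = t["StorageClass"], t["Days"]
        if cls not in WATERFALL:
            problems.append(f"unknown storage class {cls}")
            continue
        if WATERFALL.index(cls) <= WATERFALL.index(prev_class):
            problems.append(f"{prev_class} -> {cls} moves up the waterfall")
        # Page rule: 30 days in the original class before either IA tier.
        if cls in IA_CLASSES and days < IA_MIN_DAYS:
            problems.append(f"{cls} at day {days} is under the {IA_MIN_DAYS}-day minimum")
        # Assumption beyond the page: AWS applies the same 30-day floor to the
        # next hop out of an IA class (e.g. STANDARD_IA -> GLACIER).
        if prev_class in IA_CLASSES and days - prev_days < IA_MIN_DAYS:
            problems.append(f"{prev_class} -> {cls} after only {days - prev_days} days")
        prev_class, prev_days = cls, days
    expire = rule.get("Expiration", {}).get("Days")
    if expire is not None and transitions and expire <= prev_days:
        problems.append("Expiration must come after the last transition")
    # Objects under 128 KB are not moved into INTELLIGENT_TIERING; an explicit
    # size filter documents that instead of leaving it to silent skipping.
    if any(t["StorageClass"] == "INTELLIGENT_TIERING" for t in transitions):
        if rule.get("Filter", {}).get("ObjectSizeGreaterThan", 0) < INTELLIGENT_TIERING_MIN_BYTES:
            problems.append("INTELLIGENT_TIERING rule should filter out objects < 128 KB")
    return problems


def log_archive_rule(prefix: str) -> Dict:
    """Illustrative rule: logs go to Standard-IA at 30 days, Glacier at 90,
    and are deleted at 400 days."""
    return {
        "ID": f"archive-{prefix.strip('/') or 'all'}",
        "Status": "Enabled",
        "Filter": {"Prefix": prefix},
        "Transitions": [
            {"Days": 30, "StorageClass": "STANDARD_IA"},
            {"Days": 90, "StorageClass": "GLACIER"},
        ],
        "Expiration": {"Days": 400},
    }


def lifecycle_configuration(rules: List[Dict]) -> Dict:
    """Validate every rule and return the LifecycleConfiguration structure."""
    bad = {}
    for rule in rules:
        problems = lint_rule(rule)
        if problems:
            bad[rule.get("ID", "<no id>")] = problems
    if bad:
        raise ValueError(f"invalid lifecycle rules: {bad}")
    return {"Rules": list(rules)}
```

The returned dict can be passed unchanged as the LifecycleConfiguration argument once it passes the checks; running the linter in CI against the rules you store in version control catches the "Glacier at day 45 after IA at day 30" mistake before the API rejects it.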
Intelligent-Tiering

Intelligent-Tiering is a storage class designed for unknown or unpredictable
access patterns. It moves objects automatically between two tiers: one designed
for frequent access, the other for infrequent access.

Objects that aren't accessed for 30 days are moved to the infrequent tier, which
offers lower cost. If an object in this tier is accessed, it is moved back to the
frequent-access tier at no charge. Intelligent-Tiering adds a small monthly
automation and monitoring fee per object but has no retrieval fee.
S3 cross-region replication (S3 CRR) is a feature that can be enabled on S3
buckets, allowing one-way replication of data from a source bucket to a
destination bucket in another region.

By default, replicated objects keep their:
- Storage class
- Object name (key)
- Owner
- Object permissions

Replication configuration is applied to the source bucket and requires
versioning to be enabled on both buckets. Replication requires an IAM role
with permissions to read from the source and replicate objects into the
destination; S3 assumes this role and transfers the objects over SSL. Within
the replication configuration it is possible to override the storage class
and object permissions as objects are written to the destination.

Excluded from Replication
- System actions (lifecycle events)
- Any existing objects from before replication was enabled
- SSE-C encrypted objects; only SSE-S3 and (if enabled in the configuration)
  SSE-KMS encrypted objects are supported
CloudFront

This topic covers the architecture of CloudFront, a content delivery network
(CDN) frequently paired with S3.
CloudFront is a content delivery network (CDN). A CDN is a global cache that
stores copies of your data on edge caches positioned as close to your customers
as possible. It has three main benefits: lower latency, higher transfer speeds,
and reduced load on the content server.

CloudFront Components
- Origin: The server or service that hosts your content. Can be an S3 bucket, a
  web server, or Amazon MediaStore.
- Distribution: The "configuration" entity within CloudFront. It is where you
  configure all aspects of a specific "implementation" of CloudFront.
- Edge Location: The local infrastructure that hosts caches of your data.
  Positioned in over 150 locations globally in over 30 countries.
- Regional Edge Caches: Larger versions of edge locations. There are fewer of
  them, but they have more capacity and serve larger areas.

Caching Process
- Create a distribution and point it at one or more origins. A distribution has
  a DNS address that is used to access it.
- The DNS address directs clients to the closest available edge location.
- If the edge location has a cached copy of your data, it is delivered locally
  from that edge location.
- If it is not cached, the edge location attempts to download it from either a
  regional edge cache or from the origin (an origin fetch).
- As the edge location receives the data, it immediately begins forwarding it to
  the client and caches it for the next visitor.

Content can expire, be discarded, and be recached, or you can explicitly
invalidate content to remove it from caches.
Architecture: a viewer is directed to the closest edge location based on the
distribution settings, using DNS. If the content is not cached at that edge
location, the edge performs an origin fetch (a retrieval of the object from the
origin, such as an EC2 server in a VPC, an S3 bucket, or a server in a corporate
data center) and the object is also transferred to a regional cache. If content
ages out of an edge location because of infrequent access, it can still exist at
the regional cache.
By default, CloudFront is fully publicly accessible: anyone with the DNS
endpoint address can access content cached by the distribution.

A distribution can be configured to be private, where each access requires a
signed URL or signed cookie. This is done by setting the trusted signers on the
distribution.

Private distributions can be bypassed by going straight to the origin (e.g., the
S3 bucket), so the origin must be locked down as well.

An origin access identity (OAI) is a virtual identity that can be associated with
a distribution. The S3 bucket policy can then be restricted to allow only this OAI
to read objects; all other identities, including anonymous requests, are denied.
Together, trusted signers on the distribution and an OAI-only bucket policy mean
the only path to the objects is through the edge locations, which enforce the
signed URL or cookie check.
Example S3 bucket policy granting s3:GetObject on the bucket only to the
distribution's OAI (XXXXXXXXXXXX is the OAI ID):

{
  "Version": "2008-10-17",
  "Id": "PolicyForCloudFrontPrivateContent",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXX"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::mybucket/*"
    }
  ]
}
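The policy above only protects the private distribution if it is the sole read grant on the bucket: one extra "Principal": "*" statement, or a broad "s3:Get*" handed to another account, reopens the direct-to-origin path that the signed URL check was meant to close. The following is an added example, not code from the course: it generates the policy above for a given bucket and OAI, and audits an arbitrary bucket policy for Allow statements that grant object reads to any principal other than the OAI (by its ARN, or optionally by its S3 canonical user ID, which is the other form AWS accepts). The bucket name, OAI ID and sample policies are made up.

```python
"""Generate the OAI-only bucket policy shown above, and audit a bucket
policy for grants that would let a viewer bypass the private distribution
by fetching objects straight from S3.  Added example, not course material;
the bucket name, OAI ID and sample policies are made up."""
from fnmatch import fnmatchcase
from typing import Any, Dict, List

OAI_ARN_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "
READ_ACTIONS = ("s3:GetObject", "s3:GetObjectVersion")


def oai_bucket_policy(bucket: str, oai_id: str) -> Dict[str, Any]:
    """The policy from the slide, with the bucket and OAI filled in."""
    return {
        "Version": "2008-10-17",
        "Id": "PolicyForCloudFrontPrivateContent",
        "Statement": [{
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {"AWS": OAI_ARN_PREFIX + oai_id},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _principals(principal: Any) -> List[str]:
    """Flatten a Principal element to identifiers; '*' means anonymous."""
    if principal == "*":
        return ["*"]
    ids: List[str] = []
    for ids_of_kind in principal.values():   # {"AWS": ...}, {"CanonicalUser": ...}
        ids.extend(_as_list(ids_of_kind))
    return ids


def _grants_object_read(actions: Any) -> bool:
    """True if any action pattern (s3:*, s3:Get*, ...) covers an object read."""
    return any(fnmatchcase(read.lower(), pattern.lower())
               for pattern in _as_list(actions) for read in READ_ACTIONS)


def bypass_grants(policy: Dict[str, Any], oai_id: str,
                  oai_canonical_user: str = "") -> List[str]:
    """Sids of Allow statements that grant object reads to anyone other than
    the OAI (by ARN or by its S3 canonical user ID).  An empty list means
    the only way to the objects is through the distribution, where the
    signed URL/cookie check is enforced."""
    trusted = {OAI_ARN_PREFIX + oai_id}
    if oai_canonical_user:
        trusted.add(oai_canonical_user)
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue                      # Deny statements only tighten access
        if not _grants_object_read(stmt.get("Action", [])):
            continue
        # A missing Principal is treated as public: S3 would reject the policy,
        # but a linter should fail closed.
        others = [p for p in _principals(stmt.get("Principal", "*")) if p not in trusted]
        if others:
            findings.append(f"{stmt.get('Sid', '<no sid>')}: {', '.join(others)}")
    return findings
```

Feed bypass_grants the JSON returned by GetBucketPolicy (json.loads of the Policy field) and treat any finding as a bypass of the private distribution. Remember that the bucket policy is only one of the public-access controls: Block Public Access settings and object ACLs also need to be closed, which this check does not cover.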
Network File Systems

This topic will review the network file system products available within AWS.
Amazon EFS is an implementation of the Network File System (NFSv4) protocol
delivered as a service. File systems can be created and mounted on multiple
Linux instances at the same time.

Architecture: an EFS file system exposes a POSIX-permissioned file system through
mount targets placed in subnets of a VPC, one per AZ (e.g., 10.0.11.20 in AZ-A and
10.0.12.27 in AZ-B). Instances mount it over NFS v4/v4.1; servers in a corporate
data center can reach the same mount targets over Direct Connect.
Exam Facts and Figures: Elastic File System

EFS is an implementation of the NFSv4 protocol within AWS. Use EFS when you
need a "file system" that can be accessed from multiple instances (e.g., shared
media, home folders, documentation, shared logs).

- Its base entity is a file system.
- The file system is accessed via "mount targets" that are placed in subnets
  inside a VPC and have an IP address.
- The file system is "mounted" on Linux instances. (Important: EFS is currently
  only supported on Linux.)
- File systems are accessible from a VPC or from on-premises locations via a VPN
  or Direct Connect.

EFS has two performance modes: General Purpose (the default, suitable for 99% of
needs) and Max I/O (designed for when a large number of instances, as in
hundreds, need to access the file system).

EFS has two throughput modes: Bursting Throughput and Provisioned Throughput.

- Bursting: throughput scales with file system size. Every file system can burst
  to at least 100 MiB/s; larger file systems can burst to 100 MiB/s per TiB of
  storage, earning burst credits at a baseline of 50 MiB/s per TiB stored.
- Provisioned: throughput is configured independently of file system size.

Security groups attached to the mount targets control network access: allow
inbound NFS (TCP 2049) only from the security group of the instances that
should mount the file system.

EFS supports two storage classes: Standard and Infrequent Access (IA). Lifecycle
management is used to move files between classes based on access patterns.
Databases

DB Fundamentals

This topic will walk through the fundamentals of database platforms, engines,
data modeling, and access methods.
Relational database management systems (RDBMS) are used when the data to be
managed has formal and fixed relationships. Data is stored on disk as "rows,"
and entire rows must be read even if only individual attributes are needed:
reading one attribute from 10,000 records requires 10,000 rows to be read from
disk.

Every table has a schema that defines a fixed layout for each row, set when the
table is created. Every row in the table needs to have all the attributes, with
the correct data types.

An RDBMS conforms to the ACID properties: Atomicity, Consistency, Isolation, and
Durability. This limits the achievable performance and scalability, but for most
applications of an RDBMS the trade-off is worth it. SQL (Structured Query
Language) is used to interact with most relational database products.

Example tables. Fixed relationships exist between tables based on keys; queries
join tables to use information from both.

  ID    Name      Color        ID    H_ID   Human Underling
  0001  Roffle    B/W          0001  0001   Adrian
  0002  Penny     All          0001  0002   Nat
  0003  Winkie    White        0002  0001   Adrian
  0004  Truffles  Mixed        0002  0002   Nat
                               0003  0001   Adrian
                               0003  0002   Nat
                               0004  0001   Adrian
                               0004  0002   Nat
Key Value
Data is stored as key and value pairs. Super fast queries and the ability to
scale. No relationships and weak schema. Example product: Amazon DynamoDB.

  0001  Roffle
  0002  Penny
  0003  Winkie

Document
Data is stored as structured key and value pairs called documents. Operations
on documents are highly performant. Example product: MongoDB.

  {
    "name": "truffles",
    "age": "6",
    "status": "cat",
    "underlings": ["Adrian", "Nat"]
  }

Column
Data is stored in columns rather than rows. Queries against attribute sets, such
as all DOBs or all surnames, are fast. Great for data warehousing and analytics.
Example product: Amazon Redshift.

Graph
Designed for dynamic relationships. Stores data as nodes and relationships
between those nodes. Ideal for human-related data, such as social media.
Example product: Neo4j.

  (Adrian) -[:works_with]-> (James)
  (Adrian) -[:works_with]-> (Tia)
  (Adrian) -[:works_with]-> (Mark)
SQL: RDS

This topic will review the fundamentals of RDS (Relational Database Service)
within AWS. RDS is a Database as a Service (DBaaS) product.
RDS is a Database as a Service (DBaaS) product. It can be used to provision a
fully functional database without the admin overhead traditionally associated
with DB platforms. It can perform at scale, be made publicly accessible, and can
be configured for demanding availability and durability scenarios.

Architecture: a DB instance in us-east-1 (vpc1) is reached through a CNAME. In
Multi-AZ mode a primary in AZ-B and a standby in AZ-A each have their own DB
storage, backups go to S3, and a read replica can be placed in another region
such as ap-southeast-2.
Exam Hints and Key Facts: RDS

RDS supports a number of database engines:
- MySQL, MariaDB, PostgreSQL, Oracle, Microsoft SQL Server
- Aurora: an in-house developed engine with substantial feature and performance
  enhancements

RDS can be deployed in single-AZ or Multi-AZ mode (for resilience) and supports
the following instance types:
- General purpose (currently db.m4 and db.m5)
- Memory optimized (currently db.r4 and db.r5, and db.x1e and db.x1 for Oracle)
- Burstable (db.t2 and db.t3)

Two types of storage are supported:
- General Purpose SSD (gp2): 3 IOPS per GiB, burst to 3,000 IOPS (a credit pool
  architecture like EBS gp2)
- Provisioned IOPS SSD (io1): 1,000 to 80,000 IOPS (engine dependent); size and
  IOPS can be configured independently

RDS instances are charged based on:
- Instance size
- Provisioned storage (not the storage actually used)
- IOPS, if using io1
- Data transferred out
- Any backup/snapshot storage beyond the free allowance (100% of the provisioned
  storage of each DB instance)

RDS supports encryption with the following limits/restrictions/conditions:
- Encryption can be configured when creating DB instances.
- Encryption can be added to an existing instance by taking a snapshot, making
  an encrypted copy of the snapshot, and creating a new encrypted instance from
  that encrypted snapshot.
- Encryption cannot be removed.
- Read Replicas must be in the same state as the primary instance (encrypted or
  not).
- Encrypted snapshots can be copied between regions, but a KMS CMK in the
  destination region must be used, because CMKs are region specific.

Network access to an RDS instance is controlled by a security group (SG)
associated with the RDS instance.
RDS is capable of a number of different types of backup. Automated backups to
S3 occur daily and can be retained for 0 to 35 days (0 disables them). Manual
snapshots are taken on demand and exist until deleted. Transaction log backups
are also stored in S3, allowing point-in-time recovery.

- Data is replicated synchronously from the primary to the standby. Automated
  backups, when enabled, occur once per day and are taken from the standby
  instance.
- Log backups occur to S3 every 5 minutes, allowing point-in-time recovery to
  any point within the backup retention window.
- Manual snapshots can be performed at any time and are retained until
  explicitly deleted.
- Restores create a new RDS instance with a new endpoint address, which will
  require application changes (or DNS changes).
RDS Multi-AZ

- RDS can be provisioned in single-AZ or Multi-AZ mode.
- Multi-AZ provisions a primary instance and a standby instance in a different
  AZ of the same region.
- Only the primary can be accessed, using the instance CNAME.
- There is no performance benefit, but it provides a better RTO than restoring a
  snapshot.

Architecture: the application connects via the CNAME to the primary in AZ-A,
which replicates synchronously to the standby in AZ-B. On failover the CNAME is
repointed to the promoted instance in AZ-B (the new primary) and the old primary
becomes the new standby.

Replication of data is synchronous: it is copied in real time from the primary
to the standby as it is written. The primary and standby each have their own
storage. Backups are taken using the standby, ensuring no performance impact.
Maintenance is performed on the standby first, which is then promoted to
minimize downtime.
Read Replicas are read-only copies of an RDS instance that can be created in the
same region or a different region from the primary instance.

Read Replicas can be addressed independently (each has its own DNS name) and
used for read workloads, allowing you to scale reads. Five Read Replicas can be
created from an RDS instance, allowing up to a 5x increase in read capacity.
Read Replicas can be created from Read Replicas, can be promoted to primary
instances, and can themselves be Multi-AZ.

Read Replicas don't scale writes, which still have to occur on the primary
instance. For cross-region replicas, AWS handles the connection between regions
automatically and data in transit is encrypted.

Reads from a Read Replica are eventually consistent (normally within seconds),
but the application needs to tolerate this.
SQL: Aurora

This topic will review the key features of Aurora and Aurora Serverless,
comparing both to the traditional RDS database engines.
Aurora Architecture

Aurora is a database engine developed by AWS that is compatible with MySQL and
PostgreSQL and their associated tools.

Aurora operates with a radically different architecture from the other RDS
database engines:
- Aurora uses a base configuration of a "cluster."
- A cluster contains a single primary instance and zero or more replicas.

Cluster Storage
- All instances (primary and replicas) use the same shared storage: the cluster
  volume.
- The cluster volume is entirely SSD based and can scale to 64 TiB in size.
- Data is replicated six times, across three Availability Zones.
- Aurora can tolerate the loss of two copies without writes being impacted and
  the loss of three copies without impacting reads.
- Aurora storage is self-healing.

Cluster Scaling and Availability
- The cluster volume scales automatically, is billed only for consumed data, and
  is continuously backed up to S3.
- Aurora replicas improve availability, can be promoted to primary quickly, and
  allow for efficient read scaling.
- Reads and writes use the cluster endpoint.
- Reads can use the reader endpoint, which balances connections over all replica
  instances.
Aurora Cluster Architecture

Aurora is not just an enhancement of RDS; it is a new architecture with shared
storage, addressable replicas, and parallel queries. In the diagram, a VPC spans
AZ-A, AZ-B, and AZ-C: the primary accepts writes and reads, the replicas serve
reads, and all of them sit on one cluster volume holding data copies in every AZ
(max 64 TiB, 6 copies, 3 AZs).

To improve resilience, use additional replicas. To scale write workloads, scale
up the instance size. To scale reads, scale out by adding more replicas.
Aurora Serverless

Aurora Serverless is based on the same database engine as Aurora, but instead
of provisioning a fixed resource allocation, Aurora Serverless handles this as
a service. You simply specify a minimum and maximum number of Aurora capacity
units (ACUs). Aurora Serverless can also be accessed through the Data API.

Architecture: applications connect to a proxy fleet, which routes them to
instances drawn from a warm Aurora Serverless cluster pool as demand requires.
NoSQL Databases

This topic explores the architecture of DynamoDB, a core NoSQL product within
AWS.
DynamoDB is a NoSQL database service. It is a global service, partitioned
regionally, and allows the creation of tables.

A TABLE is a collection of items that share the same partition key (PK) or
partition key and sort key (SK), together with other configuration and
performance settings.

An ITEM is a collection of attributes (up to 400 KB in size) inside a table that
shares the same key structure as every other item in the table.

An ATTRIBUTE is a key and value: an attribute name and value.

Table1 item, keyed on a partition (hash) key "id", with a nested attribute
"Fav Foods":

  {
    "id": "25D19749-6196-4500-A4A3-17DA46DEE3B4",
    "Name": "Adrian",
    "Age": 40,
    "Fav Foods": [
      "icecream",
      "cheesecake"
    ]
  }

Table2 item, keyed on a partition key "customer" and a sort (range) key
"dateandtime", with a nested "payment" attribute:

  {
    "customer": "0001",
    "dateandtime": "2019-12-25T00:00:00Z",
    "title": "101 best xmas gifts",
    "payment": [{
      "ccname": "S. Anta",
      "ccnumber": "1234567812345678",
      "expiry": "12/50"
    }]
  }

(The full card number is shown only to illustrate nesting; in a real system that
attribute would be tokenized or encrypted client-side before being written.)
DynamoDB has two read/write capacity modes: provisioned throughput (the
default) and on-demand mode.

When using on-demand mode, DynamoDB automatically scales to handle performance
demands and bills a per-request charge.

When using provisioned throughput mode, each table is configured with read
capacity units (RCU) and write capacity units (WCU).

Every operation on items consumes at least 1 RCU or WCU; partial units cannot be
consumed.

Read Capacity Units

One RCU is 4 KB of data read from a table per second in a strongly consistent
way. Reading 2 KB of data consumes 1 RCU, reading 4.5 KB of data takes 2 RCU,
and reading 10 separate items of 400 bytes takes 10 RCU (rounding happens per
item). If eventually consistent reads are acceptable, 1 RCU allows for 2 x 4 KB
of data read per second. Transactional reads require 2x the RCU.

Write Capacity Units

One WCU is 1 KB of data or less written to a table per second. An operation that
writes 200 bytes consumes 1 WCU; an operation that writes 2 KB consumes 2 WCU.
Five operations of 200 bytes consume 5 WCU. Transactional writes require 2x the
WCU to complete.
DynamoDB Consistency

DynamoDB is highly resilient and replicates data across multiple AZs in a
region. When you receive an HTTP 200 code, a write has been completed and is
durable. This doesn't mean it has been written to all AZs; that generally occurs
within a second.

An eventually consistent read requests data, preferring speed. It is possible
the data received may not reflect a recent write. Eventual consistency is the
default for read operations in DynamoDB.

A strongly consistent read ensures DynamoDB returns the most up-to-date copy of
the data. It takes longer and costs twice the RCU, but is sometimes required for
applications that need consistency.
Provisioned Throughput Calculations

A system needs to store 60 patient records of 1.5 KB each, every minute. What
WCU should you allocate on the patient record table?

- 60 records per minute = ~1 per second (the DynamoDB burst capacity can smooth
  this out if writes arrive unevenly).
- Each record is 1.5 KB. 1 WCU = 1 KB per second, so each record requires 2 WCU.
- A WCU setting of 2 is required on the table.

A weather application reads data from a DynamoDB table. Each item in the table
is 7 KB in size. How many RCUs should be set on the table to allow for 10 reads
per second?

- 1 item is 7 KB, which is 2 RCU (1 RCU is 4 KB).
- 10 strongly consistent reads per second of 7 KB items = 20 RCU.
- But the question didn't specify whether eventual or strong consistency is
  required. The default is eventual, which allows 2 reads of 4 KB per second
  for 1 RCU.
- Assuming eventually consistent reads, the answer is 10 RCU.
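The RCU/WCU rules and the two worked questions above reduce to one procedure: round each item up to the 4 KB read or 1 KB write unit, apply the consistency multiplier (eventual = half, transactional = double), multiply by the per-second rate, and round the total up. The following calculator is an added example, not course material; it encodes those rules and the two questions as functions so that other sizes and rates can be checked the same way. Sizes are in bytes and the figures are the whole units DynamoDB actually bills.

```python
"""Capacity calculator implementing the RCU/WCU rules above, covering the two
worked questions and the transactional and eventually consistent cases.  Added
example, not course material.  Sizes are bytes; rounding to 4 KB (reads) or
1 KB (writes) is applied per item, which is why ten 400-byte reads cost ten
units rather than one."""
import math

KB = 1024
READ_UNIT_BYTES = 4 * KB    # one strongly consistent read covers up to 4 KB
WRITE_UNIT_BYTES = 1 * KB   # one standard write covers up to 1 KB

READ_MULTIPLIER = {"strong": 1.0, "eventual": 0.5, "transactional": 2.0}


def rcu_per_read(item_bytes: int, consistency: str = "eventual") -> float:
    """Capacity consumed by one read of an item of item_bytes."""
    if consistency not in READ_MULTIPLIER:
        raise ValueError(f"unknown consistency {consistency!r}")
    return math.ceil(item_bytes / READ_UNIT_BYTES) * READ_MULTIPLIER[consistency]


def wcu_per_write(item_bytes: int, transactional: bool = False) -> int:
    """Capacity consumed by one write of an item of item_bytes."""
    units = math.ceil(item_bytes / WRITE_UNIT_BYTES)
    return units * 2 if transactional else units


def provision_rcu(item_bytes: int, reads_per_second: float,
                  consistency: str = "eventual") -> int:
    """Whole RCU to set on a table for a sustained read rate."""
    return math.ceil(rcu_per_read(item_bytes, consistency) * reads_per_second)


def provision_wcu(item_bytes: int, writes_per_second: float,
                  transactional: bool = False) -> int:
    """Whole WCU to set on a table for a sustained write rate."""
    return math.ceil(wcu_per_write(item_bytes, transactional) * writes_per_second)


def patient_records_wcu(records_per_minute: int = 60,
                        record_bytes: int = int(1.5 * KB)) -> int:
    """Worked question 1: 60 records of 1.5 KB per minute."""
    return provision_wcu(record_bytes, records_per_minute / 60)


def weather_rcu(consistency: str = "eventual") -> int:
    """Worked question 2: ten reads per second of 7 KB items."""
    return provision_rcu(7 * KB, 10, consistency)
```

The per-item rounding is the part worth internalising: a 4.5 KB item costs the same as an 8 KB one, and a transactional read of it costs four units, so item design (splitting large, rarely read attributes into their own items) directly changes the provisioned figure.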
Databases
NoSQL Databases

When enabled, streams provide an ordered list of changes that occur to items within a DynamoDB table. A stream is a rolling 24-hour window of changes. Streams are enabled per table and only contain data from the point of being enabled.

Every stream has an ARN that identifies it globally across all tables, accounts, and regions.

Streams can be configured with one of four view types:

- KEYS_ONLY: Whenever an item is added, updated, or deleted, the key(s) of that item are added to the stream.
- NEW_IMAGE: The entire item is added to the stream "post-change."
- OLD_IMAGE: The entire item is added to the stream "pre-change."
- NEW_AND_OLD_IMAGES: Both the new and old versions of the item are added to the stream.

Triggers

Streams can be integrated with AWS Lambda, invoking a function whenever items are changed in a DynamoDB table (a DB trigger).

Diagram: DynamoDB table -> DynamoDB stream -> AWS Lambda (stream records invoke the function).
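A Lambda-style handler for the DB trigger described above, as an added Python example that is not part of the course notes: it decodes the stream records, works out which attributes changed between the old and new images, and flags changes to sensitive attributes. The table, attribute names, the sensitive-attribute list and the sample event are assumed; the stream is assumed to use the NEW_AND_OLD_IMAGES view type except for the last record, which shows KEYS_ONLY.

```python
import json
from typing import Any

# Added example, not from the course notes. Attribute names and the list of
# sensitive attributes are assumed for illustration.
SENSITIVE_ATTRIBUTES = {"role", "mfa_enabled"}


def from_dynamodb(attr: dict) -> Any:
    """Convert one DynamoDB-JSON attribute value ({"S": "x"}, {"N": "3"}, ...)
    to a plain Python value. Stream images use this typed encoding."""
    (type_code, value), = attr.items()
    if type_code == "S":
        return value
    if type_code == "N":
        return int(value) if value.lstrip("-").isdigit() else float(value)
    if type_code in ("BOOL", "NULL"):
        return value if type_code == "BOOL" else None
    if type_code == "L":
        return [from_dynamodb(v) for v in value]
    if type_code == "M":
        return {k: from_dynamodb(v) for k, v in value.items()}
    if type_code in ("SS", "NS"):
        return set(value)
    raise ValueError(f"unsupported attribute type {type_code}")


def image_to_dict(image: dict) -> dict:
    return {name: from_dynamodb(attr) for name, attr in image.items()}


def changed_attributes(old: dict, new: dict) -> set:
    """Attribute names whose value differs between the pre- and post-change images."""
    return {k for k in old.keys() | new.keys() if old.get(k) != new.get(k)}


def handle_record(record: dict) -> dict:
    body = record["dynamodb"]
    # OldImage/NewImage are only present for view types that include them
    # (a KEYS_ONLY stream carries just the Keys), so default them to empty.
    old = image_to_dict(body.get("OldImage", {}))
    new = image_to_dict(body.get("NewImage", {}))
    changed = changed_attributes(old, new)
    return {
        "event": record["eventName"],          # INSERT, MODIFY or REMOVE
        "keys": image_to_dict(body["Keys"]),
        "view": body.get("StreamViewType"),
        "changed": sorted(changed),
        "sensitive_change": bool(changed & SENSITIVE_ATTRIBUTES),
    }


def handler(event: dict, context: Any = None) -> list:
    """Lambda entry point: one result per stream record, in stream order."""
    results = [handle_record(r) for r in event["Records"]]
    for r in results:
        if r["sensitive_change"]:
            # A real deployment would send this to a log group or alert topic.
            print("AUDIT", json.dumps(r))
    return results


# Constructed stream event for a table keyed on UserID.
SAMPLE_EVENT = {"Records": [
    {"eventID": "1", "eventName": "INSERT", "eventSource": "aws:dynamodb",
     "dynamodb": {"Keys": {"UserID": {"S": "0002"}},
                  "NewImage": {"UserID": {"S": "0002"}, "role": {"S": "user"},
                               "logins": {"N": "0"}},
                  "StreamViewType": "NEW_AND_OLD_IMAGES"}},
    {"eventID": "2", "eventName": "MODIFY", "eventSource": "aws:dynamodb",
     "dynamodb": {"Keys": {"UserID": {"S": "0002"}},
                  "OldImage": {"UserID": {"S": "0002"}, "role": {"S": "user"},
                               "logins": {"N": "3"}},
                  "NewImage": {"UserID": {"S": "0002"}, "role": {"S": "admin"},
                               "logins": {"N": "3"}},
                  "StreamViewType": "NEW_AND_OLD_IMAGES"}},
    {"eventID": "3", "eventName": "REMOVE", "eventSource": "aws:dynamodb",
     "dynamodb": {"Keys": {"UserID": {"S": "0003"}},
                  "StreamViewType": "KEYS_ONLY"}},
]}
```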
Indexes provide an alternative representation of data in a table, which is useful for applications with varying query demands. Indexes come in two forms: local secondary indexes (LSI) and global secondary indexes (GSI). Indexes are interacted with as though they are tables, but they are just an alternate representation of data in an existing table.

Local secondary indexes must be created at the same time as creating a table. They use the same partition key but an alternative sort key. They share the RCU and WCU values for the main table.

Global secondary indexes can be created at any point after the table is created. They can use different partition and sort keys. They have their own RCU and WCU values.

Base table (partition key UserID, sort key Game). Efficient queries can only be done on user ID and filtered or sorted using game.

UserID  Game        HighScore  DateandTime
0001    Beat Saber  10         2019-07-21T00:01:00Z
0001    WoW         458        2019-07-21T13:37:00Z
0002    Beat Saber  100000     2019-07-21T13:38:00Z
0003    RapBattle   67         2019-07-23T13:38:00Z

LSI (partition key UserID, sort key DateandTime). An LSI lets you use an alternative sort key to allow filtering on date and time instead.

UserID  DateandTime           Game        HighScore
0001    2019-07-21T00:01:00Z  Beat Saber  10
0001    2019-07-21T13:37:00Z  WoW         458
0002    2019-07-21T13:38:00Z  Beat Saber  100000
0003    2019-07-23T13:38:00Z  RapBattle   67

GSI (partition key Game, sort key DateandTime). A GSI can use an alternative PK and SK; in this example, maybe for a high score table per game.

Game        DateandTime           UserID  HighScore
Beat Saber  2019-07-21T00:01:00Z  0001    10
Beat Saber  2019-07-21T13:38:00Z  0002    100000
RapBattle   2019-07-23T13:38:00Z  0003    67
WoW         2019-07-21T13:37:00Z  0001    458
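The CreateTable request for the high-score table above, with the LSI and GSI the tables describe, plus a pre-flight check of the index rules the text states, as an added Python example that is not part of the course notes. Table and index names and the capacity numbers are assumed; nothing here calls AWS.

```python
from copy import deepcopy

# Added example, not from the course notes. Names and capacity values are assumed.


def high_score_table() -> dict:
    """CreateTable parameters in the shape DynamoDB's API expects."""
    return {
        "TableName": "HighScores",
        "AttributeDefinitions": [            # only KEY attributes are declared
            {"AttributeName": "UserID", "AttributeType": "S"},
            {"AttributeName": "Game", "AttributeType": "S"},
            {"AttributeName": "DateandTime", "AttributeType": "S"},
        ],
        "KeySchema": [                       # base table: PK UserID, SK Game
            {"AttributeName": "UserID", "KeyType": "HASH"},
            {"AttributeName": "Game", "KeyType": "RANGE"},
        ],
        "ProvisionedThroughput": {"ReadCapacityUnits": 10, "WriteCapacityUnits": 2},
        "LocalSecondaryIndexes": [{          # same PK, alternative SK; shares table RCU/WCU
            "IndexName": "UserID-DateandTime",
            "KeySchema": [
                {"AttributeName": "UserID", "KeyType": "HASH"},
                {"AttributeName": "DateandTime", "KeyType": "RANGE"},
            ],
            "Projection": {"ProjectionType": "ALL"},
        }],
        "GlobalSecondaryIndexes": [{         # different PK and SK; its own RCU/WCU
            "IndexName": "Game-DateandTime",
            "KeySchema": [
                {"AttributeName": "Game", "KeyType": "HASH"},
                {"AttributeName": "DateandTime", "KeyType": "RANGE"},
            ],
            "Projection": {"ProjectionType": "ALL"},
            "ProvisionedThroughput": {"ReadCapacityUnits": 5, "WriteCapacityUnits": 2},
        }],
    }


def _hash_key(key_schema: list) -> str:
    return next(k["AttributeName"] for k in key_schema if k["KeyType"] == "HASH")


def check_indexes(params: dict) -> list:
    """Return rule violations (an empty list means the definition is consistent).

    Rules checked: every key attribute must be declared in AttributeDefinitions;
    an LSI must reuse the table's partition key and has no throughput of its own;
    a GSI on a provisioned table must declare its own throughput."""
    problems = []
    declared = {a["AttributeName"] for a in params["AttributeDefinitions"]}
    table_hash = _hash_key(params["KeySchema"])
    lsis = params.get("LocalSecondaryIndexes", [])
    gsis = params.get("GlobalSecondaryIndexes", [])
    schemas = [("table", params["KeySchema"])]
    schemas += [(i["IndexName"], i["KeySchema"]) for i in lsis + gsis]
    for name, schema in schemas:
        for key in schema:
            if key["AttributeName"] not in declared:
                problems.append(f"{name}: key attribute {key['AttributeName']} is not declared")
    for lsi in lsis:
        if _hash_key(lsi["KeySchema"]) != table_hash:
            problems.append(f"{lsi['IndexName']}: an LSI must use the table partition key {table_hash}")
        if "ProvisionedThroughput" in lsi:
            problems.append(f"{lsi['IndexName']}: an LSI shares the table RCU/WCU and has none of its own")
    for gsi in gsis:
        if "ProvisionedThroughput" not in gsi:
            problems.append(f"{gsi['IndexName']}: a GSI needs its own RCU/WCU")
    return problems


def broken_variant(kind: str) -> dict:
    """Constructed negative cases for check_indexes."""
    params = deepcopy(high_score_table())
    if kind == "lsi_hash":            # LSI tries to use Game as its partition key
        params["LocalSecondaryIndexes"][0]["KeySchema"][0]["AttributeName"] = "Game"
    elif kind == "gsi_throughput":    # GSI without its own RCU/WCU
        del params["GlobalSecondaryIndexes"][0]["ProvisionedThroughput"]
    elif kind == "undeclared":        # index keyed on an attribute never declared
        params["GlobalSecondaryIndexes"][0]["KeySchema"][1]["AttributeName"] = "HighScore"
    else:
        raise ValueError(kind)
    return params
```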
In-Memory Caching

This topic will finish off this section of the course by looking at in-memory caching, which can provide significant performance boosts for suitable applications.
DynamoDB Accelerator (DAX) is an in-memory cache designed specifically for DynamoDB. Results delivered from DAX are available in microseconds rather than in the single-digit milliseconds available from DynamoDB.

Diagram: inside a VPC, an app instance with the DAX client reads from a Multi-AZ, highly available DAX cluster. A cache hit is answered by DAX in ~400 us; a cache miss is served from Amazon DynamoDB in ~5 ms.

DAX maintains two distinct caches: the item cache and the query cache. The item cache is populated with results from GetItem and BatchGetItem and has a five-minute default TTL. The query cache stores results of Query and Scan operations and caches based on the parameters specified.

Diagram: the app instance's DAX client talks to DAX, which holds an item cache and a query cache in front of Amazon DynamoDB.
ElastiCache is a managed in-memory data store supporting the Redis or Memcached engines. ElastiCache is used for two common use cases:
- Offloading database reads by caching responses, improving application speed and reducing costs
- Storing user session state, allowing for stateless compute instances (used for fault-tolerant architectures)

Diagram: a load balancer in front of app instances, which read from Amazon ElastiCache before falling back to the data store. Generally, ElastiCache is used with key value databases or to store simple session data, but it can be used with SQL database engines.
Hybrid and Scaling
LB and Auto Scaling

This topic will walk through the load balancing and Auto Scaling features of AWS, which support scalable and elastic architectures.
- Load balancing is a method used to distribute incoming connections across a group of servers or services.
- Incoming connections are made to the load balancer, which distributes them to associated services.
- Elastic Load Balancing (ELB) is a service that provides a set of highly available and scalable load balancers in one of three versions: Classic (CLB), Application (ALB), and Network (NLB).
- ELBs can be paired with Auto Scaling groups to enhance high availability and fault tolerance, automating scaling/elasticity.
- An elastic load balancer has a DNS record, which allows access at the external side.

Diagram: clients resolve the load balancer's DNS name and reach one node per AZ; in a two-AZ deployment each node receives 50% of the traffic.

A node is placed in each AZ the load balancer is active in. Each node gets 1/N of the traffic, where N is the number of nodes. Historically, each node could only load balance to instances in the same AZ. This results in uneven traffic distribution when the AZs contain different numbers of instances. Cross-zone load balancing allows each node to distribute traffic to all instances.

An elastic load balancer can be public facing, meaning it accepts traffic from the public internet, or internal, which is only accessible from inside a VPC and is often used between application tiers.

An elastic load balancer accepts traffic via listeners using protocol and ports. It can strip HTTPS at this point, meaning it handles encryption/decryption, reducing CPU usage on instances.
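How much of the total traffic each instance receives with and without cross-zone load balancing, as an added Python example that is not part of the course notes. The AZ layout (2 instances in one AZ, 8 in the other) is constructed to make the imbalance obvious; instance names are assumed.

```python
from fractions import Fraction

# Added example, not from the course notes. Layout and instance names are constructed.


def traffic_share(instances_by_az: dict, cross_zone: bool) -> dict:
    """Map instance -> fraction of all incoming traffic.

    One load balancer node sits in each AZ and receives 1/N of the traffic
    (N = number of AZs). Without cross-zone load balancing a node only
    forwards to instances in its own AZ; with it, every node spreads its
    share across every registered instance."""
    nodes = len(instances_by_az)
    node_share = Fraction(1, nodes)
    shares = {}
    if cross_zone:
        everyone = [i for az in instances_by_az.values() for i in az]
        for instance in everyone:
            # each of the N nodes gives this instance node_share / total
            shares[instance] = node_share * nodes / len(everyone)
        return shares
    for az, instances in instances_by_az.items():
        if not instances:
            raise ValueError(f"AZ {az} has no registered instances; its node "
                             f"has nowhere to send {node_share} of the traffic")
        for instance in instances:
            shares[instance] = node_share / len(instances)
    return shares


def imbalance(shares: dict) -> Fraction:
    """Ratio between the busiest and the least busy instance (1 = even)."""
    return max(shares.values()) / min(shares.values())


# Constructed layout: one AZ holds 2 instances, the other 8. Without cross-zone
# balancing the two instances in the small AZ each carry four times the load
# of an instance in the large AZ, so they are the first to saturate.
LAYOUT = {
    "us-east-1a": ["a1", "a2"],
    "us-east-1b": ["b1", "b2", "b3", "b4", "b5", "b6", "b7", "b8"],
}
```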
Classic Load Balancers are the oldest type of load balancer and generally should be avoided for new projects.
- Support Layer 3 & 4 (TCP and SSL) and some HTTP/S features
- It isn't a Layer 7 device, so no real HTTP/S
- One SSL certificate per CLB, which can get expensive for complex projects
- Can offload SSL connections: HTTPS to the load balancer and HTTP to the instance (lower CPU and admin overhead on instances)
- Can be associated with Auto Scaling groups
- DNS A Record is used to connect to the CLB

Diagram: Route53 resolves the CLB name; the ELB health-checks instances A1, A2, B1, and B2 across two AZs.
LB Health Checks

Health checks can be configured to check the health of any attached services. If a problem is detected, incoming connections won't be routed to an instance until it returns to health.

CLB health checks can be TCP, HTTP, HTTPS, and SSL based on ports 1-65535. With HTTP/S checks, an HTTP/S path can be tested.
- Application Load Balancers (ALBs) operate at Layer 7 of the OSI model. They understand HTTP and HTTPS and can load balance based on this protocol layer.
- ALBs are now recommended as the default LB for VPCs. They perform better than CLBs and are almost always cheaper.
- Content rules can direct certain traffic to specific target groups.
  - Host-based rules: Route traffic based on the host used
  - Path-based rules: Route traffic based on URL path
- ALBs support EC2, ECS, EKS, Lambda, HTTPS, HTTP/2 and WebSockets, and they can be integrated with AWS Web Application Firewall (WAF).
- Use an ALB if you need to use containers or microservices.
- Targets -> Target Groups -> Content Rules
- An ALB can host multiple SSL certificates using SNI.

Diagram: a listener and rules on the ALB route pets.com/dog and pets.com/cat to different target groups, which contain instances and container instances.
Network Load Balancers (NLBs) are the newest type of load balancer and operate at Layer 4 of the OSI network model. There are a few scenarios and benefits to using an NLB versus an ALB:
- Can support protocols other than HTTP/S because it forwards upper layers unchanged
- Less latency because no processing above Layer 4 is required
- IP addressable (static address)
- Best load balancing performance within AWS
- Source IP address preservation (packets unchanged)
- Targets can be addressed using IP address

Diagram: an NLB with two listeners and rules (TCP 8080 and TCP 80) forwarding to target groups addressed by IP: 10.0.1.126, 10.0.1.128, 10.0.2.126, and 10.0.2.128.
Launch templates and launch configurations allow you to configure various configuration attributes that can be used to launch EC2 instances. Typical configurations that can be set include:

- AMI to use for EC2 launch
- Instance type
- Storage
- Key pair
- IAM role
- User data
- Purchase options
- Network configuration
- Security group(s)

Launch templates address some of the weaknesses of the legacy launch configurations and add the following features:

- Versioning and inheritance
- Tagging
- More advanced purchasing options
- New instance features, including:
  - Elastic graphics
  - T2/T3 unlimited settings
  - Placement groups
  - Capacity reservations
  - Tenancy options

Launch templates should be used over launch configurations where possible. Neither can be edited after creation: a new version of the template or a new launch configuration should be created.
Auto Scaling groups use launch configurations or launch templates and allow automatic scale-out or scale-in based on configurable metrics. Auto Scaling groups are often paired with elastic load balancers.

Diagram: an Auto Scaling group with Minimum Size 1, Desired Capacity 2, and Maximum Capacity 4. Auto Scaling groups can be configured to use multiple Availability Zones to improve high availability. Unhealthy instances are terminated and recreated. ELB health checks or EC2 status can be used.

Metrics such as CPU utilization or network transfer can be used either to scale out or scale in using scaling policies. Scaling can be manual, scheduled, or dynamic. Cooldowns can be defined to ensure rapid in/out events don't occur.

Scaling policies can be simple, step scaling, or target tracking.
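A small simulator for the scaling behaviour described above, as an added Python example that is not part of the course notes. The group bounds (min 1, desired 2, max 4) come from the diagram; the CPU thresholds, step sizes, target value and cooldown are assumed, and the cooldown is applied to every policy here for simplicity.

```python
import math
from dataclasses import dataclass, field

# Added example, not from the course notes. Thresholds, steps, target and
# cooldown are assumed values.


@dataclass
class AutoScalingGroup:
    min_size: int = 1
    desired: int = 2
    max_size: int = 4
    cooldown: int = 300               # seconds a new activity must wait
    last_activity: int = -10**9       # time of the last scaling activity
    history: list = field(default_factory=list)

    def set_desired(self, value: int, now: int) -> str:
        """Apply a new desired capacity, clamped to [min, max]; says what happened."""
        if now - self.last_activity < self.cooldown:
            return "cooldown"         # rapid in/out events are suppressed
        clamped = max(self.min_size, min(self.max_size, value))
        if clamped == self.desired:
            return "unchanged"        # e.g. already at the maximum
        self.desired = clamped
        self.last_activity = now
        self.history.append((now, clamped))
        return "scaled"


# Step scaling: (lower bound, upper bound or None, change in instances).
# Assumed thresholds: +1 above 60% CPU, +2 above 80%, -1 below 20%.
STEPS = [(80, None, +2), (60, 80, +1), (0, 20, -1)]


def step_adjustment(cpu: float, steps=STEPS) -> int:
    """Capacity change for the step whose bounds contain the metric value."""
    for lower, upper, change in steps:
        if cpu >= lower and (upper is None or cpu < upper):
            return change
    return 0


def target_tracking_capacity(current: int, cpu: float, target: float) -> int:
    """Capacity that would bring average CPU to the target, rounded up so the
    group never under-provisions (2 instances at 85% with a 50% target -> 4)."""
    return math.ceil(current * cpu / target)


def run_step_policy(group: AutoScalingGroup, samples) -> list:
    """samples: iterable of (timestamp, cpu). Returns one outcome per sample."""
    outcomes = []
    for now, cpu in samples:
        change = step_adjustment(cpu)
        if change == 0:
            outcomes.append("no-op")
            continue
        outcomes.append(group.set_desired(group.desired + change, now))
    return outcomes
```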
VPN and Direct Connect

This topic walks through the hybrid connectivity options within AWS, covering VPC VPN and Direct Connect.
VPC Virtual Private Networks (VPNs) provide a software-based secure connection between a VPC and on-premises networks.

VPC VPN Components
- A Virtual Private Cloud (VPC)
- Virtual private gateway (VGW) attached to a VPC
- A customer gateway (CGW): configuration for the on-premises router
- VPN connection (using one or two IPsec tunnels)

Best Practice and HA
- Use dynamic VPNs (uses BGP) where possible
- Connect both tunnels to your CGW: VPC VPN is HA by design
- Where possible, use two VPN connections and two CGWs

Diagram: the VPC router exposes two VPN endpoints (VPN1 endpoint A and VPN2 endpoint B), each with an IPsec tunnel to its own customer gateway (CGW1 and CGW2) in the data center.
A Direct Connect (DX) is a physical connection between your network and AWS either directly via a cross-connect and customer router at a DX location or via a DX partner.

Dedicated Connections are direct via AWS and use single-mode fiber, running either 1 Gbps using 1000Base-LX or 10 Gbps using 10GBASE-LR.

Virtual interfaces (VIFs) run on top of a DX. Public VIFs can access AWS public services such as S3 only. Private VIFs are used to connect into VPCs. DX is not highly available or encrypted.

Diagram: the customer on-premises router connects to a customer or partner router at the DX location, which connects to the AWS Direct Connect router. A private VIF reaches the VPC via a VGW; a public VIF reaches public services such as S3 and DynamoDB.
Choosing between Direct Connect (DX) and VPC VPN is a critical part of any connectivity-based exam questions.

VPN
- Urgent need: can be deployed in minutes
- Cost constrained: cheap and economical
- Low end or consumer hardware (DX requires BGP)
- Encryption required
- Flexibility to change locations
- Highly available options available
- Short-term connectivity (DX generally has physical minimums due to the physical transit connections required); not applicable if you are in a DX location because then it's almost on demand

Direct Connect
- Higher throughput
- Consistent performance (throughput)
- Consistent low latency
- Large amounts of data: cheaper than VPN for higher volume
- No contention with existing internet connection

Both
- VPN as a cheaper HA option for DX
- VPN as an additional layer of HA (in addition to two DX)
- If some form of connectivity is needed immediately, provides it before the DX connection is live
- Can be used to add encryption over the top of a DX (public VIF VPN)
Snowball and Snowmobile

This small topic walks through the architecture and features of Snowball, Snowball Edge, and Snowmobile: three services designed to transfer large amounts of data between business premises and AWS.
AWS provides three methods for moving large amounts of data quickly in and out of AWS:
- Snowball
- Snowball Edge
- Snowmobile

With any of the snow* devices, you don't need to worry about writing code or the speed or data allocation of your internet, VPN, or DX connection. With snow*, you log a job and receive an empty device or one full of the data requested. You can perform a data copy with your usual tooling and ship the device back.

Snowball
- Can be used for in or out jobs
- Log a job and an empty device or device with data is shipped
- Ideal for TB or PB data transfers: 50 TB or 80 TB capacity per Snowball
- 1 Gbps (RJ45 1Gbase-TX) or 10 Gbps (LR/SR) using an SFP
- Data encryption using KMS
- Generally used from 10 TB -> 10 PB (the economical range)
- Larger jobs or multiple locations can use multiple Snowballs
- End-to-end process time is low for the amount of data: week(s)
Snowball Edge
- Includes both storage and compute
- Larger capacity
- 10 Gbps (RJ45), 10/25 Gbps (SFP), 45/50/100 Gbps (QSFP+)
- Compute can be used for local instances or Lambda functionality
- Three versions:
  - Edge Storage Optimized: 80 TB, 24 vCPU, and 32 GiB RAM
  - Edge Compute Optimized: 100 TB + 7.68 TB NVMe, 52 vCPUs, and 208 GiB RAM
  - Edge Compute Optimized with GPU: As above with a GPU equivalent to a P3 EC2 instance
- Compute can be used for local IoT, for data processing prior to ingestion into AWS, and much more
- Used in the same type of situations as Snowballs but when compute is required

Snowmobile
- Portable storage data center within a shipping container on a semi truck
- Available in certain areas via special order from AWS
- Used when single location 10 PB+ is required
- Each Snowmobile can transfer up to 100 PB
- Not economical for sub 10 PB and where multiple locations are required
- Situated on site and connected into your data center for the duration of the transfer
Data and DB Migration

This topic will cover two important data migration products: Storage Gateway and the Database Migration Service.
Storage Gateway is a hybrid storage service that allows you to migrate data into AWS, extending your on-premises storage capacity using AWS. There are three main types of Storage Gateway: file gateway, volume gateway, and tape gateway.

Diagram: on-premises file, volume, and VTL (tape) gateways store data in S3, S3-IA, and Glacier. File gateway data can be accessed directly from S3. Volumes can use an AWS-deployed Storage Gateway accessed by instances.
Database Migration Service (AWS DMS) is a service to migrate relational databases. It can migrate to and from any locations with network connectivity to AWS.
- DMS is compatible with a broad range of DB sources, including Oracle, MS SQL, MySQL, MariaDB, PostgreSQL, MongoDB, Aurora, and SAP.
- Data can be synced to most of the above engines, as well as Redshift, S3, and DynamoDB.
- You can also use the Schema Conversion Tool (AWS SCT) to transform between different database engines as part of a migration.

Diagram: AWS DMS runs a replication instance; a replication task reads from the source endpoint (source database) and writes to the destination endpoint (target database).

With DMS at a high level, you provision a replication instance, define source and destination endpoints that point at source and target databases, and create a replication task. DMS handles the rest, and you can continue using your database while the process runs. DMS is useful in a number of common scenarios:

- Scaling database resources up or down without downtime
- Migrating databases from on-premises to AWS, from AWS to on-premises, or to/from other cloud platforms
- Moving data between different DB engines, including schema conversion
- Partial/subset data migration
- Migration with little to no admin overhead, as a service
ID Federation and SSO

This topic will walk through the architecture and ideal scenarios for identity federation and SSO.
Identity federation (IDF) is an architecture where identities of an external identity provider (IDP) are recognized. Single sign-on (SSO) is where the credentials of an external identity are used to allow access to a local system (e.g., AWS).

Types of IDF include:

- Cross-account roles: A remote account (IDP) is allowed to assume a role and access your account's resources.
- SAML 2.0 IDF: An on-premises or AWS-hosted directory service instance is configured to allow Active Directory users to log in to the AWS console.
- Web Identity Federation: IDPs such as Google, Amazon, and Facebook are allowed to assume roles and access resources in your account.

Cognito and the Secure Token Service (STS) are used for IDF. A federated identity is verified by an external IDP; by proving that identity (using a token or assertion of some kind), it is allowed to swap that ID for temporary AWS credentials by assuming a role.
SAML 2.0 Federation

Diagram: an enterprise desktop logs in to the enterprise identity provider (ADFS portal and IDP), which authenticates the user against the identity store and issues a token (SAML assertion). The browser is redirected to the AWS SSO endpoint and posts the SAML assertion; STS assumes the role and returns temporary credentials, which the browser uses to open the AWS console.
Web Identity Federation

Diagram: a web or mobile application allows anonymous usage, then redirects the user to the Google ID provider for login and receives a token. Amazon Cognito exchanges that token (Google/Cognito token exchange) with STS for temporary credentials, which the application uses for resource access to Amazon DynamoDB.
What is just as important as how to use IDF is when to use IDF. The exam will test your understanding of situations where IDF should be used versus IAM identities.

Enterprise Access to AWS Resources
- Users/staff have an existing pool of identities.
- You need those identities to be used across all enterprise systems, including AWS.
- Access to AWS resources using SSO.
- Potentially tens or hundreds of thousands of users, more than IAM can handle.
- You might have an ID team within your business.

Mobile and Web Applications
- Mobile or web application requires access to AWS resources.
- You need a certain level of guest access, and extra once logged in.
- Customers have other identities (Google, Twitter, Facebook, etc.) and need to use those.
- You don't want credentials stored within the application.
- Could be millions or more users, beyond the capabilities of IAM.
- Customers might have multiple third-party logins, but they represent one real person.

Centralized Identity Management (AWS Accounts)
- Tens or hundreds of AWS accounts in an organization.
- Need central store of IDs, either IAM or an external provider.
- Role switching used from an ID account into member accounts.
Application, Analytics, and Operations
Application Integration

In this topic, we will evaluate application integration products such as SNS, SQS, and Elastic Transcoder.
Diagram: publishers such as an HTTP/S API on the public internet or a CloudFormation stack in a private VPC send messages to an SNS topic; subscribers include an SQS queue, a Lambda function, and EC2 instances in an ASG.
SNS Essentials

- SNS coordinates and manages the sending and delivery of messages. Messages sent to a topic are delivered to subscribers.
- SNS is integrated with many AWS services and can be used for certain event notifications (e.g., CloudFormation stack creation).
- Using SNS, CloudWatch can notify admins of important alerts.
- SNS can be used for mobile push notifications.

SNS Components
- Topic
  - An isolated configuration for SNS, including permissions
  - Messages (<= 256 KB) are sent to a topic
  - Subscribers to that topic receive messages
- Subscriber
  - Endpoints that receive messages for a topic
  - HTTP(S)
  - Email and Email-JSON
  - SQS (message can be added to one or more queues)
  - Mobile push notifications (iOS, Android, Amazon, MS)
  - Lambda functions (function invoked)
  - SMS (cellular message)
- Publisher
  - An entity that publishes/sends messages to queues
  - Application
  - AWS services, including S3 (S3 events), CloudWatch, CloudFormation, etc.
SQS

Figure: Decoupled architecture. A front-end Auto Scaling pool of instances scales on incoming load from customers (CPU utilization) and places work on an SQS queue, with assets stored in an S3 bucket. A separate worker pool of instances behind the queue scales on the number of messages in the queue, so the two tiers scale independently.
SQS Essentials

- Simple Queue Service (SQS) provides fully managed, highly available message queues for inter-process/server/service messaging.
- SQS is used mainly to create decoupled architectures.
- Messages are added to a queue and retrieved via polling.

Polling Types
- Short polling: Available messages are returned ASAP; a short poll might return 0 messages. Causes an increased number of API calls.
- Long polling: Waits for messages for a given WaitTimeSeconds (up to 20 seconds).
  - More efficient: fewer empty API calls/responses

There are two types of queues: standard queues and FIFO queues.

Each SQS message can contain up to 256 KB of data but can link to data stored in S3 for any larger payloads.

When a message is polled, it is hidden in the queue. It can be deleted when processing is completed; otherwise, after the VisibilityTimeout period, it will return to the queue.

Queues can be configured with a maxReceiveCount, allowing messages that are repeatedly failing to be moved to a dead-letter queue.

Lambda functions can be invoked based on messages on a queue, offering better scaling and faster response than Auto Scaling groups for any messages that can be processed quickly.
Standard vs. FIFO Queues

Standard queues are distributed and scalable to nearly unlimited message volume. The order is not guaranteed (best-effort only), and messages are guaranteed to be delivered at least once but sometimes more than once, so consumers must be idempotent.

Figure: a standard queue delivering messages 6, 1, 4, 2, 3, 5 out of order.

FIFO queues ensure first-in, first-out delivery. Messages are delivered exactly once; duplicates sent within the deduplication interval are dropped. The throughput is limited to ~3,000 messages per second with batching or ~300 without by default.

Figure: a FIFO queue delivering messages 6, 5, 4, 3, 2, 1 in order.
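The queue semantics described in SQS Essentials and in Standard vs. FIFO Queues (visibility timeout, at-least-once redelivery, maxReceiveCount redrive to a dead-letter queue, FIFO de-duplication and per-group ordering) are easier to reason about with a runnable model. The following is an added example written for this page, not AWS code and not part of the course; it models the behaviour in memory, with the clock passed in explicitly so the outcome is deterministic. The 256 KB limit and the five-minute de-duplication window are the service's documented values; the rest is a simplification (no batching, no delay queues).

```python
"""In-memory model of SQS delivery semantics. Added example, not AWS code."""
import hashlib
import uuid

MAX_MESSAGE_BYTES = 256 * 1024   # SQS single-message limit
DEDUP_WINDOW_SECONDS = 5 * 60    # FIFO de-duplication interval


class Message:
    def __init__(self, body, group_id=None, dedup_id=None):
        self.id = str(uuid.uuid4())
        self.body = body
        self.group_id = group_id
        self.dedup_id = dedup_id
        self.receive_count = 0
        self.invisible_until = 0.0   # epoch seconds; visible once this time has passed


class Queue:
    def __init__(self, fifo=False, visibility_timeout=30, max_receive_count=None):
        self.fifo = fifo
        self.visibility_timeout = visibility_timeout
        self.max_receive_count = max_receive_count   # None: no dead-letter queue configured
        self.messages = []                           # insertion order == arrival order
        self.dead_letter = []                        # the redrive target
        self._dedup_seen = {}                        # FIFO only: dedup_id -> time first accepted

    def send(self, body, now, group_id=None, dedup_id=None):
        """Returns the message id, or None when a FIFO duplicate was dropped."""
        if len(body.encode()) > MAX_MESSAGE_BYTES:
            raise ValueError("body exceeds 256 KB: store the payload in S3 and send a pointer")
        if self.fifo:
            if group_id is None:
                raise ValueError("FIFO queues require a MessageGroupId")
            # Content-based de-duplication when the producer supplies no id.
            dedup_id = dedup_id or hashlib.sha256(body.encode()).hexdigest()
            first = self._dedup_seen.get(dedup_id)
            if first is not None and now - first < DEDUP_WINDOW_SECONDS:
                return None
            self._dedup_seen[dedup_id] = now
        msg = Message(body, group_id, dedup_id)
        self.messages.append(msg)
        return msg.id

    def receive(self, now, max_messages=1):
        """Deliver up to max_messages visible messages, hiding each for the visibility
        timeout. A message already received max_receive_count times is moved to the
        dead-letter queue instead of being delivered again."""
        delivered, keep, blocked_groups = [], [], set()
        for msg in self.messages:
            if msg.invisible_until > now:            # in flight with another consumer
                blocked_groups.add(msg.group_id)     # FIFO: later messages in its group wait
                keep.append(msg)
                continue
            if self.max_receive_count is not None and msg.receive_count >= self.max_receive_count:
                self.dead_letter.append(msg)         # exhausted its retries
                continue
            if len(delivered) >= max_messages or (self.fifo and msg.group_id in blocked_groups):
                keep.append(msg)
                continue
            msg.receive_count += 1
            msg.invisible_until = now + self.visibility_timeout
            blocked_groups.add(msg.group_id)
            delivered.append(msg)
            keep.append(msg)
        self.messages = keep
        return delivered

    def delete(self, message_id):
        """The consumer acknowledges success; only now does the message go away."""
        self.messages = [m for m in self.messages if m.id != message_id]


def demo_standard_redelivery():
    """A consumer that never deletes: the message is redelivered once the timeout
    lapses, then dead-lettered after maxReceiveCount receives."""
    q = Queue(visibility_timeout=30, max_receive_count=2)
    q.send("order-1", now=0)
    first = q.receive(now=0)       # delivered, hidden until t=30
    again = q.receive(now=10)      # nothing: still in flight
    second = q.receive(now=31)     # redelivered (at-least-once)
    third = q.receive(now=62)      # not delivered: moved to the dead-letter queue
    return len(first), len(again), len(second), len(third), len(q.dead_letter)


def demo_fifo_dedup_and_order():
    """A duplicate send is dropped, and the second message in a group is held
    back until the first has been deleted."""
    q = Queue(fifo=True, visibility_timeout=30)
    q.send("b1", now=0, group_id="g")
    dup = q.send("b1", now=1, group_id="g")              # same content within 5 minutes
    q.send("b2", now=2, group_id="g")
    first = q.receive(now=3, max_messages=10)             # only b1; b2 is queued behind it
    q.delete(first[0].id)
    second = q.receive(now=4, max_messages=10)            # now b2
    return dup is None, [m.body for m in first], [m.body for m in second]
```

The standard-queue demo is the reason consumers must be idempotent: the same message id is handed out twice before it is dead-lettered. Note that the redrive happens on the attempt that would exceed maxReceiveCount, so a message is never delivered more than maxReceiveCount times.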
Elastic Transcoder

Elastic Transcoder is an AWS service that allows you to convert media files from an input format to one or more output formats. It's delivered as a service, and you are billed a per-minute charge while using the service.

A pipeline is a queue for jobs. It stores source and destination settings, notification, security, and other high-level settings. Jobs are processed in the order they are added as resources allow.

A job defines the input object and up to 30 output objects/formats. Jobs are added to a pipeline in the same region and use the buckets defined in the pipeline for input/output.

Presets contain transcoding settings and can be applied to jobs to ensure output compatible with various devices, such as iPhones, tablets, or other form factors.

Pipelines can send notifications (via SNS) as jobs progress through various states. These might notify an administrator or initiate further event-driven processing.

Figure: a pipeline holding JOB2 behind JOB1; a job maps one INPUT to OUTPUT#1, OUTPUT#2, and OUTPUT#3.
Analytics

This topic will cover AWS analytics services, including Athena, EMR, Kinesis, and Redshift.
Amazon Athena is an interactive query service that utilizes schema-on-read, allowing you to run ad-hoc SQL-like queries on data from a range of sources. Results are returned in seconds, and you are billed for the amount of data each query scans, plus any existing S3 storage costs.

Source data formats: XML, JSON, CSV/TSV, AVRO, ORC, PARQUET.

- Athena can query many forms of structured, semi-structured, and unstructured data in S3.
- Athena can be used to query various AWS logs, including VPC Flow Logs, ELB logs, and CloudTrail logs delivered to S3.
- Tables are defined in a data catalog and are applied on read. Athena allows SQL queries against data stored on S3 through the schema-on-read tables.
- No data is modified by Athena, and output can be sent to visualization tools.

Figure: source data in S3 is read through schema-on-read tables defined in the data catalog.
Amazon Elastic MapReduce (EMR) is a tool for large-scale parallel processing of big data and other large data workloads. It's based on the Apache Hadoop framework and is delivered as a managed cluster using EC2 instances. EMR is used for huge-scale log analysis, indexing, machine learning, financial analysis, simulations, bioinformatics, and many other large-scale applications.

- The master node manages the cluster. It manages HDFS naming, distributes workloads, and monitors health. You log in to the master node via SSH. If the master node fails, the cluster fails.
- EMR clusters have zero or more core nodes, which are managed by the master node. They run tasks and manage data for HDFS. If they fail, it can cause cluster instability.
- Task nodes are optional. They can be used to execute tasks, but they have no involvement with important cluster functions, which means they can be used with spot instances. If task nodes fail, a core node starts the task on another task/core node.
- Data can be input from and output to S3. Intermediate data can be stored using HDFS in the cluster or EMRFS using S3.

Figure: a master node coordinating three core nodes and a task node.
Kinesis is a scalable and resilient streaming service from AWS. It is designed to ingest large amounts of data from hundreds, thousands, or even millions of producers. Consumers can access a rolling window of that data, or it can be stored in persistent storage or database products.

Figure: producers 1, 2 ... N write into an Amazon Kinesis stream (or Kinesis Data Firehose); consumers read from it.
Kinesis Essentials

Kinesis Stream

A Kinesis stream can be used to collect, process, and analyze a large amount of incoming data. A stream is a public service accessible from inside VPCs or from the public internet by an unlimited number of producers. Access is controlled with IAM, and a VPC interface endpoint keeps producer traffic off the public internet.

Kinesis streams include storage for all incoming data with a 24-hour default window, which can be increased to seven days for an additional charge. Data records are added by producers and read by consumers.

Kinesis Shard

Kinesis shards are added to streams to allow them to scale. A stream starts with at least one shard, which allows 1 MiB per second of ingestion (up to 1,000 records per second) and 2 MiB per second of consumption. Shards can be added to or removed from streams.

Kinesis Data Record

The basic entity written to and read from Kinesis streams; a data record can be up to 1 MB in size.

You would use Kinesis rather than SQS when you need many producers and many consumers as well as a rolling window of data. SQS is a queue (each message is consumed and deleted once); Kinesis allows lots of independent consumers reading the same data window.
Redshift is a petabyte-scale data warehousing solution. It's a column-based database designed for analytical workloads. Generally, a relational store like RDS would be used for OLTP workloads (e.g., queries, inserts, updates, and deletes), and Redshift would be used for OLAP (e.g., retrieval and analytics). Multiple databases become source data to be ingested into a data warehouse solution such as Redshift.

Figure: a leader node in front of several compute nodes, each divided into slices; data is loaded from and unloaded to S3.

Data can be loaded from S3 and unloaded to S3. Additionally, backups can be performed to S3, and various AWS services such as Kinesis (Data Firehose) can inject data into Redshift.
Logging and Monitoring

This topic will explore the core monitoring and logging products and features within AWS.
CloudWatch is a service that provides near real-time monitoring of AWS products. In essence, it's a metrics repository. You can import custom metric data in real time from some AWS services and on-premises platforms.

Data retention is based on granularity:
- One-hour metrics are retained for 455 days
- Five-minute metrics for 63 days
- One-minute metrics for 15 days

Metrics can be configured with alarms that can take actions, and data can be presented as a dashboard.

Figure: CloudWatch stores metrics (including custom metrics); an alarm on a metric can notify via SNS, trigger Auto Scaling, or be read by a client.
CloudWatch Metrics and Alarms

A CloudWatch metric is a set of data points over time. An example is CPU utilization of an EC2 instance.

Alarms can be created on metrics, taking an action if the alarm is triggered.

Alarms have three states:
- INSUFFICIENT_DATA: Not enough data to judge the state; alarms often start in this state.
- ALARM: The alarm threshold has been breached (e.g., > 90% CPU).
- OK: The threshold has not been breached.

Alarms have a number of key components:
- Metric: The data points over time being measured
- Threshold: Exceeding this is bad (static or anomaly detection)
- Period and evaluation periods: The length of each evaluation interval and how many consecutive intervals must breach the threshold before the alarm changes state
- Action: What to do when an alarm triggers
  - SNS (notification)
  - Auto Scaling (scaling policy)
  - EC2 (stop, terminate, reboot, or recover the instance)
CloudWatch Logs provides functionality to store, monitor, and access logs from EC2, on-premises servers, Lambda, CloudTrail, Route 53, VPC Flow Logs, custom applications, and much more. Metric filters can be used to analyze logs and create metrics (e.g., failed SSH logins).

- A log event is a timestamp and a raw message.
- A log stream is a sequence of log events with the same source.
- A log group is a container for log streams. It controls retention, monitoring, and access control.
- A metric filter pattern matches text in all log events in all log streams of whichever log group it's created on, creating a metric. An alarm can then be placed on that metric.

Figure: two log groups, each containing log streams of timestamped log events (YYYYMMDDHHMMSS MESSAGE); a metric filter on a log group feeds an alarm.
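The failed-SSH-login case mentioned above ties together the two preceding pages: a metric filter turns log events into a metric, and an alarm with evaluation periods turns the metric into INSUFFICIENT_DATA / OK / ALARM transitions. The following is an added example written for this page, not AWS code; the log lines are constructed, the filter implements only the term-and-phrase subset of CloudWatch filter pattern syntax, and the alarm is the "M out of N datapoints" evaluation with a GreaterThanOrEqualToThreshold comparison.

```python
"""Metric filter over log events plus alarm evaluation, modelling the
CloudWatch Logs -> metric -> alarm chain. Added example, not AWS code."""
import shlex
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sshd log lines (timestamp, message); not real data.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:05Z", "sshd[811]: Accepted publickey for deploy from 198.51.100.7 port 5100 ssh2"),
]
for _minute, _count in ((0, 1), (1, 6), (2, 7)):      # 1, 6 and 7 failures in three minutes
    for _i in range(_count):
        SAMPLE_EVENTS.append((
            f"2024-05-01T10:0{_minute}:{_i + 10:02d}Z",
            f"sshd[{900 + _i}]: Failed password for invalid user admin "
            f"from 203.0.113.{_i + 1} port {4000 + _i} ssh2",
        ))


def matches_filter(pattern, message):
    """Term filter: every term (quoted phrases allowed) must occur in the
    message; a term prefixed with '-' must not occur."""
    for term in shlex.split(pattern):
        if term.startswith("-"):
            if term[1:] in message:
                return False
        elif term not in message:
            return False
    return True


def build_metric(events, pattern, period_seconds=60):
    """Count matching events per period, like a metric filter with metric value 1.
    Returns [(period_start_epoch, count)] in time order; periods with no
    matching event produce no datapoint."""
    counts = defaultdict(int)
    for ts, message in events:
        if matches_filter(pattern, message):
            epoch = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
            counts[int(epoch) // period_seconds * period_seconds] += 1
    return sorted(counts.items())


class Alarm:
    """GreaterThanOrEqualToThreshold alarm evaluated over the most recent
    evaluation_periods datapoints that exist (gaps are not filled in)."""

    def __init__(self, threshold, evaluation_periods, datapoints_to_alarm=None):
        self.threshold = threshold
        self.evaluation_periods = evaluation_periods
        self.datapoints_to_alarm = datapoints_to_alarm or evaluation_periods

    def evaluate(self, datapoints):
        if len(datapoints) < self.evaluation_periods:
            return "INSUFFICIENT_DATA"
        window = [value for _, value in datapoints[-self.evaluation_periods:]]
        breaching = sum(1 for value in window if value >= self.threshold)
        return "ALARM" if breaching >= self.datapoints_to_alarm else "OK"


def run_detection(events=SAMPLE_EVENTS):
    """Alarm when two consecutive one-minute periods each see >= 5 failed SSH logins.
    Returns the per-period counts and the alarm state after each datapoint."""
    datapoints = build_metric(events, '"Failed password" -Accepted')
    alarm = Alarm(threshold=5, evaluation_periods=2)
    states = [alarm.evaluate(datapoints[:i + 1]) for i in range(len(datapoints))]
    return [count for _, count in datapoints], states
```

Requiring two breaching periods rather than one is the usual way to keep a single burst of typos from paging anyone; the real service additionally lets you choose how missing datapoints are treated, which this model does not.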
CloudTrail is a governance, compliance, risk management, and auditing service that records account activity within an AWS account. Any actions taken by users, roles, or AWS services are recorded to the service. Activity is recorded as a CloudTrail event, and by default you can view 90 days via event history. Trails can be created, giving more control over logging and allowing events to be stored in S3 and CloudWatch Logs (and so retained beyond 90 days).

Events can be management events that log control plane events (e.g., user login, configuring security, and adjusting security groups) or data events (e.g., object-level events in S3 or function-level events in Lambda). Data events are not recorded by default and must be enabled on a trail.

Figure: a user acting through the console issues StopInstances against EC2 and AuthorizeSecurityGroupIngress against a security group; CloudTrail records both events and delivers them to S3 and CloudWatch Logs.
VPC Flow Logs allows you to capture metadata about the traffic flowing in and out of network interfaces within a VPC. Flow logs can be placed on a specific network interface, a subnet, or an entire VPC and will capture metadata from the capture point and anything within it. Flow logs aren't real-time and don't capture the actual traffic, only metadata on the traffic. They can be delivered to CloudWatch Logs or to S3.

Flow logs capture account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, and log-status.

Flow logs don't capture some traffic, including traffic to the Amazon DNS server, Windows license activation, the instance metadata service (169.254.169.254), DHCP traffic, and traffic to the VPC router's reserved address.

Figure: flow logs can be enabled at the VPC, subnet, or network interface level and delivered to CloudWatch Logs or S3.
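The field list above is what you work with once flow logs land in CloudWatch Logs or S3, so a parser for that record layout and a couple of detections over it show what the metadata can and cannot tell you. The following is an added example written for this page, not AWS code. It assumes the default record format, which begins with a version field the slide omits; the records, account id, and interface id are constructed, and INTERNAL_NETWORKS is an assumed VPC address space you would replace with your own CIDRs.

```python
"""Parser and two detections for VPC Flow Log records. Added example, not AWS code."""
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INTEGER_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
FlowRecord = namedtuple("FlowRecord", FIELDS)

# Assumed VPC address space for this example; adjust to your own CIDRs.
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
ADMIN_PORTS = {22, 3389}
TCP = 6


def parse_record(line):
    """Return a FlowRecord, or None for NODATA/SKIPDATA records, which carry
    '-' in place of the traffic fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    if parts[-1] != "OK":
        return None
    return FlowRecord(*[int(v) if name in INTEGER_FIELDS else v for name, v in zip(FIELDS, parts)])


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def analyse(lines, scan_threshold=5):
    """Two detections over inbound TCP flows (source outside, destination inside the VPC):
    - scanners: external sources REJECTed on >= scan_threshold distinct destination ports
    - admin_from_internet: ACCEPTed flows from external sources to SSH/RDP"""
    rejected_ports = defaultdict(set)
    admin_from_internet = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec.protocol != TCP or is_internal(rec.srcaddr) or not is_internal(rec.dstaddr):
            continue
        if rec.action == "REJECT":
            rejected_ports[rec.srcaddr].add(rec.dstport)
        elif rec.dstport in ADMIN_PORTS:
            admin_from_internet.append((rec.srcaddr, rec.dstaddr, rec.dstport))
    scanners = sorted(src for src, ports in rejected_ports.items() if len(ports) >= scan_threshold)
    return scanners, admin_from_internet


def sample_lines():
    """Constructed records (not real traffic): a port scan from 203.0.113.9, one
    accepted SSH session from 198.51.100.7, ordinary internal traffic, an accepted
    HTTPS flow, and a NODATA record."""
    acct, eni, t0, t1 = "123456789012", "eni-0a1b2c3d4e5f6a7b8", 1714557600, 1714557660
    lines = [f"2 {acct} {eni} 203.0.113.9 10.0.1.5 4021 {port} 6 1 60 {t0} {t1} REJECT OK"
             for port in (21, 22, 23, 25, 80, 3389, 5432, 8080)]
    lines += [
        f"2 {acct} {eni} 198.51.100.7 10.0.1.5 5100 22 6 40 5200 {t0} {t1} ACCEPT OK",
        f"2 {acct} {eni} 10.0.1.5 10.0.2.8 41000 5432 6 120 90000 {t0} {t1} ACCEPT OK",
        f"2 {acct} {eni} 203.0.113.9 10.0.1.5 4100 443 6 10 2000 {t0} {t1} ACCEPT OK",
        f"2 {acct} {eni} - - - - - - - {t0} {t1} - NODATA",
    ]
    return lines
```

Two caveats follow directly from the page: records arrive after the aggregation interval, so this is retrospective detection rather than blocking; and traffic to 169.254.169.254 is never logged, so metadata-service abuse from a compromised instance will not show up here. For the S3 delivery path, the same fields are what an Athena table over the bucket would expose.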
Operations

This topic will review the architecture of some popular operations features of AWS.
CloudWatch Events has near real-time visibility of changes that happen within an AWS account. Using rules, you can match against certain events within an account and deliver those events to a number of supported targets.

Within rules, many AWS services are natively supported as event sources and deliver the events directly. For others, CloudWatch allows event pattern matching against CloudTrail events. Additional rules support scheduled events as sources, allowing a cron-style function for periodically passing events to targets.

Some examples of event targets include:
- EC2 instances
- Lambda functions
- Step Functions state machines
- SNS topics
- SQS queues

Figure: two example rules. A scheduled rule (daily at 2 a.m.) invokes a Lambda function that works on a DynamoDB table; a rule matching the CloudTrail StopLogging API call invokes a Lambda function (CTReEnable) that turns logging back on.
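The second rule in the figure, reacting to a CloudTrail StopLogging call, is the classic self-healing audit trail, and it also illustrates how CloudTrail events (previous page) are exposed to rules. The following is an added example written for this page, not AWS or course code. The event pattern uses the real EventBridge/CloudWatch Events shape for CloudTrail API calls, the matcher implements only exact-value matching (the subset the pattern needs), and RecordingCloudTrail is an in-memory stand-in with the same start_logging(Name=...) signature as boto3's cloudtrail client; the account id, trail ARN, and user are constructed.

```python
"""Event pattern matching and a StopLogging auto-remediation handler.
Added example, not AWS code."""

# Rule event pattern: fire on CloudTrail API calls that stop, delete or alter a trail.
TRAIL_TAMPER_PATTERN = {
    "source": ["aws.cloudtrail"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["cloudtrail.amazonaws.com"],
        "eventName": ["StopLogging", "DeleteTrail", "UpdateTrail"],
    },
}


def matches(pattern, event):
    """Every key in the pattern must be present in the event; a list means
    'the value must be one of these', a dict is matched recursively."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


class RecordingCloudTrail:
    """Stand-in for boto3.client('cloudtrail'); records the calls made."""
    def __init__(self):
        self.calls = []

    def start_logging(self, Name):
        self.calls.append(("start_logging", Name))


def handler(event, cloudtrail):
    """Target of the rule (the figure's CTReEnable function). Returns a summary
    dict for alerting, or None when the event does not match the rule."""
    if not matches(TRAIL_TAMPER_PATTERN, event):
        return None
    detail = event["detail"]
    trail = detail["requestParameters"]["name"]
    actor = detail.get("userIdentity", {}).get("arn")
    if detail["eventName"] == "StopLogging":
        cloudtrail.start_logging(Name=trail)   # turn the trail back on
    # DeleteTrail/UpdateTrail are not reversed automatically; they still raise the alert.
    return {"eventName": detail["eventName"], "trail": trail, "actor": actor}


def constructed_event(event_name):
    """A constructed event in the shape EventBridge delivers CloudTrail API calls."""
    return {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",
        "detail-type": "AWS API Call via CloudTrail",
        "source": "aws.cloudtrail",
        "account": "123456789012",
        "region": "us-east-1",
        "detail": {
            "eventSource": "cloudtrail.amazonaws.com",
            "eventName": event_name,
            "awsRegion": "us-east-1",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
            "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"},
        },
    }
```

The function's role needs only cloudtrail:StartLogging. Remediation of this kind is a detective control, not a preventive one: an actor who can call StopLogging can usually also disable the rule, so pair it with a service control policy that denies cloudtrail:StopLogging and cloudtrail:DeleteTrail outside a break-glass role.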
AWS Key Management Service (KMS) provides regional, secure key management and encryption and decryption services. KMS is FIPS 140-2 Level 2 validated, and certain aspects support Level 3 (exam hint). Everything in KMS is regional. KMS can use CloudHSM via custom key stores (FIPS 140-2 Level 3).

KMS manages customer master keys (CMKs), which are created in a region and never leave the region or KMS. They can encrypt or decrypt data up to 4 KB. CMKs have key policies and can be used to create other keys (data encryption keys).

- KMS can encrypt data up to 4 KB with a CMK; you supply the data and specify the key to use.
- It can decrypt data up to 4 KB; you provide the ciphertext, and it returns the plaintext.
- You can also re-encrypt up to 4 KB; you supply the ciphertext and the new key to use, and you are returned new ciphertext (at no point do you see the plaintext).

KMS can generate a data encryption key (DEK) using a CMK. You or a service can use a DEK to encrypt or decrypt data of any size. KMS supplies a plaintext version and an encrypted version of the DEK.

The encrypted DEK and encrypted data can be stored together. KMS is used to decrypt the DEK, which can then decrypt the data. The plaintext DEK should be discarded from memory as soon as the data has been encrypted.

Figure: envelope encryption. A CMK in KMS produces a data encryption key; the plaintext DEK encrypts the data, and the encrypted DEK is stored alongside the encrypted data.
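The envelope-encryption flow above (GenerateDataKey, encrypt locally with the plaintext DEK, store the encrypted DEK with the ciphertext, Decrypt the DEK later, ReEncrypt without ever seeing plaintext) is worth seeing end to end. The following is an added example written for this page, not AWS code. FakeKms is a stand-in for the KMS API surface with boto3's parameter names; it keeps master key material inside the object and enforces the 4 KB payload limit. seal/open_sealed are an HMAC-based stand-in for the AES-GCM the real services use, included only so the example runs offline with the standard library; the key ARN's account and region are assumed values.

```python
"""Envelope encryption against a stand-in for the KMS API. Added example, not AWS code."""
import hashlib
import hmac
import json
import os
import secrets
import uuid

KMS_PAYLOAD_LIMIT = 4096   # Encrypt/Decrypt/ReEncrypt accept at most 4 KB


def _context_bytes(context):
    # KMS binds the encryption context to the ciphertext as authenticated data.
    return json.dumps(context or {}, sort_keys=True).encode()


def _keystream(key, nonce, length):
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(key, plaintext, aad=b""):
    """Stand-in AEAD (encrypt-then-MAC over an HMAC keystream); not a recommendation."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + len(aad).to_bytes(4, "big") + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob, aad=b""):
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + len(aad).to_bytes(4, "big") + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key, wrong encryption context, or tampering")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class FakeKms:
    """Master key material never leaves this object, mirroring a CMK staying in KMS."""
    def __init__(self):
        self._keys = {}

    def create_key(self):
        key_id = f"arn:aws:kms:us-east-1:123456789012:key/{uuid.uuid4()}"   # assumed account/region
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id

    def encrypt(self, KeyId, Plaintext, EncryptionContext=None):
        if len(Plaintext) > KMS_PAYLOAD_LIMIT:
            raise ValueError("KMS encrypts at most 4 KB directly; use a data key for larger data")
        blob = KeyId.encode() + b"\0" + seal(self._keys[KeyId], Plaintext, _context_bytes(EncryptionContext))
        return {"CiphertextBlob": blob, "KeyId": KeyId}

    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        key_id, sealed = CiphertextBlob.split(b"\0", 1)   # the blob records which CMK was used
        key_id = key_id.decode()
        plaintext = open_sealed(self._keys[key_id], sealed, _context_bytes(EncryptionContext))
        return {"Plaintext": plaintext, "KeyId": key_id}

    def generate_data_key(self, KeyId, EncryptionContext=None):
        dek = secrets.token_bytes(32)
        return {"Plaintext": dek, "KeyId": KeyId,
                "CiphertextBlob": self.encrypt(KeyId, dek, EncryptionContext)["CiphertextBlob"]}

    def re_encrypt(self, CiphertextBlob, DestinationKeyId, SourceEncryptionContext=None,
                   DestinationEncryptionContext=None):
        # The plaintext exists only inside this method and is never returned to the caller.
        plaintext = self.decrypt(CiphertextBlob, SourceEncryptionContext)["Plaintext"]
        return self.encrypt(DestinationKeyId, plaintext, DestinationEncryptionContext)


def envelope_encrypt(kms, key_id, data, context):
    dk = kms.generate_data_key(KeyId=key_id, EncryptionContext=context)
    plaintext_dek = dk.pop("Plaintext")               # use it once, then let it go
    ciphertext = seal(plaintext_dek, data)            # the DEK encrypts data of any size
    return {"encrypted_dek": dk["CiphertextBlob"], "ciphertext": ciphertext}   # stored together


def envelope_decrypt(kms, envelope, context):
    dek = kms.decrypt(CiphertextBlob=envelope["encrypted_dek"], EncryptionContext=context)["Plaintext"]
    return open_sealed(dek, envelope["ciphertext"])
```

Two properties carry over to the real service: only the small DEK ever crosses the KMS API boundary, so the 4 KB limit is never a constraint on data size, and a caller who presents the wrong encryption context cannot decrypt the DEK even with kms:Decrypt on the key. Re-encrypting the stored DEK under a new CMK rotates the wrapping key without touching the bulk ciphertext.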
Customer Master Keys (CMKs)

There are three types of CMK:

Type             | Can View | Can Manage | Dedicated to My Account
Customer Managed | Yes      | Yes        | Yes
AWS Managed CMK  | Yes      | No         | Yes
AWS Owned CMK    | No       | No         | No

AWS Managed CMK: Used by default if you pick encryption within most AWS services and named aws/service-name. Only the service they belong to can use them directly.

Customer Managed CMK: Certain services allow you to pick a CMK you manage. Customer managed CMKs allow key rotation configuration, and they can be controlled via key policies and enabled/disabled.

AWS Owned CMK: Keys used by AWS on a shared basis across many accounts; you normally don't see these.
Deployment

This topic will walk through a number of deployment products within AWS.
CloudFormation is an Infrastructure as Code (IaC) product; you can create, manage, and remove infrastructure using JSON or YAML.

1. Template: A CFN template is JSON or YAML. It contains logical resources and configuration.
2. Stack: Stacks are created and modified based on templates, which can be changed and used to update a stack.
3. Physical Resources: Stacks take logical resources from a template and create, update, or delete the physical resources in AWS.

CloudFormation is effective if you frequently deploy the same infrastructure or you require guaranteed consistent configuration.
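Because a template is the single place the logical resources are defined, the "guaranteed consistent configuration" benefit extends to security: the template can be checked before any stack is created or updated. The following is an added example written for this page, not AWS or course code. The template is constructed for illustration (the VPC id is a placeholder), and the two checks are ones a reviewer would run in CI: security group ingress open to the world on anything other than a single web port, and S3 buckets with no default encryption. It does not resolve intrinsic functions such as Ref or Fn::Sub, so a CidrIp supplied through a parameter is not inspected; for production use, tools such as cfn-lint, cfn-nag, and cfn-guard cover that ground.

```python
"""Static security checks over a CloudFormation template. Added example, not AWS code."""

WORLD = {"0.0.0.0/0", "::/0"}
WEB_PORTS = {80, 443}

TEMPLATE = {   # constructed template, not from the course
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "WebSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "web tier",
                "VpcId": "vpc-0123456789abcdef0",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
        "DbSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "database tier",
                "VpcId": "vpc-0123456789abcdef0",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                     "SourceSecurityGroupId": {"Ref": "WebSg"}},
                ],
            },
        },
        "AssetBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "LogBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketEncryption": {"ServerSideEncryptionConfiguration": [
                {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
        },
    },
}


def describe_rule(rule):
    proto = rule.get("IpProtocol")
    if proto in ("-1", -1):
        return "all traffic"
    return f"{proto} {rule.get('FromPort')}-{rule.get('ToPort')}"


def check_world_open_ingress(logical_id, resource):
    """Flag any ingress from 0.0.0.0/0 or ::/0 that is not a single web port."""
    findings = []
    for rule in resource.get("Properties", {}).get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in WORLD:
            continue   # peer is a security group or a specific range; not this check's concern
        single_web_port = (rule.get("IpProtocol") == "tcp"
                           and rule.get("FromPort") == rule.get("ToPort")
                           and rule.get("FromPort") in WEB_PORTS)
        if not single_web_port:
            findings.append((logical_id, f"ingress from {cidr} to {describe_rule(rule)}"))
    return findings


def check_bucket_encryption(logical_id, resource):
    if "BucketEncryption" not in resource.get("Properties", {}):
        return [(logical_id, "no BucketEncryption configured")]
    return []


CHECKS = {
    "AWS::EC2::SecurityGroup": check_world_open_ingress,
    "AWS::S3::Bucket": check_bucket_encryption,
}


def lint(template):
    """Return (logical_id, message) findings, in template order."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check:
            findings.extend(check(logical_id, resource))
    return findings
```

Run as a pipeline gate, a non-empty result from lint() fails the build before CloudFormation ever sees the template, which is cheaper and safer than discovering the open port after the stack exists.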
Elastic Beanstalk (EB) is a Platform as a Service product. It allows you to deploy code and, with very little effort or modification, the service will provision the infrastructure on your behalf.

Elastic Beanstalk handles provisioning, monitoring, Auto Scaling, load balancing, and software updating for you; you are responsible only for your application code and pay only for the underlying resources EB provisions.

Elastic Beanstalk supports a number of languages and platforms:
- Java
- .NET
- Node.js
- PHP
- Ruby
- Python
- Go
- Docker
- Apache
- IIS
- Nginx
- Tomcat

Patterns and Anti-Patterns for Elastic Beanstalk
- YES: To provision an environment for an application with little admin overhead
- YES: If you use one of the supported languages and can add EB-specific config
- NO: If you want low-level infrastructure control
- NO: If you need Chef support

Deployment Options

All at Once: An updated application version is deployed to all instances. Quick and simple but not recommended for production deployments.

Rolling: Splits instances into batches and deploys one batch at a time.

Rolling with additional Batch: As above, but provisions a new batch first, deploying and testing before removing the old batch, so full capacity is maintained during the deployment. (A separate Immutable policy deploys to an entirely new set of instances and swaps them in.)

Blue/Green: Maintain two environments, deploy, and swap CNAME.
Elastic Beanstalk (High Level)

Figure: an Elastic Beanstalk application containing a worker-tier environment and two web-server-tier environments, la-blue-env (http://la-blue-env.....) and la-green-env (http://la-green-env.....); a blue/green deployment swaps the environment URLs.
Elastic Beanstalk (Detailed)

Figure: inside an Elastic Beanstalk environment (http://la-blue-env.....): a Route 53 name points at the environment, an Auto Scaling group and security group hold the instances, each instance runs a Host Manager (HM), and the environment can include a database.

HM = Host Manager
- Deploy applications
- Events and metrics
- App and server logs
- OpsWorks is an implementation of the Chef configuration management and deployment platform.
- OpsWorks moves away from the low-level configurability of CloudFormation but not as far as Elastic Beanstalk.
- OpsWorks lets you create a stack of resources with layers and manage resources as a unit.

OpsWorks Components

- Stacks
  - A unit of managed infrastructure
  - Can use stacks per application or per platform
  - Could use stacks for development, staging, or production environments
- Layers
  - Comparable to application tiers within a stack
  - e.g., database layer, application layer, proxy layer
  - Recipes are generally associated with layers and configure what to install on instances in that layer
- Instances
  - Instances are EC2 instances associated with a layer
  - Configured as 24/7, load based, or time based
- Apps
  - Apps are deployed to layers from a source code repo or S3
  - Actual deployment happens using recipes on a layer
  - Other recipes are run when deployments happen, potentially to reconfigure other instances
- Recipes (run at lifecycle events)
  - Setup: Executed on an instance when first provisioned
  - Configure: Executed on all instances when instances are added or removed
  - Deploy and Undeploy: Executed when apps are added or removed
  - Shutdown: Executed when an instance is shut down but before it's stopped
Exam Preparation

The AWS Certified Solutions Architect - Associate examination is intended for individuals who perform a solutions architect role and have one or more years of hands-on experience designing available, cost-effective, fault-tolerant, and scalable distributed systems on AWS.

Exam Overview:
- Multiple choice, multiple answer
- 130 minutes
- $150 USD

Domain                                                 | % of Examination
Domain 1: Design Resilient Architectures               | 34%
Domain 2: Define Performant Architectures              | 24%
Domain 3: Specify Secure Applications and Architectures | 26%
Domain 4: Design Cost-Optimized Architectures          | 10%
Domain 5: Define Operationally Excellent Architectures | 6%

Domain 1: Design Resilient Architectures
- 1.1 Choose reliable/resilient storage.
- 1.2 Determine how to design decoupling mechanisms using AWS services.
- 1.3 Determine how to design a multi-tier architecture solution.
- 1.4 Determine how to design high availability and/or fault tolerant architectures.

Domain 2: Define Performant Architectures
- 2.1 Choose performant storage and databases.
- 2.2 Apply caching to improve performance.
- 2.3 Design solutions for elasticity and scalability.

Domain 3: Specify Secure Applications and Architectures

- 3.1 Determine how to secure application tiers.
- 3.2 Determine how to secure data.
- 3.3 Define the networking infrastructure for a single VPC application.



Domain 4: Design Cost-Optimized Architectures

- 4.1 Determine how to design cost-optimized storage.
- 4.2 Determine how to design cost-optimized compute.



Domain 5: Define Operationally Excellent Architectures

- 5.1 Choose design features in solutions that enable operational excellence.

