- Centralized control of AWS account.
- Shared access to AWS account.
- Create granular permissions.
- Identity Federation (i.e. log in with Google, Facebook, etc).
- Multi-factor authentication
- Can create temporary access for user/devices and services.
- Can create password rotation policy.
- Supports PCI DSS Compliance: payment card security standards.
- User: the end user, such as an employee or bot (Jenkins brewmaster).
- Group: a collection of Users. The Users in the Group inherit the permissions of the Group.
- Policy: a collection of specific permissions to use delineated AWS resources (aka Policy Documents).
- Role: a set of Policies that can be assigned to Users, Groups, or directly to certain AWS Resources (such as EC2).
- IAM resources are universal; they are not tied to specific regions.
- The Root account is created for every new AWS account and has full admin access (dangerous).
- General AWS protocol is to provide the least permissions.
- All subsequent users are created with no access, and so must be assigned Roles and/or Policies to become useful.
- New users are assigned (1) an Access Key ID and (2) a Secret Access Key when first created. Store these safely, as the secret cannot be viewed again from the AWS console. These credentials are used for programmatic (CLI/API) access to AWS.
- Always set up MFA for the root user of a new account, since it has full admin access.
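The bullets above describe how IAM decides a request: a new user has no access, Users inherit their Groups' Policies, and the least-privilege default is deny. The following is an added illustration (not AWS code, and not from the original notes) that models that evaluation order on constructed policy documents in the IAM JSON shape; the user, group and bucket names are made up. Conditions, `NotAction`/`NotResource` and resource-based policies are deliberately left out.

```python
"""Toy model of IAM identity-based policy evaluation (added example, not AWS code).

Order implemented: a new user with no policies is implicitly denied; an Allow
in any attached user or group policy grants access; an explicit Deny anywhere
wins over every Allow.
"""
import fnmatch

# Constructed policy documents; bucket and account names are placeholders.
READ_ONLY_EXAMPLE_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket",
                     "arn:aws:s3:::example-bucket/*"],
    }],
}
DENY_ALL_DELETES = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}],
}
ADMIN_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Groups and users (made up): a user inherits every policy of every group it is in.
GROUPS = {
    "readers": {"policies": [READ_ONLY_EXAMPLE_BUCKET]},
    "admins": {"policies": [ADMIN_ACCESS]},
}
USERS = {
    "new-hire": {"groups": [], "policies": []},           # created with no access
    "analyst": {"groups": ["readers"], "policies": []},
    "ops-bot": {"groups": ["admins"], "policies": [DENY_ALL_DELETES]},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are case-insensitive; '*' and '?' are the only wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, arn):
    # Resource ARNs are matched case-sensitively with the same wildcards.
    return any(fnmatch.fnmatchcase(arn, p) for p in _as_list(patterns))


def effective_policies(user_name, users=USERS, groups=GROUPS):
    """All identity-based policies that apply to a user: its own plus its groups'."""
    user = users[user_name]
    policies = list(user["policies"])
    for group in user["groups"]:
        policies.extend(groups[group]["policies"])
    return policies


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one request against a set of policies."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _action_matches(stmt["Action"], action):
                continue
            if not _resource_matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"        # explicit deny: nothing can override it
            allowed = True           # remember the allow; a later deny may still win
    return "Allow" if allowed else "Deny"   # no matching statement: implicit deny


def is_allowed(user_name, action, resource):
    return evaluate(effective_policies(user_name), action, resource) == "Allow"


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    for user, action in [("new-hire", "s3:GetObject"), ("analyst", "s3:GetObject"),
                         ("analyst", "s3:PutObject"), ("ops-bot", "s3:DeleteObject"),
                         ("ops-bot", "ec2:RunInstances")]:
        print(f"{user:9} {action:18} -> {'Allow' if is_allowed(user, action, obj) else 'Deny'}")
```

The `ops-bot` case is the one worth remembering: membership in an admin group does not help once a Deny on `s3:Delete*` is attached directly to the user, which is exactly why a guard-rail policy is written as an explicit Deny rather than as a narrower Allow.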
- One of the first services offered by AWS.
- S3 provides secure, durable, highly scalable object storage.
- Object storage is not suitable for operating system installations. See EBS and EFS instead.
- Object storage (also known as object-based storage) is a computer data storage architecture that manages data as objects, as opposed to other storage architectures like file systems, which manage data as a file hierarchy, and block storage, which manages data as blocks within sectors and tracks.
- Key: the name of the object.
- Value: the data.
- Version Id: for versioned buckets, a reference to a given version.
- Metadata: such as creation date, tags.
- Access Control Lists: fine-grained controls on storage access.
- Files can range from 0 bytes to 5 terabytes.
- Files are stored in buckets. There is no limit on bucket size.
- Universal namespace, so all bucket names must be globally unique.
- The largest object that can be uploaded in a single PUT is 5 gigabytes. For objects larger than 100 megabytes, customers should consider using the Multipart Upload capability.
- When a file is uploaded, if successful then you will receive an HTTP 200 response.
- S3 provides (1) tiered storage; (2) lifecycle management; (3) versioning; and (4) encryption, as additional services.
- Access can be provided at the bucket-level (via Bucket Policies) or object-level (via Access Control Lists).
- Read-after-write Consistency for PUTs of new objects.
- Eventual Consistency for overwrite PUTs and DELETEs (can take time to propagate).
- 99.9% guaranteed availability (three 9's) --> the data is accessible.
- Eleven 9's guaranteed durability --> the data won't be deleted.
- Three 9's availability.
- Eleven 9's durability.
- Stored redundantly on multiple devices in multiple facilities, i.e. across different Availability Zones.
- Designed to withstand the loss of 2 facilities concurrently.
- Designed for data that is infrequently accessed, but requires rapid access when needed.
- Lower base fee than S3, but charged for data retrieval.
- Same redundancies as S3 Standard.
- Designed for users who want an even lower cost than S3 IA and who do not require the same level of data resiliency.
- It's more or less all in the name.
- The cheapest storage, but with the longest retrieval time (standard is 3 to 5 hours).
- Intended for data archiving.
- Comes in three models: Expedited (minutes); Standard (3 to 5 hours); and Bulk (5 to 12 hours).
- Storage (amount of space)
- Requests (how many times an object is accessed)
- Storage Management (object tags, etc)
- Data Transfer (e.g. cross region replication)
- Transfer Acceleration (a service that uses AWS CloudFront edge locations to dramatically speed up file transfer rates).
- From the FAQ: Versioning allows you to preserve, retrieve, and restore every version of every object stored in an Amazon S3 bucket. Once you enable Versioning for a bucket, Amazon S3 preserves existing objects anytime you perform a PUT, POST, COPY, or DELETE operation on them. By default, GET requests will retrieve the most recently written version. Older versions of an overwritten or deleted object can be retrieved by specifying a version in the request.
- Not enabled by default.
- Once enabled, cannot be disabled; only suspended.
- Once enabled, stores all versions of an object (includes all writes, including deletes).
- Integrates with Lifecycle Management, e.g.
- Deletes are denoted by a delete flag.
- Versioning must be enabled on both source and destination buckets.
- Regions must be different (obviously).
- Existing files in source bucket are not replicated automatically; however, all subsequent updates are replicated automatically.
- Can use CLI to manually copy existing files in source bucket.
- Cannot replicate to multiple destination buckets or daisy chain (at this time).
- Delete markers are not replicated.
- Deletion of individual versions or delete markers are not replicated.
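The versioning and cross-region replication bullets above are easy to misread, so here is an added illustration (not AWS code and not part of the original notes) that models them: every PUT keeps prior versions, a plain DELETE only adds a delete marker so the default GET returns nothing while older versions stay retrievable, removing the marker undeletes the object, and replication copies new writes but neither delete markers nor objects that existed before replication was enabled. Object keys, contents and version ids are constructed.

```python
"""Toy model of S3 versioning and cross-region replication (added example, not AWS code)."""
import itertools

DELETE_MARKER = object()   # sentinel stored as the "value" of a delete-marker version


class VersionedBucket:
    def __init__(self):
        self._versions = {}            # key -> [(version_id, value), ...] oldest first
        self._next_id = itertools.count(1)

    def put(self, key, value):
        """Every write is a new version; nothing is overwritten."""
        version_id = f"v{next(self._next_id)}"
        self._versions.setdefault(key, []).append((version_id, value))
        return version_id

    def delete(self, key):
        """A DELETE without a version id inserts a delete marker; data is kept."""
        return self.put(key, DELETE_MARKER)

    def delete_version(self, key, version_id):
        """Permanently remove one version (or one delete marker, which undeletes)."""
        versions = self._versions.get(key, [])
        self._versions[key] = [v for v in versions if v[0] != version_id]

    def get(self, key, version_id=None):
        """Latest version by default, or a specific version. None models the 404."""
        versions = self._versions.get(key, [])
        if not versions:
            return None
        if version_id is None:
            _, value = versions[-1]
        else:
            matches = [val for vid, val in versions if vid == version_id]
            if not matches:
                return None
            value = matches[0]
        return None if value is DELETE_MARKER else value

    def list_versions(self, key):
        """[(version_id, is_delete_marker), ...] oldest first."""
        return [(vid, val is DELETE_MARKER) for vid, val in self._versions.get(key, [])]

    def keys(self):
        """Keys whose latest version is readable (not a delete marker)."""
        return [k for k in self._versions if self.get(k) is not None]


class ReplicatedPair:
    """Source bucket replicating to a destination bucket in another region."""

    def __init__(self, source, destination):
        self.source, self.destination = source, destination   # both must be versioned

    def put(self, key, value):
        version_id = self.source.put(key, value)
        self.destination.put(key, value)     # writes after enabling are replicated
        return version_id

    def delete(self, key):
        return self.source.delete(key)       # delete markers are not replicated

    def copy_existing(self):
        """Manual catch-up (what the notes do with the CLI) for pre-existing objects."""
        for key in self.source.keys():
            if self.destination.get(key) is None:
                self.destination.put(key, self.source.get(key))


def demo():
    """Run the constructed scenario and return the observations the notes describe."""
    src, dst = VersionedBucket(), VersionedBucket()
    src.put("old.txt", b"pre-existing")            # present before replication is set up
    pair = ReplicatedPair(src, dst)
    v1 = pair.put("report.csv", b"first")
    v2 = pair.put("report.csv", b"second")
    pair.delete("report.csv")
    return {
        "latest_after_delete": src.get("report.csv"),           # None: marker on top
        "old_version_still_there": src.get("report.csv", v1),   # b"first"
        "previous_version": src.get("report.csv", v2),          # b"second"
        "replica_unaffected_by_delete": dst.get("report.csv"),  # marker not replicated
        "preexisting_not_replicated": dst.get("old.txt"),       # None until copied
        "marker_count": sum(1 for _, m in src.list_versions("report.csv") if m),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:30} {value!r}")
```

The practical consequence for incident response: on a versioned bucket a "deleted" object is still one `delete_version` call away from being restored, and a deletion in the source region does not propagate to the replica, which is useful for recovery but means clean-up of sensitive data has to be done in both regions.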
- Use case: at set time intervals, move a file from S3 to S3 IA to Glacier, as the file's immediacy changes.
- Versioning is not required, but can be used.
- Can transition from S3 to S3 IA after a minimum of 30 days.
- Can transition from S3 IA to Glacier after a minimum of 30 days (or net 60 days from S3 --> S3 IA --> Glacier).
- Can use Lifecycle Management to permanently delete objects.
- By default, all new buckets are private; therefore, they cannot be accessed publicly.
- Security Levels
- Bucket Policy: bucket-level permissions.
- Access Control Lists: object-level permissions.
- S3 buckets can be configured to create access logs, which log all requests made to the bucket. The logs can be sent to a destination bucket and this destination bucket can reside in another account.
- Encryption Types
- In Transit using HTTPS SSL/TLS.
- At Rest Server Side Encryption (SSE): (1) S3 Managed Keys; (2) KMS Managed Keys; and (3) customer provided keys.
- At Rest Client Side Encryption: data is encrypted on client and then uploaded to S3.
- S3 Managed Keys (SSE-S3): every object gets a unique key, and the key itself is encrypted.
- Key Management Service (SSE-KMS): separate permissions for the envelope key. Provides an audit trail of key usage and by whom.
- Customer Provided Keys (SSE-C): Customer can use their own key(s).
- Storage Gateway is a virtual machine image that can be installed on a host in your data center. Once installed and associated with an AWS account, the gateway can be configured and provides a direct line into AWS.
- File Gateway (NFS): store flat files in S3.
- The file gateway enables you to store and retrieve objects in Amazon S3 using file protocols, such as NFS. Objects written through file gateway can be directly accessed in S3.
- Use cases for file gateway include: (a) migrating on-premises file data to Amazon S3, while maintaining fast local access to recently accessed data, (b) Backing up on-premises file data as objects in Amazon S3 (including Microsoft SQL Server and Oracle databases and logs), with the ability to use S3 capabilities such as lifecycle management, versioning and cross region replication, and, (c) Hybrid cloud workflows using data generated by on-premises applications for processing by AWS services such as machine learning, big data analytics or serverless functions.
- Volumes Gateway (iSCSI): The volume gateway provides block storage to your applications using the iSCSI protocol. Data on the volumes is stored in Amazon S3. To access your iSCSI volumes in AWS, you can take EBS snapshots which can be used to create EBS volumes. The snapshots capture the incremental changes to save space.
- Stored Volumes: store files on premise, back up to AWS.
- Cached Volumes: only store recently accessed data on premise, back up everything else to AWS. Helps minimize the need to scale at the local data center, while still providing low latency to frequently accessed data.
- Tape Gateway (VTL): The tape gateway provides your backup application with an iSCSI virtual tape library (VTL) interface, consisting of a virtual media changer, virtual tape drives, and virtual tapes. Virtual tape data is stored in Amazon S3 or can be archived to Amazon Glacier.
- Formerly known as Import/Export Disk.
- Essentially a standard piece of storage hardware for manually delivering (potentially) huge amounts of data directly into (and out of) AWS. Bypass the internet tubes!
- In their own words: AWS Snowball is a data transport solution that accelerates moving terabytes to petabytes of data into and out of AWS using storage devices designed to be secure for physical transport. Using Snowball helps to eliminate challenges that can be encountered with large-scale data transfers including high network costs, long transfer times, and security concerns.
- Snowball Types
- Snowball
- Snowball Edge: the same as Snowball, but with compute capability. Basically a mini AWS, so you can bring compute capacity to places where it does not typically exist. E.g., you can run a lambda from a Snowball Edge.
- Snowmobile: it's a truck.
- A CDN is a system of distributed servers that deliver content to a user based on geographic locations of (1) the user; (2) the origin of the content; and (3) the content delivery server.
- Edge Location: The location where the content is cached. Edge Locations are different than Regions and Availability Zones.
- Edge Locations support both read and write operations. If write, then changes are replicated back to Origin.
- Origin: The origin of all the files that the CDN will distribute, e.g. an S3 bucket, an EC2 instance, an ELB, or Route53.
- Distribution: The name of your CDN.
- Objects are cached for the Time To Live (TTL).
- Cache can be manually cleared, for a charge.
- Web Distribution: for distributing websites, derrrrrr.
- Real-Time Messaging Protocol (RTMP): for media streaming.
- EC2 is a web service that provides resizable compute capacity in the cloud. EC2 = speed in provisioning or eliminating capacity.
- Purchase and Pricing Options
- On Demand: pay fixed rate by the hour with no commitment.
- Reserved: provides reserved capacity in 1- or 3-years terms for significantly reduced costs.
- Spot: bid for capacity; no guarantees.
- If a spot instance is terminated by AWS, the consumer is not charged for the partial hour. However, if the consumer terminates the instance during a partial hour, the consumer is charged.
- Dedicated Hosts: dedicated physical EC2 server.
- Assign an IAM Role (i.e. limit permitted actions) to an EC2 in order to lock down blast radius from security breach.
- Mnemonic: "Fight Dr McPx"
- F - Field Programmable Gate Array: financial analytics, big data, real-time video processing.
- I - IOPS: high-speed storage, e.g. NoSQL DBs, data warehousing.
- G - Graphics: for video encoding, 3D application streaming.
- H - High Disk Throughput:
- T - t???: Cheap general purpose, e.g. T2 Micro
- D - Density: dense storage, e.g. fileservers, data warehousing
- R - RAM: for memory-intensive apps
- M - Main: general purpose applications.
- C - Compute: for CPU-intensive apps.
- P - general Purpose gpu: e.g. machine learning, bitcoin mining
- X - eXtreme Memory: memory optimized, e.g. SAP HANA or Apache Spark
- All Inbound Traffic is blocked by default.
- All Outbound Traffic is allowed by default.
- Changes to Security Groups take effect immediately.
- A Security Group can contain any number of EC2 instances.
- Multiple Security Groups can be attached to an EC2 instance.
- Security Groups are stateful: if an inbound rule allows traffic in, then that traffic (response) is allowed back out again.
- Security Group cannot block a specific IP address; to do so, use Network Access Control Lists.
- Security Groups are allow-lists only (a rule can only permit traffic); Network Access Control Lists have both allow and deny rules.
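To make the Security Group versus Network ACL contrast concrete, here is an added illustration (not AWS code and not from the original notes) that models both: a Security Group holds allow rules only and is stateful, so the reply to an admitted inbound flow leaves without consulting outbound rules; a Network ACL holds numbered allow/deny rules evaluated lowest-number-first, is stateless, and is therefore the place to block one address. The server and client addresses, ports and rule numbers are constructed.

```python
"""Toy model of EC2 Security Group and Network ACL semantics (added example, not AWS code)."""
import ipaddress
from dataclasses import dataclass, field

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def _rule_hits(proto, low, high, cidr, pkt, remote_ip):
    """Shared matcher: protocol, destination port range and the remote side's CIDR."""
    return ((proto == "all" or proto == pkt.proto)
            and low <= pkt.dst_port <= high
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(cidr))


@dataclass
class SecurityGroup:
    # Allow rules only: (proto, from_port, to_port, cidr). There is no deny rule type.
    inbound: list
    outbound: list = field(default_factory=lambda: [("all", 0, 65535, ANY)])  # default: all out
    _tracked: set = field(default_factory=set, repr=False)

    def allows_inbound(self, pkt):
        for proto, low, high, cidr in self.inbound:
            if _rule_hits(proto, low, high, cidr, pkt, pkt.src_ip):
                # Remember the flow so its reply is admitted outbound (stateful).
                self._tracked.add((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
                return True
        return False  # nothing matched: blocked (inbound default)

    def allows_outbound(self, pkt):
        if (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) in self._tracked:
            return True  # reply to a tracked inbound flow: outbound rules not consulted
        return any(_rule_hits(p, lo, hi, c, pkt, pkt.dst_ip) for p, lo, hi, c in self.outbound)


@dataclass
class NetworkAcl:
    # Ordered rules: (rule_number, proto, from_port, to_port, cidr, "allow" | "deny").
    inbound: list
    outbound: list

    @staticmethod
    def _decide(rules, pkt, remote_ip):
        for _, proto, low, high, cidr, action in sorted(rules, key=lambda r: r[0]):
            if _rule_hits(proto, low, high, cidr, pkt, remote_ip):
                return action == "allow"   # first match wins
        return False                       # the implicit '*' rule at the end: deny

    def allows_inbound(self, pkt):
        return self._decide(self.inbound, pkt, pkt.src_ip)

    def allows_outbound(self, pkt):
        # Stateless: the reply is judged on its own, so ephemeral ports need an outbound allow.
        return self._decide(self.outbound, pkt, pkt.dst_ip)


# Constructed scenario: a web server, one abusive client address to block.
WEB_SERVER = "10.0.1.10"
BAD_CLIENT = "203.0.113.5"
GOOD_CLIENT = "198.51.100.7"

WEB_SG = SecurityGroup(inbound=[("tcp", 443, 443, ANY)], outbound=[])  # no outbound rules at all
WEB_NACL = NetworkAcl(
    inbound=[(90, "tcp", 443, 443, f"{BAD_CLIENT}/32", "deny"),   # lower number: evaluated first
             (100, "tcp", 443, 443, ANY, "allow")],
    outbound=[(100, "tcp", 1024, 65535, ANY, "allow")],          # replies to client ephemeral ports
)


def request(client_ip, client_port=51000):
    return Packet(client_ip, client_port, WEB_SERVER, 443)


def reply(client_ip, client_port=51000):
    return Packet(WEB_SERVER, 443, client_ip, client_port)


def sg_admits_exchange(sg, client_ip):
    """True if the request gets in and its reply gets back out through the Security Group."""
    return sg.allows_inbound(request(client_ip)) and sg.allows_outbound(reply(client_ip))


def nacl_admits_exchange(nacl, client_ip):
    return nacl.allows_inbound(request(client_ip)) and nacl.allows_outbound(reply(client_ip))


if __name__ == "__main__":
    for who in (GOOD_CLIENT, BAD_CLIENT):
        print(who, "SG:", sg_admits_exchange(WEB_SG, who), "NACL:", nacl_admits_exchange(WEB_NACL, who))
```

Two things to notice when running it: the Security Group admits the abusive client because it has no vocabulary for "deny", and a Network ACL with no outbound rules drops the server's replies even though the request was allowed in, which is the usual cause of "works with a Security Group, breaks when I add a NACL" tickets.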
- An AMI provides the information required to launch an instance, which is a virtual server in the cloud. You must specify a source AMI when you launch an instance.
- AMI selection criteria include: (1) Region; (2) operating system; (3) architecture (e.g. 32-bit or 64-bit); (4) launch permissions; (5) root device storage / volume (e.g. instance store or EBS).
- All AMIs are categorized as backed by either (1) EBS; or (2) instance store.
- EBS-backed
- The root device store is an EBS volume created from an EBS snapshot.
- EBS-backed instances can be stopped. No data is lost on stop and start.
- No data loss on reboot.
- By default, root volume is deleted on instance termination; however, root device volume protection can be toggled on.
- Instance store-backed
- The root device store is an instance store volume created from a template stored in S3.
- Instance stores cannot be stopped; if the underlying host fails, then the data is lost.
- No data loss on reboot.
- No means to preserve on instance termination.
- Use case: An instance store provides temporary block-level storage for your instance. This storage is located on disks that are physically attached to the host computer. Instance store is ideal for temporary storage of information that changes frequently, such as buffers, caches, scratch data, and other temporary content, or for data that is replicated across a fleet of instances, such as a load-balanced pool of web servers.
- You can launch or start instances in a placement group, which determines how instances are placed on underlying hardware.
- Permitted instance types: (1) compute optimized; (2) GPU; (3) memory optimized; (4) storage optimized.
- Cluster: clusters instances into a low-latency group in a single Availability Zone. Recommended for applications that require low network latency, high network throughput, or both.
- CANNOT span multiple AZs.
- Spread: spreads instances across underlying hardware. Recommended for applications that have a small number of critical instances that should be kept separate from one another.
- Partition: spreads instances across logical partitions, ensuring that instances in one partition do not share underlying hardware with instances in other partitions.
- AWS recommends that placement groups contain homogeneous instances (same size and same instance type family).
- Placement groups cannot be merged.
- Cannot move an existing instance into a placement group. Work-around: Create an AMI from the existing instance, then launch a new instance from the AMI into the placement group.
- EBS is used to create storage volumes and attach them to an EC2 instance. Once attached, you can (1) create a file system on top of the volume, (2) run a database, or (3) use it in any way you would use a normal block device.
- EBS volumes live in a specific AZ but are automatically replicated to protect against single component failure.
- General Purpose SSD (GP2): balances price and performance.
- Provisioned IOPS SSD (IO1): designed for I/O intensive applications, such as large relational or NoSQL databases.
- Use if you need more than 10,000 IOPS.
- Can provision up to 20,000 IOPS.
- Throughput Optimized HDD (ST1): designed for big data, data warehouses, log processing. Cannot be a boot volume.
- Cold HDD, aka Magnetic: designed for workloads where data is accessed infrequently and applications where the lowest storage cost is important.
- A snapshot is a static copy of an EBS volume.
- In order to snapshot a root device EBS volume, best practice is to stop the instance first. However, a snapshot can be taken from a running instance.
- Users can create AMIs from EBS-backed instances and snapshots.
- Users can change EBS volumes on the fly, including both size and storage type.
- An EBS volume is always in the same AZ as its attached EC2; in order to move it to another AZ or Region, take a snapshot and copy it to the new AZ or Region.
- Snapshots of encrypted volumes are encrypted automatically.
- Volumes restored from encrypted snapshots are encrypted automatically.
- Only unencrypted snapshots can be shared; can be shared with other AWS accounts or made public.
- RAID = Redundant Array of Independent Disks
- RAID 0: disks are striped. Good for performance but no redundancy.
- RAID 1: disks are mirrored. Complete redundancy, no performance gains.
- RAID 5: 3 disks or more and writing parity. Good for reads, bad for writes. RAID 5 is never the recommended solution.
- RAID 10: disks are striped and mirrored. Good performance and good redundancy.
- RAID is used when you need higher I/O (usually go with 0 or 10).
- RAID Snapshots
- Problem: the full snapshot is actually spread across several volumes. Some data is held in cache.
- Solution: take an "application consistent snapshot." Stop the application from writing to disk and flush all caches to disk. Options: (1) Freeze the file system; (2) unmount the RAID array; or (3) shut down the associated EC2 instance.
- Three types: (1) Application (ALB); (2) Network (NLB); (3) Classic (ELB)
- Application: best suited for load balancing HTTP and HTTPS traffic. ALBs operate at Layer 7 (...) and are application-aware. ALBs can have advanced request routing that sends specified requests to specific web servers.
- Network: best suited for load balancing TCP traffic where extreme performance is required. NLBs operate at Layer 4 (...). NLBs are capable of handling millions of requests per second while maintaining ultra-low latencies.
- Classic: legacy ELBs. Classics can load balance HTTP and HTTPS with Layer 7-specific features or can load balance on TCP with Layer 4-specific features. Not recommended anymore.
- If the underlying application stops, a Classic ELB responds with a 504 error (i.e. a timeout).
- A load balancer forwards requests, but from a private IP. If you need the IPv4 address of an end user, look at the X-Forwarded-For header.
- Healthchecks: generally a simple ping to see if a 200-level response is received. Instances monitored by an ELB are either InService or OutOfService.
- ELBs only provide DNS name, never an IP address.
- Dashboards: monitor AWS resources.
- Alarms: receive alerts when thresholds are hit.
- Events: programmatically respond to state changes in AWS resources.
- Logs: aggregate, monitor, and store logs from AWS resources.
- EFS is a fully-managed service that automatically scales file storage in the Amazon Cloud.
- Supports Network File System Version 4 (NFSv4) protocol.
- Pricing: only pay for what you use; no pre-provisioning (in contrast to EBS).
- Scales up to petabytes.
- Supports thousands of concurrent NFS connections.
- Data is stored across multiple AZs within a region.
- Read after write consistency.
- Use case: file server; centralized repository used by multiple EC2s. Can apply user- and directory-level permissions that are universal across EC2 instances.
- DNS converts a human-readable domain name, such as example.com, into an IP address, such as 12.34.56.78.
- Route53 is named for Port 53, which DNS operates on.
- Start of Authority Record (SOA): stores information about (1) the name of the server that supplied data for the zone; (2) the administrator of the zone; (3) the current version of the data file; and (4) the default number of seconds for the TTL of resource records.
- Name Server Record (NS): used by top level domain servers to direct traffic to the content DNS server that contains the authoritative DNS records.
- Address Record (A): used by a computer to translate the name of the domain into an IP address.
- Canonical Name (CNAME): used to resolve one domain to another domain. Redirect visitors from https://mobile.example.com to https://m.example.com.
- Alias Records: an AWS concept that is used to map resource record sets in your hosted zone to ELBs, CloudFront distributions, or S3 buckets that are configured as websites.
- Alias Records are like AWS-internal CNAMEs in that you map a source DNS name to a target DNS name.
- Material difference: CNAME cannot be used for naked domain names (e.g. https://kwhitejr.com); use Alias or A Records instead.
- Time To Live (TTL): the length that a DNS record is cached on either the resolving server or the user's own computer. TTL is described in seconds. The lower the TTL, the faster changes to DNS records propagate.
- Mail Server Record (MX)
- Reverse Lookups (PTR)
- Simple Routing: supports one record with multiple IP addresses. Route53 returns a random value (IP) to the user.
- Weighted Round Robin (WRR): Weighted Round Robin allows you to assign weights to resource record sets in order to specify the frequency with which different responses are served. You may want to use this capability to do A/B testing, sending a small portion of traffic to a server on which you’ve made a software change. For instance, suppose you have two record sets associated with one DNS name—one with weight 3 and one with weight 1. In this case, 75% of the time Route 53 will return the record set with weight 3 and 25% of the time Route 53 will return the record set with weight 1. Weights can be any number between 0 and 255.
- Latency Based Routing (LBR): Latency Based Routing is a new feature for Amazon Route 53 that helps you improve your application’s performance for a global audience. You can run applications in multiple AWS regions and Amazon Route 53, using dozens of edge locations worldwide, will route end users to the AWS region that provides the lowest latency.
- Failover Routing: used when you want to create an active/passive setup. Route53 monitors the health of the active address and if the healthcheck fails, then traffic is routed to the passive endpoint.
- Geolocation Routing: traffic is routed based upon the geographic location of your end user. Use case: EC2s are customized for localities, e.g. with language or currency options.
- Multivalue Answer: If you want to route traffic approximately randomly to multiple resources, such as web servers, you can create one multivalue answer record for each resource and, optionally, associate an Amazon Route 53 health check with each record. For example, suppose you manage an HTTP web service with a dozen web servers that each have their own IP address. No one web server could handle all of the traffic, but if you create a dozen multivalue answer records, Amazon Route 53 responds to DNS queries with up to eight healthy records in response to each DNS query. Amazon Route 53 gives different answers to different DNS resolvers. If a web server becomes unavailable after a resolver caches a response, client software can try another IP address in the response.
- Supported RDS types: SQL, MySQL, PostgreSQL, Oracle, MariaDB, Aurora
- Ideal for Online Transaction Processing (OLTP): gathering input information, processing the data and updating existing data to reflect the collected and processed information.
- EC2 and RDS may not be able to talk unless their respective security groups are opened to each other.
- Backups: two flavors, (1) Automated Backups, and (2) Database Snapshots
- Automated Backup: recover database from any point within the retention period (which is 1 to 35 days). Takes a full daily snapshot and also stores transaction logs throughout the day. When a recovery is initiated, AWS chooses the most recent daily back up, then applies the transaction logs from that day. This allows point-in-time recovery down to a second within the retention period.
- Automated Backups are enabled by default. Backup data is stored in S3; user gets free storage equal to the size of the database.
- Elevated latency during backup window (I/O may be suspended); therefore, carefully schedule the backup window.
- By default, Automated Backups are deleted when the RDS instance is deleted.
- DB Snapshots: manual process (user initiated). These are stored even after the RDS instance is deleted.
- Multi-AZ: When you provision a Multi-AZ DB Instance, Amazon RDS automatically creates a primary DB Instance and synchronously replicates the data to a standby instance in a different Availability Zone (AZ).
- Intended for disaster recovery.
- By pointing to a DNS, rather than an IP, the DB can achieve automatic failover.
- Aurora is Multi-AZ by default.
- Synchronous replication.
- Read Replicas: create one or more replicas of a given source DB Instance and serve high-volume application read traffic from multiple copies of your data, thereby increasing aggregate read throughput. Read replicas can also be promoted when needed to become standalone DB instances.
- Intended for improved performance.
- Supports up to 5 read replica copies of a DB.
- You can have Read Replicas of Read Replicas, but higher latency.
- Each Read Replica gets its own DNS endpoint.
- Asynchronous replication.
- Can create Read Replicas of Multi-AZ source DBs.
- Read Replica can be in a different region from source.
- Encryption at rest is supported for all RDS flavors. Encryption is through Key Management Service (KMS).
- A fast and flexible nonrelational database service for any scale.
- Document and key-value data models.
- Automatically scales throughput capacity to meet workload demands, and partitions and repartitions your data as your table size grows.
- Synchronously replicates data across three facilities in an AWS Region, giving you high availability and data durability.
- Data consistency models:
- Eventually consistent reads (the default) – The eventual consistency option maximizes your read throughput. However, an eventually consistent read might not reflect the results of a recently completed write. All copies of data usually reach consistency within a second. Repeating a read after a short time should return the updated data.
- Strongly consistent reads — In addition to eventual consistency, DynamoDB also gives you the flexibility and control to request a strongly consistent read if your application, or an element of your application, requires it. A strongly consistent read returns a result that reflects all writes that received a successful response before the read.
- Ideal for Online Analytical Processing (OLAP): resource intensive and large-scale group, aggregate and join data.
- Primarily used to perform business analytics while not interfering with production resources.
- Data warehouse cluster options:
- Single Node: enables you to get started with Amazon Redshift quickly and cost-effectively and scale up to a multi-node configuration as your needs grow. A Redshift data warehouse cluster can contain from 1-128 compute nodes, depending on the node type.
- Multi-node: requires a leader node that manages client connections and receives queries, and two compute nodes that store data and perform queries and computations. The leader node is provisioned for you automatically and you are not charged for it.
- Organizes data by columns, which is ideal for data warehousing and analytics, where queries often involve aggregates performed over large data sets. Because only the columns involved in the query are processed and columnar data is stored sequentially, column-based systems require fewer I/Os, significantly improving query performance.
- Sequential storage of columnar data permits greater levels of data compression, thus taking less disk space. Additionally, no indexes or materialized views required.
- RedShift samples your data and automatically selects an appropriate compression scheme.
- Massively Parallel Processing (MPP): RedShift automatically distributes data and query load across all nodes. Therefore, adding a node to the data warehouse enables the user to maintain fast query performance as the data warehouse grows.
- Security
- Encrypted in transit using SSL.
- Encrypted at rest using AES-256.
- Default behavior is RedShift manages keys, but can also use own keys or KMS.
- No Multi-AZ; designed for performance in making reports and queries, not production durability.
- Deploy, operate, and scale an in-memory cache in the cloud. Improves web app performance by retrieving information from fast, managed, in-memory caches, instead of relying entirely on slower disk-based databases.
- Use case: on a t-shirt sales site, the splash screen always shows the Top Ten T-shirts of the week. Instead of hitting the DB on every load, use the cache.
- Supports two open-source engines: (1) Memcached, and (2) Redis
- Exam Tips
- Elasticache is useful in scenarios where a particular DB is under a lot of stress/load.
- Elasticache is useful when a database is read heavy and not prone to frequent changing.
- However, RedShift is a better answer if the DB is under stress because management is running OLAP transactions on it.
- A relational database engine that combines the speed and reliability of high-end commercial databases with the simplicity and cost-effectiveness of open source databases.
- Storage Scaling: start with 10 GB, auto-scale in 10 GB increments to 64 TB.
- Compute Scaling: up to 32 vCPUs and 244 GB of memory.
- Resiliency: 2 copies of data per AZ across a minimum of 3 AZs, for a minimum of 6 copies of data.
- Designed to handle loss of up to two copies without affecting write availability and up to three copies without affecting read availability.
- Storage is self-healing: data blocks and disks are continuously scanned for errors and repaired automatically.
- Can have up to 15 Aurora Read Replicas; user can determine order of priority (tier).
- AWS provides a single cluster endpoint. In case of failure, Aurora automatically changes over to the next tiered instance.
- DynamoDB offers push-button scaling, meaning that you can scale the DB without downtime.
- RDS requires a bigger instance or addition of a read replica (there will be downtime).
- Create the VPC: name, CIDR block, and tenancy type.
- Create the Subnets.
- Create the Internet Gateway.
- Create custom Route Table for public Subnet(s).
- Point public Subnet's custom Route Table at the Internet Gateway.
- Configure relevant ACL and Security Group traffic rules.
- A VPC is the user's virtual network, hosted by AWS.
- Used as the network layer for EC2 resources.
- Each VPC is logically isolated from other networks and VPCs.
- Every AWS account comes with a default VPC, which is preconfigured for immediate use.
- Without a manually-created VPC, user EC2s are hosted in the default VPC.
- If default VPC is deleted, then user needs to contact AWS support to get it recreated. Don't delete it, dumb dumb.
- VPC can span multiple AZs in a single Region.
- Main reason to create a VPC (and not use default) is granular security controls, such as public and private subnets.
- Connecting VPC to a Datacenter
- Virtual Private Gateway: custom connection point (on VPC) for your datacenter
- VPN Connection: secure tunnel from datacenter to VPC.
- Customer Gateway: a physical device or software that sits on datacenter side of connection.
- Peering Connection: VPCs can talk to each other if connected from both sides. Must be within the same region. Peer connections are 1-to-1; no transitive peering (daisy chaining).
- VPCs with overlapping CIDRs cannot be peered.
- Tenancy: VPC can be created on (1) Default; or (2) Dedicated hardware. Performance and cost are both higher on dedicated.
- Private IP Addresses
- Not accessible from regular internet; only from within the VPC.
- Instances on VPC are automatically assigned a Private IP.
- Public IP Addresses
- Required to access an instance from the general internet.
- Assigned to an instance from AWS's pool of public IPs. When an instance is terminated and restarted, the public IP is returned to the pool and a new one is chosen.
- In order to preserve a Public IP address across termination and restart, user must get an Elastic IP Address (persistent IP address assigned to user account). Charges apply if an EIP is allocated to an account but remains unattached to an instance.
- Associate the EIP with a VPC's NAT Gateway in order to
- Classless Inter-Domain Routing (CIDR)
- In VPC context, the CIDR block
- A VPC CIDR block's prefix length must be between /16 and /28 (e.g. 10.0.0.0/16).
- A Subnet is a range of IP addresses in a VPC. AWS Resources are launched onto one of a VPC's Subnets.
- Use a public Subnet for resources that must be connected to the internet (e.g. web servers).
- Use a private Subnet for resources that are not connected to the internet (e.g. DBs).
- VPC must have Subnets assigned to it before EC2 instances can be launched on the VPC.
- Subnets in the same VPC (as subparts of the same IP range) can communicate with each other by default.
- Default CIDR block range for a Subnet is /20, or about 4000 IPs.
- A Subnet is always mapped to a single AZ (although a VPC spans a Region).
- Typically use redundant Public and Private Subnets across different AZs for failure recovery.
- Public Subnet
- All traffic is routed through the VPC's Internet Gateway
- Private Subnet
- For resources that don't require internet or should be protected, e.g. DB instances.
- IG is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in a VPC and the wider internet. No availability risks or bandwidth constraints on VPC network traffic.
- IG must be attached to a VPC.
- All instances utilizing an IG must have either a Public IP or an EIP.
- Public Subnets' Route Table must point to the Internet Gateway to allow traffic.
- All network rules (network Access Control Lists and Security Groups) must be configured to allow traffic to and from the relevant VPC instances.
- Default Route Table only permits local traffic.
- Default ACL permits all outbound traffic.
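The VPC address-planning rules scattered through the bullets above (CIDR prefix between /16 and /28, a /20 subnet holding "about 4000" usable addresses, one subnet per AZ and tier, no peering between overlapping CIDRs, and a subnet being public only when its route table sends 0.0.0.0/0 to an Internet Gateway) can all be checked with the standard library before any VPC is created. The following is an added illustration using only Python's `ipaddress` module; it is not AWS tooling and not from the original notes. The AZ names, route tables and the `igw-PLACEHOLDER` gateway id are constructed; the five-addresses-reserved-per-subnet figure is AWS's documented reservation.

```python
"""VPC address planning checks with the standard library (added example, not AWS code)."""
import ipaddress

AWS_RESERVED_PER_SUBNET = 5   # network, VPC router, DNS, future use, broadcast


def is_valid_vpc_cidr(cidr):
    """True for a well-formed IPv4 block with a prefix length from /16 to /28."""
    try:
        net = ipaddress.ip_network(cidr)  # strict: rejects host bits set, e.g. 10.0.1.0/16
    except ValueError:
        return False
    return net.version == 4 and 16 <= net.prefixlen <= 28


def usable_addresses(subnet):
    """Addresses actually assignable to instances in a subnet."""
    return ipaddress.ip_network(subnet).num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, azs, new_prefix=24, tiers=("public", "private")):
    """Carve one subnet per (AZ, tier) from the VPC block, in order.

    Returns {(az, tier): "10.0.0.0/24", ...}; raises ValueError if the VPC CIDR
    is invalid or the block is too small for the requested subnets.
    """
    if not is_valid_vpc_cidr(vpc_cidr):
        raise ValueError(f"VPC CIDR must be /16 to /28, got {vpc_cidr}")
    blocks = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)
    plan = {}
    try:
        for az in azs:
            for tier in tiers:
                plan[(az, tier)] = str(next(blocks))
    except StopIteration:
        raise ValueError("VPC block too small for the requested subnets") from None
    return plan


def can_peer(cidr_a, cidr_b):
    """Peering requires non-overlapping VPC address ranges."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def is_public_subnet(route_table):
    """route_table maps destination CIDR -> target.

    The default table only carries the 'local' route; a public subnet's table
    additionally points 0.0.0.0/0 at an Internet Gateway (target 'igw-...').
    """
    return any(dest == "0.0.0.0/0" and target.startswith("igw-")
               for dest, target in route_table.items())


# Constructed route tables; the gateway id is a placeholder, not a real resource.
DEFAULT_ROUTE_TABLE = {"10.0.0.0/16": "local"}
PUBLIC_ROUTE_TABLE = {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-PLACEHOLDER"}


if __name__ == "__main__":
    print("/20 subnet usable addresses:", usable_addresses("10.0.0.0/20"))
    for (az, tier), block in plan_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b"]).items():
        print(f"{az} {tier:8} {block}")
    print("peer 10.0.0.0/16 with 10.0.5.0/24:", can_peer("10.0.0.0/16", "10.0.5.0/24"))
    print("default table public?", is_public_subnet(DEFAULT_ROUTE_TABLE))
```

The plan produced here is the input to the six creation steps listed earlier (VPC, subnets, Internet Gateway, custom route table, route to the gateway, ACL and Security Group rules); running the overlap check against every VPC you may later need to peer with is far cheaper than re-addressing a VPC after the fact.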