AWS Solutions Architect Associate Exam Overview
Tutorials Dojo
www.tutorialsdojo.com

Presented by: Jon Bonso
COURSE AUTHOR: Jon Bonso
• https://au.linkedin.com/in/jonbonso
COURSE LINK
• https://portal.tutorialsdojo.com/courses/aws-certified-solutions-architect-associate-exam-video-course/
Exam version timeline: 2013 → SAA-C01 → SAA-C02 → SAA-C03 (current)

Question types
• Multiple Choice: has 1 correct response and 3 incorrect responses
• Multiple Response: has 2 correct responses out of 5 response options

Prerequisites

Score Performance
The score report lists each section with its % of scored items and whether you "Need Improvement" or "Meet Competencies":
• Section 1.0: Design Secure Architectures (30% of scored items)
• Section 2.0: Design Resilient Architectures (26%)
• Section 3.0: Design High-Performing Architectures (24%)
• Section 4.0: Design Cost-Optimized Architectures (20%)
AWS Certified Solutions Architect Associate Exam Domains
Each exam domain is broken down into task statements (Task Statement #1, #2, #3, ...).

Domain 1: Design Secure Architectures (30%)
๏ Design secure access to AWS resources
๏ Design secure workloads and applications
๏ Determine appropriate data security controls

Domain 2: Design Resilient Architectures (26%)
๏ Design scalable and loosely coupled architecture
๏ Design highly available and/or fault-tolerant architectures

Domain 3: Design High-Performing Architectures (24%)
๏ Determine high-performing and/or scalable storage solutions
๏ Design high-performing and elastic compute solutions
๏ Determine high-performing database solutions
๏ Determine high-performing and/or scalable network architectures
๏ Determine high-performing data ingestion and transformation solutions

Domain 4: Design Cost-Optimized Architectures (20%)
๏ Design cost-optimized storage solutions
๏ Design cost-optimized compute solutions
๏ Design cost-optimized database solutions
๏ Design cost-optimized network architectures
AWS Overview
Tutorials Dojo
www.tutorialsdojo.com

Three questions: WHAT is AWS? WHEN did AWS start? WHY is AWS so popular?

WHAT is AWS?
AWS = Amazon Web Services, a Cloud Service Provider
• Provides a cloud-based platform or cloud services
• Allows you to rent out virtual servers that you access remotely
• A Cloud Service Provider is like a Car Rental: "I need a car for just 3 days for my trip." A brand new car ($40,000) vs a rental ($100)?
• What is available for RENT: Virtual Machines, Physical Servers, Storage Appliances, Network Devices, with different types of CPU, Storage, Network and other components that you can choose from!
• Everything is available for RENT and accessible online via Web Service interfaces (REST, SOAP etc.)

WHEN did AWS start?
2004
• AWS started out as a department within Amazon Inc.
• Used only by early Amazon customers
• Its web services were not available publicly
2006
• AWS officially started its operation as a public cloud service provider
• Released Amazon S3 (Simple Storage Service)
• Released Amazon SQS (Simple Queue Service)
Today
• Offers hundreds of fully-featured services that are available globally
• Provides a highly reliable, scalable, and low-cost infrastructure platform in the cloud
• Boasts a broad set of cloud-based products

WHY is AWS so popular?
Today, AWS:
• Is the world's leading cloud platform
• Is used by millions of customers
• Supports various workloads
• Significantly lowers your operating costs
• Enables companies to scale globally in minutes!
AWS Global Infrastructure

Data Center
• Has thousands of servers!
• These physical servers generate virtual machines or store your data!

Availability Zone
• Literally a geographic "Zone", made up of one or more Data Centers
• 100 kilometers or 60 miles from each other
• Improves the "Availability" of your systems
• Your system will still run even if one or more data centers encountered an outage

Region
• A group of Availability Zones (Availability Zone 1, Availability Zone 2, Availability Zone 3, ...)
• Example: US East (Ohio), us-east-2

Edge Networks
• Points of Presence (PoP), also called Edge Locations, that serve content from your Origin Server
• Used by the Content Delivery Network
Advantages of Cloud Computing
• Launch solutions and computing resources in a matter of minutes
• No need to buy & maintain costly physical servers or data centers
• On-demand access to a wide range of virtual machines, storage services, databases, and other IT resources
• Revolutionary Cloud Economics
• Unparalleled Flexibility for your enterprise IT infrastructure
• Better Price-to-Performance Ratio
• Lower Total Cost of Ownership (TCO)

Advantages of Cloud Computing (as AWS states them)
• Trade Fixed Expense for Variable Expense
• Benefit from Massive Economies of Scale
• Stop Guessing Capacity
• Increase Speed and Agility
• Stop Spending Money Running & Maintaining Data Centers
• Go Global in Minutes
AWS Shared Responsibility Model

CLOUD COMPUTING: a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.

The configurable computing resources are virtual machines: a HOST COMPUTER runs a HOST OS and a HYPERVISOR, and each customer's GUEST OS runs on top of the hypervisor.

CUSTOMER: RESPONSIBLE FOR THE SECURITY "IN" THE CLOUD
• Customer Data
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption & Data Integrity Authentication
• Server-side Encryption (File System and/or Data)
• Networking Traffic Protection (Encryption, Integrity, Identity)

AWS: RESPONSIBLE FOR THE SECURITY "OF" THE CLOUD
• Software: Compute, Storage, Database, Networking
• Hardware / AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

IT CONTROLS
• INHERITED controls (fully inherited from AWS): Physical & Environmental
• SHARED controls: Patch Management, Configuration Management, Awareness & Training
• CUSTOMER-SPECIFIC controls: Zone Security (Service and Communications Protection)
• Other labels in the slides' diagram: Physical Servers, Host OS, Guest OS, Custom Apps, Abstracted Services, Infrastructure Security, Client-side & Server-side Data Encryption

WHO? Is it AWS or the CUSTOMER?
• Who is responsible for patching the operating system of your Amazon EC2 instance?
• Who is responsible for applying the security patches of the guest operating system that your EC2 instance is using?
• Who is responsible for running the host operating system and the virtualization layer that powers your Amazon EC2 instances?
• Who is responsible for managing all your IAM user access and secret keys?
• Who is responsible for maintaining the underlying server of your AWS Lambda functions?
• Who is responsible for the Service and Communications Protection or Zone Security of your data?
• Who is responsible for the physical security of the servers and the entire network of data centers of the AWS Global Infrastructure?
• Who is responsible for designing encryption-at-rest strategies and other security features in your Amazon RDS database?
• Who is responsible for the security OF the cloud and the security IN the cloud?
AWS Support Plans
Five plans, compared by TOOLS, TECHNOLOGY, PROGRAMS and PEOPLE:
• BASIC (FREE)
• DEVELOPER ($)
• BUSINESS ($$)
• ENTERPRISE ON-RAMP ($$$)
• ENTERPRISE ($$$$)

Features that differ between plans: Response Time; Architectural Guidance; Programmatic Case Management; 3rd-Party Software Support; Proactive Self-Service Programs; Technical Account Management (TAM); Account Assistance; 30 Day Minimum Term.
People who provide the support, depending on the plan: Technical Account Manager (TAM); AWS Managed Services Team; Concierge Support Team; Cloud Support Associates; Cloud Support Engineers.

BASIC
• Included for all AWS customers by default
• 24/7 access to the AWS customer service, documentation, whitepapers & AWS re:Post site
• Response time: SLOW
• Access to the AWS Personal Health Dashboard
• LIMITED ACCESS to AWS Trusted Advisor: only the core security & service quota checks

DEVELOPER
• Recommended for testing or for running non-critical production workloads in AWS
• LIMITED ACCESS to AWS Trusted Advisor: only the core security & service quota checks
• ENHANCED TECHNICAL SUPPORT
  • Support provided by: Cloud Support Associates
  • Unlimited support cases with 1 primary contact
  • Prioritized responses on AWS re:Post
  • Support Schedule: Business Hours (MON - FRI, 8 AM - 6 PM)
  • NO Phone or Chat Assistance
• RESPONSE TIMES
  • General guidance: < 24 hours
  • System impaired: < 12 hours
• ARCHITECTURAL GUIDANCE: BASIC
• SUPPORT AUTOMATION WORKFLOWS (SAW) via AWS Systems Manager: BASIC runbooks only (AWSSupport-*). PREMIUM runbooks (AWSPremiumSupport-*) are NOT SUPPORTED IN THE DEVELOPER PLAN.
  • Example BASIC runbooks: AWSSupport-CopyEC2Instance, AWSSupport-ResetAccess, AWSSupport-ExecuteEC2Rescue, AWSSupport-ListEC2Resources

BUSINESS
• Has all the features of the DEVELOPER support plan
• Recommended if you have one or more production workloads in AWS
• FULL ACCESS to AWS Trusted Advisor: the full set of best practice checks
• ENHANCED TECHNICAL SUPPORT
  • Support provided by: Cloud Support Engineers
  • Unlimited support cases by Unlimited Contacts (IAM Supported)
  • Support Schedule: 24/7
  • Prioritized responses on AWS re:Post
  • Access to AWS Support App in
• ARCHITECTURAL GUIDANCE: CONTEXTUAL
• RESPONSE TIMES
  • General guidance: < 24 hours
  • System impaired: < 12 hours
  • Production system impaired: < 4 hours
  • Production system outage: < 1 hour
• AWS SUPPORT API (programmatic case management)
  • A web service that provides programmatic access to AWS Support Center operations
  • API endpoint: https://support.<region>.amazonaws.com
  • Supports the following operations: Support Case Management Operations; AWS Trusted Advisor operations
• 3RD-PARTY SOFTWARE SUPPORT
• SUPPORT AUTOMATION WORKFLOWS (SAW) via AWS Systems Manager: both BASIC runbooks (AWSSupport-*) and PREMIUM runbooks (AWSPremiumSupport-*)
• INFRASTRUCTURE EVENT MANAGEMENT
  • Available for an additional fee.
  • Offers architecture guidance and operational support during the preparation and execution of your planned events (e.g. scheduled shopping holiday, product launches, system migrations et cetera)
  • Prevents unnecessary system degradation or site outages by optimizing your cloud architecture prior to your event
  • Allows you to easily assess operational readiness, mitigate risks, and execute your planned activity confidently with assistance from AWS experts
• AWS MANAGED SERVICES TEAM
  • Available for an additional fee.
  • Operates your AWS infrastructure on your behalf
  • Augments your existing internal teams with advanced cloud operation skills
  • Provides you with AWS experts such as a designated Cloud Service Delivery Manager, a Cloud Architect, an AMS security team, or all three.
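The Support API operations listed above, exercised from Python as an added example (not code from the slides or from Tutorials Dojo): it pulls every Trusted Advisor check and its result through the Support API and reports the security-category checks that are in warning or error, worst first. It assumes a Business or higher plan (the Support API is not offered on Basic or Developer), boto3 with credentials in the environment for the live path, and the us-east-1 endpoint; the sample checks and results are constructed so the ranking logic runs offline.

```python
"""Rank Trusted Advisor security checks via the AWS Support API.

Added example, not from the slides. Assumes a Business or higher
support plan (the Support API is not available on Basic/Developer)
and, for the live path, boto3 with credentials in the environment.
"""

# Trusted Advisor check statuses, ordered worst to best
STATUS_ORDER = {"error": 0, "warning": 1, "not_available": 2, "ok": 3}


def summarize_check(check, result):
    """Reduce one DescribeTrustedAdvisorCheckResult 'result' to the
    fields a triage list needs; suppressed resources are not counted."""
    flagged = [
        r for r in result.get("flaggedResources", []) if not r.get("isSuppressed")
    ]
    return {
        "id": check["id"],
        "name": check["name"],
        "category": check["category"],
        "status": result["status"],
        "flagged": len(flagged),
    }


def security_findings(checks, results, min_status="warning"):
    """Security-category checks whose status is at least as bad as
    min_status, sorted worst status first, then most flagged resources."""
    threshold = STATUS_ORDER[min_status]
    findings = []
    for check in checks:
        if check["category"] != "security":
            continue
        summary = summarize_check(check, results[check["id"]])
        if STATUS_ORDER[summary["status"]] <= threshold:
            findings.append(summary)
    return sorted(findings, key=lambda s: (STATUS_ORDER[s["status"]], -s["flagged"]))


def fetch_live_findings(language="en"):
    """Live path: one DescribeTrustedAdvisorChecks call, then one
    DescribeTrustedAdvisorCheckResult call per check. boto3 is imported
    here so the offline part of this file runs without it."""
    import boto3

    # Assumption: the Support API is reached through the us-east-1 endpoint
    client = boto3.client("support", region_name="us-east-1")
    checks = client.describe_trusted_advisor_checks(language=language)["checks"]
    results = {
        c["id"]: client.describe_trusted_advisor_check_result(
            checkId=c["id"], language=language
        )["result"]
        for c in checks
    }
    return security_findings(checks, results)


# Constructed sample data in the shape of the two API responses above.
# The ids are placeholders, not real Trusted Advisor check ids.
SAMPLE_CHECKS = [
    {"id": "chk-sg-ports", "name": "Security Groups - Specific Ports Unrestricted", "category": "security"},
    {"id": "chk-iam-use", "name": "IAM Use", "category": "security"},
    {"id": "chk-root-mfa", "name": "MFA on Root Account", "category": "security"},
    {"id": "chk-idle-lb", "name": "Idle Load Balancers", "category": "cost_optimizing"},
]
SAMPLE_RESULTS = {
    "chk-sg-ports": {
        "status": "warning",
        "flaggedResources": [
            {"resourceId": "sg-0a1b2c3d", "isSuppressed": False},
            {"resourceId": "sg-0e5f6a7b", "isSuppressed": True},  # excluded by a suppression
        ],
    },
    "chk-iam-use": {"status": "ok", "flaggedResources": []},
    "chk-root-mfa": {"status": "error", "flaggedResources": [{"resourceId": "root", "isSuppressed": False}]},
    "chk-idle-lb": {"status": "warning", "flaggedResources": [{"resourceId": "elb-demo", "isSuppressed": False}]},
}

if __name__ == "__main__":
    for f in security_findings(SAMPLE_CHECKS, SAMPLE_RESULTS):
        print(f"{f['status']:<8} flagged={f['flagged']}  {f['name']}")
```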
ENTERPRISE ON-RAMP
• Recommended if you have business-critical production workloads with strict SLA (high RTO and RPO requirements)
• Has all the features of the BUSINESS support plan
• RESPONSE TIMES
  • General guidance: < 24 hours
  • System impaired: < 12 hours
  • Production system impaired: < 4 hours
  • Production system outage: < 1 hour
  • Business-critical system outage: < 30 mins
• INFRASTRUCTURE EVENT MANAGEMENT
  • Included without any additional fees
  • Use for 1 Event per year only
• CONCIERGE SUPPORT TEAM: primary contact for AWS Billing & AWS Support
• ARCHITECTURAL GUIDANCE
  • Consultative review
  • Architectural Guidance based on your applications (one-per-year only)
• TECHNICAL ACCOUNT MANAGER (TAM): access to a pool of Technical Account Managers to provide proactive guidance and assistance

ENTERPRISE
• Recommended if you have mission-critical production workloads with strict SLA (high RTO and RPO requirements)
• Has all the features of the ENTERPRISE ON-RAMP support plan
• Most expensive AWS Support Plan
• Access to the premium AWS Trusted Advisor Priority feature
• RESPONSE TIMES
  • General guidance: < 24 hours
  • System impaired: < 12 hours
  • Production system impaired: < 4 hours
  • Production system outage: < 1 hour
  • Business/Mission-critical system outage: < 15 mins
• INFRASTRUCTURE EVENT MANAGEMENT: can be used for multiple corporate events
• ONLINE SELF-PACED LABS: provide a hands-on learning environment based on real-world scenarios
• TECHNICAL ACCOUNT MANAGER (TAM) and AWS SUPPORT PROACTIVE SERVICES
  • Available for an additional fee
  • 24/7 proactive monitoring & incident management for your selected production workloads, regularly conducted by AWS experts
  • Access to a dedicated Technical Account Manager
  • Workload reviews, best practices workshops, and deep dives delivered by AWS Experts
AWS Well-Architected Framework
• Conceptualized from extensive years of cloud research, development, and real-world experience
• A knowledge base of design principles, best practices and architectural guidance
• Helps you avoid costly mistakes
• Allows you to establish key performance indicators (KPIs) to measure workload performance

How it is organized
• A set of cloud architectural QUESTIONS, grouped into Pillars (Pillar 1, Pillar 2, Pillar 3, Pillar 4, Pillar 5, ... Pillar n)
• Key Topics covered for each pillar: Design Principles, Best Practices, Design Patterns, Anti-Patterns, Implementation Guide, Risks, Benefits

HOW DOES IT WORK? (Security Pillar)
Your Cloud Solution consists of Your App, the Compute, Data Layer, Network, Data Transport and Firewall, plus Identity & Access Management (Users, Groups, Roles). The Security Pillar asks questions about it, such as:
• How do you protect your data at rest?
• How do you protect your data in transit?
• How do you manage identities for people and machines?

TRADE-OFFS
Do you really need to follow all the guidelines of the AWS Well-Architected Framework? It depends on your REQUIREMENTS:
• ENVIRONMENT: PROD / PRE PROD / DEV
• SCALABILITY: MUST / OPTIONAL
• RELIABILITY: HIGH / MID / LOW
• DATA SECURITY: AT REST / IN TRANSIT
• COMPLIANCE: HIPAA / GDPR / PCI-DSS / NONE

Example requirement profiles and the cost they drive:
• PROD, Reliability MID, Data Security AT REST + IN TRANSIT, Scalability MUST, Compliance PCI-DSS → AVERAGE COST
• DEV / TEST, Reliability LOW, Scalability OPTIONAL, Compliance NONE → LOW COST; the trade-off here is LOW COST over RELIABILITY
• PROD, Reliability HIGH, Data Security AT REST + IN TRANSIT, Scalability MUST, Compliance PCI-DSS (MISSION-CRITICAL APPLICATIONS) → HIGH COST: more redundant resources, more compute & storage resources
• IN PRODUCTION, SECURITY IS NOT USUALLY TRADED-OFF WITH ANY OTHER FACTORS

Foreign Laws & Security Requirements
• Covers Data Sovereignty requirements
• Abide by the Regional Rules that need to be strictly followed
• Quickly establish a digital presence in other countries while being compliant with their data protection and privacy laws
• Example: General Data Protection Regulation (GDPR)
• Each country has its own data privacy law with unique data residency and data sovereignty requirements

The Pillars of the AWS Well-Architected Framework
1. OPERATIONAL EXCELLENCE
2. SECURITY
3. RELIABILITY
4. PERFORMANCE EFFICIENCY
5. COST OPTIMIZATION
6. SUSTAINABILITY

OPERATIONAL EXCELLENCE PILLAR
• Revolves around how you run your operations to deliver business value
• Allows you to verify whether your AWS workloads are operating excellently or poorly
• Provides the ability to:
  • Effectively run workloads in AWS
  • Gain helpful insight into your cloud operations
  • Continuously improve your supporting processes & procedures
• Example of an Operationally Excellent AWS solution: an AWS workload with loosely-coupled components which can be updated on a regular basis and where the changes can be made in small, reversible increments.
• Can be achieved by establishing protocols to continuously improve the supporting processes of your cloud operations. Supporting processes: Continuous Improvement, Knowledge Management, Post-incident Analysis, Feedback Loops, and other protocols that support your primary processes
• Includes the concepts of Risk Mitigation, Disaster Recovery Exercises, Game Days or Team Drills to test your Disaster Recovery Action Plan
• DESIGN PRINCIPLES: Perform Operations as Code; Make Frequent, Small, Reversible Changes; Refine Operations Procedures Frequently; Anticipate Failure; Learn from All Operational Failures
• BEST PRACTICE AREAS: Organization; Prepare; Operate; Evolve

SECURITY PILLAR
• Covers the overall security of your AWS workloads
• Not usually traded off against other aspects of your system
• Checks the use of various security-related AWS services to protect the data, systems, and assets of your cloud solutions
• Includes the concept of Traceability (monitoring & tracking the changes made to your environment and resources)
• Root Cause Analysis and Remediation Automation of production incidents
• Aims to improve your overall Security Posture
• Examples of Secure AWS solutions:
  • Enabling Traceability via AWS Config to record, audit, and evaluate changes to AWS resources in your production environment
  • Implementing data encryption, tokenization, SSL, and firewalls to protect your sensitive data in transit and data at rest
  • Granting the least privilege to your staff with the minimum permissions required to perform a task
• DESIGN PRINCIPLES: Implement a Strong Identity Foundation; Enable Traceability; Apply Security at All Layers; Automate Security Best Practices; Protect Data in Transit and at Rest; Keep People Away from Data; Prepare for Security Events
• BEST PRACTICE AREAS: Foundations for Security; Identity and Access Management; Detection; Infrastructure Protection; Data Protection; Incident Response
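An added example (not from the slides) of the "Protect Data in Transit and at Rest" principle: an S3 bucket policy that denies requests made without TLS and PutObject calls that omit server-side encryption, plus a small evaluator that checks constructed requests against it. The bucket name and request contexts are made up, and the evaluator understands only the Deny-with-condition statements built here; it is not a general IAM policy simulator.

```python
"""S3 bucket policy for data in transit and at rest, with a checker.

Added example, not from the slides. Builds a bucket policy that denies
non-TLS requests and unencrypted uploads, then evaluates constructed
requests against it. The evaluator only understands the Deny statements
built here (Bool / Null / StringEquals conditions); it is not IAM.
"""
from fnmatch import fnmatchcase


def data_protection_policy(bucket):
    """Bucket policy: deny anything over plain HTTP, deny PutObject
    that does not ask for server-side encryption."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",  # data in transit
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                "Sid": "DenyUnencryptedObjectUploads",  # data at rest
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def _matches(pattern, value):
    """IAM-style wildcard match; pattern may be a string or a list."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """True when every condition key in the block is satisfied by the
    request context. A missing key fails Bool/StringEquals, as in IAM."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "Null":
                key_absent = actual is None
                if key_absent != (str(expected).lower() == "true"):
                    return False
            elif operator == "StringEquals":
                if actual != expected:
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def explicit_deny(policy, action, resource, context):
    """Sid of the first matching Deny statement, or None if no Deny
    applies (the request may still need an Allow from elsewhere)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return stmt["Sid"]
    return None


# Constructed requests against a made-up bucket
POLICY = data_protection_policy("example-data-bucket")
KEY = "arn:aws:s3:::example-data-bucket/reports/q1.csv"
SAMPLE_REQUESTS = [
    ("tls put with SSE", "s3:PutObject", KEY,
     {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "aws:kms"}),
    ("plain http get", "s3:GetObject", KEY, {"aws:SecureTransport": "false"}),
    ("tls put, no SSE", "s3:PutObject", KEY, {"aws:SecureTransport": "true"}),
    ("tls get", "s3:GetObject", KEY, {"aws:SecureTransport": "true"}),
]


def check_sample_requests():
    """Map each sample request label to the Sid that denies it (or None)."""
    return {label: explicit_deny(POLICY, a, r, ctx) for label, a, r, ctx in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, sid in check_sample_requests().items():
        print(f"{label:<18} -> {sid or 'not denied by this policy'}")
```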
RELIABILITY PILLAR
• Focused on the ability of your systems to recover and work consistently & accurately
• Ensures your applications remain reliable even if there are traffic surges, unexpected system changes, or natural disasters
• Includes the ability to operate and test your AWS workloads throughout their entire lifecycle
• Accentuates the concept of Recovery in your cloud solutions in AWS to meet your strict Recovery Time Objective (RTO) and Recovery Point Objective (RPO) requirements
• Verifies that your application has the ability to recover from service disruptions, natural disasters, application failures, and other types of outages
• Checks if your cloud architecture can dynamically acquire computing resources to meet the changing demand of your application
• Examples of Reliable AWS solutions:
  • A system that is able to recover from infrastructure or service disruptions by using redundant AWS resources such as an Amazon RDS database in a Multi-AZ Deployments configuration, Amazon Aurora Global Database, or an application deployed in multiple Availability Zones or AWS Regions.
  • Implementing Amazon EC2 Auto Scaling across multiple Availability Zones behind an Application Load Balancer to automatically recover from outages and dynamically acquire computing resources to avoid system degradation.
  • Using Cross-Region Replication for databases, S3 buckets, and other resources to increase the ability of your systems to recover.
• DESIGN PRINCIPLES: Automatically Recover from Failure; Test Recovery Procedures; Scale Horizontally to Increase Aggregate Workload Availability; Stop Guessing Capacity; Manage Change through Automation
• BEST PRACTICE AREAS: Foundations for Reliability; Workload Architecture; Change Management; Failure Management

PERFORMANCE EFFICIENCY PILLAR
• Covers the ability to improve performance factors efficiently to meet your system requirements
• Focuses on achieving and maintaining a high level of efficiency even as your customer demand changes
• Adopting new technologies (e.g. Serverless, Containerization)
• Re-factoring/re-architecting the existing design of your system to improve application performance
• Example AWS solution that demonstrates Performance Efficiency: re-architecting an on-premises monolithic system to become a Serverless Application to efficiently lessen the operating cost, enhance scalability and further improve other performance factors.
• DESIGN PRINCIPLES: Democratize Advanced Technologies; Go Global in Minutes; Use Serverless Architectures; Experiment More Often; Consider Mechanical Sympathy
• BEST PRACTICE AREAS: Selection; Review; Monitoring; Trade-offs

COST OPTIMIZATION PILLAR
• Focuses on the ability to run your systems and deliver business value at the lowest price point possible
• A continual process of improving your AWS workloads while minimizing costs to achieve the outcomes expected of the business in a cost-effective manner
• Aims to increase revenue and maximize return on investment (ROI)
• Example of a Cost-Optimized AWS Solution: adopting a Consumption Model via Pay-as-you-go pricing where you only pay for the resources that you actually consume, or using AWS Serverless services.
• Removes the reliance on elaborate forecasting to determine the expected usage of your compute resources
• Less dependency on extremely inaccurate forecasting and guesswork in terms of capital expenditures (CAPEX) or operating expenses (OPEX)
• Trade Fixed Expense for Variable Expense by choosing Pay-As-You-Go Pricing and adopting a cost-effective Serverless Architecture
• Have the ability to dynamically increase or decrease resource usage to meet the ever-changing requirements of the business
• DESIGN PRINCIPLES: Implement Cloud Financial Management; Adopt a Consumption Model; Measure Overall Efficiency; Stop Spending Money on Undifferentiated Heavy Lifting; Analyze and Attribute Expenditure
• BEST PRACTICE AREAS: Practice Cloud Financial Management; Expenditure & Usage Awareness; Cost-effective Resources; Manage Demand & Supply Resources; Optimize over Time

SUSTAINABILITY PILLAR
• All about sustainable development, which addresses the long-term environmental, economic, and societal impact of your business operations as you use the AWS Cloud
• A Sustainable Development is: "...a type of development that meets the needs of the present without compromising the ability of future generations to meet their own needs"
• Aims to lessen negative environmental impacts such as carbon emissions, unrecyclable waste, and damage to shared natural resources
• Focuses on Environmental Sustainability, which is a shared responsibility between you & AWS
• DESIGN PRINCIPLES: Understand your Impact; Establish Sustainability Goals; Maximize Utilization; Anticipate and Adopt New, More Efficient Hardware & Software Offerings; Use Managed Services; Reduce the Downstream Impact of your Cloud Workloads
• BEST PRACTICE AREAS: Region Selection; User Behavior Patterns; Software & Architecture Patterns; Data Patterns; Hardware Patterns; Development & Deployment Process
AWS Services Overview
Host
Web Apps
Develop
Mobile Apps
Run Real-Time
Data Analytics
Store Data
for Backup
COMPUTE SERVICES
PER CATEGORY
Amazon EC2 AWS Lambda
AWS Outposts Amazon Lightsail
Amazon Elastic Compute Cloud
Amazon S3 Amazon Simple Storage Service
Amazon RDS Amazon Relational Database Service
Amazon EC2
Fully Managed
Amazon Elastic Kubernetes Service (EKS)
Amazon FSx for Lustre (FSx)
Amazon Elasticsearch Service
By: Open Source Technology
Amazon Route 53
What’s the
meaning of
this
number?
PORT
Routes Traffic
The number 53 is the TCP and UDP Port Number
used for the Domain Name System (DNS) protocol transport
AWS_Certified_Solutions_Architect_Associate_SAA-C03_Slides_Tutorials_Dojo.pdf
Amazon Elastic Kubernetes
Service
Amazon Elastic Container
Service
Amazon EC2
AWS Compute Services
Overview
Amazon EC2 AWS Lambda
AWS Outposts
AWS Elastic Beanstalk
Amazon LightSail AWS Batch Amazon ECS
Amazon EKS
AWS Fargate
Virtual Machines Serverless Orchestration Container
AWS Compute Services
Virtual Machines
VIRTUALIZATION
Used by MULTIPLE Tenants / Customers Used by a SINGLE Customer
DEFAULT
VIRTUALIZATION
CUSTOM
VIRTUALIZATION
Instance
Also called a
Virtual Machine Monitor
or a
Hypervisor
Storage
Virtual
CPU
Network
SHARED DEDICATED
On-premises data center
Serverless Hybrid
Fully Managed By:
SSH or RDP
Unlike
Amazon EC2
NO DIRECT
Server access
via:
CPU
Amazon EC2
• A computing service that runs virtual servers in AWS
• Allows you to launch Windows, Linux or even MacOS virtual
machines
• A type of an Infrastructure as a Service (IaaS)
• A basic building block for your cloud architecture
• Used by other AWS services as an underlying compute service
Amazon EC2
Shared Responsibility Model
Host
OS
Guest
OS
Elastic Compute Cloud
Amazon EC2
• Flexible
• Customizable
• Scalable
Elastic Compute Cloud
Amazon EC2
Elastic Compute Cloud
EC2
Lambda function
Fully Managed By:
RUNTIME ENVIRONMENT
CUSTOM
RUNTIME
Serverless
AWS Lambda
SSH connection
Remote Desktop connection
AWS Batch AWS Elastic Beanstalk
Orchestration
AWS Batch
• Enables you to run batch computing workloads
• Dynamically provisions the optimal quantity and type of compute
resources, based on the volume and specific resource
requirements.
• Does the planning, scheduling, and execution of your batch
computing workloads using Amazon EC2 instances.
AWS Elastic
Beanstalk
• Automates the deployment, management, scaling, and monitoring
of your custom applications in AWS
• Just upload your application and it will automatically handle the
common tasks to run your application.
• Handles capacity provisioning, load balancing, database
management, auto-scaling, and health monitoring
Jack
Beanstalk
and the
AWS Elastic
Beanstalk
Your Applications
Your Applications
AWS Elastic
Beanstalk
Beanstalk
• An easy-to-use Virtual Private Server (VPS)
• Has its own web management console
• Also provides other services like databases, load balancers, DNS
records and many more.
Amazon LightSail
AWS Outposts
• A hybrid service that allows you to run AWS services, like Amazon
EC2, in your on-premises data center
AWS Outposts
AWS Container Services Overview: Amazon ECS, Amazon EKS, AWS Fargate, Amazon ECR; CLI tools: AWS App2Container (A2C), AWS Copilot
• Virtual Machine vs Container (diagram): a container stack is Host OS, then Container Engine, then App Container 1, 2 and 3; a virtual machine stack is Hypervisor, then Guest OS, then the app (a VM can also run containers)
• Hypervisor types (diagram): Bare Metal (runs directly on the firmware) and Hosted (runs on top of a Host OS)
Amazon ECS
• Amazon Elastic Container Service (Amazon ECS)
• A container orchestration service that supports Docker containers
• Allows you to easily install, operate, and scale your cluster management infrastructure in AWS
• Containers are defined in a task definition, which you use to run an ECS task or to group tasks together as an ECS service
• Runs your ECS tasks using Amazon EC2 or AWS Fargate
• An IAM Role can be attached to your ECS task in the TaskRoleArn property of your task definition for security control
• Store your Docker images in Amazon ECR
• Integrations (diagram): Amazon SQS with your ECS tasks; storage via Amazon EFS and Amazon FSx; scaling via Service Auto Scaling
Amazon EKS
• Amazon Elastic Kubernetes Service (Amazon EKS)
• A fully managed Kubernetes service
• Kubernetes is a portable, extensible, and open-source platform for managing containerized workloads and services
• Containers are grouped into Pods, the basic operational unit of Kubernetes
• Launches and orchestrates a cluster of compute resources using Amazon EC2 or AWS Fargate
• Considered cloud-agnostic, as it allows you to easily move your workloads to your on-premises network or to other cloud service providers like Microsoft Azure, Google Cloud Platform (GCP), et cetera
AWS Fargate
• A serverless compute engine
• Works with Amazon ECS and Amazon EKS
• Allows you to focus on building your applications without worrying about server provisioning, scaling, and management
• Provides a more cost-effective solution than a container running on the Amazon EC2 launch type
• Runs each ECS task or Kubernetes pod in its own kernel
• Provides the tasks and pods with their own isolated compute environment
Amazon ECR
• Amazon Elastic Container Registry (Amazon ECR)
• A fully-managed Docker container registry
• Allows you to store, manage, and deploy Docker container
images.
• Integrated with Amazon ECS
• Stores your Docker images in a highly available and scalable architecture
• You can use IAM to provide resource-level control of each
repository.
• A command-line tool
• Transforms .NET & Java applications to containerized applications
• Packages the application artifact and dependencies into container
images.
• Configures the network ports and generates the ECS task and
Kubernetes pod definitions.
AWS App2Container (A2C)
AWS Copilot
• Also a command-line tool, just like AWS App2Container (A2C)
• Enables you to quickly launch and easily manage containerized
applications on AWS
• Automates the deployment lifecycle of your containers
AWS Storage Services Overview: Amazon EC2 Instance Store (a built-in component of EC2 and NOT a full-fledged AWS service), Amazon Elastic Block Store (Amazon EBS), Amazon Elastic File System (Amazon EFS), Amazon Simple Storage Service (Amazon S3), Amazon S3 Glacier, Amazon FSx for Lustre, Amazon FSx for Windows File Server, AWS Backup, AWS Storage Gateway
Amazon EC2 Instance Store
• A temporary or ephemeral block-level storage
• Uses the local disks or storage volumes that are physically attached to the underlying host computer that powers your Amazon EC2 instance
• Provides low-latency access to your data
• Loses its stored data if:
  • The underlying local storage fails
  • The Amazon EC2 instance stops, hibernates, or terminates
Amazon Elastic Block Store (Amazon EBS)
• A persistent block-level storage service
• Your data will still be there even if you stop, restart, or terminate your Amazon EC2 instance, unlike the Amazon EC2 Instance Store
• Also called EBS Volumes
• Mounted or attached to your Amazon EC2 instances
• Zonal in scope: you can only attach a volume to EC2 instances in the same Availability Zone
• Can be encrypted at rest using AWS Key Management Service (AWS KMS)
Amazon EBS volume types (comparison table)
• Solid State Drive (SSD)
  • Dominant performance attribute: IOPS (Input/Output Operations Per Second)
  • Read & write speeds: fast
  • Use case: workloads with frequent read/write operations
  • Can be used as a boot volume for Amazon EC2: Yes
  • Types: General Purpose SSD (gp) and Provisioned IOPS SSD (io)
• Hard Disk Drive (HDD)
  • Dominant performance attribute: Throughput (Megabit per second (Mbps))
  • Read & write speeds: slow
  • Use case: data archiving, backups or throughput-oriented storage
  • Can be used as a boot volume for Amazon EC2: No
  • Types: Throughput Optimized HDD (st) and Cold HDD (sc)
• Faster data retrieval than Amazon S3 or Amazon EFS
• An EBS volume can only be attached to a single Amazon EC2 instance at a time
• EBS Multi-Attach: a Provisioned IOPS SSD (io) volume can be attached to multiple Nitro-based Amazon EC2 instances at once, but there is no concurrent file modification (diagram: File-Manila.txt), unlike a shared file system such as Amazon EFS
• An object storage service
• Highly durable and scalable
• Can store virtually unlimited amounts of data
• The files are called “objects” that you upload to an S3 Bucket
• Access files via a REST API call
Amazon Simple Storage
Service
(Amazon S3)
Amazon S3 Storage Classes
• S3 Standard: for frequently accessed data
• S3 Intelligent-Tiering: for changing or unknown access patterns
• S3 Standard-IA (Infrequent Access) and S3 One Zone-IA (Infrequent Access): for storing long-lived, yet less frequently accessed data
• S3 Glacier and S3 Glacier Deep Archive: for low-cost long-term storage and data archiving
• Lifecycle Policy (diagram): objects move from S3 Standard through S3 Intelligent-Tiering, S3 Standard-IA or S3 One Zone-IA, then S3 Glacier, then S3 Glacier Deep Archive, at ages such as 30 days, 90 days and 180 days
Amazon S3 features
• Access Control List (ACL) and Bucket Policy: secure access to your S3 buckets and objects, and control external access to your Amazon S3 bucket
• S3 Versioning and Multi-Factor Authentication (MFA): prevent accidental data deletion in Amazon S3 (versioning keeps every version x.* of an object)
• Cross Region Replication (CRR): automatically replicate objects to a different AWS Region for backup purposes
• Transfer Acceleration and Multipart Upload: accelerate or expedite the data transfer (upload/download) of S3 objects
• …and many more S3 features!
Amazon S3 Glacier
• One of the storage classes in Amazon S3
• Has its own web management console apart from Amazon S3, where archives are stored in a Vault
• Based on the word Glacier: meant for rarely accessed (cold) data rather than frequently accessed (hot) data, much like the Cold HDD (sc) volume type in EBS
• Low-cost storage for data archiving and long-term backup
S3 Glacier vs S3 Glacier Deep Archive (comparison table)
• Cost: S3 Glacier is LOW; S3 Glacier Deep Archive is the LOWEST
• Minimum storage duration: S3 Glacier 90 days; S3 Glacier Deep Archive 180 days
• Data deleted after 1 day (24 hours): S3 Glacier bills you for the entire 90 days; S3 Glacier Deep Archive bills you for the entire 180 days
• Data deleted after 90 days: S3 Glacier charges normal storage usage; S3 Glacier Deep Archive still bills you for the entire 180 days
• Data deleted after 180 days: both charge normal storage usage
S3 Standard vs S3 Glacier (comparison table)
• Cost: S3 Standard is the HIGHEST; S3 Glacier is the LOWEST
• Minimum storage duration: S3 Standard none; S3 Glacier 90 days
• Data deleted after 1 day (24 hours): S3 Standard charges regular storage usage (24 hours); S3 Glacier bills you for the entire 90 days
• Data deleted after 30 days: S3 Standard charges regular storage usage (30 days); S3 Glacier bills you for the entire 90 days
• Data deleted after 90 days: both charge regular storage usage (90 days)
• Storage is metered as Timed Storage - Byte Hours
Archive Retrieval Options (comparison table)
• S3 Glacier: Expedited 1 - 5 minutes; Standard 3 - 5 hours; Bulk 5 - 12 hours
• S3 Glacier Deep Archive: Expedited NOT AVAILABLE; Standard within 12 hours; Bulk within 48 hours
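The lifecycle transitions and minimum-storage-duration billing above, modelled in Python as an added example (not part of the deck): the rule dict follows the shape of the Transitions list in the S3 lifecycle configuration API, the 30-day minimum for the Infrequent Access classes is an AWS fact not stated on the slide, and the rule ID, prefix and object ages are constructed.

```python
"""Model the S3 lifecycle transitions and minimum-storage-duration billing
from the slides.  Added example, not the deck's own code."""

# Minimum storage duration in days per storage class.  Standard: none,
# Glacier: 90, Deep Archive: 180 come from the slides; the 30-day minimum
# for the Infrequent Access classes is an AWS fact added here.
MIN_DURATION_DAYS = {
    "STANDARD": 0,
    "INTELLIGENT_TIERING": 0,
    "STANDARD_IA": 30,
    "ONEZONE_IA": 30,
    "GLACIER": 90,
    "DEEP_ARCHIVE": 180,
}

# Lifecycle rule mirroring the slide: Standard -> Standard-IA at 30 days
# -> Glacier at 90 days -> Deep Archive at 180 days.  Same shape as the
# Transitions list that the S3 lifecycle configuration API accepts.
# Rule ID and prefix are constructed.
LIFECYCLE_RULE = {
    "ID": "archive-old-logs",
    "Status": "Enabled",
    "Filter": {"Prefix": "logs/"},
    "Transitions": [
        {"Days": 30, "StorageClass": "STANDARD_IA"},
        {"Days": 90, "StorageClass": "GLACIER"},
        {"Days": 180, "StorageClass": "DEEP_ARCHIVE"},
    ],
}


def validate_rule(rule):
    """Return a list of problems with a lifecycle rule; an empty list means OK."""
    problems = []
    prev_days = -1
    for t in rule.get("Transitions", []):
        cls, days = t["StorageClass"], t["Days"]
        if cls not in MIN_DURATION_DAYS:
            problems.append(f"unknown storage class {cls}")
            continue
        # Each hop must happen after the previous one (waterfall order).
        if days <= prev_days:
            problems.append(f"transition to {cls} at day {days} is not after the previous one")
        # S3 only moves objects to the IA classes once they are 30 days old.
        if cls in ("STANDARD_IA", "ONEZONE_IA") and days < 30:
            problems.append(f"transition to {cls} must be at least 30 days after creation")
        prev_days = days
    return problems


def storage_class_at(rule, age_days):
    """Storage class an object of the given age is in under this rule."""
    current = "STANDARD"
    for t in rule["Transitions"]:
        if age_days >= t["Days"]:
            current = t["StorageClass"]
    return current


def billable_days(storage_class, days_stored):
    """Days you pay for: deleting early still bills the whole minimum duration."""
    return max(days_stored, MIN_DURATION_DAYS[storage_class])


def billable_byte_hours(storage_class, size_bytes, days_stored):
    """Timed storage is metered in byte-hours, as the slide notes."""
    return size_bytes * billable_days(storage_class, days_stored) * 24


if __name__ == "__main__":
    print("rule problems:", validate_rule(LIFECYCLE_RULE))
    for age in (10, 45, 120, 400):
        print(f"object aged {age} days is in {storage_class_at(LIFECYCLE_RULE, age)}")
    # Deleting a Glacier object after one day is billed as if it lived 90 days.
    print("Glacier, deleted after 1 day ->", billable_days("GLACIER", 1), "billable days")
```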
Amazon Elastic File System (Amazon EFS)
• A scalable shared file storage service
• Provides a POSIX-compliant (Portable Operating System Interface) shared file system
• Can be simultaneously accessed by multiple Amazon Linux EC2 instances in different Availability Zones
• Uses the Network File System (NFS) protocol; works as a file share
• Only supports Linux servers (Windows file shares are served by Amazon FSx for Windows File Server instead)
• Lifecycle Policy (diagram): files move from EFS Standard to EFS Infrequent Access (IA), for example after 30 days
Amazon FSx: Amazon FSx for Windows File Server and Amazon FSx for Lustre
Amazon FSx for Lustre
Amazon FSx for Lustre
• Lustre = Linux + Cluster: an open-source, parallel file system used for large-scale cluster computing
• Primarily used for High-Performance Computing (HPC) and Machine Learning applications
• For workloads that need high-performance parallel storage for frequently accessed (hot) data
• Provides a throughput of hundreds of gigabytes per second
• Offers millions of IOPS
• You can mount an Amazon FSx for Lustre file share to Amazon EC2, Amazon ECS, and Amazon EKS
• Use the Container Storage Interface (CSI) driver to connect it to your Amazon EKS cluster
Amazon FSx for Windows File Server
• A fully managed Microsoft Windows file server service
• Uses the Server Message Block (SMB) protocol
• Can be integrated with your existing Microsoft Active Directory or with AWS Managed Microsoft AD
• Can be used as shared file storage for your Microsoft SQL Server, Microsoft SharePoint, and Microsoft Windows containers
AWS Backup
• A fully managed backup service
• Automates your server and database backup processes
• Centralizes the service-level snapshots and backups of Amazon EC2, Amazon EBS, Amazon RDS, Amazon Aurora, Amazon DynamoDB, Amazon EFS, Amazon FSx, and AWS Storage Gateway
• Retention (diagram): service-level automated backups keep 7 days by default and 35 days at most, while AWS Backup can retain data for 90 days, one year or even more!
AWS Storage Gateway
• A hybrid cloud storage service
• Connects your on-premises applications and data storage to the AWS Cloud
• Integrates your local and cloud storage systems by using a gateway, deployed as a virtual machine in your on-premises data center or as a hardware appliance hosted on-premises, to replicate your local data to Amazon S3
• File Gateway
  • Store and retrieve objects in Amazon S3 using the NFS and SMB protocols
  • Can be integrated with Microsoft Active Directory or AWS Managed Microsoft AD
• Volume Gateway
  • Provides block storage to your on-premises apps with low latency via the Internet Small Computer System Interface (iSCSI)
  • Uses Amazon S3 for point-in-time snapshots of your EBS volumes
  • Cached volumes: store a subset of frequently accessed data locally and use S3 as the primary storage
  • Stored volumes: store the entire dataset locally and asynchronously back up the data to AWS
• Tape Gateway
  • A cloud-based Virtual Tape Library
  • Uses Amazon S3 to back up the tapes; archived tapes can be stored in S3 Glacier or S3 Glacier Deep Archive
  • Reduces costs by eliminating the use of physical backup tapes
  • On-premises apps connect to the tape gateway as iSCSI devices
AWS Storage Gateway vs AWS DataSync (diagram)
• AWS Storage Gateway is for INTEGRATION: it replicates data while the on-premises data (e.g. on a Storage Area Network) will still be actively used
• AWS DataSync is for MIGRATION: it moves data when the on-premises data would not be utilized anymore or will be decommissioned
AWS Database Services Overview
• Relational (ACID: Atomicity, Consistency, Isolation, Durability): Amazon RDS, Amazon Aurora
• NoSQL: Amazon DynamoDB, Amazon DocumentDB
• In-Memory: Amazon ElastiCache (Redis and Memcached)
• Data warehouse: Amazon Redshift
• Other Databases: Amazon Neptune, Amazon Quantum Ledger Database, Amazon Keyspaces, Amazon Timestream
Amazon Relational Database Service (Amazon RDS)
• A relational database that is managed by both you (limited access) and AWS
• The time-consuming tasks, such as hardware provisioning, patching, backups, and maintenance, are handled by AWS
• You can configure the underlying EC2 instance used by your RDS DB instance: the Amazon EC2 instance type, network access (Amazon VPC and VPC Endpoint), and storage
• You decide the actual time for patches (such as a security patch) to be applied, via the maintenance window
• Can run various types of database engines, including Microsoft SQL Server, PostgreSQL, and Amazon Aurora
Deployment options (diagram, N. Virginia Region, VPC A)
• Single-AZ: one PRIMARY DB instance in Availability Zone 1
• Multi-AZ: the PRIMARY in Availability Zone 1 with a STANDBY in Availability Zone 2 kept up to date by synchronous replication
• Read Replicas: a READ REPLICA in Availability Zone 3 fed by asynchronous replication, and optionally a cross-region READ REPLICA in another VPC (VPC B, Ohio Region), also via asynchronous replication
Amazon Aurora
• A type of database engine (that you can run on Amazon RDS) and a fully managed database service
• Compatible with PostgreSQL
• Scales automatically, performs faster, and costs less than other databases
• Can automatically grow its data storage
• Deployed as a database cluster that consists of a PRIMARY instance and READ REPLICA instances, similar to Multi-AZ Deployments in Amazon RDS
• A cluster has a single-master configuration where applications can only write data to a single, master DB instance
• In a multi-master cluster, all DB instances have read/write capability
• Suitable for applications that read or write constantly changing data, such as Online Transaction Processing (OLTP) applications
Amazon Redshift
• A fully managed data warehouse
• Allows you to analyze all your data using standard SQL or through your existing Business Intelligence tools
• Optimized to analyze relational data coming from transactional systems, business applications, and other sources for fast SQL queries
• Offers a concurrency scaling feature that supports virtually unlimited concurrent users and concurrent queries
• Has a feature called Redshift Spectrum that allows you to query and retrieve structured and semistructured data from files stored in Amazon S3
• Primarily used for Online Analytical Processing (OLAP) applications like data reporting and analytics
NoSQL Databases: Amazon DynamoDB and Amazon DocumentDB
Amazon DynamoDB
• A fully managed NoSQL database service
• A non-relational database that does not have a rigid schema or extensive table relationships
• Relational vs non-relational (diagram): relational tables are linked through foreign-key relationships and JOINs; DynamoDB tables (Dynamo Table #1, Dynamo Table #2) hold items made up of attributes, with no relationship between the tables
Amazon DocumentDB
• A fast, scalable, highly available MongoDB-compatible database service
• MongoDB is a cross-platform, document-oriented NoSQL database program
• Each document contains fields and values in JSON format, with no rigid schema enforced
• Relational vs document database (diagram): instead of a table, a COLLECTION holds DOCUMENTs such as:
  {
    "id": 1898,
    "gid": "tutorialsdojo1898",
    "firstName": "Jose",
    "lastName": "Rizal",
    "profile": {
      "nationality": "Filipino",
      "country": "Philippines",
      "birthPlace": "Laguna"
    }
  }
In-Memory Database
Amazon ElastiCache
• A caching service
• Allows you to set up, run, and scale open-source in-memory databases like Redis and Memcached
• Faster than disk-based databases, with sub-millisecond latency
• Useful for database caching that eliminates unnecessary frequent calls to the database just to return identical datasets (diagram: with NO CACHE every request hits the database; when CACHED, repeated requests are served from ElastiCache)
• Useful for real-time analytics, distributed session management, geospatial services, and many more
• Can be integrated into your apps with minimal code change
• Supports data partitioning
Amazon ElastiCache for Memcached
• Based on the open-source Memcached in-memory data store
• Suitable for building a simple, scalable caching layer for your data-intensive apps
• Multithreaded: it can utilize multiple processing cores
• Lacks data replication capability
• Does not:
  • Support advanced data structures
  • Provide a highly available caching layer
Amazon ElastiCache for Redis
• Redis stands for REmote DIctionary Server
• Based on the open-source Redis in-memory data store
• Provides:
  • Advanced data structures
  • Pub/Sub messaging
  • Geospatial support
  • Point-in-time snapshot support
• Has a replication feature that provides high availability via data replication
• You can enable Cluster Mode in Redis to have multiple primary nodes and replicas across two or more Availability Zones
Amazon Keyspaces
• A scalable, highly available, and managed Apache Cassandra-compatible database service
• An open-source, wide column data store that is
designed to handle large amounts of data.
• Run your Cassandra workloads on AWS without having to provision,
patch, or manage servers.
Amazon Neptune
• A fast, reliable, fully-managed graph database service
• Makes it easy for you to build and run applications that work with
highly connected datasets
• Allows you to store billions of relationships and query your
data graphs with milliseconds latency.
• Uses nodes to store data entities and edges to store
relationships between entities.
Amazon Timestream
• A fast, scalable, and serverless time series database service
• Primarily used for Internet-of-Things and operational
applications.
• Track the changes of your data
• Can be used to track stock prices, temperature measurements,
and the CPU utilization of an EC2 instance over a specific amount
of time.
• Time series (diagram): a value recorded at 9 AM, 10 AM, 11 AM, and 12 PM
Amazon Quantum Ledger
(Amazon QLDB)
• A fully managed ledger database service.
• Provides a transparent and immutable transaction log that is
owned by a central trusted authority.
• Creates logs that are cryptographically verifiable
• Provides an auditable history of all changes made to your application data
• Can be used to track each and every application data change.
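A toy hash-chained log, added here (not the deck's code and not QLDB's implementation, which verifies its journal with a SHA-256 Merkle tree and a digest you can fetch with its GetDigest API) to show what "cryptographically verifiable" buys a defender: any rewrite of history breaks the chain unless every later hash is recomputed, and a tip digest stored separately exposes even that. The Vehicle records are constructed sample data.

```python
"""Hash-chained, append-only log: a minimal illustration of the
'cryptographically verifiable' property the slide attributes to Amazon QLDB.
Added example; this is NOT QLDB's implementation (QLDB's journal uses a
SHA-256 Merkle tree and published digests), only the core idea."""
import hashlib
import json


def _digest(prev_hash, entry):
    """SHA-256 over (previous hash || canonical JSON of the entry)."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


class VerifiableLog:
    """Every block commits to the whole history before it via prev_hash."""

    GENESIS = "0" * 64  # the 'previous hash' of the very first block

    def __init__(self):
        self.blocks = []  # each block: {"seq", "entry", "hash"}

    def append(self, entry):
        prev = self.tip()
        block = {"seq": len(self.blocks), "entry": entry, "hash": _digest(prev, entry)}
        self.blocks.append(block)
        return block["hash"]

    def tip(self):
        """Current digest; keep a copy out-of-band to detect a full rewrite."""
        return self.blocks[-1]["hash"] if self.blocks else self.GENESIS

    def verify(self):
        """Recompute the chain; -1 if intact, else the seq of the first bad block."""
        prev = self.GENESIS
        for block in self.blocks:
            if block["hash"] != _digest(prev, block["entry"]):
                return block["seq"]
            prev = block["hash"]
        return -1


def demo():
    """Append two constructed application changes, then tamper with history."""
    log = VerifiableLog()
    log.append({"op": "insert", "table": "Vehicle", "vin": "TD-1898", "owner": "Jose Rizal"})
    log.append({"op": "update", "table": "Vehicle", "vin": "TD-1898", "owner": "Tutorials Dojo"})
    tip_before = log.tip()
    intact = log.verify()            # -1: chain is consistent
    # Someone with write access to the store rewrites the first change...
    log.blocks[0]["entry"]["owner"] = "Someone Else"
    first_bad = log.verify()         # 0: block 0 no longer matches its hash
    # ...and had they recomputed every hash instead, the tip would differ from
    # the digest saved elsewhere, which is what QLDB's GetDigest is for.
    return intact, first_bad, log.tip() == tip_before


if __name__ == "__main__":
    print(demo())  # (-1, 0, True)
```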
AWS Deployment Services Overview
• Infrastructure as Code (IaC): a definition file describes your infrastructure, which can then be deployed to an on-premises data center, a hybrid setup, or multiple clouds
• AWS Deployment Services: AWS CloudFormation, AWS Elastic Beanstalk, AWS CodeDeploy, Amazon ECS Anywhere, Amazon EKS Anywhere, AWS OpsWorks, AWS Proton
AWS CloudFormation
• Provisions and manages your AWS resources using a custom code template in JSON or YAML format
• Has a built-in graphical drag-and-drop online tool called CloudFormation Designer
• The primary Infrastructure as Code (IaC) service in AWS
• Provides different features such as Nested Stacks, Change Sets, StackSets and others
  • Nested Stack (diagram): a ROOT STACK that contains an APPLICATION STACK and a DATABASE STACK as child stacks
  • Change Set (diagram): provides a preview of a change (e.g. renaming DOJO DB to DOGGO DB) before the actual change is applied to the stack
  • StackSet (diagram): multiple stacks managed as one set
• Related tools: AWS Cloud Development Kit (AWS CDK), AWS Serverless Application Model (AWS SAM), and the AWS Serverless Application Repository
AWS Elastic Beanstalk
• Allows you to upload your application code to AWS and easily provision the required cloud environment
• Automatically deploys the necessary AWS resources and components to run your application
• Environment Tiers: Web Server and Worker
• Uses configuration files to automatically deploy and configure your applications; all configuration files are stored in the .ebextensions folder
AWS CodeDeploy
• A fully managed deployment service
• Automates your application deployments to Amazon EC2
instances, Amazon ECS clusters, AWS Lambda functions, and
other computing services in AWS
• Capable of doing hybrid deployment of your applications to
your on-premises data center and to AWS
• Does NOT create or provision AWS resources, unlike the AWS
CloudFormation service
Amazon ECS
• A container orchestration service that supports Docker containers
• Automates the process of installing, operating, managing, networking and scaling your cluster management infrastructure in AWS
• Launch options (diagram): Amazon EC2 instances inside your Amazon VPC, AWS Fargate (serverless), or Amazon ECS Anywhere for containers in your on-premises data center; monitored with Amazon CloudWatch Container Insights
Amazon EKS
• A managed orchestration service that supports Kubernetes containers
• Automates the process of installing, operating, managing, networking and scaling your Kubernetes control plane, pods and nodes in AWS
Amazon EKS deployment options (comparison table)
• Amazon EKS on AWS (worker nodes on Amazon EC2 or AWS Fargate)
  • Physical servers supplied by AWS
  • Support provided by AWS Support
  • Kubernetes control plane managed by AWS
  • Kubernetes data plane managed by AWS
• Amazon EKS on AWS Outposts (Kubernetes cluster in your on-premises data center on AWS Outposts)
  • Physical rack server supplied by AWS but managed by you
  • Support provided by AWS Support
  • Kubernetes control plane managed by AWS
  • Kubernetes data plane managed by you
• Amazon EKS Anywhere (Kubernetes cluster running on-premises via Amazon EKS Anywhere)
  • Physical server supplied and managed by you
  • Support provided by AWS Support
  • Kubernetes control plane managed by you
  • Kubernetes data plane managed by you
• Amazon EKS Distro (Kubernetes cluster running on-premises via Amazon EKS Distro)
  • Physical server supplied and managed by you
  • No AWS Support
  • Kubernetes control plane managed by you
  • Kubernetes data plane managed by you
AWS OpsWorks
• A configuration management service
• Provides managed instances for your autom ation platforms based on Chef and Puppet
• Automates how your servers are provisioned, configured, and managed across Amazon EC2 instances and on-premises servers
• Offerings: AWS OpsWorks Stacks, AWS OpsWorks for Chef Automate, AWS OpsWorks for Puppet Enterprise
AWS Proton
• A service that automates container & serverless deployment
• Ensures that you have consistent development standards and
best practices across your AWS account
• Deploys container and serverless applications using pre-
approved stacks that your platform team manages.
• Grants developers the freedom to innovate but still within the set
guardrails that the security team implemented
• Offers a self-service portal for your developers
• Provides AWS Proton templates, which contain all the information required to deploy your custom environments and services
AWS Monitoring Services Overview
• Monitoring (diagram): collect logs and metrics such as CPU, storage and network utilization, and forecast conditions such as high CPU utilization
• AWS Monitoring Services: Amazon CloudWatch, AWS Service Health Dashboard, AWS Personal Health Dashboard, AWS Health API
Amazon CloudWatch
• A suite of AWS services used in monitoring your systems on both the AWS Cloud and your on-premises data center
• A metrics repository that collects system data from AWS services as well as your custom metrics
• Monitors and analyzes system metrics
• Notifies you if a certain threshold has been reached
• Triggers an action based on a specific threshold or events that you define
• Components: Metrics, Logs, Alarms, Events, Dashboards
Amazon CloudWatch Metrics
• Collect metrics from various AWS Services and your custom
applications
• Aggregate (combine) metrics across multiple resources
• Most AWS services send metric data to CloudWatch every 1 minute
by default
• For Amazon EC2, the default frequency is every 5 minutes
• Detailed Monitoring sends EC2 metrics data every 1 minute
Amazon CloudWatch Logs
• Primarily used for logs monitoring
• Allows you to monitor, store, access, analyze or query the logs from your AWS resources or from your custom applications
• Install the CloudWatch Logs agent on your EC2 instances to automatically collect and publish your application logs to CloudWatch (diagram: the CloudWatch Logs Agent on an Amazon EC2 instance ships logs to Amazon CloudWatch Logs)
Amazon CloudWatch Alarms
• Allows you to create alarms for your monitoring
• Performs one or more actions based on a system metric and a
specific threshold
• Can notify you or other systems/services using Amazon SNS
• Can trigger a custom action, such as:
• Auto Scaling your EC2 instances
• Sending a billing alert
• Invoking a Lambda function
• … and many more!
Amazon CloudWatch Events
• Monitors and responds to the system/service events of your
AWS resource in near real-time
• Allows you to create a CloudWatch Event rule to track the
changes or the state of your services
• Invokes a certain action if a specific event matched your Event
rule
• Allows you to create a scheduled job that invokes a Lambda
function on a regular basis, like every hour, every day, every week,
or any schedule that you like.
• Amazon EventBridge: CloudWatch Events and Amazon EventBridge share the same underlying service and API, but the latter provides more features
Amazon CloudWatch Dashboards
• A customizable dashboard containing your AWS system metrics
• Monitor your resources in a single view, even if those resources
are located across different AWS Regions
• Allows you to publish and view your custom metrics
AWS Service Health Dashboard: shows the service status of AWS services in every Region, with RSS feeds you can subscribe to
• A personalized dashboard that shows the status of the AWS
services that you are using
• Does NOT show you the status of all the AWS services globally but
only the status of the AWS services that you have in your account.
• Shows the AWS Health events that might affect your applications
running on AWS such as scheduled maintenance or system outages
• Allows you to create alerts and notifications based on the health
of your AWS resources
AWS Personal Health
Dashboard
• Provides programmatic access to the AWS Health information
that appears in your AWS Personal Health Dashboard
• A RESTful web service that you can access via HTTPS
• NOT available by default
• Only available in Business or Enterprise support plans
AWS Health API
AWS Audit & Compliance Services Overview (tracking resource changes and compliance): AWS CloudTrail, AWS Artifact, AWS Security Hub
AWS CloudTrail
• Tracks user activity and API usage in your AWS account
• Stores the audit log data in an Amazon S3 bucket
• Enables risk auditing by continuously monitoring and logging account activities, such as user actions made through the AWS Management Console, the AWS Command Line Interface (CLI), the AWS SDKs, and the AWS API
• Management Events (Control Plane): provide information about the management operations performed on your AWS resources, such as:
  • Attaching an IAM Role
  • Creating a new VPC
  • Creating a subnet
• Data Events (Data Plane): provide information about the resource operations performed ON your resources (e.g. an S3 bucket) or IN your resources (e.g. S3 objects), such as:
  • Amazon S3 object-level API activities
  • Invoking an AWS Lambda function
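A detection-side illustration of the management/data split above, added here and not from the deck: it classifies constructed CloudTrail-style records (eventSource, eventName, eventCategory, managementEvent, userAgent and userIdentity are real record fields; the values are made up), infers the access channel from the user agent (a heuristic), and flags the three management actions the slide names, with AttachRolePolicy standing in for "attaching an IAM Role".

```python
"""Classify CloudTrail records into management (control plane) and data
(data plane) events and flag the management actions named on the slide.
Added example; the records are constructed in the CloudTrail record format
(eventSource, eventName, eventCategory, managementEvent, userAgent and
userIdentity are real fields, the values are made up)."""

# Constructed sample records, trimmed to the fields this example reads.
SAMPLE_RECORDS = [
    {"eventTime": "2023-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "eventCategory": "Management",
     "managementEvent": True, "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "jon"}},
    {"eventTime": "2023-05-01T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateVpc", "eventCategory": "Management",
     "managementEvent": True, "userAgent": "aws-cli/2.11.0 Python/3.11.2",
     "userIdentity": {"type": "IAMUser", "userName": "jon"}},
    {"eventTime": "2023-05-01T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSubnet", "eventCategory": "Management",
     "managementEvent": True, "userAgent": "Boto3/1.26.0 Python/3.11.2",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Deployer/ci"}},
    {"eventTime": "2023-05-01T10:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "eventCategory": "Data",
     "managementEvent": False, "userAgent": "[aws-sdk-java/1.12.0]",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/WebApp/i-0abc"}},
    {"eventTime": "2023-05-01T10:04:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "Invoke", "eventCategory": "Data",
     "managementEvent": False, "userAgent": "APIGateway",
     "userIdentity": {"type": "AWSService", "invokedBy": "apigateway.amazonaws.com"}},
]

# Fallback for old record versions that carry neither the flag nor the category.
DATA_PLANE_CALLS = {
    ("s3.amazonaws.com", "GetObject"),
    ("s3.amazonaws.com", "PutObject"),
    ("s3.amazonaws.com", "DeleteObject"),
    ("lambda.amazonaws.com", "Invoke"),
}

# The slide's management-event examples; AttachRolePolicy stands in for
# "attaching an IAM Role".
WATCHED_MANAGEMENT_CALLS = {
    ("iam.amazonaws.com", "AttachRolePolicy"),
    ("ec2.amazonaws.com", "CreateVpc"),
    ("ec2.amazonaws.com", "CreateSubnet"),
}


def plane(record):
    """'control' for management events, 'data' for data events."""
    if "managementEvent" in record:
        return "control" if record["managementEvent"] else "data"
    if record.get("eventCategory") in ("Management", "Data"):
        return "control" if record["eventCategory"] == "Management" else "data"
    call = (record["eventSource"], record["eventName"])
    return "data" if call in DATA_PLANE_CALLS else "control"


def channel(record):
    """Heuristic: how the call was made, judged from the userAgent string."""
    ua = record.get("userAgent", "").lower()
    if "console.amazonaws.com" in ua:
        return "AWS Management Console"
    if ua.startswith("aws-cli"):
        return "AWS CLI"
    if "boto3" in ua or "aws-sdk" in ua:
        return "AWS SDK"
    return "AWS API / other"


def actor(record):
    """Best available name for who made the call."""
    ident = record.get("userIdentity", {})
    return (ident.get("userName") or ident.get("arn")
            or ident.get("invokedBy") or ident.get("type", "unknown"))


def summarize(records):
    """Count events per plane and describe each watched management call."""
    counts = {"control": 0, "data": 0}
    flagged = []
    for rec in records:
        counts[plane(rec)] += 1
        if (rec["eventSource"], rec["eventName"]) in WATCHED_MANAGEMENT_CALLS:
            flagged.append(f"{rec['eventTime']} {rec['eventName']} "
                           f"via {channel(rec)} by {actor(rec)}")
    return counts, flagged


if __name__ == "__main__":
    totals, alerts = summarize(SAMPLE_RECORDS)
    print(totals)          # {'control': 3, 'data': 2}
    print("\n".join(alerts))
```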
• Provides on-demand AWS security and compliance reports
• Acts as a self-service portal to find compliance-related information
and reports for:
AWS Artifact
• ISO Reports
• Payment Card Industry (PCI) reports
• Service Organization Control (SOC) reports
• . . . and many more!
• Allows you to download AWS security and compliance documents
such as SOC 1 report, ISO certifications, and other reports
• Provides a centralized & comprehensive view of the
security posture of your cloud infrastructure across multiple
AWS accounts
• Helps you to comply with your company’s specific security
standards and best practices
• Collects security alerts and findings from Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Firewall Manager, and AWS IAM Access Analyzer
AWS Security Hub
AWS Networking & Content Delivery Services Overview
• Amazon VPC, Elastic Load Balancing, Amazon Route 53, AWS Global Accelerator, Amazon CloudFront, AWS PrivateLink, AWS VPN, AWS Direct Connect, AWS Transit Gateway, Amazon API Gateway (also categorized as an Application Integration Service), AWS App Mesh, AWS Cloud Map
Amazon Virtual Private Cloud (Amazon VPC)
• VPC diagram: inside an AWS Region, a VPC with IPv4 CIDR range 10.0.0.0/16 and IPv6 CIDR range 2001:db8:1234:1a00::/56 contains a private subnet 10.0.0.0/24 (hosting Amazon RDS, Amazon EFS and Amazon FSx) and a public subnet 10.0.1.0/24 (hosting Amazon EC2), each with a route table; an Internet Gateway connects the VPC to the public Internet, and a Virtual Private Gateway terminates the connection from the Customer Gateway in your on-premises data center
• A VPC is regional (diagram: US East (Northern Virginia) and Asia Pacific (Singapore) each host their own VPCs)
• VPC Peering (diagram): connects VPC A (Manila Branch) with VPC B (New York Branch)
• Network virtualization (diagram): physical devices such as the Nitro Card for VPC (a PCIe network interface card) are presented to instances as virtual devices
• VPC extension (diagram): an AWS Outpost in your on-premises data center is attached to the VPC through a Local Gateway
• VPC Endpoint (diagram): lets Amazon EC2 in your VPC reach Amazon S3, Amazon DynamoDB and other services; the traffic does NOT pass through the public Internet
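Added example, not part of the deck: the addressing from the VPC diagram checked with Python's ipaddress module. The subnet names are constructed; the rules that subnets must sit inside the VPC CIDR and not overlap each other, that AWS reserves five addresses in every IPv4 subnet, and that peered VPCs need non-overlapping CIDRs are AWS facts not stated on the slide.

```python
"""Check the VPC addressing shown on the slide with Python's ipaddress module.
Added example, not the deck's own code; subnet names are constructed."""
import ipaddress

VPC_IPV4 = ipaddress.ip_network("10.0.0.0/16")               # from the slide
VPC_IPV6 = ipaddress.ip_network("2001:db8:1234:1a00::/56")   # from the slide

SUBNETS = {                       # constructed names; IPv4 CIDRs from the slide
    "private-subnet": "10.0.0.0/24",                  # Amazon RDS, EFS, FSx
    "public-subnet": "10.0.1.0/24",                   # Amazon EC2
    "private-subnet-v6": "2001:db8:1234:1a00::/64",   # a /64 carved from the /56
}


def check_subnets(vpc_v4, vpc_v6, subnets):
    """Return human-readable problems; an empty list means the layout is valid.

    AWS rules applied (facts not on the slide): a subnet CIDR must lie inside
    the VPC CIDR of the same IP version, and subnets in a VPC must not overlap.
    """
    problems = []
    parsed = {}
    for name, cidr in subnets.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # host bits must be 0
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        vpc = vpc_v4 if net.version == 4 else vpc_v6
        if not net.subnet_of(vpc):
            problems.append(f"{name} ({cidr}) is outside the VPC range {vpc}")
        parsed[name] = net
    names = list(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].version == parsed[b].version and parsed[a].overlaps(parsed[b]):
                problems.append(f"{a} overlaps {b}")
    return problems


def usable_hosts(cidr):
    """Addresses left for instances: AWS reserves the first four and the last
    address of every IPv4 subnet (an AWS fact not on the slide)."""
    return max(ipaddress.ip_network(cidr).num_addresses - 5, 0)


def peering_allowed(vpc_a_cidr, vpc_b_cidr):
    """VPC peering (e.g. Manila Branch <-> New York Branch) requires the two
    VPCs' CIDR blocks not to overlap (an AWS fact not on the slide)."""
    return not ipaddress.ip_network(vpc_a_cidr).overlaps(ipaddress.ip_network(vpc_b_cidr))


if __name__ == "__main__":
    print("slide layout problems:", check_subnets(VPC_IPV4, VPC_IPV6, SUBNETS))
    # A subnet from another range, and one that collides with the public subnet.
    broken = dict(SUBNETS, rogue="10.1.0.0/24", clash="10.0.1.128/25")
    for problem in check_subnets(VPC_IPV4, VPC_IPV6, broken):
        print("problem:", problem)
    print("usable hosts in 10.0.0.0/24:", usable_hosts("10.0.0.0/24"))  # 251
    print("can peer 10.0.0.0/16 with 10.1.0.0/16?", peering_allowed("10.0.0.0/16", "10.1.0.0/16"))
```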
Elastic Load Balancing
• Automatically distributes incoming traffic across multiple targets such as Amazon EC2 instances, AWS Lambda functions, Amazon ECS tasks, AWS Fargate tasks, and IP addresses
• It distributes (load balances) the incoming traffic to your underlying resources
• Provides high availability to your web applications: if one of your servers or EC2 instances fails (unhealthy resource), the request will be routed to another server (healthy resource)
• Routes incoming traffic across multiple Availability Zones, within a single AWS Region only
Types of load balancers (comparison table)
• Application Load Balancer (ALB)
  • Protocol listeners: HTTP / HTTPS, gRPC
  • Use cases: web apps, microservices & containers
• Network Load Balancer (NLB)
  • Protocol listeners: TCP / UDP, TLS
  • Use cases: handling millions of requests per second while maintaining ultra-low latencies
• Gateway Load Balancer (GWLB)
  • Protocol listeners: IP
  • Use cases: running third-party virtual appliances in AWS
• Classic Load Balancer (CLB)
  • Protocol listeners: HTTP / HTTPS, TCP, SSL/TLS
  • Use cases: legacy applications in AWS; implementing custom security policies and TCP passthrough configuration
Amazon Route 53
• A Domain Name System (DNS) web service
• DNS is a system that routes a domain name to a particular IP address
• Maps domain names to an Elastic IP address, an Amazon EC2 instance, an Amazon S3 static website, Elastic Load Balancers, Amazon CloudFront web distributions, or your on-premises data center
• Lets you buy domains and manage domains
• Root Domain (also known as Zone Apex or Naked Domain), e.g. tutorialsdojo.com, vs Subdomains, e.g. cdn.tutorialsdojo.com, portal.tutorialsdojo.com, blog.tutorialsdojo.com, philippines.tutorialsdojo.com, manila-datacenter.tutorialsdojo.com
• Routing Policies: Simple, Failover, Geolocation, Geoproximity, Latency-Based, Multivalue Answer, Weighted
AWS Global Accelerator
• Provides a set of static anycast IP addresses
• The static IP address serves as a single fixed entry point to an Elastic IP address, an Amazon EC2 instance, a Network Load Balancer, or an Application Load Balancer
• Diagram: clients connect to the static anycast IP address of AWS Global Accelerator, which forwards the traffic to the Application Load Balancer or Network Load Balancer in front of Amazon EC2 instances in the Sydney Region or the US East Region
• A content delivery network (CDN) service
• Quickly delivers static content and video stream to your clients.
• A CDN is a globally-distributed network of services/servers
spread around the globe that stores or caches your files.
• Reduces latency by shortening the time it takes to deliver your
data to your users
• Improves the response time of your application.
• Caches your images, videos, media files, or software packages
Amazon CloudFront
• Allows private connectivity to various AWS services
• Does not pass through the public Internet.
• Provides a private endpoint that you can use for your:
AWS PrivateLink
Amazon S3 Amazon
DynamoDB
Amazon EC2
Amazon VPC
Other
Services
Amazon S3
Amazon
DynamoDB
Other
Services
Amazon VPC
All are located within CLOUD
Amazon EC2
VPC Endpoint
AWS PrivateLink
• AWS Virtual Private Network, or AWS VPN
• Enables you to connect your on-premises network to AWS.
• An encrypted connection that passes through the public Internet.
• Uses the IPsec protocol to authenticate and encrypt your data in
transit.
AWS VPN
AWS VPN
AWS Client VPN
AWS Site-to-Site VPN
Client VPN
Software
Amazon VPC
AWS Transit Gateway
On-premises data center
Site-to-Site VPN Endpoint
AWS VPN
CUSTOMER GATEWAY
Client VPN Endpoint
ENDPOINTS
• Allows you to establish a dedicated network connection from
your on-premises network to AWS
• Provides a more consistent network experience over
Internet-based connections such as a VPN, and a higher
bandwidth.
• You can create a private virtual interface to enable your on-
premises servers to connect to the virtual private gateway of your
Amazon VPC.
• You can group your virtual private gateways and private virtual
interfaces using a Direct Connect Gateway.
• You can also use a public virtual interface to connect to your
Amazon S3 buckets and other public resources in AWS.
• The traffic does NOT pass through the public Internet.
AWS Direct Connect
Amazon VPC
Amazon EC2 Amazon EC2
On-premises data center
Customer Router
On-premises data center
Amazon VPC
Amazon EC2
AWS Direct Connect
• Connects your cloud networks (e.g. Amazon VPCs, VPNs, Direct
Connect Gateways, and on-premises networks) to a single gateway.
• Recommended for large organizations with hundreds of Amazon
VPCs, site-to-site VPNs, and external networks.
• Reduces the complexity of your infrastructure and makes scaling
easier
100s
AWS Transit Gateway
AWS Direct Connect
Gateway
AWS
Site-to-Site VPN
Amazon VPC
100s
• Allows you to publish, maintain, monitor, and secure your
RESTful APIs.
• Also supports WebSockets for real-time message communication
• Acts as a front door for your back-end services that are
running on:
• Works as a Proxy — similar to APIGEE, Mulesoft and other
proxies/integration platforms
Amazon API Gateway
Amazon EC2 AWS Lambda
Amazon ECS AWS Fargate AWS Elastic
Beanstalk
• A service mesh (an infrastructure layer that handles communication
between microservices)
• Provides application-level networking for the different types of
containerized applications in AWS.
• Allows your services to communicate with each other across
multiple types of computing infrastructure.
• Uses (an open-source service mesh proxy)
• Can be used with microservice containers managed by:
AWS App Mesh
Amazon EC2
Amazon ECS AWS Fargate
Amazon EKS
• A cloud resource discovery service.
• Commonly used in microservices and containerized applications that
have dynamically changing resources.
• You can name your containerized application resources with
custom names.
• Improves your containerized applications in AWS by always
discovering the most up-to-date locations of your resources
• Improves the availability of your system.
AWS Cloud Map
Application Integration Services
Overview
Application Integration Services
M O N O L I T H I C
USER INTERFACE
BUSINESS LOGIC
DATA ACCESS LAYER
M I C R O S E R V I C E S
SERVICE 2
SERVICE 3
SERVICE 4
QUEUE
SERVICE 1 SERVICE 5
UI
UI
UI
Application Integration Services
Amazon Simple Notification
Service (Amazon SNS)
Amazon MQ
AWS
AppSync
Amazon EventBridge
AWS Step Functions
Amazon AppFlow
Amazon Simple Queue Service
(Amazon SQS)
QUEUE
• A fully managed message queueing service
• The messages can be consumed or processed by:
Amazon Simple Queue
Service (Amazon SQS)
Amazon EC2 AWS Lambda Amazon ECS Other Consumers
• Can replace your traditional message-oriented middleware
without having to manage any servers or resources
Amazon SQS
Amazon SQS queue TYPES: STANDARD vs FIFO
THROUGHPUT: Standard = HIGH; FIFO = LIMITED
DELIVERY: Standard = At Least Once (possible duplicate messages!); FIFO = Exactly Once
ORDERING: Standard = Best Effort (messages might be delivered in a different order); FIFO = First In, First Out (preserves the exact order in which the messages are received)
ChangeMessageVisibility API
Amazon SQS
2 3 4
1
Auto Scaling group
• Age of the Oldest Message
• Queue Depth
• Number of Messages
EC2 EC2 EC2
EC2 EC2 EC2
EC2 EC2 EC2
Target Tracking
Policy
Amazon SQS
ECS Task 1
ECS Task 2
Data
Amazon ECS
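The two queue behaviours on the previous slides, as an added example that is not part of the original deck: a Standard queue delivers at least once, so the consumer below keeps an idempotency record and skips a redelivered message id; a FIFO queue deduplicates on the send side within a 5-minute interval using a MessageDeduplicationId, or a SHA-256 of the body when content-based deduplication is on. The delivery sequence, message ids and bodies are constructed; `FifoQueue` and `IdempotentConsumer` are my own names, not an AWS API.

```python
"""Added example (not from the slides): Standard vs FIFO queue behaviour.
Deliveries, ids and bodies are constructed."""
import hashlib
from datetime import datetime, timedelta

DEDUP_INTERVAL = timedelta(minutes=5)  # SQS FIFO deduplication interval


class FifoQueue:
    """Send-side deduplication as a FIFO queue performs it."""

    def __init__(self, content_based_dedup=True):
        self.content_based_dedup = content_based_dedup
        self.messages = []      # (group_id, body) in arrival order
        self._seen = {}         # dedup id -> time first accepted

    def send(self, body, sent_at, dedup_id=None, group_id="default"):
        if dedup_id is None:
            if not self.content_based_dedup:
                raise ValueError("FIFO send needs a MessageDeduplicationId")
            dedup_id = hashlib.sha256(body.encode()).hexdigest()
        first = self._seen.get(dedup_id)
        if first is not None and sent_at - first < DEDUP_INTERVAL:
            return False        # duplicate within the interval: acknowledged, not enqueued
        self._seen[dedup_id] = sent_at
        self.messages.append((group_id, body))
        return True


class IdempotentConsumer:
    """Receive-side protection against a Standard queue's at-least-once delivery."""

    def __init__(self):
        self.processed_ids = set()
        self.side_effects = []  # stands in for the real work (a charge, an email, ...)

    def handle(self, message_id, body):
        if message_id in self.processed_ids:
            return "skipped-duplicate"
        self.side_effects.append(body)
        self.processed_ids.add(message_id)
        return "processed"


# Constructed delivery sequence from a Standard queue: m-1 arrives twice
STANDARD_DELIVERIES = [
    ("m-1", "charge card 10"),
    ("m-2", "charge card 20"),
    ("m-1", "charge card 10"),   # redelivery with the same MessageId
    ("m-3", "charge card 30"),
]


def run_standard_consumer(deliveries=STANDARD_DELIVERIES):
    consumer = IdempotentConsumer()
    outcomes = [consumer.handle(mid, body) for mid, body in deliveries]
    return outcomes, consumer.side_effects


def run_fifo_producer():
    q = FifoQueue()
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    results = [
        q.send("order-1", t0),
        q.send("order-1", t0 + timedelta(minutes=1)),   # dropped: same body within 5 min
        q.send("order-2", t0 + timedelta(minutes=1)),
        q.send("order-1", t0 + timedelta(minutes=6)),   # accepted: interval has passed
    ]
    return results, q.messages
```

The idempotency set is the piece people forget: without it, a redelivered "charge card" message is executed twice, and raising the visibility timeout (ChangeMessageVisibility) only narrows the window, it does not close it.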
Amazon Simple Notification Service
(Amazon SNS)
Amazon SQS
Amazon S3 Bucket
• A fully managed messaging and notification service
• Enables you to communicate between systems through
publish/subscribe patterns or pub/sub messaging
• Messaging via mobile push, email, or SMS
Amazon Simple Notification
Service (Amazon SNS)
TOPIC
Amazon CloudWatch
Car Insurance
Queue
Home Insurance
Queue
Pet Insurance
Queue
TOPIC
Home Insurance Queue
Pet Insurance
Queue
Car Insurance Queue
Message Filtering
Filter by
QUOTE Type
FANOUT EVENT NOTIFICATIONS
Amazon RDS Events
Amazon EC2
Amazon ECS
AWS Lambda
SNS TOPIC
Home Insurance
Queue
Pet Insurance
Queue
Car Insurance
Queue
Filter by
QUOTE Type
FANOUT EVENT NOTIFICATIONS
Custom Events
Amazon EC2
Amazon ECS
AWS Lambda
Amazon CloudWatch
Amazon SNS with Message Filtering
Message Filter
CONSUMERS
SQS QUEUES
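The fan-out-with-filtering pattern drawn above (one SNS topic, several SQS queues, each subscription receiving only the quotes it cares about), as an added example that is not from the deck. The matcher implements a subset of the real SNS subscription filter-policy grammar (exact string match, `anything-but`, `prefix`, `numeric`); the queue names, policies and message attributes are constructed.

```python
"""Added example (not from the slides): SNS subscription filter policies.
Queue names, policies and messages are constructed."""

# Constructed subscriptions: queue name -> filter policy on message attributes
SUBSCRIPTIONS = {
    "car-insurance-queue": {"quote_type": ["car"]},
    "home-insurance-queue": {"quote_type": ["home"]},
    "pet-insurance-queue": {"quote_type": ["pet"]},
    "high-value-queue": {"premium": [{"numeric": [">=", 1000]}]},
    "audit-queue": {"quote_type": [{"anything-but": ["test"]}]},
}

_NUMERIC_OPS = {
    "=": lambda v, b: v == b,
    ">": lambda v, b: v > b,
    ">=": lambda v, b: v >= b,
    "<": lambda v, b: v < b,
    "<=": lambda v, b: v <= b,
}


def _numeric_match(value, ops):
    """ops is a flat list such as [">=", 100] or [">", 0, "<=", 100]."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    return all(_NUMERIC_OPS[ops[i]](value, ops[i + 1]) for i in range(0, len(ops), 2))


def _condition_matches(value, condition):
    if isinstance(condition, str):
        return value == condition
    if isinstance(condition, dict):
        if "anything-but" in condition:
            return value not in condition["anything-but"]
        if "prefix" in condition:
            return isinstance(value, str) and value.startswith(condition["prefix"])
        if "numeric" in condition:
            return _numeric_match(value, condition["numeric"])
    return False


def policy_matches(policy, attributes):
    """SNS semantics: every key in the policy must be present in the message
    (AND across keys) and at least one listed condition must hold (OR within a key)."""
    for key, conditions in policy.items():
        if key not in attributes:
            return False
        if not any(_condition_matches(attributes[key], c) for c in conditions):
            return False
    return True


def publish(attributes, subscriptions=SUBSCRIPTIONS):
    """Return the queues that would receive a message carrying these attributes."""
    return sorted(name for name, policy in subscriptions.items()
                  if policy_matches(policy, attributes))
```

Note the absent-key rule: a message with no `quote_type` attribute reaches none of the insurance queues, which is why producers must set attributes deliberately rather than relying on the message body.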
• A serverless function orchestrator for:
AWS Step Functions
AWS Lambda
• Allows you to orchestrate multiple AWS Lambda functions, in
order to achieve a specific workflow
• Enables you to create a state machine containing a combination
of steps, activities and service tasks
STEP 1
STEP 2
STEP 3
Lambda
Register
Lambda
Verification
Lambda
Send Report
• A managed message broker service
• Uses the open-source message broker
Amazon MQ
• The “MQ“ in Amazon MQ stands for Message Queue, which is a
form of asynchronous communication
• Works like Amazon SQS but supports more messaging protocol types
• Supports Java Message Service (JMS), .NET Message Service
(NMS), AMQP, MQTT, WebSocket and many others.
• A serverless event bus service
• Enables you to connect applications together using data from
your own applications, Software-as-a-Service (SaaS)
applications, and other AWS services.
Amazon EventBridge
• Uses the same service API, endpoint, and
the underlying service infrastructure of:
Amazon CloudWatch
E V E N T S
• Recommended to be used for your own applications, 3rd party
Software-as-a-Service apps, and other external sources
• Suitable for building event-driven applications
AWS AppSync
• A managed service that uses GraphQL
• GraphQL is a data query language that basically allows you
to query your REST APIs
• Has different types of schema operations:
QUERY Read Data
MUTATION Write Data
SUBSCRIPTION
Download/Upload
Data
• Only fetches the data that you want and not the entire data set
• Unlike REST API, you can query different APIs or resources
easily using a single API call
• Uses a Resolver which populates the data in your schema
• Simplifies application development by easily integrating
GraphQL with your applications
• A fully managed integration service
• Enables you to securely transfer data between various systems
such as your Software-as-a-Service (SaaS) applications and
different AWS Services
• Supports different SaaS apps such as Salesforce, Marketo, Slack,
ServiceNow and many more
• Can be integrated with other AWS services
• Allows you to run your data flows on-demand, by schedule or as
a response to a business event
• Provides you with powerful data transformation capabilities like
filtering and validation
Amazon AppFlow
AWS Security Services
Overview
AWS Security Services
Distributed Denial-Of-Service Attack
DDOS
Open Systems Interconnection
(OSI) Model Layers
(Diagram: OSI model layers 1 to 7; a TCP SYN flood is shown as a stream of SYN packets against the normal SYN, SYN ACK, ACK handshake, alongside UDP and IP traffic)
AWS Security Services
AWS Web Application
Firewall (AWS WAF)
AWS Firewall
Manager
AWS Shield Amazon GuardDuty AWS CloudHSM AWS Key Management
Service (AWS KMS)
AWS Secrets Manager AWS Certificate Manager
(AWS ACM)
Amazon
Macie
Amazon
Inspector
Amazon
Detective
AWS Web Application
Firewall (AWS WAF)
AWS Web Application Firewall
(AWS WAF)
• A web application firewall service
• Protects your web applications from common web exploits
• Allows you to create custom rules that block common attack patterns
such as cross-site scripting (XSS)
• Can be integrated with:
Amazon CloudFront
Application Load
Balancer
Amazon API
Gateway
• Has an IP Match condition feature, you can block malicious requests
from a recurring set of IP addresses.
• Can protect your application from illegitimate requests sent by
illegitimate external systems, through its rate-limiting rule.
Geo Match condition
Web Access Control List (ACL)
Rate-based
Web Access Control List
(Web ACL)
Amazon CloudFront
AWS Web Application Firewall
(AWS WAF)
Only Minimizes DDoS Attacks
(not entirely mitigate)
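The two AWS WAF controls named above, an IP match condition (an IP set) and a rate-based rule, as decision logic run over a few constructed access-log lines. This is an added example, not AWS WAF code or anything from the deck: AWS WAF counts requests per source IP over a 5-minute window, and the limit here is deliberately tiny so that the sample trips it. The networks, addresses and log format are all constructed.

```python
"""Added example (not from the slides): IP-set and rate-based decisions
over constructed access-log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

RATE_WINDOW = timedelta(minutes=5)
RATE_LIMIT = 5                          # constructed; real rules use far larger limits

# Constructed IP set (TEST-NET-3 documentation range) for the IP match condition
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed access log: "<ISO timestamp> <source ip> <method> <path>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 198.51.100.7 GET /login
2024-01-01T10:00:10 198.51.100.7 POST /login
2024-01-01T10:00:20 198.51.100.7 POST /login
2024-01-01T10:00:30 198.51.100.7 POST /login
2024-01-01T10:00:40 198.51.100.7 POST /login
2024-01-01T10:00:50 198.51.100.7 POST /login
2024-01-01T10:01:00 192.0.2.44 GET /
2024-01-01T10:01:05 203.0.113.9 GET /
2024-01-01T10:06:00 198.51.100.7 GET /
"""


def in_ip_set(ip, networks=BLOCKED_NETWORKS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


class RateBasedRule:
    """Sliding window per source IP; observe() returns True once the limit is exceeded."""

    def __init__(self, limit=RATE_LIMIT, window=RATE_WINDOW):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def observe(self, ts, ip):
        q = self.hits[ip]
        q.append(ts)
        while ts - q[0] >= self.window:   # drop timestamps that fell out of the window
            q.popleft()
        return len(q) > self.limit


def evaluate_log(log_text):
    """Return (timestamp, ip, decision, reason) per request; first matching rule wins."""
    rate_rule = RateBasedRule()
    decisions = []
    for line in log_text.splitlines():
        ts_text, ip, _method, _path = line.split()
        ts = datetime.fromisoformat(ts_text)
        if in_ip_set(ip):
            decisions.append((ts_text, ip, "BLOCK", "ip-set"))
        elif rate_rule.observe(ts, ip):
            decisions.append((ts_text, ip, "BLOCK", "rate-based"))
        else:
            decisions.append((ts_text, ip, "ALLOW", None))
    return decisions


def blocked_sources(log_text):
    """Summary a defender would alert on: ip -> set of reasons it was blocked."""
    out = defaultdict(set)
    for _, ip, decision, reason in evaluate_log(log_text):
        if decision == "BLOCK":
            out[ip].add(reason)
    return dict(out)
```

The last log line shows the rate-based behaviour worth remembering for the exam: the block is not permanent. Once the source's requests age out of the window it is allowed again, which is why the slide says WAF only minimizes, not entirely mitigates, a DDoS.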
AWS Firewall Manager
• A security management service designed for:
• Allows you to centrally configure and manage WAF rules across
multiple AWS accounts and applications.
• Enables you to roll out your custom rules to your AWS Organization
AWS WAF Rules
Web ACL
Amazon
CloudFront
Application Load
Balancer
Amazon API
Gateway
Your AWS
Organization
Amazon
CloudFront
Application Load
Balancer
Amazon API
Gateway
AWS Account
Manila
AWS Account
New Clark City
Web ACL
AWS Shield
• A managed DDoS protection service
• Provides detection and automatic mitigations that minimize
application downtime and latency.
• Mitigate different types of flood attacks such as UDP reflection,
SYN flood, DNS Query flood, and HTTP flood attacks.
• Protects your applications that use:
• Two Tiers:
• Standard
• Advanced
• Built-in by default
• No extra charge
• Has an additional charge
• Provides access to real-time DDoS attack notification
• DDoS Response Team (DRT) supports you during
DDoS Attack
Amazon EC2 Elastic Load
Balancer
Amazon
CloudFront
AWS Global
Accelerator
Amazon
Route 53
Amazon GuardDuty
• A managed threat detection service
• Identifies malicious or unauthorized activities in your AWS
accounts and workloads.
• Monitors activities such as unusual API calls, cryptocurrency
mining, or potentially unauthorized deployments that indicate a
possible account compromise.
• Also detects potentially compromised:
• Produces security reports called:
• Able to send notifications using CloudWatch Events when a
change was detected
• NOT capable of doing any resource changes by itself, like rate-
limiting protection or DDoS attack mitigation.
Amazon EC2 Instances
Findings
AWS CloudHSM
AWS Key Management
Service (AWS KMS)
AWS CloudHSM
• A fully managed, cloud-based hardware security module or HSM.
• The HSM in CloudHSM means: Hardware Security Module
• Enables you to easily generate and use your own encryption keys.
• Encryption keys can be in 128-bit or 256-bit
AWS CloudHSM
• A physical hardware device
• Performs cryptographic operations
• Securely stores cryptographic key material
Hardware Security Module
HSM
• A random, Base64 or hexadecimal string
• Binary format ( .bin )
• Used by your encryption key.
Leading HSM Providers
• The CloudHSM client is installed and hosted in your:
• The HSM cluster is deployed in your:
• Single Tenant — Only used by one tenant or user (you)
• Can be used to:
• Offload SSL Processing
• Enabling Transparent Data Encryption (TDE) for Oracle databases
• Protecting the private keys for an Issuing Certificate Authority
(CA).
• Integrate CloudHSM and AWS KMS to create a custom key store.
Amazon EC2
Instances
Amazon VPC
AWS CloudHSM
AWS Key Management Service (AWS KMS)
• A managed service that works like AWS CloudHSM
• Internally, it also uses hardware security modules (HSMs) for
creating and controlling your encryption keys.
• Has multi-tenant access
• Unlike CloudHSM, you cannot launch the HSM to Amazon VPC or
EC2 instances (as clients with direct HSM access) that you own.
• Can be integrated with other AWS services to help you protect the
data you store with these services.
AWS KMS key
You share the HSM with other
tenants or AWS customers
Shared HSM
Amazon S3
Encryption
Amazon EBS
Snapshots
Other
Services
Amazon RDS
Encryption
AWS Key Management Service (AWS KMS)
• AWS KMS automatically rotates your AWS KMS key
ENVELOPE ENCRYPTION
Plaintext
Data
Data Key
Master Key
Customer
Master Key
CMK
CMK
• Provides complete control over your
encryption key lifecycle management
• Allows you to remove the key material
of your encryption keys.
AWS Key Management Service (AWS KMS)
• You can also create a custom key store in AWS KMS with AWS CloudHSM
• You can audit key usage independently of AWS KMS, using AWS CloudTrail
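The envelope-encryption flow pictured on the KMS slides, as an added example that is not from the deck and not KMS code: the master key (the KMS key / CMK) stays inside the key service, callers receive a fresh data key, use it once and keep only the wrapped copy, and an encryption context is bound to the wrapped key as authenticated data. `ToyKms`, its key ids, the audit log and the sample data are constructed. The cipher is a standard-library stand-in (HMAC-SHA256 keystream plus an HMAC tag, encrypt-then-MAC) so the file runs without extra packages; KMS and the AWS Encryption SDK use AES-256-GCM for the same job.

```python
"""Added example (not from the slides): envelope encryption with a toy KMS.
The cipher is a stdlib stand-in for AES-256-GCM; keys and data are constructed."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_keystream(enc_key, nonce, data):
    out, counter = bytearray(), 0
    while len(out) < len(data):
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def _encrypt(key, plaintext, aad=b""):
    """Encrypt-then-MAC; aad is authenticated but not encrypted."""
    nonce = os.urandom(NONCE_LEN)
    ct = _xor_keystream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _decrypt(key, blob, aad=b""):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key, wrong context or tampering")
    return _xor_keystream(_subkey(key, b"enc"), nonce, ct)


def _canonical_context(context):
    """The encryption context is bound to the wrapped data key as AAD."""
    return "&".join(f"{k}={v}" for k, v in sorted(context.items())).encode()


class ToyKms:
    """Stand-in for the service side: master keys never leave this object,
    and every use is recorded the way CloudTrail records KMS API calls."""

    def __init__(self):
        self._master_keys = {}
        self.audit_log = []

    def create_key(self, key_id):
        self._master_keys[key_id] = os.urandom(32)
        return key_id

    def generate_data_key(self, key_id, context):
        data_key = os.urandom(32)
        wrapped = _encrypt(self._master_keys[key_id], data_key, _canonical_context(context))
        self.audit_log.append(("GenerateDataKey", key_id, context))
        return data_key, wrapped

    def decrypt(self, key_id, wrapped_data_key, context):
        self.audit_log.append(("Decrypt", key_id, context))
        return _decrypt(self._master_keys[key_id], wrapped_data_key, _canonical_context(context))


def envelope_encrypt(kms, key_id, plaintext, context):
    data_key, wrapped = kms.generate_data_key(key_id, context)
    ciphertext = _encrypt(data_key, plaintext)
    del data_key   # the plaintext data key is discarded; only the wrapped copy is stored
    return {"wrapped_data_key": wrapped, "ciphertext": ciphertext, "context": context}


def envelope_decrypt(kms, key_id, envelope, context):
    """The caller must present the same context; the key service refuses to unwrap otherwise."""
    data_key = kms.decrypt(key_id, envelope["wrapped_data_key"], context)
    return _decrypt(data_key, envelope["ciphertext"])
```

Two properties follow directly from the structure: the bulk ciphertext never needs KMS to be re-encrypted when the master key is rotated (only the small wrapped data key does), and every decrypt shows up in the audit trail with its context, which is what the "audit key usage independently" bullet is about.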
AWS Secrets Manager
• Protect the secrets of your applications, services, and IT resources.
• Enables you to easily rotate, manage, and retrieve your secrets
• A secret can be:
• A database password
• API key
• Authentication token
• Other sensitive data
• Eliminates hardcoded sensitive information in plain text in:
• Offers secret rotation with built-in integration for:
• Control access to secrets using fine-grained permissions and
centrally audit your secrets.
• Not recommended for storing encryption keys or key materials
since it does not use an HSM
AWS Lambda
Amazon RDS Amazon Redshift Amazon DocumentDB Other Services
Amazon Macie
• A fully managed data security and data privacy service
• Automatically recognizes and classifies sensitive data or intellectual
property
• Uses machine learning to automatically discover, classify, and protect
sensitive data stored in your:
• Recognizes sensitive data such as personally identifiable information
or PII.
• Provides dashboards and alerts that give visibility into how sensitive
data is being accessed or moved.
Amazon S3
bucket Other Services
Jon Bonso
06-12-1898
PH18981206
12061898
AdoBonGM4n0k
jon@tutorialsdojo.com
Name:
Social Security #:
Driver License #:
Bank Account #:
Password:
Email Address:
AWS Certificate Manager
(AWS ACM)
• Provisions, manages, and deploys public and private Secure Sockets
Layer/Transport Layer Security (SSL/TLS) certificates
• Enables you to create private certificates for your internal
resources and manage the certificate lifecycle centrally
• SSL Certificates are free of charge for ACM-integrated services
such as:
Amazon API
Gateway
Elastic Load
Balancing
Amazon Inspector
• An automated security assessment service
• Improves the security and compliance of applications deployed on
your AWS cloud infrastructure
• Automatically assesses applications for vulnerabilities or
deviations from best practices.
• Produces a detailed list of security findings prioritized by level of
security risk severity
• Provides an automated security assessment report that will
identify unintended network access to your:
• The detailed assessment reports are available via the Amazon
Inspector console or API
Amazon EC2 Instances
Amazon Detective
• Helps you detect the root cause of your security issues easier
• It analyzes, investigates, and quickly identifies the potential security
issues or suspicious activities in your AWS infrastructure
• Automatically collects log data from various AWS resources
such as:
• Uses machine learning to analyze and conduct security
investigations.
AWS CloudTrail VPC Flow Logs GuardDuty Findings
AWS Management & Governance Services
Overview
AWS Management & Governance Services
H I P A A
Health Insurance Portability and
Accountability Act of 1996
G D P R
General Data Protection Regulation
S O P
Standard Operating Procedures
AWS Management & Governance Services
AWS Command Line
Interface
(AWS CLI)
AWS Management
Console
AWS Console
Mobile Application
AWS Systems Manager
(SSM)
AWS Config
AWS Service Catalog
AWS Organizations
AWS Control Tower
— enforce standards
— ensure compliance
— control resources
AWS Resource
Access Manager
MANAGE
GOVERN
• A web interface to control your AWS resources
• Accessible through your web browser
• Log in using your IAM username and password
• Supports Multi-Factor Authentication (MFA)
• Accessible via this URL: https://console.aws.amazon.com
AWS Management
Console
• A command-line interface to control your AWS resources
• Accessible through your terminal, command prompt or Windows
PowerShell
AWS Command Line
Interface
(AWS CLI)
• Allows you to develop custom shell scripts that invoke
different AWS CLI commands
• The official mobile app provided by Amazon Web Services
• Allows you to monitor your resources through a dedicated dashboard
• Enables you to view your configuration details, metrics, and alarms of
select AWS services (not all services) on your mobile device
• Provides an overview of the account status, real-time CloudWatch
metrics, Personal Health Dashboard, and AWS Billing
• Has limited capabilities compared with:
AWS Console
Mobile Application
AWS CLI
AWS Management
Console
AWS Systems Manager
(SSM)
• A suite of services that allows you to manage your resources
• Allows you to control both of your AWS Cloud and on-premises
infrastructure
• Composed of:
Session Manager State Manager Patch Manager Automation
Maintenance
Windows
Run Command Parameter Store Others
• Also has an SSM agent that you can install on your
EC2 instances or on-premises servers to centrally
manage your resources
Amazon EC2
Instances
On-premises
Servers
PREDEFINED OR CUSTOM PATCH BASELINE
AWS Systems Manager
(SSM)
State Manager
Patch Manager
Parameter Store
Maintenance Windows
STATE
OS OS OS
OS Patches
• Installed software (e.g. startup script, antivirus etc.)
• Server configurations
• Firewall settings
• Associate Ansible playbooks, Chef recipes, PowerShell
modules, and other SSM Documents
• Passwords
• Database Strings
• Amazon Machine Image (AMI) IDs
• License Codes
• Environment Variables
PARAMETER
Secure String
AWS KMS
Amazon EC2
Instances
On-premises
Servers
PREDEFINED OR CUSTOM PATCH BASELINE
• Enables you to easily and securely share your AWS resources
with any AWS account or within your AWS Organization
• Allows you to share:
AWS Resource
Access Manager
(AWS RAM)
• Eliminates the need to create duplicate resources in multiple
accounts
• Reduces the operational overhead of managing multiple
resources in each and every single account you own.
AWS Transit
Gateway
AWS License
Manager
Amazon Route 53
Resolver
Private subnet Public subnet
Subnets Other
AWS Resources
AWS Config
AWS Service Catalog
AWS Organizations
AWS Control Tower
GOVERN
• Enables you to assess, audit, and evaluate the configurations
of your AWS resources
• Automates your compliance assessment process
• Provides visibility on the existing configurations of your
various AWS services and third-party resources (such as your on-
premises servers)
• Enables you to identify the changes made to a specific resource
over time
AWS Config
AWS Config
C H A N G E S
The AMI was shared to the
AWS Marketplace
The bucket was set
to public
The associated Elastic IP
address was removed
Config Rule 1
Periodic or change-based
configuration collectors
Amazon
CloudWatch Events
AWS
Lambda
Config Rule 2
R E S O U R C E S
AMI
S3 Bucket
EC2 Instance
on-premises
AWS Systems Manager
Automation
REMEDIATE
NON-COMPLIANT
RESOURCES
R E M E D I A T I O N
N O T I F I C A T I O N
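The "bucket was set to public" change in the diagram above, evaluated the way an AWS Config custom rule would, as an added example that is not from the deck: the rule reads one configuration item and returns COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE (the real compliance values), and the non-compliant list is what a remediation action such as an SSM Automation document would act on. The configuration-item layout is simplified and constructed; the public access block field names and the bucket-policy grammar are the real S3 ones.

```python
"""Added example (not from the slides): a Config-style custom rule that flags
S3 buckets opened to everyone. Configuration items are constructed."""

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"
PAB_FIELDS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _policy_grants_public(policy):
    """Allow + Principal * with no Condition. A conditioned statement is treated as
    not public here; a production rule should inspect the condition keys too."""
    for stmt in (policy or {}).get("Statement", []):
        if (stmt.get("Effect") == "Allow" and _principal_is_everyone(stmt.get("Principal"))
                and not stmt.get("Condition")):
            return True
    return False


def evaluate_bucket(item):
    """One configuration item in, one (compliance, annotation) out."""
    if item["resourceType"] != "AWS::S3::Bucket":
        return NOT_APPLICABLE, "rule only evaluates S3 buckets"
    cfg = item["configuration"]
    pab = cfg.get("PublicAccessBlockConfiguration") or {}
    if all(pab.get(f) for f in PAB_FIELDS):
        return COMPLIANT, "all four public access block settings are on"
    if set(cfg.get("AclGrantees", [])) & PUBLIC_ACL_GRANTEES:
        return NON_COMPLIANT, "ACL grants access to AllUsers/AuthenticatedUsers"
    if _policy_grants_public(cfg.get("Policy")):
        return NON_COMPLIANT, "bucket policy allows Principal * without a Condition"
    return COMPLIANT, "no public grant found (consider enabling public access block)"


def evaluate_all(items):
    """What the rule reports back per resource, plus the list to remediate."""
    results = {item["resourceId"]: evaluate_bucket(item) for item in items}
    to_remediate = [rid for rid, (compliance, _) in results.items() if compliance == NON_COMPLIANT]
    return results, to_remediate


# Constructed configuration items (simplified layout)
SAMPLE_ITEMS = [
    {"resourceType": "AWS::S3::Bucket", "resourceId": "tutorialsdojo-private",
     "configuration": {"PublicAccessBlockConfiguration": {f: True for f in PAB_FIELDS}}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "tutorialsdojo-website",
     "configuration": {"Policy": {"Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::tutorialsdojo-website/*"}]}}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "tutorialsdojo-legacy",
     "configuration": {"AclGrantees": ["http://acs.amazonaws.com/groups/global/AllUsers"]}},
    {"resourceType": "AWS::SQS::Queue", "resourceId": "orders-queue", "configuration": {}},
]
```

The ordering of checks matters: an account-wide or bucket-level public access block makes the ACL and policy checks moot, so it is tested first, and a bucket that is public on purpose (a static website) still surfaces as non-compliant so that the exception is recorded rather than silently accepted.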
• Consolidate and centrally manage multiple AWS accounts
AWS Organizations
ORGANIZATIONAL UNIT (OU)
Manila
ORGANIZATIONAL UNIT (OU)
Bangalore
ACCOUNT
1
ACCOUNT
2
ACCOUNT
3
ACCOUNT
4
• Combines the bills of multiple AWS accounts
• Provides volume discounts to further lower
down your costs
• Uses Service Control Policies (SCP) to control access and
ensure organizational compliance across your AWS accounts
• Offers Central Logging to monitor all activities performed across
your organization using AWS CloudTrail
• Aggregate data from all your AWS Config rules to quickly
audit your environment for compliance.
Consolidated Billing
SCP
SCP
I’ll pay
all the
bills!
A single AWS Organization can have
two or more Organizational Unit (OU)
and underlying AWS accounts with
Service Control Policies (SCPs)
attached
AWS Service Catalog
• Empowers you to set up and centrally manage catalogs of
approved IT services
• Allows you to manage various IT services, referred to as
"products" in Service Catalog then group them in a portfolio
• Machine image (AMI)
• Application server
• Program
• Tool
• Database
• Other services
• Assists you in meeting your compliance requirements
• Enforce granular access control to your resources
P R O D U C T
AWS Control Tower
• Helps you set up and govern a secure multi-account AWS
environment
• Automates the setup of your multi-account AWS environment
• Uses blueprints that follow AWS best practices for security and
management
• Provides mandatory high-level rules called guardrails
• Help enforce your policies using service control policies (SCPs)
• Detect policy violations using AWS Config rules
AWS Identity Services
Overview
AWS Identity Services
AWS Identity & Access
Management (IAM)
AWS Single Sign-On
Amazon Cognito
AWS Directory
Service
AWS Identity Services
• The primary identity service in AWS
• Allows you to manage access to various AWS services
and resources
AWS Identity & Access
Management (IAM)
AWS Identity & Access
Management (IAM)
IAM USER
IAM POLICY
PASSWORD
ACCESS KEYS
IAM ROLE
IAM GROUP
Permission 3
Permission 1 Permission 2 Permission 4
Permission 3
Permission 1 Permission 2 Permission 4
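How the permissions in the IAM picture above combine with the Service Control Policies from the AWS Organizations slides earlier on this page, as an added example that is not from the deck: an explicit Deny anywhere wins, an identity policy must Allow, and when SCPs apply every SCP in the account's OU chain must Allow as well (an SCP never grants anything on its own). The evaluator leaves out resource policies, permissions boundaries, session policies and Condition blocks; the policy documents, ARNs, OU name and account id are constructed.

```python
"""Added example (not from the slides): simplified IAM + SCP policy evaluation.
Policies, ARNs and account ids are constructed."""
import fnmatch


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _statement_applies(stmt, action, resource):
    """IAM patterns use * and ? wildcards; matching is case-sensitive here."""
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(fnmatch.fnmatchcase(action, a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow' or None (implicit deny) for one policy document."""
    decision = None
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit Deny beats any Allow
        decision = "Allow"
    return decision


def is_authorized(identity_policies, action, resource, scps=()):
    """Explicit Deny anywhere -> denied. Otherwise an identity policy must Allow
    AND every SCP must Allow; with no SCPs only the identity policies count."""
    decisions = [evaluate_policy(p, action, resource) for p in identity_policies]
    if "Deny" in decisions or "Allow" not in decisions:
        return False
    return all(evaluate_policy(scp, action, resource) == "Allow" for scp in scps)


# Constructed policies
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::tutorialsdojo-*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::tutorialsdojo-*/*"},
    {"Effect": "Deny", "Action": ["s3:DeleteBucket", "s3:PutBucketPolicy"], "Resource": "*"},
]}
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Constructed SCP on the "Manila" OU: full access except creating IAM users or leaving the org
MANILA_OU_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["iam:CreateUser", "organizations:LeaveOrganization"],
     "Resource": "*"},
]}
```

The last two assertions in the test are the exam point: an administrator with `*` on `*` in their own account is still stopped by the OU's SCP, which is how Organizations enforces compliance across accounts without touching each account's IAM policies.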
• Let you add user sign-up, sign-in, and access control features
to your web or mobile apps
• Allows users to log in to your application with their Microsoft Active Directory account, Security Assertion Markup Language (SAML) identity provider, and other social media accounts!
Amazon Cognito
Amazon Cognito
IDENTITY POOL
USER POOL
For Authentication For Authorization
Users can sign in by
authenticating through their
social identity providers
Users can obtain temporary and limited-
privilege AWS credentials that authorize
access to other AWS services
• A single sign-on service in AWS
• Allows a user to log in with a single ID and password to
access multiple and independent, software systems
• Provides a user portal that allows users to access the roles that
they can assume
• Offers pre-configured SAML integrations to many business
applications
AWS Single Sign-On
AWS Directory Service
• A managed Microsoft Active Directory
• Does not require you to synchronize or replicate data from your
existing Active Directory to the cloud
• No need to install and manage an Active Directory domain
controller
• Improves security and minimizes administrative overhead
• Allows you to assign IAM roles to your Active Directory users
and groups
• Allows you to assign IAM roles to your on-premises Microsoft
Active Directory using:
AD Connector
AWS Transfer & Migration Services
Overview
AWS Transfer & Migration Services
On-premises data center
AWS Transfer & Migration Services
AWS DataSync
AWS Transfer
Family
AWS Snowball
Family
AWS Application
Discovery Service
AWS Database
Migration Service
(AWS DMS)
AWS Server
Migration Service
(AWS SMS)
Migration Hub Migration Evaluator
• An online data transfer service
• Automate and accelerate the replication of data between your
on-premises storage systems and AWS storage services
• Copy large amounts of data to and from AWS storage
services over the Internet or via AWS Direct Connect
• Can copy data between:
• Transfers your data from your on-premises data center to AWS
through the use of:
• Shared file servers
• Self-managed object storage
• AWS Snowcone
• Amazon S3 buckets
• Amazon EFS file systems
• Amazon FSx for Windows File Server file systems
DataSync Agent
AWS DataSync
On-premises data center
Storage Area
Network
AWS Storage Gateway
VM VM
MIGRATION
INTEGRATION
AWS DataSync
AWS Transfer
Family
AWS Transfer for FTPS
AWS Transfer for SFTP
AWS Transfer for FTP
A suite of services that provides a simple and seamless file transfer
to Amazon S3
SFTP
FTPS
FTP
Amazon S3
Secure File Transfer Protocol
File Transfer Protocol over SSL
File Transfer Protocol
Provides physical storage devices and capacity points to help you
move your on-premises data to AWS
AWS Snowball
Family
AWS Snowcone AWS Snowball AWS Snowmobile
AWS Snowcone
4.5 lbs / 2.1 kgs Load data via NFS mount
8 TB of Usable Storage Uploads data to Amazon S3
AWS Snowball
Around 50 lbs / 22.5 kgs 80 TB of Usable Storage Uploads data to Amazon S3
- Over 1 foot in height
- 11 inches wide
- 2.3 inches in length
AWS Snowmobile
- Move 100 Petabytes of data
- Exabyte-scale data transfer
Uploads data to Amazon S3
45-foot long ruggedized
shipping container
Pulled by
a semi-trailer truck
• Helps enterprise customers plan migration projects
• Gathers information about the customer’s on-premises resources
• Enable customers to understand the configuration, usage, and
behavior of servers in their IT environments
• An AWS Discovery Agent is required to be installed to your on-
premises servers or virtual machines to capture system configuration,
system performance, running processes et cetera
• Helps you Discover the technical details of your Applications running
on your on-premises data center
AWS Application Discovery
Service
• Helps you migrate your databases to AWS quickly and securely
• Allows the source database to remain fully operational during the
migration, which minimizes the downtime
• Migrates your data to and from the most widely used commercial and
open-source databases
• Allows continuous data replication via change data capture (CDC)
• Can be used along with AWS Schema Conversion Tool (AWS SCT)
• Supports both homogeneous (e.g. Oracle to Oracle, MySQL to MySQL) and
heterogeneous (e.g. Oracle to MySQL, MS SQL to Amazon Aurora) database
migrations
AWS Database Migration
Service
(AWS DMS)
AWS Database Migration
Service
(AWS DMS)
SOURCE DATABASE TARGET DATABASE
PostgreSQL
Amazon
Aurora
Amazon
DynamoDB
HETEROGENEOUS DATABASE MIGRATION
• An agentless service that migrates on-premises workloads and
resources to AWS
• NO NEED to install and set up an agent like a System Manager or
DataSync agent on-premises
• Uses an SMS connector, which can be installed on your VMware
vCenter environment, to establish connection to your AWS resources
• Automate, schedule, and track incremental replications of your
live server volumes
AWS Server Migration
Service
(AWS SMS)
• A single place to discover your existing servers, plan migrations,
and track the status of each application migration
• DOES NOT execute actual data migration — only track its progress
• Provides visibility into your application portfolio and streamlines
planning and tracking
• Shows the status of the servers and databases that you are
migrating
Migration Hub
• A migration assessment service
• Helps customers to make the best business case for their mission-
critical AWS cloud planning and migration activities
• Provides a clear baseline of what workloads you’re running today
• Recommends future-state configurations
• Creates a statistical model of compute patterns for all your
instances, that shows:
• How much is being spent
• Which AWS resources are over-provisioned
• Specific opportunities to realize significant savings
Migration Evaluator
AWS Machine Learning Services
Overview
AWS Machine Learning Services
COMPUTER VISION
AUTOMATED DATA EXTRACTION & ANALYSIS
CUSTOMER EXPERIENCE IMPROVEMENT
LANGUAGE AI
BUSINESS METRICS
DEVOPS & MLOPS
AWS Machine Learning Services
AUTOMATED DATA EXTRACTION & ANALYSIS
LANGUAGE AI
BUSINESS METRICS
DEVOPS & MLOPS
Amazon Rekognition Amazon Lookout for
Vision
AWS Panorama
Amazon Augmented
AI (A2I)
Amazon Textract
Amazon Comprehend
Amazon Comprehend
Medical
Amazon Lex Amazon Transcribe Amazon Polly
Amazon Personalize Amazon Translate
Amazon Kendra
COMPUTER VISION CUSTOMER EXPERIENCE IMPROVEMENT
Amazon SageMaker
AWS ML Platform
Amazon Forecast Amazon Fraud Detector
Amazon Lookout for
Metrics
Amazon DevOps Guru
Amazon CodeGuru
Reviewer & Profiler
Amazon
CodeWhisperer
• Full-fledged machine learning platform in AWS
• Allows you to build, train, and deploy machine learning
(ML) models for any use case with fully managed
infrastructure, tools, and workflows
• Provides a suite of features and modules, such as:
Amazon SageMaker
Amazon SageMaker
Built-In Models
Amazon SageMaker
Ground Truth
Amazon SageMaker
Studio Lab
Amazon SageMaker
Notebook
Amazon SageMaker
Canvas
and many more!
AWS Machine Learning Platform
• Extract information and insights from your images and videos
using computer vision
• It can recognize:
• Objects, texts, scenes, labels, and other attributes
• Face of a person or a popular celebrity
• Personal Protective Equipment (e.g. mask, helmet)
• Has a feature called Amazon Rekognition Custom Labels that
allows you to classify custom components or products from
your dataset
Amazon Rekognition
COMPUTER VISION
• One of the services in the Amazon Lookout Family
• Detects defects on industrial products
• Used in factories and manufacturing lines to identify defects
• Actual images of defect-free products are used as a dataset.
These images can be stored in Amazon S3 and used as
baseline images to build a custom ML model for you
• Can automatically detect anomalies in your product like dents,
cracks, scratches et cetera
Amazon Lookout for Vision
COMPUTER VISION
• Its name is a portmanteau of the words "text" and "extract"
• Extract texts from scanned documents, PDFs, Word
documents, hand-written notes, receipts, passports, IDs, and
many others
• Can generate the results into a table form or a CSV file
• Has a query feature that extracts a particular field using
natural language questions
• Can batch upload your documents to Amazon S3 and
automate the text analysis process
Amazon Textract
AUTOMATED DATA EXTRACTION
& ANALYSIS
• Provides human review workflows for common machine
learning use cases
• The review is done by actual people and not by a computer
• Ensures the accuracy of prediction results and helps provide
continuous improvements to your machine learning model
• Can be directly integrated to Amazon Rekognition, Amazon
Textract and other services
• Useful for image moderation such as explicit adult or violent
content
• Allows you to run a human review with a custom machine
learning workflow of your choice
Amazon Augmented AI (A2I)
AUTOMATED DATA EXTRACTION
& ANALYSIS
• A natural language processing service
• Finds insights and relationships from text documents
• Can extract key phrases, sentiment, language, syntax, topics,
and even Personally Identifiable Information (PII) from
unstructured data
• Can implement patient data privacy solutions and identify
protected health information (PHI) using:
Amazon Comprehend
AUTOMATED DATA EXTRACTION
& ANALYSIS
• Can comprehend or understand the information written in
your text documents
• Raw text data must be supplied first in order to use the
Amazon Comprehend service
Amazon
Comprehend
Medical
• Enables you to develop conversational chatbots
• Allows you to build Voice-based or Text-based chatbots
• Useful for developing a self-service bot or a virtual agent for
your conversational Interactive Voice Response (IVR) system,
corporate website, or others
• Reduces costs in maintaining a contact center
Amazon Lex
LANGUAGE AI
• A speech-to-text transcription service
• Transcribes, or makes a written record of, a speech, a phone
call, or any spoken language
• Can generate call transcripts and provide conversation insights
to improve customer experience and agent productivity
• Offers real-time transcription
Amazon Transcribe
LANGUAGE AI
• Converts text into speech
• Generates a lifelike speech in different voices based on a raw
text file you uploaded
• If you typed: Beautiful Philippine Islands, the Amazon Polly
service will generate an audio file saying that phrase in a male
voice, a female voice, a kid’s voice, or in any voice that you
want your text to be spoken
• Allows you to upload custom lexicon files which can help you
to customize the pronunciation of specific words and phrases
Amazon Polly
LANGUAGE AI
• An intelligent search service in AWS
• Can search items from multiple data sources containing both
structured and unstructured data
• Supports natural language processing:
• "Who is the founder of the EdTech startup: Tutorials Dojo?"
• "Where is the JP Rizal Hospital located?"
• "How much did Mr. Jon Bonso earn a year ago?"
Amazon Kendra
CUSTOMER EXPERIENCE
IMPROVEMENT
• Searches all of the documents in your S3 bucket, FSx file
systems, RDS databases, Github repository, Jira, Slack,
Sharepoint and other data sources
• Uses machine learning to provide context to your search
results for a better customer experience
Amazon Personalize
CUSTOMER EXPERIENCE
IMPROVEMENT
• Provides personalized recommendations to your customers
based on their past activity and behavior
• Similar to the recommendation feature in Amazon Prime,
Netflix and other online streaming platforms
• Gives recommendations based on the customer's profile,
viewing history and past activities
• Improves customer experience and sales since you can offer
products that your customers want
• A real-time language translation service
• Works like Google Translate
• Enables you to create custom terminologies based on a
company-specific and domain-specific vocabulary
• For example:
• Set the acronym "TD" as "Tutorials Dojo"
• Enter the Tagalog phrase: "Magandang umaga, TD"
• It will return: "Good morning, Tutorials Dojo" as an output
Amazon Translate
CUSTOMER EXPERIENCE
IMPROVEMENT
• Has a Formality option that controls whether the translation
output uses a formal tone
• Can mask profane words or phrases
• Helps you forecast a future outcome based on your historical
records and other relevant data
• You can either import or stream your time-series data to the
Amazon Forecast service
• Can provide intelligent predictions to your sales, web traffic,
inventory, revenue, cloud resource capacity, weather, future
AWS bill et cetera
• Has a range of built-in datasets such as Weather Index, national
holidays for various countries and many more
• Uses a Predictor machine learning model that consumes all the
time-series data that you provide to make a prediction
Amazon Forecast
BUSINESS METRICS
• Automates the fraud detection process in your applications
• Identifies potential fraudulent activity, fake reviews and spam
account creation in near-real-time
• Use cases:
• Detecting the IP addresses with a history of spamming,
hacking attempts, and DDoS attacks
• Blocking users who share exactly the same IP address and are posting
spam and fraudulent reviews on your website
• Preventing a malicious user who uses an offending IP
address, an email domain, or a key attribute
Amazon Fraud Detector
BUSINESS METRICS
• One of the services of the Amazon Lookout family
• Detects anomalies in your business metrics, such as:
• A sudden nosedive in your sales revenue
• Unexpected drop in your customer acquisition rates
• Causal relationships
• Identifies unusual variances in your business metrics
• Can be integrated with Amazon SNS to send alerts whenever an
anomaly is detected
Amazon Lookout for Metrics
BUSINESS METRICS
• A machine learning service that detects abnormal behavior in
your application or AWS resources
• Prevents unexpected downtimes or operational issues in the
near future
• Monitors applications and AWS resources within your own
account or on all accounts across your AWS Organization
• Identifies operational defects such as:
• An unusually high DB load that is more than three times or 5
times its normal value
• Extremely high number of invocations in your Lambda
function beyond the provisioned concurrency
• Overprovisioned write capacity on your DynamoDB tables
Amazon DevOps Guru
DEVOPS & MLOPS
• A suite of development services in AWS with different tools
and features such as:
Amazon CodeGuru
DEVOPS & MLOPS
• Provides intelligent recommendations for improving your
application performance, efficiency, and code quality
• Scans your code and detects a range of code defects like bad
exception handling, insecure CORS policy, path traversal,
hardcoded credentials et cetera
• Can be integrated with your CI/CD workflow to automate the
code review process
• A component that collects CPU data and analyzes the runtime
performance data from your live applications
• Identifies expensive lines of code that inefficiently use the CPU,
which causes CPU bottlenecks.
Amazon CodeGuru Reviewer
Amazon CodeGuru Profiler
• Automatically generates code and functions in real-time
• Similar to GitHub Copilot
• Installed in your Visual Studio IDE
• The lines of code are generated right from your IDE editor
based on the comments that you write
Amazon CodeWhisperer
DEVOPS & MLOPS
Amazon CodeWhisperer
DEVOPS & MLOPS
[Slide screenshot: the COMMENTS typed in the IDE on one side and the GENERATED LINES OF CODE produced from them on the other]
AWS Analytics Services
Overview
Data Lake: STRUCTURED DATA and UNSTRUCTURED DATA
Data Warehouse: STRUCTURED DATA
Open Source Technologies used by AWS Analytics Services
…and many other open-source projects!
3rd Party Technologies used by AWS Analytics Services
…and many more!
Extract, Transform, Load (ETL)
SERVERLESS
AWS Analytics Services
Amazon Kinesis
Amazon Elasticsearch
(Amazon ES)
Amazon Athena
Amazon Elastic MapReduce
(Amazon EMR)
Amazon QuickSight
Amazon CloudSearch
Amazon Redshift
AWS Data Pipeline
AWS Glue
Amazon Managed
Streaming for Apache Kafka
AWS Lake Formation
Amazon Kinesis
• A suite of services for processing your data streams
• Analyzes your data streams in real-time
• Allows you to collect, transform, process, load, and
analyze the streaming data in real-time to help you
acquire the data insights and respond to data changes
Amazon Kinesis
• Amazon Kinesis Data Streams
• Amazon Kinesis Data Firehose
• Amazon Kinesis Data Analytics
• Amazon Kinesis Video Streams
Amazon Kinesis
Data Streams
• A massively scalable, durable, secure and low-cost
real-time data streaming service
• Can continuously capture gigabytes of data per
second from thousands of different sources
• Collects and sends data to your data analytics
applications and consumers in real-time
Amazon Kinesis
Data Streams
• Provides ordering of records
• Can read & replay records in the same order
• Suitable if you have a requirement where:
‣ The data events must be received in an ordered manner
‣ There’s a need to process the data stream of your web
applications, or mobile game updates, in order of receipt
• Can be used in:
‣ Real-time Applications
‣ Website Clickstreams
‣ Database Event Streams
‣ IoT Telemetry
‣ Location-tracking Events
‣ Predictive Maintenance
‣ Mobile Game Data Streams
‣ Online Marketplaces
‣ Real-time Recommendations Systems
‣ …and many more!
Amazon Kinesis
Data Streams
• Can be used to decouple your cloud architecture like
Amazon SQS by accepting data from your data sources
and forwarding it to different compute resources
• Similar to Amazon SQS, with notable differences:
‣ SQS can’t process data in real-time
‣ SQS Standard queue doesn’t maintain the
order of data records by default
‣ SQS FIFO queue maintains the order of data
records but is significantly slower than SQS
Standard and doesn’t perform in real-time
Amazon SQS
Amazon Kinesis
Data Streams
• If you need a solution that captures the clickstream
data from multiple websites in real-time and analyzes
it using batch processing
• For setting up and building a scalable, near-real-time
recommendations for your users
• For mobile games that stream score updates to a
backend system and post the results on a leaderboard
• For collecting the mobile game scores in order of receipt
which can then be processed by an AWS Lambda function
and stored in DynamoDB
USE CASES
Amazon Kinesis
Data Streams
• For implementing predictive maintenance on different
types of machinery equipment using IoT sensors
• For sending data to AWS in real-time wherein the data
stream will receive events in an ordered manner for
each connected device, data producer or machinery asset
• For implementing a scalable, near-real-time solution in
processing millions of financial transactions
• For launching a data stream that can be consumed by
Amazon Kinesis Data Analytics which can be queried using
SQL queries
USE CASES
Amazon Kinesis
Firehose
• A fully managed service that reliably transforms and
loads your streaming data into data stores and analytics
tools
• Directly delivers data to Amazon S3, Amazon Redshift,
Amazon Elasticsearch Service, and any HTTP endpoint
• Can be integrated with your third-party service providers
• Enables your data producers to directly send data to a
specific destination or data store without any
custom applications or consumers
• Can transform your data before sending it to a
specified destination to remove sensitive data or for data
pre-processing procedures
Amazon Kinesis
Firehose
• Similar to Amazon Kinesis Data Stream but with certain
differences:
‣ Both services can accept streaming data in real-time
‣ However, Kinesis Data Stream requires an external consumer
to store the records while Kinesis Data Firehose does not
• Acts like a "firehose" to immediately send the streams
of data to your data store
• Delivers your data stream directly to your Amazon S3
buckets, Redshift databases, Amazon ES clusters, and
others without the need for a consumer
Amazon Kinesis
Firehose
• Can transform the data before it is sent to its
destination
• Internally invokes an AWS Lambda function to
transform the incoming source data and deliver the
processed data to its destination
• Recommended if you need to parse the data stream to
remove any sensitive data such as personal data
or protected health information (PHI)
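Added example of the Lambda-based transformation described above (not AWS or Tutorials Dojo code): a Firehose data-transformation handler that masks PHI fields before delivery. The field names, record ids, delivery stream name and the sample event are constructed.

```python
"""Kinesis Data Firehose data-transformation Lambda that strips sensitive fields.

Added example, not AWS or Tutorials Dojo code. Firehose hands the function a batch of
base64-encoded records and expects every recordId back with a result of "Ok",
"Dropped" or "ProcessingFailed" plus the (possibly rewritten) base64 data.
The field names and the sample event below are constructed for the demo.
"""
import base64
import json

# Constructed list of fields that count as PHI/PII for this demo.
SENSITIVE_FIELDS = {"patient_name", "ssn", "date_of_birth"}


def redact(payload):
    """Return a copy of the record with every sensitive field masked."""
    return {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v) for k, v in payload.items()}


def transform_record(record):
    """Transform one Firehose record into the response shape Firehose expects."""
    raw = base64.b64decode(record["data"])
    try:
        payload = json.loads(raw)
    except ValueError:
        # Malformed JSON: Firehose writes ProcessingFailed records to its error output.
        return {"recordId": record["recordId"], "result": "ProcessingFailed", "data": record["data"]}
    if payload.get("event_type") == "heartbeat":
        # Uninteresting records can be dropped, but their recordId must still be acknowledged.
        return {"recordId": record["recordId"], "result": "Dropped", "data": record["data"]}
    cleaned = json.dumps(redact(payload)) + "\n"  # newline keeps the S3 objects line-delimited
    return {
        "recordId": record["recordId"],
        "result": "Ok",
        "data": base64.b64encode(cleaned.encode("utf-8")).decode("ascii"),
    }


def lambda_handler(event, context):
    """Entry point: Firehose requires exactly one output record per input record."""
    return {"records": [transform_record(r) for r in event["records"]]}


def encode(obj_or_text):
    """Helper that builds a Firehose-style base64 payload from a dict or a raw string."""
    text = obj_or_text if isinstance(obj_or_text, str) else json.dumps(obj_or_text)
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed sample event in the shape Firehose uses when it invokes the transformer.
SAMPLE_EVENT = {
    "invocationId": "constructed-invocation-id",
    "deliveryStreamArn": "arn:aws:firehose:us-east-1:123456789012:deliverystream/td-phi-demo",
    "region": "us-east-1",
    "records": [
        {"recordId": "rec-1", "data": encode({"patient_name": "J. Bonso", "ssn": "000-00-0000",
                                              "date_of_birth": "1990-01-01", "visit_reason": "checkup"})},
        {"recordId": "rec-2", "data": encode({"event_type": "heartbeat"})},
        {"recordId": "rec-3", "data": encode("not json at all")},
    ],
}


def decode_output(record):
    """Decode a transformed record back into a dict (for inspection and tests)."""
    return json.loads(base64.b64decode(record["data"]))


if __name__ == "__main__":
    for out in lambda_handler(SAMPLE_EVENT, None)["records"]:
        print(out["recordId"], out["result"], out["data"][:40])
```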
Amazon Kinesis
Video Streams
• A service that securely streams video from
connected devices or sources to AWS
• Commonly used for data analytics, machine learning,
video playback, and other types of media processing
• Automatically provisions and scales all the required
infrastructure to ingest streaming video data from
millions of devices
• Stores, encrypts, and indexes video data in your
streams to improve performance
• Provides access to your video data through a collection
of easy-to-use APIs
Amazon Kinesis
Data Analytics
• A serverless service that enables you to analyze your
streaming data, acquire actionable insights, and
respond to events in real-time
• Reduces the complexity of building, managing, and
integrating streaming applications with your custom
applications and other AWS services
• Serverless
• Uses Apache Flink to process and analyze streaming
data
• Eliminates the manual tasks of setting up and
maintaining Apache Flink
Amazon Kinesis
Data Analytics
• Enables you to author and run code against
streaming sources
• The data can be analyzed using SQL queries and
the results can be delivered to Amazon S3, Amazon
Redshift, and other data stores using Kinesis Data
Firehose
• Java or Scala can be used to process and analyze your
streaming data
Amazon Kinesis
Data Analytics
• In near-real-time data processing and data querying
for acquiring timely insights of your application
• For processing your streaming data with minimal
effort and operational overhead
• For providing scalable and near-real-time data querying
with minimal data loss
• For analyzing the location data points of your GPS
application that tracks the movement of people, bikes,
automobiles, or any other moving object
• You can expose a REST API using API Gateway that can
be used as an Amazon Kinesis proxy
USE CASES
Amazon Athena
• An interactive query service for your data that is
stored in Amazon S3
• Simplifies data analysis in Amazon S3 using standard
SQL queries
• Unlike S3 Select, you can query the entire data in
your Amazon S3 bucket with Amazon Athena and
not just its subset
• Serverless
Amazon Athena
• Sample use case:
‣ A global eCommerce website stores 250 gigabytes of
transactional data each month in Amazon S3
‣ You need to identify the number of items sold in each particular
region for the previous month in the most cost-effective way
• Athena costs less than Amazon Redshift, Amazon
EMR, or Amazon ES since it’s serverless
• Can use an AWS Glue Data Catalog to store and
retrieve table metadata for your Amazon S3 data and
provide data visualization using Amazon QuickSight
Amazon Elasticsearch
Service
• A fully managed Elasticsearch service
• Elasticsearch is a distributed, multitenant-capable full-
text search engine based on the Apache Lucene library
• Provides an HTTP web interface that can store data as
a schemaless JSON document
• Provisions the necessary infrastructure and
automatically manages the resources needed to run
the Amazon ES cluster
(Amazon ES)
Amazon Elasticsearch
Service
• Also allows you to launch an ELK (Elasticsearch,
Logstash, and Kibana) stack in AWS
• ELK Stack:
‣ Elasticsearch - full-text search engine
‣ Logstash - server-side data processing pipeline
‣ Kibana - user interface to visualize Elasticsearch data
• Provides support for open-source Elasticsearch APIs,
managed Kibana, integration with Logstash and other
AWS services
• Lets you pay only for what you use (no upfront costs or
usage requirements)
(Amazon ES)
Amazon
Elastic MapReduce
• Allows you to run different types of big data
frameworks in AWS
• A managed big data platform for processing vast
amounts of data using open source tools such as Apache Zeppelin and others
(Amazon EMR)
Amazon
Elastic MapReduce
• Runs your big data framework on Amazon EC2
instances, Amazon Elastic Kubernetes Service clusters,
or in your on-premises EMR cluster via AWS Outposts
• The compute resources launched by Amazon EMR are
deployed in your VPC and then grouped as an Amazon
EMR cluster
• You can directly access and control the underlying
EC2 instances of your EMR cluster
• NOT serverless
• Automates the server provisioning and management
process for you and allows your data to interact with
other AWS data stores such as Amazon S3 and Amazon
DynamoDB
(Amazon EMR)
Amazon QuickSight
• A scalable, serverless, embeddable, machine learning-
powered business intelligence service
• Allows you to create and publish interactive
dashboards that can be accessed from different
browsers or mobile devices
• Allows you to embed dashboards into your
applications
• Highly scalable and can easily scale up to thousands of
users globally
• Serverless
Amazon CloudSearch
• A managed search service in AWS
• Can be used to add a search feature in your application
or websites
• You can use this to:
‣ Retrieve contents of selected fields
‣ Provide facet information to categorize results
‣ Provide statistics for numeric fields
‣ Provide highlights showing search hits in the field data
‣ Autocomplete suggestions
‣ Geospatial search
‣ and many more!
Amazon CloudSearch
• Allows you to create a search domain, specify an
index and upload your data as documents
• Provisions and manages all the underlying servers and
resources needed to build and deploy search indexes
• Simply upload your data to any data store, create a
search domain in CloudSearch, and integrate it into
your applications
Amazon Redshift
• A fast, scalable data warehouse
• Allows you to analyze all your data across your data
warehouse and data lake
• Delivers faster performance than other data
warehouses through the use of machine learning,
massively parallel query execution and columnar
storage on high-performance disks
• Can run queries across petabytes of data in your
Redshift data warehouse and analyze exabytes of data
in your S3 data lake
• Primarily used for Online Analytical Processing
(OLAP) applications and reporting tools
Amazon Redshift
• Redshift clusters run in internal Amazon EC2 instances
that are configured as nodes
• You can select the particular node type and instance
size that you prefer
• Not a serverless service
• Has a feature called Redshift Spectrum that allows
you to query data from Amazon S3 without loading the
entire data into Redshift tables
• Redshift Spectrum queries use massive parallelism to
quickly execute large datasets at a fraction of the
cost
AWS Data Pipeline
• A service that processes and moves your data
between different AWS compute and storage
services
• Enables you to process and move your data in specific
intervals that you define to transfer your data to and
from your on-premises data center
• Allows you to access, transform and process your data
where it's stored at scale
• Empowers you to transfer and store the results to
various AWS services such as Amazon S3, Amazon
RDS, Amazon DynamoDB, and Amazon EMR
AWS Glue
• A fully managed and serverless service that is primarily
used for extract, transform, and load workloads
or ETL
• Simplifies the process of preparing and loading your
data before running your data analytics workload
• Creates a Data Catalog that allows you to specify and
search your data that is stored on Amazon S3 and
other AWS services
• Automatically discovers your data and stores the
associated metadata in the AWS Glue Data Catalog
• The data will be immediately searchable, queryable,
and available for ETL once the metadata is stored
Amazon Managed Streaming
for Apache Kafka
• A fully managed Apache Kafka service in AWS
• Apache Kafka is an open-source platform that allows
you to build real-time streaming data pipelines
and applications
• Allows you to use Apache Kafka APIs to stream
changes to and from different databases, populate your
Amazon S3 data lakes, and empower machine learning
and analytics applications
AWS Lake Formation
• Makes it easy for you to set up a secure data lake
• Allows you to create data catalogs for your external
data just like AWS Glue
• Collects and catalogs your data from different data
sources and moves the data into a new Amazon S3
data lake
• Classifies and processes your data using machine
learning algorithms, and secures access to your
sensitive data
• Data can be queried and analyzed using Amazon
Athena, Amazon Redshift, Amazon EMR, and other
services
Overview
IAM
Identity and Access Management
• Covers both AUTHENTICATION and AUTHORIZATION
IAM ENTITIES:
• IAM USER (types: Root User, Regular IAM User)
• IAM GROUP
• IAM ROLE
IAM POLICY (a set of permissions such as Permission 1, Permission 2 and Permission 3):
• AWS-managed Policy
• Customer-managed Policy
• Inline Policy
Grant Least Privilege
• IAM groups and IAM roles, for example declared in CloudFormation templates, follow the best practice of granting the least privilege
• The PowerUserAccess and AdministratorAccess managed policies and root user access do not grant the least privilege
• Use the Instance Profile to pass a specific IAM
role to your Amazon EC2 instance for it to
perform certain actions
• IAM roles attached to your instance can also be
viewed on your EC2 metadata.
curl http://169.254.169.254/latest/meta-data/iam/info
Amazon EC2 and AWS IAM
• You can set up a bucket policy to grant IAM
users and other AWS accounts the access
permissions for your bucket and its objects.
• In AWS Organization, you can set up an S3
bucket policy that allows cross-account access
to other departments of your organization.
Amazon S3 and AWS IAM
• For DynamoDB, you can design an IAM policy
that allows access to put, update, and delete
items in one specific table.
• IAM DB Authentication is a feature available for
Amazon RDS and Aurora. This allows you to use
IAM to centrally manage access to your
database resources
AWS Databases and AWS IAM
Amazon SQS and AWS IAM
• An Access Policy can be provisioned to control
external access to your SQS queue.
• Helps you grant permissions to an external
company to access your queue.
• An SQS access policy can allow external
companies to poll the queue without giving up
the permissions of your own account.
IAM ENTITIES: IAM USER, IAM GROUP, IAM ROLE
IDENTITY-BASED POLICY vs RESOURCE-BASED POLICY
PERMISSIONS BOUNDARY
• Allows you to set the maximum permissions that an identity-based policy can grant to an IAM entity.
• Ensures that the entity can only perform the actions that are allowed by both its identity-based policies and its permissions boundaries.
IAM Identities
IAM IDENTITIES: IAM USER, IAM GROUP and IAM ROLE, each with an attached IAM POLICY (Permission 1, Permission 2, Permission 3)
IAM USER
• An entity that represents an actual
person or a service
• Can interact with your AWS resources
using the AWS command-line interface,
AWS API, or through the AWS
management web console
• Provides someone the ability to sign in to
the AWS Management Console and
programmatic access to AWS APIs
IAM USER
Consists of:
• NAME
• PASSWORD
• ACCESS KEY PAIR (Access Key ID and Secret Access Key), used with the AWS CLI, AWS APIs, AWS SDKs and AWS CDKs
IAM USER with an IAM POLICY (Permission 1, Permission 2, Permission 3), which is either Customer-managed OR AWS-managed
Customer-managed:
• Managed by you (the customer)
• Can be fully customized
• You have to manually create a policy for a particular job function
AWS-managed:
• Managed by AWS
• Cannot be fully customized
• Has AWS Managed-Policies for Job Functions that you can readily use: Administrator, Support User, Security Auditor, Network Administrator, Developer Power User, Billing, …and others
IAM POLICY TYPES
IAM GROUP
• Can contain multiple IAM Users
• A single IAM User can belong to multiple
IAM Groups
• Cannot be nested
• It can only contain IAM users and not
other IAM Groups
• There is no default user group that
automatically includes all of the IAM
Users in your AWS account
IAM GROUP
IAM GROUP "Tutorials Dojo Developers" with an IAM POLICY (Permission 1, Permission 2, Permission 3) attached
IAM ROLE (assumed by an IAM USER) vs IAM USER
IAM USER:
• Uniquely associated with one single person only
• Has long-term credentials: AWS Management Console password and Access Keys
IAM ROLE:
• Intended to be assumed by one or more AWS resources
• No long-term credentials
IAM ROLE
IAM ROLE types
• CROSS-ACCOUNT: grants access to your resources in one account (e.g. US - AWS ACCOUNT #1) to a trusted principal in a different AWS account (e.g. INDIA - AWS ACCOUNT #2)
• AWS SERVICE ROLE: assumed by an AWS service or by applications running in your EC2 instance; limited within your AWS account only. The custom applications hosted in Amazon EC2 can assume an AWS service role to perform certain actions
• AWS SERVICE-LINKED ROLE: a predefined role that is directly linked to an AWS service
IAM Policy Types
IAM IDENTITIES (IAM USER, IAM GROUP, IAM ROLE) are granted access to RESOURCES through an IAM POLICY
IAM POLICY
• Contains permissions that explicitly ALLOW or
DENY access to certain AWS services
• It provides fine-grained access control to
specific API actions as well as the AWS
resources that the policy should be applied to
IAM POLICY
• ALLOWS THE API ACTIONS YOU SPECIFY (a single API action or a list of API actions)
• DENIES THE API ACTIONS you specify, optionally under a condition such as an IP Condition or a Multi-Factor Authentication (MFA) Condition
• Can be written with the VISUAL EDITOR or the JSON EDITOR
Standalone Policy vs Inline Policy
Standalone Policy:
• Remains unchanged even if you delete its associated IAM identity
• It doesn't have a strict one-to-one relationship to its associated IAM identity
Inline Policy:
• Will automatically be deleted if you delete its associated identity
• Has a strict one-to-one relationship to its associated IAM identity
• Identity-based Policies
• Resource-based Policies
• Permissions Boundaries
• AWS Organizations SCPs
• S3 Access Control Lists (ACLs)
• Session Policies
IAM Policy Types
Identity-Based Policy
• A policy that you attach to an IAM
Identity
• Two Types:
‣ Managed Policies: a type of standalone policy; can either be AWS-managed or Customer-managed
‣ Inline Policies: maintain a strict one-to-one relationship between a policy and an IAM identity; tightly coupled with the associated IAM Identity
Resource-Based Policy
• Attaches an inline policy to a specific AWS
Resource
• Types: S3 Bucket Policy, SQS Access Policy, Trust Policy
Permissions Boundaries
• Defines the maximum permissions that an
identity-based policy can grant to an IAM
entity
• Does not explicitly grant permissions
• Sets a clear boundary to ensure that a
given IAM policy will not over-provision the
permissions to your AWS resources
Service Control Policies
(SCPs)
• Primarily used in AWS Organizations
• Defines the maximum permissions for account members of an organization or organizational unit.
• Limits the permissions that identity-based policies or resource-based policies grant to the IAM users or roles within the AWS account
• IAM policies can't restrict the AWS account root user. On the contrary, the specified actions from an attached SCP can affect all IAM identities, including the root user, of the member account
Access Control List
(ACL)
• Primarily used in Amazon S3
• Controls which principals in other AWS accounts can access a particular bucket
• These are cross-account permission policies that grant certain permissions to a specified principal that you define
• ACLs cannot grant permissions to entities within the same account
Session Policies
• Limits the permissions that an identity-based policy grants to a particular session
• Works like Permissions Boundaries
• Sets a limit of what kind of permission a session has, without granting any permissions.
• Aside from an identity-based policy, the permissions of a session policy can also come from a resource-based policy
• If there's an explicit deny in any of the policies, then it will effectively override any allowed permissions
IAM Policy Basics
IAM
Logical OR
{
"Id": "TutorialsDojoPolicy1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAllActionsOnBooksTable",
"Effect": "Allow",
"Action": "dynamodb:*",
"Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/Books"
},
{
"Sid": "ListObjectsInBucket",
"Effect": "Allow",
"Action": ["s3:ListBucket", "s3:DeleteObject"],
"Resource": ["arn:aws:s3:::tutorialsdojo-manila"]
}
]
}
Policy-wide
Information
Statements
IAM Statement Elements
Statement ID
{
  "Sid": "AllowActionsOnBooksTable",
  "Effect": "Allow",
  "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
  "Action": [
    "dynamodb:PutItem",
    "dynamodb:UpdateItem",
    "dynamodb:DeleteItem"
  ],
  "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Books",
  "Condition": {
    "IpAddress": {
      "aws:SourceIp": "220.110.16.0/20"
    }
  }
}
Callouts on the slide show alternative values for these elements: "arn:aws:s3:::tutorialsdojo/*" (Resource), "dynamodb:*" and "s3:*" (Action)
CONDITION ELEMENT (applies to ALLOW or DENY statements)
Condition operator types:
• String
• Numeric
• Date
• Boolean
• Binary
• ARN
• IfExists
• IpAddress
• …and many more!
CONDITION ELEMENT: IfExists variants
• StringEqualsIfExists
• NumericEqualsIfExists
• BoolIfExists
• IpAddressIfExists
• etc…
. . .
"Action": [
"s3:PutObject"
],
"Resource": "arn:aws:s3:::tutorialsdojo-manila/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
. . .
Shares the Amazon S3 bucket named tutorialsdojo-manila with an external vendor while ensuring that
the bucket owner is still able to access all objects
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "DenyAllTDojoUsersNotUsingMFA",
"Effect": "Deny",
"NotAction": "s3:PutObject",
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"}
}
}]
}
Users will be denied all API actions (except for the s3:PutObject action) if
their multi-factor authentication (MFA) is not enabled
IAM Policy Evaluation Logic
IAM
{
"Id": "TutorialsDojoPolicy1",
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "lambda:*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": ["lambda:CreateFunction", "lambda:DeleteFunction"],
"Resource": "*"
}
]
}
Logical OR: the first statement allows the API action while the second denies it. Will the API action be Allowed or Denied?
1. Authentication
2. Process the request context
3. Evaluate all policies within a single account
If the IAM policies are within a single account…
• All requests are implicitly denied by default (except for the AWS account root user)
• An explicit DENY in any policy overrides any type of ALLOW
• The explicit ALLOW statements in identity-based or resource-based policies are then processed
• Permissions Boundaries, Service Control Policies (SCPs) and Session Policies can further restrict the result
• The final decision is either DENY or ALLOW
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:TerminateInstances",
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "49.147.194.0/24"
}
}
},
{
"Effect": "Deny",
"Action": "ec2:*",
"Resource": "*",
"Condition": {
"StringNotEquals": {
"ec2:Region": "us-west-1"
}
}
}
]
}
POLICY 1 / POLICY 2
This policy will allow you to terminate an Amazon EC2 instance in the us-west-1 region as long as your source IP is within the 49.147.194.0/24 CIDR block.
POLICY 1 / POLICY 2
This policy provides full access to Amazon EC2. It also allows creating, reading and updating the AWS Directory Service (DS) directories but not deleting them.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:*",
"ds:*"
],
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "ds:Delete*",
"Resource": "*"
}
]
}
POLICY 1 / POLICY 2
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "lambda:*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"lambda:CreateFunction",
"lambda:DeleteFunction"
],
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "220.200.16.0/24"
}
}
}
]
}
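To check the EC2 policy and the MFA policy above by hand, here is an added simulator (not AWS's own evaluation engine, and not Tutorials Dojo code) of the single-account logic on the slides: implicit deny by default, explicit allow, and an explicit deny that overrides everything. The request contexts, the instance ARN and the object key are constructed.

```python
"""Simulator of the single-account IAM policy evaluation logic on the slides.

Added example, not AWS code. It understands Effect, Action/NotAction, Resource and the
IpAddress, StringEquals, StringNotEquals and Bool condition operators (plus their
...IfExists forms): every request is implicitly denied, an explicit Allow permits it,
and an explicit Deny in any policy overrides every Allow. Contexts and ARNs are constructed.
"""
import fnmatch
import ipaddress

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild_match(value, patterns, fold_case=False):
    """IAM-style wildcard match ('*' and '?'); action names compare case-insensitively."""
    patterns = _as_list(patterns)
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _operator_matches(operator, actual, expected):
    if operator == "IpAddress":
        ip = ipaddress.ip_address(actual)
        return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in expected)
    if operator == "StringEquals":
        return actual in expected
    if operator == "StringNotEquals":
        return actual not in expected
    if operator == "Bool":
        return actual.lower() in {e.lower() for e in expected}
    raise ValueError(f"operator not supported by this demo: {operator}")

def _condition_holds(condition, context):
    """Every operator block must hold; a missing key fails unless the operator ends in IfExists."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        for key, expected in pairs.items():
            if key not in context:
                if if_exists:
                    continue  # ...IfExists: an absent key makes the clause true
                return False
            expected_values = [str(e) for e in _as_list(expected)]
            if not _operator_matches(base, str(context[key]), expected_values):
                return False
    return True

def _statement_applies(statement, action, resource, context):
    if "Action" in statement and not _wild_match(action, statement["Action"], True):
        return False
    if "NotAction" in statement and _wild_match(action, statement["NotAction"], True):
        return False
    if not _wild_match(resource, statement.get("Resource", "*")):
        return False
    return _condition_holds(statement.get("Condition", {}), context)

def evaluate(policies, action, resource, context):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request against all policies."""
    allowed = False
    for policy in policies:
        for statement in _as_list(policy["Statement"]):
            if not _statement_applies(statement, action, resource, context):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"  # an explicit deny overrides every allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"

# The EC2 policy from the slides (POLICY 1 allows, POLICY 2 denies outside us-west-1).
EC2_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*",
     "Condition": {"IpAddress": {"aws:SourceIp": "49.147.194.0/24"}}},
    {"Effect": "Deny", "Action": "ec2:*", "Resource": "*",
     "Condition": {"StringNotEquals": {"ec2:Region": "us-west-1"}}}]}

# The DenyAllTDojoUsersNotUsingMFA policy from the earlier slide.
MFA_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyAllTDojoUsersNotUsingMFA", "Effect": "Deny", "NotAction": "s3:PutObject",
     "Resource": "*", "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}

INSTANCE_ARN = "arn:aws:ec2:us-west-1:123456789012:instance/i-0123456789abcdef0"  # constructed
OBJECT_ARN = "arn:aws:s3:::tutorialsdojo-manila/report.csv"  # constructed object key

def terminate_decision(source_ip, region):
    """Decision for ec2:TerminateInstances under EC2_POLICY for a constructed request context."""
    return evaluate([EC2_POLICY], "ec2:TerminateInstances", INSTANCE_ARN,
                    {"aws:SourceIp": source_ip, "ec2:Region": region})

def mfa_decision(action, mfa_present=None):
    """Decision under MFA_POLICY; mfa_present=None models a request carrying no MFA key at all."""
    context = {} if mfa_present is None else {"aws:MultiFactorAuthPresent": mfa_present}
    return evaluate([MFA_POLICY], action, OBJECT_ARN, context)

if __name__ == "__main__":
    print(terminate_decision("49.147.194.25", "us-west-1"), terminate_decision("49.147.194.25", "us-east-1"))
    print(terminate_decision("203.0.113.9", "us-west-1"))  # condition not met: ImplicitDeny
    print(mfa_decision("s3:GetObject"), mfa_decision("s3:PutObject"), mfa_decision("s3:GetObject", "true"))
```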
Amazon VPC Overview
Amazon VPC in a Region (example: US East (Ohio) us-east-2)
• Each Availability Zone (Availability Zone 1, 2 and 3) is made up of one or more data centers
• The VPC has a private subnet and a public subnet in each Availability Zone
IPv4 CIDR Range: 10.0.0.0/16
IPv6 CIDR Range: 2001:db8:1234:1a00::/56
The Amazon VPC inside the REGION contains a private subnet (10.0.0.0/24) and a public subnet (10.0.1.0/24), each associated with a ROUTE TABLE
A subnet must reside entirely within one
Availability Zone only
One subnet cannot span to two or more AZs.
You can have multiple subnets in the same
Availability Zone.
Private subnet (10.0.0.0/24): for backend systems like databases or application servers that are not meant to be accessed publicly
Public subnet (10.0.1.0/24): for publicly accessible web servers and resources; this subnet has a connection to the Internet Gateway of the VPC
Diagram components: INTERNET GATEWAY; PUBLIC Amazon EC2 web servers; PRIVATE Amazon EC2 servers with Amazon EFS, Amazon FSx and Amazon RDS
Anatomy of an Amazon VPC
[Diagram: a REGION with a CLOUD containing an Amazon VPC (IPv4 CIDR Range: 10.0.0.0/16, IPv6 CIDR Range: 2001:db8:1234:1a00::/56); a public subnet of PUBLIC Amazon EC2 web servers reached through an INTERNET GATEWAY; a private subnet of PRIVATE Amazon EC2 servers together with Amazon EFS, Amazon FSx and Amazon RDS; a ROUTE TABLE; a VIRTUAL PRIVATE GATEWAY; VPC PEERING to another Amazon VPC; and AWS IAM controlling access]
Amazon VPC
US East (Ohio) us-east-2
SUBNET 1
SUBNET 2
SUBNET 3
Ashburn
Sterling
Chantilly
8
4
4
US East (Northern Virginia) us-east-1
us-east-1b
us-east-1a
us-east-1c
Amazon S3
Amazon EC2
VPC Endpoint
CLOUD
Amazon VPC
Amazon
DynamoDB
Other
Services
AWS Lambda
Fully Managed By:
Amazon S3 is not hosted in an Amazon VPC
Amazon VPC Components
• CIDR Block
• Subnets
• Route Table
• DHCP Options Set
• NAT Devices
• Network ACLs
• Security Groups
• Different types of Gateways
CIDR BLOCK
• Allows you to specify the size of your network
• The allowed block size for a VPC is between a /16 and a /28 netmask
• A netmask (subnet mask) tells you the total number of available hosts for your network
/16 = 65,536 IP addresses
/17 = 32,768 IP addresses
/18 = 16,384 IP addresses
/28 = 16 IP addresses
• AWS reserves a total of 5 IP addresses from your CIDR block
• The first four IP addresses and the last IP address in each subnet CIDR block are reserved
CIDR 10.0.0.0/24:
10.0.0.0 – Network Address
10.0.0.1 – VPC Router
10.0.0.2 – DNS Server
10.0.0.3 – Reserved for Future Use
10.0.0.255 – Network Broadcast Address
[Diagram: the CIDR block of the VPC: IPv4 CIDR range 10.0.0.0/16, IPv6 CIDR range 2001:db8:1234:1a00::/56.]
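The block-size limits and the five reserved addresses are easy to get wrong when carving subnets by hand. The following is an added example (not code from the course) that validates a VPC CIDR, lists the reserved addresses of a subnet, and checks that a set of subnets fits inside the VPC without overlapping; it uses only the Python standard library, and the sample CIDRs are the ones on the slides. The RFC 1918 check reflects AWS's recommendation to use private ranges for VPC blocks.

```python
"""Added example: check an Amazon VPC CIDR block and list the addresses AWS
reserves in each subnet. Sample CIDRs are the ones on the slides
(10.0.0.0/16, 10.0.0.0/24, 172.31.0.0/16, 10.0.0.0/28)."""
import ipaddress

# RFC 1918 private ranges (AWS recommends VPC CIDRs from these ranges).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Offsets from the subnet's network address that AWS reserves; the broadcast
# address is the fifth reserved address.
RESERVED_OFFSETS = {
    0: "Network Address",
    1: "VPC Router",
    2: "DNS Server",
    3: "Reserved for Future Use",
}
RESERVED_PER_SUBNET = len(RESERVED_OFFSETS) + 1  # + Network Broadcast Address = 5


def validate_vpc_cidr(cidr):
    """Return the network if it is a valid VPC block: IPv4, /16 to /28, no host bits set."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: "10.0.0.1/24" is rejected
    if net.version != 4:
        raise ValueError("this check covers the IPv4 CIDR block only")
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"VPC block size must be between /16 and /28, got /{net.prefixlen}")
    return net


def is_rfc1918(cidr):
    """True if the whole block lies inside one of the RFC 1918 private ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and any(net.subnet_of(r) for r in RFC1918)


def reserved_addresses(subnet_cidr):
    """Map each reserved address of a subnet to what AWS uses it for."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    base = int(net.network_address)
    reserved = {str(ipaddress.ip_address(base + off)): label
                for off, label in RESERVED_OFFSETS.items()}
    reserved[str(net.broadcast_address)] = "Network Broadcast Address"
    return reserved


def usable_hosts(subnet_cidr):
    """Total addresses minus the five AWS keeps (e.g. /28 -> 16 - 5 = 11)."""
    return ipaddress.ip_network(subnet_cidr, strict=True).num_addresses - RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, subnet_cidrs):
    """Check that every subnet fits inside the VPC block, is at least a /28,
    and that no two subnets overlap; returns usable hosts per subnet."""
    vpc = validate_vpc_cidr(vpc_cidr)
    subnets = [ipaddress.ip_network(s, strict=True) for s in subnet_cidrs]
    for s in subnets:
        if not s.subnet_of(vpc):
            raise ValueError(f"{s} is outside the VPC block {vpc}")
        if s.prefixlen > 28:
            raise ValueError(f"{s} is smaller than the /28 minimum")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"subnets {a} and {b} overlap")
    return {str(s): usable_hosts(str(s)) for s in subnets}


if __name__ == "__main__":
    for addr, role in reserved_addresses("10.0.0.0/24").items():
        print(f"{addr:<12} {role}")
    print(plan_subnets("10.0.0.0/16", ["10.0.0.0/24", "10.0.1.0/24"]))
```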
ROUTE TABLE
• The implicit router in Amazon VPC
• Controls the network traffic in your VPC through subnet routing
• All subnets in your VPC must be associated with a route table
• A route table can either be the main route table or a custom route table
• A subnet in your VPC can only be associated with one route table at a time, but you can associate multiple subnets with the same subnet route table
DHCP OPTIONS SET
• A set of options that controls the automatic provisioning of IP addresses to your Amazon EC2 instances and other resources
• Uses the Dynamic Host Configuration Protocol
• Allocates an IP address to every host, virtual machine, EC2 instance, RDS database, load balancer, or any other AWS resource in your VPC
• Configures your DNS, NetBIOS Name Server, and Network Time Protocol (NTP) settings
NAT DEVICES
• Uses Network Address Translation (NAT)
• Enable Amazon EC2 instances that are in a private subnet to connect to the public Internet or other AWS services
• Prevents the public Internet from initiating connections with your private EC2 instances
• Works like a one-way street, which means only the traffic initiated within your VPC is allowed, but not vice versa
NAT Instance:
• A virtualized NAT device running in an EC2 instance within your VPC
• Managed by the customer (you)
• Not highly available nor scalable
NAT Gateway:
• An advanced NAT device that is not running in your VPC
• Managed by AWS
• Highly available and scalable
[Diagram: VPC A in the N. Virginia Region of the AWS Cloud, with Availability Zone (AZ) 1 and AZ 2; each AZ has a private subnet of Amazon EC2 instances and a public subnet holding a NAT Gateway.]
Security Groups and Network Access Control List (Network ACL)
[Diagram: VPC A in the N. Virginia Region; the Network ACL sits at the subnet boundary, while the Security Group is attached to the Amazon EC2 instance.]
Security Group: you can only specify ALLOW rules in a security group, but not DENY rules.
Network ACL: you can create a rule that explicitly allows or denies traffic by its IP address, port, or destination.
Gateways
• Internet Gateway
• Customer Gateway
• Virtual Private Gateway
• Carrier Gateways
• Egress-only Internet Gateway
[Diagram: an on-premises data center with a Customer Gateway connected to the Virtual Private Gateway of the Amazon VPC over an AWS Direct Connect connection.]
[Diagram: the NAT Gateway and NAT Instance serve IPv4 traffic; the Egress-only Gateway serves IPv6 traffic.]
CARRIER GATEWAY
• For VPCs that use AWS Wavelength to deliver ultra-low latency applications for 5G devices
• Allows incoming traffic from a carrier network in a specific location
• Allows outgoing traffic to the carrier network and to the public Internet
• Only available for VPCs that contain subnets in a Wavelength Zone
[Diagram: the on-premises data center's Customer Gateway and the Amazon VPC's Virtual Private Gateway joined by an AWS Direct Connect connection.]
Amazon VPC Network Architectures
[Diagram: a Region in the AWS Cloud with the Amazon VPC (IPv4 CIDR range 10.0.0.0/16, IPv6 CIDR range 2001:db8:1234:1a00::/56), its public and private subnets and route table, an Internet Gateway, and a Virtual Private Gateway reachable over AWS VPN or AWS Direct Connect.]
Default VPC
• There is a default VPC in each AWS Region
• A default VPC can immediately be used to launch your Amazon EC2 instances, Elastic Load Balancers, Amazon RDS databases, and other resources
• Perfect for quickly launching simple public websites or applications
• The existing components of your default VPC can be configured
• Has an attached Internet Gateway by default
[Diagram: the default VPC (IPv4 CIDR range 172.31.0.0/16) in a Region of the AWS Cloud, with a public subnet, a private subnet, a route table and an Internet Gateway.]
/16 = 65,536 IP addresses. The first 4 IP addresses and the last IP address of that range are reserved, so you have a total of 5 IP addresses that are not usable:
172.31.0.0 – Network Address
172.31.0.1 – VPC Router
172.31.0.2 – DNS Server
172.31.0.3 – Reserved for Future Use
172.31.255.255 – Network Broadcast Address
[Diagram: the default VPC (172.31.0.0/16) with its route table, Internet Gateway and DHCP Options Set, divided into /20 public and private subnets.]
/20 = 4,096 total IP addresses - reserved AWS IPs = ~4,090 usable IPs
[Diagram: a custom Amazon VPC with a single private subnet, IPv4 CIDR range 10.0.0.0/28, a route table and Auto Scaling groups.]
/28 = 16 total IP addresses - 5 reserved AWS IPs = 11 usable IPs
Amazon VPC Network Architecture Types
• A VPC with a single public subnet
• A VPC with public and private subnets
• A VPC with public and private subnets and Hardware VPN Access
• A VPC with a private subnet only and Hardware VPN Access
[Diagram: a VPC with a single public subnet: Amazon VPC (IPv4 CIDR range 10.0.0.0/16, IPv6 CIDR range 2001:db8:1234:1a00::/56), one public subnet, a route table and an Internet Gateway.]
[Diagram: a VPC with public and private subnets: the same VPC with a public subnet, a private subnet, a route table and an Internet Gateway.]
[Diagram: a VPC with public and private subnets and Hardware VPN Access: the same VPC with a public subnet, a private subnet, a route table, an Internet Gateway and a Virtual Private Gateway terminating an AWS VPN connection.]
[Diagram: a VPC with a private subnet and Hardware VPN Access: the same VPC with only a private subnet, a route table and a Virtual Private Gateway terminating an AWS VPN connection.]
[Diagram: VPC A in the N. Virginia Region of the AWS Cloud with Availability Zone (AZ) 1 and AZ 2; each AZ has a private subnet of Amazon EC2 instances and a public subnet holding a NAT Gateway.]
Amazon EC2 Overview
[Diagram: Shared Responsibility between you and Amazon EC2; Amazon EC2 can be integrated with a lot of AWS services.]
[Diagram: what your computer and Amazon EC2 both have. CPU; memory (RAM); SSD/HDD storage: Amazon EBS and Instance Store; shared file server: Amazon EFS, Amazon FSx for Lustre and Amazon FSx for Windows File Server; object storage: Amazon S3; disk image (ISO): Amazon Machine Image (AMI); network: Amazon VPC, Elastic IP Address, Elastic Network Interface (ENI), Elastic Network Adapter (ENA), Elastic Fabric Adapter (EFA) and Placement Groups; auto scaling: Amazon EC2 Auto Scaling.]
Instance Purchasing Options
• On-Demand
• Spot
• Reserved
• Dedicated
• Savings Plans
• Capacity Reservation
[Diagram: Amazon EC2 virtual machines run on rack-mounted physical servers; a single server can instantiate multiple EC2 instances, and the underlying physical servers are shared by MULTIPLE tenants / customers across the globe.]
[Diagram: how the purchasing options differ. On-Demand: "I want to order an EC2 instance for $2 / hour". Spot: "I'll pay $1 / hour for that spare EC2 instance"; the Amazon EC2 service INTERRUPTS (automatically terminates) your Spot EC2 instance when it needs the spare or unused server back. Reserved: "I would like to reserve this instance for 1 year at $1.5 / hour". Dedicated: "I would like to rent the entire server without any virtualization, dedicated for my exclusive use".]
Spot Instances
[Diagram: Spot Instances use spare or unused EC2 capacity. The Spot price of an instance type follows supply and demand: a SURPLUS of unused capacity means the LOWEST cost, while LOW supply means a HIGH price.]
[Diagram: "I want to order a Spot EC2 instance for $1 / hour" versus "I want to order an On-Demand EC2 instance for $2 / hour"; the Amazon EC2 service interrupts (automatically terminates) the Spot instance when the spare capacity is reclaimed.]
Spot Instances are based on the Spot market: you buy "on the spot" at the Spot price, for lower prices.
Spot Instances
FEATURES
• Provide discounts of up to 90% compared to an On-Demand instance
• The most cost-effective type among the instance purchasing options
• The interruption/termination is based on the instance type available in the AWS Global Infrastructure
• Can be interrupted, or be automatically terminated by AWS
• Suitable for non-critical and infrequent jobs that can be interrupted or processed again
USE CASES
• Servers on your development or test environments that do not require to be 100% up all the time
• Applications with flexible start and end times
• Interruptible workloads that can handle failures gracefully
• Handling the peak load or the additional load of your application on top of your Reserved or On-Demand EC2 instances
• Infrequent and interruptible jobs
• Workloads that are infrequently executed
• Interruptible batch jobs or non-production applications that are currently hosted on your On-Demand Instances
• Running the task nodes of your Amazon Elastic MapReduce cluster
• Highly dynamic batch processing where each job:
  • Is stateless in nature
  • Can be started and stopped at any given time
  • Typically takes upwards of 60 minutes or an hour in total to complete
• For whenever you need the MOST cost-effective solution in running your interruptible workloads
Spot Fleet:
• A collection, or fleet, of Spot Instances
• Can optionally have On-Demand Instances
Spot Block:
• Specify a "block of time" or the duration in which your instance will run continuously
• Rarely interrupted compared to your regular Spot Instances
On-Demand Instances
[Diagram: On-Demand Instances have NO interruptions. Demand #1: "Right now, I want to launch an EC2 instance for my app!" Demand #2: "My batch job processing has been completed. I want to terminate my EC2 instance now."]
On-Demand Instances
USE CASES
• Mission-critical workloads that must not experience any interruptions
• Servers of your mission-critical applications that are running on your production environment
• Short-term workloads that cannot be interrupted
• Handling the steady-state load of your applications
• Running the master node and the core nodes of your Amazon EMR cluster
• Any workloads that require uninterruptible processing
On-Demand Capacity Reservation
• Allows you to reserve EC2 capacity for a specific Availability Zone for a period of time
• Ensures that you always have access to EC2 capacity
• No one-year or three-year term reservation or commitment
• Suitable for scenarios where you require a guaranteed compute capacity for a week or a few months
[Diagram: On-Demand billing by OS type. Linux: pay by the second, minimum of 1 minute. Windows: pay by the hour, minimum of 1 hour.]
On-Demand Instances have the highest cost among the other EC2 instance purchasing options. There are NO interruptions: the high price you pay ensures that your EC2 instance will NOT be interrupted.
Reserved Instances
[Diagram: Reserved Instances compared with On-Demand Instances (for mission-critical applications, uninterruptible) and Spot Instances; Reserved Instances are uninterruptible and cheaper than On-Demand Instances. The Reserved Instance Marketplace is also shown.]
RESERVE for 1 year or 3 years. Payment options:
• All Upfront: pay the FULL price; provides the highest savings
• Partial Upfront: pay the PARTIAL price; costs a little more
• No Upfront: pay on a MONTHLY basis; provides the least amount of discount
Standard Reserved Instance vs Convertible Reserved Instance:
• Both can modify the attributes such as the Availability Zone or network
• Both can modify the instance size using other sizes within the same instance family
• Both require a fixed 1-year or 3-year commitment
• Standard: can be sold in the Reserved Instance Marketplace; cannot be exchanged for any other Reserved Instance
• Convertible: cannot be sold in the Reserved Instance Marketplace; can be exchanged for another Convertible Reserved Instance with a different configuration, including instance family, operating system, and tenancy
USE CASES
• Running non-interruptible workloads for a one-year or three-year time frame
• Workloads with predictable capacity and uptime requirements
• Hosting the application servers of your production environment
• For processing the steady-state load or the baseline capacity of your workloads
• For batch jobs that cannot be interrupted once started
• For consuming Amazon SQS queue messages in which the application should continually process messages without any downtime
• Running the master node or core nodes of your Amazon Elastic MapReduce cluster (cheaper than On-Demand Instances)
• And many more!
SCOPE: Zonal or Regional
Dedicated Hosts & Dedicated Instances
TENANCY
[Diagram: DEFAULT TENANCY (multi-tenant hardware) versus a Dedicated Instance and a Dedicated Host, which are used by a SINGLE customer / tenant.]
It's like "renting" an entire house for your family, of which you are the sole tenant (single-tenant). If you share a house with your friends or co-workers, then there are multiple tenants (multi-tenant).
A rack-mounted server is also called a HOST.
DEDICATED HOST
• A single, physical rack-mounted server, also known as a host, used by a SINGLE customer / tenant
• Supports licenses that are bound per-socket, per-core, or per-VM (CPU core)
• For cases when the existing server-bound software licenses must be used by customers
• To comply with your per-core software license requirements
• For compliance and software licensing requirements mandating that a workload must be hosted on a physical server
• For migrating commercial off-the-shelf applications with licenses that must still be utilized upon migration
• For performing cost analysis that supports physical isolation of a customer workload
• Launching Windows Server, SQL Server, SUSE Linux Enterprise Server, Red Hat Enterprise Linux, or other software licenses that are bound to particular VMs, sockets, or physical CPU cores
DEDICATED INSTANCE
• Virtual machines / instances hosted on dedicated single-tenant hardware
• Regular virtual machines that run in a virtual private cloud (VPC) on hardware that's dedicated to a single customer
• Dedicated Instances that belong to different AWS accounts are physically isolated at a hardware level
• Dedicated Instances may share hardware with other Amazon EC2 instances if the instances are:
  • In the same AWS account
  • Not a type of Dedicated Instance
• Allows you to launch Dedicated Spot Instances, Dedicated On-Demand Instances, or Dedicated Reserved Instances
Savings Plans
FEATURES
• A flexible pricing model in AWS that helps you save on the usage of your Amazon EC2, AWS Fargate and AWS Lambda compute resources
• Provides discounts in exchange for a commitment to a consistent usage amount that is measured in dollars per hour for a one- or three-year term
• Aside from Amazon EC2, it also covers other compute resources such as AWS Fargate and AWS Lambda
• Can be purchased from:
  • Any AWS account
  • Management account of your AWS Organization
  • Member account of your AWS Organization
Savings Plans vs Reserved Instances:
• Both require a fixed one-year or three-year commitment
• Both provide billing discounts
• Reserved Instances: based on a specific instance type or instance size; you must exchange or modify the Reserved Instance to suit your current requirements
• Savings Plans: based on a consistent amount of compute usage; provides flexibility to use a more suitable compute option at low prices without any exchanges or modification
Capacity Reservation
FEATURES
• Allows you to reserve capacity for your EC2 instances in a specific Availability Zone
• Independent of the billing discounts offered by Savings Plans or regional Reserved Instances
• Works like a Zonal Reserved Instance
• No 1-year or 3-year commitment
• You can reserve a particular Availability Zone only (Zonal); no Regional reservations in scope
• Can be applied to On-Demand EC2 Instances
REQUIREMENTS
• Availability Zone
• Number of Amazon EC2 instances
• Instance attributes (e.g. instance type, OS, etc.)
[Diagram: a Capacity Reservation for 2 instances of a given instance type in us-east-1a is MATCHED against the running EC2 instances in your VPC.]
Amazon EC2 Instance Types
[Diagram: an Amazon EC2 instance type is defined by its CPU, RAM, storage, graphics, network and other components.]
CPU OPTIONS: AWS Graviton processors; Mac instances (powered by Mac Mini).
The newer your EC2 instance type is, the more cost-efficient and powerful it is.
Instance Sizes: nano, micro, small, medium, large, xlarge, metal
INSTANCE CATEGORIES and INSTANCE FAMILY / TYPES:
• General Purpose: Mac, T*, M*, A*
• Compute Optimized: C*
• Memory Optimized: R*, X*, Z*, U*
• Storage Optimized: I*, D*, H*
• Accelerated Computing: P*, Inf*, G*, F*
• Others
More instance types to be launched soon!
INSTANCE TYPE NAMING CONVENTION
.
TYPE & GENERATION SIZE
Indicates that you
are using a
bare metal type
(non-virtualized)
nano
micro
small
medium
large
xlarge
metal
INSTANCE
FAMILY
GENERATION
m6
INSTANCE TYPE NAMING CONVENTION
TYPE & GENERATION
PREVIOUS GENERATION
m5
m6
5th GENERATION
NEXT GENERATION
6th GENERATION
m4 below
&
m7 above
&
INSTANCE TYPE NAMING CONVENTION
TYPE & GENERATION
**a
**g
AWS
Graviton
CPU TYPE
TYPE & GENERATION
INSTANCE TYPE NAMING CONVENTION
AWS
Graviton
t3, m5, r5
t3a
m6g
TYPE & GENERATION
INSTANCE TYPE NAMING CONVENTION
***d
***n
Has a local NVMe-based SSD storage
Has enhanced networking capabilities
TYPE & GENERATION
INSTANCE TYPE NAMING CONVENTION
T
•Burstable Performance Instances
•Provides a baseline level of CPU performance
with the ability to burst above the baseline
•The ability to burst is governed by CPU Credits
INSTANCE TYPE NAMING CONVENTION
• A CPU Credit accrued when the instance is idle
• A sort of ‘vertical scaling’ since it temporarily
provides higher CPU performance over the
maximum CPU capacity of the instance
• A CPU Credit provides a full CPU core
performance for one minute
0
50
100
150
200
10 AM 11 AM 12 PM 1 PM
BASELINE
BURST ZONE
CPU Utilization
INSTANCE TYPE NAMING CONVENTION
SIZE
metal
• Bare metal instances
• Grants direct access to the CPU and memory
resources of the underlying server
• Doesn't have a pre-installed KVM, Xen, or AWS
Nitro Hypervisor that other EC2 instances use
• Allows you to fully access the CPU, Storage,
and Networking bandwidth of the underlying
server
• Allows customers to run their own hypervisor
or virtualization secured containers such as
Clear Linux Containers
INSTANCE TYPE NAMING CONVENTION
• Meant for customers who have
enterprise applications that need to run in
non-virtualized environments or need to
use their own hypervisor
•Can still be integrated with Amazon EBS,
Elastic Load Balancers, and other
resources on your Amazon VPC
•Provides the highest attributes across all
other types in its Instance Family
•Have equal or more attributes than the
largest instance type in the instance
family
Amazon Machine Image (AMI)
[Diagram: an AMI is a disk image holding the apps and configurations from which an EC2 instance is launched.]
An AMI consists of a Block Device Mapping, Volume Snapshots and Launch Permissions:
• Block Device Mapping: the mapping of volumes to the instance; the block store type is either Amazon EBS or Instance Store
• Volume Snapshots: EBS Snapshots for Amazon EBS volumes (N/A for Instance Store)
• Launch Permissions: Public, Explicit, or Implicit
• The AMI is the template for the root volume
Amazon Machine Image (AMI)
• Regional in scope
• You can copy your AMI to another AWS Region
• You can also copy your AMI to another AWS account
[Diagram: COPY AMI from VPC A in an Availability Zone of the N. Virginia Region to VPC A in an Availability Zone of the Ohio Region; AMIs are also available from the AWS Marketplace.]
VIRTUALIZATION TYPE
• PV (Paravirtual): the boot-up process uses a special boot loader called PV-GRUB; support for special hardware extensions: N/A
• HVM (Hardware Virtual Machine): the boot-up process executes the master boot record of the root block device of your image; uses several special hardware extensions such as enhanced networking or GPU processing
[Diagram: an Auto Scaling group of EC2 instances launched from an AMI scales on an Amazon SQS queue using a Target Tracking policy on the age of the oldest message.]
User Data
[Diagram: the Amazon Machine Image (AMI) plus the instance User Data produce the EC2 instance.]
Example User Data script (updates packages and starts the httpd web server):
#!/bin/bash
yum update -y
mkdir tdojologs
systemctl start httpd
echo "tutorialsdojo OK!"
Example User Data for an Auto Scaling group that mounts an Amazon EFS file system:
mkdir ~/tutorialsdojo-efs
sudo mount -t nfs -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport \
  awsjonbonsoefs:/ ~/tutorialsdojo-efs
Example User Data that installs the CloudWatch Logs agent:
#!/bin/bash
curl https://s3.amazonaws.com/aws-cloudwatch/downloads/latest/awslogs-agent-setup.py -O
chmod +x ./awslogs-agent-setup.py
./awslogs-agent-setup.py -n -r us-east-1 -c s3://tutorialsdojo
User Data
• Must be in a base64-encoded format
• Limited to 16 KB only when in raw form
• Accessible from the Instance Metadata using this URI: http://169.254.169.254/latest/user-data
• Only run once upon the first EC2 instance launch
• Modifying the User Data and restarting the instance won't affect the initial User Data
Instance Metadata
[Diagram: the virtualization layer keeps a MANIFEST of metadata for each EC2 instance.]
INSTANCE METADATA
• AMI
• Hostname
• Public IP address
• Private IP address
• Instance type
• MAC address
• Security groups
• Security credentials
• IAM Roles of your instance
• . . . and many more!
INSTANCE METADATA SERVICE
Available at the link-local address http://169.254.169.254/latest/meta-data/
Instance Metadata Service version 2 (IMDSv2) is session-oriented.
CATEGORIES
• Private IP Address
• Public IP or Elastic IP Address
• Media Access Control (MAC) Address
• Security Groups
• Instance Profile
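"Session-oriented" means a caller must first obtain a token with a PUT request and then present it on every GET, which is what stops a simple one-shot GET (for example one forged through a server-side request forgery bug in a web app) from reading the security credentials listed above. The following is an added example, not code from the course: it runs the IMDSv2 handshake against a small local stand-in for the metadata service so it works offline. The real service lives at http://169.254.169.254; the header names are the real IMDSv2 headers, while the instance id, role name and user data served by the stand-in are placeholders.

```python
"""Added example: the IMDSv2 session handshake (PUT token, then GET with the
token) against a constructed local stand-in for the metadata service.
The real service is at http://169.254.169.254; values served here are placeholders."""
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

TOKEN_HEADER = "X-aws-ec2-metadata-token"             # carries the session token on every request
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"   # requested token lifetime on the PUT


class FakeImds(BaseHTTPRequestHandler):
    """Constructed test double that enforces IMDSv2 (token required)."""
    tokens = set()
    paths = {
        "/latest/meta-data/instance-id": "i-0000000000example",              # placeholder
        "/latest/meta-data/iam/security-credentials/": "example-role",        # placeholder
        "/latest/user-data": "#!/bin/bash\nyum update -y\n",                  # placeholder
    }

    def log_message(self, *_):  # keep the demo quiet
        pass

    def _reply(self, status, body=""):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        # A token is only issued for PUT /latest/api/token carrying a TTL header.
        if self.path == "/latest/api/token" and self.headers.get(TTL_HEADER):
            token = secrets.token_urlsafe(32)
            FakeImds.tokens.add(token)
            self._reply(200, token)
        else:
            self._reply(400)

    def do_GET(self):
        # IMDSv2-only behaviour: no valid session token -> 401, as the real service does.
        if self.headers.get(TOKEN_HEADER) not in FakeImds.tokens:
            self._reply(401)
            return
        body = FakeImds.paths.get(self.path)
        if body is None:
            self._reply(404)
        else:
            self._reply(200, body)


def start_fake_imds():
    """Serve the stand-in on a random localhost port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), FakeImds)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def get_token(base_url, ttl_seconds=21600):
    """Step 1 of IMDSv2: PUT to /latest/api/token asking for a session token."""
    req = Request(f"{base_url}/latest/api/token", method="PUT",
                  headers={TTL_HEADER: str(ttl_seconds)})
    with urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def get_metadata(base_url, path, token=None):
    """Step 2: GET a metadata path, sending the token; returns (status, body)."""
    headers = {TOKEN_HEADER: token} if token else {}
    try:
        with urlopen(Request(f"{base_url}{path}", headers=headers), timeout=2) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, ""


def demo_session(base_url):
    """Show that a v1-style request fails while the v2 session succeeds."""
    v1_status, _ = get_metadata(base_url, "/latest/meta-data/instance-id")
    token = get_token(base_url)
    v2_status, instance_id = get_metadata(base_url, "/latest/meta-data/instance-id", token)
    _, user_data = get_metadata(base_url, "/latest/user-data", token)
    return {"v1_status": v1_status, "v2_status": v2_status,
            "instance_id": instance_id, "user_data_first_line": user_data.splitlines()[0]}


if __name__ == "__main__":
    server, base = start_fake_imds()
    try:
        print(demo_session(base))
    finally:
        server.shutdown()
        server.server_close()
```

On a real instance the same two calls go to http://169.254.169.254; requiring IMDSv2 at launch (so the v1 GET returns 401 as above) is the mitigation to look for when reviewing instances whose role credentials are reachable from application code.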
Amazon EC2 Networking
[Diagram: EC2 instances talk to each other over the private network in AWS and to the public Internet; the virtual network interface cards of EC2 instances are powered by the physical networking devices and physical network interface cards of the underlying hosts.]
Topics: IP Addressing, Elastic Network Interface, Elastic IP Address, Enhanced Networking, Elastic Fabric Adapter (EFA)
Elastic Network Interface
• Primary private IPv4 address
• Secondary private IPv4 addresses
• One Elastic IP address per private IPv4 address
• One public IPv4 address
• One or more IPv6 addresses
• One or more security groups
• Media Access Control (MAC) address
• Source-Destination check flag
• Custom description
[Diagram: EC2 instances with private IPv4 addresses 192.168.2.5 and 192.168.3.6; an instance can have both IPv4 and IPv6 addresses.]
CIDR
• Classless Inter-Domain Routing
• A method for allocating IP addresses
• Also used for IP routing
Private IP Address
Private IPv4 ranges are defined in RFC 1918 (Request For Comments 1918):
• Class A: CIDR block prefix /8; IP address range 10.0.0.0 – 10.255.255.255; over 16 million total IP addresses (10.0.*.*, e.g. 10.0.0.10)
• Class B: CIDR block pr
efix /12; IP address range 172.16.0.0 – 172.31.255.255; over 1 million total IP addresses (172.16.*.*, e.g. 172.16.0.5)
• Class C: CIDR block prefix /16; IP address range 192.168.0.0 – 192.168.255.255; over 64,000 total IP addresses (192.168.*.*, e.g. 192.168.0.9)
[Diagram: Jon's Desktop (192.168.68.107) and Rizal's Laptop (192.168.1.11) both use private 192.168.*.* addresses; CIDR 192.168.68.0/24.]
The private IP address of an EC2 instance maps to an internal DNS hostname such as ip-10-251-50-12.ec2.internal.
Public IP Address
• A public IP address is a dynamic IP address; its external DNS hostname looks like ec2-136-158-28-50.compute-1.amazonaws.com
• An Elastic IP Address is a static IP address allocated to your account
• An Elastic IP Address can also be used with a Network Load Balancer or a NAT Gateway
Features that enhance and accelerate the network capability of your EC2 instances: Enhanced Networking and the Elastic Fabric Adapter (EFA).
Enhanced Networking
• Based on the network adapter drivers of the underlying physical host
• The network adapter drivers can be:
  • Intel® Network Adapter Virtual Function Driver
  • AWS-built custom-based network adapter driver called Elastic Network Adapter (ENA)
  • Network drivers provided by AWS or other companies
• Similar to the "driver" or the software package that allows your computer to access a printer or other physical computer devices
• Uses single root I/O virtualization or SR-IOV
• Provides higher I/O performance and lower CPU utilization than the traditional virtualization techniques
• Controlled by network drivers (software)
• Provides:
  • Higher bandwidth
  • Consistent lower inter-instance latencies
  • Higher packet per second (PPS) performance
Network Drivers: Elastic Network Adapter (ENA); Intel 82599 Virtual Function (VF) interface
Elastic Fabric Adapter (EFA)
• Just like an Elastic Network Interface (ENI), with additional capabilities
• Can directly communicate with the network interface hardware without passing through the Linux kernel, also known as OS-bypass
• Provides low-latency and reliable transport functionality to your virtual machines
• Accelerates the networking capabilities of your High-Performance Computing (HPC) workloads
• Enhances inter-instance communication
Amazon EC2 Network Security
Security Groups and Network Access Control List (Network ACL)
[Diagram: VPC A in the N. Virginia Region of the AWS Cloud; the Network ACL protects the subnet, while the Security Group is attached to the EC2 instance.]
[Diagram: VPC A with subnets 1, 2 and 3 in Availability Zones 1, 2 and 3; each subnet has its own Network ACL, and each EC2 instance has its own Security Group.]
Network ACL TYPES
Default Network ACL:
• Already exists by default
• Can be modified
• Allows all inbound and outbound traffic by default
Custom Network ACL:
• You manually have to create it
• Can be modified
• Denies all inbound and outbound traffic by default
Network ACL rules: you can allow traffic or deny traffic, with separate inbound rules and outbound rules.
• An address prefix of /32 denotes a single IP address
• The /24 denotes the CIDR block which contains 256 different IP addresses
State: STATELESS. Because a Network ACL is stateless, the return traffic of an allowed inbound request must be allowed again by an explicit outbound rule (and vice versa), which is why the outbound rules have to cover the ephemeral ports that clients use.
Ephemeral Ports
• Short-lived port numbers
• The range varies depending on the operating system:
  • 32768 – 61000
  • 49152 – 65535
  • 1024 – 65535
[Diagram: inbound and outbound rules of the Network ACL of subnet 2, applied to the EC2 instance's traffic.]
Security Groups
• A virtual firewall that controls the incoming and outgoing traffic of one or more EC2 instances
• 1 EC2 instance can have one or more security groups
• Cannot have an explicit DENY rule (unlike a Network ACL)
• Aside from EC2 instances, it can also be attached to Amazon RDS, Amazon ElastiCache and other AWS resources
Inbound Rules:
• Allow incoming traffic
• Can't explicitly DENY traffic
• Not affected by outbound rules
Outbound Rules:
• Allow outgoing traffic
• Control traffic originated from the EC2 instance itself
• Do not affect the outgoing response traffic
• Examples:
  • EC2-initiated API call
  • Scheduled OS patches
Open Systems Interconnection (OSI) Model Layers
[Diagram: the 7 OSI layers; security group rules reference the transport protocol (TCP or UDP) and the port.]
Common TCP ports: HTTP : 80, HTTPS : 443, MSSQL : 1433, SMB : 445, MySQL : 3306, RDP : 3389, SSH : 22; ICMP - Ping.
You can only allow traffic (whitelisting).
Default Security Group:
• Already exists on your default VPC
• Has one inbound rule and one outbound rule by default
• Will be attached to your EC2 instance if you didn't specify a particular security group
• Automatically allows incoming traffic from any resource that also uses the default security group
• Allows all outgoing traffic that originated from the instance itself
Custom Security Group:
• You manually have to create it
• Has a default outbound rule that allows all traffic
• Doesn't have a default inbound rule
• Denies all inbound and outbound traffic by default
Security Groups are STATEFUL
[Diagram: an EC2 instance with a security group whose inbound rules allow HTTP : 80, HTTPS : 443, SMB : 445 and ICMP - Ping; the response to an allowed REQUEST is permitted regardless of the outbound rules.]
Security groups can be attached to Amazon EC2, Amazon RDS, Amazon Aurora and Amazon ElastiCache.
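The stateless/stateful distinction and the allow-only nature of security groups are the two points that decide whether a rule set actually works. The following is an added example, not code from the course, that models both features on one web-server request: a Network ACL evaluated rule by rule in both directions, with and without an ephemeral-port outbound rule, beside a security group that tracks connections and only needs outbound rules for traffic the instance itself starts. All addresses and rules are constructed (the client addresses are from the documentation ranges), and the model is a simplification of the two AWS features, not their implementation.

```python
"""Added example: how a stateless Network ACL and a stateful security group
treat the same web request. Constructed rules and addresses; a simplified
model of the two AWS features, not their implementation."""
import ipaddress

EPHEMERAL_PORTS = (1024, 65535)  # widest client port range listed on the slide


def _in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def nacl_decision(rules, ip, port, proto):
    """Stateless: rules are evaluated in ascending rule number, the first match
    decides, and the implicit '*' rule denies whatever nothing matched.
    rules: (rule_number, protocol, cidr, port_from, port_to, 'allow'|'deny')."""
    for _, rproto, cidr, lo, hi, action in sorted(rules):
        if rproto in (proto, "all") and lo <= port <= hi and _in_cidr(ip, cidr):
            return action
    return "deny"


class SecurityGroup:
    """Stateful and allow-only: a rule can only permit traffic, and the reply to
    a permitted request passes without consulting the rules in the other direction."""

    def __init__(self, inbound=(), outbound=()):
        self.inbound = list(inbound)    # (protocol, port_from, port_to, cidr)
        self.outbound = list(outbound)
        self._tracked = set()           # connections whose replies are auto-allowed

    @staticmethod
    def _matches(rules, ip, port, proto):
        return any(p in (proto, "all") and lo <= port <= hi and _in_cidr(ip, c)
                   for p, lo, hi, c in rules)

    def inbound_request(self, peer_ip, peer_port, local_port, proto="tcp"):
        if self._matches(self.inbound, peer_ip, local_port, proto):
            self._tracked.add((peer_ip, peer_port, local_port, proto))
            return True
        return False

    def outbound_reply(self, peer_ip, peer_port, local_port, proto="tcp"):
        # Return traffic of a tracked connection: outbound rules are not consulted.
        return (peer_ip, peer_port, local_port, proto) in self._tracked

    def outbound_request(self, peer_ip, peer_port, proto="tcp"):
        # Traffic the instance itself starts (API calls, OS patches) needs an outbound rule.
        return self._matches(self.outbound, peer_ip, peer_port, proto)


def web_server_scenario():
    """A client at 203.0.113.10 sends HTTP to a web server on port 80 from
    ephemeral port 51515; the server replies, and later starts a patch download
    to 198.51.100.20:443 (constructed addresses from the documentation ranges)."""
    client, client_port, server_port = "203.0.113.10", 51515, 80
    result = {}

    # Network ACL on the subnet: inbound allows HTTP from anywhere, denies SSH.
    nacl_in = [(100, "tcp", "0.0.0.0/0", 80, 80, "allow"),
               (200, "tcp", "0.0.0.0/0", 22, 22, "deny")]   # explicit deny is possible here
    nacl_out_no_ephemeral = [(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]
    nacl_out_with_ephemeral = nacl_out_no_ephemeral + [
        (110, "tcp", "0.0.0.0/0", *EPHEMERAL_PORTS, "allow")]

    result["nacl_request_in"] = nacl_decision(nacl_in, client, server_port, "tcp")
    # The reply goes back to the client's ephemeral port and is checked on its own.
    result["nacl_reply_without_ephemeral_rule"] = nacl_decision(
        nacl_out_no_ephemeral, client, client_port, "tcp")
    result["nacl_reply_with_ephemeral_rule"] = nacl_decision(
        nacl_out_with_ephemeral, client, client_port, "tcp")
    result["nacl_ssh_in"] = nacl_decision(nacl_in, client, 22, "tcp")

    # Security group on the instance: inbound allows HTTP; outbound allows nothing yet.
    sg = SecurityGroup(inbound=[("tcp", 80, 80, "0.0.0.0/0")])
    result["sg_request_in"] = sg.inbound_request(client, client_port, server_port)
    result["sg_reply"] = sg.outbound_reply(client, client_port, server_port)
    result["sg_patch_download_no_rule"] = sg.outbound_request("198.51.100.20", 443)
    sg.outbound.append(("tcp", 443, 443, "0.0.0.0/0"))
    result["sg_patch_download_with_rule"] = sg.outbound_request("198.51.100.20", 443)
    return result


if __name__ == "__main__":
    for name, value in web_server_scenario().items():
        print(f"{name:<36} {value}")
```

The two results to compare are the NACL reply without the ephemeral-port rule (denied, so the web page never loads even though port 80 is open) and the security group reply (allowed with an empty outbound list), which is why a "broken" web server behind a freshly created custom Network ACL is usually a missing outbound ephemeral range rather than a missing inbound rule.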
Security Groups and Network Access Control Lists (Network ACLs)
• You can't apply a security group or network ACL to your Amazon S3 buckets
• Both of these features do not provide enough protection against Cross-Site Scripting or SQL Injection attacks; they are combined with AWS Web Application Firewall (AWS WAF) for that
• These two are also inefficient in geographic match conditions or blocking certain countries
• Security Groups and Network ACLs are combined with VPC Flow Logs
Placement Groups
[Diagram: the US East (Ohio) us-east-2 Region has Availability Zones 1, 2 and 3, each made of several data centers; the Amazon EC2 service decides where to place your instances ("I'll place you...").]
Placement Group strategies: CLUSTER, PARTITION, SPREAD
• CLUSTER: instances are placed in a logical group on the host rack networking within one Availability Zone, i.e. a group of rack servers on a network building block with special routing configuration. Provides low-latency network performance and high network throughput.
• PARTITION: instances are spread across partitions (Partition 1, Partition 2, ...) within an Availability Zone. Commonly used on large distributed and replicated workloads, such as Hadoop, Cassandra, and Kafka.
• SPREAD: instances are placed apart from each other within an Availability Zone. Reduces correlated failures and improves availability.
[Diagram: an Auto Scaling group of EC2 instances launched into a Placement Group.]
Amazon EC2 Auto Scaling Overview
[Diagram: an Auto Scaling group in a private subnet behind a public subnet; as the number of requests grows from 1 to 10, 100 and 1000 and falls back to 100 and 1, instances are launched from the AMI and terminated to match the load.]
ELASTICITY
• The ability to dynamically acquire or release resources when you need them
• Can be easily done in the cloud since it has hundreds of thousands of servers
• Improves the performance of your application when it is experiencing a surge of requests
• Avoids over-provisioning of your resources
• Lowers your operating costs significantly by eliminating idle resources
[Diagram: the CPU, network bandwidth and SSD/HDD storage of an on-premises data center are RIGID and NOT FLEXIBLE compared with Amazon EC2.]
SCALING TYPES
VERTICAL SCALING HORIZONTAL SCALING
Small Amazon EC2
Instance Type
10 vCPU
100 GB
Large Amazon EC2
Instance Type
30 vCPU
300 GB
VERTICAL SCALING
SCALE UP
SCALE DOWN
HORIZONTAL SCALING
SCALE OUT
SCALE IN
HORIZONTAL SCALING
SCALE OUT
SCALE IN
Amazon Machine
Image (AMI)
HORIZONTAL SCALING
SCALE OUT
SCALE IN
HORIZONTAL SCALING
Amazon EC2
Auto Scaling
Amazon EC2
Auto Scaling
Amazon EC2 Auto Scaling
AUTO SCALING GROUP
• Organizes your Amazon EC2 instances into groups
• A logical unit for scaling and management
• Must have a setting for the minimum, maximum, and desired number of Amazon EC2 instances
CONFIGURATION TEMPLATE
• Types: Launch Template, Launch Configuration
• Acts as a template for your Auto Scaling Group, containing the AMI ID, the instance type, the key pair, the security groups, block device mapping and others
• It is recommended to use a Launch Template rather than a Launch Configuration, as the latter only offers limited features
SCALING OPTION
• Types: Dynamic, Predictive, Scheduled
• Allows you to choose the suitable scaling behavior of your Auto Scaling Group
[Diagram: an Auto Scaling group with INSTANCE WARM-UP, COOL DOWN and LIFECYCLE HOOKS; a newly launched instance counts down 5, 4, 3, 2, 1 while it is NOT YET READY TO ACCEPT CONNECTIONS, then becomes READY TO ACCEPT CONNECTIONS!]
AMAZON EC2 AUTO SCALING TYPES
• Simple Scaling
• Step Scaling
• Target Tracking
• Scheduled Scaling
SIMPLE SCALING
• Automatically increases or decreases the current capacity of your Auto Scaling Group based on a single scaling adjustment
[Diagram: an Amazon CloudWatch alarm fires when CPU utilization crosses the alarm threshold, the Auto Scaling group applies the single adjustment, and a cooldown period follows]
STEP SCALING
• Automatically increases or decreases the current capacity of your Amazon EC2 Auto Scaling group based on a set of scaling adjustments, also known as step adjustments
• Also requires the use of CloudWatch alarms with specified high and low thresholds, as well as a defined action that either adds or removes instances
• Also supports setting the Auto Scaling group to an exact size or a fixed capacity unit in the event that your CloudWatch alarm threshold is breached
• Unlike a Simple Scaling policy, it can continue to respond to additional CloudWatch alarms even if the current scaling activity or health check replacement is already in progress
[Diagram: step scaling with a cooldown period]
TARGET TRACKING
• Automatically increases or decreases the current capacity of your Auto Scaling group based on a target value for a specific metric
• Maintains and adjusts the number of EC2 instances in your Auto Scaling group based on the target that you specify
[Diagram: an Amazon CloudWatch alarm on average CPU utilization whose alarm threshold equals the 50% target; when the average CPU of all EC2 instances rises to 80% the group scales out, and when it drops to 30% the group scales in]
TARGET TRACKING WORKS LIKE A THERMOSTAT!
TARGET TRACKING USE CASES
• If you’ve determined the optimal performance of your web application and you want to maintain its desired performance across all EC2 instances of your Auto Scaling group
• If your application works best when the combined CPU utilization of your Amazon EC2 instances is at or near a certain percentage (e.g. 40%), you can set up a target tracking policy with a metric type of “Average CPU utilization” and a 40% target value
• Tracking of a certain metric that is produced by your application. You can track the average network in or network out of all your instances
• You can use the request count per target (ALBRequestCountPerTarget) metric of your Application Load Balancer as the metric type for your Target Tracking policy
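The arithmetic behind the step scaling and target tracking slides above, as an added example that is not part of the slide deck or of AWS's own code. The step-adjustment fields mirror the StepAdjustments / AdjustmentType shape of the EC2 Auto Scaling API, but every interval is treated as lower-inclusive and upper-exclusive (an assumption; the service flips that for scale-in steps), and the target tracking function is a simplified proportional "thermostat" model, not the service's internal algorithm. The 70% threshold, the 50% target and the step sizes are constructed.

```python
import math
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StepAdjustment:
    """One step of a step scaling policy.

    Bounds are offsets from the CloudWatch alarm threshold, like the API's
    MetricIntervalLowerBound / MetricIntervalUpperBound; None = open-ended.
    """
    lower: Optional[float]
    upper: Optional[float]
    adjustment: int


def clamp(desired: int, min_size: int, max_size: int) -> int:
    """The group never leaves its configured [min_size, max_size] range."""
    return max(min_size, min(max_size, desired))


def step_scaling(current: int, metric: float, threshold: float,
                 steps: List[StepAdjustment], adjustment_type: str,
                 min_size: int, max_size: int) -> int:
    """Desired capacity after one alarm evaluation under a step scaling policy.

    The step whose interval contains (metric - threshold) is applied; intervals
    are lower-inclusive / upper-exclusive here (assumption). ChangeInCapacity
    adds the adjustment; ExactCapacity sets the group to that size (the
    "exact size or fixed capacity unit" on the slide).
    """
    diff = metric - threshold
    for step in steps:
        above_lower = step.lower is None or diff >= step.lower
        below_upper = step.upper is None or diff < step.upper
        if above_lower and below_upper:
            if adjustment_type == "ChangeInCapacity":
                return clamp(current + step.adjustment, min_size, max_size)
            if adjustment_type == "ExactCapacity":
                return clamp(step.adjustment, min_size, max_size)
            raise ValueError(f"unsupported AdjustmentType {adjustment_type!r}")
    return current  # metric fell in no step interval: nothing to do


def target_tracking(current: int, metric: float, target: float,
                    min_size: int, max_size: int) -> int:
    """Thermostat-style estimate for a target tracking policy.

    Load per instance is assumed to fall in proportion to instance count, so
    the capacity that brings the metric back to the target is
    current * metric / target, rounded up so the metric lands at or below the
    target. Simplified proportional model (assumption).
    """
    if current <= 0 or target <= 0:
        raise ValueError("capacity and target must be positive")
    return clamp(math.ceil(current * metric / target), min_size, max_size)


# Constructed policy: alarm at 70% CPU; add 1, 2 or 3 instances as the breach widens.
STEPS = [StepAdjustment(0, 10, 1), StepAdjustment(10, 20, 2), StepAdjustment(20, None, 3)]

if __name__ == "__main__":
    for cpu in (65, 75, 85, 95):
        print("step scaling, CPU", cpu, "->", step_scaling(4, cpu, 70, STEPS, "ChangeInCapacity", 2, 10))
    for cpu in (30, 50, 80):
        print("target tracking at 50%, CPU", cpu, "->", target_tracking(4, cpu, 50, 2, 10))
```

Running it shows the difference the slides describe: step scaling reacts to how far past the threshold the alarm went, while target tracking computes a new size directly from the gap between the metric and the target, in both directions.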
SCHEDULED SCALING
• Automatically increases or decreases the current capacity of your Auto Scaling group based on a set schedule that you define
• Allows you to set up your own scheduled scaling based on the predictable load changes of your application
SCHEDULED SCALING USE CASES
Month-end Batch Processing Scenario
• The application performs significantly slower when the month-end financial calculation batch executes
• The batch causes the CPU utilization of your Amazon EC2 instances to immediately peak to 100% during that period
• It always happens on the first day of every month at the stroke of midnight
• Set a scheduled scaling policy with a monthly schedule
• Scale out before the clock hits 12 midnight on the first day of the month so there are more EC2 instances deployed to handle the peak load
Holidays and Public Announcements
• Provides a consistent user experience by scaling your Auto Scaling group a few hours before your event or specific holidays
• Scaling out your compute capacity takes time due to the cooldown period. It may take an hour or more to fully scale your compute capacity to match the current load. This is the reason why you have to scale out early!
• Setting up a scheduled scaling activity beforehand can reduce the performance issues of your application
Slow site every morning when the work day begins…
• Sluggish application performance right when the workday begins (e.g. 8 AM) but usually runs well by mid-morning (e.g. 10 AM) or at lunchtime
• There is a delay in launching new instances relative to the number of incoming requests
• For example, your Auto Scaling group scales up to 20 or 25 instances during work hours, but scales down to just 2 instances overnight
• In the morning, it takes a few hours for the scaling process to complete, extending to mid-morning or till lunchtime, since there are only 2 instances at the start of the day
Amazon EC2 Lifecycle Hooks
Hooks
• A function that gets executed automatically on a certain event
• Provides the ability to influence the outcome of your workflow based on the criteria that you define
• Can stop, skip, or replace the other function that is supposed to run on a particular lifecycle
• Also used in some programming languages, version control, and other programs
[Diagram: hooks elsewhere. A Git hook runs integration tests on git commit; on PASS the change is pushed with git push, on FAIL there is no commit. React component lifecycle: MOUNTING, UPDATING, UNMOUNTING. Angular component lifecycle]
Amazon EC2 Instance Lifecycle (Amazon EBS-backed EC2 instances only)
[Diagram: an instance launched from an AMI goes pending → running, may go rebooting, or stopping → stopped and back to pending → running, and finally shutting-down → terminated]
Auto Scaling lifecycle hooks pause two of these transitions:
• Launch: pending → Pending:Wait → Pending:Proceed → running
• Termination: Terminating:Wait → Terminating:Proceed → terminated
USE CASES
• During the scale-out event of your Auto Scaling group, you can:
  • Ensure that your new EC2 instances download the latest code base from your repository
  • Verify that your EC2 user data has been successfully completed first before the instance can start accepting traffic
  • You have to use the Pending:Wait lifecycle hook for this particular scenario
• During the scale-in event of your Auto Scaling group, you can:
  • Pause the instance termination for a certain amount of time to upload all the remaining data logs before the instance gets completely terminated
  • Execute a custom shell script
  • You have to use the Terminating:Wait lifecycle hook for these use cases
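The two hook scenarios above, modelled as a small offline state machine; this is an added example, not code from the slide deck or from AWS. It uses the Pending:Wait and Terminating:Wait states the slides name, the CONTINUE / ABANDON results of CompleteLifecycleAction, and a heartbeat timeout after which the hook's default result (ABANDON unless configured otherwise) applies. The class and function names, the instance ids and the two stand-in checks (a user-data marker, a log upload) are this example's own.

```python
from dataclasses import dataclass, field
from typing import Callable, List

CONTINUE, ABANDON = "CONTINUE", "ABANDON"   # the two CompleteLifecycleAction results


@dataclass
class LifecycleHook:
    transition: str                 # "LAUNCHING" (Pending:Wait) or "TERMINATING" (Terminating:Wait)
    heartbeat_timeout: int = 3600   # seconds the instance may stay in the Wait state
    default_result: str = ABANDON   # applied when nobody completes the action in time


@dataclass
class Instance:
    instance_id: str
    state: str = "Pending"
    history: List[str] = field(default_factory=list)

    def move(self, state: str) -> None:
        self.state = state
        self.history.append(state)


def run_launch_hook(inst: Instance, hook: LifecycleHook,
                    check: Callable[[Instance], str], elapsed: int) -> str:
    """Pending -> Pending:Wait -> Pending:Proceed -> InService when the check
    returns CONTINUE. A failed check, or an expired heartbeat with the default
    ABANDON, sends the instance to Terminating before it ever receives traffic."""
    assert hook.transition == "LAUNCHING"
    inst.move("Pending:Wait")
    result = check(inst) if elapsed <= hook.heartbeat_timeout else hook.default_result
    if result == CONTINUE:
        inst.move("Pending:Proceed")
        inst.move("InService")
    else:
        inst.move("Terminating")
    return inst.state


def run_terminate_hook(inst: Instance, hook: LifecycleHook,
                       drain: Callable[[Instance], str], elapsed: int) -> str:
    """Terminating -> Terminating:Wait -> Terminating:Proceed -> Terminated.
    Here the hook only buys time for the drain step (e.g. uploading the last
    logs); whether it returns CONTINUE or ABANDON, or the heartbeat expires,
    termination then proceeds."""
    assert hook.transition == "TERMINATING"
    inst.move("Terminating:Wait")
    if elapsed <= hook.heartbeat_timeout:
        drain(inst)
    inst.move("Terminating:Proceed")
    inst.move("Terminated")
    return inst.state


# Constructed stand-ins for the checks an operator would script on the instance.
def user_data_finished(inst: Instance) -> str:
    """Pretend user data leaves a marker file; only ids ending in 'a' have it."""
    return CONTINUE if inst.instance_id.endswith("a") else ABANDON


def upload_remaining_logs(inst: Instance) -> str:
    inst.history.append("logs-uploaded")
    return CONTINUE


LAUNCH_HOOK = LifecycleHook("LAUNCHING")
TERMINATE_HOOK = LifecycleHook("TERMINATING", heartbeat_timeout=600)

if __name__ == "__main__":
    good = Instance("i-00a")
    print(run_launch_hook(good, LAUNCH_HOOK, user_data_finished, elapsed=30), good.history)
    bad = Instance("i-00b")
    print(run_launch_hook(bad, LAUNCH_HOOK, user_data_finished, elapsed=30), bad.history)
```

The point worth noticing is the default: an instance whose verification never completes is abandoned and terminated rather than quietly placed behind the load balancer, which is exactly the guarantee the Pending:Wait use case asks for.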
Amazon EBS Overview
• EBS stands for Elastic Block Store
• A type of block storage, like the Amazon EC2 Instance Store
• Its data is more persistent and will not get lost even if the EC2 instance is stopped, restarted, or terminated
• Zonal in scope, which means it only exists in a single Availability Zone
• Can only be attached to EC2 instances in the same Availability Zone
• Can be encrypted at rest using AWS KMS
• You can attach one or more Amazon EBS volumes to a single EC2 instance
Amazon EBS
• Suitable for a variety of workloads such as databases, enterprise applications, big data analytics engines, file systems, media workflows, and others
• Allows you to store and retrieve your data with high throughput and low latency
• The Amazon EC2 instance and its attached EBS volumes are logically attached together and are both located within a single Availability Zone, which significantly reduces latency
• Since the underlying physical resources that power your Amazon EC2 instance and EBS volumes are located within the same city or geographic area, Amazon EBS is capable of providing low-latency read or write access to your data
• Mainly operates on the hardware level
[Diagram: block storage divides data into fixed-size blocks; a total file size of 8 kb divided by a block size of 4 kb gives two 4 kb blocks]
AWS_Certified_Solutions_Architect_Associate_SAA-C03_Slides_Tutorials_Dojo.pdf
RAID (Redundant Array of Independent Disks)
RAID 0
• Stripes multiple volumes together
• Provides greater I/O performance
• Divides a body of data into blocks and then spreads the data blocks across multiple storage devices
• Suitable if I/O performance is your priority
RAID 1
• Mirrors two or more volumes together
• Provides on-instance redundancy
• Duplicates data to provide more durability and availability
• Suitable if data redundancy is your focus
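RAID 0 striping and RAID 1 mirroring across EBS volumes, modelled in memory; this is an added example, not code from the slide deck. It splits a body of data into fixed-size blocks, lays them out the way the two RAID levels do, and then shows what survives when one volume fails: RAID 0 loses the whole body of data as soon as any striped volume is gone, RAID 1 loses nothing while one mirror remains. The 4-byte block size, the sample bytes and the volume sizes are constructed.

```python
from typing import Dict, FrozenSet, List, Optional

BLOCK_SIZE = 4  # bytes per block in this in-memory model (real EBS blocks are KiB-sized)


def split_blocks(data: bytes, block_size: int = BLOCK_SIZE) -> List[bytes]:
    """'Divides a body of data into blocks', in the slide's words."""
    return [data[i:i + block_size] for i in range(0, len(data), block_size)]


def raid0_write(blocks: List[bytes], n_volumes: int) -> List[Dict[int, bytes]]:
    """RAID 0: block k is striped to volume k % n at stripe slot k // n."""
    volumes: List[Dict[int, bytes]] = [{} for _ in range(n_volumes)]
    for k, block in enumerate(blocks):
        volumes[k % n_volumes][k // n_volumes] = block
    return volumes


def raid1_write(blocks: List[bytes], n_volumes: int) -> List[Dict[int, bytes]]:
    """RAID 1: every volume holds a full copy of every block."""
    return [dict(enumerate(blocks)) for _ in range(n_volumes)]


def raid0_read(volumes: List[Dict[int, bytes]], n_blocks: int,
               failed: FrozenSet[int] = frozenset()) -> Optional[bytes]:
    """Reassemble the stripes; any failed volume makes the whole body unreadable."""
    n = len(volumes)
    out = []
    for k in range(n_blocks):
        if k % n in failed:
            return None
        out.append(volumes[k % n][k // n])
    return b"".join(out)


def raid1_read(volumes: List[Dict[int, bytes]], n_blocks: int,
               failed: FrozenSet[int] = frozenset()) -> Optional[bytes]:
    """Read from any surviving mirror."""
    for i, vol in enumerate(volumes):
        if i not in failed:
            return b"".join(vol[k] for k in range(n_blocks))
    return None


def usable_capacity(volume_size_gb: int, n_volumes: int, level: int) -> int:
    """RAID 0 adds the volumes together; RAID 1 spends the extra volumes on copies."""
    return volume_size_gb * n_volumes if level == 0 else volume_size_gb


# Constructed sample: 17 bytes -> five 4-byte blocks across two EBS volumes.
DATA = b"TUTORIALSDOJO-AWS"

if __name__ == "__main__":
    blocks = split_blocks(DATA)
    striped, mirrored = raid0_write(blocks, 2), raid1_write(blocks, 2)
    print("RAID 0 with volume 1 failed:", raid0_read(striped, len(blocks), frozenset({1})))
    print("RAID 1 with volume 1 failed:", raid1_read(mirrored, len(blocks), frozenset({1})))
```

The trade the slide describes falls straight out of the layout functions: striping doubles both the throughput you can drive in parallel and the usable capacity, mirroring halves the capacity and buys the ability to lose a volume.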
Amazon Elastic Block Store (Amazon EBS): SSD vs HDD
                                            Solid State Drive (SSD)                          Hard Disk Drive (HDD)
Dominant performance attribute              IOPS (Input/Output operations per second)        Throughput (megabit per second, Mbps)
Use case                                    Workloads with frequent read/write operations    Data archiving, backups or throughput-oriented storage
Can be used as boot volume for Amazon EC2?  Yes                                              No
Read & write speeds                         Fast!                                            Slow…
Amazon EBS Snapshots
• An incremental backup that internally uses Amazon S3 to persist your data
• It only saves the data blocks that have changed after your most recent snapshot
• Allows you to restore the state of your EBS volume in the event of data loss
• Enables you to copy your EBS volume to another AWS Region for your data migration or disaster recovery activities
• Can be used to encrypt an unencrypted Amazon EBS volume
• Automate the creation, retention, and deletion of your EBS snapshots and EBS-backed AMIs using the Amazon Data Lifecycle Manager (Amazon DLM) service
Amazon EBS Encryption
[Diagram: an EC2 instance writes to an Amazon EBS volume; the volume's snapshots are stored in an internal Amazon S3 bucket that is exclusively managed by AWS]
• ENCRYPTION AT REST: volume and snapshot data are encrypted with AWS KMS keys
• ENCRYPTION IN TRANSIT: data moving between the EC2 instance and the EBS volume is encrypted
• Amazon EBS Encryption by Default must be manually enabled per AWS Region
Amazon EBS Types
[Diagram: an Amazon EC2 instance with a ROOT EBS VOLUME (contains the system image for booting the EC2 instance) and OTHER DATA VOLUMES; each volume is either a Solid State Drive (SSD) or a Hard Disk Drive (HDD)]
Solid State Drive (SSD)
• Suitable for transactional workloads
• For various types of applications and systems with frequent read/write operations with small I/O sizes
• Performance Attribute: IOPS
• Two families: General Purpose SSD (gp) and Provisioned IOPS SSD (io)
General Purpose SSD (gp)
• Provides a balance of price and performance for your workloads
• Recommended for most workloads
• Also suitable for apps with unpredictable or unknown access patterns
• Suitable for low-latency interactive apps in production as well as your development and test environments
• For your infrequently accessed applications or systems that only peak during certain times of the day or have varying disk I/O operations
• Provides ample IOPS for your applications, but not on par with what a Provisioned IOPS type can give
• The most cost-effective storage option that does NOT sacrifice performance
Provisioned IOPS SSD (io)
• Provides configurable and consistent IOPS to allow you to accommodate the changes in your data storage requirements
• Primarily used for mission-critical, low-latency, or high-throughput workloads
• Provides sub-millisecond latency and consistent IOPS performance
• Allows you to set the amount of available IOPS of your EBS volume
USE CASES (SSD)
• For hosting data for your applications that make small reads and writes to a small file system
• For applications that require high read and write IOPS performance
• For fixing latency issues
• For scenarios where your database storage performance is the bottleneck
• For storage systems that require configurable and consistent IOPS
• . . . and many more!
Amazon EBS Multi-Attach
[Diagram: a single io volume attached to several Nitro-based Amazon EC2 instances at the same time; a regular file system on it (File-Manila.txt) does not support concurrent file modification]
Hard Disk Drive (HDD)
• Optimized for large streaming workloads
• For various types of applications and systems with large, sequential I/O operations
• Performance Attribute: Throughput (MB/s)
• Two types: Throughput Optimized HDD (st) and Cold HDD (sc)
Throughput Optimized HDD (st)
• A low-cost HDD designed for frequently accessed, throughput-intensive workloads
• Can be used for your big data applications, data warehouses, and log processing
• Cannot be used as your boot (root device) volume
Cold HDD (sc)
• Lowest-cost HDD storage type
• Meant for storing less frequently accessed workloads
• The most cost-effective EBS storage type, but for data archiving only, since its throughput performance is substantially low
• Suitable for throughput-oriented storage for data that is infrequently accessed
• Perfect for scenarios where the lowest storage cost is of the utmost importance
ANTI-PATTERNS
• If you just need temporary storage for your data, use EC2 Instance Store instead
• If you have to store your application or system data in a POSIX-compliant hierarchical directory structure, use Amazon EFS instead
• If you have multiple applications that are concurrently accessing the same files at the same time, it is better to use the Amazon EFS or Amazon FSx service instead
• If you need to store your static data in the most cost-effective way, it’s more appropriate and cheaper to store it in Amazon S3
Amazon Elastic Load Balancing Overview
• Load Balancing: the distribution of traffic to underlying resources
[Diagram: the resources an Elastic Load Balancer can send traffic to: Amazon EC2 instances, AWS Lambda functions, Amazon ECS tasks, AWS Fargate tasks, Amazon EKS clusters and custom IP addresses]
Distributing traffic with Route 53 routing policies alone
[Diagram: a SIMPLE ROUTING POLICY points a DNS record at one server (52.44.107.223) whose WEBSITE STATUS flips between UP and DOWN! during OS patching or system maintenance and on critical application or system errors; a FAILOVER ROUTING POLICY redirects to a standby that is UP; a WEIGHTED ROUTING POLICY splits the incoming load of traffic 40% / 60%; a MULTIVALUE ANSWER ROUTING POLICY returns several servers, some UP with slight degradation, with CPU utilization over 100% on the OVERUTILIZED SERVERS while the others are UNDERUTILIZED]
• The distribution of the incoming load of traffic is not balanced across the underlying servers
• The traffic is distributed randomly
• Unbalanced: some servers are overutilized while others are underutilized
• No routing algorithm
• Lacks security features
Distributing traffic with a Load Balancer
[Diagram: a load balancer in front of Public subnet A (AZ 1) and Public subnet B (AZ 2) of a VPC in one Region of the AWS Cloud]
• Balanced distribution of incoming traffic through the use of a routing algorithm
Elastic Load Balancing TYPES
Application Load Balancer (ALB)
• Protocol listeners: HTTP / HTTPS, gRPC
• Use cases: web apps, microservices & containers
• Routing algorithm: Least Outstanding Requests (LOR), Round Robin
Classic Load Balancer (CLB)
• Protocol listeners: HTTP / HTTPS, TCP, SSL/TLS
• Use cases: legacy applications in AWS; implementing custom security policies and TCP passthrough configuration
• Routing algorithm: Least Outstanding Requests (LOR), Round Robin
Network Load Balancer (NLB)
• Protocol listeners: TCP / UDP, TLS
• Use cases: handling millions of requests per second while maintaining ultra-low latencies
• Routing algorithm: Flow Hash
Gateway Load Balancer (GWLB)
• Protocol listeners: IP
• Use cases: running third-party virtual appliances in AWS
• Routing algorithm: IP listener routing that leverages the GENEVE protocol
[Diagram: a LISTENER on HTTP 80 (http://tutorialsdojo.com) or HTTPS 443 (https://tutorialsdojo.com) forwards to a TARGET GROUP whose targets can be Amazon EC2 instances, AWS Lambda functions, Amazon ECS tasks, AWS Fargate tasks, Amazon EKS clusters or custom IP addresses; the load balancer runs a Health Check against the targets in Public subnet A and Public subnet B of the US-EAST-1 Region]
[Diagram: an ELB with target groups in the US-EAST-1 Region and another ELB with target groups in the US-EAST-2 Region, fronted by Route 53 or AWS Global Accelerator]
[Diagram: a target group's RequestCountPerTarget metric, rising from 1 to 10, 100 and 1000 requests and falling again, drives an Auto Scaling group that spans Availability Zone 1 and Availability Zone 2; with no Auto Scaling group, adding capacity behind the target group in US-EAST-1 is a manual process]
Amazon Elastic Load Balancing TYPES
• Application Load Balancer
• Network Load Balancer
• Gateway Load Balancer
• Classic Load Balancer
Application Load Balancer
• Primarily used for load balancing HTTP and HTTPS traffic
• Suitable for web applications
• Works on Layer 7 (Application Layer) of the OSI Model
• Supports Round Robin (default) and Least Outstanding Requests (LOR) routing algorithms
• Target types: Amazon EC2 Instance, AWS Lambda Function, IP Address
• Supported protocol listeners: HTTP, HTTPS, and gRPC
• Also supports WebSockets and HTTP/2
• Can be integrated with AWS Global Accelerator, AWS Config, AWS WAF and other features
Application Load Balancer
• Notable features:
  Advanced routing via listener rule condition types
  Connection Draining
  Idle connection timeout
  Cross-zone Load Balancing
  Preserving the source IP address
  Slow Start
• Has different security features such as:
  SSL Offloading
  Server Name Indication (SNI)
  Back-end server encryption
  User authentication
  Application-Layer Protocol Negotiation (ALPN)
  Integration with Security Groups and AWS WAF
Application Load Balancer
LISTENER RULE CONDITION TYPES
• Host condition: tutorialsdojo.com, portal.tutorialsdojo.com, app.tutorialsdojo.com, *.tutorialsdojo.com
• HTTP Header: User-Agent, Content-Type
• HTTP Request Method: GET, POST, PUT, DELETE
• Path: /img/, /doc/cebu, /pdf/*/report
• Query String: /info?version=1, /health?status=manila, /account?id=123&alias=pogi
• Source IP: 192.0.2.0, 198.51.100.10
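How the six condition types combine into listener rules, as an added example that is not code from the slide deck or from AWS. It evaluates ordered rules (lowest priority number first, as on an ALB listener) against a request and falls back to a default action, with '*' and '?' wildcards in the ALB style. The rules themselves, the target group names, the request values and the office IP range are constructed; the host names, paths and source IPs reuse the slide's examples.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl


@dataclass
class Request:
    host: str
    path: str
    method: str = "GET"
    headers: Dict[str, str] = field(default_factory=dict)
    query: str = ""                 # raw query string without the leading '?'
    source_ip: str = "203.0.113.5"  # constructed default: a client outside any allowlist


@dataclass
class Rule:
    priority: int                   # lower number is evaluated first
    action: str                     # target group name, or a fixed response such as "fixed-403"
    hosts: List[str] = field(default_factory=list)
    paths: List[str] = field(default_factory=list)
    methods: List[str] = field(default_factory=list)
    headers: Dict[str, List[str]] = field(default_factory=dict)
    query: List[Tuple[Optional[str], str]] = field(default_factory=list)   # (key or None, value pattern)
    source_ips: List[str] = field(default_factory=list)                     # CIDR blocks


def _any_match(patterns: List[str], value: str) -> bool:
    # '*' = zero or more characters, '?' = exactly one. fnmatchcase also honours
    # '[...]' classes, which an ALB does not, so keep brackets out of patterns.
    return any(fnmatchcase(value, p) for p in patterns)


def matches(rule: Rule, req: Request) -> bool:
    """Every configured condition must match; within one condition any listed value may."""
    if rule.hosts and not _any_match([h.lower() for h in rule.hosts], req.host.lower()):
        return False
    if rule.paths and not _any_match(rule.paths, req.path):
        return False
    if rule.methods and req.method.upper() not in rule.methods:
        return False
    lower_headers = {k.lower(): v for k, v in req.headers.items()}
    for name, patterns in rule.headers.items():
        value = lower_headers.get(name.lower())
        if value is None or not _any_match(patterns, value):
            return False
    if rule.query:
        pairs = parse_qsl(req.query, keep_blank_values=True)
        if not any(any((key is None or k.lower() == key.lower()) and fnmatchcase(v, pattern)
                       for k, v in pairs)
                   for key, pattern in rule.query):
            return False
    if rule.source_ips:
        addr = ip_address(req.source_ip)
        if not any(addr in ip_network(cidr, strict=False) for cidr in rule.source_ips):
            return False
    return True


def route(rules: List[Rule], req: Request, default_action: str) -> str:
    """Action of the first matching rule by priority, else the listener's default."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, req):
            return rule.action
    return default_action


# Constructed listener. The first two rules restrict /admin to one source range
# and hand everyone else a fixed 403 before any later rule can forward them.
RULES = [
    Rule(5, "admin-tg", paths=["/admin*"], source_ips=["192.0.2.0/24"]),
    Rule(6, "fixed-403", paths=["/admin*"]),
    Rule(10, "portal-tg", hosts=["portal.tutorialsdojo.com"]),
    Rule(20, "static-tg", hosts=["*.tutorialsdojo.com"], paths=["/img/*", "/pdf/*/report"]),
    Rule(30, "api-tg", methods=["POST", "PUT", "DELETE"], headers={"Content-Type": ["application/json*"]}),
    Rule(40, "v1-tg", query=[("version", "1")]),
]
DEFAULT_ACTION = "web-tg"

if __name__ == "__main__":
    print(route(RULES, Request("tutorialsdojo.com", "/admin/users", source_ip="192.0.2.15"), DEFAULT_ACTION))
    print(route(RULES, Request("tutorialsdojo.com", "/admin/users", source_ip="198.51.100.10"), DEFAULT_ACTION))
```

Priority order is what makes the admin restriction hold: the allow rule and the fixed-403 rule both match the path, so the more specific allow must carry the lower number, and nothing forwarding on host or method alone may sit in front of them.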
Network Load Balancer
• For load balancing TCP, UDP, and TLS traffic
• Can handle millions of requests per second
• Routes the traffic while maintaining ultra-low latencies
• Works on Layer 4 (Transport Layer) of the OSI Model
• Uses the flow hash routing algorithm
• Can be directly associated with an Elastic IP address
• Supports direct integration with: AWS Global Accelerator, AWS Config, VPC Endpoint Services and Traffic Mirroring
Network Load Balancer
• Notable features:
  Connection Draining
  Cross-zone Load Balancing
  Preserving the source IP address
  WebSockets support
  Long-lived TCP connections
• Has different security features such as:
  SSL Offloading
  Server Name Indication (SNI)
  Back-end server encryption
  Application-Layer Protocol Negotiation (ALPN)
  Integration with AWS Global Accelerator
Notable differences between ALB and NLB
• NLB does not have a selection of rule condition types, unlike ALB
• NLB uses the TCP and UDP transport protocols, not HTTP and HTTPS
• NLB is suitable for various networking use cases, or for real-time multiplayer games that use UDP
• NLB can support millions of requests per second while maintaining ultra-low latencies, unlike ALB
• NLB can be directly integrated with an Elastic IP address, unlike ALB
Gateway Load Balancer
• Primarily used for running third-party virtual appliances
• Suitable for custom firewalls, deep packet inspection systems, intrusion detection & prevention systems and many other virtual appliances
• Uses the Internet Protocol (IP) to pass the OSI Layer 3 traffic to its registered targets
• Works on both Layer 3 (Network Layer) and Layer 4 (Transport Layer) of the OSI Model
• Uses the Generic Network Virtualization Encapsulation (GENEVE) protocol to exchange application traffic
• You can use GWLB endpoints to exchange traffic across different VPC boundaries
• The access is configured using the route tables of your VPC, instead of virtual IP addresses
Classic Load Balancer
• Intended for legacy applications that are still using the EC2-Classic network
• Not recommended for modern applications
• Supports both the transport layer protocols (TCP, SSL) as well as the application layer protocols (HTTP, HTTPS)
• Works on both Layer 4 (Transport Layer) and Layer 7 (Application Layer) of the OSI Model
• For applications with custom security policies and TCP passthrough configuration
• Can provide end-to-end security for your data in transit
Amazon S3 Overview
• An object storage service
• S3 stands for “Simple Storage Service”
• Highly durable, available & scalable storage service
• Primarily used to store static data that does not change frequently
• Allows your files to be made publicly available via the Internet
Amazon S3
• BUCKET: highly scalable and allows you to store virtually unlimited amounts of files
• OBJECT
• METADATA: a set of name-value pairs
BUCKET NAMING GUIDELINES
• The S3 bucket name is globally unique
• The namespace is shared by all AWS accounts around the world
• Example: if you created an S3 bucket named “tutorialsdojo”, then no other AWS user can create a bucket with that same name; if someone tries to create a new bucket called “tutorialsdojo”, that request will fail
Amazon S3 Folders and Prefixes
• Help you organize or group your objects
• S3 has a flat structure
• The concept of a “folder” is not hierarchical, unlike Amazon EFS
• Example: in the object key name tutorialsdojo/aws.jpeg, “tutorialsdojo/” is the prefix and “aws.jpeg” is the filename
• Amazon S3 does NOT support POSIX, including: concurrent file modification, file system access semantics, file locking
[Diagram: an object uploaded to a bucket in the N. Virginia Region of the AWS Cloud is stored across multiple Availability Zones (AZ 2, AZ 3, …), outside YOUR VPC]
• Automatically replicates your objects to all Availability Zones of the AWS Region by default
AVAILABILITY: 99.99%
DURABILITY: 99.999999999%
• Durability is the probability that an object remains intact and accessible after a period of one year
  100%            Absolutely no data loss per year
  99%             1% chance of data loss per year
  99.99%          0.01% chance of data loss per year
  99.999999999%   0.000000001% chance of data loss per year, or one lost object every 10 million years
Amazon S3 Storage Classes
• S3 Standard: for frequently accessed data
• S3 Intelligent-Tiering: for changing or unknown access patterns
• S3 Standard-IA (Infrequent Access) and S3 One Zone-IA (Infrequent Access): for storing long-lived, yet less frequently accessed data
• S3 Glacier and S3 Glacier Deep Archive: for low-cost long-term storage and data archiving
Lifecycle Policy
[Diagram: a lifecycle policy moves objects from S3 Standard or S3 Intelligent-Tiering to S3 Standard-IA or S3 One Zone-IA, then to S3 Glacier and S3 Glacier Deep Archive, marked with the 30 Days, 90 Days and 180 Days milestones]
Static Website Hosting
• Launch a static website with HTML pages, downloadable packages, images, media files, or other client-side scripts
• Cost-effective solution for hosting your static websites with no server management required (serverless)
• Cannot be used for running server-side scripts such as PHP, JSP, ASP.NET etc…
Accessing Amazon S3 vs Amazon EBS and Amazon EFS
• Amazon S3: invoked via a REST API request call, via the public Internet by default
• Amazon EBS and Amazon EFS: attached/mounted to the Amazon EC2 instance
Other Amazon S3 features
• S3 Versioning and Multi-Factor Authentication (MFA): prevent accidental data deletion in Amazon S3
• Access Control List (ACL) and Bucket Policy: secure access to your S3 buckets and objects; control external access to your Amazon S3 bucket
• Cross Region Replication (CRR): automatically replicate objects to a different AWS Region for backup purposes
• Transfer Acceleration and Multipart Upload: accelerate or expedite the data transfer (upload/download) of S3 objects
• …and many other S3 features!
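A check on the bucket policy feature named above, as an added example that is not code from the slide deck or from AWS. Since S3 can make files publicly reachable via the Internet, the first thing to review in a bucket policy is whether any Allow statement is granted to everyone; the checker below walks the statements and reports unconditioned public Allows, and a second function confirms that a Deny for aws:SecureTransport false is present. The two sample policies are constructed; the bucket name "tutorialsdojo" comes from the slides, and the account id 111122223333 and role name are placeholders.

```python
import json
from typing import Any, List


def _as_list(value: Any) -> list:
    """The policy grammar allows a single string or a list in most positions."""
    return value if isinstance(value, list) else [value]


def is_public_principal(principal: Any) -> bool:
    """True for the two spellings of 'anyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_statements(policy_json: str) -> List[str]:
    """Sids (or positions) of Allow statements granted to everyone with no Condition."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not is_public_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # scoped by a condition key; still worth reading which one
        findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


def enforces_tls(policy_json: str) -> bool:
    """True if a Deny statement refuses requests made without TLS (aws:SecureTransport false)."""
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if stmt.get("Effect") == "Deny" and str(flag).lower() == "false":
            return True
    return False


# Constructed sample policies (placeholder account id and role name).
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::tutorialsdojo/*",
    }],
})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExampleAppRole"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::tutorialsdojo/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::tutorialsdojo", "arn:aws:s3:::tutorialsdojo/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_READ_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "public statements:", public_statements(policy), "TLS enforced:", enforces_tls(policy))
```

A Deny with Principal "*" is not a finding: that is the normal way to apply a restriction to every caller, which is why the checker looks at Effect before it looks at the principal.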
Amazon S3 Storage Classes
• S3 Standard
• S3 Intelligent-Tiering
• S3 Standard-Infrequent Access (Standard-IA)
• S3 One Zone-Infrequent Access (One Zone-IA)
• S3 Glacier
• S3 Glacier Deep Archive
S3 Standard
• Primarily used for storing your data that is frequently accessed
• Highly durable, highly available, and high-performance object storage
• Replicates your data to 3 or more Availability Zones
• 99.99% Availability
• No minimum storage duration charge
• No data retrieval fee
USE CASES
• For setting up highly available and durable static web hosting
• As a temporary storage service for storing the nightly log processing of your application, where the logs are meant to be stored for 1 day (24 hours) only. It is a cost-effective option for this case since it has no minimum storage duration charge
LIMITATIONS
• Not cost-effective, as this storage class is the most expensive among all other classes
• Not recommended for data archiving, for infrequently accessed files or for any workloads that require cost-effective storage
S3 Standard-IA
• Primarily used for storing infrequently accessed data, but provides a way to rapidly retrieve the stored files
• Replicates your data to 3 or more Availability Zones
• 99.99% Availability
• 30-day minimum storage duration charge
• Has a data retrieval fee that is measured per gigabyte (GB)
USE CASES
• As long-term storage for long-lived, but infrequently accessed data
• For data backups
• As a data store for your Disaster Recovery (DR) files
• For storing the primary backup copies of your on-premises dataset
S3 One Zone-IA
• For storing less frequently accessed and easily reproducible data that requires immediate retrieval when needed
• 30-day minimum storage duration charge
• Cheaper than S3 Standard-IA
• Only uses 1 Availability Zone
• 99.95% Availability (the lowest among all other Amazon S3 storage classes)
USE CASES
• If you require a cost-effective option to store infrequently accessed data
• For workloads that do not require the availability and resilience of the Amazon S3 Standard or S3 Infrequent Access class
• For storing secondary backup copies of a rarely accessed on-premises dataset
• For storing easily recreatable data
LIMITATIONS
• The data is replicated in a single AZ only
• Not recommended for storing your company’s primary backup copies or any critical business data that is difficult to reproduce
S3 Intelligent-Tiering
• Delivers automatic cost savings
• Automatically moves your objects between different access tiers whenever your access pattern changes
• 30-day minimum storage duration charge
• No data retrieval fee
• Moves data to the most cost-effective access tier without any operational overhead
• Stores the objects in four access tiers: 2 low-latency access tiers and 2 optional archive access tiers
USE CASES
• Suitable if your data has an unpredictable access pattern
• For buckets with a mix of frequently and infrequently accessed data
• If the access patterns to your data vary all the time
• If some of your files are accessed frequently while the others are rarely accessed (move to Glacier)
• If some of your data are accessed less frequently than others (move to IA tier)
• If you are unsure of how frequently your data will be accessed
• If you want to keep costs low by automatically moving your data to the appropriate S3 storage class
• If your data will be accessed by users over variable periods of time
• If you need storage with no management overhead
• If you want to avoid lifecycle policies that are not consistently implemented or are partially implemented
S3 Glacier
• A secure, durable, and low-cost storage
• Suitable for data archiving
• A cost-effective storage solution for rarely accessed data that does not require a fast retrieval time
• Replicates your data to 3 or more Availability Zones
• 99.99% Availability
• 90-day minimum storage duration charge
• High data retrieval fee (expensive)
S3 Glacier
• Has its own management console apart from the regular Amazon S3 console
• 2 ways to store your data: using the Amazon S3 console, or using the Amazon Glacier console
• Automatically move your data from S3 Standard or S3 Standard-IA to Amazon S3 Glacier by using a lifecycle policy
S3 Glacier Vault
• Has a resource called: Vault
• A vault is a container for storing your data archives
• Base unit of storage in S3 Glacier, containing a unique ID and an optional description
• Can only be created in the Amazon S3 Glacier console
• You must provide the vault name and its corresponding AWS Region
S3 Glacier Vault
• Use a Vault Lock to ensure data integrity and access control to your Amazon S3 Glacier Vaults
• A Vault Lock is an access policy that helps you enforce regulatory and compliance requirements
• You can specify a “Write Once Read Many” (WORM) control to lock your Glacier vault policy from future edits
• A Glacier vault access policy can no longer be changed when the vault lock process has been completed after 24 hours
USE CASES
• Applicable if your company wants to retain its archives for a specific number of years before the files can be deleted
• If you want to deny users from modifying or deleting an archive until after 1 year, 3 years, 7 years et cetera
S3 Glacier Archival Retrieval Options
EXPEDITED
• Quickly access a subset of your data archives
• Allows you to access your archived data within 1 - 5 minutes (file size should NOT exceed 250 MB)
• Ensure sufficient retrieval capacity for your Expedited retrieval operations by purchasing provisioned capacity
STANDARD
• Default option for retrieval requests
• Allows you to access any of your Glacier archives within 3 – 5 hours
BULK
• Lowest-cost retrieval option
• Retrieves large amounts of data archive in less than half a day
• Typically completes the process within 5 – 12 hours
S3 Glacier Deep Archive
• The lowest-cost storage class in Amazon S3
• Supports long-term retention and digital preservation for your data
• Primarily used to retain your data sets for 7 to 10 years or longer to meet regulatory compliance requirements
• Replicates your data to 3 or more Availability Zones
• 99.99% Availability
• 180-day minimum storage duration charge (roughly 6 months)
• Should be used for data archiving only
• The data stored here should be rarely accessed with no strict retrieval time
S3 Glacier Deep Archive - Retrieval Options
STANDARD
• Default option for retrieval requests
• Data will be restored within 12 hours
BULK
• Costs lower than the Standard retrieval option
• Data will be restored within 48 hours
Amazon S3 Minimum Storage Duration
• The specific amount of time that your objects must be stored in a particular storage class
• Deleting your objects won’t affect the minimum storage duration. You will still have to pay for the remaining days of the mandatory minimum period
• A minimum storage duration of 30 days means that you will be charged for the entire 30 days even if you deleted or changed the storage class of your objects before that period
Minimum Storage Duration example
• An object was uploaded to the Amazon S3 Standard-Infrequent Access (S3 Standard-IA) storage class, which has a 30-day minimum storage duration
• You deleted the object after 10 days, so it was only stored for 10 days
• You’re still billed for the entire 30 days
• Also applicable if you changed the storage class to another class
S3 Glacier vs S3 Standard: which is more cost-effective?
• S3 Standard: NO minimum storage duration
• S3 Glacier: 90-day minimum storage duration
• Scenario: non-reproducible and frequently accessed data that needs to be temporarily stored for hours only. S3 Standard is the more cost-effective choice here, because S3 Glacier would bill the entire 90 days
S3 Glacier vs S3 Glacier Deep Archive
                          COST        MINIMUM STORAGE DURATION   DATA DELETED AFTER 10 DAYS                  DATA DELETED AFTER 90 DAYS                  DATA DELETED AFTER 180 DAYS
S3 Glacier                LOW ($$)    90 Days                    You will be billed for the entire 90 days   Normal storage usage charge                 Normal storage usage charge
S3 Glacier Deep Archive   LOWEST ($)  180 days                   You will be billed for the entire 180 days  You will be billed for the entire 180 days  Normal storage usage charge
• Deleting Deep Archive data after 10 days still bills the remaining 180 - 10 = 170 days!
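The minimum storage duration arithmetic from the last few slides, as an added example that is not code from the slide deck. It encodes the durations the slides give (none for S3 Standard; 30 days for Standard-IA, One Zone-IA and Intelligent-Tiering; 90 for S3 Glacier; 180 for Deep Archive), works out the billable days when an object is deleted or transitioned early, and compares storage charges across classes for a given retention. The per-GB-month prices are constructed placeholders for illustration, not AWS list prices, and retrieval and request fees are left out.

```python
from typing import Dict

# Minimum storage durations in days, as stated on the slides.
MIN_DURATION_DAYS: Dict[str, int] = {
    "STANDARD": 0,
    "INTELLIGENT_TIERING": 30,
    "STANDARD_IA": 30,
    "ONEZONE_IA": 30,
    "GLACIER": 90,
    "DEEP_ARCHIVE": 180,
}

# Constructed per-GB-month prices for illustration only; not AWS list prices.
EXAMPLE_PRICES: Dict[str, float] = {
    "STANDARD": 0.024,
    "STANDARD_IA": 0.012,
    "GLACIER": 0.004,
    "DEEP_ARCHIVE": 0.001,
}


def billable_days(storage_class: str, days_stored: int) -> int:
    """Days charged: the minimum duration, or the actual time if that is longer."""
    return max(MIN_DURATION_DAYS[storage_class], days_stored)


def early_deletion_days(storage_class: str, days_stored: int) -> int:
    """Days you pay for without storing anything (the slide's 180 - 10 = 170)."""
    return billable_days(storage_class, days_stored) - days_stored


def storage_cost(storage_class: str, size_gb: float, days_stored: int,
                 prices: Dict[str, float] = EXAMPLE_PRICES) -> float:
    """Storage charge only, pro-rated per 30-day month; retrieval and request fees are left out."""
    return round(size_gb * prices[storage_class] * billable_days(storage_class, days_stored) / 30, 4)


def cheapest_class(size_gb: float, days_stored: int,
                   prices: Dict[str, float] = EXAMPLE_PRICES) -> str:
    """Which class bills least for storing an object this long (storage charge only)."""
    return min(prices, key=lambda c: storage_cost(c, size_gb, days_stored, prices))


if __name__ == "__main__":
    for days in (1, 10, 90, 365):
        costs = {c: storage_cost(c, 100, days) for c in EXAMPLE_PRICES}
        print(f"100 GB kept {days:>3} days:", costs, "-> cheapest:", cheapest_class(100, days))
```

The comparison reproduces the slides' conclusion: for data that lives hours or days, the class with no minimum wins even though its per-GB rate is the highest, and the archive classes only pay off once the retention comfortably exceeds their minimum.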
Amazon S3 Event Notification
DATA LAKE
ELB Access
Logs
Amazon EBS
Snapshots
AWS CloudFormation
Templates
AWS CloudTrail
Logs
Amazon Redshift
Spectrum
AWS Glue Amazon Athena Amazon EMR
S3 Event Notifications
S3 Event Notifications
• New Object Creation
• Object Deletion
• Object Restoration from the Amazon
S3 Glacier storage class
• Reduced Redundancy Storage (RRS)
object lost events
• Replication events
S3 Event Notifications
• Transmitted within seconds
• Delivered at least once
• Enable object versioning to ensure
that an event notification is always
sent whenever you upload an object
Amazon SNS Amazon SQS AWS Lambda
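Because S3 delivers notifications at least once, a consumer has to be safe to re-run. The following is an added example (not code from the slides; the handler design is my own, and the payload is constructed sample data in the notification's JSON shape) showing one way to make a Lambda-style consumer idempotent: each record carries the bucket, key, versionId and a per-key sequencer, and that tuple is used as the idempotency key.

```python
"""Idempotent consumer for Amazon S3 event notifications.

Added example; it is not code from the slides and the handler shape is my
own. S3 delivers event notifications at least once, so the same record can
arrive twice and the consumer must be safe to re-run. Every record names the
bucket, the object key, the versionId (present when bucket versioning is
enabled) and a per-key `sequencer` that orders the events for that key; the
tuple of those four fields serves here as the idempotency key. The records
below are constructed sample data in the notification's JSON shape.
"""
import json

PUT_RECORD = {
    "eventName": "ObjectCreated:Put",
    "s3": {
        "bucket": {"name": "example-data-lake"},
        "object": {
            "key": "elb-logs/2024/01/01/lb-01.log",
            "size": 2048,
            "versionId": "3HL4kqtJlcpXroDTDmJ.rmSpXd3dIbrHY",
            "sequencer": "0055AED6DCD90281E5",
        },
    },
}
DELETE_RECORD = {
    "eventName": "ObjectRemoved:Delete",
    "s3": {
        "bucket": {"name": "example-data-lake"},
        "object": {
            "key": "elb-logs/2024/01/01/lb-01.log",
            "versionId": "3HL4kqtJlcpXroDTDmJ.rmSpXd3dIbrHY",
            "sequencer": "0055AED6DCD90281F2",
        },
    },
}


def build_event(*records):
    """Serialize records into a notification payload (used for demos and tests)."""
    return json.dumps({"Records": list(records)})


# The PUT record appears twice to simulate a redelivered notification.
SAMPLE_EVENT = build_event(PUT_RECORD, PUT_RECORD, DELETE_RECORD)


def record_id(record):
    """Identity of one object mutation: (bucket, key, versionId, sequencer)."""
    s3 = record["s3"]
    obj = s3["object"]
    # Unversioned buckets carry no versionId; "null" mirrors what S3 reports.
    return (s3["bucket"]["name"], obj["key"], obj.get("versionId", "null"), obj["sequencer"])


def sequencer_key(seq):
    """Sequencers are hex strings of varying length; left-pad before comparing."""
    return seq.rjust(32, "0")


class S3EventProcessor:
    """Remembers processed records and the newest known state of each object."""

    def __init__(self):
        self.seen = set()      # idempotency store; a DynamoDB table in production
        self.latest = {}       # (bucket, key) -> (sequencer, eventName)
        self.processed = []    # (eventName, key) for every record acted on

    def handle(self, event_json):
        """Process one notification payload; return the number of new records."""
        new = 0
        for record in json.loads(event_json)["Records"]:
            rid = record_id(record)
            if rid in self.seen:
                continue                      # duplicate delivery: no-op
            self.seen.add(rid)
            bucket, key, _, seq = rid
            name = record["eventName"]
            # Records for one key may arrive out of order; keep the newest sequencer.
            current = self.latest.get((bucket, key))
            if current is None or sequencer_key(seq) > sequencer_key(current[0]):
                self.latest[(bucket, key)] = (seq, name)
            self.processed.append((name, key))
            new += 1
        return new

    def object_exists(self, bucket, key):
        """True when the newest event seen for the object is a creation."""
        state = self.latest.get((bucket, key))
        return state is not None and state[1].startswith("ObjectCreated")
```

In production the `seen` set would be a durable store (for example a conditional write to a DynamoDB table) so that a retried Lambda invocation on another container still recognises the duplicate; the in-memory set is enough to show the logic.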
Amazon RDS Overview
Amazon RDS
• A relational database service
• Managed by both you (limited access) and AWS
• Allows you to run various database engines:
Amazon RDS
SQL Server
Microsoft
PostgreSQL
Amazon
Aurora
• Can be deployed using:
Amazon RDS
AWS
CloudFormation
• Eliminates the time-consuming tasks of hardware
provisioning, patching, backups, and maintenance
for your database
AWS Management
Console
AWS CLI Amazon RDS
API
DB Instance
Amazon EC2
Instance Size & Type Network Access
Amazon VPC
VPC Endpoint
Storage
Amazon RDS
• You can configure the underlying EC2 instance used by your
Amazon RDS database such as its size, instance type &
storage
• Purchase a Reserved DB instance to lower down your RDS
costs
• Allows you to choose the Availability Zone where your
database will be hosted, including its associated security
group
Amazon EC2
Amazon EC2
Self-Hosted Database Amazon RDS Database
Amazon EC2
Self-Hosted Database Amazon RDS Database
MANAGED BY
• Patching
• Scaling
• Taking database backups
• Ensuring high availability
• Replication
• Monitoring
(AWS Customer)
YOU
• Patching
• Scaling
• Taking database backups
• Ensuring high availability
• Replication
• Monitoring
• Minimal maintenance
work
• Physical Infrastructure
• Virtualization layer
• Host OS of the EC2
instance
Amazon EC2
Self-Hosted Database Amazon RDS Database
• Can be directly accessed via SSH, RDP
or other connections
• Allows direct access and modification
of your database configuration files
such as:
/etc/mysql/my.cnf
ConfigurationFile.ini
INIT.ORA, TNSNAMES.ORA, *.ORA
• The underlying EC2 instance CANNOT
be directly accessed via SSH or RDP
Read-Only setting
• You have full access to the virtual
machine and the underlying database
• You are responsible for making your
database highly available, fault-
tolerant and secure
• You have to apply the OS patches as
well as the Database Engine patches
regularly
• You will handle all of the database
administrative tasks
• You can choose the actual time when
Amazon RDS will apply the DB
patches in its maintenance window
• Database maintenance tasks are
handled automatically
Amazon EC2
Self-Hosted Database Amazon RDS Database
Parameter Group Options Group
• Modify the database configuration via:
SQL Server
Microsoft
Amazon EC2
Self-Hosted Database Amazon RDS Database
[Diagram: Amazon RDS deployment options in VPC A, N. Virginia Region. Single AZ: a primary DB instance in Availability Zone 1. Multi-AZ: the primary in AZ 1 with synchronous replication to a standby in AZ 2. Read Replica: asynchronous replication from the primary to a read-only (read_only) replica in AZ 3, and to a cross-region read replica in VPC B, Ohio Region.]
• Suitable for applications that read or write constantly changing
data, such as Online Transaction Processing (OLTP) applications
Amazon RDS OLTP Applications
Amazon RDS
ACID: Atomic, Consistent, Isolated, Durable
• A fully managed, highly available
database proxy
• Automatically connects your
application to a new DB instance
while preserving its application
connections
• Minimizes downtime by instantly
routing the incoming requests
directly to the new database instance
Event Notification
Amazon RDS
Your Database
Security Group
Inbound
Rules
Outbound
Rules
TCP : 3306
EC2
RDS Events Notification
Who made the
change?
RDS Events Notification
Instances
Security Groups
Parameter Groups
Snapshots
Clusters
Cluster Snapshots
SOURCE TYPE
EVENT CATEGORIES
SOURCE TYPE
EVENT CATEGORIES
SOURCE TYPE
TARGET TYPE
Amazon SNS
FANOUT EVENT NOTIFICATIONS
[Diagram: FANOUT EVENT NOTIFICATIONS. A primary DB instance in VPC A (N. Virginia Region) and its read replica in VPC B (Ohio Region) publish RDS events to an SNS topic, which fans them out to subscribers such as a Lambda function.]
Amazon SNS with Message Filtering
[Diagram: FANOUT EVENT NOTIFICATIONS. An SNS topic with a message filter (filter by custom type) delivers to SQS queues #1, #2 and #3, whose consumers run on Amazon EC2, Amazon ECS and AWS Lambda.]
Amazon RDS
Multi-AZ Deployments
REPLICA
a copy of your primary database
READ REPLICA
STANDBY REPLICA
SYNCHRONOUS
REPLICATION
ASYNCHRONOUS
REPLICATION
SYNCHRONOUS
REPLICATION
Two-Way
STANDBY REPLICA
PRIMARY
INSERT INTO CITIES (Name, Country)
VALUES ('Manila', 'Philippines');
INSERT INTO CITIES (Name, Country)
VALUES ('Toronto', 'Canada');
INSERT INTO CITIES (Name, Country)
VALUES ('Manila', 'Philippines');
UPDATE CITIES
SET Name = 'Chicago'
WHERE CITY_ID = 2;
READ REPLICA
SYNCHRONOUS
REPLICATION
ASYNCHRONOUS
REPLICATION
Two-Way One-Way
STANDBY REPLICA
PRIMARY
PRIMARY
UPDATE CITIES
SET Name = 'Mumbai'
WHERE CITY_ID = 1;
UPDATE CITIES
SET Name = 'Mumbai'
WHERE CITY_ID = 1;
STANDALONE
MASTER-SLAVE CONFIGURATION
READ REPLICA
PRIMARY
STANDBY REPLICA
PRIMARY
Single DB Instance (Single AZ) vs Multi-AZ Deployments vs Read Replica
[Diagram: Amazon RDS Multi-AZ Deployments configuration in VPC A, N. Virginia Region (us-east-1). The primary DB instance in us-east-1a has a standby replica in us-east-1b that shares the SAME DB ENDPOINT; on failover the standby becomes the new primary, and the failover only lasts a little over a minute. A standby instance can't be deployed to another AWS Region. Read replicas, whether in the same Region or in VPC B, Ohio Region, have a DIFFERENT DB ENDPOINT.]
Amazon RDS
Multi-AZ Deployments
Configuration
• Provides High Availability
• Improves Data Redundancy
• Minimizes latency spikes during
system backups
• Keeps your database available on your
planned system maintenance or DB Engine
upgrade
• Protects your database against DB
instance failure and disruptions when an
Availability Zone outage occurs
Amazon RDS
Multi-AZ Deployments
Configuration
1. Takes a snapshot of your primary DB instance
2. Launch a new Standby Instance in a different Availability Zone
3. Automatically configure synchronous replication between the
primary and standby instances
Multi-AZ Deployments Configuration – Internal Steps
• Amazon RDS uses an internal Amazon EC2
instance that has its own operating system and
attributes
• Maintains database performance while the
regular process of patching the database engine
is on-going
• Ensures the availability of your database when
the OS and its underlying hardware go through its
scheduled maintenance activities
PRIMARY STANDBY REPLICA
Multi-AZ Deployments
• During an AWS-initiated hardware maintenance,
a Multi-AZ database will only have a minimal
disruption unlike a Single-AZ database
• Your database will only be unavailable during the
primary DB instance failover to the Standby
Replica
• The duration of the failover process to the
Standby Replica is only about 1 minute or so
PRIMARY STANDBY REPLICA
Multi-AZ Deployments
• When the automatic failover in Amazon RDS
occurs, the Canonical Name record (CNAME) of
your DB instance is automatically altered to point
to the newly promoted Standby Instance
• If AWS conducts a hardware maintenance on the
Availability Zone where your Standby Replica is
hosted, your Multi-AZ RDS database will not
experience any failover or downtime
• The Operating System (OS) patch will be applied
to the Standby Replica first before it is installed
to the primary instance
• The only downtime would be the failover process
PRIMARY STANDBY REPLICA
Multi-AZ Deployments
• Suitable for mission-critical applications where
you need the highest availability while minimizing
your operational and management overhead.
• Applicable if you have an application running in
your production environment that uses a single-
instance RDS database
• If you want to migrate your existing database
running on your on-premises network, that is
running on a single database configuration
• If you are required to eliminate single points of
failure in your architecture
PRIMARY STANDBY REPLICA
Multi-AZ Deployments
U S E C A S E S
• For minimizing database downtime without
requiring any changes to your application code
• For enterprise systems that need to be highly
available with low operational complexity
• For any scenario where the availability of your
database is the highest priority/most important
requirement and not its scalability
PRIMARY STANDBY REPLICA
Multi-AZ Deployments
U S E C A S E S
• For poorly-designed architectures that need to be
re-designed/refactored, such as:
A three-tier application architecture runs in
public and private subnets
The application is running on a single Amazon
EC2 instance that is hosted in the public
subnet
A single Amazon RDS database running on the
private subnet
• Improved architecture:
Launch an Auto Scaling group of EC2
instances behind an Application Load
Balancer that spans multiple AZs
Enable the Multi-AZ Deployments
configuration in Amazon RDS to make the
database tier highly available
PRIMARY STANDBY REPLICA
Multi-AZ Deployments
U S E C A S E S
• You can combine Multi-AZ Deployments
configuration with Read Replicas
• A Read Replica can provide cross-region database
replication for multi-Region disaster recovery,
which a Multi-AZ Deployment configuration can’t
provide
• Having both Standby and Read Replica ensures
both high availability and scalability of your
database tier
PRIMARY STANDBY REPLICA
Multi-AZ Deployments
U S E C A S E S
READ REPLICA
+
• A Multi-AZ database can provide high availability
in a single AWS Region only
• You cannot deploy a Standby Replica to another
AWS Region
• Does not provide multi-region disaster recovery
• The Standby Replica cannot be used to read or
write your application data, or accept live traffic
• Cannot be used to scale your application in terms
of read performance or to handle an increased
number of queries to your database
PRIMARY STANDBY REPLICA
Multi-AZ Deployments
L I M I T A T I O N S
• Not suitable if the required Recovery Point
Objective (RPO) and Recovery Time Objective
(RTO) are quite short
• It cannot provide an RPO of 1 second and an RTO
of 1 minute
• If you have this requirement, you have to use:
Amazon Aurora
Global Databases
PRIMARY STANDBY REPLICA
Multi-AZ Deployments
L I M I T A T I O N S
Amazon RDS Read Replica
Read Replica
STANDALONE
MASTER-SLAVE CONFIGURATION (one Primary, one or more Secondary replicas)
MULTI-MASTER CONFIGURATION (more than one Primary)
REPLICA
SOURCE
REPLICA
READ
REPLICA
a copy of something READ REPLICA
STANDBY REPLICA
READ REPLICA
SYNCHRONOUS
REPLICATION
ASYNCHRONOUS
REPLICATION
PRIMARY
2-Way Replication
1-Way Replication
STANDBY REPLICA
• Does not accept live traffic without
failover
• Cannot be seen in the Amazon RDS
Console as a separate DB instance
• The DB Endpoint is the same as the
primary DB instance
• Can accept live traffic
• Can be seen in the Amazon RDS
Console as a separate DB instance
• The DB Endpoint is different from
the primary DB instance
READ REPLICA
• Just a regular database with a read-only
configuration
• Under the hood, Amazon RDS creates this by
cloning your source database, setting up the
replication parameters, and disabling any write
operations
SQL Server
Microsoft
PostgreSQL
• Based on the built-in replication functionality of:
READ REPLICA
CREATE
INSERT
UPDATE
DELETE
Other required parameters for
binary logging to be set:
log_bin
binlog-format
sync_binlog
...and many more!
READ REPLICA
• A binary log
• Also known as ‘binlog’
• A set of log files that contain information about
the recent SQL modifications
• Contains all of the CREATE, INSERT, UPDATE,
DELETE, ALTER, and other SQL statements that
were made in your primary database
• The actual data that is being transferred from
the source database to the database replica
READ REPLICA READ REPLICA
• Can be launched two ways:
On the same AWS Region of your primary DB
On a different AWS region
• Does NOT provide the capability of directly
accessing the actual configuration files – my.cnf
(MySQL), ConfigurationFile.ini (MS SQL) and
others in Amazon RDS
• View and modify the DB configuration of the
replica using a parameter group
READ REPLICA
READ REPLICA
READ REPLICA
• Can be promoted to be a standalone DB instance
• Useful for:
Database sharding
Implementing failure recovery
Performing Data Definition Language (DDL)
operations
• Lessens the impact to the primary DB instance
brought by rebuilding indexes, scheduled jobs, and
other processing
• Helpful if your primary AWS Region experiences an
outage
• Can be deployed to a different AWS Region and be
promoted as the primary DB instance in the event
that the AWS Region of your source/primary
database experiences a downtime
PRIMARY
READ REPLICA
• Cannot directly create an encrypted Read Replica
from an unencrypted database instance
• Can be created from your encrypted database
instances but not from the unencrypted ones
• An encrypted cross-region read replica can be
launched as long as the target region and an
encryption key in AWS KMS for that particular region
are supplied
• Allows the use of a custom encryption key or the
default encryption key for Amazon RDS that is
created by AWS KMS in each region
READ REPLICA
• Suitable if your company has a web application with
a built-in reporting module
• If your department or application runs large SQL
queries every month that impact your database's
performance due to high usage
• If you need to minimize the impact that the
reporting activity has on your application by
offloading the read requests
USE CASES
READ REPLICA
• If you need to separate the read requests from the
write requests of your application
• If you have an application wherein the read
operations are causing high I/O usage to your
primary RDS database instance which then results in
high latency to the write requests in your production
environment
• If you have application modules or reporting tools
that only send SELECT queries. You can configure the
reporting module to use the Read Replica endpoint
and direct the transactional operations to the
primary database instance
USE CASES
READ REPLICA
• If you have 3rd-party applications or other internal
systems that query your database instance heavily
• If you have an internal batch processing job that
fetches reporting data from your RDS DB instance.
• If your entire database slows down significantly
whenever your batch runs which impacts the overall
read and write performance of your application
• If you need to configure your internal systems to
fetch data from the replica instead of the primary
instance
USE CASES
READ REPLICA
• A Read Replica is primarily used to improve the
scalability of your application in terms of read
operations and not for improving the availability of
your database
• Cannot be used for ensuring that the database will
be highly available in the event of an outage. You
have to use the Multi-AZ Deployments configuration
instead
• Unlike Multi-AZ RDS, a Read Replica doesn’t have an
automatic failover. If the primary DB instance
experienced an outage, the incoming requests are
not automatically routed to the Read Replica by
default
ANTI-PATTERNS
[Diagram: a primary DB instance in VPC A, Availability Zone A, N. Virginia Region, with a read replica in the same Region and a CROSS-REGION READ REPLICA in VPC B, Ohio Region.]
Amazon Aurora Overview
Amazon Aurora
Amazon Aurora
• A fully managed database service and also a type of
database engine within Amazon RDS
• Scales automatically, performs faster, and costs lower
• A relational database that is compatible with:
PostgreSQL
Amazon RDS
Amazon Aurora
• Can automatically grow or scale its storage
• Usually deployed as a database cluster
• A cluster consists of:
ONE PRIMARY (Writer/Reader) MULTIPLE REPLICAS
Amazon Aurora
Single-master
CLUSTER TYPES
Multi-master
STANDALONE TYPE
Single primary DB instance
with no replica
Amazon Aurora
• Performs faster than other databases
• Can scale the computing components and storage
automatically without any manual intervention
• The Aurora Replicas in the database cluster typically lag behind
the primary instance by only a few milliseconds
• Provides less than 1 second of read replication latency
for Aurora Replicas in the same or different AWS
Region
Amazon Aurora
ENDPOINTS
Cluster endpoint
Reader endpoint
Custom endpoint
Instance endpoint
• Group the individual DB instances and
associate them with a particular endpoint
Amazon Aurora
Serverless
• Recommended for sporadic usage workloads or with
unpredictable usage
• Pay your database usage on a per-second basis
• Provides a more cost-effective option than the regular
Amazon RDS or Amazon Aurora databases
Amazon Aurora
Serverless
USE CASES
• For migrating legacy applications hosted on-premises
that need to be re-architected to reduce operating
costs
• If it is required to re-architect your application by
using technologies that do not require any IT
administration team to regularly manage your servers
or clusters
• If you need to turn your monolithic application into
microservices architecture with serverless resources
• Can be used for serverless stack with the application
containers running on AWS Fargate and your database
on Aurora Serverless
• For sporadic usage patterns
• If your application has:
Extremely high usage at the beginning of each
month
An unpredictable usage at the start of each week
A moderate usage over the weekend
• For situations where it is difficult to predict the
application demand or to choose the most suitable
instance size of your database due to the constantly
changing usage
• If a cost-effective database platform is required which
does not require any database modifications
• If you need to automatically scale the capacity up or
down based on your application's needs
Amazon Aurora
Serverless
USE CASES
Amazon Aurora
Serverless
USE CASES
• For applications with infrequent access patterns
• Automatically scales down your database capacity if
there’s less incoming traffic coming in, without any
manual intervention
• For migrating your on-premises database to AWS
Cloud without having to worry about its particular
database instance type
• If you need to eliminate the need to manually modify
your database instance type in anticipation of the
changes in the number of your users or workloads
Amazon Aurora
Global Databases
• Designed for globally distributed applications
• Allows a single Amazon Aurora database to span
multiple AWS Regions
• Offers faster physical replication between Aurora
clusters
• Eliminates the need to manually create cross-region
Aurora Replicas yourself
[Diagram: an Amazon Aurora Global Database spanning the N. Virginia Region (PRIMARY DB CLUSTER: a Writer/Reader instance and Readers across Availability Zones 1 and 2 on one cluster volume) and the Ohio Region (SECONDARY DB CLUSTER: Readers on their own cluster volume), plus other AWS Regions.]
RPO (Recovery Point Objective) = 1 second
RTO (Recovery Time Objective) = 1 minute
Amazon Aurora
Global Databases
Amazon DynamoDB
Overview
Relational Database NoSQL Database
• For applications with well-defined schema that
does NOT change too often
• Has hundreds or thousands of tables
• Multiple table joins
• Tables having foreign keys
• Support complex SQL queries
• Tables having a relationship with other tables
• Has ACID properties
• Perfect for transactional workloads
ACID: Atomicity, Consistency, Isolation, Durability
• For applications that require a flexible schema
that changes too often
• Does not have any related tables or table joins
• Usually has one table only
• Provides high throughput and performance for
your global applications
• Can scale better than relational databases
• Can be used if you are unsure of the database
schema that you will implement
• Suitable if you expect to make a lot of database
changes as your website or application grows
• Does not have ACID properties by default
• A fully managed NoSQL database
• Highly scalable storage and read/write
capacity
• Provides single-digit millisecond
performance
• Serverless
• Highly durable database
• Has built-in security, backup features as
well as in-memory caching
Amazon DynamoDB
• Has the least amount of operational overhead
than other types of databases
• Eliminates the manual database management
tasks, provisioning and scaling activities
• Capable of automatically scaling its read and
write capacity without the need for advanced
capacity planning
• Can be queried using simple key-value
requests via its APIs
• Can handle millions of requests per second
Amazon DynamoDB
HIGHLY SCALABLE
ULTRA-FAST PERFORMANCE
Response times in a matter of milliseconds or even in microseconds!
• All data is stored in a single table only
• Capable of accepting millions of
requests per second globally
• Faster and more scalable than
traditional relational databases
• Does not have a relationship with
other DynamoDB tables
DynamoDB Table
Relational Database Amazon DynamoDB
TABLE
ROW
COLUMN
PRIMARY KEY
INDEX
VIEW
NESTED TABLE/OBJECT
ARRAY
TABLE
ITEM
ATTRIBUTE
PRIMARY KEY / PARTITION KEY
SECONDARY INDEX
GLOBAL SECONDARY INDEX
MAP
LIST
MAKES YOUR QUERIES
RUN FASTER!
LOCAL SECONDARY INDEX
GLOBAL SECONDARY INDEX
• Queries data over a single partition only (localized)
• Supports both eventual consistency and strong
consistency
• Can only be added at the same time that you create
the base table
• Queries data across all partitions of the entire
table
• Only supports eventual consistency
• Can be added or deleted at any time
Amazon DynamoDB Features
[Diagram: a single DynamoDB table in one Region (US East 1) compared with DynamoDB Global Tables replicated across US East 1, US East 2, US East 3 and US East 4.]
• A data stream that captures each and every
data change made to the items
• If an item was added, modified, or deleted,
then that item will be included in the
DynamoDB stream
• Can be associated with AWS Lambda. The
function can poll the stream and execute a
set of actions whenever it detects new
stream records
• Can also be integrated with Kinesis Data
Streams
• Important component that needs to be
enabled when using Amazon DynamoDB
Global Tables
Amazon DynamoDB
Streams
• Automatically expire the items based on
their timestamp and the TTL value that you
specify
• TTL stands for Time to Live
• Allows you to define a timestamp per item
• Deletes the item from your table after the
date and time of the specified timestamp
• Reduces the amount of obsolete data in your
table, which can also lower your costs
Amazon DynamoDB
TTL
• Provides ACID properties to your
DynamoDB table for your transactional
workloads
• Provides an all-or-nothing change to
multiple items both within and across
DynamoDB tables
• Consists of DynamoDB transactional read
and write APIs
TransactWriteItems
TransactGetItems
• Empowers you to manage complex business
workflows that require adding, updating, or
deleting multiple items as an atomic
operation
Amazon DynamoDB
Transactions
• An in-memory cache for Amazon DynamoDB
that is fully managed and highly available
• Launches a DAX cluster that can be run in
your default or custom Amazon VPC
• Provides response time in microseconds and
not just in milliseconds
• Delivers fast response times for accessing
eventually consistent data
• Significantly reduces the response times of
your DynamoDB database
Amazon DynamoDB
Accelerator (DAX)
• Measured in terms of:
Read Capacity Unit or RCU
Write Capacity Unit or WCU
Amazon DynamoDB
Scaling
• Suitable if your application has
predictable traffic that doesn’t
vary over time
• Allows you to manually set or
provision the RCU and WCU of
your DynamoDB table
• Has an Auto Scaling feature that
you can configure
• Can set the target utilization,
minimum provisioned capacity,
and maximum provisioned
capacity values in the Auto Scaling
settings
• At risk of over-provisioning and
having unnecessary costs when
the incoming traffic is way lower
than expected
Amazon DynamoDB
Scaling
Provisioned Capacity Mode On-Demand Capacity Mode
• For applications with inconsistent
traffic or has varying access
patterns
• Suitable if you expect that there’ll
be more traffic with sharp spikes
in the future
• No manual Auto Scaling setting
that you can configure. The RCU &
WCU are automatically scaled
without any intervention
• Can be used if your application has
a combination of predictable and
variable traffic
• Suitable if you have clearly
defined access patterns
throughout the year but with
variable amounts of traffic on
certain days only
• Protects your data both in transit and at
rest
• All data stored in Amazon DynamoDB is
fully encrypted at rest by default
• The API calls from your private Amazon EC2
instances that go to DynamoDB can be
configured to not traverse the public
Internet by creating a VPC Gateway
Endpoint and adding a new route table
entry
Amazon DynamoDB
Security
Amazon DynamoDB
Identity & Access
Management
{
  "Id": "TutorialsDojoPhilippineBooksPolicy1",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccessToBooksTable",
      "Effect": "Allow",
      "Action": [
        "dynamodb:Get*",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:BatchWrite*",
        "dynamodb:CreateTable",
        "dynamodb:Delete*",
        "dynamodb:Update*",
        "dynamodb:PutItem"
      ],
      "Resource": "arn:aws:dynamodb:us-west-2:12345:table/Books"
    }
  ]
}
• Automated backup process
• Enables continuous backups to
your table
• Allows you to restore your table
at a point in time that you
specify
• Entails additional costs
Point-in-time Recovery
(PITR)
On-Demand Backup
and Restore
• Manual backup process
• No continuous backups
• Can only restore to a particular
backup that you’ve taken
• A cost-effective yet limited
backup option feature for your
data
Amazon DynamoDB
Backups
Amazon DynamoDB
Core Components
[Diagram: a single DynamoDB table compared with DynamoDB Global Tables across US East 1, US East 2, US East 3 and US East 4, with DynamoDB Streams propagating the changes between the replica tables.]
TABLE
ITEM
ATTRIBUTE
PRIMARY KEY
SECONDARY INDEX
AND OTHER COMPONENTS…
• Similar to the table of other database
systems
• A collection of related data that can
represent an object, an idea, a role, or an
abstract concept
• In DynamoDB, the entire NoSQL database is
within a single DynamoDB table only
TABLE
ITEM
ATTRIBUTE
• Each table contains zero or more items
• Similar to the rows, records, or tuples in other database
systems
• The “Row” of the DynamoDB Table
• Can have a nested attribute, which contains another item
or another nested attribute
• Can be automatically expired based on its timestamp
using TTL, or Time to Live
• Each item contains zero or more attributes
• Similar to the fields or columns in other data stores
• The “Column” of the DynamoDB Table
• Also known as the partition key
• Acts as the primary index that uniquely
identifies each item in your DynamoDB table
• Provides the ability to search for a particular
item in your table
• Used as an input to the internal hash function
in DynamoDB. The output from that function
determines the physical internal storage in
which the item will be stored
• The primary key attribute must be a scalar
PRIMARY KEY
Simple Composite
PRIMARY KEY
PARTITION KEY
PARTITION KEY
SORT KEY
+
• Makes your queries run faster!
• Provides more flexibility and performance
improvement to your queries
• Supports your advanced queries to access
your stored data faster
• Allows you to query the data in the table
using an alternate key other than the primary
key
SECONDARY INDEX
{
  "SongId": 1,
  "Artist": "Jon Bonso",
  "SongTitle": "Brand New Memories",
  "Genre": "Rock",
  "Year": 2009
}
{
  "SongId": 2,
  "Artist": "Ariel Rivera",
  "SongTitle": "Sana Kahit Minsan",
  "Genre": "R&B",
  "Year": 1991
}
{
  "SongId": 3,
  "Artist": "Rey Valera",
  "SongTitle": "Kung Kailangan Mo Ako",
  "Genre": "Jazz",
  "Year": 1980
}
{
  "SongId": 4,
  "Artist": "Gino Padilla",
  "SongTitle": "Closer You and I",
  "Genre": "R&B",
  "Year": 2000
}
MUSIC TABLE
{
  "SongId": 1,
  "Artist": "Jon Bonso",
  "SongTitle": "Brand New Memories",
  "Genre": "Rock"
}
{
  "SongId": 2,
  "Artist": "Ariel Rivera",
  "SongTitle": "Sana Kahit Minsan",
  "Genre": "R&B"
}
{
  "SongId": 4,
  "Artist": "Gino Padilla",
  "SongTitle": "Closer You and I",
  "Genre": "R&B"
}
MUSIC TABLE, PARTITION KEY: SongId
SECONDARY INDEX (LOGICAL TABLE), PARTITION KEY: Artist, SORT KEY: Genre
{
  "SongId": 1,
  "Artist": "Jon Bonso",
  "SongTitle": "Brand New Memories",
  "Genre": "Rock",
  "Year": 2009
}
{
  "SongId": 2,
  "Artist": "Ariel Rivera",
  "SongTitle": "Sana Kahit Minsan",
  "Genre": "R&B",
  "Year": 1991
}
{
  "SongId": 3,
  "Artist": "Rey Valera",
  "SongTitle": "Kung Kailangan Mo Ako",
  "Genre": "Jazz",
  "Year": 1980
}
{
  "SongId": 4,
  "Artist": "Gino Padilla",
  "SongTitle": "Closer You and I",
  "Genre": "R&B",
  "Year": 2000
}
MUSIC TABLE
{
  "SongId": 1,
  "Artist": "Jon Bonso",
  "SongTitle": "Brand New Memories",
  "Genre": "Rock"
}
{
  "SongId": 2,
  "Artist": "Ariel Rivera",
  "SongTitle": "Sana Kahit Minsan",
  "Genre": "R&B"
}
MUSIC TABLE, PARTITION KEY: SongId
GLOBAL SECONDARY INDEX, PARTITION KEY: Artist, SORT KEY: Genre
{
  "SongId": 4,
  "Artist": "Gino Padilla",
  "SongTitle": "Closer You and I",
  "Genre": "R&B"
}
{
  "SongId": 3,
  "Artist": "Rey Valera",
  "SongTitle": "Kung Kailangan Mo Ako",
  "Genre": "Jazz"
}
LOCAL SECONDARY INDEX, PARTITION KEY: SongId (the same as the base table), SORT KEY: Genre or Artist
SECONDARY INDEX
• Similar to the INDEX of MySQL, Oracle, SQL
Server, and other relational databases
• Primarily used to make your queries FASTER!
Application Integration
Overview
Application Integration
Application Integration
Distributed Architecture
Application Integration
Distributed Architecture
Empowers the migration from
Monolithic Architecture
Distributed Architecture
Monolithic Architecture
MONOLITH
Distributed Architecture
Monolithic Architecture
USER INTERFACE
BUSINESS LOGIC
DATA ACCESS LAYER
SYNCHRONOUS
TIGHTLY-COUPLED
Distributed Architecture
Monolithic Architecture
USER INTERFACE
BUSINESS LOGIC
DATA ACCESS LAYER
USER INTERFACE
SERVICE 2
SERVICE 3
SERVICE 4
SERVICE 1 SERVICE 5
API Gateway
TIGHTLY-COUPLED LOOSELY-COUPLED
Distributed Architecture
USER INTERFACE
SERVICE 2
SERVICE 3
SERVICE 4
SERVICE 1 SERVICE 5
API Gateway
LOOSELY-COUPLED
ASYNCHRONOUS
Amazon SQS Amazon MQ
Distributed Architecture
USER INTERFACE
SERVICE 2
SERVICE 3
SERVICE 4
SERVICE 1 SERVICE 5
API Gateway
LOOSELY-COUPLED
Amazon SNS Amazon EventBridge
AWS Step Functions
AWS AppSync Amazon
API Gateway
Amazon SQS Amazon MQ
Amazon SQS Overview
Amazon SQS
Amazon SQS
• Decouple tightly-coupled architecture
• Process workloads asynchronously
Amazon SQS
QUEUE
MESSAGE
QUEUE
• The order of processing is First-In, First-Out
(FIFO)
• Items are stored sequentially
• The processing is done by a Consumer
QUEUE
• Handles the incoming messages of your application
• Sends the items to the consumers for processing
• Asynchronous service-to-service communication
• Messages can be HTTP or an API request
• For workloads that take several minutes to complete
• Fetching messages for processing is called Polling
MESSAGE
Amazon SQS
• Fully-managed message queue
• For workloads with long-running
requests
• Assists in scaling your compute
resources
• Can be integrated with other AWS
services
THROUGHPUT
DELIVERY
ORDERING
STANDARD F I F O
At Least Once
2 3 4
1
1
2 3
4 6
5
Possible Duplicate Messages!
Exactly Once
TYPES
Best Effort
Messages might be delivered in a different order
Preserves the exact order
in which the messages are received
ChangeMessageVisibility API
HIGH LIMITED
4
Amazon SQS
Deduplication
VISIBILITY TIMEOUT
MESSAGE RETENTION PERIOD
SETTINGS
Amazon SQS
RECEIVEMESSAGE WAIT TIME
ACCESS POLICY
DEAD-LETTER
QUEUE
DELAY
QUEUE
DELIVERY DELAY
TEMPORARY
QUEUE
TEMPORARY QUEUE CLIENT
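The standard-queue slide warns about possible duplicate deliveries, and the settings slide lists deduplication. A consumer of an at-least-once queue therefore has to be idempotent. The block below is an added example (not Tutorials Dojo code): a consumer wrapper that applies FIFO-style content-based deduplication on the receiving side, using the same SHA-256-of-body key and 5-minute window that SQS FIFO uses, with an injectable clock and constructed message bodies so it runs offline.

```python
import hashlib
import time

DEDUP_WINDOW_SECONDS = 300  # SQS FIFO's deduplication interval is 5 minutes


def content_dedup_id(body: str) -> str:
    """What SQS FIFO content-based deduplication does: SHA-256 of the body."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


class DeduplicatingConsumer:
    """Wraps a handler so a duplicate delivery within the window is dropped.

    `clock` is injectable so the window can be exercised without sleeping.
    If the handler raises, the message is NOT recorded as seen, so a later
    redelivery gets another chance (the at-least-once contract)."""

    def __init__(self, handler, clock=time.time, window=DEDUP_WINDOW_SECONDS):
        self._handler = handler
        self._clock = clock
        self._window = window
        self._seen = {}  # dedup id -> time it was first processed

    @staticmethod
    def dedup_id(message: dict) -> str:
        # A FIFO producer may set MessageDeduplicationId explicitly; otherwise
        # fall back to the content hash, like content-based deduplication.
        return message.get("MessageDeduplicationId") or content_dedup_id(message["Body"])

    def _forget_expired(self, now: float) -> None:
        self._seen = {k: t for k, t in self._seen.items() if now - t < self._window}

    def receive(self, message: dict) -> bool:
        """Return True if the handler ran, False if the message was a duplicate."""
        now = self._clock()
        self._forget_expired(now)
        key = self.dedup_id(message)
        if key in self._seen:
            return False
        self._handler(message)
        self._seen[key] = now  # record only after the handler succeeded
        return True


class FakeClock:
    """Constructed clock for the demo; stands in for time.time()."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


def run_demo():
    """Process a constructed batch that contains an at-least-once redelivery,
    then the same body again after the window has elapsed.
    Returns (per-message results, number of handler invocations)."""
    clock = FakeClock(1_000.0)
    processed = []
    consumer = DeduplicatingConsumer(processed.append, clock)
    batch = [  # constructed deliveries, shaped like ReceiveMessage output
        {"MessageId": "a1", "Body": '{"orderId": 42, "action": "charge"}'},
        {"MessageId": "a1", "Body": '{"orderId": 42, "action": "charge"}'},  # redelivered
        {"MessageId": "b2", "Body": '{"orderId": 43, "action": "charge"}'},
    ]
    results = [consumer.receive(m) for m in batch]
    clock.advance(DEDUP_WINDOW_SECONDS + 1)
    results.append(consumer.receive(batch[0]))  # window elapsed: processed again
    return results, len(processed)


if __name__ == "__main__":
    print(run_demo())
```

Keying on the body (or an explicit MessageDeduplicationId) rather than on MessageId is deliberate: a redelivery after a visibility timeout keeps the same MessageId, but a producer retry creates a new one with the same content, and both must collapse to one charge.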
SECURITY
Amazon SQS
ACCESS POLICY
E N C R Y P T I O N
DATA IN-TRANSIT DATA AT-REST
{
"Version": "2012-10-17",
"Id": "Banana_Queue1_Policy_UUID",
"Statement": [{
"Sid":"JonBonsoQueue1_SendMessage",
"Effect": "Allow",
"Principal": {
"AWS": [
"111122223333"
]
},
"Action": "sqs:SendMessage",
"Resource": "arn:aws:sqs:us-east-2:1234:bananaqueue"
}]
}
INTEGRATION
Amazon SQS
AWS Lambda
Amazon SNS
Amazon EC2 Auto Scaling
Amazon S3
Amazon ECS & EKS
AGE OF OLDEST MESSAGE
FAN-OUT EVENT NOTIFICATION
LAMBDA TRIGGER
SQS DEPTH
NUMBER OF SQS MESSAGES
S3 EVENT NOTIFICATION
INTER-CONTAINER
COMMUNICATION
Amazon SNS Overview
Amazon SNS
NOTIFICATION
NOTIFICATION
4 4
?!?
Amazon SNS
NOTIFICATION
FULLY-MANAGED MESSAGING & SERVICE
SNS
NOTIFICATION
SNS TOPIC
PUBLISHERS SUBSCRIBERS
SNS TOPIC
SUBSCRIBERS
SQS Queue A
SQS Queue B
SQS Queue C
Amazon EC2 Instance
AWS Lambda
Function
Amazon ECS Task
SNS TOPIC
SQS Queue A
SQS Queue B
Amazon EC2 Instance
Amazon ECS Task
Support Manager
APPLICATION TO APPLICATION MESSAGING
APPLICATION TO PERSON MESSAGING
Amazon SNS Types
Standard F I F O
ACCESS POLICY
E N C R Y P T I O N
DATA IN-TRANSIT DATA AT-REST
{
"Statement": [{
"Sid": "TutorialsDojo-Allow-SNS-SendMessage",
"Effect": "Allow",
"Principal": {
"Service": "sns.amazonaws.com"
},
"Action": ["sqs:SendMessage"],
"Resource": "arn:aws:sqs:us-east-2:444455556666:BananaQueue",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:sns:us-east-2:444455556666:TutorialsDojoTopic"
}
}
}]
}
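Both queue policies on these slides grant sqs:SendMessage narrowly: the first to one AWS account, the second to the SNS service principal pinned with an aws:SourceArn condition to one topic. Without that condition, any SNS topic in any account could deliver into the queue. The block below is an added example (not Tutorials Dojo code): a small offline audit of an SQS queue policy that flags exactly those gaps. The pinned policy is the one from the slide; the unpinned and public variants are constructed for the demo.

```python
import json

# Condition keys that pin a service principal to one specific caller.
SOURCE_PIN_KEYS = {"aws:SourceArn", "aws:SourceAccount"}


def _as_list(value):
    """Most IAM policy fields accept a string or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _condition_keys(statement):
    """Flatten {"ArnEquals": {"aws:SourceArn": ...}} into the set of keys used."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(operator_block.keys())
    return keys


def audit_queue_policy(policy_text):
    """Return human-readable findings for an SQS queue policy (empty = clean)."""
    policy = json.loads(policy_text)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS"))
            services = _as_list(principal.get("Service"))
        else:  # "Principal": "*" or a single ARN string
            aws_principals, services = _as_list(principal), []
        cond_keys = _condition_keys(stmt)

        # 1. Anonymous principal with no condition: anyone can send to the queue.
        if "*" in aws_principals and not cond_keys:
            findings.append(f"{sid}: anonymous principal with no Condition")

        # 2. A service principal must be pinned to a source; without it any SNS
        #    topic in any account could deliver messages into this queue.
        if services and not (cond_keys & SOURCE_PIN_KEYS):
            findings.append(f"{sid}: service principal {services} not pinned "
                            "with aws:SourceArn or aws:SourceAccount")

        # 3. Wildcards are broader than either slide policy needs.
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if "*" in actions or "sqs:*" in actions:
            findings.append(f"{sid}: wildcard Action")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"{sid}: wildcard Resource")
    return findings


# The SNS -> SQS policy from the slide, with a pinned aws:SourceArn.
PINNED_POLICY = """{
  "Statement": [{
    "Sid": "TutorialsDojo-Allow-SNS-SendMessage",
    "Effect": "Allow",
    "Principal": {"Service": "sns.amazonaws.com"},
    "Action": ["sqs:SendMessage"],
    "Resource": "arn:aws:sqs:us-east-2:444455556666:BananaQueue",
    "Condition": {"ArnEquals": {
      "aws:SourceArn": "arn:aws:sns:us-east-2:444455556666:TutorialsDojoTopic"}}
  }]
}"""

# Constructed variants for the demo: the same grant without the Condition,
# and a queue opened to everyone.
UNPINNED_POLICY = """{
  "Statement": [{
    "Sid": "AnySnsTopicCanSend",
    "Effect": "Allow",
    "Principal": {"Service": "sns.amazonaws.com"},
    "Action": "sqs:SendMessage",
    "Resource": "arn:aws:sqs:us-east-2:444455556666:BananaQueue"
  }]
}"""

PUBLIC_POLICY = """{
  "Statement": [{
    "Sid": "Public",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "sqs:*",
    "Resource": "*"
  }]
}"""

if __name__ == "__main__":
    for name, text in [("pinned", PINNED_POLICY), ("unpinned", UNPINNED_POLICY),
                       ("public", PUBLIC_POLICY)]:
        print(name, audit_queue_policy(text) or ["OK"])
```

The same check applies to any service principal a queue trusts (S3 event notifications, EventBridge), since all of them are deputies that act on behalf of whichever account configured them.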
Amazon SNS Encryption
MESSAGE FILTERING
MESSAGE FANOUT
MESSAGE ENCRYPTION
MESSAGE ARCHIVING
MESSAGE DURABILITY
Amazon SNS Features
FANOUT EVENT NOTIFICATIONS
Amazon SNS Features
Dead-Letter Queue (DLQ)
for Amazon SNS
Redrive Policy
AWS Amplify Overview
AWS Amplify
• One of the development services in AWS
• Allows you to build extensible, full-stack web and
mobile apps faster
• Automates the deployment, scaling and
management of your applications and underlying
resources
• Provides Machine Learning integration to your
apps
AWS Amplify
AWS Amplify
AWS Amplify Studio
AWS Amplify Libraries
AWS Amplify CLI
AWS Amplify Hosting
M O D U L E S
Serverless Computing
Overview
Serverless Computing
Serverless Computing
What is
?
Serverless Computing
On-Demand Service
Less Server Management
Serverless
Server ?
No
Serverless
Less Management
Server
Serverless
FaaS
AWS Lambda AWS Fargate
Amazon Aurora
Serverless
Amazon DynamoDB Amazon S3
Serverless microVMs
powered by
Serverless
microVMs
Virtual Machine Container
VM
Serverless Edge Computing
Serverless
Edge Computing
Edge Location
Lambda@Edge
CloudFront Function
- Virtual Server Deployment
- OS Patching
- Storage Management
- Virtual Server Management
- Virtual Server Maintenance
- Scaling
Traditional
Infrastructure-as-a-Service
(IaaS)
Function-as-a-Service
(FaaS)
Serverless
Serverless
Does NOT run all the time, unlike a
traditional virtual machine
Runs only when you invoke it
Start-up time ranges from several
milliseconds to less than a second
Can only run your function
continuously for 15 minutes
Amazon Aurora
Serverless
Amazon DynamoDB
Serverless Computing
Architectures
Serverless Computing
Serverless
Less Management
Server
Serverless
AWS Lambda
Amazon EventBridge
Scheduled Actions
AWS Step Functions
Orchestration
AWS Lambda@Edge
Edge Computing at
Regional Edge Locations
CloudFront Functions
Edge Computing at
Edge Locations
Function as a Service (FaaS)
App
Container 1
App
Container 2
AWS Fargate
CONTAINER ENGINE
Amazon EventBridge AWS Step Functions
Amazon SQS Amazon SNS
Amazon API Gateway AWS AppSync
SERVERLESS CONTAINERS SERVERLESS APPLICATION INTEGRATION
SERVERLESS DATA STORES
Amazon Aurora
Serverless
Amazon
DynamoDB
Amazon S3
Amazon Redshift Spectrum
STATIC DATA
DYNAMIC DATA
DATA
WAREHOUSE
Extract, Transform &
Load (ETL)
AWS Glue
Amazon QuickSight
Amazon Athena
Amazon Kinesis
Data Analytics
Analytics Services
SERVERLESS ETL & ANALYTICS
KERNEL
HARDWARE /
BARE-METAL SERVER
NETWORK SSD/HDD STORAGE
CPU
MEMORY
(RAM)
Virtual Machine
CONTAINER ENGINE
AWS NITRO HYPERVISOR /
VIRTUAL MACHINE MONITOR (VMM)
EXECUTION
ENVIRONMENT
MICRO VM KERNEL
Firecracker Virtualization /
VIRTUAL MACHINE MONITOR (VMM)
Container MicroVM
Docker
Container
Kubernetes
Pod
KERNEL
GUEST
Service
A
Service
B
Service
C
HOST
Static Single Page Application Service-Oriented Architecture
Containerized Application Serverless Architecture
Serverless Architecture Types
Amazon S3 Amazon CloudFront AWS Lambda API Gateway
AWS Fargate AWS Fargate
AWS Lambda
Amazon
DynamoDB
API Gateway
SERVERLESS DATABASES
Amazon Aurora
Serverless
Amazon
DynamoDB
• For applications that have sporadic or infrequent
database usage patterns
• No need to choose a particular DB instance type
or do any advanced capacity planning
• Automatically increases and decreases the
compute and storage capacity of your database
• Unlike RDS, there’s no need to downgrade your
database instance if your demand decreases
• Costs way less than a regular server-based
database
Serverless
Amazon Route 53 Overview
Amazon Route 53
• A global service
• Provides different Routing Policies
• Allows you to register your own domain name
• Transfer a domain from another domain
registrar
• Create health checks
• Route traffic flows
• Configure DNS resolvers
• . . . and many more!
Domain Name System (DNS)
Domain Name System (DNS)
49.143.173.201
Amazon EC2 Instance
Domain Name
Elastic IP
address
Amazon S3
Static Website
Elastic Load
Balancers
Amazon CloudFront
Web Distributions
bengaluru.tutorialsdojo.com
portal.tutorialsdojo.com
www.tutorialsdojo.com cebu.tutorialsdojo.com
Subdomains
Hosted Zone
Root Domain Zone Apex
The “apex” (summit) of the Hosted
Zone
Also known as Naked Domain
DNS Security Extensions
🏴☠
DNS Spoofing Attacks Man-In-The-Middle Attacks
Public Hosted Zone
On-premises data center
NS
SOA
Name Server
Start of Authority
NS
SOA
Name Server
Start of Authority
Query Logging
Private Hosted Zone
• Route traffic to selected AWS
resources
• Works like a CNAME (Canonical
Name) Record
• Not visible to DNS resolvers
• Points to a specific AWS resource
• Allows you to specify the IP
addresses or the custom domain
names of your servers or resources
• Visible to DNS resolvers
• Points to a particular IP address
NON-ALIAS RECORD
ALIAS RECORD
49.143.173.201
Hosted
Zone
Record
CNAME
MX
A
AAAA
TXT
PTR
SRV
SPF
NAPTR
CAA
IPv4 Host Address
IPv6 Host Address
Canonical Name
Mail Exchange
Text
Pointer
Service Locator
Sender Policy Framework
Naming Authority Pointer
Certification Authority
Authorization
NS
SOA
Name Server
Start of Authority
DNS RECORD
T Y P E S
ALIAS
ALIAS
CNAME Canonical Name
Root Domain / Zone Apex
A AAAA
IPv4 Host Address IPv6 Host Address
• An open-source program that you can use
as a fully customizable domain name
server
• Usually launched by companies as their
internal DNS service
• Stands for Berkeley Internet Name
Domain server
• Has a BIND DNS forwarder that allows you
to resolve the domain names in the
private hosted zones in AWS from your
on-premises network
• Can be migrated to Amazon Route 53 by
importing the BIND zone file
PASSIVE
ACTIVE
Live Traffic Failover
PASSIVE
ACTIVE
ACTIVE ACTIVE
• Improves fault tolerance and
performance of your applications
• Entails additional cost
• Has several active environments that
accept live production traffic
• Ensures the high availability and
resiliency of your global applications
• Can be implemented by using a
single policy, or a combination of
routing policies such as:
• Provides basic fault tolerance
• More cost-effective than
• Has one active environment and one
backup environment on standby
• Primarily implemented by using the:
ACTIVE
ACTIVE
Failover Policy
Latency
Geolocation Geoproximity
Weighted
Multivalue Answer …other routing types!
Amazon CloudFront
Overview
CloudFront
Content
Delivery
Network
Content
Delivery
Network
C
D
N
Origin
Server
Origin
Server
🇵🇭
🇺🇸
Origin
Serve
r
🇺🇸
🇵🇭
Trans-Pacific Submarine Cables
Origin
Server
🇺🇸
🇵🇭 seconds
0
1
2
3
4
5
6
7
8
9
10
LOAD TIME
Origin
Server
🇺🇸
Mid
West
PoP
PoP
PoP
NY
Trans-Atlantic Submarine Cables
Origin
Serve
r
🇺🇸
🇵🇭
PoP
PoP
PoP
PoP
PoP
PoP
second!
1
LOAD TIME
seconds
5
LOAD TIME
EDGE LOCATIONS
The data does NOT need to be fetched
from the remote origin server
PoP
Internet Service Provider #1
Internet Service Provider #2
Edge/Boundary of ISP 1
Edge/Boundary of ISP 2
Edge Location
• Refers to the ‘edge’ or the
boundary of the network
• Connects the different
networks of various
Internet Service Providers
(ISPs) or
Telecommunications
companies
CloudFront
Content
Delivery
Network
ORIGIN
DISTRIBUTION
VIEWER
CloudFront
ORIGIN
Amazon S3 Bucket Elastic Load Balancer
Amazon EC2 Instance or
Your On-Premises Server
AWS Elemental
MediaPackage Endpoint
AWS Elemental
MediaStore Container
Amazon CloudFront Features
ORIGIN ACCESS IDENTITY
(OAI)
OA
I
GEO-RESTRICTION
&
Lambda@Edge
and
CloudFront Functions
ORIGIN GROUP and ORIGIN FAILOVER
ORIGIN A
ORIGIN B
ORIGIN GROUP
failover
primary
Amazon CloudFront Features
Signed URLs Signed Cookies
Custom Domain Name and Custom SSL
(SNI / Dedicated IP)
AWS WAF - CloudFront Integration
Amazon CloudFront
Security Features
D Y N A M I C
Delivery
S T A T I C
Content Network
A W S O R I G I N S
Amazon S3 Bucket Elastic Load Balancer
Amazon EC2 Instance or
Your On-Premises Server
Content Network
Delivery
AWS Elemental
MediaPackage
AWS Elemental
MediaStore
Delivery
Content Network
Viewers
Viewer Protocol Policy
Amazon S3 Origin
Origin Protocol Policy
HTTP
HTTPS
HTTP
HTTPS
Signed URL
Signed Cookies
• Specifies the allowed protocols for the
Origin and the Viewer (end users)
• Configures the CloudFront distribution to
use HTTP, HTTPS or both
PROTOCOL POLICY
ORIGIN
Protocol Policy Types
VIEWER
Protocol Policy Types
• HTTP Only
• HTTPS Only
• Match Viewer
• HTTPS Only
• Redirect HTTP to
HTTPS
• HTTP and HTTPS
HTTP
HTTP
HTTPS
HTTPS
• Primarily used for CloudFront distributions
with an Amazon S3 bucket as the origin
• Restricts access to the content that you
serve from your S3 bucket
• Works like an IAM User that you can
associate with the Origin or Origin Group of
your CloudFront distribution
• After OAI has been created, the Amazon S3
bucket policy must be configured too
ORIGIN ACCESS IDENTITY
(OAI)
OAI
S3 URL
CloudFront URL
• Allows you to encrypt the specific data fields
• Protects sensitive information in your origin
and the data being sent by your customers
• Suitable for securing Credit Card numbers,
Personal Health Information (PHI) and
Personally Identifiable Information (PII)
• Encrypts the sensitive fields using a public
key
• Provides you with a private key that can be
used to decrypt the protected fields
FIELD-LEVEL ENCRYPTION
• Primarily used for distributing private
content over the Internet
• Restricts access to your confidential or
private data to authorized users only
SIGNED URLs &
SIGNED COOKIES
https://tutorialsdojo.com/report.pdf
?Expires=13570344005
&Signature=nitfHRCrtziwO2HwPfWw~yYDhUF5EwRunQA...
&Key-Pair-Id=K2JCJMDEHXQW5F
SIGNED URLs
SIGNED COOKIES
CloudFront Distribution with Custom Domain Name
HEADER
Set-Cookie
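The signed URL on the slide carries three query parameters: Expires, Signature and Key-Pair-Id. The block below is an added example, not Tutorials Dojo or AWS code. It builds a canned-policy signed URL in that shape and runs the pre-flight checks an issuing service should do before handing one out (expiry, trusted key pair id, CloudFront's URL-safe base64 alphabet, signature over the policy). CloudFront itself signs the policy with RSA-SHA1 using the private key of a trusted key group; to stay dependency-free this demo injects an HMAC-SHA256 signer in that slot, so the URL shape and checks are real while the signature bytes are a stand-in. The domain, key pair id and secret are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlsplit, urlunsplit

_ENC = str.maketrans("+/=", "-~_")
_DEC = str.maketrans("-~_", "+/=")


def cloudfront_b64encode(data: bytes) -> str:
    """CloudFront's URL-safe base64: + / = become - ~ _ (this is why the
    slide's Signature value contains a '~')."""
    return base64.b64encode(data).decode("ascii").translate(_ENC)


def cloudfront_b64decode(text: str) -> bytes:
    return base64.b64decode(text.translate(_DEC))


def canned_policy(resource_url: str, expires: int) -> bytes:
    """The canned policy CloudFront signs for a URL that needs only an expiry."""
    policy = {"Statement": [{"Resource": resource_url,
                             "Condition": {"DateLessThan": {"AWS:EpochTime": expires}}}]}
    return json.dumps(policy, separators=(",", ":")).encode("utf-8")


def make_signed_url(resource_url: str, expires: int, key_pair_id: str, sign) -> str:
    """sign(policy_bytes) -> signature bytes. In CloudFront that is RSA-SHA1
    with the trusted key group's private key; here the caller injects it."""
    signature = cloudfront_b64encode(sign(canned_policy(resource_url, expires)))
    sep = "&" if "?" in resource_url else "?"
    return f"{resource_url}{sep}Expires={expires}&Signature={signature}&Key-Pair-Id={key_pair_id}"


def check_signed_url(signed_url: str, trusted_key_ids, verify, now=None) -> list:
    """Pre-flight checks before issuing a URL. verify(policy_bytes, sig_bytes)
    -> bool. Returns a list of problems; an empty list means the URL is sound."""
    now = time.time() if now is None else now
    parts = urlsplit(signed_url)
    query = parse_qs(parts.query, keep_blank_values=True)
    problems = [f"missing {name}" for name in ("Expires", "Signature", "Key-Pair-Id")
                if name not in query]
    if problems:
        return problems
    expires_raw = query["Expires"][0]
    if not expires_raw.isdigit():
        return ["Expires is not an epoch timestamp"]
    expires = int(expires_raw)
    if expires <= now:
        problems.append("expired")
    key_id = query["Key-Pair-Id"][0]
    if key_id not in trusted_key_ids:
        problems.append(f"untrusted key pair id {key_id}")
    # The signed resource is the URL with the three signing parameters removed.
    remaining = "&".join(f"{k}={v[0]}" for k, v in query.items()
                         if k not in ("Expires", "Signature", "Key-Pair-Id"))
    resource = urlunsplit((parts.scheme, parts.netloc, parts.path, remaining, ""))
    try:
        signature = cloudfront_b64decode(query["Signature"][0])
    except ValueError:  # binascii.Error is a ValueError subclass
        return problems + ["Signature is not CloudFront base64"]
    if not verify(canned_policy(resource, expires), signature):
        problems.append("signature does not match the policy")
    return problems


# Stand-in signer for the demo only: CloudFront uses RSA-SHA1, not HMAC.
DEMO_KEY = b"demo-signing-secret-placeholder"


def demo_sign(policy: bytes) -> bytes:
    return hmac.new(DEMO_KEY, policy, hashlib.sha256).digest()


def demo_verify(policy: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(demo_sign(policy), signature)


if __name__ == "__main__":
    url = make_signed_url("https://d111111abcdef8.cloudfront.net/report.pdf",
                          2_000_000_000, "KEXAMPLEKEYID", demo_sign)
    print(url)
    print(check_signed_url(url, {"KEXAMPLEKEYID"}, demo_verify))
```

Note that the policy is bound to the full resource URL, so changing the path after signing fails verification, and that the check compares the key pair id against the distribution's trusted set before trusting the signature at all.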
• Restricts access to your content based on
the specific country (geographic location) of
your users
• Allows you to select the specific countries
where you want to deliver your content and
which countries to block
GEO-RESTRICTION
ALTERNATE DOMAIN NAME &
SSL CERTIFICATE
SNI (Server Name Indication)
Dedicated IP address
AWS Certificate Manager
INTEGRATIONS TO OTHER
AWS SERVICES Different from the Origin Shield feature
AWS WAF - CloudFront Integration
AWS Shield
HIGH AVAILABILITY FAULT TOLERANCE
VS
HIGH AVAILABILITY FAULT TOLERANCE
Are these two exactly the same?
HIGH AVAILABILITY FAULT TOLERANCE
Both of them aim to ensure that
the application runs all the time
without any system degradation,
data loss, or outage
SAME OBJECTIVE
HIGH
AVAILABILITY
FAULT
TOLERANCE
UPTIME
DESIGN
REDUNDANCY
COST
SINGLE SERVER
ARCHITECTURE
LOW
NONE
LOW MODERATE HIGH
HAS AT LEAST ONE
REDUNDANT RESOURCE
FOR FAILOVER
HAS A LOT
OF REDUNDANT
RESOURCES
99.99% 100%
HIGH
AVAILABILITY
FAULT
TOLERANCE
COST COST
HAS AT LEAST ONE
REDUNDANT RESOURCE
FOR FAILOVER
HAS A LOT
OF REDUNDANT
RESOURCES
UPTIME UPTIME
99.99% 100%
MODERATE HIGH
MORE RESOURCES
CAUSES
RTO
Recovery Time Objective
RPO
Recovery Point Objective
VS
DISASTER RECOVERY
OBJECTIVES
RTO
Recovery Time Objective
RPO
Recovery Point Objective
Time Point
9:00 AM
10:00 AM
11:00 AM
12:00 NN
1:00 PM
2:00 PM
3:00 PM
4:00 PM
12:00 NN
RTO
Recovery Time Objective
RPO
Recovery Point Objective
D I S A S T E R
3 HOURS
1 HOUR
SERVICE RESTORED
5:00 PM
ALL DATA
BEFORE 11 AM
MUST BE
RECOVERABLE
ACCEPTABLE
DATA LOSS
11 AM - 12 NN
3:00 PM
11:00 AM
12:00 NN
1:00 PM
2:00 PM
3:00 PM
4:00 PM
5:00 PM
6:00 PM
7:00 PM
3:00 PM
RTO
Recovery Time Objective
RPO
Recovery Point Objective
D I S A S T E R
2 HOURS
1 HOUR
SERVICE RESTORED
ALL DATA
BEFORE 2 PM
MUST BE
RECOVERABLE
ACCEPTABLE DATA LOSS
2 PM - 3 PM
3:00 PM 05:00 PM
2 HOURS
+ =
3:00 PM 02:00 PM
1 HOUR
– =
5:00 PM
2:00 PM
VS
Security Group
Network Access Control List
( )
Network ACL
Security Group
• Created by default when you launch a new VPC and on your default VPC
• Acts as a virtual firewall that protects your AWS resources from unauthorized traffic
• Inbound & Outbound rules can be set to have one IP address or a CIDR range as a source
• Allows you to control the incoming and outgoing traffic to and from your network
Network ACL
STATE STATELESS
STATEFUL
• 1024 – 65535
• 32768 – 61000
• 49152 – 65535
Outbound Rules
Ephemeral Ports
Security Group
Network ACL
AWS Cloud
VPC A
N. Virginia Region
SUBNET 1 SUBNET 2
Network ACL
Subnet 1 / Availability Zone 1 Subnet 2 / Availability Zone 2
Network ACL
Security Group
EC2
Network ACL Security Group
• Network ACL: Can explicitly DENY traffic
• Security Group: Cannot explicitly DENY traffic (no explicit DENY rules; whitelisting only!)
• Does not track the status of the request
• The inbound traffic that has already been
permitted before is still subject to the rules
for the outbound traffic, and vice versa
• Provides a more fine-grained control to
configure both the inbound and outbound
rules of your Network ACL
• Tracks all the status of the incoming requests
• If the traffic is a response to a particular request, then it
will be allowed automatically, regardless of any rules in
your Outbound Rules
• It is aware if the outgoing traffic is:
Initiated from the EC2 instance itself
A response to the request that was initiated
externally
• Its Outbound Rule can filter:
An API call initiated by an application hosted in
the EC2 instance
A scheduled OS Patch that is initiated by the EC2
instance which automatically fetches updates from
a designated repository
Network ACL Security Group
STATEFUL
STATELESS
Network ACL Security Group
• Each rule has a corresponding rule number
• Evaluates the rules in order, starting with the
lowest numbered rule
• No rule number
• Evaluates ALL of the rules at the same time
(no order of precedence)
EC2
Network ACL Security Group
• Applies the rules to a single EC2 instance only or to a
group of AWS resources that it is associated with
• Applies the rules to all EC2 instances and other AWS
resources in the subnets that it's associated with
EC2
EC2
EC2
EC2
• 1024 – 65535
• 32768 – 61000
• 49152 – 65535
Outbound Rules
Ephemeral Ports
• Does NOT use Ephemeral Ports
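The stateless-versus-stateful and rule-ordering differences above are easiest to see by running both decision procedures on the same packets. The block below is an added example, not Tutorials Dojo code: a simplified TCP-only model (no protocol or ICMP fields, and the subnet/instance association is left out) of a Network ACL that evaluates numbered rules lowest-first with an implicit final deny, next to a security group that evaluates all allow rules at once and tracks the reply. The addresses, ports and rule sets are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass

# The widest ephemeral range listed on the slide; the reply to a request lands
# on a port somewhere in here, so a NACL's OUTBOUND rules must allow it.
EPHEMERAL_PORTS = (1024, 65535)


@dataclass(frozen=True)
class Rule:
    number: int            # NACL rule number; security groups have none
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"  # "deny" exists only in a Network ACL

    def matches(self, port: int, ip: str) -> bool:
        return (self.port_from <= port <= self.port_to
                and ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr))


def nacl_decide(rules, port, ip):
    """Network ACL: rules are tried in ascending number order and the first
    match wins; the implicit final '*' rule denies anything left over."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(port, ip):
            return rule.action
    return "deny"


def sg_decide(rules, port, ip):
    """Security group: no ordering and no deny rules; any match allows."""
    if any(r.action != "allow" for r in rules):
        raise ValueError("security groups cannot contain deny rules")
    return "allow" if any(r.matches(port, ip) for r in rules) else "deny"


def nacl_round_trip(inbound, outbound, client_ip, client_port, server_port):
    """Stateless: the reply (server_port -> the client's ephemeral port) is
    judged by the OUTBOUND rules as if it were a brand-new packet."""
    request_ok = nacl_decide(inbound, server_port, client_ip) == "allow"
    reply_ok = nacl_decide(outbound, client_port, client_ip) == "allow"
    return request_ok and reply_ok


def sg_round_trip(inbound, client_ip, server_port):
    """Stateful: once the request is allowed, its reply is tracked and allowed
    automatically, so no outbound rule is consulted for it."""
    return sg_decide(inbound, server_port, client_ip) == "allow"


# --- constructed scenario: an internet client opens an HTTPS connection ------
CLIENT_IP, CLIENT_PORT, SERVER_PORT = "203.0.113.10", 51515, 443
ALLOW_HTTPS_IN = [Rule(100, 443, 443, "0.0.0.0/0")]
# Outbound set that forgot the ephemeral range: the TCP reply is dropped.
NACL_OUT_FORGOT_EPHEMERAL = [Rule(100, 443, 443, "0.0.0.0/0")]
NACL_OUT_WITH_EPHEMERAL = [Rule(100, *EPHEMERAL_PORTS, "0.0.0.0/0")]
# Rule precedence: a lower-numbered DENY for one subnet beats a broad ALLOW.
SSH_NACL = [Rule(200, 22, 22, "0.0.0.0/0"),
            Rule(90, 22, 22, "203.0.113.0/24", "deny")]

if __name__ == "__main__":
    print("NACL, ephemeral outbound missing:",
          nacl_round_trip(ALLOW_HTTPS_IN, NACL_OUT_FORGOT_EPHEMERAL,
                          CLIENT_IP, CLIENT_PORT, SERVER_PORT))
    print("NACL, ephemeral outbound present:",
          nacl_round_trip(ALLOW_HTTPS_IN, NACL_OUT_WITH_EPHEMERAL,
                          CLIENT_IP, CLIENT_PORT, SERVER_PORT))
    print("Security group, inbound 443 only:",
          sg_round_trip(ALLOW_HTTPS_IN, CLIENT_IP, SERVER_PORT))
    print("SSH from", CLIENT_IP, "through SSH_NACL:", nacl_decide(SSH_NACL, 22, CLIENT_IP))
```

The two failure modes this reproduces are the ones that show up in practice: a NACL whose outbound side lacks the ephemeral range silently drops every reply even though the inbound rule allowed the request, and a deny rule placed at a higher number than a broad allow never takes effect.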
?
Network ACL Security Group
A N O T H E R
Network ACL Security Group
VS VS
File
Gateway
Tape
Gateway
Volume
Gateway
AWS Storage Gateway Types Comparison
VM VM
AWS DataSync
MIGRATION
INTEGRATION
AWS Storage Gateway
On-premises data center
Storage Area
Network
File Gateway Tape Gateway
Volume Gateway
*File storage *Block storage * Tape storage
SMB file share
NFS file share
Also known as Amazon S3 File
Gateway
Stores data in:
Provides a local cache for low-latency
access to your most recently used
data
Amazon S3
Also known as Amazon FSx File
Gateway
Stores data in:
Provides a low-latency on-premises
access to Windows SMB file shares of
the Amazon FSx for Windows File
Server service in AWS
Amazon FSx for
Windows File Server
VM
CACHED
VM
STORED
Uses Amazon S3 as the
primary storage
Stores a subset of
frequently accessed
data locally
Retains the entire
dataset in your on-
premises data center
Asynchronously backs
up your data to Amazon
S3
GLACIER POOL
DEEP ARCHIVE POOL
Amazon S3 Glacier
Amazon S3 Glacier
Deep Archive
File Gateway Tape Gateway
Volume Gateway
Active Directory
Microsoft
AWS Managed
Microsoft AD
Can be integrated with:
Amazon FSx for
Windows File Server
No Active Directory Support No Active Directory Support
File Gateway Tape Gateway
Volume Gateway
SMB
NFS
VTL
iSCSI
File Gateway Tape Gateway
Volume Gateway
An image of an actual AWS Storage Gateway Hardware Appliance
VS
AWS Storage Gateway AWS DataSync
INTEGRATION MIGRATION
MIGRATION
hybrid cloud
storage
synchronized
copies on both
on-premises
and AWS
replication
via local
cache
INTEGRATION
for moving
data
large amount
of unused
records or
data hosted
on-premises
for
decommission
ing existing
storage
systems
if your on-
premises
storage ran
out
of space
AWS Storage Gateway AWS DataSync
MIGRATION
INTEGRATION
On-premises data center
Storage Area
Network
REPLICATE DATA MOVE DATA
On-premises data will
still be actively used
On-premises data would not
be utilized anymore/will be
decommissioned
VM
DataSync Agent
VS VS
Amazon EBS Amazon S3
Amazon EFS
BLOCK STORAGE FILE STORAGE OBJECT STORAGE
BLOCK STORAGE FILE STORAGE OBJECT STORAGE
Amazon Elastic Block
Store
Amazon Simple Storage
Service
Amazon Elastic File
System
BLOCK STORAGE
4 kb
4 kb
4 kb
4 kb
16 kb
Total File Size = 16 kb
Block Size = 4 kb
d
l
b
c
Amazon EBS Volume
Amazon EFS
Amazon EBS
Attached/Mounted to the
Amazon EC2 instance
EC2
Lower latency than
Amazon S3
- The block storage or
file storage is
physically attached to
the host/server or
located in close
proximity
- The latency is low
when transferring
data between 2
systems
FILE STORAGE
FILE STORAGE
• Commonly used by multiple servers
• Uses the Portable Operating System Interface (POSIX)
OBJECT STORAGE
• Every object usually includes a globally
unique identifier, its custom metadata and
the data itself
• Doesn’t depend on the operating system of
the host/EC2 instance
• Upload or fetch objects using RESTful web
APIs and NOT by mounting it to the host
Amazon EBS Amazon S3
Amazon EFS
Data is stored
redundantly in a single
AZ only
D U R A B I L I T Y
Data is stored redundantly across multiple AZs
Amazon S3
Amazon EFS
D U R A B I L I T Y
Amazon EBS
A C C E S S M E T H O D
Usually attached/mounted
to a single EC2 instance Can be mounted to thousands
of EC2 instances or on-
premises servers across
multiple AZs
A single EBS volume can be
attached to multiple EC2
instances by using the Multi-
Attach feature
(available on certain EBS types
only)
Two or more applications/
EC2 instances can’t access
the exact same file
concurrently
Via the public
Internet by default
Invoked via a REST API request
call
Allows multiple applications or
servers to concurrently access
the same files at the same time
Amazon EBS Amazon S3
D U R A B I L I T Y
Amazon S3
S C A L A B I L I T Y
Amazon EFS
Both Amazon EFS and Amazon S3 are highly scalable
Not highly scalable
Need to manually
resize the EBS Volume
to increase storage
capacity
Automatically grows
and shrinks the file
system as you add and
remove files
Can store virtually unlimited
amounts of data
D U R A B I L I T Y
L A T E N C Y
Amazon EBS Amazon S3
Amazon S3
Amazon EFS
LOWEST MODERATE
MODERATE
HIGH
if the request
goes through the
public Internet
if the request goes
through the
S3 Gateway Endpoint or
S3 Interface Endpoint
D U R A B I L I T Y
B A C K U P S
Amazon EBS Amazon S3
Amazon S3
Amazon EFS
Back up data using
Amazon EBS Snapshots
(incremental backups)
Allows you to copy your
EBS snapshot to another
AWS Region
Transfer your file system to
another EFS file system using
AWS DataSync
Perform incremental
backups of your EFS file
system using AWS Backup
Cross-Region
Replication (CRR)
D U R A B I L I T Y
D A T A E N C R Y P T I O N
Amazon EBS Amazon S3
Amazon S3
Amazon EFS
Amazon EBS Encryption By Default
(Regional Setting)
Encrypt your volume using
Amazon EBS Encryption
which is powered by
AWS KMS
Client-side Encryption
Server-side Encryption
Enforce HTTPS connection
by setting up the Bucket
Policy
Encryption at Rest
Encryption in Transit
Via TLS and the EFS mount helper
D U R A B I L I T Y
A C C E S S C O N T R O L
Amazon EBS Amazon S3
Amazon S3
Amazon EFS
Security Group
Network ACL
Controlled by the associated
security groups and Network
ACL of the EC2 instance that the
volume is mounted to
Can associate a security group
to the file system mount target
NFSv4 endpoint
EC2
Security Group
Bucket Policy
Access Control List
(ACL)
S3 Access Points
S3 Object Lambda
Access Points
D U R A B I L I T Y
NFSv4 Protocol Support
Amazon EBS Amazon S3
Amazon S3
Amazon EFS
POSIX-compliant
NFSv4 Support
D U R A B I L I T Y
D A T A L I F E C Y C L E
Amazon EBS Amazon S3
Amazon S3
Amazon EFS
Amazon Data Lifecycle
Manager (DLM)
Amazon EFS lifecycle
management
Standard Standard-
IA
One Zone One Zone-
IA
Amazon S3 Lifecycle Policy
S3 Standard S3 Standard-IA
30 Days
S3 Glacier
Deep Archive
180 Days
Snapshot at
1:00 PM
Snapshot at
3:00 PM
Snapshot at
5:00 PM
D U R A B I L I T Y
U S E C A S E S
Amazon EBS Amazon S3
Amazon S3
Amazon EFS
For storing dynamic data that is frequently accessed and updated
LOWEST Latency
A storage system accessed by
multiple servers that need
concurrent access to the same set
of files at the same time
POSIX-compliant
For static data or for files that are
NOT usually modified regularly
For a cost-effective &
serverless static web
hosting that can be
integrated with:
Amazon CloudFront

More Related Content

PDF
Amazon Web Services CLF-C02_Exam_Guide_Slides
PDF
The AWS Shared Responsibility Model: Presented by Amazon Web Services
PDF
Innovation at Scale - Top 10 AWS questions when you start
PDF
AWS Enterprise Summit - 클라우드에서의 보안 - 양승도
PPTX
AWS Session.pptx
PDF
Information Security in AWS - Dave Walker
PPTX
awsomedaymodules14gettingstartedwithaws161013161135convertedpptx__2022_01_10_...
PDF
The AWS Shared Responsibility Model in Practice
Amazon Web Services CLF-C02_Exam_Guide_Slides
The AWS Shared Responsibility Model: Presented by Amazon Web Services
Innovation at Scale - Top 10 AWS questions when you start
AWS Enterprise Summit - 클라우드에서의 보안 - 양승도
AWS Session.pptx
Information Security in AWS - Dave Walker
awsomedaymodules14gettingstartedwithaws161013161135convertedpptx__2022_01_10_...
The AWS Shared Responsibility Model in Practice

Similar to AWS_Certified_Solutions_Architect_Associate_SAA-C03_Slides_Tutorials_Dojo.pdf (20)

PDF
Security best practices on AWS cloud
PDF
The AWS Shared Responsibility Model in Practice
PDF
Cloud Native Computing - Part II - Public Cloud (AWS)
PPTX
AWS SSA Webinar 7 - Getting Started on AWS
PDF
AWS-services.pdf
PDF
The AWS Shared Responsibility Model in Practice
PPTX
Blue Chip Tek Connect and Protect Presentation #3
PPTX
Pitt Immersion Day Module 5 - security overview
PPTX
The AWS Shared Security Responsibility Model in Practice
PPTX
Modernizing Technology Governance
PPTX
Introduction to Amazon Web Services (AWS)
PDF
AWSome Event: Handout Introduction to AWS Services
PPTX
Cloud Spotting 2017: An overview of cloud computing
PPTX
CSS17: DC - The AWS Shared Responsibility Model in Practice
PDF
AWS Webinar CZSK 02 Bezpecnost v AWS cloudu
PPTX
AWS Security and SecOps
PDF
Fundamentals of Cloud Computing & AWS
PDF
AWSome Day Lisboa 2017
PDF
Cloudcomputing module1part1-awsomeday2017-170201182604
PDF
Understand the Cloud Computing and the future career possibilities
Security best practices on AWS cloud
The AWS Shared Responsibility Model in Practice
Cloud Native Computing - Part II - Public Cloud (AWS)
AWS SSA Webinar 7 - Getting Started on AWS
AWS-services.pdf
The AWS Shared Responsibility Model in Practice
Blue Chip Tek Connect and Protect Presentation #3
Pitt Immersion Day Module 5 - security overview
The AWS Shared Security Responsibility Model in Practice
Modernizing Technology Governance
Introduction to Amazon Web Services (AWS)
AWSome Event: Handout Introduction to AWS Services
Cloud Spotting 2017: An overview of cloud computing
CSS17: DC - The AWS Shared Responsibility Model in Practice
AWS Webinar CZSK 02 Bezpecnost v AWS cloudu
AWS Security and SecOps
Fundamentals of Cloud Computing & AWS
AWSome Day Lisboa 2017
Cloudcomputing module1part1-awsomeday2017-170201182604
Understand the Cloud Computing and the future career possibilities
Ad

Recently uploaded (20)

PDF
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
PDF
Enhancing emotion recognition model for a student engagement use case through...
PDF
WOOl fibre morphology and structure.pdf for textiles
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
PDF
Mushroom cultivation and it's methods.pdf
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
PDF
NewMind AI Weekly Chronicles - August'25-Week II
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
PPTX
OMC Textile Division Presentation 2021.pptx
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
PDF
DP Operators-handbook-extract for the Mautical Institute
PPTX
Chapter 5: Probability Theory and Statistics
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PPTX
Tartificialntelligence_presentation.pptx
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
PDF
August Patch Tuesday
PPTX
TLE Review Electricity (Electricity).pptx
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
Enhancing emotion recognition model for a student engagement use case through...
WOOl fibre morphology and structure.pdf for textiles
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
Mushroom cultivation and it's methods.pdf
Agricultural_Statistics_at_a_Glance_2022_0.pdf
NewMind AI Weekly Chronicles - August'25-Week II
Group 1 Presentation -Planning and Decision Making .pptx
OMC Textile Division Presentation 2021.pptx
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
DP Operators-handbook-extract for the Mautical Institute
Chapter 5: Probability Theory and Statistics
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
Tartificialntelligence_presentation.pptx
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
August Patch Tuesday
TLE Review Electricity (Electricity).pptx
Building Integrated photovoltaic BIPV_UPV.pdf
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
Ad

AWS_Certified_Solutions_Architect_Associate_SAA-C03_Slides_Tutorials_Dojo.pdf

  • 3. AWS Solutions Architect Associate Exam Overview Tutorials Dojo www.tutorialsdojo.com
  • 6. Multiple Choice Multiple Response Has 1 correct response and 3 incorrect responses Has 2 correct responses out of 5 response options
  • 8. Score Performance Section % of Scored Items Needs Improvement Meets Competencies Section 1.0: Design Secure Architectures 30% Section 2.0: Design Resilient Architectures 26% Section 3.0: Design High-Performing Architectures 24% Section 4.0: Design Cost-Optimized Architectures 20%
  • 9. AWS Certified Solutions Architect Associate Exam Domains
  • 10. Domain 1: Design Secure Architectures Domain 3: Design High-Performing Architectures Domain 4: Design Cost-Optimized Architectures Design Architectures Domain 2: Design Resilient Architectures
  • 11. • TASK STATEMENT #1 • TASK STATEMENT #2 • TASK STATEMENT #3 EXAM DOMAIN
  • 12. 24% 30% 20% 26% Domain 3: Design High-Performing Architectures Domain 1: Design Secure Architectures Domain 2: Design Resilient Architectures Domain 4: Design Cost-Optimized Architectures
  • 13. Domain 1: Design Secure Architectures Domain 3: Design High-Performing Architectures Domain 2: Design Resilient Architectures Domain 4: Design Cost-Optimized Architectures ๏ Design secure access to AWS resources ๏ Design secure workloads and applications ๏ Determine appropriate data security controls
  • 14. Domain 1: Design Secure Architectures Domain 3: Design High-Performing Architectures Domain 2: Design Resilient Architectures Domain 4: Design Cost-Optimized Architectures ๏ Design scalable and loosely coupled architecture ๏ Design highly available and/or fault-tolerant architectures
  • 15. Domain 1: Design Secure Architectures Domain 3: Design High-Performing Architectures Domain 2: Design Resilient Architectures Domain 4: Design Cost-Optimized Architectures ๏ Determine high-performing and/or scalable storage solutions ๏ Design high-performing and elastic compute solutions ๏ Determine high-performing database solutions ๏ Determine high-performing and/or scalable network architectures ๏ Determine high-performing data ingestion and transformation solutions
  • 16. Domain 1: Design Secure Architectures Domain 3: Design High-Performing Architectures Domain 2: Design Resilient Architectures Domain 4: Design Cost-Optimized Architectures ๏ Design cost-optimized storage solutions ๏ Design cost-optimized compute solutions ๏ Design cost-optimized database solutions ๏ Design cost-optimized network architectures
  • 19. WHAT WHEN WHY is AWS? did AWS start? is AWS so popular?
  • 20. Amazon WHAT WHEN WHY is AWS? did AWS start? is AWS so popular? Web Services
  • 21. WHAT WHEN WHY Amazon Web Services is AWS? did AWS start? is AWS so popular?
  • 22. WHEN WHY Amazon Web Services WHAT is AWS? did AWS start? is AWS so popular?
  • 23. WHEN WHY Amazon Web Services WHAT is AWS? did AWS start? is AWS so popular?
• 24. WHAT is AWS? Amazon Web Services = a Cloud Service Provider • Provides a cloud-based platform or cloud services • Allows you to rent virtual servers that you access remotely
• 25. A Cloud Service Provider is like a Car Rental: "I need a car for just 3 days for my trip." A brand new car costs $40,000; a rental costs $100. $40,000 vs $100?
• 26. Cloud Service Provider as Car Rental: Virtual Machines, Physical Servers, Storage Appliances and Network Devices, with different types of CPU, Storage, Network and other components that you can choose from! Available for RENT and accessible online via Web Service interfaces (REST, SOAP etc.)
• 27. WHEN did AWS start? 2004 • AWS started out as a department within Amazon Inc. • Used only by early Amazon customers • Web services were not available publicly
• 28. 2006 • AWS officially started its operation as a public cloud service provider • Released Amazon S3 (Simple Storage Service) • Released Amazon SQS (Simple Queue Service)
• 29. Today • Offers hundreds of fully-featured services that are available globally • Provides a highly reliable, scalable, and low-cost infrastructure platform in the cloud • Boasts a broad set of cloud-based products
• 30. WHY is AWS so popular? Today AWS • Is the world's leading cloud platform • Is used by millions of customers • Supports various workloads • Significantly lowers your operating costs • Enables companies to scale globally in minutes!
• 32. Data Center: has thousands of servers! These physical servers host your virtual machines or store your data!
• 33. AWS Global Infrastructure building blocks: Data Center, Availability Zone, Region, Edge Networks
• 34. Availability Zone: literally a geographic "Zone" made up of multiple data centers; Availability Zones are 100 kilometers or 60 miles from each other; using more than one improves the "Availability" of your systems
• 35. Region: an AWS Region is made up of multiple Availability Zones (Availability Zone 1, Availability Zone 2, Availability Zone 3), each with its own data centers
• 36. Example: US East (Ohio), us-east-2, with Availability Zones 1, 2 and 3. Your system will still run even if one or more data centers encounter an outage
• 37. Edge Networks: Points of Presence (PoP) / Edge Locations form a Content Delivery Network that serves content on behalf of an Origin Server
• 38. Advantages of Cloud Computing
• 39. Advantages of Cloud Computing • Launch solutions and computing resources in a matter of minutes • No need to buy & maintain costly physical servers or data centers • On-demand access to a wide range of virtual machines, storage services, databases, and other IT resources • Revolutionary cloud economics • Unparalleled flexibility for your enterprise IT infrastructure • Better price-to-performance ratio • Lower Total Cost of Ownership (TCO)
• 40. Advantages of Cloud Computing • Trade fixed expense for variable expense • Benefit from massive economies of scale • Stop guessing capacity • Increase speed and agility • Stop spending money running & maintaining data centers • Go global in minutes
• 42. CLOUD COMPUTING: "A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction."
• 46. Shared Responsibility Model. CUSTOMER: responsible for security IN the cloud • Customer data • Platform, applications, identity & access management • Operating system, network & firewall configuration • Client-side data encryption & data integrity authentication • Server-side encryption (file system and/or data) • Networking traffic protection (encryption, integrity, identity). AWS: responsible for security OF the cloud • Software: compute, storage, database, networking • Hardware / AWS Global Infrastructure: regions, availability zones, edge locations
• 47. WHO? • Who is responsible for patching the operating system of your Amazon EC2 instance? • Who is responsible for applying the security patches of the guest operating system that your EC2 instance is using? • Who is responsible for running the host operating system and the virtualization layer that powers your Amazon EC2 instances? • Who is responsible for managing all your IAM user access and secret keys? • Who is responsible for maintaining the underlying server of your AWS Lambda functions? • Who is responsible for the Service and Communications Protection or Zone Security of your data? • Who is responsible for the physical security of the servers and the entire network of data centers of the AWS Global Infrastructure? • Who is responsible for designing encryption-at-rest strategies and other security features in your Amazon RDS database? • Who is responsible for the security OF the cloud and the security IN the cloud?
• 48. Responsibility areas: Host OS vs Guest OS • Client-side & server-side data encryption • Zone security • Abstracted services • Infrastructure security • Configuration management
• 49. IT CONTROLS: Inherited (physical & environmental), Shared (patch management, configuration management, awareness & training), Customer-specific (zone security, custom apps). AWS side: physical servers, host OS; customer side: guest OS
• 50. Answers to the questions on slide 47 come down to the security OF the cloud (AWS) versus the security IN the cloud (the customer)
• 55. AWS Support Plans: BASIC, DEVELOPER, BUSINESS, ENTERPRISE ON-RAMP, ENTERPRISE. Compared on: response time, architectural guidance, programmatic case management, 3rd-party software support, proactive self-service programs, technical account management (TAM), account assistance, 30-day minimum term. Support is provided by: Cloud Support Associates, Cloud Support Engineers, the Concierge Support Team, the AWS Managed Services Team and the Technical Account Manager (TAM)
• 56. BASIC (FREE) • Included for all AWS customers by default • 24/7 access to AWS customer service, documentation, whitepapers & the AWS re:Post site • Access to the AWS Personal Health Dashboard • Limited access: only the core security & service quota checks in AWS Trusted Advisor • Response time: SLOW
• 57. DEVELOPER • Recommended for testing or for running non-critical production workloads in AWS • Limited access: only the core security & service quota checks in AWS Trusted Advisor • Enhanced technical support: unlimited support cases with 1 primary contact; prioritized responses on AWS re:Post • Support provided by: Cloud Support Associates • Support schedule: business hours (MON - FRI, 8 AM - 6 PM)
• 58. DEVELOPER response times • General guidance: < 24 hours • System impaired: < 12 hours • NO phone or chat assistance • Architectural guidance: BASIC
• 59. DEVELOPER: Support Automation Workflows (SAW) in AWS Systems Manager
• 60. SAW runbooks: BASIC runbooks are prefixed AWSSupport-; PREMIUM runbooks are prefixed AWSPremiumSupport- (*premium runbooks are NOT supported in the DEVELOPER plan)
• 61. Examples of BASIC SAW runbooks: • AWSSupport-CopyEC2Instance • AWSSupport-ResetAccess • AWSSupport-ExecuteEC2Rescue • AWSSupport-ListEC2Resources
• 62. BUSINESS • Has all the features of the DEVELOPER support plan • Recommended if you have one or more production workloads in AWS • Full access to the best practice checks in AWS Trusted Advisor • Enhanced technical support: unlimited support cases by unlimited contacts (IAM supported); support schedule: 24/7; prioritized responses on AWS re:Post; access to the AWS Support App • Support provided by: Cloud Support Engineers • Architectural guidance: CONTEXTUAL
• 63. BUSINESS response times • General guidance: < 24 hours • System impaired: < 12 hours • Production system impaired: < 4 hours • Production system outage: < 1 hour
• 64. BUSINESS: AWS Support API • A web service that provides programmatic access to AWS Support Center operations • API endpoint: https://support.<region>.amazonaws.com • Supports the following operations: Support Case Management operations; AWS Trusted Advisor operations
• 65. BUSINESS: 3rd-party software support; Support Automation Workflows (SAW) in AWS Systems Manager with both BASIC runbooks (AWSSupport-) and PREMIUM runbooks (AWSPremiumSupport-)
• 66. BUSINESS: Infrastructure Event Management • Available for an additional fee • Offers architecture guidance and operational support during the preparation and execution of your planned events (e.g. scheduled shopping holidays, product launches, system migrations et cetera) • Prevents unnecessary system degradation or site outages by optimizing your cloud architecture prior to your event • Allows you to easily assess operational readiness, mitigate risks, and execute your planned activity confidently with assistance from AWS experts
• 67. BUSINESS: AWS Managed Services Team • Available for an additional fee • Helps you operate your AWS infrastructure on your behalf • Augments your existing internal teams with advanced cloud operation skills • Provides you with AWS experts such as a designated Cloud Service Delivery Manager, a Cloud Architect, an AMS security team, or all three
• 68. ENTERPRISE ON-RAMP • Recommended if you have business-critical production workloads with strict SLAs (high RTO and RPO requirements) • Has all the features of the BUSINESS support plan • Response times: General guidance < 24 hours; System impaired < 12 hours; Production system impaired < 4 hours; Production system outage < 1 hour; Business-critical system outage < 30 mins
• 69. ENTERPRISE ON-RAMP • Infrastructure Event Management included without any additional fees, for 1 event per year only • Concierge Support Team: primary contact for AWS Billing & AWS Support • Architectural guidance: consultative review and architectural guidance based on your applications (one per year only) • Access to a pool of Technical Account Managers (TAM) to provide proactive guidance and assistance
• 70. ENTERPRISE • Recommended if you have mission-critical production workloads with strict SLAs (high RTO and RPO requirements) • Has all the features of the ENTERPRISE ON-RAMP support plan • Most expensive AWS Support Plan • Access to the premium AWS Trusted Advisor Priority feature
• 71. ENTERPRISE response times • General guidance: < 24 hours • System impaired: < 12 hours • Production system impaired: < 4 hours • Production system outage: < 1 hour • Business/Mission-critical system outage: < 15 mins
• 72. ENTERPRISE: Infrastructure Event Management can be used for multiple corporate events
• 73. ENTERPRISE • Online self-paced labs: provide a hands-on learning environment based on real-world scenarios • Access to a dedicated Technical Account Manager (TAM) • AWS Support Proactive Services (available for an additional fee): 24/7 proactive monitoring & incident management for your selected production workloads, regularly conducted by AWS experts; workload reviews, best practices workshops, and deep dives delivered by AWS experts
• 76. AWS Well-Architected: a knowledge base of design principles, best practices and architectural guidance • Conceptualized from extensive years of cloud research, development, and real-world experience • Helps you avoid costly mistakes • Allows you to establish key performance indicators (KPIs) to measure workload performance
• 79. AWS Well-Architected Pillars (Pillar 1, Pillar 2, Pillar 3, Pillar 4, Pillar 5, Pillar n...). Each pillar covers: Key Topics, Design Principles, Best Practices, Design Patterns, Anti-Patterns, Implementation Guide, Risks, Benefits
• 80. AWS Well-Architected: HOW DOES IT WORK? Example: the Security Pillar applied to Your Cloud Solution (Your App, Compute, Data Layer, Network, Data Transport, Firewall; Identity & Access Management with Users, Groups and Roles)
• 81. The Security Pillar asks questions such as: How do you protect your data at rest? How do you protect your data in transit? How do you manage identities for people and machines?
• 82. AWS Well-Architected TRADE-OFFS: Do you really need to follow all the guidelines of the AWS Well-Architected Framework? It depends on your REQUIREMENTS
• 83. AWS Well-Architected TRADE-OFFS: requirements matrix with Environment (Prod / Pre-Prod / Dev), Scalability (Must / Optional), Reliability (High / Mid / Low), Data Security (At Rest / In Transit), Compliance (HIPAA / GDPR / PCI-DSS / None). Example: a Prod environment with scalability Must, reliability Mid, data security at rest and in transit, and PCI-DSS compliance has an AVERAGE COST
• 85. Example: a Test environment with scalability Optional, reliability Low and no compliance requirement has a LOW COST
• 86. Example: a Prod environment running mission-critical applications, with scalability Must, reliability High, data security at rest and in transit, and PCI-DSS compliance, has a HIGH COST: more redundant resources, more compute & storage resources
• 87. IN PRODUCTION, SECURITY IS NOT USUALLY TRADED OFF WITH ANY OTHER FACTORS
• 88. Foreign Laws & Security Requirements: each country has its own data privacy law with unique data residency and data sovereignty requirements (example: the General Data Protection Regulation (GDPR)) • Covers data sovereignty requirements • Abide by the regional rules that need to be strictly followed • Quickly establish a digital presence in other countries while staying compliant with their data protection and privacy laws
• 89. The Pillars of the AWS Well-Architected Framework
• 91. AWS Well-Architected Framework Pillars: OPERATIONAL EXCELLENCE, SECURITY, RELIABILITY, PERFORMANCE EFFICIENCY, COST OPTIMIZATION, SUSTAINABILITY
• 92. OPERATIONAL EXCELLENCE PILLAR • Revolves around how you run your operations to deliver business value • Allows you to verify whether your AWS workloads are operating excellently or poorly • Provides the ability to: effectively run workloads in AWS; gain helpful insight into your cloud operations; continuously improve your supporting processes & procedures • Example of an operationally excellent AWS solution: an AWS workload with loosely-coupled components that can be updated on a regular basis and where changes can be made in small, reversible increments
• 93. OPERATIONAL EXCELLENCE PILLAR • Can be achieved by establishing protocols to continuously improve the supporting processes of your cloud operations • Supporting processes: continuous improvement; knowledge management; post-incident analysis; feedback loops; other protocols that support your primary processes • Includes the concepts of risk mitigation, disaster recovery exercises, and game days or team drills to test your Disaster Recovery Action Plan
• 94. OPERATIONAL EXCELLENCE PILLAR • Design principles: Perform operations as code; Make frequent, small, reversible changes; Refine operations procedures frequently; Anticipate failure; Learn from all operational failures • Best practice areas: Organization; Prepare; Operate; Evolve
• 95. SECURITY PILLAR • Covers the overall security of your AWS workloads • Not usually traded off against other aspects of your system • Checks the use of various security-related AWS services to protect the data, systems, and assets of your cloud solutions • Includes the concept of Traceability (monitoring & tracking the changes made to your environment and resources) • Includes root cause analysis and automated remediation of production incidents • Aims to improve your overall security posture
• 96. SECURITY PILLAR: examples of secure AWS solutions • Enabling traceability via AWS Config to record, audit, and evaluate changes to AWS resources in your production environment • Implementing data encryption, tokenization, SSL, and firewalls to protect your sensitive data in transit and at rest • Granting least privilege to your staff, with the minimum permissions required to perform a task
• 97. SECURITY PILLAR • Design principles: Implement a strong identity foundation; Enable traceability; Apply security at all layers; Automate security best practices; Protect data in transit and at rest; Keep people away from data; Prepare for security events • Best practice areas: Foundations for Security; Identity and Access Management; Detection; Infrastructure Protection; Data Protection; Incident Response
• 98. RELIABILITY PILLAR • Focused on the ability of your systems to recover and to work consistently & accurately • Ensures your applications remain reliable even if there are traffic surges, unexpected system changes, or natural disasters • Includes the ability to operate and test your AWS workloads throughout their entire lifecycle • Accentuates the concept of Recovery for your cloud solutions in AWS, to meet your strict Recovery Time Objective (RTO) and Recovery Point Objective (RPO) requirements • Verifies that your application has the ability to recover from service disruptions, natural disasters, application failures, and other types of outages • Checks whether your cloud architecture can dynamically acquire computing resources to meet the changing demand of your application
• 99. RELIABILITY PILLAR: examples of reliable AWS solutions • A system that is able to recover from infrastructure or service disruptions by using redundant AWS resources, such as an Amazon RDS database in a Multi-AZ Deployments configuration, an Amazon Aurora Global Database, or an application deployed in multiple Availability Zones or AWS Regions • Implementing Amazon EC2 Auto Scaling across multiple Availability Zones behind an Application Load Balancer to automatically recover from outages and dynamically acquire computing resources to avoid system degradation • Using Cross-Region Replication for databases, S3 buckets, and other resources to increase the ability of your systems to recover
• 100. RELIABILITY PILLAR • Design principles: Automatically recover from failure; Test recovery procedures; Scale horizontally to increase aggregate workload availability; Stop guessing capacity; Manage change through automation • Best practice areas: Foundations for Reliability; Workload Architecture; Change Management; Failure Management
• 101. PERFORMANCE EFFICIENCY PILLAR • Covers the ability to improve performance factors efficiently to meet your system requirements • Focuses on achieving and maintaining a high level of efficiency even as customer demand changes • Adopting new technologies (e.g. Serverless, Containerization) • Re-factoring/re-architecting the existing design of your system to improve application performance • Example AWS solution that demonstrates performance efficiency: re-architecting an on-premises monolithic system into a Serverless Application to efficiently lessen the operating cost, enhance scalability and further improve other performance factors
• 102. PERFORMANCE EFFICIENCY PILLAR • Design principles: Democratize advanced technologies; Go global in minutes; Use serverless architectures; Experiment more often; Consider mechanical sympathy • Best practice areas: Selection; Review; Monitoring; Trade-offs
• 103. COST OPTIMIZATION PILLAR • Focuses on the ability to run your systems and deliver business value at the lowest price point possible • A continual process of improving your AWS workloads while minimizing costs, to achieve the outcomes expected by the business in a cost-effective manner • Aims to increase revenue and maximize return on investment (ROI) • Example of a cost-optimized AWS solution: adopting a consumption model via pay-as-you-go pricing, where you only pay for the resources that you actually consume, or by using AWS Serverless services
• 104. COST OPTIMIZATION PILLAR • Removes the reliance on elaborate forecasting to determine the expected usage of your compute resources • Less dependency on extremely inaccurate forecasting and guesswork in terms of capital expenditures (CAPEX) or operating expenses (OPEX) • Trade fixed expense for variable expense by choosing pay-as-you-go pricing and adopting a cost-effective serverless architecture • Have the ability to dynamically increase or decrease resource usage to meet the ever-changing requirements of the business
• 105. COST OPTIMIZATION PILLAR • Design principles: Implement cloud financial management; Adopt a consumption model; Measure overall efficiency; Stop spending money on undifferentiated heavy lifting; Analyze and attribute expenditure • Best practice areas: Practice Cloud Financial Management; Expenditure & Usage Awareness; Cost-effective Resources; Manage Demand & Supply Resources; Optimize over Time
• 106. SUSTAINABILITY PILLAR • All about sustainable development, which addresses the long-term environmental, economic, and societal impact of your business operations as you use the AWS Cloud • Sustainable development is "...a type of development that meets the needs of the present without compromising the ability of future generations to meet their own needs" • Aims to lessen negative environmental impacts such as carbon emissions, unrecyclable waste, and damage to shared natural resources • Focuses on environmental sustainability, which is a shared responsibility between you & AWS
• 108. SUSTAINABILITY PILLAR • Design principles: Understand your impact; Establish sustainability goals; Maximize utilization; Anticipate and adopt new, more efficient hardware & software offerings; Use managed services; Reduce the downstream impact of your cloud workloads • Best practice areas: Region Selection; User Behavior Patterns; Software & Architecture Patterns; Data Patterns; Hardware Patterns; Development & Deployment Process
• 110. Host Web Apps • Develop Mobile Apps • Run Real-Time Data Analytics • Store Data for Backup
• 111. COMPUTE SERVICES PER CATEGORY: Amazon EC2, AWS Lambda, AWS Outposts, Amazon Lightsail
• 112. Amazon EC2 = Amazon Elastic Compute Cloud; Amazon S3 = Amazon Simple Storage Service; Amazon RDS = Amazon Relational Database Service
• 113. Fully managed by AWS and based on open source technology: Amazon Elastic Kubernetes Service (EKS), Amazon FSx for Lustre (FSx), Amazon Elasticsearch Service
• 114. Amazon Route 53 routes traffic. What's the meaning of this number? The number 53 is the TCP and UDP port number used for Domain Name System (DNS) protocol transport
• 116. Amazon EC2, Amazon Elastic Container Service, Amazon Elastic Kubernetes Service
• 118. AWS Compute Services (Virtual Machines, Serverless, Orchestration, Container): Amazon EC2, AWS Lambda, AWS Outposts, AWS Elastic Beanstalk, Amazon LightSail, AWS Batch, Amazon ECS, Amazon EKS, AWS Fargate
• 120. VIRTUALIZATION: a Hypervisor (also called a Virtual Machine Monitor) divides a physical host's CPU, storage and network into the virtual CPU, storage and network of each Instance • SHARED (default virtualization): used by MULTIPLE tenants / customers • DEDICATED (custom virtualization): used by a SINGLE customer
• 121. Serverless services are fully managed by AWS: unlike Amazon EC2, there is NO DIRECT server access via SSH or RDP. Hybrid: AWS services running in your on-premises data center
• 122. Amazon EC2 • A computing service that runs virtual servers in AWS • Allows you to launch Windows, Linux or even macOS virtual machines • A type of Infrastructure as a Service (IaaS) • A basic building block for your cloud architecture • Used by other AWS services as an underlying compute service
• 123. Amazon EC2 Shared Responsibility Model: Host OS (AWS) / Guest OS (customer)
• 124. Amazon EC2 (Elastic Compute Cloud) • Flexible • Customizable • Scalable
• 126. AWS Lambda: Serverless. Lambda functions are fully managed by AWS and run in a RUNTIME ENVIRONMENT (or a CUSTOM RUNTIME); there is no SSH connection or Remote Desktop connection to the underlying server
• 127. Orchestration: AWS Batch, AWS Elastic Beanstalk
• 128. AWS Batch • Enables you to run batch computing workloads • Dynamically provisions the optimal quantity and type of compute resources, based on the volume and specific resource requirements • Does the planning, scheduling, and execution of your batch computing workloads using Amazon EC2 instances
• 129. AWS Elastic Beanstalk • Automates the deployment, management, scaling, and monitoring of your custom applications in AWS • Just upload your application and it will automatically handle the common tasks to run your application • Handles capacity provisioning, load balancing, database management, auto-scaling, and health monitoring
• 132. Amazon LightSail • An easy-to-use Virtual Private Server (VPS) • Has its own web management console • Also provides other services like databases, load balancers, DNS records and many more
• 133. AWS Outposts • A hybrid service that allows you to run AWS services, like Amazon EC2, in your on-premises data center
• 136. AWS Container Services: Amazon ECS, Amazon EKS, AWS Fargate, Amazon ECR. CLI tools: AWS App2Container (A2C), AWS Copilot
• 137. Virtual Machine vs Container: a Virtual Machine runs a Guest OS on top of a HYPERVISOR (bare metal: hypervisor directly on the firmware; hosted: hypervisor on top of a Host OS). Containers (App Container 1, App Container 2, App Container 3) share the Host OS through a CONTAINER ENGINE, and can also run inside a virtual machine
• 138. Amazon ECS • Amazon Elastic Container Service (Amazon ECS) • A container orchestration service that supports Docker containers • Allows you to easily install, operate, and scale your cluster management infrastructure in AWS • Containers are defined in a task definition, which you use to run an ECS task, or are grouped together as an ECS service • Runs your ECS tasks using: Amazon EC2 or AWS Fargate • An IAM Role can be attached to your ECS task in the TaskRoleArn property of your task definition for security control • Store your Docker images in: Amazon ECR
• 139. Amazon ECS integrations • Storage integration: ECS Task 1 and ECS Task 2 share data on Amazon EFS or Amazon FSx • Scaling: Amazon ECS Service Auto Scaling (diagram shows Amazon SQS feeding the ECS tasks)
• 140. Amazon EKS • Amazon Elastic Kubernetes Service (Amazon EKS) • A fully-managed Kubernetes service • Portable, extensible, and open-source platform for managing containerized workloads and services • Containers are grouped into Pods: the basic operational unit for Kubernetes • Launches and orchestrates a cluster of compute resources using: Amazon EC2 or AWS Fargate • Considered cloud-agnostic, as it allows you to easily move your workloads to your on-premises network or to other cloud service providers like Microsoft Azure, Google Cloud Platform (GCP) et cetera
• 141. AWS Fargate • A serverless compute engine • Works on: Amazon ECS and Amazon EKS • Allows you to focus on building your applications without worrying about server provisioning, scaling, and management • Provides a more cost-effective solution than a container running on the Amazon EC2 launch type • Runs each ECS task or Kubernetes pod in its own kernel • Provides the tasks and pods with their own isolated compute environment
• 142. Amazon ECR • Amazon Elastic Container Registry (Amazon ECR) • A fully-managed Docker container registry • Allows you to store, manage, and deploy Docker container images • Integrated with Amazon ECS • Stores your Docker images in a highly available and scalable architecture • You can use IAM to provide resource-level control of each repository
• 143. AWS App2Container (A2C) • A command-line tool • Transforms .NET & Java applications into containerized applications • Packages the application artifact and dependencies into container images • Configures the network ports and generates the ECS task and Kubernetes pod definitions
• 144. AWS Copilot • Also a command-line tool, just like AWS App2Container (A2C) • Transforms .NET & Java applications into containerized applications • Enables you to quickly launch and easily manage containerized applications on AWS • Automates the deployment lifecycle of your containers
  • 146. Built-in component and NOT a full-fledged AWS Service AWS Storage Services Amazon Elastic File System (Amazon EFS) Amazon Elastic Block Store (Amazon EBS) Amazon Simple Storage Service (Amazon S3) Amazon EC2 Instance Store Amazon S3 Glacier Amazon FSx for Lustre Amazon FSx for Windows File Server AWS Backup AWS Storage Gateway
  • 147. • A temporary or ephemeral block-level storage • Uses the local disks or storage volumes that are physically attached to the underlying host computer of the Amazon EC2 instance. • Provides low-latency access to your data • Loses its stored data if: • The underlying local storage fails Amazon EC2 Instance Store Amazon EC2 Instances Underlying Host Computer that powers your . • The Amazon EC2 Instance: STOP Stops Hibernates Terminates
  • 148. • A persistent block-level storage service • Your data will still be there even if you stop, restart, or terminate your Amazon EC2 instance, unlike: • Also called EBS Volumes • Mounted or attached to your Amazon EC2 instances • Zonal in scope — you can only attach a volume to any EC2 instances in the same Availability Zone. • Can be encrypted at rest using: Amazon Elastic Block Store (Amazon EBS) AWS Key Management Service (AWS KMS) Amazon EC2 Instance Store
  • 149. Amazon Elastic Block Store (Amazon EBS) IOPS Input/Out operations Per Second Throughput Megabit per second (Mbps) Dominant Performance Attribute Read & Write Speeds Use Case Solid State Drive (SSD) Hard Disk Drive (HDD) For workloads with frequent read/write operations For data archiving, backups or throughput-oriented storage Amazon EC2 Can be used as Boot Volume for ? Yes No Fast ! Slow…
• 150. Amazon EBS volume types
• Solid State Drive (SSD): General Purpose SSD (gp) and Provisioned IOPS SSD (io); can be used as a boot volume for Amazon EC2
• Hard Disk Drive (HDD): Throughput Optimized HDD (st) and Cold HDD (sc); cannot be used as a boot volume
• Offers faster data retrieval than Amazon S3 or Amazon EFS
• A volume can only be attached to a single Amazon EC2 instance at a time (EBS Multi-Attach, next slide, is the exception)
• 151. EBS Multi-Attach
• Lets a single Provisioned IOPS SSD (io) volume be attached to multiple Nitro-based Amazon EC2 instances in the same Availability Zone
• Does not make concurrent file modification safe: an ordinary file system such as ext4 or XFS is not cluster-aware, so two instances writing the same file (File-Manila.txt in the slide) can corrupt it unless you run a cluster-aware file system on the volume
• When several instances must write to the same files, use a shared file system such as Amazon EFS instead
• 152. Amazon Simple Storage Service (Amazon S3)
• An object storage service
• Highly durable and scalable
• Can store virtually unlimited amounts of data
• The files are called "objects" that you upload to an S3 bucket
• Access files via a REST API call
• 153. Amazon S3 Storage Classes
• S3 Standard: for frequently accessed data
• S3 Intelligent-Tiering: for changing or unknown access patterns
• S3 Standard-IA and S3 One Zone-IA (Infrequent Access): for storing long-lived, yet less frequently accessed data
• S3 Glacier and S3 Glacier Deep Archive: for low-cost long-term storage and data archiving
• 154. S3 Lifecycle Policy and access control
• A lifecycle policy transitions objects between storage classes as they age, e.g. S3 Standard or S3 Intelligent-Tiering to S3 Standard-IA / S3 One Zone-IA after 30 days, to S3 Glacier after 90 days and to S3 Glacier Deep Archive after 180 days
• Access Control List (ACL): legacy per-object and per-bucket grants; AWS now recommends disabling ACLs and relying on policies
• Bucket Policy: secures access to your S3 buckets and objects and controls external (cross-account or public) access to your Amazon S3 bucket
• 155. ...and many more S3 features!
• S3 Versioning: keeps every version (Version x.*) of an object to prevent accidental data deletion or overwrite in Amazon S3
• Multi-Factor Authentication (MFA) Delete: requires an MFA code to permanently delete an object version or change the versioning state of the bucket
• Cross Region Replication (CRR): automatically replicates objects to a bucket in a different AWS Region for backup purposes
• Transfer Acceleration: accelerates or expedites the data transfer (upload/download) of S3 objects
• Multipart Upload: uploads a large object as a set of independent parts
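The bucket-policy slide says a policy "controls external access"; in practice the check a reviewer runs is whether any Allow statement is reachable by an anonymous principal. The following added example (not Tutorials Dojo course code) audits a policy document for such statements and produces a hardened copy that drops them and adds a Deny for non-TLS requests. The bucket name, the VPC endpoint ID and the policy itself are constructed placeholders.

```python
"""Audit an S3 bucket policy for public access and build a hardened copy.

Added example for the S3 bucket-policy slide; not Tutorials Dojo course code.
The bucket ARN, VPC endpoint ID and policy below are constructed placeholders.
"""
import copy
import json

# Condition keys that scope a "Principal": "*" statement to a known network,
# account or organization; with one of these present the statement is not
# world-readable even though the principal is a wildcard.
RESTRICTING_CONDITION_KEYS = {
    "aws:SourceVpce", "aws:SourceVpc", "aws:SourceIp",
    "aws:PrincipalAccount", "aws:PrincipalOrgID", "aws:PrincipalArn",
}


def _is_wildcard_principal(principal):
    """True for "*" and {"AWS": "*"}, the two spellings of 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def _condition_keys(statement):
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(operator_block.keys())
    return keys


def find_public_statements(policy):
    """Return the Sids of Allow statements reachable by anyone on the internet."""
    public = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if _condition_keys(stmt) & RESTRICTING_CONDITION_KEYS:
            continue  # scoped to a VPC endpoint, CIDR, account or org
        public.append(stmt.get("Sid", "<no Sid>"))
    return public


def harden_policy(policy, bucket_arn):
    """Copy the policy, drop public Allow statements, add a TLS-only Deny."""
    hardened = copy.deepcopy(policy)
    public = set(find_public_statements(policy))
    hardened["Statement"] = [
        s for s in hardened["Statement"] if s.get("Sid", "<no Sid>") not in public
    ]
    hardened["Statement"].append({
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [bucket_arn, f"{bucket_arn}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    })
    return hardened


# Constructed sample: statement 1 correctly limits reads to one VPC endpoint,
# statement 2 accidentally lets the whole internet read every object.
BUCKET_ARN = "arn:aws:s3:::example-tutorialsdojo-bucket"  # placeholder bucket
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowFromVpcEndpoint",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"{BUCKET_ARN}/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
        },
        {
            "Sid": "OopsPublicRead",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:GetObject",
            "Resource": f"{BUCKET_ARN}/*",
        },
    ],
}

if __name__ == "__main__":
    print("public statements:", find_public_statements(SAMPLE_POLICY))
    print(json.dumps(harden_policy(SAMPLE_POLICY, BUCKET_ARN), indent=2))
```

The Deny statement keeps a wildcard principal on purpose: an explicit Deny overrides every Allow, so it is how a bucket policy forces TLS regardless of who calls. Run the audit before and after `harden_policy` to confirm the public statement is gone; the S3 Block Public Access account setting is the belt-and-braces control on top of this.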
• 156. Amazon S3 Glacier
• One of the storage classes in Amazon S3
• Has its own web management console apart from Amazon S3
• Based on the word "glacier": meant for rarely accessed (cold) data, as opposed to frequently accessed (hot) data; compare the Cold HDD (sc) EBS volume type
• Low-cost storage for data archiving and long-term backup
• 157-158. S3 Standard vs. S3 Glacier vs. S3 Glacier Deep Archive: cost and minimum storage duration
• S3 Standard: highest cost; no minimum storage duration; storage is billed as timed storage (byte-hours), so data deleted after 1 day is charged for 24 hours, data deleted after 30 days for 30 days, and data deleted after 90 days for 90 days
• S3 Glacier (archives live in a vault): low cost; 90-day minimum storage duration; data deleted after 1 day or after 30 days is still billed for the entire 90 days; only after 90 days does the normal storage usage charge apply
• S3 Glacier Deep Archive: lowest cost; 180-day minimum storage duration; data deleted after 1 day or after 90 days is still billed for the entire 180 days; only after 180 days does the normal storage usage charge apply
• 159. Archive retrieval options
• S3 Glacier: Expedited (1 - 5 minutes), Standard (3 - 5 hours), Bulk (5 - 12 hours)
• S3 Glacier Deep Archive: Expedited not available, Standard (within 12 hours), Bulk (within 48 hours)
• 160. Amazon Elastic File System (Amazon EFS)
• A scalable shared file storage service
• Provides a POSIX-compliant (Portable Operating System Interface) shared file system
• Can be simultaneously accessed by multiple Amazon Linux EC2 instances in different Availability Zones
• Uses the Network File System (NFS) protocol and works as a file share
• Only supports Linux servers; for Windows servers use Amazon FSx for Windows File Server instead
• 161. Amazon EFS Lifecycle Policy: moves files from EFS Standard to EFS Infrequent Access (IA) after a configurable period without access, e.g. 30 days
• 162. Amazon FSx: Amazon FSx for Windows File Server and Amazon FSx for Lustre
• 164. Amazon FSx for Lustre
• An open-source, parallel file system used for large-scale cluster computing (Lustre = Linux + cluster)
• Primarily used for High-Performance Computing (HPC) and Machine Learning applications
• For workloads that need high-performance parallel storage for frequently accessed (hot) data
• Provides a throughput of hundreds of gigabytes per second
• Offers millions of IOPS
• You can mount an Amazon FSx for Lustre file share on Amazon EC2, Amazon ECS and Amazon EKS
• Use the Container Storage Interface (CSI) driver to connect it to your Amazon EKS cluster
• 165. Amazon FSx for Windows File Server
• A fully managed Microsoft Windows file server service
• Uses the Server Message Block (SMB) protocol
• Can be integrated with your existing Microsoft Active Directory or with AWS Managed Microsoft AD
• Can be used as shared file storage for your SQL Server, Microsoft SharePoint and Windows containers
• 166. AWS Backup
• A fully managed backup service
• Automates your server and database backup processes
• Covers service-level snapshots (Amazon EBS, Amazon RDS, Amazon Aurora, AWS Storage Gateway volumes) and service-level backups (Amazon EC2, Amazon DynamoDB, Amazon EFS, Amazon FSx)
• Retention: the built-in automated backups of Amazon RDS are kept for 7 days by default and 35 days at most, whereas a backup plan in AWS Backup can retain backups for 90 days, one year or even more
• 167. AWS Storage Gateway
• A hybrid cloud storage service
• Connects your on-premises applications and data storage to the AWS Cloud
• Integrates your local & cloud storage systems by using a gateway, deployed as a virtual machine in your on-premises data center next to your on-premises applications
• 168. Storage Gateway types
• File Gateway: store and retrieve objects in Amazon S3 using the NFS and SMB protocols; can be integrated with Microsoft Active Directory or AWS Managed Microsoft AD
• Volume Gateway: provides block storage to your on-premises apps (e.g. a Storage Area Network) with low latency via the Internet using the Internet Small Computer System Interface (iSCSI); uses Amazon S3 for point-in-time snapshots of your volumes, which are stored as EBS snapshots
• Volume Gateway, Cached mode: uses S3 as the primary storage and stores only a subset of frequently accessed data locally
• Volume Gateway, Stored mode: stores the entire dataset locally and asynchronously backs the data up to AWS
• Tape Gateway: a cloud-based Virtual Tape Library; on-premises backup apps connect to it as iSCSI devices; uses Amazon S3 to back up the tapes and can store archived tapes in S3 Glacier or S3 Glacier Deep Archive; reduces costs by eliminating the use of physical backup tapes
• All gateway types replicate your local data to Amazon S3 and can also run on a hardware appliance hosted on-premises instead of a VM
• 169. AWS Storage Gateway vs. AWS DataSync
• AWS DataSync is for migration: it moves data from the on-premises data center (e.g. a Storage Area Network) to AWS when the on-premises data would not be utilized anymore or will be decommissioned
• AWS Storage Gateway is for integration: it replicates data to AWS while the on-premises data will still be actively used
• 171. AWS Database Services
• Relational (ACID: Atomicity, Consistency, Isolation, Durability): Amazon RDS, Amazon Aurora
• Data warehouse: Amazon Redshift
• NoSQL: Amazon DynamoDB, Amazon DocumentDB, Amazon Keyspaces
• In-Memory: Amazon ElastiCache (Redis and Memcached)
• Other databases: Amazon Neptune, Amazon Quantum Ledger Database, Amazon Timestream
• 172. Amazon Relational Database Service (Amazon RDS)
• A relational database that is managed by both you (limited access) and AWS
• The time-consuming tasks are handled by AWS, such as hardware provisioning, patching, backups, and maintenance
• You can configure the DB instance that runs your database: the Amazon EC2 instance type, the storage, and the network access (Amazon VPC, VPC endpoint); you do not get shell access to the underlying host
• 173. Amazon RDS (continued)
• You decide the actual time for patches, such as security patches, to be applied by setting the DB instance's maintenance window
• Can run various types of database engines, e.g. Microsoft SQL Server, PostgreSQL and Amazon Aurora
• 174-175. Amazon RDS deployment options (VPC A in the N. Virginia Region)
• Single-AZ: one PRIMARY DB instance in Availability Zone 1
• Multi-AZ: the PRIMARY in AZ 1 replicates synchronously to a STANDBY in AZ 2; the standby exists for failover and does not serve reads
• Read Replica: the PRIMARY replicates asynchronously to a READ REPLICA in AZ 3; a read replica can also live in another VPC and Region (VPC B in the Ohio Region) to offload read traffic or to support disaster recovery
• 176. Amazon Aurora
• A type of database engine (that you can run on Amazon RDS) and a fully managed database service
• Compatible with MySQL and PostgreSQL
• Scales automatically, performs faster, and costs lower than other databases
• Can automatically grow its data storage
• Deployed as a database cluster that consists of a PRIMARY instance and READ REPLICAS, similar to Multi-AZ deployments in Amazon RDS
• A cluster has a single-master configuration where applications can only write data to a single, master DB instance
• In a multi-master cluster, all DB instances have read/write capability
• 177. Amazon RDS and Amazon Aurora are suitable for applications that read or write constantly changing data, such as Online Transaction Processing (OLTP) applications
• 178. Amazon Redshift
• A fully managed data warehouse
• Allows you to analyze all your data using standard SQL or through your existing Business Intelligence tools
• Optimized to analyze relational data coming from transactional systems, business applications, and other sources for fast SQL queries
• Offers a concurrency scaling feature that supports virtually unlimited concurrent users and concurrent queries
• Has a feature called Redshift Spectrum that allows you to query and retrieve structured and semistructured data from files stored in Amazon S3
  • 179. Amazon Redshift • Primarily used for Online Analytical Processing or OLAP applications like data reporting and analytics.
• 181. Amazon DynamoDB
• A fully managed NoSQL database service
• A non-relational database that does not have a rigid schema or extensive table relationships: a relational database links tables through foreign-key relationships and joins, whereas DynamoDB tables (Dynamo Table #1, Dynamo Table #2) hold items made of attributes and have no relationship between them
• 182. Amazon DocumentDB
• A fast, scalable, highly available MongoDB-compatible database service
• MongoDB is a document-oriented, cross-platform, NoSQL database program
• Each document contains fields and values in JSON format with no rigid schema enforced; documents are grouped into a collection rather than a relational table, e.g.:
{ "id": 1898, "gid": "tutorialsdojo1898", "firstName": "Jose", "lastName": "Rizal", "profile": { "nationality": "Filipino", "country": "Philippines", "birthPlace": "Laguna" } }
• 183. Amazon ElastiCache (in-memory database)
• A caching service
• Allows you to set up, run, and scale open-source in-memory databases like Redis and Memcached
• Faster than disk-based databases
• Useful for database caching that eliminates unnecessary frequent calls to the database just to return identical datasets (no cache: every request hits the database; cached: repeated requests are served from memory)
• Useful for real-time analytics, distributed session management, geospatial services, and many more
• 184. Amazon ElastiCache (Redis and Memcached)
• Sub-millisecond latency
• Can be integrated into your apps with minimal code change
• Supports data partitioning
• 185. Amazon ElastiCache for Memcached
• Based on the open-source Memcached in-memory data store
• Suitable for building a simple, scalable caching layer for your data-intensive apps
• Multithreaded: it can utilize multiple processing cores
• Lacks data replication capability
• Does not support advanced data structures
• Does not provide a highly available caching layer
• 186. Amazon ElastiCache for Redis (Redis stands for REmote DIctionary Server)
• Based on the open-source Redis in-memory data store
• Provides advanced data structures, Pub/Sub messaging, geospatial support and point-in-time snapshot support
• Has a replication feature that provides high availability via data replication
• You can enable Cluster Mode in Redis to have multiple primary nodes (shards) and replicas across two or more Availability Zones
• 187. Amazon Keyspaces (for Apache Cassandra)
• A scalable, highly available, and managed Apache Cassandra-compatible database service
• Apache Cassandra is an open-source, wide-column data store that is designed to handle large amounts of data
• Run your Cassandra workloads on AWS without having to provision, patch, or manage servers
  • 188. Amazon Neptune • A fast, reliable, fully-managed graph database service • Makes it easy for you to build and run applications that work with highly connected datasets • Allows you to store billions of relationships and query your data graphs with milliseconds latency. • Uses nodes to store data entities and edges to store relationships between entities.
• 189. Amazon Timestream
• A fast, scalable, and serverless time series database service
• Primarily used for Internet-of-Things and operational applications
• Tracks how your data changes over time (a time series, e.g. one measurement each at 9 AM, 10 AM, 11 AM and 12 PM)
• Can be used to track stock prices, temperature measurements, and the CPU utilization of an EC2 instance over a specific amount of time
• 190. Amazon Quantum Ledger Database (Amazon QLDB)
• A fully managed ledger database service
• Provides a transparent and immutable transaction log that is owned by a central trusted authority
• Creates logs that are cryptographically verifiable
• Provides an auditable history of all changes made to your application data
• Can be used to track each and every application data change
• 193. Deployment targets: the AWS Cloud, your on-premises data center (hybrid), and other clouds (multi-cloud)
  • 194. AWS Deployment Services AWS CloudFormation AWS Elastic Beanstalk AWS CodeDeploy Amazon ECS Anywhere Amazon EKS Anywhere AWS OpsWorks AWS Proton
• 195. AWS CloudFormation
• Provisions and manages your AWS resources using a custom code template in JSON or YAML format
• Has a built-in graphical drag-and-drop online tool called CloudFormation Designer
• Primary Infrastructure as Code (IaC) service in AWS
• Provides different features such as Nested Stacks, Change Sets, StackSets and others
• 197. Change Sets: a change set provides a preview of how a proposed change (e.g. replacing the DOJO DB resource with DOGGO DB) would affect the running stack before the actual change is executed
• 199. Related Infrastructure as Code tooling: AWS CloudFormation, AWS Cloud Development Kit (AWS CDK), AWS Serverless Application Model (AWS SAM), AWS Serverless Application Repository
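Because CloudFormation templates are plain JSON/YAML, the security requirement from the EBS slide (encrypt at rest with a KMS key) can be enforced before a stack is ever created. The added example below (not Tutorials Dojo course code) is a small policy-as-code check: it walks a template and reports every EBS volume, standalone or attached as an instance block device, that is not encrypted with an explicit KMS key. The template is built as a Python dict, which is the same structure a loaded YAML or JSON template has; the logical IDs, account ID, AMI ID and Availability Zone are placeholders.

```python
"""Policy-as-code check for a CloudFormation template: every EBS volume, whether a
standalone AWS::EC2::Volume or a block device on an AWS::EC2::Instance, must be
encrypted at rest with an explicit KMS key.

Added example for the CloudFormation and EBS-encryption slides; not Tutorials
Dojo course code. The template is constructed in Python so the check runs
offline; the logical IDs, account ID, AMI ID and Availability Zone are placeholders.
"""
import copy


def _has_kms_key(props):
    """Encrypted must be true AND KmsKeyId set (a key ARN/ID string or an
    intrinsic such as {"Ref": "DataKey"}). Encrypted alone would fall back to
    the AWS-managed default key, which this policy does not accept."""
    key = props.get("KmsKeyId")
    return props.get("Encrypted") is True and isinstance(key, (str, dict)) and bool(key)


def find_unencrypted_volumes(template):
    """Return identifiers of EBS volumes that fail the encryption policy."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::Volume" and not _has_kms_key(props):
            findings.append(logical_id)
        elif res.get("Type") == "AWS::EC2::Instance":
            for mapping in props.get("BlockDeviceMappings", []):
                if not _has_kms_key(mapping.get("Ebs", {})):
                    findings.append(f"{logical_id}:{mapping.get('DeviceName', '?')}")
    return findings


# Constructed template: a customer-managed KMS key, an encrypted data volume and
# an instance whose root volume is encrypted with the same key.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AccountAdmin",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},  # placeholder account
        "Action": "kms:*",
        "Resource": "*",
    }],
}
GOOD_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "DataKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {"Description": "CMK for EBS volumes",
                           "EnableKeyRotation": True, "KeyPolicy": KEY_POLICY},
        },
        "DataVolume": {
            "Type": "AWS::EC2::Volume",
            "Properties": {"AvailabilityZone": "us-east-1a", "Size": 100,
                           "VolumeType": "gp3", "Encrypted": True,
                           "KmsKeyId": {"Ref": "DataKey"}},
        },
        "AppServer": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "ImageId": "ami-0123456789abcdef0",  # placeholder AMI
                "InstanceType": "t3.micro",
                "BlockDeviceMappings": [{
                    "DeviceName": "/dev/xvda",
                    "Ebs": {"VolumeSize": 20, "VolumeType": "gp3",
                            "Encrypted": True, "KmsKeyId": {"Ref": "DataKey"}},
                }],
            },
        },
    },
}

# The same template with the two mistakes the check is meant to catch.
BAD_TEMPLATE = copy.deepcopy(GOOD_TEMPLATE)
BAD_TEMPLATE["Resources"]["DataVolume"]["Properties"].pop("KmsKeyId")  # default key only
BAD_TEMPLATE["Resources"]["AppServer"]["Properties"]["BlockDeviceMappings"][0]["Ebs"]["Encrypted"] = False

if __name__ == "__main__":
    print("good:", find_unencrypted_volumes(GOOD_TEMPLATE))
    print("bad: ", find_unencrypted_volumes(BAD_TEMPLATE))
```

Wire a check like this into the pipeline step that runs before `aws cloudformation create-change-set`, so the change-set preview is only ever produced for templates that already satisfy the encryption requirement.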
• 200. AWS Elastic Beanstalk
• Allows you to upload your application code to AWS and provision the required cloud environment easily
• Automatically deploys the necessary AWS resources and components to run your application
• Environment tiers: Web Server and Worker
• Uses configuration files to automatically deploy and configure your applications; all configuration files are stored in the .ebextensions folder
  • 201. AWS CodeDeploy • A fully managed deployment service • Automates your application deployments to Amazon EC2 instances, Amazon ECS clusters, AWS Lambda functions, and other computing services in AWS • Capable of doing hybrid deployment of your applications to your on-premises data center and to AWS • Does NOT create or provision AWS resources, unlike the AWS CloudFormation service
• 202. Amazon ECS
• A container orchestration service that supports Docker containers
• Automates the process of installing, operating, managing, networking and scaling your cluster management infrastructure in AWS
• 203. Amazon ECS launch types: Amazon EC2 instances in your Amazon VPC, AWS Fargate (serverless; internally still powered by EC2 capacity that AWS manages), and Amazon ECS Anywhere for servers in your on-premises data center; Amazon CloudWatch Container Insights provides the monitoring
• 204. Amazon EKS
• A managed orchestration service that runs Kubernetes for you
• Automates the process of installing, operating, managing, networking and scaling your Kubernetes control plane, pods and nodes in AWS
• 205-206. Amazon EKS deployment options
• Amazon EKS on AWS (nodes on Amazon EC2 or AWS Fargate): physical servers supplied by AWS; support provided by AWS Support; Kubernetes control plane managed by AWS; Kubernetes data plane managed by AWS (fully so with AWS Fargate)
• Amazon EKS on AWS Outposts: physical rack server supplied by AWS but managed by you; support provided by AWS Support; control plane managed by AWS; data plane managed by you
• Amazon EKS Anywhere (Kubernetes cluster running on-premises): physical server supplied and managed by you; support provided by AWS Support; control plane managed by you; data plane managed by you
• Amazon EKS Distro (Kubernetes cluster running on-premises): physical server supplied and managed by you; no AWS Support; control plane managed by you; data plane managed by you
• 207. AWS OpsWorks
• A configuration management service
• Provides managed instances for your automation platforms based on Chef and Puppet
• Automates how your servers are provisioned, configured, and managed across Amazon EC2 instances and on-premises servers
• 208. AWS OpsWorks offerings: AWS OpsWorks Stacks, AWS OpsWorks for Chef Automate, AWS OpsWorks for Puppet Enterprise
• 209. AWS Proton
• A service that automates container & serverless deployment
• Ensures that you have consistent development standards and best practices across your AWS account
• Deploys container and serverless applications using pre-approved stacks that your platform team manages
• Grants developers the freedom to innovate but still within the set guardrails that the security team implemented
• Offers a self-service portal for your developers
• Provides AWS Proton templates, which contain all the information required to deploy your custom environments and services
• 211. AWS Monitoring Services: collect logs and metrics (CPU, storage, network) and forecast what is coming, e.g. "High CPU Utilization Today!"
• 212. AWS Monitoring Services: Amazon CloudWatch, AWS Service Health Dashboard, AWS Personal Health Dashboard, AWS Health API
• 213. Amazon CloudWatch
• A suite of AWS services used in monitoring your systems both in AWS and in your on-premises data center
• A metrics repository that collects system data from AWS services as well as your custom metrics
• Monitors and analyzes system metrics
• Notifies you if a certain threshold has been reached
• Triggers an action based on a specific threshold or events that you define
• 215. Amazon CloudWatch Metrics
• Collect metrics from various AWS services and your custom applications
• Aggregate (combine) metrics across multiple resources
• Most AWS services send metric data to CloudWatch every 1 minute by default
• For Amazon EC2, the default frequency is every 5 minutes
• Detailed Monitoring sends EC2 metric data every 1 minute
• 216-217. Amazon CloudWatch Logs
• Primarily used for logs monitoring
• Allows you to monitor, store, access, analyze or query the logs from your AWS resources or from your custom applications
• Install the CloudWatch agent on your EC2 instances to automatically collect and publish your application logs to CloudWatch Logs; the older CloudWatch Logs agent is deprecated, and the unified CloudWatch agent collects both logs and metrics
• Flow: Amazon EC2 instance logs -> CloudWatch agent -> Amazon CloudWatch Logs
• 218. Amazon CloudWatch Alarms
• Allows you to create alarms for your monitoring
• Performs one or more actions based on a system metric and a specific threshold
• Can notify you or other systems/services using Amazon SNS
• Can trigger a custom action, such as auto scaling your EC2 instances, sending a billing alert, invoking a Lambda function, and many more
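"Based on a system metric and a specific threshold" hides the detail that matters when tuning alarms: CloudWatch looks at the last N periods (EvaluationPeriods) and goes to ALARM only when M of them (DatapointsToAlarm) breach, and actions fire on state transitions, not on every evaluation. The added example below (not Tutorials Dojo course code) reproduces that evaluation over a constructed series of 1-minute CPUUtilization samples; the alarm name and SNS topic ARN are placeholders.

```python
"""Evaluate a CloudWatch-style metric alarm over a window of datapoints.

Added example for the CloudWatch Alarms slide; not Tutorials Dojo course code.
It reproduces the "M out of N" rule CloudWatch applies (DatapointsToAlarm out
of EvaluationPeriods) and the transition-only firing of actions. The CPU
samples are constructed; the alarm name and SNS topic ARN are placeholders.
"""
from dataclasses import dataclass, field
import operator

# ComparisonOperator values as CloudWatch names them.
COMPARISONS = {
    "GreaterThanThreshold": operator.gt,
    "GreaterThanOrEqualToThreshold": operator.ge,
    "LessThanThreshold": operator.lt,
    "LessThanOrEqualToThreshold": operator.le,
}


@dataclass
class MetricAlarm:
    name: str
    threshold: float
    comparison: str = "GreaterThanThreshold"
    evaluation_periods: int = 3      # N: how many recent datapoints are examined
    datapoints_to_alarm: int = 3     # M: how many of them must breach
    alarm_actions: list = field(default_factory=list)
    ok_actions: list = field(default_factory=list)

    def breaches(self, value):
        return COMPARISONS[self.comparison](value, self.threshold)

    def evaluate(self, datapoints):
        """Return (state, breaching_count) for the most recent N datapoints.

        datapoints: metric values in chronological order, one per period.
        With fewer than N points the alarm stays INSUFFICIENT_DATA, as in CloudWatch.
        """
        window = datapoints[-self.evaluation_periods:]
        if len(window) < self.evaluation_periods:
            return "INSUFFICIENT_DATA", 0
        breaching = sum(1 for v in window if self.breaches(v))
        state = "ALARM" if breaching >= self.datapoints_to_alarm else "OK"
        return state, breaching

    def actions_for(self, previous_state, datapoints):
        """Actions fire only when the state changes, as CloudWatch does."""
        state, _ = self.evaluate(datapoints)
        if state == previous_state:
            return state, []
        if state == "ALARM":
            return state, list(self.alarm_actions)
        if state == "OK":
            return state, list(self.ok_actions)
        return state, []


# Constructed 1-minute CPUUtilization samples (Detailed Monitoring granularity).
CPU_SAMPLES = [35.0, 41.0, 88.5, 93.2, 79.0, 97.1, 60.0, 42.0, 38.0]

OPS_TOPIC = "arn:aws:sns:us-east-1:111122223333:ops-alerts"  # placeholder ARN
HIGH_CPU = MetricAlarm(
    name="tutorialsdojo-high-cpu",   # placeholder alarm name
    threshold=80.0,
    evaluation_periods=3,
    datapoints_to_alarm=2,           # 2 of the last 3 periods breaching -> ALARM
    alarm_actions=[OPS_TOPIC],
    ok_actions=[OPS_TOPIC],
)


def replay(alarm, samples):
    """Feed the samples one period at a time; return [(state, actions), ...]."""
    history, state = [], "INSUFFICIENT_DATA"
    for i in range(1, len(samples) + 1):
        state, actions = alarm.actions_for(state, samples[:i])
        history.append((state, actions))
    return history


if __name__ == "__main__":
    for period, (state, actions) in enumerate(replay(HIGH_CPU, CPU_SAMPLES), 1):
        print(f"period {period}: {state} {actions}")
```

In the replay the single 88.5% spike in period 3 does not alarm (1 of 3), the second breaching sample in period 4 does, and the SNS action fires exactly once for the ALARM transition and once when the alarm returns to OK in period 7. Setting `datapoints_to_alarm` lower than `evaluation_periods` is how you trade a little noise tolerance for earlier detection.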
• 219. Amazon CloudWatch Events / Amazon EventBridge
• Monitors and responds to the system/service events of your AWS resources in near real-time
• Allows you to create a CloudWatch Events rule to track the changes or the state of your services
• Invokes a certain action if a specific event matches your event rule
• Allows you to create a scheduled job that invokes a Lambda function on a regular basis, like every hour, every day, every week, or any schedule that you like
• CloudWatch Events and Amazon EventBridge have the same underlying service and API, but the latter provides more features
• 220. Amazon CloudWatch Dashboards
• A customizable dashboard containing your AWS system metrics
• Monitor your resources in a single view, even if those resources are located across different AWS Regions
• Allows you to publish and view your custom metrics
• 222. AWS Personal Health Dashboard (since renamed to the AWS Health Dashboard)
• A personalized dashboard that shows the status of the AWS services that you are using
• Does NOT show you the status of all the AWS services globally but only the status of the AWS services that you have in your account
• Shows the AWS Health events that might affect your applications running on AWS, such as scheduled maintenance or system outages
• Allows you to create alerts and notifications based on the health of your AWS resources
• 223. AWS Health API
• Provides programmatic access to the AWS Health information that appears in your AWS Personal Health Dashboard
• A RESTful web service that you can access via HTTPS
• NOT available by default; only available with the Business or Enterprise support plans
• 224-226. AWS Audit & Compliance Services Overview: AWS CloudTrail (records API calls and resource changes), AWS Artifact, AWS Security Hub
• 227. AWS CloudTrail
• Tracks user activity and API usage in your AWS account
• Stores the audit log data in an Amazon S3 bucket (and can additionally deliver it to CloudWatch Logs)
• Enables risk auditing by continuously monitoring and logging account activities, such as user actions made through the AWS Management Console, the AWS Command Line Interface (CLI), the AWS SDKs and the AWS API
• 228. AWS CloudTrail event types
• Management events (control plane): provide information about the management operations performed on your AWS resources, e.g. attaching an IAM role, creating a new VPC, creating a subnet; logged by default
• Data events (data plane): provide information about the resource operations performed on or in your resources, e.g. Amazon S3 object-level API activities (performed in a bucket) and invoking an AWS Lambda function; not logged by default, must be enabled per trail, and billed separately
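Once CloudTrail is writing to S3, the responder's job is to read those records, separate control-plane from data-plane activity, and surface the calls that change privileges. The added example below (not Tutorials Dojo course code) parses a constructed CloudTrail log file in the `Records` layout CloudTrail delivers, classifies each record using the `eventCategory` / `managementEvent` fields, and flags root activity and a short list of high-risk IAM, CloudTrail and S3 management calls. The account ID, ARNs, IP addresses and the high-risk list are assumptions for the demo.

```python
"""Triage CloudTrail records: split management vs. data events and flag the
high-risk management calls a responder looks at first.

Added example for the CloudTrail slides; not Tutorials Dojo course code. The
records below are constructed (account ID, ARNs and IPs are placeholders) in
the "Records" array shape of a CloudTrail log file delivered to S3.
"""
import json

# Management calls treated as privilege-relevant; assumption for the demo,
# extend it with whatever your environment considers sensitive.
HIGH_RISK_EVENTS = {
    ("iam.amazonaws.com", "AttachRolePolicy"),
    ("iam.amazonaws.com", "CreateAccessKey"),
    ("iam.amazonaws.com", "PutUserPolicy"),
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"),
    ("s3.amazonaws.com", "PutBucketPolicy"),
}


def classify(record):
    """Return "Management" or "Data" for one CloudTrail record."""
    category = record.get("eventCategory")
    if category in ("Management", "Data"):
        return category
    # Older record versions carry only the boolean; absent means management.
    return "Management" if record.get("managementEvent", True) else "Data"


def triage(records):
    """Count events per category and return the high-risk management records."""
    counts = {"Management": 0, "Data": 0}
    alerts = []
    for rec in records:
        cat = classify(rec)
        counts[cat] += 1
        key = (rec.get("eventSource"), rec.get("eventName"))
        identity = rec.get("userIdentity", {})
        is_root = identity.get("type") == "Root"
        if cat == "Management" and (is_root or key in HIGH_RISK_EVENTS):
            alerts.append({
                "time": rec.get("eventTime"),
                "event": f"{key[0]}:{key[1]}",
                "actor": identity.get("arn", "<unknown>"),
                "sourceIp": rec.get("sourceIPAddress"),
                "reason": "root activity" if is_root else "high-risk API",
            })
    return counts, alerts


def triage_log_file(text):
    """Parse a CloudTrail log file body (JSON with a "Records" array)."""
    return triage(json.loads(text)["Records"])


# Constructed CloudTrail log file with three records.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:00:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "CreateVpc",
     "eventCategory": "Management", "managementEvent": True,
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:05:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "eventCategory": "Data", "managementEvent": False,
     "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app/i-0abc"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:07:00Z",
     "eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "eventCategory": "Management", "managementEvent": True,
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
]})

if __name__ == "__main__":
    counts, alerts = triage_log_file(SAMPLE_LOG)
    print(counts)
    for alert in alerts:
        print(alert)
```

The same function works on real trail files after `gzip` decompression, because CloudTrail writes exactly this `Records` envelope; the point to remember from the slide is that the `GetObject` record only exists at all if S3 data events were switched on for the trail.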
• 229. AWS Artifact
• Provides on-demand AWS security and compliance reports
• Acts as a self-service portal to find compliance-related information and reports, e.g. ISO reports, Payment Card Industry (PCI) reports, Service Organization Control (SOC) reports, and many more
• Allows you to download AWS security and compliance documents such as the SOC 1 report, ISO certifications, and other reports
• 230. AWS Security Hub
• Provides a centralized & comprehensive view of the security posture of your cloud infrastructure across multiple AWS accounts
• Helps you to comply with your company's specific security standards and best practices
• Collects security alerts and findings from Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Firewall Manager, AWS IAM Access Analyzer and other sources
  • 231. AWS Networking & Content Delivery Services Overview
• 232. AWS Networking & Content Delivery Services: Amazon VPC, Elastic Load Balancing, Amazon Route 53, AWS Global Accelerator, Amazon CloudFront, AWS PrivateLink, AWS VPN, AWS Direct Connect, AWS Transit Gateway, Amazon API Gateway (also categorized as an Application Integration Service), AWS App Mesh, AWS Cloud Map
• 233-234. Amazon Virtual Private Cloud (Amazon VPC): a VPC is a Regional, logically isolated network in the AWS Cloud with an IPv4 CIDR range (e.g. 10.0.0.0/16) and optionally an IPv6 CIDR range (e.g. 2001:db8:1234:1a00::/56); it contains subnets such as a public subnet 10.0.1.0/24 (e.g. Amazon EC2) and a private subnet 10.0.0.0/24 (e.g. Amazon RDS, Amazon EFS, Amazon FSx); a route table decides where each subnet's traffic goes, an Internet Gateway connects the VPC to the public Internet, and a Virtual Private Gateway terminates the VPN from the Customer Gateway in your on-premises data center
• 235. VPC Peering: connects two VPCs, even across Regions (e.g. VPC A "Manila Branch" in Asia Pacific (Singapore) and VPC B "New York Branch" in US East (Northern Virginia)); the two CIDR ranges must not overlap
• 236. Network virtualization: the physical PCIe network interface card of the host is presented to instances as virtual devices by the Nitro Card for VPC
• 237. VPC extension to AWS Outposts: an Outpost in your on-premises data center attaches to your VPC and routes local traffic through a Local Gateway, while the Internet Gateway and Virtual Private Gateway stay in the Region
• 238. VPC Endpoint: lets resources in the VPC (e.g. Amazon EC2, Auto Scaling, Amazon FSx) reach Amazon S3, Amazon DynamoDB and other services without the traffic leaving the AWS Cloud or passing through the public Internet
• 239. Elastic Load Balancing
• Automatically distributes incoming traffic across multiple targets such as Amazon EC2 instances, AWS Lambda functions, Amazon ECS tasks, AWS Fargate tasks and IP addresses
• Provides high availability to your web applications: if one of your servers or EC2 instances fails (unhealthy resource), the request will be routed to another server (healthy resource)
• Routes incoming traffic across multiple Availability Zones, within a single AWS Region only
• 240. Elastic Load Balancing types
• Application Load Balancer (ALB): protocol listeners HTTP / HTTPS and gRPC; for web apps, microservices & containers
• Network Load Balancer (NLB): protocol listeners TCP / UDP and TLS; for handling millions of requests per second while maintaining ultra-low latencies
• Gateway Load Balancer (GWLB): IP listener; for running third-party virtual appliances (firewalls, IDS/IPS) in AWS
• Classic Load Balancer (CLB): protocol listeners HTTP / HTTPS, TCP and SSL/TLS; for legacy applications in AWS and for implementing custom SSL security policies and TCP passthrough configurations
• 241-243. Amazon Route 53
• A Domain Name System (DNS) web service
• DNS is a system that routes a domain name to a particular IP address
• Maps domain names to Elastic IP addresses, Amazon EC2 instances, Amazon S3 static websites, Elastic Load Balancers, Amazon CloudFront web distributions, or servers in your on-premises data center
• Lets you buy and manage domains
• Root domain (also known as zone apex or naked domain) and subdomains such as cdn.tutorialsdojo.com, portal.tutorialsdojo.com, philippines.tutorialsdojo.com, manila-datacenter.tutorialsdojo.com and blog.tutorialsdojo.com
• Routing policies: Simple, Weighted, Latency-Based, Failover, Geolocation, Geoproximity, Multivalue Answer
• 244-246. AWS Global Accelerator
• Provides a set of static anycast IP addresses
• The static IP address serves as a single fixed entry point to your endpoints: Application Load Balancers, Network Load Balancers, Amazon EC2 instances and Elastic IP addresses
• Example: one static anycast IP address fronts an Application Load Balancer with EC2 instances in the Sydney Region and a Network Load Balancer with EC2 instances in the US East Region; clients enter the AWS global network at the nearest edge and are routed to a healthy endpoint
• 247. Amazon CloudFront
• A content delivery network (CDN) service
• Quickly delivers static content and video streams to your clients
• A CDN is a globally distributed network of servers (edge locations) that store or cache your files close to your users
• Reduces latency by shortening the time it takes to deliver your data to your users
• Improves the response time of your application
• Caches your images, videos, media files, or software packages
• 248-249. AWS PrivateLink
• Allows private connectivity to various AWS services and to services hosted in other VPCs
• Traffic does not pass through the public Internet; everything stays inside the AWS Cloud
• Provides a private endpoint (an interface VPC endpoint, i.e. an elastic network interface inside your Amazon VPC) that your Amazon EC2 instances use to reach the service
• Caveat: for Amazon S3 and Amazon DynamoDB the classic option is a gateway endpoint, which is a route-table entry rather than a PrivateLink interface; S3 additionally supports interface endpoints via PrivateLink
• 250-251. AWS Virtual Private Network (AWS VPN)
• Enables you to connect your on-premises network to AWS
• An encrypted connection that passes through the public Internet
• Uses the IPsec protocol to authenticate and encrypt your data in transit
• AWS Site-to-Site VPN: connects the Customer Gateway in your on-premises data center to your Amazon VPC or to an AWS Transit Gateway through a Site-to-Site VPN endpoint
• AWS Client VPN: Client VPN software on end-user devices connects to a Client VPN endpoint
• 252-253. AWS Direct Connect
• Allows you to establish a dedicated network connection from your on-premises network (customer router) to AWS
• Provides a more consistent network experience than Internet-based connections such as a VPN, and higher bandwidth
• You can create a private virtual interface to enable your on-premises servers to connect to the virtual private gateway of your Amazon VPC
• You can group your virtual private gateways and private virtual interfaces using a Direct Connect Gateway
• You can also use a public virtual interface to connect to your Amazon S3 buckets and other public resources in AWS
• The traffic does NOT pass through the public Internet, but it is not encrypted by default: run a Site-to-Site VPN over the Direct Connect link, or use MACsec on supported 10 Gbps and 100 Gbps dedicated connections, when you need encryption in transit
• 254. AWS Transit Gateway
• Connects your cloud networks (e.g. Amazon VPCs, VPNs, Direct Connect Gateways, and on-premises networks) to a single gateway
• Recommended for large organizations with hundreds of Amazon VPCs, Site-to-Site VPNs, and external networks
• Reduces the complexity of your infrastructure and makes scaling easier
• 255. Amazon API Gateway
• Allows you to publish, maintain, monitor, and secure your RESTful APIs
• Also supports WebSockets for real-time message communication
• Acts as a front door for your back-end services that are running on Amazon EC2, AWS Lambda, Amazon ECS, AWS Fargate or AWS Elastic Beanstalk
• Works as a proxy, similar to Apigee, MuleSoft and other proxies/integration platforms
• 256. AWS App Mesh
• A service mesh (an infrastructure layer that handles communication between microservices)
• Provides application-level networking for the different types of containerized applications in AWS
• Allows your services to communicate with each other across multiple types of computing infrastructure
• Uses Envoy (an open-source service mesh proxy) as the sidecar proxy next to each service
• Can be used with microservice containers managed by Amazon EC2, Amazon ECS, AWS Fargate and Amazon EKS
  • 257. • A cloud resource discovery service. • Commonly used in microservices and containerized applications that have dynamically changing resources. • You can name your containerized application resources with custom names. • Improves your containerized applications in AWS by always discovering the most up-to-date locations of your resources • Improves the availability of your system. AWS Cloud Map
• 259. Application Integration Services: a monolithic application bundles the user interface, business logic and data access layer into one deployable unit, whereas a microservices architecture splits it into independent services (Service 1 through Service 5), each with its own UI or API, that communicate through a queue
  • 260. Application Integration Services Amazon Simple Notification Service (Amazon SNS) Amazon MQ AWS AppSync Amazon EventBridge AWS Step Functions Amazon AppFlow Amazon Simple Queue Service (Amazon SQS)
• 261. Amazon Simple Queue Service (Amazon SQS)
  • A fully managed message queueing service
  • The messages can be consumed or processed by Amazon EC2, AWS Lambda, Amazon ECS, or other consumers
  • Can replace your traditional message-oriented middleware without having to manage any servers or resources
• 262. Amazon SQS queue types
  • Standard queue: high (nearly unlimited) throughput; at-least-once delivery, so duplicate messages are possible; best-effort ordering, so messages might be delivered in a different order than they were sent
  • FIFO queue: limited throughput; exactly-once processing (duplicates sent within the deduplication interval are discarded); preserves the exact order in which the messages are received (First In, First Out)
  • The ChangeMessageVisibility API lets a consumer extend (or shorten) the visibility timeout of a message it is still processing, so the message is not redelivered to another consumer prematurely
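Because a Standard queue delivers at least once, the consumer, not the queue, has to make processing idempotent. The following is an added example (not code from the course) of such a consumer run over a constructed receive batch; the in-memory set of processed keys would be a DynamoDB or database table with a TTL in a real deployment, and the `request_id` field is an assumed producer-supplied idempotency key.

```python
"""Idempotent consumer for an Amazon SQS Standard queue.

Added example, not code from the slides. Standard queues deliver at least
once and in best-effort order, so the consumer must tolerate redeliveries
and producer retries. The processed-key set is in memory here; in a real
deployment it would live in DynamoDB or a database table with a TTL.
The messages below are constructed, not received from SQS.
"""
import json

# Constructed receive batch. "m-1" appears twice (an SQS redelivery with the
# same MessageId). "m-4" repeats the request_id of "m-2" (a producer retry
# that enqueued a second copy with a new MessageId). "m-3" is a new order.
SAMPLE_MESSAGES = [
    {"MessageId": "m-1", "ReceiptHandle": "rh-1",
     "Body": json.dumps({"request_id": "req-100", "order_id": "A100", "amount": 25})},
    {"MessageId": "m-2", "ReceiptHandle": "rh-2",
     "Body": json.dumps({"request_id": "req-101", "order_id": "A101", "amount": 40})},
    {"MessageId": "m-1", "ReceiptHandle": "rh-3",
     "Body": json.dumps({"request_id": "req-100", "order_id": "A100", "amount": 25})},
    {"MessageId": "m-3", "ReceiptHandle": "rh-4",
     "Body": json.dumps({"request_id": "req-102", "order_id": "A100", "amount": 10})},
    {"MessageId": "m-4", "ReceiptHandle": "rh-5",
     "Body": json.dumps({"request_id": "req-101", "order_id": "A101", "amount": 40})},
]


def idempotency_key(message):
    """Key on a producer-supplied request_id, falling back to MessageId.

    MessageId alone only catches SQS redeliveries; the producer's own id also
    catches retries that enqueued the same logical message twice.
    """
    body = json.loads(message["Body"])
    return body.get("request_id") or message["MessageId"]


class OrderProcessor:
    def __init__(self):
        self.processed = set()   # idempotency keys already handled
        self.ledger = {}         # order_id -> total amount charged
        self.to_delete = []      # receipt handles that are safe to delete from the queue

    def process(self, message):
        key = idempotency_key(message)
        if key in self.processed:
            # Already done: delete the redelivered copy without repeating the side effect.
            self.to_delete.append(message["ReceiptHandle"])
            return "duplicate"
        order = json.loads(message["Body"])
        self.ledger[order["order_id"]] = self.ledger.get(order["order_id"], 0) + order["amount"]
        # Record the key only after the side effect succeeded, so a crash in
        # between leaves the message visible again to be retried.
        self.processed.add(key)
        self.to_delete.append(message["ReceiptHandle"])
        return "processed"


def run_batch(messages):
    """Process one receive batch; returns the processor and the per-message outcomes."""
    processor = OrderProcessor()
    outcomes = [processor.process(m) for m in messages]
    return processor, outcomes
```

Two practical points follow from this: the visibility timeout must be longer than the worst-case processing time (or the consumer must call ChangeMessageVisibility while it works), otherwise the same message becomes visible to a second consumer and you get one more duplicate to absorb; and with a FIFO queue the equivalent check happens on the producer side through MessageDeduplicationId, which is why FIFO can promise exactly-once processing.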
• 263. Amazon SQS with Auto Scaling (figure: an Auto Scaling group of EC2 consumers scaled by a target tracking policy driven by SQS metrics such as the age of the oldest message, the queue depth, and the number of messages)
• 264. (figure: Amazon ECS tasks consuming from an Amazon SQS queue fed by Amazon SNS, and writing data to an Amazon S3 bucket)
• 265. Amazon Simple Notification Service (Amazon SNS)
  • A fully managed messaging and notification service
  • Enables you to communicate between systems through publish/subscribe patterns (pub/sub messaging): publishers send to a topic, and subscribers such as the Car, Home and Pet Insurance queues or Amazon CloudWatch receive the messages
  • Messaging via mobile push, email, or SMS
• 266. Amazon SNS fan-out and message filtering
  • Fan-out: one SNS topic delivers each message to many consumers, such as SQS queues, AWS Lambda functions, and HTTP endpoints running on Amazon EC2 or Amazon ECS
  • Message filtering: each subscription carries a filter policy, so the Car, Home and Pet Insurance queues each receive only quotes of their own quote type
  • Event notifications: Amazon RDS events, Amazon CloudWatch alarms, and custom events from your own applications can all be published to the topic
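Filter policies are evaluated by SNS on each subscription, not by the consumers. The block below is an added example (not code from the course or from AWS) that reimplements the part of the filter-policy grammar the insurance fan-out needs (exact match, anything-but, prefix, numeric ranges, exists) and applies it to constructed message attributes, so the routing can be checked offline. The queue names, policies and messages are assumptions.

```python
"""Subscription filter policies for Amazon SNS fan-out.

Added example, not the page's code. It implements the subset of the SNS
filter policy grammar that the insurance-quote fan-out needs and applies it
to constructed messages. Policies and messages are assumptions.
"""
import json
import operator

_NUMERIC_OPS = {"=": operator.eq, ">": operator.gt, ">=": operator.ge,
                "<": operator.lt, "<=": operator.le}


def _attribute_value(attr):
    """Decode an SNS message attribute ({"Type": ..., "Value": ...}) to Python."""
    kind, raw = attr["Type"], attr["Value"]
    if kind == "Number":
        return float(raw)
    if kind == "String.Array":
        return json.loads(raw)
    return raw


def _condition_matches(cond, value):
    values = value if isinstance(value, list) else [value]
    if isinstance(cond, dict):
        if "anything-but" in cond:
            excluded = cond["anything-but"]
            excluded = excluded if isinstance(excluded, list) else [excluded]
            return not any(v in excluded for v in values)
        if "prefix" in cond:
            return any(isinstance(v, str) and v.startswith(cond["prefix"]) for v in values)
        if "numeric" in cond:
            spec = cond["numeric"]                      # e.g. [">=", 100, "<", 500]
            checks = list(zip(spec[0::2], spec[1::2]))
            return any(isinstance(v, float) and all(_NUMERIC_OPS[op](v, bound) for op, bound in checks)
                       for v in values)
        if "exists" in cond:
            return bool(cond["exists"])                 # the key is present when we get here
        return False
    return any(v == cond for v in values)               # exact match on a string or number


def policy_matches(policy, message_attributes):
    """Keys in a policy are ANDed; the conditions listed under one key are ORed."""
    for key, conditions in policy.items():
        if key not in message_attributes:
            # Only {"exists": false} can match a missing attribute
            if not any(isinstance(c, dict) and c.get("exists") is False for c in conditions):
                return False
            continue
        value = _attribute_value(message_attributes[key])
        if not any(_condition_matches(c, value) for c in conditions):
            return False
    return True


def fan_out(subscriptions, message_attributes):
    """Return the subscriptions (queue names) that should receive the message."""
    return [name for name, policy in subscriptions.items()
            if policy is None or policy_matches(policy, message_attributes)]


# Constructed subscriptions: one SQS queue per quote type, a queue that only
# wants expensive non-pet quotes, and an audit queue with no filter policy.
SUBSCRIPTIONS = {
    "car-insurance-queue": {"quote_type": ["car"]},
    "home-insurance-queue": {"quote_type": ["home"]},
    "pet-insurance-queue": {"quote_type": ["pet"]},
    "high-value-queue": {"quote_type": [{"anything-but": "pet"}],
                         "premium": [{"numeric": [">=", 1000]}]},
    "audit-queue": None,
}


def sample_message(quote_type, premium):
    """Constructed message attributes in the shape SNS presents them."""
    return {"quote_type": {"Type": "String", "Value": quote_type},
            "premium": {"Type": "Number", "Value": str(premium)}}
```

Note that a subscription with no filter policy receives everything, and that a policy key which is absent from the message attributes fails the match unless the policy says `{"exists": false}`; both are easy to get wrong when a queue unexpectedly receives nothing.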
• 268. AWS Step Functions
  • A serverless function orchestrator for AWS Lambda
  • Allows you to orchestrate multiple AWS Lambda functions in order to achieve a specific workflow (e.g. Step 1: a Register function, Step 2: a Verification function, Step 3: a Send Report function)
  • Enables you to create a state machine containing a combination of steps, activities and service tasks
• 269. Amazon MQ
  • A managed message broker service
  • Runs the open-source message brokers Apache ActiveMQ and RabbitMQ
  • The "MQ" in Amazon MQ stands for Message Queue, a form of asynchronous communication
  • Works like Amazon SQS but supports more messaging protocols: Java Message Service (JMS), .NET Message Service (NMS), AMQP, MQTT, STOMP, OpenWire, WebSocket and others
  • The usual fit is migrating an existing application that already speaks these protocols; for new cloud-native applications, Amazon SQS and SNS are the simpler choice
• 270. Amazon EventBridge
  • A serverless event bus service
  • Enables you to connect applications together using data from your own applications, Software-as-a-Service (SaaS) applications, and other AWS services
  • Uses the same service API, endpoint, and underlying service infrastructure as Amazon CloudWatch Events
  • Recommended over CloudWatch Events for your own applications, 3rd-party Software-as-a-Service apps, and other external sources
  • Suitable for building event-driven applications
• 271. AWS AppSync
  • A managed service that uses GraphQL
  • GraphQL is a data query language for APIs; unlike a REST API, a single request can fetch related data from several back-end sources
  • Has three operation types in its schema: Query (read data), Mutation (write data), Subscription (receive real-time updates pushed over WebSockets)
  • Only fetches the data that you ask for, not the entire data set
  • Uses resolvers, which populate the fields in your schema from data sources such as DynamoDB tables, Lambda functions or HTTP endpoints
  • Simplifies application development by easily integrating GraphQL with your applications
  • 272. • A fully managed integration service • Enables you to securely transfer data between various systems such as your Software-as-a-Service (SaaS) applications and different AWS Services • Supports different SaaS apps such as Salesforce, Marketo, Slack, ServiceNow and many more • Can be integrated with other AWS services • Allows you to run your data flows on-demand, by schedule or as a response to a business event • Provides you with powerful data transformation capabilities like filtering and validation Amazon AppFlow
• 275. Distributed Denial-of-Service (DDoS) attack (figure: attack types mapped to the Open Systems Interconnection (OSI) model layers, from network/transport-layer floods over IP, UDP and TCP, such as a SYN flood in which many SYN packets are sent and the SYN-ACK is never acknowledged, up to layer 7 application floods)
• 276. AWS Security Services: AWS Web Application Firewall (AWS WAF), AWS Firewall Manager, AWS Shield, Amazon GuardDuty, AWS CloudHSM, AWS Key Management Service (AWS KMS), AWS Secrets Manager, AWS Certificate Manager (AWS ACM), Amazon Macie, Amazon Inspector, Amazon Detective
• 277. AWS Web Application Firewall (AWS WAF)
  • A web application firewall service
  • Protects your web applications from common web exploits
  • Allows you to create custom rules that block common attack patterns such as SQL injection and cross-site scripting (XSS)
  • Can be integrated with Amazon CloudFront, Application Load Balancer, and Amazon API Gateway
• 278. AWS WAF rule conditions
  • IP Match condition: block malicious requests from a recurring set of IP addresses
  • Geo Match condition: allow or block requests by the country they originate from (e.g. a Web Access Control List (Web ACL) on Amazon CloudFront that admits only requests from the Philippines)
  • Rate-based rule: protects your application from floods of illegitimate requests from a single source by blocking an IP once it exceeds a request limit within a five-minute window
  • Only minimizes DDoS attacks; it does not mitigate them entirely (use AWS Shield for that)
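To see what a rate-based rule does and does not stop, the following added example (not code from the course or from AWS) reimplements its counting logic over constructed access-log lines: each source IP is counted over a trailing five-minute window and blocked while the count exceeds the limit, with an IP match list checked first. The log format, the limit of 100 and the addresses are assumptions.

```python
"""Rate-based rule simulation for AWS WAF.

Added example, not from the slides. A rate-based rule counts requests per
source IP over a trailing five-minute window and blocks the IP while the
count exceeds the limit; this reimplements that logic over constructed
access-log lines so the behaviour can be inspected offline. The log format,
the limit and the IP addresses are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # rate-based rules use a five-minute trailing window
LIMIT = 100                      # requests per window per IP before blocking (assumed setting)


def _parse(line):
    """Constructed log line format: '<ISO-8601 UTC time> <client ip> <method> <path>'."""
    ts, ip, method, path = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, method, path


class RateBasedRule:
    def __init__(self, limit=LIMIT, window=WINDOW, ip_blocklist=()):
        self.limit = limit
        self.window = window
        self.ip_blocklist = set(ip_blocklist)      # IP match condition: always blocked
        self.recent = defaultdict(deque)           # ip -> request timestamps inside the window

    def evaluate(self, line):
        """Return 'ALLOW' or 'BLOCK' for one request, updating the per-IP counters."""
        ts, ip, _method, _path = _parse(line)
        if ip in self.ip_blocklist:
            return "BLOCK"
        hits = self.recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > self.window:   # drop requests that left the window
            hits.popleft()
        return "BLOCK" if len(hits) > self.limit else "ALLOW"


def make_sample_log():
    """Constructed traffic: one IP sends 130 requests in about two minutes while a
    legitimate client sends 10 over the same period; the flood source then comes
    back once, ten minutes later, after the window has cleared."""
    start = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(130):
        t = start + timedelta(seconds=i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 198.51.100.7 GET /login")
    for i in range(10):
        t = start + timedelta(seconds=13 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 203.0.113.9 GET /quotes")
    late = start + timedelta(minutes=10)
    lines.append(f"{late:%Y-%m-%dT%H:%M:%SZ} 198.51.100.7 GET /login")
    lines.sort()    # ISO-8601 timestamps sort chronologically as strings
    return lines


def run(lines, rule=None):
    """Evaluate every line in order; returns {ip: {'ALLOW': n, 'BLOCK': n}}."""
    rule = rule or RateBasedRule()
    summary = defaultdict(lambda: {"ALLOW": 0, "BLOCK": 0})
    for line in lines:
        _ts, ip, _m, _p = _parse(line)
        summary[ip][rule.evaluate(line)] += 1
    return dict(summary)
```

The first hundred requests from the flooding address are allowed before the block takes effect, and the address is allowed again as soon as its count drops below the limit; on the real service the counters are also only re-evaluated every few tens of seconds. That lag is the concrete reason the slide says WAF minimizes rather than mitigates a DDoS, and why Shield sits in front of it.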
• 279. AWS Firewall Manager
  • A security management service designed for AWS WAF rules (it also manages AWS Shield Advanced protections and VPC security groups) across your AWS Organization
  • Allows you to centrally configure and manage WAF rules across multiple AWS accounts and applications
  • Enables you to roll out your custom rules to your AWS Organization, so that, for example, the Manila and New Clark City accounts each get a Web ACL attached to their Amazon CloudFront distribution, Application Load Balancer and Amazon API Gateway
• 280. AWS Shield
  • A managed DDoS protection service
  • Provides detection and automatic mitigations that minimize application downtime and latency
  • Mitigates different types of flood attacks such as UDP reflection, SYN flood, DNS query flood, and HTTP flood attacks
  • Protects your applications that use Amazon EC2, Elastic Load Balancing, Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53
  • Two tiers:
  • Standard: built in by default, no extra charge
  • Advanced: has an additional charge; provides real-time DDoS attack notifications; the DDoS Response Team (DRT) supports you during a DDoS attack
• 281. Amazon GuardDuty
  • A managed threat detection service
  • Identifies malicious or unauthorized activities in your AWS accounts and workloads
  • Monitors activities such as unusual API calls, cryptocurrency mining, or potentially unauthorized deployments that indicate a possible account compromise
  • Also detects potentially compromised Amazon EC2 instances
  • Produces security reports called findings
  • Able to send notifications using CloudWatch Events (EventBridge) when a new finding is generated
  • NOT capable of making any resource changes by itself, such as rate-limiting protection or DDoS attack mitigation; remediation is wired up separately (e.g. an EventBridge rule invoking a Lambda function)
• 283. AWS CloudHSM
  • A fully managed, cloud-based hardware security module (HSM)
  • Enables you to easily generate and use your own encryption keys
  • Encryption keys can be, for example, 128-bit or 256-bit AES keys
• 284. Hardware Security Module (HSM)
  • A physical hardware device that performs cryptographic operations and securely stores cryptographic key material
  • Key material: a random Base64 or hexadecimal string, or a binary file ( .bin ), used by your encryption key
  • (figure: logos of leading HSM providers)
• 285. AWS CloudHSM deployment
  • The CloudHSM client is installed and hosted on your Amazon EC2 instances
  • The HSM cluster is deployed in your Amazon VPC
  • Single tenant: only used by one tenant or user (you)
  • Can be used to offload SSL/TLS processing, enable Transparent Data Encryption (TDE) for Oracle databases, and protect the private keys of an issuing Certificate Authority (CA)
  • Can be integrated with AWS KMS to create a custom key store
• 286. AWS Key Management Service (AWS KMS)
  • A managed service that works like AWS CloudHSM
  • Internally, it also uses hardware security modules (HSMs) for creating and controlling your encryption keys
  • Multi-tenant: you share the HSM with other tenants or AWS customers
  • Unlike CloudHSM, you cannot launch the HSM into your own Amazon VPC or give EC2 instances you own direct HSM access
  • Can be integrated with other AWS services (Amazon S3 encryption, Amazon EBS snapshots, Amazon RDS encryption, and others) to help you protect the data you store with these services
• 287. AWS KMS: key rotation and envelope encryption
  • AWS KMS can automatically rotate your KMS keys (formerly called Customer Master Keys, CMKs)
  • Envelope encryption: your plaintext data is encrypted with a data key, and the data key itself is encrypted under the KMS key; the encrypted data key is stored alongside the ciphertext and the plaintext data key is discarded after use
• 288. AWS KMS key management
  • Provides complete control over your encryption key lifecycle management
  • Allows you to remove the key material of your encryption keys (for keys with imported key material)
  • You can also create a custom key store in AWS KMS backed by AWS CloudHSM
  • You can audit key usage independently of AWS KMS, through AWS CloudTrail
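The envelope-encryption flow above is easier to reason about with both halves in code. The block below is an added example (not the course's code and not the AWS SDK): a `KmsStub` class plays the part of KMS, holding the KMS key and exposing only `generate_data_key` and `decrypt`, so the KMS key never leaves it, and an encryption context is bound to the wrapped data key the way KMS binds it. The authenticated cipher is a SHA-256 keystream with an HMAC-SHA256 tag, standing in for AES-GCM only because the standard library has no AES; the key ids, contexts and data are assumptions.

```python
"""Envelope encryption with a stand-in for AWS KMS.

Added example, not code from the slides or from AWS. KmsStub plays the role
of KMS: it holds the KMS key and exposes generate_data_key/decrypt, so the
KMS key never leaves it. The cipher below (SHA-256 keystream plus HMAC-SHA256
tag, encrypt-then-MAC) stands in for AES-GCM because the standard library
has no AES; use a real AEAD in production. Keys and data are generated locally.
"""
import hashlib
import hmac
import json
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key, nonce, length):
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key, plaintext, aad=b""):
    """Return nonce || ciphertext || tag; aad is authenticated but not encrypted."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob, aad=b""):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")      # tampered data or wrong context
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def _context_bytes(encryption_context):
    # KMS binds the encryption context to the ciphertext as AAD; canonicalise it
    return json.dumps(encryption_context or {}, sort_keys=True).encode()


class KmsStub:
    """Holds KMS keys by id; only wrapped data keys ever leave this object."""
    def __init__(self):
        self._keys = {}

    def create_key(self, key_id):
        self._keys[key_id] = os.urandom(32)
        return key_id

    def generate_data_key(self, key_id, encryption_context=None):
        plaintext_key = os.urandom(32)
        wrapped = seal(self._keys[key_id], plaintext_key, _context_bytes(encryption_context))
        return plaintext_key, {"key_id": key_id, "blob": wrapped}

    def decrypt(self, wrapped_key, encryption_context=None):
        return unseal(self._keys[wrapped_key["key_id"]], wrapped_key["blob"],
                      _context_bytes(encryption_context))


def encrypt_object(kms, key_id, data, encryption_context):
    """Envelope-encrypt one object; returns what you would store next to it."""
    data_key, wrapped_key = kms.generate_data_key(key_id, encryption_context)
    ciphertext = seal(data_key, data)
    del data_key           # the plaintext data key is never persisted
    return {"ciphertext": ciphertext, "wrapped_key": wrapped_key, "context": encryption_context}


def decrypt_object(kms, envelope):
    data_key = kms.decrypt(envelope["wrapped_key"], envelope["context"])
    return unseal(data_key, envelope["ciphertext"])


def can_decrypt(kms, envelope):
    """True when the envelope authenticates and decrypts under its stored context."""
    try:
        decrypt_object(kms, envelope)
        return True
    except ValueError:
        return False
```

The property worth noticing is that only the small wrapped data key ever goes to KMS, so rotating the KMS key does not require re-encrypting every object, and that an encryption context mismatch or a flipped ciphertext byte both fail closed at the unwrap or unseal step rather than returning garbage.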
• 289. AWS Secrets Manager
  • Protects the secrets of your applications, services, and IT resources
  • Enables you to easily rotate, manage, and retrieve your secrets
  • A secret can be a database password, an API key, an authentication token, or other sensitive data
  • Eliminates hardcoded sensitive information in plain text in your application code
  • Offers secret rotation with built-in integration for Amazon RDS, Amazon Redshift, Amazon DocumentDB, and other services, using AWS Lambda rotation functions
  • Control access to secrets using fine-grained permissions and centrally audit your secrets
  • Not recommended for storing encryption keys or key material, since it does not use an HSM
• 290. Amazon Macie
  • A fully managed data security and data privacy service
  • Automatically recognizes and classifies sensitive data or intellectual property
  • Uses machine learning to automatically discover, classify, and protect sensitive data stored in your Amazon S3 buckets and other services
  • Recognizes sensitive data such as personally identifiable information (PII): for example a record holding a name, social security number, driver license number, bank account number, password and email address
  • Provides dashboards and alerts that give visibility into how sensitive data is being accessed or moved
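Both of the previous two slides come down to finding sensitive strings where they should not be: credentials in code (the Secrets Manager case) and PII in stored data (the Macie case). The block below is an added example (not code from the course, and not how Macie is implemented) of a pattern-based scanner covering both, run over constructed lines; the patterns are deliberately simple, and the access key is the AWS documentation example key, not a real credential.

```python
"""Scanner for hardcoded credentials and PII in text.

Added example, not from the slides or from AWS. It applies simple pattern
checks to constructed lines: credential hits are what AWS Secrets Manager
(or an SSM SecureString parameter) should replace, and PII hits are the kind
of data Amazon Macie reports in S3. Patterns and sample lines are assumptions;
the access key is the AWS documentation example key, not a real credential.
"""
import re

# (finding type, category, regex). A capturing group marks the sensitive value;
# with no group, the whole match is the value.
PATTERNS = [
    ("aws_access_key_id", "CREDENTIAL", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("aws_secret_access_key", "CREDENTIAL",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})\b")),
    ("password_assignment", "CREDENTIAL",
     re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]{4,})['\"]")),
    ("connection_string_credentials", "CREDENTIAL",
     re.compile(r"://[^\s:/@]+:([^\s@/]+)@")),
    ("email_address", "PII", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("us_ssn", "PII", re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")),
]

# Constructed input: a config file mixed with a customer record.
SAMPLE_LINES = [
    'DB_PASSWORD = "hunter2"',
    'aws_access_key_id = AKIAIOSFODNN7EXAMPLE',
    'aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
    'dsn = "postgresql://app:s3cr3t@orders-db:5432/orders"',
    'customer_email = "jon@tutorialsdojo.com"',
    'ssn: 123-45-6789',
    'region = "ap-southeast-1"',
]


def _mask(value):
    """Keep a short prefix so the finding can be located without leaking the value."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "*" * len(value)


def scan_lines(lines):
    """Return one finding per pattern hit, in line order."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for name, category, pattern in PATTERNS:
            for match in pattern.finditer(line):
                value = match.group(match.lastindex) if match.lastindex else match.group(0)
                findings.append({"line": number, "type": name,
                                 "category": category, "masked": _mask(value)})
    return findings


def summarize(findings):
    counts = {"CREDENTIAL": 0, "PII": 0}
    for finding in findings:
        counts[finding["category"]] += 1
    return counts
```

Findings are reported masked on purpose: a scanner that prints the secret it found just moves the leak into the CI log. A credential hit should end with the value moved into Secrets Manager and the old one rotated, not merely deleted from the file, since it is already in the repository history.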
• 291. AWS Certificate Manager (AWS ACM)
  • Provisions, manages, and deploys public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates
  • Enables you to create private certificates for your internal resources and manage the certificate lifecycle centrally
  • Public SSL/TLS certificates are free of charge when used with ACM-integrated services such as Elastic Load Balancing, Amazon API Gateway and Amazon CloudFront (you cannot export their private keys to use elsewhere)
  • 292. Amazon Inspector • An automated security assessment service • Improves the security and compliance of applications deployed on your AWS cloud infrastructure • Automatically assesses applications for vulnerabilities or deviations from best practices. • Produces a detailed list of security findings prioritized by level of security risk severity • Provides an automated security assessment report that will identify unintended network access to your: • The detailed assessment reports are available via the Amazon Inspector console or API Amazon EC2 Instances
  • 293. Amazon Detective • Helps you detect the root cause of your security issues easier • It analyzes, investigates, and quickly identifies the potential security issues or suspicious activities in your AWS infrastructure • Automatically collects log data from various AWS resources such as: • Uses machine learning to analyze and conduct security investigations. AWS CloudTrail VPC Flow Logs GuardDuty Findings
• 294. AWS Management & Governance Services: overview
• 295. AWS Management & Governance Services: compliance frameworks these services help you meet, e.g. HIPAA (Health Insurance Portability and Accountability Act of 1996), GDPR (General Data Protection Regulation), and your own SOPs (Standard Operating Procedures)
• 296. AWS Management & Governance Services
  • Manage: AWS Management Console, AWS Command Line Interface (AWS CLI), AWS Console Mobile Application, AWS Systems Manager (SSM), AWS Resource Access Manager
  • Govern (enforce standards, ensure compliance, control resources): AWS Config, AWS Service Catalog, AWS Organizations, AWS Control Tower
  • 297. • A web interface to control your AWS resources • Accessible through your web browser • Log in using your IAM username and password • Supports Multi-Factor Authentication (MFA) • Accessible via this URL: https://console.aws.amazon.com AWS Management Console
  • 298. • A command-line interface to control your AWS resources • Accessible through your terminal, command prompt or Windows PowerShell AWS Command Line Interface (AWS CLI) • Allows you to develop custom shell scripts that invoke different AWS CLI commands
• 299. AWS Console Mobile Application
  • The official mobile app provided by Amazon Web Services
  • Allows you to monitor your resources through a dedicated dashboard
  • Enables you to view the configuration details, metrics, and alarms of select AWS services (not all services) on your mobile device
  • Provides an overview of the account status, real-time CloudWatch metrics, Personal Health Dashboard, and AWS Billing
  • Has limited capabilities compared with the AWS CLI and the AWS Management Console
  • 300. AWS Systems Manager (SSM) • A suite of services that allows you to manage your resources • Allows you to control both of your AWS Cloud and on-premises infrastructure • Composed of: Session Manager State Manager Patch Manager Automation Maintenance Windows Run Command Parameter Store Others • Also has an SSM agent that you can install on your EC2 instances or on-premises servers to centrally manage your resources Amazon EC2 Instances On-premises Servers
• 301. AWS Systems Manager (SSM) components
  • State Manager: keeps your Amazon EC2 instances and on-premises servers in a defined state (installed software such as startup scripts or antivirus, server configurations, firewall settings); can associate Ansible playbooks, Chef recipes, PowerShell modules, and other SSM Documents
  • Patch Manager: applies OS patches according to a predefined or custom patch baseline
  • Parameter Store: stores parameters such as passwords, database connection strings, Amazon Machine Image (AMI) IDs, license codes, and environment variables; a SecureString parameter is encrypted with AWS KMS
  • Maintenance Windows: schedules when these operations are allowed to run
• 302. AWS Resource Access Manager (AWS RAM)
  • Enables you to easily and securely share your AWS resources with any AWS account or within your AWS Organization
  • Allows you to share AWS Transit Gateways, AWS License Manager configurations, Amazon Route 53 Resolver rules, VPC subnets (public or private), and other AWS resources
  • Eliminates the need to create duplicate resources in multiple accounts
  • Reduces the operational overhead of managing multiple resources in each and every account you own
• 303. Govern: AWS Config, AWS Service Catalog, AWS Organizations, AWS Control Tower
  • 304. • Enables you to assess, audit, and evaluate the configurations of your AWS resources • Automates your compliance assessment process • Provides visibility on the existing configurations of your various AWS services and third-party resources (such as your on- premises servers) • Enables you to identify the changes made to a specific resource over time AWS Config
• 305. AWS Config workflow
  • Resources: an AMI, an S3 bucket, an EC2 instance, an on-premises server
  • Changes recorded by periodic or change-based configuration collectors: the AMI was shared to the AWS Marketplace, the bucket was set to public, the associated Elastic IP address was removed
  • Config rules evaluate each change (Config Rule 1, Config Rule 2)
  • Notification: Amazon CloudWatch Events can trigger AWS Lambda
  • Remediation: AWS Systems Manager Automation remediates non-compliant resources
• 306. AWS Organizations
  • Consolidate and centrally manage multiple AWS accounts
  • Combines the bills of multiple AWS accounts (Consolidated Billing: the management account pays all the bills)
  • Provides volume discounts to further lower your costs
  • Uses Service Control Policies (SCPs) to control access and ensure organizational compliance across your AWS accounts
  • Offers central logging to monitor all activities performed across your organization using AWS CloudTrail
  • Aggregate data from all your AWS Config rules to quickly audit your environment for compliance
• 307. A single AWS Organization can have two or more Organizational Units (OUs), e.g. a Manila OU holding Account 1 and Account 2 and a Bangalore OU holding Account 3 and Account 4, each with Service Control Policies (SCPs) attached
• 308. AWS Service Catalog
  • Empowers you to set up and centrally manage catalogs of approved IT services
  • Allows you to manage various IT services, referred to as "products" in Service Catalog, and group them in a portfolio
  • A product can be a machine image (AMI), an application server, a program, a tool, a database, or other services
  • Assists you in meeting your compliance requirements
  • Enforces granular access control to your resources
  • 309. AWS Control Tower • Helps you set up and govern a secure multi-account AWS environment • Automates the setup of your multi-account AWS environment • Uses blueprints that follow AWS best practices for security and management • Provides mandatory high-level rules called guardrails • Help enforce your policies using service control policies (SCPs) • Detect policy violations using AWS Config rules
  • 312. AWS Identity & Access Management (IAM) AWS Single Sign-On Amazon Cognito AWS Directory Service AWS Identity Services
• 313. AWS Identity & Access Management (IAM)
  • The primary identity service in AWS
  • Allows you to manage access to various AWS services and resources
• 314. IAM building blocks (figure): an IAM user has a password for the console and/or access keys for programmatic access; IAM groups collect users; IAM roles are assumed temporarily; IAM policies are documents listing permissions (Permission 1 to Permission 4) and can be attached to users, groups, or roles
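The Organizations slides and the IAM slide together describe one authorization decision: an SCP at every level of the organization must allow the action, an explicit Deny anywhere wins, and otherwise an identity policy must grant an Allow. The block below is an added example (not the course's code and not the AWS evaluator) implementing that logic for constructed policies; Conditions, resource-based policies and permission boundaries are left out, and the account id, bucket names and policy contents are assumptions.

```python
"""Evaluation of service control policies together with IAM identity policies.

Added example, not AWS code. It models the part of the authorization logic
the slides describe: an SCP at every level of the organization must allow the
action, an explicit Deny anywhere wins, and otherwise an identity policy must
grant an Allow. Conditions, resource policies and permission boundaries are
out of scope; the policies and ARNs are constructed assumptions.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(patterns, candidate):
    # IAM matches actions and resources case-insensitively with * and ? wildcards
    return any(fnmatch.fnmatchcase(candidate.lower(), p.lower()) for p in _as_list(patterns))


def _statement_applies(stmt, action, resource):
    if "NotAction" in stmt:
        action_ok = not _any_match(stmt["NotAction"], action)
    else:
        action_ok = _any_match(stmt.get("Action", []), action)
    if "NotResource" in stmt:
        resource_ok = not _any_match(stmt["NotResource"], resource)
    else:
        resource_ok = _any_match(stmt.get("Resource", "*"), resource)
    return action_ok and resource_ok


def evaluate_policy(policy, action, resource):
    """'Deny' (explicit), 'Allow', or 'ImplicitDeny' for one policy document."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not _statement_applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"              # an explicit deny always wins
        decision = "Allow"
    return decision


def is_authorized(scp_levels, identity_policies, action, resource):
    """scp_levels: the SCPs attached at each level from the root down to the account."""
    for level in scp_levels:
        outcomes = [evaluate_policy(p, action, resource) for p in level]
        if "Deny" in outcomes or "Allow" not in outcomes:
            return False               # SCPs only set the ceiling; they grant nothing themselves
    outcomes = [evaluate_policy(p, action, resource) for p in identity_policies]
    return "Deny" not in outcomes and "Allow" in outcomes


# Constructed policies
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
PROTECT_CLOUDTRAIL_SCP = {"Statement": [{
    "Effect": "Deny",
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"],
    "Resource": "*"}]}
DENY_LEAVE_ORG_SCP = {"Statement": [{
    "Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"}]}
ADMIN_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DEVELOPER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::td-app-bucket/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::td-app-bucket"},
]}

# The root keeps the default FullAWSAccess SCP; the Manila OU adds the two deny SCPs.
ORG_SCPS = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, PROTECT_CLOUDTRAIL_SCP, DENY_LEAVE_ORG_SCP]]
```

The case to remember is the second one below: an account administrator with `"Action": "*"` still cannot stop CloudTrail, because the SCP attached to the OU denies it, and nothing inside the member account can override that. Removing FullAWSAccess from a level without replacing it with an allow list cuts off every action at that level, which is a common mistake when first attaching SCPs.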
• 315. Amazon Cognito
  • Lets you add user sign-up, sign-in, and access control features to your web or mobile apps
  • Allows users to log in to your application with their Microsoft Active Directory credentials, a Security Assertion Markup Language (SAML) identity provider, or social identity providers (Google, Facebook, Amazon, Apple, and others)
• 316. Amazon Cognito pools
  • User pool (for authentication): users can sign in directly or by authenticating through their social identity providers
  • Identity pool (for authorization): users can obtain temporary, limited-privilege AWS credentials that authorize access to other AWS services
• 317. AWS Single Sign-On (now AWS IAM Identity Center)
  • A single sign-on service in AWS
  • Allows a user to log in with a single ID and password to access multiple, independent software systems
  • Provides a user portal that lets users access the AWS accounts and roles that they are allowed to assume
  • Offers pre-configured SAML integrations to many business applications
• 318. AWS Directory Service
  • A managed Microsoft Active Directory in AWS (AWS Managed Microsoft AD)
  • Does not require you to synchronize or replicate data from your existing Active Directory to the cloud
  • No need to install and manage an Active Directory domain controller
  • Improves security and minimizes administrative overhead
  • Allows you to assign IAM roles to your Active Directory users and groups
  • AD Connector lets you assign IAM roles to users of your on-premises Microsoft Active Directory without migrating it: it proxies directory requests to your existing domain controllers
• 319. AWS Transfer & Migration Services: overview
• 320. AWS Transfer & Migration Services (figure: moving data and workloads from an on-premises data center to AWS)
• 321. AWS Transfer & Migration Services: AWS DataSync, AWS Transfer Family, AWS Snowball Family, AWS Application Discovery Service, AWS Database Migration Service (AWS DMS), AWS Server Migration Service (AWS SMS), Migration Hub, Migration Evaluator
• 322. AWS DataSync
  • An online data transfer service
  • Automates and accelerates the replication of data between your on-premises storage systems and AWS storage services
  • Copies large amounts of data to and from AWS storage services over the Internet or via AWS Direct Connect
  • Can copy data between shared file servers, self-managed object storage, AWS Snowcone, Amazon S3 buckets, Amazon EFS file systems, and Amazon FSx for Windows File Server file systems
  • Transfers your data from your on-premises data center to AWS through the DataSync Agent
• 323. (figure: an on-premises data center with a storage area network and VMs; AWS DataSync is used for one-off migration, while AWS Storage Gateway provides ongoing integration between on-premises storage and AWS)
• 324. AWS Transfer Family
  • A suite of services that provides simple and seamless file transfer into Amazon S3
  • AWS Transfer for SFTP: Secure File Transfer Protocol (SSH File Transfer Protocol)
  • AWS Transfer for FTPS: File Transfer Protocol over SSL/TLS
  • AWS Transfer for FTP: plain File Transfer Protocol (unencrypted, so only for use inside a VPC)
  • 325. Provides physical storage devices and capacity points to help you move your on-premises data to AWS AWS Snowball Family AWS Snowcone AWS Snowball AWS Snowmobile
• 326. AWS Snowcone: 4.5 lbs / 2.1 kg; 8 TB of usable storage; load data via an NFS mount; uploads data to Amazon S3
• 327. AWS Snowball: around 50 lbs / 22.5 kg; 80 TB of usable storage; over 1 foot in height, 11 inches wide, 2.3 inches in length (as stated on the slide); uploads data to Amazon S3
• 328. AWS Snowmobile: a 45-foot-long ruggedized shipping container pulled by a semi-trailer truck; moves up to 100 petabytes of data per Snowmobile for exabyte-scale transfers; uploads data to Amazon S3
• 329. AWS Application Discovery Service
  • Helps enterprise customers plan migration projects
  • Gathers information about the customer's on-premises resources
  • Enables customers to understand the configuration, usage, and behavior of servers in their IT environments
  • An AWS Discovery Agent must be installed on your on-premises servers or virtual machines to capture system configuration, system performance, running processes, et cetera
  • Helps you discover the technical details of the applications running in your on-premises data center
  • 330. • Helps you migrate your databases to AWS quickly and securely • Allows the source database to remain fully operational during the migration, which minimize the downtime • Migrates your data to and from the most widely used commercial and open-source databases • Allows continuous data replication via change data capture (CDC) • Can be used along with AWS Schema Conversion Tool (AWS SCT) • Supports both homogeneous (e.g. Oracle to Oracle, MySQL to MySQL) and heterogeneous (e.g. Oracle to MySQL, MS SQL to Amazon Aurora) database migrations AWS Database Migration Service (AWS DMS)
• 331. AWS Database Migration Service (AWS DMS) (figure: a heterogeneous database migration from a PostgreSQL source database to Amazon Aurora or Amazon DynamoDB target databases)
• 332. AWS Server Migration Service (AWS SMS)
  • An agentless service that migrates on-premises workloads and resources to AWS
  • NO NEED to install and set up an agent, such as the Systems Manager or DataSync agent, on-premises
  • Uses an SMS connector, which can be installed in your VMware vCenter environment, to establish a connection to your AWS resources
  • Automates, schedules, and tracks incremental replications of your live server volumes
  • Note: AWS has since replaced SMS with AWS Application Migration Service (MGN) for new migrations
  • 333. • A single place to discover your existing servers, plan migrations, and track the status of each application migration • DOES NOT execute actual data migration — only track its progress • Provides visibility into your application portfolio and streamlines planning and tracking • Shows the status of the servers and databases that you are migrating Migration Hub
  • 334. • A migration assessment service • Helps customers to make the best business case for their mission- critical AWS cloud planning and migration activities • Provides a clear baseline of what workloads you’re running today • Recommends future-state configurations • Creates a statistical model of compute patterns for all your instances, that shows: • How much is being spent • Which AWS resources are over-provisioned • Specific opportunities to realize significant savings Migration Evaluator
• 335. AWS Machine Learning Services: overview
• 336. AWS Machine Learning Services by use case: computer vision, automated data extraction & analysis, customer experience improvement, language AI, business metrics, DevOps & MLOps
• 337. AWS Machine Learning Services
  • AWS ML platform: Amazon SageMaker
  • Computer vision: Amazon Rekognition, Amazon Lookout for Vision, AWS Panorama
  • Automated data extraction & analysis: Amazon Augmented AI (A2I), Amazon Textract, Amazon Comprehend, Amazon Comprehend Medical
  • Language AI: Amazon Lex, Amazon Transcribe, Amazon Polly
  • Customer experience improvement: Amazon Personalize, Amazon Translate, Amazon Kendra
  • Business metrics: Amazon Forecast, Amazon Fraud Detector, Amazon Lookout for Metrics
  • DevOps & MLOps: Amazon DevOps Guru, Amazon CodeGuru Reviewer & Profiler, Amazon CodeWhisperer
• 338. Amazon SageMaker (AWS Machine Learning Platform)
  • The full-fledged machine learning platform in AWS
  • Allows you to build, train, and deploy machine learning (ML) models for any use case with fully managed infrastructure, tools, and workflows
  • Provides a suite of features and modules, such as Amazon SageMaker Built-In Models, Amazon SageMaker Ground Truth, Amazon SageMaker Studio Lab, Amazon SageMaker Notebook, Amazon SageMaker Canvas, and many more
  • 339. • Extract information and insights from your images and videos using computer vision • It can recognize: • Objects, texts, scenes, labels, and other attributes • Face of a person or a popular celebrity • Personal Protective Equipment (e.g. mask, helmet) • Has a feature called Amazon Rekognition Custom Labels that allows you to classify custom components or products from your dataset Amazon Rekognition COMPUTER VISION
  • 340. • One of the services in the Amazon Lookout Family • Detects defects on industrial products • Used in factories and manufacturing lines to identify defects • Actual images of defect-free products are used as a dataset. These images can be stored in Amazon S3 and used as baseline images to build a custom ML model for you • Can automatically detect anomalies in your product like dents, cracks, scratches et cetera Amazon Lookout for Vision COMPUTER VISION
• 341. Amazon Textract (Automated Data Extraction & Analysis)
  • Its name is a portmanteau of the words "text" and "extract"
  • Extracts text from scanned documents, PDFs, images, hand-written notes, receipts, passports, IDs, and many others
  • Can output the results in table form or as a CSV file
  • Has a query feature that extracts a particular field using natural language questions
  • Can batch upload your documents to Amazon S3 and automate the text analysis process
  • 342. • Provides human review workflows for common machine learning use cases • The review is done by actual people and not by a computer • Ensures the accuracy of prediction results and helps provide continuous improvements to your machine learning model • Can be directly integrated to Amazon Rekognition, Amazon Textract and other services • Useful for image moderation such as explicit adult or violent content • Allows you to to run a human review with a custom machine learning workflow of your choice Amazon Augmented AI (A2I) AUTOMATED DATA EXTRACTION & ANALYSIS
• 343. Amazon Comprehend (Automated Data Extraction & Analysis)
  • A natural language processing service
  • Finds insights and relationships in text documents: it can comprehend, or understand, the information written in them
  • Can extract key phrases, sentiment, language, syntax, topics, and even Personally Identifiable Information (PII) from unstructured data
  • Raw text data must be supplied first in order to use the Amazon Comprehend service (use Amazon Textract or Amazon Transcribe to get text out of images or audio)
  • Amazon Comprehend Medical can implement patient data privacy solutions and identify protected health information (PHI)
  • 344. • Enables you to develop conversational chatbots • Allows you to build Voice-based or Text-based chatbots • Useful for developing a self-service bot or a virtual agent for your conversational Interactive Voice Response (IVR) system, corporate website, or others • Reduces costs in maintaining a contact center Amazon Lex LANGUAGE AI
  • 345. • A speech-to-text transcription service • Transcribes, or makes a written record of, a speech, a phone call, or any spoken language • Can generate call transcripts and provide conversation insights to improve customer experience and agent productivity • Offers real-time transcription Amazon Transcribe LANGUAGE AI
  • 346. • Converts text into speech • Generates a lifelike speech in different voices based on a raw text file you uploaded • If you typed: Beautiful Philippine Islands, the Amazon Polly service will generate an audio file saying that phrase in a male voice, a female voice, a kid’s voice, or in any voice that you want your text to be spoken • Allows you to upload custom lexicon files which can help you to customize the pronunciation of specific words and phrases Amazon Polly LANGUAGE AI
• 347. Amazon Kendra (Customer Experience Improvement)
  • An intelligent search service in AWS
  • Can search items from multiple data sources containing both structured and unstructured data
  • Searches all of the documents in your S3 buckets, FSx file systems, RDS databases, GitHub repositories, Jira, Slack, SharePoint and other data sources
  • Supports natural language queries, for example: "Who is the founder of the EdTech startup Tutorials Dojo?", "Where is the JP Rizal Hospital located?", "How much did Mr. Jon Bonso earn a year ago?"
  • Uses machine learning to provide context to your search results for a better customer experience
  • 348. Amazon Personalize CUSTOMER EXPERIENCE IMPROVEMENT • Provides personalized recommendations to your customers based on their past activity and behavior • Similar to the recommendation feature in Amazon Prime, Netflix and other online streaming platforms • Gives recommendations based on the customer's profile, viewing history and past activities • Improves customer experience and sales since you can offer products that your customers wanted
• 349. Amazon Translate (Customer Experience Improvement)
  • A real-time language translation service, similar to Google Translate
  • Enables you to create custom terminologies based on company-specific and domain-specific vocabulary; for example, set the acronym "TD" to mean "Tutorials Dojo", enter the Tagalog phrase "Magandang umaga, TD", and it will return "Good morning, Tutorials Dojo"
  • Has a Formality option that controls whether the translation output uses a formal tone
  • Can mask profane words or phrases
  • 350. • Helps you forecast a future outcome based on your historical records and other relevant data • You can either import or stream your time-series data to the Amazon Forecast service • Can provide intelligent predictions to your sales, web traffic, inventory, revenue, cloud resource capacity, weather, future AWS bill et cetera • Has a range of built-in datasets such as Weather Index, national holidays for various countries and many more • Uses a Predictor machine learning model that consumes all the time-series data that you provide to make a prediction Amazon Forecast BUSINESS METRICS
• 351. Amazon Fraud Detector (Business Metrics)
  • Automates the fraud detection process in your applications
  • Identifies potential fraudulent activity, fake reviews, and spam account creation in near-real time
  • Use cases: detecting IP addresses with a history of spamming, hacking attempts, and DDoS attacks; blocking users who post spam and fraudulent reviews on your website from the same IP address; stopping a malicious user identified by an offending IP address, an email domain, or another key attribute
  • 352. • One of the services of the Amazon Lookout family • Detects anomalies in your business metrics, such as: • A sudden nosedive in your sales revenue • Unexpected drop in your customer acquisition rates • Causal relationships • Identifies unusual variances in your business metrics • Can be integrated with Amazon SNS to send alerts whenever an anomaly is detected Amazon Lookout for Metrics BUSINESS METRICS
  • 353. • A machine learning service that detects abnormal behavior in your application or AWS resources • Prevents unexpected downtimes or operational issues in the near future • Monitors applications and AWS resources within your own account or on all accounts across your AWS Organization • Identifies operational defects such as: • An unusually high DB load that is more than three times or 5 times its normal value • Extremely high number of invocations in your Lambda function beyond the provisioned concurrency • Overprovisioned write capacity on your DynamoDB tables Amazon DevOps Guru DEVOPS & MLOPS
  • 354. Amazon CodeGuru DEVOPS & MLOPS • A suite of development services in AWS with different tools and features such as: Amazon CodeGuru Reviewer • Provides intelligent recommendations for improving your application performance, efficiency, and code quality • Scans your code and detects a range of code defects like bad exception handling, insecure CORS policy, path traversal, hardcoded credentials et cetera • Can be integrated with your CI/CD workflow to automate the code review process Amazon CodeGuru Profiler • A component that collects CPU data and analyzes the runtime performance data from your live applications • Identifies expensive lines of code that use the CPU inefficiently and cause CPU bottlenecks
  • 355. Amazon CodeWhisperer DEVOPS & MLOPS • Automatically generates code and functions in real-time • Similar to GitHub Copilot • Installed in your Visual Studio IDE • The lines of code are generated right in your IDE editor based on the comments that you write
  • 356. Amazon CodeWhisperer DEVOPS & MLOPS (diagram: comments written by the developer → generated lines of code)
  • 358. Data Lake Data Warehouse STRUCTURED DATA UNSTRUCTURED DATA STRUCTURED DATA Tutorials Dojo www.tutorialsdojo.com
  • 359. Open Source Technologies used by AWS Analytics Services …and many other open-source projects!
  • 360. 3rd Party Technologies used by AWS Analytics Services …and many more!
  • 362. SERVERLESS Extract, Transform, Load (ETL)
  • 363. AWS Analytics Services Amazon Kinesis Amazon Elasticsearch (Amazon ES) Amazon Athena Amazon Elastic MapReduce (Amazon EMR) Amazon QuickSight Amazon CloudSearch Amazon Redshift AWS Data Pipeline AWS Glue Amazon Managed Streaming for Apache Kafka AWS Lake Formation
  • 364. Amazon Kinesis • A suite of services for processing your data streams • Analyzes your data streams in real-time • Allows you to collect, transform, process, load, and analyze the streaming data in real-time to help you acquire the data insights and respond to data changes
  • 365. Amazon Kinesis Amazon Kinesis Data Streams Amazon Kinesis Data Firehose Amazon Kinesis Data Analytics Amazon Kinesis Video Streams
  • 366. Amazon Kinesis Data Streams • A massively scalable, durable, secure and low-cost real-time data streaming service • Can continuously capture gigabytes of data per second from thousands of different sources • Collects and sends data to your data analytics applications and consumers in real-time
  • 367. Amazon Kinesis Data Streams • Provides ordering of records • Can read & replay records in the same order • Suitable if you have a requirement where: ‣ The data events must be received in an ordered manner ‣ There’s a need to process the data stream of your web applications, or mobile game updates, in order of receipt • Can be used in: ‣ Real-time Applications ‣ Website Clickstreams ‣ Database Event Streams ‣ IoT Telemetry ‣ Location-tracking Events ‣ Predictive Maintenance ‣ Mobile Game Data Streams ‣ Online Marketplaces ‣ Real-time Recommendations Systems ‣ …and many more!
  • 368. Amazon Kinesis Data Streams • Can be used to decouple your cloud architecture like Amazon SQS, by accepting data from your data sources and forwarding it to different compute resources • Similar to Amazon SQS with notable differences: ‣ SQS can’t process data in real-time ‣ SQS Standard queue doesn’t maintain the order of data records by default ‣ SQS FIFO queue maintains the order of data records but is significantly slower than SQS Standard and doesn’t perform in real-time Amazon SQS
  • 369. Amazon Kinesis Data Streams • If you need a solution that captures the clickstream data from multiple websites in real-time and analyzes it using batch processing • For setting up and building a scalable, near-real-time recommendations for your users • For mobile games that stream score updates to a backend system and post the results on a leaderboard • For collecting the mobile game scores in order of receipt which can then be processed by an AWS Lambda function and stored in DynamoDB USE CASES
  • 370. Amazon Kinesis Data Streams • For implementing predictive maintenance on different types of machinery equipment using IoT sensors • For sending data to AWS in real-time wherein the data stream will receive events in an ordered manner for each connected device, data producer or machinery asset • For implementing a scalable, near-real-time solution in processing millions of financial transactions • For launching a data stream that can be consumed by Amazon Kinesis Data Analytics which can be queried using SQL queries USE CASES
  • 371. Amazon Kinesis Firehose • A fully managed service that reliably transforms and loads your streaming data into data stores and analytics tools • Directly delivers data to Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, and any HTTP endpoint • Can be integrated with your third-party service providers • Enables your data producers to send data directly to a specific destination or data store without any custom applications or consumers • Can transform your data before sending it to a specified destination to remove sensitive data or for data pre-processing procedures
  • 372. Amazon Kinesis Firehose • Similar to Amazon Kinesis Data Streams but with certain differences: ‣ Both services can accept streaming data in real-time ‣ However, Kinesis Data Streams requires an external consumer to store the records while Kinesis Data Firehose does not • Acts like a "firehose" that immediately sends the streams of data to your data store • Delivers your data stream directly to your Amazon S3 buckets, Redshift databases, Amazon ES clusters, and others without the need for a consumer
  • 373. Amazon Kinesis Firehose • Can transform the data before it is sent to its destination • Internally invokes an AWS Lambda function to transform the incoming source data and deliver the processed data to its destination • Recommended if you need to parse the data stream to remove any sensitive data such as personal data or protected health information (PHI)
  • 374. Amazon Kinesis Video Streams • A service that securely streams video from connected devices or sources to AWS • Commonly used for data analytics, machine learning, video playback, and other types of media processing • Automatically provisions and scales all the required infrastructure to ingest streaming video data from millions of devices • Stores, encrypts, and indexes video data in your streams to improve performance • Provides access to your video data through a collection of easy-to-use APIs
  • 375. Amazon Kinesis Data Analytics • A serverless service that enables you to analyze your streaming data, acquire actionable insights, and respond to events in real-time • Reduces the complexity of building, managing, and integrating streaming applications with your custom applications and other AWS services • Serverless • Uses Apache Flink to process and analyze streaming data • Eliminates the manual tasks of setting up and maintaining Apache Flink
  • 376. Amazon Kinesis Data Analytics • Enables you to author and run code against streaming sources • The data can be analyzed using SQL queries and the results can be delivered to Amazon S3, Amazon Redshift, and other data stores using Kinesis Data Firehose • Java or Scala can be used to process and analyze your streaming data
  • 377. Amazon Kinesis Data Analytics • In near-real-time data processing and data querying for acquiring timely insights of your application • For processing your streaming data with minimal effort and operational overhead • For providing scalable and near-real-time data querying with minimal data loss • For analyzing the location data points of your GPS application that tracks the movement of people, bikes, automobiles, or any other moving object • You can expose a REST API using API Gateway that can be used as an Amazon Kinesis proxy USE CASES
  • 378. Amazon Athena • An interactive query service for your data that is stored in Amazon S3 • Simplifies data analysis in Amazon S3 using standard SQL queries • Unlike S3 Select, you can query the entire data in your Amazon S3 bucket with Amazon Athena and not just its subset • Serverless
  • 379. Amazon Athena • Sample use case: ‣ A global eCommerce website stores 250 gigabytes of transactional data each month in Amazon S3 ‣ You need to identify the number of items sold in each particular region for the previous month in the most cost-effective way • Athena costs less than Amazon Redshift, Amazon EMR, or Amazon ES since it’s serverless • Can use an AWS Glue Data Catalog to store and retrieve table metadata for your Amazon S3 data and provide data visualization using Amazon QuickSight
  • 380. Amazon Elasticsearch Service (Amazon ES) • A fully managed Elasticsearch service • Elasticsearch is a distributed, multitenant-capable full-text search engine based on the Apache Lucene library • Provides an HTTP web interface that can store data as a schemaless JSON document • Provisions the necessary infrastructure and automatically manages the resources needed to run the Amazon ES cluster
  • 381. Amazon Elasticsearch Service (Amazon ES) • Also allows you to launch an ELK (Elasticsearch, Logstash, and Kibana) stack in AWS • ELK Stack: ‣ Elasticsearch - full-text search engine ‣ Logstash - server-side data processing pipeline ‣ Kibana - user interface to visualize Elasticsearch data • Provides support for open-source Elasticsearch APIs, managed Kibana, integration with Logstash and other AWS services • Lets you pay only for what you use (no upfront costs or usage requirements)
  • 382. Amazon Elastic MapReduce (Amazon EMR) • Allows you to run different types of big data frameworks in AWS • A managed big data platform for processing vast amounts of data using open source tools such as Apache Zeppelin and others (logo slide)
  • 383. Amazon Elastic MapReduce (Amazon EMR) • Runs your big data framework on Amazon EC2 instances, Amazon Elastic Kubernetes Service clusters, or in your on-premises EMR cluster via AWS Outposts • The compute resources launched by Amazon EMR are deployed in your VPC and then grouped as an Amazon EMR cluster • You can directly access and control the underlying EC2 instances of your EMR cluster • NOT serverless • Automates the server provisioning and management process for you and allows your data to interact with other AWS data stores such as Amazon S3 and Amazon DynamoDB
  • 384. Amazon QuickSight • A scalable, serverless, embeddable, machine learning-powered business intelligence service • Allows you to create and publish interactive dashboards that can be accessed from different browsers or mobile devices • Allows you to embed dashboards into your applications • Highly scalable and can easily scale up to thousands of users globally • Serverless
  • 385. Amazon CloudSearch • A managed search service in AWS • Can be used to add a search feature in your application or websites • You can use this to: ‣ Retrieve contents of selected fields ‣ Provide facet information to categorize results ‣ Provide statistics for numeric fields ‣ Provide highlights showing search hits in the field data ‣ Autocomplete suggestions ‣ Geospatial search ‣ and many more!
  • 386. Amazon CloudSearch • Allows you to create a search domain, specify an index and upload your data as documents • Provisions and manages all the underlying servers and resources needed to build and deploy search indexes • Simply upload your data to any data store, create a search domain in CloudSearch, and integrate it into your applications
  • 387. Amazon Redshift • A fast, scalable data warehouse • Allows you to analyze all your data across your data warehouse and data lake • Delivers faster performance than other data warehouses through the use of machine learning, massively parallel query execution and columnar storage on high-performance disks • Can run queries across petabytes of data in your Redshift data warehouse and analyze exabytes of data in your S3 data lake • Primarily used for Online Analytical Processing (OLAP) applications and reporting tools
  • 388. Amazon Redshift • Redshift clusters run in internal Amazon EC2 instances that are configured as nodes • You can select the particular node type and instance size that you prefer • Not a serverless service • Has a feature called Redshift Spectrum that allows you to query data from Amazon S3 without loading the entire data into Redshift tables • Redshift Spectrum queries use massive parallelism to quickly execute large datasets at a fraction of the cost
  • 389. AWS Data Pipeline • A service that processes and moves your data between different AWS compute and storage services • Enables you to process and move your data at specific intervals that you define, including transfers to and from your on-premises data center • Allows you to access, transform and process your data where it's stored, at scale • Empowers you to transfer and store the results in various AWS services such as Amazon S3, Amazon RDS, Amazon DynamoDB, and Amazon EMR
  • 390. AWS Glue • A fully managed and serverless service that is primarily used for extract, transform, and load (ETL) workloads • Simplifies the process of preparing and loading your data before running your data analytics workload • Creates a Data Catalog that allows you to specify and search your data that is stored on Amazon S3 and other AWS services • Automatically discovers your data and stores the associated metadata in the AWS Glue Data Catalog • The data will be immediately searchable, queryable, and available for ETL once the metadata is stored
  • 391. Amazon Managed Streaming for Apache Kafka • A fully managed Apache Kafka service in AWS • Apache Kafka is an open-source platform that allows you to build real-time streaming data pipelines and applications • Allows you to use Apache Kafka APIs to stream changes to and from different databases, populate your Amazon S3 data lakes, and empower machine learning and analytics applications
  • 392. AWS Lake Formation • Makes it easy for you to set up a secure data lake • Allows you to create data catalogs for your external data just like AWS Glue • Collects and catalogs your data from different data sources and moves the data into a new Amazon S3 data lake • Classifies and processes your data using machine learning algorithms, and secures access to your sensitive data • Data can be queried and analyzed using Amazon Athena, Amazon Redshift, Amazon EMR, and other services
  • 394. Identity and Access Management AUTHENTICATION AUTHORIZATION Identity
  • 395. Identity and Access Management: AUTHENTICATION and AUTHORIZATION. IAM ENTITIES: IAM USER (types: Root User, Regular IAM User), IAM GROUP, IAM ROLE. IAM POLICY (Permission 1, Permission 2, Permission 3): AWS-managed Policy, Customer-managed Policy, Inline Policy
  • 397. (diagram) CloudFormation Templates; IAM GROUP; IAM ROLE: follows the best practice of granting the least privilege • PowerUserAccess • AdministratorAccess; IAM ROLE; ROOT USER ACCESS: does not grant the least privilege; External User
  • 398. Amazon EC2 and AWS IAM • Use the Instance Profile to pass a specific IAM role to your Amazon EC2 instance for it to perform certain actions • The IAM role attached to your instance can also be viewed from the EC2 instance metadata: curl http://169.254.169.254/latest/meta-data/iam/info (when the instance requires IMDSv2, the request must also carry a session token obtained first with a PUT to /latest/api/token)
  • 399. • You can set up a bucket policy to grant IAM users and other AWS accounts the access permissions for your bucket and its objects. • In AWS Organization, you can set up an S3 bucket policy that allows cross-account access to other departments of your organization. Amazon S3 and AWS IAM
  • 400. • For DynamoDB, you can design an IAM policy that allows access to put, update, and delete items in one specific table. • IAM DB Authentication is a feature available for Amazon RDS and Aurora. This allows you to use IAM to centrally manage access to your database resources AWS Databases and AWS IAM
  • 401. Amazon SQS and AWS IAM • An Access Policy can be provisioned to control external access to your SQS queue. • Helps you grant permissions to an external company to access your queue. • An SQS access policy can allow external companies to poll the queue without giving up the permissions of your own account.
  • 402. IAM USER IAM GROUP IAM ROLE IAM ENTITIES IDENTITY-BASED POLICY RESOURCE-BASED POLICY
  • 403. PERMISSIONS BOUNDARY • Allows you to set the maximum permissions that an identity-based policy can grant to an IAM entity. • Ensures that the entity can only perform the actions that are allowed by both its identity-based policies and its permissions boundary.
  • 405. Permission 3 Permission 1 Permission 2 IAM POLICY IAM GROUP IAM ROLE
  • 406. IAM USER IAM GROUP IAM ROLE IAM IDENTITIES
  • 407. IAM USER • An entity that represents an actual person or a service • Can interact with your AWS resources using the AWS command-line interface, AWS API, or through the AWS management web console • Provides someone the ability to sign in to the AWS Management Console and programmatic access to AWS APIs
  • 408. IAM USER consists of: • NAME • PASSWORD (AWS Management Console) • ACCESS KEY PAIR (Access Key ID + Secret Access Key), used by the AWS CLI, AWS APIs, AWS SDKs and AWS CDKs
  • 409. IAM USER Permission 3 Permission 1 Permission 2 IAM POLICY OR Customer-managed AWS-managed
  • 410. IAM POLICY TYPES (IAM USER). Customer-managed: • Managed by you (the customer) • Can be fully customized • You have to manually create a policy for a particular job function. AWS-managed: • Managed by AWS • Cannot be fully customized • Has AWS Managed Policies for Job Functions that you can readily use: Administrator, Support User, Security Auditor, Network Administrator, Developer Power User, Billing, …and others
  • 411. IAM USER IAM GROUP Welcome to the Group!
  • 412. • Can contain multiple IAM Users • A single IAM User can belong to multiple IAM Groups • Cannot be nested • It can only contain IAM users and not other IAM Groups • There is no default user group that automatically includes all of the IAM Users in your AWS account IAM GROUP
  • 413. IAM GROUP Permission 3 Permission 1 Permission 2 IAM POLICY Tutorials Dojo Developers Permission 3 Permission 1 Permission 2
  • 415. IAM USER vs IAM ROLE. IAM USER: • Uniquely associated with one single person only • Has long-term credentials: AWS Management Console password and Access Keys. IAM ROLE: • Intended to be assumed by one or more AWS resources • No long-term credentials
  • 416. IAM ROLE INDIA - AWS ACCOUNT #2 US - AWS ACCOUNT #1 CROSS-ACCOUNT
  • 417. IAM ROLE types. CROSS-ACCOUNT: grants access to your resources in one account to a trusted principal in a different AWS account. AWS SERVICE ROLE: assumed by an AWS service or by applications running in your EC2 instance; limited to your AWS account only; the custom applications hosted in Amazon EC2 can assume an AWS service role to perform certain actions. AWS SERVICE-LINKED ROLE: a predefined role that is directly linked to an AWS service
  • 419. IAM USER IAM GROUP IAM ROLE IAM IDENTITIES RESOURCES IAM POLICY
  • 420. IAM POLICY • Contains permissions that explicitly ALLOW or DENY access to certain AWS services • It provides fine-grained access control to specific API actions as well as the AWS resources that the policy should be applied to
  • 421. IAM POLICY API action ALLOWS THE API ACTIONS YOU SPECIFY
  • 422. API actions IP Condition DENIES THE API ACTIONS IAM POLICY
  • 423. API actions MFA Condition Multi-Factor Authentication (MFA) IAM POLICY
  • 425. Standalone Policy: • Remains unchanged even if you delete its associated IAM identity • Doesn’t have a strict one-to-one relationship to its associated IAM identity. Inline Policy: • Is automatically deleted if you delete its associated identity • Has a strict one-to-one relationship to its associated IAM identity
  • 426. • Identity-based Policies • Resource-based Policies • Permissions Boundaries • AWS Organizations SCPs • S3 Access Control Lists (ACLs) • Session Policies Policy Types IAM
  • 427. Identity-Based Policy • A policy that you attach to an IAM Identity • Two Types: Managed Policies: • A type of standalone policy • Can either be AWS-managed or Customer-managed. Inline Policies: • Maintain a strict one-to-one relationship between a policy and an IAM identity • Tightly coupled with the associated IAM Identity
  • 428. Resource-Based Policy • Attaches an inline policy to a specific AWS Resource • Types: S3 Bucket Policy SQS Access Policy Trust Policy
  • 429. Permissions Boundaries • Defines the maximum permissions that an identity-based policy can grant to an IAM entity • Does not explicitly grant permissions • Sets a clear boundary to ensure that a given IAM policy will not over-provision the permissions to your AWS resources
  • 430. Service Control Policies (SCPs) • Primarily used in: AWS Organizations • Defines the maximum permissions for account members of an organization or organizational unit. • Limits the permissions that identity-based policies or resource-based policies grant to the IAM users or roles within the AWS account • IAM policies can't restrict the AWS account root user. By contrast, the actions specified in an attached SCP affect all IAM identities of the member account, including the root user
  • 431. Access Control List (ACL) • Primarily used in: Amazon S3 • Controls which principals in other AWS accounts can access a particular bucket • These are cross-account permission policies that grant certain permissions to a specified principal that you define • ACLs cannot grant permissions to entities within the same account
  • 432. Session Policies • Limits the permissions that an identity-based policy grants to a particular session • Works like Permissions Boundaries: sets a limit on what kind of permissions a session has, without granting any permissions • Aside from an identity-based policy, the permissions of a session can also come from a resource-based policy • If there’s an explicit deny in any of the policies, it effectively overrides any allowed permissions
  • 434. Policy-wide information (Id, Version) and Statements (evaluated as a logical OR):
  {
    "Id": "TutorialsDojoPolicy1",
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowAllActionsOnBooksTable",
        "Effect": "Allow",
        "Action": "dynamodb:*",
        "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/Books"
      },
      {
        "Sid": "ListObjectsInBucket",
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:DeleteObject"],
        "Resource": ["arn:aws:s3:::tutorialsdojo-manila"]
      }
    ]
  }
  • 435. IAM Statement Elements (annotated example statement):
  {
    "Sid": "AllowActionsOnBooksTable",                                        <- Statement ID
    "Effect": "Allow",                                                        <- ALLOW or DENY
    "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
    "Action": [ "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem" ],   <- could also be "dynamodb:*", "s3:*"
    "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Books",        <- e.g. arn:aws:s3:::tutorialsdojo/*
    "Condition": { "IpAddress": { "aws:SourceIp": "220.110.16.0/20" } }       <- CONDITION ELEMENT
  }
  • 436. • String • Numeric • Date • Boolean • Binary • ARN • IfExists • IpAddress • …and many more! CONDITION ELEMENT
  • 437. CONDITION ELEMENT IfExists • StringEqualsIfExists • NumericEqualsIfExists • BoolIfExists • IpAddressIfExists • etc…
  • 438. . . .
  "Action": [ "s3:PutObject" ],
  "Resource": "arn:aws:s3:::tutorialsdojo-manila/*",
  "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } }
  . . .
  Shares the Amazon S3 bucket named tutorialsdojo-manila with an external vendor while ensuring that the bucket owner is still able to access all objects
  • 439.
  {
    "Version": "2012-10-17",
    "Statement": [{
      "Sid": "DenyAllTDojoUsersNotUsingMFA",
      "Effect": "Deny",
      "NotAction": "s3:PutObject",
      "Resource": "*",
      "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } }
    }]
  }
  Users will be denied all API actions (except for the s3:PutObject action) if their multi-factor authentication (MFA) is not enabled
  • 440. IAM Policy Evaluation Logic IAM
  • 441.
  {
    "Id": "TutorialsDojoPolicy1",
    "Version": "2012-10-17",
    "Statement": [
      { "Effect": "Allow", "Action": "lambda:*", "Resource": "*" },
      { "Effect": "Deny", "Action": ["lambda:CreateFunction", "lambda:DeleteFunction"], "Resource": "*" }
    ]
  }
  Logical OR: the first statement allows the API action, the second denies it. Will the API action be Allowed or Denied?
  • 442. 1. Authentication 2. Process the request context 3. Evaluate all policies within a single account
  • 443. If the IAM policies are within a single account: 1. All requests are implicitly denied by default (except for the AWS account root user). 2. An explicit DENY in any policy overrides any type of ALLOW. 3. The explicit ALLOW statements in identity-based or resource-based policies are then processed, subject to any Permissions Boundaries, Service Control Policies (SCPs) and Session Policies. Result: DENY or ALLOW
  • 445. POLICY 1 POLICY 2
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "ec2:TerminateInstances",
        "Resource": "*",
        "Condition": { "IpAddress": { "aws:SourceIp": "49.147.194.0/24" } }
      },
      {
        "Effect": "Deny",
        "Action": "ec2:*",
        "Resource": "*",
        "Condition": { "StringNotEquals": { "ec2:Region": "us-west-1" } }
      }
    ]
  }
  This policy will allow you to terminate an Amazon EC2 instance in the us-west-1 region as long as your source IP is within the 49.147.194.0/24 CIDR block.
  • 446. POLICY 1 POLICY 2
  {
    "Version": "2012-10-17",
    "Statement": [
      { "Effect": "Allow", "Action": [ "ec2:*", "ds:*" ], "Resource": "*" },
      { "Effect": "Deny", "Action": "ds:Delete*", "Resource": "*" }
    ]
  }
  This policy provides full access to Amazon EC2. It also allows creating, reading and updating the AWS Directory Service (DS) directories, but not deleting them.
  • 447. POLICY 1 POLICY 2
  {
    "Version": "2012-10-17",
    "Statement": [
      { "Effect": "Allow", "Action": "lambda:*", "Resource": "*" },
      {
        "Effect": "Deny",
        "Action": [ "lambda:CreateFunction", "lambda:DeleteFunction" ],
        "Resource": "*",
        "Condition": { "IpAddress": { "aws:SourceIp": "220.200.16.0/24" } }
      }
    ]
  }
  This policy allows all AWS Lambda actions, but explicitly denies lambda:CreateFunction and lambda:DeleteFunction when the request comes from a source IP within the 220.200.16.0/24 CIDR block.
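The evaluation logic on the slides above (implicit deny by default, an explicit deny overriding any allow, and a condition gating each statement) as an added example that is not part of the original deck: a small Python evaluator, written here for illustration, that runs the deck's own Lambda, EC2 and MFA policies against constructed request contexts. It supports only the condition operators those policies use (StringEquals, StringNotEquals, Bool/BoolIfExists, IpAddress, NotIpAddress) and deliberately ignores permissions boundaries, SCPs and cross-account resource policies, so it is a teaching model of the single-account flow, not AWS's engine.

```python
"""Toy single-account IAM policy evaluator (added example; not AWS's actual engine)."""
import fnmatch
import ipaddress
from typing import Any, Dict, List, Optional, Union

StrOrList = Union[str, List[str]]


def _as_list(value: StrOrList) -> List[str]:
    return value if isinstance(value, list) else [value]


def _action_matches(patterns: StrOrList, action: str) -> bool:
    # Action names are case-insensitive and may use the IAM wildcards * and ?
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns: StrOrList, resource: str) -> bool:
    # Resource ARNs are matched case-sensitively, again with * and ? wildcards
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def _condition_ok(condition: Optional[Dict[str, Dict[str, Any]]], ctx: Dict[str, Any]) -> bool:
    """True when every condition block is satisfied by the request context (a constructed dict)."""
    if not condition:
        return True
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        for key, expected in pairs.items():
            wanted = [str(w) for w in _as_list(expected)]
            if key not in ctx:
                # ...IfExists passes when the key is absent (so the MFA deny still fires
                # for long-term credentials that never set aws:MultiFactorAuthPresent);
                # a plain operator fails on a missing key.
                if if_exists:
                    continue
                return False
            actual = str(ctx[key])
            if base == "StringEquals":
                ok = actual in wanted
            elif base == "StringNotEquals":
                ok = actual not in wanted
            elif base == "Bool":
                ok = actual.lower() in [w.lower() for w in wanted]
            elif base == "IpAddress":
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(w) for w in wanted)
            elif base == "NotIpAddress":
                ok = not any(ipaddress.ip_address(actual) in ipaddress.ip_network(w) for w in wanted)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policies: List[Dict[str, Any]], action: str, resource: str, ctx: Dict[str, Any]) -> str:
    """Evaluate all policies as one set: explicit Deny wins, then any Allow, otherwise implicit deny."""
    explicit_allow = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if "Action" in stmt:
                action_hit = _action_matches(stmt["Action"], action)
            else:  # NotAction: the statement applies to every action except those listed
                action_hit = not _action_matches(stmt["NotAction"], action)
            resource_hit = _resource_matches(stmt.get("Resource", "*"), resource)
            if not (action_hit and resource_hit and _condition_ok(stmt.get("Condition"), ctx)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny overrides every allow, whichever policy holds it
            explicit_allow = True
    return "Allow" if explicit_allow else "ImplicitDeny"


# The three policies below are copied from the slides above.
LAMBDA_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["lambda:CreateFunction", "lambda:DeleteFunction"], "Resource": "*"},
]}
EC2_REGION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*",
     "Condition": {"IpAddress": {"aws:SourceIp": "49.147.194.0/24"}}},
    {"Effect": "Deny", "Action": "ec2:*", "Resource": "*",
     "Condition": {"StringNotEquals": {"ec2:Region": "us-west-1"}}},
]}
MFA_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyAllTDojoUsersNotUsingMFA", "Effect": "Deny", "NotAction": "s3:PutObject", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]}

if __name__ == "__main__":
    # Constructed request contexts; the IPs and region are sample values.
    print(evaluate([LAMBDA_POLICY], "lambda:CreateFunction", "*", {}))
    print(evaluate([EC2_REGION_POLICY], "ec2:TerminateInstances", "*",
                   {"aws:SourceIp": "49.147.194.25", "ec2:Region": "us-west-1"}))
    print(evaluate([MFA_POLICY, LAMBDA_POLICY], "lambda:InvokeFunction", "*", {}))
```

Running it answers the slide's question: lambda:CreateFunction is denied even though the first statement allows lambda:*, the EC2 terminate call is allowed only when both the source IP and the region condition line up, and once the MFA policy is in the set it denies a Lambda call that the Lambda policy alone would allow.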
  • 449. US East (Ohio) us-east-2 Amazon VPC Data Center Data Center Data Center Data Center Data Center Data Center Data Center Data Center Data Center Availability Zone 1 Availability Zone 2 Availability Zone 3 Private subnet Public subnet Private subnet Public subnet Private subnet Public subnet IPv4 CIDR Range: 10.0.0.0/16 IPv6 CIDR Range: 2001:db8:1234:1a00::/56 ROUTE TABLE
  • 450. 10.0.0.0/24 Private subnet IPv4 CIDR Range: 10.0.0.0/16 IPv6 CIDR Range: 2001:db8:1234:1a00::/56 REGION Amazon VPC CLOUD ROUTE TABLE 10.0.1.0/24 Public subnet A subnet must reside entirely within one Availability Zone only. One subnet cannot span two or more AZs. You can have multiple subnets in the same Availability Zone.
  • 451. 10.0.0.0/24 Private subnet IPv4 CIDR Range: 10.0.0.0/16 IPv6 CIDR Range: 2001:db8:1234:1a00::/56 REGION Amazon VPC CLOUD ROUTE TABLE 10.0.1.0/24 Public subnet For backend systems like databases or application servers that are not meant to be accessed publicly For publicly accessible web servers and resources This subnet has a connection to the Internet Gateway of the VPC INTERNET GATEWAY Amazon EFS Amazon FSx Amazon RDS PUBLIC Amazon EC2 web servers PRIVATE Amazon EC2 servers
  • 452. Anatomy of an Amazon VPC
  • 453. Public subnet Private subnet IPv4 CIDR Range: 10.0.0.0/16 IPv6 CIDR Range: 2001:db8:1234:1a00::/56 REGION CLOUD ROUTE TABLE INTERNET GATEWAY PUBLIC Amazon EC2 web servers Amazon EFS Amazon FSx Amazon RDS PRIVATE Amazon EC2 servers Amazon VPC VIRTUAL PRIVATE GATEWAY AWS IAM
  • 454. Public subnet Private subnet IPv4 CIDR Range: 10.0.0.0/16 IPv6 CIDR Range: 2001:db8:1234:1a00::/56 REGION CLOUD ROUTE TABLE INTERNET GATEWAY PUBLIC Amazon EC2 web servers Amazon EFS Amazon FSx Amazon RDS PRIVATE Amazon EC2 servers Amazon VPC VIRTUAL PRIVATE GATEWAY VPC PEERING Amazon VPC
  • 455. US East (Ohio) us-east-2 SUBNET 1 SUBNET 2 SUBNET 3
  • 456. Ashburn Sterling Chantilly 8 4 4 US East (Northern Virginia) us-east-1 us-east-1b us-east-1a us-east-1c
  • 457. Amazon S3 Amazon EC2 VPC Endpoint CLOUD Amazon VPC Amazon DynamoDB Other Services AWS Lambda Fully Managed By: Amazon S3 is not hosted in an Amazon VPC
  • 458. • CIDR Block • Subnets • Route Table • DHCP Options Set • NAT Devices • Network ACLs • Security Groups • Different types of Gateways Amazon VPC Components
  • 459. CIDR BLOCK • Allows you to specify the size of your network • The allowed block size for a VPC is between a /16 and a /28 netmask • A netmask (subnet mask) tells you the total number of available hosts for your network: /16 = 65,536 IP addresses; /17 = 32,768 IP addresses; /18 = 16,384 IP addresses; /28 = 16 IP addresses
  • 460. CIDR BLOCK • AWS reserves a total of 5 IP addresses from your CIDR block • The first four IP addresses and the last IP address in each subnet CIDR block are reserved. For CIDR 10.0.0.0/24: 10.0.0.0 – Network Address; 10.0.0.1 – VPC Router; 10.0.0.2 – DNS Server; 10.0.0.3 – Reserved for Future Use; 10.0.0.255 – Network Broadcast Address
  • 461. CIDR BLOCK IPv4 CIDR Range: 10.0.0.0/16 IPv6 CIDR Range: 2001:db8:1234:1a00::/56
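The CIDR sizing rules from the slides above (VPC block between /16 and /28, the netmask to address-count table, and the five addresses AWS reserves in every subnet) as an added example that is not part of the original deck: a few Python helpers, written here for illustration, that use the standard-library ipaddress module to validate a VPC block, size a subnet, and list which addresses are reserved, which is the arithmetic you do before deciding whether a subnet has room for the hosts you plan to put in it.

```python
"""Amazon VPC CIDR sizing helpers (added example; not AWS code)."""
import ipaddress
from typing import Dict


def vpc_cidr_is_valid(cidr: str) -> bool:
    """A VPC IPv4 CIDR block must be a proper network address with a /16 to /28 netmask."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:  # host bits set (e.g. 10.0.0.1/16) or malformed input
        return False
    return net.version == 4 and 16 <= net.prefixlen <= 28


def total_addresses(cidr: str) -> int:
    """Number of IP addresses a netmask covers: /16 -> 65,536 ... /28 -> 16."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses


def reserved_addresses(subnet_cidr: str) -> Dict[str, str]:
    """The five addresses AWS reserves in every subnet: the first four plus the last."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    first = int(net.network_address)
    return {
        "network_address": str(ipaddress.ip_address(first)),
        "vpc_router": str(ipaddress.ip_address(first + 1)),
        "dns_server": str(ipaddress.ip_address(first + 2)),
        "future_use": str(ipaddress.ip_address(first + 3)),
        "network_broadcast": str(net.broadcast_address),
    }


def usable_addresses(subnet_cidr: str) -> int:
    """Addresses you can actually assign: the block size minus the reserved five."""
    return total_addresses(subnet_cidr) - len(reserved_addresses(subnet_cidr))


def subnet_fits(vpc_cidr: str, subnet_cidr: str) -> bool:
    """A subnet must lie inside the VPC block and itself be between /16 and /28."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    sub = ipaddress.ip_network(subnet_cidr, strict=True)
    return sub.subnet_of(vpc) and 16 <= sub.prefixlen <= 28


if __name__ == "__main__":
    # Sample blocks taken from the slides (10.0.0.0/16 VPC, 10.0.0.0/24 subnet).
    print(vpc_cidr_is_valid("10.0.0.0/16"), total_addresses("10.0.0.0/16"))
    print(reserved_addresses("10.0.0.0/24"), usable_addresses("10.0.0.0/24"))
    print(subnet_fits("10.0.0.0/16", "10.0.1.0/24"))
```

The smallest allowed subnet, a /28, has 16 addresses but only 11 usable ones, which is the practical consequence of the reservation rule and a frequent source of capacity surprises in small subnets.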
  • 462. ROUTE TABLE • The implicit router in Amazon VPC • Controls the network traffic in your VPC through subnet routing • All subnets in your VPC must be associated with a route table. • A route table can either be the main route table or a custom route table • A subnet in your VPC can only be associated with one route table at a time but you can associate multiple subnets with the same subnet route table.
  • 463. DHCP OPTIONS SET • A set of options that controls the automatic provisioning of IP addresses to your Amazon EC2 instances and other resources • Uses the Dynamic Host Configuration Protocol • Allocates an IP address to every host, virtual machine, EC2 instance, RDS database, load balancer, or any other AWS resources in your VPC • Configures your DNS, NetBios Name Server, and Network Time Protocol (NTP)
  • 464. NAT DEVICES • Uses Network Address Translation (NAT) • Enable Amazon EC2 instances that are in a private subnet to connect to the public Internet or other AWS services • Prevents the public Internet from initiating connections with your private EC2 instances. • Works like a one-way street which means only the traffic initiated within your VPC is allowed but not vice versa
  • 465. NAT DEVICES. NAT Instance: • A virtualized NAT device running in an EC2 instance within your VPC • Managed by the customer (you) • Not highly available nor scalable. NAT Gateway: • An advanced NAT device that is not running in your VPC • Managed by AWS • Highly available and scalable
  • 466. AWS Cloud VPC A Availability Zone (AZ) 1 Availability Zone (AZ) 2 N. Virginia Region Private subnet Private subnet Amazon EC2 Amazon EC2 Public subnet Public subnet NAT Gateway NAT Gateway
  • 467. Security Groups Network Access Control List (Network ACL)
• 468. [Diagram] N. Virginia Region, VPC A: a Network ACL attached at the SUBNET boundary and a Security Group attached to the Amazon EC2 instance
• Security Group: you can only specify ALLOW rules, not DENY rules
• Network ACL: you can create rules that explicitly allow or deny traffic by protocol, port range and source or destination IP address (CIDR)
  • 469. Gateways • Internet Gateway • Customer Gateway • Virtual Private Gateway • Carrier Gateways • Egress-only Internet Gateway
  • 470. On-premises data center Amazon VPC VIRTUAL PRIVATE GATEWAY CUSTOMER GATEWAY AWS Direct Connect connection
• 471. IPv4 private subnets reach the Internet outbound through a NAT Gateway or a NAT Instance; IPv6 private subnets use an Egress-only Internet Gateway instead, because IPv6 addresses are globally unique and NAT is not used
  • 472. • For VPCs that use AWS Wavelength to deliver ultra-low latency applications for 5G devices. • Allows incoming traffic from a carrier network in a specific location • Allows outgoing traffic to the carrier network and to the public Internet. • Only available for VPCs that contain subnets in a Wavelength Zone CARRIER GATEWAY
  • 473. On-premises data center VIRTUAL PRIVATE GATEWAY Amazon VPC CUSTOMER GATEWAY AWS Direct Connect Connection
  • 474. Amazon VPC Network Architectures
• 475. [Diagram] Amazon VPC in a Region (IPv4 CIDR Range: 10.0.0.0/16, IPv6 CIDR Range: 2001:db8:1234:1a00::/56) with a public subnet and a private subnet, a route table, an Internet Gateway, and a Virtual Private Gateway terminating AWS VPN and AWS Direct Connect connections
• 476. Default VPC • There is a default VPC in each AWS Region • Can immediately be used to launch your Amazon EC2 instances, Elastic Load Balancers, Amazon RDS databases, and other resources • Convenient for quickly launching simple public websites or applications • Its existing components can be configured • Has an attached Internet Gateway by default, and its default subnets are public subnets that auto-assign a public IPv4 address, so instances launched there are reachable from the Internet unless their security groups say otherwise; build a custom VPC for workloads that must stay private
• 477. Default VPC – IPv4 CIDR Range: 172.31.0.0/16 (a /16 = 65,536 IP addresses), with an Internet Gateway, a route table, public and private subnets • The first 4 IP addresses and the last IP address of each subnet range are reserved, so 5 IP addresses per subnet are not usable • For the 172.31.0.0/16 range shown: 172.31.0.0 – Network Address • 172.31.0.1 – VPC Router • 172.31.0.2 – DNS Server • 172.31.0.3 – Reserved for Future Use • 172.31.255.255 – Network Broadcast Address
• 478. Default VPC (IPv4 CIDR Range: 172.31.0.0/16) with an Internet Gateway, a route table, a DHCP options set, and one /20 public subnet per Availability Zone, e.g. 172.31.0.0/20, 172.31.16.0/20, 172.31.32.0/20, 172.31.48.0/20 (a /20 must start on a multiple of 16 in the third octet; blocks such as 172.31.0.16/20 or 172.31.0.32/20 are not valid subnet CIDRs) • /20 = 4,096 total IP addresses – 5 reserved AWS IPs = 4,091 usable IPs
• 479. CUSTOM AMAZON VPC with a private subnet of IPv4 CIDR Range 10.0.0.0/28 and a route table; Auto Scaling groups launch instances into it • /28 = 16 total IP addresses – 5 reserved AWS IPs = 11 usable IPs • /28 is the smallest subnet (and VPC) size AWS allows; an Auto Scaling group that must scale past 11 instances in this subnet will fail to launch once the addresses run out, so size subnets for peak capacity, not current capacity Tutorials Dojo www.tutorialsdojo.com
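Added example (not part of the original slides): a small Python planner that lists the five addresses AWS reserves in a subnet, computes the usable address count, and checks a proposed set of subnets against the VPC CIDR. It flags misaligned blocks such as 172.31.0.32/20, prefixes outside the /16 to /28 range AWS accepts, subnets that fall outside the VPC CIDR, and overlaps between subnets. The CIDRs in the sample calls are constructed for the example.

```python
"""Subnet planning check for an Amazon VPC CIDR block.

Added example, not from the original slides. Uses only the standard library.
"""
import ipaddress

RESERVED_PER_SUBNET = 5  # network, VPC router, DNS, future use, broadcast


def reserved_addresses(subnet: str) -> dict:
    """Return the five addresses AWS reserves in an IPv4 subnet, keyed by role."""
    net = ipaddress.ip_network(subnet, strict=True)
    base = int(net.network_address)
    roles = ["network address", "VPC router", "DNS server", "reserved for future use"]
    reserved = {role: str(ipaddress.ip_address(base + i)) for i, role in enumerate(roles)}
    reserved["network broadcast address"] = str(net.broadcast_address)
    return reserved


def usable_hosts(subnet: str) -> int:
    """Addresses you can actually assign to instances in the subnet."""
    net = ipaddress.ip_network(subnet, strict=True)
    return net.num_addresses - RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr: str, subnets: list) -> list:
    """Validate a list of subnet CIDRs against the VPC CIDR.

    Each subnet must be a properly aligned block (ipaddress raises otherwise),
    between /16 and /28 as AWS requires, contained in the VPC CIDR and
    non-overlapping with the others. Returns a list of problem strings,
    empty when the plan is valid.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    problems, nets = [], []
    for s in subnets:
        try:
            net = ipaddress.ip_network(s, strict=True)
        except ValueError as exc:
            problems.append(f"{s}: not a valid aligned CIDR block ({exc})")
            continue
        if not 16 <= net.prefixlen <= 28:
            problems.append(f"{s}: prefix must be between /16 and /28")
        if not net.subnet_of(vpc):
            problems.append(f"{s}: not inside VPC CIDR {vpc_cidr}")
        nets.append(net)
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the default-VPC style layout, then a broken one.
    print(reserved_addresses("10.0.0.0/24"), usable_hosts("10.0.0.0/28"))
    print(plan_subnets("172.31.0.0/16", ["172.31.0.0/20", "172.31.16.0/20"]))
    print(plan_subnets("172.31.0.0/16", ["172.31.0.32/20", "172.31.0.0/29", "10.0.0.0/24"]))
```

Run it before creating subnets: an empty list from plan_subnets means every block is aligned, in range, inside the VPC and disjoint.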
• 480. Amazon VPC Network Architecture Types • A VPC with a single public subnet • A VPC with public and private subnets • A VPC with public and private subnets and Hardware VPN Access (AWS VPN) • A VPC with a private subnet only and Hardware VPN Access (AWS VPN)
  • 481. Public subnet IPv4 CIDR Range: 10.0.0.0/16 IPv6 CIDR Range: 2001:db8:1234:1a00::/56 ROUTE TABLE Amazon VPC INTERNET GATEWAY A VPC with a single public subnet
  • 482. IPv4 CIDR Range: 10.0.0.0/16 IPv6 CIDR Range: 2001:db8:1234:1a00::/56 ROUTE TABLE Amazon VPC A VPC with public and private subnets Public subnet Private subnet INTERNET GATEWAY
  • 483. A VPC with public and private subnets and Hardware VPN Access IPv4 CIDR Range: 10.0.0.0/16 IPv6 CIDR Range: 2001:db8:1234:1a00::/56 ROUTE TABLE Amazon VPC Private subnet AWS VPN Public subnet VIRTUAL PRIVATE GATEWAY INTERNET GATEWAY
  • 484. IPv4 CIDR Range: 10.0.0.0/16 IPv6 CIDR Range: 2001:db8:1234:1a00::/56 ROUTE TABLE Amazon VPC Private subnet VIRTUAL PRIVATE GATEWAY AWS VPN A VPC with private subnet and Hardware VPN Access
  • 489. Amazon EC2 Can be integrated with a lot of AWS Services
• 490. Amazon EC2 and your computer both have: CPU, memory (RAM), network, SSD/HDD storage, a disk image (ISO) and access to a shared file server
• 491. EC2 storage counterparts: SSD/HDD storage – Amazon EBS, Instance Store • Shared file server – Amazon EFS, Amazon FSx for Lustre, Amazon FSx for Windows File Server • Object storage – Amazon S3
• 492. Other counterparts: Network – Amazon VPC, Elastic IP Address, Elastic Network Interface (ENI), Elastic Network Adapter (ENA), Elastic Fabric Adapter (EFA), Placement Groups • Auto Scaling – Amazon EC2 Auto Scaling • Disk image – Amazon Machine Image (AMI)
• 494. Virtual Machines: Amazon EC2 instances are virtual machines running on rack-mounted physical servers; a single server can host multiple EC2 instances, and with default tenancy the underlying hardware is shared by MULTIPLE tenants / customers across the globe
• 495. [Diagram] The Amazon EC2 Service and the ways customers ask for capacity: "I want to order an EC2 Instance for $2 / hour" (On-Demand) • "I'll pay $1 / hour for that spare or unused EC2 Instance" (Spot; AWS INTERRUPTS and automatically terminates the instance when it needs the capacity back) • "I would like to reserve this instance for 1 year at $1.5 / hour" (Reserved) • "I would like to rent the entire server without any virtualization, dedicated for my exclusive use" (Dedicated Host)
  • 496. • On-Demand • Spot • Reserved • Dedicated • Savings Plans • Capacity Reservation Instance Purchasing Options Amazon EC2
• 498. [Diagram] Spot Instances come from spare or unused EC2 capacity of an instance type: when SUPPLY exceeds DEMAND there is a SURPLUS and the Spot price is at its LOWEST COST; when supply is LOW the price is HIGH
  • 499. Amazon EC2 Service Spare or Unused Capacity INTERRUPTS (Automatically Terminates Your Spot EC2 Instance) I want to order a Spot EC2 Instance for $1 / hour I want to order an On- Demand EC2 Instance for $2 / hour Spot Instances
  • 500. Based on Spot Market $ Spot Price Buy “On the Spot” for lower prices Spot Instances
• 501. Spot Instances FEATURES • Provide discounts of up to 90% compared to an On-Demand Instance • The most cost-effective type among the instance purchasing options • Interruption depends on the spare capacity for that instance type in that Availability Zone: when AWS needs the capacity back, it reclaims the instance • AWS sends a two-minute interruption notice (through instance metadata and Amazon EventBridge) before the instance is stopped, hibernated or terminated • Suitable for non-critical and infrequent jobs that can be interrupted or processed again
  • 502. • Servers on your development or test environments that do not require to be 100% up all the time • Applications with flexible start and end times • Interruptible workloads that can handle failures gracefully • Handling the peak load or the additional load of your application on top of your Reserved or On-Demand EC2 instances • Infrequent and interruptible jobs • Workloads that are infrequently executed USE CASES Spot Instances
• 503. USE CASES Spot Instances • Interruptible batch jobs or non-production applications that are currently hosted on On-Demand Instances • Running the task nodes of your Amazon Elastic MapReduce cluster • Highly dynamic batch processing where each job: is stateless in nature; can be started and stopped at any given time; typically takes around an hour or more in total to complete • Whenever you need the MOST cost-effective way of running interruptible workloads
• 504. Spot Fleet
• A collection, or fleet, of Spot Instances spread across instance types and Availability Zones
• Can optionally include On-Demand Instances
Spot Block
• Specifies a "block of time", a duration of 1 to 6 hours, for which the instance runs continuously
• Interrupted less often than regular Spot Instances
• Spot blocks are no longer offered to new customers (since July 2021); design for interruption with Spot Fleet or EC2 Fleet instead
• 506. On-Demand Instances – NO INTERRUPTIONS • Demand #1: "Right now, I want to launch an EC2 Instance for my app!" • Demand #2: "My batch job processing has been completed. I want to terminate my EC2 instance now"
  • 507. • Mission-critical workloads that must not experience any interruptions • Servers of your mission-critical applications that are running on your production environment • Short-term workloads that cannot be interrupted • Handling the steady-state load of your applications • Running the master node and the core nodes of your Amazon EMR cluster • Any workloads that require uninterruptible processing On-Demand Instances USE CASES
  • 508. • Allows you to reserve EC2 capacity for a specific Availability Zone for a period of time • Ensures that you always have access to EC2 capacity • No one-year or three-year term reservation or commitment • Suitable for scenarios where you require a guaranteed compute capacity for a week or a few months On-Demand Capacity Reservation
• 509. Billing granularity by OS type: Linux – pay by the second (minimum of 1 minute) • Windows – pay by the hour (minimum of 1 hour)
• 510. On-Demand Instances have the highest cost among the EC2 instance purchasing options • NO INTERRUPTIONS: the higher price ensures that your EC2 Instance will NOT be interrupted by AWS
• 512. Comparison • Reserved Instances: FOR MISSION-CRITICAL APPLICATIONS, UNINTERRUPTIBLE, CHEAPER THAN ON-DEMAND INSTANCES • On-Demand Instances: FOR MISSION-CRITICAL APPLICATIONS, UNINTERRUPTIBLE • Spot Instances: CHEAPER THAN ON-DEMAND INSTANCES, but interruptible
• 514. Reserved Instances: RESERVE for a 1-year or 3-year term, paying All Upfront, Partial Upfront or No Upfront
• 515. All Upfront – pay the FULL price in advance; provides the highest savings • Partial Upfront – pay a PARTIAL price in advance and the rest monthly; costs a little more than All Upfront • No Upfront – pay on a MONTHLY basis; provides the least amount of discount
• 516. Standard Reserved Instance vs Convertible Reserved Instance
Both: • Require a fixed 1-year or 3-year commitment • Can modify attributes such as the Availability Zone or network platform • Can modify the instance size using other sizes within the same instance family
Standard Reserved Instance: • Can be sold in the Reserved Instance Marketplace • Cannot be exchanged for any other Reserved Instance
Convertible Reserved Instance: • Cannot be sold in the Reserved Instance Marketplace • Can be exchanged for another Convertible Reserved Instance with a different configuration, including instance family, operating system, and tenancy
  • 517. • Running non-interruptible workloads for a one-year or three-year time frame • Workloads with predictable capacity and uptime requirements • Hosting the application servers of your production environment • For processing the steady-state load or the baseline capacity of your workloads USE CASES Reserved Instances
  • 518. • For Batch jobs that cannot be interrupted once started • For consuming Amazon SQS queue messages in which the application should continually process messages without any downtime • Running the master node or core nodes of your Amazon Elastic MapReduce cluster (cheaper than On-Demand Instances) • And many more! USE CASES Reserved Instances
• 521. TENANCY • DEFAULT TENANCY: the physical host is shared by multiple customers (multi-tenant), like sharing a house with your friends or co-workers • Dedicated Instance and Dedicated Host: the host is used by a SINGLE customer / tenant, like renting an entire house for your family (single-tenant) • A rack-mounted server is also called a HOST
• 522. DEDICATED HOST • A single physical rack-mounted server (host) used by a SINGLE customer / tenant • Gives you visibility and control over placement down to the host's sockets and CPU cores, which is what per-socket, per-core and per-VM software licences require
  • 523. • For cases when the existing server-bound software licenses must be used by customers • To comply with your per-core software license requirements • For compliance and software licensing requirements mandating that a workload must be hosted on a physical server • For migrating commercial off-the-shelf applications with licenses that must still be utilized upon migration • For performing cost analysis that supports physical isolation of a customer workload • Launching Windows Server, SQL Server, SUSE Linux Enterprise Server, Red Hat Enterprise Linux, or other software licenses that are bound to particular VMs, sockets, or physical CPU cores A rack-mounted server / host DEDICATED HOST
• 524. DEDICATED INSTANCE – virtual machines / instances hosted on dedicated single-tenant hardware • Regular virtual machines that run in a virtual private cloud (VPC) on hardware dedicated to a single customer • Dedicated Instances that belong to different AWS accounts are physically isolated at the hardware level • Dedicated Instances may share hardware with other instances from the same AWS account that are not Dedicated Instances • Can be launched as Dedicated Spot Instances, Dedicated On-Demand Instances, or Dedicated Reserved Instances
• 526. Savings Plans FEATURES • A flexible pricing model in AWS that helps you save on the usage of Amazon EC2, AWS Fargate and AWS Lambda • Provides discounts in exchange for a commitment to a consistent amount of usage, measured in dollars per hour, for a one-year or three-year term • Can be purchased from any AWS account, from the management account of your AWS Organization, or from a member account of your AWS Organization
• 527. Savings Plans vs Reserved Instances • Both require a fixed one-year or three-year commitment and both provide billing discounts • Reserved Instances: based on a specific instance type or instance size; you must exchange or modify the Reserved Instance to suit your current requirements • Savings Plans: based on a consistent amount of compute usage; give you the flexibility to move to a more suitable compute option at the discounted price without any exchange or modification
  • 529. • Allows you to reserve capacity for your EC2 instances in a specific Availability Zone • Independent of the billing discounts offered by Savings Plans or regional Reserved Instances • Works like a Zonal Reserved Instance • No 1-year or 3-year commitment • You can reserve a particular Availability Zone only (Zonal), no Regional reservations in scope • Can be applied to On-Demand EC2 Instances FEATURES Capacity Reservation
  • 530. • Availability Zone • Number of Amazon EC2 Instances • Instance Attributes (e.g. instance type, OS, etc) Capacity Reservation REQUIREMENTS
  • 531. Capacity Reservation • Availability Zone • Number of Amazon EC2 Instances • Instance Attributes (e.g. instance type, OS, etc) us-east-1a 2 Instance Type: A3 MATCH Running EC2 Instances in your VPC
• 533. OTHER COMPONENTS… Amazon EC2 Instance Type: defined by its CPU, RAM, STORAGE, GRAPHICS and NETWORK capacity • Mac Instances (powered by Apple Mac mini hardware)
  • 534. CPU OPTIONS AWS Graviton The newer your EC2 instance type is, the more cost-efficient and powerful it is. Amazon EC2 Instance Type
• 535. Amazon EC2 Instance Type – INSTANCE FAMILY and Instance Sizes: nano, micro, small, medium, large, xlarge (2xlarge, 4xlarge, …), metal
• 536. INSTANCE CATEGORIES and the instance families / types in each: General Purpose – Mac, T*, M*, A* • Compute Optimized – C* • Memory Optimized – R*, X*, Z*, U* • Storage Optimized – I*, D*, H* • Accelerated Computing – P*, Inf*, G*, F* • Others; more instance types are launched regularly
• 537. INSTANCE TYPE NAMING CONVENTION: <family><generation><attributes>.<size>, e.g. m5.large: m = INSTANCE FAMILY, 5 = GENERATION, large = SIZE • SIZE is one of nano, micro, small, medium, large, xlarge or metal; metal indicates a bare metal type (non-virtualized)
• 538. TYPE & GENERATION: m5 is the 5th generation and m6 the 6th generation; m4 and below are PREVIOUS GENERATIONS, m7 and above the NEXT GENERATIONS
• 539. CPU TYPE attribute letters: **a – AMD EPYC processors • **g – AWS Graviton (Arm) processors • no letter – Intel processors
• 540. Examples: t3, m5, r5 (Intel) • t3a (AMD) • m6g (AWS Graviton)
• 541. Other attribute letters: ***d – has local NVMe-based SSD storage • ***n – has enhanced networking capabilities (network-optimized)
  • 542. TYPE & GENERATION INSTANCE TYPE NAMING CONVENTION T •Burstable Performance Instances •Provides a baseline level of CPU performance with the ability to burst above the baseline •The ability to burst is governed by CPU Credits
• 543. INSTANCE TYPE NAMING CONVENTION – CPU Credits • A CPU credit is earned at a set rate per hour that depends on the instance size; the credit balance grows while the instance runs below its baseline and is drawn down while it bursts above it • One CPU credit equals one vCPU running at 100% utilization for one minute • Bursting is a temporary form of "vertical scaling": it gives more CPU than the baseline without changing the instance type, until the credit balance is exhausted (T3, T3a and T4g default to Unlimited mode, which bills for sustained use above the baseline) • [Chart] CPU Utilization from 10 AM to 1 PM, with the BASELINE and the BURST ZONE above it
  • 544. INSTANCE TYPE NAMING CONVENTION SIZE metal • Bare metal instances • Grants direct access to the CPU and memory resources of the underlying server • Doesn't have a pre-installed KVM, Xen, or AWS Nitro Hypervisor that other EC2 instances use • Allows you to fully access the CPU, Storage, and Networking bandwidth of the underlying server • Allows customers to run their own hypervisor or virtualization secured containers such as Clear Linux Containers
  • 545. INSTANCE TYPE NAMING CONVENTION • Meant for customers who have enterprise applications that need to run in non-virtualized environments or need to use their own hypervisor •Can still be integrated with Amazon EBS, Elastic Load Balancers, and other resources on your Amazon VPC •Provides the highest attributes across all other types in its Instance Family •Have equal or more attributes than the largest instance type in the instance family
• 547. An AMI captures the apps & configurations of an EC2 Instance so that new instances can be launched from it
• 550. Amazon Machine Image (AMI) components: Block Device Mapping • Volume Snapshots • Launch Permissions
• 551. Amazon Machine Image (AMI) • BLOCK STORE TYPE: Amazon EBS (EBS-backed AMI) or Amazon EC2 Instance Store (instance store-backed AMI) • Block Device Mapping – maps the Amazon EBS volumes or instance store volumes that are attached at launch • Volume Snapshots – EBS snapshots serve as the template for the root volume of an EBS-backed AMI (N/A for instance store-backed AMIs, whose root volume template is stored in Amazon S3) • Launch Permissions – Public, Explicit (specific AWS accounts), or Implicit (the owner)
  • 552. Amazon Machine Image (AMI) • Regional in scope • You can copy your AMI to another AWS Region • You can also copy your AMI to another AWS account
• 553. [Diagram] COPY AMI from VPC A in the N. Virginia Region to the Ohio Region
• 555. Amazon Machine Image (AMI) VIRTUALIZATION TYPE
PV (Paravirtual): • BOOT UP PROCESS – uses a special boot loader called PV-GRUB • SUPPORT FOR SPECIAL HARDWARE EXTENSIONS – N/A
HVM (Hardware Virtual Machine): • BOOT UP PROCESS – executes the master boot record of the root block device of your image • SUPPORT FOR SPECIAL HARDWARE EXTENSIONS – uses several special hardware extensions such as enhanced networking or GPU processing • Current generation instance types support HVM AMIs only
• 556. [Diagram] An Auto Scaling group of EC2 instances launched from one Amazon Machine Image (AMI) and scaled by a Target Tracking Policy on the Amazon SQS metric "Age of the Oldest Message" (ApproximateAgeOfOldestMessage)
• 558. User Data – a shell script the EC2 Instance runs as root on its first boot:
    #!/bin/bash
    yum update -y
    yum install -y httpd          # install Apache before trying to start it
    mkdir -p tdojologs
    systemctl enable --now httpd  # start now and on every later boot
    echo "tutorialsdojo OK!"
• 559. User Data for an Auto Scaling Group whose instances mount Amazon EFS and ship logs to CloudWatch Logs:
    #!/bin/bash
    # Mount the EFS file system (awsjonbonsoefs is the deck's placeholder for the file system DNS name)
    mkdir -p ~/tutorialsdojo-efs
    sudo mount -t nfs -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport awsjonbonsoefs:/ ~/tutorialsdojo-efs
    # Install the (legacy) CloudWatch Logs agent non-interactively, reading its config from S3
    curl https://s3.amazonaws.com/aws-cloudwatch/downloads/latest/awslogs-agent-setup.py -O
    chmod +x ./awslogs-agent-setup.py
    ./awslogs-agent-setup.py -n -r us-east-1 -c s3://tutorialsdojo
• 560. User Data • Must be base64-encoded when passed through the API or CLI (the console encodes it for you) • Limited to 16 KB in raw form • Accessible from the Instance Metadata Service at http://169.254.169.254/latest/user-data • Runs only once, on the first EC2 instance launch; modifying the user data and restarting the instance does not re-run it (unless the cloud-init scripts-user module is configured to run on every boot) • It is not encrypted: any process on the instance can read it through the metadata service and anyone with ec2:DescribeInstanceAttribute can read it from the API, so never put passwords, keys or tokens in user data; fetch secrets at runtime from AWS Secrets Manager or SSM Parameter Store using the instance's IAM role
• 562. [Diagram] VIRTUALIZATION: many EC2 instances running on shared physical hosts
  • 564. INSTANCE METADATA • AMI • Hostname • Public IP address • Private IP address • Instance type • MAC address • Security groups • Security credentials • IAM Roles of your instance • . . . and many more!
• 568. INSTANCE METADATA SERVICE version 2 (IMDSv2) • Session oriented: the client first sends an HTTP PUT to http://169.254.169.254/latest/api/token with an X-aws-ec2-metadata-token-ttl-seconds header (1 to 21600 seconds) and receives a session token; every metadata GET must then carry that token in the X-aws-ec2-metadata-token header • The PUT response hop limit defaults to 1, and PUT requests carrying an X-Forwarded-For header are rejected, so a request relayed through a misconfigured proxy or an SSRF-vulnerable web application cannot obtain a token • Set the instance metadata option http-tokens to required (IMDSv2 only) to disable the token-less IMDSv1 path entirely
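Added example (not from the original slides): a Python stand-in for the session-oriented IMDSv2 endpoint, run locally on 127.0.0.1, with a client that performs the PUT-for-token then GET-with-token exchange. The metadata values, the token format and the port are constructed for the example; on a real instance the endpoint is http://169.254.169.254 and the tokens are issued by AWS. The point it shows is the one that matters for SSRF defence: the same GET that IMDSv1 would answer is refused with 401 when no token accompanies it, and a PUT carrying X-Forwarded-For is refused.

```python
"""IMDSv2 token flow against a local stand-in for the metadata service.

Added example, not from the original slides. The server below imitates the
documented IMDSv2 behaviour: PUT /latest/api/token with a TTL header yields a
token; GETs without a valid token get 401; PUTs with X-Forwarded-For get 403.
"""
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample metadata; not real instance data.
FAKE_METADATA = {
    "/latest/meta-data/instance-id": "i-0123456789abcdef0",
    "/latest/user-data": "#!/bin/bash\necho constructed-sample",
}


class FakeImdsV2(BaseHTTPRequestHandler):
    tokens = set()

    def log_message(self, *args):  # keep the example quiet
        pass

    def _reply(self, status, body=b""):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):
        ttl = self.headers.get("X-aws-ec2-metadata-token-ttl-seconds")
        if "X-Forwarded-For" in self.headers:
            return self._reply(403)  # relayed through a proxy: refuse
        if self.path != "/latest/api/token" or not (ttl or "").isdigit() or not 1 <= int(ttl) <= 21600:
            return self._reply(400)
        token = secrets.token_urlsafe(32)
        self.tokens.add(token)
        self._reply(200, token.encode())

    def do_GET(self):
        # IMDSv2-only behaviour: no valid token, no metadata.
        if self.headers.get("X-aws-ec2-metadata-token") not in self.tokens:
            return self._reply(401)
        body = FAKE_METADATA.get(self.path)
        self._reply(404) if body is None else self._reply(200, body.encode())


def start_fake_imds():
    server = HTTPServer(("127.0.0.1", 0), FakeImdsV2)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies


def get_token(base, ttl=21600, extra_headers=None):
    """Step 1 of IMDSv2: PUT with a TTL header, returns (status, token_or_empty)."""
    headers = {"X-aws-ec2-metadata-token-ttl-seconds": str(ttl), **(extra_headers or {})}
    req = urllib.request.Request(f"{base}/latest/api/token", method="PUT", headers=headers)
    try:
        with _opener.open(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, ""


def get_metadata(base, path, token=None):
    """Step 2: GET with the token. token=None reproduces an IMDSv1-style request."""
    headers = {"X-aws-ec2-metadata-token": token} if token else {}
    req = urllib.request.Request(f"{base}{path}", headers=headers)
    try:
        with _opener.open(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, ""


def demo():
    server, base = start_fake_imds()
    try:
        v1_style = get_metadata(base, "/latest/meta-data/instance-id")
        proxied = get_token(base, extra_headers={"X-Forwarded-For": "203.0.113.7"})
        status, token = get_token(base)
        v2 = get_metadata(base, "/latest/meta-data/instance-id", token)
        return {"without_token": v1_style, "proxied_put": proxied[0], "with_token": v2}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

On a real instance, replace the base URL with http://169.254.169.254 and drop the fake server; the two requests in get_token and get_metadata are the exact exchange an IMDSv2 client performs.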
  • 571. Public IP or Elastic IP Address
  • 572. Media Access Control (MAC) Address
• 578. An EC2 instance's Elastic Network Interface is a VIRTUAL Network Interface Card, the counterpart of the PHYSICAL Network Interface Card in a server
  • 579. IP Addressing Elastic Network Interface Elastic IP Address Enhanced Networking Elastic Fabric Adapter (EFA)
  • 582. Elastic Network Interface • Primary private IPv4 address • Secondary private IPv4 addresses • One Elastic IP address per private IPv4 address • One public IPv4 address • One or more IPv6 addresses • One or more security groups • Media Access Control (MAC) address • Source-Destination check flag • Custom description
• 584. An EC2 instance has an IPv4 address (e.g. 192.168.2.5, a private address) and optionally an IPv6 address • CIDR – Classless Inter-Domain Routing • A method for allocating IP addresses • Also used for IP routing
• 585. Request For Comments 1918 (RFC 1918) defines the private IPv4 address ranges, such as the one 192.168.2.5 belongs to
• 587. RFC 1918 Private IP Address ranges (Class – CIDR Block Prefix – IP Address Range – Total IP Addresses):
Class A – 10.0.0.0/8 – 10.0.0.0 to 10.255.255.255 – over 16 million (16,777,216)
Class B – 172.16.0.0/12 – 172.16.0.0 to 172.31.255.255 – over 1 million (1,048,576)
Class C – 192.168.0.0/16 – 192.168.0.0 to 192.168.255.255 – over 64,000 (65,536)
• 595. Private IP Address – assigned from the subnet CIDR, reachable only within the VPC, and kept for the life of the instance • Public IP Address – reachable from the Internet
• 596. Public IP Address – a DYNAMIC address from Amazon's pool, assigned at launch and released when the instance is stopped or terminated • Elastic IP Address – a STATIC address allocated to your account that stays yours until you release it and can be re-associated with another instance or network interface
• 598. An Elastic IP Address can also be associated with a Network Load Balancer or a NAT Gateway, giving them a fixed address that partners can allow-list
  • 599. Features that enhances and accelerates the network capability of your EC2 instances: Elastic Fabric Adapter (EFA) Enhanced Networking
  • 600. • Based on the network adapter drivers of the underlying physical host • The network adapter drivers can be: • Intel® Network Adapter Virtual Function Driver • AWS-built custom-based network adapter driver called Elastic Network Adapter (ENA) • Network drivers provided by AWS or other companies • Similar to the “driver” or the software package that allows your computer to access a printer or other physical computer devices Enhanced Networking
  • 601. • Uses single root I/O virtualization or SR-IOV • Provides higher I/O performance and lower CPU utilization than the traditional virtualization techniques • Controlled by network drivers (software) • Provides: • Higher bandwidth • Consistent lower inter-instance latencies • Higher packet per second performance (PPS) Enhanced Networking
• 602. Enhanced networking drivers: Elastic Network Adapter (ENA) • Intel 82599 Virtual Function (VF) interface
• 603. Elastic Fabric Adapter (EFA) • An Elastic Network Interface (ENI) with additional capabilities • Can communicate directly with the network interface hardware without passing through the Linux kernel, known as OS-bypass • Provides low-latency and reliable transport functionality to your virtual machines • Accelerates the networking of your High-Performance Computing (HPC) and machine learning workloads • Enhances inter-instance communication (OS-bypass traffic stays within a single subnet; regular IP traffic through the EFA is routable like any ENI)
  • 605. Security Groups Network Access Control List (Network ACL)
  • 606. AWS Cloud VPC A N. Virginia Region SUBNET Network ACL Security Group
  • 607. AWS Cloud VPC A N. Virginia Region SUBNET 1 SUBNET 2 SUBNET 3 Network ACL EC2 Security Group Availability Zone 1 Availability Zone 2 Availability Zone 3 Network ACL Network ACL EC2 Security Group EC2 Security Group
• 608. [Diagram] N. Virginia Region, VPC A, SUBNET 1 with the Default Network ACL and SUBNET 2 with a Custom Network ACL
Default Network ACL: • Already exists by default • Can be modified • Allows all inbound and outbound traffic by default
Custom Network ACL: • You have to create it manually • Can be modified • Denies all inbound and outbound traffic until you add allow rules
• 609. Network ACL rules: Inbound Rules and Outbound Rules, each of which can Allow Traffic or Deny Traffic • A prefix of /32 denotes a single IP address; /24 denotes a CIDR block of 256 addresses • State: STATELESS, so response traffic must be allowed explicitly by a rule in the opposite direction
• 610. Ephemeral Ports • Short-lived port numbers that a client picks for its own side of a connection • The range varies depending on the Operating System
• 611. Common ephemeral port ranges: 32768 – 61000 (many Linux kernels) • 49152 – 65535 (Windows Server 2008 and later) • 1024 – 65535 (NAT gateways and Elastic Load Balancers) • Because a Network ACL is stateless, the Outbound Rules of a web subnet must allow TCP to the client's ephemeral port range, or the responses to allowed inbound requests are dropped
• 612. [Diagram] Network ACL Inbound Rules and Outbound Rules evaluated on traffic between the Internet and an EC2 instance in SUBNET 2
  • 614. Security Groups • A virtual firewall that controls the incoming and outgoing traffic of one or more EC2 instances • 1 EC2 instance can have one or more security groups • Cannot have an explicit DENY Rule (unlike Network ACL) • Aside from EC2 Instances, it can also be attached to Amazon RDS, Amazon ElastiCache and other AWS resources
• 615. Security Groups • Inbound Rules: allow incoming traffic; cannot explicitly DENY traffic; evaluated independently of the Outbound Rules • Outbound Rules: allow outgoing traffic that originates from the EC2 instance itself (examples: an EC2-initiated API call, scheduled OS patches); do not affect the response traffic of an allowed inbound connection
• 616. Security group rules are expressed at the transport layer of the Open Systems Interconnection (OSI) Model (TCP or UDP protocol and port) plus ICMP, not at the application layer (layer 7)
• 617. Common rules: HTTP – TCP 80 • HTTPS – TCP 443 • MSSQL – TCP 1433 • SMB – TCP 445 • MySQL – TCP 3306 • RDP – TCP 3389 • SSH – TCP 22 • ICMP – Ping
• 620. Security Groups: you can only ALLOW traffic (whitelisting / allow-listing); anything not matched by an allow rule is dropped
• 621. Default Security Group
• Already exists in your default VPC (and in every VPC you create)
• Has one inbound rule and one outbound rule by default
• Is attached to your EC2 instance if you did not specify a particular security group
• Its inbound rule allows incoming traffic only from resources that also use the default security group
• Its outbound rule allows all outgoing traffic that originates from the instance itself
Custom Security Group
• You have to create it manually
• Has a default outbound rule that allows all traffic
• Has no inbound rule, so all inbound traffic is denied until you add allow rules
• 623. Security Groups are STATEFUL: when the Inbound Rules allow a REQUEST (HTTP : 80, HTTPS : 443, SMB : 445, ICMP – Ping) to reach the EC2 instance, the response is allowed back out regardless of the Outbound Rules, and likewise the response to an allowed outbound connection is let back in
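Added example (not from the original slides): a Python simulation of one HTTP request and its response passing through a stateless Network ACL (numbered rules, first match wins, implicit deny) and through a stateful Security Group (allow rules only, connection tracking). It shows the failure mode behind slide 611: a Network ACL whose outbound rules allow only 80 and 443 drops the response to an allowed inbound request, while the same rule set with the 1024 – 65535 ephemeral range added lets it through, and a Security Group with no outbound rules at all still returns the response. The addresses, ports and rules are constructed sample data.

```python
"""Stateless network ACL vs stateful security group, simulated.

Added example, not from the original slides. Standard library only.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    number: int      # evaluation order for a network ACL; ignored by security groups
    proto: str       # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound
    action: str      # "allow" or "deny" (security groups only ever use "allow")


def _matches(rule, proto, port, peer_ip):
    return (rule.proto in (proto, "all")
            and rule.port_from <= port <= rule.port_to
            and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.cidr))


class NetworkAcl:
    """Stateless: every packet, responses included, is checked against its direction's rules."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def allows(self, pkt, direction):
        rules = self.inbound if direction == "in" else self.outbound
        peer = pkt.src_ip if direction == "in" else pkt.dst_ip
        for r in rules:                       # lowest rule number first
            if _matches(r, pkt.proto, pkt.dst_port, peer):
                return r.action == "allow"
        return False                          # the implicit '*' deny rule


class SecurityGroup:
    """Stateful: the response to an already-allowed flow passes without consulting rules."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self._tracked = set()

    def allows(self, pkt, direction):
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reverse in self._tracked:
            return True                       # response to a connection already permitted
        rules = self.inbound if direction == "in" else self.outbound
        peer = pkt.src_ip if direction == "in" else pkt.dst_ip
        if any(_matches(r, pkt.proto, pkt.dst_port, peer) for r in rules):
            self._tracked.add(flow)
            return True
        return False


def http_round_trip(filter_, client="203.0.113.10", server="10.0.1.10", client_port=51000):
    """Return (request_allowed, response_allowed) for one HTTP exchange through the filter."""
    request = Packet(client, client_port, server, 80)
    response = Packet(server, 80, client, client_port)   # destination port is the client's ephemeral port
    req_ok = filter_.allows(request, "in")
    resp_ok = req_ok and filter_.allows(response, "out")
    return req_ok, resp_ok


ANY = "0.0.0.0/0"
HTTP_IN = [Rule(100, "tcp", 80, 80, ANY, "allow")]
# Outbound rule set that forgets the client's ephemeral port range:
HTTP_OUT_ONLY = [Rule(100, "tcp", 80, 80, ANY, "allow"), Rule(110, "tcp", 443, 443, ANY, "allow")]
# Corrected outbound set with the ephemeral range added:
WITH_EPHEMERAL = HTTP_OUT_ONLY + [Rule(120, "tcp", 1024, 65535, ANY, "allow")]


def demo():
    return {
        "nacl_without_ephemeral": http_round_trip(NetworkAcl(HTTP_IN, HTTP_OUT_ONLY)),
        "nacl_with_ephemeral": http_round_trip(NetworkAcl(HTTP_IN, WITH_EPHEMERAL)),
        "security_group_no_outbound_rules": http_round_trip(SecurityGroup(HTTP_IN, [])),
    }


if __name__ == "__main__":
    print(demo())
```

The NetworkAcl class also models explicit deny: a deny rule for a CIDR numbered below the allow rule blocks that source, which is the one thing a security group cannot express.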
  • 624. Security Groups EC2 Amazon EC2 Amazon RDS Amazon Aurora Amazon ElastiCache
  • 625. Security Groups • You can’t apply a security group or network ACL to your Amazon S3 buckets • Both of these features do not provide enough protection against Cross-Site Scripting or SQL Injection attacks • These two are also inefficient in geographic match conditions or blocking certain countries Network Access Control List (Network ACL) + AWS Web Application Firewall (AWS WAF)
  • 626. Security Groups Network Access Control List (Network ACL) + VPC Flow Logs
• 629. [Diagram] US East (Ohio) us-east-2 has three Availability Zones (Availability Zone 1, 2 and 3), each made up of multiple Data Centers
• 630. [Diagram] When you launch an instance, the Amazon EC2 Service decides where to place it ("I'll place you…") on a host in one Data Center of the Availability Zone you chose, here Availability Zone 3
• 634. CLUSTER placement group • A logical group of instances packed onto a network building block (racks within one Availability Zone) with a special routing configuration • Provides low-latency network performance and high network throughput between the instances; intended for tightly coupled HPC-style workloads
• 635. PARTITION placement group • Splits the group into partitions (up to 7 per Availability Zone); each partition has its own racks, so a hardware failure in one partition does not affect the others • Commonly used for large distributed and replicated workloads such as Hadoop, Cassandra, and Kafka
• 636. SPREAD placement group • Each instance is placed on distinct underlying hardware (a maximum of 7 running instances per Availability Zone per group) • Reduces correlated failures and improves availability for a small number of critical instances
  • 637. Auto Scaling group EC2 EC2 EC2 EC2 EC2 EC2 EC2 EC2 EC2 Placement Group
  • 638. Amazon EC2 Auto Scaling Overview
  • 639. Private subnet Auto Scaling group Public subnet Number of requests: 1 10 100 1000 100 1 AMI
  • 640. Private subnet Auto Scaling group Public subnet Number of requests: 1 10 100 1000 100
  • 641. ELASTICITY • The ability to dynamically acquire or release resources when you need them • Can be easily done in the cloud since it has hundreds of thousands of servers • Improves the performance of your application when it is experiencing a surge of requests • Avoids over-provisioning of your resources • Lowers down your operating costs significantly by eliminating idle resources
  • 643. On-premises data center RIGID and NOT FLEXIBLE
  • 644. SCALING TYPES VERTICAL SCALING HORIZONTAL SCALING
• 645. VERTICAL SCALING: SCALE UP from a small Amazon EC2 instance type (10 vCPU, 100 GB) to a large one (30 vCPU, 300 GB), or SCALE DOWN in the other direction; changing the instance type requires the instance to be stopped and started, and the largest instance type is the ceiling
  • 647. HORIZONTAL SCALING SCALE OUT SCALE IN Amazon Machine Image (AMI)
  • 650. Amazon EC2 Auto Scaling AUTO SCALING GROUP CONFIGURATION TEMPLATE SCALING OPTION
  • 651. AUTO SCALING GROUP • Organizes your Amazon EC2 instances into groups • A logical unit for scaling and management • Must have a setting for the minimum, maximum, and desired number of Amazon EC2 instances
• 652. CONFIGURATION TEMPLATE • Types: Launch Template, Launch Configuration • Acts as the template for your Auto Scaling Group, containing the AMI ID, the instance type, the key pair, the security groups, the block device mapping, user data, IAM instance profile and others • Use a Launch Template rather than a Launch Configuration: launch configurations are a legacy feature that cannot be edited once created and do not support newer capabilities such as versioning or mixing instance types and purchase options in one group
  • 653. SCALING OPTION • Types: • Dynamic • Predictive • Scheduled • Allows you to choose the suitable scaling behavior of your Auto Scaling Group.
• 654. Auto Scaling group timing controls • INSTANCE WARM-UP: the period after launch during which a new instance (NOT YET READY TO ACCEPT CONNECTIONS) is excluded from the group's metrics, until it is READY TO ACCEPT CONNECTIONS • COOLDOWN: the pause after a scaling activity before another scaling activity can start • LIFECYCLE HOOKS: custom actions that run while the instance waits in the Pending:Wait or Terminating:Wait state
  • 655. Amazon EC2 Auto Scaling Types
  • 656. SIMPLE SCALING STEP SCALING TARGET TRACKING SCHEDULED SCALING AMAZON EC2 AUTO SCALING TYPES
  • 657. SIMPLE SCALING • Automatically increases or decreases the current capacity of your Auto Scaling Group based on a single scaling adjustment CPU UTILIZATION ALARM THRESHOLD Auto Scaling Group Amazon CloudWatch A L A R M COOL DOWN
  • 658. • Automatically increases or decreases the current capacity of your Amazon EC2 Auto Scaling group based on a set of scaling adjustments, also known as step adjustments • Also requires the use of CloudWatch alarms with specified high and low thresholds as well as a defined action that either adds or removes instances • Also supports setting the Auto Scaling group to an exact size or a fixed capacity unit in the event that your CloudWatch alarm threshold was breached • Unlike Simple Scaling policy, it can continue to respond to additional CloudWatch alarms, even if the current scaling activity or health check replacement is already in progress STEP SCALING COOL DOWN
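Added example (not from the original slides): a Python evaluator for a step scaling policy, implementing the documented selection of a step adjustment and the clamp to the group's minimum and maximum size. Each step has a lower and upper bound expressed as a difference from the CloudWatch alarm threshold; above the threshold the lower bound is inclusive and the upper exclusive, below it the lower is exclusive and the upper inclusive. The thresholds, step adjustments and group sizes are constructed samples; the rounding rule for PercentChangeInCapacity follows the Amazon EC2 Auto Scaling documentation (toward zero, but never to zero for a non-zero change).

```python
"""Evaluate a step scaling policy for one metric value.

Added example, not from the original slides. Standard library only.
"""
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StepAdjustment:
    lower: Optional[float]   # MetricIntervalLowerBound, None = -infinity
    upper: Optional[float]   # MetricIntervalUpperBound, None = +infinity
    adjustment: int          # ScalingAdjustment


def _in_step(step, delta, scale_out):
    lo = -math.inf if step.lower is None else step.lower
    hi = math.inf if step.upper is None else step.upper
    return (lo <= delta < hi) if scale_out else (lo < delta <= hi)


def _round_percent(value):
    """PercentChangeInCapacity rounding: toward zero, but a non-zero change is at least +/-1."""
    if 0 < value < 1:
        return 1
    if -1 < value < 0:
        return -1
    return math.trunc(value)


def evaluate_step_policy(metric, threshold, steps, current, min_size, max_size,
                         adjustment_type="ChangeInCapacity", min_adjustment_magnitude=0):
    """Return the new desired capacity; unchanged when no step matches the breach."""
    delta = metric - threshold
    scale_out = delta >= 0
    for step in steps:
        if not _in_step(step, delta, scale_out):
            continue
        if adjustment_type == "ExactCapacity":
            desired = step.adjustment
        elif adjustment_type == "PercentChangeInCapacity":
            change = _round_percent(current * step.adjustment / 100)
            if abs(change) < min_adjustment_magnitude:   # MinAdjustmentMagnitude applies here
                change = min_adjustment_magnitude if change > 0 else -min_adjustment_magnitude
            desired = current + change
        else:  # ChangeInCapacity
            desired = current + step.adjustment
        return max(min_size, min(max_size, desired))    # never leave the group's size range
    return current


# Constructed sample: scale-out policy attached to a "CPU >= 60%" alarm.
SCALE_OUT_STEPS = [
    StepAdjustment(0, 10, 1),       # 60% <= CPU < 70%: add 1 instance
    StepAdjustment(10, 20, 2),      # 70% <= CPU < 80%: add 2
    StepAdjustment(20, None, 3),    # CPU >= 80%: add 3
]
# Constructed sample: scale-in policy attached to a "CPU <= 40%" alarm.
SCALE_IN_STEPS = [
    StepAdjustment(-10, 0, -1),     # 30% < CPU <= 40%: remove 1
    StepAdjustment(None, -10, -2),  # CPU <= 30%: remove 2
]


if __name__ == "__main__":
    for cpu in (65, 75, 95):
        print(cpu, "->", evaluate_step_policy(cpu, 60, SCALE_OUT_STEPS, 4, 2, 10))
    for cpu in (35, 10):
        print(cpu, "->", evaluate_step_policy(cpu, 40, SCALE_IN_STEPS, 4, 2, 10))
```

Because every breach is evaluated against the full step list, the policy keeps responding while an earlier activity is still in progress, which is the difference from simple scaling described above.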
  • 659. • Automatically increases or decreases the current capacity of your Auto Scaling group based on a target value for a specific metric • Maintains and adjusts the number of EC2 instances in your Auto Scaling group based on the target that you specify TARGET TRACKING
• 660. TARGET TRACKING example: target = 50% AVERAGE CPU UTILIZATION across ALL EC2 INSTANCES in the Auto Scaling Group; the Amazon CloudWatch alarms that the policy creates fire when the average rises to about 80% (scale out) or falls to about 30% (scale in), and the group is adjusted to bring the average back toward 50%
  • 661. TARGET TRACKING WORKS LIKE A THERMOSTAT!
  • 662. TARGET TRACKING • If you’ve determined the optimal performance of your web application and you want to maintain its desired performance across all EC2 instances of your Auto Scaling group • If your application works best when the combined CPU utilization of your Amazon EC2 instances is at or near a certain percentage (e.g. 40% ). You can set up a target tracking policy with a metric type of “Average CPU utilization” and a 40% target value USE CASES
  • 663. TARGET TRACKING • Tracking of a certain metric that is produced by your application. You can track the average network in or network out of all your instances • You can use the request count per target ( ALBRequestCountPerTarget) metric of your Application Load Balancer as the metric type for your Target Tracking policy USE CASES
  • 664. • Automatically increases or decreases the current capacity of your Auto Scaling group based on a set schedule that you define • Allows you to set up your own scheduled scaling based on the predictable load changes of your application. SCHEDULED SCALING
• 665. SCHEDULED SCALING USE CASES Month-end Batch Processing Scenario • The application slows down significantly while the month-end financial calculation batch runs • The batch immediately drives the CPU utilization of your EC2 instances to 100% • It always starts at midnight on the first day of every month • Solution: set a scheduled scaling action with a monthly recurrence that scales out before the clock hits midnight on the first day of the month, so that more EC2 instances are already in service when the peak load arrives
• 666. SCHEDULED SCALING USE CASES Holidays and Public Announcements • Provides a consistent user experience by scaling your Auto Scaling group a few hours before your event or a specific holiday • Scaling out takes time: each new instance has to launch, run its user data and pass health checks, and the cooldown or warm-up period throttles successive scaling activities, so it may take an hour or more to fully match the current load. This is why you have to scale out early • A scheduled scaling action set up beforehand reduces the performance issues of your application
• 667. SCHEDULED SCALING USE CASES Slow site every morning when the workday begins • The application is sluggish right when the workday begins (e.g. 8 AM) but usually runs well by mid-morning (e.g. 10 AM) or by lunchtime • New instances launch more slowly than the number of incoming requests grows • For example, your Auto Scaling group scales up to 20 or 25 instances during work hours, but scales down to just 2 instances overnight • In the morning it takes a few hours for the scaling process to complete, extending to mid-morning or lunchtime, because there are only 2 instances at the start of the day; a scheduled action that raises the minimum size before 8 AM fixes this
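The scenarios above come down to two mechanisms: target tracking reacts to the metric it observes, and a scheduled action adds capacity before the metric moves. The toy simulation below is an added illustration, not code from the course; the instance launch time (10 minutes), the cooldown (5 minutes) and the load profile (2 instances' worth of 40% CPU overnight, 20 instances' worth from 08:00) are assumptions chosen to reproduce the "slow every morning" case. It shows the proportional formula target tracking uses and how long the fleet stays overloaded with and without the scheduled action.

```python
"""Toy model of an EC2 Auto Scaling group run by a target tracking policy
(average CPU) with an optional scheduled action.  Added illustration, not
code from the course: the launch time, cooldown and load profile below are
assumptions chosen to reproduce the 'slow every morning' scenario."""
import math
from dataclasses import dataclass, field
from typing import List, Optional


def target_tracking_desired(in_service: int, avg_cpu: float, target_cpu: float,
                            min_size: int, max_size: int) -> int:
    """Capacity that brings the group's average CPU back to the target.
    Target tracking is proportional: desired = ceil(current * metric / target),
    clamped to the group's minimum and maximum size."""
    wanted = math.ceil(in_service * avg_cpu / target_cpu)
    return max(min_size, min(max_size, wanted))


@dataclass
class AutoScalingGroup:
    min_size: int
    max_size: int
    desired: int
    target_cpu: float                       # target value of the policy (%)
    launch_minutes: int = 10                # assumed boot + user-data time
    cooldown_minutes: int = 5               # assumed gap between scale-outs
    in_service: int = field(init=False)
    launching: List[int] = field(default_factory=list)  # minutes left per new instance
    last_scale_out: int = -10_000

    def __post_init__(self) -> None:
        self.in_service = self.desired

    def _launch(self, minute: int, count: int) -> None:
        if count > 0:
            self.launching += [self.launch_minutes] * count
            self.last_scale_out = minute

    def scheduled_action(self, minute: int, min_size: int, desired: int) -> None:
        """A scheduled scaling action firing at `minute`: raises the minimum
        size and launches instances up to the requested desired capacity."""
        self.min_size = min_size
        self._launch(minute, desired - (self.in_service + len(self.launching)))

    def tick(self, minute: int, load_units: float) -> float:
        """Advance one minute and return the observed average CPU.  `load_units`
        is the total work offered; one unit keeps one instance 1% busy."""
        self.launching = [m - 1 for m in self.launching]
        ready = sum(1 for m in self.launching if m <= 0)
        self.launching = [m for m in self.launching if m > 0]
        self.in_service += ready            # instances finish bootstrapping
        avg_cpu = load_units / self.in_service
        wanted = target_tracking_desired(self.in_service, avg_cpu, self.target_cpu,
                                         self.min_size, self.max_size)
        total = self.in_service + len(self.launching)
        if wanted > total and minute - self.last_scale_out >= self.cooldown_minutes:
            self._launch(minute, wanted - total)
        elif wanted < total and not self.launching:
            self.in_service = wanted        # scale in (simplified: immediate)
        return avg_cpu


def simulate(scheduled_minute: Optional[int]) -> dict:
    """Run 06:00-12:00 (minute 0 = 06:00).  Constructed load: 2 instances' worth
    of 40% CPU overnight, 20 instances' worth from 08:00 (minute 120)."""
    asg = AutoScalingGroup(min_size=2, max_size=25, desired=2, target_cpu=40.0)
    overloaded = 0
    for minute in range(360):
        if scheduled_minute is not None and minute == scheduled_minute:
            asg.scheduled_action(minute, min_size=20, desired=20)
        load = 800.0 if minute >= 120 else 80.0
        if asg.tick(minute, load) > 100.0:   # requests outrun the fleet
            overloaded += 1
    return {"overloaded_minutes": overloaded, "final_capacity": asg.in_service}


if __name__ == "__main__":
    print("target tracking only      :", simulate(None))
    print("scheduled action at 07:30 :", simulate(90))
```

With target tracking alone the group is overloaded for the whole launch time after 08:00; with the scheduled action at 07:30 the 20 instances are already in service when the load arrives. Real groups also let you set an instance warm-up so that launching instances are not counted in the metric, which the model approximates by keeping them out of `in_service`.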
• 668. Amazon EC2 Lifecycle Hooks
• 669. Hooks • A function that is executed automatically on a certain event • Lets you influence the outcome of a workflow based on criteria that you define • Can stop, skip, or replace the function that would otherwise run at a particular point of the lifecycle • The same concept is used in programming languages, version control systems, and other programs
• 670. Hooks [Figure: Git hook example. A commit to the repository triggers a hook that runs the integration tests; PASS lets the commit (and later the push) proceed, FAIL blocks the commit]
• 671. Hooks [Figure: component lifecycle hooks in React and Angular: mounting, updating, unmounting]
• 672. Amazon EC2 Instance Lifecycle [Figure: an AMI launches an instance into the pending state; it then moves to running and may go through rebooting, stopping/stopped (Amazon EBS-backed instances only), shutting-down and terminated. Auto Scaling lifecycle hooks add the Pending:Wait → Pending:Proceed states before the instance enters service and the Terminating:Wait → Terminating:Proceed states before it is terminated]
• 673. Amazon EC2 Instance Lifecycle • During the scale-out event of your Auto Scaling group you can: • Ensure that your new EC2 instances download the latest code base from your repository • Verify that the EC2 user data has completed successfully before the instance starts accepting traffic • Use the Pending:Wait lifecycle hook (a hook on the autoscaling:EC2_INSTANCE_LAUNCHING transition) for this scenario • During the scale-in event of your Auto Scaling group you can: • Pause the instance termination for a certain amount of time to upload the remaining data logs before the instance is terminated • Execute a custom shell script • Use the Terminating:Wait lifecycle hook (autoscaling:EC2_INSTANCE_TERMINATING transition) for these use cases • Note: the hook waits only until its heartbeat timeout (1 hour by default) expires without a CompleteLifecycleAction call, after which the hook’s default result applies (ABANDON unless configured otherwise, which terminates a launching instance)
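What "using the Pending:Wait hook" looks like in code: the hook delivers a JSON notification, something does the bootstrap verification or log upload, and then calls CompleteLifecycleAction with CONTINUE or ABANDON. The handler below is an added example, not course code. It parses the notification shape Auto Scaling sends to SQS/SNS (and the EventBridge form, which nests the same fields under "detail"), and builds the parameters for the API call; the sample notification, the hook name and the `work_succeeded` flag standing in for the real user-data check are constructed. The boto3 call is shown but not executed.

```python
"""Handling an Auto Scaling lifecycle hook notification.  Added example, not
course code: it parses the JSON that the hook delivers (to an SQS queue, an
SNS topic or an EventBridge-triggered Lambda), takes the outcome of the
in-hook work (here a constructed flag) and builds the parameters for the
CompleteLifecycleAction call.  The boto3 call is shown but not executed."""
import json
from typing import Optional

LAUNCHING = "autoscaling:EC2_INSTANCE_LAUNCHING"        # Pending:Wait
TERMINATING = "autoscaling:EC2_INSTANCE_TERMINATING"    # Terminating:Wait
REQUIRED = ("LifecycleHookName", "AutoScalingGroupName", "LifecycleActionToken",
            "EC2InstanceId", "LifecycleTransition")

# Constructed sample in the shape Auto Scaling sends to SQS/SNS for a launch hook.
SAMPLE_NOTIFICATION = json.dumps({
    "LifecycleHookName": "wait-for-user-data",
    "AccountId": "123456789012",
    "RequestId": "0f0a8c1e-example",
    "LifecycleTransition": LAUNCHING,
    "AutoScalingGroupName": "web-asg",
    "Service": "AWS Auto Scaling",
    "Time": "2024-01-01T00:00:00.000Z",
    "EC2InstanceId": "i-0123456789abcdef0",
    "LifecycleActionToken": "11111111-2222-3333-4444-555555555555",
})


def parse_notification(body: str) -> Optional[dict]:
    """Return the hook fields from a queue/topic message body or an EventBridge
    event (which nests them under "detail"); None for the test notification
    Auto Scaling sends when the hook is first configured."""
    payload = json.loads(body)
    if payload.get("Event") == "autoscaling:TEST_NOTIFICATION":
        return None
    fields = payload.get("detail", payload)
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"lifecycle notification is missing {missing}")
    if fields["LifecycleTransition"] not in (LAUNCHING, TERMINATING):
        raise ValueError(f"unexpected transition {fields['LifecycleTransition']!r}")
    return {k: fields[k] for k in REQUIRED}


def decide(hook: dict, work_succeeded: bool) -> dict:
    """Build the CompleteLifecycleAction parameters.
    Launch hook: CONTINUE puts the instance InService; ABANDON terminates it,
    which is the safe outcome when user data or the health check failed, so a
    half-configured instance never receives traffic.
    Termination hook: once the logs are drained, CONTINUE; ABANDON would also
    terminate the instance but skips any remaining hooks."""
    if hook["LifecycleTransition"] == LAUNCHING:
        result = "CONTINUE" if work_succeeded else "ABANDON"
    else:
        result = "CONTINUE"
    return {
        "LifecycleHookName": hook["LifecycleHookName"],
        "AutoScalingGroupName": hook["AutoScalingGroupName"],
        "LifecycleActionToken": hook["LifecycleActionToken"],
        "InstanceId": hook["EC2InstanceId"],
        "LifecycleActionResult": result,
    }


if __name__ == "__main__":
    hook = parse_notification(SAMPLE_NOTIFICATION)
    params = decide(hook, work_succeeded=True)
    print(json.dumps(params, indent=2))
    # With boto3 and credentials the API calls are (not run here):
    #   client = boto3.client("autoscaling")
    #   client.complete_lifecycle_action(**params)
    # and, if the work needs longer than the hook's heartbeat timeout:
    #   client.record_lifecycle_action_heartbeat(
    #       LifecycleHookName=..., AutoScalingGroupName=...,
    #       LifecycleActionToken=..., InstanceId=...)
```

The deliberate choice is ABANDON on a failed launch: letting a broken instance through to InService would put it behind the load balancer, while ABANDON terminates it and the group launches a replacement.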
• 675. Amazon EBS • EBS stands for Elastic Block Store • A block storage service, like the Amazon EC2 instance store • Its data is persistent: it survives the instance being stopped or restarted, and survives termination as long as the volume’s DeleteOnTermination flag is off (the flag is on by default for root volumes) • Zonal in scope, meaning a volume exists in a single Availability Zone • Can only be attached to EC2 instances in the same Availability Zone • Can be encrypted at rest using AWS KMS • You can attach one or more EBS volumes to a single EC2 instance
• 676. Amazon EBS • Suitable for a variety of workloads such as databases, enterprise applications, big data analytics engines, file systems, media workflows, and others • Stores and retrieves your data with high throughput and low latency • The EC2 instance and its attached EBS volumes are both located within a single Availability Zone, which keeps latency low • Because the physical hardware that powers the instance and the volume sits in the same Availability Zone, EBS delivers low-latency read and write access to your data • Presents a raw block device to the operating system, which formats and mounts it like a local disk
• 677. [Figure: block storage splits data into fixed-size blocks. Two 4 KB files (8 KB in total) stored with a 4 KB block size occupy two blocks]
• 680. RAID (Redundant Array of Independent Disks) • RAID 0: stripes multiple volumes together; divides a body of data into blocks and spreads the blocks across multiple storage devices; provides greater I/O performance; suitable if I/O performance is your priority (caveat: losing any one volume loses the whole array, so back it up with snapshots) • RAID 1: mirrors two or more volumes together; duplicates data to provide on-instance redundancy and more durability and availability; suitable if data redundancy is your focus
• 682. Amazon Elastic Block Store (Amazon EBS): SSD vs HDD • Solid State Drive (SSD): dominant performance attribute IOPS (input/output operations per second); fast; for workloads with frequent read/write operations; can be used as the EC2 boot volume: Yes • Hard Disk Drive (HDD): dominant performance attribute throughput (megabytes per second, MB/s); slow; for data archiving, backups or throughput-oriented storage; can be used as the EC2 boot volume: No
• 683. Amazon EBS Snapshots • An incremental backup that internally uses Amazon S3 to persist your data • Only the data blocks that changed since your most recent snapshot are saved • Let you restore the state of your EBS volume in the event of data loss • Can be copied to another AWS Region for data migration or disaster recovery • Can be used to encrypt an unencrypted EBS volume: copy the snapshot with encryption enabled, then create a new volume from the encrypted copy • Automate the creation, retention, and deletion of your EBS snapshots and EBS-backed AMIs with Amazon Data Lifecycle Manager (Amazon DLM) • Caveat: a snapshot of an unencrypted volume is unencrypted, and any account (or the public) the snapshot is shared with can create volumes from it, so review snapshot sharing as carefully as bucket policies
• 684. Amazon EBS Encryption • Uses AWS KMS keys (the AWS managed key aws/ebs, or a customer managed key) • Encryption at rest covers the EBS volume and its snapshots (persisted in an internal Amazon S3 bucket) • Encryption in transit covers the data moving between the EC2 instance and the volume • “Encryption by default” makes every new volume and snapshot copy encrypted, but it is an account-level setting that must be enabled manually in each AWS Region
• 686. Amazon EC2 Instance volumes • Root EBS volume: contains the system image used to boot the EC2 instance • Other data volumes: additional EBS volumes attached to the instance
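"Incremental" in slide 683 is easy to state and harder to picture: each snapshot uploads only changed blocks, yet any single snapshot restores the whole volume, and deleting one snapshot never breaks the others. The model below is an added illustration, not AWS code. A volume is a byte string split into blocks (4 bytes here for readability, where EBS snapshots work on 512 KiB blocks), blocks are stored by content hash, and the sample volume history is constructed.

```python
"""Model of incremental EBS snapshots.  Added illustration, not AWS code: a
volume is a sequence of fixed-size blocks, a snapshot uploads only the blocks
that differ from its parent, restore rebuilds the full volume from whatever
snapshots remain, and deleting a snapshot frees only blocks that no other
snapshot still references.  The 4-byte block size is chosen for readability."""
import hashlib
from typing import Dict, Optional

BLOCK = 4  # bytes per block in this model


class SnapshotStore:
    def __init__(self) -> None:
        self.blocks: Dict[str, bytes] = {}              # content hash -> block data
        self.snapshots: Dict[str, Dict[int, str]] = {}  # snapshot id -> {index: hash}

    def create(self, snap_id: str, volume: bytes, parent: Optional[str] = None) -> int:
        """Snapshot `volume`; returns how many blocks actually had to be uploaded."""
        parent_map = self.snapshots.get(parent, {}) if parent else {}
        manifest: Dict[int, str] = {}
        uploaded = 0
        for offset in range(0, len(volume), BLOCK):
            index, chunk = offset // BLOCK, volume[offset:offset + BLOCK]
            digest = hashlib.sha256(chunk).hexdigest()
            manifest[index] = digest
            if parent_map.get(index) != digest:    # changed since the parent snapshot
                self.blocks[digest] = chunk
                uploaded += 1
        self.snapshots[snap_id] = manifest
        return uploaded

    def restore(self, snap_id: str) -> bytes:
        """Rebuild the whole volume from one snapshot, regardless of which
        earlier snapshots in the chain have been deleted."""
        manifest = self.snapshots[snap_id]
        return b"".join(self.blocks[manifest[i]] for i in sorted(manifest))

    def delete(self, snap_id: str) -> int:
        """Delete a snapshot; returns the number of blocks that became unreferenced."""
        del self.snapshots[snap_id]
        live = {h for m in self.snapshots.values() for h in m.values()}
        dead = [h for h in self.blocks if h not in live]
        for h in dead:
            del self.blocks[h]
        return len(dead)


def demo() -> dict:
    """Constructed history: a 4-block volume, then one block rewritten per snapshot."""
    store = SnapshotStore()
    v1 = b"AAAABBBBCCCCDDDD"
    v2 = b"AAAABBBBXXXXDDDD"   # block 2 rewritten
    v3 = b"AAAABBBBXXXXYYYY"   # block 3 rewritten
    up1 = store.create("snap-1", v1)
    up2 = store.create("snap-2", v2, parent="snap-1")
    up3 = store.create("snap-3", v3, parent="snap-2")
    freed = store.delete("snap-2")        # remove the middle of the chain
    return {"uploaded": (up1, up2, up3), "freed_after_delete": freed,
            "restore_v3_ok": store.restore("snap-3") == v3,
            "restore_v1_ok": store.restore("snap-1") == v1}


if __name__ == "__main__":
    print(demo())
```

The first snapshot uploads all four blocks, the next two upload one block each, and deleting the middle snapshot frees nothing because its blocks are still referenced by the snapshots on either side; both remaining snapshots still restore completely.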
  • 687. Solid State Drive (SSD) Hard Disk Drive (HDD)
• 688. Solid State Drive (SSD) • Suitable for transactional workloads • For applications and systems with frequent read/write operations of small I/O sizes • Performance attribute: IOPS
• 689. Solid State Drive (SSD) types: General Purpose SSD (gp2, gp3) and Provisioned IOPS SSD (io1, io2)
• 690. Solid State Drive (SSD) • General Purpose SSD (gp): provides a balance of price and performance; recommended for most workloads; also suitable for apps with unpredictable or unknown access patterns • Provisioned IOPS SSD (io): provides configurable and consistent IOPS so you can accommodate changes in your data storage requirements
• 691. Solid State Drive (SSD): General Purpose SSD (gp) • Suitable for low-latency interactive apps in production as well as your development and test environments • For infrequently accessed applications or systems that only peak at certain times of the day or have varying disk I/O • Provides ample IOPS for your applications, though not on par with what a Provisioned IOPS volume can give • The most cost-effective SSD option that does NOT sacrifice performance
• 692. Solid State Drive (SSD): Provisioned IOPS SSD (io) • Primarily used for mission-critical, low-latency, or high-throughput workloads • Provides sub-millisecond latency and consistent IOPS performance • Lets you set the amount of IOPS available on your EBS volume
• 693. Solid State Drive (SSD): Provisioned IOPS SSD (io) use cases • Hosting data for applications that make small reads and writes to a small file system • Applications that require a high, sustained number of read and write IOPS • Fixing latency issues • Scenarios where database storage performance is the bottleneck • Storage systems that require configurable and consistent IOPS • ...and many more!
• 694. Amazon EBS Multi-Attach [Figure: a single Provisioned IOPS SSD (io) volume attached to several Amazon EC2 Nitro-based instances at once, with the note “No concurrent file modification” on the shared File-Manila.txt] • Multi-Attach works only with Provisioned IOPS volumes and Nitro-based instances in the same Availability Zone • Caveat: the volume does not coordinate writes between instances, so standard file systems such as ext4 or XFS are unsafe to share; use a cluster-aware file system or have the application serialize its writes
• 695. Hard Disk Drive (HDD) • Optimized for large streaming workloads • For applications and systems with large, sequential I/O operations • Performance attribute: throughput (MB/s)
• 696. Hard Disk Drive (HDD) types: Throughput Optimized HDD (st1) and Cold HDD (sc1)
• 697. Hard Disk Drive (HDD): Throughput Optimized HDD (st) • A low-cost HDD designed for frequently accessed, throughput-intensive workloads • Can be used for big data applications, data warehouses, and log processing • Cannot be used as your boot (root device) volume
• 698. Hard Disk Drive (HDD): Cold HDD (sc) • Lowest-cost EBS storage type • Meant for less frequently accessed workloads • The most cost-effective EBS option for data that is effectively archived, since its throughput is substantially lower than that of st1 • Suitable as throughput-oriented storage for infrequently accessed data • Perfect for scenarios where the lowest storage cost is of the utmost importance • Like st1, cannot be used as a boot volume
• 699. ANTI-PATTERNS • If you just need temporary storage for your data, use the EC2 instance store instead • If you have to store application or system data in a POSIX-compliant hierarchical directory structure, use Amazon EFS instead • If multiple applications need to access the same files concurrently, use Amazon EFS or Amazon FSx instead • If you need to store static data in the most cost-effective way, it is more appropriate and cheaper to store it in Amazon S3
  • 700. Amazon Elastic Load Balancing Overview
• 701. Elastic Load Balancing: the distribution of traffic to underlying resources such as Amazon EC2 instances, AWS Lambda functions, Amazon ECS tasks, AWS Fargate tasks, Amazon EKS clusters, and custom IP addresses
• 702. [Figure: SIMPLE ROUTING POLICY. A DNS name points at a single server (52.44.107.223). While the website status is UP, users are served; during OS patching or system maintenance, or on critical application or system errors, the status is DOWN and every user is affected]
• 703. [Figure: FAILOVER ROUTING POLICY. The DNS record points at a primary server (status UP) and switches to a secondary server when the primary goes DOWN, so the site stays UP]
• 704. [Figure: WEIGHTED ROUTING POLICY and MULTIVALUE ANSWER ROUTING POLICY as a contrast to a load balancer. DNS-based distribution splits the incoming load by fixed weights (e.g. 40% / 60%) or returns addresses randomly rather than by the actual health or load of each server: some servers are overutilized (CPU utilization at or over 100%) while others are underutilized, and one site shows slight degradation. There is no routing algorithm, and the approach lacks the security features of a load balancer]
• 705. [Figure: a Load Balancer inside a Region, spanning a public subnet in AZ 1 and another in AZ 2, giving a balanced distribution of incoming traffic through the use of a routing algorithm]
• 706. Elastic Load Balancing TYPES • Application Load Balancer (ALB): protocol listeners HTTP / HTTPS and gRPC; use cases: web apps, microservices and containers; routing algorithm: Round Robin or Least Outstanding Requests (LOR) • Network Load Balancer (NLB): protocol listeners TCP / UDP and TLS; use cases: handling millions of requests per second while maintaining ultra-low latencies; routing algorithm: flow hash • Gateway Load Balancer (GWLB): protocol listener IP; use cases: running third-party virtual appliances in AWS; routing: IP listener routing that leverages the GENEVE protocol • Classic Load Balancer (CLB): protocol listeners HTTP / HTTPS, TCP and SSL/TLS; use cases: legacy applications in AWS, custom security policies and TCP passthrough configuration; routing algorithm: Round Robin (TCP listeners) or Least Outstanding Requests (HTTP/HTTPS listeners)
• 709. TARGET GROUP [Figure: a target group registers the targets that receive traffic: Amazon EC2 instances, AWS Lambda functions, Amazon ECS tasks, AWS Fargate tasks, Amazon EKS clusters, custom IP addresses]
• 712. [Figure: an ELB in the US-EAST-1 Region, deployed across public subnet A and public subnet B, forwarding to two target groups]
• 713. [Figure: multi-Region setup. US-EAST-1 and US-EAST-2 each have their own ELB with two target groups; Route 53 or AWS Global Accelerator directs users to the Regions]
• 714. [Figure: in US-EAST-1, a target group backed by an Auto Scaling group across Availability Zones 1 and 2 grows and shrinks with the RequestCountPerTarget metric as the number of requests goes from 1 to 10, 100, 1000 and back down; a target group with no Auto Scaling group has to be resized by a manual process]
• 715. Amazon Elastic Load Balancing TYPES
  • 716. Application Load Balancer Network Load Balancer Gateway Load Balancer Classic Load Balancer
• 717. Application Load Balancer • Primarily used for load balancing HTTP and HTTPS traffic • Suitable for web applications • Works on Layer 7 (Application Layer) of the OSI model • Supports the Round Robin (default) and Least Outstanding Requests (LOR) routing algorithms • Target types: Amazon EC2 instance, AWS Lambda function, IP address • Supported protocol listeners: HTTP, HTTPS, and gRPC • Also supports WebSockets and HTTP/2 • Can be integrated with AWS Global Accelerator, AWS Config, AWS WAF and other services
• 718. Application Load Balancer • Notable features: advanced routing via listener rule condition types; connection draining (deregistration delay); idle connection timeout; cross-zone load balancing; preserving the source IP address (passed to targets in the X-Forwarded-For header); slow start • Security features: SSL offloading; Server Name Indication (SNI); back-end server encryption; user authentication (Amazon Cognito or an OIDC provider); Application-Layer Protocol Negotiation (ALPN); integration with security groups and AWS WAF
• 719. Application Load Balancer LISTENER RULE CONDITION TYPES • Host condition: tutorialsdojo.com, portal.tutorialsdojo.com, app.tutorialsdojo.com, *.tutorialsdojo.com • HTTP header: User-Agent, Content-Type • HTTP request method: GET, POST, PUT, DELETE • Path: /img/, /doc/cebu, /pdf/*/report • Query string: /info?version=1, /health?status=manila, /account?id=123&alias=pogi • Source IP: 192.0.2.0, 198.51.100.10
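The condition types above are evaluated per listener rule, in ascending priority order, and every condition in a rule must match. The matcher below is an added example, not AWS code: it reproduces those semantics (including the ALB wildcard rules, where `*` is zero or more characters and `?` exactly one, and the fact that the source-ip condition uses the TCP peer address, not X-Forwarded-For) against rules written in the shape of the ELBv2 RuleCondition objects. The rules, target group names, host names and CIDRs are constructed; the admin rule pair shows the practical security pattern of allow-listing a path by CIDR and then returning a fixed 403 to everyone else.

```python
"""Evaluation of Application Load Balancer listener rules.  Added example,
not AWS code: it reproduces the semantics of the condition types on the
slide using the shape of the ELBv2 RuleCondition objects, then routes a
constructed request the way the ALB would: lowest priority number first,
all conditions of a rule must match, default action last."""
import ipaddress
import re
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit


def _glob(pattern: str) -> "re.Pattern":
    """ALB wildcard matching: '*' is zero or more characters, '?' exactly one."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$")


def _any_match(patterns: List[str], value: str, fold: bool = False) -> bool:
    if fold:                              # host names are case-insensitive
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(_glob(p).match(value) for p in patterns)


def parse_request(method: str, url: str, headers: Dict[str, str], client_ip: str) -> dict:
    parts = urlsplit(url)
    return {
        "method": method,
        "host": parts.hostname or "",
        "path": parts.path or "/",
        "query": parse_qsl(parts.query, keep_blank_values=True),
        "headers": {k.lower(): v for k, v in headers.items()},
        "client_ip": ipaddress.ip_address(client_ip),  # TCP peer, not X-Forwarded-For
    }


def condition_matches(cond: dict, req: dict) -> bool:
    field = cond["Field"]
    if field == "host-header":
        return _any_match(cond["HostHeaderConfig"]["Values"], req["host"], fold=True)
    if field == "path-pattern":           # case-sensitive, query string excluded
        return _any_match(cond["PathPatternConfig"]["Values"], req["path"])
    if field == "http-request-method":
        return req["method"] in cond["HttpRequestMethodConfig"]["Values"]
    if field == "http-header":
        name = cond["HttpHeaderConfig"]["HttpHeaderName"].lower()
        return _any_match(cond["HttpHeaderConfig"]["Values"], req["headers"].get(name, ""))
    if field == "query-string":           # any listed pair matching any request pair
        return any(_glob(p["Key"]).match(k) and _glob(p["Value"]).match(v)
                   for p in cond["QueryStringConfig"]["Values"]
                   for k, v in req["query"])
    if field == "source-ip":
        return any(req["client_ip"] in ipaddress.ip_network(c, strict=False)
                   for c in cond["SourceIpConfig"]["Values"])
    raise ValueError(f"unsupported condition field {field!r}")


def route(rules: List[dict], default_action: dict, req: dict) -> dict:
    """Return the action of the first matching rule by ascending priority."""
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if all(condition_matches(c, req) for c in rule["Conditions"]):
            return rule["Action"]
    return default_action


# Constructed listener rules: static content by host+path, an admin path that is
# only reachable from an allow-listed CIDR (everyone else gets a fixed 403), and
# a versioned API selected by query string.
RULES = [
    {"Priority": 10, "Action": {"Type": "forward", "TargetGroupArn": "tg-images"},
     "Conditions": [
         {"Field": "host-header", "HostHeaderConfig": {"Values": ["portal.tutorialsdojo.com"]}},
         {"Field": "path-pattern", "PathPatternConfig": {"Values": ["/img/*"]}}]},
    {"Priority": 20, "Action": {"Type": "forward", "TargetGroupArn": "tg-admin"},
     "Conditions": [
         {"Field": "path-pattern", "PathPatternConfig": {"Values": ["/admin/*"]}},
         {"Field": "source-ip", "SourceIpConfig": {"Values": ["203.0.113.0/24"]}}]},
    {"Priority": 30, "Action": {"Type": "fixed-response",
                                "FixedResponseConfig": {"StatusCode": "403"}},
     "Conditions": [
         {"Field": "path-pattern", "PathPatternConfig": {"Values": ["/admin/*"]}}]},
    {"Priority": 40, "Action": {"Type": "forward", "TargetGroupArn": "tg-v2"},
     "Conditions": [
         {"Field": "query-string", "QueryStringConfig": {"Values": [{"Key": "version", "Value": "2"}]}},
         {"Field": "http-request-method", "HttpRequestMethodConfig": {"Values": ["GET", "HEAD"]}}]},
]
DEFAULT_ACTION = {"Type": "forward", "TargetGroupArn": "tg-default"}

if __name__ == "__main__":
    req = parse_request("GET", "https://app.tutorialsdojo.com/admin/users", {}, "198.51.100.10")
    print(route(RULES, DEFAULT_ACTION, req))
```

If the ALB sits behind a CDN or another proxy, the source-ip condition sees the proxy's address; the client address is then only available in X-Forwarded-For, which a client can forge, so CIDR allow-listing at the listener is only meaningful when clients connect to the ALB directly.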
  • 720. Network Load Balancer • For load balancing TCP, UDP, and TLS traffic • Can handle millions of requests per second • Routes the traffic while maintaining ultra-low latencies • Works on the Layer 4 (Transport Layer) of the OSI Model • Uses the flow hash routing algorithm • Can be directly associated with an Elastic IP address • Supports direct integration with: AWS Global Accelerator, AWS Config, VPC Endpoint Services and Traffic Mirroring
• 721. Network Load Balancer • Notable features: connection draining; cross-zone load balancing; preserving the source IP address; WebSockets support; long-lived TCP connections • Security features: SSL offloading (TLS listeners); Server Name Indication (SNI); back-end server encryption; Application-Layer Protocol Negotiation (ALPN); integration with AWS Global Accelerator
• 722. Notable differences between ALB and NLB • NLB does not have a selection of rule condition types, unlike ALB • NLB uses the TCP and UDP transport protocols, not HTTP and HTTPS • NLB is suitable for various networking use cases, such as real-time multiplayer games that use UDP • NLB can support millions of requests per second while maintaining ultra-low latencies, unlike ALB • NLB can be directly associated with an Elastic IP address, unlike ALB
  • 723. Gateway Load Balancer • Primarily used for running third-party virtual appliances • Suitable for custom firewalls, deep packet inspection systems, intrusion detection & prevention systems and many other virtual appliances • Uses the Internet Protocol (IP) to pass the OSI Layer 3 traffic to its registered targets • Works on both Layer 3 (Network Layer) and Layer 4 (Transport Layer) of the OSI Model • Uses the Generic Network Virtualization Encapsulation (GENEVE) protocol to exchange application traffic • You can use GWLB endpoints to exchange traffic across different VPC boundaries • The access is configured using the route tables of your VPC, instead of virtual IP addresses
• 724. Classic Load Balancer • Intended for legacy applications built on the EC2-Classic network • Not recommended for new or modern applications • Supports both transport layer protocols (TCP, SSL) and application layer protocols (HTTP, HTTPS) • Works on both Layer 4 (Transport Layer) and Layer 7 (Application Layer) of the OSI model • For applications that need custom security policies or a TCP passthrough configuration • Can provide end-to-end encryption for your data in transit
• 726. Amazon S3 • An object storage service • S3 stands for “Simple Storage Service” • Highly durable, available and scalable storage service • Primarily used to store static data that does not change frequently • Can make your files publicly available via the Internet, but only if you explicitly grant that access: buckets and objects are private by default, and Block Public Access is enabled on new buckets
• 727. Buckets and objects • Objects are stored in buckets; each object carries metadata, a set of name-value pairs • A bucket is highly scalable and allows you to store a virtually unlimited number of files
• 728. BUCKET NAMING GUIDELINES • The S3 bucket name is globally unique • The namespace is shared by all AWS accounts around the world • Example: if you create an S3 bucket named “tutorialsdojo”, no other AWS user can create a bucket with that same name; if someone tries to create a new bucket called “tutorialsdojo”, the request fails
• 729. Amazon S3 Folders and Prefixes • Help you organize or group your objects • S3 has a flat structure: the concept of a “folder” is not hierarchical, unlike Amazon EFS • Example: the object key name tutorialsdojo/aws.jpeg consists of the prefix tutorialsdojo/ and the file name aws.jpeg • Amazon S3 does NOT support POSIX semantics, including concurrent file modification, file system access semantics, and file locking
• 730. [Figure: AWS Cloud, N. Virginia Region, several Availability Zones] • Amazon S3 automatically stores your objects redundantly across multiple Availability Zones of the AWS Region by default (at least three for every class except S3 One Zone-IA)
• 732. DURABILITY • The probability that an object remains intact and accessible after a period of one year • 99% durability: 1% chance of data loss per year • 99.99% durability: 0.01% chance of data loss per year • 99.999999999% (11 nines) durability: 0.000000001% chance of data loss per year; with 10,000,000 objects stored you can on average expect to lose a single object once every 10,000 years • 100% durability: absolutely no data loss per year
• 733. Amazon S3 Storage Classes • S3 Standard: for frequently accessed data • S3 Intelligent-Tiering: for changing or unknown access patterns • S3 Standard-IA (Infrequent Access) and S3 One Zone-IA (Infrequent Access): for long-lived, less frequently accessed data • S3 Glacier and S3 Glacier Deep Archive: for low-cost long-term storage and data archiving
• 734. Lifecycle Policy [Figure: objects start in S3 Standard (or S3 Intelligent-Tiering), transition to S3 Standard-IA or S3 One Zone-IA after 30 days, to S3 Glacier after 90 days, and to S3 Glacier Deep Archive after 180 days]
• 735. Static Website Hosting • Launch a static website with HTML pages, downloadable packages, images, media files, or other client-side scripts • A cost-effective, serverless way to host static websites with no server management required • Cannot run server-side scripts such as PHP, JSP, ASP.NET, etc.
• 736. Amazon EBS and Amazon EFS are attached or mounted to the Amazon EC2 instance; Amazon S3 is invoked via REST API calls, which travel over the public Internet by default (use a gateway VPC endpoint to keep that traffic on the AWS network)
• 737. S3 Versioning and Multi-Factor Authentication (MFA) Delete: prevent accidental data deletion in Amazon S3 (versioning keeps every version x.* of an object; MFA Delete requires a second factor to permanently delete a version or change the bucket’s versioning state) • Access Control List (ACL) and Bucket Policy: secure access to your S3 buckets and objects, and control external access to your bucket (ACLs are disabled by default on new buckets, so prefer bucket policies)
• 738. Cross-Region Replication (CRR): automatically replicate objects to a different AWS Region for backup purposes • Transfer Acceleration and Multipart Upload: accelerate or expedite the data transfer (upload/download) of S3 objects • ...and many other S3 features!
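Slide 737's "control external access" is where most accidental data exposure happens: an Allow statement with a wildcard Principal. The checker below is an added example, not AWS tooling; it flags such statements, separating those with no Condition at all (public) from those narrowed by a Condition such as aws:SourceVpce or aws:SourceIp (review), and reports whether the policy carries the standard Deny for non-TLS requests (aws:SecureTransport). Both policies, the bucket name, the role ARN and the VPC endpoint ID are constructed.

```python
"""Static check of an S3 bucket policy for public exposure.  Added example,
not AWS tooling: it flags Allow statements whose Principal is the wildcard
'*' (or {"AWS": "*"}), distinguishing those with no Condition (public) from
those narrowed by a Condition (review), and separately reports whether the
policy denies plaintext (non-TLS) access via aws:SecureTransport.  The two
sample policies are constructed."""
import json
from typing import List


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _principals(principal) -> List[str]:
    """Flatten the Principal element ('*', a string, or {"AWS"/"Service"/...: ...})."""
    if isinstance(principal, dict):
        return [p for v in principal.values() for p in _as_list(v)]
    return _as_list(principal)


def public_statements(policy: dict) -> List[dict]:
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or "*" not in _principals(st.get("Principal", {})):
            continue
        narrowed = bool(st.get("Condition"))
        findings.append({
            "index": i,
            "sid": st.get("Sid"),
            "actions": _as_list(st.get("Action", [])),
            "severity": "review" if narrowed else "public",
            "reason": ("wildcard principal narrowed only by Condition" if narrowed
                       else "wildcard principal without Condition"),
        })
    return findings


def denies_plaintext_transport(policy: dict) -> bool:
    """True if a Deny statement for every principal covers all S3 actions when
    aws:SecureTransport is false (the usual enforce-TLS statement)."""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Deny" or "*" not in _principals(st.get("Principal", {})):
            continue
        flag = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if "s3:*" in _as_list(st.get("Action", [])) and str(flag).lower() == "false":
            return True
    return False


# Constructed policies: the classic accidental public-read bucket...
PUBLIC_READ = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::tutorialsdojo/*"
  }]
}""")

# ...and a hardened one: a named role, a VPC-endpoint-only wildcard, TLS enforced.
HARDENED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::tutorialsdojo/*"},
    {"Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::tutorialsdojo/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::tutorialsdojo", "arn:aws:s3:::tutorialsdojo/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")

if __name__ == "__main__":
    for name, pol in (("PUBLIC_READ", PUBLIC_READ), ("HARDENED", HARDENED)):
        print(name, public_statements(pol), "tls-enforced:", denies_plaintext_transport(pol))
```

This is a review heuristic, not an authorization engine: it ignores NotPrincipal, NotAction and object ACLs. The authoritative guardrails are S3 Block Public Access (which overrides a public policy) and IAM Access Analyzer for S3, which evaluates the full policy logic.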
  • 739. Amazon S3 Storage Classes
• 740. Amazon S3 Storage Classes: S3 Standard, S3 Intelligent-Tiering, S3 Standard-Infrequent Access (Standard-IA), S3 One Zone-Infrequent Access (One Zone-IA), S3 Glacier, S3 Glacier Deep Archive
• 741. S3 Standard • Primarily used for data that is frequently accessed • Highly durable, highly available, high-performance object storage • Stores your data across 3 or more Availability Zones • 99.99% availability • No minimum storage duration charge • No data retrieval fee
• 742. S3 Standard USE CASES • Setting up highly available and durable static web hosting • Temporary storage for the nightly log processing of your application, where the logs are kept for 1 day (24 hours) only; cost-effective here because there is no minimum storage duration charge
• 743. S3 Standard LIMITATIONS • Has the highest per-GB storage price of all the classes (it is only cost-effective when the data is read often, because it has no retrieval fee) • Not recommended for data archiving, for infrequently accessed files, or for any workload that needs low-cost storage
• 744. S3 Standard-IA • Primarily used for infrequently accessed data that still needs rapid (millisecond) retrieval when requested • Stores your data across 3 or more Availability Zones • 99.9% availability • 30-day minimum storage duration charge • Data retrieval fee measured per gigabyte (GB)
  • 745. • As a long-term storage for long- lived, but infrequently accessed data • For data backups • As a data store for your Disaster Recovery (DR) files • For storing the primary backup copies of your on-premises dataset USE CASES S3 Standard-IA
• 746. S3 One Zone-IA • For less frequently accessed and easily reproducible data that requires immediate retrieval when needed • 30-day minimum storage duration charge • Cheaper than S3 Standard-IA • Stores data in only 1 Availability Zone • 99.5% availability (the lowest of all Amazon S3 storage classes)
  • 747. • If you require a cost-effective option to store infrequently accessed data • For workloads that do not require the availability and resilience of the Amazon S3 Standard or S3 Infrequent Access class • For storing secondary backup copies of rarely-accessed on-premises dataset • For storing easily recreatable data USE CASES S3 One Zone-IA
• 748. S3 One Zone-IA LIMITATIONS • The data is stored in a single AZ only, so it is lost if that AZ is destroyed • Not recommended for your company’s primary backup copies or any critical business data that is difficult to reproduce
• 749. S3 Intelligent-Tiering • Delivers automatic cost savings • Automatically moves your objects between access tiers whenever your access pattern changes • No minimum storage duration charge (a small per-object monitoring and automation fee applies instead) • No data retrieval fee • Moves data to the most cost-effective access tier without operational overhead • Stores objects in three automatic low-latency access tiers (Frequent Access, Infrequent Access, Archive Instant Access) plus two optional asynchronous archive tiers (Archive Access, Deep Archive Access)
• 750. S3 Intelligent-Tiering USE CASES • Data with an unpredictable access pattern • Buckets with a mix of frequently and infrequently accessed data • Access patterns that vary all the time • Some files accessed frequently while others are rarely accessed (those move to the archive tiers) • Some data accessed less frequently than the rest (that moves to the Infrequent Access tier) • You are unsure how frequently your data will be accessed
  • 751. • If you want to keep costs low by automatically moving your data to the appropriate S3 storage class • If your data will be accessed by users over variable periods of time • If you need storage with no management overhead • If you want to avoid lifecycle policies that are not consistently implemented or are partially implemented USE CASES S3 Intelligent-Tiering
• 752. S3 Glacier • Secure, durable, low-cost storage • Suitable for data archiving • A cost-effective storage solution for rarely accessed data that does not require fast retrieval • Stores your data across 3 or more Availability Zones • 99.99% availability • 90-day minimum storage duration charge • High data retrieval fees (expensive), so frequent retrievals cancel out the storage savings
• 753. S3 Glacier • The S3 Glacier storage classes are managed through the regular Amazon S3 console and API; the separate Amazon S3 Glacier (vault) service has its own management console and API • 2 ways to store your data: upload objects to an S3 bucket in a Glacier storage class (Amazon S3 console), or upload archives to a vault (Amazon S3 Glacier console) • Automatically move your data from S3 Standard or S3 Standard-IA to S3 Glacier by using a lifecycle policy
• 754. S3 Glacier Vault • The Amazon S3 Glacier service has a resource called a vault • A vault is a container for storing your data archives • The base unit of storage in S3 Glacier, with a unique ID and an optional description • Can only be created in the Amazon S3 Glacier console (or API), not in the S3 console • You must provide the vault name and its AWS Region
• 755. S3 Glacier Vault Lock • Use a Vault Lock to ensure data integrity and access control for your Amazon S3 Glacier vaults • A Vault Lock is an access policy that helps you enforce regulatory and compliance requirements • You can specify “Write Once Read Many” (WORM) controls to lock your Glacier vault policy against future edits • The lock is a two-step process: initiating it attaches the policy in an in-progress state and returns a lock ID, and you then have 24 hours to validate the policy and complete the lock (or abort it); once the lock is completed, the policy can no longer be changed
• 756. S3 Glacier Vault Lock USE CASES • Your company wants to retain its archives for a specific number of years before the files can be deleted • You want to prevent users from modifying or deleting an archive until after 1 year, 3 years, 7 years, et cetera
• 757. S3 Glacier Archive Retrieval Options • EXPEDITED: quickly access a subset of your data archives; archives are typically available within 1 to 5 minutes (for all but the largest archives, 250 MB and up); ensure sufficient retrieval capacity for your Expedited retrievals by purchasing provisioned capacity • STANDARD: the default option for retrieval requests; any of your archives is available within 3 to 5 hours • BULK: the lowest-cost retrieval option; retrieves large amounts of archived data in less than half a day, typically within 5 to 12 hours
  • 758. • The lowest-cost storage class in Amazon S3. • Supports long-term retention and digital preservation for your data • Primarily used to retain your data sets for 7 to 10 years or longer to meet regulatory compliance requirements • Replicates your data to 3 or more Availability Zones • 99.99% Availability S3 Glacier Deep Archive
  • 759. • 180-day minimum storage duration charge ( roughly 6 months ) • Should be used for data archiving only • The data stored here should be rarely accessed with no strict retrieval time S3 Glacier Deep Archive
• 760. S3 Glacier Deep Archive Retrieval Options • STANDARD: the default option for retrieval requests; data is restored within 12 hours • BULK: costs less than the Standard retrieval option; data is restored within 48 hours
• 762. Question: which is more cost-effective, S3 Glacier or S3 Standard?
• 763. Minimum Storage Duration • The specific amount of time that your objects must be stored in a particular storage class • Deleting your objects does not shorten the minimum storage duration: you still pay for the remaining days of the mandatory minimum period • A minimum storage duration of 30 days means you are charged for the entire 30 days even if you deleted your objects, or changed their storage class, before that period ended
• 764. Minimum Storage Duration example • An object was uploaded to the Amazon S3 Standard-Infrequent Access (S3 Standard-IA) storage class, which has a 30-day minimum • You deleted the object after 10 days • You are still billed for the entire 30 days • The same applies if you changed the storage class to another class
• 766. Answer: for non-reproducible, frequently accessed data that needs to be stored temporarily for hours only, S3 Standard (no minimum storage duration) is more cost-effective than S3 Glacier (90-day minimum storage duration, plus retrieval fees)
• 767. S3 Glacier vs S3 Glacier Deep Archive • Cost: S3 Glacier LOW; S3 Glacier Deep Archive LOWEST • Minimum storage duration: S3 Glacier 90 days; S3 Glacier Deep Archive 180 days • Data deleted after 10 days: S3 Glacier is billed for the entire 90 days; S3 Glacier Deep Archive is billed for the entire 180 days (180 - 10 = 170 days of early-deletion charge on top of the 10 days actually stored) • Data deleted after 90 days: S3 Glacier is billed at the normal storage usage charge; S3 Glacier Deep Archive is billed for the entire 180 days • Data deleted after 180 days: both are billed at the normal storage usage charge
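The arithmetic behind slides 763 to 767, carried through for an object that walks a full lifecycle policy rather than a single class. This is an added example, not from the course: the per-class minimums are the figures stated on the slides (with no minimum for S3 Standard and S3 Intelligent-Tiering), while the transition schedule and the deletion day are constructed.

```python
"""Minimum storage duration arithmetic for an object walking through a
lifecycle policy.  Added example, not from the course: the minimums are the
per-class figures stated on the slides; the transition schedule and the
deletion day are constructed."""
from typing import List, Optional, Tuple

MIN_DAYS = {"STANDARD": 0, "INTELLIGENT_TIERING": 0, "STANDARD_IA": 30,
            "ONEZONE_IA": 30, "GLACIER": 90, "DEEP_ARCHIVE": 180}


def billed_days(storage_class: str, days_stored: int) -> int:
    """Days charged for one stay in a class: the minimum applies even if the
    object is deleted, overwritten or transitioned out earlier."""
    return max(days_stored, MIN_DAYS[storage_class])


def early_deletion_days(storage_class: str, days_stored: int) -> int:
    """Days billed but not actually stored (the prorated early-deletion charge)."""
    return billed_days(storage_class, days_stored) - days_stored


def lifecycle_charges(transitions: List[Tuple[int, str]],
                      deleted_on: Optional[int]) -> List[dict]:
    """`transitions` lists (day, class) pairs starting at day 0; `deleted_on`
    is the expiration day, or None if the object is still stored (the last
    stay is then open and carries no early-deletion charge yet)."""
    stays = []
    for n, (start, cls) in enumerate(transitions):
        end = transitions[n + 1][0] if n + 1 < len(transitions) else deleted_on
        if end is None:
            stays.append({"class": cls, "stored": None, "billed": None, "early_deletion_days": 0})
            continue
        if end < start:
            raise ValueError(f"transition to {cls} at day {start} is after day {end}")
        stored = end - start
        stays.append({"class": cls, "stored": stored,
                      "billed": billed_days(cls, stored),
                      "early_deletion_days": early_deletion_days(cls, stored)})
    return stays


if __name__ == "__main__":
    # Standard -> Standard-IA at 30 days -> Glacier at 90 -> Deep Archive at 180,
    # deleted on day 200: only the Deep Archive stay is cut short.
    plan = [(0, "STANDARD"), (30, "STANDARD_IA"), (90, "GLACIER"), (180, "DEEP_ARCHIVE")]
    for stay in lifecycle_charges(plan, deleted_on=200):
        print(stay)
```

The transitions in the plan are spaced so that each stay is at least as long as the class minimum; an expiration 20 days after entering Deep Archive still incurs 160 early-deletion days. The real bill also includes per-request charges and per-object minimum billable sizes (128 KB for the Infrequent Access classes), which this model ignores.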
  • 768. Amazon S3 Event Notification
• 769. [Figure: DATA LAKE on Amazon S3. Data landed in S3 includes ELB access logs, Amazon EBS snapshots, AWS CloudFormation templates and AWS CloudTrail logs; it is analyzed in place by Amazon Redshift Spectrum, AWS Glue, Amazon Athena and Amazon EMR]
• 771. S3 Event Notifications are sent for: • New object creation • Object deletion • Object restoration from the Amazon S3 Glacier storage classes • Reduced Redundancy Storage (RRS) object lost events • Replication events
• 772. S3 Event Notifications • Transmitted within seconds • Delivered at least once, so consumers must tolerate duplicates • If two writes to a single non-versioned object happen at the same time, only one notification might be sent; enable object versioning to ensure that a notification is sent for every successful upload • Destinations: Amazon SNS, Amazon SQS, AWS Lambda (and Amazon EventBridge)
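Two details of slide 772 bite in practice: the object key arrives URL-encoded (a space becomes "+"), and at-least-once delivery means the same record can be processed twice. The consumer below is an added example, not course code. It walks the Records array, decodes the key, and drops duplicates by (bucket, key, version, event, sequencer); the event is constructed, and the in-memory set stands in for the DynamoDB table with a conditional put that a real Lambda would use for idempotency.

```python
"""Lambda-style consumer for S3 event notifications.  Added example, not
course code: it walks the Records array, URL-decodes the object key (S3
sends keys URL-encoded, with spaces as '+'), and drops duplicates by
(bucket, key, version, event, sequencer) because delivery is at-least-once.
The event is constructed; the idempotency store is an in-memory set."""
from typing import List, Set, Tuple
from urllib.parse import unquote_plus


def _record(key: str, version: str, sequencer: str,
            event: str = "ObjectCreated:Put") -> dict:
    """Build one constructed record in the S3 event notification schema."""
    return {
        "eventVersion": "2.1", "eventSource": "aws:s3", "awsRegion": "us-east-1",
        "eventTime": "2024-01-01T00:00:00.000Z", "eventName": event,
        "s3": {"s3SchemaVersion": "1.0", "configurationId": "on-upload",
               "bucket": {"name": "tutorialsdojo", "arn": "arn:aws:s3:::tutorialsdojo"},
               "object": {"key": key, "size": 1024, "eTag": "d41d8cd98f00b204",
                          "versionId": version, "sequencer": sequencer}},
    }


SAMPLE_EVENT = {"Records": [
    _record("reports/2024+q1+summary.pdf", "v1", "0055AED6DCD90281E5"),
    _record("reports/2024+q1+summary.pdf", "v1", "0055AED6DCD90281E5"),  # redelivered
    _record("logs/caf%C3%A9.log", "v7", "0055AED6DCD90281F0"),
    _record("logs/", "v1", "0055AED6DCD9028200"),                         # folder marker
]}


def event_id(record: dict) -> Tuple:
    """Identity of one delivery: the same (bucket, key, version, event, sequencer)
    arriving again is a redelivery, not a new write."""
    obj = record["s3"]["object"]
    return (record["s3"]["bucket"]["name"], obj["key"],
            obj.get("versionId") or obj.get("eTag"), record["eventName"], obj.get("sequencer"))


def object_key(record: dict) -> str:
    """S3 URL-encodes keys in notifications: '+' for space, %XX otherwise."""
    return unquote_plus(record["s3"]["object"]["key"])


def process_event(event: dict, seen: Set[Tuple]) -> List[dict]:
    handled = []
    for rec in event.get("Records", []):
        if rec.get("eventSource") != "aws:s3":
            continue                                  # not an S3 record
        eid = event_id(rec)
        if eid in seen:
            continue                                  # duplicate delivery, already done
        seen.add(eid)
        key = object_key(rec)
        if key.endswith("/"):
            continue                                  # zero-byte "folder" placeholder
        handled.append({"bucket": rec["s3"]["bucket"]["name"], "key": key,
                        "event": rec["eventName"],
                        "version": rec["s3"]["object"].get("versionId")})
    return handled


SEEN: Set[Tuple] = set()   # demo only; survives warm invocations, not containers


def lambda_handler(event: dict, context) -> dict:
    """Entry point in the shape AWS Lambda expects."""
    return {"processed": len(process_event(event, SEEN))}


if __name__ == "__main__":
    print(process_event(SAMPLE_EVENT, set()))
```

Skipping the decode step is a classic bug: a consumer that calls GetObject with the raw key "reports/2024+q1+summary.pdf" gets a 404, because the stored key contains spaces.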
• 774. Amazon RDS • A relational database service • Managed by both you (limited access) and AWS • Lets you run various database engines: Microsoft SQL Server, PostgreSQL, Amazon Aurora, and others (MySQL, MariaDB, Oracle)
• 775. Amazon RDS • Can be deployed using the AWS Management Console, the AWS CLI, the Amazon RDS API, or AWS CloudFormation • Eliminates the time-consuming tasks of hardware provisioning, patching, backups, and maintenance for your database
• 776. Amazon RDS DB Instance • You can configure the underlying Amazon EC2 instance used by your RDS database, such as its size, instance type and storage • Purchase a Reserved DB instance to lower your RDS costs • Network access is configured through your Amazon VPC (and optionally a VPC endpoint): you choose the Availability Zone where your database is hosted and its associated security group
• 777. Amazon EC2 Self-Hosted Database vs Amazon RDS Database
• 778. MANAGED BY • Amazon EC2 self-hosted database: YOU (the AWS customer) handle patching, scaling, taking database backups, ensuring high availability, replication and monitoring; AWS manages the physical infrastructure, the virtualization layer and the host OS of the EC2 instance • Amazon RDS database: AWS handles patching, scaling, taking database backups, ensuring high availability, replication and monitoring; you do minimal maintenance work
• 779. ACCESS • Amazon EC2 self-hosted database: can be directly accessed via SSH, RDP or other connections; allows direct access to and modification of your database configuration files such as /etc/mysql/my.cnf, ConfigurationFile.ini, INIT.ORA, TNSNAMES.ORA and other *.ORA files • Amazon RDS database: the underlying EC2 instance CANNOT be accessed via SSH or RDP, and the configuration files are read-only; settings are changed through parameter groups
• 780. RESPONSIBILITIES • Amazon EC2 self-hosted database: you have full access to the virtual machine and the underlying database; you are responsible for making the database highly available, fault-tolerant and secure; you apply the OS patches as well as the database engine patches regularly; you handle all of the database administrative tasks • Amazon RDS database: you choose the maintenance window in which Amazon RDS applies DB patches; database maintenance tasks are handled automatically; you modify the database configuration via a Parameter Group and an Option Group
• 782-784. Amazon RDS deployment options [Figure: AWS Cloud, N. Virginia Region, VPC A. Single AZ: one PRIMARY in Availability Zone 1. Multi-AZ: the PRIMARY in Availability Zone 1 with a STANDBY in Availability Zone 2 kept in step by synchronous replication. Read Replica: a read_only READ REPLICA in Availability Zone 3, or in VPC B in the Ohio Region, fed by asynchronous replication]
• 785. Amazon RDS OLTP Applications • Suitable for applications that read or write constantly changing data, such as Online Transaction Processing (OLTP) applications
• 787. Amazon RDS Proxy • A fully managed, highly available database proxy • Automatically connects your application to the new DB instance after a failover while preserving the application’s connections • Minimizes downtime by instantly routing incoming requests to the new database instance • Pools and shares database connections, and can keep the database credentials in AWS Secrets Manager and enforce IAM authentication, so the application never holds a database password
• 790. [Figure: the RDS instance’s Security Group has an inbound rule allowing TCP 3306 (MySQL) from the application’s EC2 instances only; security groups are stateful, so no outbound rule is needed for the replies. RDS Event Notifications report changes to the instance; the question “Who made the change?” is answered by the API audit trail in AWS CloudTrail]
• 796. [Figure: Amazon SNS as an event notification target type, used for FANOUT of event notifications]
• 798. [Figure: RDS event notifications. The PRIMARY in VPC A (N. Virginia Region) and its READ REPLICA in VPC B (Ohio Region) publish events to an SNS TOPIC, which invokes a Lambda Function]
• 800. Amazon SNS with Message Filtering [Figure: FANOUT of event notifications. An SNS TOPIC delivers to SQS QUEUES #1, #2 and #3; each subscription carries a message filter on a custom attribute (Filter by Custom Type), and the queues are consumed by Amazon EC2, Amazon ECS and AWS Lambda consumers respectively]
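A subscription filter policy is what makes the fan-out above selective: SNS evaluates the policy against the message attributes and only delivers matching messages to that queue, so each consumer sees only the events it is entitled to. The evaluator below is an added example, not AWS code; it implements the documented attribute-based matching rules (every policy key must match; any matcher in a key's list may match; exact string, prefix, suffix, anything-but, numeric ranges and exists) for String, Number and String.Array attributes. The policy and message are constructed.

```python
"""Evaluation of an Amazon SNS subscription filter policy against a message's
attributes.  Added example, not AWS code: it implements the attribute-based
matching rules (every policy key must match, any matcher in a key's list may
match; exact string, prefix, suffix, anything-but, numeric ranges, exists)
for the String, Number and String.Array attribute types.  The policy and the
messages are constructed."""
import json
import operator
from typing import Any, Dict, List

_OPS = {"=": operator.eq, ">": operator.gt, ">=": operator.ge,
        "<": operator.lt, "<=": operator.le}


def _attribute_values(attr: Dict[str, str]) -> List[Any]:
    """Flatten one message attribute {"Type": ..., "Value": ...} to Python values."""
    kind, raw = attr["Type"], attr["Value"]
    if kind == "Number":
        return [float(raw)]
    if kind == "String.Array":          # JSON-encoded list; any element may match
        return [float(x) if isinstance(x, (int, float)) else x for x in json.loads(raw)]
    return [raw]


def _numeric(spec: list, value: Any) -> bool:
    """spec is [op, number, op, number, ...], e.g. [">", 0, "<=", 150]; all must hold."""
    if not isinstance(value, float):
        return False
    return all(_OPS[spec[i]](value, float(spec[i + 1])) for i in range(0, len(spec), 2))


def _match_one(matcher: Any, value: Any) -> bool:
    if isinstance(matcher, str):
        return value == matcher
    if isinstance(matcher, (int, float)):
        return value == float(matcher)
    if "prefix" in matcher:
        return isinstance(value, str) and value.startswith(matcher["prefix"])
    if "suffix" in matcher:
        return isinstance(value, str) and value.endswith(matcher["suffix"])
    if "anything-but" in matcher:
        excluded = matcher["anything-but"]
        if isinstance(excluded, dict):            # {"anything-but": {"prefix": ...}}
            return not _match_one(excluded, value)
        excluded = excluded if isinstance(excluded, list) else [excluded]
        return not any(_match_one(e, value) for e in excluded)
    if "numeric" in matcher:
        return _numeric(matcher["numeric"], value)
    raise ValueError(f"unsupported matcher {matcher!r}")


def matches(policy: Dict[str, list], attributes: Dict[str, Dict[str, str]]) -> bool:
    for key, matchers in policy.items():
        exists = [m["exists"] for m in matchers if isinstance(m, dict) and "exists" in m]
        others = [m for m in matchers if not (isinstance(m, dict) and "exists" in m)]
        present = key in attributes
        if not present:
            if False in exists:
                continue              # policy explicitly accepts a missing attribute
            return False              # every policy key must be matched
        if True in exists:
            continue                  # presence alone satisfies this key
        values = _attribute_values(attributes[key])
        if not any(_match_one(m, v) for m in others for v in values):
            return False
    return True


# Constructed filter policy for a queue that only wants large, non-EU payment events.
POLICY = {
    "event_type": ["order.created", {"prefix": "payment."}],
    "amount": [{"numeric": [">=", 100]}],
    "region": [{"anything-but": ["eu-west-1"]}],
}
MESSAGE = {
    "event_type": {"Type": "String", "Value": "payment.captured"},
    "amount": {"Type": "Number", "Value": "250"},
    "region": {"Type": "String", "Value": "us-east-1"},
}

if __name__ == "__main__":
    print(matches(POLICY, MESSAGE))
```

Filtering at the topic is a data-flow least-privilege control: a queue whose consumer should never see EU records does not receive them at all, rather than receiving and discarding them. Keep in mind that the attributes are set by the publisher, so the filter is only as trustworthy as the publishers allowed to write to the topic.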
  • 802. REPLICA: a copy of your primary database. READ REPLICA (asynchronous replication); STANDBY REPLICA (synchronous replication)
  • 803. SYNCHRONOUS REPLICATION (Two-Way) between PRIMARY and STANDBY REPLICA. Example statements replicated: INSERT INTO CITIES (Name, Country) VALUES ('Manila', 'Philippines'); INSERT INTO CITIES (Name, Country) VALUES ('Toronto', 'Canada');
  • 804. SYNCHRONOUS REPLICATION (Two-Way) to the STANDBY REPLICA vs. ASYNCHRONOUS REPLICATION (One-Way) to the READ REPLICA. Example statements replicated from the PRIMARY: UPDATE CITIES SET City= 'Mumbai' WHERE CITY_ID = 1; UPDATE CITIES SET City= 'Chicago' WHERE CITY_ID = 2;
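The two replication modes contrasted on these slides behave differently under failure, which the diagrams cannot show. The following is an added toy model (not code from the course): a commit on the primary is not complete until the synchronous standby has applied it, while the asynchronous read replica is fed from a queue of pending changes and can lag. The CITIES rows are the slide's own sample statements, reduced to tuples; the `Name` column stands in for the slide's `City`.

```python
from collections import deque
from copy import deepcopy


class Node:
    """One database instance holding the CITIES table as {CITY_ID: row}."""

    def __init__(self, name):
        self.name = name
        self.rows = {}

    def apply(self, op):
        kind, city_id, values = op
        if kind == "INSERT":
            self.rows[city_id] = dict(values)
        elif kind == "UPDATE":
            self.rows[city_id].update(values)
        else:
            raise ValueError(kind)


class Primary(Node):
    def __init__(self):
        super().__init__("PRIMARY")
        self.standby = Node("STANDBY REPLICA")  # synchronous: part of every commit
        self.replica = Node("READ REPLICA")     # asynchronous: fed from the binlog
        self.binlog = deque()                   # changes not yet shipped to the replica

    def commit(self, op):
        """A commit returns only after the standby has applied the same change."""
        self.apply(op)
        self.standby.apply(op)
        self.binlog.append(op)
        return True

    def ship_binlog(self, max_ops=None):
        """Apply queued changes to the read replica, in order; returns how many."""
        shipped = 0
        while self.binlog and (max_ops is None or shipped < max_ops):
            self.replica.apply(self.binlog.popleft())
            shipped += 1
        return shipped

    def replica_lag(self):
        return len(self.binlog)

    def promote_standby(self):
        """Multi-AZ failover: the standby already holds every committed write."""
        return deepcopy(self.standby.rows)


def run_scenario():
    db = Primary()
    # The slide's statements, as (kind, CITY_ID, values) tuples.
    db.commit(("INSERT", 1, {"Name": "Manila", "Country": "Philippines"}))
    db.commit(("INSERT", 2, {"Name": "Toronto", "Country": "Canada"}))
    db.commit(("UPDATE", 1, {"Name": "Mumbai"}))
    db.commit(("UPDATE", 2, {"Name": "Chicago"}))
    snapshot = {
        "standby_in_sync": db.standby.rows == db.rows,
        "replica_lag_before": db.replica_lag(),
        "replica_view_before": deepcopy(db.replica.rows),
    }
    db.ship_binlog(max_ops=2)  # replica has caught up only part-way: stale reads
    snapshot["replica_name_1_midway"] = db.replica.rows[1]["Name"]
    db.ship_binlog()
    snapshot["replica_lag_after"] = db.replica_lag()
    snapshot["replica_in_sync_after"] = db.replica.rows == db.rows
    snapshot["after_failover"] = db.promote_standby()
    return snapshot


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The midway snapshot is the point to remember when routing reads: a replica that has received only part of the binlog still answers "Manila" for CITY_ID 1 after the primary has committed "Mumbai", whereas the standby never diverges from the primary.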
  • 805. Deployment options: Single DB Instance (Single AZ, standalone); Multi-AZ Deployments (PRIMARY + STANDBY REPLICA); Read Replica (PRIMARY + READ REPLICA, master-slave configuration)
  • 806. Amazon RDS Multi-AZ Deployments Configuration [Slide: PRIMARY in Availability Zone us-east-1a and STANDBY REPLICA in Availability Zone us-east-1b, both in VPC A, N. Virginia Region (us-east-1); VPC B in the Ohio Region is shown empty because a Standby Instance can't be deployed to another AWS Region] • SAME DB ENDPOINT • Failover to the standby instance makes it the NEW PRIMARY • Failover duration only lasts a little over a minute
  • 807. [Slide: same diagram plus READ REPLICAs, which have a DIFFERENT DB ENDPOINT from the primary; a Standby Instance can't be deployed to another AWS Region]
  • 808. Amazon RDS Multi-AZ Deployments Configuration • Provides High Availability • Improves Data Redundancy • Minimizes latency spikes during system backups • Keeps your database available during your planned system maintenance or DB Engine upgrade • Protects your database against DB instance failure and disruptions when an Availability Zone outage occurs
  • 809. Multi-AZ Deployments Configuration – Internal Steps: 1. Takes a snapshot of your primary DB instance 2. Launches a new Standby Instance in a different Availability Zone 3. Automatically configures synchronous replication between the primary and standby instances
  • 810. Multi-AZ Deployments • Amazon RDS uses an internal Amazon EC2 instance that has its own operating system and attributes • Maintains database performance while the regular process of patching the database engine is on-going • Ensures the availability of your database when the OS and its underlying hardware go through scheduled maintenance activities
  • 811. Multi-AZ Deployments • During an AWS-initiated hardware maintenance, a Multi-AZ database will only have a minimal disruption, unlike a Single-AZ database • Your database will only be unavailable during the primary DB instance failover to the Standby Replica • The duration of the failover process to the Standby Replica is only about 1 minute or so
  • 812. Multi-AZ Deployments • When the automatic failover in Amazon RDS occurs, the Canonical Name record (CNAME) of your DB instance is automatically altered to point to the newly promoted Standby Instance • If AWS conducts hardware maintenance on the Availability Zone where your Standby Replica is hosted, your Multi-AZ RDS database will not experience any failover or downtime • The Operating System (OS) patch is applied to the Standby Replica first before it is installed on the primary instance • The only downtime would be the failover process
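The CNAME switch described above only helps clients that resolve the endpoint again after a connection fails; a client that cached the first answer keeps dialling the old primary for the rest of the outage. The following added example (not code from the course) models that with a constructed resolver and network; the endpoint name and the IP addresses are placeholders.

```python
class FakeDns:
    """Stand-in for the RDS endpoint CNAME (constructed; not a real resolver)."""

    def __init__(self, endpoint, ip):
        self.records = {endpoint: ip}

    def resolve(self, name):
        return self.records[name]

    def failover(self, name, new_ip):
        # What RDS does on Multi-AZ failover: repoint the same name to the standby.
        self.records[name] = new_ip


class FakeNetwork:
    """Only addresses in `reachable` accept connections."""

    def __init__(self, reachable):
        self.reachable = set(reachable)

    def connect(self, ip):
        if ip not in self.reachable:
            raise ConnectionError(f"{ip} unreachable")
        return f"conn:{ip}"


class DbClient:
    """cache_dns=True mimics a runtime that caches resolved addresses indefinitely."""

    def __init__(self, endpoint, dns, net, cache_dns):
        self.endpoint, self.dns, self.net = endpoint, dns, net
        self.cache_dns = cache_dns
        self._cached_ip = None

    def _ip(self):
        if self.cache_dns and self._cached_ip:
            return self._cached_ip
        self._cached_ip = self.dns.resolve(self.endpoint)  # re-resolve on every connect
        return self._cached_ip

    def connect(self, retries=3):
        last_error = None
        for _ in range(retries):
            try:
                return self.net.connect(self._ip())
            except ConnectionError as err:
                last_error = err
        raise last_error


def simulate(cache_dns):
    endpoint = "example-db.placeholder.us-east-1.rds.amazonaws.com"  # placeholder name
    dns = FakeDns(endpoint, "10.0.1.10")            # constructed: primary in us-east-1a
    net = FakeNetwork({"10.0.1.10", "10.0.2.10"})   # constructed: standby in us-east-1b
    client = DbClient(endpoint, dns, net, cache_dns)
    first = client.connect()
    net.reachable.discard("10.0.1.10")              # AZ outage takes the primary down
    dns.failover(endpoint, "10.0.2.10")             # RDS repoints the CNAME
    try:
        second = client.connect()
    except ConnectionError:
        second = None
    return first, second


if __name__ == "__main__":
    print("caching client:   ", simulate(cache_dns=True))
    print("re-resolving client:", simulate(cache_dns=False))
```

The practical check on a real fleet is the same: after a failover drill, any connection pool that keeps failing while the endpoint already resolves to the new address is caching DNS, and needs a bounded resolver TTL or a reconnect-on-error path.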
  • 813. Multi-AZ Deployments USE CASES • Suitable for mission-critical applications where you need the highest availability while minimizing your operational and management overhead • Applicable if you have an application running in your production environment that uses a single-instance RDS database • If you want to migrate your existing database that runs on a single database configuration in your on-premises network • If you are required to eliminate single points of failure in your architecture
  • 814. Multi-AZ Deployments USE CASES • For minimizing database downtime without requiring any changes to your application code • For enterprise systems that need to be highly available with low operational complexity • For any scenario where the availability of your database is the highest priority/most important requirement and not its scalability
  • 815. Multi-AZ Deployments USE CASES • For poorly-designed architectures that need to be re-designed/refactored, such as: a three-tier application architecture that runs in public and private subnets; the application is running on a single Amazon EC2 instance that is hosted in the public subnet; a single Amazon RDS database running in the private subnet • Improved architecture: launch an Auto Scaling group of EC2 instances behind an Application Load Balancer that spans multiple AZs; enable the Multi-AZ Deployments configuration in Amazon RDS to make the database tier highly available
  • 816. Multi-AZ Deployments + READ REPLICA USE CASES • You can combine the Multi-AZ Deployments configuration with Read Replicas • A Read Replica can provide cross-region database replication for multi-Region disaster recovery, which a Multi-AZ Deployment configuration can't provide • Having both a Standby and a Read Replica ensures both high availability and scalability of your database tier
  • 817. Multi-AZ Deployments LIMITATIONS • A Multi-AZ database can provide high availability in a single AWS Region only • You cannot deploy a Standby Replica to another AWS Region • Does not provide multi-region disaster recovery • The Standby Replica cannot be used to read or write your application data, or accept live traffic • Cannot be used to scale your application in terms of read performance or to handle an increased number of queries to your database
  • 818. Multi-AZ Deployments LIMITATIONS • Not suitable if the required Recovery Point Objective (RPO) and Recovery Time Objective (RTO) are quite short • It cannot provide an RPO of 1 second and an RTO of 1 minute • If you have this requirement, you have to use: Amazon Aurora Global Databases
  • 819. Amazon RDS Read Replica
  • 821. [Slide: replication topologies. Primary (SOURCE) with secondary REPLICAs (S); Multi-Master Configuration with several masters (M)]
  • 823. REPLICA: a copy of something. READ REPLICA; STANDBY REPLICA
  • 824. STANDBY REPLICA (SYNCHRONOUS REPLICATION, 2-Way Replication) vs. READ REPLICA (ASYNCHRONOUS REPLICATION, 1-Way Replication)
    STANDBY REPLICA:
    • Does not accept live traffic without failover
    • Cannot be seen in the Amazon RDS Console as a separate DB instance
    • The DB Endpoint is the same as the primary DB instance
    READ REPLICA:
    • Can accept live traffic
    • Can be seen in the Amazon RDS Console as a separate DB instance
    • The DB Endpoint is different from the primary DB instance
  • 825. READ REPLICA • Just a regular database with a read-only configuration • Under the hood, Amazon RDS creates this by cloning your source database, setting up the replication parameters, and disabling any write operations • Based on the built-in replication functionality of the database engine (logos shown: Microsoft SQL Server, PostgreSQL)
  • 827. READ REPLICA • A binary log, also known as 'binlog' • A set of log files that contain information about the recent SQL modifications • Contains all of the CREATE, INSERT, UPDATE, DELETE, ALTER, and other SQL statements that were made in your primary database • The actual data that is being transferred from the source database to the database replica • Other required parameters for binary logging to be set: log_bin, binlog-format, sync_binlog ...and many more!
  • 828. [Slide: READ REPLICA diagram]
  • 829. READ REPLICA • Can be launched two ways: in the same AWS Region as your primary DB, or in a different AWS Region • Does NOT provide the capability of directly accessing the actual configuration files (my.cnf for MySQL, ConfigurationFile.ini for MS SQL, and others) in Amazon RDS • View and modify the DB configuration of the replica using a parameter group
  • 831. READ REPLICA • Can be promoted to be a standalone DB instance • Useful for: database sharding; implementing failure recovery; performing Data Definition Language (DDL) operations • Lessens the impact on the primary DB instance brought by rebuilding indexes, scheduled jobs, and other processing • Helpful if your primary AWS Region experiences an outage • Can be deployed to a different AWS Region and be promoted as the primary DB instance in the event that the AWS Region of your source/primary database experiences downtime
  • 832. READ REPLICA • Cannot directly create an encrypted Read Replica from an unencrypted database instance • Can be created from your encrypted database instances but not from the unencrypted ones • An encrypted cross-region read replica can be launched as long as the target region and an encryption key in AWS KMS for that particular region are supplied • Allows the use of a custom encryption key or the default encryption key for Amazon RDS that is created by AWS KMS in each region
  • 833. READ REPLICA USE CASES • Suitable if your company has a web application with a built-in reporting module • If your department or application runs large SQL queries every month that impact your database's performance due to high usage • If you need to minimize the impact that the reporting activity has on your application by offloading the read requests
  • 834. READ REPLICA USE CASES • If you need to separate the read requests from the write requests of your application • If you have an application wherein the read operations are causing high I/O usage on your primary RDS database instance, which then results in high latency for the write requests in your production environment • If you have application modules or reporting tools that only send SELECT queries: you can configure the reporting module to use the Read Replica endpoint and direct the transactional operations to the primary database instance
  • 835. READ REPLICA USE CASES • If you have 3rd-party applications or other internal systems that query your database instance heavily • If you have an internal batch processing job that fetches reporting data from your RDS DB instance • If your entire database slows down significantly whenever your batch runs, which impacts the overall read and write performance of your application • If you need to configure your internal systems to fetch data from the replica instead of the primary instance
  • 836. READ REPLICA ANTI-PATTERNS • A Read Replica is primarily used to improve the scalability of your application in terms of read operations and not for improving the availability of your database • Cannot be used for ensuring that the database will be highly available in the event of an outage; you have to use the Multi-AZ Deployments configuration instead • Unlike Multi-AZ RDS, a Read Replica doesn't have an automatic failover. If the primary DB instance experiences an outage, the incoming requests are not automatically routed to the Read Replica by default
  • 837. [Slide: CROSS-REGION READ REPLICA. PRIMARY in VPC A, Availability Zone A, N. Virginia Region; READ REPLICA in VPC B, Availability Zone A, Ohio Region]
  • 839. Amazon Aurora • A fully managed database service and also a type of database engine within Amazon RDS • Scales automatically, performs faster, and costs less • A relational database that is compatible with: PostgreSQL (logo shown)
  • 840. Amazon Aurora • Can automatically grow or scale its storage • Usually deployed as a database cluster • A cluster consists of: ONE PRIMARY (Writer/Reader) and MULTIPLE REPLICAS
  • 841. Amazon Aurora CLUSTER TYPES: Single-master; Multi-master. STANDALONE TYPE: single primary DB instance with no replica
  • 842. Amazon Aurora • Performs faster than other databases • Can scale the computing components and storage automatically without any manual intervention • The replicas in the database cluster typically lag behind the primary instance by only a few milliseconds • Provides less than 1 second of read replication latency for Aurora Replicas in the same or a different AWS Region
  • 843. Amazon Aurora ENDPOINTS: Cluster endpoint; Reader endpoint; Custom endpoint; Instance endpoint • Group the individual DB instances and associate them with a particular endpoint
  • 844. Amazon Aurora Serverless • Recommended for sporadic usage workloads or with unpredictable usage • Pay your database usage on a per-second basis • Provides a more cost-effective option than the regular Amazon RDS or Amazon Aurora databases
  • 845. Amazon Aurora Serverless USE CASES • For migrating legacy applications hosted on-premises that need to be re-architected to reduce operating costs • If it is required to re-architect your application by using technologies that do not require any IT administration team to regularly manage your servers or clusters • If you need to turn your monolithic application into a microservices architecture with serverless resources • Can be used for a serverless stack with the application containers running on AWS Fargate and your database on Aurora Serverless
  • 846. Amazon Aurora Serverless USE CASES • For sporadic usage patterns • If your application has: extremely high usage at the beginning of each month; unpredictable usage at the start of each week; moderate usage over the weekend • For situations where it is difficult to predict the application demand or to choose the most suitable instance size of your database due to the constantly changing usage • If a cost-effective database platform is required which does not require any database modifications • If you need to automatically scale the capacity up or down based on your application's needs
  • 847. Amazon Aurora Serverless USE CASES • For applications with infrequent access patterns • Automatically scales down your database capacity if there’s less incoming traffic coming in, without any manual intervention • For migrating your on-premises database to AWS Cloud without having to worry about its particular database instance type • If you need to eliminate the need to manually modify your database instance type in anticipation of the changes in the number of your users or workloads
  • 848. Amazon Aurora Global Databases • Designed for globally distributed applications • Allows a single Amazon Aurora database to span multiple AWS Regions • Offers faster physical replication between Aurora clusters • Eliminates the need to manually create cross-region Aurora Replicas yourself
  • 849. [Slide: Amazon Aurora Global Database. PRIMARY DB CLUSTER in the N. Virginia Region (Writer/Reader plus Readers across Availability Zone 1 and 2, one CLUSTER VOLUME); SECONDARY DB CLUSTER in the Ohio Region (Readers across Availability Zone 1 and 2, its own CLUSTER VOLUME); + OTHER AWS REGIONS]
  • 850. Amazon Aurora Global Databases: RPO (Recovery Point Objective) = 1 second; RTO (Recovery Time Objective) = 1 minute
  • 852. Relational Database vs. NoSQL Database
    Relational Database:
    • For applications with a well-defined schema that does NOT change too often
    • Has hundreds or thousands of tables
    • Multiple table joins
    • Tables having foreign keys
    • Supports complex SQL queries
    • Tables having a relationship with other tables
    • Has ACID properties (Atomicity, Consistency, Isolation, Durability)
    • Perfect for transactional workloads
    NoSQL Database:
    • For applications that require a flexible schema that changes too often
    • Does not have any related tables or table joins
    • Usually has one table only
    • Provides high throughput and performance for your global applications
    • Can scale better than relational databases
    • Can be used if you are unsure of the database schema that you will implement
    • Suitable if you expect to make a lot of database changes as your website or application grows
    • Does not have ACID properties by default
  • 853. Amazon DynamoDB • A fully managed NoSQL database • Highly scalable storage and read/write capacity • Provides single-digit millisecond performance • Serverless • Highly durable database • Has built-in security and backup features as well as in-memory caching
  • 854. Amazon DynamoDB • Has the least amount of operational overhead of any type of database • Eliminates the manual database management tasks, provisioning and scaling activities • Capable of automatically scaling its read and write capacity without the need for advanced capacity planning • Can be queried using simple key-value requests via its APIs • Can handle millions of requests per second
  • 857. Amazon DynamoDB Table: HIGHLY SCALABLE, ULTRA-FAST PERFORMANCE (response times in a matter of milliseconds or even microseconds!) • All data is stored in a single table only • Capable of accepting millions of requests per second globally • Faster and more scalable than traditional relational databases • Does not have a relationship with other DynamoDB tables
  • 858. Relational Database term → Amazon DynamoDB term: TABLE → TABLE; ROW → ITEM; COLUMN → ATTRIBUTE; PRIMARY KEY → PRIMARY KEY / PARTITION KEY; INDEX → SECONDARY INDEX (MAKES YOUR QUERIES RUN FASTER!); VIEW → GLOBAL SECONDARY INDEX; NESTED TABLE/OBJECT → MAP; ARRAY → LIST
  • 859. LOCAL SECONDARY INDEX vs. GLOBAL SECONDARY INDEX
    LOCAL SECONDARY INDEX:
    • Queries data over a single partition only (localized)
    • Supports both eventual consistency and strong consistency
    • Can only be added at the same time that you create the base table
    GLOBAL SECONDARY INDEX:
    • Queries data across all partitions of the entire table
    • Only supports eventual consistency
    • Can be added or deleted at any time
  • 861. [Slide: a Single DynamoDB Table in US East 1 vs. DynamoDB Global Tables replicated across US East 1, US East 2, US East 3 and US East 4]
  • 862. Amazon DynamoDB Streams • A data stream that captures each and every data change made to the items • If an item was added, modified, or deleted, then that item will be included in the DynamoDB stream • Can be associated with AWS Lambda: the function can poll the stream and execute a set of actions whenever it detects new stream records • Can also be integrated with Kinesis Data Streams • An important component that needs to be enabled when using Amazon DynamoDB Global Tables
  • 863. Amazon DynamoDB TTL • TTL stands for Time to Live • Allows you to define a timestamp per item • Automatically expires the items based on their timestamp and the TTL value that you specify • Deletes the item from your table after the date and time of the specified timestamp • Reduces the amount of obsolete data in your table, which can also lower your costs
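TTL is stored as an epoch-seconds number on the item, and DynamoDB deletes expired items in the background rather than at the exact second (the AWS documentation states deletion typically happens within 48 hours of expiry). Readers therefore need to filter expired items themselves. The following added example (not code from the course) builds session items with a TTL attribute and shows both the client-side filter and the Query/Scan filter expression; the attribute and item names are constructed.

```python
from datetime import datetime, timedelta, timezone

TTL_ATTRIBUTE = "ExpiresAt"  # constructed name; it is whatever attribute TTL was enabled on


def session_item(session_id, user, created, lifetime=timedelta(hours=1)):
    """Build an item whose TTL attribute is epoch seconds (a DynamoDB Number)."""
    return {
        "SessionId": session_id,
        "User": user,
        TTL_ATTRIBUTE: int((created + lifetime).timestamp()),
    }


def is_live(item, now):
    """DynamoDB treats an item as expired once TTL <= current time.
    Items without the attribute never expire."""
    ttl = item.get(TTL_ATTRIBUTE)
    return ttl is None or ttl > int(now.timestamp())


def live_items(items, now):
    """Client-side filter for results that may still contain expired items."""
    return [item for item in items if is_live(item, now)]


def ttl_filter(now):
    """Pieces for a Query/Scan FilterExpression that hides expired-but-undeleted
    items: expression, ExpressionAttributeNames, ExpressionAttributeValues."""
    return (
        "attribute_not_exists(#ttl) OR #ttl > :now",
        {"#ttl": TTL_ATTRIBUTE},
        {":now": int(now.timestamp())},
    )


def demo():
    # Constructed sample items: two sessions with TTL, one record without it.
    created = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    items = [
        session_item("s1", "alice", created),                      # expires 13:00
        session_item("s2", "bob", created, timedelta(hours=3)),    # expires 15:00
        {"SessionId": "s3", "User": "service-account"},            # no TTL attribute
    ]
    now = created + timedelta(hours=2)                              # 14:00
    return [item["SessionId"] for item in live_items(items, now)]


if __name__ == "__main__":
    print(demo())
    print(ttl_filter(datetime(2024, 1, 1, 14, 0, tzinfo=timezone.utc)))
```

The filter expression is worth keeping even when the table is small: for session or token tables, serving an expired record during the deletion window is an authorization bug, not just stale data.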
  • 864. Amazon DynamoDB Transactions • Provides ACID properties to your DynamoDB table for your transactional workloads • Provides an all-or-nothing change to multiple items both within and across DynamoDB tables • Consists of the DynamoDB transactional read and write APIs: TransactWriteItems, TransactGetItems • Empowers you to manage complex business workflows that require adding, updating, or deleting multiple items as an atomic operation
  • 865. Amazon DynamoDB Accelerator (DAX) • An in-memory cache for Amazon DynamoDB that is fully managed and highly available • Launches a DAX cluster that can run in your default or custom Amazon VPC • Provides response times in microseconds and not just in milliseconds • Delivers fast response times for accessing eventually consistent data • Significantly reduces the response times of your DynamoDB database
  • 866. Amazon DynamoDB Scaling • Measured in terms of: Read Capacity Unit (RCU); Write Capacity Unit (WCU)
  • 867. Amazon DynamoDB Scaling: Provisioned Capacity Mode vs. On-Demand Capacity Mode
    Provisioned Capacity Mode:
    • Suitable if your application has predictable traffic that doesn't vary over time
    • Allows you to manually set or provision the RCU and WCU of your DynamoDB table
    • Has an Auto Scaling feature that you can configure
    • Can set the target utilization, minimum provisioned capacity, and maximum provisioned capacity values in the Auto Scaling settings
    • At risk of over-provisioning and incurring unnecessary costs when the incoming traffic is way lower than expected
    On-Demand Capacity Mode:
    • For applications with inconsistent traffic or varying access patterns
    • Suitable if you expect that there'll be more traffic with sharp spikes in the future
    • No manual Auto Scaling setting that you can configure; the RCU & WCU are automatically scaled without any intervention
    • Can be used if your application has a combination of predictable and variable traffic
    • Suitable if you have clearly defined access patterns throughout the year but with variable amounts of traffic on certain days only
  • 868. Amazon DynamoDB Security • Protects your data both in transit and at rest • All data stored in Amazon DynamoDB is fully encrypted at rest by default • The API calls from your private Amazon EC2 instances that go to DynamoDB can be configured to not traverse the public Internet by creating a VPC Gateway Endpoint and adding a new route table entry
  • 869. Amazon DynamoDB Identity & Access Management
    {
      "Id": "TutorialsDojoPhilippineBooksPolicy1",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowAccessToBooksTable",
          "Effect": "Allow",
          "Action": [
            "dynamodb:Get*",
            "dynamodb:Query",
            "dynamodb:Scan",
            "dynamodb:BatchWrite*",
            "dynamodb:CreateTable",
            "dynamodb:Delete*",
            "dynamodb:Update*",
            "dynamodb:PutItem"
          ],
          "Resource": "arn:aws:dynamodb:us-west-2:12345:table/Books"
        }
      ]
    }
  • 870. Amazon DynamoDB Backups: Point-in-time Recovery (PITR) vs. On-Demand Backup and Restore
    Point-in-time Recovery (PITR):
    • Automated backup process
    • Enables continuous backups of your table
    • Allows you to restore your table to a point in time that you specify
    • Entails additional costs
    On-Demand Backup and Restore:
    • Manual backup process
    • No continuous backups
    • Can only restore to a particular backup that you've taken
    • A cost-effective yet limited backup option for your data
  • 872. [Slide: a Single DynamoDB Table in US East 1 vs. DynamoDB Global Tables replicated across US East 1, US East 2, US East 3 and US East 4]
  • 873. [Slide: DynamoDB Global Tables across US East 1, US East 2, US East 3 and US East 4, kept in sync through DynamoDB Streams]
  • 875. TABLE • Similar to the table of other database systems • A collection of related data that can represent an object, an idea, a role, or an abstract concept • In DynamoDB, the entire NoSQL database is within a single DynamoDB table only
  • 876. ITEM • Each table contains zero or more items • Similar to the rows, records, or tuples in other database systems • The "Row" of the DynamoDB Table • Can have a nested attribute, which contains another item or another nested attribute • Can be automatically expired based on its timestamp using TTL, or Time to Live. ATTRIBUTE • Each item contains zero or more attributes • Similar to the fields or columns in other data stores • The "Column" of the DynamoDB Table
  • 877. PRIMARY KEY • Also known as the partition key • Acts as the primary index that uniquely identifies each item in your DynamoDB table • Provides the ability to search for a particular item in your table • Used as an input to the internal hash function in DynamoDB; the output from that function determines the physical internal storage in which the item will be stored • The primary key attribute must be a scalar
  • 878. PRIMARY KEY types: Simple (PARTITION KEY); Composite (PARTITION KEY + SORT KEY)
  • 879. SECONDARY INDEX • Makes your queries run faster! • Provides more flexibility and performance improvement to your queries • Supports your advanced queries to access your stored data faster • Allows you to query the data in the table using an alternate key other than the primary key
  • 880. MUSIC TABLE (PARTITION KEY: SongId)
    { "SongId": 1, "Artist": "Jon Bonso", "SongTitle": "Brand New Memories", "Genre": "Rock", "Year": 2009 }
    { "SongId": 2, "Artist": "Ariel Rivera", "SongTitle": "Sana Kahit Minsan", "Genre": "R&B", "Year": 1991 }
    { "SongId": 3, "Artist": "Rey Valera", "SongTitle": "Kung Kailangan Mo Ako", "Genre": "Jazz", "Year": 1980 }
    { "SongId": 4, "Artist": "Gino Padilla", "SongTitle": "Closer You and I", "Genre": "R&B", "Year": 2000 }
    SECONDARY INDEX (LOGICAL TABLE) with PARTITION KEY: Artist, SORT KEY: Genre
    { "SongId": 1, "Artist": "Jon Bonso", "SongTitle": "Brand New Memories", "Genre": "Rock" }
    { "SongId": 2, "Artist": "Ariel Rivera", "SongTitle": "Sana Kahit Minsan", "Genre": "R&B" }
    { "SongId": 4, "Artist": "Gino Padilla", "SongTitle": "Closer You and I", "Genre": "R&B" }
  • 881. MUSIC TABLE (PARTITION KEY: SongId), same four items as above
    GLOBAL SECONDARY INDEX with PARTITION KEY: Artist, SORT KEY: Genre
    { "SongId": 1, "Artist": "Jon Bonso", "SongTitle": "Brand New Memories", "Genre": "Rock" }
    { "SongId": 2, "Artist": "Ariel Rivera", "SongTitle": "Sana Kahit Minsan", "Genre": "R&B" }
    { "SongId": 4, "Artist": "Gino Padilla", "SongTitle": "Closer You and I", "Genre": "R&B" }
    LOCAL SECONDARY INDEX with PARTITION KEY: SongId (same as the table), SORT KEY: Genre or Artist
    { "SongId": 3, "Artist": "Rey Valera", "SongTitle": "Kung Kailangan Mo Ako", "Genre": "Jazz" }
  • 882. SECONDARY INDEX • Similar to the INDEX of MySQL, Oracle, SQL Server, and other relational databases • Primarily used to make your queries FASTER!
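The index slides above show the projected copies but not the rules that make a Local Secondary Index different from a Global one. The following added example (not code from the course) models a table over the slide's MUSIC items: an LSI keeps the base partition key and can only be declared before the first item is written, a GSI takes its own partition and sort key, can be added at any time and projects only the attributes you list, and a lookup without either index has to scan every item.

```python
class Table:
    """Minimal in-memory model of a DynamoDB table with secondary indexes."""

    def __init__(self, partition_key, sort_key=None):
        self.pk, self.sk = partition_key, sort_key
        self.items = {}   # (partition value, sort value) -> item
        self.gsis = {}    # name -> (pk attr, sk attr, projection)
        self.lsis = {}    # name -> sk attr (partition key is always the base pk)

    def add_lsi(self, name, sort_key):
        if self.items:
            raise RuntimeError("an LSI can only be defined when the table is created")
        self.lsis[name] = sort_key

    def add_gsi(self, name, partition_key, sort_key=None, projection=None):
        """Allowed at any time; `projection` lists extra attributes copied into
        the index (key attributes are always included)."""
        self.gsis[name] = (partition_key, sort_key, projection)

    def put(self, item):
        self.items[(item[self.pk], item.get(self.sk))] = dict(item)

    def query(self, pk_value, sk_value=None, index=None):
        projection = None
        if index is None:
            pk_attr, sk_attr = self.pk, self.sk
        elif index in self.lsis:
            pk_attr, sk_attr = self.pk, self.lsis[index]
        elif index in self.gsis:
            pk_attr, sk_attr, projection = self.gsis[index]
        else:
            raise KeyError(index)
        hits = [item for item in self.items.values()
                if item.get(pk_attr) == pk_value
                and (sk_value is None or item.get(sk_attr) == sk_value)]
        if projection is not None:
            keep = {self.pk, self.sk, pk_attr, sk_attr, *projection} - {None}
            hits = [{k: v for k, v in item.items() if k in keep} for item in hits]
        return sorted(hits, key=lambda i: (str(i.get(sk_attr)), i[self.pk]))

    def scan(self, predicate):
        """Without an index, a lookup on a non-key attribute reads every item.
        Returns (matching items, number of items examined)."""
        return [i for i in self.items.values() if predicate(i)], len(self.items)


# The slide's MUSIC table.
MUSIC = [
    {"SongId": 1, "Artist": "Jon Bonso", "SongTitle": "Brand New Memories", "Genre": "Rock", "Year": 2009},
    {"SongId": 2, "Artist": "Ariel Rivera", "SongTitle": "Sana Kahit Minsan", "Genre": "R&B", "Year": 1991},
    {"SongId": 3, "Artist": "Rey Valera", "SongTitle": "Kung Kailangan Mo Ako", "Genre": "Jazz", "Year": 1980},
    {"SongId": 4, "Artist": "Gino Padilla", "SongTitle": "Closer You and I", "Genre": "R&B", "Year": 2000},
]


def build_music_table():
    table = Table("SongId")
    table.add_lsi("SongIdGenre", "Genre")  # must exist before the first put
    table.add_gsi("ArtistGenre", "Artist", "Genre", projection=["SongTitle"])  # no Year
    for row in MUSIC:
        table.put(row)
    return table


if __name__ == "__main__":
    t = build_music_table()
    print(t.query("Gino Padilla", index="ArtistGenre"))
    print(t.scan(lambda i: i["Artist"] == "Gino Padilla"))
```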
  • 885. Application Integration: a Distributed Architecture empowers the migration from a Monolithic Architecture
  • 887. [Slide: Monolithic Architecture (USER INTERFACE, BUSINESS LOGIC, DATA ACCESS LAYER) is SYNCHRONOUS and TIGHTLY-COUPLED]
  • 888. [Slide: Monolithic Architecture (TIGHTLY-COUPLED) vs. Distributed Architecture (LOOSELY-COUPLED): USER INTERFACE calling SERVICE 1 to SERVICE 5 through an API Gateway]
  • 889. [Slide: Distributed Architecture, LOOSELY-COUPLED and ASYNCHRONOUS, with Amazon SQS and Amazon MQ between the services]
  • 890. [Slide: Distributed Architecture, LOOSELY-COUPLED, integrated through Amazon SNS, Amazon EventBridge, AWS Step Functions, AWS AppSync, Amazon API Gateway, Amazon SQS and Amazon MQ]
  • 893. Amazon SQS • Decouple tightly-coupled architecture • Process workloads asynchronously
  • 895. QUEUE • The order of processing is First-In, First-Out (FIFO) • Items are stored sequentially • The processing is done by a Consumer
  • 896. QUEUE • Handles the incoming messages of your application • Sends the items to the consumers for processing • Asynchronous service-to-service communication • Fetching messages for processing is called Polling. MESSAGE • Messages can be an HTTP or an API request • For workloads that take several minutes to complete
  • 897. Amazon SQS • Fully-managed message queue • For workloads with long-running requests • Assists in scaling your compute resources • Can be integrated with other AWS services
  • 898. Amazon SQS TYPES: STANDARD vs. FIFO
    STANDARD:
    • THROUGHPUT: HIGH
    • DELIVERY: At Least Once (possible duplicate messages!)
    • ORDERING: Best Effort (messages might be delivered in a different order)
    FIFO:
    • THROUGHPUT: LIMITED
    • DELIVERY: Exactly Once (deduplication)
    • ORDERING: Preserves the exact order in which the messages are received
    Related API: ChangeMessageVisibility
  • 899. Amazon SQS SETTINGS: VISIBILITY TIMEOUT; MESSAGE RETENTION PERIOD; RECEIVEMESSAGE WAIT TIME; ACCESS POLICY; DEAD-LETTER QUEUE; DELAY QUEUE (DELIVERY DELAY); TEMPORARY QUEUE (TEMPORARY QUEUE CLIENT)
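The FIFO deduplication and the visibility timeout, dead-letter queue and delivery delay settings from the two slides above interact in ways that are easier to see in a model than in a bullet list. The following added example (not code from the course) is an in-memory queue with those settings and a constructed "poison message" scenario: a message that is received twice without being deleted is moved to the dead-letter queue on the third attempt, and a body re-sent inside the 5-minute deduplication window is dropped. Timestamps are plain seconds supplied by the caller.

```python
import hashlib
from collections import deque

DEDUP_WINDOW_SECONDS = 5 * 60  # FIFO queues drop a repeated deduplication id within 5 minutes


class Message:
    def __init__(self, body, available_at):
        self.body = body
        self.available_at = available_at  # hidden from consumers until this time
        self.receive_count = 0


class Queue:
    """In-memory model of an SQS queue's timing and redrive settings."""

    def __init__(self, fifo=False, visibility_timeout=30, delivery_delay=0,
                 max_receive_count=None, dead_letter_queue=None):
        self.fifo = fifo
        self.visibility_timeout = visibility_timeout
        self.delivery_delay = delivery_delay
        self.max_receive_count = max_receive_count  # the redrive policy's maxReceiveCount
        self.dlq = dead_letter_queue
        self.messages = deque()
        self._seen = {}  # deduplication id -> time it was first accepted

    def send(self, body, now, deduplication_id=None):
        """Returns False when a FIFO queue treats the message as a duplicate."""
        if self.fifo:
            # Content-based deduplication: hash of the body when no id is supplied.
            dedup_id = deduplication_id or hashlib.sha256(body.encode()).hexdigest()
            first = self._seen.get(dedup_id)
            if first is not None and now - first < DEDUP_WINDOW_SECONDS:
                return False
            self._seen[dedup_id] = now
        self.messages.append(Message(body, now + self.delivery_delay))
        return True

    def receive(self, now):
        for msg in list(self.messages):
            if self.max_receive_count and msg.receive_count >= self.max_receive_count:
                self.messages.remove(msg)  # poison message: redrive to the DLQ
                if self.dlq is not None:
                    self.dlq.messages.append(Message(msg.body, now))
                continue
            if msg.available_at > now:
                if self.fifo:
                    return None  # FIFO: the head is in flight, nothing behind it is served
                continue
            msg.receive_count += 1
            msg.available_at = now + self.visibility_timeout  # hidden while being processed
            return msg
        return None

    def delete(self, msg):
        self.messages.remove(msg)  # the consumer's acknowledgement

    def change_visibility(self, msg, now, timeout):
        msg.available_at = now + timeout  # ChangeMessageVisibility for slow consumers


def poison_message_scenario():
    dlq = Queue()
    q = Queue(fifo=True, visibility_timeout=30, max_receive_count=2, dead_letter_queue=dlq)
    log = {}
    log["first_send"] = q.send("order-1", now=0)
    log["dup_send"] = q.send("order-1", now=100)            # inside the dedup window
    first = q.receive(now=0)
    log["hidden_while_in_flight"] = q.receive(now=10) is None
    again = q.receive(now=31)                                # timeout passed, no delete
    log["redelivered"] = again is first and first.receive_count == 2
    log["third_attempt"] = q.receive(now=62)                 # exceeds maxReceiveCount
    log["dlq_bodies"] = [m.body for m in dlq.messages]
    log["resend_after_window"] = q.send("order-1", now=400)  # window has elapsed
    return log


if __name__ == "__main__":
    for key, value in poison_message_scenario().items():
        print(f"{key}: {value}")
```

The scenario is the detection angle a practitioner wants from these settings: a rising dead-letter queue depth is the signal that consumers are failing or the visibility timeout is shorter than the real processing time.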
  • 900. Amazon SQS SECURITY: ACCESS POLICY; ENCRYPTION of DATA IN-TRANSIT and DATA AT-REST
    {
      "Version": "2012-10-17",
      "Id": "Banana_Queue1_Policy_UUID",
      "Statement": [{
        "Sid": "JonBonsoQueue1_SendMessage",
        "Effect": "Allow",
        "Principal": { "AWS": [ "111122223333" ] },
        "Action": "sqs:SendMessage",
        "Resource": "arn:aws:sqs:us-east-2:1234:bananaqueue"
      }]
    }
  • 901. Amazon SQS INTEGRATION: AWS Lambda (LAMBDA TRIGGER); Amazon SNS (FAN-OUT EVENT NOTIFICATION); Amazon EC2 Auto Scaling (scale on SQS DEPTH / NUMBER OF SQS MESSAGES / AGE OF OLDEST MESSAGE); Amazon S3 (S3 EVENT NOTIFICATION); Amazon ECS & EKS (INTER-CONTAINER COMMUNICATION)
  • 905. Amazon SNS: FULLY-MANAGED MESSAGING & NOTIFICATION SERVICE
  • 907. [Slide: SNS TOPIC with SUBSCRIBERS: SQS Queue A, SQS Queue B, SQS Queue C, Amazon EC2 Instance, AWS Lambda Function, Amazon ECS Task]
  • 908. [Slide: APPLICATION TO APPLICATION MESSAGING (SNS TOPIC to SQS Queue A, SQS Queue B, Amazon EC2 Instance, Amazon ECS Task) vs. APPLICATION TO PERSON MESSAGING (SNS TOPIC to a Support Manager)]
  • 910. Amazon SNS Encryption: ACCESS POLICY; ENCRYPTION of DATA IN-TRANSIT and DATA AT-REST. Queue policy that lets the topic deliver to the queue:
    {
      "Statement": [{
        "Sid": "TutorialsDojo-Allow-SNS-SendMessage",
        "Effect": "Allow",
        "Principal": { "Service": "sns.amazonaws.com" },
        "Action": ["sqs:SendMessage"],
        "Resource": "arn:aws:sqs:us-east-2:444455556666:BananaQueue",
        "Condition": {
          "ArnEquals": { "aws:SourceArn": "arn:aws:sns:us-east-2:444455556666:TutorialsDojoTopic" }
        }
      }]
    }
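The three policy documents on the DynamoDB, SQS and SNS slides are shown but never exercised. The following added example (not code from the course) is a small evaluator for the subset of the IAM policy language those documents use: action wildcards, resource ARNs, an `AWS` or `Service` principal, and an `ArnEquals` condition on `aws:SourceArn`. It takes the slides' policies verbatim (straight quotes only) and answers the questions a reviewer asks of them, including which concrete actions a wildcard such as `dynamodb:Delete*` actually covers. It models only these features, not the full IAM evaluation logic.

```python
import fnmatch
import json

DYNAMODB_POLICY = json.loads("""
{"Id": "TutorialsDojoPhilippineBooksPolicy1", "Version": "2012-10-17",
 "Statement": [{"Sid": "AllowAccessToBooksTable", "Effect": "Allow",
   "Action": ["dynamodb:Get*", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchWrite*",
              "dynamodb:CreateTable", "dynamodb:Delete*", "dynamodb:Update*", "dynamodb:PutItem"],
   "Resource": "arn:aws:dynamodb:us-west-2:12345:table/Books"}]}""")

SQS_POLICY = json.loads("""
{"Version": "2012-10-17", "Id": "Banana_Queue1_Policy_UUID",
 "Statement": [{"Sid": "JonBonsoQueue1_SendMessage", "Effect": "Allow",
   "Principal": {"AWS": ["111122223333"]}, "Action": "sqs:SendMessage",
   "Resource": "arn:aws:sqs:us-east-2:1234:bananaqueue"}]}""")

SNS_TO_SQS_POLICY = json.loads("""
{"Statement": [{"Sid": "TutorialsDojo-Allow-SNS-SendMessage", "Effect": "Allow",
   "Principal": {"Service": "sns.amazonaws.com"}, "Action": ["sqs:SendMessage"],
   "Resource": "arn:aws:sqs:us-east-2:444455556666:BananaQueue",
   "Condition": {"ArnEquals": {"aws:SourceArn":
       "arn:aws:sns:us-east-2:444455556666:TutorialsDojoTopic"}}}]}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # Action names are case-insensitive; '*' and '?' are the only wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    return fnmatch.fnmatchcase(resource, pattern)  # ARNs compare case-sensitively


def _principal_ok(stmt_principal, principal):
    if stmt_principal == "*":
        return True
    return any(kind in principal and principal[kind] in _as_list(ids)
               for kind, ids in stmt_principal.items())


def _conditions_ok(conditions, context):
    for operator, pairs in conditions.items():
        if operator != "ArnEquals":  # only the operator the slides use is modelled
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, principal=None, context=None):
    """True if some Allow statement matches and no matching Deny does."""
    principal, context = principal or {}, context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_action_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_resource_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if "Principal" in stmt and not _principal_ok(stmt["Principal"], principal):
            continue
        if not _conditions_ok(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny always wins
        allowed = True
    return allowed


def actions_matched(policy, candidates):
    """Which of `candidates` the policy's Action patterns cover; use it to review wildcards."""
    patterns = [p for s in policy["Statement"] for p in _as_list(s["Action"])]
    return sorted(a for a in candidates if any(_action_matches(p, a) for p in patterns))


if __name__ == "__main__":
    print(actions_matched(DYNAMODB_POLICY,
                          ["dynamodb:DeleteItem", "dynamodb:DeleteTable", "dynamodb:DescribeTable"]))
```

Run against the DynamoDB policy, `actions_matched` reports that `dynamodb:Delete*` covers `dynamodb:DeleteTable` as well as `dynamodb:DeleteItem`; if the application only needs to delete items, listing the actions explicitly keeps the table itself out of scope. The SNS-to-SQS policy shows why the `aws:SourceArn` condition matters: without it, any topic could be subscribed to the queue, since the principal is the SNS service rather than one topic.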
  • 911. Amazon SNS Features: MESSAGE FILTERING; MESSAGE FANOUT (FANOUT EVENT NOTIFICATIONS); MESSAGE ENCRYPTION; MESSAGE ARCHIVING; MESSAGE DURABILITY
  • 912. Amazon SNS Features: Dead-Letter Queue (DLQ) for Amazon SNS (Redrive Policy)
  • 914. AWS Amplify • One of the development services in AWS • Allows you to build extensible, full-stack web and mobile apps faster • Automates the deployment, scaling and management of your applications and underlying resources • Provides Machine Learning integration for your apps
  • 915. AWS Amplify MODULES: AWS Amplify Studio; AWS Amplify Libraries; AWS Amplify CLI; AWS Amplify Hosting
  • 924. Serverless / FaaS: AWS Lambda; AWS Fargate; Amazon Aurora Serverless; Amazon DynamoDB; Amazon S3
  • 929. Traditional Infrastructure-as-a-Service (IaaS) vs. Serverless Function-as-a-Service (FaaS). With IaaS you handle: Virtual Server Deployment; OS Patching; Storage Management; Virtual Server Management; Virtual Server Maintenance; Scaling
  • 930. Serverless • Does NOT run all the time, unlike a traditional virtual machine • Will only run once you invoke it • Start-up time ranges from several milliseconds to less than a second • Can only run your function continuously for 15 minutes
  • 934. Function as a Service (FaaS): AWS Lambda; Amazon EventBridge (Scheduled Actions); AWS Step Functions (Orchestration); AWS Lambda@Edge (Edge Computing at Regional Edge Locations); CloudFront Functions (Edge Computing at Edge Locations)
  • 936. App Container 1 App Container 2 AWS Fargate CONTAINER ENGINE Amazon EventBridge AWS Step Functions Amazon SQS Amazon SNS Amazon API Gateway AWS AppSync SERVERLESS CONTAINERS SERVERLESS APPLICATION INTEGRATION
  • 937. SERVERLESS DATA STORES Amazon Aurora Serverless Amazon DynamoDB Amazon S3 Amazon Redshift Spectrum STATIC DATA DYNAMIC DATA DATA WAREHOUSE Extract, Transform & Load (ETL) AWS Glue Amazon QuickSight Amazon Athena Amazon Kinesis Data Analytics Analytics Services SERVERLESS ETL & ANALYTICS
  • 938. [Diagram: execution environments compared]
    • Virtual machine: host hardware / bare-metal server (CPU, memory (RAM), SSD/HDD storage, network) → hypervisor / virtual machine monitor (VMM), e.g. AWS Nitro → guest kernel → Service A / B / C
    • Container: host kernel → container engine → Docker container or Kubernetes pod (Services A, B and C share the host kernel)
    • MicroVM: Firecracker virtualization / VMM → microVM with its own kernel → execution environment (Firecracker is the microVM technology behind AWS Lambda and AWS Fargate)
  • 939. Serverless Architecture Types
    • Static single page application: Amazon S3 + Amazon CloudFront
    • Service-oriented architecture: API Gateway + AWS Lambda
    • Containerized application: AWS Fargate
    • Serverless architecture: API Gateway + AWS Lambda + AWS Fargate + Amazon DynamoDB
  • 940. SERVERLESS DATABASES: Amazon Aurora Serverless, Amazon DynamoDB
    • For applications that have sporadic or infrequent database usage patterns
    • No need to choose a particular DB instance type or do any advanced capacity planning
    • Automatically increases and decreases the compute and storage capacity of your database
    • Unlike a provisioned RDS instance, there is no need to manually scale the instance class down when demand decreases
    • Can cost considerably less than a server-based database for intermittent workloads, because you pay for capacity only while it is in use
  • 942. Amazon Route 53 Overview
  • 943. Domain Name System (DNS): Amazon Route 53
    • A global service
    • Provides different routing policies
    • Allows you to register your own domain name
    • Transfer a domain from another domain registrar
    • Create health checks
    • Route traffic flows
    • Configure DNS resolvers
    • ... and many more!
  • 944. [Diagram: DNS maps a domain name to a target] Domain name → 49.143.173.201 (Elastic IP address of an Amazon EC2 instance), an Amazon S3 static website, Elastic Load Balancers, or Amazon CloudFront web distributions
  • 945. Hosted Zone
    • Root domain / zone apex: tutorialsdojo.com, the "apex" (summit) of the hosted zone, also known as the naked domain
    • Subdomains: www.tutorialsdojo.com, portal.tutorialsdojo.com, bengaluru.tutorialsdojo.com, cebu.tutorialsdojo.com
    • DNS Security Extensions (DNSSEC): signs the zone's records so resolvers can verify their origin and integrity; mitigates DNS spoofing (cache poisoning) and man-in-the-middle tampering with DNS answers. It authenticates answers but does not encrypt queries.
  • 946. Public Hosted Zone vs Private Hosted Zone
    • Both contain an NS (Name Server) record set and an SOA (Start of Authority) record
    • Public hosted zone: answers queries from the public Internet
    • Private hosted zone: answers queries from within the VPCs associated with it, and from an on-premises data center when queries are forwarded through a Route 53 Resolver inbound endpoint
    • Query logging is available for both
  • 947. Hosted Zone Record
    • ALIAS RECORD: routes traffic to selected AWS resources; works like a CNAME (Canonical Name) record; not visible to DNS resolvers (they receive the resolved answer); points to a specific AWS resource
    • NON-ALIAS RECORD: allows you to specify the IP addresses (e.g., 49.143.173.201) or the custom domain names of your servers or resources; visible to DNS resolvers; points to a particular IP address
  • 948. DNS RECORD TYPES
    • A: IPv4 host address (ALIAS supported)
    • AAAA: IPv6 host address (ALIAS supported)
    • CNAME: Canonical Name
    • MX: Mail Exchange
    • TXT: Text
    • PTR: Pointer
    • SRV: Service Locator
    • SPF: Sender Policy Framework (the SPF record type is deprecated by RFC 7208; publish SPF policies in a TXT record instead)
    • NAPTR: Naming Authority Pointer
    • CAA: Certification Authority Authorization
    • NS: Name Server
    • SOA: Start of Authority
  • 949. CNAME (Canonical Name) vs the Root Domain / Zone Apex: a CNAME record cannot be created at the zone apex, because the apex already holds the NS and SOA records and DNS forbids any other record type alongside a CNAME at the same name. Use an A (IPv4 host address) or AAAA (IPv6 host address) record instead, or an A/AAAA alias record when the target is an AWS resource.
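    The record-set constraints from the slides above (no CNAME at the zone apex, alias records only as A or AAAA, SPF published as TXT) as a small validator. This is an added example, not code from the deck or from AWS; the record dicts are a constructed shape rather than the boto3 ChangeBatch format, and the name servers and CloudFront hostnames are placeholders.

```python
"""Validate a Route 53 hosted zone's record set against the constraints the
slides describe. Added example, not code from the deck or from AWS:
  * a CNAME cannot live at the zone apex (the apex already holds NS and SOA),
  * a CNAME cannot coexist with any other record type at the same name (RFC 1034),
  * an alias record must be type A or AAAA and is the way to point the apex at
    an AWS resource such as a CloudFront distribution,
  * the SPF record type is deprecated (RFC 7208); publish the policy as TXT.
Records are small constructed dicts, not the boto3 ChangeBatch shape."""
from collections import defaultdict

APEX_CNAME = "CNAME is not allowed at the zone apex; use an A/AAAA alias record instead"
CNAME_CONFLICT = "CNAME cannot coexist with other record types at the same name"
BAD_ALIAS_TYPE = "alias records must be type A or AAAA"
SPF_DEPRECATED = "SPF record type is deprecated (RFC 7208); use a TXT record"


def normalize(name):
    """DNS names are case-insensitive; strip the trailing dot so both forms compare equal."""
    return name.lower().rstrip(".")


def validate_zone(zone_name, records):
    """Return a list of (record name, problem) tuples; an empty list means the set is valid."""
    apex = normalize(zone_name)
    by_name = defaultdict(list)
    for rec in records:
        by_name[normalize(rec["name"])].append(rec)

    problems = []
    for name, recs in by_name.items():
        types = {r["type"] for r in recs}
        if name == apex and "CNAME" in types:
            problems.append((name, APEX_CNAME))
        elif "CNAME" in types and len(types) > 1:
            problems.append((name, CNAME_CONFLICT))
        for r in recs:
            if r.get("alias") and r["type"] not in ("A", "AAAA"):
                problems.append((name, BAD_ALIAS_TYPE))
            if r["type"] == "SPF":
                problems.append((name, SPF_DEPRECATED))
    return problems


def apex_cname_to_alias(zone_name, record):
    """Rewrite an apex CNAME into an A alias record with the same target.
    Only valid when the target is an AWS resource that supports alias records
    (CloudFront, ELB, S3 website endpoint, ...); the caller must check that."""
    if record["type"] != "CNAME" or normalize(record["name"]) != normalize(zone_name):
        raise ValueError("not an apex CNAME")
    return {"name": record["name"], "type": "A", "alias": True, "value": record["value"]}


ZONE = "tutorialsdojo.com"
# Constructed sample data; name servers and distribution hostnames are placeholders.
BAD_RECORDS = [
    {"name": "tutorialsdojo.com.", "type": "NS", "value": ["ns-1.example-dns.net."]},
    {"name": "tutorialsdojo.com.", "type": "SOA",
     "value": ["ns-1.example-dns.net. hostmaster.example.com. 1 7200 900 1209600 86400"]},
    {"name": "tutorialsdojo.com.", "type": "CNAME", "value": ["d111111abcdef8.cloudfront.net."]},
    {"name": "portal.tutorialsdojo.com", "type": "CNAME", "value": ["portal-lb.example.net."]},
    {"name": "portal.tutorialsdojo.com", "type": "TXT", "value": ['"verification=abc"']},
    {"name": "api.tutorialsdojo.com", "type": "CNAME", "alias": True,
     "value": ["d222222abcdef8.cloudfront.net."]},
    {"name": "tutorialsdojo.com.", "type": "SPF", "value": ['"v=spf1 include:example.net -all"']},
]
GOOD_RECORDS = [
    BAD_RECORDS[0],
    BAD_RECORDS[1],
    apex_cname_to_alias(ZONE, BAD_RECORDS[2]),          # apex points at CloudFront via alias A
    {"name": "www.tutorialsdojo.com", "type": "CNAME", "value": ["tutorialsdojo.com."]},
    {"name": "portal.tutorialsdojo.com", "type": "A", "value": ["203.0.113.10"]},
    {"name": "portal.tutorialsdojo.com", "type": "TXT", "value": ['"verification=abc"']},
    {"name": "tutorialsdojo.com.", "type": "TXT", "value": ['"v=spf1 include:example.net -all"']},
]
```

    `validate_zone(ZONE, BAD_RECORDS)` reports the apex CNAME, the CNAME/TXT clash at portal, the CNAME alias at api and the SPF record; `GOOD_RECORDS` passes cleanly. Route 53 itself rejects the first three at change time; the SPF one it accepts, which is why a pre-check is worth having.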
  • 950. BIND
    • Stands for Berkeley Internet Name Domain server
    • An open-source program that you can use as a fully customizable domain name server
    • Usually launched by companies as their internal DNS service
    • Can be configured as a DNS forwarder that sends queries for your private hosted zone names to a Route 53 Resolver inbound endpoint in your VPC, so hosts on your on-premises network can resolve them
    • Its zone data can be migrated to Amazon Route 53 by importing the BIND zone file
  • 952. ACTIVE-PASSIVE vs ACTIVE-ACTIVE
    • ACTIVE-PASSIVE: provides basic fault tolerance; more cost-effective than active-active; has one active environment and one backup environment on standby; primarily implemented by using the Failover routing policy
    • ACTIVE-ACTIVE: improves fault tolerance and performance of your applications; entails additional cost; has several active environments that accept live production traffic; ensures the high availability and resiliency of your global applications; can be implemented by using a single policy, or a combination of routing policies such as Latency, Geolocation, Geoproximity, Weighted, Multivalue Answer and other routing types
  • 961. [Diagram: EDGE LOCATIONS] A viewer (e.g., in the Philippines 🇵🇭) fetching directly from a remote origin server (e.g., in the US 🇺🇸): 5-second load time. The same content served from a nearby Point of Presence (PoP): 1-second load time, because the data does NOT need to be fetched from the remote origin server.
  • 962. Edge Location (PoP)
    • Refers to the "edge" or the boundary of a network (e.g., the edge/boundary of Internet Service Provider #1 and of Internet Service Provider #2)
    • Connects the different networks of various Internet Service Providers (ISPs) or telecommunications companies
  • 965. ORIGIN types: Amazon S3 bucket, Elastic Load Balancer, Amazon EC2 instance or your on-premises server, AWS Elemental MediaPackage endpoint, AWS Elemental MediaStore container
  • 966. Amazon CloudFront Features: Origin Access Identity (OAI); Geo-restriction; Lambda@Edge and CloudFront Functions; Origin Group and Origin Failover (Origin A = primary, Origin B = failover)
  • 967. Amazon CloudFront Features: Signed URLs; Signed Cookies; Custom Domain Name and Custom SSL (SNI / Dedicated IP); AWS WAF - CloudFront integration
  • 969. Content Delivery Network: delivers both STATIC and DYNAMIC content
  • 970. Content Delivery Network - AWS ORIGINS: Amazon S3 bucket, Elastic Load Balancer, Amazon EC2 instance or your on-premises server, AWS Elemental MediaPackage, AWS Elemental MediaStore
  • 971. Content Delivery Network: Viewers → [Viewer Protocol Policy: HTTP / HTTPS; access via Signed URL or Signed Cookies] → CloudFront → [Origin Protocol Policy: HTTP / HTTPS] → Amazon S3 Origin
  • 974. PROTOCOL POLICY
    • Specifies the allowed protocols between the viewers (end users) and CloudFront, and between CloudFront and the origin
    • Configures the CloudFront distribution to use HTTP, HTTPS or both
    • VIEWER Protocol Policy types: HTTP and HTTPS; Redirect HTTP to HTTPS; HTTPS Only
    • ORIGIN Protocol Policy types: HTTP Only; HTTPS Only; Match Viewer
    • Caveat: with Match Viewer, a viewer that connects over HTTP causes CloudFront to contact the origin over HTTP too, so pair it with "Redirect HTTP to HTTPS" or "HTTPS Only" on the viewer side if the origin connection must stay encrypted
  • 975. ORIGIN ACCESS IDENTITY (OAI)
    • Primarily used for CloudFront distributions with an Amazon S3 bucket as the origin
    • Restricts access to the content you serve from your S3 bucket, so objects are reachable through the CloudFront URL but not through the direct S3 URL
    • Works like a special CloudFront user (similar to an IAM user) that you associate with the origin or origin group of your distribution
    • After the OAI has been created, the Amazon S3 bucket policy must also be configured to grant s3:GetObject to the OAI, and the bucket must not otherwise be publicly readable
    • AWS now recommends Origin Access Control (OAC), the successor to OAI, which also supports SSE-KMS-encrypted objects and all S3 Regions; OAI remains supported
  • 976. FIELD-LEVEL ENCRYPTION
    • Allows you to encrypt specific data fields submitted by viewers (in HTTP POST form data) at the edge, before the request reaches your origin
    • Protects sensitive information in your origin and the data being sent by your customers
    • Suitable for securing credit card numbers, Personal Health Information (PHI) and Personally Identifiable Information (PII)
    • Encrypts the sensitive fields using a public key that you generate and upload to CloudFront
    • You keep the corresponding private key and use it to decrypt the protected fields only in the application component that needs them
  • 977. SIGNED URLs & SIGNED COOKIES
    • Primarily used for distributing private content over the Internet
    • Restrict access to your confidential or private data to authorized users only
    • Signed URLs grant access to one file per URL; signed cookies grant access to multiple files without changing the URLs
  • 980. GEO-RESTRICTION
    • Restricts access to your content based on the specific country (geographic location) of your users
    • Allows you to select the specific countries where you want to deliver your content (allow list) and which countries to block (block list)
  • 981. ALTERNATE DOMAIN NAME & SSL CERTIFICATE
    • SNI (Server Name Indication): no additional charge; requires clients that support SNI
    • Dedicated IP address: for legacy clients without SNI support; incurs an additional monthly charge
    • Certificates can be issued by AWS Certificate Manager (for CloudFront the certificate must be requested in the US East (N. Virginia) Region)
  • 982. INTEGRATIONS WITH OTHER AWS SERVICES: AWS WAF - CloudFront integration; AWS Shield (DDoS protection, which is different from the Origin Shield caching feature)
  • 983. HIGH AVAILABILITY vs FAULT TOLERANCE
  • 984. HIGH AVAILABILITY vs FAULT TOLERANCE: are these two exactly the same?
  • 985. HIGH AVAILABILITY vs FAULT TOLERANCE - SAME OBJECTIVE: both aim to ensure the application runs all the time without any system degradation, data loss or outage
  • 986. SINGLE SERVER ARCHITECTURE vs HIGH AVAILABILITY vs FAULT TOLERANCE
    • Single server architecture: uptime LOW; design redundancy NONE; cost LOW
    • High availability: uptime 99.99%; has at least one redundant resource for failover; cost MODERATE
    • Fault tolerance: uptime 100%; has a lot of redundant resources; cost HIGH
  • 987. HIGH AVAILABILITY (at least one redundant resource for failover, 99.99% uptime, MODERATE cost) vs FAULT TOLERANCE (a lot of redundant resources, 100% uptime, HIGH cost): more resources cause higher cost
  • 989. DISASTER RECOVERY OBJECTIVES: RTO (Recovery Time Objective, a length of time) and RPO (Recovery Point Objective, a point in time)
  • 990. [Timeline 9:00 AM to 5:00 PM] DISASTER at 12:00 NN. RPO = 1 hour: all data before 11:00 AM must be recoverable; the acceptable data loss is 11 AM - 12 NN. RTO = 3 hours: service restored by 3:00 PM.
  • 991. [Timeline 12:00 NN to 7:00 PM] DISASTER at 3:00 PM. RTO = 2 hours: 3:00 PM + 2 hours = 5:00 PM, service restored. RPO = 1 hour: 3:00 PM - 1 hour = 2:00 PM, so all data before 2 PM must be recoverable; the acceptable data loss is 2 PM - 3 PM.
  • 992. Security Group vs Network Access Control List (Network ACL)
  • 993. Security Group and Network ACL - what they have in common
    • A default security group and a default network ACL are created when you launch a new VPC, and exist on your default VPC
    • Act as a virtual firewall that protects your AWS resources from unauthorized traffic
    • Inbound & outbound rules can use a single IP address or a CIDR range as the source
    • Allow you to control the incoming and outgoing traffic to and from your network
  • 994. STATE: Network ACL is STATELESS; Security Group is STATEFUL
    • Because a network ACL is stateless, its outbound rules must allow the ephemeral ports that return traffic is sent to: 1024 - 65535 (used by NAT gateways and Elastic Load Balancers), 32768 - 61000 (many Linux kernels), 49152 - 65535 (Windows)
  • 995. [Diagram: AWS Cloud, N. Virginia Region, VPC A] A network ACL is attached to each subnet (Subnet 1 / Availability Zone 1 and Subnet 2 / Availability Zone 2); a security group is attached to the EC2 instance inside the subnet
  • 996. Network ACL: can explicitly DENY traffic. Security Group: cannot explicitly DENY traffic; it has no explicit DENY rules and uses allow-listing (whitelisting) only, so anything not explicitly allowed is implicitly denied
  • 997. Network ACL - STATELESS
    • Does not track the state of a request
    • Inbound traffic that has already been permitted is still subject to the outbound rules for its response traffic, and vice versa
    • Provides more fine-grained control when configuring both the inbound and outbound rules
    Security Group - STATEFUL
    • Tracks the state of incoming requests
    • If traffic is a response to an allowed request, it is allowed automatically regardless of any rules in the outbound rules
    • It is aware whether outgoing traffic is initiated from the EC2 instance itself or is a response to a request that was initiated externally
    • Its outbound rules can therefore filter traffic that the instance initiates, e.g. an API call made by an application hosted on the EC2 instance, or a scheduled OS patch in which the instance fetches updates from a designated repository
  • 998. Network ACL: each rule has a rule number; rules are evaluated in order starting with the lowest numbered rule, and the first matching rule decides. Security Group: no rule numbers; ALL rules are evaluated together (no order of precedence), and any matching allow rule permits the traffic
  • 999. Network ACL: applies its rules to all EC2 instances and other AWS resources in the subnets it is associated with. Security Group: applies its rules to a single EC2 instance, or to the group of AWS resources it is associated with
  • 1000. Ephemeral Ports: a Network ACL needs outbound rules that allow the ephemeral port range (1024 - 65535, 32768 - 61000 or 49152 - 65535, depending on the client) so that responses can leave the subnet. A Security Group does NOT need ephemeral port rules, because it is stateful and allows the response to an already-permitted request automatically
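    A model of the two filtering behaviours the slides above contrast (stateless ordered rules with explicit deny versus stateful allow-only rules), including the ephemeral-port mistake. This is an added example with constructed rule sets and flows; it is not AWS's implementation, and it models only TCP rules keyed on the remote address and a port range.

```python
"""Simulate the two traffic-filtering models the slides contrast:
  * a network ACL: stateless, numbered rules evaluated lowest number first,
    first match wins, explicit Deny allowed, unmatched traffic hits the '*' deny;
  * a security group: stateful, every rule evaluated together, Allow rules only,
    return traffic of an allowed connection is permitted automatically.
Added example with constructed rules and flows; a model of the documented
behaviour, not AWS's implementation (rules are keyed on remote CIDR and a port range)."""
import ipaddress

ALLOW, DENY = "allow", "deny"
ANY = "0.0.0.0/0"


def _matches(rule, ip, port):
    lo, hi = rule["ports"]
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule["cidr"]) and lo <= port <= hi


def nacl_decision(rules, direction, ip, port):
    """Network ACL: evaluate one direction's rules in ascending rule number; the first hit decides."""
    for rule in sorted((r for r in rules if r["dir"] == direction), key=lambda r: r["num"]):
        if _matches(rule, ip, port):
            return rule["action"]
    return DENY  # the implicit '*' rule at the end of every network ACL


def sg_decision(rules, direction, ip, port):
    """Security group: any matching rule allows; there is no way to express a deny."""
    return ALLOW if any(r["dir"] == direction and _matches(r, ip, port) for r in rules) else DENY


def inbound_connection(nacl, sg, client_ip, client_port, server_port):
    """A client connects to the instance. Returns (nacl_ok, sg_ok).
    The NACL must allow the request in AND the reply out to the client's
    ephemeral port; the security group only needs the inbound rule."""
    nacl_ok = (nacl_decision(nacl, "in", client_ip, server_port) == ALLOW
               and nacl_decision(nacl, "out", client_ip, client_port) == ALLOW)
    sg_ok = sg_decision(sg, "in", client_ip, server_port) == ALLOW  # reply is tracked, not re-evaluated
    return nacl_ok, sg_ok


def outbound_connection(nacl, sg, remote_ip, remote_port, local_port):
    """The instance itself connects out (API call, patch repository). Returns (nacl_ok, sg_ok).
    The NACL must allow the request out AND the reply back in to the instance's
    ephemeral port; the security group only needs the outbound rule."""
    nacl_ok = (nacl_decision(nacl, "out", remote_ip, remote_port) == ALLOW
               and nacl_decision(nacl, "in", remote_ip, local_port) == ALLOW)
    sg_ok = sg_decision(sg, "out", remote_ip, remote_port) == ALLOW
    return nacl_ok, sg_ok


# Constructed sample rule sets.
SG = [  # web server group: HTTPS in from anywhere, default allow-all out
    {"dir": "in", "cidr": ANY, "ports": (443, 443)},
    {"dir": "out", "cidr": ANY, "ports": (0, 65535)},
]
NACL_NO_EPHEMERAL = [  # common mistake: only port 443 opened in both directions
    {"num": 100, "dir": "in", "cidr": ANY, "ports": (443, 443), "action": ALLOW},
    {"num": 100, "dir": "out", "cidr": ANY, "ports": (443, 443), "action": ALLOW},
]
NACL_FIXED = [  # ephemeral range opened both ways, plus an explicit deny for one abusive /24
    {"num": 50, "dir": "in", "cidr": "198.51.100.0/24", "ports": (443, 443), "action": DENY},
    {"num": 100, "dir": "in", "cidr": ANY, "ports": (443, 443), "action": ALLOW},
    {"num": 110, "dir": "in", "cidr": ANY, "ports": (1024, 65535), "action": ALLOW},
    {"num": 100, "dir": "out", "cidr": ANY, "ports": (443, 443), "action": ALLOW},
    {"num": 110, "dir": "out", "cidr": ANY, "ports": (1024, 65535), "action": ALLOW},
]
# Same deny but numbered after the broad allow: it never fires because rule 100 matches first.
NACL_DENY_TOO_LATE = [dict(r, num=150) if r["action"] == DENY else r for r in NACL_FIXED]
```

    With `NACL_NO_EPHEMERAL` the request from 203.0.113.10 reaches the instance, but the reply to the client's source port 51234 is dropped by the ACL while the security group passes it; `NACL_FIXED` repairs that and shows an explicit deny that a security group cannot express, and `NACL_DENY_TOO_LATE` shows why the deny must carry a lower number than the allow it is meant to override.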
  • 1003. AWS DataSync (MIGRATION) vs AWS Storage Gateway (INTEGRATION), both connecting an on-premises data center (VMs, Storage Area Network) to AWS
  • 1004. AWS Storage Gateway types
    • File Gateway (file storage; SMB file share or NFS file share)
      • Amazon S3 File Gateway: stores data in Amazon S3; provides a local cache for low-latency access to your most recently used data
      • Amazon FSx File Gateway: stores data in Amazon FSx for Windows File Server; provides low-latency on-premises access to the Windows SMB file shares of the Amazon FSx for Windows File Server service in AWS
    • Volume Gateway (block storage)
      • CACHED volumes: use Amazon S3 as the primary storage; store a subset of frequently accessed data locally
      • STORED volumes: retain the entire dataset in your on-premises data center; asynchronously back up your data to Amazon S3
    • Tape Gateway (tape storage): archived virtual tapes go to the GLACIER POOL (Amazon S3 Glacier) or the DEEP ARCHIVE POOL (Amazon S3 Glacier Deep Archive)
  • 1005. Active Directory integration: File Gateway can be integrated with Microsoft Active Directory, AWS Managed Microsoft AD and Amazon FSx for Windows File Server; Tape Gateway and Volume Gateway have no Active Directory support
  • 1006. Protocols: File Gateway uses SMB and NFS; Tape Gateway presents a VTL (virtual tape library) over iSCSI; Volume Gateway uses iSCSI
  • 1007. [Image: an actual AWS Storage Gateway Hardware Appliance] It can run the File Gateway, Tape Gateway or Volume Gateway
  • 1008. AWS Storage Gateway (INTEGRATION) vs AWS DataSync (MIGRATION)
  • 1009. INTEGRATION (AWS Storage Gateway): hybrid cloud storage; synchronized copies on both on-premises and AWS; replication via a local cache; useful if your on-premises storage ran out of space
    MIGRATION (AWS DataSync): for moving data; large amounts of unused records or data hosted on-premises; for decommissioning existing storage systems
  • 1010. AWS Storage Gateway (INTEGRATION): REPLICATE DATA from the on-premises data center / Storage Area Network; the on-premises data will still be actively used. AWS DataSync (MIGRATION, via the DataSync Agent VM): MOVE DATA; the on-premises data would not be utilized anymore / will be decommissioned
  • 1011. Amazon EBS vs Amazon S3 vs Amazon EFS
  • 1012. BLOCK STORAGE FILE STORAGE OBJECT STORAGE
  • 1013. BLOCK STORAGE: Amazon Elastic Block Store (EBS); FILE STORAGE: Amazon Elastic File System (EFS); OBJECT STORAGE: Amazon Simple Storage Service (S3)
  • 1014. BLOCK STORAGE: a file with a total size of 16 kb is stored as four blocks of 4 kb each (block size = 4 kb)
  • 1018. Amazon EBS and Amazon EFS are attached/mounted to the Amazon EC2 instance
    • Lower latency than Amazon S3: the block storage or file storage is physically attached to the host/server or located in close proximity, so the latency when transferring data between the two systems is low
  • 1020. FILE STORAGE
    • Commonly used by multiple servers
    • Uses the Portable Operating System Interface (POSIX)
  • 1021. OBJECT STORAGE
    • Every object usually includes a globally unique identifier, its custom metadata and the data itself
    • Doesn't depend on the operating system of the host / EC2 instance
    • Upload or fetch objects using RESTful web APIs and NOT by mounting it to the host
  • 1022. DURABILITY: Amazon EBS stores data redundantly within a single AZ only; Amazon S3 and Amazon EFS store data redundantly across multiple AZs
  • 1023. ACCESS METHOD
    • Amazon EBS: usually attached/mounted to a single EC2 instance; a single EBS volume can be attached to multiple EC2 instances in the same AZ by using the Multi-Attach feature (available on Provisioned IOPS io1/io2 volumes only); two or more applications/EC2 instances can't access the exact same file concurrently without a cluster-aware file system
    • Amazon S3: accessed via the public Internet by default; invoked via REST API request calls
    • Amazon EFS: can be mounted on thousands of EC2 instances or on-premises servers across multiple AZs; allows multiple applications or servers to concurrently access the same files at the same time
  • 1024. SCALABILITY
    • Amazon EBS: not highly scalable; you need to manually resize the EBS volume to increase storage capacity
    • Amazon S3: highly scalable; can store virtually unlimited amounts of data
    • Amazon EFS: highly scalable; automatically grows and shrinks the file system as you add and remove files
  • 1025. LATENCY
    • Amazon EBS: LOWEST
    • Amazon EFS: MODERATE
    • Amazon S3: MODERATE if the request goes through an S3 Gateway Endpoint or S3 Interface Endpoint; HIGH if the request goes through the public Internet
  • 1026. BACKUPS
    • Amazon EBS: back up data using Amazon EBS Snapshots (incremental backups); allows you to copy your EBS snapshot to another AWS Region
    • Amazon S3: Cross-Region Replication (CRR)
    • Amazon EFS: perform incremental backups of your EFS file system using AWS Backup; transfer your file system to another EFS file system using AWS DataSync
  • 1027. DATA ENCRYPTION
    • Amazon EBS: Amazon EBS Encryption By Default (a Regional setting); encrypt your volume using Amazon EBS encryption, which is powered by AWS KMS
    • Amazon S3: client-side encryption; server-side encryption; enforce HTTPS connections by setting up the bucket policy (deny requests where aws:SecureTransport is false)
    • Amazon EFS: encryption at rest (AWS KMS); encryption in transit via TLS and the EFS mount helper
  • 1028. ACCESS CONTROL
    • Amazon EBS: controlled by the associated security groups and Network ACL of the EC2 instance that the volume is mounted to
    • Amazon S3: Bucket Policy; Access Control List (ACL); S3 Access Points; S3 Object Lambda Access Points
    • Amazon EFS: can associate a security group to the file system mount target (NFSv4 endpoint) that the EC2 instance connects to
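    A bucket policy that combines the two S3 controls discussed on this page (the OAI grant from slide 975, and the HTTPS-only rule from slides 1027 and 1028), together with a small evaluator that shows how IAM's explicit-deny-wins logic makes the HTTP request from the OAI itself fail. This is an added example, not code from the deck or from AWS: the evaluator is a deliberate simplification (only string principals, trailing-wildcard Action/Resource patterns and the Bool condition operator; no identity policies, ACLs or Block Public Access), and the bucket name and OAI id are constructed placeholders.

```python
"""Evaluate an S3 bucket policy that (1) grants read access only to a CloudFront
origin access identity and (2) denies every request that is not sent over TLS.
Added example, not code from the deck or from AWS. The evaluator is a small model
of IAM's logic (a matching explicit Deny beats any Allow; otherwise implicit deny);
it handles string principals, '*' wildcards in Action/Resource and the Bool condition
operator only, and ignores identity policies, ACLs and Block Public Access.
The bucket name and OAI id are constructed placeholders."""
import fnmatch
import json

BUCKET = "tutorialsdojo-private-assets"   # constructed
OAI_ID = "E1EXAMPLE111111"                  # constructed
OAI_PRINCIPAL = f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {OAI_ID}"
ANONYMOUS = "anonymous"  # how this model names an unauthenticated request (a direct S3 URL hit)

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # the grant CloudFront needs once the OAI is attached to the origin
            "Sid": "AllowCloudFrontOAIRead",
            "Effect": "Allow",
            "Principal": {"AWS": OAI_PRINCIPAL},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
        {   # encryption in transit: refuse plain-HTTP requests from anyone, the OAI included
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def policy_json():
    """The policy as it would be pasted into the bucket's permissions tab."""
    return json.dumps(POLICY, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt_principal, principal):
    if stmt_principal == "*":
        return True
    return any(p in ("*", principal) for v in stmt_principal.values() for p in _as_list(v))


def _condition_matches(condition, context):
    """Only the Bool operator is modelled; a key missing from the request context never matches."""
    for operator, pairs in (condition or {}).items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, wanted in pairs.items():
            if key not in context or str(context[key]).lower() != str(wanted).lower():
                return False
    return True


def evaluate(policy, principal, action, resource, context):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], principal):
            continue
        if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"  # a matching Deny ends evaluation regardless of any Allow
        decision = "allow"
    return decision


OBJECT = f"arn:aws:s3:::{BUCKET}/index.html"
```

    The OAI reading over HTTPS is allowed; the same OAI over plain HTTP is explicitly denied; an anonymous request through the S3 URL is implicitly denied because nothing allows it, which is exactly the effect the OAI is meant to produce. In a real account, leave Block Public Access enabled as well, since this policy alone does not prevent someone else from adding a public grant later.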
  • 1029. NFSv4 Protocol Support: Amazon EFS is POSIX-compliant and supports NFSv4 (versions 4.0 and 4.1); Amazon EBS (block device) and Amazon S3 (REST API) do not expose an NFS interface
  • 1030. DATA LIFECYCLE
    • Amazon EBS: Amazon Data Lifecycle Manager (DLM), e.g. scheduled snapshots at 1:00 PM, 3:00 PM and 5:00 PM
    • Amazon S3: Amazon S3 Lifecycle Policy, e.g. S3 Standard → S3 Standard-IA after 30 days → S3 Glacier Deep Archive after 180 days
    • Amazon EFS: Amazon EFS lifecycle management, e.g. Standard → Standard-IA, One Zone → One Zone-IA
  • 1031. USE CASES
    • Amazon EBS: for storing dynamic data that is frequently accessed and updated; LOWEST latency
    • Amazon EFS: a POSIX-compliant storage system accessed by multiple servers that need concurrent access to the same set of files at the same time
    • Amazon S3: for static data or for files that are NOT usually modified regularly; for cost-effective & serverless static web hosting that can be integrated with Amazon CloudFront