AWS Certified Solutions Architect Exam Notes – VPC

VPC – Virtual Private Cloud

  • A logically isolated section of the AWS cloud. Provides complete control over the environment.
  • A subnet cannot span multiple AZs.
  • 5 VPCs per region by default.
  • In Amazon VPC an instance retains its private IP.
  • How to make an instance on a public subnet reachable?
    • Create an Elastic IP address and associate it with the instance.
  • On VPC creation the following are created:
    • Route table
    • Network ACL
    • Security Group
  • Elastic IP vs Public IP: a Public IP changes every time you restart the instance. An Elastic IP remains the same.
  • To reach a VPC from the internet you need an Internet Gateway. Only one Internet Gateway per VPC.

Route Tables

  • Each subnet in VPC must be associated with a route table.
  • Route table controls the routing for the subnet. You can explicitly associate a subnet with a particular route table. Otherwise, the subnet is implicitly associated with the main route table.
  • A subnet can only be associated with one route table at a time. 
  • Optionally associate a route table with an internet gateway (for internet access) or a virtual private gateway (gateway route table). This enables you to specify routing rules for inbound traffic that enters your VPC through the gateway.


VPC Creation Steps

  1. Create VPC
  2. Create private and public Subnets
  3. Give IPs to public subnets
  4. Create an Internet Gateway and attach it to VPC
  5. Create a new Route Table for Internet Access. Using the main (default) route table would work, but it is bad practice because every new subnet is implicitly associated with the main route table and would therefore become public by default.
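The five steps above, expressed as a CloudFormation template built in Python. This is an added example, not code from the notes or from AWS; the logical IDs, CIDR ranges and AZ selection are assumptions chosen for illustration. It goes one step beyond the list by also placing one NAT Gateway per AZ in the public subnets and giving each private subnet its own route table, so the check at the end can show that public subnets default-route to the Internet Gateway and private subnets default-route to the NAT, while the main route table is never touched.

```python
import json

# Added example, not code from the notes. Logical IDs, CIDRs and AZ indexes
# are assumptions chosen for illustration.


def _subnet(vpc_ref, cidr, az_index, public):
    return {"Type": "AWS::EC2::Subnet",
            "Properties": {"VpcId": vpc_ref, "CidrBlock": cidr,
                           # step 3: public subnets hand out public IPs at launch
                           "MapPublicIpOnLaunch": public,
                           "AvailabilityZone": {"Fn::Select": [az_index, {"Fn::GetAZs": ""}]}}}


def build_vpc_template(vpc_cidr="10.0.0.0/16", az_count=2):
    """Return a CloudFormation template (as a dict) for the five steps above,
    plus one NAT Gateway per AZ so private subnets can reach the internet."""
    o1, o2 = vpc_cidr.split(".")[:2]          # e.g. "10", "0"
    vpc = {"Ref": "VPC"}
    res = {
        # step 1: the VPC
        "VPC": {"Type": "AWS::EC2::VPC",
                "Properties": {"CidrBlock": vpc_cidr, "EnableDnsSupport": True,
                               "EnableDnsHostnames": True}},
        # step 4: Internet Gateway attached to the VPC (only one per VPC)
        "IGW": {"Type": "AWS::EC2::InternetGateway"},
        "IGWAttachment": {"Type": "AWS::EC2::VPCGatewayAttachment",
                          "Properties": {"VpcId": vpc, "InternetGatewayId": {"Ref": "IGW"}}},
        # step 5: a NEW route table for internet access. The main route table is
        # deliberately left untouched, so subnets that are not explicitly
        # associated here stay private by default.
        "PublicRouteTable": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": vpc}},
        "PublicDefaultRoute": {"Type": "AWS::EC2::Route", "DependsOn": "IGWAttachment",
                               "Properties": {"RouteTableId": {"Ref": "PublicRouteTable"},
                                              "DestinationCidrBlock": "0.0.0.0/0",
                                              "GatewayId": {"Ref": "IGW"}}},
    }
    for i in range(az_count):
        pub, priv = f"PublicSubnet{i}", f"PrivateSubnet{i}"
        # step 2: one public and one private subnet per AZ (a subnet never spans AZs)
        res[pub] = _subnet(vpc, f"{o1}.{o2}.{i}.0/24", i, True)
        res[priv] = _subnet(vpc, f"{o1}.{o2}.{100 + i}.0/24", i, False)
        res[f"{pub}Assoc"] = {"Type": "AWS::EC2::SubnetRouteTableAssociation",
                              "Properties": {"SubnetId": {"Ref": pub},
                                             "RouteTableId": {"Ref": "PublicRouteTable"}}}
        # NAT Gateway lives in the public subnet of the same AZ, with an Elastic IP
        res[f"NatEip{i}"] = {"Type": "AWS::EC2::EIP", "DependsOn": "IGWAttachment",
                             "Properties": {"Domain": "vpc"}}
        res[f"NatGateway{i}"] = {"Type": "AWS::EC2::NatGateway",
                                 "Properties": {"SubnetId": {"Ref": pub},
                                                "AllocationId": {"Fn::GetAtt": [f"NatEip{i}", "AllocationId"]}}}
        # private route table: default route goes to the NAT, never to the IGW
        res[f"PrivateRouteTable{i}"] = {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": vpc}}
        res[f"PrivateDefaultRoute{i}"] = {"Type": "AWS::EC2::Route",
                                          "Properties": {"RouteTableId": {"Ref": f"PrivateRouteTable{i}"},
                                                         "DestinationCidrBlock": "0.0.0.0/0",
                                                         "NatGatewayId": {"Ref": f"NatGateway{i}"}}}
        res[f"{priv}Assoc"] = {"Type": "AWS::EC2::SubnetRouteTableAssociation",
                               "Properties": {"SubnetId": {"Ref": priv},
                                              "RouteTableId": {"Ref": f"PrivateRouteTable{i}"}}}
    return {"AWSTemplateFormatVersion": "2010-09-09",
            "Description": "VPC with public/private subnets, IGW and NAT per AZ (added example)",
            "Resources": res,
            "Outputs": {"VpcId": {"Value": vpc}}}


def default_route_target(template, subnet_id):
    """Follow subnet -> explicit route table -> 0.0.0.0/0 route and report whether
    that route points at the IGW ("igw"), a NAT Gateway ("nat"), or nowhere (None)."""
    res = template["Resources"]
    rt = next((r["Properties"]["RouteTableId"]["Ref"] for r in res.values()
               if r["Type"] == "AWS::EC2::SubnetRouteTableAssociation"
               and r["Properties"]["SubnetId"]["Ref"] == subnet_id), None)
    if rt is None:
        return None   # no explicit association: the subnet falls back to the main route table
    for r in res.values():
        p = r.get("Properties", {})
        if (r["Type"] == "AWS::EC2::Route" and p["RouteTableId"]["Ref"] == rt
                and p["DestinationCidrBlock"] == "0.0.0.0/0"):
            return "igw" if "GatewayId" in p else "nat"
    return None


if __name__ == "__main__":
    print(json.dumps(build_vpc_template(), indent=2))
```

Running the module prints the JSON template; `default_route_target` is the kind of check worth keeping in a pipeline, because a private subnet whose default route ends up at the IGW is the misconfiguration step 5 is warning about.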

VPC Private Link

  • Allows opening a VPC to other VPCs
  • Does not require VPC peering
  • Does not expose the VPC to the internet

VPC Peering

  • Connects two VPCs. NO transitive peering. NO edge-to-edge routing.


VPC Private Link vs VPC Peering

  • VPC Peering allows connectivity between two VPCs. It’s just like normal routing between network segments.
  • VPC Private Link allows you to publish an “endpoint” that others can connect with from their own VPC. It’s similar to a normal VPC Endpoint, but instead of connecting to an AWS service, people can connect to your endpoint.
  • In both cases, no traffic goes across the Internet. Connectivity is directly between the VPCs.

AWS Transit Gateway

  • Used for complex VPC architectures, where VPCs are connected with each other or with on-premises networks using VPN.
  • Connects everything together (star architecture)


AWS VPN CloudHub

  • When to use it? To manage multiple VPNs, i.e. multiple sites with VPN connections.
  • Use CloudHub to connect those together.


NAT (Network Address Translation) Gateways

  • Allow private subnets to communicate with the internet (download software etc.)
  • Place them in a public subnet. Private subnets then route through the NAT Gateway in the public subnet to reach the internet. A route must be set up.
  • 1 NAT Gateway per AZ
  • No need to patch.

Network ACLs

  • Each subnet must be associated with an ACL. If no explicit association is made, the default ACL is used.
  • A subnet can have only one ACL.
  • An ACL can be attached to many subnets.
  • Order matters. The most specific allow/deny rules must be on top. 

Default ACL vs New ACL

  • Default ACL: Allow everything
  • New ACL: Deny everything

Network ACLs vs Security Groups

  • Security Group: stateful
  • ACL: stateless
  • An ACL can block IPs. Security Groups only allow.
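A small model of the two evaluation behaviours described in the Network ACL and Security Group notes above, added here as an example (not code from the notes or from AWS). It shows three things at once: that NACL rule order decides whether a deny rule has any effect, that a stateless NACL drops the reply to an allowed request unless an outbound rule for the ephemeral port range exists, and that a Security Group cannot deny at all but lets reply traffic through statefully. The addresses and rule numbers are constructed for illustration (RFC 5737 documentation ranges).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example, not from the notes: a minimal model of how a Network ACL and a
# Security Group evaluate traffic. Client addresses come from the RFC 5737
# documentation ranges and are constructed for illustration.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reply(self):
        """The return packet for this packet (addresses and ports swapped)."""
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Rule:
    number: int           # NACL rule number; lower numbers are evaluated first
    action: str           # "allow" or "deny" (Security Groups only ever "allow")
    cidr: str
    port_range: tuple     # (low, high), inclusive


def _matches(rule, ip, port):
    return (ip_address(ip) in ip_network(rule.cidr)
            and rule.port_range[0] <= port <= rule.port_range[1])


class NetworkAcl:
    """Stateless: each direction is evaluated on its own, lowest rule number
    first, first match wins, and the trailing '*' rule denies everything else."""

    def __init__(self, inbound=(), outbound=()):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules, ip, port):
        for r in rules:                       # already sorted by rule number
            if _matches(r, ip, port):
                return r.action == "allow"    # first match wins
        return False                          # the implicit '*' deny

    def allows_inbound(self, pkt):
        return self._evaluate(self.inbound, pkt.src_ip, pkt.dst_port)

    def allows_outbound(self, pkt):
        # stateless: the reply to an allowed request still needs its own outbound rule
        return self._evaluate(self.outbound, pkt.dst_ip, pkt.dst_port)


class SecurityGroup:
    """Stateful and allow-only. A new group has no inbound rules (everything
    blocked) and one outbound rule allowing everything, matching the defaults."""

    def __init__(self, inbound=(), outbound=(Rule(0, "allow", "0.0.0.0/0", (0, 65535)),)):
        assert all(r.action == "allow" for r in (*inbound, *outbound)), "SGs cannot deny"
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._flows = set()                   # connection state for replies

    def allows_inbound(self, pkt):
        if pkt.reply() in self._flows:        # reply to traffic we allowed out
            return True
        ok = any(_matches(r, pkt.src_ip, pkt.dst_port) for r in self.inbound)
        if ok:
            self._flows.add(pkt)
        return ok

    def allows_outbound(self, pkt):
        if pkt.reply() in self._flows:        # reply to traffic we allowed in
            return True
        ok = any(_matches(r, pkt.dst_ip, pkt.dst_port) for r in self.outbound)
        if ok:
            self._flows.add(pkt)
        return ok


def demo():
    web = "10.0.1.10"                                  # constructed web server in a subnet
    good, bad = "203.0.113.5", "198.51.100.7"          # constructed client IPs
    req = Packet(good, 40000, web, 80)
    blocked_req = Packet(bad, 40001, web, 80)

    # deny for 198.51.100.0/24 numbered BELOW the allow-all, so it is checked first
    acl = NetworkAcl(
        inbound=[Rule(100, "allow", "0.0.0.0/0", (80, 80)),
                 Rule(90, "deny", "198.51.100.0/24", (80, 80))],
        outbound=[Rule(100, "allow", "0.0.0.0/0", (1024, 65535))])  # ephemeral ports for replies
    # same rules, but the deny is numbered ABOVE the allow: the allow matches first
    acl_wrong_order = NetworkAcl(
        inbound=[Rule(100, "allow", "0.0.0.0/0", (80, 80)),
                 Rule(110, "deny", "198.51.100.0/24", (80, 80))],
        outbound=acl.outbound)
    acl_no_ephemeral = NetworkAcl(inbound=acl.inbound, outbound=[])
    sg = SecurityGroup(inbound=[Rule(0, "allow", "0.0.0.0/0", (80, 80))], outbound=[])

    return {
        "acl_blocks_bad_ip": not acl.allows_inbound(blocked_req),
        "acl_wrong_order_lets_bad_ip_in": acl_wrong_order.allows_inbound(blocked_req),
        "acl_reply_with_ephemeral_rule": acl.allows_inbound(req) and acl.allows_outbound(req.reply()),
        "acl_reply_without_ephemeral_rule": acl_no_ephemeral.allows_outbound(req.reply()),
        "sg_reply_allowed_statefully": sg.allows_inbound(req) and sg.allows_outbound(req.reply()),
        "sg_cannot_block_bad_ip": sg.allows_inbound(blocked_req),
    }
```

The `acl_wrong_order` case is the "order matters" point: with the deny numbered higher than the allow-all, the blocked range is let in, which is why the more specific deny has to carry the lower number. The `acl_reply_without_ephemeral_rule` case is the usual reason a web server behind a freshly tightened NACL stops answering.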

Bastion Host (Jump Box)

  • A proxy server built to withstand attacks. It is located on a public subnet.
  • Used for administration (SSH access to the environment) on a private subnet.

Elastic Load Balancers 

  • They do not have an IPv4 address, only a DNS name.
  • You need at least 2 public subnets to create an ELB.
  • An ELB always works in one Region.

3 different types of Load Balancers 

  • Application Load Balancer 
    • Load Balance HTTP/S. Layer 7.
    • Clever, Intelligent
  • Network Load Balancer 
    • Performance
    • Millions of requests per second
  • Classic Load Balancer 
    • Older, Basic 
    • Bit cheaper

Sticky Sessions: bind an IP to an EC2 instance. All of its traffic is sent to that specific subnet.

Cross Zone Load Balancing: load balance across multiple AZs.

Path Patterns: route specific traffic to a specific target. Example: all images to another AZ.



Auto Scaling

  • First, create a Launch Configuration. This will be used by the auto-created EC2 instances.
  • Choose several subnets; new EC2 instances are launched randomly into those.
  • Use Cloudwatch for triggers.
  • Components
    • Groups. Logical (Application/WebServer/Database group etc)
    • Configuration Templates. Launch template used by Groups for the EC2 instances.
    • Scaling Options
  • Cooldown. Default 300 seconds. No other scaling action is performed during that period
    • Prevent your Auto Scaling group from launching or terminating additional instances before the effects of previous activities are visible.

Scaling Options 
Options for auto-scaling the groups. Based on conditions (CPU usage) or schedule (specific time). 

  • Maintain Current instance levels at all times
    • Amazon EC2 Auto Scaling performs periodic health checks. 
    • If an instance is down, it terminates it and launches a new one.
  • Scale manually
    • Basic. (i.e. I want 3 ec2 instances instead of 4.)
  • Scale based on a schedule
  • Scale based on demand 
    • Most popular. Advanced. Define parameters. (i.e I want the CPU to stay below 50%.)
    • Single scaling: increases/decreases the current capacity of the group based on a single scaling adjustment 
    • Step scaling: increases/decreases the current capacity of the group based on a set of scaling adjustments – step adjustments.
    • Target scaling: increases/decreases the current capacity of the group based on a target value for a specific metric
  • Use predictive scaling
    • Performance/Availability. Predicts based on previous performance
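A simulation of the demand-based options listed above (single, step and target scaling) together with the cooldown described in the Auto Scaling components section. This is an added example, not code from the notes or the AWS service: the step-adjustment lookup and the target-tracking arithmetic (`ceil(current * metric / target)`) are simplifications assumed for illustration, and the CPU values and group sizes are constructed.

```python
import math
from dataclasses import dataclass
from typing import Optional

# Added example, not from the notes: a simplified model of how the demand-based
# scaling options and the cooldown decide on a new desired capacity. The
# formulas are assumptions chosen to illustrate the behaviour, not the service's own.


@dataclass
class StepAdjustment:
    lower: float              # breach delta lower bound (inclusive), relative to the alarm threshold
    upper: Optional[float]    # upper bound (exclusive); None means no upper bound
    change: int               # instances to add (positive) or remove (negative)


@dataclass
class AutoScalingGroup:
    min_size: int
    max_size: int
    desired: int
    cooldown: int = 300                    # seconds; the default quoted in the notes
    last_scaling_time: Optional[int] = None

    def _apply(self, new_desired, now):
        """Clamp to [min, max] and honour the cooldown; return the capacity after the decision."""
        new_desired = max(self.min_size, min(self.max_size, new_desired))
        if new_desired == self.desired:
            return self.desired
        if self.last_scaling_time is not None and now - self.last_scaling_time < self.cooldown:
            return self.desired            # still cooling down: the previous change has not settled
        self.desired, self.last_scaling_time = new_desired, now
        return self.desired

    # single scaling: one fixed adjustment whenever the alarm breaches
    def simple_scale(self, change, now):
        return self._apply(self.desired + change, now)

    # step scaling: the size of the adjustment depends on how far the metric is past the threshold
    def step_scale(self, metric, threshold, steps, now):
        delta = metric - threshold
        for s in steps:
            if s.lower <= delta and (s.upper is None or delta < s.upper):
                return self._apply(self.desired + s.change, now)
        return self.desired                # metric not inside any step: no action

    # target scaling: keep a utilisation metric near a target value (simplified formula)
    def target_track(self, metric, target, now):
        wanted = math.ceil(self.desired * metric / target)
        return self._apply(wanted, now)


def demo():
    """Run the three policies on constructed CPU readings; returns the capacities decided."""
    steps = [StepAdjustment(0, 10, 1), StepAdjustment(10, 20, 2), StepAdjustment(20, None, 3)]
    out = {}

    asg = AutoScalingGroup(min_size=2, max_size=10, desired=4)
    out["step_cpu_65"] = asg.step_scale(metric=65, threshold=50, steps=steps, now=0)        # +2
    out["step_during_cooldown"] = asg.step_scale(metric=90, threshold=50, steps=steps, now=100)
    out["step_after_cooldown"] = asg.step_scale(metric=90, threshold=50, steps=steps, now=400)  # +3

    tt = AutoScalingGroup(min_size=2, max_size=10, desired=4)
    out["target_cpu_75_for_50"] = tt.target_track(metric=75, target=50, now=0)      # scale out
    out["target_cpu_20_for_50"] = tt.target_track(metric=20, target=50, now=400)    # scale in

    ss = AutoScalingGroup(min_size=2, max_size=3, desired=3)
    out["simple_clamped_at_max"] = ss.simple_scale(change=2, now=0)                 # max_size wins
    return out


if __name__ == "__main__":
    for name, capacity in demo().items():
        print(f"{name}: desired capacity -> {capacity}")
```

The `step_during_cooldown` entry is the cooldown in action: a much larger breach arrives 100 seconds after the first scale-out and is ignored until the 300-second window has passed, which is exactly the "before the effects of previous activities are visible" behaviour the notes describe.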

Attach an EC2 instance to an existing Auto Scale Group
Must meet the following criteria

  • The instance is in the running state.
  • The AMI used to launch the instance must still exist.
  • The instance is not a member of another Auto Scaling group.
  • The instance is launched into one of the Availability Zones defined in your Auto Scaling group.
  • If the Auto Scaling group has an attached load balancer, the instance and the load balancer must both be in EC2-Classic or the same VPC. If the Auto Scaling group has an attached target group, the instance and the load balancer must both be in the same VPC.

CloudFormation 

  • Script your cloud Environment. Automate the creation of a cloud environment. JSON templates.

Template anatomy

  • AWSTemplateFormatVersion: “version date”
  • Description: String
  • Metadata
  • Parameters
  • Mappings
  • Conditions
  • Transform
  • Resources – Mandatory 
  • Outputs


Elastic Beanstalk

  • Quickly deploy and manage AWS apps
  • What does Beanstalk handle?
    • Application Load Balancing. Capacity. Scaling. Health Monitoring
  • CloudFormation vs Elastic BeanStalk:
    • CloudFormation uses massive JSON templates, BeanStalk uses UI

EC2

  • Provides resizable compute capacity in the cloud.
  • Termination Protection turned off by default.

EC2 Security Groups

  • Control traffic to and from EC2 instances.
  • Cannot block/blacklist specific IP addresses (only with VPC Network ACLs).
  • On a new Security Group:
    • All inbound traffic is blocked by default.
    • All outbound traffic is allowed by default.
  • Changes to a Security Group take effect immediately.
  • You can:
    • Attach multiple security groups to an instance.
    • Use a security group on multiple instances.

EC2 – Hibernate

When we start EC2 the following happens:

  • Operating system starts
  • Bootstrap script runs
  • Application starts (MySql, Apache etc)

Hibernate does the following:

  • Takes the RAM and stores it to an EBS Volume
  • On the restart, the RAM content is restored. It is not really a restart.
  • A lot faster
  • Useful for services that take a long time to instantiate or for long Bootstrap processes.
  • The root volume must be encrypted to use hibernation.

EBS – Elastic Block Store

  • A virtual hard disk in the cloud.
  • Volumes will ALWAYS be in the same AZ as EC2.
  • Allows configuration changes (volume type, volume size, IOPS) while in production.
  • Choose EBS over S3 when you care for low latency.
  • Choose EBS over EFS if you have only one EC2 instance.

EBS Volume Types

  • General Purpose (gp2): SSD. Better for small, random I/O operations.
  • Provisioned IOPS (io1): SSD. Highest performance. Better for small, random I/O operations. Used for databases.
  • Throughput Optimized (st1): HDD. Better for large, sequential I/O operations. Used for Big data / Data WH.
  • Cold HDD (sc1): HDD. Better for large, sequential I/O operations. Infrequent access. Used for File Servers.

EFS – Elastic File System

  • Similar to EBS but EFS can be shared among EC2 Instances. 
  • An EBS volume can be attached to only one EC2 instance.
  • EFS scales automatically.
  • Only pay for storage that you use

Snapshots

  • Snapshots are point-in-time copies of Volumes.
  • Snapshots are incremental. If I take two snapshots, the second will contain only the changes of the volume since the creation of the first.
  • The best practice is to stop the instance before taking a snapshot.
  • We can create AMIs(Images) from snapshots
  • I can perform actions on snapshots.
  • I cannot delete a snapshot of a root EBS volume
  • I can perform actions on EBS while I am creating a snapshot.

How can I transfer EC2 from one AZ to another? 

  • Take a snapshot, create AMI, use AMI to launch EC2 in new AZ

How can I transfer EC2 from one region to another? 

  • Take a snapshot, create AMI, copy the AMI to the target region, use AMI to launch EC2 in the new region.

Data Lifecycle Manager – DLM

  • Automate the creation, retention, and deletion of snapshots taken to backup your Amazon EBS volumes.
  • Protect valuable data by enforcing a regular backup schedule.
  • Retain backups as required by auditors or internal compliance.
  • Reduce storage costs by deleting outdated backups.

EBS vs Instance Store

  • Two different root device types.
  • EBS volume is a network-attached drive that results in slow performance but data is persistent meaning even if you reboot the instance data will be there.
  • Instance store (Ephemeral storage) is a physically attached device that gives better performance but data will be lost once the instance is rebooted.
  • You cannot detach the instance store and attach it to another instance.
  • By default, both root volumes will be deleted on termination. With EBS we can configure it to persist.

Elastic Fabric Adapter vs Elastic Network Adapter

  • EFA -> High-Performance Computing, Machine Learning
  • EFA is an ENA that bypasses the OS.
  • EFA OS bypass does not work on Windows.

Elastic Network Interface – ENI

An elastic network interface (ENI) is a logical networking component in a VPC that represents a virtual network card.

  • You can attach a network interface to an EC2 instance in the following ways:
    • When it’s running – hot attach
    • When it’s stopped – warm attach
    • When the instance is being launched  – cold attach
  • You can: Create a network interface. Attach it to an instance. Detach it from an instance. Attach it to another instance
  • The attributes follow it as it is attached or detached from an instance and reattached to another instance. 
  • When you move a network interface from one instance to another, network traffic is redirected to the new instance.
  • You cannot detach a primary network interface from an instance.

EC2 – Encryption

  • Snapshots of encrypted volumes are automatically encrypted.
  • Volumes created from encrypted snapshots are automatically encrypted.
  • Only unencrypted snapshots can be shared with other AWS accounts
  • How can I encrypt an unencrypted volume (root or not)?
    • Create Snapshot
    • Copy Snapshot with encryption
    • Create AMI
    • Launch 

RAID 0 vs RAID 1

Choose RAID 0 when performance is more important than fault tolerance (heavily used DB with existing replication).

Choose RAID 1 when fault tolerance is more important than performance (critical app).