AWS certified developer associate hints. IAM, EC2, ALB and ASG (part I)

IAM, Users, Groups and Policies

IAM = Identity and access management.

The root account, created by default, should not be used or shared.

Users are people in your organization; they can be grouped.

A user may belong to no group or to multiple groups.

Users and groups can be assigned IAM policies.

IAM policy

Consists of:

Version
Id (optional)
Statement: one or more statements

Each statement has:
Sid: statement id (optional)
Effect: Allow or Deny
Principal: account/user/role the statement applies to
Action: list of API calls
Resource: list of resources the statement applies to
Condition: conditions under which the rule applies (optional)
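The fields listed above only make sense together with the decision rule IAM applies to them: an explicit Deny overrides every Allow, and a request that no statement matches is implicitly denied. The following Python is an added teaching example, not AWS's evaluation engine and not code from these notes. It builds a policy document with the documented fields and evaluates requests against it; the bucket name and Sid values are made up, aws:SecureTransport is a real condition key, and only the StringEquals and Bool condition operators are modelled.

```python
"""Minimal evaluator for the IAM policy structure described above.

Constructed teaching example, not AWS's evaluation engine. It models the
documented fields (Version, Id, Statement, Sid, Effect, Action, Resource,
Condition) and the core decision rule: an explicit Deny overrides every
Allow, and a request matched by no statement is implicitly denied.
"""
import fnmatch

# Constructed sample policy: read access to one bucket, plus a guard that
# denies any S3 call made without TLS. Bucket and Sid names are made up.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Id": "example-reports-read",  # optional
    "Statement": [
        {
            "Sid": "AllowReadReports",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-reports",
                "arn:aws:s3:::example-reports/*",
            ],
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def _as_list(value):
    """IAM accepts either a single string or a list for Action, Resource and values."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate, fold_case=False):
    """IAM patterns use * and ? wildcards; action names are case-insensitive."""
    patterns = _as_list(patterns)
    if fold_case:
        candidate = candidate.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)


def _condition_holds(condition, context):
    """All operator blocks and all keys within them must hold (logical AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:          # missing key: the condition does not match
                return False
            if operator == "StringEquals":
                if str(actual) not in _as_list(expected):
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise ValueError(f"condition operator {operator} not modelled")
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request against a list of policy documents."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt["Action"], action, fold_case=True):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"           # explicit deny: stop immediately
            allowed = True              # remember the Allow, keep scanning for Denies
    return "Allow" if allowed else "Deny"   # implicit deny when nothing allowed


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-reports/q1.csv"
    print(evaluate([SAMPLE_POLICY], "s3:GetObject", obj, {"aws:SecureTransport": "true"}))
    print(evaluate([SAMPLE_POLICY], "s3:GetObject", obj, {"aws:SecureTransport": "false"}))
    print(evaluate([SAMPLE_POLICY], "s3:PutObject", obj, {"aws:SecureTransport": "true"}))
```

The order of the statements in the document does not matter: the Deny guard is found and applied even though it comes after the Allow, which is why "deny insecure transport" statements are a safe addition to an existing policy.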

IAM - Password policy

You can require users' passwords to have:

  • Minimum password length
  • Uppercase and lowercase letters
  • Numbers
  • Non-alphanumeric characters
  • Expiration (require users to change passwords periodically)
  • No re-use of previous passwords
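What these rules amount to in code is easy to see with a checker. The Python below is an added example, not IAM's implementation and not from these notes: it enforces the same set of rules on a candidate password and keeps previous passwords only as salted PBKDF2 digests so that the re-use check itself does not store old credentials in the clear. The default values (14 characters, 24 remembered passwords) are choices for the example, not IAM defaults.

```python
"""Checker for the kind of password policy IAM lets you enforce on users.

Constructed example, not IAM's implementation. The rules mirror the list
above: minimum length, uppercase and lowercase letters, digits,
non-alphanumeric characters, and a re-use block against the last N
passwords. Previous passwords are stored only as salted PBKDF2 digests.
"""
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac
import os
import string


@dataclass
class PasswordPolicy:
    min_length: int = 14
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    prevent_reuse: int = 24     # number of previous passwords remembered (0 disables)


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; iteration count kept modest for the demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class PasswordHistory:
    """Salted digests of a user's previous passwords, newest first."""

    def __init__(self):
        self._entries = []      # list of (salt, digest)

    def remember(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.insert(0, (salt, _digest(password, salt)))

    def contains(self, password: str, last_n: int) -> bool:
        """Constant-time comparison against the most recent last_n entries."""
        return any(
            hmac.compare_digest(_digest(password, salt), digest)
            for salt, digest in self._entries[:last_n]
        )


def violations(policy: PasswordPolicy, password: str,
               history: Optional[PasswordHistory] = None):
    """Return the rules a candidate password breaks; an empty list means it passes."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if policy.require_lower and not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("no digit")
    if policy.require_symbol and not any(c in string.punctuation for c in password):
        problems.append("no non-alphanumeric character")
    if (history is not None and policy.prevent_reuse > 0
            and history.contains(password, policy.prevent_reuse)):
        problems.append(f"reuses one of the last {policy.prevent_reuse} passwords")
    return problems


if __name__ == "__main__":
    policy = PasswordPolicy()
    history = PasswordHistory()
    history.remember("Correct-Horse-7Battery")      # constructed sample password
    print(violations(policy, "short1!"))
    print(violations(policy, "Correct-Horse-7Battery", history))
    print(violations(policy, "Another-Good-Pass99!", history))
```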

It is also possible to use MFA devices for authentication:

  • Virtual MFA device
  • Universal 2nd Factor (U2F) security key (physical device)
  • Hardware key fob MFA device
  • Hardware key fob MFA device for AWS GovCloud (US)

IAM Roles for Services

Same as for users, but for services.

They give permission for one AWS service to call another service.

IAM Security Tools

  • IAM Credentials Report (account-level): lists all users and the status of their credentials
  • IAM Access Advisor (user-level): shows the service permissions granted to a user and when those services were last accessed

AWS EC2

EC2 sizing & configuration options

  • Operating system
  • CPU
  • RAM
  • Storage => EBS or EFS or EC2 instance store
  • Network card, public IP address
  • Firewall rules
  • Bootstrap script: EC2 user data

EC2 user data

  • Commands that run when the machine first starts
  • Runs only once
  • Automates boot tasks such as installing dependencies
  • Runs with root user privileges

EC2 Instance types

Instance type description:

m5.2xlarge => m: instance class, 5: generation, 2xlarge: size within the instance class

Available instance types:

  • General purpose (t) => web servers
  • Compute optimized (c) => batch processing, high performance computing
  • Memory optimized (r, x, z) => databases, cache, in-memory DB
  • Storage optimized (i1, h1) => high-frequency online transaction processing (OLTP), relational and NoSQL databases, cache, data warehousing

Security Groups

  • Control traffic in and out of our EC2 instances
  • Only contain "Allow" rules
  • Rules can reference IP ranges or other security groups
  • Control access to ports
  • Authorized IP ranges, IPv4 and IPv6
  • Control inbound traffic
  • Control outbound traffic
  • Can be attached to multiple instances, and one instance can have multiple security groups
  • Locked down to a region / VPC combination
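Two of the bullets above have consequences that are easy to miss in an exam setting but matter in production: because groups hold only Allow rules, anything no rule matches is implicitly denied, and because an instance's access is the union of all attached groups, a single permissive group opens a port no matter how tight the others are. The Python below is an added model of that evaluation, not AWS code and not from these notes; group IDs and addresses are made up, and statefulness (return traffic being allowed automatically) is not modelled.

```python
"""Model of how EC2 security group rules are evaluated for inbound traffic.

Constructed example, not AWS code. It shows that a group holds only Allow
rules (implicit deny otherwise) and that an instance's effective access is
the union of every attached group. A rule's source may be a CIDR or another
security group ID. Group IDs and addresses are made up.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    protocol: str       # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int
    to_port: int
    source: str         # CIDR such as "10.0.0.0/16", or a group ID such as "sg-app"


@dataclass(frozen=True)
class SecurityGroup:
    group_id: str
    inbound: tuple      # Rule objects; there are no Deny rules


def _covers(rule, protocol, port):
    """Protocol and port-range part of a match; protocol -1 covers every port."""
    if rule.protocol not in ("-1", protocol):
        return False
    return rule.protocol == "-1" or rule.from_port <= port <= rule.to_port


def _source_matches(rule, src_ip, src_groups):
    """Source part of a match: a referenced group, or a CIDR containing the peer IP."""
    if rule.source.startswith("sg-"):
        return rule.source in src_groups
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source, strict=False)


def inbound_allowed(groups, protocol, port, src_ip, src_groups=()):
    """True if any rule of any attached group allows the flow; implicit deny otherwise."""
    return any(
        _covers(rule, protocol, port) and _source_matches(rule, src_ip, src_groups)
        for sg in groups
        for rule in sg.inbound
    )


def world_open_ports(groups, sensitive_ports=(22, 3389)):
    """Audit helper: (group_id, port) pairs exposing an admin port to the whole Internet."""
    findings = []
    for sg in groups:
        for rule in sg.inbound:
            if rule.source not in ("0.0.0.0/0", "::/0"):
                continue
            for port in sensitive_ports:
                if _covers(rule, "tcp", port):
                    findings.append((sg.group_id, port))
    return findings


# Constructed groups. SG_LEGACY is the kind of "allow everything" group that
# quietly undoes the others once attached to the same instance.
SG_WEB = SecurityGroup("sg-web", (Rule("tcp", 443, 443, "0.0.0.0/0"),))
SG_ADMIN = SecurityGroup("sg-admin", (Rule("tcp", 22, 22, "10.0.0.0/8"),))
SG_DB = SecurityGroup("sg-db", (Rule("tcp", 5432, 5432, "sg-app"),))
SG_LEGACY = SecurityGroup("sg-legacy", (Rule("tcp", 0, 65535, "0.0.0.0/0"),))


if __name__ == "__main__":
    tight = [SG_WEB, SG_ADMIN]
    print(inbound_allowed(tight, "tcp", 22, "203.0.113.5"))            # False
    print(inbound_allowed(tight + [SG_LEGACY], "tcp", 22, "203.0.113.5"))  # True
    print(world_open_ports(tight + [SG_LEGACY]))
```

Referencing another group as the source (as SG_DB does with sg-app) is the pattern to prefer over CIDRs inside a VPC: the database port opens to whatever instances carry the application group, and nothing else, even as their IP addresses change.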

EC2 instances purchasing options

  • On-Demand Instances: short workloads, predictable pricing, pay by the second
  • Reserved Instances (1 or 3 years): long workloads; standard or convertible
  • Savings Plans (1 or 3 years): commitment to an amount of usage
  • Spot Instances: short workloads, cheap, you can lose the instance at any time
  • Dedicated Hosts: book an entire physical server, control instance placement, can use your own software licenses
  • Dedicated Instances: no other customers share your hardware
  • Capacity Reservations: reserve capacity in a specific AZ for any duration

AWS EC2 storage options

EBS volumes

  • An EBS (Elastic Block Store) volume is a network drive you can attach to your instances while they run
  • It allows your instances to persist data, even after their termination
  • One instance can have multiple EBS volumes
  • A volume can normally be mounted to only one instance at a time
  • Some EBS volume types support Multi-Attach
  • They are bound to a specific AZ

An EBS volume is a network drive (not a physical device), so:

  • it uses the network to communicate with the instance, which adds some latency
  • it can be detached from one EC2 instance and attached to another quickly

It is locked to an AZ:

  • an EBS volume in us-east-1a cannot be attached to an instance in us-east-1b
  • to move a volume across AZs, you first need to snapshot it

You need to provision capacity (size and IOPS) in advance.

The root EBS volume is deleted by default on instance termination; this can be changed.

EBS snapshots

  • Make a backup (snapshot) of your EBS volume at a point in time
  • It is not necessary to detach the volume to take a snapshot, but it is recommended
  • Snapshots can be copied across AZs or Regions

EBS Snapshot Archive: stores snapshots 75% cheaper; restoring from the archive takes 24 to 72 hours.

Recycle Bin for EBS snapshots: deleted snapshots are retained for a configurable period, from 1 day to 1 year, so they can be recovered.

Fast Snapshot Restore (FSR): forces full initialization of the snapshot so there is no latency on first use.

AMI Overview

  • AMI = Amazon Machine Image
  • An AMI is a customized image of an EC2 instance
  • Your own software, configuration, operating system and monitoring
  • Faster boot and configuration time because everything is pre-packaged
  • Built for a specific region; can be copied across regions

Instances can be launched from:

  • Public AMI: AWS provided
  • Own AMI
  • Marketplace AMI

AMI process

  • Start an EC2 instance and customize it
  • Stop the instance
  • Build an AMI - this also creates EBS snapshots
  • Launch instances from that AMI


EC2 Instance Store

  • Physical disk attached to the host machine
  • Better I/O performance than EBS
  • Instance store volumes lose their data if the instance is stopped
  • Good for buffer, cache and temporary content

EBS Volume types

  • gp2/gp3: general purpose SSD
  • io1/io2: highest-performance SSD
  • st1: low-cost HDD for frequently accessed, throughput-intensive data
  • sc1: lowest-cost HDD for less frequently accessed data

Only gp2/gp3 and io1/io2 can be used as boot volumes.

General purpose SSD

  • Cost effective
  • Can be used as a system boot volume
  • 1 GiB - 16 TiB

gp3:

  • baseline of 3,000 IOPS and throughput of 125 MiB/s
  • IOPS can be increased up to 16,000 and throughput up to 1,000 MiB/s, independently of each other

gp2:

  • Small gp2 volumes can burst IOPS to 3,000
  • Size of the volume and IOPS are linked; max IOPS is 16,000
  • 3 IOPS per GiB, so at 5,334 GiB we reach the max IOPS (3 * 5334 ≈ 16,000 IOPS)

Provisioned IOPS (PIOPS) SSD

  • Critical business applications with sustained IOPS performance
  • Or applications that need more than 16,000 IOPS
  • Great for database workloads (sensitive to storage performance)

io1 (4 GiB - 16 TiB):

  • Max 64,000 IOPS on Nitro EC2 instances, 32,000 on others
  • PIOPS can be increased independently of storage size
  • io2 has more durability and more IOPS per GiB at the same price

io2 Block Express (4 GiB - 64 TiB):

  • Sub-millisecond latency
  • Max 256,000 IOPS with an IOPS:GiB ratio of 1,000:1

io1/io2 support EBS Multi-Attach.

Hard Disk Drives (HDD)

  • Can not be a boot volume
  • 125 GiB to 16 TiB

Throughput optimized HDD st1:

  • Big data, data warehousing, log processing
  • Max throughput 500 MiB/s, max IOPS 500

Cold HDD (sc1):

  • Archive data
  • Lowest cost
  • Max throughput 250 MiB/s, max IOPS 250

EBS multi-attach (io1/io2)

  • Attach the same EBS volume to multiple EC2 instances
  • Each instance has full read and write permissions
  • Achieves higher application availability in clustered setups
  • For applications that manage concurrent writes
  • Works within a single AZ
  • Up to 16 EC2 instances
  • Requires a cluster-aware file system (not XFS/ext4)

Amazon EFS - elastic file system

  • Managed NFS (network file system) that can be mounted on many EC2 instances
  • Works with EC2 instances across multiple AZs
  • Highly available, scalable, expensive (about 3x gp2), pay per use
  • Uses the NFSv4.1 protocol
  • Access controlled with security groups
  • Compatible with Linux-based AMIs
  • Can be encrypted with KMS
  • POSIX file system
  • The file system scales automatically

You can choose a performance mode:

  • General Purpose: latency-sensitive use cases such as web sites
  • Max I/O: higher latency and throughput, highly parallel

Throughput Mode:

  • Bursting: 1 TiB = 50 MiB/s + bursts of up to 100 MiB/s
  • Provisioned - set your throughput
  • Elastic - automatically scales throughput up or down based on your workload

Storage Tiers (lifecycle management feature):

  • Standard: for frequently accessed files
  • Infrequent Access (EFS-IA): lower price to store, but a cost to retrieve files. Enable EFS-IA with a lifecycle policy

Availability and durability

  • Standard: Multi-AZ, great for prod
  • One Zone: One AZ, great for dev

Elastic load balancing (ELB)

  • Spread load across multiple downstream instances
  • Expose a single point of access (DNS name)
  • Handle failures of downstream instances
  • Regular health checks
  • SSL termination (HTTPS)
  • Enforce stickiness with cookies
  • High availability across zones
  • Separate public traffic from private traffic

Integration

  • EC2, EC2 Auto Scaling Groups, Amazon ECS
  • AWS Certificate Manager (ACM), CloudWatch
  • Route 53, AWS WAF, AWS Global Accelerator

Types

  • Classic (HTTP, HTTPS, TCP, SSL)
  • Application (HTTP, HTTPS, WebSocket)
  • Network (TCP, TLS (secure TCP), UDP)
  • Gateway (operates at the IP protocol layer)

Application Load Balancer (layer 7)

Supports redirects from HTTP to HTTPS, HTTP/2 and WebSocket.

Latency is about 400 ms.

Routing to different target groups based on:

  • URL path
  • hostname
  • query string
  • client location (geography)

Great for container-based apps: supports port mapping to dynamic ports in ECS.

Target groups:

  • EC2
  • ECS tasks
  • Lambda
  • IP addresses - must be private IPs

Has a fixed hostname.

The true IP of the client is inserted in the X-Forwarded-For header.
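The ALB appends the connecting address to whatever X-Forwarded-For header the client already sent, so the header reaches the application as a comma-separated chain in which only the rightmost hop(s) were written by infrastructure you control. Applications that take the leftmost value, as many frameworks do by default, let a client pick its own "IP" for logs, rate limits and allow-lists. The Python below is an added example, not ALB or AWS code and not from these notes; the header values are constructed, and the function assumes you know how many trusted proxies sit in front of the application.

```python
"""Reading the client address from X-Forwarded-For behind an ALB.

Constructed example, not ALB or AWS code. The ALB appends the peer address
it saw to the incoming X-Forwarded-For header, so the client-controlled
part of the chain is on the left and the trustworthy part on the right.
"""
import ipaddress
from typing import Optional


def client_ip(xff_header: str, trusted_proxies: int = 1) -> Optional[str]:
    """Return the client IP as seen by the first trusted proxy.

    With one ALB in front of the application, trusted_proxies=1 selects the
    last element, which the ALB itself appended. Each value is validated as
    an IP address; anything else yields None instead of echoing
    attacker-controlled text into logs or access decisions.
    """
    if trusted_proxies < 1:
        raise ValueError("at least one trusted proxy (the ALB) is required")
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if len(hops) < trusted_proxies:
        return None                     # fewer hops than proxies: header was tampered or missing
    candidate = hops[-trusted_proxies]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def naive_client_ip(xff_header: str) -> str:
    """What a leftmost-value parser returns; shown only to contrast with client_ip."""
    return xff_header.split(",")[0].strip()


if __name__ == "__main__":
    # Constructed header: the client sent "X-Forwarded-For: 1.2.3.4" itself,
    # and the ALB appended the address it actually saw, 203.0.113.9.
    spoofed = "1.2.3.4, 203.0.113.9"
    print("naive:", naive_client_ip(spoofed))    # 1.2.3.4  (attacker-chosen)
    print("safe: ", client_ip(spoofed))          # 203.0.113.9
    # ALB followed by one internal reverse proxy that also appends:
    print(client_ip("203.0.113.9, 10.0.1.20", trusted_proxies=2))   # 203.0.113.9
```

The trusted-proxy count must match the deployment exactly: too low and a client can spoof, too high and every request is attributed to your own proxy.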

Network Load Balancer (layer 4)

Handles TCP and UDP traffic.

Handles millions of requests per second.

Latency is about 100 ms.

Has one static IP per AZ and supports assigning Elastic IPs.

Target groups:

  • EC2 instances
  • IP addresses
  • Application Load Balancer

Health checks support TCP, HTTP and HTTPS.

Gateway Load Balancer (layer 3)

Uses the GENEVE protocol on port 6081.

Deploys, scales and manages third-party network virtual appliances in AWS.

Used for firewalls, intrusion detection and prevention systems, and deep packet inspection systems.

Target groups:

  • EC2
  • IP addresses

Sticky sessions

Can be used with CLB, ALB and NLB.

Custom cookie:

  • generated by the target
  • the cookie name must be specified individually for each target group
  • don't use AWSALB, AWSALBAPP or AWSALBTG (reserved for ELB)

Application cookie:

  • generated by the load balancer
  • cookie name is AWSALBAPP

Duration-based cookie:

  • generated by the load balancer
  • cookie name is AWSALB for ALB, AWSELB for CLB

Cross-zone load balancing

Each load balancer node distributes traffic evenly across all registered instances in all AZs.

ALB: enabled by default (can be disabled at the target group level); no charges for inter-AZ data.

NLB and GWLB: disabled by default; you pay for inter-AZ data.

CLB: disabled by default; no charges for inter-AZ data.

ELB SSL/TLS

The load balancer uses an X.509 certificate (an SSL/TLS server certificate).

Certificates are managed with AWS Certificate Manager (ACM); you can also upload your own certificate.

HTTPS listener:

  • you must specify a default certificate
  • you can add an optional list of certificates to support multiple domains
  • clients use SNI (Server Name Indication) to specify the hostname they are reaching
  • older versions of SSL/TLS can be allowed to support legacy clients

SNI - Server Name Indication

Solves the problem of serving multiple SSL certificates from one web server: the client indicates the target hostname in the initial TLS handshake, and the server picks the matching certificate.

Works with ALB and NLB.

Connection draining

1 to 3,600 seconds, default 300; can be disabled.

Called connection draining for CLB and deregistration delay for ALB and NLB.

It is the time given to complete in-flight requests while the instance is de-registering or unhealthy.

The load balancer stops sending new requests to an EC2 instance that is de-registering.

Auto scaling group (ASG)

Scale out (add instances) and scale in (remove instances) to match the load.

Ensures the number of EC2 instances stays between a configured minimum and maximum.

Automatically registers new instances with a load balancer.

Re-creates an EC2 instance if a previous one was terminated.

A launch template (replacing the older launch configuration) contains the information needed to launch your EC2 instances:

  • AMI, Instance type
  • EC2 user data
  • EBS volume
  • Security groups
  • SSH key pairs
  • IAM roles
  • Network and subnets
  • Load balancer info

It is possible to scale an ASG based on CloudWatch alarms.

An alarm monitors a metric (such as average CPU, or a custom metric).

Inside an ASG it is possible to override the launch template's instance type requirements, including mixing in Spot instances.

Scaling policies

Dynamic scaling:

  • target tracking scaling (e.g. keep average ASG CPU around 40%)
  • simple / step scaling (e.g. add or remove 2 instances when a CloudWatch alarm triggers)
  • scheduled actions (you know in advance when the load changes)

Predictive scaling:

  • predictive scaling (forecasts load and schedules capacity ahead of time)

Good metrics to scale on:

  • CPUUtilization: average CPU
  • RequestCountPerTarget
  • Average Network IN/OUT
  • Custom metrics that you push to CloudWatch

Scaling cooldown: 300 seconds by default; no further scale in/out happens during this period while metrics stabilize.

Use a ready-to-use AMI to reduce configuration time, so instances serve requests sooner and the cooldown period can be shortened.

Auto scaling - instance refresh

Goal: update the launch template and then gradually re-create the EC2 instances.

You set a minimum healthy percentage and, optionally, a warm-up time for new instances.
