Mod1-ReviewArchitectingConcepts


Slide: 1.

img\Mod1-ReviewArchitectingConcepts1.jpg

Advanced Architecting on AWS

Advanced Architecting on AWS Module 1: Review Architecting Concepts Lab 1

Notes:


Slide: 2.

img\Mod1-ReviewArchitectingConcepts2.jpg

Module overview

Module overview Architectural review Lab 1

Notes:


Slide: 3.

img\Mod1-ReviewArchitectingConcepts3.jpg

Review architecting concepts

Review architecting concepts This is our starting point. Let’s review.

Notes:

Throughout the modules in this course, we review and discuss the components of this architectural diagram in detail. By the end of this course, you will be able to construct your own architectural solutions.

This architecture has a single virtual private cloud (VPC) with multiple Availability Zones, and application servers using auto scaling. The application servers connect to database servers. The application servers are connected to Amazon Elastic File System (Amazon EFS) mount points for shared file system across the Availability Zones. This solution also includes both internet and NAT gateways for access to the outside world for private resources. Outside of the VPC, this architecture uses static Amazon Simple Storage Service (Amazon S3) buckets, Amazon Route 53 for domain name resolution, and Amazon CloudFront for faster distribution of static and dynamic web content.


Slide: 4.

img\Mod1-ReviewArchitectingConcepts4.jpg

Architecting review 1

Architecting review 1 Span of a single VPC

Notes:

Throughout the modules in this course, we will review and discuss the VPC components of this architectural diagram in detail.


Slide: 5.

img\Mod1-ReviewArchitectingConcepts5.jpg

Architecting review question 1

True/False: A single VPC can span multiple Regions.

A. True
B. False

Notes:


Slide: 6.

img\Mod1-ReviewArchitectingConcepts6.jpg

Architecting review question 1 and answer

True/False: A single VPC can span multiple Regions.

A. True
B. False (correct)

Notes:

The correct answer is B, false.

A VPC is a Regional resource. VPCs can be peered across Regions, but each VPC is still bound to one Region. To get started with Amazon VPC, you create a VPC and subnets. A VPC is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud.

For more information, review “How Amazon VPC works” (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html).


Slide: 7.

img\Mod1-ReviewArchitectingConcepts7.jpg

Architecting review 2

Architecting review 2 Function of a NAT gateway

Notes:

Throughout the modules in this course, we review and discuss the NAT gateway components of this architectural diagram in detail. By the end of this course, you will be able to construct your own architectural solutions.


Slide: 8.

img\Mod1-ReviewArchitectingConcepts8.jpg

Architecting review question 2

Which function does the NAT gateway serve?

A. Load balances incoming traffic to multiple instances
B. Allows internet traffic initiated by private subnet instances
C. Allows instances to communicate across VPCs
D. Increases security for instances in a public subnet

Notes:


Slide: 9.

img\Mod1-ReviewArchitectingConcepts9.jpg

Architecting review question 2 and answers

Which function does the NAT gateway serve?

A. Load balances incoming traffic to multiple instances
B. Allows internet traffic initiated by private subnet instances (correct)
C. Allows instances to communicate across VPCs
D. Increases security for instances in a public subnet

Notes:

The correct answer is B, allows internet traffic initiated by private subnet instances.

A NAT gateway allows instances in a private subnet to keep their private addresses and still reach the public internet. You can use a NAT gateway to enable instances in a private subnet to connect to the internet or to other AWS services, while preventing the internet from initiating a connection with those instances.

For more information, review “NAT gateways” (https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html).


Slide: 10.

img\Mod1-ReviewArchitectingConcepts10.jpg

Architecting review 3

Architecting review 3 Valid targets for an Application Load Balancer

Notes:

Throughout the modules in this course, we review and discuss the load balancer components of this architectural diagram in detail. By the end of this course, you will be able to construct your own architectural solutions.


Slide: 11.

img\Mod1-ReviewArchitectingConcepts11.jpg

Architecting review question 3

What are valid targets for an Application Load Balancer? (Select THREE.)

A. Amazon ECS container
B. Lambda function
C. IP address
D. VPN connection

Notes:


Slide: 12.

img\Mod1-ReviewArchitectingConcepts12.jpg

Architecting review question 3 and answers

What are valid targets for an Application Load Balancer? (Select THREE.)

A. Amazon ECS container (correct)
B. Lambda function (correct)
C. IP address (correct)
D. VPN connection

Notes:

The correct answers are A, Amazon ECS container, B, Lambda function, and C, IP address.

Application Load Balancers distribute traffic to resources grouped into target groups. A VPN connection is not a valid target because it is not a compute resource.

Each target group is used to route requests to one or more registered targets. When you create each listener rule, you specify a target group and conditions. When a rule condition is met, traffic is forwarded to the corresponding target group. You can create different target groups for different types of requests.

For more information, review “Target groups for your Application Load Balancers” (https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html).


Slide: 13.

img\Mod1-ReviewArchitectingConcepts13.jpg

Architecting review 4

Architecting review 4 Auto scaling launch templates

Notes:

Throughout the modules in this course, we will review and discuss the Auto Scaling components of this architectural diagram in detail. By the end of this course, you will be able to construct your own architectural solutions.


Slide: 14.

img\Mod1-ReviewArchitectingConcepts14.jpg

Architecting review question 4

What is the best practice when reconfiguring Auto Scaling to install an additional application on new instances?

A. Create a CloudFormation template.
B. Create a launch template and configure the Auto Scaling group to use it.
C. Create a new AMI and configure the Auto Scaling group to use it.
D. Modify a CloudFormation template.

Notes:


Slide: 15.

img\Mod1-ReviewArchitectingConcepts15.jpg

Architecting review question 4 and answers

What is the best practice when reconfiguring Auto Scaling to install an additional application on new instances?

A. Create a CloudFormation template.
B. Create a launch template and configure the Auto Scaling group to use it. (correct)
C. Create a new AMI and configure the Auto Scaling group to use it.
D. Modify a CloudFormation template.

Notes:

The correct answer is B, create a launch template and configure the Auto Scaling group to use it.

Launch templates improve the availability and optimization of the workloads you host in Auto Scaling groups. You can use them to access the full set of EC2 features when launching instances in an Auto Scaling group. Before you can create an Auto Scaling group using a launch template, you must create a launch template with the parameters required to launch an EC2 instance.

For more information, review “Create a launch template for an Auto Scaling group” (https://docs.aws.amazon.com/autoscaling/ec2/userguide/create-launch-template.html).


Slide: 16.

img\Mod1-ReviewArchitectingConcepts16.jpg

Architecting review 5

Architecting review 5 AWS services used for caching

Notes:

Throughout the modules in this course, we will review and discuss the components of this architectural diagram in detail. By the end of this course, you will be able to construct your own architectural solutions.


Slide: 17.

img\Mod1-ReviewArchitectingConcepts17.jpg

Architecting review question 5

Which AWS services are used for caching? (Select THREE.)

A. CloudFront
B. DynamoDB Accelerator (DAX)
C. Application Load Balancer
D. ElastiCache

Notes:


Slide: 18.

img\Mod1-ReviewArchitectingConcepts18.jpg

Architecting review question 5 and answers

Which AWS services are used for caching? (Select THREE.)

A. CloudFront (correct)
B. DynamoDB Accelerator (DAX) (correct)
C. Application Load Balancer
D. ElastiCache (correct)

Notes:

The correct answer is A, CloudFront, and B, DynamoDB Accelerator (DAX).

CloudFront caches data at the edge. DAX adds accelerated caching to DynamoDB applications. ElastiCache adds application caching capabilities for VPC-based applications. Application Load Balancers do not act as a data cache.

A cache is a high-speed data storage layer that stores a subset of data, typically transient in nature, so that future requests for that data are served up faster than is possible by accessing the data's primary storage location.

For more information, review “Caching Overview” (https://aws.amazon.com/caching).


Slide: 19.

img\Mod1-ReviewArchitectingConcepts19.jpg

Architecting review 6

Architecting review 6 Outcomes of an Aurora Multi-AZ failover

Notes:

Throughout the modules in this course, we will review and discuss the components of this architectural diagram in detail. By the end of this course, you will be able to construct your own architectural solutions.


Slide: 20.

img\Mod1-ReviewArchitectingConcepts20.jpg

Architecting review question 6

What action does Aurora take to maintain high availability if the primary instance in a database cluster fails?

A. Takes a snapshot of the primary DB instance.
B. Restores the snapshot into another Availability Zone.
C. Automatically promotes one of the reader instances to take its place as the new writer.
D. Sets up synchronous replication between the primary DB instance and the new instance.

Notes:


Slide: 21.

img\Mod1-ReviewArchitectingConcepts21.jpg

Architecting review question 6 and answers

What action does Aurora take to maintain high availability if the primary instance in a database cluster fails?

A. Takes a snapshot of the primary DB instance.
B. Restores the snapshot into another Availability Zone.
C. Automatically promotes one of the reader instances to take its place as the new writer. (correct)
D. Sets up synchronous replication between the primary DB instance and the new instance.

Notes:

The correct answer is C, automatically promotes one of the reader instances to take its place as the new writer.

Aurora Replicas provide redundancy and help increase availability. If the writer instance in a cluster becomes unavailable, Aurora automatically promotes one of the reader instances to take its place as the new writer.

An Aurora DB cluster is fault tolerant by design. The cluster volume spans multiple Availability Zones in a single AWS Region, and each Availability Zone contains a copy of the cluster volume data. This functionality means that your DB cluster can tolerate a failure of an Availability Zone without any loss of data and only a brief interruption of service.

For more information, review “High availability for Amazon Aurora” (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.AuroraHighAvailability.html).


Slide: 22.

img\Mod1-ReviewArchitectingConcepts22.jpg

Architecting review 7

Architecting review 7 Automatically change Amazon S3 data storage tiers

Notes:

Throughout the modules in this course, we will review and discuss the components of this architectural diagram in detail. By the end of this course, you will be able to construct your own architectural solutions.


Slide: 23.

img\Mod1-ReviewArchitectingConcepts23.jpg

Architecting review question 7

Architecting review question 7

Notes:


Slide: 24.

img\Mod1-ReviewArchitectingConcepts24.jpg

Architecting review question 7 and answer

Which Amazon S3 feature automatically changes data storage tiers?

A. Amazon SNS notification
B. Streams
C. Lifecycle configuration (correct)
D. Amazon S3 Glacier

Notes:

The correct answer is C, lifecycle configuration.

A lifecycle configuration is a set of one or more rules that you attach to an S3 bucket. The rules define when matching objects are transitioned to a different storage class.

For more information, review “Setting lifecycle configuration on a bucket” (https://docs.aws.amazon.com/AmazonS3/latest/userguide/how-to-set-lifecycle-configuration-intro.html).
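As an added example (not part of the course material), the following constructed lifecycle configuration tiers objects under a `logs/` prefix and then expires them, with a validator for the ordering constraints S3 enforces and a helper that approximates which storage class an object of a given age is in. The bucket, prefix, day counts and rule ID are all assumptions.

```python
import json

# Constructed example configuration (not from the course): objects under "logs/"
# move to cheaper storage classes over time and are deleted after a year.
LIFECYCLE_CONFIG = {
    "Rules": [{
        "ID": "tier-and-expire-logs",
        "Status": "Enabled",
        "Filter": {"Prefix": "logs/"},
        "Transitions": [
            {"Days": 30, "StorageClass": "STANDARD_IA"},
            {"Days": 90, "StorageClass": "GLACIER"},
        ],
        "Expiration": {"Days": 365},
    }]
}

# Objects must sit in STANDARD for at least 30 days before moving to an IA class.
IA_CLASSES = {"STANDARD_IA", "ONEZONE_IA"}


def validate_rule(rule):
    """Return a list of problems; S3 rejects a configuration with any of these."""
    problems = []
    transitions = rule.get("Transitions", [])
    prev_days = None
    for t in transitions:
        if t["StorageClass"] in IA_CLASSES and t["Days"] < 30:
            problems.append(f"{t['StorageClass']} needs at least 30 days in STANDARD")
        if prev_days is not None and t["Days"] <= prev_days:
            problems.append("transition days must strictly increase")
        prev_days = t["Days"]
    expiration = rule.get("Expiration", {}).get("Days")
    if expiration is not None and prev_days is not None and expiration <= prev_days:
        problems.append("expiration must come after the last transition")
    return problems


def storage_class_at(config, key, age_days):
    """Approximate the storage class of an object of this age; None means expired.

    S3 applies lifecycle actions at 00:00 UTC after the day threshold is reached,
    so real objects may lag this model by up to a day.
    """
    current = "STANDARD"
    for rule in config["Rules"]:
        if rule.get("Status") != "Enabled":
            continue
        prefix = rule.get("Filter", {}).get("Prefix", "")
        if not key.startswith(prefix):
            continue  # rule does not apply to this key
        expiration = rule.get("Expiration", {}).get("Days")
        if expiration is not None and age_days >= expiration:
            return None
        for t in sorted(rule.get("Transitions", []), key=lambda t: t["Days"]):
            if age_days >= t["Days"]:
                current = t["StorageClass"]
    return current


def lifecycle_json(config=LIFECYCLE_CONFIG):
    """Serialise the configuration in the form the S3 API accepts."""
    for rule in config["Rules"]:
        problems = validate_rule(rule)
        if problems:
            raise ValueError(f"rule {rule.get('ID')}: {problems}")
    return json.dumps(config, indent=2)


if __name__ == "__main__":
    print(lifecycle_json())
    for age in (0, 30, 90, 365):
        print(age, storage_class_at(LIFECYCLE_CONFIG, "logs/app.gz", age))
```

The serialised document can be applied with `aws s3api put-bucket-lifecycle-configuration --bucket BUCKET --lifecycle-configuration file://lifecycle.json`.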


Slide: 25.

img\Mod1-ReviewArchitectingConcepts25.jpg

Architecting review 8

Architecting review 8 Public subnets

Notes:

Throughout the modules in this course, we will review and discuss the components of this architectural diagram in detail. By the end of this course, you will be able to construct your own architectural solutions.


Slide: 26.

img\Mod1-ReviewArchitectingConcepts26.jpg

Architecting review question 8

What makes a subnet public?

A. The route table sends nonlocal traffic to the NAT gateway.
B. An instance in the subnet has a public IP address.
C. Subnets are public by default.
D. The route table directs nonlocal traffic to the internet gateway.

Notes:


Slide: 27.

img\Mod1-ReviewArchitectingConcepts27.jpg

Architecting review question 8 and answer

What makes a subnet public?

A. The route table sends nonlocal traffic to the NAT gateway.
B. An instance in the subnet has a public IP address.
C. Subnets are public by default.
D. The route table directs nonlocal traffic to the internet gateway. (correct)

Notes:

The correct answer is D, the route table directs nonlocal traffic to the internet gateway.

Until a subnet's route table contains a route to an internet gateway, it is a private subnet and you can only communicate with it using private addresses. Once a route to the internet gateway is in place, resources in the subnet can be reached by their public IP addresses. An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet. An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.

For more information, review “Connect to the internet using an internet gateway” (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html).
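As an added example (not course code), the function below classifies subnets as public, private or isolated from the route table data the `describe-route-tables` API returns, using the rule from this slide: only an active default route to an internet gateway makes a subnet public. The route tables, subnet IDs and gateway IDs are constructed sample data.

```python
# Constructed sample in the shape of describe-route-tables output (IDs are invented).
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public-example",
     "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example", "State": "active"}]},
    {"RouteTableId": "rtb-private-example",
     "Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example", "State": "active"}]},
    {"RouteTableId": "rtb-isolated-example",
     "Associations": [{"SubnetId": "subnet-iso-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-detached-igw-example",
     "Associations": [{"SubnetId": "subnet-stale-a"}],
     # A route to a detached internet gateway is reported as "blackhole" and carries no traffic.
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-gone", "State": "blackhole"}]},
    {"RouteTableId": "rtb-main-example",
     # The main table's association has no SubnetId; subnets without an explicit
     # association use it implicitly, which this simple classifier does not resolve.
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
]

DEFAULT_ROUTES = {"0.0.0.0/0", "::/0"}


def default_route_targets(route_table):
    """Return the kinds of target behind active default routes: 'igw', 'nat' or 'other'."""
    kinds = set()
    for route in route_table.get("Routes", []):
        if route.get("State") != "active":
            continue  # blackhole routes do not forward traffic
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if dest not in DEFAULT_ROUTES:
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            kinds.add("igw")
        elif route.get("NatGatewayId"):
            kinds.add("nat")
        else:
            kinds.add("other")  # egress-only IGW, virtual private gateway, transit gateway, ...
    return kinds


def classify(route_table):
    """A subnet is public only when its table routes nonlocal traffic to an internet gateway.

    Note that an instance holding a public IP address does not make its subnet public:
    without the IGW route, that address is simply unreachable from the internet.
    """
    kinds = default_route_targets(route_table)
    if "igw" in kinds:
        return "public"
    if kinds:
        return "private"  # has a way out (NAT or similar) but is not reachable from the internet
    return "isolated"


def classify_subnets(route_tables):
    """Map every explicitly associated subnet ID to 'public', 'private' or 'isolated'."""
    result = {}
    for rt in route_tables:
        kind = classify(rt)
        for assoc in rt.get("Associations", []):
            if "SubnetId" in assoc:
                result[assoc["SubnetId"]] = kind
    return result


if __name__ == "__main__":
    for subnet, kind in sorted(classify_subnets(ROUTE_TABLES).items()):
        print(f"{subnet}: {kind}")
```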


Slide: 28.

img\Mod1-ReviewArchitectingConcepts28.jpg

Architecting review 9

Architecting review 9 Direct connectivity to EC2 instances

Notes:

Throughout the modules in this course, we will review and discuss the components of this architectural diagram in detail. By the end of this course, you will be able to construct your own architectural solutions.


Slide: 29.

img\Mod1-ReviewArchitectingConcepts29.jpg

Architecting review question 9

Which solutions allow direct connectivity to EC2 instances? (Select THREE.)

A. Kerberos
B. RDP
C. Systems Manager Session Manager
D. SSH

Notes:


Slide: 30.

img\Mod1-ReviewArchitectingConcepts30.jpg

Architecting review question 9 and answers

Which solutions allow direct connectivity to EC2 instances? (Select THREE.)

A. Kerberos
B. RDP (correct)
C. Systems Manager Session Manager (correct)
D. SSH (correct)

Notes:

The correct answer is B, RDP, C, Systems Manager Session Manager, and D, SSH.

Kerberos is an authentication protocol, not a connectivity solution. Each of the other options is a client-server system for connecting to an instance. Windows instances natively run an RDP server. For Linux instances, you can install the Systems Manager agent and connect through Session Manager, or use SSH. With these, you can connect to the Linux instances that you launched and transfer files between your local computer and your instance.

For more information, review “Connect to your Linux instance” (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstances.html).


Slide: 31.

img\Mod1-ReviewArchitectingConcepts31.jpg

Architecting review 10

Architecting review 10 Origins for a CloudFront distribution

Notes:

Throughout the modules in this course, we will review and discuss the CloudFront components of this architectural diagram in detail. By the end of this course, you will be able to construct your own architectural solutions.


Slide: 32.

img\Mod1-ReviewArchitectingConcepts32.jpg

Architecting review question 10

What can be an origin for a CloudFront distribution? (Select THREE.)

A. Aurora endpoint
B. Application Load Balancer
C. On-premises server
D. EC2 instance
E. RDS endpoint

Notes:


Slide: 33.

img\Mod1-ReviewArchitectingConcepts33.jpg

Architecting review question 10 and answers

What can be an origin for a CloudFront distribution? (Select THREE.)

A. Aurora endpoint
B. Application Load Balancer (correct)
C. On-premises server (correct)
D. EC2 instance (correct)
E. RDS endpoint

Notes:

The correct answer is B, Application Load Balancer, C, on-premises server, and D, EC2 instance.

CloudFront origins define the source location of the resources served by your distribution. Many kinds of origin are available; however, Aurora and RDS endpoints are not valid origins. You can still cache data that comes from Aurora through your distribution if, for example, an EC2 instance origin reads that data and serves it.

When you create a distribution, you specify where CloudFront sends requests for the files. CloudFront supports using several AWS resources as origins. For example, you can specify an Amazon S3 bucket, a MediaStore container, a MediaPackage channel, or a custom origin, such as an Amazon EC2 instance or your own HTTP web server.

For more information, review “Using various origins with CloudFront distributions” (https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/DownloadDistS3AndCustomOrigins.html).


Slide: 34.

img\Mod1-ReviewArchitectingConcepts34.jpg

Architecting review 11

Architecting review 11 Access to an EFS file share

Notes:

Throughout the modules in this course, we will review and discuss the EFS components of this architectural diagram in detail. By the end of this course, you will be able to construct your own architectural solutions.


Slide: 35.

img\Mod1-ReviewArchitectingConcepts35.jpg

Architecting review question 11

Which of the following can NOT access an EFS file share?

A. DynamoDB
B. Amazon EC2
C. Amazon ECS
D. Amazon EKS
E. Lambda
F. SageMaker

Notes:


Slide: 36.

img\Mod1-ReviewArchitectingConcepts36.jpg

Architecting review question 11 and answer

Which of the following can NOT access an EFS file share?

A. DynamoDB (correct)
B. Amazon EC2
C. Amazon ECS
D. Amazon EKS
E. Lambda
F. SageMaker

Notes:

The correct answer is A, DynamoDB.

DynamoDB does not support access to EFS file shares. Amazon EFS is a fully managed service that makes it easy to set up, scale, and cost-optimize file storage in the AWS Cloud.

For more information, review “Amazon EFS FAQs” (https://aws.amazon.com/efs/faq).


Slide: 37.

img\Mod1-ReviewArchitectingConcepts37.jpg

Architecting review 12

Architecting review 12 Functions of Amazon Route 53

Notes:

Throughout the modules in this course, we will review and discuss the Route 53 components of this architectural diagram in detail. By the end of this course, you will be able to construct your own architectural solutions.


Slide: 38.

img\Mod1-ReviewArchitectingConcepts38.jpg

Architecting review question 12

What is NOT a function of Amazon Route 53?

A. Weighted routing
B. Domain registration
C. Load balancing within a VPC
D. Alias records

Notes:


Slide: 39.

img\Mod1-ReviewArchitectingConcepts39.jpg

Architecting review question 12 and answer

What is NOT a function of Amazon Route 53?

A. Weighted routing
B. Domain registration
C. Load balancing within a VPC (correct)
D. Alias records

Notes:

The correct answer is C, load balancing within a VPC.

Although you can create routing policies such as weighted routing in Route 53, load balancing within a VPC is best done by load balancers running inside the VPC.

Domain Name System (DNS) is a globally distributed service that translates human readable names, such as www.example.com, into the numeric IP addresses like 192.0.2.1 that computers use to connect to each other. The internet's DNS system works much like a phone book by managing the mapping between names and numbers.

For more information, review “Amazon Route 53 FAQs” (https://aws.amazon.com/route53/faqs).


Slide: 40.

img\Mod1-ReviewArchitectingConcepts40.jpg

Architecting review 13

Architecting review 13 Private subnet instance access to an S3 bucket

Notes:

Throughout the modules in this course, we will review and discuss the S3 components of this architectural diagram in detail. By the end of this course, you will be able to construct your own architectural solutions.


Slide: 41.

img\Mod1-ReviewArchitectingConcepts41.jpg

Architecting review question 13

How can a private subnet instance access an S3 bucket without an internet gateway? (Select TWO.)

A. Use a VPN connection.
B. Modify the S3 bucket policy.
C. Use a VPC gateway endpoint.
D. Use a VPC interface endpoint.

Notes:


Slide: 42.

img\Mod1-ReviewArchitectingConcepts42.jpg

Architecting review question 13 and answers

How can a private subnet instance access an S3 bucket without an internet gateway? (Select TWO.)

A. Use a VPN connection.
B. Modify the S3 bucket policy.
C. Use a VPC gateway endpoint. (correct)
D. Use a VPC interface endpoint. (correct)

Notes:

The correct answer is C, use a VPC gateway endpoint, and D, use a VPC interface endpoint.

VPC endpoints allow applications to connect to AWS services without crossing the internet. Amazon S3 offers two types of VPC endpoint: the original gateway endpoint and the newer interface endpoint. On-premises resources can reach an interface endpoint without going through the internet.

AWS PrivateLink for Amazon S3 is now generally available. PrivateLink provides private connectivity between Amazon S3 and on-premises resources using private IPs from your virtual network.

For more information, review “AWS PrivateLink for Amazon S3 is Now Generally Available” in the AWS News Blog (https://aws.amazon.com/blogs/aws/aws-privatelink-for-amazon-s3-now-available/).


Slide: 43.

img\Mod1-ReviewArchitectingConcepts43.jpg

Lab 1:

Lab 1: Securing Amazon S3 VPC endpoint communications

Notes:

Lab 1: Securing Amazon S3 VPC Endpoint Communications

Duration: 60 minutes


Slide: 44.

img\Mod1-ReviewArchitectingConcepts44.jpg

Lab 1 diagram

Lab 1 diagram

Notes:

An Amazon Virtual Private Cloud (Amazon VPC) endpoint enables private connections between your VPC and supported AWS services and VPC endpoint services powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.

Endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components. They allow communication between instances in your VPC and services without imposing availability risks or bandwidth constraints on your network traffic. There are two types of VPC endpoints: interface endpoints and gateway endpoints. Create the type of VPC endpoint that the supported service requires.

Interface endpoints:

An interface endpoint is an elastic network interface with a private IP address (from the IP address range of your subnet) that serves as an entry point for traffic destined to a supported service. PrivateLink powers interface endpoints. This technology enables you to privately access services by using private IP addresses. PrivateLink restricts all network traffic between your VPC and services to the AWS network. You do not need an internet gateway, a NAT device, or a virtual private gateway.

Gateway endpoints:

A gateway endpoint is a gateway that you specify as a target for a route in your route table for traffic destined to a supported AWS service. The following AWS services are supported:

- Amazon Simple Storage Service (Amazon S3)
- Amazon DynamoDB


Slide: 45.

img\Mod1-ReviewArchitectingConcepts45.jpg

Lab tasks

Lab tasks

Notes:

In this lab, you create VPC endpoints and use them to access Amazon S3 from an Amazon Elastic Compute Cloud (Amazon EC2) instance located in a private subnet. To further improve data security, you create a VPC endpoint policy to restrict use of the endpoint to specific resources.

Lab tasks:

1. Explore the lab environment.
2. Interact with Amazon S3 from Amazon EC2 instances.
3. Create the VPC endpoint for Amazon S3.
4. Interact with Amazon S3 via the private instance.

Optional tasks:

Add a VPC endpoint policy.
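As an added example illustrating the optional task (not the lab's own solution), the code below generates the two policy documents that together restrict S3 access to one bucket through one gateway endpoint: an endpoint policy that only allows the lab bucket, and a bucket policy that denies any request not arriving via the endpoint (`aws:SourceVpce`). A deliberately simplified evaluator then shows which requests pass both checks. The bucket name and endpoint ID are assumptions, and the evaluator models only the operators these two policies use, not full IAM evaluation.

```python
import fnmatch
import json


def s3_arns(bucket):
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def endpoint_policy(bucket):
    """Gateway endpoint policy: the endpoint may only be used to reach one bucket."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowOnlyLabBucket", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": s3_arns(bucket)}]}


def bucket_policy(bucket, vpce_id):
    """Bucket policy: refuse every request that did not arrive through the endpoint.

    aws:SourceVpce is absent for requests from the internet, and StringNotEquals
    treats a missing key as not equal, so those requests are denied too.
    """
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyUnlessViaEndpoint", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*", "Resource": s3_arns(bucket),
        "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}}}]}


def _matches(patterns, value):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, ctx):
    # Simplified: only StringEquals / StringNotEquals with single string values.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Simplified IAM logic: an explicit Deny wins, then any Allow, else implicit deny."""
    decision = "implicit-deny"
    for st in policy["Statement"]:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


def request_allowed(bucket, key, action, vpce_id, lab_bucket, lab_vpce):
    """A request must pass the endpoint policy and must not be denied by the bucket policy."""
    resource = f"arn:aws:s3:::{bucket}/{key}" if key else f"arn:aws:s3:::{bucket}"
    ctx = {"aws:SourceVpce": vpce_id}  # None models a request that bypassed the endpoint
    via_endpoint = evaluate(endpoint_policy(lab_bucket), action, resource, ctx)
    at_bucket = evaluate(bucket_policy(lab_bucket, lab_vpce), action, resource, ctx)
    return via_endpoint == "allow" and at_bucket != "deny"


if __name__ == "__main__":
    # Assumed names; replace with the lab's bucket and the endpoint ID you created.
    print(json.dumps(endpoint_policy("lab-bucket-example"), indent=2))
    print(json.dumps(bucket_policy("lab-bucket-example", "vpce-example"), indent=2))
```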


Slide: 46.

img\Mod1-ReviewArchitectingConcepts46.jpg

End of Module 1

End of Module 1

Notes: