☁️ Technology Overview
AWS Organizations and Accounts
Centrally manage access control, security, compliance, and resource sharing across AWS accounts.
Root account user == master (management) account: has complete access to the organization.
Organizational Units (OUs): groups of accounts; an OU can contain other OUs, forming a hierarchy.
Service Control Policies (SCPs): set the maximum permissions (access authority) that the accounts in an OU can use on resources.
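Added example (not from the page or from AWS): a small Python model of how SCPs combine down the OU hierarchy. The SCPs, OU names and 12-digit account ids are constructed placeholders, and the evaluator only covers the core rule (explicit Deny wins; otherwise every level from the Root down to the account must Allow the action).

```python
from fnmatch import fnmatchcase

# Constructed SCPs in IAM-policy JSON shape (Version/Sid omitted for brevity).
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Guardrail for the Workloads OU: no account under it may switch off CloudTrail
# or leave the organization, whatever its own IAM policies say.
DENY_AUDIT_TAMPERING = {"Statement": [{"Effect": "Deny", "Resource": "*",
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
               "organizations:LeaveOrganization"]}]}
# Allow-list for the Sandbox OU: only these services are usable there.
SANDBOX_ALLOWLIST = {"Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["ec2:*", "s3:*", "cloudwatch:*"]}]}

# Constructed hierarchy (Root -> OU -> account); account ids are placeholders.
ORG = {
    "Root":         {"parent": None,        "scps": [FULL_ACCESS]},
    "Workloads":    {"parent": "Root",      "scps": [FULL_ACCESS, DENY_AUDIT_TAMPERING]},
    "Sandbox":      {"parent": "Workloads", "scps": [SANDBOX_ALLOWLIST]},
    "111111111111": {"parent": "Workloads", "scps": [FULL_ACCESS]},
    "222222222222": {"parent": "Sandbox",   "scps": [FULL_ACCESS]},
}

def _matches(pattern, action):
    # IAM action names are case-insensitive; '*' wildcards as in IAM policies.
    return fnmatchcase(action.lower(), pattern.lower())

def scps_at_node_allow(scps, action):
    """Evaluate the SCPs attached to ONE node: an explicit Deny wins, otherwise
    some Allow must match; with no matching statement the action is denied."""
    allowed = False
    for scp in scps:
        for stmt in scp["Statement"]:
            actions = stmt["Action"]
            actions = [actions] if isinstance(actions, str) else actions
            if any(_matches(p, action) for p in actions):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed

def scp_permits(account, action):
    """An action is available to an account only if the SCPs at every level on
    the path from the account up to the Root allow it. Even then SCPs grant
    nothing by themselves: an IAM policy in the account must still allow it."""
    node = account
    while node is not None:
        if not scps_at_node_allow(ORG[node]["scps"], action):
            return False
        node = ORG[node]["parent"]
    return True
```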
AWS Networking
VPC (Virtual Private Cloud): your own private network, used to establish boundaries around your AWS resources. In this isolated section you can launch resources in a virtual network that you define.
Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications. You can easily customize the network configuration for your Amazon VPC. For example, you can create a public-facing subnet for your web servers that has access to the Internet, and place your backend systems such as databases or application servers in a private-facing subnet with no Internet access. You can leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.
Subnet: a section of a VPC in which you group resources based on security or operational needs; it contains resources such as Amazon EC2 instances.
Public subnets contain resources that need to be accessible by the public, such as an online store’s website.
Private subnets contain resources that should be accessible only through your private network, such as a database that contains customers’ personal information and order histories. In a VPC, subnets can communicate with each other.
Network traffic in a VPC
When a customer requests data from an application hosted in the AWS Cloud, the request is sent as a packet. A packet is a unit of data sent over the internet or a network. It enters the VPC through an internet gateway. Before a packet can enter or exit a subnet, its permissions are checked: who sent the packet and how it is trying to communicate with the resources in the subnet. The VPC component that checks packet permissions for subnets is a network access control list (ACL). A network ACL is a virtual firewall that controls inbound and outbound traffic at the subnet level. Think of packets as travelers and the network ACL as the passport control officer. A network ACL is stateless (each packet is checked against the rules in both directions, with no memory of earlier packets); the default network ACL allows all inbound and outbound traffic.
A security group is a virtual firewall that controls inbound and outbound traffic for an Amazon EC2 instance. Security groups are stateful and deny all inbound traffic by default. (Stateful: the security group remembers previous traffic flows when evaluating new requests for an instance, so the reply to an allowed request is permitted automatically.)
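Added example (not from the page or from AWS): a Python simulation of the stateless network ACL and the stateful security group described above, showing why the ACL needs an explicit outbound rule for the client's ephemeral port while the security group does not. The rule sets, rule numbers and TEST-NET addresses are constructed for illustration.

```python
import ipaddress

def _match(rule, ip, port):
    lo, hi = rule["ports"]
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule["cidr"]) and lo <= port <= hi

def nacl_allows(rules, ip, port):
    """Network ACL (subnet level, stateless): rules are evaluated in ascending
    rule-number order and the first match wins; no match hits the implicit final
    deny. Inbound and outbound are checked independently with no memory of
    earlier packets, so the reply to an allowed request is NOT automatically
    allowed: an outbound rule must cover the client's ephemeral port."""
    for rule in sorted(rules, key=lambda r: r["number"]):
        if _match(rule, ip, port):
            return rule["action"] == "allow"
    return False

class SecurityGroup:
    """Security group (instance level, stateful): only allow rules exist, so any
    inbound traffic without a matching rule is denied. An accepted request is
    remembered as a flow and its reply is allowed without any outbound rule."""
    def __init__(self, inbound_rules):
        self.inbound_rules = inbound_rules
        self.flows = set()

    def inbound(self, src_ip, src_port, dst_port):
        if any(_match(r, src_ip, dst_port) for r in self.inbound_rules):
            self.flows.add((src_ip, src_port, dst_port))
            return True
        return False

    def reply(self, dst_ip, dst_port, src_port):
        # The instance answers from src_port back to the client's dst_port.
        return (dst_ip, dst_port, src_port) in self.flows

# Constructed rules for a public web subnet (addresses from the TEST-NET ranges).
NACL_IN = [
    {"number": 90,  "cidr": "203.0.113.0/24", "ports": (0, 65535), "action": "deny"},
    {"number": 100, "cidr": "0.0.0.0/0",      "ports": (443, 443), "action": "allow"},
]
# Outbound set that forgets the ephemeral-port rule: HTTPS replies get dropped.
NACL_OUT_BROKEN = [{"number": 100, "cidr": "0.0.0.0/0", "ports": (443, 443), "action": "allow"}]
NACL_OUT_FIXED = NACL_OUT_BROKEN + [
    {"number": 110, "cidr": "0.0.0.0/0", "ports": (1024, 65535), "action": "allow"},
]
WEB_SG = SecurityGroup([{"cidr": "0.0.0.0/0", "ports": (443, 443)}])
```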
Internet Gateway
Used to connect a VPC to the internet. To allow public traffic from the internet to access your VPC, you attach an internet gateway to the VPC.
A virtual private gateway enables you to establish a virtual private network (VPN) connection between your VPC and a private network, such as an on-premises data center or internal corporate network. A virtual private gateway allows traffic into the VPC only if it is coming from an approved network.
Suppose that you are traveling on this road with a bodyguard to protect you. You are still using the same road as other customers, but with an extra layer of protection. The bodyguard is like a virtual private network (VPN) connection that encrypts (or protects) your internet traffic from all the other requests around it. The virtual private gateway is the component that allows protected internet traffic to enter the VPC. Even though your connection to the coffee shop has extra protection, traffic jams are possible because you’re using the same road as other customers.
AWS Direct Connect
A service that enables you to establish a dedicated private connection between your data center and a VPC.
Global Networking
Domain Name System (DNS) resolution
DNS resolution is the process of translating a domain name to an IP address. Customers enter the web address into their browser, and they are able to access the website. DNS resolution involves a customer DNS resolver communicating with a company DNS server.
Amazon Route 53
A DNS (Domain Name System) web service that translates a domain name to an IP address. Amazon Route 53 connects user requests to infrastructure running in AWS (such as Amazon EC2 instances and load balancers). It can also route users to infrastructure outside of AWS.
Another feature of Route 53 is the ability to manage the DNS records for domain names. You can register new domain names directly in Route 53. You can also transfer DNS records for existing domain names managed by other domain registrars. This enables you to manage all of your domain names within a single location. In the previous module, you learned about Amazon CloudFront, a content delivery service. The following example describes how Route 53 and Amazon CloudFront work together to deliver content to customers.
CloudFront
Content delivery service that caches content closer to your actual customers. An edge location is a site that Amazon CloudFront uses to store cached copies of your content for faster delivery to customers.
Database Services
Instance stores
Instance stores are ideal for temporary data that does not need to be kept long term.
Amazon Elastic Block Store (Amazon EBS)
Block-level storage volumes that behave like physical hard drives.
Amazon EBS snapshots: incremental backups of a volume. An EC2 instance and the EBS volume attached to it must be in the same Availability Zone (AZ).
Amazon Simple Storage Service (Amazon S3)
Object storage
The S3 Standard-IA (Infrequent Access) storage class is ideal for data that is infrequently accessed but requires high availability when needed.
S3 Intelligent-Tiering monitors access patterns of objects and automatically moves them between the S3 Standard and S3 Standard-IA storage classes. It is not designed for archival data.
S3 Glacier and S3 Glacier Deep Archive are low-cost storage classes that are ideal for data archiving.
Amazon Elastic File System (Amazon EFS)
Multiple clients (such as users, applications, servers, and so on) can access data stored in shared file folders. Regional service: data is stored across multiple AZs.
DynamoDB
Non-relational key-value database; simpler than a relational database. Serverless: you do not have to provision, patch, or manage servers, and you do not have to install, maintain, or operate software.
In a key-value database, you can add or remove attributes from items in the table at any time. Additionally, not every item in the table has to have the same attributes.
Purpose-built for millisecond read and write latency; scales to 10 trillion requests per day. Highly manageable and scalable (comparable to Cassandra).
RDS (Relational DB Service)
Available on six database engines: Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle Database, Microsoft SQL Server.
Automated patching, backups, redundancy, failover, disaster recovery. Most popular engines: MySQL, PostgreSQL, MariaDB.
Amazon Redshift: a data warehousing service that you can use for big data analytics. Scales to 10 trillion requests per day; columnar DB that can handle petabytes of data.
AWS Database Migration Service (AWS DMS)
ElastiCache
A service that adds caching layers on top of your databases to help improve the read times of common requests. Supports Redis and Memcached.
Provisioning Services
An easy way to set up AWS resources.
Elastic Beanstalk is like Heroku: a platform for deploying and scaling web apps. CloudFormation: infrastructure as code, with templates written in JSON or YAML.
Computing Services
Elastic Beanstalk: set up a development environment.
You upload your application, and Elastic Beanstalk automatically handles the deployment details of capacity provisioning, load balancing, auto-scaling, and application health monitoring.
Storage Services
Business Centric Services
Enterprise Integration
Logging Services
CloudWatch
Amazon CloudWatch is a web service that enables you to monitor and manage various metrics for the resources that run your applications.
Monitor your resources’ utilization and performance in real time
View metrics and graphs to monitor the performance of resources from a single dashboard
Configure automatic actions and alerts in response to metrics
CloudTrail: records API calls for your account
AWS CloudTrail is a web service that enables you to review details for user activities and API calls that have occurred within your AWS environment.
AWS CloudTrail can be used to automatically detect unusual account activity.
Track user activities and API requests throughout your AWS infrastructure
Filter logs to assist with operational analysis and troubleshooting
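Added example (not from the page or from AWS): a Python scan over a constructed CloudTrail log file that flags the records a defender would want alerted on: root account use, a successful console login without MFA, and API calls that stop or alter a trail. The user names, trail name and TEST-NET addresses are placeholders; the field names follow the CloudTrail record format.

```python
import json

# Constructed CloudTrail-style records (placeholder names and TEST-NET addresses,
# not data from any real account).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-01-01T10:09:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})

# CloudTrail API calls that reduce or remove audit coverage.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}

def find_suspicious(log_text):
    """Scan a CloudTrail log file (JSON with a 'Records' list) and return
    (eventTime, finding) pairs in log order."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        ident = rec.get("userIdentity", {})
        who = ident.get("userName", ident.get("type", "unknown"))
        name = rec["eventName"]
        if ident.get("type") == "Root":
            findings.append((rec["eventTime"], f"root account used: {name}"))
        if (name == "ConsoleLogin"
                and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append((rec["eventTime"], f"console login without MFA: {who}"))
        if rec["eventSource"] == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            findings.append((rec["eventTime"], f"trail tampering by {who}: {name}"))
    return findings
```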
Trusted Advisor: checklist
AWS Trusted Advisor is a web service that inspects your AWS environment and provides real-time recommendations in accordance with AWS best practices.
5 pillars: cost optimization, performance, security, fault tolerance, service limits. The Security category includes checks that help you review your permissions and identify which AWS security features to enable. The Cost Optimization category includes checks for unused or idle resources that could be eliminated to provide cost savings. The Fault Tolerance category includes checks to help you improve your applications’ availability and redundancy. The Performance category includes checks for your service limits and overutilized instances.
AWS Trusted Advisor provides real-time recommendations for improving your AWS environment.
AWS Trusted Advisor compares your infrastructure to AWS best practices in five categories.