Amazon Certified Solutions Architect Associate Notes

It is the EBS snapshot, not the EBS volume, that holds a copy of the data stored redundantly across multiple Availability Zones. EBS volumes themselves are stored redundantly within a single Availability Zone.

Instances that you launch into a default subnet receive both a public IPv4 address and a private IPv4 address, and both public and private DNS hostnames. Instances that you launch into a nondefault subnet in a default VPC don't receive a public IPv4 address or a DNS hostname.

A NAT gateway or a NAT instance is primarily used to enable instances in a private subnet to connect to the Internet or other AWS services, while preventing the Internet from initiating a connection with those instances.

An Internet gateway (IGW) is what gives instances in a public subnet access to the Internet.

In cases where your EC2 instance cannot access the Internet, you usually have to check two things:
1. Does it have an EIP or public IP address?
2. Is the route table properly configured?

A VPC can span a region, but each subnet must reside entirely within one Availability Zone and cannot span zones. VPC peering can connect VPCs not only across Availability Zones but across Regions and across AWS accounts; with cross-Region VPC peering, subnets in VPCs in different Regions can communicate. You cannot peer two VPCs with overlapping CIDR blocks.
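The overlapping-CIDR rule is the one that bites most often when a peering is requested late, after address space has already been handed out. The following check, an added example that is not from the original notes, uses only the standard library `ipaddress` module to test every pair of VPCs (VPC names and CIDR blocks are constructed sample values) for overlap before a peering connection is attempted. A VPC can carry several CIDR blocks, so every block on one side is compared with every block on the other:

```python
import ipaddress
from itertools import combinations

# Constructed sample data: VPC names and their associated CIDR blocks.
# None of these are real VPC IDs or real allocations.
VPCS = {
    "vpc-app":    ["10.0.0.0/16"],
    "vpc-data":   ["10.1.0.0/16"],
    "vpc-legacy": ["10.0.128.0/17", "192.168.0.0/24"],   # first block sits inside vpc-app
}


def overlapping_cidrs(cidrs_a, cidrs_b):
    """Return the (a, b) CIDR pairs that overlap between two VPCs.

    A peering is impossible if any block on one side overlaps any block on
    the other, so the comparison is done for every pair of blocks."""
    pairs = []
    for a in cidrs_a:
        for b in cidrs_b:
            net_a = ipaddress.ip_network(a, strict=True)
            net_b = ipaddress.ip_network(b, strict=True)
            # An IPv4 block can never overlap an IPv6 block.
            if net_a.version == net_b.version and net_a.overlaps(net_b):
                pairs.append((a, b))
    return pairs


def can_peer(vpcs, vpc_a, vpc_b):
    """True when the two VPCs share no address space and may be peered."""
    return not overlapping_cidrs(vpcs[vpc_a], vpcs[vpc_b])


def peering_matrix(vpcs):
    """For every VPC pair, report whether peering is possible and which blocks clash."""
    report = {}
    for a, b in combinations(sorted(vpcs), 2):
        clashes = overlapping_cidrs(vpcs[a], vpcs[b])
        report[(a, b)] = {"peerable": not clashes, "overlaps": clashes}
    return report


if __name__ == "__main__":
    for (a, b), r in peering_matrix(VPCS).items():
        status = "OK" if r["peerable"] else "BLOCKED " + str(r["overlaps"])
        print(a, "<->", b, ":", status)
```

`strict=True` makes `ip_network` reject a block whose host bits are set (for example `10.0.1.0/16`), which is the same kind of input AWS would refuse, so a typo in inventory data fails loudly instead of producing a false "no overlap".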

Amazon S3 replicates data across multiple AZs by default. It can replicate to multiple regions if Cross-Region Replication (CRR) is enabled.

S3 is an object storage service; it does not provide file system access semantics such as strong consistency, file locking and concurrently accessible storage. EFS provides these features, but S3 does not.

The limit of 20 EC2 instances is set per region, not per Availability Zone. It can be increased by submitting a request form to AWS.

Below are the important points you have to remember about subnets:
-Each subnet maps to a single Availability Zone.
-Every subnet that you create is automatically associated with the main route table for the VPC.
-If a subnet's traffic is routed to an Internet gateway, the subnet is known as a public subnet.

ELB is designed to run in only one region, not across multiple regions. Cross-Zone Load Balancing is available, but Cross-Region Load Balancing is not. Use Route 53 for cross-Region load balancing.

A load balancer should be in a public subnet if it is part of the VPC.

Load balancers distribute traffic only within their respective regions and not to other AWS regions. It is best to use Route 53 instead to balance the incoming load to two or more AWS regions.

A newly created VPC has default settings and by default, the Network ACL allows all traffic.

You only have to configure a NAT instance when your instances are on a private subnet.

Public subnet
If a subnet’s default traffic is routed to an internet gateway, the subnet is known as a public subnet. For example, an instance launched in this subnet is publicly accessible if it has an Elastic IP address or a public IP address associated with it.

Private subnet
If a subnet's default traffic is routed to a NAT instance/gateway or completely lacks a default route, the subnet is known as a private subnet. For example, an instance launched in this subnet is not publicly accessible even if it has an Elastic IP address or a public IP address associated with it.

You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances. You are charged for creating and using a NAT gateway in your account.

An S3 bucket name must be unique across all existing bucket names in Amazon S3.
Server-side Encryption and Client-side Encryption are S3 constructs and not EBS volume constructs.
S3 has a constraint that objects must be stored for at least 30 days in their current storage class before you can transition them to STANDARD_IA or ONEZONE_IA. You therefore cannot create a lifecycle rule that transitions objects to STANDARD_IA or ONEZONE_IA 7 days after creation; the transition is only possible after the 30-day period has elapsed.
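The 30-day minimum is easy to get wrong when lifecycle rules are written by hand or generated from a template. The validator below is an added example, not part of the original notes or of any AWS tooling; it walks a lifecycle configuration in the same dict shape that boto3's `put_bucket_lifecycle_configuration` accepts (the rule IDs and prefixes are constructed sample values) and reports, or raises to 30 days, any STANDARD_IA / ONEZONE_IA transition that is scheduled too early. The 30-day rule applies only to the two IA classes, so the GLACIER transition in the sample is left alone:

```python
import copy

# Minimum days an object must spend in its current class before it may move
# to STANDARD_IA or ONEZONE_IA (the constraint described in the notes).
IA_MIN_DAYS = 30
IA_CLASSES = {"STANDARD_IA", "ONEZONE_IA"}

# Constructed lifecycle configuration; rule IDs and prefixes are made up.
LIFECYCLE = {
    "Rules": [
        {"ID": "logs-to-ia-too-early", "Status": "Enabled",
         "Filter": {"Prefix": "logs/"},
         "Transitions": [{"Days": 7, "StorageClass": "STANDARD_IA"}]},
        {"ID": "archive-ok", "Status": "Enabled",
         "Filter": {"Prefix": "archive/"},
         "Transitions": [{"Days": 30, "StorageClass": "STANDARD_IA"},
                         {"Days": 90, "StorageClass": "GLACIER"}]},
        {"ID": "tmp-onezone-too-early", "Status": "Enabled",
         "Filter": {"Prefix": "tmp/"},
         "Transitions": [{"Days": 14, "StorageClass": "ONEZONE_IA"}]},
    ]
}


def lifecycle_violations(config):
    """Return (rule_id, storage_class, days) for every IA transition under 30 days."""
    problems = []
    for rule in config.get("Rules", []):
        for t in rule.get("Transitions", []):
            if t["StorageClass"] in IA_CLASSES and t.get("Days", 0) < IA_MIN_DAYS:
                problems.append((rule["ID"], t["StorageClass"], t.get("Days", 0)))
    return problems


def fix_lifecycle(config):
    """Return a deep copy in which too-early IA transitions are raised to 30 days.

    The input is not modified, so the original can still be shown to the
    person who wrote it alongside the corrected version."""
    fixed = copy.deepcopy(config)
    for rule in fixed.get("Rules", []):
        for t in rule.get("Transitions", []):
            if t["StorageClass"] in IA_CLASSES and t.get("Days", 0) < IA_MIN_DAYS:
                t["Days"] = IA_MIN_DAYS
    return fixed


if __name__ == "__main__":
    for rule_id, cls, days in lifecycle_violations(LIFECYCLE):
        print(f"{rule_id}: {cls} after {days} days is below the {IA_MIN_DAYS}-day minimum")
    print("after fix:", lifecycle_violations(fix_lifecycle(LIFECYCLE)))
```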

AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics.

AWS Certificate Manager (ACM) is used to generate SSL/TLS certificates that encrypt traffic in transit, not at rest. AWS KMS is a managed service for managing your own keys, which can then be used to encrypt data at rest in services such as S3, EBS, RDS and Redshift.

Instead of creating and distributing your AWS credentials to the containers or using the EC2 instance’s role, you can associate an IAM role with an ECS task definition or RunTask API operation. The applications in the task’s containers can then use the AWS SDK or CLI to make API requests to authorized AWS services.

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs and Amazon S3. After you've created a flow log, you can retrieve and view its data in the chosen destination.
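Flow logs are only useful if something reads them. The script below is an added example, not from the original notes; it parses records in the default version 2 flow log format (field order: version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status) and then answers two defender questions over them: which external sources are being rejected on many different ports, and how many accepted bytes flowed to or from each external peer. The sample lines are constructed (placeholder account and ENI IDs, documentation address ranges); one of them is a NODATA record, whose traffic fields are all `-` and which any parser has to skip:

```python
import ipaddress
from collections import defaultdict

# Field order of the default (version 2) VPC Flow Logs record format.
FLOW_FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes",
               "start", "end", "action", "log_status"]

# Constructed sample records. Account ID and ENI ID are placeholders; the
# public addresses come from documentation ranges. The NODATA line has no
# traffic fields and must be skipped.
SAMPLE_FLOW_LOG = """\
2 111111111111 eni-0placeholder 203.0.113.5 10.0.1.20 54321 22 6 1 60 1700000000 1700000060 REJECT OK
2 111111111111 eni-0placeholder 203.0.113.5 10.0.1.20 54322 23 6 1 60 1700000000 1700000060 REJECT OK
2 111111111111 eni-0placeholder 203.0.113.5 10.0.1.20 54323 3389 6 1 60 1700000000 1700000060 REJECT OK
2 111111111111 eni-0placeholder 203.0.113.5 10.0.1.20 54324 445 6 1 60 1700000000 1700000060 REJECT OK
2 111111111111 eni-0placeholder 10.0.1.20 198.51.100.9 43210 443 6 25 9000 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0placeholder 198.51.100.77 10.0.1.20 40000 443 6 3 180 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0placeholder - - - - - - - 1700000000 1700000060 - NODATA
2 111111111111 eni-0placeholder 192.0.2.8 10.0.1.20 50000 22 6 1 60 1700000000 1700000060 REJECT OK
"""


def parse_flow_log(text):
    """Turn default-format flow log lines into dicts with numeric fields converted."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FLOW_FIELDS):
            continue                      # header, blank or custom-format line
        rec = dict(zip(FLOW_FIELDS, parts))
        if rec["log_status"] != "OK":
            continue                      # NODATA / SKIPDATA carry no traffic fields
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejected_ports_by_source(records, min_distinct_ports=3):
    """Sources whose rejected connections touched at least N distinct destination ports.

    A single rejected packet is noise; one source being refused on many
    different ports in one capture window is worth a look."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_distinct_ports}


def accepted_bytes_by_peer(records, local_cidr="10.0.0.0/16"):
    """Sum ACCEPTed bytes per address outside local_cidr, regardless of direction."""
    local = ipaddress.ip_network(local_cidr)
    totals = defaultdict(int)
    for r in records:
        if r["action"] != "ACCEPT":
            continue
        for addr in (r["srcaddr"], r["dstaddr"]):
            if ipaddress.ip_address(addr) not in local:
                totals[addr] += r["bytes"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print("records parsed:", len(recs))
    print("multi-port rejects:", rejected_ports_by_source(recs))
    print("accepted bytes by external peer:", accepted_bytes_by_peer(recs))
```

The `local_cidr` default is the sample VPC's range and is an assumption of the example; pass the real VPC CIDR (or a list of them) when running this over logs from your own account. Flow logs published to S3 or CloudWatch Logs in a custom format would need `FLOW_FIELDS` adjusted to match.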

Remember that you can enable cross-Region snapshots for a Redshift cluster.

AWS Storage Gateway stored volumes vs. cached volumes: in cached mode, your primary data is written to S3 while your frequently accessed data is retained locally in a cache for low-latency access. In stored mode, your primary data is stored locally and your entire dataset is available for low-latency access, while being asynchronously backed up to AWS.

Access to S3 can be restricted to Amazon CloudFront only by using a CloudFront Origin Access Identity (OAI).
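What "restricted to CloudFront" means in practice is that the bucket policy grants object reads to the OAI principal and to nobody else. The audit below is an added example, not code from the original notes or from AWS; it classifies every Allow statement in a bucket policy that grants `s3:GetObject` as OAI-scoped, public, or something else that needs a human look. The two sample policies are constructed, and the OAI ID inside the principal ARN is a placeholder:

```python
# Principal ARN prefix used for a CloudFront Origin Access Identity; the ID
# that follows it in the sample policy is a placeholder, not a real OAI.
OAI_ARN_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "

# Constructed policy: only the OAI may read objects.
RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudFrontOAIRead",
        "Effect": "Allow",
        "Principal": {"AWS": OAI_ARN_PREFIX + "EXAMPLEOAIID"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

# Constructed policy: anyone on the Internet may read objects.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

READ_ACTIONS = {"s3:GetObject", "s3:*", "*"}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principals(statement):
    """Flatten the Principal element into a list of principal strings."""
    p = statement.get("Principal")
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        out = []
        for value in p.values():        # "AWS", "CanonicalUser", "Service", ...
            out.extend(_as_list(value))
        return out
    return []


def audit_bucket_policy(policy):
    """Classify each Allow statement that grants object reads.

    'public' = wildcard principal with no Condition,
    'oai'    = CloudFront OAI principal,
    'other'  = anything else (other accounts, conditional wildcards), to be reviewed."""
    result = {"oai": [], "public": [], "other": []}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in READ_ACTIONS for a in _as_list(stmt.get("Action", []))):
            continue
        for pr in principals(stmt):
            if pr == "*" and "Condition" not in stmt:
                result["public"].append(stmt.get("Sid"))
            elif pr.startswith(OAI_ARN_PREFIX):
                result["oai"].append(stmt.get("Sid"))
            else:
                result["other"].append(stmt.get("Sid"))
    return result


def restricted_to_cloudfront(policy):
    """True only when reads are granted to an OAI and to no other principal."""
    r = audit_bucket_policy(policy)
    return bool(r["oai"]) and not r["public"] and not r["other"]


if __name__ == "__main__":
    for name, pol in (("restricted", RESTRICTED_POLICY), ("public", PUBLIC_POLICY)):
        print(name, audit_bucket_policy(pol), "cloudfront-only:", restricted_to_cloudfront(pol))
```

A wildcard principal with a `Condition` (for example a source-IP or `aws:SourceVpce` condition) is deliberately filed under `other` rather than `public`, because whether it is acceptable depends on the condition, which a string check cannot judge.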

What is a VPC endpoint?
A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network. There are two types of VPC endpoints: interface endpoints and gateway endpoints. You have to create the type of VPC endpoint required by the supported service.

An interface endpoint is an elastic network interface with a private IP address that serves as an entry point for traffic destined to a supported service. A gateway endpoint is a gateway that is a target for a specified route in your route table, used for traffic destined to a supported AWS service. It is important to note that for Amazon S3 and DynamoDB you create a gateway endpoint, whereas other supported services use an interface endpoint.

Classic Load Balancer - Legacy load balancer. Provides HTTP, HTTPS or TCP listeners to a single backend port across different instances.
Network Load Balancer - A TCP-only load balancer that does some NAT magic at the VPC level. It uses EIPs, so it has a static endpoint, unlike ALBs and CLBs (by default; contact support if this is a requirement for your CLB or ALB). Each target can be on a different port.
Application Load Balancer - Full-featured L7 load balancer with HTTP and HTTPS listeners only. Provides the ability to route HTTP and HTTPS traffic based on rules, host-based or path-based. Like an NLB, each target can be on a different port. It even supports HTTP/2. Configurable range of health check status codes (CLB only supports 200 OK for HTTP health checks).

Cross-zone Load Balancing
With cross-zone load balancing enabled, your load balancer nodes distribute incoming requests evenly across the Availability Zones enabled for your load balancer. Otherwise, each load balancer node distributes requests only to instances in its Availability Zone. For example, if you have 10 instances in Availability Zone us-west-2a and 2 instances in us-west-2b, the requests are distributed evenly across all 12 instances if cross-zone load balancing is enabled. Otherwise, the 2 instances in us-west-2b serve the same number of requests as the 10 instances in us-west-2a.

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them privately. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, with a VPC in another AWS account, or with a VPC in a different AWS Region.

Amazon RDS
Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups, freeing you up to focus on your applications and business. Amazon RDS provides six familiar database engines to choose from: Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle, and Microsoft SQL Server.

Amazon Aurora
Amazon Aurora is a relational database engine. It is designed to deliver the speed and reliability of high-end commercial databases in a simple and cost-effective manner. Aurora is designed to be compatible with MySQL 5.6 and delivers five times the throughput of standard MySQL running on the same hardware. DBAs save time on planning backup storage, as data is continuously backed up to S3 in real time with no performance impact on the end user; this eliminates the need for backup windows and automated backup scripts. Aurora replicates data to six storage nodes across multiple Availability Zones so that it can withstand the loss of an entire AZ or of two storage nodes without any availability impact on the client’s applications.

NAT gateways and NAT instances are only applicable to IPv4, not IPv6. Even though these two components can enable an EC2 instance in a private subnet to communicate with the Internet while preventing inbound traffic, they only work for instances that use an IPv4 address, not IPv6. For IPv6 the most suitable VPC component is an egress-only Internet gateway. Internet gateways are primarily used to provide Internet access to instances in the public subnets of your VPC, not to private subnets, and with an Internet gateway, traffic originating from the public Internet will also be able to reach your instances. To prevent inbound access in such cases, use an egress-only Internet gateway.
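The public/private subnet definitions above, the two-step "why can't my instance reach the Internet" check, and the IPv4/IPv6 split between NAT and egress-only gateways all come down to reading a route table's default routes. The classifier below is an added example, not from the original notes or from AWS tooling; it works over constructed route tables and subnets (all IDs are made up) in the shape the notes describe: a subnet with no explicit association falls back to the main route table, a `0.0.0.0/0` route to `igw-` makes a subnet public, a route to `nat-` or no default route at all makes it private, and a `::/0` route to `eigw-` gives IPv6 egress without inbound reachability. It also reproduces the edge case the notes call out: an instance in a private subnet is not reachable from the Internet even with a public or Elastic IP attached.

```python
# Constructed route tables and subnets (IDs are placeholders, not real resources).
ROUTE_TABLES = {
    "rtb-main": {                      # the VPC's main route table: local route only
        "routes": [{"dest": "10.0.0.0/16", "target": "local"}],
    },
    "rtb-public": {
        "routes": [{"dest": "10.0.0.0/16", "target": "local"},
                   {"dest": "0.0.0.0/0",   "target": "igw-0placeholder"}],
    },
    "rtb-private": {
        "routes": [{"dest": "10.0.0.0/16", "target": "local"},
                   {"dest": "0.0.0.0/0",   "target": "nat-0placeholder"},
                   {"dest": "::/0",        "target": "eigw-0placeholder"}],
    },
}

# subnet -> explicitly associated route table, or None for "uses the main table"
SUBNETS = {
    "subnet-web": "rtb-public",
    "subnet-app": "rtb-private",
    "subnet-new": None,
}


def default_route_target(route_table, family="ipv4"):
    """Target of the 0.0.0.0/0 (or ::/0) route, or None when there is none."""
    dest = "0.0.0.0/0" if family == "ipv4" else "::/0"
    for route in route_table["routes"]:
        if route["dest"] == dest:
            return route["target"]
    return None


def classify_subnet(subnet_id, subnets=SUBNETS, route_tables=ROUTE_TABLES):
    """Apply the notes' definitions: IGW default route = public, NAT or no route = private."""
    rtb_id = subnets[subnet_id] or "rtb-main"     # unassociated subnets use the main table
    table = route_tables[rtb_id]
    v4 = default_route_target(table, "ipv4")
    v6 = default_route_target(table, "ipv6")
    if v4 is not None and v4.startswith("igw-"):
        kind = "public"
    elif v4 is None or v4.startswith("nat-"):
        kind = "private"
    else:
        kind = "unknown"                            # e.g. a default route to a firewall ENI
    return {
        "route_table": rtb_id,
        "kind": kind,
        "ipv4_egress": v4 is not None,
        "ipv6_egress": v6 is not None,
        # eigw- allows outbound IPv6 only; an igw- on ::/0 would also admit inbound
        "ipv6_inbound_blocked": v6 is None or v6.startswith("eigw-"),
    }


def instance_connectivity(subnet_id, has_public_ip,
                          subnets=SUBNETS, route_tables=ROUTE_TABLES):
    """Outbound / inbound IPv4 Internet reachability for an instance, with the reason."""
    info = classify_subnet(subnet_id, subnets, route_tables)
    if info["kind"] == "public":
        if has_public_ip:
            return {"outbound": True, "inbound": True,
                    "reason": "IGW default route and a public/Elastic IP"}
        return {"outbound": False, "inbound": False,
                "reason": "IGW default route but no public/Elastic IP"}
    if info["ipv4_egress"]:
        return {"outbound": True, "inbound": False,
                "reason": "NAT default route: outbound only, a public IP changes nothing"}
    return {"outbound": False, "inbound": False,
            "reason": info["route_table"] + " has no 0.0.0.0/0 route"}


if __name__ == "__main__":
    for sn in SUBNETS:
        print(sn, classify_subnet(sn))
    print("web, public IP:", instance_connectivity("subnet-web", True))
    print("web, no public IP:", instance_connectivity("subnet-web", False))
    print("app, public IP:", instance_connectivity("subnet-app", True))
    print("new, public IP:", instance_connectivity("subnet-new", True))
```

Security groups and network ACLs are deliberately left out: they can still block traffic that the routing layer would allow, so this check answers only the routing half of the question.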

Enhanced Monitoring is a feature of RDS and not of CloudWatch.

Amazon Route 53 currently supports the following DNS record types:

-A (address record)
-AAAA (IPv6 address record)
-CNAME (canonical name record)
-CAA (certification authority authorization)
-MX (mail exchange record)
-NAPTR (name authority pointer record)
-NS (name server record)
-PTR (pointer record)
-SOA (start of authority record)
-SPF (sender policy framework)
-SRV (service locator)
-TXT (text record)

You are limited to running up to a total of 20 On-Demand instances across the instance family, purchasing 20 Reserved Instances and requesting Spot Instances per your dynamic Spot limit per region. If you wish to run more than 20 instances, complete the Amazon EC2 instance request form.

Amazon S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long distances between your client and your Amazon S3 bucket. Transfer Acceleration leverages Amazon CloudFront’s globally distributed AWS Edge Locations. As data arrives at an AWS Edge Location, data is routed to your Amazon S3 bucket over an optimized network path.

AWS Step Functions provides serverless orchestration for modern applications. Orchestration centrally manages a workflow by breaking it into multiple steps, adding flow logic, and tracking the inputs and outputs between the steps. As your applications execute, Step Functions maintains application state, tracking exactly which workflow step your application is in, and stores an event log of data that is passed between application components. That means that if networks fail or components hang, your application can pick up right where it left off.

Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL expressions. Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries you run. Athena is easy to use. Simply point to your data in Amazon S3, define the schema, and start querying using standard SQL expressions. Most results are delivered within seconds. With Athena, there’s no need for complex ETL jobs to prepare your data for analysis. This makes it easy for anyone with SQL skills to quickly analyze large-scale datasets.

DynamoDB supports auto scaling and it uses the AWS Application Auto Scaling service to dynamically adjust provisioned throughput capacity on your behalf, in response to actual traffic patterns. This enables a table or a global secondary index to increase its provisioned read and write capacity to handle sudden increases in traffic, without throttling. When the workload decreases, Application Auto Scaling decreases the throughput so that you don't pay for unused provisioned capacity.

Although S3 is also highly available and highly scalable, it still does not provide the lowest-latency access to data, unlike EBS. Remember that S3 does not reside within your VPC by default, which means the data will traverse the public Internet, which may result in higher latency. You can set up a VPC endpoint for S3, yet its latency is still greater than that of EBS.

Amazon SWF helps developers build, run, and scale background jobs that have parallel or sequential steps. You can think of Amazon SWF as a fully-managed state tracker and task coordinator in the Cloud. If your app's steps take more than 500 milliseconds to complete, you need to track the state of processing, and you need to recover or retry if a task fails. By default, each workflow execution can run for a maximum of 1 year in Amazon SWF.

AWS Certificate Manager lets you import third-party certificates from the ACM console, as well as programmatically. If ACM is not available in your region, use the AWS CLI to upload your third-party certificate to the IAM certificate store.

Failover is automatically handled by Amazon Aurora so that your applications can resume database operations as quickly as possible without manual administrative intervention.

If you have an Amazon Aurora Replica in the same or a different Availability Zone, when failing over, Amazon Aurora flips the canonical name record (CNAME) for your DB Instance to point at the healthy replica, which in turn is promoted to become the new primary. Start-to-finish, failover typically completes within 30 seconds.

If you do not have an Amazon Aurora Replica (i.e. a single instance), Aurora will first attempt to create a new DB Instance in the same Availability Zone as the original instance. If unable to do so, Aurora will attempt to create a new DB Instance in a different Availability Zone. From start to finish, failover typically completes in under 15 minutes. Note that the CNAME flip described above only happens if you are using an Amazon Aurora Replica, and that Aurora flips the canonical name record (CNAME), not the A record (IP address) of the instance.

A pre-built AMI is not accessible from another region; hence you have to copy it from one region to another to properly establish your disaster recovery instance. A pre-built AMI belongs to one specific region only.

When you use Amazon Redshift Enhanced VPC Routing, Amazon Redshift forces all COPY and UNLOAD traffic between your cluster and your data repositories through your Amazon VPC. By using Enhanced VPC Routing, you can use standard VPC features, such as VPC security groups, network access control lists (ACLs), VPC endpoints, VPC endpoint policies, internet gateways, and Domain Name System (DNS) servers.

Amazon ECS enables you to inject sensitive data into your containers by storing your sensitive data in either AWS Secrets Manager secrets or AWS Systems Manager Parameter Store parameters and then referencing them in your container definition. This feature is supported by tasks using both the EC2 and Fargate launch types.

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure.

CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, API calls, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting.
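The "security analysis" that CloudTrail's event history supports is mostly a matter of asking a few standing questions of every record. The script below is an added example, not from the original notes or from AWS; it loads records in the documented CloudTrail JSON shape (`Records` array with `eventName`, `eventSource`, `userIdentity`, `errorCode`, and for console logins `additionalEventData.MFAUsed`) and flags root-account activity, console logins without MFA, calls that change CloudTrail logging itself, and identities accumulating access-denied errors. The sample records are constructed; account IDs, user names and addresses are placeholders:

```python
import json
from collections import Counter

# CloudTrail API names that stop or alter trail logging; worth an alert on their own.
TRAIL_LOGGING_CHANGES = {"StopLogging", "DeleteTrail", "UpdateTrail"}
# Error codes CloudTrail records for authorization failures.
DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}

# Constructed records (placeholder account, users and documentation-range IPs).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "sourceIPAddress": "203.0.113.5",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-01T08:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111111111111:user/alice"},
     "sourceIPAddress": "203.0.113.5"},
] + [
    {"eventTime": f"2024-01-01T09:0{i}:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111111111111:user/bob"},
     "sourceIPAddress": "198.51.100.9", "errorCode": "AccessDenied"}
    for i in range(4)
] + [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "carol",
                      "arn": "arn:aws:iam::111111111111:user/carol"},
     "sourceIPAddress": "198.51.100.10"},
]})


def load_events(text):
    """Parse a CloudTrail log file body into its list of records."""
    return json.loads(text)["Records"]


def identity_name(event):
    """Best human-readable name for the caller: userName, else ARN."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or "unknown"


def findings(events):
    """Return (finding, eventName, identity) tuples for the standing checks."""
    out = []
    for e in events:
        who = identity_name(e)
        name = e.get("eventName")
        if e.get("userIdentity", {}).get("type") == "Root":
            out.append(("root-activity", name, who))
        if name == "ConsoleLogin" and e.get("additionalEventData", {}).get("MFAUsed") == "No":
            out.append(("console-login-without-mfa", name, who))
        if name in TRAIL_LOGGING_CHANGES:
            out.append(("cloudtrail-logging-change", name, who))
    return out


def denied_calls_by_identity(events, threshold=3):
    """Identities with at least `threshold` authorization failures in this batch."""
    counts = Counter(identity_name(e) for e in events if e.get("errorCode") in DENIED_CODES)
    return {who: n for who, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = load_events(SAMPLE_TRAIL)
    for f in findings(events):
        print("FINDING", f)
    print("repeated access denied:", denied_calls_by_identity(events))
```

The access-denied threshold is an assumption of the example; in real use it is tuned per environment, and a burst of denials from one principal is a prompt to check what that principal was trying to reach, not proof of anything by itself.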

AWS X-Ray helps you debug and analyze your microservices applications with request tracing so you can find the root cause of issues and performance problems.

Oracle RMAN and RAC are not supported in RDS.

Instance Metadata: http://169.254.169.254/latest/meta-data/

Classic Load Balancer does not support Server Name Indication (SNI). You have to use an Application Load Balancer instead or a CloudFront web distribution to allow the SNI feature.

An alias record is a Route 53 extension to DNS. It's similar to a CNAME record, but you can create an alias record both for the root domain, such as tutorialsdojo.com, and for subdomains, such as portal.tutorialsdojo.com. (You can create CNAME records only for subdomains.) To enable IPv6 resolution, you would need to create a second resource record, tutorialsdojo.com ALIAS AAAA -> myelb.us-west-2.elb.amazonaws.com; this assumes your Elastic Load Balancer has IPv6 support.

You can use Amazon Data Lifecycle Manager (Amazon DLM) to automate the creation, retention, and deletion of snapshots taken to back up your Amazon EBS volumes.

If you got SSL/TLS certificates from a third-party CA, import the certificate into AWS Certificate Manager or upload it to the IAM certificate store.
