Essential AWS Solutions Architect SAA-C03 Cheat Sheet: IAM, EC2, EBS, EFS, ALB, and ASG for Scalability & High Availability

Chanuka Dinuwan


This cheat sheet was created from Stephane Maarek's AWS Certified Solutions Architect Associate Udemy course. You can use it while preparing for the SAA-C03 exam. If you don't know some of the terms, or anything is unclear, Google it and read up on it; it will help you in the exam.

AWS Global Infrastructure

  • AWS Regions — clusters of data centres located all around the world; most AWS services are region-scoped.
  • Choosing an AWS Region — compliance, proximity to customers, available services, pricing.
  • AWS Availability Zones — each Region has several AZs (min 3, max 6). Each AZ is one or more discrete data centres with redundant power, networking and connectivity, isolated from disasters and connected to each other with high-bandwidth links.
  • AWS Edge Locations / Points of Presence — 400+ edge locations; content is delivered to end users with lower latency.

Global Scoped Services

  • IAM
  • DNS
  • CloudFront
  • WAF

Region Scoped Services

  • EC2
  • Beanstalk
  • Lambda
  • Rekognition

To verify that a Region offers a particular service, check the AWS Regional Services table.

Identity and Access Management (IAM)

IAM Policies

IAM Policies Inheritance

CSPs → define access requirements, supporting the principle of least privilege.

IAM Access Analyzer helps you review and analyse the policies applied for supported resources in your zone of trust.

Policies structure

Policies can be attached directly to a user or to a user group. A user's effective permissions come from both the policies attached to the user and the policies attached to the groups the user belongs to.
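As an added example (not from the course or the article), a small Python model of policy inheritance and evaluation order: policies attached directly to the user and to each of the user's groups are combined, an explicit Deny always wins, an Allow is otherwise required, and everything else is implicitly denied. The policies, group names and ARNs are constructed; the document shape follows the real IAM policy structure.

```python
from fnmatch import fnmatchcase

# Constructed sample policies in the IAM policy document shape
# (Version / Statement / Effect / Action / Resource).
USER_POLICIES = [  # attached directly to the user
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::app-logs/*"}]},
]
GROUP_POLICIES = {  # attached to user groups
    "developers": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"}]}],
    "all-staff": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _statement_matches(stmt, action, resource):
    # IAM action names match case-insensitively; '*' and '?' are wildcards.
    acts = [a.lower() for a in _as_list(stmt.get("Action", []))]
    res = _as_list(stmt.get("Resource", []))
    return (any(fnmatchcase(action.lower(), a) for a in acts)
            and any(fnmatchcase(resource, r) for r in res))

def effective_policies(user_policies, group_policies, groups):
    """Inheritance: a user gets its own policies plus those of every group it is in."""
    policies = list(user_policies)
    for group in groups:
        policies.extend(group_policies.get(group, []))
    return policies

def is_allowed(policies, action, resource):
    """Evaluation: an explicit Deny wins, then an Allow is required, else implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_matches(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return False  # explicit deny overrides any Allow
                allowed = True
    return allowed

if __name__ == "__main__":
    pols = effective_policies(USER_POLICIES, GROUP_POLICIES, ["developers", "all-staff"])
    for action, res in [("s3:GetObject", "arn:aws:s3:::app-logs/2024/app.log"),
                        ("s3:DeleteObject", "arn:aws:s3:::app-logs/2024/app.log"),
                        ("iam:CreateUser", "*")]:
        print(f"{action:16} -> {'ALLOW' if is_allowed(pols, action, res) else 'DENY'}")
```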

IAM Password Policies

  • Enforce strong passwords
  • Minimum password length
  • Require lowercase letters
  • Require numbers
  • Prevent password reuse

MFA

Something you know (a password) + something you own (a security device).
Access keys (access key ID + secret access key) are used to configure the AWS CLI.
Ways to do MFA authentication:

  • Virtual MFA device
  • U2F — Universal 2nd Factor security key
  • Hardware key fob MFA device
  • Hardware key fob MFA device for AWS GovCloud

IAM roles for Services

Some AWS services need to perform actions on your behalf.
To do so, we assign permissions to AWS services with IAM Roles.

Common roles:

  • EC2 Instance Roles
  • Lambda Function Roles

ex: IAMReadOnlyAccess

IAM Security Tools

IAM Credential Report — account level; lists users and the status of their various credentials.
IAM Access Advisor — user level; shows the permissions granted to a given user.
IAM users correspond to physical users.

EC2

  • Instance types
  • We can set the interruption behaviour when we create an EC2 instance.
  • Under advanced details, we can find spot instance allocation details.
  • Bootstrap our instance using an EC2 User Data script.
  • Bootstrapping means launching commands when a machine starts.
  • The script only runs once, at the instance's first start.

ex: installing updates, installing software, and downloading common files

Instance Types

  • General purpose → web servers, code repositories
  • Memory-optimized → compute-intensive tasks, batch processing, media transcoding, high-performance web servers, high-performance computing, scientific modelling and machine learning, dedicated gaming servers
  • Accelerated Computing → large datasets in memory, high-performance relational and non-relational databases, distributed web-scale cache stores, in-memory databases optimised for BI, applications performing real-time processing of big unstructured data
  • Storage Optimized → storage-intensive tasks, OLTP, non-relational / NoSQL databases, in-memory caches, distributed file systems
  • Instance Features
  • Measuring Instance Performance

m5.2xlarge — m: instance class, 5: generation, 2xlarge: size within the instance class

EC2 Spot Instances

Can get a discount of up to 90% compared to On-Demand.

Define a max spot price; you keep the instance while the current spot price < your max. If the spot price rises above your max, there is a 2-minute grace period before the instance is terminated.

Spot Block

  • Reserve spot instances for a specified time frame (1 to 6 hours) without interruptions.
  • In rare situations, the instance may still be reclaimed.
  • Used for batch jobs, data analysis, or workloads that are resilient to failures.

Security Groups

  • Only contain allow rules.
  • The fundamental building block of network security in AWS.
  • Control how traffic is allowed into or out of our EC2 instances (inbound and outbound traffic).
  • Security group rules can reference an IP range or another security group.
  • One security group can be attached to multiple instances.
  • Locked down to a region/VPC combination.

Ports:

22 = SSH
21 = FTP
22 = SFTP (SFTP runs over SSH)
80 = HTTP
443 = HTTPS
3389 = RDP

If you are encountering a connection timeout, it is a security group issue.

Ways to connect to an instance:

SSH, PuTTY, EC2 Instance Connect

EC2 Purchasing Options

  • On-Demand Instances — short workloads, predictable pricing, pay by the second
  • Reserved Instances (1 & 3 years) — long workloads, up to 72% discount
  • Convertible Reserved Instances — long workloads with flexible instances; can change the instance type, family, scope and tenancy; up to 66% discount
  • Savings Plans (1 & 3 years) — commit to an amount of usage (e.g. $10/hour); usage beyond the commitment is billed at the On-Demand price; long workloads, up to 72% discount
  • Spot Instances — short workloads, cheap, can lose instances, up to 90% discount, distributed workloads

You define a max spot price; if the spot price rises above it, you get a 2-minute grace period.
Spot Block — a specified time period.
Spot Fleets = a set of Spot Instances + On-Demand Instances.
Spot Fleets allow us to automatically request Spot Instances with the lowest price.

Strategies to allocate Spot Instances:

lowestPrice
diversified
capacityOptimized
priceCapacityOptimized

  • Dedicated Hosts — book an entire physical server, control instance placement, and compliance requirements.
  • Dedicated Instances — no other customers will share your hardware
  • Capacity Reservation — reserve capacity in a specific AZ for any duration, short-term uninterrupted workloads

EC2 for Solutions Architects

  • Public IP: the machine can be identified on the internet; unique across the whole web.
  • Private IP: the machine can only be identified within a private network.
  • Elastic IP: a fixed public IPv4 address for an EC2 instance, which you own as long as you don't release it.
  • An Elastic IP can be attached to only one instance at a time.
  • Only 5 Elastic IPs per account.
  • It's better to use a DNS name than an Elastic IP.

Placement Groups

EC2 instance placement strategies:

cluster — all instances in a single availability zone

spread — spreads instances across underlying hardware (max 7 instances per group per AZ)

partition — spreads instances across many different partitions (different racks) within an AZ (Hadoop, Cassandra)

EC2 Hibernate

Stop: the data on disk (EBS) is kept intact for the next start.
Terminate: any EBS volume (root) set up to be destroyed is lost.
Hibernate: the in-memory (RAM) state is preserved; it is written to a file on the root EBS volume (which must be encrypted).
RAM must be less than 150 GB.
An instance cannot be hibernated for more than 60 days.

use cases:

  • Long-running processing
  • Saving the RAM state
  • Services that take time to initialise

ENI (Elastic Network Interface):

A logical component in a VPC that represents a virtual network card.
Has a primary private IPv4 and one or more secondary IPv4s.
One Elastic IP per private IPv4.
Bound to an AZ.
Helpful for failover.

EBS and EFS(EC2 Instance Storage)

Elastic Block Storage(EBS)

A network drive (think of it as a network USB stick).
Allows data to persist, even after the instance's termination.
Can only be mounted to one instance at a time.
Bound to a specific availability zone.
Snapshots can be used to move a volume.

The Delete on Termination attribute is enabled by default for the root volume created with an EC2 instance; disable it to preserve the root volume.

EBS Snapshots

Make a backup (snapshot) of your EBS volume at a point in time.
It is not necessary to detach the volume to take a snapshot, but it is recommended.
Snapshots can be copied across AZs or Regions.

Features:

  • EBS Snapshot Archive — move a snapshot to an archive tier, which is cheaper.
  • Recycle Bin for EBS snapshots.
  • Fast Snapshot Restore.

AMI

  • AMI — Amazon Machine Image
  • An AMI is a customisation of an EC2 instance.
  • AMIs are built for a specific region (and can be copied across regions).
  • You can launch EC2 instances from a public AMI, your own AMI, or an AWS Marketplace AMI.
  • Building an AMI also creates EBS snapshots.
  • Monitoring AMI creation: detect CreateImage API calls and use an SNS topic to send an alert when one is detected.

EC2 instance store

  • For a high-performance hardware disk with better I/O performance, use the EC2 Instance Store.
  • EC2 Instance Stores lose their storage if the instance is stopped.
  • Good for cache, scratch data, temporary content.
  • Risk of data loss if the hardware fails.

EBS Volume Types

  • gp2 / gp3 — can be used as boot volumes; cost-effective, low latency; virtual desktops
  • io1 / io2 — can be used as boot volumes; sustained IOPS performance; great for database workloads needing over 32,000 IOPS
  • st1
  • sc1

Volumes are characterised by size, throughput and IOPS.

EBS Multi Attach

Attach the same EBS volume to multiple EC2 instances in the same AZ.
Each instance has full read and write permissions to the high-performance volume.
Same AZ only.
Up to 16 EC2 instances at a time.
Must use a cluster-aware file system.

Use cases:

  • Achieve higher application availability in clustered Linux applications.
  • Applications must manage concurrent write operations.

EBS Encryption

Uses KMS keys.
Encryption and decryption are handled transparently (you have nothing to do).
To encrypt an unencrypted EBS volume:

  • Create an EBS snapshot of the volume.
  • Encrypt the EBS snapshot (using copy).
  • Create a new EBS volume from the snapshot (the volume will also be encrypted).
  • Now you can attach the encrypted volume to the original instance.
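As an added example, not from the article or the course: the four-step procedure above as a Python function driven by a boto3 EC2 client (the method names and keyword arguments are boto3's real ones). The `FakeEc2` stand-in, the volume and instance IDs and the KMS key alias are constructed so the flow runs offline; pass `boto3.client("ec2")` instead of the fake for a real volume.

```python
class FakeEc2:
    """Constructed stand-in for boto3.client("ec2"): records every call and hands
    back fake IDs, so the procedure can be exercised without an AWS account."""
    def __init__(self, az="ap-south-1a"):
        self.calls, self.az, self.counter = [], az, 0

    def _new_id(self, prefix):
        self.counter += 1
        return f"{prefix}-{self.counter:017x}"

    def __getattr__(self, name):  # any EC2 API method, and waiter.wait()
        def call(*args, **kwargs):
            self.calls.append((name, kwargs))
            if name == "describe_volumes":
                return {"Volumes": [{"AvailabilityZone": self.az}]}
            if name in ("create_snapshot", "copy_snapshot"):
                return {"SnapshotId": self._new_id("snap")}
            if name == "create_volume":
                return {"VolumeId": self._new_id("vol")}
            return self if name == "get_waiter" else {}
        return call


def encrypt_unencrypted_volume(ec2, volume_id, instance_id, device, kms_key_id, region):
    """Snapshot -> encrypted copy -> new volume -> attach to the original instance."""
    # The new volume must be created in the volume's own AZ (EBS is AZ-bound).
    az = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]["AvailabilityZone"]
    # 1. Snapshot the unencrypted volume.
    snap = ec2.create_snapshot(VolumeId=volume_id, Description="pre-encryption")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap])
    # 2. Encrypt the snapshot by copying it with Encrypted=True under the KMS key.
    enc = ec2.copy_snapshot(SourceSnapshotId=snap, SourceRegion=region,
                            Encrypted=True, KmsKeyId=kms_key_id)["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc])
    # 3. A volume restored from an encrypted snapshot is itself encrypted.
    new_vol = ec2.create_volume(SnapshotId=enc, AvailabilityZone=az,
                                Encrypted=True, KmsKeyId=kms_key_id)["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_vol])
    # 4. Free the device name, then attach the encrypted volume to the original instance.
    ec2.detach_volume(VolumeId=volume_id, InstanceId=instance_id)
    ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])
    ec2.attach_volume(VolumeId=new_vol, InstanceId=instance_id, Device=device)
    return new_vol


if __name__ == "__main__":
    fake = FakeEc2()
    print(encrypt_unencrypted_volume(fake, "vol-0constructed", "i-0constructed",
                                     "/dev/sdf", "alias/ebs-demo-key", "ap-south-1"))
    for name, kwargs in fake.calls:
        print(name, kwargs)
```

For a root volume the instance has to be stopped before step 4; the function above assumes a data volume.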

Elastic File System(EFS)

Managed NFS that can be mounted on many EC2 instances.
EFS works with EC2 instances across multiple AZs.
Use cases: content management, web serving, data sharing, WordPress.
Compatible with Linux-based AMIs.
Uses a security group to control access to EFS.
The file system scales automatically.
Performance Mode (set at EFS creation time):

  • General Purpose
  • Max IO

Throughput Mode

  • Bursting
  • Provisioned
  • Elastic

Storage Tiers (lifecycle management feature)

  • Standard
  • Infrequent access

Availability and Durability

  • Standard
  • One zone

EBS vs EFS

EBS:

  • Attached to one instance (except with Multi-Attach)
  • Locked at the AZ level
  • To migrate an EBS volume across AZs: take a snapshot.
  • The root EBS volume is deleted by default if the EC2 instance is terminated.

EFS:

  • Can be mounted on hundreds of instances across AZs
  • Use EFS to share website files
  • Only for Linux instances

EFS has a higher price point than EBS.

Can leverage EFS-IA for cost savings.

ALB & ASG(Scalability & High Availability)

Scalability means that an application/system can handle greater loads by adapting.

  • Vertical scalability: increase the size of the instance.
  • Horizontal scalability: increase the number of instances (implies distributed systems).

Scalability is linked to, but different from, high availability.

High availability:

  • Run the application in at least 2 data centres (AZs)
  • To avoid data loss
  • Auto Scaling Group in multi-AZ mode
  • Load balancer in multi-AZ mode

Elastic Load Balancer

Load balancers are servers that forward traffic to multiple servers downstream.
ELB is a managed load balancer.
Integrations: EC2, Auto Scaling Groups, Amazon ECS, ACM, CloudWatch, Route 53, AWS WAF, AWS Global Accelerator.
Health checks verify that the EC2 instances are working.

Importance of ELB

  • Spread load across multiple downstream instances.
  • Expose a single point of access (DNS) to your instances.
  • Do regular health checks on your instances
  • Provide SSL termination (HTTPS) for your websites.
  • Enforce stickiness
  • High availability across zones
  • Separate public traffic from private traffic

Types of load balancer on AWS

Some load balancers can be set up as internal(private) or external(public) ELBs.

Load balancer security groups:

Classic Load Balancer

Application Load Balancer

  • The Application Load Balancer operates at layer 7 (HTTP).
  • Load balancing to multiple HTTP applications across machines (target groups).
  • Load balancing to multiple applications on the same machine.
  • Supports redirects.
  • Routes to different target groups.
  • ALBs are a great fit for microservices.
  • Has a port mapping feature.

Target groups: an ALB can route to multiple target groups; health checks are done at the target group level.

Targets: EC2 instances, ECS tasks, Lambda functions, IP addresses

  • Fixed hostname
  • Application servers don't see the IP of the client directly.

Network Load Balancer

  • Network Load Balancer (Layer 4) — TCP & UDP
  • NLBs are used for extreme performance, or for TCP or UDP traffic.
  • Handles millions of requests per second.
  • NLB has one static IP per AZ, so we can allow a fixed set of static IPs to access our application.

Target groups: EC2 instances, IP addresses, Application Load Balancer. Health checks support the TCP, HTTP and HTTPS protocols.

Gateway Load Balancer

  • Deploy, scale, and manage a fleet of 3rd-party network virtual appliances in AWS
    ex: firewalls, intrusion detection and prevention systems, deep packet inspection systems
  • Route tables are modified so that all traffic goes through the Gateway Load Balancer, where we can analyse it.
    Operates at Layer 3 (network layer)
  • Combines the following functions: transparent network gateway and load balancer.
  • Uses the GENEVE protocol on port 6081

Target groups: EC2 instances, IP Addresses

Sticky Sessions (Session Affinity)

It is possible to implement stickiness so that the same client is always redirected to the same instance behind a load balancer.

Works for any load balancer type.

Uses cookies for stickiness:

  • Application-based cookies
    custom cookie — generated by the target; can include any custom attributes required by the application
    application cookie — generated by the load balancer
  • Duration-based cookie — generated by the load balancer

Cross-Zone Load Balancing

Each load balancer node distributes traffic evenly across all registered instances in all AZs.

ALB — enabled by default

NLB & GWLB — disabled by default

CLB — disabled by default; no charges for inter-AZ data if enabled

SSL/TLS — Basics

  • An SSL certificate allows traffic between your clients and your load balancer to be encrypted in transit (in-flight encryption).
  • SSL refers to Secure Sockets Layer, used to encrypt connections.
  • TLS refers to Transport Layer Security, which is the newer version.
  • Nowadays, TLS certificates are mainly used, but people still refer to them as SSL.
  • Public SSL certificates are issued by Certificate Authorities (CAs).
  • ACM (AWS Certificate Manager) is used to manage certificates.
  • You can also upload your own certificates.

HTTPS listener: you must specify a default certificate; you can add an optional list of certificates to support multiple domains; clients can use SNI to specify the hostname they are reaching; older SSL/TLS versions can also be supported.

SNI

SNI solves the problem of loading multiple SSL certificates onto one server.
It requires the client to indicate the hostname of the target server.
The server will then find the correct certificate.

CLB — supports only 1 certificate

ALB, NLB — support multiple certificates, so multiple hostnames can be served

Connection Draining

Time to complete in-flight requests while the instance is de-registering or unhealthy.

Stops sending new requests to the EC2 instance that is de-registering.

Feature naming: Connection Draining, Deregistration Delay

Auto Scaling Group

  • Goal — scale out or in according to load
  • Ensure we have a minimum and a maximum number of EC2 instances running.
  • Automatically register new instances to a load balancer.
  • Recreate an EC2 instance in case a previous one is terminated.
  • ASGs are free.
  • Attributes: a Launch Template, min / max / initial capacity, scaling policies.
  • It is possible to scale an ASG based on CloudWatch alarms.
    An alarm monitors a metric; based on this, we can create scaling policies.
    Scaling cooldown — 300 seconds

Dynamic Scaling policies

  • Target Tracking Scaling — e.g. keep average CPU around 40%
  • Simple / Step Scaling — triggered by a CloudWatch alarm, e.g. CPU > 70%
  • Scheduled Actions — based on known usage patterns
  • Predictive scaling

Metrics that can be used: CPU utilisation, RequestCountPerTarget, average network in/out, or any custom metric.

This article was heavily inspired by and based on the AWS Solutions Architect — Associate (SAA-C03) course created by Stephane Maarek. His comprehensive and clear explanations were instrumental in shaping the content presented here. You can find his course materials at: https://www.udemy.com/course/aws-certified-solutions-architect-associate-saa-c03/
