AWS Solutions Architect - Associate (SAA-C03) Notes - Part 1
Table of contents
- Performance to EFS
- AWS Secrets Manager
- Hibernate
- Kinesis Data Firehose
- Reserved vs Spot Instances
- Aurora Multi-Master Cluster
- AWS Storage Gateway
- Amazon CloudWatch
- Aurora & RDS
- AWS Config and ACM
- AWS Lambda
- Amazon S3
- S3 Encryption
- VPC Endpoint
- Amazon Cognito
- Spot Fleet
- Dedicated Instances vs Dedicated Hosts
- VPC Peering Connection
- Transit Gateway
- Direct Connect
- VPC Sharing
- Amazon Security Groups
- Connection Draining
- Amazon SQS
- Amazon SNS
- AWS VPN CloudHub
- Amazon CloudFront
- AWS WAF
- AWS Database Migration Service
- Route 53 Records
- Use VPC Endpoint to Access Amazon SQS
- Elastic Fabric Adapter (EFA)
- Amazon CloudWatch Alarm
- Spot Instances
- ElastiCache
- File Storage and Windows File Server Clusters
- Provisioned IOPS SSD (io1)
- Elastic Load Balancer
- AWS Direct Connect
- AWS Security Hub
Performance to EFS
Max I/O performance mode is used to scale to higher levels of aggregate throughput and operations per second.
General Purpose performance mode: Suitable for most applications and workloads that don't require the high throughput and IOPS that Max I/O offers.
Bursting Throughput: Ideal for workloads with occasional high throughput requirements, leveraging burst credits for better performance.
AWS Secrets Manager
Helps protect secrets needed to access applications, services, and IT resources.
Rotation: Enables easy rotation, management, and retrieval of database credentials, API keys, and other secrets throughout their lifecycle.
Integration: Works seamlessly with other AWS services, such as Amazon RDS and Amazon Redshift, for managing database credentials.
Hibernate
To minimize the application bootstrap time whenever the system needs to be stopped and then started at a later point in time.
Instance State: The Amazon EBS root volume is restored to its previous state, RAM contents are reloaded, and processes are resumed.
Data Volumes: Previously attached data volumes are reattached, and the instance retains its instance ID.
Kinesis Data Firehose
The easiest way to reliably load streaming data into data lakes, data stores, and analytics tools.
Capture and Transform: Can capture, transform, and load streaming data into Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, and Splunk.
Real-time Analytics: Enables near real-time analytics with existing business intelligence tools and dashboards.
Reserved vs Spot Instances
Reserved Instances: Suitable for workloads with predictable usage, providing cost savings in exchange for a commitment.
Spot Instances: Ideal for flexible workloads that can tolerate interruptions, providing significant cost savings for non-essential or batch jobs.
Use Case: For 70 instances that need to be always available, use Reserved Instances; for 30 instances responsible for batch jobs, use Spot Instances.
Aurora Multi-Master Cluster
In a multi-master cluster, all DB instances can perform write operations.
Continuous Availability: Avoids failover, as another writer DB instance is immediately available if one fails.
Use Case: Useful for applications where you can't afford even brief downtime for database write operations.
AWS Storage Gateway
A hybrid cloud storage service that provides on-premises access to virtually unlimited cloud storage.
Low-Latency Performance: Caches frequently accessed data on-premises while storing data securely and durably in Amazon cloud storage.
Integration: Integrates natively with Amazon S3 cloud storage for in-cloud processing.
Amazon CloudWatch
Allows you to monitor AWS cloud resources and applications.
Alarms: Can be used to send notifications via SNS when EC2 instances breach specified thresholds.
Logs and Metrics: Provides detailed logs and metrics for monitoring and troubleshooting.
Aurora & RDS
Aurora: Involves significant systems administration effort to migrate from RDS MySQL to Aurora.
RDS Read Replicas: Provide enhanced performance and durability, but do not automatically scale storage for the primary database.
Data Transfer Charges: There are charges for replicating data across AWS Regions.
Aurora Multi-AZ: Enhances availability and durability but does not help in read scaling.
AWS Config and ACM
AWS Config: Provides AWS-managed rules for evaluating compliance with best practices.
ACM Certificates: AWS Config can check if ACM certificates are expiring soon. ACM automatically renews its own certificates but does not renew imported ones.
AWS Lambda
Can be combined with DynamoDB to process and capture key-value data from IoT sources.
Timeout: Lambda functions timeout after 15 minutes and are not ideal for long-running jobs.
Scalability: Automatically scales with the number of events to process.
Amazon S3
Static Website Hosting: Amazon S3 can host static websites with individual web pages containing static content.
Storage Classes: Store intermediary query results in Amazon S3 Standard storage class.
S3 Encryption
Server-Side Encryption with Customer-Provided Keys (SSE-C): Use when you want to manage encryption keys via your custom application.
Server-Side Encryption (SSE-S3): Amazon S3 handles encryption and key management.
Client-Side Encryption: Encrypt data client-side and upload the encrypted data to S3.
VPC Endpoint
Allows private connection between VPC and supported AWS services without requiring an Internet gateway or NAT device.
Private Connectivity: Ensures secure communication between instances in your VPC and AWS services.
Amazon Cognito
User Pools: Manage authentication, sign-up, sign-in, and user profiles.
Identity Pools: Provide temporary AWS credentials to authenticated users for accessing AWS resources.
Integration: Configure an identity pool to exchange user pool tokens for AWS credentials.
Spot Fleet
Target Capacity: Selects Spot Instance pools that meet your needs and launches Spot Instances to meet the target capacity.
Instance Replacement: Maintains target capacity by launching replacement instances after Spot Instances are terminated.
Dedicated Instances vs Dedicated Hosts
Dedicated Instances: Physical isolation without server control, cost-effective and simpler.
Dedicated Hosts: Physical isolation with server control, required for specific licensing and compliance needs.
VPC Peering Connection
Direct Connection: Connects two VPCs directly using private IP addresses, suitable for connecting a small number of VPCs.
Inter-Region Peering: Allows communication between VPCs in different regions but may require multiple connections for large-scale architectures.
Transit Gateway
Central Hub: Connects multiple VPCs, on-premises networks, and other AWS accounts.
Scalability: Simplifies network management and scales well for complex, multi-region architectures.
Direct Connect
Provides a dedicated, private network connection from your on-premises data center to AWS.
Latency and Bandwidth: Offers lower latency and higher bandwidth compared to internet-based connections.
VPC Sharing
- Resource Access Manager: Allows multiple AWS accounts to create resources in shared, centrally-managed VPCs.
Amazon Security Groups
Stateful: Allows inbound traffic to the necessary ports, and automatically permits return traffic.
NAT Instance: Can be associated with a NAT instance for port forwarding and used as a bastion server.
Connection Draining
- Purpose: Ensures that an Elastic Load Balancer stops sending requests to instances that are de-registering or unhealthy while keeping existing connections open.
Amazon SQS
Message Queuing: Decouples and scales microservices, distributed systems, and serverless applications.
Short and Long Polling: Short polling sends immediate responses, while long polling waits for messages to reduce the cost of empty receives.
Amazon SNS
Pub-Sub Messaging: Decouples microservices by delivering notifications using a push mechanism.
Message Storage: SNS delivers messages to subscribed endpoints but does not store them.
AWS VPN CloudHub
Hub-and-Spoke Model: Connects multiple branch offices using existing internet connections.
Use Case: Ideal for connecting branch offices with corporate headquarters.
Amazon CloudFront
Access Control: Restricts access to S3 buckets by configuring CloudFront to send authenticated requests.
Origin Access Control (OAC) and Origin Access Identity (OAI): Methods to securely access S3 buckets via CloudFront.
AWS WAF
Web Application Firewall: Monitors HTTP and HTTPS requests forwarded to protected web application resources.
Resource Protection: Protects resources such as Amazon CloudFront distributions, API Gateway REST APIs, and Application Load Balancers.
AWS Database Migration Service
- Helps migrate databases to AWS quickly and securely, minimizing downtime and ensuring data integrity during the migration process.
Route 53 Records
CNAME Record: Maps DNS queries for a domain to another domain or subdomain.
A Record: Points a domain or subdomain to an IP address.
PTR Record: Resolves an IP address to a fully-qualified domain name (FQDN).
Use VPC Endpoint to Access Amazon SQS
- Private Connectivity: Allows access to Amazon SQS from your VPC without using public IPs or traversing the public internet.
Elastic Fabric Adapter (EFA)
- High Performance: Accelerates High Performance Computing (HPC) and machine learning applications with high throughput and low latency.
Amazon CloudWatch Alarm
- Automatic Recovery: Can automatically recover EC2 instances if they become impaired due to hardware failure or other issues.
Spot Instances
Cost-Effective: Provides unused EC2 instances at lower prices than On-Demand.
Spot Blocks: Designed not to be interrupted for a set period.
Persistent Requests: Automatically reopens after interruptions or instance stops.
ElastiCache
Read-Heavy Workloads: Improves latency and throughput for read-heavy application workloads.
Write-Heavy Workloads: Not ideal, as cache can become stale quickly.
Complex Queries: Not suitable for complex JOIN queries; use relational databases instead.
File Storage and Windows File Server Clusters
Windows FSx: Provides fully managed Windows file systems.
Storage Gateway: Includes file, volume, and tape gateways for hybrid cloud storage solutions.
Provisioned IOPS SSD (io1)
High Performance: Backed by SSDs, designed for critical, I/O intensive database workloads.
Provisioning: Allows specifying a desired level of IOPS performance.
Elastic Load Balancer
Classic Load Balancer: Used for EC2-Classic instances; supports TCP and HTTP/HTTPS.
Application Load Balancer: Operates at the application layer (HTTP/HTTPS) and supports advanced routing.
Network Load Balancer: Operates at the network layer (TCP/UDP) and is designed for high-performance, low-latency applications.
AWS Direct Connect
Connection Types: Offers dedicated connections or hosted connections via AWS Direct Connect Partners.
Failover: Ensures connectivity redundancy by providing failover options in case of a connection failure.
AWS Security Hub
Centralized View: Aggregates, organizes, and prioritizes security alerts from multiple AWS services and partner tools.
Compliance Standards: Assesses compliance with standards such as CIS AWS Foundations.