AWS EC2 Troubleshooting

EC2 Troubleshooting Instances

EC2 Troubleshooting An Instance Immediately Terminates

  • EBS volume limit was reached. It's a soft limit and can be increased by submitting a support request
  • EBS snapshot is corrupt.
  • Instance store-backed AMI used to launch the instance is missing a required part
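
A quick way to confirm why an instance terminated immediately is to look at its state transition reason. A minimal boto3 sketch (the instance ID is a placeholder; boto3 and credentials are assumed to be configured):

```python
import boto3

ec2 = boto3.client("ec2")

# Terminated instances remain visible for a while; StateReason explains the termination
resp = ec2.describe_instances(InstanceIds=["i-0123456789abcdef0"])  # placeholder ID
instance = resp["Reservations"][0]["Instances"][0]

print(instance["State"]["Name"])                         # e.g. "terminated"
print(instance.get("StateReason", {}).get("Code"))       # e.g. "Client.VolumeLimitExceeded"
print(instance.get("StateReason", {}).get("Message"))    # human-readable explanation
```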

EC2 Troubleshooting Connecting to Your Instance

  • Error connecting to your instance: Connection timed out
    • Route table for the subnet does not have a route that sends all traffic destined outside the VPC to the Internet gateway for the VPC.
    • Security group does not allow inbound traffic from the public IP address on the proper port (see the sketch after this list)
    • Network ACL does not allow inbound traffic from, and outbound traffic to, the public IP address on the proper port
    • Private key used to connect does not match the key pair selected for the instance at launch
    • Appropriate user name for the AMI is not used, e.g. the user name for an Amazon Linux AMI is ec2-user, for an Ubuntu AMI it is ubuntu, for RHEL5 and SUSE Linux AMIs it can be either root or ec2-user, and for a Fedora AMI it can be fedora or ec2-user
    • If connecting from a corporate network, the internal firewall does not allow inbound and outbound traffic on port 22 (for Linux instances) or port 3389 (for Windows instances).
    • Instance does not have the same public IP address (the public IP address changes when the instance is stopped and started). Associate an Elastic IP address with the instance
    • CPU load on the instance is high; the server may be overloaded.
  • User key not recognized by server
    • private key file used to connect has not been converted to the format required by the server
  • Host key not found, Permission denied (publickey), or Authentication failed, permission denied
    • appropriate user name for the AMI is not used for connecting
    • proper private key file for the instance is not used
  • Unprotected Private Key File
    • private key file is not protected from read and write access by other users.
  • Server refused our key or No supported authentication methods available
    • appropriate user name for the AMI is not used for connecting
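
If the timeout is caused by the security group, the fix is to add an inbound rule for the SSH (or RDP) port from your public IP. A hedged boto3 sketch; the group ID and CIDR are placeholders:

```python
import boto3

ec2 = boto3.client("ec2")

# Allow SSH (TCP 22) only from a specific public IP; use port 3389 for RDP on Windows
ec2.authorize_security_group_ingress(
    GroupId="sg-0123456789abcdef0",            # placeholder security group ID
    IpPermissions=[{
        "IpProtocol": "tcp",
        "FromPort": 22,
        "ToPort": 22,
        "IpRanges": [{"CidrIp": "203.0.113.10/32", "Description": "admin SSH"}],
    }],
)
```

The subnet's network ACL must also allow the corresponding inbound and outbound traffic (see the ACL item above).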

EC2 Troubleshooting Instances with Failed Status Checks

  • System Status Check – Checks Physical Hosts
    • Loss of network connectivity
    • Loss of System power
    • Software issues on physical host
    • Hardware issues on physical host
    • Resolution
      • For an Amazon EBS-backed AMI instance, stop and start the instance (it will be migrated to a healthy host)
      • For Instance-store backed AMI, terminate the instance and launch a replacement.
  • Instance Status Check – Checks Instance or VM
    • Possible reasons
      • Misconfigured networking or startup configuration
      • Exhausted memory
      • Corrupted file system
      • Failed Amazon EBS volume or Physical drive
      • Incompatible kernel
    • Resolution
      • Reboot the instance, or make modifications to the operating system or volumes
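
Both status checks can be read programmatically, which is useful when deciding between a stop/start (system status) and an in-guest fix or reboot (instance status). A minimal boto3 sketch with a placeholder instance ID:

```python
import boto3

ec2 = boto3.client("ec2")

resp = ec2.describe_instance_status(
    InstanceIds=["i-0123456789abcdef0"],   # placeholder ID
    IncludeAllInstances=True,              # also report instances that are not running
)

for status in resp["InstanceStatuses"]:
    print("System status  :", status["SystemStatus"]["Status"])    # checks the physical host
    print("Instance status:", status["InstanceStatus"]["Status"])  # checks the instance/VM

# For an impaired system status on an EBS-backed instance, a stop/start moves it to new hardware:
# ec2.stop_instances(InstanceIds=["i-0123456789abcdef0"])
# ec2.start_instances(InstanceIds=["i-0123456789abcdef0"])
```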

EC2 Troubleshooting Instance Capacity

  • InsufficientInstanceCapacity
    • AWS does not currently have enough available capacity to service your request
  • InstanceLimitExceeded
    • The limit on concurrent running instances (default 20) has been reached.

Sample Exam Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. A user has launched an EC2 instance. The instance got terminated as soon as it was launched. Which of the below mentioned options is not a possible reason for this?
    1. The user account has reached the maximum EC2 instance limit
    2. The snapshot is corrupt
    3. The AMI is missing; it is the required part
    4. The user account has reached the maximum volume limit
  2. If you’re unable to connect via SSH to your EC2 instance, which of the following should you check and possibly correct to restore connectivity?
    1. Adjust Security Group to permit egress traffic over TCP port 443 from your IP.
    2. Configure the IAM role to permit changes to security group settings.
    3. Modify the instance security group to allow ingress of ICMP packets from your IP.
    4. Adjust the instance’s Security Group to permit ingress traffic over port 22 from your IP
    5. Apply the most recently released Operating System security patches.
  3. You try to connect via SSH to a newly created Amazon EC2 instance and get one of the following error messages: “Network error: Connection timed out” or “Error connecting to [instance], reason: -> Connection timed out: connect,” You have confirmed that the network and security group rules are configured correctly and the instance is passing status checks. What steps should you take to identify the source of the behavior? Choose 2 answers
    1. Verify that the private key file corresponds to the Amazon EC2 key pair assigned at launch.
    2. Verify that your IAM user policy has permission to launch Amazon EC2 instances.
    3. Verify that you are connecting with the appropriate user name for your AMI.
    4. Verify that the Amazon EC2 Instance was launched with the proper IAM role.
    5. Verify that your federation trust to AWS has been established.
  4. A user has launched an EBS backed EC2 instance in the us-east-1a region. The user stopped the instance and started it back after 20 days. AWS throws up an ‘Insufficient Instance Capacity’ error. What can be the possible reason for this?
    1. AWS does not have sufficient capacity in that availability zone
    2. AWS zone mapping is changed for that user account
    3. There is some issue with the host capacity on which the instance is launched
    4. The user account has reached the maximum EC2 instance limit
  5. A user is trying to connect to a running EC2 instance using SSH. However, the user gets an Unprotected Private Key File error. Which of the below mentioned options can be a possible reason for rejection?
    1. The private key file has the wrong file permission
    2. The ppk file used for SSH is read only
    3. The public key file has the wrong permission
    4. The user has provided the wrong user name for the OS login
  6. A user has launched an EC2 instance. However, due to some reason the instance was terminated. If the user wants to find out the reason for termination, where can he find the details?
    1. It is not possible to find the details after the instance is terminated
    2. The user can get information from the AWS console, by checking the Instance description under the State transition reason label
    3. The user can get information from the AWS console, by checking the Instance description under the Instance Status Change reason label
    4. The user can get information from the AWS console, by checking the Instance description under the Instance Termination reason label
  7. You have a Linux EC2 web server instance running inside a VPC. The instance is in a public subnet and has an EIP associated with it so you can connect to it over the Internet via HTTP or SSH. The instance was also fully accessible when you last logged in via SSH and was also serving web requests on port 80. Now you are not able to SSH into the host nor does it respond to web requests on port 80, which were working fine the last time you checked. You have double-checked that all networking configuration parameters (security groups, route tables, IGW, EIP, NACLs, etc.) are properly configured (and you haven’t made any changes to those since you were last able to reach the instance). You look at the EC2 console and notice that the system status check shows “impaired.” Which should be your next step in troubleshooting and attempting to get the instance back to a healthy state so that you can log in again?
    1. Stop and start the instance so that it will be able to be redeployed on a healthy host system that most likely will fix the “impaired” system status (for system status check impaired status you need Stop Start for EBS and terminate and relaunch for Instance store)
    2. Reboot your instance so that the operating system will have a chance to boot in a clean healthy state that most likely will fix the ‘impaired” system status
    3. Add another dynamic private IP address to the instance and try to connect via that new path, since the networking stack of the OS may be locked up causing the “impaired” system status.
    4. Add another Elastic Network Interface to the instance and try to connect via that new path since the networking stack of the OS may be locked up causing the “impaired” system status
    5. un-map and then re-map the EIP to the instance, since the IGW/NAT gateway may not be working properly, causing the “impaired” system status
  8. A user is trying to connect to a running EC2 instance using SSH. However, the user gets a connection time out error. Which of the below mentioned options is not a possible reason for rejection?
    1. The access key to connect to the instance is wrong
    2. The security group is not configured properly
    3. The private key used to launch the instance is not correct
    4. The instance CPU is heavily loaded
  9. A user is trying to connect to a running EC2 instance using SSH. However, the user gets a Host key not found error. Which of the below mentioned options is a possible reason for rejection?
    1. The user has provided the wrong user name for the OS login
    2. The instance CPU is heavily loaded
    3. The security group is not configured properly
    4. The access key to connect to the instance is wrong

AWS RDS Replication – Multi-AZ & Read Replica

RDS Replication Overview

  • DB instance replicas can be created in two ways:
  • Multi-AZ deployment
    • Amazon RDS automatically provisions and manages a synchronous standby replica in a different AZ (independent infrastructure in a physically separate location).
    • Multi-AZ deployments provide high availability and failover support
    • In the event of planned database maintenance, DB instance failure, or an Availability Zone failure, Amazon RDS will automatically failover to the standby so that database operations can resume quickly without administrative intervention.
  • Read Replica
    • Amazon RDS also uses the PostgreSQL, MySQL, and MariaDB DB engines’ built-in replication functionality to create a special type of DB instance called a Read Replica from a source DB instance.
    • Load on your source DB instance can be reduced by routing read queries from your applications to the Read Replica.
    • Read Replicas allow you to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads

Multi-AZ deployment

  • Amazon RDS provides high availability and failover support for DB instances using Multi-AZ deployments.
  • Multi-AZ deployments for Oracle, PostgreSQL, MySQL, and MariaDB DB instances use Amazon technology, while SQL Server DB instances use SQL Server Mirroring.
  • In a Multi-AZ deployment, RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone.
  • Primary DB instance is synchronously replicated across Availability Zones to a standby replica to provide data redundancy, eliminate I/O freezes, and minimize latency spikes during system backups.
  • Running a DB instance with high availability can enhance availability during planned system maintenance, and also to help protect the databases against DB instance failure and Availability Zone disruption.
  • High-availability feature is not a scaling solution for read-only scenarios; standby replica can’t be used to serve read traffic.
  • Use a Multi-AZ deployment to improve the durability and availability of a critical system, but the Multi-AZ secondary cannot be used to serve read-only queries; to serve read-only traffic, use a Read Replica.
  • When using the BYOL licensing model, a license for both the primary instance and the standby replica is required
  • DB instances using Multi-AZ deployments may have increased write and commit latency compared to a Single-AZ deployment, due to the synchronous data replication that occurs.
  • You may have a change in latency if your deployment fails over to the standby replica, although AWS is engineered with low-latency network connectivity between Availability Zones.
  • For production workloads, it is recommended to use Provisioned IOPS and DB instance classes (m1.large and larger), optimized for Provisioned IOPS for fast, consistent performance.
  • When Single-AZ deployment is modified to a Multi-AZ deployment (for engines other than SQL Server or Amazon Aurora)
    • RDS takes a snapshot of the primary DB instance from the deployment and restores the snapshot into another Availability Zone.
    • RDS then sets up synchronous replication between the primary DB instance and the new instance.
    • This avoids downtime during the conversion from Single-AZ to Multi-AZ
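
Multi-AZ is a setting on the DB instance, so an existing Single-AZ instance can be converted as described above. A hedged boto3 sketch (the instance identifier is a placeholder):

```python
import boto3

rds = boto3.client("rds")

# Convert an existing Single-AZ DB instance to a Multi-AZ deployment
rds.modify_db_instance(
    DBInstanceIdentifier="mydbinstance",   # placeholder identifier
    MultiAZ=True,
    ApplyImmediately=True,                 # otherwise the change waits for the next maintenance window
)
```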

RDS Multi-AZ Failover Process

  • In the event of a planned or unplanned outage of the DB instance,
    • RDS automatically switches to a standby replica in another AZ, if enabled for Multi-AZ.
    • Time it takes for the failover to complete depends on the database activity and other conditions at the time the primary DB instance became unavailable.
    • Failover times are typically 60-120 secs. However, large transactions or a lengthy recovery process can increase failover time.
    • Failover mechanism automatically changes the DNS record of the DB instance to point to the standby DB instance.
    • As a result, the endpoint URL used by the applications does not change, but any existing connections to the DB instance need to be re-established.
  • RDS handles failovers automatically so that database operations can be resumed as quickly as possible without administrative intervention.
  • Primary DB instance switches over automatically to the standby replica if any of the following conditions occur:
    • An Availability Zone outage
    • Primary DB instance fails
    • DB instance’s server type is changed
    • Operating system of the DB instance is undergoing software patching
    • A manual failover of the DB instance was initiated using Reboot with failover (also referred to as forced failover)
  • Whether the Multi-AZ DB instance has failed over can be determined in the following ways:
    • DB event subscriptions can be set up to notify you via email or SMS that a failover has been initiated.
    • DB events can be viewed via the Amazon RDS console or APIs.
    • Current state of your Multi-AZ deployment can be viewed via the Amazon RDS console and APIs.
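
A manual failover ("Reboot with failover") and an event subscription for failover notifications can both be set up through the API. A hedged boto3 sketch; the instance identifier and SNS topic ARN are placeholders:

```python
import boto3

rds = boto3.client("rds")

# Force a failover of a Multi-AZ DB instance to its standby (Reboot with failover)
rds.reboot_db_instance(
    DBInstanceIdentifier="mydbinstance",   # placeholder identifier
    ForceFailover=True,
)

# Get notified when a failover is initiated (SNS topic ARN is a placeholder)
rds.create_event_subscription(
    SubscriptionName="mydb-failover-alerts",
    SnsTopicArn="arn:aws:sns:us-east-1:123456789012:rds-alerts",
    SourceType="db-instance",
    EventCategories=["failover"],
    SourceIds=["mydbinstance"],
)
```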

Read Replica

  • Amazon RDS uses the MySQL, MariaDB, and PostgreSQL (version 9.3.5 and later) DB engines’ built-in replication functionality to create a Read Replica from a source DB instance.
  • Updates made to the source DB instance are asynchronously copied to the Read Replica.
  • Load on the source DB instance can be reduced by routing read queries from the applications to the Read Replica.
  • Read Replicas allow the database to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads.
  • Read Replica operates as a DB instance that allows only read-only connections; applications can connect to a Read Replica the same way they would to any DB instance.

Read Replica creation

  • Up to five Read Replicas can be created from one source DB instance.
  • Creation process
    • Automatic backups must be enabled on the source DB instance by setting the backup retention period to a value other than 0
    • Existing DB instance needs to be specified as the source.
    • RDS takes a snapshot of the source instance and creates a read-only instance from the snapshot.
    • RDS then uses the asynchronous replication method for the DB engine to propagate any changes made to the source DB instance to the Read Replica.
  • Amazon RDS replicates all databases in the source DB instance.
  • Amazon RDS sets up a secure communications channel between the source DB instance and a Read Replica if that Read Replica is in a different AWS region from the DB instance.
  • Amazon RDS establishes any AWS security configurations, such as adding security group entries, needed to enable the secure channel.
  • During the Read Replica creation, a brief I/O suspension on the source DB instance can be experienced as the DB snapshot occurs.
  • I/O suspension typically lasts about one minute and can be avoided if the source DB instance is a Multi-AZ deployment (in the case of Multi-AZ deployments, DB snapshots are taken from the standby).
  • Before creating a Read Replica, wait for long-running transactions to complete, as an active, long-running transaction can slow the process of Read Replica creation
  • For multiple Read Replicas created in parallel from the same source DB instance, only one snapshot is taken at the start of the first create action.
  • Promoting a Read Replica creates a new standalone DB instance and replication from the source DB instance stops; however, replication continues for the other replicas, which keep using the original source as their replication source
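
Creating a Read Replica is a single API call once automated backups are enabled on the source. A minimal boto3 sketch (identifiers and instance class are placeholders):

```python
import boto3

rds = boto3.client("rds")

# The source must have automated backups enabled (BackupRetentionPeriod > 0)
rds.create_db_instance_read_replica(
    DBInstanceIdentifier="mydbinstance-replica1",    # name of the new replica (placeholder)
    SourceDBInstanceIdentifier="mydbinstance",       # existing source instance (placeholder)
    DBInstanceClass="db.m4.large",                   # ideally match the source's compute/storage
)
```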

Read Replica Deletion & DB Failover

  • Read Replicas must be explicitly deleted, using the same mechanisms for deleting a DB instance.
  • If the source DB instance is deleted without deleting the replicas, each replica is promoted to a stand-alone, single-AZ DB instance.
  • If the source instance of a Multi-AZ deployment fails over to the secondary, any associated Read Replicas are switched to use the secondary as their replication source.
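
Promotion is also an explicit API call; once promoted, the replica becomes a standalone instance and stops replicating from its source. A hedged sketch with a placeholder identifier:

```python
import boto3

rds = boto3.client("rds")

# Promote a Read Replica to a standalone DB instance
rds.promote_read_replica(
    DBInstanceIdentifier="mydbinstance-replica1",   # placeholder replica identifier
    BackupRetentionPeriod=7,                        # enable automated backups on the promoted instance
)
```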

Read Replica Storage & Compute requirements

  • A Read Replica, by default, is created with the same storage type as the source DB instance.
  • For replication to operate effectively, each Read Replica should have the same amount of compute and storage resources as the source DB instance.
  • If the source DB instance is scaled, the Read Replicas should be scaled accordingly

Read Replica Features

  • Amazon RDS does not support circular replication.
  • DB instance cannot be configured to serve as a replication source for an existing DB instance; a new Read Replica can be created only from an existing DB instance, e.g. if MyDBInstance replicates to ReadReplica1, ReadReplica1 can’t be configured to replicate back to MyDBInstance. From ReadReplica1, only a new Read Replica can be created, such as ReadRep2.
  • Cross-Region Replication
    • MySQL or MariaDB Read Replica can be created in a different region than the source DB instance to improve your disaster recovery capabilities, scale read operations into a region closer to end users, or to ease migration from a data center in one region to another region
    • PostgreSQL Read Replicas can be created only in the same region as the source DB instance
  • A Read Replica running any version of MariaDB or MySQL 5.6 can be specified as the source DB instance for another Read Replica; however, the replica lag is higher for these instances

Read Replica Use cases

  • Read Replicas can be used in variety of use cases, including:
    • Scaling beyond the compute or I/O capacity of a single DB instance for read-heavy database workloads, directing excess read traffic to Read Replica(s)
    • Serving read traffic while the source DB instance is unavailable, e.g. if the source DB instance cannot take I/O requests due to I/O suspension for backups or scheduled maintenance, the read traffic can be directed to the Read Replica(s). However, the data might be stale.
    • Business reporting or data warehousing scenarios where business reporting queries can be executed against a Read Replica, rather than the primary, production DB instance.

Sample Exam Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. You are running a successful multi-tier web application on AWS and your marketing department has asked you to add a reporting tier to the application. The reporting tier will aggregate and publish status reports every 30 minutes from user-generated information that is being stored in your web applications database. You are currently running a Multi-AZ RDS MySQL instance for the database tier. You also have implemented ElastiCache as a database caching layer between the application tier and database tier. Please select the answer that will allow you to successfully implement the reporting tier with as little impact as possible to your database.
    1. Continually send transaction logs from your master database to an S3 bucket and generate the reports off the S3 bucket using S3 byte range requests.
    2. Generate the reports by querying the synchronously replicated standby RDS MySQL instance maintained through Multi-AZ
    3. Launch a RDS Read Replica connected to your Multi AZ master database and generate reports by querying the Read Replica.
    4. Generate the reports by querying the ElastiCache database caching tier.
  2. A company is deploying a new two-tier web application in AWS. The company has limited staff and requires high availability, and the application requires complex queries and table joins. Which configuration provides the solution for the company’s requirements?
    1. MySQL Installed on two Amazon EC2 Instances in a single Availability Zone
    2. Amazon RDS for MySQL with Multi-AZ
    3. Amazon ElastiCache
    4. Amazon DynamoDB
  3. Your company is getting ready to do a major public announcement of a social media site on AWS. The website is running on EC2 instances deployed across multiple Availability Zones with a Multi-AZ RDS MySQL Extra Large DB Instance. The site performs a high number of small reads and writes per second and relies on an eventual consistency model. After comprehensive tests you discover that there is read contention on RDS MySQL. Which are the best approaches to meet these requirements? (Choose 2 answers)
    1. Deploy ElastiCache in-memory cache running in each availability zone
    2. Implement sharding to distribute load to multiple RDS MySQL instances
    3. Increase the RDS MySQL Instance size and Implement provisioned IOPS
    4. Add an RDS MySQL read replica in each availability zone
  4. Your company has HQ in Tokyo and branch offices all over the world and is using logistics software with a multi-regional deployment on AWS in Japan, Europe and US. The logistics software has a 3-tier architecture and currently uses MySQL 5.6 for data persistence. Each region has deployed its own database. In the HQ region you run an hourly batch process reading data from every region to compute cross-regional reports that are sent by email to all offices. This batch process must be completed as fast as possible to quickly optimize logistics. How do you build the database architecture in order to meet the requirements?
    1. For each regional deployment, use RDS MySQL with a master in the region and a read replica in the HQ region
    2. For each regional deployment, use MySQL on EC2 with a master in the region and send hourly EBS snapshots to the HQ region
    3. For each regional deployment, use RDS MySQL with a master in the region and send hourly RDS snapshots to the HQ region
    4. For each regional deployment, use MySQL on EC2 with a master in the region and use S3 to copy data files hourly to the HQ region
    5. Use Direct Connect to connect all regional MySQL deployments to the HQ region and reduce network latency for the batch process
  5. What would happen to an RDS (Relational Database Service) multi-Availability Zone deployment if the primary DB instance fails?
    1. The IP of the primary DB Instance is switched to the standby DB Instance.
    2. A new DB instance is created in the standby availability zone.
    3. The canonical name record (CNAME) is changed from primary to standby.
    4. The RDS (Relational Database Service) DB instance reboots.
  6. Your business is building a new application that will store its entire customer database on a RDS MySQL database, and will have various applications and users that will query that data for different purposes. Large analytics jobs on the database are likely to cause other applications to not be able to get the query results they need to, before time out. Also, as your data grows, these analytics jobs will start to take more time, increasing the negative effect on the other applications. How do you solve the contention issues between these different workloads on the same data?
    1. Enable Multi-AZ mode on the RDS instance
    2. Use ElastiCache to offload the analytics job data
    3. Create RDS Read-Replicas for the analytics work
    4. Run the RDS instance on the largest size possible
  7. Will my standby RDS instance be in the same Availability Zone as my primary?
    1. Only for Oracle RDS types
    2. Yes
    3. Only if configured at launch
    4. No
  8. Is creating a Read Replica of another Read Replica supported?
    1. Only in certain regions
    2. Only with MySQL based RDS
    3. Only for Oracle RDS types
    4. No
  9. A user is planning to set up the Multi AZ feature of RDS. Which of the below mentioned conditions won’t take advantage of the Multi AZ feature?
    1. Availability zone outage
    2. A manual failover of the DB instance using Reboot with failover option
    3. Region outage
    4. When the user changes the DB instance’s server type
  10. When you run a DB Instance as a Multi-AZ deployment, the “_____” serves database writes and reads
    1. secondary
    2. backup
    3. stand by
    4. primary
  11. When running my DB Instance as a Multi-AZ deployment, can I use the standby for read or write operations?
    1. Yes
    2. Only with MSSQL based RDS
    3. Only for Oracle RDS instances
    4. No
  12. Read Replicas require a transactional storage engine and are only supported for the _________ storage engine
    1. OracleISAM
    2. MSSQLDB
    3. InnoDB
    4. MyISAM
  13. A user is configuring the Multi AZ feature of an RDS DB. The user came to know that this RDS DB does not use the AWS technology, but uses server mirroring to achieve replication. Which DB is the user using right now?
    1. My SQL
    2. Oracle
    3. MS SQL
    4. PostgreSQL
  14. If I have multiple Read Replicas for my master DB Instance and I promote one of them, what happens to the rest of the Read Replicas?
    1. The remaining Read Replicas will still replicate from the older master DB Instance
    2. The remaining Read Replicas will be deleted
    3. The remaining Read Replicas will be combined to one read replica
  15. If you have chosen Multi-AZ deployment, in the event of a planned or unplanned outage of your primary DB Instance, Amazon RDS automatically switches to the standby replica. The automatic failover mechanism simply changes the ______ record of the main DB Instance to point to the standby DB Instance.
    1. DNAME
    2. CNAME
    3. TXT
    4. MX
  16. When automatic failover occurs, Amazon RDS will emit a DB Instance event to inform you that automatic failover occurred. You can use the _____ to return information about events related to your DB Instance
    1. FetchFailure
    2. DescriveFailure
    3. DescribeEvents
    4. FetchEvents
  17. The new DB Instance that is created when you promote a Read Replica retains the backup window period.
    1. TRUE
    2. FALSE
  18. Will I be alerted when automatic failover occurs?
    1. Only if SNS configured
    2. No
    3. Yes
    4. Only if Cloudwatch configured
  19. Can I initiate a “forced failover” for my MySQL Multi-AZ DB Instance deployment?
    1. Only in certain regions
    2. Only in VPC
    3. Yes
    4. No
  20. A user is accessing RDS from an application. The user has enabled the Multi AZ feature with the MS SQL RDS DB. During a planned outage how will AWS ensure that a switch from DB to a standby replica will not affect access to the application?
    1. RDS will have an internal IP which will redirect all requests to the new DB
    2. RDS uses DNS to switch over to standby replica for seamless transition
    3. The switch over changes Hardware so RDS does not need to worry about access
    4. RDS will have both the DBs running independently and the user has to manually switch over
  21. Which of the following is part of the failover process for a Multi-Availability Zone Amazon Relational Database Service (RDS) instance?
    1. The failed RDS DB instance reboots.
    2. The IP of the primary DB instance is switched to the standby DB instance.
    3. The DNS record for the RDS endpoint is changed from primary to standby.
    4. A new DB instance is created in the standby availability zone.

AWS Auto Scaling & ELB

Auto Scaling & ELB

  • Auto Scaling helps to automatically increase the number of EC2 instances when the user demand goes up, and decrease the number of EC2 instances when demand goes down
  • ELB service helps to distribute the incoming web traffic (called the load) automatically among all the running EC2 instances
  • ELB uses load balancers to monitor traffic and handle requests that come through the Internet.
  • Auto Scaling dynamically adds and removes EC2 instances, while Elastic Load Balancing manages incoming requests by optimally routing traffic so that no one instance is overwhelmed
  • Using ELB & Auto Scaling
    • makes it easy to route traffic across a dynamically changing fleet of EC2 instances
    • load balancer acts as a single point of contact for all incoming traffic to the instances in an Auto Scaling group.

Attaching/Detaching ELB with Auto Scaling Group

  • Auto Scaling integrates with Elastic Load Balancing and enables to attach one or more load balancers to an existing Auto Scaling group.
  • After the ELB is attached, it automatically registers the instances in the group and distributes incoming traffic across the instances
  • ELB registers the EC2 instance using its IP address and routes requests to the primary IP address of the primary interface (eth0) of the instance.
  • When ELB is detached, it enters the Removing state while deregistering the instances in the group.
  • If connection draining is enabled, ELB waits for in-flight requests to complete before deregistering the instances.
  • Instances remain running after they are deregistered from the ELB
  • Auto Scaling adds instances to the load balancer as they are launched, but this process can be suspended. Instances launched during the suspension period are not added to the load balancer after resumption and must be registered manually.
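
Attaching and detaching a load balancer to an existing Auto Scaling group is done through the Auto Scaling API. A minimal boto3 sketch for a Classic Load Balancer (names are placeholders):

```python
import boto3

autoscaling = boto3.client("autoscaling")

# Attach an existing Classic Load Balancer; instances in the group are registered automatically
autoscaling.attach_load_balancers(
    AutoScalingGroupName="my-asg",            # placeholder group name
    LoadBalancerNames=["my-classic-elb"],     # placeholder ELB name
)

# Detaching later deregisters the instances (in-flight requests finish if connection draining is enabled)
# autoscaling.detach_load_balancers(
#     AutoScalingGroupName="my-asg",
#     LoadBalancerNames=["my-classic-elb"],
# )
```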

High Availability & Redundancy

  • Auto Scaling can span across multiple AZs, within the same region
  • When one AZ becomes unhealthy or unavailable, Auto Scaling launches new instances in an unaffected AZ
  • When the unhealthy AZ recovers, Auto Scaling redistributes the traffic across all the healthy AZs
  • Elastic Load balancer can be setup to distribute incoming requests across EC2 instances in a single AZ or multiple AZs within a region
  • It is recommended to take advantage of the safety and reliability of geographic redundancy by using Auto Scaling & ELB by spanning Auto Scaling groups across multiple AZs within a region and then setting up ELB to distribute incoming traffic across those AZs.
  • Incoming traffic is load balanced equally across all the AZs enabled for ELB

Health Checks

  • Auto Scaling group determines the health state of each instance by periodically checking the results of EC2 instance status checks
  • Auto Scaling marks the instance as unhealthy and replaces the instance, if the instance fails the EC2 instance status check
  • ELB also performs health checks on the EC2 instances that are registered with it, e.g. by pinging a health check page to verify that the application is available
  • Auto Scaling, by default, does not replace the instance if the ELB health check fails
  • ELB health check with the instances should be used to ensure that traffic is routed only to the healthy instances
  • After a load balancer is registered with an Auto Scaling group, it can be configured to use the results of the Elastic Load Balancing health check in addition to the EC2 instance status checks to determine the health of the EC2 instances in your Auto Scaling group.
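
Switching the group to use the ELB health check is a one-line configuration change. A hedged boto3 sketch (the group name is a placeholder):

```python
import boto3

autoscaling = boto3.client("autoscaling")

# Replace unhealthy instances based on the ELB health check, not just EC2 status checks
autoscaling.update_auto_scaling_group(
    AutoScalingGroupName="my-asg",       # placeholder group name
    HealthCheckType="ELB",
    HealthCheckGracePeriod=300,          # seconds to wait after launch before health checking
)
```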

Monitoring

  • Elastic Load Balancing sends data about the load balancers and EC2 instances to Amazon CloudWatch. CloudWatch collects data about the performance of your resources and presents it as metrics.
  • After registering one or more load balancers with the Auto Scaling group, Auto Scaling group can be configured to use ELB metrics (such as request latency or request count) to scale the application automatically

Sample Exam Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. A company is building a two-tier web application to serve dynamic transaction-based content. The data tier is leveraging an Online Transactional Processing (OLTP) database. What services should you leverage to enable an elastic and scalable web tier?
    1. Elastic Load Balancing, Amazon EC2, and Auto Scaling
    2. Elastic Load Balancing, Amazon RDS with Multi-AZ, and Amazon S3
    3. Amazon RDS with Multi-AZ and Auto Scaling
    4. Amazon EC2, Amazon DynamoDB, and Amazon S3
  2. A user has configured ELB with Auto Scaling. The user suspended the Auto Scaling AddToLoadBalancer process (which adds instances to the load balancer) for a while. What will happen to the instances launched during the suspension period?
    1. The instances will not be registered with ELB and the user has to manually register when the process is resumed
    2. The instances will be registered with ELB only once the process has resumed
    3. Auto Scaling will not launch the instance during this period due to process suspension
    4. It is not possible to suspend only the AddToLoadBalancer process
  3. You have an Auto Scaling group associated with an Elastic Load Balancer (ELB). You have noticed that instances launched via the Auto Scaling group are being marked unhealthy due to an ELB health check, but these unhealthy instances are not being terminated. What do you need to do to ensure that instances marked unhealthy by the ELB will be terminated and replaced?
    1. Change the thresholds set on the Auto Scaling group health check
    2. Add an Elastic Load Balancing health check to your Auto Scaling group
    3. Increase the value for the Health check interval set on the Elastic Load Balancer
    4. Change the health check set on the Elastic Load Balancer to use TCP rather than HTTP checks

AWS VPC VPN CloudHub Connections

VPC VPN Connections

A VPC can be connected to remote networks by using a VPN connection

  • AWS hardware VPN
    • Connectivity can be established by creating an IPsec, hardware VPN connection between the VPC and the remote network.
    • On the AWS side of the VPN connection, a virtual private gateway (VGW) provides two VPN endpoints for automatic failover.
    • On the customer side, a customer gateway (CGW) needs to be configured, which is the physical device or software application on the remote side of the VPN connection
  • AWS Direct Connect
    • AWS Direct Connect provides a dedicated private connection from a remote network to your VPC.
    • Direct Connect can be combined with an AWS hardware VPN connection to create an IPsec-encrypted connection
  • AWS VPN CloudHub
    • For more than one remote network, e.g. multiple branch offices, multiple AWS hardware VPN connections can be created via the VPC to enable communication between these networks
  • Software VPN
    • VPN connection can be created to the remote network by using an Amazon EC2 instance in the VPC that’s running a software VPN appliance.
    • AWS does not provide or maintain software VPN appliances; however, there is a range of products provided by partners and open source communities

Hardware VPN Connection

VPN Components

  • Virtual Private Gateway
    • A virtual private gateway is the VPN concentrator on the Amazon side of the VPN connection
    • A VPC can only have one attached virtual private gateway
  • Customer Gateway
    • A customer gateway is a physical device or software application on customer side of the VPN connection.
    • When a VPN connection is created, the VPN tunnel comes up when traffic is generated from the remote side of the VPN connection.
    • Virtual private gateway is not the initiator; the customer gateway must initiate the tunnels.
    • If the VPN connection experiences a period of idle time, usually 10 seconds depending on the configuration, the tunnel may go down. To prevent this, use a network monitoring tool to generate keepalive pings, e.g. by using IP SLA.

VPN Configuration

  • VPC has an attached virtual private gateway, and the remote network includes a customer gateway, which must be configured to enable the VPN connection.
  • Routing must be setup so that any traffic from the VPC bound for the remote network is routed to the virtual private gateway.
  • Multiple VPN connections to a single VPC can be created, and a second customer gateway can be configured to create a redundant connection to the same external location or to create VPN connections to multiple geographic locations.
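
The pieces above (virtual private gateway, customer gateway, VPN connection, and routes) map directly onto EC2 API calls. A hedged boto3 sketch using static routing; all IDs, IPs, the ASN, and the CIDRs are placeholders:

```python
import boto3

ec2 = boto3.client("ec2")

# Virtual private gateway (AWS side), attached to the VPC
vgw = ec2.create_vpn_gateway(Type="ipsec.1")["VpnGateway"]
ec2.attach_vpn_gateway(VpnGatewayId=vgw["VpnGatewayId"], VpcId="vpc-0123456789abcdef0")

# Customer gateway (remote side); public IP and BGP ASN are placeholders
cgw = ec2.create_customer_gateway(
    Type="ipsec.1", PublicIp="198.51.100.1", BgpAsn=65000
)["CustomerGateway"]

# The VPN connection; static routing is chosen here for a non-BGP device
vpn = ec2.create_vpn_connection(
    Type="ipsec.1",
    CustomerGatewayId=cgw["CustomerGatewayId"],
    VpnGatewayId=vgw["VpnGatewayId"],
    Options={"StaticRoutesOnly": True},
)["VpnConnection"]

# Static route for the remote network, plus a VPC route table entry back to the VGW
ec2.create_vpn_connection_route(
    VpnConnectionId=vpn["VpnConnectionId"], DestinationCidrBlock="10.20.0.0/16"
)
ec2.create_route(
    RouteTableId="rtb-0123456789abcdef0",
    DestinationCidrBlock="10.20.0.0/16",
    GatewayId=vgw["VpnGatewayId"],
)
```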

VPN Routing Options

  • For a VPN connection, the route table for the subnets should be updated with the type of routing (static or dynamic) that you plan to use.
  • Route tables determine where network traffic is directed. Traffic destined for the VPN connections must be routed to the virtual private gateway.
  • Type of routing that you select can depend on the make and model of your VPN devices.
  • BGP dynamic routing
    • If the VPN device supports Border Gateway Protocol (BGP), specify dynamic routing when you configure your VPN connection.
    • When using a BGP device, static routes need not be specified to the VPN connection because the device uses BGP to advertise its routes to the virtual private gateway.
    • BGP-capable devices are recommended as the BGP protocol offers robust liveness detection checks that can assist failover to the second VPN tunnel if the first tunnel goes down.
  • Static Routing
    • If your device does not support BGP, specify static routing.
    • Using static routing, the routes (IP prefixes) can be specified that should be communicated to the virtual private gateway.
    • Devices that don’t support BGP may also perform health checks to assist failover to the second tunnel when needed.
  • Only IP prefixes known to the virtual private gateway, either through BGP advertisement or static route entry, can receive traffic from your VPC.
  • Virtual private gateway does not route any other traffic destined outside of the advertised BGP, static route entries, or its attached VPC CIDR.

VPN Connection Redundancy

  • A VPN connection is used to connect the customer network to a VPC.
  • Each VPN connection has two tunnels to help ensure connectivity in case one of the tunnels becomes unavailable, with each tunnel using a unique virtual private gateway public IP address.
  • Both tunnels should be configured for redundancy.
  • When one tunnel becomes unavailable, for e.g. down for maintenance, network traffic is automatically routed to the available tunnel for that specific VPN connection.
  • To protect against a loss of connectivity in case the customer gateway becomes unavailable, a second VPN connection can be setup to the VPC and virtual private gateway by using a second customer gateway.
  • The customer gateway IP address for the second VPN connection must be publicly accessible.
  • By using redundant VPN connections and customer gateways, maintenance on one of the customer gateways can be performed while traffic continues to flow over the second customer gateway’s VPN connection.
  • Dynamically routed VPN connections, which use the Border Gateway Protocol (BGP), are recommended, if available, to exchange routing information between the customer gateways and the virtual private gateways.
  • Statically routed VPN connections require static routes for the network to be entered on the customer gateway side.
  • BGP-advertised and statically entered route information allow gateways on both sides to determine which tunnels are available and reroute traffic if a failure occurs.

VPN CloudHub

  • VPN CloudHub can be used to provide secure communication between sites, if you have multiple VPN connections
  • VPN CloudHub operates on a simple hub-and-spoke model that can be used with or without a VPC.
  • Design is suitable for customers with multiple branch offices and existing Internet connections who’d like to implement a convenient, potentially low-cost hub-and-spoke model for primary or backup connectivity between these remote offices

VPN CloudHub Architecture

  • In the VPN CloudHub architecture, network traffic between remote sites is routed over their respective VPN connections via the virtual private gateway.
  • AWS VPN CloudHub requires a virtual private gateway with multiple customer gateways.
  • Each customer gateway can either have a unique or same Border Gateway Protocol (BGP) Autonomous System Number (ASN)
  • Customer gateways advertise the appropriate routes (BGP prefixes) over their VPN connections.
  • Routing advertisements are received and re-advertised to each BGP peer, enabling each site to send data to and receive data from the other sites.
  • Routes for each spoke must have unique ASNs and the sites must not have overlapping IP ranges.
  • Each site can also send and receive data from the VPC as if they were using a standard VPN connection.
  • Sites that use AWS Direct Connect connections to the virtual private gateway can also be part of the AWS VPN CloudHub.
  • To configure the AWS VPN CloudHub,
    • multiple customer gateways can be created, each with the unique public IP address of the gateway and the ASN.
    • a VPN connection can be created from each customer gateway to a common virtual private gateway.
    • each VPN connection must advertise its specific BGP routes. This is done using the network statements in the VPN configuration files for the VPN connection.

Sample Exam Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. You have in total 5 offices, and the entire employee related information is stored under AWS VPC instances. Now all the offices want to connect the instances in VPC using VPN. Which of the below help you to implement this?
    1. you can have redundant customer gateways between your data center and your VPC
    2. you can have multiple locations connected to the AWS VPN CloudHub
    3. You have to define 5 different static IP addresses in route table.
    4. 1 and 2
    5. 1,2 and 3
  2. You have in total 15 offices, and the entire employee related information is stored under AWS VPC instances. Now all the offices want to connect the instances in VPC using VPN. What problem do you see in this scenario?
    1. You can not create more than 1 VPN connections with single VPC (Can be created)
    2. You can not create more than 10 VPN connections with single VPC (soft limit can be extended)
    3. When you create multiple VPN connections, the virtual private gateway can not sends network traffic to the appropriate VPN connection using statically assigned routes. (Can route the traffic to correct connection)
    4. Statically assigned routes cannot be configured in case of more than 1 VPN with virtual private gateway. (can be configured)
    5. None of above

AWS CloudFront Overview

CloudFront Overview

  • CloudFront is a web service that speeds up distribution of static, dynamic web or streaming content to end users.
  • CloudFront delivers the content through a worldwide network of data centers called edge locations
  • CloudFront speeds up the distribution of your content by routing each user request to the edge location that can best serve the content thus providing the lowest latency.
  • CloudFront dramatically reduces the number of network hops that users’ requests must pass through, which helps improve performance and provide lower latency and higher data transfer rates.
  • CloudFront also provides increased reliability and availability because copies of objects are held in multiple edge locations around the world

Configuration & Content Delivery

  • Configuration
    1. Origin servers need to be configured to get the files for distribution. An origin server stores the original, definitive version of your objects
    2. Files (also called objects) can be added/uploaded to the origin servers with public read permissions or with permissions restricted to an Origin Access Identity (OAI)
    3. Create a CloudFront distribution, which tells CloudFront which origin servers to get your files from when users request the files
    4. CloudFront sends the distribution configuration to all the edge locations
    5. Website can be used with the CloudFront provided domain name or a custom alternate domain name
    6. Origin server can be configured to limit access protocols, configure caching behavior, and add headers to the files to set the TTL or expiration time
  • Content delivery to Users
    1. When a user accesses the website, file, or object, DNS routes the request to the CloudFront edge location that can best serve the request with the lowest latency
    2. CloudFront returns the object immediately, if the requested object is present in the cache at the Edge location
    3. If the requested object does not exist in the cache at the edge location, CloudFront requests the object from the origin server and returns it to the user as soon as it starts receiving it
    4. When the object reaches its expiration time, on the next request CloudFront checks with the origin server for a newer version. If the cached copy is still the latest, CloudFront continues to use it; if the origin server has a newer version, it is retrieved, served to the user, and cached as well
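
A distribution is created by pointing CloudFront at its origin(s) and defining the default cache behavior. A hedged boto3 sketch for a web distribution with a single S3 origin; the bucket name and settings are placeholders, not a recommended production configuration:

```python
import time
import boto3

cloudfront = boto3.client("cloudfront")

cloudfront.create_distribution(DistributionConfig={
    "CallerReference": str(time.time()),        # must be unique per create request
    "Comment": "example distribution",
    "Enabled": True,
    "Origins": {
        "Quantity": 1,
        "Items": [{
            "Id": "my-s3-origin",
            "DomainName": "my-bucket.s3.amazonaws.com",        # placeholder bucket
            "S3OriginConfig": {"OriginAccessIdentity": ""},    # set an OAI here to restrict direct S3 access
        }],
    },
    "DefaultCacheBehavior": {
        "TargetOriginId": "my-s3-origin",
        "ViewerProtocolPolicy": "redirect-to-https",           # HTTP viewers are redirected to HTTPS
        "ForwardedValues": {"QueryString": False, "Cookies": {"Forward": "none"}},
        "TrustedSigners": {"Enabled": False, "Quantity": 0},
        "MinTTL": 0,
        "DefaultTTL": 86400,                                   # 24 hours, the default expiration
    },
})
```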

Delivery Methods

Web distributions

  • supports both static and dynamic content, e.g. HTML, CSS, JS, images, etc., using HTTP or HTTPS.
  • supports multimedia content on demand using progressive download and Apple HTTP Live Streaming (HLS).
  • supports a live event, such as a meeting, conference, or concert, in real time. For live streaming, distribution can be created automatically using an AWS CloudFormation stack.
  • origin servers can be either an Amazon S3 bucket or an HTTP server, e.g. a web server or an AWS ELB

RTMP distributions

  • supports streaming of media files using Adobe Media Server and the Adobe Real-Time Messaging Protocol (RTMP)
  • must use an Amazon S3 bucket as the origin.
  • To stream media files using CloudFront, two types of files are needed
    • Media files
    • Media player, e.g. JW Player, Flowplayer, or Adobe Flash
  • End users view media files using the media player that you provide, not a player installed locally on the end user’s device
  • When an end user streams the media file, the media player begins to play the file content while the file is still being downloaded from CloudFront.
  • Media file is not stored locally on the end user’s system.
  • Two CloudFront distributions are required: a Web distribution for the media player and an RTMP distribution for the media files
  • Media player and media files can be stored in the same origin S3 bucket or in different buckets

Origin

  • Each origin is either an Amazon S3 bucket or an HTTP server, for e.g., a web server, which stores the original content
  • For HTTP server as the origin, the domain name of the resource needs to be mapped and files must be publicly readable
  • For S3 bucket, use the bucket url or the static website endpoint url and the files either need to be publicly readable or secured using OAI
  • Origin access restriction, for S3 only, can be configured using an Origin Access Identity to prevent direct access to the S3 objects
  • Distribution can have multiple origins, each with one or more cache behaviors that route requests to it. The path pattern in a cache behavior determines which requests are routed to the origin (e.g. the Amazon S3 bucket) associated with that cache behavior

Cache Behavior

  • Cache behavior allows you to define
    • Path patterns to apply to the request. A default (*) pattern is created, and multiple cache behaviors can be added with patterns that take priority over the default path

Viewer Protocol Policy

  • Viewer Protocol policy can be configured to define the access protocol allowed. It can be HTTP and HTTPS, HTTPS only, or HTTP redirected to HTTPS

HTTPS Connection

  • Between CloudFront & Viewers, cache distribution can be configured to either allow HTTP or HTTPS requests, or use HTTPS only, or redirect all HTTP request to HTTPS
  • Between CloudFront & Origin, cache distribution can be configured to require that CloudFront fetches objects from the origin by using HTTPS or CloudFront uses the protocol that the viewer used to request the objects.
  • For Amazon S3 as origin,
    • for a website endpoint, the protocol has to be HTTP as HTTPS is not supported
    • for an S3 bucket, the default Origin protocol policy is Match Viewer and cannot be changed. So when CloudFront is configured to require HTTPS between the viewer and CloudFront, CloudFront automatically uses HTTPS to communicate with Amazon S3.
  • CloudFront can also be configured to work with HTTPS for alternate domain names by using:
    • Serving HTTPS Requests Using Dedicated IP Addresses
      • CloudFront associates the alternate domain name with a dedicated IP address, and the certificate is associated with the IP address. When a request is received for the IP address, CloudFront uses it to identify the distribution and determine which SSL/TLS certificate to return to the viewer
      • This method works for every HTTPS request, regardless of the browser or other viewer that the user is using.
      • Additional monthly charge is incurred for using dedicated IP address
    • Serving HTTPS Requests Using SNI
      • With SNI method, CloudFront associates an IP address with the alternate domain name, but the IP address is not dedicated
      • CloudFront can’t determine, based on the IP address, which domain the request is for as the IP address is not dedicated
      • Browsers that support SNI, an extension to the TLS protocol, automatically get the domain name from the request URL and add it to a new field in the request header.
      • When CloudFront receives an HTTPS request from a browser that supports SNI, it finds the domain name in the request header and responds to the request with the applicable SSL/TLS certificate.
      • Viewer and CloudFront perform SSL negotiation, and CloudFront returns the requested content to the viewer.

Allowed HTTP methods

  • GET, HEAD methods to get objects or object headers from your origin
  • GET, HEAD, OPTIONS to use CloudFront only to get objects, object headers or retrieve a list of the options supported from your origin
  • GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE to use CloudFront to get, add, update, and delete objects, and to get object headers. PUT and POST operations, e.g. submitting data from a web form, can also be performed; these are routed directly to the origin server
  • CloudFront only caches responses to GET and HEAD requests and, optionally, OPTIONS requests. CloudFront does not cache responses to PUT, POST, PATCH, DELETE request methods and these requests are directed to the origin

Improving CloudFront Edge Caches

  • Control the cache max-age
    • To increase the cache hit ratio, the origin can be configured to add a Cache-Control max-age directive to the objects. The longer the interval, the less frequently the object is retrieved from the origin
  • Caching Based on Query String Parameters
    • For Web distributions, CloudFront can be configured to cache based on the query parameters
    • Caching performance can be improved by
      • Configure CloudFront to forward only the query strings for which your origin will return unique objects.
      • Using the same case for the parameter values, e.g. for parameter values A and a, CloudFront would cache the same request twice even if the response or object returned is identical
      • Using the same parameter order, e.g. for requests a=x&b=y and b=y&a=x, CloudFront would cache the same request twice even though the response or object returned is identical
    • For RTMP distributions, when CloudFront requests an object from the origin server, it removes any query string parameters.
  • Caching Based on Cookie Values
    • For Web distributions, CloudFront can be configured to cache based on cookie values.
    • By default, it doesn’t consider cookies while caching on edge locations
    • Caching performance can be improved by
      • Configure CloudFront to forward only specified cookies instead of forwarding all cookies, e.g. if the request has 2 cookies each with 3 possible values, CloudFront would cache all possible combinations even if the response takes only a single cookie into account
      • Cookie names and values are both case sensitive so better to stick with the same case
      • Create separate cache behaviors for static and dynamic content, and configure CloudFront to forward cookies to your origin only for dynamic content for e.g. for css files, the cookies do not make sense as the object does not change with the cookie value
      • If possible, create separate cache behaviors for dynamic content for which cookie values are unique for each user (such as a user ID) and dynamic content that varies based on a smaller number of unique values reducing the number of combinations
    • For RTMP distributions, CloudFront cannot be configured to process cookies. When CloudFront requests an object from the origin server, it removes any cookies before forwarding the request to your origin. If your origin returns any cookies along with the object, CloudFront removes them before returning the object to the viewer.
  • Caching Based on Request Headers
    • CloudFront can be configured to cache based on request headers
    • By default, CloudFront doesn’t consider headers when caching your objects in edge locations.
    • CloudFront configured to cache based on request headers, does not change the headers that CloudFront forwards, only whether CloudFront caches objects based on the header values.
    • Caching performance can be improved by
      • Configure CloudFront to forward and cache based on only specified headers instead of forwarding and caching based on all headers.
      • Try to avoid caching based on request headers that have large numbers of unique values.
      • If CloudFront is configured to forward all headers to the origin, CloudFront doesn’t cache the objects associated with this cache behavior; instead, it sends every request to the origin
      • When CloudFront caches based on header values, it doesn’t consider the case of the header name, but it does consider the case of the header value
    • For RTMP distributions, CloudFront cannot be configured to cache based on header values.

Object Caching & Expiration

  • Object expiration determines how long objects stay in a CloudFront cache before CloudFront fetches them again from the origin
  • A low expiration time helps serve content that changes frequently, while a high expiration time improves performance and reduces load on the origin
  • After the expiration time, CloudFront forwards the next request for the object to the origin to check whether the cached copy is still the latest version
    • if the cache already has the latest version, the origin returns a 304 status code (Not Modified).
    • if the CloudFront cache does not have the latest version, the origin returns a 200 status code (OK) and the latest version of the object
  • If an object in an edge location isn’t frequently requested, CloudFront might evict the object, remove the object before its expiration date, to make room for objects that have been requested more recently.
  • By default, each object automatically expires after 24 hours
  • For Web distributions, the default behavior can be changed by
    • for the entire path pattern, cache behavior can be configured by setting of Minimum TTL, Maximum TTL and Default TTL values
    • for individual objects, origin can be configured to add a Cache-Control max-age or Cache-Control s-maxage directive, or an Expires header field to the object.
    • AWS recommends using the Cache-Control max-age directive over the Expires header to control object caching behavior (a sketch of setting this on S3 origin objects follows this section)
    • CloudFront uses only the value of Cache-Control max-age, if both the Cache-Control max-age directive and Expires header are specified
    • HTTP Cache-Control or Pragma header fields in a GET request from a viewer can’t be used to force CloudFront to go back to the origin server for the object
    • By default, when the origin returns an HTTP 4xx or 5xx status code, CloudFront caches these error responses for five minutes and then submits the next request for the object to the origin to see whether
      the requested object is available and the problem has been resolved
  • For RTMP distributions
    • CloudFront keeps objects in edge caches for 24 hours by default.
    • Cache-Control or Expires headers can be added to objects to change the amount of time that CloudFront keeps objects in edge caches before it forwards another request to the origin.
    • Minimum duration is 3600 seconds (one hour). If you specify a lower value, CloudFront uses 3600 seconds.
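
A minimal sketch, assuming an S3 origin with a hypothetical bucket and key, of setting the Cache-Control max-age directive on an object at upload time so CloudFront keeps it in edge caches for a day before revalidating with the origin:

```python
import boto3

s3 = boto3.client("s3")

# Cache-Control max-age is stored with the object and returned to CloudFront,
# which then keeps the object in edge caches for 86400 seconds (1 day)
with open("site.css", "rb") as body:
    s3.put_object(
        Bucket="example-origin-bucket",   # hypothetical origin bucket
        Key="css/site.css",
        Body=body,
        ContentType="text/css",
        CacheControl="max-age=86400",
    )
```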

Restrict viewer access

Serving Private Content

  • To securely serve private content using CloudFront
    • Require that your users access your private content by using special CloudFront signed URLs or signed cookies with following restrictions
      • an end date and time, after which the URL is no longer valid
      • a date and time when the URL becomes valid
      • an IP address or range of addresses allowed to access the URLs
    • Require that your users access your Amazon S3 content only using CloudFront URLs, not Amazon S3 URLs. Requiring CloudFront URLs isn’t required, but recommended to prevent users from bypassing the restrictions that you specify in signed URLs or signed cookies.
  • Signed URLs or Signed Cookies can be used with CloudFront using an HTTP server as an origin; it requires the content to be publicly accessible, and care should be taken not to share the direct URL of the content
  • Restriction for Origin can be applied by
    • For S3, using Origin Access Identity to grant only CloudFront access using Bucket policies or Object ACL, to the content and removing any other access permissions
    • For HTTP server, custom header can be added by CloudFront which can be used at Origin to verify the request has come from CloudFront
  • Trusted Signer
    • To create signed URLs or signed cookies, at least one AWS account (trusted signer) is needed that has an active CloudFront key pair
    • As soon as an AWS account is added as trusted signer to the distribution, CloudFront starts to require that users use signed URLs or signed cookies to access the objects.
    • The private key from the trusted signer’s key pair is used to sign a portion of the URL or the cookie. When someone requests a restricted object, CloudFront compares the signed portion of the URL or cookie with the unsigned portion to verify that it hasn’t been tampered with. CloudFront also validates that the URL or cookie is valid, for e.g. that the expiration date and time hasn’t passed (a signing sketch using a canned policy follows this list).
    • Each trusted signer AWS account used to create CloudFront signed URLs or signed cookies must have its own active CloudFront key pair, which should be rotated frequently
    • A maximum of 5 trusted signers can be assigned for each cache behavior or RTMP distribution
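
A minimal sketch of generating a CloudFront signed URL with a canned policy using botocore's CloudFrontSigner; the key pair ID, key file path and URL below are hypothetical, and the third-party rsa package (or any RSA SHA-1 signer) is assumed to be available:

```python
import datetime
import rsa                                      # third-party package: pip install rsa
from botocore.signers import CloudFrontSigner

KEY_PAIR_ID = "APKAIEXAMPLE"                    # hypothetical CloudFront key pair ID

def rsa_signer(message: bytes) -> bytes:
    # Sign with the trusted signer's private key (SHA-1 with RSA, as CloudFront expects)
    with open("cf_private_key.pem", "rb") as f:
        private_key = rsa.PrivateKey.load_pkcs1(f.read())
    return rsa.sign(message, private_key, "SHA-1")

signer = CloudFrontSigner(KEY_PAIR_ID, rsa_signer)

# Canned policy: the URL stops working after the given date/time
signed_url = signer.generate_presigned_url(
    "https://d111111abcdef8.cloudfront.net/private/video.mp4",   # hypothetical restricted object
    date_less_than=datetime.datetime(2020, 1, 1),
)
print(signed_url)
```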

Signed URLs vs Signed Cookies

  • CloudFront signed URLs and signed cookies help to secure the content and provide control over who can access it
  • Use signed URLs in the following cases:
    • For RTMP distribution as Signed cookies aren’t supported for RTMP distributions.
    • to restrict access to individual files, for e.g., an installation download for your application.
    • users using a client for e.g. a custom HTTP client that doesn’t support cookies
  • Use signed cookies in the following cases:
    • provide access to multiple restricted files, for e.g., all of the video files in HLS format or all of the files in the subscribers’ area of a website.
    • don’t want to change your current URLs.

Canned Policy vs Custom Policy

  • A canned policy or a custom policy is a policy statement used by Signed URLs that helps define the restrictions, for e.g. expiration date and time (refer CloudFront Signed URLs - Canned vs Custom Policy)
  • CloudFront validates the expiration time at the start of the event.
  • If a user is downloading a large object and the URL expires, the download would still continue; the same applies for RTMP distributions.
  • However, if the user is using range GET requests, or skips to another position while streaming video, which triggers another request, the request would fail.

Serving Compressed Files

  • CloudFront can be configured to automatically compress files of certain types and serve the compressed files when viewer requests include Accept-Encoding: gzip in the request header (see the request sketch after the steps below)
  • With compressed content, downloads are faster because the files are smaller, and serving is less expensive because the cost of CloudFront data transfer is based on the total amount of data served
  • If serving from a custom origin, it can be used to
    • configure the origin to compress files with or without CloudFront compression.
    • compress file types that CloudFront doesn’t compress.
  • If the origin returns a compressed file, CloudFront detects compression by the Content-Encoding header value and doesn’t compress the file again.
  • CloudFront serves content using compression as below
    1. CloudFront distribution is created and configured to compress content.
    2. A viewer requests a compressed file by adding the Accept-Encoding: gzip header to the request.
    3. At the edge location, CloudFront checks the cache for a compressed version of the file that is referenced in the request.
    4. If the compressed file is already in the cache, CloudFront returns the file to the viewer and skips the remaining steps.
    5. If the compressed file is not in the cache, CloudFront forwards the request to the origin server (Amazon S3 bucket or a custom origin)
    6. Even if CloudFront has an uncompressed version of the file in the cache, it still forwards a request to the origin.
    7. Origin server returns an uncompressed version of the requested file
    8. CloudFront determines whether the file is compressible:
      1. file must be of a type that CloudFront compresses.
      2. file size must be between 1,000 and 10,000,000 bytes.
      3. response must include a Content-Length header for CloudFront to determine the size within valid compression limits. If the Content-Length header is missing, CloudFront won’t compress the file.
      4. value of the Content-Encoding header on the file must not be gzip, i.e. the origin must not have already compressed the file.
    9. If the file is compressible, CloudFront compresses it, returns the compressed file to the viewer, and adds it to the cache.
    10. The viewer uncompresses the file.
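
A small sketch (hypothetical distribution URL, using the requests library) of what step 2 looks like from the viewer side and how to confirm the file came back compressed:

```python
import requests

# CloudFront compresses only when the request carries Accept-Encoding: gzip
resp = requests.get(
    "https://d111111abcdef8.cloudfront.net/css/site.css",   # hypothetical URL
    headers={"Accept-Encoding": "gzip"},
)

# requests transparently decompresses the body, but the response headers still
# show whether CloudFront (or the origin) served a gzip-compressed copy
print(resp.headers.get("Content-Encoding"))   # "gzip" when compression was applied
print(resp.headers.get("Content-Length"))     # compressed size on the wire
```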

Distribution Details

Price Class

  • CloudFront has edge locations all over the world; the cost for each edge location varies and, as a result, the price charged by CloudFront for serving requests also varies
  • CloudFront edge locations are grouped into geographic regions, and regions have been grouped into price classes
    • Default Price Class – includes all the regions
    • Another price class includes most regions (the United States; Europe; Hong Kong, Korea, and Singapore; Japan; and India regions) but excludes the most-expensive regions
    • A third price class includes only the least-expensive regions (the United States and Europe regions)
  • Price class can be selected to lower the cost, but this comes at the expense of performance (higher latency), as CloudFront serves requests only from the edge locations in the selected price class
  • CloudFront may sometimes serve requests from a region not included within the price class; however, you would be charged the rate for the least-expensive region in your selected price class

Alternate Domain Names (CNAMEs)

  • CloudFront by default assigns a domain name for the distribution for e.g. d111111abcdef8.cloudfront.net
  • An alternate domain name, also known as a CNAME, lets you use your own custom domain name in links to objects
  • Both web and RTMP distributions support alternate domain names.
  • CloudFront supports * wildcard at the beginning of a domain name instead of specifying subdomains individually.
  • However, a wildcard cannot replace part of a subdomain name, for e.g. *domain.example.com, nor can it replace a subdomain in the middle of a domain name, for e.g. subdomain.*.example.com.

Geo Restriction (Geoblocking)

  • Geo restriction can help prevent users in selected countries from accessing the content
  • CloudFront distribution can be configured either to allow users in a whitelist of specified countries to access the content or to not allow users in a blacklist of specified countries to access the content (see the configuration sketch after this list)
  • Geo restriction can be used to restrict access to all of the files that are
    associated with a distribution and to restrict access at the country level
  • Use a third-party geolocation service, if access is to be restricted to a subset of the files that are associated with a distribution or to restrict access at a finer granularity than the country level
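
A minimal sketch (boto3, hypothetical distribution ID and country codes) of enabling geo restriction with a blacklist on an existing distribution:

```python
import boto3

cf = boto3.client("cloudfront")
dist_id = "EDFDVBD6EXAMPLE"  # hypothetical distribution ID

resp = cf.get_distribution_config(Id=dist_id)
config, etag = resp["DistributionConfig"], resp["ETag"]

# Block viewers whose requests originate from the listed countries;
# use "whitelist" instead to allow only the listed countries
config["Restrictions"] = {
    "GeoRestriction": {
        "RestrictionType": "blacklist",
        "Quantity": 2,
        "Items": ["CN", "RU"],          # ISO 3166-1 alpha-2 country codes (hypothetical choice)
    }
}

cf.update_distribution(Id=dist_id, DistributionConfig=config, IfMatch=etag)
```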

CloudFront with Amazon S3

  • CloudFront can be used to distribute the content from Amazon S3 bucket
  • For an RTMP distribution, Amazon S3 bucket is the only supported origin and custom origins cannot be used
  • Using CloudFront over S3 has the following benefits
    • can be more cost effective if the objects are frequently accessed because, at higher usage, the price for CloudFront data transfer is much lower than the price for Amazon S3 data transfer
    • downloads are faster with CloudFront than with Amazon S3 alone because the objects are stored closer to the users
  • When using Amazon S3 as the origin for a CloudFront distribution and the bucket is moved to a different region, CloudFront can take up to an hour to update its records to include the change of region when both of the following are true:
    • CloudFront Origin Access Identity (OAI) is used to restrict access to the bucket
    • Bucket is moved to an Amazon S3 region that requires Signature Version 4 for authentication

Origin Access Identity

  • When using CloudFront with S3, the objects in S3 must be granted public read permissions and hence the objects are accessible from both S3 as well as CloudFront
  • Even though CloudFront does not expose the underlying S3 URL, it can be known to the user if shared directly or used by applications
  • For using CloudFront signed URLs or signed cookies to provide access to the objects, it would be necessary to prevent users from having direct access to the S3 objects
  • Users accessing S3 objects directly would
    • bypass the controls provided by CloudFront signed URLs or signed cookies, for e.g., control over the date and time that a user can no longer access the content and over which IP addresses can be used to access content.
    • make CloudFront access logs less useful because they’re incomplete.
  • Origin Access Identity can be used to prevent users from directly accessing objects from Amazon S3
  • Origin access identity, which is a special CloudFront user, can be created and associated with the distribution.
  • S3 bucket/object permissions need to be configured to provide access only to the Origin Access Identity (see the bucket policy sketch after this list)
  • When users access the object from CloudFront, it uses the OAI to fetch the content on the user’s behalf, while direct access to the S3 objects is restricted
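
A minimal sketch (hypothetical bucket name and OAI ID) of an S3 bucket policy that grants read access only to the Origin Access Identity, so objects are reachable through CloudFront but not directly from S3:

```python
import json
import boto3

s3 = boto3.client("s3")

BUCKET = "example-private-content"   # hypothetical origin bucket
OAI_ID = "E2QWRUHAPOMQZL"            # hypothetical Origin Access Identity ID

policy = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudFrontOAIReadOnly",
        "Effect": "Allow",
        "Principal": {
            "AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {OAI_ID}"
        },
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# With this as the only grant (and no public-read ACLs), direct S3 URLs return AccessDenied
s3.put_bucket_policy(Bucket=BUCKET, Policy=json.dumps(policy))
```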

Working with Objects

  • CloudFront can be configured to include custom headers whenever it forwards a request to your origin, which can be used to
    • verify that the user is not accessing the origin directly, bypassing the CDN
    • identify the CDN from which the request was forwarded, if more than one CloudFront distribution is configured to use the same origin
    • if users use viewers that don’t support CORS, configure CloudFront to forward the Origin header to your origin. That will cause the origin to return the Access-Control-Allow-Origin header for every request

Adding & Updating Objects

  • Objects just need to be added to the Origin and CloudFront would start distributing them when accessed
  • Objects served by CloudFront from the Origin can be updated either by
    • Overwriting the Original object
    • Creating a different version and updating the links exposed to the user
  • For updating objects, it’s recommended to use versioning, for e.g. have files or entire folders with versions, so that the links can be changed when the objects are updated
  • With versioning,
    • there is no need to wait for an object to expire before CloudFront begins to serve a new version of it
    • there is no difference in consistency in the object served from the edge
    • there is no cost to pay for object invalidation.

Removing/Invalidating Objects

  • Objects can be removed from the edge cache before it expires
    • Invalidate the object from edge caches. For the next request, CloudFront returns to the Origin to fetch the object
    • Use object versioning to serve a different version of the object that has a different name
  • Objects would be removed upon expiry and the latest object would be fetched from the Origin
  • For Web distributions,
    • If your objects need to be updated frequently, versioning of objects is recommended over invalidating objects, as versioning
      • enables to control which object a request returns even when the user has a version cached either locally or behind a corporate caching proxy. If an object is invalidated, the user might continue to see the old version until it expires from those caches.
      • makes it easier to analyze the results of object changes as CloudFront access logs include the names of the objects
      • provides a way to serve different versions to different users.
      • simplifies rolling forward & back between object revisions.
      • is less expensive, as you don’t pay for invalidating objects.
    • Invalidating objects can be used
      • to invalidate multiple objects for e.g. objects in a directory or all of the objects whose names begin with the same characters, you can include the * wildcard at the end of the invalidation path.
      • invalidate selected objects
    • The first 1,000 invalidation paths submitted per month are free; beyond that allotment, a fee is charged for each submitted invalidation path (see the invalidation sketch after this list)
    • An invalidation path can be for a single object, for e.g. /images/logo.jpg, or for multiple objects, for e.g. /images/*, and is counted as a single path even if the * wildcard request invalidates thousands of objects
  • For RTMP distribution, objects served cannot be invalidated
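
A minimal sketch (boto3, hypothetical distribution ID) of submitting an invalidation for a single object and a wildcard path; each listed path counts as one invalidation path against the monthly free allotment:

```python
import time
import boto3

cf = boto3.client("cloudfront")

resp = cf.create_invalidation(
    DistributionId="EDFDVBD6EXAMPLE",   # hypothetical distribution ID
    InvalidationBatch={
        "Paths": {
            "Quantity": 2,
            "Items": ["/images/logo.jpg", "/images/*"],  # single object + wildcard path
        },
        # Any unique string; CloudFront uses it to make the request idempotent
        "CallerReference": str(time.time()),
    },
)

print(resp["Invalidation"]["Status"])   # "InProgress" until the edge caches are cleared
```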

Partial Requests (Range GETs)

  • Partial requests using Range headers in a GET request helps to download the object in smaller units, improving the efficiency of partial downloads and the recovery from partially failed transfers.
  • For a partial GET range request, CloudFront
    • checks the cache in the edge location for the requested range or the entire object and, if it exists, serves it immediately
    • if the requested range does not exist, CloudFront forwards the request to the origin and may request a larger range than the client requested to optimize performance
      • if the origin supports the range header, it returns the requested object range and CloudFront returns the same to the viewer
      • if the origin does not support the range header, it returns the complete object; CloudFront serves the entire object, caches it for the future, and uses the cached entire object to serve any future range GET requests

Access Logs

  • CloudFront can be configured to create log files that contain detailed information about every user request that CloudFront receives.
  • Access logs are available for both web and RTMP distributions.
  • With logging enabled, an Amazon S3 bucket can be specified where CloudFront would save the files

Sample Exam Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. Your company Is moving towards tracking web page users with a small tracking Image loaded on each page Currently you are serving this image out of US-East, but are starting to get concerned about the time It takes to load the image for users on the west coast. What are the two best ways to speed up serving this image? Choose 2 answers
    1. Use Route 53’s Latency Based Routing and serve the image out of US-West-2 as well as US-East-1
    2. Serve the image out through CloudFront
    3. Serve the image out of S3 so that it isn’t being served oft of your web application tier
    4. Use EBS PIOPs to serve the image faster out of your EC2 instances
  2. You deployed your company website using Elastic Beanstalk and you enabled log file rotation to S3. An Elastic Map Reduce job is periodically analyzing the logs on S3 to build a usage dashboard that you share with your CIO. You recently improved overall performance of the website using Cloud Front for dynamic content delivery and your website as the origin. After this architectural change, the usage dashboard shows that the traffic on your website dropped by an order of magnitude. How do you fix your usage dashboard’?
    1. Enable CloudFront to deliver access logs to S3 and use them as input of the Elastic Map Reduce job
    2. Turn on Cloud Trail and use trail log tiles on S3 as input of the Elastic Map Reduce job
    3. Change your log collection process to use Cloud Watch ELB metrics as input of the Elastic Map Reduce job
    4. Use Elastic Beanstalk “Rebuild Environment” option to update log delivery to the Elastic Map Reduce job.
    5. Use Elastic Beanstalk ‘Restart App server(s)” option to update log delivery to the Elastic Map Reduce job.
  3. An AWS customer runs a public blogging website. The site users upload two million blog entries a month. The average blog entry size is 200 KB. The access rate to blog entries drops to negligible 6 months after publication and users rarely access a blog entry 1 year after publication. Additionally, blog entries have a high update rate during the first 3 months following publication; this drops to no updates after 6 months. The customer wants to use CloudFront to improve his user’s load times. Which of the following recommendations would you make to the customer?
    1. Duplicate entries into two different buckets and create two separate CloudFront distributions where S3 access is restricted only to Cloud Front identity
    2. Create a CloudFront distribution with “US & Europe” price class for US/Europe users and a different CloudFront distribution with All Edge Locations for the remaining users.
    3. Create a CloudFront distribution with S3 access restricted only to the CloudFront identity and partition the blog entry’s location in S3 according to the month it was uploaded to be used with CloudFront behaviors
    4. Create a CloudFront distribution with Restrict Viewer Access Forward Query string set to true and minimum TTL of 0.
  4. Your company has on-premises multi-tier PHP web application, which recently experienced downtime due to a large burst in web traffic due to a company announcement. Over the coming days, you are expecting similar announcements to drive similar unpredictable bursts, and are looking to find ways to quickly improve your infrastructures ability to handle unexpected increases in traffic. The application currently consists of 2 tiers a web tier, which consists of a load balancer, and several Linux Apache web servers as well as a database tier which hosts a Linux server hosting a MySQL database. Which scenario below will provide full site functionality, while helping to improve the ability of your application in the short timeframe required?
    1. Offload traffic from on-premises environment Setup a CloudFront distribution and configure CloudFront to cache objects from a custom origin Choose to customize your object cache behavior, and select a TTL that objects should exist in cache.
    2. Migrate to AWS Use VM Import/Export to quickly convert an on-premises web server to an AMI create an Auto Scaling group, which uses the imported AMI to scale the web tier based on incoming traffic Create an RDS read replica and setup replication between the RDS instance and on-premises MySQL server to migrate the database.
    3. Failover environment: Create an S3 bucket and configure it tor website hosting Migrate your DNS to Route53 using zone (lie import and leverage Route53 DNS failover to failover to the S3 hosted website.
    4. Hybrid environment Create an AMI which can be used of launch web serfers in EC2 Create an Auto Scaling group which uses the * AMI to scale the web tier based on incoming traffic Leverage Elastic Load Balancing to balance traffic between on-premises web servers and those hosted in AWS.
  5. You are building a system to distribute confidential training videos to employees. Using CloudFront, what method could be used to serve content that is stored in S3, but not publically accessible from S3 directly?
    1. Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.
    2. Add the CloudFront account security group “amazon-cf/amazon-cf-sg” to the appropriate S3 bucket policy.
    3. Create an Identity and Access Management (IAM) User for CloudFront and grant access to the objects in your S3 bucket to that IAM User.
    4. Create a S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).

References

 

AWS CloudTrail Overview

CloudTrail Overview

  • AWS CloudTrail helps to get a history of AWS API calls and related events for the AWS account.
  • CloudTrail tracking includes calls made by using the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services.
  • CloudTrail helps to identify which users and accounts called AWS for services that support CloudTrail, the source IP address the calls were made from, and when the calls occurred.

How CloudTrail Works

CloudTrail Architecture

  • AWS CloudTrail captures AWS API calls and related events made by or on behalf of an AWS account and delivers log files to a specified S3 bucket.
  • Log files contain API calls from all of the account’s services that support CloudTrail.
  • Log files from all the regions can be delivered to a single S3 bucket and are encrypted, by default, using Amazon S3 server-side encryption (SSE)
  • CloudTrail typically delivers log files within 15 minutes of an API call and publishes new log files multiple times an hour, usually about every 5 mins.
  • CloudTrail can be configured, optionally, to deliver events to a log group to be monitored by CloudWatch Logs.
  • Amazon SNS notifications can be configured to be sent each time a log file is delivered to your bucket.
  • A trail, which is a configuration, needs to be created that enables logging of the AWS API activity and related events in your account.
  • Trail can be created with the CloudTrail console, the AWS CLI, or the CloudTrail API.
  • A trail can be applied to all regions or a single region
    • A trail that applies to all regions
      • When a trail is created that applies to all regions, CloudTrail creates the same trail in each region, records the log files in each region, and delivers the log files to the specified single S3 bucket (and optionally to the CloudWatch Logs log group)
      • Default setting when a trail is created using the CloudTrail console
      • A single SNS topic for notifications and CloudWatch Logs log group for events would suffice for all regions
      • Advantages
        • configuration settings for the trail apply consistently across all regions
        • manage trail configuration for all regions from one location.
        • immediately receive events from a new region
        • receive log files from all regions in a single S3 bucket and optionally in a CloudWatch Logs log group.
        • create trails in regions not used often to monitor for unusual activity
    • A trail that applies to one region
      • An S3 bucket can be specified that receives events only from that region; the bucket can be in any region that you specify.
      • If additional individual trails are created that apply to specific regions, those trails can deliver event logs to a single S3 bucket.
  • ‘Turning on a trail’ means creating a trail and starting logging (see the sketch after this list)
  • CloudTrail supports five trails per region. A trail that applies to all regions counts as one trail in every region
  • As a best practice, a trail can be created that applies to all regions in the AWS partition, for e.g. aws for all standard AWS regions or aws-cn for China
  • IAM can be used to control which AWS users can create, configure, or delete trails, start and stop logging, and access the buckets that contain log information.
  • Log file integrity validation can be enabled to verify that log files have
    remained unchanged since CloudTrail delivered them.
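
A minimal sketch (boto3, hypothetical trail and bucket names; the bucket policy must already allow CloudTrail to write to it) of creating and turning on a trail that applies to all regions, with log file validation enabled:

```python
import boto3

ct = boto3.client("cloudtrail")

ct.create_trail(
    Name="org-audit-trail",                # hypothetical trail name
    S3BucketName="my-cloudtrail-logs",     # hypothetical bucket; policy must grant CloudTrail write access
    IsMultiRegionTrail=True,               # same trail created in every region, logging to this one bucket
    IncludeGlobalServiceEvents=True,       # capture IAM, STS, CloudFront events as well
    EnableLogFileValidation=True,          # hourly digest files for integrity validation
)

# "Turning on" the trail: start recording API activity
ct.start_logging(Name="org-audit-trail")
```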

Global Services Option

  • For most services, events are sent to the region where the action happened.
  • For global services such as IAM, AWS STS, and Amazon CloudFront, events are delivered to any trail that has the Include global services option enabled.
  • AWS OpsWorks and Amazon Route 53 actions are logged in the US East (N. Virginia) region.
  • To avoid receiving duplicate global service events, remember
    • Global service events are always delivered to trails that have the Apply trail to all regions option enabled.
    • Events are delivered from a single region to the bucket for the trail. This setting cannot be changed.
    • If you have a single region trail, you should enable the Include global services option.
    • If you have multiple single region trails, you should enable the Include global services option in only one of the trails.
  • If you have a trail with the Apply trail to all regions option enabled and also have multiple single region trails, you do not need to enable the Include global services option for the single region trails; global service events are already delivered for the trail that applies to all regions.

Validating CloudTrail Log File Integrity

  • Validated log files are invaluable in security and forensic investigations
  • CloudTrail log file integrity validation can be used to check whether a log file was modified, deleted, or unchanged after CloudTrail delivered it
  • Validation feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing which makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection
  • When log file integrity validation is enabled:-
    • CloudTrail creates a hash for every log file that it delivers.
    • Every hour, CloudTrail also creates and delivers a digest file that references the log files for the last hour and contains a hash of each.
    • CloudTrail signs each digest file using the private key of a public and private key pair.
    • After delivery, the public key can be used to validate the digest file.
    • CloudTrail uses different key pairs for each AWS region.
    • Digest files are delivered to the same Amazon S3 bucket associated with the trail as the log files, but to a separate folder
    • Separation of digest files and log files enables enforcement of granular security policies and permits existing log processing solutions to continue to operate without modification.
    • Each digest file also contains the digital signature of the previous digest file if one exists.
    • Signature for the current digest file is in the metadata properties of the digest file Amazon S3 object.
    • Log files and digest files can be stored in Amazon S3 or Amazon Glacier securely, durably and inexpensively for an indefinite period of time.
    • To enhance the security of the digest files stored in Amazon S3, Amazon S3 MFA Delete can be enabled

CloudTrail Enabled Use Cases

  • Track changes to AWS resources
    • Can be used to track creation, modification or deletion of AWS resources
  • Compliance Aid
    • easier to demonstrate compliance with internal policy and regulatory standards
  • Troubleshooting Operational Issues
    • identify the recent changes or actions to troubleshoot any issues
  • Security Analysis
    • use log files as inputs to log analysis tools to perform security analysis and to detect user behavior patterns

Sample Exam Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. You currently operate a web application In the AWS US-East region. The application runs on an auto-scaled layer of EC2 instances and an RDS Multi-AZ database. Your IT security compliance officer has tasked you to develop a reliable and durable logging solution to track changes made to your EC2, IAM and RDS resources. The solution must ensure the integrity and confidentiality of your log data. Which of these solutions would you recommend?
    1. Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected. Use IAM roles, S3 bucket policies and Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs. (Single New bucket with global services option for IAM and MFA delete for confidentiality)
    2. Create a new CloudTrail with one new S3 bucket to store the logs. Configure SNS to send log file delivery notifications to your management system. Use IAM roles and S3 bucket policies on the S3 bucket that stores your logs. (Missing Global Services for IAM)
    3. Create a new CloudTrail trail with an existing S3 bucket to store the logs and with the global services option selected Use S3 ACLs and Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs. (Existing bucket prevents confidentiality)
    4. Create three new CloudTrail trails with three new S3 buckets to store the logs one for the AWS Management console, one for AWS SDKs and one for command line tools. Use IAM roles and S3 bucket policies on the S3 buckets that store your logs (3 buckets not needed, Missing Global services options)
  2. Which of the following are true regarding AWS CloudTrail? Choose 3 answers
    1. CloudTrail is enabled globally (it can be enabled for all regions and also per region basis)
    2. CloudTrail is enabled by default (is not enabled by default)
    3. CloudTrail is enabled on a per-region basis (it can be enabled for all regions and also per region basis)
    4. CloudTrail is enabled on a per-service basis (once enabled it is applicable for all the supported services, service can’t be selected)
    5. Logs can be delivered to a single Amazon S3 bucket for aggregation
    6. CloudTrail is enabled for all available services within a region. (is enabled only for CloudTrail supported services)
    7. Logs can only be processed and delivered to the region in which they are generated. (can be logged to a bucket in any region)
  3. An organization has configured the custom metric upload with CloudWatch. The organization has given permission to its employees to upload data using CLI as well SDK. How can the user track the calls made to CloudWatch?
    1. The user can enable logging with CloudWatch which logs all the activities
    2. Use CloudTrail to monitor the API calls
    3. Create an IAM user and allow each user to log the data using the S3 bucket
    4. Enable detailed monitoring with CloudWatch
  4. A user is trying to understand the CloudWatch metrics for the AWS services. It is required that the user should first understand the namespace for the AWS services. Which of the below mentioned is not a valid namespace for the AWS services?
    1. AWS/StorageGateway
    2. AWS/CloudTrail (CloudWatch supported namespaces)
    3. AWS/ElastiCache
    4. AWS/SWF

References

AWS CloudTrail User Guide

 

AWS Resource Tags

Tags

  • Tags are words or phrases or labels that act as metadata for organizing your AWS resources
  • Tagging allows you to assign your own metadata to each resource in the form of tags.
  • Tags don’t have any semantic meaning to the resources they are assigned to and are interpreted strictly as a string of characters
  • Tags can
    • help managing AWS resources & services for e.g. instances, images, security groups etc.
    • enable you to categorize AWS resources in different ways, for e.g., by purpose, owner (Developer, Finance etc), or environment (DEV, TEST, PROD etc).
    • enable you to search and filter the resources based on the tags defined.
    • be used as a mechanism to organize your resource costs on your cost allocation report.
  • Tags are not automatically assigned to your resources.
  • Tags can be defined using the
    • AWS Management Console,
    • AWS CLI
    • Amazon API.
  • Tags can be assigned only to resources that already exist and cannot be assigned when you create a resource; for e.g., when you use the run-instances AWS CLI command (see the tagging sketch after this list)
  • However, when using the AWS Management Console, some resource creation screens enable you to specify tags, which are applied immediately after the resource is created.
  • Each tag consists of a key and value
    • key and an optional value, both of which you define.
    • if you define a new tag that has the same key as an existing tag on that resource, the new value overwrites the old value.
    • keys and values can be edited, removed from a resource at any time.
    • value can be defined as an empty string, but can’t be set to null.
  • IAM allows you to control which users in your AWS account have permission to create, edit, or delete tags.
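
A minimal sketch (boto3, hypothetical AMI ID and tag values) of the pattern described above: launch the instance first, then attach tags with a separate create-tags call once the resource exists:

```python
import boto3

ec2 = boto3.client("ec2")

# 1. Create the resource
reservation = ec2.run_instances(
    ImageId="ami-0abcdef1234567890",   # hypothetical AMI ID
    InstanceType="t2.micro",
    MinCount=1,
    MaxCount=1,
)
instance_id = reservation["Instances"][0]["InstanceId"]

# 2. Tag it afterwards; each tag is a key with an optional value
ec2.create_tags(
    Resources=[instance_id],
    Tags=[
        {"Key": "Environment", "Value": "DEV"},
        {"Key": "CostCenter", "Value": "HR"},
    ],
)
```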

Tag Restrictions

  • Maximum number of tags per resource—10
  • Maximum key length—127 Unicode characters in UTF-8
  • Maximum value length—255 Unicode characters in UTF-8
  • Tag keys and values are case sensitive.
  • Do not use the aws: prefix in your tag names or values because it is reserved for AWS use. Tags with this prefix can’t be edited or deleted, and they do not count against your tags per resource limit.
  • Tags allowed characters are: letters, spaces, and numbers representable in UTF-8, plus the following special characters: + – = . _ : / @.

EC2 resources tags

  • For EC2 resources, you can’t terminate, stop, or delete a resource based solely on its tags; you must specify the resource identifier.
  • You can tag public or shared resources, but the tags you assign are available only to your AWS account and not to the other accounts sharing the resource.
  • Not all resources can be tagged, and some can be tagged only using API actions or the command line (refer EC2 Tag Supported Services)
  • Resources with tagging restrictions of None can be tagged with API actions, the CLI, and the console.

Cost Allocation tags

  • AWS uses tags as a mechanism to organize your resource costs on your cost allocation report.
  • Cost allocation tags can be used to categorize and track your AWS costs.
  • When tags are applied to AWS resources such as Amazon EC2 instances or Amazon S3 buckets and activated in the billing console, AWS generates a cost allocation report (as a CSV file) with the usage and costs aggregated by active tags.
  • Tags can be applied so that they represent business categories (such as cost centers, application names, or owners) to organize costs across multiple services.
  • Cost allocation report includes all of the AWS costs for each billing period and includes both tagged and untagged resources
  • Tags can also be used to filter views in Cost Explorer

Access Control Tags

Sample Exam Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. Fill in the blanks: _________ let you categorize your EC2 resources in different ways, for example, by purpose, owner, or environment.
    1. Wildcards
    2. Pointers
    3. Tags
    4. Special filters
  2. Please select the Amazon EC2 resource, which can be tagged.
    1. Key pairs
    2. Elastic IP addresses
    3. Placement groups
    4. Amazon EBS snapshots
  3. Can the string value of ‘Key’ be prefixed with aws:?
    1. No
    2. Only for EC2 not S3
    3. Yes
    4. Only for S3 not EC
  4. What is the maximum key length of a tag?
    1. 512 Unicode characters
    2. 64 Unicode characters
    3. 256 Unicode characters
    4. 128 Unicode characters
  5. An organization has launched 5 instances: 2 for production and 3 for testing. The organization wants that one particular group of IAM users should only access the test instances and not the production ones. How can the organization set that as a part of the policy?
    1. Launch the test and production instances in separate regions and allow region wise access to the group
    2. Define the IAM policy which allows access based on the instance ID
    3. Create an IAM policy with a condition which allows access to only small instances
    4. Define the tags on the test and production servers and add a condition to the IAM policy which allows access to specific tags
  6. A user has launched multiple EC2 instances for the purpose of development and testing in the same region. The user wants to find the separate cost for the production and development instances. How can the user find the cost distribution?
    1. The user should download the activity report of the EC2 services as it has the instance ID wise data
    2. It is not possible to get the AWS cost usage data of single region instances separately
    3. User should use Cost Distribution Metadata and AWS detailed billing
    4. User should use Cost Allocation Tags and AWS billing reports
  7. An organization is using cost allocation tags to find the cost distribution of different departments and projects. One of the instances has two separate tags with the key/ value as “InstanceName/HR”, “CostCenter/HR”. What will AWS do in this case?
    1. InstanceName is a reserved tag for AWS. Thus, AWS will not allow this tag
    2. AWS will not allow the tags as the value is the same for different keys
    3. AWS will allow tags but will not show correctly in the cost allocation report due to the same value of the two separate keys
    4. AWS will allow both the tags and show properly in the cost distribution report
  8. A user is launching an instance. He is on the “Tag the instance” screen. Which of the below mentioned information will not help the user understand the functionality of an AWS tag?
    1. Each tag will have a key and value
    2. The user can apply tags to the S3 bucket
    3. The maximum value of the tag key length is 64 unicode characters
    4. AWS tags are used to find the cost distribution of various resources
  9. Your system recently experienced down time during the troubleshooting process. You found that a new administrator mistakenly terminated several production EC2 instances. Which of the following strategies will help prevent a similar situation in the future? The administrator still must be able to:- launch, start stop, and terminate development resources. – launch and start production instances.
    1. Create an IAM user, which is not allowed to terminate instances by leveraging production EC2 termination protection. (EC2 termination protection is enabled on EC2 instance)
    2. Leverage resource based tagging along with an IAM user, which can prevent specific users from terminating production EC2 resources.
    3. Leverage EC2 termination protection and multi-factor authentication, which together require users to authenticate before terminating EC2 instances. (Does not prevent user from terminating instance)
    4. Create an IAM user and apply an IAM role, which prevents users from terminating production EC2 instances. (Role is not applied to User but assumed by the User)

 

AWS Route 53 Routing Policy

  • AWS Route 53 allows you to define a routing policy when a record set is created
  • Routing policy determines how AWS responds to the DNS queries

Routing Policy Options

Simple Routing Policy

  • Simple routing policy can be applied when there is a single resource doing the function for your domain for e.g. web server that serves content for the website
  • AWS Route 53 responds to the DNS queries based on the values in the resource record set for e.g. ip address in an A record

Weighted Routing Policy

  • Weighted routing policy enables Amazon Route 53 to route traffic to different resources in proportions as specified for e.g., 25% one server and 75% to the other during a pilot release
  • Weighted routing policy can be applied when there are multiple resources that perform the same function for e.g., web servers that serve the same website
  • Weighted resource record sets let you associate multiple resources with a single DNS name
  • Common use cases include
    • load balancing
    • testing and piloting new versions of software
  • To create a group of weighted resource record sets, two or more resource record sets can be created that have the same combination of DNS name and type, and each resource record set is assigned a unique identifier and a relative weight (see the sketch after this list).
  • When processing a DNS query, Amazon Route 53 searches for a resource record set or a group of resource record sets that have the specified name and type.
  • For weighted resource record sets, Amazon Route 53 selects one from the group. The probability of any one resource record set being selected depends on its weight as a proportion of the total weight for all resource record sets in the group.
  • for e.g., suppose you create three resource record sets for www.example.com. The three A records have weights of 1 (20%), 1 (20%), and 3 (60%)(sum = 5). On average, Amazon Route 53 selects each of the first two resource record sets one-fifth of the time, and returns the third resource record set three-fifths of the time.
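
A minimal sketch (boto3, hypothetical hosted zone ID and IP addresses) of a weighted group: two record sets share the same name and type, each with its own SetIdentifier and weight, so roughly 25% of responses point at the pilot server:

```python
import boto3

r53 = boto3.client("route53")
ZONE_ID = "Z1D633PJN98FT9"   # hypothetical hosted zone ID

changes = []
for identifier, ip, weight in [("stable", "192.0.2.10", 3), ("pilot", "192.0.2.20", 1)]:
    changes.append({
        "Action": "UPSERT",
        "ResourceRecordSet": {
            "Name": "www.example.com",
            "Type": "A",
            "SetIdentifier": identifier,   # must be unique within the weighted group
            "Weight": weight,              # 3:1 split => ~75% / ~25% of responses
            "TTL": 60,
            "ResourceRecords": [{"Value": ip}],
        },
    })

r53.change_resource_record_sets(HostedZoneId=ZONE_ID, ChangeBatch={"Changes": changes})
```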

Latency Routing Policy

  • Latency routing policy enables Amazon Route 53 to respond to the DNS query based on which data center gives the user the lowest network latency.
  • Latency routing policy can be applied when there are multiple resources that perform the same function, for e.g. web servers that serve the same website, and Amazon Route 53 needs to be configured to respond to DNS queries with the resources that provide the fastest response (lowest latency).
  • Latency resource record set can be created for the Amazon EC2 resource in each region that hosts your application. When Amazon Route 53 receives a query for the corresponding domain, it selects the latency resource record set for the Amazon EC2 region that gives the user the
    lowest latency. Amazon Route 53 then responds with the value associated with that resource record set.
  • for e.g., you might have web servers for example.com in the Amazon EC2 data centers in Ireland and in Tokyo. When a user browses to example.com from Singapore, Amazon Route 53 will pick up the data center (Tokyo) which has the lowest latency from the users location
  • Latency between hosts on the Internet can change over time as a result of changes in network connectivity and routing. Latency-based routing is based on latency measurements performed over a period of time, and the measurements reflect these changes for e.g. if the latency from the user in Singapore to Ireland improves, the user can be routed to Ireland
  • Latency resource record sets can be created using any record type that Amazon Route 53 supports except NS or SOA

Failover Routing Policy (Public Hosted Zones Only)

  • Failover routing policy allows active-passive failover configuration, in which one resource takes all traffic when it’s available and the other resource takes all traffic when the first resource isn’t available.

Geolocation Routing Policy

  • Geolocation routing policy enables Amazon Route 53 to respond to DNS queries based on the geographic location of the users i.e. location from which the DNS queries originate
  • Common use cases include
    • localization of content and presenting some or all of the website in the users language
    • restrict distribution of content to only the locations in which you have distribution rights.
    • balancing load across endpoints in a predictable, easy-to-manage way, so that each user location is consistently routed to the same endpoint.
  • Geolocation routing policy allows geographic locations to be specified by continent, country, or by state (only in US)
  • If geolocation record sets are created for overlapping geographic regions, for e.g. a continent and a country within that continent, priority goes to the smallest geographic region, which allows some queries for a continent to be routed to one resource and queries for selected countries on that continent to a different resource
  • Geolocation works by mapping IP addresses to locations; however, some IP addresses might not be mapped to any geographic location.
  • A default resource record set can be created to handle queries from those unmapped locations, as well as queries from locations that do not have an explicit record set created (see the sketch after this list)
  • Amazon Route 53 returns a “no answer” response for queries from those locations if a default resource record set is not created
  • Two geolocation resource record sets that specify the same geographic location cannot be created
  • Amazon Route 53 supports the edns-client-subnet extension of EDNS0(EDNS0 adds several optional extensions to the DNS protocol.) to improve the accuracy of geolocation routing
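
A minimal sketch (boto3, hypothetical hosted zone ID and IP addresses) of geolocation record sets: one record for viewers resolved to Europe and a default record (CountryCode "*") for locations that don't match or can't be mapped:

```python
import boto3

r53 = boto3.client("route53")
ZONE_ID = "Z1D633PJN98FT9"   # hypothetical hosted zone ID

record_sets = [
    ("europe",  {"ContinentCode": "EU"}, "192.0.2.30"),   # viewers resolved to Europe
    ("default", {"CountryCode": "*"},    "192.0.2.10"),   # everyone else / unmapped locations
]

changes = [{
    "Action": "UPSERT",
    "ResourceRecordSet": {
        "Name": "www.example.com",
        "Type": "A",
        "SetIdentifier": set_id,
        "GeoLocation": geo,
        "TTL": 60,
        "ResourceRecords": [{"Value": ip}],
    },
} for set_id, geo, ip in record_sets]

r53.change_resource_record_sets(HostedZoneId=ZONE_ID, ChangeBatch={"Changes": changes})
```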

Sample Exam Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. You have deployed a web application targeting a global audience across multiple AWS Regions under the domain name.example.com. You decide to use Route53 Latency-Based Routing to serve web requests to users from the region closest to the user. To provide business continuity in the event of server downtime you configure weighted record sets associated with two web servers in separate Availability Zones per region. During a DR test you notice that when you disable all web servers in one of the regions Route53 does not automatically direct all users to the other region. What could be happening? (Choose 2 answers)
    1. Latency resource record sets cannot be used in combination with weighted resource record sets.
    2. You did not setup an http health check for one or more of the weighted resource record sets associated with me disabled web servers
    3. The value of the weight associated with the latency alias resource record set in the region with the disabled servers is higher than the weight for the other region.
    4. One of the two working web servers in the other region did not pass its HTTP health check
    5. You did not set “Evaluate Target Health” to “Yes” on the latency alias resource record set associated with example com in the region where you disabled the servers.
  2. The compliance department within your multi-national organization requires that all data for your customers that reside in the European Union (EU) must not leave the EU and also data for customers that reside in the US must not leave the US without explicit authorization. What must you do to comply with this requirement for a web based profile management application running on EC2?
    1. Run EC2 instances in multiple AWS Availability Zones in single Region and leverage an Elastic Load Balancer with session stickiness to route traffic to the appropriate zone to create their profile (should be in different regions)
    2. Run EC2 instances in multiple Regions and leverage Route 53’s Latency Based Routing capabilities to route traffic to the appropriate region to create their profile (Latency based routing policy would not guarantee the compliance requirement)
    3. Run EC2 instances in multiple Regions and leverage a third party data provider to determine if a user needs to be redirect to the appropriate region to create their profile
    4. Run EC2 instances in multiple AWS Availability Zones in a single Region and leverage a third party data provider to determine if a user needs to be redirect to the appropriate zone to create their profile (should be in different regions)
  3. A US-based company is expanding their web presence into Europe. The company wants to extend their AWS infrastructure from Northern Virginia (us-east-1) into the Dublin (eu-west-1) region. Which of the following options would enable an equivalent experience for users on both continents?
    1. Use a public-facing load balancer per region to load-balance web traffic, and enable HTTP health checks.
    2. Use a public-facing load balancer per region to load-balance web traffic, and enable sticky sessions.
    3. Use Amazon Route 53, and apply a geolocation routing policy to distribute traffic across both regions
    4. Use Amazon Route 53, and apply a weighted routing policy to distribute traffic across both regions.
  4. You have been asked to propose a multi-region deployment of a web-facing application where a controlled portion of your traffic is being processed by an alternate region. Which configuration would achieve that goal?
    1. Route53 record sets with weighted routing policy
    2. Route53 record sets with latency based routing policy
    3. Auto Scaling with scheduled scaling actions set
    4. Elastic Load Balancing with health checks enabled
  5. Your company Is moving towards tracking web page users with a small tracking Image loaded on each page Currently you are serving this image out of US-East, but are starting to get concerned about the time It takes to load the image for users on the west coast. What are the two best ways to speed up serving this image? Choose 2 answers
    1. Use Route 53’s Latency Based Routing and serve the image out of US-West-2 as well as US-East-1
    2. Serve the image out through CloudFront
    3. Serve the image out of S3 so that it isn’t being served oft of your web application tier
    4. Use EBS PIOPs to serve the image faster out of your EC2 instances

References

CloudWatch Monitoring Supported AWS Services

  • CloudWatch offers either basic or detailed monitoring for supported AWS services.
  • Basic monitoring means that a service sends data points to CloudWatch every five minutes.
  • Detailed monitoring means that a service sends data points to CloudWatch every minute.
  • If the AWS service supports both basic and detailed monitoring, basic monitoring is enabled by default, and detailed monitoring needs to be enabled explicitly to get detailed metrics
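
For a service such as EC2 where detailed monitoring is opt-in, a minimal sketch (boto3, hypothetical instance ID) of switching an instance from 5-minute to 1-minute metrics:

```python
import boto3

ec2 = boto3.client("ec2")

# Enable detailed (1-minute) CloudWatch metrics for the instance (additional charge applies)
ec2.monitor_instances(InstanceIds=["i-0abcd1234example"])

# To revert to basic (5-minute) monitoring:
# ec2.unmonitor_instances(InstanceIds=["i-0abcd1234example"])
```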

AWS Services with Monitoring support

  • Auto Scaling
    • Auto Scaling sends data to CloudWatch every 5 minutes by default.
    • For an additional charge, you can enable detailed monitoring for Auto Scaling, which sends data to CloudWatch every minute.
  • Amazon CloudFront
    • Amazon CloudFront sends data to CloudWatch every minute by default.
  • Amazon CloudSearch
    • Amazon CloudSearch sends data to CloudWatch every minute by default.
  • Amazon CloudWatch Events
    • Amazon CloudWatch Events sends data to CloudWatch every minute by default.
  • Amazon CloudWatch Logs
    • Amazon CloudWatch Logs sends data to CloudWatch every minute by default.
  • Amazon DynamoDB
    • Amazon DynamoDB sends data to CloudWatch every minute for some metrics and every 5 minutes for other metrics.
  • Amazon EC2 Container Service
    • Amazon EC2 Container Service sends data to CloudWatch every minute.
  • Amazon ElastiCache
    • Amazon ElastiCache sends data to CloudWatch every minute.
  • Amazon Elastic Block Store
    • Amazon Elastic Block Store sends data to CloudWatch every 5 minutes.
    • Provisioned IOPS SSD (io1) volumes automatically send one-minute metrics to CloudWatch.
  • Amazon Elastic Compute Cloud
    • Amazon EC2 sends data to CloudWatch every 5 minutes by default. For an additional charge, you can enable detailed monitoring for Amazon EC2, which sends data to CloudWatch every minute.
  • Elastic Load Balancing
    • Elastic Load Balancing sends data to CloudWatch every minute.
  • Amazon Elastic MapReduce
    • Amazon Elastic MapReduce sends data to CloudWatch every 5 minutes.
  • Amazon Elasticsearch Service
    • Amazon Elasticsearch Service sends data to CloudWatch every minute.
  • Amazon Kinesis Streams
    • Amazon Kinesis Streams sends data to CloudWatch every minute.
  • Amazon Kinesis Firehose
    • Amazon Kinesis Firehose sends data to CloudWatch every minute.
  • AWS Lambda
    • AWS Lambda sends data to CloudWatch every minute.
  • Amazon Machine Learning
    • Amazon Machine Learning sends data to CloudWatch every 5 minutes.
  • AWS OpsWorks
    • AWS OpsWorks sends data to CloudWatch every minute.
  • Amazon Redshift
    • Amazon Redshift sends data to CloudWatch every minute.
  • Amazon Relational Database Service
    • Amazon Relational Database Service sends data to CloudWatch every minute.
  • Amazon Route 53
    • Amazon Route 53 sends data to CloudWatch every minute.
  • Amazon Simple Notification Service
    • Amazon Simple Notification Service sends data to CloudWatch every 5 minutes.
  • Amazon Simple Queue Service
    • Amazon Simple Queue Service sends data to CloudWatch every 5 minutes.
  • Amazon Simple Storage Service
    • Amazon Simple Storage Service sends data to CloudWatch once a day.
  • Amazon Simple Workflow Service
    • Amazon Simple Workflow Service sends data to CloudWatch every 5 minutes.
  • AWS Storage Gateway
    • AWS Storage Gateway sends data to CloudWatch every 5 minutes.
  • AWS WAF
    • AWS WAF sends data to CloudWatch every minute.
  • Amazon WorkSpaces
    • Amazon WorkSpaces sends data to CloudWatch every 5 minutes.

Sample Exam Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. What is the minimum time Interval for the data that Amazon CloudWatch receives and aggregates?
    1. One second
    2. Five seconds
    3. One minute
    4. Three minutes
    5. Five minutes
  2. In the ‘Detailed’ monitoring data available for your Amazon EBS volumes, Provisioned IOPS volumes automatically send _____ minute metrics to Amazon CloudWatch.
    1. 3
    2. 1
    3. 5
    4. 2
  3. Using Amazon CloudWatch’s Free Tier, what is the frequency of metric updates which you receive?
    1. 5 minutes
    2. 500 milliseconds.
    3. 30 seconds
    4. 1 minute
  4. What is the type of monitoring data (for Amazon EBS volumes) which is available automatically in 5-minute periods at no charge called?
    1. Basic
    2. Primary
    3. Detailed
    4. Local
  5. A user has created an Auto Scaling group using CLI. The user wants to enable CloudWatch detailed monitoring for that group. How can the user configure this?
    1. When the user sets an alarm on the Auto Scaling group, it automatically enables detailed monitoring
    2. By default detailed monitoring is enabled for Auto Scaling
    3. Auto Scaling does not support detailed monitoring
    4. Enable detailed monitoring from the AWS console
  6. A user is trying to understand the detailed CloudWatch monitoring concept. Which of the below mentioned services provides detailed monitoring with CloudWatch without charging the user extra?
    1. AWS Auto Scaling
    2. AWS Route 53
    3. AWS EMR
    4. AWS SNS
  7. A user is trying to understand the detailed CloudWatch monitoring concept. Which of the below mentioned services does not provide detailed monitoring with CloudWatch?
    1. AWS EMR
    2. AWS RDS
    3. AWS ELB
    4. AWS Route53
  8. A user has enabled detailed CloudWatch monitoring with the AWS Simple Notification Service. Which of the below mentioned statements helps the user understand detailed monitoring better?
    1. SNS will send data every minute after configuration
    2. There is no need to enable since SNS provides data every minute
    3. AWS CloudWatch does not support monitoring for SNS
    4. SNS cannot provide data every minute
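Questions 1 to 4 above hinge on the basic vs. detailed monitoring intervals. As a rough illustration (boto3, placeholder instance ID), the same metric can be queried at different periods: with basic monitoring only the 5-minute (Period=300) datapoints exist, while detailed monitoring makes Period=60 return one datapoint per minute:

```python
import boto3
from datetime import datetime, timedelta, timezone

cloudwatch = boto3.client("cloudwatch")

# Fetch the last hour of CPUUtilization for a single instance (placeholder ID).
end = datetime.now(timezone.utc)
stats = cloudwatch.get_metric_statistics(
    Namespace="AWS/EC2",
    MetricName="CPUUtilization",
    Dimensions=[{"Name": "InstanceId", "Value": "i-0123456789abcdef0"}],
    StartTime=end - timedelta(hours=1),
    EndTime=end,
    Period=60,             # 1-minute datapoints; needs detailed monitoring enabled
    Statistics=["Average"],
)
for point in sorted(stats["Datapoints"], key=lambda p: p["Timestamp"]):
    print(point["Timestamp"], point["Average"])
```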

AWS Storage Options Whitepaper Summary

Overview

  • AWS offers multiple cloud-based storage options. Each has a unique combination of performance, durability, availability, cost, and interface, as well as other characteristics such as scalability and elasticity
  • All storage options are ideally suited for some use cases, and there are certain Anti-Patterns which should be taken into account while making a storage choice

AWS Various Storage Options

Amazon S3 & Amazon Glacier

More Details @ AWS Storage Options – S3 & Glacier

Amazon Elastic Block Store (EBS) & Instance Store Volumes

More details @ AWS Storage Options – EBS & Instance Store

Amazon RDS, DynamoDB & Database on EC2

More details @ AWS Storage Options – RDS, DynamoDB & Database on EC2

Amazon SQS & Redshift

More details @ AWS Storage Options – SQS & Redshift

Amazon CloudFront & ElastiCache

More details @ AWS Storage Options – CloudFront & ElastiCache

AWS Storage Gateway & Import/Export

More details @ AWS Storage Options – Storage Gateway & Import/Export

Sample Exam Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. Your firm has uploaded a large amount of aerial image data to S3. In the past, in your on-premises environment, you used a dedicated group of servers to batch process this data and used RabbitMQ, an open source messaging system, to get job information to the servers. Once processed, the data would go to tape and be shipped offsite. Your manager told you to stay with the current design, and leverage AWS archival storage and messaging services to minimize cost. Which is correct?
    1. Use SQS for passing job messages, use CloudWatch alarms to terminate EC2 worker instances when they become idle. Once data is processed, change the storage class of the S3 objects to Reduced Redundancy Storage.
    2. Setup Auto-Scaled workers triggered by queue depth that use spot instances to process messages in SQS. Once data is processed, change the storage class of the S3 objects to Reduced Redundancy Storage.
    3. Setup Auto-Scaled workers triggered by queue depth that use spot instances to process messages in SQS. Once data is processed, change the storage class of the S3 objects to Glacier.
    4. Use SNS to pass job messages, use CloudWatch alarms to terminate spot worker instances when they become idle. Once data is processed, change the storage class of the S3 object to Glacier.
  2. You are developing a new mobile application and are considering storing user preferences in AWS, which would provide a more uniform cross-device experience to users using multiple mobile devices to access the application. The preference data for each user is estimated to be 50KB in size. Additionally, 5 million customers are expected to use the application on a regular basis. The solution needs to be cost-effective, highly available, scalable and secure. How would you design a solution to meet the above requirements?
    1. Setup an RDS MySQL instance in 2 availability zones to store the user preference data. Deploy a public facing application on a server in front of the database to manage security and access credentials
    2. Setup a DynamoDB table with an item for each user having the necessary attributes to hold the user preferences. The mobile application will query the user preferences directly from the DynamoDB table. Utilize STS, Web Identity Federation, and DynamoDB Fine Grained Access Control to authenticate and authorize access
    3. Setup an RDS MySQL instance with multiple read replicas in 2 availability zones to store the user preference data. The mobile application will query the user preferences from the read replicas. Leverage the MySQL user management and access privilege system to manage security and access credentials.
    4. Store the user preference data in S3. Setup a DynamoDB table with an item for each user and an item attribute pointing to the user’s S3 object. The mobile application will retrieve the S3 URL from DynamoDB and then access the S3 object directly. Utilize STS, Web Identity Federation, and S3 ACLs to authenticate and authorize access.
  3. A company is building a voting system for a popular TV show; viewers would watch the performances then visit the show’s website to vote for their favorite performer. It is expected that in a short period of time after the show has finished the site will receive millions of visitors. The visitors will first login to the site using their Amazon.com credentials and then submit their vote. After the voting is completed the page will display the vote totals. The company needs to build the site such that it can handle the rapid influx of traffic while maintaining good performance, but also wants to keep costs to a minimum. Which of the design patterns below should they use?
    1. Use CloudFront and an Elastic Load Balancer in front of an auto-scaled set of web servers; the web servers will first call the Login With Amazon service to authenticate the user, then process the user’s vote and store the result into a multi-AZ Relational Database Service instance.
    2. Use CloudFront and the static website hosting feature of S3 with the JavaScript SDK to call the Login With Amazon service to authenticate the user; use IAM Roles to gain permissions to a DynamoDB table to store the user’s vote.
    3. Use CloudFront and an Elastic Load Balancer in front of an auto-scaled set of web servers; the web servers will first call the Login With Amazon service to authenticate the user, then process the user’s vote and store the result into a DynamoDB table, using IAM Roles for EC2 instances to gain permissions to the DynamoDB table.
    4. Use CloudFront and an Elastic Load Balancer in front of an auto-scaled set of web servers; the web servers will first call the Login With Amazon service to authenticate the user, then process the user’s vote and store the result into an SQS queue, using IAM Roles for EC2 instances to gain permissions to the SQS queue. A set of application servers will then retrieve the items from the queue and store the result into a DynamoDB table
  4. A large real-estate brokerage is exploring the option of adding a cost-effective location-based alert to their existing mobile application. The application backend infrastructure currently runs on AWS. Users who opt in to this service will receive alerts on their mobile device regarding real-estate offers in proximity to their location. For the alerts to be relevant, delivery time needs to be in the low minutes. The existing mobile app has 5 million users across the US. Which one of the following architectural suggestions would you make to the customer?
    1. Mobile application will submit its location to a web service endpoint utilizing Elastic Load Balancing and EC2 instances. DynamoDB will be used to store and retrieve relevant offers. EC2 instances will communicate with mobile carriers/device providers to push alerts back to the mobile application.
    2. Use AWS Direct Connect or VPN to establish connectivity with mobile carriers. EC2 instances will receive the mobile application’s location through the carrier connection; RDS will be used to store and retrieve relevant offers. EC2 instances will communicate with mobile carriers to push alerts back to the mobile application
    3. Mobile application will send device location using SQS. EC2 instances will retrieve the relevant offers from DynamoDB. AWS Mobile Push will be used to send offers to the mobile application
    4. Mobile application will send device location using AWS Mobile Push. EC2 instances will retrieve the relevant offers from DynamoDB. EC2 instances will communicate with mobile carriers/device providers to push alerts back to the mobile application.
  5. You are running a news website in the eu-west-1 region that updates every 15 minutes. The website has a worldwide audience; it uses an Auto Scaling group behind an Elastic Load Balancer and an Amazon RDS database. Static content resides on Amazon S3, and is distributed through Amazon CloudFront. Your Auto Scaling group is set to trigger a scale-up event at 60% CPU utilization; you use an Amazon RDS extra-large DB instance with 10,000 Provisioned IOPS; its CPU utilization is around 80%, while freeable memory is in the 2 GB range. Web analytics reports show that the average load time of your web pages is around 1.5 to 2 seconds, but your SEO consultant wants to bring down the average load time to under 0.5 seconds. How would you improve page load times for your users? (Choose 3 answers)
    1. Lower the scale up trigger of your Auto Scaling group to 30% so it scales more aggressively.
    2. Add an Amazon ElastiCache caching layer to your application for storing sessions and frequent DB queries
    3. Configure Amazon CloudFront dynamic content support to enable caching of re-usable content from your site
    4. Switch Amazon RDS database to the high memory extra-large Instance type
    5. Set up a second installation in another region, and use the Amazon Route 53 latency-based routing feature to select the right region.
  6. A read-only news reporting site with a combined web and application tier and a database tier that receives large and unpredictable traffic demands must be able to respond to these traffic fluctuations automatically. What AWS services should be used to meet these requirements?
    1. Stateless instances for the web and application tier synchronized using ElastiCache Memcached in an Auto Scaling group monitored with CloudWatch, and RDS with read replicas.
    2. Stateful instances for the web and application tier in an Auto Scaling group monitored with CloudWatch, and RDS with read replicas
    3. Stateful instances for the web and application tier in an Auto Scaling group monitored with CloudWatch, and multi-AZ RDS
    4. Stateless instances for the web and application tier synchronized using ElastiCache Memcached in an Auto Scaling group monitored with CloudWatch, and multi-AZ RDS
  7. You have a periodic image analysis application that gets some files as input, analyzes them, and for each file writes some data in output to a text file. The number of files in input per day is high and concentrated in a few hours of the day. Currently you have a server on EC2 with a large EBS volume that hosts the input data and the results. It takes almost 20 hours per day to complete the process. What services could be used to reduce the elaboration time and improve the availability of the solution?
    1. S3 to store I/O files. SQS to distribute elaboration commands to a group of hosts working in parallel. Auto Scaling to dynamically size the group of hosts depending on the length of the SQS queue
    2. EBS with Provisioned IOPS (PIOPS) to store I/O files. SNS to distribute elaboration commands to a group of hosts working in parallel. Auto Scaling to dynamically size the group of hosts depending on the number of SNS notifications
    3. S3 to store I/O files. SNS to distribute elaboration commands to a group of hosts working in parallel. Auto Scaling to dynamically size the group of hosts depending on the number of SNS notifications
    4. EBS with Provisioned IOPS (PIOPS) to store I/O files. SQS to distribute elaboration commands to a group of hosts working in parallel. Auto Scaling to dynamically size the group of hosts depending on the length of the SQS queue.
  8. A 3-tier e-commerce web application is currently deployed on-premises and will be migrated to AWS for greater scalability and elasticity. The web server currently shares read-only data using a network distributed file system. The app server tier uses a clustering mechanism for discovery and shared session state that depends on IP multicast. The database tier uses shared-storage clustering to provide database failover capability, and uses several read slaves for scaling. Data on all servers and the distributed file system directory is backed up weekly to off-site tapes. Which AWS storage and database architecture meets the requirements of the application?
    1. Web servers store read-only data in S3, and copy from S3 to root volume at boot time. App servers share state using a combination of DynamoDB and IP unicast. Database uses RDS with multi-AZ deployment and one or more Read Replicas. Backup web and app servers weekly via AMIs; database backed up via DB snapshots.
    2. Web servers store read-only data in S3, and copy from S3 to root volume at boot time. App servers share state using a combination of DynamoDB and IP unicast. Database uses RDS with multi-AZ deployment and one or more Read Replicas. Backup web servers, app servers, and database weekly to Glacier using snapshots
    3. Web servers store read-only data in S3, and copy from S3 to root volume at boot time. App servers share state using a combination of DynamoDB and IP unicast. Database uses RDS with multi-AZ deployment. Backup web and app servers weekly via AMIs; database backed up via DB snapshots
    4. Web servers store read-only data in an EC2 NFS server, mounted to each web server at boot time. App servers share state using a combination of DynamoDB and IP multicast. Database uses RDS with multi-AZ deployment and one or more Read Replicas. Backup web and app servers weekly via AMIs; database backed up via DB snapshots
  9. Our company is getting ready to do a major public announcement of a social media site on AWS. The website is running on EC2 instances deployed across multiple Availability Zones with a Multi-AZ RDS MySQL Extra Large DB Instance. The site performs a high number of small reads and writes per second and relies on an eventual consistency model. After comprehensive tests you discover that there is read contention on RDS MySQL. Which are the best approaches to meet these requirements? (Choose 2 answers)
    1. Deploy ElastiCache in-memory cache running in each availability zone
    2. Implement sharding to distribute load to multiple RDS MySQL instances (would distribute both reads and writes; the focus is on read contention)
    3. Increase the RDS MySQL instance size and implement Provisioned IOPS (would help both reads and writes; the focus is on read contention)
    4. Add an RDS MySQL read replica in each availability zone
  10. You run a 2-tier app with the following: an ELB, three web app servers on EC2, and 1 MySQL RDS DB. With growing load, DB queries take longer and longer and slow down the overall response time for user requests. What options could speed up performance? (Choose 3)
    1. Create an RDS read replica and redirect half of the database read requests to it
    2. Cache database queries in Amazon ElastiCache
    3. Setup RDS in multi-availability zone mode.
    4. Shard the database and distribute loads between shards.
    5. Use Amazon CloudFront to cache database queries.
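A pattern that shows up in questions 1 and 7 above is sizing a worker fleet from SQS queue depth. Below is a minimal boto3 sketch of one way to wire that up, assuming hypothetical queue and Auto Scaling group names and an illustrative threshold:

```python
import boto3

autoscaling = boto3.client("autoscaling")
cloudwatch = boto3.client("cloudwatch")

# Placeholder names used for illustration only.
ASG_NAME = "image-workers"
QUEUE_NAME = "image-jobs"

# Simple scaling policy: add one worker instance each time the alarm fires.
policy = autoscaling.put_scaling_policy(
    AutoScalingGroupName=ASG_NAME,
    PolicyName="scale-out-on-queue-depth",
    AdjustmentType="ChangeInCapacity",
    ScalingAdjustment=1,
    Cooldown=300,
)

# Alarm on the SQS backlog: if more than 100 messages stay visible for two
# consecutive 5-minute periods, invoke the scaling policy above.
cloudwatch.put_metric_alarm(
    AlarmName="image-jobs-backlog-high",
    Namespace="AWS/SQS",
    MetricName="ApproximateNumberOfMessagesVisible",
    Dimensions=[{"Name": "QueueName", "Value": QUEUE_NAME}],
    Statistic="Sum",
    Period=300,
    EvaluationPeriods=2,
    Threshold=100,
    ComparisonOperator="GreaterThanThreshold",
    AlarmActions=[policy["PolicyARN"]],
)
```

A matching scale-in policy and low-backlog alarm (negative ScalingAdjustment) would normally be added so the fleet shrinks once the queue drains.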
