AWS-100-CCA-31-EN-U3SG.pdf - AWS Academy Cloud Computing Architecture Unit 3 Student Guide Version 3.1.4 AWS-100-CCA-31-EN-SG 2017 Amazon Web Services

AWS Academy - Cloud Computing Architecture
Unit 3 Student Guide
Version 3.1.4
AWS-100-CCA-31-EN-SG

© 2017 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited. For corrections or feedback on the course, please email us at: [email protected] For all other questions, contact us at: . All trademarks are the property of their owners.

Contents

Module 1: Review of AWS Fundamentals ... 5
Module 2: Designing Your Environment ... 26
Module 3: System Design for High Availability ... 94
Module 4: Event-Driven Scaling ... 149
Module 5: Designing Your Environment ... 210
Module 6: System Design for High Availability ... 259
Module 7: Event-Driven Scaling ... 322
Module 8: Introducing the Well-Architected Framework ... 375
Module 8 Appendix: General Design Principles ... 391
Module 9: Security Pillar ... 397
Module 9: Security Pillar Questions ... 468
Module 10: Reliability Pillar ... 479
Module 10 Appendix: Reliability Pillar Questions ... 513
Module 11: Performance Efficiency Pillar ... 523
Module 11 Appendix: Performance Pillar Questions ... 539
Module 12: Cost Optimization Pillar ... 544
Module 12: Cost Optimization Pillar Questions ... 585
Module 13: Troubleshooting ... 596
Module 14: Design Principles and Sample Architectures ... 615

© 2018 Amazon Web Services, Inc. or its affiliates All rights reserved.

Module 1: Review of AWS Fundamentals

This module begins CCA Unit 3 – Architecting on AWS. Before starting Unit 3, you should have completed Units 1 and 2.

Unit 3 is divided into four sections, starting with Section 1, Introduction to System Design:
* CCA 3.01: a review of AWS fundamentals (which should have been covered in Units 1 & 2).
* CCA 3.02: Designing Your Environment and general design principles, followed by
* CCA 3.03: Design for High Availability.

This module covers a quick review of the following:
• Foundational Services
• Security
• Database Options
• Elasticity

Part 1: Foundational Services

Discuss your answers with the class. For review, go to:
• CCA 2.01 – Part 1
• CCA 2.01 – Part 2
• CCA 2.01 – Part 3

Part 2: Security

Discuss your answers with the class. For review, go to:
• CCA 2.02 – Part 1
• CCA 2.02 – Part 2

Part 3: Database Options

Discuss your answers with the class. For review, go to:
• CCA 2.03 – Part 2
• CCA 2.03 – Part 3

Part 4: Elasticity

Discuss your answers with the class. For review, go to:
• CCA 2.04 – Part 1
• CCA 2.03 – Part 2
• CCA 2.03 – Part 3
• CCA 2.03 – Part 4

In review…
• Foundational Services
• Security
• Database Options
• Elasticity

This module does not include a knowledge assessment.

Next we'll continue with Unit 3, Architecting on AWS, which is broken into four sections:
Section 1: Introduction to System Design
Section 2: Automation and Serverless Architectures
Section 3: Well-Architected Best Practices
Section 4: Deployment and Implementation

Up next is CCA 3.02 – Designing Your Environment.

Do not speak over this slide – just let it play for 8 seconds.

Module 2: Designing Your Environment

Welcome to CCA 3.02, Designing Your Environment.

This module covers…
• Choosing a Region
• Use Multiple AZs
• Use Multiple VPCs
• Dividing VPCs Into Subnets
• Managing VPC Traffic
• Connecting Multiple VPCs
• Integrating On-prem Components
• Default VPCs and Subnets

Part 1: How do you choose a region?

Your data will be subject to the laws of the country and locality in which it's stored. In addition, some laws dictate that if you're operating your business in their jurisdiction, you cannot store that data anywhere else. Similarly, compliance standards (such as the Health Insurance Portability and Accountability Act in the United States) have strict guidelines on how and where data can be stored in order to comply. Take all of these things into account when evaluating where to place your environment.

Proximity is a major reason behind choosing your region, especially when latency is critically important, as it is in most applications. In most cases, the latency difference between using the closest region and the farthest-away region is relatively small, but even small differences in latency can impact customer experience. An internal study in 2006 found that for every 100 ms that Amazon.com was delayed, there was a corresponding 1% drop in sales. A Google study in 2006 similarly found that a 500 ms delay in displaying their search results caused a 20% drop in traffic and revenue. Customers expect responsive environments, and as time goes by and technology becomes more and more powerful, those expectations rise as well. To find more resources on the relationship between latency and revenue, see:

While we strive to make all of our services and features available everywhere, the complications which arise from having a global reach make accomplishing that goal extremely challenging. But rather than wait until a service is available everywhere before launching it, we release our service when it's ready, and expand its availability as soon as possible.

Service costs can differ depending on the region in which they're used. An Amazon EC2 instance in US-East 1 may not cost the same as if it were running in EU-West 1, as an example. Typically, the difference in cost may not be enough to supersede the other three considerations; however, in cases where the latency, compliance and service availability differences between regions are minimal, you may be able to save a lot of expense by using the lower-cost region for your environment.

In circumstances where your customers are in different areas of the globe, you may consider optimizing your customers' experience by replicating your environment in multiple regions that are closer to your customers. Since you would then be distributing your load across multiple environments, your costs for components in each environment may go down even as you add more infrastructure. For example, adding a second application environment might allow you to cut your processing and storage capacity requirements in half in each environment. Since AWS is designed to allow you that kind of flexibility, and since you only really pay for what you use, you could easily scale your existing environment down as a way to mitigate the cost of adding another environment. The downside to that approach is that you now have two environments to manage, and that not all of your components will scale down enough to mitigate all of the new component costs. Additionally, you may have to maintain one single storage "source of truth" in one region (such as a Master RDS instance), which your secondary region would have to communicate with, increasing latency and cost for those operations.

Part 2: How many Availability Zones should you use?

Most applications can be designed to support 2 AZs but may not benefit from more, because they use data sources that only support primary/secondary failover. Availability Zones are spread out physically, so you won't receive much benefit from duplicating your resources in three or more Availability Zones in one region. For heavy Amazon EC2 Spot instance usage, or for data sources that go beyond active/passive, such as Amazon DynamoDB, there may be a benefit to using more than 2 AZs.

In this basic pattern, the two web servers are positioned behind an Elastic Load Balancing load balancer, which distributes traffic between them.
1. If one of the servers becomes unavailable, the load balancer recognizes this.
2. It stops distributing traffic to the unhealthy instance.
This ensures that if there is a problem in one of the AZs where a component resides, your application is still available. You can further increase the availability of your infrastructure using other methods, which we will discuss in a later module.

Since Amazon EC2 Spot instances are priced according to Availability Zone, you could leverage two Availability Zones to get the best price even when the prices change.

Part 3: Should you just fit everything into one VPC?

High-performance computing environments may work best entirely within a single VPC, as a single-VPC environment will have lower latency than one spread across multiple VPCs. Identity management environments may best be limited to one VPC for best security. For small applications supported by a small team (or one person), it may be easiest to use one VPC.

Multi-VPC patterns are best suited for a single team or organization that maintains full control over the provisioning and management of all resources in each application environment. For example, a single team developing a large e-commerce application may use this pattern when the developers have full access to the Dev & Prod environments. This pattern is also very common with Managed Service Providers (MSPs) managing all resources in Test & Prod.

Multi-account patterns are best suited for Enterprise customers or organizations deploying applications managed across multiple teams. For example, an organization supporting two or more teams may use this pattern to give developers full access to the Dev environment resources but limited or no access to Prod.

Although EC2 instances are configured with public IP addresses, network traffic between AWS Regions traverses the AWS global network backbone by default, which typically provides more consistent, lower-latency network connectivity than equivalent Internet-based connections. A VPC endpoint enables you to create a private connection between your VPC and another AWS service without requiring access over the Internet, through a NAT device, a VPN connection, or AWS Direct Connect. For more, see:

Part 4: How should you divide your VPCs into subnets?

The first four IP addresses and the last IP address in each subnet CIDR block are not available for you to use, and cannot be assigned to an instance. For example, in a subnet with CIDR block 10.0.0.0/24, the following five IP addresses are reserved:
• 10.0.0.0: Network address.
• 10.0.0.1: Reserved by AWS for the VPC router.
• 10.0.0.2: Reserved by AWS for mapping to the Amazon-provided DNS.
• 10.0.0.3: Reserved by AWS for future use.
• 10.0.0.255: Network broadcast address. We do not support broadcast in a VPC, therefore we reserve this address.

Rather than define your subnets based on application or functional tier (web/app/data/etc.), you should organize your subnets based on Internet accessibility. This allows you to define clear, subnet-level isolation between public and private resources. Note: In certain circumstances, such as for PCI compliance, where extremely sensitive data cannot have any direct or indirect connection to the Internet, that subnet is referred to as a "protected" subnet.

As subnets should be used to define Internet accessibility, there may not be a good reason to have more than one public and one private subnet per Availability Zone. In this environment, all of your resources that require direct access to the Internet (public-facing load balancers, NAT instances, bastion hosts, etc.) would go into the public subnet, while all other instances would go into your private subnet (exception: resources which require absolutely no access to the Internet, either directly or indirectly, would go into a separate private subnet).

Some environments try to use subnets to create layers of separation between "tiers" of resources, such as putting your back-end application instances and your data resources into separate private subnets. This practice requires you to predict more accurately how many hosts you will need in each subnet, making it more likely that you will either run out of IPs more quickly, or leave too many IPs unused when they could be used elsewhere. While subnets can provide a very basic element of segregation between resources using network ACL rules, security groups can provide an even more finely grained level of traffic control between your resources, without the risk of overcomplicating your infrastructure and wasting or running out of IPs. With this approach, you just need to anticipate how many public and how many private IPs your VPC needs, and use other resources to create segregation between resources within a subnet.

The majority of resources on AWS can be hosted in private subnets, using public subnets fo...
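The subnet rules in Part 4 (five reserved addresses per subnet, one public and one private subnet per AZ, and the public/private/protected split by Internet accessibility) can be checked before anything is provisioned. The following is an added example, not code from the AWS Academy guide: it uses only the Python standard library, never calls AWS, and the VPC CIDR, subnet sizes, route table entries and resource IDs (igw-0example, nat-0example) are constructed for the example. It also generalises the module's /24 illustration to any subnet size AWS allows (/16 to /28).

```python
from __future__ import annotations

import ipaddress

# Added example, not from the AWS Academy guide. Standard library only:
# it models the subnet design rules from this module without calling AWS.

# Offsets AWS reserves at the start of every VPC subnet, plus the broadcast
# address at the end (five addresses in total).
AWS_RESERVED_OFFSETS = {
    0: "network address",
    1: "VPC router",
    2: "Amazon-provided DNS",
    3: "reserved by AWS for future use",
}
RESERVED_PER_SUBNET = len(AWS_RESERVED_OFFSETS) + 1  # + broadcast


def vpc_subnet(cidr: str) -> ipaddress.IPv4Network:
    """Parse a subnet CIDR and enforce the VPC IPv4 size limits (/16 to /28)."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects CIDRs with host bits set
    if net.version != 4:
        raise ValueError(f"{cidr}: only IPv4 subnets are modelled here")
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: VPC subnets must be between /16 and /28")
    return net


def reserved_addresses(cidr: str) -> dict[str, str]:
    """Return the five addresses in a subnet that cannot be assigned to an instance."""
    net = vpc_subnet(cidr)
    reserved = {
        str(net.network_address + offset): reason
        for offset, reason in AWS_RESERVED_OFFSETS.items()
    }
    reserved[str(net.broadcast_address)] = "broadcast (not supported in a VPC)"
    return reserved


def usable_hosts(cidr: str) -> int:
    """Addresses left for instances, ENIs and load balancer nodes in the subnet."""
    return vpc_subnet(cidr).num_addresses - RESERVED_PER_SUBNET


def check_plan(vpc_cidr: str, subnets: dict[str, str]) -> list[str]:
    """Validate a subnet plan against its VPC: every subnet must sit inside the
    VPC CIDR and no two subnets may overlap. Returns the problems found
    (an empty list means the plan is valid)."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    nets = {name: vpc_subnet(c) for name, c in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside VPC {vpc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def classify_subnet(routes: list[tuple[str, str]]) -> str:
    """Classify a subnet by Internet accessibility from its route table
    (destination, target) pairs, following the module's three categories:
    public    - default route to an Internet gateway (direct Internet access)
    private   - default route to anything else, e.g. a NAT device (outbound only)
    protected - no default route at all (no direct or indirect Internet path)"""
    for destination, target in routes:
        if destination == "0.0.0.0/0":
            return "public" if target.startswith("igw-") else "private"
    return "protected"


# Constructed sample plan: one public and one private subnet per AZ in a /16,
# as the module recommends. Sizes and resource IDs are made up for the example.
VPC_CIDR = "10.0.0.0/16"
GOOD_PLAN = {
    "public-a": "10.0.0.0/24",
    "public-b": "10.0.1.0/24",
    "private-a": "10.0.16.0/20",
    "private-b": "10.0.32.0/20",
}
BAD_PLAN = {
    "public-a": "10.0.0.0/24",
    "private-a": "10.0.16.0/20",
    "private-b": "10.0.16.0/22",  # overlaps private-a
    "mgmt": "10.1.0.0/24",        # outside the VPC CIDR
}
ROUTE_TABLES = {
    "public-a": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0example")],
    "private-a": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0example")],
    "protected-a": [("10.0.0.0/16", "local")],
}

if __name__ == "__main__":
    for ip, why in reserved_addresses("10.0.0.0/24").items():
        print(f"{ip:<12} {why}")
    print("usable hosts in 10.0.0.0/24:", usable_hosts("10.0.0.0/24"))
    print("good plan problems:", check_plan(VPC_CIDR, GOOD_PLAN))
    print("bad plan problems:", check_plan(VPC_CIDR, BAD_PLAN))
    for name, routes in ROUTE_TABLES.items():
        print(name, "->", classify_subnet(routes))
```

The private subnets are sized far larger than the public ones because, as the module notes, most resources belong in private subnets; a /20 leaves 4,091 usable addresses, a /24 only 251. The overlap and containment checks matter because a subnet that does not fit its VPC, or collides with a sibling, is rejected by the API only at creation time, after the rest of the plan may already exist.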