ELB - Region specific - Multi-AZ boundary
  EC2 status checks
  ELB health checks
  Spans AZs
  ELB types
    ALB (path-based routing, host-based, query-string-parameter based)
      ALB targets (EC2, containers, functions)
    NLB
      NLB targets (EIP, SIP)
    CLB
  ELB nodes (public IPs and private IPs) (/27 subnet or at least 8 IPs required)
  Internet facing - CLB, NLB, ALB and DNS name format
  Internal - CLB, NLB, ALB and DNS name format
  ALB listeners
  Target groups
  Cross-zone LB
  Sticky sessions
  ELB security groups
  Multi-tier web architecture
  ELB monitoring
    EC2 instance Apache logs
    ELB server access logs to CloudWatch or S3 (optional) (disabled by default)
    ELB CloudWatch logs (every 1 min active logs)
    ELB CloudTrail logs
  Proxy Protocol (layer 4 compatible), X-Forwarded-For (layer 7 compatible)

ASG - Region specific - Spans AZs
  CloudWatch metric notification (CPU)
  EC2 status checks (enabled by default)
  ELB health checks (not enabled)

(Immediate effect)
  1. Rules don't apply to traffic within the subnet
  2. Specific IP block ranges

Subnets (default VPC: all public subnets; new subnet -> default RT; no overlapping CIDR; subnet vs AZ (1:1); first 4 and last 1 IP -> reserved; immediate effect)
  Public subnet - Instance - Auto-assign IP = Yes (default VPC EC2 -> has both public and private IP)
  Private subnet - No IGW in RT
  VPN-only subnet - VPN/VP-GW in RT
VPC Peering - Region specific, inter- and intra-account VPC communication, VPC peering connection ID in RTs, non-transitive
VPC Endpoint Services / AWS PrivateLink - Intra-account VPC, endpoint sits on subnet boundary, private connectivity with AWS services (no VPN, IGW, NAT-GW)
  Interface endpoint - ENI with private IP (used by CloudFormation, CloudWatch, API Gateway) (uses SGs)
  Gateway endpoint - GW for a specific route (used by S3, DynamoDB) (uses VPC endpoint policies)
Transit VPC - Global/multi inter-region VPC communication, uses AWS-managed hub and spoke.
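Two of the subnet rules above (AWS reserves the first four and the last address of every subnet; an ELB needs a /27 or larger subnet with at least 8 free IPs; subnet CIDRs must not overlap) are easy to get wrong when sizing a VPC by hand. The following helper is an added example, not part of the original notes, and uses only the standard library; the CIDRs passed to it are constructed sample values.

```python
"""Subnet sizing helper (added example, not from the original notes).

Encodes three rules from the notes: AWS reserves the first four and the last
address of every subnet, an ELB needs a /27-or-larger subnet with at least 8
free IPs, and subnet CIDRs in a VPC must not overlap.
"""
import ipaddress

RESERVED_HEAD = 4      # network address, VPC router, DNS resolver, future use
RESERVED_TAIL = 1      # broadcast address
ELB_MIN_FREE_IPS = 8   # free addresses an ELB needs per subnet
ELB_MAX_PREFIX = 27    # subnet must be /27 or larger (numerically smaller prefix)


def reserved_addresses(cidr):
    """Return the five addresses AWS reserves in a subnet, as strings."""
    net = ipaddress.ip_network(cidr, strict=True)
    addrs = list(net)  # includes network and broadcast addresses
    return [str(a) for a in addrs[:RESERVED_HEAD]] + [str(addrs[-1])]


def usable_count(cidr):
    """Number of addresses left for instances/ENIs after AWS reservations."""
    net = ipaddress.ip_network(cidr, strict=True)
    return max(net.num_addresses - RESERVED_HEAD - RESERVED_TAIL, 0)


def can_host_elb(cidr, in_use=0):
    """True if the subnet is /27 or larger AND still has >= 8 free IPs once
    already-allocated addresses (in_use) are subtracted."""
    net = ipaddress.ip_network(cidr, strict=True)
    free = usable_count(cidr) - in_use
    return net.prefixlen <= ELB_MAX_PREFIX and free >= ELB_MIN_FREE_IPS


def overlapping(cidrs):
    """Return every pair of CIDRs in the list that overlap."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [(str(a), str(b))
            for i, a in enumerate(nets)
            for b in nets[i + 1:]
            if a.overlaps(b)]


if __name__ == "__main__":
    # Constructed sample VPC layout
    plan = ["10.0.0.0/24", "10.0.0.128/25", "10.0.1.0/27", "10.0.2.0/28"]
    for c in plan:
        print(f"{c}: reserved={reserved_addresses(c)} usable={usable_count(c)} "
              f"elb_ok={can_host_elb(c)}")
    print("overlaps:", overlapping(plan))
```

`can_host_elb` applies both halves of the rule, so a /27 that already has 20 addresses allocated is rejected even though its prefix length is fine.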
VPC Sharing - Inter-account VPC subnet resource sharing within an AWS Org, removes the 50 VIF Direct Connect hard limit
IGW - Access to internet, performs NAT for public IPv4 addresses, attach/detach to VPC, no AV or bandwidth risks, IGW vs VPC (1:1)
Egress-only IGW - Stateful egress IPv6 traffic from VPC to internet
NAT Gateway - Needs EIP
EIP - Elastic IP (chargeable when not in use)
VPC Flow Logs - Stored in CloudWatch
  EC2 FL - Network interface
  Subnet FL
  VPC FL
AWS Managed VPN - vgw-id in RT as target for subnets, DC CIDR as destination, private subnet to data center, needs internet connection, IPsec, at least 2 for HA
  VPN Gateway - Sits on VPC boundary
  Customer Gateway - Corporate data center
AWS Direct Connect (option to use with AWS Managed VPN for VPC connect), 1 or 10 Gbps, not HA by default
  AWS Cloud VPC -> VPN/VP Gateway
  AWS Direct Connect Location
    AWS Cage -> AWS Direct Connect Endpoint
    AWS Customer Partner Cage -> Partner Endpoint
    Public VIF -> S3 or public EC2 (no VPN)
    Private VIF -> To VPN Gateway (for AWS VPC)
  Corporate Data Center -> Customer Router
AWS Direct Connect Gateway (Multiple VPCs in multiple regions <--> AWS Direct Connect Gateway <--> AWS Cage/Direct Connect Endpoint <--> Data Center/Customer Router)
Software VPN (option: Marketplace AMIs)
AWS VPN CloudHub (locations connect in a hub-and-spoke manner, remote offices, multiple Customer GWs to one VP-GW, needs internet, needs own BGP ASN and IP)
Dedicated Tenancy
AZ names vs different zones vs different users
Route 53 - Global
  DNS record types (CNAME-, Alias, A, AAAA)
  Alias records - Route 53 specific record type, pointed at the DNS name of services in AWS.
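The VPC Flow Logs entry above says only where the logs are stored. To show what you actually do with them, here is an added example (not part of the original notes) that parses records in the default flow-log format (version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status) and summarises rejected connection attempts per source address, the kind of check run over records delivered to CloudWatch Logs or S3. The log lines are constructed sample data; the account ID, ENI ID and addresses are made up.

```python
"""VPC Flow Log triage (added example; not part of the original notes).

Parses the default flow-log record format and summarises REJECTed connection
attempts per source address. NODATA/SKIPDATA records carry no addresses and
are skipped. All log lines below are constructed sample data.
"""
from collections import Counter, defaultdict

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol",
              "packets", "bytes", "start", "end"}

# Constructed sample records (fake account ID, ENI ID and addresses)
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 43210 22 6 4 240 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 43211 3389 6 4 240 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 43212 445 6 4 240 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.30 10.0.1.20 51000 443 6 20 4000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.20 60000 22 6 1 60 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1600000000 1600000060 - NODATA
"""


def parse_record(line):
    """Split one space-separated record into a dict; '-' fields become None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for f in INT_FIELDS:
        rec[f] = None if rec[f] == "-" else int(rec[f])
    return rec


def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def reject_summary(records):
    """Map srcaddr -> {'count': n, 'ports': sorted distinct dst ports}
    for records the VPC rejected (security group or NACL denied them)."""
    counts = Counter()
    ports = defaultdict(set)
    for r in records:
        if r["log_status"] != "OK" or r["action"] != "REJECT":
            continue
        counts[r["srcaddr"]] += 1
        ports[r["srcaddr"]].add(r["dstport"])
    return {src: {"count": counts[src], "ports": sorted(ports[src])}
            for src in counts}


def suspicious_sources(records, min_ports=3):
    """Sources whose rejected attempts touched >= min_ports distinct ports
    in the aggregation window; worth a closer look in the SOC."""
    summary = reject_summary(records)
    return sorted(s for s, v in summary.items() if len(v["ports"]) >= min_ports)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, v in reject_summary(recs).items():
        print(f"{src}: {v['count']} rejects on ports {v['ports']}")
    print("review:", suspicious_sources(recs))
```

If you enable a custom flow-log format, adjust `FIELDS` to match the field order you chose; the parser deliberately fails loudly on a field-count mismatch rather than silently mislabelling columns.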
  Domain registration (using console, API), DNS resolution, domain transfer (intra-AWS, inter) for supported TLDs, authoritative DNS server, resides alongside all edge locations
  Private DNS for VPCs
  Hosted Zones - Collection of records to manage for a specified domain
    Private HZs - For within VPC and not internet (need 'enableDNSHostname', 'enableDNSSupport', DHCP options set enabled)
    Public HZs - For internet
  Health checks (pointed to CloudWatch alarms, endpoints, instances)
  Routing policies
    Simple RP (Name, Type(A), Value(IP), TTL), (Name vs Value (1/N:N)), no health checks, single region, round robin
    Weighted RP (Name, Type(A), Value(IP), Health ID, Weight), (Name vs Value (1:N)) - optional health checks, multi-region
    Latency RP (Name, Type(A), Value(IP, ALB), Health ID, Region), (Name vs Value (1:N)) - optional health checks, multi-region
    Failover RP (Name, Type(A), Value(IP, ALB), Health ID, Record Type(primary, secondary)), (Name vs Value (1:2)) - primary health check, multi-region and data center
    Geolocation RP (Name, Type(A), Value(IP, ALB), Health ID, Geolocation(region, default)), (Name vs Value (1:N)) - optional health checks, multi-region
    Multi Value RP (Name, Type(A), Value(IP), Health ID, Multi Value(yes/no)), (Name vs Value (1:N)), returns healthy records only, single region, up to 8 healthy records at random
  Resolver
    Outbound endpoints - Sit inside subnets (Route 53 <--> VPC(Subnets(EC2 client, OE)) <--(VPN)--> Corporate data center (DNS server))
    Inbound endpoints - Sit inside subnets (Route 53 <--> VPC(Subnets(EC2 client, IE)) <--(VPN)--> Corporate data center (DNS server, client PC))
Global Accelerator - Static anycast IPs (2), single/multi-region failover, fixed entry points, uses edge locations and health checks, targets ALB/NLB/EC2, IPs stay attached even when disabled
S3 - Regional
  S3 gateway endpoints - Sit on VPC boundary (private connection to S3 from VPC EC2s) (include in RT)
  S3 Bucket - Multi-AZ storage (>=3), 100 buckets by default, unlimited objects, no nested buckets
  S3 Object - Key, Value, Metadata, Version ID, Access Control Information, Sub Resources; no object hierarchy, mimic folders using prefixes, console folders
  Sub resources with buckets: Lifecycle, Website, Versioning, ACL, CORS, Logging
  S3 Storage Classes - Standard, Intelligent Tiering (30), Standard-IA (30), One Zone-IA (30), Glacier (90), Glacier Deep Archive (180)
  File size (0-5 TB), single PUT is 5 GB
  PUT objects: new - read-after-write consistency; overwrite PUTs and DELETEs - eventual consistency
  Multipart upload - 100 MB recommended, >5 GB mandatory, 5 MB-5 TB
  S3 Copy
  S3 identity-based policy - Inline for user, group, role
  S3 resource-based policy - Bucket policy
  S3 cross-account access - (Account B accessing Account B by assuming role)
  S3 ACL (XML owner, grantee) - Used by All Users, Authenticated Users, Log Delivery group.
    Permission     Bucket                              Object
    READ           List objects                        Read metadata and data
    WRITE          Create, overwrite, delete objects   NA
    READ_ACP       Read ACL of bucket                  Read ACL of object
    WRITE_ACP      Write ACL of bucket                 Write ACL of object
    FULL_CONTROL   All of the above                    All of the above
  Transfer Acceleration - Only enable or suspend, no disable (uses CF edge location to S3 rather than direct access) (enable option) (charged only when it benefits)
  Event notifications
  Requester Pays
  Encryption
    SSE - AWS managed keys - Unique object keys, master key
    SSE-KMS managed keys - Customer Master Keys (can be customer generated)
    SSE - Client managed keys - Not stored on AWS (encrypt/decrypt on AWS side)
    Client-side encryption
  S3 Select and Glacier Select (Lambda retrieves ZIP from S3 using SQL)
  REST support
  Cross-Region Replication
CloudFront - Global (driven by regional support) (can use zone apex CNAME)
  Origins - S3 origin
  Custom origins - (static S3 website, EC2)
  Region - Regional edge cache (bigger cache), edge locations (not tied to AZs/regions)
  Distribution
    Web - Static and dynamic content, HTTP(S), CRUD on objects, real-time streaming
    RTMP - Play before download, Adobe Flash RTMP protocol, S3 origin must
  OAI - Origin Access Identity - mostly for non-direct access to S3 static websites
  Bucket policy restrictions
  Signed cookies and signed URLs
  Access restrictions
  Invalidations
  Wildcard SSL, wildcard CNAME, dedicated IP
Block and File Storage
  EBS (EBS vs AZ (1:1)) - Attach to EC2
  EFS (EFS vs AZ (1:N)) - Mount to EC2
ElastiCache does not give high availability
ElastiCache improves performance
ELB points
  ELB will LB between AZs
EC2 points
  Maximum 20 EC2 instances per region
  IAM user cannot be attached to EC2 instance but IAM role can be attached to the Amazon EC2 instance. So answer is C.
EBS points
  Can only be accessed by a single Amazon EC2 instance.
  Max 16 TB limit
  No limit on file size
  CMK
  GP, IOPS (io1) -> SSD throughput; cold -> HDD; burstable -> CPU
  Legacy, running on EC2, needs block storage = EBS
  "sequential" think throughput optimised.
  High sequential - HDD
  Small random - SSD (intensive read/write)
EFS points
  Can be accessed by 1 to 1000s of EC2 instances from multiple AZs, concurrently.
  Data is stored in multiple AZs to withstand AZ failure
  No size limit; file size up to 47 TiB
Kinesis means ordered, sequential and fast.
SQS FIFO is not fast enough (300 TPS) (cannot withstand higher TPS)
Aurora -> auto scales exponentially up to 64 TB, OLTP
Redshift -> Not a DB, OLAP
RDS -> Manual scale
Indexed -> DynamoDB
DynamoDB is typically useful for storing a large number of small records with single-digit millisecond latency
Amazon RDS MySQL with Multi-AZ enabled by default
Aurora will deploy in at least three AZs and will generate two copies of data in each AZ
Enable versioning and configure cross-region replication from the bucket in us-east-1 to the bucket in ap-southeast-2.
often make mistakes --> problems with the code --> infrastructure as code --> CloudFormation
Spot Instance interruption notice also became available as an event in Amazon CloudWatch Events.
This allows targets such as AWS Lambda functions or Amazon SNS topics to process Spot Instance interruption notices by creating a CloudWatch Events rule to monitor for the notice.