1. Networking
1.1. VPC
1.1.1. Default VPC
1.1.1.1. All subnets are public
1.1.1.2. If delete public VPC, you have to contact to AWS to get it back
1.1.2. VPC Peering
1.1.2.1. connect 1 VPC with another
1.1.2.2. don't give access to internet
1.1.2.3. don't give access to third VPC via another VPC
1.1.3. Tenancy
1.1.3.1. Default
1.1.3.2. Dedicated
1.1.3.2.1. If you set dedicated while creating new VPC, all instances in the VPC will be automatically dedicated
1.1.4. Route Tables
1.1.4.1. Default route table will be created for VPC automatically
1.1.5. Subnetworks
1.1.5.1. 1 subnet = 1 AZ
1.1.5.2. Amazon reserves 3 IP addresses in every subnet
1.1.6. IGW
1.1.6.1. 1 IGW per VPC
1.1.7. NAT Instance
1.1.7.1. Disable Source/Destination check
1.1.7.2. larger instance provide more network performance
1.1.8. Access Control List (ACLs)
1.1.8.1. It is a Firewall for entire subnet
1.1.8.2. If you create subnet, it will be associated with Default ACL
1.1.8.3. stateless
1.1.8.4. New ACLs is denied by default
1.1.8.5. Subnet can ONLY have 1 ACL (no more, no less)
1.1.8.6. operating of rules begins from lowest rule number
1.2. Direct Connect
1.2.1. Provide dedicated link to AWS
1.3. Route53
1.3.1. Always choose Alias Record over CNAME http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html
1.3.2. ELB is domain
1.3.3. Routing Policies
1.3.3.1. Simple
1.3.3.2. Weighted
1.3.3.2.1. Allow split traffic based on different weight assigned
1.3.3.3. Latency
1.3.3.3.1. based on lowest network latency for your end user (ie. which region gave the fastest response time)
1.3.3.4. Failover
1.3.3.4.1. Will monitor primary web site using health checks and if failed switch to DR site
1.3.3.5. Geolocation
1.3.3.5.1. based on Geo location of end users
2. Compute
2.1. EC2
2.1.1. Price
2.1.1.1. On Demand
2.1.1.1.1. Low price and flexibility without long term commitments
2.1.1.1.2. Application with short term and cannot be interrupted
2.1.1.1.3. development or testing
2.1.1.2. Reserved (1 or 3 Year)
2.1.1.2.1. Steady state or predictable usage
2.1.1.2.2. require reserved capacity
2.1.1.2.3. User is able to do upfront payment
2.1.1.3. Spot
2.1.1.3.1. Application can flexible start and end
2.1.1.3.2. very low compute price
2.1.1.3.3. user need urgent large computing needs
2.1.1.3.4. NOTE: If AWS terminate instance by itself you will not pay for part hour usage. But I you terminate, you will pay
2.1.2. Types
2.1.2.1. t2 - Low cost, General Purpose
2.1.2.2. M4, M3 - General purpose
2.1.2.3. C3, C4 - Computer optimised
2.1.2.4. R3 - Memory optimised
2.1.2.5. G2 - GPU
2.1.2.6. I2 - High Speed Storage (NoSQL...)
2.1.2.7. D2 - Dense storage (hadoop ..)
2.1.3. EBS
2.1.3.1. Type
2.1.3.1.1. General Purpose SSD (GP2)
2.1.3.1.2. Provisioned IOPS SSD (IO1)
2.1.3.1.3. Magnetic (Standard)
2.1.3.2. Encription
2.1.3.2.1. Root volume (where is OS) is NOT encrypted. You can use THIRD tools to encrypt Root volume
2.1.3.2.2. Addition volumes can be encrypted
2.1.4. SG
2.1.4.1. All Inbound traffic is blocked by default
2.1.4.2. All Outbound traffic is allowed by default
2.1.4.3. Changes to SG take effect immediately
2.1.4.4. SGs are STATEFUL
2.1.4.4.1. If you create Inbound rule allowing traffic in, that traffic is allowed back out again
2.1.5. Volume
2.1.5.1. exist on EBS
2.1.5.2. Virtual Hard Disk
2.1.5.3. Volume restored from encrypted snapshot is encrypted
2.1.5.4. RAID
2.1.5.4.1. AWS does NOT recommend to use RAID5
2.1.5.4.2. RAID0 - no redundancy and good performance
2.1.5.4.3. RAID10 provide redundancy and good performance
2.1.5.4.4. Creating Snapshot of RAID
2.1.6. Snapshot
2.1.6.1. exist on S3
2.1.6.2. is incremental. Only changed block will be upload to s3
2.1.6.3. Snapshot of encrypted volume is encrypted automatically
2.1.6.4. You can share snapshot, if the snapshot is NOT encrypted
2.1.6.5. To create snapshot of Root volume, you need to stop instance (or the instance will be stopped by AWS). If an instance was not stopped at all, integrity of filesystem can not be guaranteed
2.1.6.6. You can NOT remove snapshot if the snapshot is in AMI
2.1.7. AMI
2.1.7.1. EBS root volume
2.1.7.1.1. Root volume is EBS volume that created from EBS snapshot
2.1.7.2. Instance Store
2.1.7.2.1. Root device launched from AMI is instance store volume created from template stored on S3. (takes a bit more time to launch)
2.1.7.2.2. can not be stopped
2.1.7.2.3. if the underling host fails you will lose your data
2.1.8. ELB
2.1.8.1. only has own DNS name, NOT IPs
2.1.9. IAM Role
2.1.9.1. You can NOT change role for created instance
2.1.9.2. You can change role itself and it will be applied immediately
2.1.9.3. Roles are easier to manage
2.1.10. Instance Metadata
2.1.10.1. http://169.254.169.254/latest/meta-data/
2.1.10.2. You can NOT to get user-data using the URL. Only meta-data
2.1.11. Placement Group
2.1.11.1. Single AZ
2.1.11.2. Low latency
2.1.11.3. 10 Gbps
2.1.11.4. Name of Placement Group should be unique accoss AWS account
2.1.11.5. Only certain type of instances can be launched in PG (CPU, GPU, RAM and Storage optimised)
2.1.11.6. AWS recommend to use homogeneous instance type (same family and same size)
2.1.11.7. can NOT merge PGs
2.1.11.8. can NOT move created instance to PG
2.2. EC2 Container Service
2.3. Elastic Beanstalk
2.4. Lambda
2.4.1. is event driven compute service, where Lambda runs your code in responce to event
3. Storage
3.1. S3
3.1.1. Object base storage. Key, value storage. Consist:
3.1.1.1. Key (name of the object)
3.1.1.2. Value
3.1.1.3. Version ID (Important for versioning)
3.1.1.4. Metadata
3.1.1.5. Subresources
3.1.1.6. Access Control List
3.1.2. File size can be from 1 Byte to 5 Tb
3.1.3. Universal namespace: https://s3-us-east-1.amazonaws.com/bucketname
3.1.4. Name for bucket does not support Capital characters
3.1.5. Read after Write consistency for PUTS of new Objects
3.1.6. Eventual Consistency for overwrite PUTS and DELETES (can take some time to propagate)
3.1.7. Availability: 99.99%
3.1.8. Durability: 99,999999999 (11 x 9's)
3.1.9. New objects in Bucket are Private
3.1.10. Tiered Storage Availability (can be set/change for entire Bucket or objects in the Bucket)
3.1.10.1. S3
3.1.10.1.1. Availability: 99.99%
3.1.10.1.2. Durability: 99,999999999 (11 x 9's)
3.1.10.2. S3 - IA (Infrequently Access)
3.1.10.2.1. Lower fee than S3
3.1.10.2.2. Retrieval fee
3.1.10.2.3. Standard - IA has a minimum object size of 128KB. Smaller objects will be charged for 128KB of storage.
3.1.10.2.4. Minimum Storage Duration: 30days
3.1.10.3. Reduced Redundancy Storage
3.1.10.3.1. Availability: 99.99%
3.1.10.3.2. Durability: 99,99
3.1.11. Lifecycle Management
3.1.11.1. can be applied to whole bucket or prefix
3.1.11.2. Actions (without versioning)
3.1.11.2.1. Transition to S3-IA (minimum 30 after creating)
3.1.11.2.2. Archive to Glacier
3.1.11.2.3. Permanent Delete
3.1.11.3. Actions (with versioning)
3.1.11.3.1. Actions for current version
3.1.11.3.2. Action for previous versions
3.1.12. Versioning
3.1.12.1. Can't turn it off
3.1.12.2. Versioning's MFA Delete capability
3.1.12.3. Doesn't deduplicate (S3 keeps all versions of a file as separate files)
3.1.13. Security
3.1.13.1. Bucket is PRIVATE by default
3.1.13.2. Access Controle
3.1.13.2.1. Bucket Policies (applied to whole bucket)
3.1.13.2.2. Access Control List (can be applied to individual items in bucket)
3.1.13.3. Encriptions
3.1.13.3.1. In Transite
3.1.13.3.2. At Rest
3.1.14. Transfer Acceleration
3.1.14.1. Allow to upload files to S3 via CloudFront Edge
3.1.15. Cross Region Replication
3.1.15.1. Doesn't replicate existing files
3.1.15.2. Requires Versioning
3.2. Cloud Front
3.2.1. Edge Location
3.2.1.1. supports READ and WRITE
3.2.1.2. around the world, more than 50
3.2.1.3. TTL
3.2.1.4. Can clear cached objects (you will be charged )
3.2.2. Origin
3.2.2.1. S3 bucket
3.2.2.2. EC2 instance
3.2.2.3. ELB
3.2.2.4. Route53
3.2.2.5. None AWS server
3.2.3. Distribution
3.2.3.1. Web Distribution
3.2.3.2. RTMP - media streaming
3.2.4. Geo Restrictions
3.2.4.1. White list
3.2.4.2. Black list
3.2.5. Invalidation
3.2.5.1. to remove objects from cache
3.3. Glacier
3.3.1. Archive data
3.3.2. Takes 3-5 hours to restore
3.3.3. Extremely low-cost (0.01$ per 1Gb per 1 month)
3.3.4. Minimum Storage Duration: 90 days
3.4. EFS
3.4.1. Supports NFSv4
3.4.2. pay only for storage
3.4.3. scale up to petabytes
3.4.4. supports thousands NFS concurrency connections
3.4.5. cross AZ within single region
3.4.6. READ after WRITE concistency
3.5. Import/Export
3.5.1. Import/Export Disk
3.5.1.1. Import
3.5.1.1.1. S3
3.5.1.1.2. EBS
3.5.1.1.3. Glasier
3.5.1.2. Export
3.5.1.2.1. S3
3.5.2. Import/Export Snowball
3.5.2.1. Only S3
3.6. Storage Gateway
3.6.1. is a service that connect an on premises software appliance with cloud based storage to provide seamless and secure integration between organisation's on-premises IT env and AWS cloud
3.6.2. Types
3.6.2.1. Gateway Store Volume
3.6.2.1.1. Entire Dataset is stored on site and is asynchronously backed up to S3
3.6.2.2. Gateway Cached Volume
3.6.2.2.1. Data in on S3 but the most frequent accessed data is stored locally
3.6.2.2.2. if you lose internet, you will not have access to all data
3.6.2.3. Gateway Virtual Tape Libary (VTL)
3.6.2.3.1. Provide a Virtual Tape Shelf to backup to S3 or Glacier
4. Databases
4.1. Elasticache - In memory caching
4.1.1. Memcached
4.1.2. Redis
4.2. DMS
4.3. RDS - OLTP (Online Transaction Processing)
4.3.1. Aurora
4.3.1.1. Autoscaling Storage (start from 10Gb, scales in 10Gb increment Up to 64Tb)
4.3.1.2. Compute resources scale up to 32 vCPU and 244 Gb RAM
4.3.1.3. 2 copies of data in each AZ within 3 minimum AZs (6 copies of data)
4.3.1.4. can loss up to 2 copies without effecting Write availability
4.3.1.5. can loss up to 3 copies without effecting Read availability
4.3.1.6. self-healing (disk is continuously scanning for error and repairing)
4.3.1.7. Replicas
4.3.1.7.1. Aurora Replica (up to 15)
4.3.1.7.2. MySQL Replica (up to 5)
4.3.2. Types
4.3.2.1. MSSQL
4.3.2.2. MySQL
4.3.2.3. Postgres
4.3.2.4. Oracle
4.3.2.5. Aurora
4.3.2.6. MarinaDB
4.3.3. Automated Backups
4.3.3.1. from 0 up to 35 days
4.3.3.2. Storage IO may be suspended
4.3.3.3. you will get free place on S3 equals DB volume
4.3.4. Snapshots
4.3.4.1. manually
4.3.4.2. will be stored even if you remove source DB (unlike Automated Backup)
4.3.5. Restoring is always new RDS instance with new endpoint
4.3.6. Encryption
4.3.6.1. supports by MySQL, Postgres, Oracle, mariaDB and SQL Server
4.3.6.2. Can NOT be enabled for existing instances
4.3.7. MultyAZ
4.3.7.1. For Disaster Recovery ONLY
4.3.7.2. Automatic
4.3.7.3. synchronous
4.3.8. Read Replica
4.3.8.1. Asynchronous replication
4.3.8.2. MySQL, Postgres, MariaDB
4.3.8.3. Use for Scaling. NOT for DR
4.3.8.4. Require Automatic Backup
4.3.8.5. Up to 5 Read REplicas
4.3.8.6. can have Read Replica of Read replica (Latency!!)
4.3.8.7. Read Replica can NOT be MultyAZ
4.3.8.8. Read replica in Second Region (for MySQL and MariaDB)
4.3.9. NOTES
4.3.9.1. DB Security Group: you don't need to specify port/protocol only source IP range / security group http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.RDSSecurityGroups.html#Overview.RDSSecurityGroups.DBSec
4.4. DynamoDB - No SQL
4.4.1. Automatic Scaling on FLY vs
4.4.2. Stored on SSD
4.4.3. Spread across 3 geographically distinct data centers
4.4.4. Eventual consistency Reads (default)
4.4.4.1. Consistency across all copies of data is usually reached within 1 second
4.4.5. Strong Consistency Reads
4.4.5.1. returns a result of all writes
4.4.6. Pricing
4.4.6.1. Read Throughput 0.0065 per hour for every 50 units
4.4.6.2. Write Throughput 0.0065 per hour for every 10 units
4.4.6.3. Storage const of 0.25$ per Gb per month
4.5. Redshift - OLAP (Online Analytic Processing)
4.5.1. data warehouse service in a cloud
4.5.2. Single Node (160Gb)
4.5.3. Multi-Node
4.5.3.1. Leader Node (handle queries)
4.5.3.2. Compute Node (store data, perform queries) up to 128 nodes
4.5.4. Price
4.5.4.1. Leader node is free
4.5.4.2. Compute node: charge for hours instances running
4.5.4.3. Backup
4.5.4.4. Data transfer (within VPC)
4.5.5. Encryption
4.5.5.1. SSL/TSL for data transfer
4.5.5.2. Encrypted at rest using AES-256
4.5.5.3. By default Redshift handle key by it self
4.5.5.3.1. But you can use KMS or
4.5.5.3.2. Manage your own keys using HSM
4.5.6. Availability
4.5.6.1. only 1 AZ
4.5.6.1.1. you can restore snapshot to New AZ
5. Analytics
5.1. EMR
5.2. Data Pipeline
5.3. ElasticSearch
5.4. Kinesis
5.5. Machine Learning
5.6. Quick Sight
6. Security & Identity
6.1. IAM
6.1.1. Users
6.1.2. Groups
6.1.3. Roles
6.1.4. Policies
6.1.5. Notes
6.1.5.1. IAM items are shared globally
6.1.5.2. New users don't have any permissions
6.1.5.3. Root account has complete Admin access by default
6.1.5.4. Power User Access allows access to all AWS services except for management of groups and users within IAM
6.2. Directory Service
6.3. Inspector
6.4. WAF
6.5. Cloud HSM
6.6. KMS
7. Management Tools
7.1. CloudWatch
7.1.1. Basic Monitoring
7.1.1.1. Every 5 min
7.1.1.2. Free
7.1.2. Detailed Monitoring
7.1.2.1. Every 1 min
7.1.2.2. Additional charge
7.1.3. Dashboard
7.1.4. Metrics
7.1.4.1. CPU
7.1.4.2. Disk
7.1.4.3. Network
7.1.5. Events
7.1.5.1. Allow to react on changes
7.1.6. Alarms
7.1.6.1. Allow to react if metrics cross thresholds
7.1.7. Logs
7.1.7.1. Allow to aggregate, monitor and store logs
7.2. CloudFormation
7.3. CloudTrail
7.4. Opsworks
7.5. Config
7.6. Service Catalog
7.7. Trusted Advisor
8. Application Services
8.1. API Gateway
8.2. AppStream
8.3. CloudSearch
8.4. Elastic Transcoder
8.5. SES
8.6. SQS
8.6.1. Distributed queue system
8.6.2. Message is up to 256KB text in any format
8.6.3. Billed at 64KB "Chunks"
8.6.4. first 1 million requests are free. 0.5$ per million
8.6.5. 1 request can have up to 10 messages
8.6.6. Messages can be retrieved using SQS API
8.6.7. Has Buffer
8.6.8. SQS ensures delivering at least once
8.6.9. It is NOT FIFO
8.6.10. Asynchronously PULL messages from a QUEUE
8.6.11. Visibility Period starts when Message was picked up
8.6.12. If Application is failed, message will be in a queue. After Visibility Period, Message will be consumed another application
8.6.13. When application finishes, message will be removed from Queue
8.6.14. Visibility Timeout is 30s by default.
8.6.15. Retention period is up to 14 days
8.7. SWF
8.7.1. Simple WorkFlow Service
8.7.2. Retention Period is up to 1 year
8.7.3. task oriented API (vs SQS is message oriented)
8.7.4. task is assigned ONLY ONCE
8.7.5. SWF tracks all tasks in application (for SQS you need implement your own application level )
8.7.6. SWF Actors (can be Code or Humans)
8.7.6.1. Workflow Starter - start workflow
8.7.6.2. Deciders - control workflow
8.7.6.3. Activity Workers
9. WhitePapers
9.1. Security
9.1.1. Shared Security Model
9.1.2. Storage Decommissioning
9.1.2.1. DoD 5220.22-M or NST 800-88
9.1.3. Amazon Corporate Segregation
9.1.4. Network monitoring & Protection
9.1.4.1. DDOS
9.1.4.2. Man in the middle attack (MITM)
9.1.4.3. IP spoofing
9.1.4.4. Port scanning
9.1.4.4.1. you should request permission for vulnerable port scanning in advance
9.1.4.5. Port sniffing by other tenants
9.1.5. Instance Isolation
9.1.5.1. instances on the same host are isolated by Xen hypervisor
9.1.5.2. AWS firewall resides on hypervisor so instances on the same host don;t have more permissions than other
9.1.5.3. RAM is separated
9.1.5.4. disk and RAM are zeroing
9.1.6. AWS doesn't have a write/read access to your guest OS
9.1.7. Strategic Busyness Plan at least biannually (every 6 month)
9.1.8. AWS scans Public Services for vulnerability
9.1.9. Compliances
9.1.9.1. SOC1,2,3
9.1.9.2. FISMA, DIACAP, REDRAMP
9.1.9.3. PCI DSS level1 (only infrastructure)
9.1.9.4. ISO27001
9.1.9.5. ISO 9001
9.1.9.6. ITAR
9.1.9.7. FIPS 140-2
9.1.9.8. Industrial Standarts
9.1.9.8.1. HIPAA
9.1.9.8.2. Cloud Security Alliance
9.1.9.8.3. Motion Picture Association of America
10. Development Tools
10.1. CodeCommit
10.2. CodeDeploy
10.3. CodePipeline
11. Basic
11.1. Support
11.1.1. Basic, Developer, Business, Enterprise
12. Mobile Services
12.1. Mobile Hub
12.2. Cognito
12.3. Device Farm
12.4. Mobile Analytics
12.5. SNS
12.5.1. Sends notifications from a cloud
12.5.2. Can push notification to mobile devices
12.5.3. push to SQS
12.5.4. send email
12.5.5. trigger Lambda function
12.5.6. messages are redundantly stored across multy AZ