AWS Global Accelerator endpoint

AWS Global Accelerator endpoint

Security Groups


·       cannot block traffic by country
· cannot create deny rules
· do not apply to S3 buckets
· specify rules that allows access from an IP address range, port, or Elastic Compute Cloud (EC2) security group


Service Control Policy (SCP)


·       offer central control over the maximum available permissions for all accounts in your organization
· apply restrictions across multiple member accounts
· SCPs alone are not sufficient for allowing access in the accounts. Attaching an SCP to an AWS Organizations entity (root, OU, or account) to actually grant permission to them
· they don't grant any permissions


IAM Roles


·       you cannot add multiple IAM roles to a single EC2 instance
· if you need to attach multiple policies you must attach them to a single IAM role


IAM Role Tasks


·       specify permissions for specific task on Amazon ECS
· taskRoleArm parameter is used to specify the policy
· can only apply one IAM role to a Task Definition so you must create a separate Task Definition


IAM Role Task execution


·       AmazonECSTask ExecutionRolePolicy is used by the container agent to be able to pull container images, write log file etc


Origin Access Identity (OAI)


·       Only use OAI to restrict access to content in S3 but not EC2 or ELB


S3 Transfer Acceleration


·       Used for speeding up uploads of data to S3 by using the CloudFront network
· Not used for downloading data




·       By default, it allows all inbound and outbound IPv4 traffic


VPC Peering


·       Networking connection between 2 VPCs that enable you to route traffic between them using private IPv4 addresses or IPv6 addresses


VPC Gateway endpoint


·       configure your route table to point to the endpoint
· all traffic will go through the VPC endpoint straight to DynamoDB using private IP addresses


VPC Interface Endpoint


·       use an ENI in the VPC


Egress-Only Internet Gateway


·       horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the Internet, and prevents the Internet from initiating an IPv6 connection with your instances
- must be attached to the VPC to facilitate outbound connections


NAT Gateway


·       used for enabling Internet connectivity using IPv4 protocol only
· highly available in each AZ into which they are deployed
· not associated with any security groups and can scale automatically up to 45Gbps
· managed by AWS


NAT Instances


·       managed by you
· must be scaled manually and do not provide HA
· can be used as bastion hosts and cab be assigned to security groups
· runs on EC2 instance you must launch, configure and manage and therefore involves more ongoing systems management effort




·       CGW is customer side of VPN connection
· IGW connects a network to the Internet




·       Used to setup an AWS VPN which you can use in combination with Direct Connect to encrypt all data that traverses the Direct Connect link




·       support gateway endpoints, not interface endpoints
· not a storage layer that can be mounted and accessed concurrently
· does not support FTP transfers
· only host static websites, not dynamic websites
· can only connect to S3 static websites using HTTP
· can only connect to S3 static websites using HTTP


S3 Storage Class


·       S3 Intelligent-Tiering
- designed to optimize costs by automatically moving data to the most cost-effective access tier, without performance impact or operational overhead
- additional fee for using this service and for short-term requirement may not be beneficial
S3 Standard-Infrequent Access (S3 Standard-IA) - if data is accessed there are retrieval fees
- immediate access and 99.9% availability
S3 One Zone-Infrequent Access (S3 One Zone-IA)
- immediate access, 99.5% availability
- if data is accessed there are retrieval fees
- minimum capacity charge per object (128 KB) and a per GB retrieval fee
Deep_Archive has a minimum storage duration of 180 days
Retrieve Archive
· expedited - within 1-5 minutes
· Standard - 3 -5 hours
· Bulk - lowest-cost option, 5-12 hours
Vault Lock - deploy and enforce compliance controls on individual Glacier vaults via a lockable policy (Vault Lock policy)


EC2 Placement Groups


·       Spread Placement Group
· Recommended for applications that have a small number of critical instances that should be kept separate from each other
· Reduces the risk of simultaneous failure that might occur when instances share the same underlying hardware
Cluster Placement Group
· Logical grouping of instances within a single Availability Zone
· Recommended for applications that benefit from low network latency, high network throughput, or both, and if the majority of the network traffic is between the instances in the group.
· Typical of HPC applications
Partition Placement Group
· Spreads your instances across logical partitions such that groups of instances in one partition do not share the underlying hardware with groups of instances in different partitions
· Typically used by large distributed and replicated workloads, such as Hadoop, Cassandra and Kafka





·       SSE-C - Server-side encryption with customer-provided encryption keys
· SSE-S3 - Server-side encryption with Amazon managed master key
· keys are managed in Amazon Key Management Service
· requires that AWS manage the data key but you manage the customer master key (CMK) in AWS KMS
· you have full control over these CMKs, including establishing and maintaining their key policies
· 4-tier hierarchy of encryption keys: master key, cluster key, database key and data encryption keys
· AWS CloudHSM - keys are held in AWS in a hardware security module. Dedicated service and charged on an hourly basis.


Network ACL


·       block IP address ranges associated with specific countries would be extremely difficult to manage




·       only supports Linux system, NFSv4 protocol
· no lifecycle policy available for deleting files on EFS
· filesystem not block device
· designed to burst to allow high throughput levels for periods of time
· offers the ability to encrypt data at rest and in transit


Elastic Block Store (EBS)


·       block level storage devices, data is persistent
· Not a fully managed solution and doesn't grow automatically - you would need to increase the volume size and then extend your filesystem.
· must be attached to EC2 instances
· cannot copy EBS volumes directly from EBS to Amazon S3
· EBS volumes cannot be shared between instances across AZs
· no lifecycle policy available for deleting files on EBS
· when create EBS volume in an AZ, it is automatically replicated within that AZ to prevent data loss due to failure of any single hardware component
· Amazon Data Lifecycle Manager (DLM) feature automates the creation, retention, and deletion of EBS snapshots but not the individual files within an EBS volume
· EBS snapshot creates a copy of an EBS volume to S3 so that copies of the volume can reside in different AZs within a region
· EBS from snapshot data is loaded lazily, the volume can be accessed upon creation, and if the data being requested has not yet been restored, it will be restored upon first request
· EBS volumes are single points of failure which are not shared with other instances


EBS Volume Types


·       SSD, General Purpose - gp2
· Volume size 1GB - 16TB
· Max IOPS/Volume 16,000
SSD, Provisioned IOPS - i01
· Volume size 4GB - 16TB
· Max IOPS/Volume 64,000
HDD, Throughput Optimized - st1
· Volume size 500GB - 16TB
HDD, Cold - sc1
· Volume size 500GB - 16TB


Network Load Balancer (NLB)


·       operates at Layer 4 - only understands TCP & UDP
· supports IP addresses as targets as well as instance IDs as targets
· using IP addresses as targets allows load balancing any application hosted in AWS or on-premise using IP addresses of the application back-ends as targets


Application Load Balancer (ALB)


·       operates on Layer 7 - understands HTTP/S
· only put ALB in front of the web tier, no the DB tier
· supports IP addresses as targets as well as instance IDs as targets
· using IP addresses as targets allows load balancing any application hosted in AWS or on-premise using IP addresses of the application back-ends as targets


Elastic Load Balancer (ELB)


·       distributing inbound connection requests to EC2 instances (only return traffic goes back through the ELB)
· configure sticky sessions
- target group


Web Application Firewall (WAF)


·       Layer 7 (HTTP/S) Firewall
· Protects against complex Layer 7 attacks/exploits
· SQL Injections, Cross-Site Scripting, Geo Blocks, Rate Awareness
· Web Access Contol List (WEBACL) integrated with ALB, API Gateway and CloudFront
· Classic you create "IP match conditions"
· WAF (new version) you create "IP set match statements" - look for wording in exam
· protects applications from malicious attacks
· it does not improve performance
· available on the Application Load Balancer (ALB), both internally and externally in a VPC, to protect your websites and web services


AWS Shield


·       protect against DDoS attacks
- Shield standard - free with Route53 and CloudFront


AWS Transit Gateway


·       connect on-premise networks to VPCs
· you can manage a single connection for multiple VPCs or VPNs that are in the same Region by associating a Direct Connect gateway to a transit gateway
· hub and spoke topology with Transit Gateway that supports transitive routing


AWS Global Accelerator


·       Used for improving availability and performance for EC2 instances or Elastic Load Balancers (ALB and NLB), it is not used for improving S3 performance
· service to improve availability and performance of your applications for local and global users
· directs traffic to optimal endpoints over the AWS global network
· can be used for NON HTTP/S (TCP/UDP) - * difference from Cloudfront*


AWS Global Accelerator endpoint


·       service used for directing users to different instances of the application in different regions based on latency


Auto Scaling group


·       cost effective, will ensure the right number of instances are running based on demand
· cannot launch instances in multiple Regions from a single Auto Scaling group
· 4 plans: maintain current levels, manual scaling, scheduled scaling, and dynamic scaling
· Target tracking action is recommended in place of step scaling for most cases


Answer Detail

Get This Answer

Invite Tutor