
Amazon Web Services Fundamentals

AWS cloud platform and resources

Agenda
1. Fundamentals of the AWS platform
   1. AWS global infrastructure
   2. AWS Regions, Availability Zones, Local Zones, AWS Outposts
2. Compute
   1. What is Amazon EC2?
   2. Instance types and AMIs
   3. Security groups
   4. Auto Scaling
   5. ECS and EKS
3. Storage
   1. EBS & EFS
   2. Glacier and S3
4. Database in AWS
5. Networking reminders in AWS
   1. Amazon VPC
   2. Subnets
   3. NACL
   4. Route tables

1. Fundamentals of the AWS Platform


Amazon Web Services Fundamentals - 1. Fundamentals of the AWS platform

AWS Global Infrastructure

AWS runs a globally distributed infrastructure composed of:

• Regions
• Availability Zones
• Local Zones
• Wavelength Zones
• AWS Outposts

AWS Regions, Availability Zones, Local Zones, AWS Outposts

Regions are isolated geographic locations. They are designed to be isolated from each other in order to attain the greatest fault tolerance and stability.

While working in AWS, the console / CLI only shows resources tied to the currently selected Region. As Regions are isolated from each other, resources are not automatically replicated across Regions. The same isolation cuts the other way for defenders: resources created in a Region you do not normally work in are easy to overlook, so inventory and monitoring should cover every Region, not only the ones you use.

Additionally, not all services and resource types are available in every Region. Make sure the resources you need can be created in a Region before committing to it.

AWS Regions, Availability Zones, Local Zones, AWS Outposts (continued)

Availability Zones are multiple isolated locations within a Region. The code for an Availability Zone is the Region code followed by a letter identifier, for example us-east-1a. The letter mapping is assigned independently per AWS account, so us-east-1a in one account is not necessarily the same physical zone as us-east-1a in another; the AZ ID (for example use1-az1) is the identifier that is stable across accounts.

Local Zones are an extension of an AWS Region placed in geographic proximity to users. Local Zones have their own connections to the internet.

Wavelength Zones enable developers to build applications that deliver ultra-low latency to mobile devices and end users. Wavelength deploys standard AWS compute and storage services to the edge of telecommunication carriers' 5G networks.

AWS Outposts is a fully managed service that extends AWS infrastructure, services, APIs, and tools to customer premises.
2. Amazon Elastic Compute Cloud Instance
Amazon Web Services Fundamentals - 2. Amazon Elastic Compute Cloud Instance

What is Amazon EC2?

Amazon Elastic Compute Cloud (EC2) is a web service that provides secure, resizable compute capacity in the cloud. Essentially, it is a virtual machine where you pay for the resources (CPU, memory, etc.) you are using.

Purchasing options:

• On-Demand Instances – compute capacity is paid for by the hour or by the second, depending on the instance. No long-term commitments or upfront payments.

• Spot Instances – instances that use spare EC2 capacity, available for less than the On-Demand price. AWS can reclaim a Spot Instance with a two-minute interruption notice, so they suit fault-tolerant or stateless workloads.

• Reserved Instances – a billing discount applied to On-Demand usage that matches certain attributes, such as instance type and Region, in exchange for a one- or three-year commitment.

Instance types and AMIs – Instance types

Instance types are varying combinations of CPU, memory, storage and network capacity, giving you flexibility when choosing your EC2 instance.

There are multiple EC2 instance type families, each configured for a different use case:

• General Purpose (M6g, T4g, M5, M5a, M4, T3, T3a, T2).
• Compute Optimized (C6g, C5 / C5d, C5a, C4, C3).
• Memory Optimized (R6g, X1, R5 / R5d, R5a, Z1d, R4).
• Storage Optimized (I3, D2, I2).
• Accelerated Computing (P3, G4dn, Inf1, G3).

Instance types and AMIs – AMIs

An Amazon Machine Image (AMI) is a template that contains the information required to launch an instance: the root volume (operating system and installed software), launch permissions controlling which accounts may use it, and a block device mapping for the volumes attached at launch. AMIs are provided and maintained by AWS, published by third parties through the AWS Marketplace or the community, or built by you.

You must specify an AMI when you launch an instance. You can launch multiple instances from a single AMI when you need several instances with the same configuration, and use different AMIs when you need instances with different configurations.

You can launch an instance from an existing AMI, customize the instance (for example, install software on it), and then save the updated configuration as a custom AMI.

After you create an AMI, you can keep it private so that only your account can use it, share it with specific AWS accounts, or make it public so that the community can use it. Before sharing or publishing a custom AMI, make sure it contains no credentials, keys or other secrets; and when launching from a shared or public AMI, verify who owns it before trusting it, because whatever is baked into the image runs with the instance's access.

Instance lifecycle

An EC2 instance transitions through several states from the moment you launch it until its termination: pending, running, stopping, stopped, shutting-down and terminated.

Of these states, only running, and stopping when the instance is preparing to hibernate, are billed for instance usage. The other states (pending, stopped, shutting-down, terminated) are not billed for compute. Note that a stopped instance still incurs charges for any EBS volumes attached to it.

Auto Scaling

Amazon EC2 Auto Scaling lets you automatically add or remove EC2 instances according to user-defined conditions. Dynamic scaling responds to changing demand as it happens, while predictive scaling schedules the right number of EC2 instances ahead of time based on forecast demand. Dynamic and predictive scaling can be used together so that capacity is available sooner.

Key components of Amazon EC2 Auto Scaling are:

Groups – EC2 instances are organized into groups so that they can be treated as a single logical unit for the purposes of scaling and management.

Configuration templates – A group uses a launch template (or the legacy launch configuration) that holds the information needed to launch instances: AMI ID, instance type, key pair, security groups and block device mapping. Because every instance in the group inherits these settings, the template is where instance-level security (the AMI, the security groups, the instance profile) is effectively decided.

Scaling options – Options that let you scale a group on the occurrence of specific conditions (dynamic scaling) or on a schedule.
Amazon Web Services Fundamentals - 2. ECS and EKS

Amazon Elastic Container Service

Amazon Elastic Container Service (ECS) lets you deploy and run containerized workloads in AWS. It can run on AWS Fargate or on EC2 instances. ECS has no per-service charge; the cost comes from the resources you consume (the EC2 instances, or the Fargate CPU and memory), so the more resources used, the higher the cost.

Amazon Elastic Container Service on EC2

ECS can use EC2 instances to run containers. These EC2 instances are registered in a defined ECS cluster, which means ECS can schedule containers onto them.

An ECS cluster is a logical grouping of tasks or services. When running tasks or services on EC2, a cluster is also a grouping of container instances.

This option makes use of your existing infrastructure: your VPC, subnets and the tools / processes you already have for provisioning and managing EC2 instances. It also means the instances themselves (patching, hardening, the container runtime) remain your responsibility.

Additionally, if you have applications that require directly attached persistent storage, running on EC2 is a good choice.

ECS optimized AMI

AWS provides ECS-optimized AMIs that are preconfigured with the requirements and recommendations for ECS workloads, including the ECS container agent and the container runtime.

Amazon Elastic Container Service on Fargate

AWS Fargate is a serverless compute engine that lets you run containers without managing servers or clusters of instances. With Fargate there is no provisioning, configuration or scaling of instances to run containers; you still define the cluster, the task definitions and the IAM roles your tasks run with.

Amazon Elastic Kubernetes Service

Amazon EKS is a managed service that lets you run Kubernetes on AWS without having to install, operate or maintain the Kubernetes control plane (and, with managed node groups or Fargate, much of the node lifecycle). Unlike ECS, EKS charges $0.10 per hour for each EKS cluster, on top of the cost of the resources (nodes or Fargate capacity) the cluster uses.

EKS service fundamentals

An EKS cluster consists of two components:

• The EKS control plane
• Amazon EKS nodes that are registered with the control plane

The EKS control plane consists of control-plane nodes that run the Kubernetes services (such as etcd and the Kubernetes API server). It runs in an account managed by AWS, and the Kubernetes API is exposed through the EKS endpoint associated with the cluster. Whether that endpoint is reachable from the public internet, from the VPC only, or both is a cluster setting, and it is worth checking on every cluster.

The EKS cluster can schedule pods on:

Self-managed nodes – EC2 instances that run in your AWS account and connect to the cluster's control plane. You deploy one or more nodes in a node group, and you are responsible for provisioning, patching and registering them.

EKS managed node groups – the provisioning and lifecycle of the nodes (EC2 instances in your account) is automated. You do not need to separately provision or register the EC2 instances.

AWS Fargate – with Fargate there is no provisioning, configuration or scaling of VMs to run the pods.

3. Storage
Amazon Web Services Fundamentals - 3. Storage

Amazon Elastic Block Store (Amazon EBS)

Amazon EBS (Elastic Block Store) is a block-storage service that stores data in volumes. EBS volumes behave like raw, unformatted block devices that can be attached to instances as devices. An EBS volume attached to an instance is a storage volume that persists independently of the instance itself.

While attached to an instance, a volume's size can be increased (never decreased), its provisioned IOPS can be modified and its volume type can be changed, all on live production volumes. Multiple EBS volumes can be attached to a single instance. A single volume can be attached to multiple instances only when Multi-Attach is enabled, which is supported for Provisioned IOPS SSD (io1 / io2) volumes and only for instances in the same Availability Zone; the instances must then coordinate writes themselves, because an ordinary file system does not expect concurrent writers.

Amazon Elastic Block Store (Amazon EBS) – features

All EBS volume types, whether SSD-based (General Purpose or Provisioned IOPS) or HDD-based (Throughput Optimized, Cold HDD or the previous-generation Magnetic type), come with the following features:

Data availability – EBS volumes are automatically replicated within their Availability Zone to prevent data loss. A volume can be attached to any EC2 instance in the same Availability Zone.

Data persistence – EBS volumes persist independently of the instance.

Data encryption – EBS volumes can be encrypted with AES-256 using keys managed through AWS KMS. Encryption covers data at rest on the volume, data in transit between the volume and the instance, and every snapshot and volume derived from it. Encryption is decided at volume creation: an existing unencrypted volume cannot be encrypted in place, only through an encrypted snapshot copy.

Data security – EBS volumes are presented as raw, unformatted block devices. These are logical devices created on the EBS infrastructure, and AWS ensures they are logically empty (raw blocks are zeroed or contain cryptographically pseudorandom data) before being handed out.

Snapshotting – EBS volumes can be snapshotted, with the copies written to S3, where they are stored redundantly across multiple Availability Zones. A snapshot of an unencrypted volume is itself unencrypted, and a shared snapshot exposes everything on the volume, so snapshot sharing permissions deserve the same scrutiny as any other data-access control.

Flexibility – EBS volumes support live configuration changes in production, allowing changes to volume type, volume size and IOPS capacity without service interruption.

Amazon Elastic File System (EFS)

Amazon Elastic File System (EFS) is a serverless, set-and-forget, elastic file system. It is mounted by EC2 instances and other compute in the VPC over NFS versions 4.0 and 4.1 (NFSv4), through mount targets placed in your subnets. EFS is fully elastic, growing or shrinking according to demand. Network access to a file system is governed by the security groups attached to its mount targets, so an over-permissive mount-target security group exposes the whole file system to the subnet.

Amazon Simple Storage Service

Amazon Simple Storage Service (S3) is an object-storage service. Unlike file storage, where data is organized hierarchically in a tree of folders, S3 keeps objects in a flat namespace within a bucket: each object is addressed by its key and carries metadata (labels) that makes it easier to manage. Prefixes in keys (such as logs/2024/) give the appearance of folders in the console, but there is no real hierarchy. Access to buckets and objects is governed by IAM and bucket policies; a new bucket is private by default, so any public exposure is the result of an explicit policy or ACL.

AWS S3 Glacier Storage

The S3 Glacier storage classes are purpose-built for data archiving, offer virtually unlimited scalability and are designed for 99.999999999% (11 nines) of data durability. Durability is not availability: depending on the Glacier class, restoring an archived object takes anywhere from milliseconds to several hours, which matters when archived logs are needed for an investigation. Lifecycle rules that move objects to Glacier should be planned with that retrieval time in mind.

4. Database in AWS
Amazon Web Services Fundamentals - 4. Databases in AWS

Databases in AWS – Relational databases

To run relational databases in AWS, you can use Amazon RDS (Relational Database Service), a collection of managed services that set up, operate and scale cloud databases without much preparation work on your side.

RDS supports the MySQL, PostgreSQL, MariaDB, Oracle and Microsoft SQL Server engines.

Databases in AWS – RDS service

Amazon RDS is a managed SQL database service in the cloud that simplifies the provisioning, patching and backup of databases.

Architecturally, RDS is like setting up a database on an EC2 instance, but the provisioning and maintenance are left to AWS. RDS also provides out-of-the-box features such as failover and backups. RDS uses Amazon EBS volumes for database and log storage. Multi-AZ can be turned on, in which case the RDS instance is replicated synchronously to a standby replica in another Availability Zone; the standby exists for failover and does not serve reads.

Out of the box, RDS can:

• Scale storage automatically up to 64 TiB (except SQL Server, which is limited to 16 TiB) with zero downtime.

• Scale compute vertically by changing the instance class; the slide quotes up to 244 GiB of RAM and 32 vCPUs, and larger classes are available today.

• Run up to 5 read replicas per instance. Replication to read replicas is asynchronous and relatively slower than Aurora's.

Databases in AWS – Aurora service

Amazon Aurora is a cloud-native database that externally behaves like any other RDS database. It is API-compatible with MySQL (InnoDB only) and PostgreSQL, and is meant to be a drop-in replacement.

Aurora splits compute and storage into two separate components. Storage is handled by a purpose-built distributed data layer that takes advantage of AWS' cloud infrastructure.

Compared to standard RDS, Aurora has some very different architectural traits:

• Aurora replicas share the cluster's storage volume instead of replaying a log shipped from the primary, so replication lag is typically milliseconds and a cluster can have many more replicas than RDS: RDS allows 5 read replicas, Aurora allows 15.

• Every Aurora cluster keeps six copies of its data spread across three Availability Zones, even with a single compute node.

• Aurora Serverless (a configuration option, not Aurora in general) means you do not have to provision compute in advance: capacity scales up and down with demand, and compute is scaled down when the application is idle. With provisioned Aurora you choose the instance class, while storage grows automatically in both cases.

5. Networking reminders in AWS
Amazon Web Services Fundamentals - 5. AWS Networking architecture - VPC

Amazon VPC (Virtual Private Cloud)

Amazon Virtual Private Cloud (Amazon VPC) is a service that lets you create a logically isolated virtual network in which to run other AWS resources.

You have full control of the environment, including the ability to choose your IP address range, to create public-facing subnets for web servers with access to the internet, and private subnets with no internet access. The VPC also lets you set up multiple layers of security, including security groups (stateful, attached to network interfaces) and network access control lists (stateless, applied at the subnet boundary), to control access to the resources in each subnet.

Some basic VPC concepts are:

• Subnet
• Network access control lists
• Route table

Amazon VPC (Virtual Private Cloud) – Subnets

A subnet is a range of IP addresses in your VPC. You launch AWS resources into a specified subnet.

Each subnet must reside entirely within one Availability Zone and cannot span zones. A subnet can also be created in a Local Zone, which lets you place resources and services closer to end users. Within every subnet, AWS reserves the first four IPv4 addresses and the last one, so they are never assignable to instances.

Subnet types:

• Public subnet – the subnet's route table has a route to an internet gateway, so resources with a public IP address can reach and be reached from the internet.

• Private subnet – the subnet's route table has no route to an internet gateway. It may use a NAT device (for IPv4) or an egress-only internet gateway (for IPv6) to initiate outbound connections to the internet without being reachable from it.

• VPN-only subnet – subnet traffic is routed through a VPN connection via a virtual private gateway. Subnet traffic cannot reach the internet through an internet gateway.

When creating a subnet, you specify its IP addressing depending on the VPC configuration. It can be IPv4 only, dual-stack (IPv4 and IPv6) or IPv6 only.

Regardless of subnet type, an instance's primary IPv4 address is always a private address from the subnet's range; a public IPv4 address, if one is assigned, is mapped to it by the internet gateway. Whether a subnet is "public" is therefore decided by its route table and not by its name, and a subnet configured to auto-assign public IPs makes every instance launched into it reachable from the internet unless its security group says otherwise.

Amazon VPC (Virtual Private Cloud) – Network ACL

An AWS network ACL (NACL, Network Access Control List) allows or denies specific inbound or outbound traffic at the subnet level. You can either use the default network ACL of your VPC or create custom network ACLs to add an additional layer of security. The following are the basic things to know about network ACLs:

• The default network ACL that comes with a VPC allows all inbound and outbound traffic. A custom network ACL that you create denies all inbound and outbound traffic until you add rules.

• Each subnet in your VPC must be associated with a network ACL. If you do not associate a NACL with a subnet, the subnet is automatically associated with the default NACL.

• You can associate one NACL with multiple subnets. However, a subnet can only be associated with one NACL at a time.

• Rules are numbered and evaluated in ascending order; the first rule that matches the traffic decides, and the final, unremovable "*" rule denies anything no numbered rule matched. A deny rule placed at a higher number than a matching allow rule never takes effect.

• AWS evaluates the network ACL rules when traffic enters and leaves the subnet, but not as it is routed within the subnet.

• NACLs are stateless, meaning that responses to allowed inbound traffic are subject to the outbound rules (and vice versa). In practice this means an outbound rule for the ephemeral port range (1024-65535) is needed for replies to inbound connections, something a stateful security group handles automatically.
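The stateless rule evaluation described above, as an added example in Python that is not part of the slide deck: a small evaluator that applies network ACL rules the way AWS does (ascending rule number, first match wins, implicit final deny) and then pushes one SSH exchange through it to show why a custom NACL needs an outbound ephemeral-port rule and why rule ordering matters. All rule sets, addresses and ranges are constructed for the example; ICMP type/code matching is left out.

```python
"""Stateless network ACL evaluation over constructed rules (offline example)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    number: int       # evaluated in ascending order; first match decides
    protocol: str     # "tcp", "udp" or "-1" (all protocols); ICMP omitted here
    port_from: int    # destination port range the rule covers
    port_to: int
    cidr: str         # source CIDR for inbound rules, destination CIDR for outbound
    action: str       # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def evaluate(rules, pkt, direction):
    """Return "allow" or "deny" for one packet crossing the subnet boundary.

    Mirrors NACL semantics: rules are tried in ascending rule number, the first
    rule whose protocol, destination port and CIDR all match decides, and the
    implicit final "*" rule denies anything no numbered rule matched.
    """
    ip = pkt.src_ip if direction == "inbound" else pkt.dst_ip
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("-1", pkt.protocol):
            continue
        if r.protocol != "-1" and not (r.port_from <= pkt.dst_port <= r.port_to):
            continue
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(r.cidr):
            continue
        return r.action
    return "deny"  # the "*" rule


def tcp_session_allowed(inbound, outbound, client_ip, client_port, server_ip, server_port):
    """A stateless ACL must pass both halves of a TCP exchange separately:
    the client's request against the inbound rules and the server's reply,
    which goes back to the client's ephemeral port, against the outbound rules."""
    request = Packet("tcp", client_ip, server_ip, client_port, server_port)
    reply = Packet("tcp", server_ip, client_ip, server_port, client_port)
    return (evaluate(inbound, request, "inbound") == "allow"
            and evaluate(outbound, reply, "outbound") == "allow")


# Constructed rule sets. The default NACL created with every VPC has one rule
# (100) allowing everything in each direction.
DEFAULT_IN = [Rule(100, "-1", 0, 65535, "0.0.0.0/0", "allow")]
DEFAULT_OUT = [Rule(100, "-1", 0, 65535, "0.0.0.0/0", "allow")]

# A custom NACL starts empty (deny all). First attempt: allow SSH in from the
# corporate range only and add nothing outbound. Every SSH reply is dropped.
CORP = "198.51.100.0/24"          # constructed corporate range (TEST-NET-2)
CUSTOM_IN = [Rule(100, "tcp", 22, 22, CORP, "allow")]
CUSTOM_OUT_BROKEN = []

# Fix: allow outbound TCP to the ephemeral port range the client replies on.
CUSTOM_OUT_FIXED = [Rule(100, "tcp", 1024, 65535, CORP, "allow")]

# Ordering pitfall: a deny numbered above a matching allow never fires ...
SHADOWED_IN = [
    Rule(100, "tcp", 22, 22, "0.0.0.0/0", "allow"),
    Rule(110, "tcp", 22, 22, "203.0.113.0/24", "deny"),
]
# ... it has to come first.
ORDERED_IN = [
    Rule(90, "tcp", 22, 22, "203.0.113.0/24", "deny"),
    Rule(100, "tcp", 22, 22, "0.0.0.0/0", "allow"),
]


if __name__ == "__main__":
    args = ("198.51.100.7", 51234, "10.0.1.10", 22)
    print("default NACL, SSH:        ", tcp_session_allowed(DEFAULT_IN, DEFAULT_OUT, *args))
    print("custom, no outbound rule: ", tcp_session_allowed(CUSTOM_IN, CUSTOM_OUT_BROKEN, *args))
    print("custom, ephemeral outbound:", tcp_session_allowed(CUSTOM_IN, CUSTOM_OUT_FIXED, *args))
```

The same exchange passes a security group with only the inbound SSH rule, because security groups track connection state; the evaluator above has no state at all, which is exactly why the outbound rule is required.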

Amazon VPC (Virtual Private Cloud) – Route tables

A route table contains a set of rules, called routes, that determine where network traffic from your subnet or gateway is directed.

Each VPC has an implicit router. It takes all the route tables defined in the VPC and directs traffic within the VPC, as well as to destinations outside the VPC (an internet gateway, NAT device, virtual private gateway or peering connection), based on the routes defined in those tables. Every route table contains a local route for the VPC's own CIDR that cannot be deleted, and when several routes match a destination the most specific one (the longest prefix) wins.

Each subnet in your VPC must be associated with a route table, which controls the routing for the subnet. You can explicitly associate a subnet with a particular route table; otherwise, the subnet is implicitly associated with the main route table. A subnet can only be associated with one route table at a time, but multiple subnets can be associated with the same route table. Because subnets fall back to the main route table, adding an internet gateway route to the main table silently makes every implicitly associated subnet public.
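The subnet types from the Subnets slide and the route-table behaviour described above (longest-prefix matching, the local route, the fall-back to the main route table), as one added example in Python that is not part of the slide deck: it classifies each subnet of a constructed VPC as public, private, VPN-only or isolated purely from the routes in its effective route table, which is the check to run when a subnet's name and its actual exposure disagree. The VPC CIDR, subnet, gateway and route-table IDs are all invented for the example and only follow AWS naming patterns.

```python
"""Classify VPC subnets from their effective route tables (constructed data, offline)."""
import ipaddress

# Constructed VPC. Every ID below is invented; only the naming pattern is AWS-like.
VPC_CIDR = "10.0.0.0/16"

ROUTE_TABLES = {
    # main route table: only the local route, so any subnet left with the
    # implicit association cannot reach anything outside the VPC
    "rtb-main": [
        ("10.0.0.0/16", "local"),
    ],
    "rtb-public": [
        ("10.0.0.0/16", "local"),
        ("10.1.0.0/16", "pcx-0aa11bb2"),     # peered VPC, more specific than 0.0.0.0/0
        ("0.0.0.0/0", "igw-0a1b2c3d"),
    ],
    "rtb-private": [
        ("10.0.0.0/16", "local"),
        ("0.0.0.0/0", "nat-0f9e8d7c"),
        ("::/0", "eigw-0c0ffee0"),           # IPv6 outbound-only
    ],
    "rtb-vpn": [
        ("10.0.0.0/16", "local"),
        ("192.168.0.0/16", "vgw-04455667"),  # on-premises range over the VPN
    ],
}

# subnet -> explicitly associated route table, or None for the implicit main table
SUBNETS = {
    "subnet-web": "rtb-public",
    "subnet-app": "rtb-private",
    "subnet-corp": "rtb-vpn",
    "subnet-iso": None,
    "subnet-db-private": "rtb-public",   # misnamed: its routes make it public
}

PROBE_V4 = "203.0.113.10"   # arbitrary internet address (TEST-NET-3)
PROBE_V6 = "2001:db8::10"   # arbitrary internet address (documentation prefix)


def lookup_route(routes, dst):
    """Longest-prefix match, as the VPC router does. Returns the target of the
    most specific route containing dst, or None if no route matches (routes of
    the other IP version never match)."""
    addr = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def effective_route_table(subnet_id, main="rtb-main"):
    """Explicit association if there is one, otherwise the VPC's main table."""
    return SUBNETS[subnet_id] or main


def classify_subnet(subnet_id):
    """public / private / vpn-only / isolated, decided by routes alone."""
    routes = ROUTE_TABLES[effective_route_table(subnet_id)]
    v4 = lookup_route(routes, PROBE_V4) or ""
    v6 = lookup_route(routes, PROBE_V6) or ""
    if v4.startswith("igw-") or v6.startswith("igw-"):
        return "public"
    if v4.startswith("nat-") or v6.startswith("eigw-"):
        return "private"
    if any(target.startswith("vgw-") for _, target in routes):
        return "vpn-only"
    return "isolated"


def internet_facing_subnets():
    """The audit question: which subnets can be reached from the internet?
    Answered from the routes, not from the subnet names."""
    return sorted(s for s in SUBNETS if classify_subnet(s) == "public")


if __name__ == "__main__":
    for subnet in SUBNETS:
        print(f"{subnet:20s} {effective_route_table(subnet):12s} {classify_subnet(subnet)}")
    print("internet-facing:", internet_facing_subnets())
```

Against a real account the same logic would be fed the output of DescribeRouteTables and DescribeSubnets; the classification rules do not change, and the misnamed subnet-db-private case is the one that name-based reviews miss.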
THANK YOU!

ANDREI DANEASA
PRINCIPAL DATA CONSULTANT, ENDAVA BHD

Petrus-Iulian Fatu
DevOps Consultant, Endava BHD
Q&A
