AWSforbeginnersv2 Compressed

Uploaded by

a.hamoud6161

AWS Core Services Introduction For Beginners

Eissa Abousherif
DolfinED Founder and Lead Content Architect
Best Selling Instructor (120,000+ students, 180+ Countries)
Author of the highest rated AWS Content
Cloud Infrastructure Architect & AWS Certified Architect
Getting Organized

© DolfinED All rights reserved


Who Can Attend This Course?


Audience

• Anyone willing to learn AWS.
• Individuals starting or transforming their careers into IT.
• Managers and Project Managers who are keen on understanding the AWS Cloud.
• Cloud and Multi-Cloud career aspirants.
• DevOps Engineering aspirants.


Recommended Prerequisites


Pre-Requisites

• Basic IT knowledge
• Laptop and Internet connectivity
• IT and TCP/IP fundamentals course on DolfinED.com

https://www.dolfined.com/courses/ITF-Cloud-DevOps-TCPIP-fundamentals



Introduction to Cloud Computing
The IT Game Changer


Introduction to (Web) Applications


Client-Server (Web) Applications

Web applications include websites, e-commerce websites, or any application accessible over the public Internet.
• The application components are deployed to server(s).
• The client initiates the request; the server processes the request and sends a response.


Physical Servers



Physical (Bare-metal) Servers

A physical server is basically a powerful computer with:
• A good-sized memory (RAM),
• One or more CPU(s),
• One or more disk drives to store the operating system and data,
• One or more network interfaces, and
• One or more GPUs.

• We need to install an operating system, and then we can install one or more applications on the server.
• Servers can support 10s, 100s, or 1000s of users because of their high specifications.


Introduction to Data Centers


Data Centers Are Where We Host Application Servers

In traditional IT, the servers and applications are hosted in client-specific, purpose-designed IT data centers (separate physical locations or on-premises).
• A data center is a considerably sized space that is air conditioned, secured, and manned to ensure continuous operations.


Data Center Servers Are Placed In Racks

• Rack-mountable servers are mounted and cabled inside data center (DC) racks.
• Racks are physically secured (locked and monitored).


On-Premises / Data Center – All Yours to Build and Operate!

CAPEX model. The full stack, from top to bottom: App, Data, Runtime, Middleware, Operating System, Virtualization, Hardware, Storage, Network.

The customer is 100% responsible for all of it: design, cost, build, operations, optimization, upgrades, security, etc.


On-Premises, Private Data Centers vs. Cloud


Is A Data Center Equivalent To A Cloud?

A Data Center ≠ A Cloud

A data center infrastructure requires a layer of orchestration and automation to become a cloud (for provisioning, updating, and monitoring services).
A data center is a component of a cloud but is not a synonym of a cloud.


Is A Data Center Equivalent To A Cloud?

A Data Center + Automation/Orchestration = A Cloud


Cloud – Is A Shared Responsibility!

In cloud computing, everything the customer needs is pre-built and ready for use, starting from the infrastructure, all the way up to the applications, databases, security, storage, etc. (OPEX model).

We are here at the perfect time!


Cloud Types - Private, Public & Hybrid Cloud


Private vs. Public Cloud



Hybrid Cloud

A hybrid cloud is a mix of public and on-premises private cloud that is orchestrated to run a single task.

• It is a more complex cloud solution because the organization must manage multiple platforms.
• Suitable for cost effectiveness, backup, disaster recovery, development and testing.


Multi Cloud

Multi cloud is the use of multiple cloud computing and storage services in a single heterogeneous architecture.

Organizations will continue to use multiple cloud providers for different use cases.


AWS is Leading the Public Cloud Market for Years!

(Market share charts for 2021 and 2022 not reproduced.)

Microsoft Azure and Google’s GCP are catching up. Azure is narrowing the gap to AWS.


Hybrid Cloud & Multi Cloud

Hybrid Cloud: a mix of public and on-premises private cloud that is orchestrated to run as a single task.

Multi Cloud: the use of multiple cloud computing and storage services in a single heterogeneous architecture.

Hybrid Multi-Cloud: deployment, automation, and orchestration.


Cloud Services

IaaS, PaaS, SaaS, xaaS



Cloud – as a Service (aaS) Model

(Diagram, not reproduced: the stack App, Data, Runtime, Middleware, Operating System, Virtualization, Hardware, Storage, Network shown as four columns, On-Premises, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), with each layer marked either Customer Managed or Provider Managed.)


Introduction to AWS Services – Part I
High Level Introduction


Section Outline

In this section we will learn:
• AWS Global Infrastructure
• AWS Regions and Availability Zones
• Walkthrough of the AWS website
• Identity and Access Management (IAM) 101
• AWS Virtual Private Cloud (VPC) 101
• Public and private subnets in a VPC in AWS
• Hybrid Connectivity Options 101


AWS Global Infrastructure



AWS Global Infrastructure

https://aws.amazon.com/about-aws/global-infrastructure/



Deploying Applications In AWS - How To Choose Which Region To Use?

• Consider data compliance and governance limitations (do you need to keep the data access confined to a specific geography/region?).
• Choose a region close to the bulk of your users (lower latency).
• Ensure the selected region has the services you need.
• AWS pricing differs per region for many services; choose the one that meets your pricing expectations.


Hands-on Labs (HoLs)

Creating an AWS Account



Hands-on Labs (HoLs)

AWS Management Console Walkthrough & Enabling Local Zones In An Account


Hands-on Labs (HoLs)

AWS Free Tier Walkthrough



Hands-on Labs (HoLs)

Creating A Cost Budget



AWS IAM 101



AWS Identity and Access Management (IAM) 101


IAM in a Nutshell

• IAM helps create and manage identities, authentication, and authorization for AWS
account(s).
• An AWS account trusts IAM and its decisions for authentication and authorization.



IAM Features

• IAM is a global AWS service.
• IAM provides shared access to AWS accounts.
• IAM allows for granular permissions.
• IAM can be used to secure access to AWS resources for applications that run on AWS.
• AWS customers can enable Multi-Factor Authentication.
• IAM can be used to configure Identity Federation.


IAM Features (cont.)

• We can maintain Identity information logs for audits and compliance purposes.
• IAM is PCI DSS (Payment Card Industry Data Security Standard) compliant.
• IAM is integrated with many AWS services.
• IAM is eventually consistent.
• IAM is free to use.
• We can provide temporary access using AWS STS.



IAM Identities - Users, User Groups, and Roles

• IAM identities are what we create to represent the entity that uses AWS resources.
• IAM Users, IAM User Groups, and IAM Roles are the IAM identities in AWS.
• Any identity that needs to use AWS resources must be authenticated and then authorized to carry out the intended actions.
• One or more policies can be attached to an identity to define what permissions are allowed for the identity, on which resources, and under what conditions.


- IAM Identities – Users
- IAM Best Practices



IAM User - Access to AWS & Multi Factor Authentication (MFA)

• For any user, we can assign a username and password and/or an access key (an access key ID and a secret access key).
• Use MFA with the root user and any other privileged users in your account.


IAM Best Practices

• Lock away your AWS account root user console access credentials and lock away or
delete its access keys (an access key ID and secret access key).
• Create individual IAM users.
• Use AWS defined/managed policies to assign permissions whenever possible (AWS
ready policies).
• Use Groups to assign permissions to IAM users.
• Grant least privilege (AWS least privilege principle).
• Configure a strong password policy for users.
• Enable MFA for the root user and any privileged users.



IAM Best Practices (cont.)

• Use roles for applications that run on AWS EC2 instances.
• Delegate by using roles instead of sharing credentials.
• Rotate credentials regularly.
• Remove unnecessary credentials.
• Use policy conditions for extra security.
• Monitor activity in your AWS account.
• Use access levels to review IAM permissions (AWS categorizes each service action into one of four access levels based on what each action does: List, Read, Write, or Permissions management).


AWS Account – Password Policy for IAM Users

The default password policy is:
• Minimum password length is 8 characters
• The password is not identical to the account name or email address
• The password has a mix of alphanumeric and special characters

When you change the password policy:
• Settings are enforced the next time the users change their password
• Users are not forced to change their existing passwords, even if they do not adhere to the new policy.
• The expiration period is enforced immediately (for old passwords too).
• We cannot create a lockout policy to lock a user account after a certain number of failed sign-in attempts.
• The password policy does not apply to the root user or to IAM access keys.


Hands-on Labs (HoLs)

AWS IAM Service Dashboard Walkthrough & Creating an IAM User


TCP/IP – Addresses and Protocols 101


Decimal Numbering System



Exponents – A Base To The Power x

The power of a number says how many times to use the number in a multiplication.

10^2 (base 10, exponent 2) means 10 x 10 = 100.

Any number ^ 0 = 1

Decimal Numbering System

• The base is 10.
• We call each number a digit in decimal.
• Digits can have one of 10 values (0 to 9).
• We have units, tens, hundreds, etc.

Example: the decimal integer 204 can be represented as

  Hundreds: 2 x 10 x 10   Tens: 0 x 10   Units: 4 x 1

or in exponent format

  2 x 10^2   0 x 10^1   4 x 10^0


Decimal Numbering System – The Weights Of Digit Positions

Thousands   Hundreds   Tens     Units
x 10^3      x 10^2     x 10^1   x 10^0


Binary Numbering System


Binary Numbering System

Computer systems and digital systems all use binary numbering internally.
• Binary numbering is based on two values, 0 and 1.
• When we use decimal numbering in our applications, it is converted internally to binary by the computer system.
• We call each number a binary digit (bit) in binary.


Binary Numbering System – The Weights Of Bit Positions

Bit position:   8th     7th     6th     5th     4th     3rd     2nd     1st
Weight:         x 2^7   x 2^6   x 2^5   x 2^4   x 2^3   x 2^2   x 2^1   x 2^0
                x 128   x 64    x 32    x 16    x 8     x 4     x 2     x 1


Binary Representation

Bit position in the octet (N):   7 (8th, left)   6 (7th)   5 (6th)   4 (5th)   3 (4th)   2 (3rd)   1 (2nd)   0 (1st)
Decimal weight:                  128             64        32        16        8         4         2         1

Decimal weight = 2^N, where N is the bit position.


Binary Numbering System - Example

Find the decimal equivalent of the binary number 00001000

Binary: 00001000

Bit position:   8th       7th       6th       5th       4th       3rd       2nd       1st
                0 x 2^7   0 x 2^6   0 x 2^5   0 x 2^4   1 x 2^3   0 x 2^2   0 x 2^1   0 x 2^0
                0         0         0         0         8         0         0         0

Binary: 00001000   Decimal: 8


Binary Numbering System - Example

Find the decimal equivalent of the binary number 00001100

Binary: 00001100

Bit position:   8th       7th       6th       5th       4th       3rd       2nd       1st
                0 x 2^7   0 x 2^6   0 x 2^5   0 x 2^4   1 x 2^3   1 x 2^2   0 x 2^1   0 x 2^0
                0         0         0         0         8         4         0         0

Binary: 00001100   Decimal: 12


Binary Numbering System - Example

Find the decimal equivalent of the binary number 11001100

Binary: 11001100

Bit position:   8th       7th       6th       5th       4th       3rd       2nd       1st
                1 x 2^7   1 x 2^6   0 x 2^5   0 x 2^4   1 x 2^3   1 x 2^2   0 x 2^1   0 x 2^0
                128       64        0         0         8         4         0         0

Binary: 11001100   Decimal: 204


Binary Representation – Binary to Decimal Conversion Example

Binary: 1100 1100

Bit position in the octet (N):             7 (8th, left)   6 (7th)   5 (6th)   4 (5th)   3 (4th)   2 (3rd)   1 (2nd)   0 (1st)
Decimal equivalent if binary digit = 1:    128             64        32        16        8         4         2         1
Decimal equivalent if binary digit = 0:    0               0         0         0         0         0         0         0

Decimal equivalent: 128 + 64 + 8 + 4 = 204


Decimal and Binary Numbering Systems

• As in decimal numbering, each position in a binary number has a weight.
• TCP/IP addresses are a crucial topic to learn for cloud and IT in general.
• TCP/IP requires a minimum understanding of the binary system to master it.
• We can use online calculators too (once we understand the theory behind them).

Decimal: 204   Binary: 11001100


Binary Representation – Binary to Decimal Conversion Example

Binary: 1010 0011

Bit position in the octet (N):             7 (8th, left)   6 (7th)   5 (6th)   4 (5th)   3 (4th)   2 (3rd)   1 (2nd)   0 (1st)
Decimal equivalent if binary digit = 1:    128             64        32        16        8         4         2         1
Decimal equivalent if binary digit = 0:    0               0         0         0         0         0         0         0

Decimal equivalent: 128 + 32 + 2 + 1 = 163


Decimal to Binary Conversion


Binary Representation – Decimal to Binary conversion example

Decimal: 191   Binary: ?

Bit position (N):                      8 (9th)   7 (8th)   6 (7th)   5 (6th)   4 (5th)   3 (4th)   2 (3rd)   1 (2nd)   0 (1st)
Decimal weight if binary digit = 1:    256       128       64        32        16        8         4         2         1
Decimal weight if binary digit = 0:    0         0         0         0         0         0         0         0         0


IP Addresses 101



Client-Server (Web) Applications – Open Questions!

• How can the client specify which server to talk to?
• How can the server know which client to respond to?
• How can the internet get the request from the client to the correct server, and the response from the server to the correct client?

This is done using:
• IP addresses / ports (for clients and servers), and
• IP routing on the internet.

(Diagram, not reproduced: the client, with its client IP address, initiates the request; the server, with its server IP address, processes the request and sends a response; IP routing carries both across the internet.)


IP Addresses – Why Do We Need Them?

• Almost all data transfer today happens over TCP/IP protocols.
• TCP/IP stands for Transmission Control Protocol / Internet Protocol.
• Think of an IP address like the business or home address of a person that is required to correctly send a letter or a package to that person.
  - IP addresses are used to identify the computing device and facilitate locating it and forwarding traffic to it.

(Diagram, not reproduced: four people with postal addresses in Lansing, Cairo, London, and Bangalore, beside IP Address 1 to IP Address 4. People need addresses to communicate by mail; computing devices need IP addresses to communicate.)

TCP/IP Address - Versions

IPv4:
• Decimal notation
• 32 bits long
• 4 bytes or octets (each is 8 bits)
• Example: 120.130.233.12
• Requires a subnet mask
• Can have public or private ranges

IPv6:
• Hexadecimal notation (0-9 & A-F)
• 128 bits long
• 8 fields, each up to 16 bits (2 octets)
• Example: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
• Requires a subnet mask
• All public


TCP/IP Addressing & Binary Representation

• Any IPv4 address is composed of 4 octets.
• Each octet is 8 binary digits (bits).
• The maximum number in an octet is 255.

192.16.65.130  =  192 . 16 . 65 . 130
               =  1100 0000 . 0001 0000 . 0100 0001 . 1000 0010

Bit position in the octet (N):          7 (8th, left)   6 (7th)   5 (6th)   4 (5th)   3 (4th)   2 (3rd)   1 (2nd)   0 (1st)
Decimal weight if binary digit = 1:     128             64        32        16        8         4         2         1
Decimal weight if binary digit = 0:     0               0         0         0         0         0         0         0
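The octet arithmetic from the binary slides, written out as an added example (editor-supplied Python, not code from the course): the weight 2^N summed for every 1 bit, the greedy weight subtraction used in the decimal-to-binary table, and the same conversion applied octet by octet to a dotted-decimal IPv4 address such as 192.16.65.130. The function names are the example's own.

```python
# Bit position N = 7 .. 0 carries weight 2^N: 128, 64, 32, 16, 8, 4, 2, 1
WEIGHTS = [2 ** n for n in range(7, -1, -1)]


def binary_octet_to_decimal(bits: str) -> int:
    """Sum the weights of the positions that hold a 1, e.g. 11001100 -> 128+64+8+4 = 204."""
    bits = bits.replace(" ", "")            # accept the slides' "1100 1100" spacing
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError(f"expected 8 binary digits, got {bits!r}")
    return sum(w for w, b in zip(WEIGHTS, bits) if b == "1")


def octet_expansion(bits: str) -> str:
    """The worked expansion shown on the slides: '1 x 2^7 + 1 x 2^6 + ... = 204'."""
    bits = bits.replace(" ", "")
    terms = " + ".join(f"{b} x 2^{n}" for n, b in zip(range(7, -1, -1), bits))
    return f"{terms} = {binary_octet_to_decimal(bits)}"


def decimal_to_binary_octet(value: int) -> str:
    """Greedy weight subtraction, as in the decimal-to-binary slide table.
    191: 128 fits (63 left), 64 does not, then 32/16/8/4/2/1 all fit -> 10111111."""
    if not 0 <= value <= 255:
        raise ValueError("an octet holds values 0..255")
    out = []
    for w in WEIGHTS:
        if value >= w:
            out.append("1")
            value -= w
        else:
            out.append("0")
    return "".join(out)


def ipv4_to_binary(address: str) -> str:
    """Dotted decimal -> four 8-bit groups: 192.16.65.130 -> 11000000.00010000.01000001.10000010"""
    octets = address.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets in {address!r}")
    return ".".join(decimal_to_binary_octet(int(o)) for o in octets)


def binary_to_ipv4(binary: str) -> str:
    """Inverse of ipv4_to_binary; nibble spacing like '1100 0000 . 0001 0000 . ...' is tolerated."""
    groups = [g.replace(" ", "") for g in binary.split(".")]
    if len(groups) != 4:
        raise ValueError(f"expected four binary octets in {binary!r}")
    return ".".join(str(binary_octet_to_decimal(g)) for g in groups)


def nibble_spaced(binary: str) -> str:
    """Render in the slides' layout: '1100 0000 . 0001 0000 . 0100 0001 . 1000 0010'."""
    return " . ".join(f"{g[:4]} {g[4:]}" for g in binary.split("."))


if __name__ == "__main__":
    for b in ("00001000", "00001100", "11001100", "1010 0011"):
        print(b, "->", octet_expansion(b))
    print(191, "->", decimal_to_binary_octet(191))
    print("192.16.65.130 ->", nibble_spaced(ipv4_to_binary("192.16.65.130")))
```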


Client-Server (Web) Applications – IP Addresses

All devices on the Internet, or even on local (private) networks, use IP addresses.
• This includes phones, wifi devices at home, printers connected to the network, servers, etc.
• You can find your device’s IP address using
  - C:\> ipconfig on Windows
  - # ipconfig getifaddr en0 on macOS

(Diagram, not reproduced: the client at 120.11.12.13 initiates the request, IP routing carries it, and the server at 201.103.1.2 processes the request and sends a response.)


TCP/IP Addressing – Network/Host of an IP address

192.168.240.1/24

  192.168.240      .1      /24
  Network part     Host    Subnet mask length

Binary equivalent: 1100 0000 . 1010 1000 . 1111 0000 . 0000 0001
                   (network part, /24: the first 24 bits)   (host part: the last 8 bits)


IP Addresses – Networks and Subnets


TCP/IP Addressing – CIDR

CIDR: Classless Inter-Domain Routing

CIDR range examples:
• 10.0.0.0/8
• 192.168.1.0/24
• 120.100.0.0/16

Subnets: any CIDR can be broken down into smaller chunks called subnets (subnetting).

(Diagram, not reproduced: 10.0.0.0/8 split into 10.0.0.0/9 and 10.128.0.0/9; 192.168.1.0/24 shown as a CIDR range.)


TCP/IP Addressing – Subnetting

CIDR: 192.168.240.0/24   IP address range 0 - 255

Subnet            Host IP range   Subnet mask
192.168.240.0     0 - 63          /26
192.168.240.64    64 - 127        /26
192.168.240.128   128 - 191       /26
192.168.240.192   192 - 255       /26


TCP/IP Addressing – Subnetting

192.168.240.0/24   1100 0000 . 1010 1000 . 1111 0000 . 00 00 0000   IP range 0 - 255

Subnet mask /26 (the two borrowed bits of the last octet are set off with a space):
Subnet 192.168.240.0     1100 0000 . 1010 1000 . 1111 0000 . 00 00 0000
Subnet 192.168.240.64    1100 0000 . 1010 1000 . 1111 0000 . 01 00 0000
Subnet 192.168.240.128   1100 0000 . 1010 1000 . 1111 0000 . 10 00 0000
Subnet 192.168.240.192   1100 0000 . 1010 1000 . 1111 0000 . 11 00 0000


TCP/IP Addressing – Number Of Hosts In The Different Subnet Sizes

192.168.240.0/24   IP range 0 - 255

n = subnet mask length, z = bits to be borrowed, i = number of subnets that z bits can represent (i <= 2^z), k = host field length = 32 - (n + z), m = number of possible hosts in the network = 2^k, m - 2 = number of usable IP addresses.

n     Desired subnets   z   i    Updated subnet mask length   k   m     m - 2
/24   Up to 2           1   2    /25                          7   128   126
/24   Up to 4           2   4    /26                          6   64    62
/24   Up to 8           3   8    /27                          5   32    30
/24   Up to 16          4   16   /28                          4   16    14
/24   Up to 32          5   32   /29                          3   8     6
/24   Up to 64          6   64   /30                          2   4     2


TCP/IP Addressing – IPv4 Address Classes

Class     IP Address Range               Supports
Class A   1.0.0.0 to 126.255.255.255     16M hosts on each of 127 networks
Class B   128.0.0.0 to 191.255.255.255   65K hosts on each of 16K networks
Class C   192.0.0.0 to 223.255.255.255   254 hosts on each of 2M networks
Class D   224.0.0.0 to 239.255.255.255   Multicast
Class E   240.0.0.0 to 255.255.255.255   Reserved


TCP/IP Addressing – Public (Internet Routable) vs. Private IP Ranges

Public or Internet routable IP ranges are those assigned by Internet registries and can be used on the public Internet.
• You cannot use these IP addresses on the Internet arbitrarily; they get assigned to clients based on approved requests.

Private IP addresses are meant for use within/inside enterprise networks.
• They cannot be used on the Internet, and they cannot be reached from the Internet directly.

10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 are private ranges that can be used freely within private networks.
• They are defined in RFC 1918 and are supported in AWS.


Overlapping Subnets



TCP/IP Addressing – Subnets Overlap

192.168.240.0/24    Host IP range 0 - 255 (the green subnet in the slide)

192.168.240.0/25    Host IP range 0 - 127   Overlapping: 0 - 127 exists in the green subnet
192.168.240.0/26    Host IP range 0 - 63    Overlapping: 0 - 63 exists in the green subnet
192.168.240.0/27    Host IP range 0 - 31    Overlapping: 0 - 31 exists in the green subnet


TCP/IP Addressing – Subnets Overlap (cont.)

192.168.240.0/24    Host IP range 0 - 255

192.168.140.0/25    Host IP range 0 - 127   No overlapping: different network (.140)
192.168.40.0/26     Host IP range 0 - 63    No overlapping: different network (.40)
192.168.241.0/27    Host IP range 0 - 31    No overlapping: different network (.241)
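Subnetting, the host-count table, subnet overlap and the RFC 1918 check from the preceding slides, worked from first principles with integer masks (an added Python example, not course code; the function names are the example's own). It goes slightly beyond the slides by checking a whole list of proposed subnets for overlapping pairs, which is what the VPC rule "subnets cannot overlap" asks you to verify before creating them.

```python
ALL_ONES = 0xFFFFFFFF
RFC1918_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def ip_to_int(address: str) -> int:
    octets = [int(o) for o in address.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {address!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_for(prefix_len: int) -> int:
    """/24 -> 0xFFFFFF00: the first prefix_len bits are 1 (network part), the rest 0 (host part)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (ALL_ONES << (32 - prefix_len)) & ALL_ONES


def parse_cidr(cidr: str):
    """Return (network address as int, prefix length); host bits in the given address are cleared."""
    address, prefix = cidr.split("/")
    prefix_len = int(prefix)
    return ip_to_int(address) & mask_for(prefix_len), prefix_len


def subnet_plan(cidr: str, borrowed_bits: int) -> dict:
    """Borrow z host bits from a /n block: 2^z subnets of /(n+z), each with k = 32-(n+z)
    host bits, m = 2^k addresses and m-2 usable hosts (network and broadcast excluded)."""
    network, n = parse_cidr(cidr)
    z = borrowed_bits
    k = 32 - (n + z)
    if z < 1 or k < 2:
        raise ValueError("need at least one borrowed bit and two host bits left")
    block_size = 2 ** k
    subnets = [f"{int_to_ip(network + i * block_size)}/{n + z}" for i in range(2 ** z)]
    return {"n": n, "z": z, "subnets": subnets, "new_prefix": n + z,
            "k": k, "m": block_size, "usable": block_size - 2}


def host_table(cidr: str, max_borrowed: int = 6) -> list:
    """The rows of the slide table for z = 1..max_borrowed, without the subnet lists."""
    rows = []
    for z in range(1, max_borrowed + 1):
        plan = subnet_plan(cidr, z)
        rows.append({key: plan[key] for key in ("n", "z", "new_prefix", "k", "m", "usable")})
    return rows


def overlaps(cidr_a: str, cidr_b: str) -> bool:
    """Two blocks overlap exactly when their network addresses agree under the shorter of
    the two masks; the larger block then contains the smaller one entirely."""
    net_a, len_a = parse_cidr(cidr_a)
    net_b, len_b = parse_cidr(cidr_b)
    shared = mask_for(min(len_a, len_b))
    return (net_a & shared) == (net_b & shared)


def is_subnet_of(cidr: str, parent: str) -> bool:
    return parse_cidr(cidr)[1] >= parse_cidr(parent)[1] and overlaps(cidr, parent)


def is_rfc1918(cidr: str) -> bool:
    """True when the whole block lies inside one of the private ranges."""
    return any(is_subnet_of(cidr, private) for private in RFC1918_RANGES)


def find_overlaps(cidrs: list) -> list:
    """Every overlapping pair in a proposed subnet list, e.g. before creating VPC subnets."""
    return [(a, b) for i, a in enumerate(cidrs) for b in cidrs[i + 1:] if overlaps(a, b)]


if __name__ == "__main__":
    for row in host_table("192.168.240.0/24"):
        print(row)
    print(subnet_plan("192.168.240.0/24", 2)["subnets"])
    print(find_overlaps(["192.168.240.0/24", "192.168.240.0/25", "192.168.241.0/27"]))
```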


Quick Subnets for Hands-On Testing


TCP/IP Addressing – Quick Subnets - Can be used for experimenting

10.0.0.0 range            192.168.0.0/16 range          172.16.0.0/12 range
CIDR       10.0.0.0/16    CIDR       192.168.0.0/16     CIDR       172.16.0.0/16
Subnet 1   10.0.1.0/24    Subnet 1   192.168.1.0/24     Subnet 1   172.16.1.0/24
Subnet 2   10.0.2.0/24    Subnet 2   192.168.2.0/24     Subnet 2   172.16.2.0/24
Subnet 3   10.0.3.0/24    Subnet 3   192.168.3.0/24     Subnet 3   172.16.3.0/24


Introduction to Switching and Routing


LAN Switches & Connecting Devices On The Same IP Network

LAN: Local Area Network
• A network that connects compute devices in close physical proximity (same house, office, building, or campus).
• Switches are the main LAN devices used for connectivity.
• WiFi routers also connect WLAN devices together (SOHO or campus).
• Switches are also used to connect servers in a data center or within cloud infrastructure.


Routers

Routers are required to connect separate IP networks or subnets.

(Diagram, not reproduced: a router in Dubai connected to a router in the UK.)


Router/Switch Devices

• Your home WiFi device has WLAN, Switch, and Router functionalities
• When two devices on the same subnet or IP network need to communicate, they do not
need to consult the routers (example printing on a WiFi-connected printer at home)



The Internet

The Internet is a huge number of networks interconnected using routers.

(Diagram, not reproduced: Internet routers joined by high speed connections.)


IP Routing – How?

• Each router builds a routing table (database) of known destinations and how to reach them.
• Routing tables can be configured statically (manually): static IP routing.
• Routing tables can also be configured dynamically: dynamic IP routing.
  - Requires using dynamic routing protocols (OSPF and BGP are examples).


AWS Virtual Private Cloud (VPC) 101

AWS Virtual Private Cloud (VPC) Components


Virtual Private Cloud (VPC) – What is it?

• A VPC is a virtual data center in the cloud.
• A VPC is isolated from other VPCs by default (we can choose to connect it to other VPCs).
• AWS clients have full control over their own VPCs.
• A VPC is confined to a single AWS region.
• A default VPC is created automatically in each AWS region when an AWS account is created.
• A VPC spans all AZs in a region and can have one or more subnets.


VPC Components

• CIDR block (e.g., 10.0.0.0/16) and subnets
• Implied router
• Route tables
• Internet Gateway (IGW)
• Virtual Private Gateway (VGW)
• Security Groups
• Network Access Control Lists (Network ACLs)


VPC Components – CIDR Block

• The VPC’s main CIDR block cannot be changed after it has been created.
• We can expand the VPC address pool by adding up to 4 additional secondary CIDR blocks.

Limitations can be found here:
https://docs.aws.amazon.com/vpc/latest/userguide/configure-your-vpc.html#vpc-cidr-blocks


VPC Components - Subnets

• We can configure multiple subnets per VPC.
• In each AZ we can have one or more subnets.
• A subnet cannot stretch between AZs.
• Subnets in a VPC cannot overlap.


VPC Components – Implied Router

• The implied router is used to communicate among the subnets in a VPC and between the VPC and the outside world (inside/outside of AWS).
• We cannot access or log in to the implied router’s configuration; it is fully managed by AWS.
• Routing among VPC subnets is guaranteed by default.


VPC Components – Route Tables

• Each VPC has a default route table, the main route table.
• A subnet can attach to one route table at a time.
• A route table can be used by more than one subnet at the same time.
• We can create custom route tables as required.
• Routing among VPC subnets is guaranteed by default.



VPC Components – Internet Gateway (IGW)

• The Internet Gateway (IGW) is a fully managed service that is horizontally scaled, redundant, and highly available.
• It will never become a traffic bottleneck.
• Only one Internet gateway can be attached to a VPC at a time.
• IGWs support both IPv4 and IPv6.


Hands-on Labs (HoLs)

Virtual Private Cloud (VPC) Dashboard Walkthrough – Part I


Public vs. Private Subnets In a VPC


TCP/IP Addressing – Public (Internet Routable) vs. Private IP Ranges

Public or Internet routable IP ranges are those assigned by Internet registries and can be used on the public Internet.
• You cannot use these IP addresses on the Internet arbitrarily.
• They get assigned to clients based on approved requests.

Private IP addresses
• For use within/inside enterprise networks.
• They cannot be used on the Internet (they are filtered out by all Internet routers), and they cannot be reached from the Internet directly.

RFC 1918 IP ranges:
10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 are private IP address ranges that can be used freely and are supported in AWS.


IPv6 Addressing

All IPv6 addresses are public.
• Therefore, AWS allocates the IPv6 address ranges to ensure no conflicting or overlapping ranges.


Network Address Translation (NAT)



Public Subnet vs. Private Subnet in a VPC

A subnet can be considered a public subnet if it satisfies two conditions:
• It is in a VPC that has an Internet gateway attached, and
• Its associated route table has a default route entry pointing at the VPC’s IGW.
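The two conditions above as a check over a simplified VPC model, added here as an example (editor-supplied Python, not course code and not the AWS API shape; the subnet names, route table ids and the igw-/nat- ids are constructed placeholders). A subnet with no explicit route table association uses the VPC's main route table, so the check resolves that first; a default route that points at a NAT gateway instead of the IGW leaves the subnet private.

```python
DEFAULT_ROUTE = "0.0.0.0/0"

# Constructed, simplified VPC model for this example (not AWS API output).
SAMPLE_VPC = {
    "cidr": "10.0.0.0/16",
    "attached_igw": "igw-EXAMPLE1",      # None when no internet gateway is attached
    "subnets": ["subnet-web", "subnet-app", "subnet-db"],
    "route_tables": [
        {   # main route table: used by any subnet without an explicit association
            "id": "rtb-main", "main": True, "subnet_associations": [],
            "routes": [{"destination": "10.0.0.0/16", "target": "local"}],
        },
        {   # default route to the IGW -> public subnet
            "id": "rtb-public", "main": False, "subnet_associations": ["subnet-web"],
            "routes": [{"destination": "10.0.0.0/16", "target": "local"},
                       {"destination": DEFAULT_ROUTE, "target": "igw-EXAMPLE1"}],
        },
        {   # default route to a NAT gateway -> outbound only, still a private subnet
            "id": "rtb-nat", "main": False, "subnet_associations": ["subnet-app"],
            "routes": [{"destination": "10.0.0.0/16", "target": "local"},
                       {"destination": DEFAULT_ROUTE, "target": "nat-EXAMPLE1"}],
        },
    ],
}


def route_table_for(subnet_id, route_tables):
    """A subnet uses its explicitly associated route table, otherwise the VPC's main table."""
    for table in route_tables:
        if subnet_id in table["subnet_associations"]:
            return table
    for table in route_tables:
        if table["main"]:
            return table
    raise ValueError("VPC has no main route table")


def classify_subnet(subnet_id, vpc):
    """Return ('public' or 'private', reason) by checking both slide conditions."""
    igw = vpc.get("attached_igw")
    table = route_table_for(subnet_id, vpc["route_tables"])
    default_targets = [r["target"] for r in table["routes"] if r["destination"] == DEFAULT_ROUTE]
    if igw is None:
        return "private", "no internet gateway is attached to the VPC"
    if igw in default_targets:
        return "public", f"{table['id']} routes {DEFAULT_ROUTE} to {igw}"
    if default_targets:
        return "private", f"{table['id']} routes {DEFAULT_ROUTE} to {default_targets[0]}, not the IGW"
    return "private", f"{table['id']} has no default route"


def classify_vpc(vpc):
    return {subnet: classify_subnet(subnet, vpc)[0] for subnet in vpc["subnets"]}


def public_subnets(vpc):
    """The list a reviewer wants: which subnets have an internet path via the IGW."""
    return sorted(s for s, kind in classify_vpc(vpc).items() if kind == "public")


if __name__ == "__main__":
    for subnet in SAMPLE_VPC["subnets"]:
        print(subnet, *classify_subnet(subnet, SAMPLE_VPC))
```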


AWS Virtual Private Cloud (VPC) Components (cont.)


VPC Components – Virtual Private Gateway (VGW)

• The Virtual Private Gateway (VGW) is horizontally scaled, redundant, and highly available.
• Fully managed by AWS.
• Only one virtual private gateway can be attached to a VPC at a time.

Service limits: https://docs.aws.amazon.com/general/latest/gr/vpc-service.html


Hybrid Cloud Connectivity Options in AWS

Two main hybrid cloud connectivity options:
• A Virtual Private Network (VPN)
  - Over the Internet
  - Not reliable
  - Quick to deploy
  - Cost effective
  - Secure
• Direct Connect (DX) connection
  - Long lead times
  - Low latency and high bandwidth
  - Private but not secure.

Hands-on Labs (HoLs)

Virtual Private Cloud (VPC) Dashboard Walkthrough – Part II


Introduction to AWS Services – Part 2
High Level Introduction


Section Outline

In this section, we will learn:
• Elastic Compute Cloud (EC2) fundamentals.
• Elastic Block Storage (EBS) fundamentals.
• Public, Elastic, and Private IP addresses.
• Security Groups.
• Blacklisting vs. Whitelisting in security.
• Network Access Control Lists (NACLs).
• Encryption 101.
• AWS Key Management Service (KMS) 101.
• Simple Notification Service (SNS) 101.
• Simple Queue Service (SQS) 101.
• Amazon CloudFront 101.
• Amazon Route 53 101.
• Market advantages of running workloads on AWS.


Elastic Compute Cloud (EC2) 101


Virtual Machines

(Diagram, not reproduced: virtual machines running on a physical server.)


Types of Hypervisors

Type 1 Hypervisor – Bare metal Hypervisor
• The hypervisor runs directly on the underlying host system.
• It does not require any base server operating system.
• It has direct access to hardware resources.

Examples: VMware hypervisors like VMware vSphere, KVM, and Microsoft Hyper-V

(Diagram, not reproduced: VMs on top of the hypervisor, on top of the hardware.)


Types of Hypervisors (cont.)

Type 2 Hypervisor – Hosted Hypervisor
• The hypervisor is software installed on an operating system.

Examples:
• VMware Workstation
• Oracle VM VirtualBox

(Diagram, not reproduced: VMs on top of the hypervisor, on top of a Windows OS, on top of the hardware.)


Elastic Compute Cloud (EC2)

The EC2 service provides resizable compute capacity in the cloud.
• AWS customers have root access to each of the EC2 instances they create.
• An EC2 instance can be stopped, restarted, rebooted, or terminated.
• EC2 instances can be provisioned on shared hosts (with other AWS clients’ EC2 instances) or dedicated hosts (physical servers allocated to a single customer).
• 20 EC2 instances soft limit per account (can be changed).
• Each instance is launched in a subnet in an availability zone and takes up a minimum of one private IPv4 address from that subnet.


Elastic Compute Cloud (EC2) and Elastic Block Store (EBS)

• Each instance is created with a virtual network interface called the Elastic Network
Interface or ENI.
• EBS volumes are persistent storage devices; their data does not get deleted unless the
volume is terminated/deleted.
• EC2 instances with EBS root volumes are called EBS-backed EC2 instances.
• EC2 Instances attach to their EBS volumes over the AWS network.



Elastic Compute Cloud (EC2) and Instance-Store

• Instance store volumes are virtual allocations of the host HDD or SSD drives and are ephemeral storage volumes; they are not persistent.
• EC2 instances with instance store root volumes are called instance-store backed EC2 instances.
• Access to instance store volumes is much faster than to EBS volumes.
• Instance store volumes can also be used as data volumes.
• They can be used in distributed architectures as the instance root volume.


Using SSH to Connect
to a Linux EC2
instance



Connecting To a Linux EC2 instance Using Secure Shell (SSH)

• We can connect to a Linux EC2 instance using SSH.
• The SSH protocol uses encryption to secure the connection between a client and a server.
• All user authentication, commands, output, and file transfers are encrypted to protect against attacks in the network.


Using EC2 Instance Connect To Connect (via SSH) To a Linux EC2 instance

We can SSH into the EC2 instance from within the management console using EC2 Instance Connect.
• The instance must have a public IP address.
• It must run the Amazon Linux 2 AMI 2.0.20190618 or later, or have the EC2 Instance Connect package installed for earlier versions.
• We need to ensure the user(s) that will use this feature have the IAM permissions to do so.
• The instance’s security group must allow SSH inbound from the AWS public IP address ranges.

More on this here:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-set-up.html


Hands-on Labs (HoLs)

Creating The First Linux EC2 Instance And Connecting To It (Mac/Linux Users)


HoL Objective - Connecting To a Linux EC2 instance Using Secure Shell (SSH)

• We do not need a password to login.
• We need a Key Pair to login, which is a private key that you have and a public key that is stored in AWS.
• We can download the private key only once during instance launch.


Hands-on Labs (HoLs)

Creating A Linux EC2 Instance And Connecting To It Using SSH (Windows 10) and the PuTTY Client (All Windows Users)


HoL Objective – Using SSH To Connect From a Windows PC to a Linux EC2 instance

For students with Windows PCs, we can SSH using the SSH service (Windows 10) or the PuTTY SSH client.

[Figure: Windows client connecting over SSH to the Linux EC2 instance]


Private, Public, and Elastic
IP addresses



Internet Gateway - Network Address Translation (NAT)

NAT table entry for 10.1.1.1:

Public IP      Private IP
25.52.10.38    10.1.1.1

[Figure: the Internet Gateway performs NAT between the public and private addresses]


Private, Public and Elastic (EIP) IP Addresses

                                            Private                  Public                                         Elastic
Accessibility to/from the internet          Not internet routable    Internet routable                              Internet routable
Assignment                                  Dynamic during launch    Dynamic during launch                          Manual
Released when the instance is stopped       No                       Yes                                            No
Released when the instance is terminated    Yes                      Yes                                            No, it remains assigned to the VPC
Changes every time the instance is stopped  No                       Yes                                            No
Association to the instance                 Directly on the ENI      Configured on the IGW and mapped through NAT   Configured on the IGW and mapped through NAT
Chargeable                                  No                       No                                             Only if assigned and not used


Whitelisting vs. Blacklisting

Whitelisting/Allowlisting
Start with everything blocked.
• Add permit rules as required.
• Example: corporate confidential information.

Blacklisting/Blocklisting
Start with everything allowed.
• Add deny rules as required.
• Example: internet web applications or web sites.


Use Case - Whitelisting Of Your AWS Infrastructure Using Elastic IP Addresses



Elastic IP Address - Pricing

• One Elastic IP (EIP) address associated with a running instance at no charge.
• If you associate additional EIPs with that instance, you will be charged for each additional EIP associated with that instance per hour on a pro rata basis.
• Additional EIPs are only available in Amazon VPC.

Example: N. Virginia region
• $0.005 per additional IP address associated with a running instance per hour on a pro rata basis
• $0.005 per Elastic IP address not associated with a running instance per hour on a pro rata basis
• $0.00 per Elastic IP address remap for the first 100 remaps per month
• $0.10 per Elastic IP address remap for additional remaps over 100 per month


Hands-on Labs (HoLs)

Private, Public, and Elastic IP Addresses


OSI Model and TCP/IP
Packets/Ports



OSI Reference Model

It was designed to allow for interoperability between different vendors in data communications.
• 7 layers.
• Includes specifications for each layer.


Anatomy Of A TCP/IP Packet - Simplified

[Packet header layout, top to bottom]
Version | IHL | ToS | Length
Other fields
TTL | Protocol | Checksum
Source IP Address
Destination IP Address
Other fields
Source Port | Destination Port
Other fields
Payload / Data

• Protocol: TCP = 6, UDP = 17
• Source Address/Port: sender’s IP address/port
• Destination Address/Port: receiver’s IP address/port


Client to Server Communications – Understanding Source/Destination Ports!

Source and destination ports in a TCP/IP packet are like apartment numbers when the sender and receiver of a mail reside in residential buildings.

From: Sarah Haleem, Apt 308, 122 Elmaydan St., Dokki, Cairo, P.O. Box 1345, Egypt
To: John Smith, Apt 502, 32 University St., Boston, MA, USA 40444

From: John Smith, Apt 502, 32 University St., Boston, MA, USA 40444
To: Sarah Haleem, Apt 308, 122 Elmaydan St., Dokki, Cairo, P.O. Box 1345, Egypt


Client to Server Communications – Understanding Source/Destination Ports!

From Client to Server:
• Destination port is the port the application at the destination server is listening on.
• Source port is picked randomly/dynamically from an available range (1024-65535 OR 49152-65535).
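To make the header fields from the packet slide and the client-to-server port pattern concrete, here is an added example (not part of the course material) that parses a constructed IPv4+TCP packet: it pulls out protocol, source/destination addresses and ports, verifies the IPv4 header checksum, and classifies the ports by IANA range. The sample packet, its addresses and ports are all constructed for this illustration.

```python
import struct
import ipaddress

# Simplified IPv4 header from the slide, network byte order: version/IHL, ToS, total length,
# identification, flags/fragment offset, TTL, protocol, header checksum, source, destination.
IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")
L4_PORTS = struct.Struct("!HH")            # first 4 bytes of a TCP or UDP header
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_packet(raw: bytes) -> dict:
    """Extract the fields the slide calls out, plus the port pair for TCP/UDP."""
    if len(raw) < IPV4_HEADER.size:
        raise ValueError("truncated: fewer than 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     checksum, src, dst) = IPV4_HEADER.unpack_from(raw, 0)
    version, ihl_bytes = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl_bytes < 20:
        raise ValueError("not an IPv4 header")
    if total_len > len(raw) or ihl_bytes > len(raw):
        raise ValueError("header claims more bytes than were captured")
    header = raw[:ihl_bytes]
    zeroed = header[:10] + b"\x00\x00" + header[12:]   # checksum sits at bytes 10-11
    pkt = {
        "version": version, "ihl_bytes": ihl_bytes, "tos": tos, "length": total_len,
        "ttl": ttl, "protocol": proto, "protocol_name": PROTOCOL_NAMES.get(proto, "other"),
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "checksum_ok": ipv4_checksum(zeroed) == checksum,
        "src_port": None, "dst_port": None,
    }
    if proto in (6, 17):
        if len(raw) < ihl_bytes + L4_PORTS.size:
            raise ValueError("truncated transport header")
        pkt["src_port"], pkt["dst_port"] = L4_PORTS.unpack_from(raw, ihl_bytes)
    return pkt


def port_class(port: int) -> str:
    """IANA ranges: 0-1023 well-known, 1024-49151 registered, 49152-65535 dynamic/ephemeral."""
    if port < 1024:
        return "well-known"
    if port < 49152:
        return "registered"
    return "ephemeral"


def looks_like_client_request(pkt: dict) -> bool:
    """Client-to-server pattern: fixed service port at the destination, dynamic source port."""
    return (pkt["dst_port"] is not None and pkt["dst_port"] < 1024
            and pkt["src_port"] >= 1024)


def build_sample_packet(src="10.1.1.1", dst="23.45.36.11", sport=51514, dport=443) -> bytes:
    """Constructed sample: IPv4 header + a minimal 20-byte TCP header (only the ports matter)."""
    tcp = L4_PORTS.pack(sport, dport) + struct.pack("!IIBBHHH", 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    total_len = IPV4_HEADER.size + len(tcp)
    fields = [0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(IPV4_HEADER.pack(*fields))   # fill in the real header checksum
    return IPV4_HEADER.pack(*fields) + tcp


if __name__ == "__main__":
    info = parse_packet(build_sample_packet())
    print(info)
    print("client request?", looks_like_client_request(info))
```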


Understanding
Security Groups



Understanding Security Groups

• The security group is a virtual firewall that applies at the instance’s ENI level.
• In a security group we can configure permit rules only (no deny rules).
• All rules in a security group are evaluated to find a permit (order is not critical).
• Up to 16 (5 is the default) security groups can be attached per EC2 instance interface (ENI).
• It has an implicit deny rule at the end.
• Changes made take effect immediately.

[Figure: an instance with security Group A and security Group B attached]


Understanding Traffic Directions in Security Groups

• Inbound is traffic coming from the outside to the instance.
• Outbound is traffic leaving the instance to the outside.

[Figure: inbound and outbound arrows passing through the security group]


Security Groups Are Stateful

Security groups are stateful.
If traffic in one direction is allowed by the security group, the response to that traffic is automatically allowed in the opposite direction, regardless of what security group rules are in place for the response direction.
• The same is true whether the initial traffic was inbound or outbound.

[Figure: an inbound request through the security group and its outbound response]


Security Groups – Possible Sources

• You can use the security group name as the source in its own inbound security group rules.
• You can use Security Group IDs as the source or destination in another security group’s rules.
• Security groups are directional.

[Figure: Instances A, B and C are in Security Group 1, whose rule is Source: Security Group 1, Protocol: Any, Port: Any. Instances D and E are in Security Group 2, whose rule is Source: Security Group 1, Protocol: TCP, Port: 22 (SSH)]


Hands-on Labs (HoLs)

Security Groups



HoL - Security Groups

Use ICMP Ping to test reachability to the public IP address of the EC2 instance.
• Understand the source and destination IP ranges in the inbound and outbound directions.
• Demonstrate that security groups can only have allow rules.
• Demonstrate that the source / destination of the security group can be a security group ID.



Understanding Network
Access Control Lists
(NACLs)



Network Access Control Lists (NACLs)

• A Network ACL functions at a subnet level.
• It is applied at the implied router level.
• NACLs are stateless.
• It can include permit and deny rules.
• Each NACL rule has a sequence number.
• Rules are evaluated from lowest to highest sequence number.
• It ends with an explicit deny any rule.

[Figure: inside the VPC, the implied router connects Subnet Blue (Route Table Blue, NACL Blue, Sec Group 1, EC2 A) and Subnet Green (Route Table Green, NACL Green, Sec Group 2, EC2 B)]


Network Access Control Lists (NACLs) – Traffic Directions

Inbound means: traffic heading from outside the subnet to inside the subnet.
Outbound means: traffic heading from within the subnet to outside the subnet.

Traffic between instances in the same subnet (within the subnet) is not affected/filtered by the NACL attached to the subnet.

[Figure: VPC with the implied router and route table; inbound and outbound arrows at the subnet boundary; two security groups inside the subnet]


Network Access Control List vs. Security Group – Impact on Traffic

• A Network ACL associated with a subnet impacts all instances in the subnet equally.
Ø EC2 instances in the same subnet are under the same NACL rules.
• Security Group impact is at the instance level only.
• Multiple EC2 instances in the same subnet can have different security groups, and hence different rules.

[Figure: Subnet Blue (NACL Blue) holds EC2 A with Sec Group 1 and EC2 C with Sec Group 3; Subnet Green (NACL Green) holds EC2 B with Sec Group 1]


Security Groups vs. Network Access Control Lists (NACLs)

Security Groups                                                     | Network Access Control Lists (NACLs)
Operates at the instance (ENI) level as the first layer of          | Operates at the subnet level as a second layer of
defense (from the EC2 instance perspective)                         | defense (from the EC2 instance perspective)
Supports allow rules only                                           | Supports allow and deny rules
Filtering applies to instances communicating within a subnet        | Filtering does not apply to instances communicating within a subnet
Is stateful                                                         | Is stateless
All rules are evaluated before a decision is made                   | Rules are processed in order until a match is found (from lower to higher rule number)
Applies only to instances where the security group is               | Applies to all instances in the subnet(s) where the NACL
associated/applied                                                  | is applied
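The comparison above (any-match allow rules with an implicit deny and connection state for security groups, versus ordered allow/deny rules evaluated statelessly for NACLs) is shown below as an added simulation that is not part of the course. The rule and packet models, the SSH traffic and the 203.0.113.0/24 admin range are all constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"; security groups accept "allow" only
    protocol: str      # "tcp", "udp", "icmp" or "any"
    port_from: int
    port_to: int
    cidr: str          # remote side: source for inbound rules, destination for outbound
    number: int = 0    # NACL rule number; ignored by security groups


@dataclass(frozen=True)
class Packet:
    direction: str     # "inbound" (towards the instance) or "outbound"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule names the remote CIDR and the port on the receiving side of the packet."""
    remote_ip = pkt.src_ip if pkt.direction == "inbound" else pkt.dst_ip
    if rule.protocol != "any":
        if rule.protocol != pkt.protocol or not rule.port_from <= pkt.dst_port <= rule.port_to:
            return False
    return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr)


def _flow(pkt: Packet) -> tuple:
    return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.protocol)


def _reverse_flow(pkt: Packet) -> tuple:
    return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.protocol)


class SecurityGroup:
    """Allow rules only, order irrelevant, implicit deny, stateful via connection tracking."""

    def __init__(self, inbound=(), outbound=()):
        for rule in list(inbound) + list(outbound):
            if rule.action != "allow":
                raise ValueError("security groups cannot contain deny rules")
        self.rules = {"inbound": list(inbound), "outbound": list(outbound)}
        self.tracked = set()   # flows already allowed in their initial direction

    def allows(self, pkt: Packet) -> bool:
        if _reverse_flow(pkt) in self.tracked:      # reply to an allowed flow: let it through
            return True
        for rule in self.rules[pkt.direction]:      # every rule is evaluated; any allow wins
            if rule_matches(rule, pkt):
                self.tracked.add(_flow(pkt))
                return True
        return False                                # implicit deny at the end


class NetworkAcl:
    """Allow and deny rules, evaluated by rule number, explicit trailing deny, stateless."""

    def __init__(self, inbound=(), outbound=()):
        by_number = lambda r: r.number
        self.rules = {"inbound": sorted(inbound, key=by_number),
                      "outbound": sorted(outbound, key=by_number)}

    def allows(self, pkt: Packet) -> bool:
        for rule in self.rules[pkt.direction]:      # lowest number first, first match decides
            if rule_matches(rule, pkt):
                return rule.action == "allow"
        return False                                # the "*" deny-all rule


# Constructed traffic: an SSH connection from an admin host to an instance, and its reply.
SSH_REQUEST = Packet("inbound", "203.0.113.10", 51514, "10.1.1.1", 22)
SSH_REPLY = Packet("outbound", "10.1.1.1", 22, "203.0.113.10", 51514)
ADMIN_NET = "203.0.113.0/24"


def compare_stateful_vs_stateless() -> dict:
    """Same single inbound rule on a security group and on a NACL; only the SG passes the reply."""
    sg = SecurityGroup(inbound=[Rule("allow", "tcp", 22, 22, ADMIN_NET)])
    nacl = NetworkAcl(inbound=[Rule("allow", "tcp", 22, 22, ADMIN_NET, number=100)])
    # The NACL needs an outbound rule for the ephemeral port range before replies can leave.
    nacl_fixed = NetworkAcl(
        inbound=[Rule("allow", "tcp", 22, 22, ADMIN_NET, number=100)],
        outbound=[Rule("allow", "tcp", 1024, 65535, "0.0.0.0/0", number=100)])
    return {"sg_request": sg.allows(SSH_REQUEST), "sg_reply": sg.allows(SSH_REPLY),
            "nacl_request": nacl.allows(SSH_REQUEST), "nacl_reply": nacl.allows(SSH_REPLY),
            "nacl_fixed_reply": nacl_fixed.allows(SSH_REPLY)}


def nacl_rule_order_matters() -> dict:
    """Deny one host before allowing its /24, then the same two rules with numbers swapped."""
    deny_first = NetworkAcl(inbound=[Rule("deny", "tcp", 22, 22, "203.0.113.10/32", number=100),
                                     Rule("allow", "tcp", 22, 22, ADMIN_NET, number=110)])
    allow_first = NetworkAcl(inbound=[Rule("allow", "tcp", 22, 22, ADMIN_NET, number=100),
                                      Rule("deny", "tcp", 22, 22, "203.0.113.10/32", number=110)])
    return {"deny_first": deny_first.allows(SSH_REQUEST),
            "allow_first": allow_first.allows(SSH_REQUEST)}
```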


Hands-on Labs (HoLs)

Network Access Control Lists


(NACLs)



HoL – Network ACLs

Use ICMP Ping to test reachability to the public IP address of the EC2 instance.
• Understand the source and destination IP ranges in the inbound and outbound directions.
• Demonstrate that NACLs can have allow or deny rules.
• Demonstrate that the source / destination of the NACLs cannot be a security group ID.



Encryption 101



Data Encryption (Protection) 101

Protect it = Encrypt it
• In transit = encrypted while on the way.
• At rest = encrypted while stored after delivery.
• The key is required to encrypt it, and the key is required to decrypt it.

[Figure: a Man In The Middle (MITM) attack against data in transit]

• Always encrypt sensitive data in-transit and at rest.
• Encryption/Decryption requires an encryption algorithm and cryptographic keys.
Ø Who generates these keys? A key generator.
Ø How can we maintain and protect them? PKI.
Ø Different types of keys - Asymmetric/Symmetric.
Ø Can anyone use any keys?

Data Encryption (Protection) 101

[Figure: "Hello World" + key -> Encryption -> encrypted data "!$5Wa&^ @#$@$ WER$@" -> Decryption + key -> "Hello World"]


Encryption In-Transit Using Asymmetric Keys – Session Negotiation

• Encryption in-transit involves a key pair, a private key and a public key.
• It requires a key generator to create the key pair.
• The key pair owner holds the private key and shares the public key with clients.


Encryption In-Transit Using Asymmetric Keys – Data Exchange

• HTTPS/TLS/SSL are the most common protocols used to encrypt data in-transit.
• HTTPS/TLS/SSL are NOT used to encrypt data at rest.



Encryption In-transit Using Symmetric Keys

• Uses the same key and encryption algorithm for encryption/decryption.
• Shared secret (symmetric) key encryption is more efficient than asymmetric.
• AWS KMS can use both asymmetric and symmetric keys.
• Asymmetric cryptography can be used to share the symmetric (shared secret) key.


AWS Key Management
Service (KMS) 101



AWS Key Management Service (KMS)

KMS is an AWS managed Key Management Service that allows customers to create and manage cryptographic keys.
• KMS controls the keys’ usage across a range of AWS services and applications.
• KMS is Federal Information Processing Standard (FIPS) 140-2 compliant.
• KMS integrates with many AWS services to simplify encryption of data across workloads.
• KMS is highly durable and highly available.
• KMS integrates with CloudTrail for audit and compliance purposes.
• It costs $1/month for each key you create, and free for keys created by AWS services.


AWS KMS – KMS Keys

• KMS keys are the primary resource in AWS KMS.
• KMS supports both symmetric and asymmetric keys (depends on the AWS service).
• AWS recommends using symmetric keys where possible.
• AWS services, users and applications with IAM roles can request KMS keys from KMS.


AWS KMS Keys

• KMS keys can be used to encrypt and decrypt data up to 4 KB in size.
• If the data is larger than 4 KB, then the application needs to do the encryption tasks.
• Envelope Encryption: encryption (data) keys can be generated using KMS keys.
• KMS keys never leave KMS.
• KMS does not store customer data (encryption) keys.


AWS KMS – Creating a KMS Key

• AWS-managed KMS keys are created, managed and used on a customer’s behalf by an AWS service that integrates with KMS.
• Customer-managed KMS keys are created and managed by customers using KMS.
Ø The customer can create, delete, rotate, control access to, enable and disable these keys.
• KMS keys are region specific (we can create multi-region keys as well).
• Rotating keys frequently is a good security practice.


AWS KMS – Operations on Symmetric Data (Encryption) Key

You can request a data key from KMS using a specific KMS key to create that key.

KMS can generate an encrypted data key, or both plaintext and encrypted versions.
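The envelope encryption pattern from the two KMS slides above (KMS encrypts at most 4 KB directly, so it generates a data key, hands back a plaintext and a wrapped copy, and the application encrypts the bulk data locally while storing only the wrapped key) is worked through below in an added example that is not part of the course. `FakeKms` is a constructed stand-in for the GenerateDataKey/Decrypt calls, and the authenticated cipher is an HMAC-SHA256 keystream with an HMAC tag used as a standard-library stand-in for AES-GCM; nothing here is the real KMS API.

```python
import hashlib
import hmac
import secrets

KMS_DIRECT_LIMIT = 4096   # KMS Encrypt/Decrypt handle at most 4 KB of data directly


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with an HMAC-SHA256 keystream and tag: a stdlib stand-in for AES-GCM."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(12)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def _open(key: bytes, blob: bytes) -> bytes:
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ciphertext, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext or wrapped key was tampered with")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class FakeKms:
    """Constructed stand-in for the KMS calls envelope encryption uses. Key material never leaves it."""

    def __init__(self):
        self._keys = {}

    def create_key(self) -> str:
        key_id = f"kms-key-{len(self._keys) + 1}"          # constructed id, not a real KMS ARN
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id

    def encrypt(self, key_id: str, plaintext: bytes) -> bytes:
        if len(plaintext) > KMS_DIRECT_LIMIT:
            raise ValueError("KMS encrypts at most 4 KB directly; use a data key instead")
        return key_id.encode() + b"|" + _seal(self._keys[key_id], plaintext)

    def decrypt(self, blob: bytes) -> bytes:
        key_id, _, sealed = blob.partition(b"|")   # the blob identifies which KMS key to use
        return _open(self._keys[key_id.decode()], sealed)

    def generate_data_key(self, key_id: str) -> tuple:
        """Like GenerateDataKey: a fresh plaintext data key plus the same key wrapped by the KMS key."""
        data_key = secrets.token_bytes(32)
        return data_key, self.encrypt(key_id, data_key)


def envelope_encrypt(kms: FakeKms, key_id: str, plaintext: bytes) -> dict:
    data_key, wrapped_key = kms.generate_data_key(key_id)
    ciphertext = _seal(data_key, plaintext)      # bulk data encrypted locally with the data key
    del data_key                                 # the plaintext data key is not stored anywhere
    return {"wrapped_key": wrapped_key, "ciphertext": ciphertext}


def envelope_decrypt(kms: FakeKms, envelope: dict) -> bytes:
    data_key = kms.decrypt(envelope["wrapped_key"])   # only this small call goes to KMS
    return _open(data_key, envelope["ciphertext"])


if __name__ == "__main__":
    kms = FakeKms()
    key_id = kms.create_key()
    envelope = envelope_encrypt(kms, key_id, b"x" * 100_000)
    print(len(envelope["wrapped_key"]), "byte wrapped key;",
          len(envelope_decrypt(kms, envelope)), "bytes recovered")
```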


KMS Keys - AWS Managed vs. Customer Managed

                                      AWS Managed KMS Key       Customer Managed KMS Key
Customer can view key metadata        Yes                       Yes
Customer can manage the KMS key       No                        Yes
Used only for the customer account    Yes                       Yes
Automatic rotation of keys            Required every 3 years    Optional, every 1 year if chosen


Hands-on Labs (HoLs)

Encrypting An EC2 Instance’s EBS Volume During An EC2 Instance Launch


Simple Storage
Service (S3) 101



Block Storage vs. Object Storage

Block Storage
• Block storage divides the data into equal sized blocks.
Ø Data blocks do not contain metadata.
• It keeps an index for the block storage location.
• Block storage is suitable for databases, random read/write loads.
• EBS is an example.

Object Storage
• An object is the data itself, its metadata, and a unique ID (such as the file name).
• Object storage stores the object as a whole (including metadata).
• Is suitable for data that can be updated incrementally and does not require a lot of writes/updates.
• Photos, videos, music, static web content, data backups are examples of objects.
• Cannot be mounted as a virtual drive.


More about Object Storage

• Ideally suited for distributed architectures.
• Cheaper.
• Better scalability and durability.
• No limit on the amount of data or metadata in an object.
• Cannot be mounted as a drive, or directory, to an EC2 instance.
• Ideal for data growth storage.


AWS Simple Storage Service (S3) – Object Storage in AWS

• AWS Simple Storage Service (S3) is an object storage for the internet that features a simple web service interface.
• You can store an unlimited amount of data.
• A single object size can be from 0 bytes up to a maximum of 5 TB.


AWS Simple Storage Service (S3) – Object Storage in AWS

• Objects are stored in S3 buckets.
• A bucket is confined to an AWS Region.
• Data stored in an S3 bucket never leaves the region, unless you explicitly configure it to do so.


AWS Simple Storage Service (S3) – Buckets

A bucket is owned by the account (not the user or app) that creates it, and this ownership cannot be transferred between accounts.
• The S3 bucket is owned by the customer account but is not launched inside a VPC.


AWS Simple Storage Service (S3) – Object Storage in AWS

Objects are redundantly stored in multiple locations within the same AWS region (where the bucket is created) for higher durability.
• An object in S3 is uniquely identified and accessed through:
Ø Service endpoint,
Ø The bucket name where it is stored,
Ø The object key (or name), and
Ø An object version.


Hands-on Labs (HoLs)

Simple Storage Service (S3) Walkthrough and Creating The First S3 Bucket


IAM Access Keys for
Programmatic access to
AWS Services



IAM And Programmatic Access to AWS

For any user, we can assign an access key (Access Key ID and Secret Access Key) to access AWS programmatically.


IAM Access Keys

• Access keys (Access Key ID and Secret Access Key) are required for AWS users to make programmatic calls to AWS.
• Access keys can be created, modified, viewed, and rotated.
• Secret access keys are accessible only at the time of creation.
• For CLI access, you need to configure your laptop or Mac with access keys so that AWS can identify you when you send requests to AWS.


Hands-on Labs (HoLs)

AWS Command Line Interface (CLI) And IAM Access Keys


Location Of AWS Credentials Files

The shared AWS config and credentials files are plaintext files that reside by default in a folder named .aws that is placed in the "home" folder on your computer.
• On Linux and macOS, this is typically shown as ~/.aws.
• On Windows, it is %USERPROFILE%\.aws.

More on this here:
https://docs.aws.amazon.com/sdkref/latest/guide/file-location.html


AWS IAM – Elements &
Policies



AWS IAM Elements

• IAM users, IAM roles, federated users, or applications can be IAM principals.
• An IAM group cannot be an IAM principal.


IAM & Authorization - IAM Policies

• An IAM policy must be attached to an identity or a resource.
• An identity can have more than one policy attached.
• You can use an AWS-managed, customer-managed, or inline policy.


IAM Policies – Policy Effect (Allow/Deny)

Policies can be IAM identity-based or resource-based.
• By default, all requests are denied.
• An explicit allow overrides the default, and
• An explicit deny overrides all allows.
• Policies are stored as JSON documents in AWS.
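The three evaluation rules above (default deny, explicit allow, explicit deny wins) are implemented below as an added example that is not part of the course: it evaluates a request against identity-based policies written in the JSON form IAM stores. The two policies, the bucket names and the request ARNs are constructed for the illustration, and policy Conditions are not modelled.

```python
import fnmatch
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value: str, fold_case: bool = False) -> bool:
    """IAM wildcard matching: '*' is any run of characters, '?' a single character."""
    patterns = _as_list(patterns)
    if fold_case:   # IAM compares action names case-insensitively; ARNs stay case-sensitive
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def statement_applies(stmt: dict, action: str, resource: str) -> bool:
    """True when the statement's Action/NotAction and Resource/NotResource cover the request."""
    if "Action" in stmt:
        action_hit = _any_match(stmt["Action"], action, fold_case=True)
    else:
        action_hit = not _any_match(stmt["NotAction"], action, fold_case=True)
    if "Resource" in stmt:
        resource_hit = _any_match(stmt["Resource"], resource)
    else:
        resource_hit = not _any_match(stmt["NotResource"], resource)
    return action_hit and resource_hit


def evaluate(policies, action: str, resource: str) -> str:
    """Identity-based evaluation from the slide: default deny, explicit allow, explicit deny wins."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"            # an explicit deny overrides every allow
            allowed = True               # remember the allow, keep looking for denies
    return "Allow" if allowed else "Deny"   # nothing matched: the implicit default deny


# Constructed policies in the JSON form IAM stores.
READ_ONLY_S3 = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["s3:Get*", "s3:List*"],
                 "Resource": "*"}]
}""")

DENY_PAYROLL = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Deny",
                 "Action": "s3:*",
                 "Resource": ["arn:aws:s3:::example-payroll",
                              "arn:aws:s3:::example-payroll/*"]}]
}""")

POLICIES = [READ_ONLY_S3, DENY_PAYROLL]


def demo() -> dict:
    """Four requests against the two policies; the order of the policies does not matter."""
    return {
        "read_assets": evaluate(POLICIES, "s3:GetObject", "arn:aws:s3:::example-assets/logo.png"),
        "read_payroll": evaluate(POLICIES, "s3:GetObject", "arn:aws:s3:::example-payroll/2024.csv"),
        "write_assets": evaluate(POLICIES, "s3:PutObject", "arn:aws:s3:::example-assets/logo.png"),
        "list_payroll": evaluate(POLICIES, "s3:ListBucket", "arn:aws:s3:::example-payroll"),
    }
```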


Hands-on Labs (HoLs)

AWS IAM Policies Walkthrough



EC2 IAM Roles



IAM Role for Amazon EC2 Instances

• An IAM role is an IAM identity that you create in your account with specific permissions.
• It can be assumed by anyone (an application or a user) who needs it and is allowed to use it.
• You can attach an IAM role to an EC2 instance during or after launch.
• Only one IAM role can be attached to an EC2 instance at a time.
• IAM roles provide STS (temporary) credentials.
• IAM roles are universal.


Hands-on Labs (HoLs)

Creating / Attaching an IAM Role To an EC2 Instance


HoL - IAM Roles

[Figure: SSH connections to the EC2 instances used in the lab]


Amazon Route53 101



Domain Name Service (DNS) – Why do we need it?

• It is much easier to remember a domain name than an IP address.
• Websites and similar destinations on the internet use IP addresses.
• Domain Name Servers (DNS) are databases on the internet mapping domain names to IP address(es).
• Each device connected to the internet must have a DNS in its TCP/IP configuration.

[Figure: the client asks the DNS server (IP: 1.1.1.1) "www.dolfined.com?" and receives "IP is: 23.45.36.11"; it then reaches the website at IP 23.45.36.11]


AWS DNS - Amazon Route 53

• Amazon Route 53 is AWS’s Domain Name Service.
• You can configure domain name to IP address mapping in hosted zones (records).
• Route 53 supports public hosted zones for Internet-facing workloads, and private hosted zones for private workloads.

[Figure: the client asks Route 53 (IP: 1.1.1.1) "www.dolfined.com?" and receives "IP is: 23.45.36.11"; it then reaches the website at IP 23.45.36.11]


Section Quiz – Introduction to AWS Services II
Time for some practice!


Key Architecture
Pillars & EC2
Think the Architect way!



Section Outline

In this section, we will learn:


• Elasticity and Scalability 101.
• High availability, Fault tolerance, and Elastic Load balancing 101
• Reliability and Resiliency 101.
• Disaster Recovery (DR) in AWS – 101.
• Disaster Recovery (DR) Approaches.
• Elastic Compute Cloud (EC2)
Ø Instance User data
Ø EC2 Instance Meta Data Service (IMDS)



Elasticity and Scalability 101
Introduction


Elasticity

Elasticity is the degree to which a system can adjust to workload changes.
• In other words, it is the system’s ability to provision and deprovision resources automatically to ensure that the available resources match the need.
• Scaling-out adds more processing power whereas scaling-in removes unnecessary processing power to save costs.
• Auto Scaling groups can be configured for EC2 instances.

[Figure: Horizontal Scaling (Out and In): scale out adds instances, scale in removes them]


Scalability

Scalability refers to the system’s ability to handle the growing amount of work or load by adding resources.
• It can be Vertical Scaling (Up/Down) or Horizontal Scaling (Out/In).

[Figure: Vertical Scaling (Up and Down)]


High Availability, Fault Tolerance, and Elastic Load Balancing
Introduction


High Availability vs. Fault Tolerance

[Figure: capacity chart comparing high availability and fault tolerance (capacity levels shown: 120%, 0%, 60%, 0%, 60%)]


Elastic Load Balancing (ELB) 101



Reliability and
Resiliency 101



Reliability and Resilience

A reliable workload must be designed to:
• Automatically recover from failure
• Scale horizontally to increase aggregate workload availability

The reliability of a workload depends on the workload’s resiliency.

The definition of resiliency is the ability of a workload to:
• Recover from infrastructure or service disruptions,
• Dynamically acquire computing resources to meet demand, and
• Mitigate disruptions, such as misconfigurations or transient network issues.


Disaster Recovery (DR)
& DR Approaches in
AWS

Introduction



Disaster Recovery – What is it?

• A disaster is any event that can negatively impact a company’s business continuity or finances.
• Disaster Recovery (DR) is about being ready for and recovering from disaster situations.
• A disaster recovery strategy must be in place, tested, and ready for use in case of a disaster situation.
• The right DR strategy depends on an analysis to identify the impact of a disaster on the business and finances.


Disaster Recovery - RTO & RPO

• Recovery Time Objective (RTO) is the time taken after a disruption to restore a business process or infrastructure to the right service level in normal conditions.
• Recovery Point Objective (RPO) is the acceptable data loss due to a disaster, measured in time.


Disaster Recovery Strategies/Approaches in AWS



Disaster Recovery Approaches

Backup and Restore
• Copy AMIs and backup data and store in AWS in a different region.
• No active DR site until a disaster happens.
• Cheapest.
• Longest to restore.

Pilot Light
• Maintain the minimal version of core infrastructure components active in AWS.
• Ongoing data replication between the two sites.
• Faster than Backup and Restore.

Warm Standby
• Maintain a scaled down version of the environment in AWS.
• Scale it up in the event of a disaster.
• Faster and more expensive than Pilot Light.

Multi-Site (Active/Active)
• Full running version of the infrastructure in AWS.
• Active/Active.
• Failover to DR in case of a disaster.
• Most expensive and fastest to recovery.


Elastic Compute Cloud (EC2)



EC2 Instance MetaData



Instance Meta Data Service (IMDS)

Instance metadata is data about the instance that we can use to configure or manage the instance.
• Examples are IPv4 address, IPv6 address, DNS hostnames, AMI-ID, instance-ID, instance-type, local-hostname, public keys, & security groups.
• You can also use instance metadata to access user data that you specified when launching your instance.


Instance Meta Data Service (IMDS)

• The IMDS also makes the AWS credentials available for any IAM role that is attached to the instance.
• Metadata is not protected by authentication or encryption (cryptography).
Ø Anyone with access to the instance or any application running on the instance can view the metadata.
Ø Do not store any sensitive data (secrets, passwords, long-lived encryption keys, or long-term credentials) in the instance user data.
• AWS does not charge for requests to metadata.


Instance Metadata (cont.)

We can access instance metadata from a running instance using one of the following
methods:
• Instance Metadata Service Version 1 (IMDSv1) – a request/response method
• Instance Metadata Service Version 2 (IMDSv2) – a session-oriented method



Instance Metadata – IMDSv2

• With IMDSv2, every request is now protected by session authentication.
• A request for a TOKEN (password) to access IMDSv2 must be the first step to access the metadata.
• The token is never stored by IMDSv2 and can never be retrieved by subsequent calls, so a session and its token are effectively destroyed when the process using the token terminates.


Instance Metadata – IMDSv2 (cont.)

• For added security, a session token can only be used directly from the EC2 instance
where that session began.
• We can configure the instance metadata service on each instance such that local code or
users must use IMDSv2 (which means IMDSv1 cannot be used then).
• We can completely disable access to instance metadata if required (ensure applications
on the instance do not need to access the metadata).



Instance Metadata (cont.)

To view an EC2 instance’s metadata, use the following URIs (using link-local addresses):
IPv4:
http://169.254.169.254/latest/meta-data/

For IPv6 enabled instances:
http://[fd00:ec2::254]/latest/meta-data/

Link-local addresses are valid/accessible only from the instance.

https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/
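The IMDSv2 session flow described on the two slides above (a PUT for a token first, then every metadata GET car ries that token, with no fallback to an unauthenticated IMDSv1 request) is shown below as an added example that is not part of the course. The endpoint, paths and header names are the documented IMDS ones; `FakeImds`, its token and its metadata values are constructed so the client can be exercised offline on a host that is not an EC2 instance.

```python
import urllib.error
import urllib.request

IMDS_BASE = "http://169.254.169.254"      # link-local: reachable only from the instance itself
TOKEN_PATH = "/latest/api/token"
METADATA_PATH = "/latest/meta-data/"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"


class ImdsError(Exception):
    pass


def http_transport(method: str, url: str, headers: dict) -> tuple:
    """Real transport returning (status, body); a short timeout so a non-EC2 host fails fast."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


class ImdsV2Client:
    """Session-oriented access: PUT for a token, then GET with the token header.
    There is deliberately no fallback to a token-less (IMDSv1) GET."""

    def __init__(self, transport=http_transport, base=IMDS_BASE, ttl_seconds=21600):
        self.transport, self.base, self.ttl = transport, base, ttl_seconds
        self._token = None

    def _new_token(self) -> None:
        status, body = self.transport("PUT", self.base + TOKEN_PATH, {TTL_HEADER: str(self.ttl)})
        if status != 200:
            raise ImdsError(f"token request failed with HTTP {status}")
        self._token = body.strip()

    def get(self, path: str) -> str:
        if self._token is None:
            self._new_token()
        url = self.base + METADATA_PATH + path.lstrip("/")
        status, body = self.transport("GET", url, {TOKEN_HEADER: self._token})
        if status == 401:                      # token missing, invalid or expired: refresh once
            self._new_token()
            status, body = self.transport("GET", url, {TOKEN_HEADER: self._token})
        if status != 200:
            raise ImdsError(f"GET {path} failed with HTTP {status}")
        return body


class FakeImds:
    """Constructed offline stand-in for the IMDS endpoint of an instance with tokens required."""

    def __init__(self):
        self.token = "constructed-session-token"              # real tokens are opaque strings
        self.data = {"instance-id": "i-0123456789abcdef0",    # constructed example values
                     "iam/security-credentials/": "example-role"}
        self.requests = []                                    # log of (method, path, headers)

    def __call__(self, method: str, url: str, headers: dict) -> tuple:
        path = url[len(IMDS_BASE):]
        self.requests.append((method, path, dict(headers)))
        if method == "PUT" and path == TOKEN_PATH and TTL_HEADER in headers:
            return 200, self.token
        if method == "GET" and path.startswith(METADATA_PATH):
            if headers.get(TOKEN_HEADER) != self.token:
                return 401, "Unauthorized"                    # token-less request is refused
            key = path[len(METADATA_PATH):]
            return (200, self.data[key]) if key in self.data else (404, "Not Found")
        return 405, "Method Not Allowed"


def v1_style_get(transport, path: str) -> int:
    """A plain GET with no token, as IMDSv1 callers make it; returns the HTTP status only."""
    status, _ = transport("GET", IMDS_BASE + METADATA_PATH + path, {})
    return status


if __name__ == "__main__":
    fake = FakeImds()
    print(ImdsV2Client(transport=fake).get("instance-id"))
    print("token-less GET ->", v1_style_get(fake, "instance-id"))
```

On a real instance the default `http_transport` is used as-is; the instance-side setting that makes the endpoint behave like `FakeImds` is the AWS CLI command `aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-tokens required`.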


Hands-on Labs (HoLs)

EC2 Instance Meta Data Service (IMDS)


EC2 Instance User data



Instance User Data

Is data supplied by the user at instance launch in the form of a script to be executed during the instance boot. It is limited to 16 KB in size.

• User data can be changed. To do so, the instance needs to be stopped first (EBS-backed EC2 instances).
• User data is not protected by encryption, so do not include passwords or sensitive data in the user data scripts.
• AWS does not charge for requests to read user data.

To read user data:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-add-user-data.html

To execute user data every time the instance is launched:
https://aws.amazon.com/premiumsupport/knowledge-center/execute-user-data-ec2/


Hands-on Labs (HoLs)

EC2 Instance User Data



Elastic Load Balancing
and Auto Scaling on
AWS
Deep Dive



Section Outline

In this section, we will learn:


• Elastic Load Balancing:
Ø Listeners and Health Checks.
• Auto Scaling:
Ø Amazon Application Auto Scaling.
Ø Amazon EC2 Auto Scaling.



Elastic Load Balancing



Elastic Load Balancing - Introduction


Elastic Load Balancing - Overview

[Figure: the client asks "What is the IP for www.dolfined.com?" and is told "Use ELB node 1 IP address (54.33.65.23)"]

An Elastic Load Balancer is a regional resource.
• It can load balance between AZ’s in one region.
• It cannot load balance between two regions.


Elastic Load Balancing – High Availability

[Figure: the client asks "What is the IP for www.dolfined.com?" and is told "Use ELB node 1 IP address (54.33.65.23)"]

For high availability, launch your ELB in at least two availability zones.


Elastic Load Balancing – Internal vs. Internet-Facing ELBs

[Figure: the client asks "What is the IP for www.dolfined.com?" and is told "Use ELB node 1 IP address (54.33.65.23)"]

An Elastic Load Balancer can be launched as:
• Internet-facing (for web-facing workload)
• Internal (to load balance in a VPC).


Elastic Load Balancing – Under The Hood

When we launch an ELB, under the hood:
• The ELB nodes will be created in the AZ’s where you selected to enable the ELB.
• The ELB nodes will be created in an ELB-service managed VPC.
• An ENI will be dropped in your VPC in each AZ where the ELB is enabled and will be the means for that AZ to communicate with the created ELB node(s).


Elastic Load Balancing – Under The Hood

• For the Internet-facing ELB, the subnets where the ELB is enabled MUST be public subnets.
Ø This is not required for Internal ELBs
• When using Internet-facing ELBs, customer workload can be in private (recommended) or
public subnets.



ELB – Types, Listeners, and Target Groups


ELB Target Groups and Backend Instances

[Figure: ELB types, including the previous-generation load balancer and the Gateway Load Balancer]


Target Groups

A target group is a logical grouping of targets (EC2 instances, IP addresses, or ECS microservices).
• A target is an endpoint registered with the ALB/NLB as part of a target group.
• A target group is a regional construct.
• IP addresses can be used to add targets that are instances in a peered VPC, on-premises servers, and any AWS resources that can be addressed by IP and port.
• ALB/NLB can route traffic to multiple target groups.
• A target can be registered with a target group multiple times using different ports.


ELB Listeners

• A listener is the process that checks for connection requests to the ELB nodes.
• Multiple listeners can be configured on the ELB.
• On ALB/NLB, the backend is configured at the target group.

[Diagram: Frontend listeners (HTTP/HTTPS, TCP/SSL) on the ELB and the Backend connections (HTTP/HTTPS, TCP/SSL) toward the targets]


ELB Listeners (cont.)

A Listener: a process listening (waiting or expecting) for connections on a specific port.

• All ELB types can have one or more frontend listeners (listening on different ports).
• An ELB listener expects traffic on its configured port.
• Each target group has a forwarding port on which the backend is listening (ready to receive traffic on).
Ø The load balancer forwards traffic to that port using the target group.

[Diagram: a client reaches the Frontend HTTP (80) and HTTPS (443) listeners; the HTTP listener forwards to Target Group 1 on HTTP (80) and the HTTPS listener forwards to Target Group 2 on HTTPS (443) at the Backend]


ELB – Health Checks, Listener Rules, & Pricing


Elastic Load Balancing – Health Checks

A load balancer decouples the application layers by concealing a failure in one tier from the other tiers.
• The ELB increases the availability of the application.
• Health checks are used by the elastic load balancer to track the health and responsiveness of the backend.
• Health check ports and thresholds are configurable.


Listener Rules

• A target group has a forwarding port, targets, and a configured health check.
• A rule is like the glue that connects the Frontend listener with the backend target groups.
• Each rule consists of a target group, priority, action, optional host condition, and optional path condition.

[Diagram: a client reaches the HTTP (80) and HTTPS (443) listeners; each listener's rule (Rule, Rule 1) forwards to Target Group 1 on HTTP (80) or Target Group 2 on HTTPS (443)]


Target Groups & Rules

[Diagram: a listener with only the Default Rule vs. the Default Rule plus additional Rule(s); a target being a member of multiple target groups; the health check defined at the target group level]
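How a listener's rules, their priorities and conditions, the default rule, and target-group-level health checks fit together, as an added illustrative model (not AWS code and not from the course): requests are matched against rules in priority order, forwarded to the matching rule's target group on its forwarding port, and only targets that currently pass the health check receive traffic. The target ids, hostnames and ports are constructed sample values.

```python
# Illustrative model of ALB request routing (not AWS code): rules are checked in
# priority order, the first rule whose optional host/path conditions match sends
# the request to its target group, else the default rule applies; only targets
# passing the health check receive traffic.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class TargetGroup:
    name: str
    port: int                                    # forwarding port the backend listens on
    healthy: list = field(default_factory=list)  # target ids passing the health check
    unhealthy: list = field(default_factory=list)
    _next: int = 0                               # round-robin cursor

    def pick_target(self) -> Optional[str]:
        """Round-robin over healthy targets only; None if none is healthy."""
        if not self.healthy:
            return None
        target = self.healthy[self._next % len(self.healthy)]
        self._next += 1
        return target

@dataclass
class Rule:
    priority: int               # lower value is evaluated first
    target_group: TargetGroup
    host: Optional[str] = None  # optional host condition (exact match here)
    path: Optional[str] = None  # optional path condition (prefix match here)

    def matches(self, host: str, path: str) -> bool:
        host_ok = self.host is None or self.host == host
        path_ok = self.path is None or path.startswith(self.path)
        return host_ok and path_ok

def route(rules, default_rule, host, path):
    """Return (target group name, forwarding port, chosen target id)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(host, path):
            tg = rule.target_group
            return tg.name, tg.port, tg.pick_target()
    tg = default_rule.target_group                # no rule matched
    return tg.name, tg.port, tg.pick_target()

def build_sample():
    """Constructed sample: two target groups, two rules plus a default rule."""
    web = TargetGroup("web", 80, healthy=["i-web1", "i-web2"])
    api = TargetGroup("api", 8080, healthy=["i-api1"], unhealthy=["i-api2"])
    rules = [Rule(20, web, host="www.dolfined.com"), Rule(10, api, path="/api")]
    return rules, Rule(priority=10**6, target_group=web)  # default: no conditions
```

Note that `i-api2` never receives a request even though it is registered: the listener forwards to the target group, and the target group's health check decides which members are eligible.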


Elastic Load Balancing – Pricing

Free Tier:
• 750 Hours per month (ALB)
• 15 Load Balancer Capacity Units (LCUs) used for ALB

Charges:
• ALB:
Ø Per hour or partial hour while it is running.
Ø Number of LCUs used per hour.
• NLB:
Ø Per hour or partial hour while it is running.
Ø Number of Network Load Balancer Capacity Units (NLCUs) used.
• GWLB:
Ø Per hour or partial hour while it is running.
Ø Number of GWLB Capacity Units used.

https://aws.amazon.com/elasticloadbalancing/pricing/
Hands-on Labs (HoLs)

Launching an Application Load Balancer



Hands-On Lab: Setup

• Objective: Demonstrate the creation of Target Groups, adding instances, and creating and using an Application Load Balancer.
• Approach: Launch two EC2 instances with a user data script to identify the instance and its AZ. Test public access to the instances using HTTP. Launch an Elastic Load Balancer (ALB) and use it to load balance to the two public instances.

[Diagram: AWS Cloud with Route 53 in front of a VPC; the ALB spans AZ US-East-1a (Public subnet 1) and AZ US-East-1b (Public subnet 2)]


Amazon Auto-Scaling



Amazon Auto Scaling



Auto Scaling

• AWS Auto Scaling lets you quickly configure automatic scaling for the AWS resources that make up an application.
• Automatic scaling can be configured for individual resources or for whole applications.
• Auto Scaling can be used with EC2, EC2 Spot Instances, DynamoDB, Aurora, and Amazon ECS, among other services.

[Diagram: EC2 Auto Scaling - Horizontal Scaling (Out and In): Scale Out adds instances, Scale In removes them]


Amazon Auto Scaling

Auto Scaling is useful for applications that experience daily or weekly variations in
traffic flow such as:
• Cyclical (repetitive) traffic patterns (e.g., business hours).
• On and Off traffic patterns (e.g., batch processing)
• Variable traffic patterns (e.g., spiky traffic).



Application Auto Scaling

Application Auto Scaling is a web service used to scale resources automatically for services beyond Amazon EC2.
• It can be used to configure auto scaling for the following services and their resources:
Ø Amazon RDS
Ø ECS services
Ø Spot Fleet requests
Ø EMR Clusters
Ø AppStream 2.0 fleets
Ø Aurora Replicas
Ø DynamoDB Read and Write Capacity units
Ø SageMaker endpoints
Ø Amazon Comprehend


EC2 Auto Scaling



Amazon EC2 Auto Scaling – Components

The EC2 Auto Scaling configuration components are:

An auto scaling group
• The logical grouping of managed instances.

A launch template
• The template for instance configurations.

A scaling policy (plan)
• Defines when and how to scale out or in.


Amazon EC2 Auto Scaling – Features

• An AS Group can span multiple Availability Zones in the same AWS Region.
• It integrates with ELB, CloudWatch, and CloudTrail.
• An AS Group will try to balance resources across Availability Zones.
• Auto Scaling is free to use; customers pay for the EC2 and EBS resources used.
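The two behaviours just described, a group that stays within its configured size and tries to keep instances balanced across its Availability Zones, as an added illustrative model (not the AWS implementation and not from the course). The AZ names, counts and min/max sizes are constructed sample values, and the tie-breaking choices are modelling assumptions.

```python
# Illustrative model (not the AWS implementation) of two EC2 Auto Scaling
# behaviours: the group stays within its min/max size, and scaling out or in
# keeps instances balanced across the enabled Availability Zones.

def clamp_desired(desired: int, min_size: int, max_size: int) -> int:
    """Desired capacity is bounded by the group's min and max size."""
    return max(min_size, min(desired, max_size))

def az_for_launch(counts: dict) -> str:
    """Scale out launches in the AZ with the fewest instances.
    Ties go to the first listed AZ (a modelling choice)."""
    return min(counts, key=counts.get)

def az_for_terminate(counts: dict) -> str:
    """Scale in terminates in the AZ with the most instances.
    Ties go to the first listed AZ (a modelling choice)."""
    return max(counts, key=counts.get)

def rebalance(counts: dict, desired: int, min_size: int, max_size: int) -> dict:
    """Return per-AZ instance counts after the group reaches the clamped
    desired capacity (one instance at a time) and is rebalanced across AZs."""
    counts = dict(counts)  # do not mutate the caller's view
    target = clamp_desired(desired, min_size, max_size)
    while sum(counts.values()) < target:          # scale out
        counts[az_for_launch(counts)] += 1
    while sum(counts.values()) > target:          # scale in
        counts[az_for_terminate(counts)] -= 1
    # AZ rebalancing: launch in the emptiest AZ, then terminate in the fullest,
    # until no two AZs differ by more than one instance.
    while counts[az_for_terminate(counts)] - counts[az_for_launch(counts)] > 1:
        counts[az_for_launch(counts)] += 1
        counts[az_for_terminate(counts)] -= 1
    return counts

if __name__ == "__main__":
    # Constructed sample: a group enabled in two AZs, currently unbalanced.
    current = {"us-east-1a": 3, "us-east-1b": 0}
    print(rebalance(current, desired=4, min_size=2, max_size=6))
```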


Amazon EC2 Auto Scaling - Benefits

• Better fault tolerance (ASGs can span multiple AZs).
• Better availability.
• Better cost management.


Hands-on Labs (HoLs)

EC2 Auto Scaling – Launch Configurations & Launch Templates


Hands-on Labs (HoLs)

Auto Scaling Walkthrough – Manual Scaling Using a Launch Configuration