CLOUD AND AWS

The document provides an overview of cloud computing, focusing on its definition, types, advantages, and the AWS platform. It explains various cloud deployment models (public, private, hybrid, community) and service models (SaaS, IaaS, PaaS), alongside AWS's features, services, and advantages such as scalability and security. Additionally, it covers the setup of AWS instances, storage options, and the use of Amazon Machine Images (AMIs).
What is a Cloud?

In simple terms, cloud computing is a global network of servers connected over the internet
that combine to form one huge hard drive. Consider some everyday examples: when you
watch a YouTube video, access PrepinstaPrime courses or listen to music on Spotify, you
are using the cloud. There are various platforms on which you can work with the cloud:
Google has GCP (Google Cloud Platform), Amazon has its own product AWS (Amazon Web
Services), and Microsoft has Azure. There are various types of cloud deployment model:

 Public cloud
 Private cloud
 Hybrid cloud
 Community cloud

AWS is a public cloud that works on a pay-as-you-go billing model. Public clouds are
managed by third parties that provide cloud services to the public over the internet, and
these services are billed on a pay-as-you-go basis.

What is Cloud Computing ?

Cloud computing is internet-based computing: a shared pool of resources that is available
over a broad network. In other terms, it means accessing cloud services on a pay-as-you-go
(PAYG) basis.

PAYG allows a user to scale, customize or provision computing resources, including
software, storage and development platforms. Charges are based on the services actually
used rather than on an entire infrastructure. In simple terms, you pay only for the resources
that you are using.

Public cloud providers approach and apply the PAYG model differently. For example, a
user provisioning a dedicated cloud server is generally billed according to server power and
usage, on a recurring basis. Software as a Service (SaaS) works similarly: the user leases
the software and its customized features. Storage as a Service (SaaS) is billed on a frequent,
rotating basis, because storage requirements usually grow and are subject to gradually
increasing pricing.

We will be discussing SaaS further in the course.

Advantages and Disadvantages of Cloud Computing


As everything has some pros and cons, here we will discuss the advantages and
disadvantages of using cloud computing.

Advantages

 Data backup (there is always a backup of your data available because it is on the cloud,
and you can access it from anywhere if you have the right credentials)
 Accessibility and collaboration (this made working from home easy, as multiple
people can come together, collaborate and work)
 No maintenance cost (you don't have to maintain the servers; that is taken care of by
Amazon)
 Mobility (if you have an internet connection you can work from anywhere)
 Pay as you go (you only pay for what you are using)
 Unlimited storage (say your hard disk is full: you would need to buy an extra disk for
new data, but in the cloud you can get extra space within a few seconds)
 Data security (there are multiple levels of security applied by AWS)

Disadvantages

 Internet connectivity (if you don't have a good internet connection, you won't be
able to use the cloud services)
 Vendor lock-in (suppose a company uses AWS as its cloud service at the initial
stage and after 3-4 years wants to change vendor to GCP, say because of some features;
all the data and everything that is in AWS then needs to be shifted to GCP, and that can
cause a lot of complications)
 Limited control (you only have limited control over the services)
 Sense of security

Cloud deployment models

Public cloud
Typically has massive amounts of available space, which translates into easy scalability.
Recommended for software development and collaborative projects.

 Public cloud is open to all: anyone can store and access information via the Internet.
 Offers networking services, compute virtualization and storage over the public network
 Very cost effective
 Not very secure
 No setup or maintenance required
Private

 Managed and used by a single organization.
 Offers greater control over the data and resources.
 Offers better privacy and higher level of security.
 More expensive than the Public Cloud.
 Since it is managed by a single organization, it has a significant maintenance cost.

Community

 Similar to public cloud but offers its services to a specific set of users who share a
common objective/interest.
 Managed and hosted internally or by a third-party vendor.
 Cheaper and more efficient than the public cloud.
 Not so popular, hence not available across all industries.

Hybrid

 It's a combination of two or more models and offers flexible services.
 Cost effective, as it can use the public cloud too.
 High level of security, as it can use a private cloud too.
 It's a little complex to set up.
 Critical use cases

Cloud computing service models

There are various cloud computing service models; some of them are as follows:

 SAAS (Software as a Service)
 IAAS (Infrastructure as a Service)
 PAAS (Platform as a Service)

SAAS
Software as a service (or SaaS) is a way of delivering applications over the Internet as a
service. Instead of installing and maintaining software, you simply access it via the
Internet, freeing yourself from complex software and hardware management. Examples of
SaaS: Microsoft Office 365, Salesforce, Cisco WebEx, Google Apps.
IAAS
Infrastructure as a service (IaaS) is a form of cloud computing that provides virtualized
computing resources over the internet. Examples of IaaS: Microsoft Azure, Amazon Web
Services (AWS), Cisco Metacloud, Google Compute Engine (GCE).

PAAS

Platform as a service (PaaS) is a cloud computing model in which a third-party provider
delivers hardware and software tools to users over the internet. Usually these tools are
needed for application development. Examples of PaaS: AWS Elastic Beanstalk, Apache
Stratos, Google App Engine, Microsoft Azure.

Cloud Deployment Providers

There are various cloud providers; here we will discuss a few of them:

 AWS:- Being early in the market, it has the largest computing capacity and flexible
pricing; it also has a wide range of services.
 Azure:- Azure is the second best in the market. It works great if you are familiar
with the Microsoft ecosystem.
 Google Cloud:- GCP is the most economical and has exclusive features based on
search engine analytics.

GETTING STARTED WITH AWS

AWS and its Advantages


Let's take a look at the history of AWS. The availability of AWS is very high.

In the year 2000 it was a startup and they were in debt; they relaunched the product again
in 2006 as the competition came, and AWS became better and better.

AWS operates from over 25 regions globally, spread over 6 continents, with over 200 edge
locations serving as a CDN (content delivery network).

It provides storage services, bandwidth, computing services (EC2), S3, CloudFront, RDBMS
and more.
Why should you use AWS?

The biggest advantage is availability, as AWS has very high availability.

Another major advantage is recovery and backup. You can back up your data in multiple
regions with EBS (Elastic Block Store); there is always a backup of a backup.

Better security: there are multiple layers of operational security, and AWS also performs
multiple security checks.

Scalability: you can scale up or scale down based on the requirement. It is also very flexible:
it allows you to select which operating system you want to work on, the programming
language, the web application platform and more.

So let's summarize the advantages:

 Location (availability)
 Recovery and backup
 Better security
 Scalability
 Flexibility
 Pricing

AWS Services and Domains


Here we will discuss various services and domains of AWS.

There are various domains like:-

Analytics:- Analytics is a primary source of growth, as data gives valuable information to
companies; AWS offers various applications for this purpose.

 EMR (Elastic MapReduce): provides a Hadoop framework that provides
 Amazon Kinesis: helps in analysing real-time streaming data
 Data Pipeline: helps to move data between different storage devices within AWS
 Glue: a kind of computing service that runs code in response to events.

Compute:- Compute services are required for running any organization.

EC2: a type of instance (Elastic Compute Cloud)

Lambda : AWS Lambda is a serverless, event-driven compute service that lets you run
code for virtually any type of application or backend service without provisioning or
managing servers.

Elastic beanstalk : Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable,
high-performance block-storage service designed for Amazon Elastic Compute Cloud
(Amazon EC2).
Elastic Load Balancer : Elastic Load Balancing (ELB) is a load-balancing service used for
Amazon Web Services (AWS) deployments.

Developer tools: these help developers deliver software quickly and safely while also
maintaining source code and versions.

 CodeStar: helps to set up a continuous pipeline within minutes
 X-Ray: helps in debugging the application
 CodeCommit: provides a fully managed

Networking

 VPC:- Amazon Virtual Private Cloud (Amazon VPC) provides you with full control
over your virtual networking environment, including resource placement,
connectivity, and security.
 Snowball: a data transportation solution that uses secure appliances to transfer
large amounts of data in and out of the AWS cloud
 CloudFront:- helps to increase the availability and download speed of the data
or the content.
 Direct Connect: AWS Direct Connect is a cloud service that links your network
directly to AWS to deliver consistent, low-latency performance.
 Route 53: Amazon Route 53 is a highly available and scalable cloud Domain Name
System (DNS) web service. It is designed to give developers and businesses an
extremely

Storage: There are 3 main types of storage available in AWS that is

 Object storage
 Block storage
 File storage

Within the storage services there are:

 S3 (buckets)
 Glacier (archive data)
 EFS (Elastic File System): a scalable storage solution that can be used for general-purpose
solutions
 EBS (Elastic Block Store): used with EC2 instances for persistent data storage; it has
high availability and low latency
 Storage Gateway: provides on-premises access to unlimited cloud storage.

Security:

 It's a very important part of data security, so here we will have a look at some
services that help to keep the data secure.
 IAM (Identity and Access Management): from here the admin can manage user access
and encryption keys
 KMS (Key Management Service): it uses hardware security modules, FIPS 142 (a
government-recognised body)

Blockchain: helps many parties manage multiple transaction records. Amazon Managed
Blockchain creates and manages blockchain networks. There is also something called
QLDB that creates a complete and accurate record of all financial transactions, such as
credit and debit transactions.

Machine Learning: learning from existing data is called ML.

SageMaker: SageMaker enables developers to create, train, and deploy machine-learning
models in the cloud.

Macie: Amazon Macie is a fully managed data security and data privacy service that uses
machine learning and pattern matching to discover and protect your sensitive data in AWS.

Database: used to store data

RDS: Relational Database Service

DynamoDB: provides database services for NoSQL databases

Redshift: a data warehouse which forms part of the larger cloud computing platform

ElastiCache: fully managed in-memory database

Timestream: fully managed time-series database

Aurora: provides high-performance, fully managed database services

Instance
What is an instance?

An Amazon EC2 instance is a virtual server that runs applications on Amazon's Elastic
Compute Cloud (EC2) infrastructure. AWS is a comprehensive and ever-evolving cloud
computing platform, and EC2 is a service that allows business subscribers to run application
programmes in a computing environment. It can be used to create virtually infinite virtual
machines (VMs).

To meet user needs, Amazon offers a variety of instances with different CPU, memory,
storage, and networking resource configurations. Each type is available in a variety of sizes
to meet the needs of different workloads.

 General purpose instance
 Compute optimized
 Memory optimized
 Accelerated Computing
 Storage optimized
 GPU
 Micro

Setting up the account


Free Tier services: here are the services that you get access to for the next 12 months.

EC2

 750 hrs/month of Linux, RHEL or SLES t2.micro instance usage
 750 hrs/month of Windows t2.micro instance usage

Elastic Load Balancer

 750 hrs + 15 GB data processing

Elastic Block Storage

 30 GB in any combination of SSD, plus 2 million I/O and 1 GB of snapshot storage

Amazon Web Services

 15 GB of bandwidth aggregated across all services
 1 GB of regional data transfer

Launching an Instance

 Step 1:- Go to the console sign-in page and sign in as the root user
 Step 2:- Type your password and the captcha
 Step 3:- Search for EC2 in the search bar and select it as the service
 Step 4:- Select the AMI (Amazon Machine Image) that you want to launch; let's say
we select WordPress.
 Step 5:- Click on next and choose t2.micro as the instance type
 Step 6:- Next, configure the instance details, where you can select the number of
instances, the subnet and a lot more
 Step 7:- Select the storage you need; the storage is limited, so let's say we add 15 GB
 Step 8:- Select configure security group. Here you can add the security rules: you can
make a new security rule or use a security group that was defined previously.
 Step 9:- Now select key pairs; for the first time we will create a new security group

What is AMI?
An Amazon Machine Image (AMI) provides the information required to launch an
instance. When launching a new instance, you must specify an AMI. When you need
several instances with the same configuration, you can launch them all from a single AMI.
When you need instances with different configurations, you can use various AMIs to
launch them. The following are components of an AMI:

 One or more Amazon Elastic Block Store (Amazon EBS) snapshots, or a template
for the instance's root volume in case of instance-store-backed AMIs (for example,
an operating system, an application server, and applications).
 Permissions for launching instances using the AMI that control which AWS accounts
can do so.
 A block device mapping that specifies the volumes to attach to the instance when it
is launched.

Getting a free domain


 First get a free domain name from Freenom by following the steps mentioned in the
video
 Head over to the AWS Management Console and search for Route 53
 Click on create hosted zone, type your domain name and then click create hosted
zone
 When you create a public hosted zone, Route 53 will give you 4 name servers and an
SOA, start of authorization record (underlying information of the DNS server)
 Our main goal: when we type the domain name, the instance that we have launched
should appear on the domain name.
 Go to the AWS EC2 instance page and you can see the instance that you have created
 The public IP address is dynamic in nature, meaning that if you reboot or restart the
instance you will get a new IP address every time.
 Go to Route 53 and add a record to redirect the user to the IP address of the
instance that you have created.
 To remove this problem, click on elastic IP address, click on allocate IP address and
then click on create.
 Select the elastic IP address that you have created, click action, select the WordPress
instance that you have created and then click on associate.
 Then go to Route 53 and add the elastic IP address as an A record

S3 Revising storage
Why do we need storage? To store the data and to keep it secure.

1. EBS:- Elastic Block Store is very scalable and offers fast retrieval if you have access to
the instance to which it is attached.
2. EFS:- much more collaborative, and data retrieval is scalable
3. Glacier:- data in archival form; retrieval is not that fast
4. Storage Gateway:- AWS Storage Gateway is a set of hybrid cloud storage services
that provide on-premises access to virtually unlimited cloud storage.

S3 and its Advantages


S3 is a global service. When you store a file in S3 it goes into a bucket, and when the bucket
is created you need to select the region in which the data is stored. Consider the bucket as
a folder: the data is stored in the form of objects in the buckets.

 Ease of use
 Reliability
 Integration
 Scalability
 Migration

S3 storage classes

Amazon S3 Standard (S3 Standard)

Key Features:

 Low latency and high throughput performance
 Designed for durability of 99.999999999% of objects across multiple Availability
Zones
 Resilient against events that impact an entire Availability Zone
 Designed for 99.99% availability over a given year

Amazon S3 Intelligent-Tiering (S3 Intelligent-Tiering)

Key Features:

 Frequent, Infrequent, and Archive Instant Access tiers have the same low-latency and
high-throughput performance of S3 Standard
 The Infrequent Access tier saves up to 40% on storage costs
 Deep Archive Access tier has the same performance as Glacier Deep Archive and
saves up to 95% for rarely accessed objects
 Designed for durability of 99.999999999% of objects across multiple Availability
Zones and for 99.9% availability over a given year

Amazon S3 Standard-Infrequent Access(S3 Standard-IA)


Key Features:

 Same low latency and high throughput performance as S3 Standard
 Designed for durability of 99.999999999% of objects across multiple Availability
Zones
 Resilient against events that impact an entire Availability Zone
 Data is resilient in the event of one entire Availability Zone destruction
 Designed for 99.9% availability over a given year

Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA)

Key Features:

 Same low latency and high throughput performance as S3 Standard
 Designed for durability of 99.999999999% of objects in a single Availability Zone
 Designed for 99.5% availability over a given year
 Backed with the Amazon S3 Service Level Agreement for availability

Amazon S3 Glacier Instant Retrieval storage class

Key Features:

 Data retrieval in milliseconds with the same performance as S3 Standard
 Designed for durability of 99.999999999% of objects across multiple Availability
Zones
 Data is resilient in the event of the destruction of one entire Availability Zone
 Designed for 99.9% data availability in a given year
 128 KB minimum object size

Amazon S3 Glacier Flexible Retrieval (Formerly S3 Glacier) storage class

Key Features:

 Designed for durability of 99.999999999% of objects across multiple Availability
Zones
 Data is resilient in the event of one entire Availability Zone destruction
 Supports SSL for data in transit and encryption of data at rest
 Ideal for backup and disaster recovery use cases when large sets of data occasionally
need to be retrieved in minutes, without concern for costs
 Configurable retrieval times, from minutes to hours, with free bulk retrievals

Amazon S3 Glacier Deep Archive (S3 Glacier Deep Archive)

Key Features:

 Designed for durability of 99.999999999% of objects across multiple Availability
Zones
 Lowest cost storage class designed for long-term retention of data that will be retained
for 7-10 years
 Ideal alternative to magnetic tape libraries
 Retrieval time within 12 hours

Creating and deleting a bucket


S3 is a global service, while instances are not.

 Go to the AWS Management Console and click on S3
 Then click create S3 bucket
 While naming the bucket, take care that the name is unique; no spaces or special
characters are allowed.
 Select the region where the bucket will be created and leave all the other settings at
their defaults.
 Now you have created the bucket. It is an empty bucket; if you want, you can add
files to it.
 Click upload file to add the data
 To delete the bucket you first need to empty it: select the bucket and delete all the
data.
 Now that the bucket is empty, you can delete the bucket.
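The naming step above says only "unique, no spaces, no special characters". As an added example (not part of the course notes), the checker below encodes AWS's published naming rules for general-purpose buckets that can be verified offline: 3 to 63 characters, only lowercase letters, digits, dots and hyphens, starting and ending with a letter or digit, no adjacent dots, and not shaped like an IPv4 address. Global uniqueness can only be checked against AWS itself, so it is out of scope here; the sample names are constructed.

```python
# Added example, not from the course notes: an offline checker for the S3
# bucket naming rules (global uniqueness cannot be checked without AWS).
import ipaddress
import re
from typing import List

# lowercase letters, digits, dots, hyphens; letter or digit at both ends; 3-63 chars
_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def bucket_name_problems(name: str) -> List[str]:
    """Return every rule the name breaks; an empty list means it is acceptable."""
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("length must be between 3 and 63 characters")
    if not _NAME_RE.match(name):
        problems.append("only lowercase letters, digits, dots and hyphens are allowed, "
                        "and the name must start and end with a letter or digit")
    if ".." in name:
        problems.append("adjacent dots are not allowed")
    try:
        ipaddress.IPv4Address(name)          # succeeds only for dotted-quad names
        problems.append("must not be formatted like an IPv4 address")
    except ValueError:
        pass
    return problems


def is_valid_bucket_name(name: str) -> bool:
    return not bucket_name_problems(name)


if __name__ == "__main__":
    # constructed sample names
    for candidate in ["my-bucket-2024", "My Bucket", "192.168.1.1", "ab", "my..bucket"]:
        print(f"{candidate!r:>18}: {bucket_name_problems(candidate) or 'ok'}")
```

Run the check before the console or a deployment script tries to create the bucket; a rejected name surfaces as a clear message instead of an API error.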

Versioning and lifecycle


While uploading data, if versioning is on, one can see the different versions of the data that
were stored previously.

What is versioning?

Versioning is the means of keeping multiple forms of an object in the same S3 bucket.
Versioning can be used to retrieve, preserve and restore every version of an object in an S3
bucket.

If you overwrite the object, a new version of the object is created and the previous version
is also retained.

Now let's see how this versioning works. Create a new S3 bucket, this time enabling
versioning. Now upload a file and then upload the same file again; you will be able to see
the different versions of the same file that you have uploaded.

To understand the lifecycle, you must make sure that versioning is enabled for the bucket.

 Go to the management section and click on create lifecycle rule
 Let's say some data is important for the first 30 days; after that it is no longer
required, but we will keep a redundant copy of it.
 So we want to store the data in the S3 bucket for the first 30 days, and after that we
will shift the data to Glacier; for that we will create the lifecycle rule.
 Let's give the lifecycle rule a name
 Choose the storage class transition, which is Glacier in our case, and set the number of
days to 30
 Click on create rule
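The versioning and lifecycle sections above describe behaviour rather than show it. As an added example (not part of the course notes), the in-memory model below reproduces the two properties that matter for protecting data: an overwrite appends a version instead of replacing one, and a plain delete only adds a delete marker, so the object can be restored. It then applies a lifecycle configuration in the same shape boto3's `put_bucket_lifecycle_configuration` accepts, moving versions older than 30 days to `GLACIER`. The keys, contents and dates are constructed.

```python
# Added example, not from the course notes: a model of a versioned S3 bucket
# plus the 30-day transition-to-Glacier lifecycle rule the section creates.
import itertools
from datetime import datetime, timedelta
from typing import List, Optional


class ObjectVersion:
    def __init__(self, key: str, version_id: str, body: Optional[bytes], stored_at: datetime):
        self.key, self.version_id, self.body, self.stored_at = key, version_id, body, stored_at
        self.storage_class = "STANDARD"

    @property
    def is_delete_marker(self) -> bool:
        return self.body is None      # a delete marker carries no content


class VersionedBucket:
    def __init__(self) -> None:
        self.versions: List[ObjectVersion] = []
        self._ids = itertools.count()

    def put(self, key: str, body: bytes, now: datetime) -> str:
        """An overwrite appends a new version; earlier versions are never replaced."""
        v = ObjectVersion(key, f"v{next(self._ids)}", body, now)
        self.versions.append(v)
        return v.version_id

    def delete(self, key: str, now: datetime) -> None:
        """A plain delete adds a delete marker; the data stays recoverable."""
        self.versions.append(ObjectVersion(key, f"v{next(self._ids)}", None, now))

    def _latest(self, key: str) -> Optional[ObjectVersion]:
        for v in reversed(self.versions):
            if v.key == key:
                return v
        return None

    def get(self, key: str) -> Optional[bytes]:
        latest = self._latest(key)
        return None if latest is None or latest.is_delete_marker else latest.body

    def list_versions(self, key: str) -> List[str]:
        return [v.version_id for v in self.versions if v.key == key]

    def restore(self, key: str) -> bool:
        """Undo a deletion by removing the delete marker that is the current version."""
        latest = self._latest(key)
        if latest is None or not latest.is_delete_marker:
            return False
        self.versions.remove(latest)
        return True


# Same shape as the configuration boto3's put_bucket_lifecycle_configuration accepts.
LIFECYCLE_RULE = {"Rules": [{
    "ID": "to-glacier-after-30-days",
    "Status": "Enabled",
    "Filter": {"Prefix": ""},
    "Transitions": [{"Days": 30, "StorageClass": "GLACIER"}],
}]}


def apply_lifecycle(bucket: VersionedBucket, config: dict, now: datetime) -> List[str]:
    """Transition every STANDARD version at least `Days` old; return the ids that moved."""
    moved = []
    for rule in config["Rules"]:
        if rule["Status"] != "Enabled":
            continue
        prefix = rule.get("Filter", {}).get("Prefix", "")
        for transition in rule["Transitions"]:
            cutoff = now - timedelta(days=transition["Days"])
            for v in bucket.versions:
                if (v.key.startswith(prefix) and not v.is_delete_marker
                        and v.storage_class == "STANDARD" and v.stored_at <= cutoff):
                    v.storage_class = transition["StorageClass"]
                    moved.append(v.version_id)
    return moved


def demo() -> dict:
    """Walk through the scenario from the notes with constructed dates."""
    day0 = datetime(2024, 1, 1)
    b = VersionedBucket()
    b.put("report.txt", b"first draft", day0)
    b.put("report.txt", b"final", day0 + timedelta(days=1))   # same key uploaded again
    versions_after_overwrite = b.list_versions("report.txt")
    b.delete("report.txt", day0 + timedelta(days=2))
    visible_after_delete = b.get("report.txt")
    b.restore("report.txt")
    visible_after_restore = b.get("report.txt")
    moved = apply_lifecycle(b, LIFECYCLE_RULE, day0 + timedelta(days=30))
    return {"versions": versions_after_overwrite, "after_delete": visible_after_delete,
            "after_restore": visible_after_restore, "moved_to_glacier": moved}


if __name__ == "__main__":
    print(demo())
```

Two things the walk-through makes visible: the delete marker is why a versioned bucket resists accidental or malicious deletion (the restore is just removing the marker), and the lifecycle transition is evaluated per version, so old versions of a frequently rewritten key are what end up in Glacier first.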

Cross region replication


Cross-region replication is used to replicate the data from one bucket to another bucket,
which could be in a different region.

Let's understand this using an example. We will create 2 buckets, and versioning must be
enabled in order to do this practical.

 Make two S3 buckets, one as the destination bucket and one as the source bucket;
select a different region for the destination bucket, and versioning must be enabled in
both buckets.
 Go to the source bucket, then to management, and create a replication rule. Give this
rule a name, let's say transfer.
 Next select the source bucket and give it a prefix, let's say source to destination.
 Now you need to select the destination bucket: select a bucket in this account and
specify the destination bucket.
 In additional replica options, check replica modification sync, which will update the
destination if there is a modification in the source bucket.
 Then click on save, and the replication rule is created.

Bucket policies
There are ways to give access to some users, that is, to control which person has access
to which part of the data.

 Create another bucket and enable versioning for both buckets
 Upload any file to this bucket and then go to permissions.
 You can see the section for the bucket policy.
 Go to the browser and search for the AWS policy generator; now select the type of
policy as S3
 In effect select deny, as we are denying access.
 Principal as *: that means it will be applied to everyone who is there in the
dashboard.
 In the action let's select delete bucket, so the user won't be able to delete the bucket.
 For the ARN (Amazon resource number), go back to the S3 bucket and click on copy
ARN.
 Then click on add statement and then click on generate policy. Now copy all the
JSON.
 Then go back to the console, and in the permissions section click edit on the bucket
policy and paste the JSON that you copied.

To check whether the above policy is in effect, first empty the bucket and then try to delete
the bucket; you won't be able to delete it.

[Note:- Sometimes, even after removing everything from the bucket, some metadata is
left, so you can click on empty to clear the bucket]

S3 Data Acceleration
It helps in quick, easy and safe transfer of files. The distance between the client and the S3
bucket is usually large, so CloudFront helps to accelerate the data transfer; AWS charges
extra for this because it is an accelerated service.

S3 Transfer Acceleration utilizes the CloudFront edge network to accelerate uploads to S3:
instead of uploading the data or file directly to the S3 bucket, you get a distinct URL that
uploads the data to the nearest edge location.

IAM Part 1
When you log in to the AWS Management Console you will see two kinds of login: one is
the root login and the other is the IAM user. Root is the admin, and the admin can create
multiple IAM users (IAM stands for Identity and Access Management). Let's say you are the
root user and another member of your team wants to access the EC2 instance; what you
as the root user can do is create a new IAM user, that is, a username and password with
access to the EC2 instance, and give those credentials to the other member. There are
various features that we will be discussing in this course:-

 Shared access
 Granular permissions
 MFA (Multi-factor authentication)
 Identity federation
 Free to use
 PCI DSS (Payment Card Industry Data Security Standard)
 Password policies

IAM Part 2
Once you create an IAM user there are different ways to grant access; let's discuss them here.

User:- If you want to set permissions for a single user to access the EC2 instance, what
you as the root user can do is generate an email and password for that user and give the
permission directly.

User group:- Let's say there are 200 members in a team working on a project and you
want only 50 of them to access a particular EC2 instance; what you can do is make a
group and then give it access for whatever the use case is.

Policies:- With these you can customize access; let's say you want a user to access the
instance only if the user is in the Ohio region, then only then will the user be able to access
the instance.

You can also set up some other policies.

Working on IAM
1. IAM is a global service. First we will create an IAM user, then we will give it access
to some of the services, such as an S3 bucket.
2. Go to IAM and click on user > create user
3. Give it a username and
4. Select the AWS access type as password for the AWS Management Console; for the
console password select custom password.
5. Select the required password reset option, which will allow the user to set a custom
password at the time of first login.
6. Click on next and you will see the review; then click on create user.
7. You will get a 12-digit ID. Copy it, and at the time of login select IAM user and paste
the 12-digit ID that you copied into the Account ID field.
8. Then it will ask for the username and password, and for the first time it will ask you
to change the password > log in as the IAM user
   > At this time you don't have access to any of the services
9. To give the IAM user permission to services, go to the root user and then click on
user > permission
10. Select the permission that you want to assign to that user, let's say full access to S3
buckets.
   > As the IAM user you will now be able to see the S3 bucket that we have created

Working on IAM Part 2

To remove permissions, one option is to remove all the permissions one by one; another is
AWSDenyAll, which will nullify all the permissions that you previously gave to the user.

You can also create groups and give a group permissions. For example, you have created a
group S3access and this group should have permissions on S3 buckets; you can do this by
clicking on S3access, going to permissions and then granting the S3 permissions.

If you are an IAM user then you won't be able to go to IAM. That is, you as an IAM
user can't create further IAM users.

IAM Policies Part 1


A policy is another way through which you can give access to a user.

Let's create a new user group and give it a name. Now let's create a custom policy and go
to JSON. In a new tab, search for the AWS policy generator.

 In the type select IAM as the type; in effect select allow.
 In ARN type *, which represents all resources
 We need to add some additional conditions, so in condition select StringLike, in key
select ec2:Region and in the value enter the region of that particular one; in our case,
Ohio, the region is us-east-1
 Click on add condition, then generate the policy and copy the JSON.
 Go to the main console and click on policies > create a new policy, go to JSON and
paste what you copied above.
 Give the policy a name, let's say EC2forOhio, and give it a description
 Now go to the user group that we created previously.
 Go to permissions and then attach policies; you will see the EC2forOhio policy that
you created at the top; click on it and then add permission.
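The policy generator walk-throughs (the bucket policy that denies DeleteBucket to everyone, the AWSDenyAll idea from the previous section, and the region-scoped allow policy above) all produce JSON documents whose effect you cannot see until you try the action in the console. As an added example (not part of the course notes), the block below builds those three documents and evaluates requests against them offline with a deliberately simplified version of IAM's decision logic: an explicit Deny always wins, otherwise any matching Allow grants, otherwise the request is implicitly denied. The bucket name, the region value, the choice of `ec2:*` as the allowed action and the single `StringLike` operator are assumptions; `Principal` is recorded in the bucket policy but not evaluated.

```python
# Added example, not from the course notes: build the policy documents the
# notes assemble in the policy generator and evaluate them with a teaching-grade
# subset of IAM's logic (explicit Deny > Allow > implicit deny).
import fnmatch
import json
from typing import List, Optional

POLICY_VERSION = "2012-10-17"


def bucket_deny_delete_policy(bucket_arn: str) -> dict:
    """Bucket policy: nobody (Principal *) may delete this bucket."""
    return {"Version": POLICY_VERSION, "Statement": [{
        "Sid": "DenyBucketDelete", "Effect": "Deny", "Principal": "*",
        "Action": "s3:DeleteBucket", "Resource": bucket_arn}]}


def region_scoped_ec2_policy(region: str) -> dict:
    """IAM policy: EC2 actions (assumed ec2:*) only when the request targets `region`."""
    return {"Version": POLICY_VERSION, "Statement": [{
        "Sid": "EC2OnlyInRegion", "Effect": "Allow", "Action": "ec2:*",
        "Resource": "*", "Condition": {"StringLike": {"ec2:Region": region}}}]}


def deny_all_policy() -> dict:
    """Explicit deny on everything; attaching it nullifies every Allow the user has."""
    return {"Version": POLICY_VERSION, "Statement": [{
        "Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"}]}


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str, fold_case: bool = False) -> bool:
    # IAM treats * and ? as wildcards; action names are matched case-insensitively.
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition: dict, context: dict) -> bool:
    for operator, pairs in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(f"operator {operator} is not modelled here")
        for key, patterns in pairs.items():
            actual = context.get(key)
            if actual is None or not any(_matches(p, actual) for p in _as_list(patterns)):
                return False      # a missing or non-matching key fails the condition
    return True


def evaluate(policies: List[dict], action: str, resource: str,
             context: Optional[dict] = None) -> str:
    """Return "Deny", "Allow" or "ImplicitDeny" for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_matches(a, action, True) for a in _as_list(stmt["Action"])):
                continue
            if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"         # an explicit deny short-circuits everything else
            decision = "Allow"
    return decision


def policy_json(policy: dict) -> str:
    """The text you would paste into the console's policy editor."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    arn = "arn:aws:s3:::example-course-bucket"      # constructed bucket ARN
    print(policy_json(bucket_deny_delete_policy(arn)))
    print(evaluate([bucket_deny_delete_policy(arn)], "s3:DeleteBucket", arn))
```

The useful observation is in the combinations: pairing a full-access allow with the deny-delete bucket policy still denies `s3:DeleteBucket` while other actions stay allowed, and a request that lacks the `ec2:Region` key altogether never satisfies the `StringLike` condition, so the region-scoped policy grants nothing rather than everything.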

Activation MFA
AWS Multi-Factor Authentication (MFA) is a simple best practice that adds an extra layer
of protection on top of your user name and password. With MFA enabled, when a user
signs in to an AWS Management Console, they will be prompted for their username and
password (the first factor—what they know), as well as for an authentication code from
their AWS MFA device (the second factor—what they have).

To enable MFA, go to IAM and on the top right corner of the dashboard click on Add MFA.

 It will ask you to choose an MFA device; select virtual MFA device
 Click on continue and then you will see a QR code
 For this you need to download Google Authenticator; download it and scan the QR code
 Next you will get two MFA codes; enter the codes

After activating MFA, if you sign out and log in again to the AWS Management Console as
the root user, you will be asked for an MFA code, which you get from the Google
Authenticator app.

Roles
An IAM role is a specific permissioned IAM identity that you can create in your account. An
IAM role, like an IAM user, is an AWS identity with permission policies that govern what
the identity can and cannot do in AWS. A role, on the other hand, is intended to be available
for anyone who needs it, rather than being uniquely associated with one person. A role also
does not have any standard long-term credentials associated with it, such as a password or
access keys. Instead, when you assume a role, you are given temporary security credentials
for the duration of your role session.

Billing and Budget


1. In this section we will look at how to set a budget for the account, and all about
billing.
2. Make sure you are logged in as the root user. In the top right corner, click on your
account and then go to My Billing Dashboard.
3. You will see charts showing the spend summary and the services for which you are
charged.
4. You can create a budget; on the free tier you can only create 2 budgets, but as a paid
user you can create multiple budgets.
5. Go to the billing preferences, click on receive billing alerts and then click on save
preferences.
6. Go to budgets and then click on create budget; here you can set a custom budget that
alerts you when you exceed your budget threshold.
7. Click on set custom budget, choose a monthly period, select the budget effective date
(recurring will be fine), then enter the budget amount, add a description and click on
next.

[Note:- You can also set the budget per month: for the month of June we can set one
budget, and for a different month we can set another amount]

As of now there is no alert. You can set a threshold alert, add recipient emails, click on
next, review the budget and then click on create budget.

VPC Part-1
Amazon Virtual Private Cloud (Amazon VPC) allows developers to create a virtual network
of resources in an isolated section of the AWS cloud (VPC is not a global service). It lets
you launch AWS resources into a virtual network that you define. This virtual network
closely resembles a traditional network that you would run in your own data centre, but
with the added benefit of using AWS's scalable infrastructure.

AWS also sets a limit on the size of a VPC. A user can't change the size of a VPC once it is
created. A VPC also has a limit of 200 subnets per VPC, each of which supports 14 IP addresses.
If you have created a VPC in a particular region and you switch to another region, you
won't be able to access that VPC.

Let's discuss what an IP address is and what CIDR (Classless Inter-Domain Routing) is.

What is an IP address?

It's a string of numbers separated by ".". An IP address is a unique address that identifies a
device on the internet or a local network. IP stands for "Internet Protocol", the set of
rules governing the format of data sent via the internet or a local network. Address blocks
are allocated by the organization IANA (Internet Assigned Numbers Authority). The IP
address is assigned to you by your ISP (internet service provider).

What is CIDR (Classless Inter-Domain Routing)?

It's also known as supernetting, a method of assigning IP addresses that improves the
efficiency of address distribution and replaces the previous system that was based on class
A, B and C networks. The initial goal was to slow the growth of routing tables across the
internet.

What are CIDR blocks?

CIDR blocks are groups of addresses that share the same prefix and contain the same
number of bits.

What is CIDR notation?

CIDR notation (Classless Inter-Domain Routing) is an alternate method of representing a
subnet mask. It is simply a count of the number of network bits (bits that are set to 1) in the
subnet mask.
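
A small planning check for the CIDR values used in a VPC, as an added example (not from the original notes): it normalises a CIDR written as a host address, verifies each subnet lies inside the VPC block, flags overlapping subnets, and counts the addresses instances can actually use, since AWS reserves five addresses in every subnet. The VPC size limits (/16 to /28) and the reserved-address count are AWS rules; the CIDRs in the tests are constructed.

```python
import ipaddress

# Added example, not from the original notes: checks a VPC/subnet plan the way a
# reviewer would before clicking "Create VPC". AWS rules used here: a VPC CIDR
# is between /16 and /28, and five addresses per subnet (network address,
# VPC router, DNS, one reserved for future use, broadcast) cannot be assigned.
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(cidr: str) -> int:
    """Addresses in a subnet that instances can actually use."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def check_plan(vpc_cidr: str, subnet_cidrs: list) -> list:
    """Return a list of problems with the plan (an empty list means it is sound)."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    if not 16 <= vpc.prefixlen <= 28:
        problems.append(f"VPC {vpc} must be between /16 and /28")
    seen = []
    for raw in subnet_cidrs:
        # strict=False turns a host address like 10.0.0.1/24 into its network
        net = ipaddress.ip_network(raw, strict=False)
        if str(net) != raw:
            problems.append(f"{raw} is a host address; the subnet is {net}")
        if not net.subnet_of(vpc):
            problems.append(f"{net} lies outside VPC {vpc}")
        for other in seen:
            if net.overlaps(other):
                problems.append(f"{net} overlaps {other}")
        seen.append(net)
    return problems


if __name__ == "__main__":
    # Constructed plan: a /16 VPC with one public and one private /24 subnet.
    print(check_plan("10.0.0.0/16", ["10.0.0.0/24", "10.0.1.0/24"]))
```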

VPC Part-2

Why do we need VPC?

It's more secure, it gives an isolated environment, and it also allows you to set up subnets
with different IP ranges and network configuration as per your preferences.

VPC is the best way to connect your data center to your instances on AWS. In other words,
it is the best way to create a private channel between your own network and the data
center.

Security groups are a software firewall used to manage the inbound and outbound traffic
rules.

There are two types of VPCs

Default VPC

 ✓ Already there for the user as soon as the first instance is provisioned.
 ✓ Has a private as well as a public IPv4 address.
 ✓ Has access to the internet by default.
 ✓ Already has an Internet Gateway & is ready to use.
 ✓ One VPC per region.

Custom VPC

Is to be created by the user.

 ✓ Has only a private IPv4 address.
 ✓ Has no access to the internet by default.
 ✓ Doesn't have any Internet Gateways.
 ✓ Five VPCs per region by default.

Components of VPC

There are various components of a VPC:

 Route table: A set of rules, called routes, that are used to determine where
network traffic is directed.
 Subnet: A range of IP addresses in your VPC.
 Security groups: A software firewall used to manage the inbound and outbound
traffic rules.
 NAT gateway: A managed AWS service that allows EC2 instances in private
subnets to connect to the internet, other VPCs, or on-premises networks.
 NACL (Network ACL): An optional layer of security for your VPC that acts as a
firewall for controlling traffic in and out of your subnets.
 VPC Peering: Allows you to route traffic between two VPCs using IPv4 and IPv6
addresses. It facilitates data transfer between them.
 Elastic IP address: Used to give an instance a permanent (static) public IP address.
 Network Interface: It's a connection between
 Customer gateway: A customer gateway is a resource that you create in AWS that
represents the customer gateway device in your on-premises network.
 VPC Endpoint: A VPC endpoint is a horizontally scaled, redundant, and highly
available virtual device that allows communication between EC2 instances in your
Virtual Private Cloud and other supported AWS services without introducing
availability risks or bandwidth constraints on your network traffic.

Creating VPC, subnet and route tables

Create VPC, subnet and route table

 Open your console, click on VPC and select the region in which you want to create
the VPC.
 Give the VPC a name, let's say myVPC in this case.
 To create the VPC click on Create VPC, give it a name and an IPv4 CIDR range of
10.0.0.0/16; leave tenancy at the default.
 Then click on Create VPC.

Next we will be creating two subnets, a public subnet and a private subnet. Go to the
Subnets section and click on Create subnet.

 This will ask you to select the VPC ID; select the VPC that you created previously.
 Give this subnet a name, let's say private subnet.
 In the subnet settings you can select the availability zone as US East (Ohio) and the
IPv4 CIDR range as (10.0.0.1/24).
 Then click on Create subnet.
 Next we will create a new subnet that will be the public subnet; select the same VPC
that you selected for the previous subnet.
 Give this subnet the name public subnet & select the IPv4 CIDR range as (10.0.0.1/24).
 Then click on Create subnet.

Next go to Route tables. A route table contains a set of routes; here we will create 2 new
route tables, one for the public subnet and the other for the private subnet.

We will be creating routes

 Give this route table a name (Public subnet route) and select the VPC that you created
before.
 Next create another route table (Private subnet route) and select the same VPC.
 As this is not yet connected to any subnet, let's connect it with a subnet: click on
the Public subnet route and below you will see Subnet associations; go to that.
 You can edit the subnet associations and select the public subnet from the options.
 Do the same steps for the Private subnet route.

Now the Private subnet route is connected to the private subnet and the Public subnet route
is connected with the public subnet.

Creating VPC, subnet and route tables Part 2

In the previous step we have

Internet gateway: It's a logical connection between an Amazon VPC

 To create an Internet gateway click on Create internet gateway and give it a name,
prepvpc. As of now it's not linked with any subnet or VPC.
 Click on the internet gateway that you have created and in the top right corner you
will see the Attach VPC option.
 Click on Attach VPC and select the public one.

Now, how do you control whether these subnets can communicate with the internet? This is
done by routes.

Select the public route table and you will see the Routes section; click on Edit routes (this
is the destination of the VPC).

Select the route destination 0.0.0.0/0 and in Target select the internet gateway (that you
have just created).

And this is how the subnet is connected to the internet gateway through the routes.

KMS Theory

There is a key on the server side that is used to encrypt the data and there is a decryption
key that is used by the client side to decrypt the data.

Amazon KMS provides a single view of all the AWS keys that are in use, creating centralized
encryption keys.

KMS manages the CMKs (customer master keys).

The encrypted data is sent to the CMK and is decrypted using the CMK. AWS also relies on
hardware security modules: if someone tries to tamper with them to get at the key material,
the data is deleted.

CMK is not a global service, so the key stays in the region where it was created.

To encrypt data, the CMK generates a data key and also an encrypted copy of that data key.
This is what you use when you have to encrypt a large number of files.

So suppose you have a data file and the data key that was generated by the CMK. The data
key and the file are fed to the encryption algorithm, which produces a cipher text: the
encrypted message.

And if you want to decrypt the message, you use the encrypted data key generated by the
CMK: the CMK decrypts it back into the plain data key, which then decrypts the message.
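
The envelope-encryption flow just described, as an added example that is not AWS code: a stand-in CMK that lives in one region and only wraps and unwraps data keys, a data key that encrypts the file, and an envelope that stores the ciphertext next to the wrapped data key. The cipher is a SHA-256 keystream with an HMAC tag, used only to keep the example dependency-free (KMS and the AWS SDKs use AES-GCM); the key ID and region are placeholders.

```python
import hashlib
import hmac
import os

# Added example, not AWS code: envelope encryption with an in-memory stand-in
# for a regional CMK. The cipher is a SHA-256 counter-mode keystream plus an
# HMAC tag so the example runs without extra libraries; KMS uses AES-GCM.
# All key material is generated at runtime; nothing here is a real key.

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (stand-in for AES): XOR data with SHA-256(key, counter)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def _seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, so tampering is detected before decryption."""
    nonce = os.urandom(16)
    body = _keystream_xor(key + nonce, plaintext)
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def _open(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext or wrapped key has been tampered with")
    return _keystream_xor(key + nonce, body)

class FakeCMK:
    """Stand-in CMK: regional, never hands out its master key, only wraps data keys."""

    def __init__(self, key_id: str, region: str):
        self.key_id, self.region = key_id, region
        self._master = os.urandom(32)  # stays inside the "service"

    def generate_data_key(self):
        """Like GenerateDataKey: returns (plaintext data key, encrypted data key)."""
        data_key = os.urandom(32)
        return data_key, _seal(self._master, data_key)

    def decrypt_data_key(self, wrapped: bytes, region: str) -> bytes:
        if region != self.region:
            raise ValueError(f"CMK {self.key_id} only exists in {self.region}")
        return _open(self._master, wrapped)

def encrypt_file(cmk: FakeCMK, plaintext: bytes) -> dict:
    """Encrypt with the data key; keep only its wrapped copy next to the data."""
    data_key, wrapped = cmk.generate_data_key()
    return {"key_id": cmk.key_id, "wrapped_key": wrapped,
            "ciphertext": _seal(data_key, plaintext)}

def decrypt_file(cmk: FakeCMK, envelope: dict, region: str) -> bytes:
    """Unwrap the data key with the CMK, then decrypt the data with it."""
    data_key = cmk.decrypt_data_key(envelope["wrapped_key"], region)
    return _open(data_key, envelope["ciphertext"])
```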

Creating VPC, subnet and route tables Part 3

Here we will discuss how to create an EC2 instance in the VPC that you have created.

Click on EC2 instances, select any AMI, let's say Amazon Linux 2 AMI, and click on Next.

In the instance settings select the VPC that you created before, and in Subnet select the
subnet that was created previously; select the public subnet and enable Auto-assign Public
IP.

Leave Add storage and Add tags at the defaults, and in step 6, Configure security group, add 2
more rules, HTTP and HTTPS, with port range 80 and 443 respectively. Next click on
Review and launch.
Create one more instance using the same steps, but this time select a different subnet, the
private one, and disable Auto-assign Public IP.

And this is how you can launch an instance in a public and a private subnet respectively.

Subnet
What is a subnet?
A subnet is a segmented piece of a larger network. It's a logical partition of an IP network into
multiple smaller IP ranges.

How does a subnet work?

Routers are used to connect subnets. The size of a subnet depends on the
connectivity requirements.

An IP address has 2 parts: the network prefix and the host ID.

The subnet mask is used to identify the part of the address that should be used as the
subnet ID; the subnet mask is applied to the full network address.

The division between network prefix and host ID depends on the IP address, that is, on
which class the IP belongs to.

Uses of subnets

 Reallocating IP addresses.
 Relieving network congestion
 Improving network security

There are two types of subnets, public subnets and private subnets

 Public subnet

Routes to 0.0.0.0/0 through the IGW (internet gateway)

 Private subnet

No internet, but can communicate with instances in the VPC

The traffic from a private subnet is routed through a NAT in the public subnet; you can also
restrict the route to 0.0.0.0/0 to make it a private subnet with no internet access.

Route Tables
A route table contains a set of rules, called routes. The route table controls the routing
of the subnets; a subnet can be associated with only one route table, but you can associate
multiple subnets with the same route table.

The internet gateway is always attached to the public subnets. Each of the subnets is
connected to a route table, a set of rules that the VPC needs to follow in order to
communicate with the outside world (the Internet).

An Internet gateway is a horizontally scaled, redundant and highly available VPC component that
allows communication between the VPC and the internet.
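
How the route table decides what a subnet is, as an added example (not from the original notes) covering both the public/private subnet definitions above and the route-table rules here: the VPC router picks the most specific matching route (longest-prefix match), and whether the 0.0.0.0/0 route points at an internet gateway, a NAT gateway, or nothing at all is what makes a subnet public, private, or isolated. The route tables and target IDs below are constructed.

```python
import ipaddress

# Added example, not from the original notes. A route table is modelled as a
# list of (destination CIDR, target) pairs; the target IDs follow the AWS
# prefixes (local, igw-, nat-, pcx- for peering) but are made up here.


def next_hop(routes: list, dst_ip: str) -> str:
    """Longest-prefix match, which is how the VPC router chooses a route:
    the most specific matching destination wins, not the first one listed."""
    ip = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, "blackhole"  # no match: the packet is dropped
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def default_route_target(routes: list):
    """Target of the 0.0.0.0/0 route, or None if the table has no default route."""
    for cidr, target in routes:
        if ipaddress.ip_network(cidr).prefixlen == 0:
            return target
    return None


def classify_subnet(routes: list) -> str:
    """'public' when the default route goes to an internet gateway, 'private'
    when it goes to a NAT gateway, 'isolated' when there is no default route."""
    target = default_route_target(routes)
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "other"  # e.g. a virtual private gateway; not covered by the notes


# Constructed route tables for the notes' 10.0.0.0/16 VPC, plus a peering route
# in the private table to show that it wins over the default route.
PUBLIC_ROUTES = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-EXAMPLE")]
PRIVATE_ROUTES = [("10.0.0.0/16", "local"), ("10.1.0.0/16", "pcx-EXAMPLE"),
                  ("0.0.0.0/0", "nat-EXAMPLE")]
ISOLATED_ROUTES = [("10.0.0.0/16", "local")]
```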

The internet gateway

IPv4 was brought into production within ARPANET. It was an early version of the
internet, in the 1980's. It is 32 bits, which can be expressed in dotted decimal notation.

IPv6 is a network layer protocol that allows communication to take place over the internet.
It was designed by the IETF (Internet Engineering Task Force).

NAT gateways Part 1
Network address translation (NAT)

We use NAT so that the instances in the private subnet can reach what is outside of the VPC.

When we create a NAT gateway it asks us to specify the connectivity type that we want; there
are 2 categories, public and private.

When you set up a NAT gateway, you choose one of the following connectivity types:

Public – (Default) Private subnet instances can connect to the internet via a public NAT
gateway, but they cannot receive unsolicited inbound connections from the internet. When
you create a public NAT gateway in a public subnet, you must assign it an elastic IP
address at the time of creation. You route traffic from the NAT gateway to the VPC's
internet gateway. You can also connect to other VPCs or your on-premises network using a
public NAT gateway. In this case, traffic is routed from the NAT gateway via a transit
gateway or a virtual private gateway.

Private NAT gateways allow instances in private subnets to connect to other VPCs or your
on-premises network. Traffic from the NAT gateway can be routed through a transit
gateway or a virtual private gateway. An elastic IP address cannot be linked to a private
NAT gateway. You can connect an internet gateway to a VPC via a private NAT gateway,
but routing traffic from the private NAT gateway to the internet gateway causes the internet
gateway to drop the traffic.

NAT gateways Part 2
To create a NAT gateway click on NAT gateways.

 Give this NAT gateway the name "MyNAT" and select the subnet as the public subnet that
you created previously.
 Next we will allocate an Elastic IP address so that it can communicate with the
internet.
 Now click on Create NAT gateway.

In the route table for the private subnet there is already a route; add one more route that
points to the NAT gateway that we have created, with destination 0.0.0.0/0.

The NAT gateway is linked to the subnets, and the route tables are also linked to the
subnets.

Security groups and Network ACL's

A security group acts as a virtual firewall; it operates at the instance level.

Each instance in a subnet in your VPC can be assigned to a different set of security
groups.

An instance in a security group can't communicate with another security group until and
unless you have added a rule for that particular port.

Network ACL: An access control list (ACL) contains rules that grant or deny access to
certain digital environments.

Security Group

 Operates at instance level.
 'Allow' rules only.
 Return traffic is allowed by default.
 Rules are evaluated all at once.
 Needs to be specified while launching an instance.

Network ACL

 Operates at subnet level.
 'Allow' and 'Deny' rules.
 Return traffic needs to be allowed.
 Rules are evaluated in order.
 Automatically applies to all instances in the subnet.
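
The two evaluation models compared above, as an added example (not from the original notes): a security group is stateful and allow-only, so every rule is considered together and return traffic passes automatically, while a network ACL is stateless and ordered, so the lowest-numbered matching rule decides and return traffic on ephemeral ports needs its own allow rule. The rule sets, addresses and ports are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not from the original notes: a simulator of the two rule
# evaluation models. Rule numbers matter only for network ACLs. The addresses
# below are constructed (documentation ranges).


@dataclass
class Rule:
    number: int      # NACL rule number; evaluated lowest first (ignored by SGs)
    action: str      # "allow" or "deny" (security groups can only "allow")
    protocol: str    # "tcp", "udp", "icmp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str


def _matches(rule: Rule, protocol: str, port: int, ip: str) -> bool:
    return (rule.protocol in ("-1", protocol)
            and rule.port_from <= port <= rule.port_to
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr))


def security_group_allows(rules, protocol, port, ip, is_return_traffic=False):
    """Stateful and allow-only: all rules are considered together, and the
    return half of a flow that was allowed in passes without its own rule."""
    if is_return_traffic:
        return True
    return any(r.action == "allow" and _matches(r, protocol, port, ip)
               for r in rules)


def nacl_allows(rules, protocol, port, ip):
    """Stateless and ordered: the lowest-numbered matching rule decides, and
    the implicit '*' rule at the end denies anything nothing else matched.
    Return traffic on ephemeral ports needs an explicit allow rule."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, protocol, port, ip):
            return r.action == "allow"
    return False


# Constructed rule sets: a web-server security group, and a NACL that blocks
# SSH from one documentation range before allowing it from everywhere else.
WEB_SG = [Rule(0, "allow", "tcp", 80, 80, "0.0.0.0/0"),
          Rule(0, "allow", "tcp", 443, 443, "0.0.0.0/0")]
SSH_NACL = [Rule(100, "deny", "tcp", 22, 22, "203.0.113.0/24"),
            Rule(200, "allow", "tcp", 22, 22, "0.0.0.0/0")]
```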

VPC Peering and VPN
Instances in different VPCs can communicate with each other as if they were in the same
network.

AWS uses the existing infrastructure of the VPCs.

A VPC peering connection is a networking connection that allows you to route traffic
between two VPCs using private IPv4 or IPv6 addresses. Instances in either VPC can
communicate as if they were in the same network. You can establish a VPC peering
connection between your own VPCs or with another AWS account's VPC. VPCs can be
located in various regions (also known as an inter-region VPC peering connection).

A VPC peering connection allows you to speed up data transfer. If you have more than one
AWS account, for example, you can peer the VPCs across those accounts to create a file
sharing network. A VPC peering connection can also be used to allow other VPCs to access
resources in one of your VPCs.

You can establish peering relationships between VPCs across different AWS Regions (also
called inter-Region VPC peering).

Direct Connect
AWS Direct Connect links your internal network to an AWS Direct Connect location over a
standard Ethernet fiber-optic cable. One end is connected to your router and the other
to the AWS Direct Connect router.

Components of Direct Connect

 Connections
 Virtual interfaces

There are two types of virtual interfaces: public virtual interfaces, which enable access to
public services like S3, and private virtual interfaces, which enable access to a VPC.

Cloud watch theory

Amazon EventBridge is a serverless event bus that makes it easier to build event-driven
applications at scale using events generated by your applications.

You can set up routing rules to determine where to send data, to build application
architectures that react in real time to the data sources.
It was previously known as CloudWatch Events.

Features of EventBridge

 Event-driven architecture
 SaaS connections
 Reduced operational overhead
 Less custom code

EventBridge reduces operational overhead: there is no additional software or servers
to provision, patch and manage.

It has built-in distributed availability and fault tolerance. You can represent events as
strongly typed objects in your code.

Eventbridge Part 1
In the AWS console search for CloudWatch; it's the same as EventBridge. We want to get
notifications as soon as any instance is launched or a stopped instance is started, so let's
create a new rule. As of now you won't see any rules, so let's create a new rule.

1. Give this rule a description.
2. Now we will create a new EC2 instance; leave the AMI, security and storage at the
defaults and click on Launch instance.
3. In EventBridge you can see there are different event types that you can select
from; here we will select EC2 Instance State-change Notification.
4. You also need to select the target to invoke when an event matches your event
pattern or when the schedule fires.
5. Here we will select SNS (Simple Notification Service), because we want to be
notified via email, SMS and so on.
6. Let's make a new SNS subscription: go to a new tab and search for SNS, go to
Subscriptions and click on Create subscription.
7. Name it instance-state-change; for protocol select the medium through which you
want the notification, here let's say Email; add the email and then click
on Create subscription. (You will receive a mail; you just need to confirm the
subscription once.)
8. Next go back to the EventBridge rule that you are creating and in the topic select
instance-state-change, the notification subscription that you created recently.
9. And then click on Create.
10. Now if you stop or start the instance again

Eventbridge Part 2
Go to the rule that you have created and edit it. In Select targets, where we selected
the type of notification, go to Configure input; you need to enter an input path and an
input template.
Type this in the input path (the EC2 event carries its fields under "detail", and the
names on the left must match the <...> placeholders in the template):

{
"state": "$.detail.state",
"instance": "$.detail.instance-id"
}

In the template type in:

"The ec2 instance has been altered, Having the instance id <instance> has been modified to
<state> state."

Next click on Save.

Now try to start the instance again and you will get an email again.
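
A local re-implementation of what the rule's input transformer does with that path and template, as an added example (not AWS code): it lets you check the pair against a sample event before saving the rule, and shows how a wrong path such as "$.details.state" silently selects nothing. The event below is a constructed EC2 state-change notification with a placeholder instance ID.

```python
import re

# Added example, not AWS code: applies an EventBridge-style input path and
# input template to an event locally. SAMPLE_EVENT is constructed; the
# instance ID is a placeholder.
SAMPLE_EVENT = {
    "version": "0",
    "id": "EXAMPLE-EVENT-ID",
    "detail-type": "EC2 Instance State-change Notification",
    "source": "aws.ec2",
    "region": "us-east-2",
    "detail": {"instance-id": "i-EXAMPLE", "state": "stopped"},
}

INPUT_PATH = {"state": "$.detail.state", "instance": "$.detail.instance-id"}
INPUT_TEMPLATE = ("The ec2 instance has been altered, Having the instance id "
                  "<instance> has been modified to <state> state.")


def resolve_path(event: dict, path: str):
    """Walk a dotted JSONPath such as '$.detail.instance-id'; None if absent."""
    if not path.startswith("$."):
        raise ValueError("input path must start with '$.'")
    node = event
    for part in path[2:].split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def transform(event: dict, input_path: dict, template: str) -> str:
    """Fill each <name> placeholder with the value its input path selects,
    refusing to emit a message when a path matched nothing in the event."""
    values = {name: resolve_path(event, p) for name, p in input_path.items()}
    missing = [name for name, value in values.items() if value is None]
    if missing:
        raise KeyError("input paths matched nothing: " + ", ".join(missing))
    return re.sub(r"<(\w+)>", lambda m: str(values[m.group(1)]), template)


if __name__ == "__main__":
    print(transform(SAMPLE_EVENT, INPUT_PATH, INPUT_TEMPLATE))
```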
