AWS Solutions architect 1 - AWS and SA Fundamentals

Architecture 101

Access Management

  1. Principal: a person or application that can make an authenticated or anonymous request to perform an action on a system
  2. Authentication: the process of authenticating a principal against an identity. This could be via username and password or API keys
  3. Identity: objects that require authentication and are authorized to access resources
  4. Authorization: the process of checking and allowing or denying access to a resource for an identity

Shared responsibility

Security model

  • Customer
    • Customer data
    • Platform, application, identity, access
    • Operating system, Network and Firewall configuration
    • Encryption and network protection
  • AWS
    • Software
      • Compute
      • Storage
      • Database
      • Network
    • Hardware / AWS Global Infrastructure
      • Regions
      • Availability zones
      • Edge locations

Service models

  • IaaS: Infrastructure as a Service
  • PaaS: Platform as a Service
  • SaaS: Software as a Service
  • FaaS: Function as a Service (just a single one -> AWS Lambda)

  Who manages each layer of the system stack, per service model:

  System stack / model   IaaS   PaaS   SaaS
  Data                   You    You    You
  Applications           You    You    AWS
  Runtime                You    AWS    AWS
  Operating system       You    AWS    AWS
  Virtualization         AWS    AWS    AWS
  Host / server          AWS    AWS    AWS
  Network storage        AWS    AWS    AWS
  Data center            AWS    AWS    AWS

Availability

  • High availability: hardware, software and configuration that allow a system to recover quickly in the event of a failure -> recovery implies some downtime
graph LR

A[Users]
B[Instance - ok]
C[Instance - ko]
D[Recovery - ok]

A --> B;
B --> C;
C --> D;
A --> D;
  • Fault tolerance: system designed to operate through a failure with no user impact -> Expensive, no downtime
graph LR

A[Users]
B[load balancer]
C[Instance - ok]
D[Instance - ko]
E[Instance - ok]

A --> B
B --> C
B --> D
B --> E

RPO vs. RTO

  • Recovery Point Objective (RPO): how much data loss a business can tolerate, expressed in time. The maximum time between the last successful backup and a failure
  • Recovery Time Objective (RTO): the maximum amount of time a system can be down. How long a solution takes to recover
graph LR

A[Backup]
B[Disaster event]
C[Recovery]

A -- RPO --> B;
B -- RTO --> C;

Scaling

  • Vertical scaling: (a bigger machine) achievable by adding additional resources, in the form of CPU or memory, to extend a machine so it can serve additional customers or be faster
    • eventually, maximum machine sizes will constrain your ability to scale (technically or by cost -> exponential cost increase)
  • Horizontal scaling: (parallel systems) adding additional machines into a pool of resources
    • does not suffer the limitations of vertical scaling, but needs application support to scale effectively

Tiered application design

  • Architectural application tiers (if all code is mixed -> monolithic)
    • Presentation tier: interacts with the consumer
    • Logic tier: delivers functionality
    • Data tier: controls interactions with the DB
  • Tier
    • Isolated component
    • Independent performance -> may be provisioned on separate machines

Encryption

  • types
    • symmetrical: the same key is used to encrypt and decrypt
    • asymmetrical: different keys are used to encrypt and decrypt (public and private)
echo "Cats are Amazing" > hiddenmessage.txt

## symmetrical encryption
# encrypt: gpg prompts for a passphrase and writes hiddenmessage.txt.gpg
gpg -c hiddenmessage.txt
cat hiddenmessage.txt.gpg
# clear the passphrase cached by gpg-agent, so the next step prompts again
echo RELOADAGENT | gpg-connect-agent
# decrypt: gpg recognises the .gpg file and asks for the same passphrase
gpg -o output.txt hiddenmessage.txt.gpg
# clean up
rm hiddenmessage.txt.gpg
rm output.txt

## asymmetrical encryption
# generate a key pair (interactive: name, e-mail, passphrase); 'User' below must match the name given here
gpg --gen-key
# export the public key (shareable) and the private key (keep secret)
gpg --armor --output pubkey.txt --export 'User'
gpg --armor --output privkey.asc --export-secret-keys 'User'
# encrypt with the recipient's public key
gpg --encrypt --recipient 'User' hiddenmessage.txt
# decrypt with the matching private key
gpg --output decrypted.txt --decrypt hiddenmessage.txt.gpg

Architecture odds and ends

  • Cost efficient / cost effective: implementing a solution within AWS using products or features that provide the required service for as little initial and ongoing cost as possible. Using your funds effectively and knowing whether product X is better or worse than product Y for a given solution.
  • Secure: in a systems architecture context, implementing a given solution so that it secures data and operations as much as possible from internal or external attack.
  • Application session state: data that represents what a customer is doing, what they have chosen, or what they have configured.
  • Undifferentiated heavy lifting: a part of an application, system or platform that is not specific to your business. Allowing a vendor (AWS) to handle that part frees your staff to work on adding direct value to your customers.

AWS Architecture 101

AWS accounts

  • Authentication domain
    • AWS accounts are isolated
    • Creating an account creates the root user for that account -> initially the only identity that can authenticate to the account
    • Account credentials leaked -> impact is limited to that account
  • Authorization
    • Controlled on a per-account basis
    • Root = full control
    • Additional identities can be created, and external identities may be granted access
    • Unless defined otherwise, only root can access a service/resource
  • Billing
    • Accounts can be linked to allow consolidated billing, where a master account is charged for all member accounts' usage
    • Every AWS account has its own isolated billing information -> default: attached credit card, can be changed to term invoice

AWS physical and networking layer

Terms

  • Region: has at least 2 Availability Zones (isolated networks)
    • AZs are connected with redundant, high-speed, low-latency network connections
    • Edge locations: small pockets of AWS compute, storage and networking close to major populations, generally used for edge computing and content delivery
    • Points of Presence: Edge Locations that, by being closer to remote users, provide better performance for them

Well-architected framework

  • Security: ability to protect information, systems and assets
    • implement a strong identity foundation
    • enable traceability
    • apply security at all layers
    • automate security best practices
    • protect data in transit and at rest
    • prepare for security events
  • Reliability: ability to recover from infrastructure disruptions, dynamically acquire computing resources to meet demand and mitigate those disruptions
    • test recovery procedures
    • automatically recover from failure
    • scale horizontally to increase aggregate system availability
    • stop guessing capacity
    • manage change in automation
  • Performance efficiency: ability to use computing resources efficiently to meet system requirements and to maintain that efficiency as demand changes and technology evolves
    • democratize advanced technologies
    • go global in minutes
    • experiment more often
    • mechanical sympathy
  • Operational excellence: ability to run and monitor systems to deliver business value and to continually improve supporting processes and procedures
    • perform operations as code
    • annotate documentation
    • make frequent, small, reversible changes
    • refine operations procedures frequently
    • anticipate failure
    • learn from all operational failures
  • Cost optimization: ability to avoid or eliminate unneeded cost or suboptimal resources
    • adopt a consumption model
    • measure efficiently
    • stop spending money on data center operations
    • analyse and attribute expenditure
    • use managed services to reduce cost of ownership

More info at AWS well-architected framework

Elasticity

  • Vertical scaling: increase the size of servers
  • Horizontal scaling: increase the number of servers
  • Elastic: automation and horizontal scaling are used in conjunction to match capacity with demand
    • demand is rarely linear: it can increase and decrease -> an efficient platform should scale OUT and IN

AWS product fundamentals

Introduction to S3

  • S3 (Simple Storage Service): global object storage
  • Region -> Bucket -> Object
  • Object
    • similar to a file
    • has a key (name) and a value (data)
    • the key is unique within its bucket
    • object size: 0 bytes (an empty object is allowed) to 5TB
  • Bucket
    • has a unique name
      • 3-63 characters
      • starts with a lowercase letter or number, can't look like an IP address
    • default: 100 buckets per account, hard limit = 1000
    • unlimited objects in a bucket
    • unlimited total capacity for a bucket
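The bucket naming rules listed above, as a small validator. This is an added example, not course material: it checks the rules the notes state (length 3-63, leading lowercase letter or number, not shaped like an IP address) and also the allowed-character and last-character rules from AWS's bucket naming documentation, which the notes do not list. The candidate names are constructed samples, one per rule.

```python
import re
import string
from typing import Dict, List

# Rules from the notes above: 3-63 characters, first character a lowercase letter
# or a number, and not formatted like an IP address.  The allowed-character set
# (lowercase letters, numbers, dots, hyphens) and the last-character rule come
# from AWS's bucket naming documentation and go beyond what the notes list.
_LEADING = set(string.ascii_lowercase + string.digits)
_ALLOWED = re.compile(r"^[a-z0-9][a-z0-9.-]*[a-z0-9]$")
_IPV4_LIKE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def bucket_name_problems(name: str) -> List[str]:
    """Return every naming rule the candidate violates; an empty list means acceptable."""
    problems: List[str] = []
    if not 3 <= len(name) <= 63:
        problems.append("length must be between 3 and 63 characters")
    if not name or name[0] not in _LEADING:
        problems.append("must start with a lowercase letter or a number")
    if name and not _ALLOWED.match(name):
        problems.append("only lowercase letters, numbers, dots and hyphens, "
                        "and the last character must be a letter or number")
    if _IPV4_LIKE.match(name):
        problems.append("must not be formatted like an IP address")
    return problems


def is_valid_bucket_name(name: str) -> bool:
    return not bucket_name_problems(name)


# Constructed sample candidates, chosen so that each rule is hit once.
SAMPLE_NAMES = [
    "my-bucket",        # acceptable
    "MyBucket",         # uppercase letters
    "ab",               # too short
    "192.168.0.1",      # shaped like an IPv4 address
    "-leading-hyphen",  # bad first character
    "trailing-dot.",    # bad last character
]


def check_all(names: List[str]) -> Dict[str, List[str]]:
    """Map each candidate to its list of problems, e.g. to vet names before a CreateBucket call."""
    return {n: bucket_name_problems(n) for n in names}


if __name__ == "__main__":
    for name, probs in check_all(SAMPLE_NAMES).items():
        print(f"{name!r}: {'ok' if not probs else '; '.join(probs)}")
```

Running the module prints one line per sample; `bucket_name_problems` reports all violations at once rather than stopping at the first, which is more useful when the check runs in a deployment pipeline.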

Introduction to CloudFormation

  • CloudFormation (CFN): IaC product, to create, manage and remove infrastructure via JSON or YAML

  • Template -> Stack -> Physical objects

    • Template: contains logical resources and configuration
    • Stack: created and modified based on a template, which can be changed and used to update the stack
    • Physical object: stacks take logical resources from a template and create, update or delete the physical resources in AWS
  • CFN is effective if you frequently deploy the same infrastructure or require guaranteed consistent configuration

  • Template format

    ---
    # "2010-09-09" is the only format version CloudFormation accepts
    AWSTemplateFormatVersion: "2010-09-09"

    Description:
      this template does XXXX

    Metadata:
      template metadata

    Parameters:
      set of parameters

    Mappings:
      set of mappings

    Conditions:
      set of conditions

    Transform:
      set of transforms

    Resources:
      set of resources

    Outputs:
      set of outputs

  • Resource format

    {
      "Resources": {
        "demoBucket": {
          "Type": "AWS::S3::Bucket"
        }
      }
    }
  • Facts

    • Template: max=200 resources
    • Stack deleted -> resources deleted
    • Stack update -> upload a new template
    • New logical resources -> new physical resources
    • Removed logical resource -> deleted physical resource
    • Changed logical resources -> physical resources are updated (with some disruption) or replaced
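The template and resource formats above combined into one complete, deployable template. This is an added example, not course material: it declares the demoBucket-style logical resource with the settings a reviewer would expect on a new bucket (encryption at rest, versioning, public access blocked), takes the bucket name as a parameter, and exports the values a dependent stack would need. The parameter default is a constructed placeholder and must be replaced with a globally unique name.

```yaml
---
AWSTemplateFormatVersion: "2010-09-09"

Description: >
  Added example (not course material): one logical resource, an S3 bucket
  with encryption at rest, versioning and public access blocked, plus the
  outputs a dependent stack would reference.

Parameters:
  BucketName:
    Type: String
    Description: Bucket name (constructed placeholder; replace with a globally unique name)
    Default: example-sa-notes-bucket-placeholder
    # same naming rules as in the S3 notes: 3-63 chars, lowercase, starts/ends with letter or number
    AllowedPattern: "^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$"

Resources:
  DemoBucket:
    Type: AWS::S3::Bucket
    # Keep the physical bucket (and its data) when the stack is deleted;
    # the default policy deletes it along with the stack.
    DeletionPolicy: Retain
    Properties:
      BucketName: !Ref BucketName
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

Outputs:
  BucketArn:
    Description: ARN of the bucket created by this stack
    Value: !GetAtt DemoBucket.Arn
  BucketNameOut:
    Description: Physical name of the bucket
    Value: !Ref DemoBucket
```

Changing a property such as `VersioningConfiguration` and re-uploading the template updates the physical bucket in place; changing `BucketName`, by contrast, forces a replacement, which is the "update with some disruption or replace" case from the Facts list.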