AWS SAA summary-Exam 04

10 HA
10.1 Load balancers

There are three different types of load balancer on AWS:

· Application Load Balancers -> ALB, best suited to load balancing HTTP and HTTPS traffic; works at layer 7, the application layer. You can create advanced request routing that sends specific requests to designated web servers. ALBs are redundant across at least two subnets.

· Network Load Balancers -> NLB, best suited to load balancing TCP traffic where extreme performance is required; works at layer 4. An NLB can handle millions of requests per second while maintaining ultra-low latency. Network load balancers can handle extremely high request loads.

· Classic Load Balancers -> ELB, the legacy elastic load balancer. It can balance HTTP/HTTPS traffic at the application layer with features such as X-Forwarded-For and sticky sessions, and for applications that rely purely on TCP it can also be used for strict layer 4 load balancing.

An ALB offers SSL termination and makes the SSL offload process very simple through tight integration with SSL processes. While an ELB will handle SSL termination, it does not offer the management features that ALBs do.

ALBs offer the most flexibility in routing and load distribution.

Classic load balancers support both IPv4 and IPv6. They support HTTP/1 and HTTP/1.1, but only application load balancers support HTTP/2. Further, you must register individual instances, rather than target groups, with classic load balancers; registering target groups is a functionality only available with application load balancers.

If your application stops responding, the ELB returns a 504 error. This means the application has a problem, which may be with the web server or with the database. Identify the failure point of the failing application and, where possible, scale it out or up.

· Instances monitored by an ELB report as InService or OutOfService

· Health checks verify instance health by interacting with the instance

· Load balancers have their own DNS name; you are never given an IP address

Figure 42 No Cross AZ LB

Figure 43 Cross AZ LB

Figure 44 Cross AZ LB1

Advanced load balancer theory:

· An ELB routes each request independently to the registered EC2 instance with the smallest load

· Cross-zone load balancing lets you balance load across multiple Availability Zones

· Path patterns let you direct traffic to different EC2 instances based on the URL contained in the request

Figure 45 Path pattern

· Sticky sessions let you bind a user's session to a specific EC2 instance. This ensures that all requests from the user during the session are sent to the same instance

· You can also enable sticky sessions for an ALB, but the traffic is sent at the target group level

Figure 46 sticky session

ELB

· Pre-Warming

· Connection Draining

· Client-Side SSL certificates

· Server Order Preference

· Cross-Zone

· SSL termination

· ELB HTTPS listener does not support Client-Side SSL certificates

10.2 Auto scaling group

With AWS Auto Scaling you can configure automatic scaling for the AWS resources that make up your application in minutes. The AWS Auto Scaling console provides a single user interface for managing the automatic scaling features of multiple AWS services. You can configure automatic scaling for a single resource or for an entire application.

AWS Auto Scaling is useful for applications whose traffic varies daily or weekly, including:

· Cyclical traffic, such as high resource utilization during business hours and low utilization overnight

· On-and-off workload patterns, such as batch processing, testing, or periodic analysis

· Variable traffic patterns, such as marketing campaigns with spikes in growth

For auto scaling, the user wants every scaling action to follow defined rules: for example, when CPU, memory or disk utilization crosses a threshold for a given period, automatically launch or terminate a certain number of instances and run health checks on them. The new instances provide the same service as the existing instances, improving system performance.

Create an ASG launch configuration. This is effectively a template for the instances that will be launched later, so you configure the instance according to your business requirements.

Figure 47 Create launch configuration

Create the Auto Scaling group (ASG). Here you specify an existing launch configuration, the VPC and the subnets (AZs). For high availability, specify several AZs.

Figure 48 Create ASG

Then set the scaling policy, including the group size range, instance counts, scaling metrics and so on.

Figure 49 Config ASG

The actual result after configuration:

Figure 50 ASG example

Exam tips:

· When creating an Auto Scaling group, you can specify the minimum and maximum size as well as a desired capacity and scaling policy. You cannot specify how many instances to add at once, nor the desired cost.

· While you can specify triggers that are used to grow or shrink the group, you can not specify a memory allocation or a minimum processing threshold (neither is an actual AWS term).

· A launch configuration contains an AMI ID, key pair, instance type, security groups, and possibly a block device mapping.

· A launch configuration needs a single AMI ID to use for all instances it launches.

· There are a number of valid scaling policies for Auto Scaling: Maintain current instance levels, manual scaling, schedule-based scaling, and demand-based scaling

- You can choose to maintain the current instance level at all times. This essentially ensures that no instances are added unless an instance fails its health checks and needs to be restarted or replaced.

- Demand-based scaling allows you to specify parameters to control scaling. One of those parameters can be CPU utilization, so this is the policy you'd use for this use case.

- Schedule-based scaling allows you to specify a particular time period during which resources should scale up or down.

- Manual scaling allows you to specify a minimum and maximum number of instances as well as a desired capacity. The Auto Scaling policy then handles maintaining that capacity.

Auto Scaling

· Scheduled scaling actions cannot overlap

· When multiple policies are triggered at the same time, the one with the greatest impact is chosen

· Cooldown period

· Termination policy

10.3 API gateway

With a few clicks in the AWS Management Console, you can create an API that acts as a "front door" for applications to access data, business logic or functionality from your back-end services, such as applications running on AWS EC2, code running on AWS Lambda, or any web application.

API Gateway features:

· Expose HTTPS endpoints to define a RESTful API

· Serverlessly connect to services like Lambda and DynamoDB

· Send each API endpoint to a different target

· Runs efficiently at low cost

· Scales effortlessly

· Track and control usage with API keys

· Throttle requests to prevent attacks

· Connect to CloudWatch to log all requests for monitoring

· Maintain multiple versions of your API

How to configure API Gateway:

· Define the API (container)

· Define resources and nested resources (URL paths)

· For each resource:

- Select the supported HTTP methods

- Set security

- Choose the target, such as EC2, Lambda or DynamoDB

- Set request and response transformations

Same origin policy

In computing, the same-origin policy is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin. This is done to prevent cross-site scripting attacks.

· Enforced by web browsers

· Ignored by tools like Postman and curl

CORS (Cross-Origin Resource Sharing) is a way for the server at the other end (not the client code in the browser) to relax the same-origin policy. Cross-origin resource sharing is a mechanism that allows restricted resources on a web page, such as fonts, to be requested from a domain other than the domain that served the first resource.
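As an added example that is not part of these notes, here is the server-side half of CORS in Python: the origin allowlist, the request shapes and the header values are constructed for the demo, and a backend behind API Gateway has to make the same decision before a browser will let the calling page read the response.

```python
# Added example (not from the original notes): a minimal server-side CORS
# decision. The allowlist and request dicts below are constructed for the demo.
from typing import Optional

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}  # assumption
ALLOWED_METHODS = {"GET", "POST", "OPTIONS"}
ALLOWED_HEADERS = {"content-type", "authorization"}


def cors_headers(request: dict) -> Optional[dict]:
    """Return the CORS response headers for a cross-origin request.

    request (constructed shape): {"method": str, "headers": {name: value}}.
    Returns None when the response must go out without CORS headers, which
    makes the browser block it under the same-origin policy. A request with
    no Origin header (same-origin page, curl, Postman) also gets None: the
    browser is the only party that enforces any of this.
    """
    headers = {k.lower(): v for k, v in request["headers"].items()}
    origin = headers.get("origin")
    # Match exact origins from an allowlist. Never echo an arbitrary Origin
    # back, and never combine "*" with Access-Control-Allow-Credentials.
    if origin not in ALLOWED_ORIGINS:
        return None
    response = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Caches must key on Origin, or one origin's answer is served to another.
        "Vary": "Origin",
    }
    if request["method"] == "OPTIONS" and "access-control-request-method" in headers:
        # Preflight: validate the method and headers the browser intends to use.
        wanted_method = headers["access-control-request-method"].upper()
        raw = headers.get("access-control-request-headers", "")
        wanted_headers = {h.strip().lower() for h in raw.split(",") if h.strip()}
        if wanted_method not in ALLOWED_METHODS or not wanted_headers <= ALLOWED_HEADERS:
            return None
        response["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        response["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_HEADERS))
        response["Access-Control-Max-Age"] = "600"  # let the browser cache the preflight
    return response
```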

API Gateway exam tips:

· Remember what API Gateway is at a high level

· API Gateway has caching to improve performance

· Low cost and scales automatically

· Throttles requests to prevent attacks

· Can log results to CloudWatch

· If you use JavaScript/AJAX that uses multiple domains with API Gateway, make sure you have enabled CORS

· CORS is enforced by the client

10.4 HA—High Availability

HA (high availability) is designed for failover and disaster recovery. Where possible, deploy your application across different AZs, or even different regions. A typical HA design uses at least three AZs, so that if one AZ fails the application can still serve users normally.

Remember the following points:

· HA is always designed for failure

· Use multiple AZs and multiple regions wherever possible

· Know the difference between RDS Multi-AZ and read replicas

- Multi-AZ: for failover and disaster recovery

- Read replicas: to improve read performance

· Know the difference between scaling out and scaling up

- Scaling out (horizontal): add machines of the same configuration, so compute capacity and bandwidth grow together

- Scaling up (vertical): increase the configuration of the machine itself, such as CPU and memory; the network may become the bottleneck

Figure 51 HA architecture

11 CloudFormation, Elastic Beanstalk and Lambda
11.1 CloudFormation

Benefits of CloudFormation:

· Infrastructure as code

- No resources are created manually, which is excellent for control

- The code can be version-controlled with git

- Changes to the infrastructure are reviewed through code

· Cost

- Each resource in a stack is tagged with an identifier, so you can easily see how much a stack costs

- You can estimate the cost of your resources from the CloudFormation template

- Savings strategy: in development, you can automatically delete the stack at 5 pm and safely re-create it at 8 am

· Productivity

- Ability to destroy and re-create an infrastructure on the cloud

- Automatically generates a diagram for your template

- Declarative programming: no need to figure out ordering and orchestration

· Separation of concerns: create many stacks for many apps and layers

- VPC stacks

- Network stacks

- App stacks

· Don't re-invent the wheel

- Leverage existing templates on the web

- Leverage the documentation

How CloudFormation works:

· Templates must be uploaded to S3 and then referenced in CloudFormation

· To update a template, we cannot edit the previous version; we must upload a new version of the template to AWS

· Stacks are identified by name

· Deleting a stack deletes every component that was created by CloudFormation

· Deploying CloudFormation templates

- Manually

- Edit the template in CloudFormation Designer

- Enter the parameters using the console

- Automatically

- Edit the template in a YAML file

- Deploy the template using the AWS CLI

- Recommended when you want your flow to be fully automated

· CloudFormation building blocks

- Template components

- Resources: the AWS resources declared in the template (mandatory)

- Parameters: dynamic inputs for the template

- Mappings: static variables for the template

- Outputs: references to what has been created

- Conditions: conditions for creating resources

- Metadata

- Template helpers

- References

- Functions

CloudFormation allows you to automate provisioning and, in this case, to create standardized JSON scripts that can be lightly modified to stand up entire stacks for multiple applications that share a common structure.

By default, CloudFormation ensures all-or-nothing deployment. If there is an error at any step and CloudFormation is not able to proceed, it removes all AWS resources in the stack that were created by CloudFormation.

11.2 Elastic Beanstalk

AWS Elastic Beanstalk makes it easier for developers to quickly deploy and manage applications in the AWS Cloud. Developers simply upload their application, and Elastic Beanstalk automatically handles the deployment details of capacity provisioning, load balancing, Auto Scaling, and application health monitoring.

Elastic Beanstalk supports applications developed in Go, Java, .NET, Node.js, PHP, Python and Ruby. When you deploy your application, Elastic Beanstalk builds the selected supported platform version and provisions one or more AWS resources, such as Amazon EC2 instances, to run your application. You can interact with Elastic Beanstalk using the Elastic Beanstalk console, the AWS Command Line Interface (AWS CLI), or eb, a high-level CLI designed specifically for Elastic Beanstalk.

Figure 52 Elastic Beanstalk work flow

What is the difference between AWS CloudFormation and AWS Elastic Beanstalk?

These services are designed to complement each other. AWS Elastic Beanstalk provides an environment to easily deploy and run applications in the cloud. It integrates with developer tools and provides a one-stop experience for managing the application lifecycle. AWS CloudFormation is a convenient provisioning mechanism for a broad range of AWS and third-party resources. It supports the infrastructure needs of many different types of applications, such as existing enterprise applications, legacy applications, applications built using a variety of AWS resources, and container-based solutions (including those built using AWS Elastic Beanstalk).

AWS CloudFormation supports Elastic Beanstalk application environments as one of the AWS resource types. This allows you, for example, to create and manage an AWS Elastic Beanstalk-hosted application along with an RDS database to store the application data. In addition to RDS instances, any other supported AWS resource can be added to the group as well.

Exam tips:

- Elastic Beanstalk is focused on code deployment. It provides that, and in the process, load balancing, Auto Scaling, health monitoring, and capacity provisioning

- Elastic Beanstalk is an Amazon service that spins up and manages a number of other services, in particular, compute. Even though you can configure other services, though, Beanstalk is considered to primarily be a code deployment tool and therefore is focused on compute services.

- Elastic Beanstalk can deploy your code and handle capacity provisioning, load balancing, and setting up Auto Scaling and health checks, all with very little oversight. Note that you’d still need personnel to keep an application like this running, but Elastic Beanstalk can reduce initial resources needed for application deployment.

- Deployment policies:

- All at once: deploys the new version to all instances simultaneously. Instances are out of service for a short period.

- Rolling: updates a batch of instances at a time. Each batch is taken out of service, and available capacity is reduced by the number of instances in the batch.

- Rolling with additional batch: launches an additional batch of instances to maintain full capacity during the deployment. It deploys the version in batches.

- Immutable: deploys the new version to a fresh set of instances.

11.3 Lambda

Lambda basics

Lambda is the ultimate abstraction layer:

· Data centers

· Hardware

· Assembly code / protocols

· High-level languages

· Operating systems

· Application layer / AWS APIs

· AWS Lambda

You can use Lambda in the following ways:

· As an event-driven compute service, where AWS runs your code in response to events. These events can be changes to data in an Amazon S3 bucket or an Amazon DynamoDB table

· As a compute service that runs your code in response to HTTP requests made through API Gateway or API calls made using the AWS SDKs.

Figure 53 Lambda classic

Traditional vs serverless architecture

Figure 54 Traditional vs serverless

Lambda exam tips:

· Lambda scales out automatically, not up

· Lambda functions are independent: one event = one function

· Lambda is serverless

· Lambda functions can trigger other Lambda functions, which means one event can equal multiple functions

· Lambda architectures can get extremely complicated; AWS X-Ray lets you debug what is happening

· Lambda can do things globally; you can use it to back up an S3 bucket to another S3 bucket

· Know your triggers

· By default, Lambda allows 1000 concurrent executions across all functions within a region. You can increase this limit by contacting support.

· By default, Lambda allows outbound calls to internet

· With Lambda, you have to choose amount of memory needed to execute your function. Based on the memory configuration, proportional CPU capacity is allocated.

· Lambda supports versioning, and you can maintain one or more versions of your Lambda function. Each Lambda function has a unique ARN. Lambda also supports an alias for each of your functions. A Lambda alias is a pointer to a specific Lambda function version. Aliases enable you to promote new Lambda function versions to production, and if you need to roll back a function, you can simply update the alias to point to the desired version. The event source needs to use the alias ARN to invoke the Lambda function.

Serverless website example

Figure 55 Serverless website example

12 Monitoring

13 Other services
13.1 AWS Organizations

· Global service

· Allows you to manage multiple AWS accounts

· The main account is the master account; you cannot change it

· The other accounts are member accounts

· A member account can be part of only one organization

· Consolidated billing across all accounts -> a single payment method

· Pricing benefits from aggregated usage (volume discounts)

· The API can be used to automate AWS account creation

OU & Service control policies (SCPs)

· Organization accounts are placed in organizational units (OUs)

- Can be anything: dev/test/prod or finance/HR/IT

- OUs can be nested

· Apply SCPs to OUs

- Allow/deny access to AWS services

- SCP syntax is similar to IAM

- It acts as a filter on top of IAM

· Helps create sandbox accounts

· Helps separate development and production resources

· Helps allow only approved services

Figure 56 OU nest

13.2 AWS WorkSpaces

· Managed, secure cloud desktops

· Largely eliminates the management of on-premises VDI (Virtual Desktop Infrastructure)

· On-demand, pay as you go

· Secure, encrypted, network isolated

· Integrates with Microsoft Active Directory

Figure 57 WorkSpaces

13.3 AWS AppSync

· Store and sync data across mobile and web applications in real time

· Uses GraphQL (a mobile technology from Facebook)

· Client code can be generated automatically

· Real-time subscriptions

· Integrates with DynamoDB / Lambda

· Offline data synchronization (replaces Cognito Sync)

· Fine-grained security

13.4 AWS Single Sign On (SSO)

· Centrally manage single sign-on across multiple AWS accounts and business applications (Office 365, Salesforce, Box)

· One login gives you secure access to everything

· Integrates with Microsoft Active Directory

· Helps reduce the effort for a company to set up SSO

· Only helps web browser and SAML 2.0-enabled applications

13.5 ECS -> Elastic Container Service
13.5.1 ECS concept

ECS Cluster: a set of EC2 instances

ECS Service: the definition of an application running on an ECS cluster

ECS task + task definition: the containers that run to make up the application

ECS IAM roles: roles assigned to tasks for interacting with AWS

Figure 58 ECS cluster

· ECS is a container orchestration service

· ECS helps you run Docker containers on EC2 instances

· ECS is fairly complex and consists of:

- ECS core: run ECS on EC2 instances that you provide

- Fargate: run ECS tasks on compute provided by AWS (serverless)

- EKS: run on AWS-powered Kubernetes (running on EC2)

- ECR: a Docker container registry hosted by AWS

· ECS and Docker are both very popular for microservices

· Currently only ECS core and ECR are in scope for the exam

· IAM and roles are at the ECS task level

· ECS Scheduler is responsible for placing the tasks on container instances. Service is where you configure long running tasks and how many containers you need.

· For each task copy, containers that are defined as part of a single task definition are placed together.

13.5.2 Docker

· Docker is a container technology

· Run containerized applications on any machine with Docker installed

· Containers let our applications run the same way anywhere

· Containers are isolated from one another

· You can control the CPU and memory allocated to a container

· Can enforce network rule restrictions

· More efficient than virtual machines

· Containers can scale very quickly (in seconds)

AWS ECS use cases

· Run microservices

- Can run multiple Docker containers on the same machine

- Easy to implement service recovery, which enhances communication between services

- Direct integration with ALB

- Auto scaling

· Run batch processing / scheduled tasks

- Schedule ECS containers to run on On-Demand / Reserved / Spot instances

· Migrate applications to the cloud

- Dockerize (containerize) legacy applications running on premises

- Move the Docker containers to run on ECS

13.5.3 AWS ECS integration with ALB:

· ALB has a direct integration feature with ECS called "port mapping"

· This allows multiple instances of the same application on the same EC2 machine

· Use cases

- Increased resilience, even when running on a single EC2 instance

- Maximize utilization of CPU / cores

- Ability to perform upgrades and rollbacks without impacting the running application

Figure 59 ECS-ALB

ECS setup & config file

Run EC2 instances, then install the ECS agent and its configuration file

Or use an ECS-ready AMI; you still need to modify the configuration file

ECS configuration file: /etc/ecs/ecs.config

13.5.4 ECR -> Elastic Container Registry

· Store, manage and deploy your containers on AWS

· Fully integrated with IAM & ECS

· Encrypted in transit (HTTPS) and at rest

Figure 60 ECR workflow

13.6 Amazon EMR

· EMR -> Elastic MapReduce

· EMR helps create Hadoop clusters (big data) to analyze and process large amounts of data

· Clusters can be made up of hundreds of EC2 instances

· Supports Apache Spark, HBase, Presto, Flink, ...

· EMR takes care of all provisioning and configuration

· Auto scaling and integration with Spot instances

· Use cases: data processing, machine learning, web indexing, big data

13.7 AWS Step Function

· Build serverless visual workflows to orchestrate your Lambda functions

· Represents the flow as a JSON state machine

· Features: sequencing, parallelism, conditions, timeouts, error handling, ...

· Can integrate with EC2, ECS, on-premises servers and API Gateway

· Maximum execution time is 1 year

· Ability to implement human approval features

· Use cases

- Order fulfillment

- Data processing

- Web applications

- Any workflow

Figure 61 Step function

13.8 AWS SWF – Simple workflow service

SWF is a web service that makes it easy to coordinate work across distributed application components. SWF supports a range of applications, including media processing, web application back ends, business process workflows and analytics pipelines, designed as a coordination of tasks. Tasks represent the various processing steps in an application and can be performed by executable code, web service calls, human actions and scripts.

· Coordinates work between applications

· Code runs on EC2 (not serverless)

· Maximum run time is 1 year

· "Activity steps" and "Decision steps"

· Has human intervention steps

· Delivery from the web to the warehouse runs as an ordered sequence

· For new applications, Step Functions are recommended, except:

- If you need external signals to intervene in the process

- If you need child processes that return values to the parent process

SWF Actors

· Workflow starters: an application that can initiate (start) a workflow, such as an e-commerce website placing an order or a mobile app searching for bus times

· Deciders: control the flow of activity tasks in a workflow execution. If a task in the workflow has finished or failed, the decider decides what to do next

· Activity workers: carry out the activity tasks

Exam tips:

· SWF provides an API, but it is neither the AWS-specific API nor language specific. Instead, SWF supports standard HTTP requests and responses.

· SWF is typically thought of as an asynchronous service, but it also supports synchronous tasking when needed.

· A SWF domain is a collection of related workflows.

13.9 SQS -> Simple Queue Service

· SQS is pull-based, not push-based

· Messages are up to 256 KB in size

· Messages can be kept in the queue from 1 minute to 14 days; the default retention period is 4 days

· The visibility timeout is the amount of time a message is invisible in SQS after a reader picks it up. If the job is processed before the visibility timeout expires, the message is deleted from the queue. If the job is not processed within that time, the message becomes visible again and another reader will process it. This can result in the same message being delivered twice

· The visibility timeout maximum is 12 hours

· SQS guarantees that your messages will be processed at least once

· SQS long polling is a way to retrieve messages from SQS. Regular short polling returns immediately, even if the queue being polled is empty, whereas long polling does not return a response until a message arrives in the queue or the long poll times out

· SQS queues only make an "attempt" to deliver messages in order (more or less a FIFO approach) but do not guarantee FIFO. If strict FIFO is needed, that option can be selected.
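The visibility-timeout behaviour described above, as an added example that is not part of the original notes: an in-memory queue model in Python with a constructed consumer that crashes before deleting its message, showing the duplicate delivery and the idempotency check that makes it harmless.

```python
# Added example (not from the original notes): a tiny model of SQS visibility
# timeout and at-least-once delivery. Time is a plain number of seconds passed
# in by the caller, so the scenario is deterministic.
import uuid


class VisibilityQueue:
    """Messages become invisible for `visibility_timeout` seconds after a receive
    and reappear unless deleted, so a consumer that dies mid-job causes a redelivery."""

    def __init__(self, visibility_timeout=30):
        self.visibility_timeout = visibility_timeout
        self._messages = {}   # message_id -> (body, time it becomes visible again)
        self._receipts = {}   # receipt handle -> message_id

    def send(self, body):
        message_id = str(uuid.uuid4())
        self._messages[message_id] = (body, 0.0)   # visible immediately
        return message_id

    def receive(self, now):
        """Return (message_id, body, receipt_handle) for the first visible message, else None."""
        for message_id, (body, visible_at) in list(self._messages.items()):
            if visible_at <= now:
                # Hide the message until the timeout lapses; it is NOT removed.
                self._messages[message_id] = (body, now + self.visibility_timeout)
                receipt = str(uuid.uuid4())
                self._receipts[receipt] = message_id
                return message_id, body, receipt
        return None

    def delete(self, receipt_handle):
        """Only an explicit delete removes the message for good."""
        message_id = self._receipts.pop(receipt_handle)
        self._messages.pop(message_id, None)


def run_scenario():
    """Consumer A receives and crashes before deleting; consumer B gets the same
    message after the timeout. Side effects are keyed by message id, so the
    duplicate is detected and the order is still handled exactly once."""
    q = VisibilityQueue(visibility_timeout=30)
    q.send("order-1001")                      # constructed message body
    processed = set()
    deliveries = []

    mid_a, _, _ = q.receive(now=0)            # consumer A takes the message ...
    deliveries.append(mid_a)                  # ... and crashes here: no delete()

    hidden_at_10 = q.receive(now=10) is None  # still invisible inside the timeout

    mid_b, _, receipt_b = q.receive(now=31)   # visible again: duplicate delivery
    deliveries.append(mid_b)
    if mid_b not in processed:                # idempotency check before acting
        processed.add(mid_b)
    q.delete(receipt_b)

    return {
        "deliveries": len(deliveries),
        "same_message": mid_a == mid_b,
        "hidden_inside_timeout": hidden_at_10,
        "processed_once": len(processed) == 1,
        "empty_after_delete": q.receive(now=100) is None,
    }
```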

SWF vs SQS

· SQS has a maximum retention period of 14 days; SWF workflow executions can last up to 1 year

· SQS provides a message-oriented API; SWF provides a task-oriented API

· With SQS you need to handle duplicate messages and may need to ensure a message is processed only once; SWF ensures a task is assigned only once and is never duplicated

· With SQS you need to implement your own application-level tracking, especially if your application uses multiple queues; SWF keeps track of all tasks and events in an application

13.10 SNS

· SNS -> Simple Notification Service

· Instantaneous, push-based delivery (no polling)

· Simple APIs and easy integration with applications

· Flexible message delivery over multiple transport protocols

· Inexpensive, pay-as-you-go, no upfront costs

· The web-based AWS Management Console offers a simple point-and-click interface

SNS vs SQS

· Both are AWS messaging services

· SNS: push

· SQS: pull

Messages in SWF are tasks; messages in SQS are messages; messages in SNS are notifications

13.11 Elastic transcoder

· Media transcoder in the cloud

· Converts media from its original format into different formats that can be played on smartphones, tablets, PCs and so on

· Provides transcoding presets for popular output formats, which means you don't need to guess which settings work best on particular devices

· Pay based on the minutes you transcode and the resolution at which you transcode

Figure 62 Elastic transcoder workflow

13.12 Kinesis

Streaming data is data generated continuously by thousands of data sources, which typically send data records simultaneously and in small sizes (on the order of kilobytes), for example:

· Online purchases

· Stock prices

· Game data

· Social network data

· Geospatial data (Uber, Didi)

· IoT sensor data

Kinesis is a platform on AWS for processing streaming data. It makes it easy to load and analyze streaming data, and it also provides the ability to build custom applications for your business needs. There are three different forms of Kinesis:

· Kinesis stream

· Kinesis firehose

· Kinesis analytics

Kinesis Streams has a maximum retention of 7 days, and Kinesis Firehose has a retention of 1 day.

Figure 63 Kinesis stream

A Kinesis stream is made up of shards:

· For reads: 5 transactions per second, up to a maximum total data read rate of 2 MB per second

· For writes: up to 1,000 records per second, up to a maximum total data write rate of 1 MB per second (including partition keys)

· The data capacity of a stream is a function of the number of shards specified for the stream; the total capacity is the sum of the shard capacities
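Using the per-shard figures just listed, the following added example (not from the original notes) works out how many shards a stream needs and what capacity that gives; the traffic numbers are constructed, and each consumer is assumed to poll every shard once per second.

```python
# Added example (not from the original notes): shard sizing from the per-shard
# limits stated above. The traffic figures passed in are constructed.
from math import ceil

SHARD_WRITE_BYTES_PER_SEC = 1_000_000    # 1 MB/s per shard, partition key included
SHARD_WRITE_RECORDS_PER_SEC = 1_000      # 1,000 records/s per shard
SHARD_READ_BYTES_PER_SEC = 2_000_000     # 2 MB/s per shard
SHARD_READ_TX_PER_SEC = 5                # 5 GetRecords calls/s per shard


def shards_needed(records_per_sec, avg_record_bytes, partition_key_bytes,
                  consumers, polls_per_consumer_per_sec=1):
    """Smallest shard count that satisfies every per-shard limit.

    Every consumer reads every shard in full, so the read-bytes limit scales
    with the consumer count, and the GetRecords-per-second limit is a
    feasibility check that adding shards cannot relax.
    Returns (shards, per-limit breakdown) so the binding constraint is visible.
    """
    write_bytes = records_per_sec * (avg_record_bytes + partition_key_bytes)
    if consumers * polls_per_consumer_per_sec > SHARD_READ_TX_PER_SEC:
        raise ValueError("GetRecords calls per shard exceed the per-shard limit; "
                         "reduce consumers or their poll rate")
    limits = {
        "write_bytes": ceil(write_bytes / SHARD_WRITE_BYTES_PER_SEC),
        "write_records": ceil(records_per_sec / SHARD_WRITE_RECORDS_PER_SEC),
        "read_bytes": ceil(write_bytes * consumers / SHARD_READ_BYTES_PER_SEC),
    }
    return max(limits.values()), limits


def stream_capacity(shards):
    """Total capacity is the sum of the shard capacities."""
    return {
        "write_bytes_per_sec": shards * SHARD_WRITE_BYTES_PER_SEC,
        "write_records_per_sec": shards * SHARD_WRITE_RECORDS_PER_SEC,
        "read_bytes_per_sec": shards * SHARD_READ_BYTES_PER_SEC,
    }
```

For 5,000 records/s of 2,000 bytes plus a 32-byte key read by three consumers, the write side alone needs 11 shards, but the read fan-out pushes it to 16.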

Figure 64 Kinesis Firehose

Kinesis Streams data can be persisted, whereas Kinesis Firehose data cannot.

Figure 65 Kinesis Analytics

Figure 66 Kinesis components comparison

Kinesis Data Streams

Real-time data capture

Ingest and store data streams from hundreds of thousands of data sources:

  • Log and event data collection
  • IoT device data capture
  • Mobile data collection
  • Gaming data feed

Kinesis Data Firehose

Load real-time data

Load streaming data into data lakes, data stores, and analytics tools for:

  • Log and event analytics
  • IoT data analytics
  • Clickstream analytics
  • Security monitoring

Kinesis Data Analytics

Get insights in real time

Analyze streaming data and gain actionable insights in real time:

  • Real-time streaming ETL
  • Real-time log analytics
  • Ad tech and digital marketing analytics
  • Real-time IoT device monitoring

13.13 CloudFront

Delivery

· Request -> Route 53 -> edge location -> origin server

· Supports both static and dynamic content

RTMP -> Real Time Messaging Protocol

· S3 bucket as the origin

· Users view media files using the media player that is provided by CloudFront, not a locally installed one

· Web distribution for the media player and RTMP distribution for the media files

· Private content

· OAI -> Origin Access Identity

· Add a header in the HTTP server so the origin can verify that the request came from CloudFront

· Features

- Signed URLs and signed cookies

- Signed URLs: for RTMP distributions, and to restrict access to individual files

- Signed cookies: to give access to multiple restricted files

Caching Based on Request Headers

Geo Restriction

Compressed Files

· Content-Encoding header on the file must not be gzip

· viewer uncompresses the file

· multi-upload to S3

SNI

Server Name Indication: multiple hostnames can share the same IP address. Choose this when you use your own SSL certificate; it is generally supported by client browsers.

Dedicated IP

A dedicated IP for the host, not shared with other hostnames; used by legacy SSL clients, though most now use SNI.

HTTPS with S3: S3 cannot use HTTPS on its own, but combined with CloudFront it can communicate using a certificate generated by ACM -> AWS Certificate Manager.

Price

· Charge with: data out, request, Invalidation request, SSL certificates

· CloudFront is intended to cache and deliver static files from your origin servers to users or clients. Dynamic content is also servable through CloudFront from EC2 or other web servers, as CloudFront is a distribution mechanism, not a storage facility.

· Edge locations are used by CloudFront distributions to store cached content; EC2 instances can serve content from processes.

· CloudFront is AWS’s distribution network. It’s a content caching system that is ultimately a networking component of your AWS buildout.

· CloudFront can front a number of AWS services: AWS Shield, S3, ELBs (including ALBs), and EC2 instances. It also most recently supports Lambda@Edge as an origin.

· CloudFront is typically associated with performance and not a lot else. However, CloudFront also provides deep integration with many managed AWS services, such as S3, EC2, ELBs, and even Route 53.

· CloudFront automatically provides AWS Shield (standard) to protect from DDoS, and it also can integrate with AWS WAF and AWS Shield advanced. These combine to secure content at the edge. HTTPS is not required, and there is no KMS involvement with CloudFront.

· Edge locations number more than both regions and availability zones

· CloudFront is easy to set up and lets you create a global content delivery network without contracts. It’s also a mechanism for distributing content at low latency. Creating websites and the actual file storage are not features of CloudFront but of LightSail (for example) and S3, respectively.

· When you create a CloudFront distribution, you register a domain name for your static and dynamic content. This domain should then be used by clients.

· CloudFront will always handle requests that it receives. It will either return the requested content if cached or retrieve that content by requesting it from an origin server. It will not redirect the client, nor will it pass the request on directly.

· There is no charge associated with data moving from any region to a CloudFront edge location.

· CloudFront can store and serve both static (HTML and CSS) and dynamic (PHP,) content. SQL queries cannot be directly returned, nor can an actual Lambda function. You can front the result of a Lambda@Edge function, but not the function itself.

· An edge location is a data center that delivers CloudFront content. Edge locations are spread across the world.

· A distribution is the setup including your origin servers and how the content from those servers is distributed via CloudFront. It does not specifically refer to cached content at any given point in time.

· Edge locations check for updated content every 24 hours by default, but this value can be changed.

· Edge locations can be set to have a 0-second expiration period, which effectively means no caching occurs.

· RDS instances cannot be origin servers

· A collection of edge locations is a distribution.

· An RTMP distribution uses the Adobe Real-Time Messaging Protocol and is suitable for using S3 buckets as an origin server to serve streaming media.

· CloudFront supports both web distributions and RTMP distributions.

· An Origin Access Identity is a special user that you set up for the CloudFront service to use to access your restricted content.

· The invalidation API is the fastest way to remove a file or object, although it will typically incur additional cost.

· While edge locations are typically read from by clients, they are also writeable. You can store objects on edge locations as well as read from them.

13.14 CloudWatch

CloudWatch provides disk read operations, CPU usage, and inbound network traffic but does not provide memory usage by default.

13.15 WAF & Shield

A PUT request is used to establish a session with IMDS version 2. In response, IMDS issues a session token that is valid for the TTL specified in the PUT call. With IMDSv2, all calls to the metadata service must include the token in the X-aws-ec2-metadata-token header. PUT is used because several firewalls and proxies do not forward PUTs. In addition, IMDSv2 does not issue a token when the PUT request carries an X-Forwarded-For header.
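The handshake above, modelled as an added example (not from the original notes) in Python: the class simulates the IMDSv2 endpoint so the token rules can be exercised offline. The 401 for a missing or expired token and the 6-hour maximum TTL match the documented service; the 403 for the X-Forwarded-For case, the instance-id value and the clock values are assumptions for the demo.

```python
# Added example (not from the original notes): a simulation of the IMDSv2
# session-token rules. Time is a plain number of seconds passed by the caller.
import secrets

TOKEN_PATH = "/latest/api/token"
TOKEN_HEADER = "x-aws-ec2-metadata-token"
TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds"
MAX_TTL = 21600  # 6 hours: the documented upper bound for a session TTL


class ImdsV2:
    """Minimal model of the IMDSv2 endpoint with IMDSv1 (token-less GET) disabled."""

    def __init__(self):
        self._tokens = {}  # token -> expiry time in seconds
        # Constructed metadata; a real instance has many more paths.
        self.metadata = {"/latest/meta-data/instance-id": "i-0123456789abcdef0"}

    def handle(self, method, path, headers, now):
        """Return (status, body) the way the metadata service would."""
        h = {k.lower(): v for k, v in headers.items()}
        if path == TOKEN_PATH:
            if method != "PUT":
                return 405, ""          # only PUT can mint a session
            if "x-forwarded-for" in h:
                # Request relayed by a proxy: refuse, so a forwarded request from
                # an application-layer SSRF cannot obtain a token. (403 assumed.)
                return 403, ""
            try:
                ttl = int(h[TTL_HEADER])
            except (KeyError, ValueError):
                return 400, ""          # TTL header is mandatory and numeric
            if not 1 <= ttl <= MAX_TTL:
                return 400, ""
            token = secrets.token_urlsafe(32)
            self._tokens[token] = now + ttl
            return 200, token
        if method != "GET":
            return 405, ""
        token = h.get(TOKEN_HEADER)
        if token is None or self._tokens.get(token, -1) <= now:
            return 401, ""              # no token / expired token: v1-style access is rejected
        return (200, self.metadata[path]) if path in self.metadata else (404, "")


def fetch_with_token(imds, path, ttl, now):
    """The two-step client flow: PUT for a token, then GET with the token header."""
    status, token = imds.handle("PUT", TOKEN_PATH, {TTL_HEADER: str(ttl)}, now)
    if status != 200:
        return status, ""
    return imds.handle("GET", path, {TOKEN_HEADER: token}, now)
```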

13.15.1 WAF -> Web Application Firewall

AWS WAF: protect your web applications from common web exploits

AWS WAF is a web application firewall service that lets you monitor web requests that are forwarded to an Amazon API Gateway API, an Amazon CloudFront distribution, or an Application Load Balancer. You can protect those resources based on conditions that you specify, such as the IP addresses that the requests originate from.

With WAF IP address sets, you have a scalable solution for allow-listing or block-listing. This solution supports thousands of IP address blocks. WAF IP address sets and regex pattern sets are reusable across different web ACLs. A security group has a limit of a few hundred entries, and a network ACL has a limit of a few tens of entries.

13.15.2 Shield

AWS Shield provides expanded DDoS attack protection for your AWS resources. Get 24/7 support from our DDoS response team and detailed visibility into DDoS events.

As an AWS customer, you automatically have basic DDoS protection with the AWS Shield Standard plan, at no additional cost beyond what you already pay for AWS WAF and your other AWS services. For an additional cost, you can get advanced DDoS protection by activating the AWS Shield Advanced plan.

AWS Shield standard:

§ Protects against layer 3 and layer 4 attacks

§ DDoS and other infrastructure-level attacks

§ Included for all customers

§ Free

UDP reflection attack (layer 3)

SYN Flood (layer 4)

13.16 Manage resources at scale

Systems Manager also provides a browser-based command line and shell interface for managing Windows and Linux instances. A big benefit is that administrators can use IAM to grant and revoke access to the system. This allows you to control through IAM which user can access each instance, including the option to provide non-root access. Users can connect to the system without SSH, RDP or a bastion host. This approach vastly simplifies your setup, as you no longer need to manage SSH keys or passwords for the servers, and it eliminates the need for bastion hosts.

AWS Config continuously monitors your infrastructure, checks for compliance, and alerts you to changes. Using the managed rules in Config, you can quickly get started with best practices to keep your infrastructure compliant with your enterprise policies. You can also customize by writing your own rules. CloudTrail maintains an audit trail of all changes to pinpoint who made the changes and when. With Systems Manager, you get visibility and control of your EC2 and on-premises server infrastructure. With AWS Trusted Advisor, you can benchmark your environment against AWS best practices.

With Amazon Inspector, you can quickly find security exposures and vulnerabilities in your EC2 instances. It can identify the ports that are reachable from outside the VPC, and it will also identify the process that is listening on each port. Inspector compares the installed OS and software against known vulnerabilities in the CVE list. It evaluates your instance against the Center for Internet Security (CIS) benchmarks for host hardening. Inspector also checks your instance against AWS security best practices, and it prioritizes the findings based on severity.

Trusted Advisor is an online tool that provides real-time guidance to help you provision your resources following AWS best practices. By following the recommendations provided by Trusted Advisor regularly, you can provision your resources optimally.

AWS Trusted Advisor is an online resource that helps you reduce cost as well as increase performance and improve security.

14 Cloud migration

Tools for cost estimation

AWS support plan

Posted 2022-10-03 10:32 by 逆流的鱼2016