AWS solutions Architect Associate 시험 오답노트 2

1. EC2 에서 user data, meta data, public-ipv4 가져오는 방법

user data: curl http://169.254.169.254/latest/user-data/

meta data: curl http://169.254.169.254/latest/meta-data/

public-piv4: http://169.254.169.254/latest/meta-data/public-ipv4

 

2. AWS GLUE

AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics. 

Glue job을 통해 data를 압축시킬 수 있고, 압축 형태로 저장하면 저장비가 절약된다.

 

3. snowball

snowball을 통한 데이터는 처음에 무조건 s3로 가야한다!

비용은 Glacier Deep Archive < Glacier로 전자가 더 저렴.

 

4. ELB-ASG, target group deregistration process

scale-in시 ELB는 300초 동안 딜레이를 준다. 사라지는 인스턴스가 처리하고 있는 작업이 있을 수도 있기 때문이다.

만약 서비스가 최대 10분 정도 걸리는 작업을 수행한다면, deregistraion delay를 10분 이상 줘서, 사라지기 전에 이미 받은 request를

잘 처리할 수 있게 해줘야 한다.

 

5. launch template vs launch configuration

공통점:

it specifies instance configuration information such as the ID of the Amazon Machine Image (AMI), the instance type, a key pair, security groups, and the other parameters that you use to launch EC2 instances

차이점:

launch template은 on-demand instance와 spot instance를 동시에 쓰면서 여러 인스턴스 타입을 지정할 수 있다.

launch configuration은 이게 안된다.

 

6. Amazon Aurora

- MySQL and PostgreSQL-compatible relational database built for the cloud, that combines the performance and availability of traditional enterprise databases with the simplicity and cost-effectiveness of open source databases.

- distributed, fault-tolerant, self-healing storage system that auto-scales up to 64TB per database instance.

- not an in-memory database.

 

7. Amazon Aurora Global Database

Amazon Aurora Global Database is designed for globally distributed applications, allowing a single Amazon Aurora database to span multiple AWS regions. It replicates your data with no impact on database performance, enables fast local reads with low latency in each region, and provides disaster recovery from region-wide outages.

 

8. multi-AZ, Multi-Region, Read reaplicas

 

9. SQS

Standard queues

: offer maximum throughput, best-effort ordering, and at-least-once delivery.

SQS FIFO

: queues are designed to guarantee that messages are processed exactly once, in the exact order that they are sent.

Group ID

:If we don't specify a GroupID, then all the messages are in absolute order, but we can only have 1 consumer at most. To allow for multiple consumers to read data for each Desktop application, and to scale the number of consumers, we should use the "Group ID" attribute.

 

10. Amazon Kinesis Data Streams (KDS)

: is a massively scalable and durable real-time data streaming service. KDS can continuously capture gigabytes of data per second from hundreds of thousands of sources such as website clickstreams, database event streams, financial transactions, social media feeds, IT logs, and location-tracking events.

 

11. EBS volume

EBS volume이 EC2의 root volume으로 지정되면, ec2가 종료될 때 이 볼륨도 같이 종료되는 것이 default 옵션이다.

이 디폴트 옵션은 바꿀 수 있다. 

DeleteOnTermination attribute를 False로 바꾸면 된다.

EBS volume이 root volume이 아니면, ec2가 종료되도 ebs는 영구적으로 남는다.

 

12. Network Load Balancer 

Network Load Balancer is best suited for use-cases involving low latency and high throughput workloads that involve scaling to millions of requests per second. Network Load Balancer operates at the connection level (Layer 4), routing connections to targets - Amazon EC2 instances, microservices, and containers – within Amazon Virtual Private Cloud (Amazon VPC) based on IP protocol data.

 

13. ALB만 할 수 있는 것.

route traffic based on the content of the request은 ALB만 가능하다.

NLB, CLB는 불가능.

 

14. Elastic IP address, Private IP address, Public IP address

Elastic IP address

: An Elastic IP address is a static IPv4 address designed for dynamic cloud computing. An Elastic IP address is associated with your AWS account. With an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account.

Private IP address

: A private IPv4 address is an IP address that's not reachable over the Internet. You can use private IPv4 addresses for communication between instances in the same VPC.

Public IP address

: A public IP address is an IPv4 address that's reachable from the Internet. You can use public addresses for communication between your instances and the Internet.

 

15. Private Ip range

Private IP ranges are:

192.168.0.0 - 192.168.255.255 (65,536 IP addresses)

172.16.0.0 - 172.31.255.255 (1,048,576 IP addresses)

10.0.0.0 - 10.255.255.255 (16,777,216 IP addresses)

 

16. S3 Event Notifications

s3에서 이벤트 발생시(예. 업로드) event notification을 통해 Lambda, SNS, or SQS로 알림을 보낼 수 있다.

활용 예시: s3 -> SQS -> EC2에서 큐에 쌓인 작업을 처리함.

 

17. Amazon Kinesis Data Firehose

Amazon Kinesis Data Firehose is the easiest way to reliably load streaming data into data lakes, data stores, and analytics tools. It is a fully managed service that automatically scales to match the throughput of your data and requires no ongoing administration. It can also batch, compress, transform, and encrypt the data before loading it, minimizing the amount of storage used at the destination and increasing security.

When a Kinesis data stream is configured as the source of a Firehose delivery stream, Firehose’s PutRecord and PutRecordBatch operations are disabled and Kinesis Agent cannot write to Firehose delivery stream directly. Data needs to be added to the Kinesis data stream through the Kinesis Data Streams PutRecord and PutRecords operations instead.

 

18. Kinesis Agent

Kinesis Agent is a stand-alone Java software application that offers an easy way to collect and send data to Kinesis Data Streams or Kinesis Firehose.

 

19. Kinesis Firehose

Kinesis Firehose is a fully managed service that automatically scales to match the throughput of your data and requires no ongoing administration.

 

20.  SQS 메세지 삭제

It is the consumer application's responsibility to process the message from the queue and delete them once the processing is done. Otherwise, the message will be processed repeatedly by consumer applications. The SQS queue will not delete any messages unless the default retention period of 4 days is over. This is to make sure that the message is still available for processing by another consumer, in case the first consumer application fails while it is still processing the message.

If the consumer application is misconfigured to not delete messages after processing, then we can see this issue as described in the use-case. 

 

21. S3 static website endpoint pattern

http://bucket-name.s3-website.Region.amazonaws.com

http://bucket-name.s3-website-Region.amazonaws.com

 

22. SSD vs HDD

EBS 볼륨은 크게 ssd, hdd 두 타입으로 나뉜다.

SSD는 IOPS가 강점이다. 가볍고 빠르다(hdd에 비해). 빈번한 read/write transaction, small I/O size.

HDD는 large throughput이 강점. 무겁고 느리다(ssd에 비해).

 

23. WAF, NACL, AWS Shield

 

- WAF

: web application firewall. 

helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define.

ALB위에 WAF를 결합하면 requests를 과도하게 보내는 공격으로부터 서버를 보호할 수 있다.( rate-based rule 지정 가능)

 

- NACL(Network ACL)

: 특정 ip를 차단하는 기능 가능.

: subnet level에서 작동

 

-AWS Shield

WS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield - Standard and Advanced.

AWS Shield Advanced provides enhanced resource-specific detection and employs advanced mitigation and routing techniques for sophisticated or larger attacks.

(rate-based rule 지정 불가능)

 

24. Transit Gateway

- 시나리오: 여러 계정에 여러 VPC가 있고, on-premises network까지 있는 상황에서 이 모두를 star network로 서로 연결시켜야 한다.

- 단일 게이트웨이로 VPC들과 on-premises network를 연결해준다. 

 

25. VPC Peering

: 두 VPC를 private IPv4 addresses 혹은 IPv6 addresses 를 통해  연결시킴.

: 서로 다른 region이어도 가능하다.

: 딱 2개만 서로 된다. 여러개가 있다면 각각 Peering을 맺어야 한다.

 

26. Private Link(아직 잘 이해가 안된다ㅜㅜ)

: simplifies the security of data shared with cloud-based applications by eliminating the exposure of data to the public Internet.

: provides private connectivity between VPCs, AWS services, and on-premises applications, securely on the Amazon network.

: is utilized to create a private connection between an application that is fronted by an NLB in an account, and an Elastic Network Interface (ENI) in another account, without the need of VPC peering, and allowing the connections between the two to remain within the AWS network.

 

27. Security Group

A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you can specify one or more security groups; otherwise, AWS uses the default security group. You can add rules to each security group that allows traffic to or from its associated instances. You can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group. To decide whether to allow traffic to reach an instance, AWS evaluates all the rules from all the security groups that are associated with the instance.

The following are the default rules for a default security group: Allow inbound traffic from network interfaces (and their associated instances) that are assigned to the same security group. Allows all outbound traffic

So instance A can be pinged from other instances in the default security group.

The following are the default rules for a security group that you create: Allows no inbound traffic Allows all outbound traffic

So instance B cannot be pinged from other instances in the new security group created by the DevOps team because any new security group allows no inbound traffic by default.

 

28. CloudWatch로 ec2 healthcheck 하고, 특정 조건 시 instance stop, terminate, reboot, recover하는 것이 가능하다.

Using Amazon CloudWatch alarm actions, you can create alarms that automatically stop, terminate, reboot, or recover your EC2 instances. You can use the stop or terminate actions to help you save money when you no longer need an instance to be running. You can use the reboot and recover actions to automatically reboot those instances or recover them onto new hardware if a system impairment occurs.

You can create an Amazon CloudWatch alarm that monitors an Amazon EC2 instance and automatically reboots the instance. The reboot alarm action is recommended for Instance Health Check failures (as opposed to the recover alarm action, which is suited for System Health Check failures).

 

29. route 53 latency routing policy, Aurora DB read-replicas

 route 53 latency routing policy

: 여러 region에 서버가 있을 때, latency가 낮은 곳으로 트래픽을 보내는 기능.

유럽, 미국에 각각 서버가 있을 때 유럽 유저들은 유럽 서버로(미국 서버 latency > 유럽 서버 latency 일 테니까), 미국 유저는 미국 서버로 보내준다.

 

Aurora DB read-replicas

: 여러 region에 생성 가능.

 

30. route 53 geolocation routing policy

: lets you choose the resources that serve your traffic based on the geographic location of your users, meaning the location that DNS queries originate from. For example, you might want all queries from Europe to be routed to an ELB load balancer in the Frankfurt region. You can also use geolocation routing to restrict the distribution of content to only the locations in which you have distribution rights. You cannot use geolocation routing to reduce latency,

 

31. The Elastic Fabric Adapter (EFA)

 : a network interface for Amazon EC2 instances that enables customers to run HPC applications requiring high levels of inter-instance communications

활용 예시: computational fluid dynamics, weather modeling, and reservoir simulation, at scale on AWS.

 

32. Spot Instance, Spot Fleets 

:A Spot Instance is an unused EC2 instance that is available for less than the On-Demand price. Spot Instances provide great cost efficiency, but we need to select an instance type in advance.

 

:Spot Fleets are set to maintain target capacity by launching replacement instances after Spot Instances in the fleet are terminated.

 

33. Spot Instance with Spot Block

spot instance 사용 할 때 duration을 정하는 기능.
예를 들어 1시간로 지정하면 무조건 1시간 동안은 인스턴스가 terminate되지 않음이 보장된다.

 

34.  EMR

: Amazon EMR is the industry-leading cloud big data platform for processing vast amounts of data using open source tools such as Apache Spark, Apache Hive, Apache HBase, Apache Flink, Apache Hudi, and Presto. Amazon EMR uses Hadoop, an open-source framework, to distribute your data and processing across a resizable cluster of Amazon EC2 instances.

 

35. Byte Range Fetch 

: s3에 get 요청 보낼 때 어떤 객체의 앞 특정 바이트만 가져오는 요청.

: This helps you achieve higher aggregate throughput versus a single whole-object request. Fetching smaller ranges of a large object also allows your application to improve retry times when requests are interrupted.

 

36:  S3 object consists of

:Key – The name that you assign to an object. You use the object key to retrieve the object.

:Version ID – Within a bucket, a key and version ID uniquely identify an object.

:Value – The content that you are storing.

:Metadata – A set of name-value pairs with which you can store information regarding the object.

:Subresources – Amazon S3 uses the subresource mechanism to store object-specific additional information.

:Access Control Information – You can control access to the objects you store in Amazon S3.

 

Metadata는 encrypt 되지 않는다.

 

 

27. AWS CloudFormation 

: allows you to use programming languages or a simple text file (in YAML or JSON format) to model and provision, in an automated and secure manner, all the resources needed for your applications across all Regions and accounts.

 

28. AZ ID

AZ이름과 실제 az가 각각 계정마다 다를 수 있다.

예를 들어 계정 1과 2에서 각각 us-west-2a를 선택했을 때, 실제로는 서로 다른 az일 수도 있다.

따라서 서로 다른 계정에서 정말 똑같은 az를 선택하고 싶다면 az 이름이 아니라 AZ ID를 봐야한다.

AZ 아이디는 ec2 dashboard에서 볼 수 있다.

오른쪽이 AZ ID

 

29. AWS Kinesis Data Streams

: is a massively scalable and durable real-time data streaming service. KDS can continuously capture gigabytes of data per second from hundreds of thousands of sources such as website clickstreams, database event streams, financial transactions, social media feeds, IT logs, and location-tracking events. The data collected is available in milliseconds to enable real-time analytics use cases such as real-time dashboards, real-time anomaly detection, dynamic pricing, and more.

Amazon Kinesis Data Streams enables real-time processing of streaming big data. It provides ordering of records, as well as the ability to read and/or replay records in the same order to multiple Amazon Kinesis Applications. The Amazon Kinesis Client Library (KCL) delivers all records for a given partition key to the same record processor, making it easier to build multiple applications reading from the same Amazon Kinesis data stream (for example, to perform counting, aggregation, and filtering). Amazon Kinesis Data Streams is recommended when you need the ability to consume records in the same order a few hours later.

For example, you have a billing application and an audit application that runs a few hours behind the billing application. Because Amazon Kinesis Data Streams stores data for up to 7 days, you can run the audit application up to 7 days behind the billing application.

 

30. AWS Kinesis Data Firehose

: is the easiest way to load streaming data into data stores and analytics tools.

31. AWS Kinesis Data Analytics

:is the easiest way to analyze streaming data in real-time. 

 

32. AWS Systems Manager

AWS Systems Manager is an AWS service that you can use to view and control your infrastructure on AWS. Using the Systems Manager console, you can view operational data from multiple AWS services and automate operational tasks across your AWS resources. With Systems Manager, you can group resources, like Amazon EC2 instances, Amazon S3 buckets, or Amazon RDS instances, by application, view operational data for monitoring and troubleshooting, and take action on your groups of resources. It does not offer any feedback about architectural best practices.

 

33. tenancy

Each EC2 instance that you launch into a VPC has a tenancy attribute. This attribute has the following values.

dedicated -> host, host -> dedicated로만 변경 가능하고 이외에는 불가능하다.

 

34. AWS Config 

"Use AWS Config to review resource configurations to meet compliance guidelines and maintain a history of resource configuration changes"

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. You can use Config to answer questions such as - “What did my AWS resource look like at xyz point in time?”.

 

35. NAT instance

- NAT instance can be used as a bastion server

- Security Groups can be associated with a NAT instance

- NAT instance supports port forwarding

 

-NAT gateway는 bastion으로 못쓰고, 포트 포워딩 안되고, SG 못쓴다!.

 

35. Delay queues, Visibility timeout

- Delay queues let you postpone the delivery of new messages to a queue for several seconds, for example, when your consumer application needs additional time to process messages. If you create a delay queue, any messages that you send to the queue remain invisible to consumers for the duration of the delay period. The default (minimum) delay for a queue is 0 seconds. The maximum is 15 minutes.

 

- Visibility timeout is a period during which Amazon SQS prevents other consumers from receiving and processing a given message. The default visibility timeout for a message is 30 seconds. The minimum is 0 seconds. The maximum is 12 hours. You cannot use visibility timeout to postpone the delivery of new messages to the queue for a few seconds.

 

36. S3 Glacier

encryption by default for both data at rest as well as in-transit

 

37. VPN CloudHub

site-to-site VPN이 여러개 연결되있거나, Direct Connetion이 여러개 연결되어 있을 때 VPN CloudHub를 사용해서 한 번에 모든 것을 연결 시킬 수 있다.

 

38.  SQS long poiing, short polling

디폴트는 short polling. reponse를 즉각 보낸다(메세지가 없어도)

long polling은 기본적으로 메세지가 최소 1개는 있어야 response를 보낸다. (물론 wait time 초과하면 resposne를 결국 보내긴 한다)

long polling을 쓰면 비용절감이 가능하다. emptry receives를 줄일 수 있기 때문.

 

Amazon SQS provides short polling and long polling to receive messages from a queue. By default, queues use short polling. With short polling, Amazon SQS sends the response right away, even if the query found no messages. With long polling, Amazon SQS sends a response after it collects at least one available message, up to the maximum number of messages specified in the request. Amazon SQS sends an empty response only if the polling wait time expires.

Long polling makes it inexpensive to retrieve messages from your Amazon SQS queue as soon as the messages are available. Using long polling can reduce the cost of using SQS because you can reduce the number of empty receives.

Short Polling vs Long Polling