Inaccurate Design

Amazon Solution Architect - Certification Prep Workshop Notes

Monday, 12 September 2016

Here are some terrible notes that I smashed out during an exam-preparation Webex!

General Exam Prep

  • 80 minutes to complete the exam
  • 50 questions
  • Approx. 1 min 10 s per question

Exam Approach

You will need more self-study and hands-on time than the course alone provides.

  • Drake International is the best testing centre!
  • Will need two forms of ID, one needs a photo and signature.
  • Closed book exam
  • You can mark questions for review; do this for any question you can't answer immediately, and review them at the end
  • No penalty for wrong answers - answer all questions.
  • It will always tell you how many responses you need (e.g. no ‘choose all that apply’)
  • Take the practice exam once you’ve done some study; that gives the best outcome

Exam Guide and Materials

Domain 1.0 - Designing HA, cost-efficient and fault-tolerant systems

  • Accounts for 60% of the exam marks

  • Review Best Practices including

    • RTO/RPO DR design
    • Pricing/cost (e.g. on-demand vs. reserved instances vs spot)
    • Architectural designs and trade-offs (e.g. using PaaS vs roll-your-own)
    • Hybrid IT architectures
    • IT scalability and elasticity
  • Region = collection of data centre facilities
  • AZ = collection of data centre facilities that are fault-isolated from other AZs
  • An Edge Location is a point-of-presence into the AWS network
  • Globally available services run from Edge Locations and are inherently HA
    • CloudFront, Route 53, etc.
  • Regionally-scoped services span all AZs within a Region
    • ELB, DynamoDB, S3, etc.
  • AZ-scoped services live within the specified AZ
  • Highly available (HA): some AWS services are themselves HA (e.g. ELB)

  • 5 pricing types - on-demand, spot, reserved instances, scheduled reserved, dedicated hosts
    • Understand the differences between them
  • For each question, understand the drivers
    • is it about cost, or availability?
S3 Storage
  • S3 storage classes (Standard (normal), Reduced Redundancy, Infrequent Access, Glacier) and lifecycle transitions between them
HA and Fault Tolerance
  • Fault-tolerant = no degradation or downtime
    • The system will continue to function without degradation in performance despite the complete failure of any component of the architecture
    • Only DynamoDB and Route 53
  • Highly-available = minimized downtime

  • Scalability covers both services that scale on their own (e.g. SNS) and auto-scaling for the other services

  • If you get a question on FT, generally ignore cost.

Decoupling Patterns
  • Don’t rely on the identity of individual resources; instead consider

    • Load balancing
    • DNS and endpoint resolution
    • ???
  • ‘Design for failure and nothing will fail’

  • Do not assume health of components - use auto scaling, elastic IPs, and endpoints
  • Use designs that are resilient to reboot and relaunch
    • Stateless = better
    • ELB and CloudWatch to detect health of instances
  • Bootstrap instances (e.g. pass in user data at launch)
  • Store config and personalisation off-instance
  • Can be a key cost driver

Domain 2.0 - Implementation and Deployment

  • Makes up 20% of the exam
  • Includes

    • AMI configuration
    • Operate and extend service management in a hybrid IT architecture environment
    • Configure services to support compliance requirements in the cloud
    • Launch instances across AWS infrastructure
    • Configure IAM policies and best practices
  • This domain is concerned about ‘How to use it’. Domain 1 was about ‘What to use’

  • Use your time to only learn about key foundation services

    • Focus on groups (and key services)
      • Compute and Networking
        • EC2, VPC
      • Storage/CDN
        • S3, Glacier
      • Databases
        • RDS
      • Deployment and Management
        • CloudFormation, CloudWatch, IAM
      • App Services
        • SQS, SNS
    • Don’t worry about Developer Tools, Analytics (maybe EMR?), IoT, Game, Mobile
    • For the other non-key services, can read through the FAQs
      • Know basic use cases and patterns for non-core services
  • Know how to use metadata and user data to bootstrap (recommended to do the Qwiklabs)

  • EC2 includes ELB, auto-scaling, and EBS.

  • VPC includes EC2 IP addressing.
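
The bootstrapping notes above (pass in user data at launch, keep config and personalisation off-instance, use instance metadata) as one CloudFormation template. This is an added example written for these notes, not something from the workshop or from AWS; the parameter name /example/app/config, the Amazon Linux 2 AMI lookup and the t3.micro size are my own choices. The instance role can read exactly one Parameter Store entry and nothing else; the user-data script fetches its own instance ID from metadata using an IMDSv2 session token and pulls its config at boot, so the same AMI can be relaunched anywhere and picks up whatever config is current instead of baking it into the image.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example (not from the workshop): stateless instance bootstrapped from user data; config lives off-instance in SSM Parameter Store",
  "Parameters": {
    "SubnetId": { "Type": "AWS::EC2::Subnet::Id" },
    "LatestAmiId": {
      "Type": "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>",
      "Default": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2"
    }
  },
  "Resources": {
    "AppConfig": {
      "Type": "AWS::SSM::Parameter",
      "Properties": {
        "Name": "/example/app/config",
        "Type": "String",
        "Value": "{\"greeting\": \"hello from off-instance config\"}"
      }
    },
    "InstanceRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": { "Service": "ec2.amazonaws.com" },
            "Action": "sts:AssumeRole"
          }]
        },
        "Policies": [{
          "PolicyName": "ReadOnlyThisParameter",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Action": "ssm:GetParameter",
              "Resource": { "Fn::Sub": "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/example/app/config" }
            }]
          }
        }]
      }
    },
    "InstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": { "Roles": [{ "Ref": "InstanceRole" }] }
    },
    "AppInstance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": { "Ref": "LatestAmiId" },
        "InstanceType": "t3.micro",
        "SubnetId": { "Ref": "SubnetId" },
        "IamInstanceProfile": { "Ref": "InstanceProfile" },
        "UserData": {
          "Fn::Base64": {
            "Fn::Join": ["\n", [
              "#!/bin/bash -xe",
              "# Identity comes from instance metadata (IMDSv2: fetch a session token first)",
              "TOKEN=$(curl -sX PUT http://169.254.169.254/latest/api/token -H 'X-aws-ec2-metadata-token-ttl-seconds: 300')",
              "INSTANCE_ID=$(curl -sH \"X-aws-ec2-metadata-token: $TOKEN\" http://169.254.169.254/latest/meta-data/instance-id)",
              "# Configuration comes from Parameter Store at boot, never from the AMI",
              { "Fn::Sub": "aws ssm get-parameter --region ${AWS::Region} --name /example/app/config --query Parameter.Value --output text > /etc/app.json" },
              "echo \"$INSTANCE_ID booted with $(cat /etc/app.json)\" | logger -t bootstrap"
            ]]
          }
        }
      }
    }
  },
  "Outputs": {
    "InstanceId": { "Value": { "Ref": "AppInstance" } }
  }
}
```

Deploy with `aws cloudformation deploy --template-file bootstrap.json --stack-name app-bootstrap --parameter-overrides SubnetId=<your subnet id> --capabilities CAPABILITY_IAM`. A successful boot leaves a `bootstrap:` line in the instance's syslog; changing the parameter value and relaunching the instance is the whole "personalisation" story, with no AMI rebuild.
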

EBS and Instance Storage
  • Every time you reboot an instance it comes back up on a new host
  • ‘Turn it off and on again’
  • EBS - network attached storage
  • Instance storage - physically within the host
  • S3 consistency model
    • storage classes and durability
    • multi-part upload
  • Glacier
    • retrieval times
    • encryption
    • S3 lifecycle
  • RDS multi-AZ Deployment - primary plus synchronous secondary in different AZ
  • Failover process
  • DNS endpoints vs IP addresses
  • Recovery process?
Deployment and management
  • CloudFormation
    • create and manage a group of resources
    • JSON based template
    • install packages, create users, create files, etc
  • CloudWatch
    • monitor resources and apps
  • IAM
App Services
  • SQS
    • polling/pull model
  • SNS
    • Pub-Sub model (push)
    • HTTP, SQS, SMS, email
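
The SNS push model fanning out into an SQS queue that workers poll is the usual way to decouple producers from consumers (see the Decoupling Patterns section above). This template is an added example written for these notes, not part of the webex material; topic and queue names are made up. The queue policy is the part worth noticing: without the aws:SourceArn condition, any SNS topic in any account could publish into the queue. The dead-letter queue is where messages land after five failed receives, so a poison message cannot spin a worker forever.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example (not from the workshop): SNS topic (push, pub-sub) fanning out to an SQS queue that workers poll, with the queue policy scoped to this topic only",
  "Resources": {
    "OrderEvents": {
      "Type": "AWS::SNS::Topic",
      "Properties": { "TopicName": "order-events" }
    },
    "OrderDeadLetter": {
      "Type": "AWS::SQS::Queue",
      "Properties": { "QueueName": "order-work-dlq", "MessageRetentionPeriod": 1209600 }
    },
    "OrderWorkQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": {
        "QueueName": "order-work",
        "VisibilityTimeout": 60,
        "ReceiveMessageWaitTimeSeconds": 20,
        "RedrivePolicy": {
          "deadLetterTargetArn": { "Fn::GetAtt": ["OrderDeadLetter", "Arn"] },
          "maxReceiveCount": 5
        }
      }
    },
    "OrderQueuePolicy": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "Queues": [{ "Ref": "OrderWorkQueue" }],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Sid": "OnlyThisTopicMayPublishHere",
            "Effect": "Allow",
            "Principal": { "Service": "sns.amazonaws.com" },
            "Action": "sqs:SendMessage",
            "Resource": { "Fn::GetAtt": ["OrderWorkQueue", "Arn"] },
            "Condition": { "ArnEquals": { "aws:SourceArn": { "Ref": "OrderEvents" } } }
          }]
        }
      }
    },
    "OrderSubscription": {
      "Type": "AWS::SNS::Subscription",
      "Properties": {
        "TopicArn": { "Ref": "OrderEvents" },
        "Protocol": "sqs",
        "Endpoint": { "Fn::GetAtt": ["OrderWorkQueue", "Arn"] },
        "RawMessageDelivery": true
      }
    }
  }
}
```

The 20-second ReceiveMessageWaitTimeSeconds turns the workers' polling into long polling, which is cheaper and quicker to react than tight-loop short polls; adding a second subscriber (another queue, an HTTP endpoint, an email address) is a matter of one more AWS::SNS::Subscription and does not touch the producer.
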

Domain 3.0 - Data Security

  • Includes

    • AWS shared responsibility model
    • Platform compliance
    • Security attributes
  • Need to understand the Shared Responsibility Model

    • AWS responsible for facilities, physical security, physical infrastructure, network infrastructure, virtualization infrastructure
    • Customer responsible for OS, app, security groups, OS firewalls, network config and account management
  • Principle of least privilege

    • security tokens
    • master account
      • root, full privileges
      • should have MFA
      • not in daily use
    • IAM
      • groups/policies for access control
      • not authentication
    • Security Token Service/Federation
      • Temp tokens
        • service accounts, basically
        • grant rights temporarily
        • full control over privileges granted
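
Least privilege, groups/policies for access control and temporary STS tokens, worked as one CloudFormation template. This is an added example for these notes, not AWS's or the workshop's material; the bucket name, the group and role names and the App=web tag are assumptions. Members of the analysts group can read one bucket and assume one role; the role's trust policy refuses the AssumeRole call unless the caller authenticated with MFA, and what the role can do is itself narrowed to instances carrying the tag. The root user appears nowhere, which is the 'not in daily use' point made above.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example (not from the workshop): least-privilege IAM - a group with a narrow policy and a role that hands out temporary STS credentials only to MFA-authenticated callers",
  "Parameters": {
    "ReportsBucketName": { "Type": "String", "Default": "example-reports-bucket" }
  },
  "Resources": {
    "Analysts": {
      "Type": "AWS::IAM::Group",
      "Properties": {
        "GroupName": "analysts",
        "Policies": [{
          "PolicyName": "ReadReportsAndAssumeOpsRole",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Sid": "ListOnlyTheReportsBucket",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": { "Fn::Sub": "arn:aws:s3:::${ReportsBucketName}" }
              },
              {
                "Sid": "ReadObjectsInReportsBucket",
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": { "Fn::Sub": "arn:aws:s3:::${ReportsBucketName}/*" }
              },
              {
                "Sid": "MayAssumeTheOpsRole",
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": { "Fn::GetAtt": ["OpsRole", "Arn"] }
              }
            ]
          }
        }]
      }
    },
    "OpsRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "ops-restart",
        "MaxSessionDuration": 3600,
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": { "AWS": { "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root" } },
            "Action": "sts:AssumeRole",
            "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } }
          }]
        },
        "Policies": [{
          "PolicyName": "RestartTaggedAppInstances",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Action": ["ec2:RebootInstances", "ec2:StopInstances", "ec2:StartInstances"],
              "Resource": "*",
              "Condition": { "StringEquals": { "ec2:ResourceTag/App": "web" } }
            }]
          }
        }]
      }
    }
  }
}
```

The ":root" principal in the trust policy does not mean the root user; it delegates the decision to the account's own IAM policies, so only principals that were explicitly granted sts:AssumeRole on this role (here, the analysts group) get through, and even they must present MFA. Because the template names the role, deploying it needs `--capabilities CAPABILITY_NAMED_IAM`. The credentials that come back from AssumeRole expire after an hour, which is the 'grant rights temporarily' property of STS.
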
  • Securing the Compute/Network layer w/ VPC

    • VPCs have subnets
    • VPCs have security groups and ACLs
    • can set internet gateways, virtual private gateways
    • 5 VPCs per region
  • Difference between security groups and ACLs

    • refer to screenshot
  • Can use an internet gateway, a virtual private gateway (to on-prem), and Direct Connect (dedicated fibre connection into the VPC)

  • Routes

    • associated with subnets
    • define destination for IP ranges
      • local rules defined by default
      • route to internet gateway to get to the internet
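
Security groups vs. network ACLs (the 'refer to screenshot' item above) and the routing notes, worked as one template. This is an added example, not from the workshop; CIDRs and resource names are mine. Security groups are stateful: allowing HTTPS in is enough for the replies to get back out. NACLs are stateless: each direction has to be allowed explicitly, which is why the ACL needs the ephemeral-port (1024-65535) entries in both directions, and forgetting them is a classic cause of the connectivity troubleshooting questions. The route table's local route for 10.0.0.0/16 is implicit; only the 0.0.0.0/0 route to the internet gateway has to be declared, and the subnet only becomes public once that table is associated with it.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example (not from the workshop): one public subnet with an internet route, a stateful security group and a stateless network ACL",
  "Resources": {
    "Vpc": {
      "Type": "AWS::EC2::VPC",
      "Properties": { "CidrBlock": "10.0.0.0/16", "EnableDnsHostnames": true }
    },
    "PublicSubnet": {
      "Type": "AWS::EC2::Subnet",
      "Properties": { "VpcId": { "Ref": "Vpc" }, "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": true }
    },
    "Igw": { "Type": "AWS::EC2::InternetGateway" },
    "IgwAttachment": {
      "Type": "AWS::EC2::VPCGatewayAttachment",
      "Properties": { "VpcId": { "Ref": "Vpc" }, "InternetGatewayId": { "Ref": "Igw" } }
    },
    "PublicRouteTable": {
      "Type": "AWS::EC2::RouteTable",
      "Properties": { "VpcId": { "Ref": "Vpc" } }
    },
    "DefaultRouteToInternet": {
      "Type": "AWS::EC2::Route",
      "DependsOn": "IgwAttachment",
      "Properties": {
        "RouteTableId": { "Ref": "PublicRouteTable" },
        "DestinationCidrBlock": "0.0.0.0/0",
        "GatewayId": { "Ref": "Igw" }
      }
    },
    "PublicSubnetRouteAssociation": {
      "Type": "AWS::EC2::SubnetRouteTableAssociation",
      "Properties": { "SubnetId": { "Ref": "PublicSubnet" }, "RouteTableId": { "Ref": "PublicRouteTable" } }
    },
    "WebSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Stateful: HTTPS in from anywhere; replies are allowed automatically, no egress rule needed for them",
        "VpcId": { "Ref": "Vpc" },
        "SecurityGroupIngress": [
          { "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0" }
        ],
        "SecurityGroupEgress": [
          { "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0" }
        ]
      }
    },
    "PublicNacl": {
      "Type": "AWS::EC2::NetworkAcl",
      "Properties": { "VpcId": { "Ref": "Vpc" } }
    },
    "NaclInboundHttps": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": { "NetworkAclId": { "Ref": "PublicNacl" }, "RuleNumber": 100, "Egress": false, "Protocol": 6, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0", "PortRange": { "From": 443, "To": 443 } }
    },
    "NaclInboundEphemeral": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": { "NetworkAclId": { "Ref": "PublicNacl" }, "RuleNumber": 110, "Egress": false, "Protocol": 6, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0", "PortRange": { "From": 1024, "To": 65535 } }
    },
    "NaclOutboundHttps": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": { "NetworkAclId": { "Ref": "PublicNacl" }, "RuleNumber": 100, "Egress": true, "Protocol": 6, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0", "PortRange": { "From": 443, "To": 443 } }
    },
    "NaclOutboundEphemeral": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": { "NetworkAclId": { "Ref": "PublicNacl" }, "RuleNumber": 110, "Egress": true, "Protocol": 6, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0", "PortRange": { "From": 1024, "To": 65535 } }
    },
    "PublicSubnetNaclAssociation": {
      "Type": "AWS::EC2::SubnetNetworkAclAssociation",
      "Properties": { "SubnetId": { "Ref": "PublicSubnet" }, "NetworkAclId": { "Ref": "PublicNacl" } }
    }
  }
}
```

Two details that trip people up: a custom NACL starts out denying everything, so all four entries are needed (the inbound 443 and outbound ephemeral pair serve clients connecting to the instance, the outbound 443 and inbound ephemeral pair let the instance itself reach the internet); and listing SecurityGroupEgress at all replaces the default allow-all outbound rule, so the group above really does restrict the instance to outbound HTTPS. Protocol 6 is TCP; the DependsOn on the route is required because a route to an internet gateway cannot be created before the gateway is attached to the VPC.
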
  • Data in Transit

    • Transferring data in and out
      • SSL over web
      • IPsec VPN
      • Direct connect
      • Import/Export
      • AWS API calls
  • Data encryption

    • Server side (AWS managed keys)
    • Server side (customer keys)
    • Client side
  • Native encryption in EBS, S3, Redshift. Not available in Elasticache, and DynamoDB.

    • look into others
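
Server-side encryption with customer-managed keys, the S3 lifecycle and Glacier notes, multi-part upload hygiene and 'SSL over web' for data in transit, all in one bucket definition. This is an added example, not from the workshop; the key policy, the logs/ prefix and the day counts are assumptions. Objects under logs/ move to Infrequent Access after 30 days (the minimum S3 allows for that transition), to Glacier after 90 and expire after a year; abandoned multi-part uploads are cleaned up after a week so they do not silently keep costing money; the bucket policy denies any request that is not made over TLS.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example (not from the workshop): S3 bucket encrypted by default with a customer-managed KMS key, public access blocked, TLS enforced, and a lifecycle that tiers objects to Infrequent Access then Glacier",
  "Resources": {
    "LogsKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "Customer-managed key for the logs bucket",
        "EnableKeyRotation": true,
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Statement": [{
            "Sid": "AccountAdministersThisKey",
            "Effect": "Allow",
            "Principal": { "AWS": { "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root" } },
            "Action": "kms:*",
            "Resource": "*"
          }]
        }
      }
    },
    "LogsBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [{
            "ServerSideEncryptionByDefault": {
              "SSEAlgorithm": "aws:kms",
              "KMSMasterKeyID": { "Fn::GetAtt": ["LogsKey", "Arn"] }
            }
          }]
        },
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true,
          "BlockPublicPolicy": true,
          "IgnorePublicAcls": true,
          "RestrictPublicBuckets": true
        },
        "VersioningConfiguration": { "Status": "Enabled" },
        "LifecycleConfiguration": {
          "Rules": [{
            "Id": "TierThenExpireLogs",
            "Status": "Enabled",
            "Prefix": "logs/",
            "Transitions": [
              { "StorageClass": "STANDARD_IA", "TransitionInDays": 30 },
              { "StorageClass": "GLACIER", "TransitionInDays": 90 }
            ],
            "ExpirationInDays": 365,
            "AbortIncompleteMultipartUpload": { "DaysAfterInitiation": 7 }
          }]
        }
      }
    },
    "LogsBucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": { "Ref": "LogsBucket" },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
              { "Fn::GetAtt": ["LogsBucket", "Arn"] },
              { "Fn::Sub": "${LogsBucket.Arn}/*" }
            ],
            "Condition": { "Bool": { "aws:SecureTransport": "false" } }
          }]
        }
      }
    }
  }
}
```

With default bucket encryption set, a PutObject that does not name a key is still encrypted under LogsKey, so callers cannot forget; with the customer-managed key rather than the AWS-managed one, access to the data can be revoked through the key policy independently of the bucket policy, and every decrypt shows up in CloudTrail against that key. Client-side encryption (the third option in the notes) would sit on top of this, in the application, and is not something the bucket can enforce.
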

Domain 4.0 - Troubleshooting

  • Troubleshooting Connectivity

    • OS-level firewalls
    • security groups
    • NACLs
    • public IPs
    • routing table
    • routing rules on corp network
    • gateways
  • Be aware of AWS soft and hard limits for key services

    • Trusted Advisor can show these limits

<< EOF (and now I need to actually do some study)