AWS Certified Solutions Architect — Study Notes
General Concepts
A region is a physical location in the world that comprises clusters of
highly redundant data centers.
Within each region there are availability zones (AZs). An AZ
consists of one to six data centers, with redundant power supplies and
networking connectivity.
In addition to regions and AZs, AWS offers edge locations. Edge locations are used to serve Amazon CloudFront and Amazon Route 53.
More details: https://aws.amazon.com/about-aws/global-infrastructure/
Compute
AWS EC2
Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. AWS uses the Xen and Nitro hypervisors. Purchasing options:
• On Demand
• Reserved
• Spot
• Dedicated Hosts
Standard Reserved Instances cannot be moved between Regions. You can choose whether a Reserved Instance applies to a specific Availability Zone or to the entire Region, but you cannot change the Region.
Instance Metadata
• To view all categories of instance metadata from within a
running instance: http://169.254.169.254/latest/meta-data/
Amazon EC2 Auto Scaling
1. Amazon EC2 Auto Scaling automatically scales the number of Amazon EC2 instances up and down according to the policies you define.
AWS Lambda
1. AWS Lambda enables you to run code without provisioning or
managing any servers or infrastructure.
2. You can also run code in response to event triggers such as
Amazon S3 uploads, Amazon DynamoDB updates, Amazon
Kinesis streams, Amazon API Gateway requests, and so on.
3. The pricing for using AWS Lambda is simple. You pay only for
the compute time when the code is getting executed; there is
no charge when the code is not running.
Amazon EC2 Container Service
1. There are no separate charges for Amazon ECS; you pay only
for the AWS resources used such as Amazon EC2 instances,
Amazon Elastic Block Storage (EBS) volumes, and so on.
Amazon Lightsail
1. Amazon’s website hosting service (virtual private server).
2. Suited to small-scale deployments.
AWS Elastic Beanstalk
1. AWS Elastic Beanstalk lets you run and manage web
applications without worrying about the underlying
infrastructure.
2. AWS Elastic Beanstalk automatically handles deployment, load balancing, autoscaling, and application health monitoring. At the same time, you retain full control over the AWS resources; you can access the underlying resources at any time using the console.
Security Groups
1. A security group acts as a virtual firewall for your instance to
control inbound and outbound traffic. When you launch an
instance in a VPC, you can assign up to five security groups to
the instance.
2. Security groups act at the instance level.
3. Security groups are stateful.
4. All rules are evaluated before deciding whether to allow traffic.
————————————————————————————
NETWORKING
Amazon Virtual Private Cloud
1. A VPC spans all of the Availability Zones in the Region.
2. After creating a VPC, you can add one or more subnets in each
Availability Zone.
3. If you have multiple Amazon VPCs, you can connect them as
well using Amazon VPC peering.
4. Route Tables control traffic between subnets.
5. A subnet is tied to exactly one Availability Zone; within an AZ you can have multiple subnets.
6. The largest VPC CIDR is /16 and the smallest is /28.
7. AWS reserves 5 IP addresses in each subnet.
8. VPC Flow Logs — a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow logs can be created at the VPC, subnet, and network interface level.
9. Elastic IP Address — An Elastic IP address is a static IPv4
address designed for dynamic cloud computing. An Elastic IP
address is a public IPv4 address, which is reachable from the
internet.
10. Bastion or jump boxes — A bastion host allows you to securely administer (via SSH or RDP) an EC2 instance located in a private subnet. Don’t confuse bastions with NAT devices, which allow an instance in a private subnet to initiate connections out to the internet.
11. VPC Endpoint — A VPC endpoint enables you to privately
connect your VPC to supported AWS services and VPC
endpoint services powered by PrivateLink without requiring
an internet gateway, NAT device, VPN connection, or AWS
Direct Connect connection. There are two types of VPC
endpoints: interface endpoints and gateway endpoints.
12. An interface endpoint is an elastic network interface
with a private IP address from the IP address range of your
subnet that serves as an entry point for traffic destined to a
supported service.
13. A gateway endpoint is a gateway that you specify as a target for a route in your route table for traffic destined to a supported AWS service. The following AWS services are supported: Amazon S3 and DynamoDB.
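The CIDR limits in items 6 and 7 above, worked through in an added Python example that is not part of the notes: it validates a CIDR against the /16 to /28 range, carves a VPC into one subnet per AZ, and names the five addresses AWS reserves in each subnet (the roles of those addresses are documented AWS behaviour that the notes give only as a count; the 10.0.0.0/16 plan and AZ names are constructed).

```python
# Added example (not from the notes): validates CIDRs against the /16 to /28
# limits above, carves a VPC into one subnet per AZ, and lists the five
# addresses AWS reserves in every subnet (documented AWS behaviour, not in the notes).
from ipaddress import IPv4Network

LARGEST_VPC_PREFIX = 16   # /16 is the largest VPC CIDR
SMALLEST_PREFIX = 28      # /28 is the smallest VPC or subnet CIDR
RESERVED_PER_SUBNET = 5

def check_cidr(cidr):
    """Return the network, or raise if the prefix is outside the AWS range."""
    net = IPv4Network(cidr, strict=True)
    if not LARGEST_VPC_PREFIX <= net.prefixlen <= SMALLEST_PREFIX:
        raise ValueError(f"{cidr}: prefix must be between /16 and /28")
    return net

def reserved_addresses(subnet_cidr):
    """The five unassignable addresses: network address, VPC router (+1),
    Amazon DNS resolver (+2), reserved for future use (+3) and the broadcast
    address (last), which VPCs do not support."""
    net = check_cidr(subnet_cidr)
    base = net.network_address
    return {"network": str(base), "vpc_router": str(base + 1),
            "dns": str(base + 2), "future_use": str(base + 3),
            "broadcast": str(net.broadcast_address)}

def usable_hosts(subnet_cidr):
    """Addresses left for instances once the five reserved ones are removed."""
    return check_cidr(subnet_cidr).num_addresses - RESERVED_PER_SUBNET

def plan_subnets(vpc_cidr, subnet_prefix, az_names):
    """Carve one subnet per AZ out of the VPC (a subnet lives in exactly one
    AZ). Returns a list of (az, subnet_cidr, usable_hosts) tuples."""
    vpc = check_cidr(vpc_cidr)
    if not vpc.prefixlen <= subnet_prefix <= SMALLEST_PREFIX:
        raise ValueError("subnet prefix must lie between the VPC prefix and /28")
    subnets = vpc.subnets(new_prefix=subnet_prefix)   # generator, in address order
    return [(az, str(s), usable_hosts(str(s))) for az, s in zip(az_names, subnets)]

if __name__ == "__main__":
    # Constructed plan: a /16 VPC split into /24 subnets across three AZs.
    for row in plan_subnets("10.0.0.0/16", 24, ["us-east-1a", "us-east-1b", "us-east-1c"]):
        print(row)                          # e.g. ('us-east-1a', '10.0.0.0/24', 251)
    print(reserved_addresses("10.0.0.0/28"))
    print(usable_hosts("10.0.0.0/28"))      # 11
```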
AWS DirectConnect and CrossConnect
Public Subnet
Private Subnet
Security Groups
• When you create a new security group, all outbound traffic is allowed by default.
• Security groups operate at the instance level, support “allow” rules only, and evaluate all rules before deciding whether to allow traffic.
The purpose of an “Egress-Only Internet Gateway” is to allow IPv6-based traffic within a VPC to access the internet, whilst denying any internet-based resource the possibility of initiating a connection back into the VPC. Further information:
ROUTE TABLE
1. You can associate multiple subnets with the same route table.
2. When you create a VPC, Amazon VPC automatically creates
the main route table.
INTERNET GATEWAY
1. An internet gateway (IG) is a horizontally scaled, redundant, and highly available VPC component.
NETWORK ADDRESS TRANSLATION
1. Using a NAT device, you can enable instances in a private subnet to connect to the internet.
2. There are two types of NAT devices available within AWS: NAT instances and NAT gateways.
Network ACLs
1. A network access control list (ACL) is an optional layer of
security for your VPC that acts as a firewall for controlling
traffic in and out of one or more subnets.
2. Network ACLs are stateless: return traffic must be explicitly allowed by rules.
3. Rules are processed in number order when deciding whether to allow traffic.
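The security group and network ACL behaviours listed above (stateful vs. stateless, allow-only vs. numbered allow/deny rules, all-rules vs. first-match evaluation), modelled in an added Python example that is not part of the notes; the rule sets, ports and client addresses are constructed, and the ephemeral-port return leg shows why a stateless NACL needs an explicit outbound rule that a security group does not.

```python
# Added example (not from the notes): a security group (stateful, allow-only,
# all rules evaluated) vs a network ACL (stateless, numbered rules, first match).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    number: int   # NACL evaluation order; security groups ignore it
    action: str   # "allow" or "deny" (security groups only have "allow")
    proto: str
    ports: tuple  # inclusive (low, high) port range
    cidr: str

    def matches(self, proto, port, addr):
        return (self.proto == proto and self.ports[0] <= port <= self.ports[1]
                and ip_address(addr) in ip_network(self.cidr))

def sg_allows(rules, proto, port, addr, established=False):
    """Any matching rule permits the packet; the reply leg of an already
    allowed flow passes with no rule at all (stateful)."""
    return established or any(r.matches(proto, port, addr) for r in rules)

def nacl_allows(rules, proto, port, addr):
    """Lowest rule number first, first match decides, implicit final deny."""
    for r in sorted(rules, key=lambda x: x.number):
        if r.matches(proto, port, addr):
            return r.action == "allow"
    return False

# Constructed rule sets (RFC 5737 documentation addresses).
SG_IN = [Rule(0, "allow", "tcp", (443, 443), "0.0.0.0/0")]
NACL_IN = [Rule(100, "deny", "tcp", (443, 443), "203.0.113.0/24"),
           Rule(200, "allow", "tcp", (443, 443), "0.0.0.0/0")]
NACL_OUT = [Rule(100, "allow", "tcp", (443, 443), "0.0.0.0/0")]
EPHEMERAL_OUT = Rule(110, "allow", "tcp", (1024, 65535), "0.0.0.0/0")

def https_session(client, nacl_out=NACL_OUT):
    """Trace one HTTPS request in and its reply out -> (request_ok, reply_ok)."""
    if not (nacl_allows(NACL_IN, "tcp", 443, client)
            and sg_allows(SG_IN, "tcp", 443, client)):
        return (False, False)
    # Reply to the client's ephemeral port: SG remembers the flow; NACL needs a rule.
    reply = (sg_allows([], "tcp", 49152, client, established=True)
             and nacl_allows(nacl_out, "tcp", 49152, client))
    return (True, reply)

if __name__ == "__main__":
    print(https_session("203.0.113.9"))   # (False, False): NACL rule 100 wins
    print(https_session("198.51.100.7"))  # (True, False): reply dropped by NACL
    print(https_session("198.51.100.7", NACL_OUT + [EPHEMERAL_OUT]))  # (True, True)
```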
Amazon Route 53
Amazon Route 53 is a highly available and scalable Domain Name
System (DNS) web service. You can use Route 53 to perform three
main functions in any combination: domain registration, DNS routing,
and health checking.
Common DNS types
Routing Policies
1. Simple routing policy
2. Failover routing policy
3. Geolocation routing policy
4. Geoproximity routing policy
5. Latency routing policy
6. Multivalue answer routing policy
7. Weighted routing policy
Refer: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/Welcome.html
ELB
1. Elastic Load Balancing supports three types of load balancers:
Application Load Balancers, Network Load Balancers, and
Classic Load Balancers.
2. You configure your load balancer to accept incoming traffic by
specifying one or more listeners.
AWS Direct Connect
1. Using AWS Direct Connect, you can establish private,
dedicated network connectivity from your data center to AWS.
————————————————————————————
SECURITY AND COMPLIANCE
AWS Identity and Access Management
1. AWS Identity and Access Management (IAM) is used to create
users, groups, and roles.
AWS Certificate Manager
Amazon Inspector
————————————————————————————
STORAGE AND CONTENT DELIVERY
AWS storage offerings can be divided into three categories:
1. Object — An object is a piece of data, such as a document, image, or video, that is stored with some metadata in a flat structure. For example, you can easily develop a web application that retrieves content from Amazon S3 through its API.
2. File — In file storage, data is presented via a file system interface
and with file system semantics to instances.
3. Block — In block storage, data is presented to your instance as a
disk volume.
Amazon Simple Storage Service (S3)
1. 99.999999999 percent durability
2. Object storage
3. 100 buckets per account
4. You can store an unlimited amount of data, but a single object cannot exceed 5 TB.
5. It is a regional service; that is, content is automatically replicated within a region for durability.
6. Amazon S3 supports multipart uploads.
7. Amazon S3 is designed to provide 99.99 percent availability.
8. For DR, using cross-region replication you can automatically replicate each S3 object to a different bucket in a different region.
9. Two types of consistency — read-after-write consistency and eventual consistency.
10. Access control — access policies / bucket policies / ACLs
11. Lifecycle management — transition actions / expiration actions
12. Storage classes:
Amazon S3 Standard is used for frequently accessed data; objects are synchronously copied across three facilities and designed to sustain the loss of data in two facilities. Supports SSL encryption of data in transit and encryption at rest. Designed for 99.99% availability over a given year.
Amazon S3 Intelligent-Tiering (S3 Intelligent-Tiering) automatically moves objects between two access tiers based on changing access patterns. Designed for 99.9% availability over a given year.
Amazon S3 RRS (Reduced Redundancy Storage) is a storage option used to store noncritical, non-production data.
Amazon S3 Standard-Infrequent Access (IA) is an Amazon S3 storage class often used for data that is accessed less frequently. Supports SSL encryption of data in transit and encryption at rest. Designed for 99.9% availability over a given year.
Amazon S3 One Zone-IA is a newer storage class for data that is accessed less frequently but requires rapid access when needed. One Zone-IA stores data in a single AZ. Designed for 99.5% availability over a given year.
Amazon Glacier
1. Object Storage
2. Three retrieval options: expedited (1–5 minutes), standard (hours), and bulk (a day).
3. To upload a file to Glacier, you first need to create a vault.
Amazon S3 Glacier Deep Archive (S3 Glacier Deep Archive) is Amazon S3’s lowest-cost storage class and supports long-term retention and digital preservation for data that may be accessed once or twice a year.
Elastic File System (EFS)
1. File Storage service that can be shared between EC2 instances
2. Supports NFSv4
3. Data is stored across multiple AZs
4. Read-after-write consistency
5. EFS Storage Classes — Infrequent Access and Standard
Elastic Block Storage (EBS)
1. Block storage comes in three types: Amazon EC2 instance store, Amazon EBS SSD-backed volumes, and Amazon EBS HDD-backed volumes.
2. Amazon EBS replicates a volume within the same Availability Zone, not across multiple zones.
3. EBS instance store (ephemeral store)
4. EBS is persistent storage (meaning the storage is independent of the life span of an EC2 instance).
5. EBS, EFS, and FSx are all storage services based on block storage.
6. Snapshots go to S3.
7. AMIs can be created from both snapshots and volumes.
8. EC2 → take a snapshot → create an AMI (Amazon Machine Image) from the snapshot → use the AMI to launch an instance.
AWS Storage Gateway
1. AWS Storage Gateway is a hybrid cloud storage service that
gives you on-premises access to virtually unlimited cloud
storage.
2. The service provides three different types of gateways — Tape Gateway, File Gateway, and Volume Gateway.
3. The file gateway enables you to store and retrieve objects in Amazon S3 using file protocols such as NFS. Objects written through the file gateway can be directly accessed in S3.
4. The tape gateway provides your backup application with an iSCSI virtual tape library (VTL) interface, consisting of a virtual media changer, virtual tape drives, and virtual tapes. Virtual tape data is stored in Amazon S3 or can be archived to Amazon S3 Glacier.
5. The volume gateway provides block storage to your
applications using the iSCSI protocol. Data on the volumes is
stored in Amazon S3. To access your iSCSI volumes in AWS,
you can take EBS snapshots which can be used to create EBS
volumes.
Storage Gateway creation (image from AWS)
Import/Export Options (Snowball)
1. Import/Export disks
2. Puts data in S3 (and pulls from it if we want data exported out of AWS)
3. Snowballs come in two storage sizes: 50 TB and 80 TB
4. Snowball Edge holds up to 100 TB and also has on-device compute capability. For example, the suitcase can run code to pull data in and store it.
5. Snowmobile is a truck for exabyte-scale data transfer, with a 100 PB storage limit.
Amazon CloudFront
1. Amazon CloudFront is the global content delivery network
(CDN) service of AWS.
2. Amazon CloudFront provides advanced CDN features such as
SSL support, geographic restriction, and private content.
DATABASE
1. Multi-AZ vs. read replicas
2. OLTP vs. OLAP
3. Two types of backups — automated backups and snapshots
4. A restored DB is always a new instance with a new endpoint.
5. RAID
Amazon Relational Database Service
1. Amazon Relational Database Service (Amazon RDS) offers instance types optimized for memory, performance, or I/O, and provides six familiar database engines to choose from: Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle Database, and SQL Server. You can use the AWS Database Migration Service to easily migrate or replicate your existing databases to Amazon RDS.
2. RDS runs on VMs. It is not serverless.
3. An Amazon RDS Multi-AZ deployment automatically provisions and maintains a synchronous “standby” replica in a different Availability Zone.
Amazon Aurora
1. Amazon Aurora is Amazon’s relational database built for the
cloud. It supports two open source RDBMS engines: MySQL
and PostgreSQL.
2. By default, the data is mirrored across three AZs, and six
copies of the data are kept.
Amazon DynamoDB
1. Amazon DynamoDB is a fully managed NoSQL database
service of AWS.
2. Stored on SSDs and spread across three geographically distinct data centers. Supports eventually consistent reads and strongly consistent reads.
Amazon Redshift
1. Data warehouse (DWH)
2. Redshift Spectrum is a feature of Amazon Redshift that
enables you to run queries against exabytes of unstructured
data in Amazon S3, with no loading or ETL required.
Amazon ElastiCache
1. Amazon ElastiCache offers fully managed, open-source-compatible in-memory data stores: Redis and Memcached.
Content from AWS Website
————————————————————————————
Analytics
Amazon Athena
1. Amazon Athena is an interactive query service that makes it
easy to analyze data in Amazon S3 using standard SQL.
2. Athena is serverless, so there is no infrastructure to manage,
and you pay only for the queries that you run.
3. Athena is out-of-the-box integrated with AWS Glue Data
Catalog, allowing you to create a unified metadata repository
across various services, crawl data sources to discover
schemas and populate your Catalog with new and modified
table and partition definitions, and maintain schema
versioning.
Amazon EMR
1. EMR provides a managed Hadoop framework that makes it
easy, fast, and cost-effective to process vast amounts of data
across dynamically scalable Amazon EC2 instances
Amazon CloudSearch
1. Amazon CloudSearch is a managed service in the AWS Cloud that makes it simple and cost-effective to set up, manage, and scale a search solution for your website or application.
Amazon Elasticsearch
1. Amazon Elasticsearch Service makes it easy to deploy, secure, operate, and scale Elasticsearch to search, analyze, and visualize data in real time.
Amazon Kinesis
1. Amazon Kinesis makes it easy to collect, process, and analyze real-time streaming data so you can get timely insights and react quickly to new information.
2. Four services: Kinesis Data Firehose, Kinesis Data Analytics, Kinesis Data Streams, and Kinesis Video Streams.
————————————————————————————
MANAGEMENT TOOLS
AWS CloudFormation
1. IaC (Infrastructure as Code). The artifacts are called templates.
AWS Service Catalog
1. Manage a catalog of approved services for the AWS account. Used by enterprises.
Amazon CloudWatch
1. Used for monitoring performance
2. Can create CloudWatch Alarms
3. Standard monitoring — 5-minute intervals
4. Detailed monitoring — 1-minute intervals
5. Can create dashboards and alarms
AWS CloudTrail
1. Think of it as CCTV for your account.
2. CloudWatch is all about performance monitoring, whereas CloudTrail is about auditing.
3. CloudTrail records API calls.
————————————————————————————
DEVELOPER TOOLS
AWS CodeCommit
1. AWS CodeCommit is a fully managed source control service
that makes it easy to host highly scalable private Git
repositories securely.
AWS CodePipeline
1. AWS CodePipeline builds, tests, and deploys code every time
the code is modified, updated, and checked in based on the
release process models you define.
AWS CodeBuild
1. Fully managed build service that compiles source code, runs tests, and produces software packages that are ready to deploy.
AWS CodeDeploy
1. Automates code deployments
————————————————————————————
MESSAGING
Amazon Simple Queue Service (SQS)
1. SQS is always pull-based, not push-based.
2. Messages are up to 256 KB; payloads can go up to 2 GB by storing them in S3.
3. Visibility timeout
4. Amazon SQS supports both standard and FIFO queues.
Amazon Simple Notification Service
Amazon Simple Email Service
————————————————————————————
APPLICATION SERVICES
Amazon API Gateway
Amazon Simple Workflow Service (SWF)
AWS Step Functions
Amazon Elastic Transcoder