Amazon Web Services (AWS)

Objectives

  • Core infrastructure services discussion
  • Ensure data integrity and data security on AWS
  • Formulate solution plans and provide guidance on AWS
  • Design and deploy scalable, highly available, and fault-tolerant systems on AWS
  • Understand data ingress and egress to and from AWS
  • Select the appropriate AWS service based on data, compute, database, or security requirements
  • Estimate AWS costs and identify cost-control mechanisms
  • Plan the lift-and-shift of an existing on-premises application to AWS
  • Apply AWS architecture best practices

Modules of the course

- Module 01: Cloud Computing Overview

- Module 02: AWS Overview

- Module 03: Identity and Access Management

- Module 04: Amazon Simple Storage Service (S3)

- Module 05: Linux Introduction

- Module 06: Elastic Compute Cloud (EC2)

- Module 07: Networking Basics

- Module 08: Virtual Private Cloud (VPC)

- Module 09: Amazon Relational Database Service (RDS)

- Module 10: Amazon Route 53

- Module 11: Security Services

- Module 12: Application Services

- Module 13: AWS CDK and Command Line Interface

- Module 14: High Availability and Disaster Recovery Solutions

- Module 15: Migration Solutions (Server and Database)

- Module 16: Hybrid Environment Solutions

Prerequisites

  • Absolute beginners: no prior AWS experience is necessary
  • Previous system administration / development knowledge is an added advantage
  • Cloud computing enthusiasts

AWS Course Content

  •         Introduction to Cloud Computing

o   Introduction to cloud computing

o   Essential Characteristics of Cloud Computing

o   Service Models in Cloud Computing

o   Deployment models in Cloud Computing

o   Introduction to AWS

o   AWS Account creation & free tier limitations overview

-        Identity and Access Management

o   Root Account Vs IAM user

o   Multi Factor Authentication for Users

o   IAM Password Policies

o   Creating Customer Managed Policies.

o   Policy generator

o   Auditing User Activity

-        Storage

o   What is Simple Storage Service (S3)

o   Storage Classes

o   Versioning

o   Cross-region replication / Same Region replication

o   Life Cycle Management

o   Security & Encryption

o   KMS (Key Management Service)

o   Static Webhosting with S3 bucket

o   Events configuration on S3 buckets

o   Enabling cross account access for S3

o   S3 Data management and backup using 3rd Party applications

o   Pre-Signed URLs

o   Storage Gateway

o   Direct Connect and AWS Snowball

-        Linux Introduction (Free Course)

o   Basics of Linux for AWS

o   Linux Installation and Basic commands overview

o   Web Server and Services Configurations

-        Compute

o   EC2 Instance Launch Wizard with Windows and Linux OS

o   EC2 Instance Types

o   Generating custom Public Key and Private keys for EC2 instances

o   Security groups

o   Volumes and Snapshots

o   Amazon Data Lifecycle manager (DLM)

o   Creating customized Amazon Machine Images

o   User Data and Metadata

o   Elastic Load Balancers

o   Creating Billing Alarm and EC2 instance alarms.

o   Auto Scaling Groups

o   CloudWatch

o   Amazon Eventbridge

o   Elastic File System / FSx

o   Elastic Beanstalk

o   Placement Groups

o   AWS CLI and IAM Roles

-        AWS Systems Manager

o   Run Command

o   Session Manager

o   Patch manager

o   Tag Editor and Resource Groups

o   AWS Secrets Manager

-        Route 53

o   DNS Records overview

o   Routing Policies

o   Hosting sample Website and configuring Policies.

§  Simple RP

§  Weighted RP

§  Failover RP

§  Geolocation RP


-        VPC (Virtual Private Cloud)

o   Networking Basics

§  Public Ips & Private Ips

§  CIDR Range

§  Subnet Calculations

o   Creating custom VPCs and custom Subnets

o   Network ACLs

o   Route Tables & IGW

o   VPC Peering

o   Flow log creation to S3 and to a CloudWatch Logs log group

o   VPC Endpoints

o   AWS Transit gateway

o   VPC Configuration with AWS (OpenVPN/Site-to-site VPN)

-        Databases

o   Launching RDS instances (MySQL, MSSQL & Aurora)

o   Multi-AZ & Read Replicas for RDS instances

o   DynamoDB

o   Redshift and ElastiCache overview

o   Database Migration Service

-        Security Options:

o   CloudTrail

o   AWS Config

o   Key Management Services

o   AWS Certificate Manager

o   Amazon Inspector

o   AWS Trusted Advisor

o   AWS Global Accelerator

o   Content Delivery Networks / CloudFront

o   AWS Shield and WAF (Web Application Firewall)

-        Application Services

o   Simple Email Service

o   Simple Queue Service

o   Simple Notification Service

o   Directory Services and Adding EC2 instance to Domain

o   AWS Pricing Calculator (formerly the Simple Monthly Calculator)

-        Migration Services

o   SMS – Server Migration Service (migrating servers from on-premises to the cloud; since superseded by AWS Application Migration Service, MGN)

o   DMS – Database Migration Service

-        DevOps Tools Overview

o   What is DevOps in Cloud

o   CodePipeline

o   CodeCommit

o   CodeDeploy

o   Lambda

o   CloudFormation

o   Amazon ECS with Fargate (Elastic Container Service)

o   AWS Backup

-        Monitoring on AWS:

o   AWS Budgets

o   AWS Cost Explorer

o   Creating Custom Metrics with CloudWatch

-        AWS Multi Account Management

o   AWS Organizations

o   AWS IAM Identity Center (formerly AWS Single Sign-On)

-        AWS whitepapers review

-        Quiz and Scenario based questions discussion

-        Resume Key Points and AWS Certifications overview

-        Certification Exam Question while discussing topics.

 

NOTES

Demo.txt

Day-1: https://youtu.be/AKviWcujI7w

Day-2: https://youtu.be/2NTBUXl2X6Q 

Day-3: https://youtu.be/Mk7BHG6i_iU 

Day-4: https://youtu.be/nE_n4Hk9LWI 

Day-5: https://youtu.be/Q6Whygv03i4 

Day-6: https://youtu.be/b4YHtSpckjk

Cloud Computing: Dropbox, GDrive

Laptop / Mobile: upload data to GDrive/Dropbox; the data is then accessible from anywhere in the world (over the Internet) and can be shared with another user. This is storage delivered as a service.

Cloud Computing: computing resources (network, storage, servers, database) delivered pay-as-you-go: pay only for the resources you actually used.

Server: run it for 1 hr --> pay for 1 hr only

GDrive: 100 GB plan / 200 GB / 1 TB

Tenancy:

  • Shared: the underlying hardware is shared with other customers
  • Dedicated: the underlying hardware is not shared with other customers; it is dedicated to one customer
Physical server: upgrading means buying compatible hardware
Virtual server: upgrade / downgrade by changing the instance size

Core Infra Services: Compute, storage, Network, Hosting, Database, IAM, Security, Application, Migration

Email Server: Exchange Server
Gmail: internet

CAPEX: Capital Expenditure: with cloud there is no capital expenditure, no upfront cost
OPEX: Operational Expenditure: cloud converts spend into (lower) operational expenditure

Scale the server with the load:
100: small server
10k: medium server
100M: large server

pay- as - you- go :
pay - as - you - grow:

------

Service Models : SaaS, Paas, IaaS
Deployment Models: Public, Private, Community, Hybrid
-------

Deployment Models:
  • Public cloud: open to everyone, e.g. AWS, Azure, GCP, Rackspace, IBM Cloud
    • maintenance: the service provider
  • Private cloud: built for a single organisation
    • maintenance: a dedicated team in the organisation, or an AMC (annual maintenance contract) with a 3rd-party organisation
  • Community cloud: a group of organisations builds the infrastructure and only they use it
    • maintenance: a dedicated team from one of the organisations, or an AMC with a 3rd-party organisation
  • Hybrid cloud: a combination of two or more platforms, e.g. on-prem + AWS, AWS + Azure, AWS + GCP. Maintenance depends on each part of the infrastructure.

  • AWS Direct Connect: dedicated private link from the local network to AWS (does not traverse the public internet)
  • VPN: encrypted tunnel to AWS over the internet (Site-to-Site VPN)
-----------------

Service Models of Cloud Computing:

Traditional model: on-premises: you buy and run everything yourself.

Requirement: I need a website that works from anywhere in the world.
  • SaaS: a finished application you only use (the notes list Lightsail here; Lightsail is really a packaged VPS offering, so a closer SaaS example is hosted email such as Gmail above)
  • PaaS: Elastic Beanstalk: you bring the code, AWS runs the platform
  • IaaS: EC2: you get the server and manage the OS and everything above it
Build a website and deliver it to everyone!

--------------

AWS Provides the Cloud Computing services. it offers Compute, Network, storage and Database Services on Pay-as-you-go.

2003: internal paper by Chris Pinkham and Benjamin Black proposing the infrastructure business
2004: SQS (Simple Queue Service) announced as the first service (beta)
2006: AWS officially launched: S3 in March, SQS GA in July, EC2 (beta) in August
2012: first annual conference, AWS re:Invent (held every Nov/Dec)

-------------

Security: shared responsibility model
  • Security OF the cloud: AWS's responsibility: data centres, physical security, hardware, hypervisor and the software of managed services.
  • Security IN the cloud: customer's responsibility: IAM users/roles and MFA, encryption of data at rest and in transit, guest OS patching, security group / port restrictions, and the data itself. The split moves with the service: on EC2 you patch the OS, on RDS AWS does.

 
Global infrastructure: 
How to create an AWS account
IAM: Identity and Access Management: create users, manage access, enforce least privilege
S3: Simple Storage Service: AWS version of GDrive (storage classes / encryption / versioning / lifecycle rules / cross-region replication)
EC2: Elastic Compute Cloud: launch and run servers (Windows and Linux launch, storage, ELB, ASG, patching, management, placement groups, IAM roles, CLI)
Route 53: AWS DNS service: purchasing a domain, mapping the domain to AWS resources, routing policies
VPC: Virtual Private Cloud: the networking part (IP addressing, public/private IPs, subnets, CIDR, public/private subnets, VPN, Transit Gateway, endpoints)
RDS: Relational Database Service: MySQL / MSSQL / PostgreSQL / MariaDB / Aurora / Oracle; backups, HA, DR. NoSQL: DynamoDB, DAX; Redshift, ElastiCache

App services: Cloud9, CDK, IaC, serverless (Lambda), ECS (Fargate), CI/CD

----------------------

AWS Global Infrastructure:
  • Regions: a geographical / physical location containing multiple AZs (new regions launch with at least three).
    • 26 regions at the time of these notes (the count keeps growing)
    • Mumbai: ap-south-1
    • Hyderabad: ap-south-2
    • N. Virginia: us-east-1
  • AZs: one or more data centres with redundant power and networking, within a region. The AZs of a region are interconnected with high-bandwidth, low-latency fibre, so a multi-AZ deployment survives the loss of a data centre.
    • 3 AZs in Mumbai: ap-south-1a, 1b and 1c
    • Hyderabad: ap-south-2a, 2b and 2c
  • PoP / edge locations: CDN (Content Delivery Network) endpoints that cache content close to users
    • 230+ edge locations across the globe (count at the time of these notes): used by CloudFront
---------------------

https://aws.amazon.com/free

12-month free tier: most of what this course does stays within free-tier limits.

S3: 5 GB Standard storage, 2,000 PUT and 20,000 GET requests per month
EC2: 750 hrs/month of t2.micro (t3.micro where t2 is unavailable), Linux and Windows each (1,500 hrs total)
RDS: 750 hrs/month of db.t2.micro (or db.t3.micro)

S3: Simple Storage Service: Storage service in AWS: AWS Version of Google Drive/ Dropbox: Bucket (Folder with Unique name)
ec2: Elastic Compute Cloud: Service to launch and run our Servers (Instances)..
Instance = Server
VPC: Virtual Private Cloud: Service to configure the Network..
RDS: Relational Database Service: Launch and run database.. (mysql, mssql, oracle)


Root User: the email address used to create the AWS account.

Step 1: Provide email address, password, account name
Step 2: Provide contact information: name, address
Step 3: Provide payment information: credit/debit card (Visa, Mastercard, Amex); a small verification charge (2 INR) is made and refunded
Step 4: Verify identity: phone / email
  • Enter the phone number and choose "call me now"; AWS calls and you enter the PIN shown on screen
Step 5: Choose the support plan
  1. Account and billing related: 24x7 support on every plan
  2. Technical support: depends on the support plan (SP)

  • Basic SP: free. Account/billing support only; 7 core checks from AWS Trusted Advisor.
    • No technical support from AWS; self-help via AWS re:Post (developer forums) and knowledge base articles.
  • Developer SP: from $29/month. Account/billing plus technical support.
    • Business-hours email access to Cloud Support Associates; 7 core Trusted Advisor checks; 1 primary contact, unlimited cases.
    • General guidance: < 24 business hours
    • System impaired: < 12 business hours
  • Business SP: from $100/month. Account/billing plus technical support.
    • 24x7 phone, email and chat access to Cloud Support Engineers; full set of Trusted Advisor checks; unlimited contacts, unlimited cases.
    • General guidance: < 24 hrs
    • System impaired: < 12 hrs
    • Production system impaired: < 4 hrs
    • Production system down: < 1 hr
  • Enterprise SP: from $15,000/month. Account/billing plus technical support.
    • 24x7 phone, email and chat access to senior Cloud Support Engineers; full Trusted Advisor checks; unlimited contacts, unlimited cases.
    • Annual architectural and operational reviews from AWS
    • Dedicated TAM (Technical Account Manager)
    • General guidance: < 24 hrs
    • System impaired: < 12 hrs
    • Production system impaired: < 4 hrs
    • Production system down: < 1 hr
    • Business-critical system down: < 15 min

  • AWS Management Console sign-in: https://aws.amazon.com/console
--------------------

How to enable MFA for the root user?

Root user: the email identity used to create the AWS account. The root user has the highest privileges on the account, so it is the first identity to protect.

Sign-in: email ID and password, plus the MFA code once enabled.

Virtual MFA (TOTP app): Microsoft Authenticator, Google Authenticator, Authy
Hardware MFA: supported TOTP token devices
FIDO security key (e.g. YubiKey, U2F/FIDO2): USB key; plug it into the laptop you are signing in from and touch it when prompted

After enabling MFA: do not create access keys for the root user, and use the root user only for the few tasks that require it (account settings, closing the account, changing the support plan); create IAM users or roles for everything else.

--------------------

IAM User Vs Root User

IAM: Identity and Access Management:

Least privilege is the recommended mechanism and what we always follow: give each identity only the permissions its job needs.

AdminUser: full access (AdministratorAccess)
S3Admin: manages storage: S3 full access only
EC2Admin: manages compute: EC2 full access only

IAM User Creation:

Username: AdminUser

  • Access type:
    • Programmatic access: CLI/SDK: Access Key ID and Secret Access Key: aws cli, sdk, cdk, 3rd-party apps
    • Management console access: GUI: username, password, sign-in URL: browser

  • Permissions: AdministratorAccess
    • Create/choose a group, add permissions to the group, add this user to the group (preferred).
    • Copy permissions from another user.
    • Attach permissions directly to the user.

  • Policy: a set of permissions on our AWS account, written in JSON.
    • AWS managed - job function
    • AWS managed policy
    • Customer managed policy

  • Add Tags:

  • Review and Create IAM User:

  • Create a user Avinash_T with "AdministratorAccess" and use this IAM user, not the root user, for daily activities.

  • Support:
    1. Account and billing related issues /query
    2. Technical issues

  • Basic SP: free. Account/billing support (1) 24x7.

  • Developer SP: $29/month.
    • Account/billing support 24x7.
    • Technical support during local business hours (e.g. 8 AM - 8 PM) from a Cloud Support Associate; unlimited cases, 1 contact can raise cases.

  • Business SP: $100/month.
    • Account/billing support 24x7.
    • 24x7 technical support from Cloud Support Engineers via email/phone/chat; unlimited cases, any contact can raise cases. Fastest response target (production system down): 1 hour.

  • Enterprise SP: $15,000/month.
    • Account/billing support 24x7.
    • 24x7 technical support from senior Cloud Support Engineers via email/phone/chat; unlimited cases, any contact can raise cases. Fastest response target (business-critical system down): 15 minutes.
    • Annual architectural and operational reviews from AWS, a TAM (Technical Account Manager), AWS training.

  • Requirement:

  • IAM user with S3 full access: S3Admin
  • IAM user with EC2 full access: EC2Admin

  • Policy: a set of permissions on the AWS environment.

  • IAM user with AdministratorAccess is close to the root user, minus the root-only tasks (account management, closing the account, changing the support plan). Billing data is also hidden from IAM users until the root user activates "IAM user and role access to Billing information" in Account settings.

  • Task: Create an IAM user, attach "AdministratorAccess", sign in as this user and verify their access to billing information.
    • Then activate billing access for IAM users (as root, in Account settings) and verify again.

  • Policy: a document containing a set of permissions on the AWS environment, written in JSON.

  • AWS managed policy (per service)
  • AWS managed policy - job function (based on standard jobs in the market)
  • Customer managed policy

  • https://avinash.s3.amazonaws.com/demo.tx

  • https://avinash.s3.amazonaws.com/aws.pdf

  • phani@nareshit.com
  • avizway@gmail.com
----------------

  • Task: Activate MFA.
  • Task 1: Create an IAM User.. Allocate "AdministratorAccess" policy. Login as IAM user and verify his access on "Billing Dashboard".
    • Provide billing access to an IAM user.
  • Password policy:
-------------------------------

  • Policy: a document containing a set of permissions, written in JSON. A policy grants permissions on AWS resources to users, groups or roles.

  • AWS managed policy: S3 (FullAccess, ReadOnlyAccess), EC2 (ReadOnly, monitoring, FullAccess)
  • AWS managed policy - job function: NetworkAdministrator, DatabaseAdministrator
  • Customer managed policy:


 

S3.txt

Ec2.txt

EC2: Elastic Compute Cloud: server-class compute; a region-specific service

A server = CPU, memory/RAM, storage (HDD/SSD), network (NIC/ENI)

Instance = server = Azure VM = GCP Compute Engine VM = "box"

Client-class OS: Windows 7, Windows 10

Server-class OS: Windows Server 2008 R2, 2012, 2012 R2, 2016, 2019

On-Demand EC2 instances: for unpredictable workloads, or when testing an application for the first time. "FREE TIER ELIGIBLE"

Pricing: per second, with a minimum of 60 seconds per instance start (AMIs with hourly licensing are billed per hour).

 

Reserved EC2 instances (RIs): when the workload is stable and predictable for a long duration, commit for 1 year / 3 years in exchange for a discount. "NO FREE TIER ELIGIBILITY"

               Standard RI: the instance configuration cannot be changed during the term (unused Standard RIs can be sold on the RI Marketplace).

               Convertible RI: can be exchanged for a different instance family / OS / tenancy during the term.

               Scheduled RI: for recurring, time-boxed workloads (was only offered in a few regions, e.g. N. Virginia, and is no longer sold).

Pricing:

All upfront: pay 100% once.

Partial upfront: pay part of it once, then the remaining amount monthly at a reduced hourly rate.

No upfront: pay everything monthly.

→ Reserved Instance Marketplace: sell unused Standard RIs to other customers.

Spot instances: when start/stop timing is flexible and no critical data or application is being served, e.g. test environments or batch jobs. Historically you bid a price against the Spot price; today you pay the current Spot price and may set an optional maximum price. "NO FREE TIER ELIGIBILITY"

→ High-spec server at low cost for a temporary requirement.

→ If your maximum price is at or above the current Spot price (and capacity is available), you get the instance.

→ If the Spot price rises above your maximum, or AWS needs the capacity back, AWS interrupts (terminates, stops or hibernates) the instance after a 2-minute warning.

Billing when interrupted: if AWS interrupts, the final partial hour is not charged; if you terminate the instance yourself, you pay for the full time used.

1 hr 50 min used, AWS interrupted the instance: charged 1 hr

1 hr 50 min used, you terminated the instance: charged 1 hr 50 min

Task: Create a policy that allows an IAM user to work only in a specific region (ap-south-1).

Only On-Demand EC2 instances come under free-tier eligibility.

** Fix the user to one region: ap-south-1 (the aws:RequestedRegion condition key is the tool for this).
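The policy this task asks for, as an added example that is not part of the course notes. It is a Deny statement keyed on aws:RequestedRegion, written with NotAction so that global services stay reachable: IAM, STS, Organizations and the other services exempted below sign their requests for us-east-1, so a naive "deny everything outside ap-south-1" also blocks the user from changing their own password. The Sid names, the exemption list and the small evaluator are this example's own choices; the evaluator models only Action/NotAction, this one condition key and IAM's explicit-deny-wins rule (Resource, principals and other condition keys are ignored), and is a teaching aid rather than the real IAM engine.

```python
"""Region-lock an IAM user to ap-south-1, with a toy evaluator showing why the
global-service exemption matters (added example; not the course's material).
"""
import fnmatch
import json

# Global services sign their requests for us-east-1, so a region lock that does
# not exempt them also denies iam:ChangePassword, sts:AssumeRole, etc.
# (Assumption of this example: the exact exemption list is a starting point.)
GLOBAL_SERVICE_EXEMPTIONS = [
    "iam:*", "sts:*", "organizations:*", "support:*",
    "route53:*", "cloudfront:*", "budgets:*",
]

REGION_LOCK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideApSouth1",
        "Effect": "Deny",
        "NotAction": GLOBAL_SERVICE_EXEMPTIONS,
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["ap-south-1"]}},
    }],
}

# The same lock written naively with Action "*": kept only to show the lock-out.
NAIVE_REGION_LOCK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideApSouth1Naive",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["ap-south-1"]}},
    }],
}

# A Deny grants nothing by itself; the user still needs an Allow.  This mirrors
# the AWS managed AdministratorAccess policy.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are case-insensitive; "*" is the only wildcard.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _statement_applies(stmt, action, region):
    """True if the statement matches this action signed for this region."""
    if "Action" in stmt and not _action_matches(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _action_matches(stmt["NotAction"], action):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        for key, expected in keys.items():
            if key != "aws:RequestedRegion":
                raise NotImplementedError(f"condition key {key} is not modelled")
            in_set = region in _as_list(expected)
            if operator == "StringEquals" and not in_set:
                return False
            if operator == "StringNotEquals" and in_set:
                return False
    return True


def is_allowed(policies, action, region):
    """Simplified IAM decision: an applicable explicit Deny wins, then any Allow, else deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, region):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def region_lock_decisions(lock_policy):
    """Decisions for three representative calls under AdministratorAccess + lock_policy."""
    policies = [ADMINISTRATOR_ACCESS, lock_policy]
    return {
        "ec2:RunInstances@ap-south-1": is_allowed(policies, "ec2:RunInstances", "ap-south-1"),
        "ec2:RunInstances@us-east-1": is_allowed(policies, "ec2:RunInstances", "us-east-1"),
        # IAM is global: its requests are signed for us-east-1.
        "iam:ChangePassword@us-east-1": is_allowed(policies, "iam:ChangePassword", "us-east-1"),
    }


if __name__ == "__main__":
    print(json.dumps(REGION_LOCK_POLICY, indent=2))  # paste as a customer managed policy
    print("with exemptions:", region_lock_decisions(REGION_LOCK_POLICY))
    print("naive lock:     ", region_lock_decisions(NAIVE_REGION_LOCK_POLICY))
```

Attach the printed JSON as a customer managed policy alongside the user's Allow policy (AdministratorAccess in the course task); the Deny only narrows what the Allow grants. Before rolling such a lock out, test it with the IAM Policy Simulator against an iam: and an sts: call, which is exactly the case the naive variant fails.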

 

Windows ec2 instance launch:

Step 1: Choose an AMI (Amazon Machine Image): the operating system image, e.g. Windows Server 2016 Base

Step 2: Choose an instance type: vCPU, memory (RAM), network performance

→ t2.micro

General purpose: balanced compute, memory and network resources.

Type: t2, t3, t4g, m5

Compute optimized: more CPU performance; high-performance processors.

Type: c4, c5, c6 (compute / CPU)

Memory optimized: more RAM; for workloads that process large data sets in memory.

Type: r4, r5, r6, x1, z1d, u-* (RAM)

Accelerated computing (GPU / FPGA): graphics processing, machine learning, pattern matching, game streaming.

Type: p2, p3, p4, g3, g4, f1 (FPGA)

Storage optimized: more local storage throughput / IOPS; for applications that need high IOPS.

Type: d2, d3, i3

m5.large: 2 vCPU, 8 GiB RAM

c5.xlarge: 4 vCPU, 8 GiB RAM

t3.medium: 2 vCPU, 4 GiB RAM

 

Maintenance window: Sat 03:00 AM IST (the "green zone" window); changes are made under a CRQ (change request).

Step 3: Configure additional settings

               VPC, Roles, userdata

              

               Instance Termination protection: Enable (Protect against accidental termination)

               Shutdown behaviour: STOP

Step 4: Choose Storage

               root volume: the volume that contains the operating system: 30 GiB by default for Windows AMIs

Step 5:  Add Tags: Combination of key and value pairs.

Name:

Project:

Platform: Windows/Linux

Cost Center: AAZAA

 

Step 6: Configure security group: a security group acts as a stateful firewall at the instance (ENI) level. It only has allow rules, and a connection allowed inbound is automatically allowed back out.

TCP/UDP ports: 0 – 65535

Windows: RDP: 3389

Linux: SSH: 22

Web server: HTTP: 80

Secure web: HTTPS: 443

MySQL: 3306

MSSQL: 1433

NFS: 2049

Source: from where connections to this instance are accepted.

My IP: picks the public IP you are currently using as a /32; only that address can reach the port. It changes when your ISP or network changes, so the rule needs updating.

Custom: any CIDR range, or another security group ID (preferred for server-to-server rules, e.g. allow 3306 only from the web tier's security group).

Anywhere: 0.0.0.0/0 (and ::/0 for IPv6). The port is reachable from the whole internet; credentials are still required, but the service is exposed to scanning and brute-force attempts. Acceptable for 80/443 on a public web server; avoid it for 22, 3389 and database ports, and prefer Systems Manager Session Manager or a bastion host for administrative access.
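An audit for the "Anywhere" mistake described above, as an added example that is not part of the course notes. The input follows the JSON shape that `aws ec2 describe-security-groups` (or boto3's describe_security_groups()) returns, so the same function runs unchanged on real output; the three security groups in SAMPLE_RESPONSE, their IDs and the port list are constructed for this example. Only TCP and "all traffic" (-1) rules are examined.

```python
"""Audit EC2 security groups for admin/database ports opened to "Anywhere"
(added example; constructed sample data, not course material)."""
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL", 2049: "NFS"}
ANYWHERE = {"0.0.0.0/0", "::/0"}  # the console's "Anywhere" and "Anywhere-IPv6"

# Constructed to mirror describe-security-groups output (IpPermissions shape).
SAMPLE_RESPONSE = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web-sg", "IpPermissions": [
        # 80/443 open to the world is expected for a public web server
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
        # SSH restricted to a single address ("My IP" in the console)
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.7/32", "Description": "admin laptop"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0bad0bad", "GroupName": "win-rdp-anywhere", "IpPermissions": [
        # RDP to the whole internet: the typical "Anywhere" mistake
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        # a wide port range that quietly includes database and RDP ports
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0c0ffee0", "GroupName": "db-sg", "IpPermissions": [
        # MySQL only from the web tier's security group: the right pattern
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d"}]},
        # all traffic, but only from the private network
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
]}


def _world_open_sources(rule):
    """CIDR sources of the rule that mean 'the whole internet'."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANYWHERE]


def _port_range(rule):
    # IpProtocol "-1" means all traffic; FromPort/ToPort are then absent.
    if rule["IpProtocol"] == "-1":
        return 0, 65535
    return rule["FromPort"], rule["ToPort"]


def audit_security_groups(response):
    """Return (group_id, port, service, source) for every admin/database port open to the world."""
    findings = []
    for group in response["SecurityGroups"]:
        for rule in group["IpPermissions"]:
            if rule["IpProtocol"] not in ("tcp", "-1"):
                continue
            sources = _world_open_sources(rule)
            if not sources:
                continue
            low, high = _port_range(rule)
            for port, service in sorted(ADMIN_PORTS.items()):
                if low <= port <= high:
                    findings.extend((group["GroupId"], port, service, src) for src in sources)
    return findings


def restrict_rule_to_ip(rule, ip):
    """Rewrite a rule's source to a single host (/32 or /128): the "My IP" shape."""
    addr = ipaddress.ip_address(ip)
    cidr = f"{addr}/{addr.max_prefixlen}"
    fixed = dict(rule)
    fixed["IpRanges"], fixed["Ipv6Ranges"] = [], []
    key, field = ("IpRanges", "CidrIp") if addr.version == 4 else ("Ipv6Ranges", "CidrIpv6")
    fixed[key] = [{field: cidr, "Description": "admin access from a single host"}]
    return fixed


if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_RESPONSE):
        print("OPEN TO WORLD: group=%s port=%d (%s) source=%s" % finding)
```

Note that the 1024-65535 rule is flagged four times even though nobody "opened 3389" on purpose: wide port ranges are how admin and database ports end up exposed. The fix function produces the rule you would then apply with authorize/revoke-security-group-ingress; for SSH/RDP the better fix is usually no inbound rule at all and Session Manager instead.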

 

Step 7: Review and launch with a key pair.

Key pair: a public key and a private key; the private key is downloaded once as a .pem file (or .ppk for PuTTY).

AWS holds the public key and places it in the launched instance (in ~/.ssh/authorized_keys on Linux; on Windows it is used to encrypt the initial Administrator password).

The customer holds the private key. It is used to log in over SSH (Linux) or to decrypt the initial Administrator password (Windows). AWS never stores the private key, so a lost key cannot be downloaded again.

 

Public IP: unique across the internet; use this to connect to your instance. The auto-assigned public IPv4 address changes on every stop/start unless you attach an Elastic IP.

Private IP: unique within the VPC; stays with the instance until it is terminated.

Connect to Windows instance:

→ Open "Run", type "mstsc", press Enter, and enter the instance's public IP.

→ Or in the console choose the instance, "Connect", "RDP client", "Download remote desktop file"; "Get password" decrypts the Administrator password with your private key.

macOS: https://apps.apple.com/us/app/microsoft-remote-desktop/id1295203466?mt=12

 

Start/stop: e.g. 10 working days in a month: stop the server when idle and start it when needed. A stopped instance is not billed for compute, but its EBS volumes still are.

Terminate: delete the server (the root EBS volume is deleted with it by default).

Task: Launch windows ec2 instance and using keypair get connect to ec2 instance.

Task 2: Change the "Administrator" password and disconnect from the instance. Now try to log in with the password obtained from the key pair, then with the custom password (only the new one should work).

Task 3: Create a new user on the instance, give them local administrator rights and Remote Desktop permission, then log in as this user while the Administrator session is also open.

FREE TIER: 750 Hrs/Month t2.micro windows instance (ondemand)

750 Hrs/Month t2.micro Linux instance (ondemand)

 

1 instance x 24 hrs x 31 days = 744 Hrs     à 750 Hrs Free tier

2 instance x 24 hrs x 16 days = 768 Hrs

Task: Connect to a Linux instance. Get familiar with the instance launch process.

chmod 400 keypair.pem ==> makes the private key readable only by you; ssh refuses a private key that other users can read ("UNPROTECTED PRIVATE KEY FILE"). Works in Linux/macOS; on Windows use Git Bash (or restrict the file's permissions under Properties > Security).


whoami --> shows which user you are working as

sudo --> run a single command with root privileges

sudo su --> switch to the root user

exit --> leave the root shell and return to ec2-user

clear --> clear the screen


ls --> list files/folders

ls -a --> list all, including hidden files

pwd --> print the working directory

mkdir --> create a directory/folder

touch --> create an empty (0-byte) file

cd --> change directory

rmdir --> remove an empty directory

rm -rf foldername/ --> delete a directory and everything in it (no prompt, no undo)


copy and paste: cp

cut and paste (move/rename): mv
