AWS Certified Solutions Architect

Published: 2024-04-19

Network ACLs are stateless, and security groups are stateful
The ALB stops sending traffic to the instance.
Run the clusters on-premises using Amazon EKS Distro.
DynamoDB:
Storing metadata for S3 objects
High-performance reads and writes for online transaction processing (OLTP) workloads
Managing web session data
Amazon Fargate is a compute engine for Amazon ECS and Amazon EKS that lets you run containers without having to manage servers or clusters.
Amazon MSK makes it easy to ingest and process streaming data in real time using fully managed Apache Kafka.
Amazon AppFlow lets developers move data between AWS and SaaS applications more easily.
user-data/
When you launch an instance in Amazon EC2, you have the option of passing user data to the instance that can be used to perform common automated configuration tasks and even run scripts after the instance starts. You can pass two types of user data to Amazon EC2: shell scripts and cloud-init directives.
Use RDS to host your database. Create a cross-region read replica of your database. In the event of a failure, promote the read replica to be a standalone database. Send new reads and writes to this database.
DAX->Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache that can reduce Amazon DynamoDB response times from milliseconds to microseconds, even at millions of requests per second.
Elastic Beanstalk: once developers have finished building an application, they do not need to worry about the infrastructure work that traditionally goes into running it.
The application code is trying to upload files to S3 as a single object. Changes in code are required to be able to upload files using S3 multipart upload
Alexa service->Amazon Transcribe Amazon Lex Amazon Polly
Amazon Rekognition: an image recognition and video analysis service that can classify, recognize, and detect content in images and videos.
Snowball encrypts your data.
Direct Connect->A private, dedicated network connection between your facilities and AWS
VPN->It provides a connection between an on-premises network and a VPC, using a secure and private connection with IPsec and TLS.
AWS Trusted Advisor->is an online tool that provides you real-time guidance to help you provision your resources following AWS best practices. Trusted Advisor checks help optimize your AWS infrastructure, increase security and performance, reduce your overall costs, and monitor service limits.

You can assign up to five security groups to the instance.
Transfer Acceleration uses the globally distributed edge locations of Amazon CloudFront. When data arrives at an edge location, it is routed to Amazon S3 over an optimized network path.
AWS WAF (Web Application Firewall) protects your web applications from common exploits. There is no minimum fee and no upfront commitment for using AWS WAF.
Each subnet maps to a single Availability Zone. Every subnet you create is associated with the main route table for the VPC.
Amazon Macie is a fully-managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS. 
If a subnet's traffic is routed to an internet gateway, the subnet is known as a public subnet.
the default network ACL is configured to allow all traffic to flow in and out of the subnets with which it is associated. You are able to add and remove your own rules from the default network ACL
You can't delete default security group, however, you can change the group's rules.
Amazon Detective, you can analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities.
Amazon Fraud Detector is an AWS AI service that is built to detect fraud in your data.
AWS Firewall Manager is a security management service in a single pane of glass. This allows you to centrally set up and manage firewall rules across multiple AWS accounts and applications in AWS Organizations.
To create a launch template to use with an Auto Scaling group, create the template from scratch, create a new version of an existing template, or copy the parameters from a launch configuration, running instance, or other template.

AWS X-Ray collects data about requests that your application serves and helps gain insights into that data to identify issues and opportunities for optimization. AWS Lambda integrates easily with AWS X-Ray by toggling the feature on within the function configuration.
Deploy a GraphQL interface via AWS AppSync.
AWS Glue to export the data from DynamoDB, transform the data, and then load the data back into DynamoDB.
Amazon Redshift->Near real-time complex querying on massive data sets
Amazon Kinesis Data Firehose is the easiest way to reliably load streaming data into data lakes, data stores, and analytics tools. It can capture, transform, and load streaming data into Amazon S3, Amazon Redshift, 
Amazon Managed Service for Apache Flink (formerly Amazon Kinesis Data Analytics)
Amazon RDS Read Replicas for MySQL and MariaDB now support Multi-AZ deployments. Combining Read Replicas with Multi-AZ enables you to build a resilient disaster recovery strategy and simplify your database engine upgrade process. Amazon RDS Read Replicas enable you to create one or more read-only copies of your database instance within the same AWS Region or in a different AWS Region.
The cooldown period helps you prevent your Auto Scaling group from launching or terminating additional instances before the effects of previous activities are visible. You can configure the length of time based on your instance startup time or other application needs
Amazon Elastic Transcoder allows businesses and developers to convert media files from their original source format into versions that are optimized for various devices, such as smartphones, tablets, and PCs
Amazon Kinesis Video Streams->camera capture
AWS Trusted Advisor helps you optimize costs, improve performance, improve security and resilience, and operate at scale in the cloud.
Amazon Kinesis Video Streams is used to stream media content from a large number of devices to AWS and then run analytics, machine learning, playback, and other processing.
Amazon Forecast is a time-series forecasting service that uses machine learning and provides business insights.
AWS Compute Optimizer allows you to automate the collection of metrics for underutilized and underperforming compute instances. It can then generate recommendations for you to save money.
AWS Managed VPN lets you reuse existing VPN equipment and processes and also use existing internet connections.
SageMaker Savings Plans offer the maximum savings potential for all SageMaker components, and the one-year agreement type falls within the two-year period

Implement AWS Organizations and create a hierarchical structure of the AWS accounts, implement AWS Identity Center to centralize identity management.
IAM has database authentication capabilities that would allow an RDS database to only be accessed using the profile credentials specific to your EC2 instances.
AWS Control Tower allows you to implement account governance and compliance enforcement for an AWS organization. It leverages SCPs for preventative guardrails and AWS Config for detective guardrails. 
CloudWatch->Monitor Auto Scaling Groups and optimize resource utilization
AWS CloudTrail->used to monitor and record all API calls made in your AWS infrastructure.
Amazon Macie is a quick and efficient way to discover what personally identifiable information (PII) is being stored in S3.
Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following data sources: AWS CloudTrail management event logs, AWS CloudTrail data events for S3, DNS logs, EKS audit logs, and VPC flow logs.
AWS Security Hub is a Cloud Security Posture Management service that performs security best practice checks, aggregates alerts, and enables automated remediation.
EBS volume can be used normally while the snapshot is in progress.
Customers can buy VMware Cloud on AWS directly through AWS and AWS Partner Network (APN) Partners in the AWS Solution Provider Program. This allows customers the flexibility to purchase VMware Cloud on AWS either through AWS or VMware, or the AWS Solution Provider or VMware VPN Solution Provider of their choice. VMware Cloud on AWS offers a Disaster Recovery feature that uses familiar VMware vSphere and Site Recovery Manager technologies while leveraging cloud economics.
DynamoDB is a NoSQL database and has serverless deployment
Neptune->This is a graph database and would be suitable to handle graph queries.
CloudFront Signed URLs are commonly used to distribute paid content through dynamically generated signed URLs.
EFS allows you to have centralized storage for your EC2 instances.
Signed cookies are useful when you want to access multiple files.
Amazon EBS Multi-Attach enables you to attach a single Provisioned IOPS SSD (io1 or io2) volume to multiple instances that are in the same Availability Zone. This means you cannot have a stateless application with EC2 instances running across different Availability Zones and sharing the same EBS volume. 

Create an elastic IP address and assign it to your EC2 instance. This will give you a fixed IP address.
This golden AMI would have the software pre-installed and would be ready to use in a scaling event. Reference: The Golden AMI Pipeline
Route 53 geo-proximity routing directs users to the nearest endpoint, which is suitable for serving users around the world efficiently. Using an EC2 Auto Scaling group allows you to dynamically adjust the number of EC2 instances based on the traffic load, ensuring that the application can handle bursts of traffic. An Application Load Balancer (ALB) is used to distribute traffic evenly among the EC2 instances, optimizing performance and fault tolerance. Implementing Amazon ElastiCache for caching helps reduce the load on the RDS database during bursts of traffic.
SQS scales automatically.
AWS Transit Gateway connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships. It acts as a cloud router; each new connection is only made once.
DynamoDB is a NoSQL database that allows constant updates to schemas without any downtime or performance issues. 
ProvisionedThroughputExceededException->Use DynamoDB auto-scaling.
EBS Provisioned IOPS SSD (io2 Block Express) is the highest-performance SSD volume designed for business-critical latency-sensitive transactional workloads.
Amazon Kendra allows you to create an intelligent search service powered by machine learning.
For immediate processing of large genetic data sets, FSx Lustre Scratch volumes are suitable, optimized for high-speed and short-term data processing. For storing and accessing completed genetic analysis results, FSx Lustre Persistent volumes are recommended, offering long-term data durability and accessibility.
You can associate an AWS Direct Connect gateway with a transit gateway when you need to connect multiple VPCs in the same Region. 
Predictive scaling uses machine learning to forecast traffic and capacity needs. Predictive scaling is more flexible and can adapt to changes in traffic patterns, which is why it is the best choice for the given scenario. 
Create a root AWS account using AWS Organizations and connect all subsequent AWS accounts to the Organization. You can then take advantage of consolidated billing.
Amazon S3 Glacier Instant Retrieval is the lowest-cost storage for long-lived data that is rarely accessed and requires retrieval in milliseconds
FSx for Lustre can deliver high throughput and low latency, making it suitable for processing large training datasets quickly.
Amazon Keyspaces->This is a Cassandra-compatible database and is the best choice for this scenario.
S3 Infrequent Access is suitable for files that will be accessed only occasionally but require instant retrieval.

AWS STS (Security Token Service)->This gives you temporary credentials to access an account.
Set up an AWS WAF and create rules that prevent SQL injections. Associate the WAF to your application load balancer.
Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. 
AWS Secrets Manager is designed to store your key confidential data.
AWS Fargate is a serverless, pay-as-you-go compute engine that lets you focus on building applications without managing servers.
AWS Security Hub is a single place to view all your security alerts from services like Amazon GuardDuty, Amazon Inspector, Amazon Macie, and AWS Firewall Manager.
Instance Metadata describes all the data about the EC2 instance.
Creating a VPC endpoint for S3 will allow communication from your EC2 instances to the S3 buckets without the need to traverse the internet, as all communication goes via the Amazon network.
Host images in Amazon ECR repositories with scan on push enabled.
Amazon ECR is a secure, fully managed, highly available container registry that serves more than 15 billion image pulls per week and provides integrated lifecycle management, replication, image scanning, and caching.
event notification destinations for S3 buckets->Lambda SNS SQS
AWS Amplify offers developers a set of tools for easily deploying full stack applications to AWS. AWS Amplify hosts web applications.
Storage optimized instances are designed for workloads that require high, sequential read and write access to very large data sets on local storage. Provisioned IOPS SSD volumes are recommended for I/O-intensive database workloads that require sustained IOPS performance
IAM roles are designed so that your applications can securely make API requests from your instances, without requiring you to manage the security credentials that the applications use.
Amazon Rekognition automates the recognition of pictures and videos using deep learning and neural networks.
iSCSI->Storage Gateway Volume Gateway
AWS IoT Core is a service that is specifically designed for this type of scenario. Its purpose is for connecting IoT devices and handling large-scale data ingestion from sensors and devices.
Amazon ECS Fargate allows the easiest transition to running containers in AWS. It allows them to mimic what is currently running, while also minimizing the operational overhead required to manage and orchestrate containers.
Amazon S3, AWS Batch, and Amazon Redshift

12-month AWS Free Tier offers are only available to new AWS customers.
Among the always free services provided by AWS Free Tier is 1 million free AWS Lambda requests per month.
AWS Free Tier includes free trials, specific amounts of specified services for 12 months, and many always free services.

Cost Explorer allows you to visualize and analyze your AWS costs and usage over time.
Cold HDD (sc1) is the best low-cost choice for infrequently accessed data that has sequential I/O operations
Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available in-memory cache for DynamoDB that delivers up to a 10x performance improvement.
Amazon Inspector is a vulnerability management service that continuously scans your AWS workloads for vulnerabilities.
Use AWS Systems Manager Session Manager to provide secure access to EC2 instances. Administrators and developers can use the AWS Management Console or the AWS CLI to start a session with an instance, without the need to open inbound ports or manage SSH keys. Session Manager uses IAM policies to control access and logs all sessions for auditing purposes.
Create an inbound rule in the security group that allows incoming traffic on port 80 from 0.0.0.0/0 (any IP address).
Add an IPv6 CIDR block to the VPC, assign ranges from this block to the subnets, create the IPv6 egress-only internet gateway, and attach to the VPC. Modify the chosen subnets route tables to add a destination of ::/0 with a target of the egress-only internet gateway.
Security groups operate at the instance level.
You can assign multiple security groups to a resource.
Amazon S3 Glacier Instant Retrieval delivers the lowest-cost storage for long-lived data that is rarely accessed and enables retrieval in milliseconds.
Amazon Detective makes it easier to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables faster and more effective security investigations.
Create a mapping in the template. Define the unique AMI value per region.
Use Microsoft Active Directory Federation Service (AD FS) to create a SAML 2.0-based federation.
AWS Device Farm offers real mobile devices, hosted in and by AWS, to be used for testing of mobile applications and web applications. 
AWS Outposts servers->extend AWS to your on-premises environment while minimizing the space requirements.
Amazon Comprehend uses natural-language processing (NLP) to help you understand the meaning and sentiment in your text.
Amazon Comprehend is a natural language processing (NLP) service that uses machine learning to uncover valuable insights and connections in text.
DynamoDB is highly scalable and provides very high performance, supporting 24,000 read units per second and 3,300 write units per second. 
Leverage the AWS Application Migration Service to incrementally perform migrations of all VMs in the data center to AWS as AMIs for Amazon EC2.
Amazon RDS Proxy effectively manages and optimizes database connections, particularly beneficial in scenarios with a substantial number of concurrent connections from serverless components. 
AWS MGN is a service meant to simplify and optimize the lift-and-shift process for migrating existing on-premises infrastructure to the AWS cloud. It will automatically convert and launch your servers into AWS, so you can take advantage of all of the AWS benefits.
AWS Application Migration Service (AWS MGN) lets you quickly migrate servers and applications to AWS without changes and with minimal downtime.
better served by an Application Load Balancer->Path-based routing
Amazon Timestream->most cost-effective solution for storing time-series data
This is the most cost-effective storage medium: One Zone-IA balances cost with redundancy, since only one AZ is used for storing the data while instant access to the stored data is still allowed.
AWS Pricing Calculator->a free tool. It provides an estimate of your AWS fees and charges, but the estimate does not include any taxes that may apply.
Trusted Advisor evaluates your account by using checks. These checks identify ways to optimize your AWS infrastructure, improve security and performance, reduce costs, and monitor service quotas.

AWS Direct Connect can reduce network costs, increase bandwidth throughput, and provide a more consistent network experience than internet-based connections.
AppFlow offers a fully managed service for easily automating the bidirectional exchange of data to SaaS vendors from AWS services like Amazon S3. This helps avoid resource constraints.
Kinesis Data Streams can be used to continuously collect data about player-game interactions and feed the data into your gaming platform. 
There is a vCPU-based On-Demand Instance limit per Region
Alexa->Lex Transcribe Polly
AWS Cost and Usage Reports offers the greatest amount of detail for spending reports. They can also be set up to automatically store updated reports in Amazon S3 every 24 hours.
AWS Budgets gives you the ability to set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount. You can also use AWS Budgets to set reservation utilization or coverage targets and receive alerts when your utilization drops below the threshold you define.

The EC2 instance does not have a public IP address.
The second subnet does not have a route in the route table to the internet gateway.

VPC-to-VPC->AWS Network Firewall
Set up an Amazon EventBridge rule that is triggered by the AWS Health event. Target a Lambda function to parse the incoming event and reference the Amazon EC2 instance, ID included. Have the function perform a stop and start of the instance.
A launch template is similar to a launch configuration, in that it specifies instance configuration information. I
Amazon Kinesis Data Firehose cannot load streaming data to Athena.
Amazon Kinesis Data Firehose is the easiest way to reliably load streaming data into data lakes, data stores, and analytics tools. It can capture, transform, and load streaming data into Amazon S3, Amazon Redshift, Amazon Elasticsearch Service,

A File Gateway supports storage on S3 and combines a service and a virtual software appliance. By using this combination, you can store and retrieve objects in Amazon S3 using industry-standard file protocols such as Network File System (NFS) and Server Message Block (SMB).
500 users->A serverless website using API Gateway, Lambda, and DynamoDB
Create a new Direct Connect gateway and set this up with the existing Direct Connect connection. Set up a transit gateway between the AWS accounts and connect the transit gateway to the Direct Connect gateway.

Amazon S3 Glacier Instant Retrieval for archiving completed processed training sets
Amazon FSx for Lustre for processing training sets
Use an S3 Infrequent Access storage bucket. Create a role in IAM granting S3 access and attach this role to your EC2 instance.