
AWS Certified Solutions Architect - Associate

Week 7 Content Final Review

January 2023 Accelerator Cohort


Test Day Tips!

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Online Proctored Exam Tips & Tricks
Preparation and Test Day Tips if using Pearson or PSI Online Proctoring!

• Pick the Right Space
• Use a personal computer (if able)
• Reboot / Update the day before
• Do the system check!
• Be polite – no matter the wait!
• Keep yourself in profile when on camera – if you can’t see, bring your glasses!
• Take a deep breath – it’s just a test!

AWS Certified Solutions Architect - Associate
Helpful Resources

Training
• AWS Partner Accreditation: Technical
• AWS Well-Architected Labs

White Papers
• Overview of Amazon Web Services
• AWS Well-Architected Framework
• Management and Governance Lens
• AWS Global Infrastructure
• Shared Responsibility Model
• How AWS Pricing Works
• AWS Architecture Center
• Secure Content Delivery with Amazon CloudFront
• IPv6 on AWS
• Overview of Deployment Options on AWS
• Organizing Your AWS Environment Using Multiple Accounts

Exam Preparation
• Twitch Power Hours
• Sample Questions
• Schedule an Exam

All Slide Content – Final Review

AWS Global Infrastructure
AWS Regions
A Region is a location around the world where AWS clusters data centers.

Each AWS Region consists of multiple, isolated, and physically separate Availability Zones (AZs).
AWS Availability Zones (AZs)
One or more discrete data centers with redundant power, networking, and connectivity located within an AWS Region

AZs give customers the ability to operate production applications and databases that are more highly available, fault tolerant, and scalable than would be possible from a single data center.

AZs are connected to each other with fast, private, and secure fiber-optic networking, enabling you to easily architect applications that automatically fail over between AZs without interruption.
Points of Presence (PoP)
310+ Points of Presence and 13 regional edge locations

Smaller endpoints used for hosting cached, frequently accessed data.

Points of Presence enable Amazon CloudFront to securely deliver data, videos, applications, and APIs to customers globally with low latency and high transfer speeds, all within the security of the AWS network and a developer-friendly environment.
IAM Policies

Policy Interpretation Deep Dive!
IAM Policies are the bedrock of strong IAM security. Understanding how the policies work and being able to interpret them is critical for success as an Architect and on the exam.
Amazon Resource Names (ARN)
A way to uniquely identify AWS resources
Security Token Service (STS)
Request temporary, limited-privilege credentials for AWS IAM
Revoking Temporary Credentials
Remember that Roles can be assumed by MANY identities, who will all get the same permissions. What happens if those credentials are compromised?
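As an added example (not from the slides), a small Python evaluator for the policy logic these slides test: an explicit Deny beats any Allow, everything else is an implicit deny, actions and ARNs accept wildcards, and a Deny conditioned on aws:TokenIssueTime with DateLessThan, the shape the IAM console attaches to a role when you revoke its active sessions, cuts off every session whose credentials were issued before the cutoff. The bucket name, timestamps and both policies are constructed.

```python
"""Toy IAM policy evaluator: explicit Deny > Allow > implicit deny, wildcard
matching on actions and ARNs, and the DateLessThan/aws:TokenIssueTime
condition used to revoke sessions assumed before a cutoff."""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """Action names are case-insensitive and support '*' / '?' wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, arn):
    """ARNs are case-sensitive; '*' may span the ':' and '/' separators."""
    return fnmatchcase(arn, pattern)


def _condition_holds(condition, ctx):
    """Every operator/key pair must hold. A missing context key makes the
    statement not apply (this toy has no ...IfExists handling)."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            have = ctx.get(key)
            if have is None:
                return False
            if operator == "DateLessThan":
                # Both sides are ISO-8601 UTC strings, so lexical order is chronological.
                if not have < wanted:
                    return False
            elif operator == "StringEquals":
                if have != wanted:
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policies, action, resource, ctx=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request.
    An explicit Deny anywhere wins, regardless of statement order."""
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for st in _as_list(policy["Statement"]):
            if not any(_action_matches(a, action) for a in _as_list(st["Action"])):
                continue
            if not any(_resource_matches(r, resource) for r in _as_list(st["Resource"])):
                continue
            if not _condition_holds(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Constructed role policy: read-only access to one bucket.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:Get*", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}

# Constructed revocation policy in the shape the console attaches to a role when
# you revoke its active sessions: deny everything to credentials issued before
# the cutoff. Sessions assumed after the cutoff are unaffected.
REVOKE_CUTOFF = "2023-01-15T12:00:00Z"
REVOKE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": REVOKE_CUTOFF}},
    }],
}

ROLE_POLICIES = [ROLE_POLICY, REVOKE_POLICY]
OBJECT_ARN = "arn:aws:s3:::example-bucket/report.csv"   # constructed


def session_decision(issued_at, action="s3:GetObject", resource=OBJECT_ARN):
    """Decision for a session whose temporary credentials were issued at issued_at."""
    return evaluate(ROLE_POLICIES, action, resource, {"aws:TokenIssueTime": issued_at})


if __name__ == "__main__":
    print("session before cutoff:", session_decision("2023-01-15T11:00:00Z"))   # Deny
    print("session after cutoff :", session_decision("2023-01-15T13:00:00Z"))   # Allow
    print("write after cutoff   :", session_decision("2023-01-15T13:00:00Z", "s3:PutObject"))  # ImplicitDeny
```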
AWS S3 – Overview

Amazon Simple Storage Service (S3)
Provides infinitely scalable, highly durable object storage in the AWS Cloud
Your Choice of Amazon S3 Storage Classes
Become familiar with which class you should choose – and when

S3 Intelligent-Tiering (AWS Region, 3 Availability Zones)
• Data with changing access patterns
• Opt in for automatic archiving
• Milliseconds access
• No retrieval fees
• Object monitoring fee
• Minimum storage duration

S3 Standard (AWS Region, 3 Availability Zones)
• Active, frequently accessed data
• Milliseconds access

S3 Standard-IA (AWS Region, 3 Availability Zones)
• Infrequently accessed data
• Milliseconds access
• Retrieval fee per GB
• Minimum storage duration
• Minimum object size

S3 Glacier (AWS Region, 3 Availability Zones)
• Archive data
• Access in minutes and hours
• Retrieval fee per GB
• Minimum storage duration
• Minimum object size

S3 Glacier Deep Archive (AWS Region, 3 Availability Zones)
• Long-term archive data
• Access in select hours
• Retrieval fee per GB
• Minimum storage duration
• Minimum object size

S3 One Zone-IA (AWS Single AZ)
• Re-creatable, less accessed data
• Milliseconds access
• Retrieval fee per GB
• Minimum storage duration
• Minimum object size

S3 Outposts (AWS Outposts)
• On-premises data
• Milliseconds access
• Encrypted with SSE-S3
AWS Elastic Compute Cloud (EC2)

Amazon EC2
Provides secure, resizable compute capacity in the AWS Cloud, enabling servers to be spun up in minutes without the need for physical hardware.

Increase or decrease capacity within minutes and provide 99.99% availability for each Amazon EC2 region.

Get started quickly through AWS Migration Tools, AWS Managed Services, or Amazon Lightsail with help from AWS Professional Services, AWS Support and APN Partners.

Provide various security standards and features, reduce the risk of human error and eliminate the attack surface.

Offer five pricing models to pay for Amazon EC2 instances: On-Demand, Savings Plans, Dedicated Hosts, Spot Instances and Per Second Billing.
Amazon EC2
Provides secure, resizable compute capacity in the AWS Cloud, enabling servers to be spun up in minutes without the need for physical hardware.

Automatically add or remove EC2 instances according to conditions you define. There is no additional fee for Auto Scaling.
Amazon EC2 Billing
Provides secure, resizable compute capacity in the AWS Cloud, enabling servers to be spun up in minutes without the need for physical hardware.

Lower prices on Amazon EC2 instance usage regardless of instance family, size, OS, tenancy, or AWS Region for commitments on usage.

Pay for compute capacity by the second with no long-term commitments.

Take advantage of unused EC2 capacity in the AWS cloud. Spot instances can provide up to 90% savings over on-demand instance types.

Use your eligible software licenses from vendors such as Microsoft and Oracle on Amazon EC2.
EC2 Placement Groups

There are three types of placement groups you can use with EC2 instances: Cluster, Spread and Partition. Each has its advantages and disadvantages for your proposed architecture.
Cluster Placement Group
Placement Groups are the bread and butter of a Solutions Architect. Understanding when, and how, to deploy your resources is a critical skillset.

A cluster placement group is a logical grouping of instances within a single Availability Zone. A cluster placement group can span peered VPCs in the same Region.

Cluster placement groups are recommended for applications that benefit from low network latency, high network throughput, or both. They are also recommended when the majority of the network traffic is between the instances in the group.
Spread Placement Group
Placement Groups are the bread and butter of a Solutions Architect. Understanding when, and how, to deploy your resources is a critical skillset.

A spread placement group is a group of instances that are each placed on distinct racks, with each rack having its own network and power source.

The image at right shows seven instances in a single AZ that are placed into a spread placement group.

Spread placement groups are recommended for applications that have a small number of critical instances that should be kept separate from each other.
Partition Placement Group
Placement Groups are the bread and butter of a Solutions Architect. Understanding when, and how, to deploy your resources is a critical skillset.

Partition placement groups help reduce the likelihood of correlated hardware failures for your application. When using partition placement groups, Amazon EC2 divides each group into logical segments called partitions.

Partition placement groups can be used to deploy large distributed and replicated workloads, such as HDFS, HBase, and Cassandra, across distinct racks.
AWS Caching & File Servers

Amazon ElastiCache
A fully managed, in-memory caching service
Amazon ElastiCache – Redis vs. Memcached
A fully managed, in-memory caching service

Memcached
• Simple data structures
• No replication
• Multiple Nodes (Sharding)
• No backups
• Multi-threaded

Redis
• Advanced Structures
• Multi-AZ capable
• Replication (Scale Reads)
• Backup & Restore
• Transactions
Amazon Elastic File System (EFS)
Simple, serverless, set-and-forget file system

Amazon FSx for Windows File Server
Fully managed file storage built on Windows Server

AWS Database Offerings
AWS Purpose-built Database Offerings
Relational, Key-Value, Document, In-Memory, Graph, Time Series, Ledger, Wide Column
Move to fully managed databases
Migrate on-premises or self-managed databases to fully managed services

Relational databases: Amazon Aurora, Amazon RDS
Non-relational databases: Amazon DocumentDB, Amazon ElastiCache, Amazon Keyspaces

Amazon RDS (Relational Database Service)
Set up, operate, and scale a fully managed RDS with just a few clicks

Easy to administer: easily deploy and maintain hardware, OS, and DB software, with built-in monitoring.

Secure and compliant: data encryption at rest and in transit, with industry compliance and assurance programs.

Available and durable: automatic Multi-AZ data replication, with automated backup, snapshots, and failover.

Performant and scalable: scale compute and storage with a few clicks, plus minimal downtime for your application.
Amazon Aurora
MySQL and PostgreSQL compatible relational database – built for the cloud

Fault-tolerant, self-healing storage; six copies of data across three Availability Zones; continuous backup to Amazon S3.

5x throughput of standard MySQL and 3x of standard PostgreSQL; scale-out up to 15 read replicas.

Managed by RDS: no server provisioning, software patching, setup, configuration, or backups.
Amazon DynamoDB
Fast and flexible key-value database service for any scale
DynamoDB Accelerator (DAX)
• Fully managed, highly available cache for DynamoDB
• Even faster: microsecond latency
• Scales to millions of requests per second
• DynamoDB API compatible

AWS Security
Amazon CloudTrail
CloudTrail logs, continuously monitors, and retains account activity related to actions across your AWS infrastructure, giving you control over storage, analysis, and remediation actions.

Some Use Cases

Audit activity
Monitor, store, and validate activity events for authenticity. Easily generate audit reports required by internal policies and external regulations.

Identify security incidents
Detect unauthorized access using the Who, What, and When information in CloudTrail Events. Respond with rules-based EventBridge alerts and automated workflows.
AWS WAF
AWS WAF is a web application firewall that helps protect web applications from attacks by allowing you to configure rules that allow, block, or monitor (count) web requests based on conditions that you define.

AWS Shield
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.

Amazon Macie
Amazon Macie continually evaluates your Amazon S3 environment and provides an S3 resource summary across all of your accounts.

Amazon GuardDuty
Monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.

Key Benefits
Amazon GuardDuty makes it easy for you to continuously monitor your AWS accounts, workloads, and data stored in Amazon S3.

GuardDuty operates completely independently from your resources, so there is no risk of performance or availability impacts to your workloads.

There are no upfront costs and you pay only for the events analyzed, with no additional software to deploy or threat intelligence feed subscriptions required.

Amazon GuardDuty analyzes AWS CloudTrail, VPC Flow Logs, and AWS DNS logs for malicious activity and anomalous behavior.
Amazon Inspector
An automated vulnerability management service that continually scans Amazon Elastic Compute Cloud (EC2) and container workloads for software vulnerabilities and unintended network exposure.

Use Cases
Use up-to-date common vulnerabilities and exposures (CVE) information combined with factors such as network accessibility to create context-based risk scores that help you prioritize and address vulnerable resources.

Support compliance requirements and best practices for NIST CSF, PCI DSS, and other regulations with Amazon Inspector scans.

Identify zero-day vulnerabilities sooner.

AWS Security Groups and NACLs
AWS Security Groups & NACLs
Two AWS features to increase security in your VPC: security groups and network ACLs.

• Network ACLs are stateless
• Security groups are stateful
AWS Security Groups & NACLs

• Use network ACLs to control access to your subnets and use security groups to control traffic to EC2 instances in your subnets.

• When you add subnets to your VPC, choose multiple Availability Zones (AZs) to ensure that the resources hosted in those subnets are highly available. An AZ is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region. AZs enable you to make production applications highly available, fault tolerant, and scalable.
AWS Security Groups
A security group acts as a virtual firewall, controlling the traffic that is allowed to reach and leave the resources that it is associated with.

Rule fields:
• Name
• Description
• Protocol
• Port range
• IP address
• IP range
• Security Group name

Default security group rules

Inbound
Source: the security group ID (its own resource ID) | Protocol: All | Port range: All | Description: Allows inbound traffic from resources that are assigned to the same security group.

Outbound
Destination: 0.0.0.0/0 | Protocol: All | Port range: All | Description: Allows all outbound IPv4 traffic.
Destination: ::/0 | Protocol: All | Port range: All | Description: Allows all outbound IPv6 traffic. This rule is added only if your VPC has an associated IPv6 CIDR block.

• Your default VPCs and any VPCs that you create come with a default security group. You can't delete a default security group.
AWS NACLs
A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.

You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.

Default network ACL rules

Inbound
Rule # | Type | Protocol | Port range | Source | Allow/Deny
100 | All IPv4 traffic | All | All | 0.0.0.0/0 | ALLOW
* | All IPv4 traffic | All | All | 0.0.0.0/0 | DENY

Outbound
Rule # | Type | Protocol | Port range | Destination | Allow/Deny
100 | All IPv4 traffic | All | All | 0.0.0.0/0 | ALLOW
* | All IPv4 traffic | All | All | 0.0.0.0/0 | DENY
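Added example, not from the slides: a small Python model of the two firewalls. The NACL evaluates numbered rules lowest-first down to the '*' deny and sees the request and the reply as two unrelated packets, so a tightened NACL that only allows TCP 443 drops the reply to the client's ephemeral port unless an outbound rule covers it; the security group has allow rules only and, being stateful, admits the reply automatically. The default NACL rules are the slide's; the HTTPS-only rules, the client address and the ports are constructed.

```python
"""Stateless NACL vs stateful security group, modelled on one TCP exchange."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated lowest-first; the '*' default rule comes last
    protocol: str    # "tcp", "udp", "icmp" or "-1" for all
    port_from: int
    port_to: int
    cidr: str
    action: str      # "ALLOW" or "DENY"


# The '*' rule every NACL ends with: anything not matched above is denied.
DEFAULT_DENY = NaclRule(32767, "-1", 0, 65535, "0.0.0.0/0", "DENY")


def nacl_decide(rules, protocol, port, peer_ip):
    """First matching rule in numeric order wins; '*' denies the rest."""
    peer = ipaddress.ip_address(peer_ip)
    for rule in sorted(rules, key=lambda r: r.number) + [DEFAULT_DENY]:
        if rule.protocol not in ("-1", protocol):
            continue
        if not rule.port_from <= port <= rule.port_to:
            continue
        if peer not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action
    return "DENY"


def nacl_tcp_exchange(inbound, outbound, client_ip, client_port, server_port):
    """A NACL keeps no connection state: the request is an inbound packet to
    server_port, the reply an outbound packet to the client's ephemeral port,
    and each is judged on its own."""
    request = nacl_decide(inbound, "tcp", server_port, client_ip)
    response = nacl_decide(outbound, "tcp", client_port, client_ip)
    return request, response


@dataclass(frozen=True)
class SgRule:
    protocol: str
    port_from: int
    port_to: int
    cidr: str        # security groups only have allow rules


def sg_decide(rules, protocol, port, peer_ip):
    """Any matching allow rule permits; otherwise the implicit deny applies."""
    peer = ipaddress.ip_address(peer_ip)
    for rule in rules:
        if (rule.protocol in ("-1", protocol)
                and rule.port_from <= port <= rule.port_to
                and peer in ipaddress.ip_network(rule.cidr)):
            return "ALLOW"
    return "DENY"


def sg_tcp_exchange(inbound, client_ip, server_port):
    """Stateful: once the request is allowed, the reply is tracked and allowed
    whatever the outbound rules say."""
    request = sg_decide(inbound, "tcp", server_port, client_ip)
    return request, request


# Default NACL from the slide: rule 100 allows all IPv4 traffic both ways.
DEFAULT_NACL = [NaclRule(100, "-1", 0, 65535, "0.0.0.0/0", "ALLOW")]

# A tightened NACL that forgot the ephemeral-port return path (constructed).
HTTPS_ONLY_IN = [NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "ALLOW")]
HTTPS_ONLY_OUT = [NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "ALLOW")]
# Corrected outbound side: replies may go back to the client's ephemeral port.
HTTPS_OUT_FIXED = HTTPS_ONLY_OUT + [NaclRule(110, "tcp", 1024, 65535, "0.0.0.0/0", "ALLOW")]

WEB_SG = [SgRule("tcp", 443, 443, "0.0.0.0/0")]           # constructed

CLIENT_IP, CLIENT_PORT = "203.0.113.10", 51515             # constructed client

if __name__ == "__main__":
    print("default NACL      :", nacl_tcp_exchange(DEFAULT_NACL, DEFAULT_NACL, CLIENT_IP, CLIENT_PORT, 443))
    print("HTTPS-only NACL   :", nacl_tcp_exchange(HTTPS_ONLY_IN, HTTPS_ONLY_OUT, CLIENT_IP, CLIENT_PORT, 443))
    print("HTTPS NACL fixed  :", nacl_tcp_exchange(HTTPS_ONLY_IN, HTTPS_OUT_FIXED, CLIENT_IP, CLIENT_PORT, 443))
    print("security group    :", sg_tcp_exchange(WEB_SG, CLIENT_IP, 443))
```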
Virtual Private Cloud (VPC)
Amazon Virtual Private Cloud (VPC)
Provision a Logically Isolated Section of the AWS Cloud
• Control your virtual networking environment
  • Subnets
  • Route tables
  • Security Groups
  • Network ACLs
• Connect to your on-premises network via VPN or Direct Connect
• Control if and how your instances access the internet
Amazon Virtual Private Cloud (VPC)

Diagram: inside the AWS Cloud, a VPC ("Your Network Goes Here") alongside Amazon EC2, AWS Lambda, Amazon RDS, Amazon Redshift, Amazon DynamoDB and Amazon Simple Storage Service (S3)
VPC IP Addressing
Bring your own addressing plan.
Plan your IP address space before creating it!
• Consider future AWS Region expansion.
• Consider future connectivity to corporate networks.
• Consider subnet design.
• VPC CIDR blocks can be between /16 and /28.
• The CIDR cannot be modified once created, but you can add new CIDRs to expand the VPC IP addressing.
• Overlapping IP spaces = future headache!
How to segment my networks inside a VPC?
VPC Subnets
• You can add one or more subnets in each Availability Zone
• AZs provide fault isolation
• Subnets are allocated as a subset of the VPC CIDR range

Diagram: VPC 10.0.0.0/16
  Availability Zone A: Subnet A1 10.0.0.0/24, Subnet A2 10.0.1.0/24
  Availability Zone B: Subnet B1 10.0.2.0/24, Subnet B2 10.0.3.0/24
How to direct traffic out of my Subnets?
VPC Subnets
• Each subnet can have a unique Route Table
• Route Tables direct traffic out of the VPC, towards:
  • Internet Gateway
  • Virtual Private Gateway
  • VPC Endpoints
  • Direct Connect
  • VPC Peering
  • AWS Transit Gateway
• Subnets are named “Public Subnets” when connected to an Internet Gateway

Diagram: a VPC with an Internet gateway, a public subnet and a private subnet, each subnet with its own route table, a router, and a link to the corporate data center
How to connect my VPC to the Internet?
Internet Gateway
• Horizontally scaled, redundant, highly available VPC component
• Connects your VPC Subnets to the Internet
• Must be referenced on the Route Table
• Performs NAT between Public and Private IP Addresses

Diagram: Internet gateway attached to the VPC; an EC2 instance in the public subnet with Private IP 10.0.0.1 and Public IP 198.51.100.2; an EC2 instance in the private subnet with Private IP 10.1.1.1; each subnet has its own route table
How does my instance get an IP address?
Elastic IP Address
• Static, Public IPv4 address, associated with your AWS account
• Can be associated with an instance or network interface
• Can be remapped to another instance in your account
• Useful for redundancy when Load Balancers are not an option

Diagram: two EC2 instances in the public subnet (Private IP 10.0.0.1 and Private IP 10.0.0.2); the Elastic IP 198.51.100.2 can be remapped from one to the other; an EC2 instance in the private subnet with Private IP 10.1.1.1
Can I have outbound only Internet access?
NAT Gateway
• Enable outbound connection to the internet
• No incoming connection - useful for OS/packages updates, public web services access
• Fully managed by AWS
• Highly available
• Up to 10Gbps bandwidth
• Supports TCP, UDP, and ICMP protocols
• Network ACLs apply to NAT gateway’s traffic

Diagram: NAT gateway in the public subnet behind the Internet gateway; an EC2 instance in the private subnet (Private IP 10.1.1.1) reaches the Internet through a route table entry pointing at the NAT gateway
Can I have one account owning the VPC, and others using it?
Shared VPC
• VPC Owner can create and edit VPC components
• VPC Participants can launch resources in their assigned Subnets
• Each participant pays for their own resources and data transfer costs
• Based on AWS Resource Access Manager, under AWS Organizations

Diagram: AWS Account Alpha is the VPC Owner and can Create/Modify/Delete: Subnets, Route Tables, Network ACLs, VPC Peering, VPC Endpoints, Internet Gateways, NAT Gateways, Virtual Private Gateways, Transit Gateway attachments. AWS Account Beta (VPC Participant) runs an EC2 instance and a Lambda function in Subnet Beta; AWS Account Gama (VPC Participant) runs an EC2 instance and a Lambda function in Subnet Gama.
Can I filter traffic reaching my instances?
Security Groups
• VPC virtual stateful firewall
• Inbound and Outbound customer defined rules
• Instance/Interface level inspection
• Micro segmentation
• Mandatory, all instances have an associated Security Group
• Can be cross referenced
• Works across VPC Peering
• Only supports allow rules
• Implicit deny all at the end

Diagram: Internet gateway, HTTPS (TCP 443) to Elastic Load Balancing (ELB) in security group “Web ELB”; HTTP (TCP 80) from “Web ELB” to the Web Servers (Amazon EC2) in security group “Web Tier”; MySQL (TCP 3306) from “Web Tier” to the MySQL DB / Amazon Aurora in security group “DB Tier”
Can I filter traffic on a subnet level?
Network Access Control List
• Inbound and Outbound
• Subnet level inspection
• Optional level of security
• By default, allow all traffic
• Stateless
• IP and TCP/UDP port based
• Supports allow and deny rules
• Deny all at the end

Diagram: NACL “External Access” on the public subnet allows HTTPS (TCP 443) from 0.0.0.0/0 to Amazon EC2; NACL “Database Access” on the private subnet allows MySQL (TCP 3306) from 10.0.0.0/16 to the MySQL DB / Amazon Aurora; other IPs and other ports are denied
How to connect privately to public AWS Services?
VPC Endpoints
• Connect your VPC to:
  • Supported AWS services
  • VPC endpoint services powered by PrivateLink
• Doesn’t require public IPs or Internet connectivity
• Traffic does not leave the AWS network.
• Horizontally scaled, redundant, and highly available
• Robust access control

Diagram: Amazon VPC PrivateLink; EC2 instances in the public and private subnets reach Amazon S3, AWS KMS and a service behind a Network Load Balancer (NLB) in another VPC through VPC Endpoints, without going through the Internet gateway
How to connect directly to other VPCs?
VPC Peering
• Scalable and highly available
• Inter-account peering
• Same or different AWS Regions
• Bi-directional traffic
• Remote Security groups can be referenced
• Routing policy with Route Tables; not all subnets need to connect to each other
• No transitive routing, requires full-mesh to interconnect multiple VPCs
• No support for overlapping IP addresses

Diagram: two VPCs, each with a public and a private subnet holding EC2 instances and route tables, connected by VPC Peering
Route 53 (DNS)

Amazon Route 53
A reliable and cost-effective way to route end users to Internet applications
Connects user requests to infrastructure running in AWS. Highly available and scalable cloud Domain Name System (DNS) web service.
Amazon Route 53
Domain Names to IP Address
• AWS DNS service
• Domain Registration
• Domain name resolution
• 100% availability SLA
• Health Checks
• DNS Failover
• Latency Based Routing
• Geo Based Routing
• Weighted Round Robin
• Private DNS for VPC

Diagram: a DNS Resolution Request reaches Amazon Route 53, which checks whether the Main Site is Healthy. Yes: Region us-east-1 (N. Virginia), with App Version A receiving 95% of traffic and App Version B 5% (A/B Testing), each behind an Elastic Load Balancer and a Web Service. No: Region us-west-2 (Oregon), App DR behind an Elastic Load Balancer and a Web Service.
Amazon Route 53 Resolver for VPC
• AmazonProvidedDNS
  • VPC+2 resolver
  • 169.254.169.253
  • fd00:ec2::253
• DNS host names
  • Private DNS name: ip-10-0-0-12.us-east-2.compute.internal
  • Resource based private DNS name: i-0e718ecec005e295e.us-east-2.compute.internal
  • Public DNS name: ec2-3-3-3-3.us-east-2.compute.amazonaws.com

Diagram: VPC 10.0.0.0/16, 2001:db8:ec2::/56; an instance queries the Route 53 Resolver at 10.0.0.2 / fd00:ec2::253
Route 53 Resolver endpoints
Inbound endpoint

Diagram: VPC 10.0.0.0/16, 2001:db8:ec2::/56; queries from outside the VPC arrive at the Inbound endpoint and are answered by the Route 53 Resolver (10.0.0.2) from the PRIVATE HOSTED ZONE example.aws
Route 53 Resolver endpoints
Outbound endpoint

Diagram: VPC 10.0.0.0/16, 2001:db8:ec2::/56; an instance queries the Route 53 Resolver (10.0.0.2 / fd00:ec2::253), which forwards the queries matching its Resolver rules through the Outbound endpoint
Direct Connect

AWS Direct Connect
Use AWS Direct Connect to securely link your on-premises environment to AWS
Directly connect your data center to AWS over a standard 1 gigabit or 10 gigabit Ethernet fiber-optic connection
AWS Direct Connect
How to add redundancy to my dedicated circuits?
• For redundancy, DX can be deployed with single or multiple:
  • Circuits
  • Providers
  • Customer Gateways
  • Direct Connect Locations
  • Customer data centers
• BGP Routing for redundancy
• AWS VPN can also be used as backup path

Diagram: two Direct Connect Locations, each with two AWS DX Devices, connected to two corporate data centers, each with its own customer gateway
AWS Direct Connect
How to access my VPCs or AWS Public Services over my DX?
• VIFs: Virtual Interface
  • Private VIFs: access to VPC IP address space
  • Public VIFs: access to AWS Public IP address space

Diagram: from the corporate data center (customer gateway) through the Direct Connect Location (AWS DX Device), Private Virtual Interfaces terminate on the Virtual Private Gateways of VPC 1A and VPC 1B, and a Public Virtual Interface reaches Public AWS Services such as Amazon Simple Storage Service (S3)
AWS Direct Connect Gateway
How to connect to multiple AWS Regions/Accounts over DX?
• Global resource
• Connect to multiple VPCs
• VPCs can be on same or different:
  • Regions
  • Accounts (same Payer ID)
• Enables traffic flow from the VPC to the DX connection
• For VPC to VPC Traffic, consider using AWS Transit Gateway

Diagram: VPC 1A and VPC 1B in Region 1 and VPC 2A in Region 2, each through a Private Virtual Interface, attach to one AWS Direct Connect Gateway, which connects through the Direct Connect Location (AWS DX Device) to the corporate data center (customer gateway)
Transit Gateway

How to connect directly to other VPCs?
AWS Transit Gateway
• Connect thousands of VPCs across accounts …
• Connect your VPCs and on-premises through a single gateway
• Centralize VPN and AWS Direct Connect connections
• Control segmentation and data flow with Routing Tables
• Hub and Spoke design
• Up to 50 Gbps per VPC connection (burst)

Diagram: one AWS Transit Gateway with two route tables: Routing Domain A (three VPCs) and Routing Domain B (a VPC and a Shared Services VPC)
How to connect at scale across accounts / Regions?
AWS Transit Gateway + AWS DX Gateway
• Transit VIF
  • Connects to an AWS Transit Gateway
• Simplify your network architecture and management overhead
• Create a hub-and-spoke model that spans multiple:
  • VPCs
  • Regions
  • AWS accounts

Diagram: VPC 1A and VPC 1B in Region 1 and VPC 2A in Region 2 attach to an AWS Transit Gateway, which attaches to an AWS Direct Connect Gateway and reaches the corporate data center (customer gateway) through the Direct Connect Location (AWS DX Device)
AWS Global Accelerator

Improve Availability and Performance of Global Services
AWS Global Accelerator
• Uses AWS Global Network from Edge to Region
• Client traffic ingresses via closest available Edge location
• Route client to closest healthy endpoint
• No DNS switchover required, same IP address globally
• Static IP Anycast

Diagram: Users in US and Users in Europe both resolve www.example.com to IP 198.51.100.2; AWS Global Accelerator takes their traffic in at the nearest Edge location and carries it over redundant paths to an Elastic Load Balancer and Service in Region us-east-1 (N. Virginia) or Region eu-west-1 (Ireland)
IPv4 vs. IPv6

IPv4 Addressing
Diagram: VPC - 10.0.0.0/16, 10.1.0.0/16 across two Availability Zones
  Public subnet 10.0.1.0/24: instances 10.0.1.38 and 10.0.1.112
  Public subnet 10.0.2.0/24: instances 10.0.2.200 and 10.0.2.47; Elastic IPs 52.34.234.27 and 54.203.236.116
  Private subnet 10.0.128.0/24 and Private subnet 10.1.129.0/24

Reserved addresses
10.0.0.0 – VPC Base
10.0.0.2 – Route 53 Resolver (VPC Base + 2)

10.0.1.0 – Network Address
10.0.1.1 – VPC Router
10.0.1.2 – Reserved
10.0.1.3 – Reserved
10.0.1.255 – Network Broadcast
...
10.0.128.0 – Network Address
10.0.128.1 – VPC Router
10.0.128.2 – Reserved
10.0.128.3 – Reserved
10.0.128.255 – Network Broadcast
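Added example, not from the slides, pulling together the addressing rules from the VPC IP Addressing, VPC Subnets, VPC Peering and Route 53 Resolver slides and the reserved addresses above: the /16 to /28 check on a VPC block, the VPC+2 resolver address, the five addresses reserved in every subnet, and the overlap checks that VPC peering and adding a secondary CIDR both require. The VPC blocks and subnet are the slides' 10.0.0.0/16, 10.1.0.0/16 and 10.0.1.0/24; the peer VPCs are constructed.

```python
"""VPC addressing helpers: CIDR size rules, reserved subnet addresses,
the VPC+2 resolver, and overlap checks for peering and secondary CIDRs."""
import ipaddress


def validate_vpc_cidr(cidr):
    """A VPC IPv4 block must be a proper network between /16 and /28."""
    net = ipaddress.ip_network(cidr, strict=True)   # rejects host bits set
    if net.version != 4:
        raise ValueError("IPv4 CIDR expected")
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: VPC CIDR must be between /16 and /28")
    return net


def resolver_address(vpc_cidr):
    """AmazonProvidedDNS listens at the VPC base address + 2."""
    return str(validate_vpc_cidr(vpc_cidr).network_address + 2)


def plan_subnet(vpc_cidr, subnet_cidr):
    """Reserved addresses and usable host count for one subnet of the VPC:
    network, router (+1), DNS (+2), future use (+3) and broadcast are reserved."""
    vpc = validate_vpc_cidr(vpc_cidr)
    sub = ipaddress.ip_network(subnet_cidr, strict=True)
    if not sub.subnet_of(vpc):
        raise ValueError(f"{subnet_cidr} is not inside {vpc_cidr}")
    if sub.prefixlen > 28:
        raise ValueError("subnets must be /28 or larger")
    base = sub.network_address
    return {
        "network_address": str(base),
        "vpc_router": str(base + 1),
        "dns_reserved": str(base + 2),
        "future_use": str(base + 3),
        "network_broadcast": str(sub.broadcast_address),
        "first_usable": str(base + 4),
        "last_usable": str(sub.broadcast_address - 1),
        "usable_hosts": sub.num_addresses - 5,
    }


def overlapping(cidr_a, cidr_b):
    """True when the two blocks share any address."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def can_peer(vpc_a_cidrs, vpc_b_cidrs):
    """VPC peering refuses any overlap between the two VPCs' CIDR sets."""
    return not any(overlapping(a, b) for a in vpc_a_cidrs for b in vpc_b_cidrs)


def add_secondary_cidr(existing, new_cidr):
    """Expanding a VPC: the new block must be valid and disjoint from what it has."""
    validate_vpc_cidr(new_cidr)
    if any(overlapping(new_cidr, c) for c in existing):
        raise ValueError(f"{new_cidr} overlaps an existing VPC CIDR")
    return existing + [new_cidr]


if __name__ == "__main__":
    vpc = add_secondary_cidr(["10.0.0.0/16"], "10.1.0.0/16")   # the slide's two-block VPC
    print(resolver_address(vpc[0]))                             # 10.0.0.2
    print(plan_subnet(vpc[0], "10.0.1.0/24"))
    print(can_peer(vpc, ["172.16.0.0/16"]), can_peer(vpc, ["10.1.129.0/24"]))  # constructed peers
```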
IPv6 Addressing

VPC - 10.0.0.0/16, 10.1.0.0/16 and 2001:db8:ec2::/56
Public subnets - 10.0.1.0/24 (2001:db8:ec2:01::/64) and 10.0.2.0/24 (2001:db8:ec2:02::/64); private subnets - 2001:db8:ec2:80::/64 and 10.1.129.0/24, spread across two Availability Zones

Reserved
fd00:ec2::/32 - Reserved
fe80::X:Xff:feX:X/64 – VPC Router

2001:db8:ec2:01::0
2001:db8:ec2:01::1
2001:db8:ec2:01::2
2001:db8:ec2:01::3
2001:db8:ec2:01:ffff:ffff:ffff:ffff
...
2001:db8:ec2:80::0
2001:db8:ec2:80::1
2001:db8:ec2:80::2
2001:db8:ec2:80::3
2001:db8:ec2:80:ffff:ffff:ffff:ffff

[Diagram: dual-stack instances at 10.0.2.200, 10.0.1.38, 10.0.2.47 and 10.0.1.112 (Elastic IPs 52.34.234.27 and 54.203.236.116), with IPv6 addresses 2001:db8:ec2:1::1 and 2001:db8:ec2:80::1]
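The two addressing slides above show the same rule for both protocols: in every subnet AWS reserves the first four addresses and the last address, so a /24 leaves 251 usable IPv4 hosts. The following is an added example, not from the slide deck or from AWS, that computes those addresses and the usable count for any IPv4 or IPv6 subnet CIDR with Python's standard ipaddress module. The role labels follow the slides, the /16 to /28 limit it enforces is the IPv4 subnet size AWS allows, and the sample CIDRs are the ones pictured.

```python
"""Reserved addresses in a VPC subnet, for IPv4 and IPv6 CIDRs (added example)."""
import ipaddress

# Roles of the first four addresses in every subnet, as labelled on the slides.
RESERVED_ROLES = (
    "network address",
    "VPC router",
    "reserved by AWS (DNS)",
    "reserved by AWS (future use)",
)


def _subnet(cidr):
    """Parse a subnet CIDR and enforce the IPv4 size limits AWS allows (/16 to /28)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 4 and not 16 <= net.prefixlen <= 28:
        raise ValueError(f"IPv4 subnet must be between /16 and /28: {cidr}")
    return net


def reserved_addresses(cidr):
    """Return {address: role} for the five addresses AWS reserves in `cidr`.

    Order is: first four addresses of the block, then its last address.
    """
    net = _subnet(cidr)
    reserved = {}
    for offset, role in enumerate(RESERVED_ROLES):
        reserved[str(net.network_address + offset)] = role
    # ipaddress exposes the highest address of an IPv6 block under the same name.
    last = str(net.broadcast_address)
    reserved[last] = "network broadcast" if net.version == 4 else "reserved by AWS (last address)"
    return reserved


def usable_host_count(cidr):
    """Addresses left for network interfaces after the five reserved ones (a /24 gives 251)."""
    return _subnet(cidr).num_addresses - 5


def is_assignable(cidr, address):
    """True if `address` lies inside `cidr` and is not one of the reserved addresses."""
    net = _subnet(cidr)
    addr = ipaddress.ip_address(address)
    return addr in net and str(addr) not in reserved_addresses(cidr)


if __name__ == "__main__":
    # Sample subnets from the slides.
    for cidr in ("10.0.1.0/24", "10.0.128.0/24", "2001:db8:ec2:01::/64"):
        print(cidr, usable_host_count(cidr), "usable")
        for addr, role in reserved_addresses(cidr).items():
            print("  ", addr, "-", role)
```

The reserved-address check is the one to run when a design needs a fixed address inside a subnet (for an appliance or a static secondary IP): the first four and the last address can never be assigned, and a subnet smaller than /28 is rejected at creation time.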
Auto Scaling

Auto Scaling
Automatically launch or terminate Amazon EC2 instances

• User-defined policies driven by CloudWatch
• Health status checks
• Schedules
• Manually using set-desired-capacity in the CLI

Scale out to meet demand, scale in to reduce costs.
Auto Scaling
Dynamically react to changing demand, optimize cost

Improve fault tolerance
Increase application availability
Lower costs

Auto Scaling simplifies capacity provisioning through automation

[Diagram: Amazon EC2 Auto Scaling]
Auto Scaling
Include Spot, On-Demand, and RIs in a single Auto Scaling Group (ASG)

An ASG combines purchase options, instance types, and AZs in a single ASG

[Diagram: one VPC spanning Availability Zone 1, Availability Zone 2 and Availability Zone 3, with m4.large Spot, m5.large Spot and c4.xlarge On-Demand capacity, ASG Min: 1 Max: 10]
Elastic Load Balancer

Elastic Load Balancing
Distribute network traffic to improve the scalability of your applications
Automatically distributes incoming application traffic across multiple targets, such as
Amazon EC2 instances, containers, IP addresses, Lambda functions, and virtual
appliances

Elastic Load Balancing
Types of load balancers

Application Load Balancer
• Layer 7
• Targets: IP, instance, AWS Lambda
• Terminates flows
• Listener: HTTP, HTTPS, gRPC
• Front end: virtual IP

Network Load Balancer
• Layer 4
• Targets: IP, instance, Application Load Balancer
• Terminates flows
• Listener: TCP, UDP, TLS
• Front end: virtual IP

Gateway Load Balancer
• Layer 3 gateway and Layer 4 load balancing
• Targets: IP, instance
• Transparent pass through of flows
• Listener: IP
• Route table entry

Classic Load Balancer
• L4-7 load balancing
• Built for the EC2-Classic environment
Application Load Balancer (ALB)

[Diagram: clients reach the Application Load Balancer over HTTP(S); it forwards to targets in Auto Scaling groups, ECS / EKS and AWS Lambda, and integrates with Amazon Route 53, AWS Certificate Manager, AWS WAF and Amazon Cognito]
Network Load Balancer (NLB)

[Diagram: clients reach the Network Load Balancer, including over Direct Connect and PrivateLink; it forwards to targets in Auto Scaling groups and ECS / EKS, and integrates with Amazon Route 53, AWS Certificate Manager and IAM]
Decoupling and Messaging

Amazon Simple Queue Service (SQS)
A fully managed message queue for microservices, distributed systems, and serverless applications

Amazon SQS Queue Types
Standard vs. FIFO – What’s the difference and why should I care?

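The slide title asks what separates the two queue types. As an added example, not AWS code, here is a small Python model of both behaviours: a standard queue keeps every send (at-least-once delivery, best-effort ordering), while a FIFO queue delivers messages in send order within a MessageGroupId and does not deliver a resend whose MessageDeduplicationId, or with content-based deduplication the SHA-256 of the body, was already accepted within the 5-minute deduplication interval. The message bodies, group names and send times in the usage are constructed.

```python
"""Toy model of SQS standard vs. FIFO delivery semantics (added example)."""
import hashlib
from collections import deque

DEDUP_INTERVAL_SECONDS = 5 * 60  # FIFO deduplication interval


class StandardQueue:
    """At-least-once delivery, best-effort ordering: every send is kept, so the
    consumer must tolerate duplicates and reordering (be idempotent)."""

    def __init__(self):
        self._messages = deque()

    def send(self, body):
        self._messages.append(body)
        return True

    def receive_all(self):
        out = list(self._messages)
        self._messages.clear()
        return out


class FifoQueue:
    """Exactly-once processing within the deduplication interval and strict
    ordering per MessageGroupId."""

    def __init__(self, content_based_dedup=False):
        self.content_based_dedup = content_based_dedup
        self._first_seen = {}  # MessageDeduplicationId -> time of first accepted send
        self._groups = {}      # MessageGroupId -> deque of bodies in send order

    def send(self, body, group_id, dedup_id=None, now=0.0):
        """Return True if the message was enqueued, False if it was deduplicated.

        `now` is the send time in seconds, passed explicitly so the model is
        deterministic (the real service uses its own clock).
        """
        if dedup_id is None:
            if not self.content_based_dedup:
                raise ValueError("MessageDeduplicationId is required unless "
                                 "content-based deduplication is enabled")
            # Content-based deduplication: the id is the SHA-256 of the body.
            dedup_id = hashlib.sha256(body.encode("utf-8")).hexdigest()
        seen_at = self._first_seen.get(dedup_id)
        if seen_at is not None and now - seen_at < DEDUP_INTERVAL_SECONDS:
            return False  # accepted by SendMessage, but not delivered again
        self._first_seen[dedup_id] = now
        self._groups.setdefault(group_id, deque()).append(body)
        return True

    def receive_group(self, group_id):
        """Drain one message group in FIFO order (receive and delete collapsed)."""
        group = self._groups.get(group_id)
        if group is None:
            return []
        out = list(group)
        group.clear()
        return out


if __name__ == "__main__":
    # Constructed usage: the same order event sent twice within the interval.
    fifo = FifoQueue(content_based_dedup=True)
    print(fifo.send("order-1 created", "orders", now=0))    # True
    print(fifo.send("order-1 created", "orders", now=10))   # False, deduplicated
    print(fifo.receive_group("orders"))                     # ['order-1 created']
    std = StandardQueue()
    std.send("order-1 created")
    std.send("order-1 created")
    print(std.receive_all())                                # both copies delivered
```

The practical consequence for a consumer: with a standard queue the deduplication has to live in the consumer (an idempotency key per message), whereas a FIFO queue only protects against producer retries inside the 5-minute window, so a resend after the window is delivered again and still needs an idempotent handler.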
Amazon Simple Notification Service (SNS)
Fully managed pub/sub messaging, SMS, email, and mobile push notifications

The A2A pub/sub functionality provides topics for high-throughput, push-based, many-to-many messaging between distributed systems, microservices, and event-driven serverless applications.
Amazon Simple Notification Service (SNS)
Fully managed pub/sub messaging, SMS, email, and mobile push notifications

• Simplify and reduce costs with message filtering and batching
• Ensure accuracy with message ordering and deduplication
• Capture and fan out events from AWS services
• Increase security with message encryption and privacy
• Increase durability with message archiving, delivery retries, and DLQ
• Send A2P notifications via SMS, mobile push, and email
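Message filtering, the first bullet above, is decided per subscription by a filter policy evaluated against the message attributes. The following is an added example, not SNS code, of that evaluation in Python: every key in the policy must match, a key matches when any of its listed conditions does, and the conditions modelled are exact string or number match, prefix, anything-but, numeric comparison and exists. The policy and attributes used in the usage are constructed.

```python
"""Evaluator for SNS subscription filter policies over message attributes (added example)."""
import json

_NUMERIC_OPS = {
    "=": lambda v, b: v == b,
    "<": lambda v, b: v < b,
    "<=": lambda v, b: v <= b,
    ">": lambda v, b: v > b,
    ">=": lambda v, b: v >= b,
}


def _attribute_values(attr):
    """Expand one message attribute ({"Type": ..., "Value": ...}) into [(value, is_number)]."""
    kind, raw = attr["Type"], attr["Value"]
    if kind == "String":
        return [(raw, False)]
    if kind == "Number":
        return [(float(raw), True)]
    if kind == "String.Array":
        # The value is a JSON-encoded array; any element may satisfy a condition.
        return [(v, False) if isinstance(v, str) else (float(v), True)
                for v in json.loads(raw) if v is not None and not isinstance(v, bool)]
    raise ValueError(f"unsupported attribute type {kind!r}")


def _condition_matches(cond, value, is_number):
    """One filter-policy condition against one attribute value."""
    if isinstance(cond, bool):
        raise ValueError("boolean conditions are not supported in this model")
    if isinstance(cond, str):
        return not is_number and value == cond
    if isinstance(cond, (int, float)):
        return is_number and value == float(cond)
    if "exists" in cond:
        return bool(cond["exists"])  # the attribute is present if we got here
    if "prefix" in cond:
        return not is_number and value.startswith(cond["prefix"])
    if "anything-but" in cond:
        excluded = cond["anything-but"]
        excluded = excluded if isinstance(excluded, list) else [excluded]
        if is_number:
            return all(isinstance(x, str) or value != float(x) for x in excluded)
        return value not in excluded
    if "numeric" in cond:
        if not is_number:
            return False
        ops = cond["numeric"]  # e.g. [">", 0, "<=", 100]: operator/bound pairs, all must hold
        return all(_NUMERIC_OPS[op](value, float(bound))
                   for op, bound in zip(ops[::2], ops[1::2]))
    raise ValueError(f"unsupported condition {cond!r}")


def message_matches(policy, attributes):
    """True if every policy key matches; within a key, any listed condition is enough."""
    for key, conditions in policy.items():
        attr = attributes.get(key)
        if attr is None:
            # An absent attribute only satisfies an {"exists": false} condition.
            if not any(isinstance(c, dict) and c.get("exists") is False for c in conditions):
                return False
            continue
        values = _attribute_values(attr)
        if not any(_condition_matches(c, v, n) for c in conditions for v, n in values):
            return False
    return True


if __name__ == "__main__":
    # Constructed policy and message, shaped like the SNS filter-policy examples.
    policy = {"store": ["example_corp"],
              "event": [{"anything-but": "order_cancelled"}],
              "price_usd": [{"numeric": [">=", 100]}]}
    attrs = {"store": {"Type": "String", "Value": "example_corp"},
             "event": {"Type": "String", "Value": "order_placed"},
             "price_usd": {"Type": "Number", "Value": "210.75"}}
    print(message_matches(policy, attrs))  # True
```

Two points worth remembering from the evaluator: an empty policy matches every message, and a message that lacks an attribute the policy names is dropped unless the policy explicitly allows absence with `{"exists": false}`. Filtering is therefore also a least-privilege tool: a subscriber only receives the event kinds its policy admits.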
Amazon Kinesis

Amazon Kinesis
Easily collect, process, and analyze video and data streams in real time

• Kinesis Data Streams
• Kinesis Video Streams
• Kinesis Data Firehose
• Kinesis Data Analytics
Amazon Kinesis Data Streams
Capture, Process, and Store data streams in real time

Amazon Kinesis Data Streams is a scalable and durable real-time data streaming service that can continuously capture gigabytes of data per second from hundreds of thousands of sources.

• Zillow uses Kinesis Data Streams to collect public record data and MLS listings, and then update home value estimates in near real-time so home buyers and sellers can get the most up-to-date home value estimates.
• Zillow also sends the same data to its Amazon S3 data lake using Kinesis Data Firehose, so that all the applications can work with the most recent information.
Amazon Kinesis Video Streams
Capture, Process, and Store Video in real-time

Amazon Kinesis Video Streams makes it easy to securely stream video from connected devices to AWS for analytics, machine learning (ML), and other processing.

Veritone Inc., a leading AI and cognitive solutions provider, combines a powerful suite of applications with over 120 best-in-class cognitive engines including facial and object recognition, transcription, geolocation, sentiment detection, and translation.

With Amazon Kinesis Video Streams, customers can easily stream their content to AWS, where Veritone processes and enriches their content with AI, in near real-time and at scale.
Amazon Kinesis Data Firehose
Reliably load real-time streams into data lakes, warehouses, and analytical services

Amazon Kinesis Data Firehose is an extract, transform, and load (ETL) service that reliably captures, transforms, and delivers streaming data to data lakes, data stores, and analytics services.

Some of the world's leading travel technology companies rely on 3Victors to help determine how to best engage travelers and what specific marketing content to offer them to maximize engagement while optimizing profit.

3Victors ingests data from the world's largest reservations systems to provide data analytics solutions to sellers of travel across the globe.
Amazon Kinesis Data Analytics
Gain actionable insights from streaming data with serverless, fully managed Apache Flink

Amazon Kinesis Data Analytics is the easiest way to transform and analyze streaming data in real time using Apache Flink. Perform real-time analytics on your Kinesis Data Streams.

Netflix uses Amazon Web Services (AWS) for nearly all its computing and storage needs, including databases, analytics, recommendation engines, video transcoding, and more. Monitoring and optimizing its network is critical for Netflix to continue improving customer experience, increasing efficiency, and reducing costs.

In particular, Netflix needed a solution for ingesting, augmenting, and analyzing the multiple terabytes of data its network generates daily in the form of virtual private cloud (VPC) flow logs.
Amazon Cognito

Amazon Cognito
Simple and Secure User Sign-Up, Sign-In, and Access Control

Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, Google or Apple.

You can enable your users to authenticate with a user pool. Your app users can sign in either directly through a user pool, or federate through a third-party identity provider (IdP).

The user pool manages the overhead of handling the tokens that are returned from social sign-in through Facebook, Google, Amazon, and Apple, and from OpenID Connect (OIDC) and SAML IdPs. After a successful authentication, your web or mobile app will receive user pool tokens from Amazon Cognito.
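The last paragraph ends with the app receiving user pool tokens. The checks an app or API must make on such a token before trusting it are shown in this added example, which is not Cognito or AWS SDK code and uses only the Python standard library. It validates the issuer (https://cognito-idp.{region}.amazonaws.com/{userPoolId}), the token_use, the app client (aud for ID tokens, client_id for access tokens) and the expiry, and it assumes the RS256 signature has already been verified against the pool's JWKS, whose location the helper jwks_url gives; signature verification itself needs a JOSE library such as PyJWT and is not reproduced here. The pool id us-east-1_EXAMPLE, the app client id and the token built in the usage are constructed.

```python
"""Claims checks for an Amazon Cognito user pool JWT, ID or access token (added example)."""
import base64
import json
import time


class TokenRejected(Exception):
    """Raised when a token fails one of the claims checks."""


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def issuer_url(region, user_pool_id):
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def jwks_url(region, user_pool_id):
    """Where the pool publishes the RS256 public keys used to verify signatures."""
    return issuer_url(region, user_pool_id) + "/.well-known/jwks.json"


def verify_cognito_claims(token, region, user_pool_id, app_client_id, expected_use, now=None):
    """Validate the claims of a user pool token and return them.

    Run this only after the RS256 signature has been verified with the key from
    jwks_url() whose `kid` matches the token header. A token with a valid
    signature can still be from another pool, for another app client, of the
    wrong use, or expired, which is what these checks reject.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("not a compact JWS (expected header.payload.signature)")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenRejected(f"malformed token: {exc}") from exc
    if header.get("alg") != "RS256" or not header.get("kid"):
        raise TokenRejected("header must name alg RS256 and a kid")
    if claims.get("iss") != issuer_url(region, user_pool_id):
        raise TokenRejected("issuer is not the expected user pool")
    if expected_use not in ("id", "access") or claims.get("token_use") != expected_use:
        raise TokenRejected(f"token_use is not {expected_use!r}")
    # ID tokens carry the app client id in `aud`, access tokens in `client_id`.
    audience = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if audience != app_client_id:
        raise TokenRejected("token was not issued for this app client")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or isinstance(exp, bool) or exp <= now:
        raise TokenRejected("token is expired or has no exp claim")
    return claims


def accepts(token, region, user_pool_id, app_client_id, expected_use, now=None):
    """Boolean wrapper around verify_cognito_claims()."""
    try:
        verify_cognito_claims(token, region, user_pool_id, app_client_id, expected_use, now)
        return True
    except TokenRejected:
        return False


def build_sample_token(claims, kid="constructed-kid"):
    """Constructed token for this example: real header and claims segments, but a
    placeholder where the RS256 signature would be. A token like this must never be
    accepted in production; the signature check described above comes first."""
    return ".".join([_b64url_encode({"alg": "RS256", "kid": kid}),
                     _b64url_encode(claims), "signature-placeholder"])


if __name__ == "__main__":
    pool = "us-east-1_EXAMPLE"  # constructed pool id
    sample = build_sample_token({"iss": issuer_url("us-east-1", pool), "token_use": "id",
                                 "aud": "client123", "exp": int(time.time()) + 3600,
                                 "sub": "user-1"})
    print(accepts(sample, "us-east-1", pool, "client123", "id"))        # True
    print(accepts(sample, "us-east-1", pool, "other-client", "id"))     # False
```

The order of the checks matters less than their completeness: issuer and app client are what stop a token from a different pool or a different app of the same pool being replayed against this API, and token_use stops an ID token (meant for the client) being accepted where an access token is expected.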
AWS Lambda

AWS Lambda
Run code without thinking about servers or clusters!

AWS Lambda is a serverless, event-driven compute service that lets you run code for virtually any type of application or backend service without provisioning or managing servers.

You can trigger Lambda from over 200 AWS services and software as a service (SaaS) applications, and only pay for what you use.

[Diagram: example workloads, File Processing and Web Applications]
AWS Lambda – A closer look
Run code without thinking about servers or clusters!

• Run code without provisioning or managing infrastructure. Simply write and upload code as a .zip file or container image.
• Automatically respond to code execution requests at any scale, from a dozen events per day to hundreds of thousands per second.
• Optimize code execution time and performance with the right function memory size. Respond to high demand in double-digit milliseconds with Provisioned Concurrency.

[Diagram: example workloads, File Processing and Web Applications]
AWS Lambda – Customer Use Case
Run code without thinking about servers or clusters!

Built on Coca-Cola's existing Amazon Web Services (AWS) serverless architecture, the new contactless Coca-Cola Freestyle solution enables consumers to choose and pour drinks from their phones in just a few seconds, without having to create an account or download an app.

The mobile experience is currently rolling out to all Coca-Cola Freestyle dispensers across the United States.

The Freestyle team created a serverless web app—while working remotely, no less—that integrates with the Coca-Cola Freestyle machines to deliver a touchless user experience. Coca-Cola Freestyle deployed the frictionless, near-real-time solution less than 4 months after the initial idea.
Containers on AWS

AWS Fargate
Serverless compute for containers
Serverless, pay-as-you-go compute engine that lets you focus on building applications
without managing servers

Amazon Elastic Container Service
Highly secure, reliable, and scalable way to run containers
Fully managed container orchestration service that helps you easily deploy, manage, and
scale containerized applications

Amazon Elastic Kubernetes Service
The most trusted way to run Kubernetes
Gives you the flexibility to start, run, and scale Kubernetes applications in the AWS Cloud
or on-premises. Runs upstream Kubernetes and is certified Kubernetes conformant

Thank you!
