EXAM PRACTICE - 2
Scored: 49/61 (80%)
Q4. EC2: Access AWS resources?
EC2 Instance Role (EC2 Instance Profile)
Q28. S3: Encryption
SSE-S3: Admin can see the data ⭐ SSE-C: Custom’s Key ⭐⭐ SSE-KMS: Key Rotation, Role Separation ⭐⭐⭐
Q30. Site to Site VPN - Problem
Q31. DDoS Attach + ALB
AWS Shield Standard: L3/L4 AWS Shield Advanced: L7 👉 DDoS Protection
Q35. Scale out based on S3 event
SNS -> SQS -> ASG
Q36. NACL vs SG
-
NACL:
- Associated with a subnet 👉 applied to all instances in that subnet
- Support both ALLOW/DENY rule
-
SG:
- Associated with an instance
- Only support ALLOW rule
Q46. Which components are needed to create a custom public VPC for an EC2 instance to access public internet?
VPC Resource Map
-
Virtual Private Cloud (VPC)
-
Availability Zones
-
AZ-A
-
Subnets: Need connect to public internet
-
Subnet: (Public)
-
EC2 Instance:
- Associated SG
- Be default has no public IPv4 address 👉 Be default, these instances can communicate with each other, but can’t access the internet.
-
Associated NACL.
-
Associated Route Table (or default main route table)
- route traffics to IGW
-
-
Subnet: (Private)
-
EC2 Instance:
- Associated SG
-
Associated NACL.
-
Associated Route Table (or default main route table)
- route traffics to NATGW
-
-
-
NAT Gateways (NATGW)
-
-
AZ-B
-
-
Router:
- Route Tables: Explicitly associate a subnet with a particular route table.
- Main Route Table: Otherwise, the subnet is implicitly associated with the main route table.
-
NACLs:
- Associated with subnets
- ALLOW/DENY IN OR OUTBOUND
-
Default NACL: ALLOW all traffics (~ Has no effect)
-
Security Groups (SGs):
- Associated with AWS resources
- ALLOW IN (& OUTBOUND)
-
-
AWS Public Zone
- Internet Gateway (IGW)
-
Public Internet
-
Default VPC:
172.31.0.0/16-
AZs:
-
AZ-A
-
Default Subnet (Public):
/20-
EC2 instance: (if created)
- Automatically assign public DNS hostname with public IP addresses
-
Associated with default NACL
-
Associated with main route table
-
-
-
AZ-B
-
AZ-C
-
-
Router:
-
Main Route Table:
- Send all (
0.0.0.0/0) traffics to the IGW.
- Send all (
-
-
Default NACL: ALLOW all traffics (~ Has no effect): associated with default VPC
-
Default SG: associated with default VPC
-
Associate the default DHCP options set for your AWS account with default VPC.
-
-
AWS Public Zone:
- IGW: connected to default VPC.
Q58. VPC: Private Subnet. How to ensure the instance have outgoing access to the internet?
-
IPv4: Use a NATGW
-
IPv6: Use a Egress-Only IGW
Q47. RDS Single AZ vs RDS Multi-AZ vs RDS Multi-Region vs RDS Read Replicas
-
RDS Single AZ
-
RDS Multi-AZ: 1 or 2 standby DB instances 👉 high availability
-
RDS Multi-AZ Instance: Multi-AZ with one standby
-
1 Primary instance
-
1 Standby replica:
- can’t be used for reads / write 👈 not for performance scaling, only for availability
- kept in sync Synchronously with the primary instance
-
-
[RDS Multi-AZ Cluster](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RDS_Fea_Regions_DB-eng.Feature.MultiAZDBClusters.html: Multi-AZ with two readable standbys
-
1 Writer DB instance
-
2 Reader DB instances:
- can be used for read 👈 limited read scaling
- kept in sync Synchronously with the Writer instance 👈 replication lag (aka Replica lag)
-
-
-
RDS Multi-Region: 👉 disaster recovery and local performance (Not supported for all DB engines)
-
Aurora:
- Aurora Global Databases
- Aurora Multi-Master:
- Multiple read-write instances of your Aurora database across multiple AZs.
- Multi-Master is no longer available as of Feb 28, 2023. Source
-
Other engines:
- Multi-Region = Cross-Region Read Replicas
- Multi-Region = Cross-Region automated backups
-
-
RDS Read Replica: 👉 scalability (performance)
Scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads.
Maximum Read Replica per DB instance:
- 5: Oracle, SQL Server
- 15: MySQL, MariaDB, PostgreSQL, (and Aurora)
References:
| Endpoints | High Availability | Read Scalability | |
|---|---|---|---|
| Single AZ | Instance endpoint 1 | 🔳 | 🔳 |
| Multi-AZ Instance | Instance endpoint | ⬜ | 🔳 |
| (Automatically failover to standby replica 5) | |||
| Multi-AZ Cluster 10 | Multiple: | ⬜⬜ | ⬜⬜ |
| - Cluster endpoint (Writer endpoint) | |||
| - Reader endpoint | |||
| - Instance endpoints | |||
| Read Replicas | Multiple: | ⬜⬜⬜ | ⬜⬜⬜ |
| - Source DB instance endpoint | |||
| - Each replica has its own instance endpoint 20 | |||
| - (Aurora) Custom endpoints 21 |
Q50. ENI
An EC2 instance can have multiple ENIs attached, but these ENIs must be in the same AZ.
Q54. Multicast for EC2
Transit Gateway supports routing multicast traffic between subnets of attached VPCs
Q55. Big number of users need to access AWS resources?
Q56. EC2 - Connect to Linux instance
-
Connect from your local OS (machine)
- SSH
-
Connect from any local OS (machine)
-
-
Introduced in Sep 2018
-
Provides a browser-based
- interactive shell, CLI
- remote desktop access for managing instances on your cloud, or on-premises and edge devices
without the need to open inbound ports, manage SSH keys, or use bastion hosts
-
-
-
Introduced in June 2019.
-
With EC2 Instance Connect, you use IAM policies and principals to control SSH access to your instances, removing the need to share and manage SSH key.
-
Option 1: Using your own key and any SSH client
-
Manually create SSH.
$ ssh-keygen -t rsa -f my_key -
Use EC2 Instance Connect to push our SSH public key to the instance.
$ aws ec2-instance-connect send-ssh-public-key -
Connect to the instance using our private key
$ ssh 0i my_key <EC2_INSTANCE_DNS_NAME_OR_IP_ADDRESS>
-
-
Option 2: Using AWS CLI
ec2-instance-connect sshcommand-
Specify the instance ID
$ aws ec2-instance-connect ssh --instance-id i-1234567890example -
Specify the instance ID and our own key
$ aws ec2-instance-connect ssh --instance-id i-1234567890example --private-key-file /path/to/key.pem
-
-
-
With EC2 Instance Connect Endpoint (introduced in Jun 2023), the EC2 instance even doesn’t need a public IP address.
-
-
Q57. SQS & ASG scale based on queue length: What will happen if SQS doesn’t have Dead Letter Queue?
Messages fill up the queue, ASG scale up 👉 A lot of money will go away