AWS

EC2

1. We can make 20 instances per region and 2 high i/o instances contact aws support for
extended instances nos
----------------------------------------------------

2. General Purpose Instances:

T2 - Burstable performance instances suitable for workloads with variable CPU utilization.
M5 - General-purpose instances with a balance of CPU and memory.

Compute-Optimized Instances:

C5 - Compute-optimized instances with a focus on CPU performance.

C6g - Compute-optimized instances with AMD EPYC processors.

Memory-Optimized Instances:

R5 - Memory-optimized instances with a balance of high memory and CPU.

X1 - Memory-optimized instances with very high memory capacity for in-memory databases.

Accelerated Computing Instances:

P3 - GPU instances designed for machine learning, deep learning, and high-performance
computing.
G4 - GPU instances for graphics-intensive applications and machine learning.

Storage-Optimized Instances:

I3 - Storage-optimized instances with high-speed, low-latency NVMe SSD storage.

D3 - Dense storage instances for data warehousing and big data analytics.
High Performance Computing (HPC) Instances:

HPC6i - HPC instances with Intel processors and low-latency networking.

FPGA Instances:

F1 - Instances with FPGA (Field-Programmable Gate Array) for custom hardware acceleration.
Bare Metal Instances:
I3 Bare Metal - Provides direct access to physical hardware, ideal for applications that require
bare metal performance.

Arm-Based Instances:

A1 - Instances powered by AWS Graviton processors, which are based on ARM architecture.

Mac Instances:

Mac1 - Instances designed for macOS workloads, including iOS app development.

Edge Computing Instances:

Snowball Edge Compute Optimized - Instances designed to run on AWS Snowball Edge
devices for edge computing use cases.

------------------------------------------------------------

On-Demand Instances:

With On-Demand instances, you pay for compute capacity by the hour or second, depending on
the instance type, with no long-term commitments.
This option is flexible and is ideal for workloads with variable or unpredictable usage patterns.

Reserved Instances (RIs):

RIs provide a significant discount in exchange for a one- or three-year commitment. They are
available in three payment options: All Upfront, Partial Upfront, and No Upfront.
RIs are suitable for applications with steady-state or predictable workloads and can offer
significant cost savings over On-Demand pricing.

Spot Instances:

Spot Instances allow you to bid on spare EC2 capacity, and you pay the current Spot price.
This option is highly cost-effective but can be terminated with short notice when the capacity is
needed for On-Demand or Reserved Instances.
Spot Instances are suitable for fault-tolerant, batch processing, or time-flexible workloads.

Dedicated Hosts:

Dedicated Hosts provide physical servers with dedicated resources for your use.
This option is useful for compliance and licensing requirements where you need full control over
the physical infrastructure.
Savings Plans:

Savings Plans provide a flexible way to save on Amazon EC2 usage, as well as Fargate and
Lambda.
They offer greater flexibility than RIs and automatically apply savings to your usage.

Capacity Reservations:

Capacity Reservations allow you to reserve capacity for your EC2 instances without specifying a
particular instance type.

This is ideal for applications with specific capacity requirements.

AWS Systems Manager Session Manager:

Versatile Access: Session Manager allows you to manage not only Amazon EC2 instances but
also virtual machines or servers in your on-premises environment that are configured for
Systems Manager. It's not limited to just EC2.

Browser-Based or CLI: You can connect to your instances through the AWS Management
Console (in a browser) or via the AWS CLI (Command Line Interface). There's no need to open
any inbound ports, manage SSH keys, or use bastion hosts.

Centralized Management: It integrates with AWS Systems Manager, which provides a unified
interface for centralized management of your AWS and on-premise systems.

Audit and Logging: Session Manager automatically logs all session activity to Amazon S3 or
CloudWatch Logs for auditing purposes. This gives you a detailed record of who did what and
when.

IAM Integration: It allows fine-grained access control using AWS Identity and Access
Management (IAM) policies.

EC2 Instance Connect:

EC2-Focused: Instance Connect is specifically designed for EC2 instances and doesn't support
on-premise servers or other AWS services.

SSH Connectivity: It provides a way to use SSH (Secure Shell) to connect to your EC2
instances, and it manages the SSH keys for you. It’s essentially a more secure and managed
way to use SSH.
Temporary Credentials: Instance Connect generates one-time use SSH keys, which enhances
security by ensuring that keys are not reusable.

IAM Integration: Just like Session Manager, Instance Connect also uses IAM to control who can
connect to EC2 instances.

Key Differences:
Scope: Session Manager can be used with a broader range of infrastructure, while Instance
Connect is specifically for EC2.
Connectivity: Session Manager does not require SSH and uses a browser-based or CLI
approach, while Instance Connect is an improved SSH experience that handles SSH keys for
you.
Integration: Session Manager is part of the larger Systems Manager suite, offering more
features and integration with other AWS services for comprehensive management.
In simple terms, if you just need to securely access your EC2 instances occasionally, EC2
Instance Connect is a straightforward option. But if you're looking for a more comprehensive
management tool that provides broader access and integrates with AWS Systems Manager's
features, Session Manager is the way to go.

An autoscaling group is like having a team of workers where you can automatically bring in
more workers or let some go based on how much work there is. If the workload increases, you
automatically get more workers. If it decreases, you don't need as many, and some can leave.
This helps you make sure that you always have just the right amount of workers to handle the
job without wasting resources.

A placement group, on the other hand, is like organizing the desks in your office to make sure
that workers can communicate really quickly or have enough space to do their jobs without
getting in each other's way. In computer terms, this means that servers are either placed very
close together to work fast together or spread out to reduce the chance of many failing at once.

So, in the context of cloud computing:

An autoscaling group adjusts the number of servers (or instances) based on demand.
A placement group controls how servers are positioned in the cloud to optimize for network
performance or reliability.

Cluster Placement Group: All the computers are put close together so they can talk to each
other super quickly. Great for when they need to work on something together really fast.

Spread Placement Group: Each computer is kept far from the others, so if one has a problem,
the others are fine. This is good when you want to make sure that if one computer goes down, it
doesn't affect the rest.
Partition Placement Group: Computers are grouped into separate areas. If one area has a
problem, the other areas keep working normally. This is a mix of working together and staying
safe if something goes wrong.

An Elastic Network Interface (ENI) in cloud computing, particularly in Amazon Web Services
(AWS), is like a virtual network card. It's attached to an EC2 instance (which is like a virtual
computer) and enables that instance to connect to different network resources within the AWS
environment.

Here's what it can do, in simple terms:

It gives the EC2 instance an IP address so that it can communicate with the internet or other
instances.
It can handle the traffic rules, deciding what kind of access the instance should have.
You can add more than one ENI to an instance if you need to connect it to different network
segments or if you need a separate network for management traffic.

Think of an ENI as your computer's plug into the internet, but it also has some extra settings that
let you control what kind of data goes in and out.

Hibernating an EC2 instance in AWS is like putting your laptop to sleep with all your open
applications and documents so that when you turn it back on, everything is exactly as you left it.

When you hibernate an EC2 instance:

The current state of the system (memory) is saved to a file on the root EBS (Elastic Block Store)
volume.
The instance is then stopped, not terminated. You're not paying for instance usage while it's
stopped.
When you restart the instance, the memory saved to the EBS volume is reloaded, and the
system resumes from where it was. It means you don't have to save your work and can pick up
right where you left off.
This is particularly useful for long-running processes or complex setups that you don't want to
rebuild every time you start the instance.

AMI (Amazon Machine Image):

An AMI is a pre-configured virtual machine image, which includes the necessary information to
launch an instance, i.e., a virtual server, in the cloud. It contains the operating system,
application server, and applications.

Snapshot:

A snapshot is a point-in-time copy of the data on an Amazon Elastic Block Store (EBS) volume.
EBS is a type of storage in AWS that can be attached to EC2 instances. Snapshots are often
used for backup and to create new EBS volumes with the same data.
In summary:

AMI is an image that includes an entire machine setup (OS, applications, configurations) and is
used to launch new instances.

Snapshot is a backup of the data on an EBS volume, and it's often used for data recovery and
to create new volumes.

---------------------------------------------------------------------------------

VPC

Nat Instance

Purpose:

NAT instances are used to provide internet access to private instances within a VPC.
They act as an intermediary for outbound traffic from private instances, translating their private
IP addresses to a public IP address for communication with the internet.

Types of NAT in AWS:

NAT Instances: These are EC2 instances created by the user in the public subnet of the VPC.
They run NAT software, like iptables, and are managed by the user.

NAT Gateways: These are managed AWS services that offer high availability, scalability, and are
easier to set up. NAT gateways are recommended for most use cases, but NAT instances can
still be useful in some situations.
Configuration of NAT Instances:
A NAT instance must be deployed in a public subnet and must have an Elastic IP (EIP)
associated with it. An EIP provides a static public IP address that is used for NAT translation.
The security group for the NAT instance should allow outbound traffic but restrict inbound traffic
to only necessary protocols and ports.
The route table for private subnets should be configured to route outbound traffic to the NAT
instance.

Outbound Traffic Flow:

When a private instance in the VPC wants to access the internet, it sends its traffic to the NAT
instance.
The NAT instance translates the private IP address of the sender to its own public IP address,
allowing the traffic to reach the internet.

The response traffic from the internet is sent back to the NAT instance, which then forwards it to
the original private instance.
----------------------------------------------

vpc endpoint

A VPC endpoint in Amazon Web Services (AWS) is a networking component that allows you to
privately connect your Amazon Virtual Private Cloud (VPC) to AWS services and resources
without the need for public internet access. VPC endpoints enhance security, reduce data
transfer costs, and improve network performance by providing a direct, private connection to
AWS services. There are two types of VPC endpoints:

1. Gateway Endpoints (S3 and DynamoDB):

S3 Gateway Endpoint: This allows your VPC to privately access Amazon S3 (Simple Storage
Service) without needing to go over the public internet. It helps enhance security and reduce
data transfer costs for S3 operations.

DynamoDB Gateway Endpoint: Similar to the S3 gateway endpoint, this allows private
connectivity to Amazon DynamoDB for VPC resources. It keeps traffic between your VPC and
DynamoDB within the AWS network.

2. Interface Endpoints:

Interface Endpoints for AWS Services: These are used for privately connecting to various AWS
services, such as AWS Systems Manager, AWS Secrets Manager, Amazon SNS (Simple
Notification Service), and others. They provide a more flexible way to access these services
securely.
Key points about VPC endpoints:

Security: VPC endpoints enhance security by keeping traffic within the AWS network, avoiding
exposure to the public internet. This helps protect sensitive data and resources.

Performance: By using VPC endpoints, you can reduce data transfer latency and improve
network performance since the traffic doesn't need to traverse the public internet.

No NAT Gateway Required: VPC endpoints eliminate the need for Network Address Translation
(NAT) gateways to connect to AWS services, which can reduce operational overhead and cost.

Private Connectivity: VPC endpoints provide a private, secure connection, making them suitable
for scenarios where public internet access is not desired or allowed.

Resource Access: VPC endpoints can be configured to control which resources within your VPC
can access the associated service. This provides fine-grained control over access.

Monitoring and Logging: VPC endpoints often offer monitoring and logging capabilities, allowing
you to track and analyze traffic to and from the connected service.
-----------------------------------------------------------

In summary, VPC endpoints in AWS are essential for securely connecting your VPC to AWS
services without exposing your data to the public internet. They enhance security, reduce data
transfer costs, and improve network performance for your AWS resources.
------------------------------------------------------

VPC flow logs

VPC (Virtual Private Cloud) Flow Logs are a feature provided by Amazon Web Services (AWS)
that allow you to capture information about the IP traffic going to and from network interfaces in
your VPC. These logs provide valuable insights into network traffic and can be used for various
purposes, including security, troubleshooting, and compliance. Here are the key details about

VPC Flow Logs:

Traffic Visibility:

VPC Flow Logs capture information about the traffic that flows to and from network interfaces in
your VPC.
This includes details such as source and destination IP addresses, port numbers, protocol,
packet and byte counts, and more.
Monitoring and Troubleshooting:
Flow Logs are a valuable tool for monitoring and troubleshooting network issues within your
VPC.
You can use them to track network behavior, diagnose connectivity problems, and investigate
potential security incidents.

Security and Compliance:

Flow Logs can be used for security and compliance purposes, helping you detect and
investigate potentially unauthorized or malicious traffic.
They can aid in compliance with regulatory requirements and security best practices.
Customization:

You have the flexibility to choose which network interfaces and traffic types you want to log.
You can configure Flow Logs at the VPC, subnet, or network interface level.
Integration with Other AWS Services:

Flow Logs can be sent to other AWS services for further analysis, such as Amazon CloudWatch
Logs for monitoring, Amazon S3 for storage, or third-party analysis tools.
Retention and Storage:

Flow Logs are typically stored in Amazon CloudWatch Logs or Amazon S3, depending on your
configuration.
You can specify the retention period for the logs to meet your compliance and analysis needs.
Log Record Format:

Flow Logs are stored in a specific format that includes fields like the source and destination IP
addresses, source and destination port numbers, protocol, and action (ACCEPT or REJECT).
CloudWatch Alarms:

You can create CloudWatch Alarms based on specific Flow Log data patterns, allowing you to
receive notifications when certain network events occur.
Resource Overhead:

Enabling Flow Logs does consume some additional network resources, as it logs network traffic
data. However, this overhead is generally low.
Access Control:

You can control access to your Flow Logs by configuring the associated IAM (Identity and
Access Management) roles and permissions.
-------------------------------------------------------

A Site-to-Site VPN (Virtual Private Network) in Amazon Web Services (AWS) involves
connecting an AWS Virtual Private Cloud (VPC) to an on-premises network or another remote
network. It typically includes the following components:
Customer Gateway (CGW):

A Customer Gateway represents the customer's side of the VPN connection.

It's typically a physical device or software appliance located in the customer's data center or
on-premises network.
The Customer Gateway device is responsible for establishing the secure connection to AWS
over the internet using IPsec VPN protocols.

Virtual Private Gateway (VPG):

A Virtual Private Gateway is the AWS-side component of the VPN connection.

It is attached to the VPC and facilitates communication between the VPC and the on-premises
network.
It acts as a termination point for the VPN connection from the Customer Gateway.
Site-to-Site VPN Connection:

The Site-to-Site VPN Connection represents the logical connection between the Customer
Gateway and the Virtual Private Gateway.
It includes configuration information for the VPN connection, such as encryption settings,
routing, and pre-shared keys.
The Site-to-Site VPN Connection allows secure, encrypted traffic to flow between the
on-premises network and the VPC.
Here's an overview of how these components work together:

The Customer Gateway device establishes an encrypted connection to the Virtual Private
Gateway in AWS over the public internet. This connection forms the VPN tunnel.

Once the VPN tunnel is established, traffic between the on-premises network and the VPC is
encrypted and securely transmitted over the tunnel.

Routing tables in both the VPC and the on-premises network are updated to direct traffic to and
from the VPN connection.

The Virtual Private Gateway handles the decryption and routing of traffic within the AWS
network, directing it to the appropriate VPC.

Similarly, the Customer Gateway handles the traffic within the on-premises network, directing it
to the appropriate resources.

This setup allows secure and private communication between resources in the VPC and the
on-premises network, effectively extending your on-premises network into your VPC.
Site-to-Site VPNs are commonly used for scenarios where you need to connect your AWS
resources with on-premises data centers, branch offices, or other remote networks. It provides a
secure and encrypted connection over the public internet, allowing for seamless communication
between the two networks.

-----------------------------------------------------------

Direct connect and direct connect gtw

Amazon Direct Connect and Direct Connect Gateway are networking services offered by
Amazon Web Services (AWS) that facilitate private and dedicated connections between
on-premises data centers and AWS regions. However, they serve different purposes and are
used in various network architectures:

Amazon Direct Connect:

Purpose:

Amazon Direct Connect is a service that provides dedicated, private network connections from
your on-premises data center to specific AWS regions.
It allows you to establish a dedicated physical connection that offers lower latency, more
consistent network performance, and higher data transfer rates compared to internet-based
connections.
Connection Types:

Amazon Direct Connect offers two primary connection types:

Dedicated Connections: These provide a single, private connection from your on-premises
network to an AWS Direct Connect location.
Hosted Connections: These are provided by AWS Direct Connect Partners and allow you to
connect to AWS over the partner's network.
Use Cases:

Amazon Direct Connect is commonly used for applications that require low-latency and reliable
network connections, such as data migration, real-time data analysis, hybrid cloud deployments,
and disaster recovery scenarios.
Direct Connect Gateway:

Purpose:

The Direct Connect Gateway is a service introduced by AWS that simplifies and centralizes
connectivity between your on-premises network and multiple VPCs (Virtual Private Clouds) in
different AWS regions.
It allows you to establish a single Direct Connect connection from your data center to the Direct
Connect Gateway, and from there, extend private connectivity to multiple VPCs in different AWS
regions.
Use Cases:

Direct Connect Gateway is useful when you need to connect your on-premises network to
multiple VPCs across different AWS regions. This simplifies network architecture and reduces
the need for multiple Direct Connect connections.
Connection Types:

Direct Connect Gateway supports both private and transit virtual interfaces. Private virtual
interfaces connect to a single VPC, while transit virtual interfaces connect to multiple VPCs.
Routing:

Direct Connect Gateway simplifies the routing of traffic between the Direct Connect location and
the VPCs, reducing the complexity of setting up BGP (Border Gateway Protocol) sessions for
each VPC.

In summary, Amazon Direct Connect provides dedicated connections from your on-premises
data center to specific AWS regions, offering high-performance, low-latency connections. Direct
Connect Gateway, on the other hand, simplifies the connectivity between your data center and
multiple VPCs across different AWS regions, making it easier to manage and extend private
connections in a multi-region AWS environment. These services can be used individually or in
conjunction to meet specific network requirements.

--------------------------------------------------------------------------

Transit gateway

An AWS Transit Gateway is a networking service provided by Amazon Web Services (AWS)
that simplifies the connectivity and routing between multiple Virtual Private Clouds (VPCs), VPN
connections, and Direct Connect connections. It acts as a hub that allows you to consolidate
and centrally manage network traffic within your AWS infrastructure. Here are key features and
details about Transit Gateways:

1. Centralized Hub:

Transit Gateways serve as a centralized hub for connecting multiple VPCs, remote networks
(through VPN and Direct Connect), and various AWS services.
2. Simplified Routing:

Transit Gateway simplifies the network architecture by providing a single point of entry and exit
for traffic between your on-premises network or remote networks and your VPCs.
3. Dynamic Routing:

Transit Gateway supports dynamic routing using the Border Gateway Protocol (BGP). This
allows for automated and efficient routing updates between the Transit Gateway and connected
networks.
4. Scalability:

Transit Gateways are designed for high scalability, allowing you to connect to hundreds of VPCs
and remote networks.
5. Simplified Security and Network Policies:

Transit Gateway simplifies security and network policies by centralizing control and allowing you
to implement routing and security rules at the Transit Gateway level.
6. VPC Peering:

Transit Gateway supports VPC peering, allowing VPCs connected to the same Transit Gateway
to communicate with each other without the need for complex VPC peering arrangements.
7. Integration with AWS Direct Connect Gateway:

Transit Gateway can be integrated with AWS Direct Connect Gateway to extend connectivity
and routing for hybrid cloud configurations that include AWS Direct Connect connections.
8. Multicast Support:

AWS Transit Gateway also supports multicast traffic for scenarios that require multicast support.
9. Simplified Hybrid Cloud Architectures:

Transit Gateway simplifies the design of hybrid cloud architectures by providing a single point of
connectivity for on-premises networks, remote data centers, and VPCs in the AWS cloud.
10. Monitoring and Logging:

You can use Amazon CloudWatch and VPC Flow Logs to monitor and analyze traffic patterns
and network performance.
11. AWS Network Manager:

AWS Network Manager can be used to simplify the management of Transit Gateways and
associated resources, providing visibility and control over your network.

In summary, AWS Transit Gateway simplifies network architecture and management by

centralizing network connectivity and routing for VPCs, remote networks, and AWS services. It
is designed for scalability and is particularly useful in complex, multi-VPC and hybrid cloud
configurations where centralized control and simplified routing are important.

----------------------------------------------------
Igress internet gtw

Internet Gateway (IGW):

Purpose:

An Internet Gateway is a horizontally scaled, highly available AWS service that allows
communication between instances in your Virtual Private Cloud (VPC) and the public internet.
It enables instances within your VPC to have outbound internet connectivity and also allows
inbound traffic from the internet to reach instances in your VPC.

Routing:

An Internet Gateway is attached to a VPC and is used to route traffic from instances with public
IP addresses or Elastic IP addresses to the internet.
In the route table of your VPC, there is a default route via the Internet Gateway for public
internet-bound traffic.

Security and Access Control:

Access control to instances in your VPC is managed through security groups and network
access control lists (NACLs).
The Internet Gateway does not have security groups or access control lists associated with it; it
is a routing and connectivity component.

Egress-Only Internet Gateway:

Purpose:

An Egress-Only Internet Gateway is used to allow outbound IPv6 traffic from instances in your
VPC to the public IPv6 internet, while preventing inbound traffic initiated from the internet from
reaching your instances.

IPv6 Egress Traffic:

It specifically addresses the needs of IPv6 connectivity. It enables instances with IPv6
addresses in your VPC to access external IPv6 resources on the public internet.
Ingress Traffic Restriction:

Egress-Only Internet Gateways prevent unsolicited incoming traffic from the public IPv6 internet
from reaching instances in your VPC. This is important for security.
In summary, the Internet Gateway (IGW) is used for providing outbound and inbound internet
connectivity for instances within a VPC, while the Egress-Only Internet Gateway is used to
enable outbound IPv6 traffic from instances in your VPC while restricting unsolicited inbound
traffic from the public IPv6 internet. Both gateways are used to facilitate internet communication
in VPCs, but they serve different purposes and address different connectivity requirements.

----------------------------------------------------------

Firewall

AWS Web Application Firewall (WAF):

AWS WAF is a web application firewall that helps protect your web applications from common
web exploits.
It allows you to define rules to filter traffic, block malicious requests, and filter out unwanted
traffic.

Security Groups:

Security Groups are stateful firewalls that control inbound and outbound traffic to Amazon EC2
instances.
You can define rules to allow or deny specific types of traffic to your instances based on IP
addresses, ports, and protocols.

Network Access Control Lists (NACLs):

NACLs are stateless firewalls that control traffic at the subnet level in a VPC.
They allow you to define rules to control inbound and outbound traffic based on IP addresses
and port ranges.

VPC Peering:

VPC peering allows you to create private, direct connections between VPCs.
This can help control and secure traffic between different VPCs.
Amazon GuardDuty:

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity
and unauthorized behavior in your AWS environment.
AWS Network ACL Logging:

You can enable VPC Network ACL logging to monitor and analyze traffic flows and detect
unusual patterns or potential security issues.
Third-Party Firewalls:
You can also deploy third-party firewall solutions within your AWS environment to provide
advanced firewall capabilities.
--------------------------------------------------------.

VPC: The overall container that holds all the following components. Think of it like a virtual data
center.

Subnets: Sections within the VPC. A VPC can contain multiple subnets. Subnets can be either:

Private: No direct access from the outside.

Public: Has a direct route to the public internet, usually through an Internet Gateway.

Internet Gateway (IGW): Acts as a bridge between your VPC and the internet. It allows
resources in your VPC to communicate with the internet.

Route Tables: They define rules on how traffic should be directed. For instance, you can set a
route to direct traffic from your subnet to the internet via the IGW.

Network Access Control Lists (NACLs): Act as a firewall for controlling traffic in and out of
subnets. You can define allow or deny rules.

Security Groups: They are like firewalls for individual instances (like VMs) and operate at the
instance level. You set rules for inbound and outbound traffic.

Elastic IP: A static, public IPv4 address that can be dynamically mapped to any instance in your
VPC. Useful for hosting websites, for instance.

NAT (Network Address Translation) Gateway/Instances: Allow instances in a private subnet to

initiate outbound traffic to the internet but prevent unsolicited inbound traffic from the internet.

Peering: Connects one VPC with another in a secure way. This allows for inter-VPC resource
communication.

VPN Gateway: Helps in connecting a VPC to a physical data center or other network via a
secure VPN connection.

Endpoint: A specific route for directing traffic within the VPC to avoid using the public internet.
g
Flow Logs: Records of network traffic in the VPC, useful for monitoring and debugging.
--------------------------------------------------------------

Storage types
Amazon Simple Storage Service (S3)

S3 Standard: General-purpose object storage.

S3 Intelligent-Tiering: Automatically moves objects between two access tiers (frequent and
infrequent access) depending on changing access patterns.
S3 Standard-IA (Infrequent Access): For data that is accessed less frequently but requires rapid
access when needed.
S3 One Zone-IA: Stores data in a single availability zone and costs less than Standard-IA.
S3 Glacier & S3 Glacier Deep Archive: For long-term data archiving and backup. Glacier is for
retrievals within minutes to hours, while Deep Archive is for retrieval within 12 hours.

Amazon Elastic Block Store (EBS)

Provides block-level storage volumes for Amazon EC2 instances.

Types include:
EBS Provisioned IOPS SSD (io1 & io2): For I/O intensive applications.
EBS General Purpose SSD (gp2 & gp3): Balanced price and performance.
EBS Throughput Optimized HDD (st1): For frequently accessed, throughput-intensive
workloads.
EBS Cold HDD (sc1): For less frequently accessed workloads.
EBS Magnetic (standard): Previous generation, lower-cost option.

Amazon Elastic File System (EFS)

Managed file storage service that can be mounted onto several EC2 instances.

Amazon FSx

Amazon FSx for Windows File Server: Supports Windows-based applications.

Amazon FSx for Lustre: For compute-intensive workloads, integrates with S3.

Amazon Storage Gateway

Hybrid cloud storage service that integrates on-premises environments with cloud storage.
Types include:
File Gateway: For flat files, integrated with S3.
Volume Gateway: Block storage, snapshots as EBS, backups as S3.
Tape Gateway: Virtual tape backup, integrated with S3 Glacier.

AWS Snow Family

Data migration services including:

Snowcone: Small, portable edge computing and data transfer device.
Snowball & Snowball Edge: Devices for large-scale data migrations and edge workloads.
Snowmobile: An exabyte-scale data transfer service used in vehicles.

AWS Backup

Centralized backup service across AWS services.

-------------------------------------------------------

Block Storage

What is it?
Block storage splits data into fixed-sized blocks (or "chunks") and stores them with a unique
identifier.
Characteristics:
Low Latency: Generally faster and has lower latency than object storage.
File System: Operates at a lower level and does not have a built-in file system or metadata. The
operating system on which it's mounted decides how the data is organized.
Use Cases:
Databases: Because of the fast read/write operations, databases often use block storage.
Elastic Compute: Virtual machine file systems like those on AWS EC2 instances with EBS
(Elastic Block Store) volumes.
Advantages:
Performance: Generally more performant for operations that require fast and frequent read/write
operations.
Disadvantages:
Scalability: Not as easily scalable as object storage. You typically need to decide the storage
size in advance, and resizing can be complex.
Cost: Can be more expensive per GB than object storage.

Object Storage
What is it?
Object storage manages data as objects (and not as a file hierarchy or blocks). Each object
contains the data, metadata, and a unique identifier.
Characteristics:
Metadata: Stores rich metadata with the data, making it easier to manage and search.
Flat Namespace: Unlike hierarchical file systems, it uses a flat namespace, meaning objects are
retrieved using their unique ID and not by a file path.
Use Cases:
Archiving: For long-term storage and backup solutions.
Content Distribution: For multimedia content, images, videos, etc.
Big Data: Suitable for analytics and machine learning datasets.
Web Applications: To store user-generated content like photos, videos, and more.
Advantages:
Scalability: Easily scalable to store vast amounts of data.
Web Integration: Built to be accessed over HTTP/HTTPS, making integration with web apps
more straightforward.
Cost-effective: Generally more affordable for storing large amounts of data.
Disadvantages:
Latency: Generally has higher latency compared to block storage.
Not Suitable for Primary Storage: While it can be used for primary storage, its design suits
secondary storage tasks like backups and archives better.

---------------------------------------------

Amazon S3: Simplified Explanation

Amazon S3 is like a big digital storage box in the cloud where you can put and get your files.
Each file can be like a photo, a document, a video, etc. When you put a file in S3, you store it in
a "bucket" (think of it like a folder). You can then share a link to the file or keep it private, and
you can get to it from anywhere in the world.

Amazon S3: Detailed Explanation

What is it?

Amazon S3 is a scalable object storage service from AWS. It's designed to store and retrieve
any amount of data from anywhere on the web.
Buckets:

Buckets are the primary containers in S3, similar to folders or directories. Every object (file) in
S3 is stored in a bucket. Buckets have a unique name globally across S3.
Objects:

An object is essentially a file and its metadata. Each object has a unique key (like its file name)
that helps in its retrieval.
Data Lifecycle:

S3 allows you to set lifecycle policies on objects. For instance, you can automatically move
older data to cheaper storage classes or delete them after a certain period.
Storage Classes:

S3 offers different storage classes that vary in durability, availability, and cost. Examples include:
S3 Standard: For general-purpose storage.
S3 Intelligent-Tiering: Automatically moves objects between two access tiers based on how
often they're accessed.
S3 Standard-IA: For less frequently accessed data that still needs quick access when called.
S3 Glacier & Glacier Deep Archive: For long-term archival, with Glacier allowing quicker access
than Deep Archive.
Security & Access Control:

S3 provides features to control access to your data using bucket policies, Access Control Lists
(ACLs), and AWS Identity and Access Management (IAM) policies.
It also offers server-side encryption to protect your data at rest.
Data Transfer Acceleration:

An S3 feature that speeds up transferring files to and from S3 by using Amazon's CloudFront's
globally distributed edge locations.
Event Notification:

You can set up event notifications on your S3 buckets to trigger a Lambda function, SQS queue,
or SNS topic upon certain events (e.g., object creation or deletion).
Versioning:

This feature allows you to keep multiple variants of an object in the same bucket. Useful for
backup and recovery.
Replication:

You can set up S3 to automatically replicate objects across different buckets or AWS regions for
better availability and redundancy.
------------------------------------------------------------------------

EBS

Amazon EBS: Detailed Explanation

What is it?

Amazon EBS provides block storage, similar to the hard drives in your computer but in the
cloud. You can use it with Amazon EC2 instances.
Durability:

EBS volumes are automatically replicated within their Availability Zone (AZ), making them more
durable and ensuring data isn't lost due to a single failure.
Types of EBS Volumes:

General Purpose SSD (gp2 & gp3): Good for most workloads, like web servers or dev/test
environments.
Provisioned IOPS SSD (io1 & io2): Best for I/O-intensive applications like databases.
Throughput Optimized HDD (st1): Ideal for frequently accessed, throughput-intensive workloads
like data lakes.
Cold HDD (sc1): Designed for infrequent access.
Magnetic: Older generation, infrequently accessed storage.
Snapshots:

You can take backups of your EBS volumes. These backups, called snapshots, are stored in
Amazon S3.
Security:

Data on EBS can be encrypted both in transit and at rest. AWS provides keys for encryption, or
you can use your own.
Flexibility:

EBS volumes can be easily resized, and you can also change their type based on your needs.
Availability:

While an EBS volume can only be attached to one EC2 instance at a time, it can be detached
and attached to another instance. This makes data migration or recovery easier.

—-------------------------------------------------------------------------------

EFS vs EBS
Amazon Elastic File System (Amazon EFS) is a fully managed file storage service provided by
Amazon Web Services (AWS). It is designed to provide scalable and highly available file
storage for use with Amazon EC2 instances and other AWS services. Here are some key points
about Amazon EFS:

Scalable and Elastic:

Amazon EFS can automatically grow or shrink in size as you add or remove files, providing a
scalable and elastic file storage solution.
Shared File Storage:

EFS allows multiple EC2 instances to access the same file system concurrently, making it
suitable for shared workloads and applications that require shared access to data.
Support for Network File System (NFS) Protocol:

EFS supports the industry-standard NFSv4 protocol, making it compatible with a wide range of
applications and systems.
Performance:
EFS is designed to provide low-latency performance for a variety of workloads. It can scale its
throughput automatically based on the amount of data stored.
Data Lifecycle Management:

Amazon EFS provides features like lifecycle management to automatically move files to
lower-cost storage classes as they age, helping you optimize costs.
High Availability and Durability:

EFS is designed for high availability and durability. It stores data across multiple Availability
Zones within a region to ensure resilience.
Use Cases:

Shared workloads and applications that require shared access to files.

Content management systems, web serving, development environments, and more.
Mount Targets:

To access an Amazon EFS file system, you need to create mount targets in your Virtual Private
Cloud (VPC). Each mount target provides an IP address that you use to mount the file system
on your EC2 instances.
Encryption:

EFS supports encryption at rest and in transit, providing security for your file data.
Pay-as-You-Go Pricing:

Amazon EFS follows a pay-as-you-go pricing model, where you pay for the storage you use.
Amazon EFS is a versatile and managed file storage solution that simplifies the process of
setting up and managing shared file systems in the cloud. It's suitable for a wide range of
applications and workloads that require scalable and shared file storage.

User
ebs vs efs
ChatGPT
Amazon Elastic Block Store (EBS) and Amazon Elastic File System (EFS) are both storage
services offered by AWS, but they serve different purposes and are designed for different use
cases. Here's a comparison between EBS and EFS:

Amazon EBS (Elastic Block Store):

Type of Storage:

EBS provides block-level storage, which is essentially raw storage that can be attached to an
EC2 instance. It appears as a block device to the instance.
Use Cases:
EBS is suitable for use cases where you need low-latency and high-performance storage for a
single EC2 instance, such as database storage or boot volumes for EC2 instances.
Performance:

EBS volumes come in different types, including General Purpose SSD (gp2), Provisioned IOPS
SSD (io1/io2), Throughput Optimized HDD (st1), Cold HDD (sc1), and Magnetic (standard).
Each type is optimized for different performance characteristics and use cases.
Single EC2 Instance:

Each EBS volume is typically attached to a single EC2 instance. While you can detach and
move volumes between instances, only one instance can access a particular EBS volume at a
time.
Amazon EFS (Elastic File System):

Type of Storage:

EFS provides file-level storage, offering a file system that can be mounted by multiple EC2
instances simultaneously. It uses the NFSv4 protocol.
Use Cases:

EFS is designed for use cases that require shared access to files across multiple EC2
instances. It's suitable for applications that need shared data, such as content management
systems, development environments, and data-sharing workflows.
Scalability:

EFS is highly scalable and elastic, automatically growing or shrinking in size based on the
amount of data stored. It supports concurrent access from multiple EC2 instances.
Performance:

EFS is designed to provide low-latency performance for a wide range of workloads. It can
automatically scale its throughput based on the storage size.
Availability:

EFS is designed for high availability and durability, storing data across multiple Availability
Zones within a region.
Choosing Between EBS and EFS:

Choose EBS when you need block-level storage for a single EC2 instance with specific
performance characteristics.
Choose EFS when you need shared file storage that can be accessed by multiple EC2
instances simultaneously, and you require the flexibility to grow or shrink your storage capacity
dynamically.

----------------------------------------------------------------------------------
ELB

Application Load Balancer (ALB):

Layer:

Operates at Layer 7 (Application Layer) of the OSI model.

Use Cases:

Routing HTTP/HTTPS traffic.

Best suited for web applications with URL-based routing.
Features:

Content-based routing.
Supports host-based and path-based routing.
Can route to multiple applications on a single EC2 instance.
Integration with AWS WAF (Web Application Firewall).
Protocols:

Supports HTTP and HTTPS.

Network Load Balancer (NLB):

Layer:

Operates at Layer 4 (Transport Layer) of the OSI model.

Use Cases:

Ultra-high performance applications.

TCP, UDP, and TLS traffic where low latency is crucial.
Static or elastic IP addresses for applications.
Features:

Can handle millions of requests per second.

Suitable for sudden and volatile traffic patterns.
Maintains source IP address, allowing the back-end to see the IP address of the client.
Protocols:

Supports TCP, UDP, and TLS.

Gateway Load Balancer (GWLB):

Layer:
Operates at Layer 3 (Network Layer) of the OSI model.
Use Cases:

Introducing third-party virtual appliances (e.g., firewalls, intrusion detection systems) into
network paths.
"Bump-in-the-wire" or "transparent interception" scenarios.
Features:

Seamlessly and transparently route traffic to and from virtual appliances.

Works in conjunction with GPRS (Gateway Load Balancer Endpoints).
Traffic stickiness ensures consistent routing to specific targets.
Supports jumbo frames and enhanced networking features like SR-IOV.

Protocols:Amazon RDS: Overview

Managed Service:

AWS takes care of routine database tasks such as provisioning, patching, backup, recovery,
and scaling. This allows developers to focus on their application and not the underlying
database operations.
Database Engines:

RDS supports several popular database engines:

MySQL
PostgreSQL
MariaDB
Oracle
SQL Server
Amazon Aurora (A custom-built database by AWS that is compatible with MySQL and
PostgreSQL but offers better performance and scalability).
Scalability:

Offers automatic scaling to handle increased loads. With Aurora, you can also have serverless
configurations where scaling is even more flexible.
Backup and Recovery:

Automated backups, database snapshots, and automated replication are provided to enhance
availability and reliability.
Allows for point-in-time recovery.
High Availability with Multi-AZ Deployments:

RDS provides the option for Multi-AZ deployments where a primary database is replicated in
another availability zone (AZ). This ensures database availability in case of an AZ failure.
Read Replicas:
To balance the load and optimize read-heavy database workloads, you can create one or more
replicas of your database.
Security:

Data can be encrypted at rest and in transit.

Integration with AWS Key Management Service (KMS) for managing encryption keys.
Supports VPCs, allowing you to isolate your database in your own virtual network.
Offers IAM (Identity and Access Management) integration for access control.
Maintenance and Updates:

RDS regularly updates the database software to patch known vulnerabilities. You can set
maintenance windows to control when these updates should occur.
Monitoring and Insights:

Integration with Amazon CloudWatch to monitor database performance metrics.

Offers RDS Performance Insights for an extended look into database performance and to
identify potential bottlenecks.
Pricing:

Pay-as-you-go model based on the database instance hours, storage, and data transfer.
-------------------------------------------------------------------------------------------

load balancer

Focuses on flow-based, bidirectional traffic patterns, not specific to any particular transport
protocol.
In Summary:
ALB is best for routing HTTP/HTTPS traffic and offers advanced routing features.
NLB is designed for ultra-high performance and low latency, handling TCP, UDP, and TLS traffic.
GWLB is tailored for situations where you need to route traffic through virtual network
appliances, working at the network layer for general flow-based bidirectional traffic.
Choosing between them depends on the specific requirements of your application and network
architecture.

------------------------------------------------------------------------------------------------------------

AWS IAM deep dive

Users:
Represents an individual person or service that interacts with AWS.
Users have unique credentials and can be assigned individual permissions.
Groups:

Collections of users.
Permissions are assigned to groups, and all users in that group inherit those permissions.
Useful for managing permissions for a set of users with similar responsibilities.
Roles:

Set of permissions that grant access to resources but are not associated directly with a specific
user or group.
Instead, roles are assumed by AWS services or users when they need to perform certain tasks.
Crucial for scenarios like assigning permissions to applications running on EC2 or delegating
permissions across AWS accounts.
Policies:

Documents (in JSON format) that define what actions are allowed or denied on which
resources.
Policies can be attached to users, groups, or roles.
AWS provides managed policies, or you can create custom policies.
Permissions Boundaries:

An advanced feature where an administrator sets the maximum permissions that a user or role
can have.
It’s a way to delegate permissions management to other users without them exceeding a certain
boundary.
Identity Providers & Federation:

IAM can integrate with external identity systems like Microsoft Active Directory using SAML
(Security Assertion Markup Language).

Allows users to log in to AWS using external credentials.

Multi-Factor Authentication (MFA):

An additional layer of security.

Requires users to present two or more separate forms of identification (something they know,
like a password, and something they have, like an authentication code from a device).
Credential Report:

A document that lists all of your account's users and the status of their various credentials
(passwords, access keys, MFA, etc.).

Access Advisor:
Tool within IAM that shows which services a user, group, role, or policy has permissions to use
and when those services were last accessed.
Helps in refining permissions to adhere to the principle of least privilege.
Service Control Policies (SCPs):

Used in AWS Organizations to set permission boundaries for member accounts.

Defines what services and actions accounts can and cannot use.
Access Analyzer:

Analyzes resource policies to help ensure that the resources are not shared unintentionally with
entities outside of your AWS account.

STS (Security Token Service):

Provides temporary, limited-privilege credentials for IAM and AWS resources. Useful for
scenarios like cross-account access or granting temporary access.
Best Practices:
Least Privilege Principle: Start with minimum permissions and grant additional permissions as
necessary.
Avoid Root Account: Don't use the root AWS account for daily tasks; create individual IAM
users.
Use Roles: For EC2 instances or AWS Lambda functions, use IAM roles to grant permissions.
Regularly Rotate Credentials: Rotate and remove unnecessary IAM access keys regularly.
Audit with CloudTrail: Use AWS CloudTrail to keep an audit log of all actions done by IAM users.
----------------------------------------------------