AWS

AWS CloudFormation simplifies the creation and management of AWS resources through templates, allowing users to model their infrastructure without manual intervention. The document also outlines various AWS tools for security and performance, including AWS Shield, WAF, CloudFront, and EC2 instance types, while discussing best practices for cost optimization and compliance. Additionally, it covers disaster recovery planning and the importance of high availability in AWS architectures.

Uploaded by rajananth

AWS CloudFormation

It provides a simple way to create and manage a collection of AWS resources by provisioning
and updating them in an orderly and predictable way. In simple terms, it lets you model your
infrastructure and applications in a template instead of creating each resource by hand, which
reduces the effort of managing resources. An AWS CloudFormation template is a text file in JSON
or YAML that describes your AWS infrastructure. To create, view and modify templates you can use
AWS CloudFormation Designer or any text editor. Because a template is plain text it can be kept
under version control and reviewed before deployment, and a change set shows what a stack update
will do before it is applied.

Infrastructure as code (IaC) is the practice of provisioning and managing cloud resources by
writing a template file that is both human-readable and machine-consumable. Terraform does the
same job across many providers, whereas CloudFormation works only for AWS.

------------------------------------------------------------------------------------------------

Tools that help mitigate DDoS (Distributed Denial of Service) attacks

 AWS Shield: managed DDoS protection. Shield Standard is enabled automatically at no extra
cost and absorbs the most common network- and transport-layer floods; Shield Advanced is a
paid tier that adds tailored detection, cost protection for scaling during an attack, and
access to the AWS DDoS response team.
 AWS WAF (Web Application Firewall): helps protect web applications from common web
exploits such as SQL injection and cross-site scripting (XSS). Rules are grouped into a web
ACL that filters and monitors HTTP and HTTPS requests: match conditions on IP addresses,
HTTP headers or URI strings; rate-based rules that block a client IP once it exceeds a
request threshold within a time window; IP sets that allow or block specific addresses or
CIDR ranges; and geo-match rules that allow or block traffic by the country of the source IP.
AWS WAF integrates with Amazon CloudFront, Amazon API Gateway and Application Load
Balancers, so it can be placed in front of an application without changing the application.
AWS Managed Rules supply ready-made rule groups, and WAF logs can be sent to CloudWatch Logs,
Amazon S3 or Kinesis Data Firehose for investigation.
 Amazon Route 53: is a scalable and highly available Domain Name System (DNS) web service
provided by Amazon Web Services (AWS). It routes end-user requests to endpoints globally,
making it an integral part of the infrastructure for many web applications and services. Its
DNS endpoints are protected by AWS Shield, and health checks with failover routing let you
move traffic away from an endpoint that is under attack or unhealthy.
 Amazon CloudFront: is a content delivery network (CDN) service provided by Amazon Web
Services (AWS). It delivers web pages, videos, images and other static and dynamic assets
with low latency and high transfer speeds by caching content at edge locations (points of
presence) around the world and serving each request from the edge nearest to the user. This
gives faster load times and, because requests terminate at the edge, the origin is not exposed
directly; malicious traffic can be dropped at the edge by Shield and WAF before it reaches
the origin.

 ELB: is a service that automatically distributes incoming application traffic across multiple
targets, such as Amazon EC2 instances, containers, and IP addresses, within one or more
availability zones. ELB helps enhance the availability, fault tolerance, and scalability of
applications by ensuring that traffic is distributed evenly across healthy targets. Load
Balancer Types: Application Load Balancer (ALB): Operates at the application layer (Layer
7) and Network Load Balancer (NLB) Operates at the transport layer (Layer 4).
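To make the WAF bullet above concrete, here is an added example (not AWS WAF code, which is configured as web ACL rules rather than written) that models how an IP set, a geo-match rule and a rate-based rule decide on each request. The blocked ranges, the country code XX and the threshold of 100 requests per 5-minute window are constructed for the demo; the real WAF threshold is set per rule.

```python
"""Added example, not AWS WAF code: a model of how the three rule kinds in
the WAF bullet above (IP set, geo match, rate-based) decide on a request.
Real rules live in a web ACL; the blocklist, country code and threshold
here are constructed for the demo."""
from collections import defaultdict, deque
import ipaddress

# Constructed blocklist: WAF IP sets hold CIDR ranges, not just single hosts.
BLOCKED_NETS = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.7/32")]
BLOCKED_COUNTRIES = {"XX"}     # hypothetical ISO 3166-1 alpha-2 code
RATE_LIMIT = 100               # assumed limit per client IP per window
RATE_WINDOW_SECONDS = 300      # rate-based rules count over a 5-minute window


class WebAcl:
    """Evaluates rules in priority order; the first matching rule decides."""

    def __init__(self, limit=RATE_LIMIT, window=RATE_WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._seen = defaultdict(deque)  # client IP -> request timestamps

    def evaluate(self, src_ip, country, ts):
        """Return ('BLOCK', rule_name) or ('ALLOW', None) for one request."""
        ip = ipaddress.ip_address(src_ip)
        if any(ip in net for net in BLOCKED_NETS):
            return "BLOCK", "ip-set"
        if country in BLOCKED_COUNTRIES:
            return "BLOCK", "geo-match"
        hits = self._seen[src_ip]
        hits.append(ts)
        while hits and ts - hits[0] >= self.window:  # drop expired entries
            hits.popleft()
        if len(hits) > self.limit:
            return "BLOCK", "rate-based"
        return "ALLOW", None


def simulate(acl=None):
    """Run constructed traffic through the ACL and tally the decisions."""
    acl = acl or WebAcl()
    tally = defaultdict(int)

    def record(decision):
        action, rule = decision
        tally[rule or action] += 1

    # 150 requests from one client within 60 s: the rate rule trips at the 101st.
    for i in range(150):
        record(acl.evaluate("192.0.2.10", "US", i * 0.4))
    record(acl.evaluate("198.51.100.42", "US", 70.0))   # inside the blocked IP set
    record(acl.evaluate("192.0.2.20", "XX", 71.0))      # blocked by geo match
    # Same client again after the window has elapsed: its count has reset.
    record(acl.evaluate("192.0.2.10", "US", 400.0))
    return dict(tally)


if __name__ == "__main__":
    print(simulate())
```

A rate-based rule only throttles one client IP; an attacker spread across many addresses needs the IP-set, geo-match or managed-rule layers as well, which is why the rules are combined in one web ACL rather than used alone.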

VPC: is a virtual network dedicated to an Amazon Web Services (AWS) account. It provides a logically
isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you
define. With VPC, you have control over your network environment, including selecting your own IP
address range, creating subnets, and configuring route tables and network gateways. The default
quota is 200 subnets per VPC; it can be raised through Service Quotas.

Here is a selection of security products and features on VPC

 Security groups - act as a stateful firewall at the instance (network interface) level,
controlling inbound and outbound traffic. Because they are stateful, return traffic for an
allowed connection is permitted automatically, and rules can only allow, never deny.
 Network access control lists (NACLs) - act as a stateless firewall at the subnet level, with
numbered allow and deny rules evaluated in order; return traffic must be allowed explicitly.
 Flow logs - capture metadata (addresses, ports, protocol, byte counts, ACCEPT/REJECT) about
the IP traffic to and from network interfaces in your VPC, not the packet payloads, and can be
delivered to CloudWatch Logs or Amazon S3.
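Flow logs are only useful when something reads them. The following added example (not AWS code) parses records in the default flow log format and flags sources whose connections were REJECTed on many distinct destination ports, which is what a port scan against the VPC looks like. The log lines are constructed for the demo and the threshold of four ports is an assumption.

```python
"""Added example (not AWS code): parse VPC Flow Log records in the default
format and flag sources whose connections were REJECTed on many distinct
destination ports, a cheap port-scan signal. The log lines are constructed."""
from collections import defaultdict, namedtuple

# Field order of the default (version 2) flow log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
FlowRecord = namedtuple("FlowRecord", FIELDS)

# Constructed sample: one external host probing five ports on 10.0.1.12, one
# legitimate SSH session, one host retrying SSH twice, and a NODATA interval.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.12 51234 22 6 1 60 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.12 51235 23 6 1 60 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.12 51236 3389 6 1 60 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.12 51237 445 6 1 60 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.12 51238 1433 6 1 60 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.2.7 10.0.1.12 40022 22 6 20 4249 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.9 10.0.1.12 43002 22 6 1 60 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.9 10.0.1.12 43003 22 6 1 60 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000060 1700000119 - NODATA
"""


def parse_record(line):
    """Split one space-separated record into a FlowRecord (all fields as str)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return FlowRecord._make(parts)


def find_port_scanners(lines, min_ports=4):
    """Return {srcaddr: sorted distinct dst ports} for sources whose traffic
    was REJECTed on at least `min_ports` ports. NODATA/SKIPDATA records carry
    '-' in the flow fields and a status other than OK, so they are skipped."""
    rejected = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.log_status != "OK" or rec.action != "REJECT":
            continue
        rejected[rec.srcaddr].add(int(rec.dstport))
    return {src: sorted(ports) for src, ports in rejected.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    for src, ports in find_port_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"possible scan from {src}: rejected on ports {ports}")
```

A REJECT can come from a security group or from a NACL; the default record format does not say which. Flow logs also omit traffic to the instance metadata service (169.254.169.254) and to the Amazon DNS resolver, so they are not a complete record of what an instance talked to.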

CIDR (Classless Inter-Domain Routing): is a method for efficiently allocating and routing IP addresses on
the internet. A VPC CIDR such as 10.0.0.0/16 covers 65,536 addresses; a /24 subnet carved from it
covers 256, of which AWS reserves the first four and the last address, leaving 251 usable.

Amazon CloudWatch: It is designed to collect and track metrics, collect and monitor log files, and set
alarms to notify users of changes in their AWS resources. CloudWatch helps AWS users gain insights into
the performance, availability, and operational health of their applications and infrastructure. It also
lets you react to the status of various AWS services and to custom events: CloudWatch Events (now Amazon
EventBridge) can match and route events such as:
 State changes in Amazon EC2
 Auto Scaling lifecycle events
 Scheduled events
 AWS API calls (recorded by AWS CloudTrail)
 Console sign-in events (recorded by AWS CloudTrail)

AWS services that are global rather than region-specific are:

 IAM
 Route 53
 Web Application Firewall (when attached to a CloudFront distribution; web ACLs for ALB,
API Gateway and other regional resources are regional)
 CloudFront

A Network Address Translation (NAT) gateway is a managed service that allows instances in a private
subnet to initiate connections to services outside the VPC while remaining unreachable from the
internet. It translates IPv4 traffic; for IPv6-only workloads it offers NAT64 and DNS64, and for
outbound-only IPv6 access an egress-only internet gateway is used instead. An internet gateway allows
both inbound and outbound access to the internet, whereas a NAT gateway allows only outbound-initiated
connections (return traffic for those connections is allowed). There is no additional cost to use an
internet gateway, whereas a NAT gateway incurs hourly and per-GB data-processing charges.
A NAT instance is an EC2 instance that you run and patch yourself to provide network address
translation. You can use a NAT instance to allow resources in a private subnet to communicate with
destinations outside the VPC, such as the internet or an on-premises network.

A NAT gateway is generally the better choice: it is managed, highly available within its Availability
Zone, scales automatically and needs no security group or source/destination-check changes. Deploy one
per Availability Zone so that an AZ failure does not take out outbound connectivity for the others.

Mention the different types of instances in Amazon EC2 and explain their features.

1. General Purpose Instances: a balance of compute, memory and networking for a range of
workloads. Families: M7g, M6, M5, M4 (fixed performance) and T4g, T3, T2 (burstable).
2. Compute Optimized: ideal for compute-intensive applications such as batch processing,
high-performance web servers and machine learning inference. Families: C7, C6, C5.
3. Memory Optimized: for workloads that process large datasets in memory. Families: R7, R6,
R5, R4, X2, X1.
4. Accelerated Computing: use hardware accelerators (GPUs, FPGAs, custom ML chips) for
floating-point calculations, data pattern matching, graphics and ML. Families: P5, P4, P3,
P2, G, F, Inf, Trn.
5. Storage Optimised: for tasks that require high sequential read and write access to large
data sets on local storage. Families: I (NVMe SSD), D and H (HDD).

EC2 provides virtual computing environments called “instances.”

Security best practices for Amazon EC2 include using Identity and Access Management (IAM): attach
an IAM role to the instance instead of embedding access keys, require IMDSv2 for the instance
metadata service so that the role credentials cannot be read through a simple SSRF, restrict
security groups to the ports and sources that are needed, and keep the operating system patched
(AWS Systems Manager Patch Manager can automate this).

Key pairs are the SSH login credentials for Linux instances (and decrypt the Windows administrator
password): a public key that AWS places on the instance and a private key that you keep. The
private key is not stored by AWS and can optionally be protected with a passphrase; if it is lost
the instance cannot be reached by SSH with that key pair.

Elastic Block Storage (EBS) - maximum volume size 16 TiB (about 17.6 TB) for most volume types;
io2 Block Express volumes can be up to 64 TiB.

A VPC is how you connect your cloud resources to your own data center: you link the data center to
the VPC that holds your instances with an AWS Site-to-Site VPN or AWS Direct Connect, and because
each instance has a private IP address from the VPC range, it can be reached from the data center
as if it were on your own private network. Subnets divide the VPC address range into smaller
ranges, each tied to one Availability Zone.

IPv4 example: 123.1.1.123 (32-bit, dotted decimal)
IPv6 example: 2001:db8::1 (128-bit, hexadecimal groups separated by colons; 2001:db8::/32 is
the documentation prefix)


Amazon RDS is a managed service for relational databases. It handles patching, upgrades and
backups automatically and is meant for structured, schema-based data. DynamoDB, by contrast, is a
managed NoSQL key-value and document database for semi-structured data that needs single-digit
millisecond access at any scale without fixed schemas or joins.

RTO or Recovery Time Objective is the maximum time your business or organization is willing to wait for
a recovery to complete in the wake of an outage. On the other hand, RPO or Recovery Point Objective is
the maximum amount of data loss your company is willing to accept as measured in time.

AWS CloudFormation is a service that helps you model and set up your AWS resources so that you can
spend less time managing those resources and more time focusing on your applications that run in AWS.
You create a template that describes all the AWS resources that you want (like Amazon EC2 instances or
Amazon RDS DB instances), and CloudFormation takes care of provisioning and configuring those
resources for you. You don't need to individually create and configure AWS resources and figure out
what's dependent on what; CloudFormation handles that. Because every resource, including security
groups and IAM roles, is declared in the template, the template is also the right place to review
network exposure and permissions before a stack is created.
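As an added example of using the template as the review point (this is not CloudFormation's own code), the following linter reads a JSON template, finds every AWS::EC2::SecurityGroup, and reports ingress rules that open administrative or database ports to the whole internet, then shows the remediation of narrowing the source range. The template, the port list and the replacement range 203.0.113.0/24 are constructed for the demo.

```python
"""Added example (not CloudFormation's own code): lint the security groups in
a CloudFormation template before deploying it. The template is constructed for
the demo and is JSON, which CloudFormation accepts alongside YAML."""
import copy
import ipaddress
import json

# Ports that should never be open to the whole internet (assumed list).
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 1433, 6379, 27017}

TEMPLATE_JSON = r'''
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "WebSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "public HTTPS",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}
        ]
      }
    },
    "BastionSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "ssh bastion",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "-1", "CidrIp": "10.0.0.0/8"}
        ]
      }
    },
    "DbSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "mysql from web tier only",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
           "SourceSecurityGroupId": {"Ref": "WebSg"}}
        ]
      }
    }
  }
}
'''


def load_template(text):
    return json.loads(text)


def _port_range(rule):
    """(from, to) covered by an ingress rule; protocol -1 means everything."""
    if str(rule.get("IpProtocol")) == "-1":
        return 0, 65535
    return int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))


def _world_open_cidr(rule):
    """Return the CIDR if the rule's source is 0.0.0.0/0 or ::/0, else None.
    Rules sourced from another security group or a prefix list have no CIDR."""
    cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
    if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
        return cidr
    return None


def lint_template(template):
    """List findings for world-open ingress on all ports or on sensitive ports."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            cidr = _world_open_cidr(rule)
            if cidr is None:
                continue
            lo, hi = _port_range(rule)
            if (lo, hi) == (0, 65535):
                findings.append(f"{name}: all ports open to {cidr}")
            elif any(lo <= p <= hi for p in SENSITIVE_PORTS):
                findings.append(f"{name}: {rule['IpProtocol']} {lo}-{hi} open to {cidr}")
    return findings


def lint_json(text):
    return lint_template(load_template(text))


def restrict_ingress(template, logical_id, index, cidr):
    """Remediation: return a copy of the template with one ingress rule's
    source narrowed to `cidr` (for example the corporate VPN range)."""
    fixed = copy.deepcopy(template)
    rule = fixed["Resources"][logical_id]["Properties"]["SecurityGroupIngress"][index]
    rule.pop("CidrIpv6", None)
    rule["CidrIp"] = cidr
    return fixed


if __name__ == "__main__":
    for finding in lint_json(TEMPLATE_JSON):
        print("FINDING", finding)
```

Port 443 open to the world on WebSg is intentional and is not reported; the bastion's SSH rule is, and the DbSg rule is skipped because its source is another security group rather than a CIDR. Run this in CI before `aws cloudformation deploy` so a world-open admin port never reaches a change set.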

Application Load Balancer: used if you need flexible application-layer management and TLS termination.
Network Load Balancer: used if you require extreme performance and static IPs for your applications.
Classic Load Balancer: used if your application was built in the EC2-Classic network (now retired).

Amazon Route 53 is a scalable and highly available Domain Name System (DNS). The name refers to TCP
or UDP port 53, where DNS server requests are addressed.

There are two types of scaling - vertical scaling and horizontal scaling. Vertical scaling means
changing the RDS instance class to a larger (or smaller) size, which can be done with a single
modify operation; the available classes depend on the engine and Region. Horizontal scaling means
adding read replicas: read-only copies that take read traffic off the primary. Read replicas are
supported by RDS for MySQL, MariaDB, PostgreSQL, Oracle and SQL Server as well as by Amazon Aurora,
which supports up to 15 replicas sharing the same storage volume.

AWS CloudFront is a service that makes it easy for you to distribute your web content to multiple
endpoints. With CloudFront, you can distribute your static web content (such as images and style
sheets), as well as dynamic content (such as blog posts and e-commerce products). You can also put
CloudFront in front of an Application Load Balancer by using the ALB as the distribution's origin,
so client traffic reaches the ALB through CloudFront rather than directly.

STEPS FOLLOWED IN VPLAYED
Terraform - Create infrastructure

 Terraform Script
 Docker file
 Docker Image
 Docker container/Kubernetes pod

Ansible - configuring the provisioned instances (configuration management; Terraform does the provisioning)

RDS - MySQL,

EC2 Instances - self-managed NoSQL databases

ECR - Container registry

Auto-scale

Load balancer

Docker

Kubernetes

CDN

Route 53

Amazon Redshift: Financial institutions leverage Amazon Redshift for powerful data warehousing and
analytics. It enables the processing of large datasets for business intelligence, reporting, and trend
analysis.

Amazon SageMaker: Financial applications benefit from Amazon SageMaker for building, training, and
deploying machine learning models. This can be applied to fraud detection, risk assessment, customer
segmentation, and other predictive analytics use cases.

AWS Key Management Service (KMS) and AWS CloudHSM: For financial applications that require
stringent security and compliance measures, AWS provides key management services and hardware
security modules (HSM) to protect sensitive data and ensure regulatory compliance. AWS Key
Management Service (AWS KMS) is a managed service that makes it easy for you to create and control
the cryptographic keys that are used to protect your data. AWS KMS uses hardware security modules
(HSM) to protect and validate your AWS KMS keys under the FIPS 140-2 Cryptographic Module Validation
Program; key material never leaves the HSMs in plaintext, and every use of a key is recorded in
AWS CloudTrail. AWS CloudHSM instead gives you single-tenant HSMs under your own control, for cases
where the keys must not be managed by AWS at all.

ECS (Elastic Container Service) is a fully managed container orchestration service provided by Amazon
Web Services (AWS). It simplifies the deployment, management, and scaling of containerized
applications using Docker containers, running, stopping and managing them on a cluster in a highly
available and fault-tolerant manner.

A cluster is a pool of compute and memory resources where tasks and services can be run.

AWS Fargate is a serverless compute engine for containers. It allows you to run containers without
managing the underlying infrastructure, providing a fully managed experience for deploying and scaling
containerized applications.

Amazon EKS is a managed Kubernetes service that makes it easy to run Kubernetes on AWS without the
need to manage the control plane. It provides a scalable and highly available Kubernetes environment.

Amazon ECR is a fully managed Docker container registry that makes it easy to store, manage, and
deploy Docker container images. It integrates seamlessly with Amazon ECS and EKS.
AWS Copilot is a command-line interface (CLI) tool that simplifies the development, deployment, and
operation of containerized applications on AWS. It streamlines common tasks associated with
containerized development.

Explain the concept of high availability in AWS.

 Availability Zones (AZs): spread instances across two or more AZs in a Region so that a
single data-center failure does not take the application down
 Elastic Load Balancing (ELB): routes traffic only to healthy targets across AZs
 Auto Scaling: replaces failed instances and adds capacity on demand
 Multi-Region Architectures: for workloads that must survive a whole-Region outage
 Amazon Route 53: health checks and failover routing policies
 Amazon CloudWatch Alarms and Monitoring
 Deploy RDS and other stateful services in multiple zones (RDS Multi-AZ keeps a synchronous
standby in a second AZ with automatic failover)

Can you explain the difference between horizontal and vertical scaling?

How would you optimize costs in an AWS project?

 Rightsize instances
 Reserved Instances (RIs) and Savings Plans
 Auto Scaling
 Use AWS CloudWatch, AWS Cost Explorer, and other monitoring tools to track resource usage
and costs.
 Set up billing alerts to receive notifications when your costs exceed predefined thresholds.
 Identify and terminate idle or underutilized resources, such as instances, EBS volumes, and
databases.
 Implement automated scripts or tools to stop or terminate resources during non-business hours.
 Explore AWS Cost Explorer Recommendations to receive personalized, data-driven
recommendations for cost savings based on your usage patterns.
 Use resource tagging to categorize and label resources based on their purpose, owner, or
environment.

How do you manage dependencies in a project that involves multiple AWS services?

 Use IaC tools like AWS CloudFormation or Terraform to define and provision your infrastructure.
IaC enables you to version-control your infrastructure, track changes, and replicate environments
easily.
 Manage sensitive information such as API keys, database credentials, and
access tokens using AWS Secrets Manager

What are some common challenges in migrating on-premises applications to AWS, and how would you
address them?

 Legacy Infrastructure and Applications
 Data Migration
 Downtime and Business Continuity
 Security and Compliance
 Lack of Cloud Skills
 Application Dependencies and Integration
 Cost Management
 Operational Changes
 Performance Optimization

How would you ensure compliance with industry regulations in an AWS project?

 Understand Regulatory Requirements
 Implement Security Best Practices
 AWS Compliance Programs
 Data Encryption and Key Management
 Audit Logging and Monitoring
 Regular Risk Assessments
 Incident Response Plan
 Third-Party Audits and Assessments

Explain how AWS can support disaster recovery planning.

 Multi-Region Deployments
 Availability Zones (AZs)
 Amazon S3 Versioning (and cross-Region replication)
 Amazon RDS Multi-AZ Deployments (and cross-Region read replicas)
 AWS Elastic Load Balancing (ELB)
 Amazon S3 Glacier for backup and archiving
 AWS Backup
 AWS Snowball (formerly AWS Import/Export Snowball) for bulk data transfer

SERVICES USED IN VPLAYED

Primarily we are using Storage, Computing, Network

Amazon Route 53


Amazon S3

AWS Elemental MediaConvert

AWS Elemental MediaPackage

AWS Elemental MediaPackage (MediaPackage) is a just-in-time video packaging and origination service
that runs in the AWS Cloud. With MediaPackage, you can deliver highly secure, scalable, and reliable
video streams to a wide variety of playback devices and content delivery networks (CDNs).
MediaPackage offers a broadcast-grade viewing experience for viewers, while allowing you the flexibility
to control and protect your content. Additionally, the built-in resiliency and scalability of MediaPackage
means that you have the right amount of resources at the right time, with no manual intervention
required.

MySQL RDS

A managed relational database service that lets you set up, operate, and scale a relational database
in the cloud without extensive administrative tasks. RDS supports several database engines (MySQL
among them), making it easy to deploy and manage popular relational database systems.

Grafana

CDN

Amazon SES

Deployment: Docker and Kubernetes

Load Balancer

Auto-Scale

Enables you to automatically adjust the number of compute resources within your application or fleet of
instances based on demand or predefined conditions. Auto Scaling helps ensure that you have the right
number of instances available to handle your application's load while optimizing costs.

Launch configuration / launch template (launch templates are the newer, recommended form)

Auto Scaling groups

Worker Node

is commonly associated with container orchestration services like Amazon Elastic
Container Service (ECS) or Amazon Elastic Kubernetes Service (EKS). Worker nodes
are instances that form part of a cluster and are responsible for running the
containers that make up your applications.

AWS Landing Zone

A multi-account baseline: a management account, a shared services account, a log archive account and
a security account. Unlike IAM, which grants access to principals within one account, a landing zone
sets up and governs multiple accounts in an AWS Organization, with guardrails applied to all of them.
It can be built with help from AWS experts or with AWS Control Tower, which automates landing zone
creation. Related services:
Control Tower
IAM Identity Center (formerly AWS SSO)
GuardDuty
