AWS Cloud

//TODO:

From Pluralsight: AWS Certified Developer – Associate (DVA-C01)

What others have mentioned as worth knowing:

  1. Used constantly at work, worth spending time to learn and understand: VPC, subnet, security group, ENI, Route53, ACM, IAM
  2. Next: load balancer, auto scaling, DynamoDB throttling, API Gateway.
  3. Others: Lambda, Step Functions, CloudFormation, S3, EC2, SQS, SNS, CloudWatch, ECS, ECR, CodeDeploy, etc.

Core Services

EC2: Elastic Compute Cloud
AMI: Amazon Machine Image
EBS: Elastic Block Store, block volumes used as EC2 file systems
Security Group: a set of firewall rules attached to an instance's network interface that controls its traffic, for example who can SSH to the instance. Security groups are stateful and contain only allow rules. A VPC is the virtual network that a group of instances lives in.

S3: Simple Storage Service, maximum object size is 5 TB, a bucket is accessed via URL, the same as gcloud storage. Can be used for hosting a static web site.

RDS: Relational Database Service
Route53: Domain Name System (DNS) service; you can also register your domain name there.

EC2

Enhancing Services

EB: Elastic Beanstalk, a platform service that deploys and runs your application on managed EC2 instances

Lambda: serverless option for executing code, function as a service; you only pay while the code is running, which is a significant cost saving if activity is infrequent. Great for small, irregular tasks, for example nightly ETL kickoffs or notification-type functions

DynamoDB: a managed NoSQL database, supports both key-value and document models

VPC: for isolating your services; components inside the VPC can reach each other over private IPs. A VPC can contain multiple subnets, for example a public subnet (with a route to an internet gateway) and a private subnet (without one).

How does VPC work?

  • route table: controls where traffic goes (a subnet is "public" only if its route table sends 0.0.0.0/0 to an internet gateway)
  • network ACL (access control list): subnet-level firewall that controls who can come and go. Unlike security groups, a NACL is stateless (return traffic needs its own rule, typically the ephemeral port range) and has numbered allow and deny rules evaluated in order, first match wins, with an implicit deny at the end
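The practical consequence of "stateful, allow-only" versus "stateless, ordered allow/deny" is easiest to see by running both decision procedures over the same packets. The following is an added example written for these notes, not AWS code; the rule sets, the corporate range 203.0.113.0/24 and the client addresses are constructed (documentation prefixes), and the model ignores ICMP and IPv6.

```python
"""Model of two VPC firewall layers: a security group (instance/ENI level,
stateful, allow rules only) and a network ACL (subnet level, stateless,
numbered rules, first match wins, implicit '*' deny). Added example written
for these notes; it is not AWS code, and every rule set below is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    proto: str             # "tcp", "udp", or "-1" meaning any protocol
    port_from: int         # port range; ignored when proto == "-1"
    port_to: int
    cidr: str              # source CIDR for inbound rules, destination CIDR for outbound
    action: str = "allow"  # NACLs may also "deny"; security groups cannot
    number: int = 0        # NACL rule number (evaluation order); unused by security groups


def _matches(rule: Rule, proto: str, port: int, addr: str) -> bool:
    if rule.proto != "-1" and rule.proto != proto:
        return False
    if rule.proto != "-1" and not (rule.port_from <= port <= rule.port_to):
        return False
    return ip_address(addr) in ip_network(rule.cidr)


def sg_allows(inbound: list, proto: str, dst_port: int, src_ip: str) -> bool:
    """Security group: every rule is checked and any matching allow admits the
    packet; anything unmatched is implicitly denied. Being stateful, the reply
    to an admitted connection is allowed without any outbound rule."""
    return any(_matches(r, proto, dst_port, src_ip) for r in inbound)


def nacl_decides(rules: list, proto: str, port: int, addr: str) -> bool:
    """Network ACL: rules are evaluated in ascending rule number and the first
    match decides; when nothing matches, the trailing '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, proto, port, addr):
            return rule.action == "allow"
    return False


def nacl_allows_connection(inbound: list, outbound: list, proto: str,
                           dst_port: int, src_ip: str, src_port: int) -> bool:
    """Stateless: the request must pass the inbound rules AND the reply
    (sent back to the client's ephemeral source port) must pass the outbound rules."""
    return (nacl_decides(inbound, proto, dst_port, src_ip)
            and nacl_decides(outbound, proto, src_port, src_ip))


# Constructed rule sets for a web server that should accept HTTPS from anywhere
# and SSH only from a corporate range (203.0.113.0/24, a documentation prefix).
SG_INBOUND = [
    Rule("tcp", 22, 22, "203.0.113.0/24"),
    Rule("tcp", 443, 443, "0.0.0.0/0"),
]
NACL_INBOUND = [
    Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 100),
    Rule("tcp", 22, 22, "0.0.0.0/0", "deny", 110),         # shadows rule 120 below
    Rule("tcp", 22, 22, "203.0.113.0/24", "allow", 120),
]
NACL_OUTBOUND = [Rule("tcp", 1024, 65535, "0.0.0.0/0", "allow", 100)]  # ephemeral reply ports
NACL_OUTBOUND_NO_EPHEMERAL = [Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 100)]

if __name__ == "__main__":
    print("SSH from corp via SG:  ", sg_allows(SG_INBOUND, "tcp", 22, "203.0.113.5"))
    print("SSH from corp via NACL:", nacl_decides(NACL_INBOUND, "tcp", 22, "203.0.113.5"))
    print("HTTPS, no ephemeral out:", nacl_allows_connection(
        NACL_INBOUND, NACL_OUTBOUND_NO_EPHEMERAL, "tcp", 443, "198.51.100.7", 51234))
```

Two things the model shows that the bullets alone do not: the NACL deny at rule 110 silently shadows the corporate SSH allow at 120 because ordering, not specificity, decides; and an inbound-only NACL change breaks HTTPS entirely once the outbound ephemeral-port rule is missing, while the equivalent security group keeps working because it tracks the connection.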

CloudWatch: monitoring resources and acting on alarms, for example CPU usage on EC2 instances, DynamoDB read/write throughput, or estimated billing charges

CloudFront: CDN that integrates with S3, EC2, load balancers and Route53

CloudWatch

For example: increasing network traffic -> EC2 metric -> CloudWatch alarm -> alarm action -> Auto Scaling Group -> more EC2 instances. SNS can also be integrated with CloudWatch: an alarm action can publish to a topic.

SNS: Simple Notification Service, pub/sub messaging for microservices and serverless applications. First create a topic, then subscribe to it with an email address, SMS number, etc.

IAM

MFA, multi-factor authentication, requires more than one factor to authenticate. MFA process: password + device code (the app generates a new 6-digit TOTP code every 30 seconds), similar to a 将军令 token; first install an MFA app on your phone.

After logging in to the AWS console, click the account user name -> My security credentials -> MFA

IAM policies make it easy to assign permissions to users or groups administratively. Users have no permissions by default (implicit deny). Policy statement properties:

  • Effect: Allow or Deny
  • Action: the operations the user can perform
  • Resource: what the user performs them on

An explicit Deny overrides any Allow that matches the same request.

Root account permissions are dangerous, so follow Amazon's suggested best practices. For example, create an admin group, attach a policy to it, add a user to that group, and log in as that user instead of root (and enable MFA on the root account).
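The three properties above plus the two rules (implicit deny by default, explicit Deny wins) are enough to reproduce how a single identity's policies are evaluated. The following is an added example for these notes, not AWS's evaluation engine: it handles Action/Resource wildcards and the Allow/Deny precedence, and leaves out Condition, NotAction/NotResource, resource-based policies, permission boundaries and SCPs. The admin and developer policies, the pizza-assets bucket and the 123456789012 account id are constructed.

```python
"""Simplified IAM policy evaluation for a single identity: everything is
implicitly denied, an Allow statement that matches the action and resource
grants it, and a matching explicit Deny wins over any Allow. Added example
for these notes, not AWS's evaluation engine (Condition, NotAction,
resource policies, SCPs and permission boundaries are left out); the
policies, bucket name and account id are constructed."""
import fnmatch

ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::pizza-assets/*"},
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        # guard rail: even a broad dynamodb:* allow cannot drop tables
        {"Effect": "Deny", "Action": "dynamodb:DeleteTable", "Resource": "*"},
    ],
}

USERS_TABLE_ARN = "arn:aws:dynamodb:us-west-2:123456789012:table/users"


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern: str, value: str, case_insensitive: bool) -> bool:
    """IAM '*' matches any run of characters and '?' a single character.
    Action names are case-insensitive; resource ARNs are matched as written."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _statement_matches(statement: dict, action: str, resource: str) -> bool:
    actions = _as_list(statement.get("Action", []))
    resources = _as_list(statement.get("Resource", []))
    return (any(_wildcard_match(a, action, True) for a in actions)
            and any(_wildcard_match(r, resource, False) for r in resources))


def is_allowed(policies: list, action: str, resource: str) -> bool:
    """Evaluate every statement of every attached policy for one request."""
    allowed = False
    for policy in policies:
        for statement in _as_list(policy["Statement"]):
            if not _statement_matches(statement, action, resource):
                continue
            if statement["Effect"] == "Deny":
                return False          # explicit deny ends evaluation
            allowed = True            # remember the allow, keep looking for denies
    return allowed


if __name__ == "__main__":
    for who, policies in (("admin", [ADMIN_POLICY]), ("developer", [DEVELOPER_POLICY])):
        print(who, "may delete users table:",
              is_allowed(policies, "dynamodb:DeleteTable", USERS_TABLE_ARN))
```

The last assertion in the test is the one to remember when building the admin group from the paragraph above: attaching the developer policy's Deny to the admin user takes away DeleteTable even though AdministratorAccess-style "*" allows everything, which is why explicit denies are the right tool for guard rails.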

Access AWS

To generate an access key for the SDK and CLI, after logging in to the AWS console, click the account user name -> My security credentials -> Access Keys.

Create the ~/.aws/credentials file with the content from your access key:

[default]
aws_access_key_id=AKIAIVHU6XLsd3J7IAKA
aws_secret_access_key=Vemdu3nD65uY1cWC0fznCEfUhvsUT9NIjMT790zqK
region=us-west-2
output=json

This file holds a long-lived secret: keep it readable only by your own user (chmod 600 ~/.aws/credentials) and never commit it to a repository. "aws configure" writes region and output to ~/.aws/config rather than here; the CLI reads both files.
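Because the credentials file is plain text, the two failure modes to watch for are a world-readable file and the key pair ending up in a commit or log. The scanner below is an added example for these notes, not an AWS tool; the sample text is constructed and uses the AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI... pair that AWS documentation uses as a placeholder, plus a made-up ASIA... temporary key id and a git commit hash that must not be reported.

```python
"""Scanner for AWS credentials that leaked into text (a commit, a log, a
config dump) and a permission check for ~/.aws/credentials. Added example for
these notes, not an AWS tool; SAMPLE_TEXT is constructed and uses AWS's
documentation placeholder key pair plus a made-up ASIA temporary key id."""
import re
import stat

# Long-lived key ids start with AKIA, temporary (STS) ones with ASIA; 20 chars total.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret keys are 40 characters of base64-like text. A git commit hash is also
# 40 such characters, so a secret candidate is only reported on lines that
# mention a secret (config keys, environment variables, SDK parameter names).
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")

SAMPLE_TEXT = """\
# constructed sample: a credentials file pasted into a repository by mistake
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
commit 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
session = ASIAY34FZKBOKMUTVV7A
"""


def scan_for_keys(text: str) -> list:
    """Return (line_number, kind, value) for each credential found in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_ID_RE.finditer(line):
            findings.append((lineno, "access_key_id", match.group(0)))
        if "secret" in line.lower():
            for match in SECRET_KEY_RE.finditer(line):
                findings.append((lineno, "secret_access_key", match.group(0)))
    return findings


def credentials_mode_ok(st_mode: int) -> bool:
    """~/.aws/credentials must not be readable or writable by group or others (0600)."""
    return (stat.S_IMODE(st_mode) & 0o077) == 0


if __name__ == "__main__":
    import os
    for finding in scan_for_keys(SAMPLE_TEXT):
        print("%d: %s %s" % finding)
    path = os.path.expanduser("~/.aws/credentials")
    if os.path.exists(path):
        print(path, "permissions ok:", credentials_mode_ok(os.stat(path).st_mode))
```

Run over a repository with something like git log -p piped into scan_for_keys, this catches the common case; if a key does turn up, the fix is to deactivate and rotate it in IAM, not merely to rewrite history, because anything pushed has to be treated as compromised.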

I use the aws cli Docker image to run the commands; the container is ephemeral for each command (for convenience, set an alias for the docker run command), and you need to mount ~/.aws into the container:

docker run --rm -ti -v ~/.aws:/root/.aws amazon/aws-cli s3 ls

Other installation methods are covered in the AWS CLI documentation.

To avoid installing dependencies, you can use a virtual machine to set up the environment.

Demo Components

A pizza web site:

  • EC2, host web application
  • DynamoDB, store users & toppings
  • RDS, store pizza
  • S3, store images & assets
  • ElastiCache, store sessions