//TODO:
From Pluralsight: AWS Certified Developer – Associate (DVA-C01)
别人提到的:
- 工作中经常用到, 需要花时间学习理解的: vpc, subset, security group, eni, route53, acm, IAM
- 其次: load balancer, auto scaling, ddb throttle, api gateway。
- 其他: lambda, step function, cloudformation, s3, ec2, sqs, sns, cloudwatch, ecs, ecr, code deploy 等等
Core Services
EC2: Elastic Cloud Compute
AMI: Amazon Machine Image
EBS: Elastic Block Storage, used for EC2 files systems
Security Group: set of firewall rules that control the traffic for your single instance, for example, control who can ssh to EC2 instance, VPC is for groups of instance
S3: Simple Storage Service, maxmium file size is 5T, bucket is accessed via URL, the same as gcloud storage. Can be used for hosting static web site.
RDS: Relation Database Service
Route53: Domain Name System (DNS) servics, you can register your domain name!
EC2
Enhancing Services
EB: Elastic Beanstalk, application service running on EC2
Lambda: Serverless option for executing code, function as a service, only pay when the code is running, significant cost savings if you have infrequent activity. Great for small, irregular tasks, for example, nightly ETL kickoffs, notification type functions
DynamoDB: a managed NoSQL database, supports both key-values and document models
VPC: for securing your services, components in the VPC can connect each through private IP. Multiple subnets can be in VPC, for example, you can configure public subnet and private subnet.
How does VPC work?
- route table: control what goes where
- network ACL(access control list): act as subnet-level firewalls, control who can come and go
CloudWatch: monitoring resources and acting on alerts, for example, CPU usage on EC2 instances, DynamoDB read/write throughput, estimated billing charges
CloudFront: super fast CDN, works seamlessly with S3, EC2, load balancing and route53
CloudWatch
For example, Increasing network traffic -> EC2 -> alarm CloudWatch -> action -> Auto Scaling Group -> EC2. SNS can also be integrated to CloudWatch.
SNS: simple notification service, Pub/sub messaging for microservices and serverless applications. First create topic, then subscribe this with from email or SMS, etc
IAM
MFA, multi-factor authentication, reuqire more than one factor to authenticate.
MFA process: password + device code (app generated code refresh every 60 seconds) 类似将军令, 要先在手机上下载一个MFA app.
After loging aws console, click the account user name -> My security credentials -> MFA
IAM policy make it easy to assign permissions to users or groups in an administrative way. Users have no permission by default. Policy properties:
- Effect: allow, deny
- Action: operations user can perform
- Resources: user performs on
Root account permission is dangerious, follows amazon suggested best practices to have more securities. For example, create a admin grouo, attch policy to it, then add user to this group, use this user to login.
Access AWS
- Web console
- SDK, programming application uses: https://github.com/aws
- Command line, great for shell scripting: https://github.com/aws/aws-cli
To generate the access key for SDK and cli, after loging aws console, click the account user name -> My security credentials -> Access Keys.
Create ~/.aws/credentials file with content from your access key:
1 | [default] |
I use aws cli docker to run the commands, the docker container is ephemeral for each command (for convenience, set alias for docker run command), you need to mount the ~/.aws to container:
1 | docker run --rm -ti -v ~/.aws:/root/.aws amazon/aws-cli s3 ls |
For other methods installing
To aviod installing dependencies, you can use virtual machine to setup environment.
Demo Components
A pizza web site:
- EC2, host web application
- DynamoDB, store users & toppings
- RDS, store pizza
- S3, store images & assets
- ElastiCache, store sessions