- Gateway-Stored volumes store your primary data locally, while asynchronously backing up that data to AWS.
- Depending on the cache allocated, you can achieve a similar result with File Gateway.
- https://docs.aws.amazon.com/storagegateway/latest/userguide/resource-gateway-limits.html
- Gateway-Cached and File Gateway volumes retain a copy of frequently accessed data subsets locally. Cached volumes offer a substantial cost savings on primary storage and minimize the need to scale your storage on-premises. Note that AWS recently changed the naming. You should know both forms for the exam.
- AWS does not copy launch permissions, user-defined tags, or Amazon S3 bucket permissions from the source AMI to the new AMI.
- Launch permissions, S3 bucket permissions and user-defined tags must be re-applied manually to the copied AMI. User data is not part of an AMI at all: it is supplied when an instance is launched, so there is nothing to copy with the image. Further information:
- http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html
- You should generate a password for each user and give these passwords to your system administrators. You should then have each user set up multi-factor authentication once they have been able to log in to the console. You cannot use the secret access key and access key ID to log in to the AWS console; those credentials are used to sign calls to the AWS APIs.
- Network throughput is the obvious bottleneck. You are not told in this question whether the proxy server is in a public or private subnet. If it is in a public subnet, the proxy server instance size itself may not be large enough to cope with the current network throughput. If the proxy server is in a private subnet, then it must be using a NAT instance or NAT gateway to communicate out to the internet. If it is a NAT instance, this may also be inadequately provisioned in terms of size. You should therefore increase the size of the proxy server and/or the NAT solution.
- There are two issues here: how to handle stale data to avoid paying for high provisioned throughput for infrequently used data, and how to design a partition key that will distribute IO from sequential data across partitions evenly to avoid performance bottlenecks.
- When calling the DynamoDB low-level HTTP API directly (rather than through an SDK), a short list of request headers is required: Host, X-Amz-Date, the Signature Version 4 Authorization header, X-Amz-Target naming the operation, and Content-Type application/x-amz-json-1.0.
- You should consider using ElastiCache or RDS Read Replicas. Scaling up may also resolve the contention, but it is likely to be more expensive than offloading the read activity to a cache or to Read Replicas. RDS Multi-AZ is for resilience only.
- You should consider either increasing the bid price for the task nodes so that your nodes are not terminated or even converting the task nodes to on demand instances so as to ensure they are not prematurely terminated.
- For all new AWS accounts, there is a soft limit of 20 EC2 instances per region. You should submit the limit increase form and retry the template after your limit has been increased.
- Currently the S3 classes are: Standard, Standard-Infrequent Access, One Zone-Infrequent Access, Reduced Redundancy Storage and, for archive, Glacier and Glacier Deep Archive. Reduced Redundancy Storage is the only S3 class that does not offer 99.999999999% durability, and therefore any of the answers that contain Reduced Redundancy Storage cannot be correct.
- The valid ways of encrypting data on S3 are
- Server Side Encryption (SSE)-S3,
- SSE-C,
- SSE-KMS or a client library such as Amazon S3 Encryption Client.
- Route 53 has the following routing policies –
- Simple,
- Weighted,
- Latency,
- Failover,
- Multivalue answer,
- Geoproximity
- Geolocation
- DynamoDB allows for the storage of large text and binary objects, but there is a limit of 400 KB.
- The S3 object owner concept matters when locking down access: the account that uploads an object owns it and controls its ACL, so the bucket owner does not automatically get access to objects uploaded by other accounts (which is why cross-account uploads usually require the bucket-owner-full-control ACL, or an Object Ownership setting that transfers ownership to the bucket owner).
- Both the Oracle and SQL Server database engines have limits on how many databases can run per instance. Primarily this is because the underlying technology is proprietary and requires specific licensing to operate.
- The database engines based on Open Source technology such as Aurora, MySQL, MariaDB or PostgreSQL have no such limits. Further information: https://aws.amazon.com/rds/faqs/
- Security Groups are stateful and updates are applied immediately.
- Review the process by which federated users are granted access to the AWS console: the identity provider authenticates the user, temporary credentials are obtained from STS, and those credentials are exchanged for a console sign-in token.
- The question describes a situation where low-cost One Zone-IA would be perfect. However, it also says that there is a high licence cost with each meme generation. The storage saving between Standard-IA and One Zone-IA is about $0.0025 per GB-month, which is small compared to the $10 for licensing. Therefore you may well be better off paying for full Standard-IA.
- You cannot tag individual folders within an S3 bucket. If you create an individual IAM user for each staff member, there will be no way to keep their Active Directory credentials synchronised when they change their password. You should instead create a federation proxy or identity provider and use AWS Security Token Service to issue temporary credentials. You will then need to create the appropriate IAM role that the users assume when writing to the S3 bucket. https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
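The two identity points above (require MFA once users can log in, and give each person access only to their own area of a bucket) are normally enforced with policy conditions and policy variables. The block below is an added illustration and not AWS's evaluation engine: a deliberately small evaluator covering explicit-deny-wins, wildcard matching, the Bool/BoolIfExists and StringLike condition operators, and ${aws:username} substitution. The bucket name corp-docs, the user names and the request contexts are constructed for the example.

```python
"""Added example: minimal IAM-style policy evaluation (not AWS's engine).

Models the two controls discussed above:
  * an explicit Deny on everything except MFA self-service when the
    request carries no MFA (the BoolIfExists form also catches requests
    where the key is absent, e.g. calls signed with long-lived access keys);
  * an Allow scoped to a per-user prefix via the ${aws:username} variable
    (a federated session would use a variable such as ${saml:sub} instead).
Evaluation order follows IAM: explicit Deny wins, then any Allow, else
implicit Deny. Only the operators used by these policies are implemented.
"""
import fnmatch
import re
from typing import Any, Dict, List

MFA_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllExceptMfaSetupWithoutMfa",
        "Effect": "Deny",
        "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                      "iam:ListMFADevices", "sts:GetSessionToken"],
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}

PER_USER_PREFIX_POLICY = {  # constructed bucket name: corp-docs
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::corp-docs/${aws:username}/*"},
        {"Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::corp-docs",
         "Condition": {"StringLike": {"s3:prefix": "${aws:username}/*"}}},
    ],
}


def _as_list(value: Any) -> List[str]:
    return value if isinstance(value, list) else [value]


def _substitute(text: str, ctx: Dict[str, str]) -> str:
    """Replace ${key} policy variables with values from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), m.group(0)), text)


def _glob(value: str, patterns: List[str], ctx: Dict[str, str]) -> bool:
    # IAM wildcards are * and ?; fnmatchcase also understands [...] but
    # ARNs and action names never contain brackets, so that is harmless here.
    return any(fnmatch.fnmatchcase(value, _substitute(p, ctx)) for p in patterns)


def _condition_met(condition: Dict[str, Dict[str, Any]], ctx: Dict[str, str]) -> bool:
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "Bool":
                if actual is None or actual.lower() != str(expected).lower():
                    return False
            elif operator == "BoolIfExists":
                # An absent key counts as satisfied: that is what makes this form stricter.
                if actual is not None and actual.lower() != str(expected).lower():
                    return False
            elif operator == "StringLike":
                if actual is None or not _glob(actual, _as_list(expected), ctx):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def is_allowed(policies: List[dict], action: str, resource: str, ctx: Dict[str, str]) -> bool:
    """Return True only if some statement allows the request and none denies it."""
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if "NotAction" in st:
                action_hit = not _glob(action, _as_list(st["NotAction"]), ctx)
            else:
                action_hit = _glob(action, _as_list(st["Action"]), ctx)
            if not action_hit or not _glob(resource, _as_list(st["Resource"]), ctx):
                continue
            if not _condition_met(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return False          # explicit deny overrides every allow
            allowed = True
    return allowed
```

The BoolIfExists form is the one to use for the MFA deny: a request signed with an access key carries no aws:MultiFactorAuthPresent key at all, and a plain Bool condition would silently let it through.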
- The aim is to direct sessions to the host that will provide the correct language. Geolocation is the best option because it is based on national borders.
- Geoproximity routing is another option where the decision can be based on distance. While latency-based routing will usually direct the client to the correct host, connectivity issues with the US Regions might direct traffic to AP. In this case, the word “ensure” is operative: users MUST connect to the English-language site.
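As an added illustration that is not part of the original explanation or of any AWS code, the model below shows how Route 53 picks a geolocation record (most specific match first, then the default record) next to a latency-routing picker that makes the point above concrete: when the US endpoints fail health checks, latency routing will happily answer with the AP endpoint. The zone, record targets, country-to-continent table and latency figures are all constructed.

```python
"""Added example: model of Route 53 geolocation vs latency record selection.

Not AWS code. Route 53 geolocation answers with the most specific matching
record (country, then continent, then the "*" default); if nothing matches
and there is no default record, Route 53 returns no answer. Latency routing
answers with the healthy record that has the lowest measured latency, so a
US outage can legitimately send a US client to an AP endpoint.
"""
from typing import Dict, Optional, Set

# Constructed record set for a hypothetical zone (values are DNS targets).
GEOLOCATION_RECORDS: Dict[str, str] = {
    "US": "en-us.example.com",       # country record
    "GB": "en-gb.example.com",       # country record
    "NA": "en-na.example.com",       # continent record: North America
    "EU": "en-eu.example.com",       # continent record: Europe
    "*": "en-default.example.com",   # default record for everything else
}

# Constructed country -> continent lookup (Route 53 uses its own GeoIP data).
CONTINENT_OF: Dict[str, str] = {
    "US": "NA", "CA": "NA", "MX": "NA",
    "GB": "EU", "DE": "EU", "FR": "EU",
    "JP": "AS", "AU": "OC",
}


def resolve_geolocation(country: str,
                        records: Dict[str, str] = GEOLOCATION_RECORDS) -> Optional[str]:
    """Return the target Route 53 would answer with for a client in `country`.

    Precedence: exact country record, then the client's continent record,
    then the "*" default. None models "no answer" (no match and no default).
    """
    if country in records:
        return records[country]
    continent = CONTINENT_OF.get(country)
    if continent is not None and continent in records:
        return records[continent]
    return records.get("*")


def resolve_latency(latency_ms: Dict[str, int], healthy: Set[str]) -> Optional[str]:
    """Latency routing: lowest-latency target among those passing health checks."""
    candidates = {target: ms for target, ms in latency_ms.items() if target in healthy}
    if not candidates:
        return None
    return min(candidates, key=candidates.__getitem__)
```

Always create the default ("*") record when using geolocation: without it, clients whose location Route 53 cannot match get no answer at all rather than the English site.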
- Additional clones of your production environment, ElastiCache, and CloudFront can all help improve your site performance. Changing your autoscaling policies will not help improve performance times as it is much more likely that the performance issue is with the database back end rather than the front end. The Provisioned IOPS would also not help, as the bottleneck is with the memory, not the storage.
- There are many features which are native to the KMS service. However, of the above, only import your own keys, disable and re-enable keys and define key management roles in IAM are valid. Importing keys into a custom key store and migrating keys from the default key store to a custom key store are not possible. Lastly operating as a private, native HSM is a function of CloudHSM and is not possible directly within KMS. https://aws.amazon.com/kms/faqs/
- The essence of a stateless installation is that the scalable components are disposable, and configuration is stored away from the disposable components. The best way to solve this type of problem is by elimination. Storage Gateway offers no advantage in this situation. CloudWatch is a reporting tool and will not help. An ELB will distribute load but is not specific to stateless design. ElastiCache is well suited to very short, fast-cycle data and is a good replacement for in-memory or on-disk state data previously held on the web servers. RDS is well suited to structured and long-cycle data, and DynamoDB is well suited to unstructured and medium-cycle data. Both can be used for certain types of stateful data, either alongside or instead of ElastiCache.
- The tenancy of an instance can only be changed between the variants of 'dedicated' tenancy (dedicated and host). It cannot be changed from or to default tenancy.
- In total there are 9 valid sections allowed within a CloudFormation template. In the answers above, only “Parameters”, “Resources” and “Outputs” are considered valid. “Options” is not a template section.
- How to deliver Security and Auditing in AWS needs to be considered in designs.
- An Elastic Load Balancer can help you deliver stateful services, but not stateless. Elastic MapReduce is a data-crunching service and is not related to serving web traffic.
- AutoScaling scales-in according to a hierarchy of decisions.
- You need to ensure that your application in your custom VPC can communicate back to the on-premises data centre. You can do this with either a site-to-site VPN or Direct Connect. Both sides use private IP address ranges, so you must make sure that the VPC CIDR and the on-premises ranges do not overlap.
- The term consistency has specific meaning in relationship to DynamoDB.
- https://aws.amazon.com/dynamodb/faqs/
- http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.DataConsistency.html
- https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadConsistency.html
- https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ProvisionedThroughput.html
- https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/CapacityUnitCalculations.html
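The consistency and capacity-unit rules behind the links above are easiest to remember as arithmetic. The block below is an added example, not AWS code, that encodes the rules from the DynamoDB developer guide: strongly consistent, eventually consistent and transactional reads, 1 KB write units, and the fact that Query and Scan round the total size of the returned items rather than each item.

```python
"""Added example: DynamoDB provisioned-capacity arithmetic (not AWS code).

Rules modelled, from the DynamoDB developer guide:
  * 1 RCU = one strongly consistent read per second of an item up to 4 KB;
    an eventually consistent read costs half, a transactional read double.
  * 1 WCU = one write per second of an item up to 1 KB; transactional double.
  * Query/Scan round the *total* size of all returned items up to the next
    4 KB boundary, not each item separately.
"""
import math
from typing import Iterable

READ_UNIT_BYTES = 4 * 1024
WRITE_UNIT_BYTES = 1024
READ_FACTOR = {"eventual": 0.5, "strong": 1.0, "transactional": 2.0}


def item_read_units(item_size_bytes: int, consistency: str = "eventual") -> float:
    """RCUs consumed by a single GetItem of an item of the given size."""
    chunks = max(1, math.ceil(item_size_bytes / READ_UNIT_BYTES))
    return chunks * READ_FACTOR[consistency]


def query_read_units(item_sizes: Iterable[int], consistency: str = "eventual") -> float:
    """RCUs consumed by one Query/Scan returning items of the given sizes."""
    total = sum(item_sizes)
    chunks = max(1, math.ceil(total / READ_UNIT_BYTES))
    return chunks * READ_FACTOR[consistency]


def item_write_units(item_size_bytes: int, transactional: bool = False) -> int:
    """WCUs consumed by a single PutItem/UpdateItem/DeleteItem."""
    chunks = max(1, math.ceil(item_size_bytes / WRITE_UNIT_BYTES))
    return chunks * (2 if transactional else 1)


def provisioned_rcus(reads_per_second: int, item_size_bytes: int,
                     consistency: str = "eventual") -> int:
    """Whole RCUs to provision for a steady rate of single-item reads."""
    return math.ceil(reads_per_second * item_read_units(item_size_bytes, consistency))


def provisioned_wcus(writes_per_second: int, item_size_bytes: int,
                     transactional: bool = False) -> int:
    """Whole WCUs to provision for a steady rate of single-item writes."""
    return writes_per_second * item_write_units(item_size_bytes, transactional)
```

Note the Query case: three 1.5 KB items cost 2 strongly consistent RCUs when returned by one Query (4.5 KB rounded to 8 KB) but 3 RCUs when fetched with three GetItem calls.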
- A /28 subnet only has 16 addresses. AWS reserves the first four and the last IP address in each subnet's CIDR block, leaving 11 usable. It is likely that your Auto Scaling group has provisioned too many EC2 instances and you have run out of private IP addresses.
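The two VPC addressing points above (the CIDR on each side of a VPN or Direct Connect must not overlap, and a /28 leaves only 11 usable addresses) are the kind of thing worth checking before a template is deployed. The block below is an added example, not AWS code, using only the standard library; the VPC, subnet and on-premises ranges in the test are constructed.

```python
"""Added example: sanity checks for a VPC addressing plan (not AWS code).

Models two facts from the explanations above: the private ranges on both
sides of a VPN/Direct Connect must not overlap, and AWS reserves five
addresses in every subnet (the first four and the last), so a /28 yields
only 11 usable addresses. AWS subnets must be between /16 and /28.
"""
import ipaddress
from typing import List

RESERVED_PER_SUBNET = 5
MIN_PREFIX, MAX_PREFIX = 16, 28


def usable_addresses(subnet_cidr: str) -> int:
    """Addresses available to ENIs in an AWS subnet of this size."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"{net} is not a valid AWS subnet size (/16 to /28)")
    return net.num_addresses - RESERVED_PER_SUBNET


def fits_in_subnet(subnet_cidr: str, instances: int, other_enis: int = 0) -> bool:
    """True if an Auto Scaling group of `instances` plus any other ENIs in the
    subnet (load balancer nodes, endpoints, Lambda ENIs) can all get addresses."""
    return instances + other_enis <= usable_addresses(subnet_cidr)


def check_plan(vpc_cidr: str, subnet_cidrs: List[str], onprem_cidrs: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the plan is clean."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    subnets = [ipaddress.ip_network(s, strict=True) for s in subnet_cidrs]

    for s in subnets:
        if not s.subnet_of(vpc):
            problems.append(f"subnet {s} is not inside VPC {vpc}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")
    # Overlap with on-premises ranges breaks routing over the VPN/Direct Connect.
    for o in onprem_cidrs:
        onprem = ipaddress.ip_network(o, strict=True)
        if vpc.overlaps(onprem):
            problems.append(f"VPC {vpc} overlaps on-premises range {onprem}")
    return problems
```

Remember to count the ENIs that are not instances: an internal load balancer, interface endpoints and Lambda functions attached to the subnet all consume addresses from the same 11.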
- VPC peering only routes traffic between source and destination VPCs.
- VPC peering does not support edge to edge routing.
- http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/invalid-peering-configurations.html
- The visibility timeout controls how long a message is invisible in the queue while it is being worked on by a processing instance. This interval should not be confused with how long the message can remain in the queue.
- Consolidated Billing is a feature of AWS Organisations. Once enabled and configured, you will receive a bill containing the costs and charges for all of the AWS accounts within the Organisation. Although each of the individual AWS accounts are combined into a single bill, they can still be tracked individually and the cost data can be downloaded in a separate file. Using Consolidated Billing may ultimately reduce the amount you pay, as you may qualify for Volume Discounts. There is no charge for using Consolidated Billing.
- DynamoDB uses parallel processing to achieve predictable performance. Visualise each partition as an independent database server of fixed size, each responsible for a defined block of data; in SQL terminology this is called sharding. The documentation is specific about SSDs, but makes no mention of read replicas or EBS-Optimised. Caching in front of DynamoDB is an option (DAX), but it is not inherent to DynamoDB.
- There is no route connecting your VPC back to the on premise data center. You need to add this route to the route table and then enable propagation on the Virtual Private Gateway.
- Spread placement groups have a specific limitation that you can only have a maximum of 7 running instances per Availability Zone and therefore this is the only correct option. Deploying instances in a single Availability Zone is unique to Cluster Placement Groups only and therefore is not correct. The last two remaining options are common to all placement group types and so are not specific to Spread Placement Groups. Spread Placement Groups are recommended for applications that have a small number of critical instances which need to be kept separate from each other. Launching instances in a Spread Placement Group reduces the risk of simultaneous failures that might occur when instances share the same underlying hardware. Spread Placement Groups provide access to distinct hardware, and are therefore suitable for mixing instance types or launching instances over time. In this case, deploying the EC2 instances in a Spread Placement Group is the only correct option. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html
- Caching content is not always effective. Sometimes, optimal solutions cannot be achieved; so you need to figure out the next best way to keep the show going.
- http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ReadRepl.html
- http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html
- http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Limits.html
- http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Expiration.html
- Remember that under the shared responsibility model AWS can see the instance, but not inside the instance to what it is doing. AWS can see that you have memory, but how much of the memory is being used cannot be seen by AWS. In the case of CPU, AWS can see how much CPU you are using, but cannot see what you are using it for.
- The consumption of provisioned throughput units, and I/O bottlenecks are not a simple average over the table. Consumption is measured in terms of load on each individual partition, as well as load on each Local & Global Secondary Index. https://aws.amazon.com/blogs/aws/optimizing-provisioned-throughput-in-amazon-dynamodb/
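Because throughput is consumed per partition, the sequential partition key problem raised earlier (a date or a monotonically increasing ID sends every write of the period to one partition) is usually solved by write sharding. The block below is an added example, not AWS code: it derives a deterministic shard suffix from a second attribute so writes fan out, and shows the reader's side, which must Query every shard to reassemble the period. The table layout, key names and order IDs are constructed.

```python
"""Added example: write sharding for a sequential DynamoDB partition key.

Not AWS code, but the technique the DynamoDB guide recommends for hot
partitions: every write for a given day would otherwise land on the single
partition that owns the key "2024-05-01", so a deterministic shard suffix
derived from another attribute spreads the load, and a reader fans out one
Query per shard to reassemble the day's data.
"""
import hashlib
from collections import Counter
from typing import Dict, List


def sharded_partition_key(base_key: str, shard_count: int, discriminator: str) -> str:
    """Append a shard number derived from `discriminator` (for example an
    order ID) so that writes sharing `base_key` fan out over `shard_count`
    partition keys. Deterministic, so the same item always maps to the same
    key and can be fetched again by key without a scan."""
    digest = hashlib.sha256(discriminator.encode("utf-8")).digest()
    shard = int.from_bytes(digest[:4], "big") % shard_count
    return f"{base_key}#{shard}"


def shard_keys_for(base_key: str, shard_count: int) -> List[str]:
    """All partition keys a reader must Query to see everything for base_key."""
    return [f"{base_key}#{i}" for i in range(shard_count)]


def simulate_write_distribution(base_key: str, item_ids: List[str],
                                shard_count: int) -> Dict[str, int]:
    """Count how many writes land on each partition key; shard_count <= 1
    models the unsharded table where every write hits one partition."""
    counts: Counter = Counter()
    for item_id in item_ids:
        if shard_count <= 1:
            key = base_key
        else:
            key = sharded_partition_key(base_key, shard_count, item_id)
        counts[key] += 1
    return dict(counts)
```

The shard count is a trade-off: more shards spread writes further but multiply the number of Queries a reader has to issue, so pick it from the expected write rate per period rather than a large default.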
- S3 domain names: objects can be addressed with virtual-hosted-style URLs (bucket-name.s3.amazonaws.com/key) or path-style URLs (s3.amazonaws.com/bucket-name/key).
- Enable versioning on the bucket and protect the objects by enabling MFA Delete, which requires multi-factor authentication to permanently delete an object version or change the bucket's versioning state.
- Messages can be retained in SQS for up to 14 days. https://aws.amazon.com/sqs/details/
- Route 53 private hosted zones can only be resolved from the VPCs they are associated with, so internal DNS records cannot be read by external sources. Route 53 itself does not support zone transfers, so the workaround is an EC2-hosted DNS server that holds a copy of the records to be published (for example, by zone transfer from an internal DNS server that does support it) and allows itself to be queried by external resolvers.
- This question has two parts which need to be considered, the type of queue and the type of polling. The question states that messages, “can be delivered more than once” but, “must be delivered in the order that they have arrived”, which means that it can only be a FIFO queue as it is the only SQS type which will deliver messages in order, regardless of how many times the message is delivered. The question also states that the queue, “must allow for efficient polling” and in this case long polling is the most efficient and cost effective option in situations where the queue will be polled constantly. The correct answer is therefore to configure a FIFO SQS queue with long polling enabled.
- With NAT instances, the most common oversight is forgetting to disable Source/Destination Checks. http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck
- You cannot create an unencrypted volume from an encrypted snapshot, nor encrypt an existing unencrypted volume in place. To encrypt existing data, take a snapshot, copy the snapshot with encryption enabled and create a new volume from the encrypted copy. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
- The most likely answer is that the EC2 instance was backed by an instance store volume. Instance store volumes are ephemeral, meaning that they exist ONLY in conjunction with their accompanying EC2 instance.
- You would either use EBS or EFS. S3 is for object storage, not applications; and Glacier is for data archiving.
- Adding a read replica on its own won’t solve your problem, you would need to alter the code for Magento to use the read replica (which was not in the offered options). Multi-AZ is a reliability technique not a performance technique. The best answer available is to migrate the database to Aurora which has superior Read performance due to its design. Implementing ElastiCache, is relatively easy and will also offload some of the Read traffic.
- Simply stopping the instances eliminates the instance-hour charges until the instances are restarted (any attached EBS volumes continue to be billed for storage).
- Request Headers provide in line control of how the object will be handled and stored by S3.
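The request headers are where the S3 encryption choices listed earlier (SSE-S3, SSE-C, SSE-KMS or client-side encryption) are actually expressed, along with the storage class. The block below is an added example, not AWS SDK code: it builds the PutObject headers for each mode, including the base64 key and key-MD5 that SSE-C requires, and then checks them the way the common "deny unencrypted uploads" bucket policy does, which exposes a caveat: SSE-C and client-side uploads carry no x-amz-server-side-encryption header and are rejected by that policy. The customer key bytes and KMS alias in the test are constructed.

```python
"""Added example: building S3 PutObject headers for each encryption mode and
checking them the way an "encrypt everything" bucket policy would (not AWS code).

SSE-S3 and SSE-KMS are requested with x-amz-server-side-encryption; SSE-C
sends the customer's own 256-bit key (base64) plus its MD5 so S3 can verify
it arrived intact; client-side encryption sends no SSE header at all because
the bytes are already ciphertext before they leave the client.
"""
import base64
import hashlib
from typing import Dict, Optional

STORAGE_CLASSES = {"STANDARD", "REDUCED_REDUNDANCY", "STANDARD_IA", "ONEZONE_IA",
                   "INTELLIGENT_TIERING", "GLACIER", "DEEP_ARCHIVE"}


def b64_md5(data: bytes) -> str:
    """Base64 of the raw MD5 digest, the form S3 expects for key and content checksums."""
    return base64.b64encode(hashlib.md5(data).digest()).decode("ascii")


def sse_s3_headers() -> Dict[str, str]:
    return {"x-amz-server-side-encryption": "AES256"}


def sse_kms_headers(key_id: Optional[str] = None) -> Dict[str, str]:
    headers = {"x-amz-server-side-encryption": "aws:kms"}
    if key_id:  # omit the key ID to use the account's AWS-managed S3 key
        headers["x-amz-server-side-encryption-aws-kms-key-id"] = key_id
    return headers


def sse_c_headers(customer_key: bytes) -> Dict[str, str]:
    if len(customer_key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) AES key")
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": base64.b64encode(customer_key).decode("ascii"),
        "x-amz-server-side-encryption-customer-key-MD5": b64_md5(customer_key),
    }


def put_object_headers(mode: str, storage_class: str = "STANDARD", **kw) -> Dict[str, str]:
    """Assemble the headers for one upload. mode: sse-s3 | sse-kms | sse-c | client."""
    if storage_class not in STORAGE_CLASSES:
        raise ValueError(f"unknown storage class {storage_class}")
    builders = {"sse-s3": sse_s3_headers, "sse-kms": sse_kms_headers,
                "sse-c": sse_c_headers, "client": lambda: {}}
    headers = builders[mode](**kw)
    headers["x-amz-storage-class"] = storage_class
    return headers


def bucket_policy_accepts(headers: Dict[str, str]) -> bool:
    """Mirror the common DenyUnencryptedObjectUploads bucket policy, which
    denies PutObject unless s3:x-amz-server-side-encryption is AES256 or
    aws:kms. Caveat: SSE-C and client-side uploads never set that header,
    so such a policy rejects them too unless it is written to allow them."""
    return headers.get("x-amz-server-side-encryption") in ("AES256", "aws:kms")
```

With SSE-C the key travels in the request, so those headers must only ever be sent over HTTPS; S3 rejects SSE-C over plain HTTP for exactly that reason.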
- Using the default settings metrics are sent every 5 minutes to CloudWatch. Using the detailed settings, metrics are then sent every 1 minute.
- Amazon ElastiCache offers a fully managed Memcached and Redis service. Although the name only suggests caching functionality, the Redis service in particular can offer a number of operations such as Pub/Sub, Sorted Sets and an In-Memory Data Store. However, ElastiCache is only a key-value store and cannot therefore store relational data.
- S3, SQS & DynamoDB are already built in a fault tolerant fashion, you do not need to provision these services across multiple availability zones. Therefore the correct answers are RDS and EC2.
- Although it is possible to run Docker containers on all of the above AWS services, only ECS, Elastic Beanstalk and Fargate allow containers to run natively. EC2 instances can run Docker containers, but Docker has to be installed separately before a container can be deployed.
- Use cases include storing JSON data, BLOB data and storing web session data. You cannot run relational joins on DynamoDB and storing archived data would be better placed on Glacier.
- Any migration project needs to consider how to manage legacy data and data formats. This includes backup and archives. A 3rd party archive service is viable, but would be an ongoing expense. Storage Gateway can be used to efficiently move data into AWS. Old tapes could either be restored to the Storage Gateway volume, or migrated to Virtual tapes inside AWS using Tape Gateway.
- https://aws.amazon.com/importexport/disk/
- With proper scripting and scaling policies, On-Demand instances behind the Spot instances will deliver the most cost-effective solution, because the On-Demand instances only spin up if the Spot instances are not available. DynamoDB is a regional service, so there is no need to explicitly create a Multi-AZ deployment. RDS could be used, but DynamoDB lends itself better to supporting stateless web/app installations.
- AWS have a standard solution that makes use of a VPC with; a private subnet, Hardware VPN Access, a VPG, and an on-premise Customer Gateway.
- Once a VPC's instance tenancy is set to dedicated, it can be changed back to default via the CLI, SDK or API. Note that this will not change the tenancy of existing instances, only of future ones. Existing instances can be switched between dedicated and host tenancy via the CLI, SDK or API while stopped, but not to or from default tenancy.
- There are three key aspects: RTO, RPO, and cost. All three must be balanced and meet objectives for the design to be considered acceptable.
- With the Resource Groups tool, you use a single page to view and manage your resources.
- The termination IP address on the AWS side is not at the gateway. It is defined as part of the AWS VPN configuration process. Direct Connect could be a carrier, but is not a VPN itself.
- Poor timing of SQS processes can significantly impact the cost effectiveness of the solution.
- http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-delay-queues.html
- http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/AboutVT.html
- http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-long-polling.html
- http://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_ChangeMessageVisibility.html
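The timing concepts behind the visibility-timeout note and the four links above (DelaySeconds, visibility timeout, retention and ChangeMessageVisibility) are easy to confuse, so here is an added in-memory model of them. It is not SQS and not AWS code; it keeps only the pieces needed to show when a message is visible, when an undeleted message is redelivered and when retention discards it. Message bodies and timings in the test are constructed.

```python
"""Added example: an in-memory model of SQS timing semantics (not AWS code).

Shows the three clocks the explanations above distinguish: DelaySeconds
(when a message first becomes visible), the visibility timeout (how long a
received message is hidden from other consumers before it is redelivered)
and the retention period (when an undeleted message is discarded).
ChangeMessageVisibility extends or shortens the hidden window. The limits
enforced in __init__ are the documented SQS limits.
"""
import itertools
from typing import Dict, List, Optional


class Message:
    def __init__(self, body: str, available_at: int, expires_at: int):
        self.body = body
        self.available_at = available_at      # DelaySeconds applied here
        self.expires_at = expires_at          # retention period applied here
        self.invisible_until = 0              # visibility timeout applied here
        self.receive_count = 0


class QueueModel:
    def __init__(self, visibility_timeout: int = 30, delay_seconds: int = 0,
                 retention_seconds: int = 4 * 24 * 3600):
        if not 0 <= visibility_timeout <= 12 * 3600:
            raise ValueError("visibility timeout must be 0 s to 12 h")
        if not 0 <= delay_seconds <= 900:
            raise ValueError("DelaySeconds must be 0 to 900 s")
        if not 60 <= retention_seconds <= 14 * 24 * 3600:
            raise ValueError("retention must be 1 minute to 14 days")
        self.visibility_timeout = visibility_timeout
        self.delay_seconds = delay_seconds
        self.retention_seconds = retention_seconds
        self._messages: Dict[str, Message] = {}
        self._receipts: Dict[str, str] = {}   # receipt handle -> message id
        self._ids = itertools.count(1)

    def send(self, body: str, now: int, delay_seconds: Optional[int] = None) -> str:
        delay = self.delay_seconds if delay_seconds is None else delay_seconds
        msg_id = f"msg-{next(self._ids)}"
        self._messages[msg_id] = Message(body, now + delay, now + self.retention_seconds)
        return msg_id

    def _purge_expired(self, now: int) -> None:
        for msg_id in [m for m, msg in self._messages.items() if msg.expires_at <= now]:
            del self._messages[msg_id]

    def receive(self, now: int, max_messages: int = 1) -> List[dict]:
        """Return visible messages and hide them for the visibility timeout."""
        self._purge_expired(now)
        out: List[dict] = []
        for msg_id, msg in self._messages.items():
            if len(out) >= max_messages:
                break
            if msg.available_at <= now and msg.invisible_until <= now:
                msg.receive_count += 1
                msg.invisible_until = now + self.visibility_timeout
                receipt = f"{msg_id}/r{msg.receive_count}"
                self._receipts[receipt] = msg_id
                out.append({"id": msg_id, "body": msg.body,
                            "receipt": receipt, "receive_count": msg.receive_count})
        return out

    def change_visibility(self, receipt: str, timeout: int, now: int) -> None:
        """ChangeMessageVisibility: reset the hidden window from `now`."""
        msg = self._messages.get(self._receipts.get(receipt, ""))
        if msg is not None:
            msg.invisible_until = now + timeout

    def delete(self, receipt: str) -> None:
        """Only deletion stops redelivery; finishing the work does not."""
        self._messages.pop(self._receipts.pop(receipt, ""), None)
```

The practical rule that falls out of the model: set the visibility timeout longer than the worst-case processing time (or extend it with ChangeMessageVisibility while work is in progress), and always delete after success, otherwise a slow worker guarantees duplicate processing.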
- Using an ALB will provide a very fault tolerant setup. When creating a record in Route 53 to other AWS resources, including ALB’s, you should use Alias records where available. The alternate option of attaching Elastic IPs directly to the instances with an “A” record accomplishes similar results, but doesn’t incur the cost of an ALB.
- AWS has removed the Firewall appliance from the hub of the network and implemented the firewall functionality as stateful Security Groups, and stateless subnet NACLs. This is not a new concept in networking, but rarely implemented at this scale. In this case an IAM role by itself will not be enough to gain access to the AWS infrastructure – an IAM user will also be required.
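The stateful-versus-stateless distinction above (and the earlier note that security groups are stateful) is the source of a very common NACL mistake: allowing HTTPS in but forgetting that the replies go out to the client's ephemeral port. The block below is an added example, not AWS code, that models both evaluation styles on a single client-to-instance:443 connection; the client IP, ports and rule sets are constructed.

```python
"""Added example: stateful security group vs stateless network ACL (not AWS code).

A security group holds allow rules only, evaluates all of them, and
automatically admits the return half of any connection it allowed.
A network ACL holds numbered allow/deny rules, evaluated in ascending
order with the first match winning and an implicit deny at the end, and
it is stateless: the reply packets (destination = the client's ephemeral
port) must be allowed by an outbound rule of their own.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class Rule:
    direction: str            # "inbound" or "outbound"
    protocol: str             # "tcp", "udp", "icmp" or "-1" for all
    from_port: int
    to_port: int
    cidr: str
    action: str = "allow"     # NACLs may also say "deny"; security groups are allow-only
    number: int = 0           # NACL rule number; ignored for security groups

    def matches(self, direction: str, protocol: str, port: int, ip: str) -> bool:
        return (self.direction == direction
                and self.protocol in ("-1", protocol)
                and self.from_port <= port <= self.to_port
                and ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr))


def sg_allows(rules: List[Rule], direction: str, protocol: str, port: int,
              ip: str, established: bool = False) -> bool:
    """Stateful: reply traffic of an allowed connection is always admitted;
    otherwise any matching allow rule permits the packet."""
    if established:
        return True
    return any(r.matches(direction, protocol, port, ip) for r in rules)


def nacl_allows(rules: List[Rule], direction: str, protocol: str, port: int, ip: str) -> bool:
    """Stateless: first matching rule by number decides; implicit deny (*) last."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(direction, protocol, port, ip):
            return r.action == "allow"
    return False


def https_connection_works(sg: List[Rule], nacl: List[Rule],
                           client_ip: str, client_port: int) -> dict:
    """Evaluate both halves of a client -> instance:443 TCP connection."""
    request_sg = sg_allows(sg, "inbound", "tcp", 443, client_ip)
    request_nacl = nacl_allows(nacl, "inbound", "tcp", 443, client_ip)
    # Reply: instance:443 -> client:client_port. The security group remembers the
    # flow; the NACL does not and checks its outbound rules against the ephemeral port.
    reply_sg = sg_allows(sg, "outbound", "tcp", client_port, client_ip, established=request_sg)
    reply_nacl = nacl_allows(nacl, "outbound", "tcp", client_port, client_ip)
    return {"request": request_sg and request_nacl,
            "reply": reply_sg and reply_nacl,
            "works": request_sg and request_nacl and reply_sg and reply_nacl}


# Constructed rule sets. The security group needs no outbound rule for replies.
WEB_SG = [Rule("inbound", "tcp", 443, 443, "0.0.0.0/0")]
NACL_NO_EPHEMERAL = [
    Rule("inbound", "tcp", 443, 443, "0.0.0.0/0", number=100),
    Rule("outbound", "tcp", 443, 443, "0.0.0.0/0", number=100),   # common mistake: only 443 out
]
NACL_WITH_EPHEMERAL = NACL_NO_EPHEMERAL + [
    Rule("outbound", "tcp", 1024, 65535, "0.0.0.0/0", number=110),  # replies to ephemeral ports
]
```

Rule numbering matters for NACLs only: a deny numbered below an allow is hit first, which is how a single abusive range is blocked in front of a broad allow.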
- If you configure Auto Scaling so that each AZ can carry 50% of the load, then if you lose any one AZ the remaining two will carry the full load between them. This does mean that you carry an extra cost, but if the Board has decided that this level of resiliency is needed, that will be the cost.
- Proactive Cyclic Scaling allows you to scale during the desired time window.
- https://media.amazonwebservices.com/AWS_Cloud_Best_Practices.pdf
- When considering network traffic, you need to understand the difference between storage traffic and general network traffic, and the ways to address each.
- The 10Gbps is a red herring, in that the 500Mbps only occurs for short intervals, and therefore your sustained throughput is not 10Gbps.
- Wherever possible, use simple solutions such as spreading the load out rather than expensive high tech solutions.