AWS Exam Notes

  1. Dedicated Hosts and Dedicated Instances
    Both give you exclusive use of a physical server, but a Dedicated Host offers more control. Once you have a host you can launch instances on it again and again; the main use case is bring-your-own-license, and billing is per host. When creating an EC2 instance in CloudFormation, specify HostId and set Tenancy to dedicated.
    Dedicated Instances are billed per instance; each launch is independent, and the instances are not guaranteed to land on the same physical server.
  2. Stack Set
    A CloudFormation template creates one Stack. With a Stack Set, one template can create many Stacks, in the current account, in other linked accounts, or across an AWS Organization. The Stacks it creates can be in several regions, but the Stack Set itself lives in a single region.
  3. CloudFormation Drift
    Resources in a Stack created by CloudFormation can be changed directly, bypassing CloudFormation. Drift Detection checks whether the actual configuration of the Stack's resources still matches the template.
  4. Ingress traffic vs egress traffic

Data originating outside the local network that is transmitted to a station within the network. Contrast with "egress traffic," which is data originating within the local network that is transmitted to a station outside the network.

Ingress traffic enters the local network from outside; egress traffic leaves it.

  1. Load balancers and security groups
    A Classic or Application Load Balancer must be given at least one security group, whereas a Network Load Balancer does not use security groups.
  6. AWS Cost and Usage Report and tags
    To group a generated report by tag, activate Cost allocation tags in the Billing & Cost Management Console. They come in two kinds: user-defined tags and AWS-generated tags.
  2. Beanstalk Immutable Deployment
    First a temporary Auto Scaling Group is created and placed behind the load balancer, then a single new instance is launched. Once it passes the health check, as many instances as the original group has are created; after they all pass their health checks they are moved into the original Auto Scaling Group, and the temporary Auto Scaling Group and the old instances are deleted.
  3. Using IAM policies for CodeCommit
    CodeCommit can be governed with IAM, for example to deny merges and pushes to master, to deny all operations based on tags, or to deny by the user's IP address.
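The branch-protection case above, as an added example that is not part of the original notes: a Deny statement in the shape AWS documents for CodeCommit (the `codecommit:References` condition key, `StringEqualsIfExists` plus a `Null` check so the statement only fires when a reference is actually present) and a small evaluator for that subset of IAM condition semantics. The account id and repository name are placeholders; the evaluator models only the operators used here, not full IAM.

```python
import fnmatch

# Constructed policy in the shape AWS documents for branch protection; the account
# id and repository name are placeholders, not values from the notes above.
DENY_PUSH_TO_MASTER = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": [
            "codecommit:GitPush", "codecommit:DeleteBranch", "codecommit:PutFile",
            "codecommit:MergeBranchesByFastForward", "codecommit:MergeBranchesBySquash",
            "codecommit:MergeBranchesByThreeWay", "codecommit:MergePullRequestByFastForward",
            "codecommit:MergePullRequestBySquash", "codecommit:MergePullRequestByThreeWay",
        ],
        "Resource": "arn:aws:codecommit:us-east-1:111111111111:MyDemoRepo",
        "Condition": {
            # Matches when the pushed/merged reference is master (also true if key absent) ...
            "StringEqualsIfExists": {"codecommit:References": ["refs/heads/master"]},
            # ... but only when the request actually carries the reference key.
            "Null": {"codecommit:References": "false"},
        },
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_holds(operator, key, wanted, context):
    """Evaluate one IAM condition entry against the request context (modelled subset)."""
    present = key in context
    wanted = _as_list(wanted)
    actual = _as_list(context.get(key, []))
    if operator == "Null":                  # "true": key must be absent; "false": must be present
        return present if wanted[0] == "false" else not present
    if operator == "StringEqualsIfExists":  # a missing key satisfies any ...IfExists operator
        return (not present) or any(a in wanted for a in actual)
    if operator == "StringEquals":
        return present and any(a in wanted for a in actual)
    raise NotImplementedError(f"operator {operator} not modelled")


def explicitly_denied(policy, action, resource, context):
    """True if some Deny statement matches the action, the resource and every condition."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        conds = st.get("Condition", {})
        if all(condition_holds(op, k, v, context)
               for op, entries in conds.items() for k, v in entries.items()):
            return True
    return False
```

A push whose request context lists master among its references is denied, a push to a feature branch or a read-only call is not, and a request with no reference key at all is left to the other policies in effect.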
  4. EC2 API keys

For applications, AWS CLI, and Tools for Windows PowerShell commands that run on the instance, you do not have to explicitly get the temporary security credentials—the AWS SDKs, AWS CLI, and Tools for Windows PowerShell automatically get the credentials from the EC2 instance metadata service and use them.

Once a role is assigned to an EC2 instance, the AWS CLI, SDKs and similar tools no longer require you to handle access keys and the rest of the credential workflow yourself.

  1. In-Memory Acceleration with DynamoDB Accelerator (DAX)
    When a DynamoDB table's reads far outnumber its writes, you can use this built-in cache. It is suited to eventually consistent reads.
    Note that once most reads are served from the cache, there is no need to raise the table's read throughput.
  2. AWS Beanstalk Configuration options
    Four categories, in order of precedence from highest to lowest:
    1> Settings applied directly to the environment
    Parameters passed directly when creating or updating via the Console, CLI or SDK.
    2> Saved Configurations
    The configuration files live in .elasticbeanstalk/saved_configs/
    3> Configuration Files (.ebextensions)
    4> Default Values
    The first two kinds can be removed with the CLI, after which 3> or 4> take effect automatically. Configuration Files require editing the file and redeploying.
  3. Auto Scaling Health Check
    Auto Scaling can determine an instance's health status in three ways.
    1> Amazon EC2 Status Checks
    These come in two kinds: System status checks, which mainly check the underlying AWS systems, and Instance status checks, which check the instance's own network, file system and so on.
    2> Elastic Load Balancing (ELB) Health Checks
    3> Custom Health Checks
    With custom checks you set the health status yourself via the CLI or SDK.
  4. Elastic Load Balancing access log
    Off by default; enable it and configure an S3 bucket to store the log files.
  5. CodeCommit Notifications and Triggers
    In the CodeCommit repository Settings you can configure notifications, or triggers that target SNS and Lambda.
  6. CodeBuild Docker image
    AWS CodeBuild does not support Docker images based on Red Hat Enterprise Linux.
  7. SNS HTTP/HTTPS endpoint
    Similar to e-mail delivery, except that the data is sent by HTTP POST to the specified URL.
  8. AWS Security Token Service

AWS Security Token Service (AWS STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).

  1. Auto Scaling default termination policy
    It first tries to keep the number of instances balanced across Availability Zones, then terminates the instances that use the oldest launch template or configuration, and finally those closest to the next billing hour.
  2. Elastic Beanstalk worker environments
    Handle long-running tasks: messages are pulled from SQS, POSTed to http://localhost/ , and processed by a daemon process.
  3. Suspending and resuming scaling processes
    Amazon EC2 Auto Scaling lets you temporarily suspend processes such as Launch, Terminate, AddToLoadBalancer and ReplaceUnhealthy.
    When AddToLoadBalancer is suspended, the instances it launches are not registered with the Load Balancer; resuming it only affects instances launched afterwards, and instances created while it was suspended must be added to the Load Balancer manually.
  4. AWS Beanstalk Customizing software
    In Beanstalk configuration files the Packages, Groups, Users, Sources, Files, Commands, Services and Container commands keys let you install packages, create users and files, and so on.
    Of these:

Container commands run after the application and web server have been set up and the application version archive has been extracted, but before the application version is deployed.
You can use leader_only to only run the command on a single instance, or configure a test to only run the command when a test command evaluates to true.

  1. Deployment configurations in CodeDeploy
    Define the proportion and timing with which CodeDeploy rolls out a new application version. The AWS-predefined ones are:
    1> For an EC2/on-premises compute platform
    CodeDeployDefault.AllAtOnce, HalfAtATime, OneAtATime
    2> On an Amazon ECS compute platform
    CodeDeployDefault.ECSLinear10PercentEvery1Minutes and 3Minutes
    Shift traffic linearly, 10% at a time
    CodeDeployDefault.ECSCanary10Percent5Minutes and 15Minutes
    Shift 10% first, then the rest all at once after 5 minutes.
    CodeDeployDefault.ECSAllAtOnce
    3> For an AWS Lambda compute platform
    CodeDeployDefault.LambdaCanary10Percent5Minutes and the 10-, 15- and 30-minute variants.
    CodeDeployDefault.LambdaLinear10PercentEvery1Minute and the 2-, 3- and 10-minute variants.
    CodeDeployDefault.LambdaAllAtOnce
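To make the naming scheme above concrete, here is an added example (not code from the notes or from CodeDeploy) that parses the predefined configuration names and turns the Linear and Canary ones into a traffic-shift timeline. The regular expression is this example's own generalisation of the names listed above, not a grammar AWS publishes.

```python
import re

# Grammar of the predefined configuration names listed above (this regex is the
# example's own generalisation of those names, not an AWS-published grammar).
_CONFIG_NAME = re.compile(
    r"^CodeDeployDefault\.(?P<platform>ECS|Lambda)?"
    r"(?P<kind>AllAtOnce|HalfAtATime|OneAtATime|Linear|Canary)"
    r"(?:(?P<pct>\d+)Percent(?:Every)?(?P<interval>\d+)Minutes?)?$"
)


def parse_config_name(name):
    """Split a CodeDeployDefault.* name into platform, kind, percent and interval."""
    m = _CONFIG_NAME.match(name)
    if not m:
        raise ValueError(f"not a predefined CodeDeploy configuration name: {name}")
    kind = m.group("kind")
    if kind in ("Linear", "Canary") and m.group("pct") is None:
        raise ValueError(f"{kind} configuration needs a percent and interval: {name}")
    return {
        "platform": m.group("platform") or "EC2/on-premises",
        "kind": kind,
        "percent": int(m.group("pct")) if m.group("pct") else None,
        "interval_minutes": int(m.group("interval")) if m.group("interval") else None,
    }


def traffic_shift_schedule(name):
    """Return [(minute, cumulative % of traffic on the new version), ...]."""
    cfg = parse_config_name(name)
    if cfg["kind"] == "AllAtOnce":
        return [(0, 100)]
    if cfg["kind"] in ("HalfAtATime", "OneAtATime"):
        # EC2/on-premises configs count hosts, not minutes; there is no timed shift.
        raise ValueError(f"{name} is host-based; no time-based traffic schedule")
    pct, every = cfg["percent"], cfg["interval_minutes"]
    if cfg["kind"] == "Canary":
        # First slice immediately, everything else after one interval.
        return [(0, pct), (every, 100)]
    schedule, shifted, minute = [], 0, 0
    while shifted < 100:                   # Linear: one slice per interval
        shifted = min(100, shifted + pct)
        schedule.append((minute, shifted))
        minute += every
    return schedule


def minutes_to_full_rollout(name):
    """Minute at which 100% of traffic is on the new version."""
    return traffic_shift_schedule(name)[-1][0]
```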
  2. Initializing Amazon EBS volumes

Empty EBS volumes receive their maximum performance the moment that they are created and do not require initialization (formerly known as pre-warming).
EBS volumes created from snapshots must download their data from S3, which reduces performance during initialization.

  1. CodeBuild login to Amazon ECR
    To log in to Amazon ECR from CodeBuild's buildspec.yml:
    $(aws ecr get-login --region $AWS_DEFAULT_REGION --no-include-email)
    get-login returns a command that carries the login credentials; wrap it in $() so that the returned command is executed.
  2. AWS OpsWorks Stacks Lifecycle Events
    Each layer has a set of five lifecycle events: Setup, Configure, Deploy, Undeploy, Shutdown
    The Configure lifecycle event occurs in the following cases:
  • An instance enters or leaves the online state.
  • You associate an Elastic IP address with an instance or disassociate one from an instance.
  • You attach an Elastic Load Balancing load balancer to a layer, or detach one from a layer.
  1. Prevent updates to stack resources

After you set a stack policy, all of the resources in the stack are protected by default. To allow updates on specific resources, you specify an explicit Allow statement for those resources in your stack policy.

A Stack policy keeps selected resources from being modified during an AWS CloudFormation update.

  1. instance profiles
    Use an instance profile to pass an IAM role to an EC2 instance.

If you use the IAM console, the instance profile is managed for you and is mostly transparent to you. However, if you use the AWS CLI or API to create and manage the role and EC2 instance, then you must create the instance profile and assign the role to it as separate steps. Then, when you launch the instance, you must specify the instance profile name instead of the role name.

Instance Profiles link a role to an EC2 instance; when you use the IAM console the instance profile is created for you automatically, so it feels as though you only set up the role.

  1. AWS CloudFormation Custom resources

Custom resources enable you to write custom provisioning logic in templates that AWS CloudFormation runs anytime you create, update (if you changed the custom resource), or delete stacks.

Just like the AWS-defined EC2 or Lambda resource types, you can use resource types of your own definition.
Three parties are involved: the template developer, the custom resource provider, and AWS CloudFormation.

  1. Amazon EC2 Auto Scaling lifecycle hooks
    When instances are launched or terminated they enter a wait state; during this period you can perform custom actions, then notify Auto Scaling to continue.
  2. Monitoring Trusted Advisor check results with Amazon CloudWatch Events
    Note that the US East (N. Virginia) Region must be selected.
  3. AWS CloudFormation cfn-hup

The cfn-hup helper is a daemon that detects changes in resource metadata and runs user-specified actions when a change is detected.

  1. Auto Scaling instances terminate policies

Using termination policies, you can control which instances you prefer to terminate first when a scale-in event occurs.

For example:
1> OldestLaunchTemplate. Terminate instances that have the oldest launch template.
2> OldestLaunchConfiguration. Terminate instances that have the oldest launch configuration.
3> ClosestToNextInstanceHour. Terminate instances that are closest to the next billing hour.
4> NewestInstance. Terminate the newest instance in the group.
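The default policy described under "Auto Scaling default termination policy" above and the named policies listed here are easy to misread, so here is an added example (not code from the notes or from the AWS service) that applies the documented default steps to a constructed group: balance Availability Zones, then oldest launch template/configuration, then closest to the next billing hour. Scale-in protection excludes an instance entirely; the real service breaks the final tie at random, which this example replaces with a deterministic choice so results can be checked.

```python
from collections import Counter
from dataclasses import dataclass, replace
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Instance:
    instance_id: str
    az: str
    config_created: datetime   # creation time of its launch template/configuration version
    launch_time: datetime
    protected: bool = False    # instance scale-in protection: never a candidate


def seconds_into_billing_hour(inst, now):
    """How far the instance is into its current billing hour; larger = closer to the next."""
    return int((now - inst.launch_time).total_seconds()) % 3600


def default_termination_candidates(instances, now):
    """Apply the documented steps in order and return the surviving candidates."""
    # Step 1: the AZ(s) with the most instances, provided at least one is unprotected.
    per_az = Counter(i.az for i in instances)
    usable = {az for az in per_az if any(i.az == az and not i.protected for i in instances)}
    if not usable:
        return []
    most = max(per_az[az] for az in usable)
    step1 = [i for i in instances if not i.protected and i.az in usable and per_az[i.az] == most]
    # Step 2: instances using the oldest launch template / launch configuration.
    oldest = min(i.config_created for i in step1)
    step2 = [i for i in step1 if i.config_created == oldest]
    # Step 3: instances closest to the next billing hour.
    closest = max(seconds_into_billing_hour(i, now) for i in step2)
    return [i for i in step2 if seconds_into_billing_hour(i, now) == closest]


def choose_instance_to_terminate(instances, now):
    """Instance id the default policy picks, or None if every instance is protected."""
    finalists = default_termination_candidates(instances, now)
    if not finalists:
        return None
    return min(finalists, key=lambda i: i.instance_id).instance_id  # deterministic tie-break


def with_protection(instances, protected_ids):
    """Copy of the group with scale-in protection enabled on the given ids."""
    return [replace(i, protected=i.instance_id in protected_ids) for i in instances]


# Constructed sample group: three instances in us-east-1a, one in us-east-1b.
T0 = datetime(2024, 5, 1, 10, 0)
SAMPLE_GROUP = [
    Instance("i-0aaa", "us-east-1a", datetime(2024, 1, 1), T0),
    Instance("i-0bbb", "us-east-1a", datetime(2024, 3, 1), T0 + timedelta(minutes=30)),
    Instance("i-0ccc", "us-east-1b", datetime(2024, 1, 1), T0 + timedelta(minutes=50)),
    Instance("i-0ddd", "us-east-1a", datetime(2024, 1, 1), T0 + timedelta(minutes=55)),
]
NOW = T0 + timedelta(minutes=118)
```

At NOW the policy narrows us-east-1a's three instances to the two on the January configuration and then picks i-0aaa, which is 58 minutes into its billing hour; protecting i-0aaa shifts the choice to i-0ddd, and protecting every instance in us-east-1a moves the scale-in to us-east-1b.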

  1. AWS API Gateway/Lambda canary release deployment
    Canary release deployments are configured in API Gateway; the Lambda Function console has no corresponding setting.
  2. IAM database authentication for MySQL and PostgreSQL

You can authenticate to your DB instance using AWS Identity and Access Management (IAM) database authentication. IAM database authentication works with MySQL and PostgreSQL. With this authentication method, you don't need to use a password when you connect to a DB instance. Instead, you use an authentication token.

Note that this method cannot sustain a high rate of new connections per second; on the order of a few hundred.
  35. Deployment strategies
    Blue/Green and Red/Black are the same approach.
    A/B Testing runs two versions and picks the better one for the final release.

  1. Amazon S3 Analytics

Automated analysis and visualization of Amazon S3 storage patterns to help you decide when to shift data to a different storage class.

S3 Analytics can be used to analyse storage patterns and cut costs.

  1. AWS Compute Optimizer

AWS Compute Optimizer recommends optimal AWS resources for your workloads to reduce costs and improve performance by using machine learning to analyze historical utilization metrics.

It analyses usage to recommend an appropriate configuration that reduces cost while still meeting demand.

  1. AWS Auto Healing Feature
    OpsWorks has auto-healing; Beanstalk does not.
  2. Elastic IP limitation
    By default each account may have at most 5 Elastic IPs per region.
  3. Managing large Amazon SQS messages using Amazon S3
    Using S3 together with the Amazon SQS Extended Client Library for Java, queue messages of up to 2 GB can be stored.
  4. Warm Standby
    The standby environment is fully functional but runs fewer instances; after failover it must be scaled to match the load.
  5. AWS Macie
    It has two data sources: S3 and CloudTrail.
  6. Real-time Processing of Log Data with Subscriptions
    CloudWatch Logs can be streamed to Lambda, Elasticsearch and other destinations.
  7. Changing the launch configuration for an Auto Scaling group
    An Auto Scaling group's launch configuration cannot be modified once created; copy the existing one and modify the copy.
  8. Launch configuration vs launch template
    An Auto Scaling group can be created with either a launch configuration or a launch template.
    A launch template is effectively the configuration kept in a file, so it is versioned, and it can also set the proportion of On-Demand and Spot Instances.
  9. Network maximum transmission unit (MTU) for your EC2 instance

The most common format is the standard Ethernet v2 frame format. It supports 1500 MTU, which is the largest Ethernet packet size supported over most of the internet.
Jumbo frames (9001 MTU) allow more than 1500 bytes.

Note that jumbo frames are not an internet standard, so they are suited to traffic inside the VPC.

  1. Database snapshot
    Automated RDS snapshots cannot be shared directly; you must first copy them manually.
  2. DynamoDB Global Tables

Amazon DynamoDB global tables provide a fully managed solution for deploying a multiregion, multi-active database, without having to build and maintain your own replication solution.

  1. DBSnapshotIdentifier

By specifying this property, AWS CloudFormation creates a DB instance from the specified DB snapshot.

  1. Active Directory Connector

AD Connector is a directory gateway with which you can redirect directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud.

  1. Advanced environment customization with configuration files (.ebextensions)

You can add AWS Elastic Beanstalk configuration files (.ebextensions) to your web application's source code to configure your environment and customize the AWS resources that it contains. Configuration files are YAML- or JSON-formatted documents with a .config file extension that you place in a folder named .ebextensions and deploy in your application source bundle.

  1. AWS Lambda function scaling

Your functions' concurrency is the number of instances that serve requests at a given time.

It has a default limit.

When the burst concurrency limit is reached, the function starts to scale linearly. If this isn't enough concurrency to serve all requests, additional requests are throttled and should be retried.

  1. Amazon Inspector
    AWS Systems Manager (SSM) is used to install the Amazon Inspector agent.
  2. AWS Systems Manager Managed Instances
    In its Managed Instances console, instance IDs beginning with mi- are on-premises or virtual machine (VM) managed instances; EC2 instance IDs begin with i-.
  3. DynamoDB Stream
    Data in both DynamoDB tables and DynamoDB Streams is encrypted.
  4. Elastic Beanstalk .ebextensions For Linux machines

Configuration files support the following keys that affect the Linux server your application runs on.
Packages
Groups
Users
Sources
Files
Commands
Services
Container commands

Note:
1> Container commands run after the application and web server have been set up and the application version archive has been extracted, but before the application version is deployed. Non-container commands and other customization operations are performed prior to the application source code being extracted.
2> Elastic Beanstalk supports: yum, rubygems, python, and rpm. Packages are processed in the following order: rpm, yum, and then rubygems and python. There is no ordering between rubygems and python. Within each package manager, package installation order isn't guaranteed.

  1. Automate the creation of EBS Snapshots
    EBS Snapshots can be created on a schedule with CloudWatch Events.
  2. AWS CloudFormation DeletionPolicy attribute

With the DeletionPolicy attribute you can preserve or (in some cases) backup a resource when its stack is deleted.

  1. cloudformation-stack-drift-detection-check
    AWS Config can check whether CloudFormation's actual resources match the template.

The rule and the stack are COMPLIANT when the stack drift status is IN_SYNC. The rule and the stack are NON_COMPLIANT when the stack drift status is DRIFTED.

  1. AWS Elastic Beanstalk Requirements

Using a proxy server is not supported for Linux instances.

  1. Web Access Control List (Web ACL)

A web access control list (web ACL) gives you fine-grained control over the web requests that your protected resource responds to. You can protect Amazon CloudFront, Amazon API Gateway, Application Load Balancer, and AWS AppSync resources.
For example, blocking requests by client IP, geographic location, or request content.

  1. AWS SMS

AWS Server Migration Service automates the migration of your on-premises VMware vSphere, Microsoft Hyper-V/SCVMM, and Azure virtual machines to the AWS Cloud.

  1. Controlling when a CloudFormation stack creation completes
    For example, an EC2 instance is normally considered created as soon as it is running. If you want to install a specific program on it and only mark it complete once that program is running, give the EC2 resource a CreationPolicy and use the cfn-signal helper script to tell CloudFormation that creation has finished.
  2. AWS OpsWorks Stacks Operating Systems
    A stack can run Linux or Windows, but not a mix of the two.
  3. Lambda@Edge

    A Lambda function can run after the viewer request is received and before the cache is checked, before the origin request is sent, or after the origin response is received.

  4. Amazon CloudSearch vs Elasticsearch

Amazon CloudSearch is a cloud-based solution, which is fully managed by AWS.
Elasticsearch is an open-source database and search engine tool.
Amazon Elasticsearch is a cloud-based solution provided by AWS.
Because CloudSearch works out of the box, it suits rapid deployment. Note that CloudFormation does not support it; use the AWS CLI or SDK to configure its data.

  1. State Machine Execution in Response to Amazon S3 Events

You can use Amazon CloudWatch Events to execute an AWS Step Functions state machine in response to an event or on a schedule.

  1. Build environment reference for AWS CodeBuild
    You can use an AWS-provided managed image (Amazon Linux, Ubuntu or Windows Server) or your own custom image.
  2. Beanstalk lifecycle
    An application version lifecycle policy keeps the number of Elastic Beanstalk application versions from exceeding the limit.
  3. Elastic Load Balancing Access logs
    Disabled by default; once enabled, logs are delivered to the specified S3 bucket.
  4. AWS CloudTrail global service

For most services, events are recorded in the region where the action occurred. For global services such as AWS Identity and Access Management (IAM), AWS STS, and Amazon CloudFront, events are delivered to any trail that includes global services.

  1. Testing your Android app with AWS Device Farm
    AWS Device Farm can be added to CodePipeline as an action provider.
  2. Amazon Inspector rules packages and rules
    Inspector performs assessments using rules; different rules check different things.
    1> Common vulnerabilities and exposures

The rules in this package help verify whether the EC2 instances in your assessment targets are exposed to common vulnerabilities and exposures (CVEs).
2>Network Reachability
The rules in the Network Reachability package analyze your network configurations to find security vulnerabilities of your EC2 instances.

  1. AWS OpsWorks DeploymentCommand
    AWS DeploymentCommand has a rollback option in it. It keeps up to 5 versions; running rollback reverts to the previous version.
  2. External Cookbook on a Linux Instance
    Berkshelf can be used, but Berkshelf is available only for Chef 11.10 Linux stacks.
  3. Application Load Balancer traffic
    Note that ALB has no NetworkIn metric; only EC2 has that. ALB has NewConnectionCount.
  4. AWS OpsWorks Installing Custom Cookbooks

To have a stack install and use custom cookbooks, you must configure the stack to enable custom cookbooks, if it is not already configured.

  1. CodeDeploy config file
    On-premises deployments must have the application specification file appspec.yml;
    for Lambda it can also be JSON.