Amazon Certification Architect Professional

1. AWS And General IT Knowledge

Disaster Recovery

Storage Gateway

There are three ways to use it:

  1. Gateway-cached volumes: you store your primary data in Amazon S3 and retain only your frequently accessed data locally.
  2. Gateway-stored volumes: if you need low-latency access to your entire data set, configure the gateway to store the primary data locally and asynchronously back up point-in-time snapshots of that data to Amazon S3.
  3. Gateway-virtual tape library (gateway-VTL): gives you an almost limitless collection of virtual tapes. Each virtual tape lives in a virtual tape library (VTL) backed by Amazon S3 or in a virtual tape shelf (VTS) backed by Amazon Glacier.

Elastic Load Balancer, change policy

With the following commands a Classic ELB with a TCP listener can pass the requester's IP address through to the EC2 instance behind it (here one running nginx). A TCP listener does not add an X-Forwarded-For header, so without this the backend only ever sees the balancer's private IP, which makes access logs useless for attribution, rate limiting and incident forensics. The fix is the Proxy Protocol: the ELB prepends a one-line PROXY header carrying the original source and destination addresses to every backend connection.

 aws elb create-load-balancer-policy --load-balancer-name ophy-pipp-ElasticL-1KUZ4IS2YGYY0 --policy-name linuxacademy-protocol-policy --policy-type-name ProxyProtocolPolicyType --policy-attributes AttributeName=ProxyProtocol,AttributeValue=true

aws elb describe-load-balancer-policies --load-balancer-name ophy-pipp-ElasticL-1KUZ4IS2YGYY0
{
    "PolicyDescriptions": [
        {
            "PolicyAttributeDescriptions": [
                {
                    "AttributeName": "ProxyProtocol",
                    "AttributeValue": "true"
                }
            ],
            "PolicyName": "linuxacademy-protocol-policy",
            "PolicyTypeName": "ProxyProtocolPolicyType"
        }
    ]
}

aws elb set-load-balancer-policies-for-backend-server --load-balancer-name ophy-pipp-ElasticL-1KUZ4IS2YGYY0 --instance-port 80 --policy-names linuxacademy-protocol-policy

Then change the main nginx.conf so that the requester's IP is logged in the main log file. Two settings are needed: the listener has to be told to expect the PROXY header (listen ... proxy_protocol), and the real IP module has to be told which peers may supply it (set_real_ip_from, which should cover only the subnet the ELB lives in). Note that once proxy_protocol is on the listener, any host that can open port 80 directly can forge the client address by sending its own PROXY line, so the instance's security group should accept port 80 only from the ELB. log_format belongs in the http block, with the server block nested inside it:

 http {
     log_format main '$proxy_protocol_addr - $remote_user [$time_local] "$request" '
                     '$status $body_bytes_sent "$http_referer" '
                     '"$http_user_agent" "$http_x_forwarded_for"';
     access_log /var/log/nginx/access.log main;

     server {
         listen 80 proxy_protocol;
         listen [::]:80 proxy_protocol;
         set_real_ip_from 10.0.0.0/16;     # only trust the PROXY header from the ELB subnet
         real_ip_header proxy_protocol;    # makes $remote_addr the real client as well
         server_name _;
         root /usr/share/nginx/html;
     }
 }

After that, a tail of the log shows the requester's public IP in the first field instead of the ELB's private IP (10.0.2.65 here). For comparison, the two lines below were captured before nginx was reconfigured. The first logs the balancer's private address as the client. The second shows what happens once the ELB policy is applied but nginx does not yet expect the header: nginx reads the PROXY line as the HTTP request line and answers 400; the real client address (123.125.71.56) is visible only inside that rejected request.

 10.0.2.65 - - [10/Jul/2017:10:09:47 -0400] "GET /favicon.ico HTTP/1.1" 404 3650 "http://ophy-pipp-elasticl-1kuz4is2ygyy0-559468751.us-east-1.elb.amazonaws.com/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36" "-"
10.0.2.65 - - [10/Jul/2017:10:29:21 -0400] "PROXY TCP4 123.125.71.56 10.0.2.65 15682 80" 400 173 "-" "-" "-"
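To make the mechanism concrete, here is a small parser for the Proxy Protocol v1 header that the ELB prepends, together with the trust check that corresponds to set_real_ip_from. This is an added example written for these notes, not code from AWS or nginx. The sample connection is constructed from the rejected PROXY line in the second log entry above, and the trusted range 10.0.0.0/16 is an assumption matching the nginx configuration.

```python
"""Parse the Proxy Protocol v1 header a Classic ELB prepends to backend TCP
connections when ProxyProtocolPolicyType is enabled.

Added example for these notes, not AWS or nginx code. SAMPLE_CONNECTION is
constructed from the PROXY line seen in the nginx log above; TRUSTED_PROXIES
is an assumption that mirrors the set_real_ip_from 10.0.0.0/16 directive.
"""
import ipaddress
import re

# v1 grammar: "PROXY" SP ("TCP4"|"TCP6") SP src SP dst SP sport SP dport CRLF
_PROXY_RE = re.compile(
    rb"^PROXY (TCP4|TCP6) ([0-9A-Fa-f.:]+) ([0-9A-Fa-f.:]+) (\d{1,5}) (\d{1,5})\r\n"
)
MAX_V1_HEADER = 107  # longest legal v1 header including CRLF (spec limit)

# Assumption: the ELB lives in 10.0.0.0/16, as in the nginx config above.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/16")]

# Constructed from the second log line above: the PROXY line followed by the
# HTTP request the client actually sent.
SAMPLE_CONNECTION = (
    b"PROXY TCP4 123.125.71.56 10.0.2.65 15682 80\r\n"
    b"GET /favicon.ico HTTP/1.1\r\nHost: example\r\n\r\n"
)


class ProxyHeaderError(ValueError):
    """Raised when the first bytes of the connection are not a valid v1 header."""


def parse_proxy_v1(data: bytes):
    """Return (src_ip, src_port, dst_ip, dst_port, rest).

    src_ip is None for a PROXY UNKNOWN header, which means the sender could
    not determine the client address and nothing in it should be trusted.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ProxyHeaderError("no CRLF within the 107-byte v1 limit")
    line = data[: end + 2]
    rest = data[end + 2 :]
    if line.startswith(b"PROXY UNKNOWN"):
        return None, None, None, None, rest
    m = _PROXY_RE.match(line)
    if m is None:
        # The nginx 400 case above seen from the other side: bytes that are
        # not a PROXY header where one is required.
        raise ProxyHeaderError(f"malformed header: {line!r}")
    proto, src, dst, sport, dport = m.groups()
    want = 4 if proto == b"TCP4" else 6
    try:
        src_ip = ipaddress.ip_address(src.decode("ascii"))
        dst_ip = ipaddress.ip_address(dst.decode("ascii"))
    except ValueError as exc:
        raise ProxyHeaderError(f"bad address: {exc}") from exc
    if src_ip.version != want or dst_ip.version != want:
        raise ProxyHeaderError("address family does not match TCP4/TCP6")
    sport, dport = int(sport), int(dport)
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ProxyHeaderError("port out of range")
    return str(src_ip), sport, str(dst_ip), dport, rest


def is_proxy_header(data: bytes) -> bool:
    """True when the connection starts with a well-formed v1 header."""
    try:
        parse_proxy_v1(data)
        return True
    except ProxyHeaderError:
        return False


def client_ip(peer_ip: str, data: bytes) -> str:
    """Mirror nginx's real_ip logic: honour the PROXY header only when the TCP
    peer is a trusted load balancer. Anyone who can reach port 80 directly
    could otherwise forge the client address by sending their own PROXY line.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return peer_ip
    src_ip, _, _, _, _ = parse_proxy_v1(data)
    return src_ip if src_ip is not None else peer_ip


if __name__ == "__main__":
    print(parse_proxy_v1(SAMPLE_CONNECTION))
    print("client seen through ELB:", client_ip("10.0.2.65", SAMPLE_CONNECTION))
    print("client connecting directly:", client_ip("203.0.113.9", SAMPLE_CONNECTION))
```

Running it shows the two cases that matter: a connection arriving from the ELB's address yields the real client 123.125.71.56, while the same bytes arriving from an untrusted peer yield the peer itself, so a forged PROXY line buys an attacker nothing. A plain HTTP request line in place of the header is rejected, which is the mirror image of the 400 nginx logged above.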

2. Enterprise Account Management

Budgets

  • Budgets are used to track how close your current costs are to exceeding the set “budget” for a given billing period.
  • Budgets are updated every 24 hours
  • Budgets do not show refunds
  • Budgets can work with SNS/CloudWatch for billing alerts to receive notifications

Temporary Access Using Roles and STS (Security Token Service)

  • The global endpoint is https://sts.amazonaws.com (regional STS endpoints also exist)
  • Temporary credentials require the session token as well as the access key ID and secret access key in order to make API calls
  • On an EC2 instance with an instance profile you can view the temporary credentials from the instance metadata service with the following command:
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name
  • Caveat: anything that can issue an HTTP request from the instance can read these credentials, including an application with a server-side request forgery (SSRF) bug, so keep the role's permissions minimal and, where available, require the token-protected (IMDSv2) form of the metadata service

Federated Access Using SAML

still not so clear

  • If your identity provider does not support SAML 2.0, you need to write a custom identity broker application that authenticates users and calls STS on their behalf

Web Identity Federation

  • Lets users sign in using a third-party identity provider such as Login with Amazon, Facebook, Google or any OpenID Connect compatible provider
  • The authenticated user can then call STS (AssumeRoleWithWebIdentity) to obtain temporary credentials for a role

CloudTrail

  • Trails are configured per region; a trail can additionally be configured to include events from global services (IAM, STS, CloudFront), which should be done in only one region to avoid duplicate entries
  • CloudTrail log files from different regions can be delivered to the same S3 bucket
  • CloudTrail integrates with SNS, CloudWatch and CloudWatch Logs to send notifications when specific API events occur
  • Limit and control access to CloudTrail itself and to the delivered log files (bucket policy, log file validation): an attacker who can stop the trail or delete its files erases the audit record
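As an added example of the kind of detection the SNS/CloudWatch integration would drive (written for these notes, not AWS code), the following scans a constructed CloudTrail log file for two things worth paging on: API calls that tamper with the trail itself, and console logins by the root user or without MFA. The field names follow the CloudTrail record format; the trail name, account ID, user names, addresses and timestamps are made up.

```python
"""Scan CloudTrail records for API events a security team typically alerts
on: tampering with the trail itself and risky console logins.

Added example for these notes, not AWS code. SAMPLE_LOG is a constructed
CloudTrail-style log file ({"Records": [...]}); field names match the
CloudTrail record format, all identities and addresses are made up.
"""
import json

# Calls that blind the audit trail; from anything but a break-glass principal
# these deserve an immediate notification.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventVersion": "1.05", "eventTime": "2017-07-10T14:09:47Z",
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"name": "management-trail"},
        "eventID": "e1",
    },
    {
        "eventVersion": "1.05", "eventTime": "2017-07-10T14:12:03Z",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "Root"},
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
        "eventID": "e2",
    },
    {
        "eventVersion": "1.05", "eventTime": "2017-07-10T14:15:30Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
        "awsRegion": "us-east-1", "sourceIPAddress": "10.0.2.65",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/web/i-0abc"},
        "requestParameters": None,
        "eventID": "e3",
    },
    {
        "eventVersion": "1.05", "eventTime": "2017-07-10T14:20:11Z",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "additionalEventData": {"MFAUsed": "Yes"},
        "responseElements": {"ConsoleLogin": "Success"},
        "eventID": "e4",
    },
]})


def findings_for(record: dict) -> list:
    """Return the alert names triggered by one CloudTrail record (empty if none)."""
    hits = []
    name = record.get("eventName")
    identity = record.get("userIdentity") or {}
    if record.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
        # requestParameters is null for some events, so guard the lookup
        trail = (record.get("requestParameters") or {}).get("name", "?")
        hits.append(f"trail-tampering:{name}:{trail}")
    if name == "ConsoleLogin":
        if identity.get("type") == "Root":
            hits.append("root-console-login")
        if (record.get("additionalEventData") or {}).get("MFAUsed") == "No":
            hits.append("console-login-without-mfa")
    return hits


def scan(log_text: str) -> dict:
    """Map eventID -> findings for every record that triggers at least one alert."""
    alerts = {}
    for record in json.loads(log_text)["Records"]:
        hits = findings_for(record)
        if hits:
            alerts[record["eventID"]] = hits
    return alerts


if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_LOG).items():
        print(event_id, hits)
```

In production the same findings_for logic would sit behind the CloudWatch Logs subscription that the trail feeds, or be expressed as a CloudWatch metric filter; the point of the scan here is that the trail-tampering rule is what protects every other rule, which is why the bullet above insists on controlling access to CloudTrail itself.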

KMS

  • Customer Master Key (CMK): a logical key that represents the top of a customer's key hierarchy
  • If no other key is specified, the service's default AWS-managed CMK is used to encrypt the resource
  • A CMK cannot be exported and its key material never leaves KMS; only its policy, aliases, description and rotation setting can be changed after creation

If key rotation is enabled for a specific CMK:

  • KMS creates a new version of the backing key at each rotation; the CMK ID, ARN and aliases do not change
  • KMS automatically uses the latest version of the backing key for new encryption operations
  • To decrypt, KMS determines from the ciphertext which backing key version (old or new) the data was encrypted with and decrypts with that version, so rotation never makes old ciphertext unreadable and applications do not need to re-encrypt
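The following simulation, added here for these notes and not KMS code, makes the three rotation rules above observable: the key ID stays stable, each rotation adds a backing key version, new ciphertext carries and uses the latest version, and old ciphertext still decrypts because its version travels with it. The cipher is a deliberately simple HMAC-SHA256 counter-mode keystream with an HMAC tag, standing in for the AES-GCM that KMS actually uses so the example runs on the standard library; the key ID alias/notes-demo is made up.

```python
"""Simulate CMK rotation semantics: stable key ID, versioned backing keys,
new ciphertext under the latest version, old ciphertext still decryptable.

Added example for these notes, not KMS code. The cipher is a toy stand-in
(HMAC-SHA256 in counter mode plus an HMAC tag) for the AES-GCM KMS uses.
"""
import hashlib
import hmac
import os
import struct

VERSION_LEN, NONCE_LEN, TAG_LEN = 4, 16, 32


def _subkey(backing_key: bytes, purpose: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one backing key."""
    return hmac.new(backing_key, purpose, hashlib.sha256).digest()


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode with HMAC as the block function (toy stand-in for AES)."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def version_of(blob: bytes) -> int:
    """The backing key version recorded in the ciphertext header."""
    return struct.unpack(">I", blob[:VERSION_LEN])[0]


class SimulatedCMK:
    """One stable key ID in front of a list of backing key versions."""

    def __init__(self, key_id: str):
        self.key_id = key_id              # never changes, even after rotation
        self._backing = [os.urandom(32)]  # version 0 is created with the key

    @property
    def current_version(self) -> int:
        return len(self._backing) - 1

    def rotate(self) -> int:
        """Add a new backing key version and keep all old ones, as KMS does."""
        self._backing.append(os.urandom(32))
        return self.current_version

    def encrypt(self, plaintext: bytes) -> bytes:
        """Always encrypt under the latest backing key and record its version."""
        version = self.current_version
        key = self._backing[version]
        nonce = os.urandom(NONCE_LEN)
        header = struct.pack(">I", version) + nonce
        body = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
        tag = hmac.new(_subkey(key, b"mac"), header + body, hashlib.sha256).digest()
        return header + body + tag

    def decrypt(self, blob: bytes) -> bytes:
        """Pick the backing key from the version in the ciphertext, verify, decrypt."""
        if len(blob) < VERSION_LEN + NONCE_LEN + TAG_LEN:
            raise ValueError("ciphertext too short")
        version = version_of(blob)
        if version > self.current_version:
            raise ValueError(f"unknown backing key version {version}")
        key = self._backing[version]
        header = blob[: VERSION_LEN + NONCE_LEN]
        body, tag = blob[VERSION_LEN + NONCE_LEN : -TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(_subkey(key, b"mac"), header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed")
        return _keystream_xor(_subkey(key, b"enc"), header[VERSION_LEN:], body)


def rotation_demo(key_id: str = "alias/notes-demo") -> dict:
    """Encrypt, rotate, encrypt again, and report what changed and what did not."""
    cmk = SimulatedCMK(key_id)
    before = cmk.encrypt(b"secret")
    new_version = cmk.rotate()
    after = cmk.encrypt(b"secret")
    idx = VERSION_LEN + NONCE_LEN           # first body byte; flip a bit to tamper
    tampered = before[:idx] + bytes([before[idx] ^ 0x01]) + before[idx + 1 :]
    try:
        cmk.decrypt(tampered)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {
        "key_id_unchanged": cmk.key_id == key_id,
        "current_version": new_version,
        "versions": (version_of(before), version_of(after)),
        "old_still_decrypts": cmk.decrypt(before) == b"secret",
        "new_decrypts": cmk.decrypt(after) == b"secret",
        "tamper_rejected": tamper_rejected,
    }


if __name__ == "__main__":
    print(rotation_demo())
```

The practical consequence mirrored here is why rotation is cheap to enable: callers keep referring to the same key ID, and nothing stored under version 0 has to be touched when version 1 appears. Real KMS ciphertext likewise embeds the information needed to pick the backing key, which is why Decrypt does not even take a key ID parameter for symmetric CMKs.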

Features:

  • Quorum-based access: no single Amazon employee can gain access to a customer's master keys
  • Regional independence: keys never leave the region they were created in, so key usage is isolated within an AWS region

Kinesis

  • Retains stream records for 24 hours by default (the retention period can be extended)
  • Can ingest from as little as a few megabytes to several terabytes per hour

3. Amazon EC2 And Design Patterns

  • Not every Availability Zone offers every EBS-optimized instance type; check which ones do before migrating

Architecting For Performance: Burstable CPU Credits:

Burstable instances suit workloads that do not use the full CPU most of the time but occasionally need to burst.

  • T2 instance types have "burstable" CPU performance
  • Each instance has a baseline performance level but can burst above it for as long as it has credits
  • One CPU credit equals one vCPU running at 100% utilisation for one minute
  • Equivalently, one credit is one vCPU at 50% utilisation for two minutes, and so on
  • Credits are earned continuously at a fixed hourly rate that corresponds to the baseline; the balance grows while the instance uses less than its baseline and is drained while it bursts above it. When the balance reaches zero the instance is throttled back to its baseline.

Architecting For Performance: Storage

  • General Purpose (SSD): not disk intensive; 1 GiB to 16 TiB, 160 MiB/s, baseline of 3 IOPS/GiB with burst "credits"
  • Provisioned IOPS (SSD): production and database workloads; 4 GiB to 16 TiB, 320 MiB/s, up to 20,000 IOPS per volume
  • Magnetic: infrequent access; 1 GiB to 1 TiB, 40 to 90 MiB/s, about 100 IOPS, burstable to hundreds of IOPS

Increasing Performance With RAID Configurations

With RAID 0 you get the sum of whatever throughput you provision on the attached EBS volumes: striping two 20,000 IOPS volumes together in RAID 0 yields about 40,000 IOPS. RAID 0 adds no redundancy, so losing one volume loses the whole array and durability must come from snapshots or replication.

Problem: after 8 to 10 EBS volumes striped together the bottleneck becomes the instance's EBS bandwidth. How can you get more throughput?
Solution: use instance-store backed instances and stripe the attached ephemeral devices, which gives several hundred thousand IOPS depending on instance size.

Because instance store does not survive a stop or a hardware failure, keep the data by replicating it asynchronously with DRBD to a second instance in another AZ.

HPC On AWS

Placement groups
  • A placement group is a logical grouping of instances within a single Availability Zone. Instances in a placement group get low-latency, 10 Gbps networking between them.
  • An already running instance cannot be added to a placement group
  • Use the same instance type to help ensure the instances are located as close together as possible; AWS groups physical hardware by instance type.
  • If you receive a capacity error when launching an instance in a placement group, stop and restart the instances in the placement group, and then try the launch again.
  • Auto Scaling can launch instances into placement groups based on CloudWatch metrics
SR-IOV (Enhanced Networking)
  • Single Root I/O Virtualization gives instances enhanced networking, which results in higher packets per second, lower latency and reduced jitter (jitter = variation in packet delay)
  • Supported instance types at the time of writing: C3, C4, D2, I2, M4, R3 (note that GPU instances are not listed)
  • Requires HVM virtualization. Amazon Linux has it enabled by default; on other distributions the ixgbevf kernel module (the Intel 82599 virtual function driver) must be installed to enable it

DDoS Mitigation Strategies

CloudFront:
  • CloudFront has built-in abilities to absorb and deter DDoS attacks while still serving traffic to legitimate users. This is part of the CloudFront service and requires no additional configuration.
  • CloudFront scales to handle any increase in traffic, which helps absorb attacks
  • CloudFront filters at the edge so that only valid TCP connections and well-formed HTTP requests pass through the edge locations to the origin
  • This addresses UDP and SYN flood attacks, which never reach the origin

Networking monitoring

  • Promiscuous mode is not possible: the hypervisor will not deliver to an instance any traffic that is not specifically addressed to it, so an instance cannot sniff a neighbour's traffic
  • Place an IDS inside your VPC and have your EC2 instances send copies of their traffic to it, for monitoring only
  • Alternatively, run IDS software directly on the EC2 instances that serve your "front end" application
  • The first 4 and the last 1 IP addresses of every subnet are reserved by AWS for networking purposes and are not available to instances

Direct Connect

  • Over a private virtual interface Direct Connect reaches only the private IP addresses inside your VPC
  • It cannot reach public IP addresses on the internet; Direct Connect is NOT an internet provider
  • Create multiple private VIFs (virtual interfaces) to connect to multiple VPCs at a time

Public virtual interfaces: use the Direct Connect link to reach the public AWS endpoints of any AWS service, such as DynamoDB or Amazon S3

  • Requires a public CIDR block range: the prefixes you advertise over BGP must be publicly routable
  • Traffic is still consistent because it travels over your dedicated link to the Direct Connect partner's connection to AWS rather than over the public internet

An AWS Direct Connect location provides access to the AWS region it is associated with. It does not provide access to other AWS regions.
What if you are building a multi-region design and need a more reliable network connection?

  • Create a public virtual interface to the remote region's public endpoints and run a VPN over that public virtual interface to protect the data

Amazon ElastiCache

Caching strategies:
  • Lazy loading: check the cache first; on a miss read from the database and write the result into the cache
  • Write-through: on every write the application writes twice, to the database and to the cache
  • A TTL can be added to both lazy loading and write-through to bound how long stale data can be served and to reclaim cache memory
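The stale-read problem that the TTL bullet bounds, shown as an added example written for these notes (not ElastiCache, Memcached or Redis code): FakeDB and Cache stand in for the database and the cache node, and the clock is injected so TTL expiry can be stepped deterministically.

```python
"""Lazy loading versus write-through against a simulated database, with a
TTL bounding how long a stale entry can live.

Added example for these notes, not ElastiCache code. FakeDB and Cache are
stand-ins for the database and the cache node; Clock replaces wall time.
"""


class Clock:
    """Manually advanced clock so TTL expiry is deterministic."""

    def __init__(self, now: float = 0.0):
        self.now = now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class FakeDB:
    """In-memory stand-in for the database; counts reads so cache hits are visible."""

    def __init__(self, rows: dict):
        self.rows = dict(rows)
        self.reads = 0

    def read(self, key):
        self.reads += 1
        return self.rows.get(key)

    def write(self, key, value) -> None:
        self.rows[key] = value


class Cache:
    """Minimal TTL cache with the get/set semantics of a Memcached or Redis node."""

    def __init__(self, clock: Clock):
        self.clock = clock
        self._items = {}  # key -> (value, expires_at or None)

    def get(self, key):
        item = self._items.get(key)
        if item is None:
            return None
        value, expires_at = item
        if expires_at is not None and self.clock.now >= expires_at:
            del self._items[key]  # expired: behave like a miss
            return None
        return value

    def set(self, key, value, ttl: float = None) -> None:
        expires_at = None if ttl is None else self.clock.now + ttl
        self._items[key] = (value, expires_at)


def lazy_load_read(key, cache: Cache, db: FakeDB, ttl: float = None):
    """Lazy loading: serve from cache; on a miss read the DB and populate the cache."""
    value = cache.get(key)
    if value is None:
        value = db.read(key)
        if value is not None:
            cache.set(key, value, ttl)
    return value


def write_through(key, value, cache: Cache, db: FakeDB, ttl: float = None) -> None:
    """Write-through: every write goes to the DB and the cache, so reads never go stale."""
    db.write(key, value)
    cache.set(key, value, ttl)


def stale_read_demo(ttl: float = 60.0) -> dict:
    """Show the failure mode the TTL bounds: a write that bypasses the cache."""
    clock = Clock(1000.0)
    db = FakeDB({"user:42": "v1"})
    cache = Cache(clock)
    first = lazy_load_read("user:42", cache, db, ttl)   # miss -> DB read
    second = lazy_load_read("user:42", cache, db, ttl)  # hit, no DB read
    db.write("user:42", "v2")                            # write that skips the cache
    stale = lazy_load_read("user:42", cache, db, ttl)   # still v1 from the cache
    clock.advance(ttl)                                   # TTL elapses
    fresh = lazy_load_read("user:42", cache, db, ttl)   # expired -> DB read returns v2
    write_through("user:42", "v3", cache, db, ttl)      # write-through keeps both in sync
    synced = lazy_load_read("user:42", cache, db, ttl)  # hit, already v3
    return {"first": first, "second": second, "stale": stale,
            "fresh": fresh, "synced": synced, "db_reads": db.reads}


if __name__ == "__main__":
    print(stale_read_demo())
```

Under pure lazy loading the stale value v1 survives until the TTL expires, and with no TTL it would survive until evicted; write-through avoids that window at the cost of a cache write on every database write. The database read counter shows the other side of the trade: two reads served all seven operations.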
Memcached
  • Does not have backup abilities
  • Scales by adding more nodes to the cluster
  • Every node in the cluster is the same instance type
  • Memcached supports auto discovery: client programs automatically identify all nodes in a cache cluster
  • Improve fault tolerance by locating nodes in multiple Availability Zones
  • Memcached is a good solution for storing session state in applications: it makes the web servers stateless, which lets them scale easily
Redis

Used for:

  • small data sets that can be stored in memory
  • frequently changing data
  • persistence
  • automatic failover

Scaling:

  • to scale writes you must scale up the node type, since there is a single primary that takes writes
  • supports clusters of read replicas to scale reads
  • to grow the node size, take a snapshot and create a new cluster from it, or add a node and seed it from the original

Redis supports backups with snapshots (Memcached does not), but a snapshot cannot be copied to another region.

RedShift

Intro:

  • Fully managed, petabyte-scale data warehouse
  • Runs in a single AZ
  • Continuous backup to S3; if a node fails, Redshift automatically replaces it and restores its data

How it works:

  • Redshift distributes the query from the “leader” node in parallel across all the cluster’s compute nodes.
  • The compute nodes work together to execute the queries and return the data back to the leader node which then organizes the results and sends it back to the client requesting the data from the cluster.

Scaling:

  • change the node type (this also changes the storage available)
  • when you add a node the system redistributes the data across all nodes

Change the node type:

  • all connections are terminated, the cluster is restarted in read-only mode, and any uncompleted transactions are rolled back
  • a new cluster is started using the original one as its source
  • the endpoint is switched over to the new cluster once the copy completes

Cost:

  • storage is included in the node price
  • spot instances are not available
  • reserved nodes are available

Backup:

  • you can take manual and automatic snapshots for backup
  • snapshots can be copied to another region
  • a snapshot also contains some of the Redshift cluster configuration

CloudFront

Key concepts:

  • it can serve dynamic content; configure the cache so that dynamic content is not cached (or expires quickly) when it changes
  • it can be used to stream media
  • it caches an object until the TTL expires (or if the TTL is set to 0) or until the object is invalidated

Unless otherwise stated, the content of this page is licensed under the Creative Commons Attribution-ShareAlike 3.0 License