Amazon Certification Devops Professional

0. Deployment Method

Deployment Method description Failed Impact Deploy time DNS change required
All at once all instances at the same time Downtime, Rollback requires a re-deploy faster than other NO
Rolling specific number at the same time No downtime - only the updated batch of instances is affected (we don't add in the ELB), Rollback the affected instances more than All at once NO
Blue/Green Deploy 2 identical stacks at the same time in separate envs no downtime more time more cost YES usually but not always
Immutable environments is an alternative to a rolling deployment where we deploy a new environment instead of using existing resources no downtime, Rollback by terminating the environment more time more cost NO

In-place vs. Disposable

  • In-place: change the current instances
  • Disposable: create new instances and after terminate existing one

1. Deployment With EC2 and Auto Scaling

1.1 Autoscaling Termination Policy

1.1.1 Default Termination Policy

When there is an event to scale In and you need to terminate some instance if you have the default termination policy
In this order

  • If there are instances in multiple AZ the policy the default select the AZ with more instances.
  • If even select the instances with the oldest launch configuration
  • If even select the instances closest to the next billing hour
  • If even select random

1.1.2 Other Termination Policy

  • OldestInstance (useful if you change to a difference instance type)
  • NewestInstance (useful when test a new kind of instance)
  • OlderstLaunchConfiguration (useful when you want replace older launch configuration)
  • ClosesToNextInstanceHour (useful to reduce the cost)

1.1.3 Other tips

  • you can protect instance from scale (doesn't work if they become unhealthy)
  • you can apply to the whole autoscale group OR individual instance

Autoscaling Lifecycle Hooks

  • create from webconsole an autoscaling group called autocling-group-myname and associate with a balancer
  • create the autoscaling hook with this command
aws autoscaling put-lifecycle-hook --lifecycle-hook-name example_hook --auto-scaling-group autocling-group-myname --lifecyclo-transition autoscaling_EC2-INSTANCE_LANCHING

This stop the launching of the instance until a signal will arrive so the instance is launched but it is not added to the ELB remain in the Peinding-Wait state

  • to check if there are hook attached to an autoscaling group you can run
aws autosacling describe-lifecycle-hooks --auto-scaling-group-name autoscaling-group-myname
  • to complete the lifecycle , this should be the latest command of the user data in an autoscaling group
aws autoscaling complete-lifecycle-action --lifecycle-action-result CONTINUE --instance-id i-aaa11133ffgggg --life-cycle-hook-name example_hook --auto-scaling-group-name autoscaling-group-myname

after this command the instance state will become InService and the instance is added to the ELB

It is possible use the same with the terminate instances.

EC2 Backup Strategies

Annual Failure Rate between 0.1% and 0.2% with 3000 ebs volumes running for 1 year we can expect 3 or 6 volumes to have failure

To have consinstency using the volume stapshot system we can:

  • put the system in a freeze state îf you can
  • unmount the volume, run the snapshot and mount the volume, the snapshot will complete after the volume is mounted but with the state when was unmount.
  • use lvm and the option lvm snapshot, create an lvm snapshot before the ebs snapshot and remove the lvm snapshot after the volume snapshot.

Elastic Load Balancer Logs

ELB logs are off by default you can enable and tell to move in a bucket every 5 minutes or 60 minutes
These logs are deployed at best effort so you can't count on every single line, but you can idendify patterns

ELB Security

  • Using the listener http/s you can define x-forwarded-for-header and enable sticky sessions
  • with tcp you can't have sticky sessions but you can receive the client's ip
  • To have secure cominication between the balancer and the workers you need to setup a public key in the Balancer.
  • At the end of the Certificate page when you setup the ELB SSL level there is a Backend Certificate field where you can specify a public key. it is important don't include in this key spaces and the text BEGIN AND END CERTIFICATE LINE.
  • You can add also multiple certificates because the system can try multiple certificate to the client instance.

ELB Metrics

  • Metrics: number of request , sent every 60 second interval

2. Monitoring and Logging With CloudWatch


  • Amazon EMR (or splunk or other) can be use to process these logs , have graphs or find complex patter in the lost high response time ecc.
  • If you want to monitor API request you can use CloudTrail, record in json but from all our account.
  • The metrics can't be deleted but it will disappear after 14 days , we can have any kind of metrics also things outside aws.

3. Application Deployments With CloudFormation

  • stacks policies, you can define what is possible update and what isn't

wait condiction

  • Wait conditions can be used to pause the creation of a stack and wait for a signal (or multiple signals) before continuing to create the stack.
  • it is possible send a wait condiction from outside the template here is an example from user data
"UserData" : {
"Fn::Base64" : {
"Fn::Join" : [ "", ["SignalURL=", { "Ref" : "exampleWaitHandle" } ] ]

or an exmple from command line
cfn-signal --success|-s \
--reason|-r <resource.status.reason> \
--data|-d <data> \
--id|-i <> \
--exit-code|-e <exit.code> \
  • you can setup a timeout for the wait condiction
  • the wait condiction can be used to syncronize the resource creation in a template or to wait an external signal
  • dependson instead check only if the resource is created.

Helper script

  • cf-init read information from our environment , group user metadata . It can also install packages ecc.
  • cf-signal is used to signal back to cloudformation
  • cf-hup detects changes in metadata , everychange can needs some minutes to propagate. We can actions commands when a metadata change. Very usefull for updates.
  • cf-get-metadata read metadata and print to stdout

4. Application Deployments On Elastic Beanstalk

There is a good summary table on that describe all the deploy method

Docker and Elastic Beanstalk

2 solutions:

  • we can have single container solution where you have only one container per virtual machines or
  • multiple containers where you can have on the same ec2 multiple containers for example one for php and another for nginx

Files for single comainter:

  • (version1) specify the image to use and parameters for docker ports volumes logs
  • Dockerfile : there are tipcial commands for docker yum install ecc


  • (version2)
  • we can't deploy custom images we need to build before and specify, these will be linked in a secure way
  • .ebextensions directory you specify in there the configuration for the ELB

check if you have the command line for elastic beanstalk

eb --version

to inizialize
eb init

to create an environment
eb-create green-env

5. Application Deployments On OpsWorks

  • a machine can be associated to many layers
  • recipes are added to layers
  • Custom recipes can customize different layers in an application

Recipes are run at certain pre-defined events within a stack

  1. Setup – occurs on a new instance after first boot
  2. Configure – occurs on all stack instances when they enter or leave the online state
  3. Deploy – occurs when we deploy an app
  4. Undeploy – happens when we delete an app from a set of application instances
  5. Shutdown – happens when we shut down an instance (but before it is actually stopped)

Deployment methods

opsworks store the 4 previous deployments , we can easely rollbak to 4 version before.

  • Update by phases , eache phase is a group of instance. It is convenient use connection draining to be sure the connection is closed before we deregister the instance from the load balancer
  • opsworks support the blue/green deployments, using multiple stacks for production and test. Blue is the production stack and green is the staging stack

Some things to keep in mind when you do a blue/green deployment:

  • We will have two ELB and will we switch the dns that point to the ELB, it is necessary prewarm the ELB
  • It is convenient use the weighted routing policies to gradually increase the load on the new system.
  • We can create the opsworks stacks with CloudFormation and use it also for resource outside opsworks.
  • with pre-baked ami is possible save time

managing databses, some to keep in mind:

  • every transaction is recorded during the transition
  • the transition doesn't impact performance during the upgrade

To do this we can dono in two ways:

  • both the applications access to the same database, problem of changes of schema
  • provice each db to a different db , but we need to syncronize data

An RDS can be registered to only one stack at the time and a stack can have different db registered

6. Using DynamoDB with Applications

DynamoDB Essentials

The primary id need to be an unique id unless there is also a sort key in this case
Partition key togehter with Sort Key form an unique key,
if we have both we can have the same partition key but not also the same Sort Key

You can search for another attribute that is not a key/index
It is not sql db so we can't perfomr join operation

Local and Secondary indexes

Global Secondary indexes (different particion key and different sort key)
Local Secondary indexes (still use the same particion key but use another particion to order)

You can create not more than 5 indexes per table

Minimize query and attribute that are non in the indexes

You can't create a Local Secondary indexes after that the table is created but only a Global

A projected Attribute is a set of a table that is copied in the secondary index, it give a performance advanced but at one cost so we need to set only if we think to use.

You never write an index it is build automatically

Provisioned Capacity

  • 1 unit in read means 1 or 2 reads capacity per second per element of 4 KB
  • 1 unit in write is 1 write per element of 1 KB
read capacity

If we have item of 3 KB we need to have always 1 unit and waste 1KB of read everytime because it is not possible group item.
Item of 3 KB and we need to read 80 elements per second:

  • first question strongly consistent read or eventually consistent read

(item size rounded to the next 4) / (4KB) * number of items

item size items per second # strongly read # consistent read
3 KB (round to 4) 80 80 40
10KB (round to 12) 80 240 120
write capacity

(item size rounded to the next 1) / (1KB) * number of items

item size items per second # write capacity
1,5 KB (round to 2) 10 20
Local Secondary Index

The size is to consider of the indexes not on the table for this reason is important choose well the index and have it short as possible.

  • If you add an item on the table you have the cost to write the item on the table , this cost 1 write
  • If you update an item on the index you need 2 writes, 1 to delete the index the other to put the new value
  • If you only delete is 1 write
Global Secondary index

??????? Lessons to review ????????

7. Amazon S3

Object Lifecycle Management

  • Standard_IA is cheaper than Standard s3 but it is for objects that you don't need to access very often, if you access often the cost will pass the Standard one. We will keep the 99.999999999% but over an year will be 99.9%
  • Object must stored at least 30 days in the current storage class before they can transiction to Standard_IA.
  • You cannot transition from Standard_IA to Standard or Reduced Redundancy
  • You cannot transition from Glaciet to any other storage class
  • You cannot transition from any storage class to Reduced Redundancy

8. Security Concepts

IAM credentials and roles

  • With the role in the EC2 machines, the credentials are rotated automatic from AWS many times at day, you can request the credentials using a curl.

Very Important to remember

Elastic Beanstalk:

  • to update the db you can use the container command and the "leader only" flag set to true
  • for a multidocker environment you need the file for the configuration
  • 1 application has many environment, 1 enviroment many deployments


  • to decrease the cost of the solution do a syntaxt check and build test on the CI and launch in a EC2 machine


  • if the system grow and you need to split in multiple department it is convenient use a nested structure and split in multiple templates
  • when you need to do an update consider to use the "update policies"
  • if you want that the creation of the stack waits until the software installed in the EC2 machine is completed you can use the "CreationPolicy"
  • if you want keep the RDS during an update you need to set the AWS::RDS::DBInstance to have the Deletion Policy property to retain. You have two choices
"myS3Bucket" : {
  "Type" : "AWS::S3::Bucket",
  "DeletionPolicy" : "Retain"

"MyDB" : {
  "Type" : "AWS::RDS::DBInstance",
  "Properties" : {
  "DeletionPolicy" : "Snapshot"

snapshot is supported only from AWS::EC2::Volume, AWS::RDS::DBInstance, and AWS::Redshift::Cluster
  • if the resource that you need it is not supported from Cloudformation you can create a custom resource type using a custom resource template
  • the function Fn::Parse doesn't exist


  • with the CloudWatch custom metrics you can find many information also understand the data transfer increase cost
  • to report information in real time use Kinesis
  • when you want notify to an on call engineer, you need to use SNS and not SES
  • to have a centralized log and analyze you can use Elasticsearch with kibana 4


  • the least cost effettive way to reduce the problem is increase the min number of instance
  • AutoScalingRollingUpdate is to replace without downtime
  • if you suspend the AddToLoadBalancer process for debug you need to add manually the instance to the ELB when you re-enable
  • if the instance was added to the autoscale will go in terminating state and in terminated, if instead was not added to the autoscale so it will not be terminated after the in service will go to detaching and after in datached. In this case can be attached again in the future.
Salvo diversa indicazione, il contenuto di questa pagina è sotto licenza Creative Commons Attribution-ShareAlike 3.0 License