Exam readiness – Free elearning link below:
Domain 1: Design for Organizational Complexity 12.5%
Domain 2: Design for New Solutions 31%
Domain 3: Migration Planning 15%
Domain 4: Cost Control 12.5%
Domain 5: Continuous Improvement for Existing Solutions 29%
Domain 1: Design for Organizational Complexity
- Cross-account authentication and access strategies
- Multi-account AWS environments
We can set up one of the below 3 Directory types:
- AWS Managed Microsoft AD: With AWS Managed Microsoft AD, you can easily enable your Active Directory-aware workloads and AWS resources to use managed actual Microsoft Active Directory in the AWS Cloud. Workload examples include Amazon EC2, Amazon RDS for SQL Server, custom .NET applications, and AWS Enterprise IT applications such as Amazon WorkSpaces.
- AD Connector: AD Connector is a proxy for redirecting directory requests to your existing Microsoft Active Directory without caching any information in the cloud. AD Connector comes in two sizes, small and large. A small AD Connector is designed for small organizations and is intended to handle a low number of operations per second. A large AD Connector is designed for large organizations and is intended to handle a moderate to high number of operations per second.
- Amazon Cognito User Pools: With user pools, you can add user registration and sign-in features to your apps. Users can sign in with an email address, phone number, or user name rather than use an external identity provider like Facebook or Google. You can also create custom registration fields and store that metadata in your user directory. You can verify email addresses and phone numbers, recover passwords, and enable multi-factor authentication (MFA) with just a few lines of code.
- Set up and manage SSO across all your AWS accounts in your AWS organization, business applications, and custom SAML 2.0–based applications.
- Assign SSO access to users and groups in your corporate Microsoft Active Directory.
- Use a personalized end-user portal to give users easy access to AWS accounts and business applications you’ve authorized.
- NACL – Not session aware. 1 subnet can have only 1 NACL,
- Security group – Session aware, allow only (implicit deny), 1 EC2 instance can have upto 5 security groups.
- VPC Endpoint – To connect VPC to other non VPC AWS Services like S3 without going via internet. It has 2 types.
- Gateway endpoint – For S3 and Dynamodb.
- One Service per endpoint, one policy per endpoint, one route per service, multiple endpoints per VPC.
- Cannot be extended via VPC peering or site to site VPN or Direct Connect.
- Interface endpoint – An AWS private link interface for all other services.
- Can be extended via Site to Site VPN and Direct Connect.
- Gateway endpoint – For S3 and Dynamodb.
- Internet Gateway
- Egress only internet gateway
- NAT Gateway
- Elastic Network Interfaces (ENI) –
- VPC Flow logs: VPC Flow Logs allow customers to collect, store, and analyze network flow logs. The Flow Logs capture information about the following:
- Allowed and denied traffic
- Source and destination IP addresses
- Protocol number
- Packet and byte counts
- Action taken (accept or reject)
You can use VPC Flow Logs to troubleshoot connectivity and security issues, and to make sure that the network access rules are working as expected.
- Traffic mirroring:
Traffic Mirroring provides deeper insight into the network traffic by allowing you to analyze actual traffic content, including payload. Traffic Mirroring is targeted for the following types of cases.
- Analyzing the actual packets to perform a root-cause analysis on a performance issue
- Reverse-engineering a sophisticated network attack
- Detecting and stopping insider abuse or compromised workloads
Hybrid and VPC Peering:
VPC Peering: Traffic doesn’t flow through internet. Can connect VPCs between 2 different regions. The VPCs should not have overlapping CIDR blocks.
Site to Site VPN: Can be created either via VGW or Transit Gateway. Traffic flows through internet
1. Virtual Private Gateway (VGW) (Or EC2 Instances with VPN)
2. Transit Gateway.
With AWS Transit Gateway, you can simplify the connectivity between multiple VPCs and also connect to any VPC attached to AWS Transit Gateway with a single VPN connection. AWS Transit Gateway also enables you to scale the IPsec VPN throughput with equal cost multi-path (ECMP) routing support over multiple VPN tunnels. A single VPN tunnel still has a maximum throughput of 1.25 Gbps
Traffic doesn’t flow through internet. It flows through a private network.
Direct Connect Gateway:
Hybrid – AWS Storage Gateway
DHCP and DNS
Domain 2: Design for New Solutions:
- Implementation strategies for reliability requirements
- Ensuring business continuity
- Meeting performance objective
- Security requirements and controls
- Deployment strategies for business requirements
Some Key Architectures:
Redis and Memchaced:
Launch Configuration vs Launch Template in ASG: