-
Notifications
You must be signed in to change notification settings - Fork 61
/
AWS Notes 03 - Compute.txt
553 lines (475 loc) · 35.3 KB
/
AWS Notes 03 - Compute.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
===============================================
===============================================
=
= AWS
= Certified Solutions Architect - Professional
= SAP-C01 Exam Study Notes
=
= *** Note 03: Compute ***
=
= Created:
= By: Hicham El Alaoui
= Email: [email protected]
= Date: Mar-2021
=
= Source: https://github.com/helalaoui/AWS-Solutions-Architect-Certification
=
===============================================
===============================================
EC2:
EC2 Instance Types:
- General Purpose: M4 to M6 (fixed perf), T2 to T4 (burstable perf).
- Compute Optimized: C4 to C6.
- Memory Optimized: R4 to R6, X1, Z1.
- Storage Optimized: D2 to D3, i3.
- Accelerated: P2 to P4, G3 to G4.
EC2 Nitro Systems:
- The Nitro System is a collection of AWS-built hardware and software components that enable high performance, high availability, and high security.
- Based on Nitro hypervisor - A lightweight hypervisor that manages memory and CPU allocation and delivers performance that is indistinguishable from bare metal.
- Nitro security chip, integrated into the motherboard.
- The Nitro Cards are a family of cards that offloads and accelerates IO for functions: Nitro Card for VPC, Nitro Card for EBS, Nitro Card for Instance Storage, Nitro Card Controller, and Nitro Security Chip.
Instance Lifecycle:
- Launch:
- Creation of an instance from an AMI.
- Status goes to Pending and then Running.
- Stop:
- The instance is stopped.
- Status goes to Stopping and then Stopped.
- EBS-backed instances only.
- Start:
- Status goes from Stopped to Pending to Running.
- Each time you transition an instance from stopped to running, we charge a full instance hour, even if these transitions happen multiple times within a single hour.
- Reboot:
- Equivalent to an operating system reboot.
- The instance keeps its public DNS name (IPv4), private IPv4 address, IPv6 address (if applicable), and any data on its instance store volumes.
- Hibernate:
- Signal the operating system to perform hibernation (suspend-to-disk).
- EBS-backed instances only.
- Terminate:
- Status goes to Shutting-down and then to Terminated.
- Each Amazon EBS volume supports the DeleteOnTermination attribute, which controls whether the volume is deleted or preserved when you terminate the instance it is attached to.
- The default is to delete the root device volume and preserve any other EBS volumes.
- You can set a Termination Protection option: prevents a manual termination but does not prevent a termination by Auto Scale in case of a scale-in or in case of a failed health check.
EC2 Storage:
- Boot volume (disk) can be based on either the Instance Store or EBS.
- Instance Store volume:
- volume on the local disk of the host server.
- Lower latency
- No data consistency after the VM is terminated (but is consistent on reboot).
- Not resizeable.
- AWS does not encrypt these volumes. You need to use OS-level or Filesystem-level encryption.
- No data redundancy.
- EBS volume:
- Volume mapped to an EBS volume.
- Consistent even when the EC2 instance is stopped/terminated.
- You can change size and type.
- For both root and data volumes on EBS, to attach the volumes to an instance, these need to be in the same AZ as the instance.
- Volumes can be encrypted by EBS.
- Data is written to multiple copies in the same AZ.
EC2 AMIs:
- Amazon Machine Image.
- Contains the image of the OS and all other software and configurations that you would like when launching new instances.
- Two types of AMIs: EBS-backed or instance-store-backed.
- EBS-backed AMI:
- Includes one or more EBS snapshots.
- Built from a snapshot of another EC2 instance after it has been customized.
- Boot time: usually less than 1mn.
- Max boot volume size: 16 TiB.
- You are charged for storing the Snapshot in EBS.
- The instance type, kernel, RAM disk, and user data can be changed while the instance is stopped.
- Instance-store-backed AMI:
- The root device is an instance store volume created from a template stored in Amazon S3.
- To build this kind of AMI, you start from an instance that you've launched from an existing instance store-backed Linux AMI. After you've customized the instance to suit your needs, bundle the volume and register a new AMI using AMI tools.
- Boot time: usually less than 5mn.
- Max boot volume size: 10 GiB.
- You are charged for storing the AMI in S3.
- Instance attributes are fixed for the life of an instance.
- AMIs include a block device mapping that specifies the volumes to attach to the instance when it's launched.
- AMI IDs are different between regions.
- You can launch instances from an AMI if the AMI owner grants you launch permissions.
- You can copy an AMI within the same AWS Region or to different AWS Regions.
- When you no longer require an AMI, you can deregister it.
- Deregistering the AMI frees up the EBS snapshot or S3 template that was used to create it. You can then delete the snapshot/template to stop incurring storage costs.
- You can use AMIs from:
- Amazon provided AMIs: free for Linux AMIs.
- Marketplace: additional fees paid to the provider.
- Community AMIs: free to use.
- You own AMIs.
EC2 Instance Billing Types:
- On-demand Instances.
- Savings Plans.
- Reserved Instance (RI).
- Spot instances.
- Dedicated Host.
- Dedicated Instance.
- Capacity Reservation.
On-Demand Instance:
- pay by the second.
- vCPU-based limits per account and per region.
- Instance usages are billed for any time your instances are in a "running" state.
Saving Plans:
- commitment to a consistent amount of usage, in USD per hour, for a term of 1 or 3 years.
Reserved Instance (RI):
- Is a billing benefit and not an instance type.
- When AWS finds an on-demand instance matching your reservation attributes, it applies the reservation rates to this running instance.
- Payment can be upfront or monthly payment or a mix. The more you pay upfront for your reservation, the greater is your discount.
- Standard RI:
- A 1- or 3-yr commitment for a consistent instance configuration, including instance type and Region.
- Can be sold in the « Reserved Instance Marketplace ».
- Convertible RI:
- Like Standard RI but you can exchange the reservation for an equal or higher reservation.
- Reservation change is based on the normalization factor of each instance size (relative to the « small » instance size).
- Scheduled RI: 1-yr commitment, pre-defined schedule (Deprecated).
Regional RIs:
- Reservations are floating in the region.
- Does not reserve capacity.
- Size change supported for Linux.
Zonal RI:
- tied to a specific AZ.
- Reserves capacity in the specified AZ.
- You can change AZ within the same region.
- Instance size change not supported.
Spot instances:
- AWS unused capacity.
- up to a 90% discount compared to On-Demand prices.
- You specify the maximum price you are willing to pay and AWS will allocate Spot instances to you whenever the Spot price is lower than this maximum price your specified.
- If the Spot price exceeds your maximum willingness to pay for a given instance or when capacity is no longer available, your instance will be removed automatically.
- Removal options: Stop, Hibernate, Terminate.
- Termination notices are issued 2 minutes prior to removal (except for hibernation).
- When requesting a spot instance you can make a "Persistent Request" so that AWS keeps trying to spin your instance after it is removed.
Spot Fleet:
- A collection, or fleet, of Spot Instances, and optionally On-Demand Instances.
- Attempts to launch the number of Spot Instances and On-Demand Instances to meet the target capacity that you specified in the Spot Fleet request.
- Attempts to maintain its target capacity fleet if your Spot Instances are interrupted.
- When Spot Fleet attempts to fulfill your On-Demand capacity, and you have defined multiple on-demand instance types, it will try to launch the lowest-priced instance type first. You can alter this by defining a custom priority (allocation strategy).
Spot blocks:
- Spot Instances with a defined duration.
- designed not to be interrupted and will run continuously for the duration you select.
- You can use a duration of 1, 2, 3, 4, 5, or 6 hours.
- The price that you pay depends on the specified duration.
- In rare situations, Spot blocks may be interrupted due to Amazon EC2 capacity needs. You are not billed for interrupted instances.
Dedicated Hosts:
- A physical server with EC2 instance capacity fully dedicated to your use.
- Allow you to use your existing per-socket, per-core, or per-VM software licenses (BYOL).
Dedicated Instance:
- For instances that need to run on single-tenant hardware.
- May share the host with other instances from the same AWS account.
- You have no visibility on the host.
- You have no guarantee that when you run the instance it will always start on the same host.
- BYOL not supported.
On-Demand Capacity Reservations:
- Enable you to reserve capacity for your Amazon EC2 instances in a specific Availability Zone for any duration.
- Billing starts as soon as the capacity is provisioned.
- When you no longer need it, cancel the Capacity Reservation to stop incurring charges.
- You specify: AZ, number of instances, instance attributes.
- Can be combined with Savings Plans or Regional Reserved Instances to receive a discount.
EC2 Auto Scaling:
- Ensures that you have the correct number of Amazon EC2 instances available to handle the load for your application.
- Instances are grouped in Auto Scaling Groups (ASG).
- Auto Scaling does basically two things:
- Automatically replaces instances that are unhealthy.
- Automatically scales out or scales in your ASG to meet your scaling policy.
- ASGs are Region-wide.
- Number of instances in ASG:
- You specify a min, a max and a desired number of instances in an ASG.
- Desired number: the number of instances launched at start.
- The desired number can be changed manually (manual scaling) or by auto scaling.
- Min and Max number: boundaries for all requests to change the desired number (either manual or auto scaling).
- Launch templates & Launch configurations:
- Configuration template for your instances (AMI ID, instance type, key pair, security groups, and block device mapping, …).
- Launch Configurations cannot be modified (you can only delete or copy). Launch Templates can be modified (a new version is created each time a template is modified).
- Launch templates support more instance types and offers more options than launch configurations.
- An ASG can have multiple launch templates.
- You can assign weight to instance types and define the mix you want between on-demand and Spot instances.
- Supports health check notifications. Can come from EC2, ELB, or a custom health check. Unhealthy instances are replaced.
- Scaling policy types:
- Fixed number.
- Manual.
- Scheduled.
- Simple scaling & Step scaling: step adjustments based on threshold values for the CloudWatch alarms. The difference is that with Step scaling, the adjustments vary based on the size of the alarm breach, which is not the case with simple scaling.
- Target Tracking: you select a load metric for your application, such as CPU utilization or request count, set the target value, and Amazon EC2 Auto Scaling adjusts the number of EC2 instances in your ASG as needed to maintain that target (like a thermostat).
- Scaling based on SQS: you can build a scaling policy that responds to the load of an SQS queue by defining a custom CloudWatch metric and defining a target tracking scaling policy.
- Supports time to wait for new instances to warm-up: while scaling out, Auto Scaling does not consider instances that are warming up as part of the current capacity of the group.
- Cool down period:
- Specific to Simple Scaling policies.
- After the Auto Scaling group scales, it waits for a cooldown period to complete before any further scaling activities initiated by simple scaling policies can start.
- During the cool down period, there is no impact on other policy types. For example, a target scaling policy can trigger during the cool down period.
- Default cool down is 300 seconds.
- Lifecycle hooks:
- Let you take action before an instance goes into service or before it gets terminated.
- The instances are marked "paused" as an Auto Scaling group launches or terminates them.
- When an instance is "paused", it remains in a wait state either until you complete the lifecycle action using the complete-lifecycle-action command or the CompleteLifecycleAction operation, or until the timeout period ends (one hour by default).
Auto Scaling Instance Termination policy:
- First identifies which of the two types (Spot or On-Demand) should be terminated.
- Default policy: designed to help ensure that your instances span Availability Zones evenly for high availability. Then selects the instance that uses the oldest launch template or configuration.
- Can be customized.
- To prevent EC2 Auto Scaling from terminating a particular instance when scaling in, use instance scale-in protection on the instance or on the ASG. Does not prevent termination from the console nor when unhealthy instances are replaced.
- To prevent EC2 Auto Scaling from terminating unhealthy instances, suspend the ReplaceUnhealthy process.
Auto Scaling with ELB:
- You can attach the load balancer to your Auto Scaling group to register the group with the load balancer.
- Instances that are launched/terminated by your Auto Scaling group are automatically registered/deregistered with the load balancer.
- You can configure your Auto Scaling group to use ELB metrics such as the ALB request count per target (or other metrics) to scale the number of instances in the group.
- You can also optionally enable Auto Scaling to replace instances based on health checks provided by the ELB.
Other Features:
- Elastic Fabric Adapter: fast network interface for HPC (similar to Infiniband).
Virtualization types:
- Linux Amazon Machine Images use one of two types of virtualization: paravirtual (PV) or hardware virtual machine (HVM).
- The main differences between PV and HVM AMIs are the way in which they boot and whether they can take advantage of special hardware extensions (CPU, network, and storage) for better performance.
- For the best performance, we recommend that you use current generation instance types and HVM AMIs when you launch your instances.
Key Pair:
- consisting of a private key and a public key,
- used to prove your identity when connecting to an instance.
- When creating an instance, you can generate a new key pair or use an existing one.
- Amazon EC2 stores the public key, and you store the private key.
- On Linux: the key pair file is used for SSH connections.
- On Windows: the key pair is used when you click « Get Administrator Password » on the instance.
Placement Groups:
- When you launch a new EC2 instance, the EC2 service attempts to place the instance in such a way that all of your instances are spread out across underlying hardware to minimize correlated failures.
- You can use placement groups to influence the placement of a group of interdependent instances to meet the needs of your workload.
- Placement strategies: Cluster, Partition, Spread.
- Cluster Placement Groups:
- Packs instances close together inside an Availability Zone (same rack).
- Enables low network latency or high network throughput.
- Enhanced Networking is recommended.
- Limited to some instance types. Recommended to use the same instance type in the placement group.
- Can span peered VPCs but you will not get the full bandwidth.
- Partition Placement Groups:
- Spreads your instances across logical partitions such that groups of instances in one partition do not share the underlying hardware with groups of instances in different partitions.
- Can have partitions in multiple Availability Zones in the same Region.
- Max 7 partitions per AZ.
- A partition placement group with Dedicated Instances can have a maximum of two partitions.
- Spread Placement Groups:
- Strictly places a small group of instances across distinct underlying hardware to reduce correlated failures.
- Dedicated Instances not supported.
- An instance can belong to only one placement group.
- Existing instances cannot be moved into a placement group.
- PGs cannot be merged.
- Can contain reserved instances but you cannot reserve capacity for the group itself.
- Dedicated Hosts not supported.
Data Transfer Costs:
- Data transferred "in" to and "out" from EC2 and ElastiCache instances or Elastic Network Interfaces across Availability Zones or VPC Peering connections in the same AWS Region is charged at $0.01/GB in each direction.
- Same AZ: free
- Data transferred between S3/Glacier/DynamoDB/SES/SQS/Kinesis/ECR/SNS/SimpleDB and Amazon EC2 instances in the same AWS Region is free.
EC2 Instance metadata and user data:
- Data attached to your instance and that you can access from within your instance.
- Can be used to configure or manage the running instance.
- Instance metadata:
- AWS metadata about your instance.
- Divided into categories, for example, host name, events, and security groups.
- User data:
- Data that you specified when launching your instance.
- For example, you can specify parameters for configuring your instance, or include a simple script.
- Can be passed as text, base64 or file.
- If the text starts with a shebang (#!) it will be executed after the instance in launched.
- EC2 instances can also include dynamic data, such as an instance identity document that is generated when the instance is launched.
- Metadata security: although you can only access instance metadata and user data from within the instance itself, the data is not protected by authentication or cryptographic methods. Any software running on the instance, can view its metadata.
- Metadata can be retrieved using the "Instance MetaData Service": IMDSv1 or IMDSv2. Based on HTTP requests.
- IMDSv2 uses an authentication token: the first request retrieves a token that can be used for up to 6 hours.
- Example: curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/
- The IP address 169.254.169.254 is a link-local address and is valid only from the instance.
====================================
Lambda:
- a serverless compute service that runs your code in response to events and automatically manages the underlying compute resources for you.
- Functions are “stateless,” with no affinity to the underlying infrastructure.
- Functions are triggered by events, by HTTP requests or on a schedule.
- When Lambda runs your function:
- it invokes a handler function in you code that you defined when creating the Lambda function, and passes an event object and a context object to this handler.
- Event: Lambda passes the event data to your function in JSON format.
- Context: This object provides methods and properties that provide information about the invocation, function, and execution environment.
- Sizing:
- You define the amount of memory available to your Lambda function at runtime.
- Lambda allocates CPU power and network capacity in proportion to the amount of memory configured.
- Lambda is charged in increments of 100ms.
- Multi-AZ.
- You can set the timeout up to 15mn (max allowed time for a function to end).
Lambda function code:
- Natively supports Java, Go, PowerShell, Node.js, C#, Python, and Ruby code, and provides a Runtime API which allows you to use any additional programming languages to author your functions.
- Lambda Supports also packaging and deploying functions as container images.
- Supports Code signing. To verify code integrity, use AWS Signer to create digitally signed code packages for functions.
- Function code package is stored in S3.
- Function code package has a size limit. If you need more size, you can use Lambda Layers.
- Layers:
- A layer is a .zip file archive that contains libraries, a custom runtime, or other dependencies.
- With layers, you can use libraries in your function without needing to include them in your deployment package.
- Layers not supported for containers.
- A function can use up to five layers at a time.
- Layers are extracted to the /opt directory in the function execution environment.
Lambda has three events integration methods:
- Lamba reads events: For services that generate a queue or data stream. Lambda reads data from the other service, creates an event, and invokes your function. Supported services: DynamoDB streams , SQS, MQ, Kinesis, Apache Kafka (Amazon-managed or self-managed).
- Services that invoke Lambda functions synchronously: the other service waits for the response from your function. Supported services: ELBv2, Cognito, Lex, Alexa, API Gateway, CloudFront, Kinesis Data Firehose, S3 Batch.
- Services that invoke Lambda functions asynchronously: Lambda queues the event before passing it to your function. The other service gets a success response as soon as the event is queued. Supported Services: S3, SNS, SES, CloudFormation, CloudWatch, CodeCommit, IoT, CodePipeline.
Lambda Scaling:
- The first time you invoke your function, AWS Lambda creates an instance of the function and runs its handler method to process the event.
- When the function returns a response, it stays active and waits to process additional events.
- If you invoke the function again while the first event is being processed, Lambda initializes another instance, and the function processes the two events concurrently.
- As more events come in, Lambda routes them to available instances and creates new instances as needed.
- When the number of requests decreases, Lambda stops unused instances to free up scaling capacity for other functions.
Lambda Concurrency:
- Concurrency is the number of requests that your function is serving at any given time.
- Concurrency is subject to a Regional quota that is shared by all functions in a Region.
- Reserved Concurrency:
- When a function has reserved concurrency, no other function can use that concurrency.
- Also limits the maximum concurrency for the function, and applies to the function as a whole, including versions and aliases.
- Provisioned concurrency:
- Initializes a requested number of execution environments so that they are prepared to respond to your function's invocations.
- Ensures that all requests are served by initialized instances with very low latency.
- Provisioned concurrency counts towards a function's reserved concurrency and Regional quotas.
- When all provisioned concurrency is in use, the function scales up normally to handle any additional requests.
- When requests come in faster than your function can scale, or when your function is at maximum concurrency, additional requests fail with a throttling error (HTTP 429 Too Many Requests).
Lambda Application Auto Scaling:
- Application Auto Scaling takes a step further by providing autoscaling for provisioned concurrency.
- Lets you create a target tracking scaling policy that adjusts provisioned concurrency levels automatically, based on the utilization metric that Lambda emits.
Lambda RDS Proxy:
- You can use RDS Proxy: manages a pool of database connections and relays queries from a function.
- This enables a function to reach high concurrency levels without exhausting database connections.
- Supported on MySQL and Aurora.
File System for Lambda:
- You can configure a function to mount an EFS file system to a local directory.
- A function connects to a file system over the local network in a VPC.
- The function subnet must be in the same AZ as the EFS mount point.
Lambda Network:
- You can configure a Lambda function to connect to private subnets in a VPC.
- When you connect a function to a VPC, Lambda creates an elastic network interface for each subnet in your function's VPC configuration.
- Multiple functions connected to the same subnets share network interfaces.
- Connecting additional functions to a subnet that has an existing Lambda-managed network interface is much quicker than having Lambda create additional network interfaces.
- However, if you have many functions or functions with high network usage, Lambda might still create additional network interfaces.
- If you configure a Lambda function in your VPC and you need your function to have access to internet, you need to do the necessary in your VPC (NAT gateway, Security Group, …).
Lambda interface VPC endpoints:
- Can be created to invoke your Lambda function from you VPC without crossing the public internet.
- Each interface endpoint is represented by one or more elastic network interfaces in your subnets.
- A network interface provides a private IP address that serves as an entry point for traffic to Lambda.
Lambda Logging:
- Lambda automatically monitors Lambda functions on your behalf and sends function metrics to Amazon CloudWatch.
- Lambda sets a CloudWatch Logs log group and a log stream for each instance of your function. Permissions required: CreateLogGroup, CreateLogStream, and PutLogEvents.
- All output (stdout & stderr) from you function is sent to the log stream.
Lambda@Edge:
- is a feature of Amazon CloudFront that lets you run code closer to users of your application, which improves performance and reduces latency.
- runs your code in response to events generated by the Amazon CloudFront content delivery network (CDN).
- Refer to the CloudFront notes for more details.
====================================
AWS Wavelength:
- Deploys standard AWS compute and storage services to the edge of telecommunication carriers' 5G networks.
- Developers can extend an Amazon VPC to one or more Wavelength Zones, and then use AWS resources like EC2 instances to run applications that require ultra-low latency and a connection to AWS services in the Region.
====================================
ECS:
- A fully managed container orchestration service for Docker.
- Allows you to easily run applications on a managed cluster either on EC2 instances or AWS Fargate.
- ECS on EC2 instances:
- You create an ECS cluster: group of EC2 instances that you manage.
- ECS will install Docker and a lightweight agent on each EC2 instance.
- You can choose the AMI you want.
- When using ECS on EC2 instances, you have root access to the operating system of your container instances, enabling you to take ownership of the operating system’s security settings as well as load and configure additional software components for security capabilities such as monitoring, patch management, log management and host intrusion detection.
- Use case: Customers who require greater control of their EC2 instances to support compliance and governance requirements or broader customization options.
- Tasks:
- A Task is an application. Tasks allow you to define a set of containers that you would like to be placed together.
- A task definition is a JSON file that describes one or more containers (up to a maximum of ten) that form your application.
- A task definition is like a blueprint for your application. Each time you launch a task in Amazon ECS, you specify a task definition.
- Task definitions include: the docker image, CPU and RAM amount, docker networking mode, data volumes, …
- ECS will place containers on the cluster based on your placement strategies.
- ECS CLI supports Docker Compose.
- Supports Amazon Elastic Container Registry (ECR), Docker Hub and 3rd party hosted Docker image repositories.
- Supports Blue/Green Deployments.
- Container auto-recovery.
- Uses EFS for storage persistence.
- Integration with ELB (ALB or NLB): automatically adds and removes containers from the load balancer.
Sensitive data in ECS:
- Amazon ECS enables you to inject sensitive data (like credentials) into your containers by storing it in either "AWS Secrets Manager" secrets or "AWS Systems Manager Parameter Store" parameters and then referencing them in your container definition.
- Secrets can be exposed to a container in the following ways:
- To inject sensitive data into your containers as environment variables, use the "secrets" container definition parameter.
- To reference sensitive information in the log configuration of a container, use the "secretOptions" container definition parameter.
- Using AWS Secrets Manager: When you inject a secret as an environment variable, you can specify the full contents of a secret, a specific JSON key within a secret, or a specific version of a secret to inject.
- Sensitive data is injected into your container when the container is initially started. If you change or rotate your secret, it will not reflect on the running container.
ECS Network Modes:
- awsvpc (recommended): The task is allocated its own elastic network interface (ENI) and a primary private IPv4 address. This gives the task the same networking properties as Amazon EC2 instances.
- bridge: The task utilizes Docker's built-in virtual network which runs inside each Amazon EC2 instance hosting the task.
- host: The task bypasses Docker's built-in virtual network and maps container ports directly to the ENI of the Amazon EC2 instance hosting the task. As a result, you can't run multiple instantiations of the same task on a single Amazon EC2 instance when port mappings are used.
- none: The task has no external network connectivity.
====================================
Amazon Elastic Kubernetes Service (EKS):
- Gives you the flexibility to start, run, and scale Kubernetes clusters in the AWS cloud or on-premises.
- automates key tasks such as patching, node provisioning, and updates.
- Can run on EC2 or AWS Fargate.
- EKS runs the Kubernetes control plane across three Availability Zones in order to ensure high availability, and it automatically detects and replaces unhealthy control plane nodes.
- EKS supports running Windows worker nodes alongside Linux worker nodes in the same cluster.
====================================
AWS Fargate:
- Fargate is a serverless compute engine that you can use to run containers for ECS, EKS and AWS Batch.
- Fargate removes the need to provision, scale and manage EC2 instances.
- Fargate allocates the right amount of compute, eliminating the need to choose instances and scale cluster capacity.
- Fargate runs each task or pod in its own kernel providing the tasks and pods their own isolated compute environment (isolation by design).
====================================
AWS Elastic Beanstalk (EB):
- With Elastic Beanstalk, you can quickly deploy and manage applications in the AWS Cloud without having to learn about the infrastructure that runs those applications.
- It keeps the provisioning of building blocks (e.g., EC2, RDS, ELB Auto Scaling, CloudWatch), deployment of applications, and health monitoring abstracted from the user so they can just focus on writing code.
- You simply specify the code or containers to deploy.
- Supports a large list of platforms: .NET, Docker, Java, Node.js, PHP, Python, …etc.
- Elastic Beanstalk will automatically handle all the details such as provisioning an Amazon ECS cluster, balancing load, auto-scaling, monitoring, and placing your containers across your cluster.
- Elastic Beanstalk is ideal if you want to leverage the benefits of containers but just want the simplicity of deploying applications from development to production by uploading a container image.
- You can create versions of your application (stored in S3).
- You can have multiple environments (prod, dev, test, …).
- You can change settings in the infrastructure created by EB. For instance, you can change the load balancing parameters of the ELB.
- You can select different deployment strategies for new application versions (all-at-once, rolling, …).
==============================
AWS Batch:
- Regional service that helps you to run batch computing workloads on the AWS Cloud.
- Sits in a VPC.
- Jobs: a unit of work (such as a shell script, a Linux executable, or a Docker container image)
- A Job runs as a containerized application on AWS Fargate or Amazon EC2 instances.
- Jobs can reference other jobs by name or by ID, and can be dependent on the successful completion of other jobs.
- Job definition includes IAM role, CPU, Memory, container properties, environment variables, persistent storage, …
- Jobs are submitted to a Job Queue.
- You associate one or more compute environments with a job queue. You can set priorities.
- Managed Compute Environment: Fargate or EC2 (including Spot instances).
- Unmanaged Compute Environment: Batch creates an ECS cluster and you need to manage it (set up, scaling, …).
- Sensitive data stored in AWS Secrets Manager secrets can be exposed to an AWS Batch job as environment variables or as part of the log configuration.
==============================
AWS Outposts:
- A fully managed service that extends AWS infrastructure, services, APIs, and tools to customer premises.
- An Outpost is a pool of AWS compute and storage capacity deployed at a customer site.
- AWS offers multiple Outposts hardware configurations (sizings).
- Form factor: 42U rack.
- AWS operates, monitors, and manages this capacity as part of an AWS Region.
- Each Outpost is an extension of an Availability Zone and its associated Region.
- Each Outpost can support multiple VPCs that can have one or more Outpost subnets.
- You can create subnets on your Outpost and specify them when you create AWS resources such as EC2 instances, EBS volumes, ECS clusters, and RDS instances.
- Instances in Outpost subnets communicate with other instances in the AWS Region using private IP addresses, all within the same VPC.
- Your on-premises network must provide wide area network (WAN) access back to the Region and to the internet.
- Local gateway:
- Logical interconnect virtual router that enables communication between your Outpost and your on-premises network (NAT and BGP advertisement).
- Can also be used for outbound internet traffic.
- VPC private connectivity options (Outpost to AWS):
- service links: an encrypted set of VPN connections that are used whenever the Outpost communicates with your chosen home Region.
- local gateway: the local gateway sends traffic through an existing Direct Connect or S2S VPN.
- Customers can also deploy multiple Outposts at a site, each tied to a different Availability Zone for even higher availability.
==============================
VMware Cloud on AWS:
- Provides dedicated, single-tenant cloud infrastructure based on vSphere.
- A cluster can have 2 to 16 hosts.
- Runs the VMware SDDC native stack.
- VMware manages and operates the service.
- Includes NSX which integrates with AWS Direct Connect for end-to-end private networking.
- Supports Disaster Recovery with Site Recovery Manager.
- Includes vSAN and NVMe for instance storage.
- Connected to VPC.
==============================
AWS offers a wide-range of website hosting options:
- Amazon Lightsail: for Simple Website hosting.
- AWS Amplify Console: for Single Page Web App hosting.
- Amazon S3: for Static Website hosting.
- Amazon EC2: for Enterprise Web Hosting.
Amazon Lightsail:
- Provides ready to use compute, web server software, Database, DNS, Load Balancer and Storage for websites hosting.
- Use cases:
- Popular website stacks like LAMP, LEMP, MEAN, Node.Js.
- Websites built on common applications like WordPress, Joomla, Drupal, Magento.
- Targeted at:
- Websites that are unlikely to scale beyond 5 servers.
- Customers who want to manage their own web server and resources.
- Simplified management console.
- Simplified billing with predefined packages.
AWS Amplify:
- Websites built with Single page app frameworks such as React JS, Vue JS, Angular JS, and Nuxt.
- Websites built with static site generators such as Gatsby JS, React-static, Jekyll, and Hugo.
- Progressive web apps or PWAs
- Websites that do not contain server-side scripting, like PHP or ASP.NET
- Websites that have serverless backends.