Index
Symbols
administrative processes, 393
backing services, 389
concurrency, 392
configuration storage, 388–389
dependencies, 388
development/production parity, 393
isolate/build/run stages, 389–390
log streams, 393
port binding, 392
A
accelerated computing instances, 160–161
acceptor VPCs, 123
access control lists (ACLs), 348
access keys for IAM users, 329–331
access logs, 244
access management. See IAM (identity and access management)
ACLs (access control lists), 348
actions (CloudWatch), additional settings, 226
actions (IAM), 324–325, 344–345
adaptive capacity in DynamoDB, 304–305
administrative access (security groups), 115
administrative processes in 12-factor app rules, 393
AEAD encryption, 123
alarms (CloudWatch)
ALB (Application Load Balancer), 233–243
features, 229
health check configuration, 242–243
HTTPS listener security settings, 239–240
sticky session support, 242
target groups, 233–234, 240–241
user session maintenance, 241
Amazon ECS (Elastic Container Service), 204–205
Amazon EFS (Elastic File System), 257, 281
key features, 282
performance comparison, 284–286
performance modes, 283
security, 284
throughput modes, 283
usage examples, 282
Amazon ElastiCache, 257
Amazon FSx for Lustre, 258, 282
usage examples, 282
Amazon FSx for Windows File Server, 258, 282, 286–287
usage examples, 282
Amazon LightSail, 206
Amazon Machine Images (AMIs). See AMIs (Amazon Machine Images)
Amazon Macie, 279
Amazon RDS (Relational Database Service), 258, 287–294
database engines, 288
performance, 293
bucket configuration options, 272
data consistency, 272
performance comparison, 284–286
static website creation, 404
usage examples, 270
Amazon web services. See AWS (Amazon web services) cloud services
AMIs (Amazon Machine Images), 164–175
components of, 165
Windows AMIs, 167
analyzing costs, 69
Simple Monthly Calculator, 73–74
TCO (Total Cost of Ownership) Calculator, 75
app server inbound ports (security groups), 114
Application Load Balancer (ALB), 233–243
features, 229
health check configuration, 242–243
HTTPS listener security settings, 239–240
sticky session support, 242
target groups, 233–234, 240–241
user session maintenance, 241
application migration to AWS, 196–202
AWS SMS (Server Migration Services), 200–201
VM Import/Export service, 202
Well-Architected Framework, 24–26
application scaling. See scaling
application stacks, 206
archives (S3 Glacier), 281
ASGs (auto scaling groups), 248–251
lifecycle hooks, 251
associating services, hosting services versus, 81
attaching EBS volumes, 264–265
authentication
load balancer support, 233
MFA (multifactor authentication), 337
serverless Web app example, 405
auto scaling
ASGs (auto scaling groups), 248–251
launch configurations, 246
launch templates, 247
auto scaling groups (ASGs), 248–251
lifecycle hooks, 251
administrative processes, 393
backing services, 389
concurrency, 392
configuration storage, 388–389
dependencies, 388
development/production parity, 393
isolate/build/run stages, 389–390
log streams, 393
port binding, 392
benefits of, 377
EC2 instance creation, 381–382
availability
AWS customer agreement, 42
projected service downtime, 43
availability zones (AZ)
load balancer support, 233
in VPCs, 95
AWS (Amazon web services) cloud services
automation. See automation
defined, 1
designing. See designing AWS
migrating applications to, 196–202
AWS SMS (Server Migration Services), 200–201
VM Import/Export service, 202
Well-Architected Framework, 24–26
network security, 18
networking. See networking
AWS ECS for Kubernetes (EKS), 205–206
AWS Fargate, 205
AWS Firecracker, 208
AWS Inspector, 370
AWS Marketplace, AMIs in, 167–168
SCPs (service control policies), 347
AWS Promotional Credit, 6
AWS RAM (Resource Access Manager), 366–368
AWS Shield, 46
AWS Shield Advanced, 46
AWS SMS (Server Migration Services), 200–201
AZ. See availability zones (AZ)
B
BAA (Business Associate Addendum), 54
backing services in 12-factor app rules, 389
backups
AWS services available, 14
in DynamoDB, 308
batch operations (S3), 274–275
block storage. See EBS (elastic block storage)
broad network access, defined, 11
buckets (S3)
configuration options, 272
data consistency, 272
static website creation, 404
Business Associate Addendum (BAA), 54
C
C states, 160
capacity units sizes in DynamoDB, 302–303
change sets (CloudFormation), 377, 382–383
changing instance types, 176–177
choosing
applications to migrate, 21–23
listeners, 236
regions, 49
CIDR blocks, creating, 91
secondary CIDR blocks, 93
CLB (Classic Load Balancer), 229
cloud computing. See AWS (Amazon web services) cloud services; public cloud services
Cloud Foundry, 9
cloud storage. See storage
benefits of, 377
EC2 instance creation, 381–382
CloudHub, 137
alarm/action settings, 225–226
cost of, 223
dashboard, 224
EC2 instance monitoring, 226
features, 213
load balancer metrics, 243–244
rebooting/recovering EC2 instances, 226–227
service integration, 219–220, 223
codebase in 12-factor app rules, 386–388
GovCloud, 56
HIPPA (Health Insurance Portability and Accountability Act), 54–55
NIST (National Institute of Standards and Technology), 55–56
PCI compliance checklist, 51–52
compute costs
calculating, 62
compute optimized instances, 159
compute services, 147. See also EC2 instances
concurrency in 12-factor app rules, 392
configuration storage in 12-factor app rules, 388–389
connectivity. See networking
AWS ECS for Kubernetes (EKS), 205–206
AWS Fargate, 205
virtual machines (VMs) versus, 204
convertible reserved instances, 181
cost
analyzing, 69
Simple Monthly Calculator, 73–74
TCO (Total Cost of Ownership) Calculator, 75
compute costs, 62
of CloudWatch, 223
reserved instances (RI), 178–182
of IP addressing, 102, 106–107
of load balancers, 228
optimizing, 67
reserved pricing, 69
of PrivateLink, 130
of S3 storage, 269
credential reports (IAM), 360
cross-account access (IAM roles), 354–355
CRR (cross-region replication), 276
custom policies (IAM), 339
D
D2 instances, 161
dashboard (CloudWatch), 224
data access, questions to ask, 22–23
data centers
history of cloud computing, 2–4
operational benefits of AWS, 14–15
data consistency
in S3 storage, 272
data control, 17
data transfer
database server inbound ports (security groups), 114–115
databases
Amazon RDS (Relational Database Service), 287–294
database engines, 288
performance, 293
backup/restore, 308
DAX, 308
global tables, 307
serverless Web app example, 405
DataSync, 311
DAX (DynamoDB Accelerator), 308
DDoS attacks
AWS Shield, 46
AWS Shield Advanced, 46
dedicated hosts, 162
default region, 33
default security group, 112–113
dependencies in 12-factor app rules, 388
availability zones (AZ)
GovCloud, 56
HIPPA (Health Insurance Portability and Accountability Act), 54–55
NIST (National Institute of Standards and Technology), 55–56
PCI compliance checklist, 51–52
cost analyzation, 69
Simple Monthly Calculator, 73–74
TCO (Total Cost of Ownership) Calculator, 75
compute costs, 62
cost optimization, 67
reserved pricing, 69
edge location services, 44
AWS Shield, 46
AWS Shield Advanced, 46
WAF (Web Application Firewall), 47
questions to ask, 30
regions
choosing, 49
isolation, 34
service separation in, 35
SLAs (service-level agreements)
developers, AWS options for, 6, 20–21
Direct Connect, 138–139, 310–311
disposability in 12-factor app rules, 392–393
DNS services, Route 53, 45–46, 139–144
Alias records versus CNAME records, 140–141
private DNS zones, 143
dynamic port mapping, 232
backup/restore, 308
DAX, 308
global tables, 307
serverless Web app example, 405
SQL databases versus, 299
E
EBS (elastic block storage), 257–258, 259–269
general-purpose SSD baseline, 261–262
provisioned IOPS (io1), 262–263
volumes
best practices, 269
elastic, 264
tagging, 268
EBS-backed AMIs
creating, 169
instance store-backed AMIs versus, 170–171
ASGs (auto scaling groups), 248–251
launch configurations, 246
launch templates, 247
EC2 instances
components of, 165
Windows AMIs, 167
architecture, 152
reserved instances (RI), 178–182
creating with CloudFormation, 381–382
history of virtualization, 148–152
launch templates, 176
monitoring, 226
naming conventions, 153
configuration options, 192
storage options, 193
tagging, 175
accelerated computing, 160–161
compute optimized, 159
dedicated hosts, 162
M1, 156
micro, 156
for paravirtualization, 156
storage-optimized, 161
EC2-Classic, 80
EC2-VPC. See VPCs (virtual private clouds)
edge location services, 44
AWS Shield, 46
AWS Shield Advanced, 46
WAF (Web Application Firewall), 47
EFS (Elastic File System). See Amazon EFS (Elastic File System)
egress-only Internet gateway (EOIG), 132–133
EIP (elastic IP addresses), 104–106
EKS (AWS ECS for Kubernetes), 205–206
Elastic Beanstalk, 389–390, 394–397
elastic block storage (EBS). See EBS (elastic block storage)
Elastic Compute Cloud. See EC2 instances
Elastic Container Service (Amazon ECS), 204–205
elastic EBS volumes, 264
Elastic File System (EFS). See Amazon EFS (Elastic File System)
elastic IP addresses (EIP), 104–106
elastic load balancing (ELB). See ELB (elastic load balancing)
in 12-factor app rules, 392
defined, 12
ASGs (auto scaling groups), 248–251
launch configurations, 246
launch templates, 247
ELB (elastic load balancing), 227–233
feature comparison, 229
encryption
AEAD, 123
endpoints
in Aurora, 298
entities (IAM), 319
EOIG (egress-only Internet gateway), 132–133
ephemeral storage. See EBS (elastic block storage)
F
F1 instances, 161
failover
of availability zones (AZ), 38–40
Fargate, 205
file synchronization in Amazon EFS, 286
Firecracker, 208
firewalls
NACLs (network access control lists), 117–122
inbound/outbound rules, 118–120
WAF (Web Application Firewall), 47
G
G3 instances, 160
gateway VPC endpoints, 125–128
gateways
gateway VPC endpoints, 125–128
VPG (virtual private gateway), 134–135
GDPR, 20
general-purpose instances, 156–157
general-purpose SSD (gp2), 261–262
Geo DNS, 142
Glacier class (S3), 274, 280–281
Glacier Deep Archive class (S3), 274
global DynamoDB tables, 307
golden AMI pipeline sample configuration, 174
GovCloud, 56
gp2 (general-purpose SSD), 261–262
Gramm-Leachy-Billy Act, 20
H
H1 instances, 161
health checks
Health Insurance Portability and Accountability Act (HIPPA), 20, 54–55
high availability. See availability
high-memory instances, 160
HIPPA (Health Insurance Portability and Accountability Act), 20, 54–55
history
host-based routing, 238
hosting services, associating services versus, 81
HTTP access (security groups), 114
HTTPS listener security settings, 239–240
hyperthreading, 154
hypervisors
I
I3 instances, 161
IaaS (infrastructure as a service), 6–8
IAM (identity and access management), 317–365
AWS services available, 15
features, 318
groups, 332
MFA (multifactor authentication), 337
ACLs (access control lists), 348
conditional elements, 350
permission boundaries, 346–347
resource-based, 340
SCPs (service control policies), 347
session policies, 348
versioning, 349
signing in, 332
STS (security token service), 355–356
identifying, 328
ICMP access (security groups), 115
identities (IAM), 319
identity management. See IAM (identity and access management)
identity-based policies (IAM), 337–339
inbound rules (NACLs), 118–120
infrastructure as a service (IaaS), 6–8
infrastructure as code. See automation
in-line policies (IAM), 340–341
installing
Amazon RDS (Relational Database Service), 292–293
instance storage. See EBS (elastic block storage)
instance store-backed AMIs
EBS-backed AMIs versus, 170–171
instances (EC2). See EC2 instances
Intelligent-Tiering class (S3), 273–274
interface VPC endpoints, 128–131
inventory processing (S3), 277
io1 (provisioned IOPS), 262–263
IP addressing
IPv6 addresses, 110
load balancer support, 232
private IPv4 addresses, 102–103
public IPv4 addresses, 103–104
secondary CIDR blocks, 93
IPv4 addressing
IPv6 addressing, 110
isolation of regions, 34
J
job function policies (IAM), 339
L
latency-based routing (LBR), 142
launch configurations, 246
LBR (latency-based routing), 142
LCUs (load capacity units), 228
lifecycle hooks, 251
LightSail, 206
listeners, choosing, 236
load balancers, 18–19, 227–244
ALB (Application Load Balancer), 233–243
health check configuration, 242–243
HTTPS listener security settings, 239–240
sticky session support, 242
target groups, 233–234, 240–241
user session maintenance, 241
cost of, 228
ELB (elastic load balancing), 227–233
feature comparison, 229
NLB (Network Load Balancer), 244
load capacity units (LCUs), 228
local instance storage, 187–189
log streams in 12-factor app rules, 393
M
M1 instances, 156
M4 instances, 157
magnetic drives
EBS (elastic block storage), 263
local instance storage, 187–189
managed policies (IAM), 338
managed services
defined, 7
memory-optimized instances, 159–160
MFA (multifactor authentication), 337
micro instances, 156
migrating applications to AWS, 196–202
AWS SMS (Server Migration Services), 200–201
VM Import/Export service, 202
Well-Architected Framework, 24–26
mobile application authentication, 353
AWS services available, 14
CloudWatch
alarm/action settings, 225–226
dashboard, 224
rebooting/recovering EC2 instances, 226–227
service integration, 219–220, 223
EC2 instances, 226
moving to AWS (Amazon web services) cloud, 5–6
multifactor authentication (MFA), 337
N
NACLs (network access control lists), 117–122
inbound/outbound rules, 118–120
naming conventions for EC2 instances, 153
National Institute of Standards and Technology (NIST)
public cloud definitions, 10–13
scaling/elasticity definition, 209–210
network access, broad, 11
network access control lists (NACLs), 117–122
inbound/outbound rules, 118–120
Network Load Balancer (NLB), 244
features, 229
network security, 18
availability zones (AZ), 95
AWS networking internals, 81–83
EC2-Classic, 80
IP addressing
IPv6 addresses, 110
private IPv4 addresses, 102–103
public IPv4 addresses, 103–104
inbound/outbound rules, 118–120
performance, EC2 instances and, 163–164
Alias records versus CNAME records, 140–141
private DNS zones, 143
administrative access, 115
app server inbound ports, 114
database server inbound ports, 114–115
PING access, 115
stretch layer 2 network designs, 82
subnets
VPC CIDR block creation, 91
secondary CIDR blocks, 93
VPC endpoints
CloudHub, 137
VPG (virtual private gateway), 134–135
NIST (National Institute of Standards and Technology)
public cloud definitions, 10–13
scaling/elasticity definition, 209–210
NLB (Network Load Balancer), 244
features, 229
O
object storage. See Amazon S3
object tags (S3), 277
One Zone-1A class (S3), 274
OpsWorks, 376
optimizing costs, 67
reserved pricing, 69
ordering EC2 instances, 190–196
configuration options, 192
storage options, 193
OUs (organizational units), 366
P
P states, 160
PaaS (platform as a service), 8–10
paravirtualization, 148, 152, 156
parity in 12-factor app rules, 393
password policies (IAM), 334–335
PCI (Payment Card Industry) compliance checklist, 51–52
PCI DSS, 20
performance
Amazon EFS (Elastic File System), 283
Amazon RDS (Relational Database Service), 293
EBS (elastic block storage), 263
EC2 instances and networking, 163–164
permission boundaries (IAM policies), 346–347
PING access (security groups), 115
planning for monitoring, 217–219
platform as a service (PaaS), 8–10
ACLs (access control lists), 348
conditional elements, 350
permission boundaries, 346–347
resource-based, 340
SCPs (service control policies), 347
session policies, 348
versioning, 349
policy objects (IAM), 320
port binding in 12-factor app rules, 392
pricing. See cost
primary CIDR block, planning, 91–93
principals (IAM), 320
private cloud services, 8
private DNS zones, 143
private IPv4 addresses, 102–103
private subnets, 18
provisioned IOPS (io1), 262–263
provisioning capacity in DynamoDB, 302–303
public cloud services
defined, 5
network security, 18
Q
quality of service, AWS customer agreement, 41
R
R4 instances, 159
R5 instances, 159
rapid elasticity, 12
RDS (relational database service). See Amazon RDS (Relational Database Service); databases
rebooting EC2 instances, 226–227
recovering EC2 instances, 226–227
redundancy. See load balancers
regions
availability zones (AZ)
choosing, 49
default, 33
isolation, 34
service separation in, 35
relational database service (RDS). See Amazon RDS (Relational Database Service); databases
requester VPCs, 123
reserved instances (RI), 178–182
scheduled instances, 182
reserved pricing, 69
resiliency. See scaling
Resource Access Manager (AWS RAM), 366–368
resource pooling
for scaling, 211
resource-based policies (IAM), 340
resources (IAM), 320
RESTful communication, 406
restoring DynamoDB tables, 308
RI (reserved instances), 178–182
scheduled instances, 182
rotating IAM access keys, 335–337
Alias records versus CNAME records, 140–141
private DNS zones, 143
routing protocols
load balancer support, 232
S
S3. See Amazon S3
Sarbanes-Oxley, 20
in 12-factor app rules, 392
AWS services available, 15
defined, 12
ASGs (auto scaling groups), 248–251
launch configurations, 246
launch templates, 247
scheduled reserved instances, 182
scheduled scaling, 250
SCPs (service control policies), 347
secondary CIDR blocks, adding, 93
in Amazon EFS, 284
AWS customer agreement, 41
AWS Inspector, 370
AWS RAM (Resource Access Manager), 366–368
HTTPS listener security settings, 239–240
IAM (identity and access management), 317–365
features, 318
groups, 332
MFA (multifactor authentication), 337
signing in, 332
STS (security token service), 355–356
network security, 18
administrative access, 115
app server inbound ports, 114
database server inbound ports, 114–115
PING access, 115
security token service (STS), 355–356
selecting. See choosing
Server Migration Services (AWS SMS), 200–201
server name identification (SNI), 231
server usage, operational benefits of AWS, 14
serverless Web app example, 404–406
API Gateway setup, 406
authentication, 405
DynamoDB tables, 405
static website creation, 404
service consumers, 129
service control policies (SCPs), 347
service providers, 129
serviceless computing, 206–208, 400–401
service-level agreements (SLAs), 15–16
service-linked roles (IAM), 352
session policies (IAM), 348
SFTP (Secure FTP), 312
shared file systems. See Amazon EFS (Elastic File System); Amazon FSx for Lustre; Amazon FSx for Windows File Server
signing in as IAM user, 332
Simple Monthly Calculator, 73–74
Simple Storage Service. See Amazon S3
SLAs (service-level agreements), 15–16
tagging, 268
SNI (server name identification), 231
Snowball Edge, 312
Snowmobile, 312
SQL databases, DynamoDB versus, 299–300
SSD (solid state drive) storage, 187–189
stack sets (CloudFormation), 383–384
stacks (CloudFormation), 380–381
Standard class (S3), 273
standard reserved instances, 181
Standard-1A class (S3), 274
stateless processes in 12-factor app rules, 390–391
statements (IAM), 320
static websites, creating, 404
sticky sessions, 242
storage
Amazon EFS (Elastic File System), 281
key features, 282
performance modes, 283
security, 284
throughput modes, 283
usage examples, 282
Amazon FSx for Windows File Server, 286–287
Amazon RDS (Relational Database Service), 287–294
database engines, 288
performance, 293
bucket configuration options, 272
data consistency, 272
usage examples, 270
data transfer options, 309–313
backup/restore, 308
DAX, 308
global tables, 307
EBS (elastic block storage), 259–269
best practices, 269
elastic volumes, 264
general-purpose SSD baseline, 261–262
performance, 263
provisioned IOPS (io1), 262–263
tagging volumes/snapshots, 268
local instance storage, 187–189
operational benefits of AWS, 14
performance comparison, 284–286
storage class analysis (S3), 277
storage-optimized instances, 161
stretch layer 2 network designs, 82
STS (security token service), 355–356
subnets
synchronization in Amazon EFS, 286
T
T1 instances, 156
backup/restore, 308
global tables, 307
provisioning capacity, 302–303
serverless Web app example, 405
tagging
EBS volumes/snapshots, 268
EC2 instances, 175
target groups, 233–234, 240–241
TCO (Total Cost of Ownership) Calculator, 75
templates (CloudFormation), 377–380, 381
temporary credentials in IAM, 352, 355–356
testing
AWS services available, 15
stages in 12-factor app rules, 389–390
throughput
Amazon EFS (Elastic File System), 283
EBS (elastic block storage), 263
Total Cost of Ownership (TCO) Calculator, 75
trust policies (IAM), 351
U
updating Elastic Beanstalk applications, 396–397
user session maintenance, 241
groups, 332
identifying, 328
signing in, 332
V
vaults (S3 Glacier), 281
versioning
IAM policies, 349
virtual machines (VMs), containers versus, 204
virtual private clouds. See networking; VPCs (virtual private clouds)
virtual private gateway (VPG), 134–135
virtual servers. See EC2 instances
virtualization
with VMware, 8
VM Import/Export service, 202
VMs (virtual machines), containers versus, 204
VMware, 8
volumes (EBS)
best practices, 269
elastic, 264
tagging, 268
VPCs (virtual private clouds). See also networking
availability zones (AZ), 95
AWS networking internals, 81–83
CIDR block creation, 91
secondary CIDR blocks, 93
endpoints
hosting versus associating services, 81
IP addressing
IPv6 addresses, 110
private IPv4 addresses, 102–103
public IPv4 addresses, 103–104
Alias records versus CNAME records, 140–141
private DNS zones, 143
administrative access, 115
app server inbound ports, 114
database server inbound ports, 114–115
PING access, 115
subnets
CloudHub, 137
VPG (virtual private gateway), 134–135
VPG (virtual private gateway), 134–135
CloudHub, 137
W
WAF (Web Application Firewall), 47
Well-Architected Framework, 24–26
Windows AMIs, 167
WRR (weighted round robin), 141
X
Z
Z1d instances, 160