Learning More About AWS (Part 2) - Notes for Certified Developer Associate Exam
I interact with AWS a good amount - I use s3 for image/audio/video/other data storage and I use the Relational Database Service for the database for this site - so I am going to try to learn more about how it all works. I have learned a lot about computer networking by having to look up what is what when implementing AWS / Google Cloud services, but I still don't look forward to setting up another service, so by learning more about AWS, I hope that the task begins to seem less daunting to me.
What I Intend to Learn
- I hope to learn enough to earn the AWS Certified Cloud Practitioner and AWS Certified Developer - Associate certifications.
Things that I Have Done with AWS / Things that I Need to Do
- What I Have Done
- I have created s3 buckets to store / retrieve images, audio files, video files, and geojson objects.
- I have used CloudFront to create edge locations for these s3 buckets to make access to their objects quicker.
- I have created Lambda Functions that run on interaction with the s3 buckets.
- I have created a Relational Database Service for PostgreSQL that I use for this website.
- I have limited access to each of these buckets based on IP address, using CORS headers, and by restricting access to certain AWS users.
- What I Need to Do
- I need to create a few different things relating to images stored in the s3 bucket
- A Lambda function that appropriately checks for whether or not the image contains inappropriate content.
- A way for the images to be resized (width / height) on the server and then sent to the client / save a new version of the image in the s3 bucket
- I need to validate videos / audio stored in AWS
- I need to generate captions for video / audio in AWS
- I need to generate thumbnails for videos on AWS
- I need to change the audio / video process for streaming video / audio
- This replaces the ffmpeg process that I am currently performing on the server
Much of the content in this note is repeated content from Part 1 of AWS
Regions and Zones
- AWS provides 20+ regions around the world that provide you high availability, low latency, and that adhere to government regulations
- Availability Zones (AZ) are isolated zones in a region. Each region has at least 2 availability zones. They increase availability of applications in the same region.
EC2 Fundamentals
- Where do you deploy applications in the cloud?
- EC2 Instances - Virtual servers in AWS (billed by second)
- EC2 Service - Provision EC2 instances or virtual servers
EC2 Features
- Create and manage lifecycle of EC2 instances
- Load balancing and auto scaling for multiple EC2 instances
- Attach storage (& network storage) to your EC2 instances
- Manage network connectivity for an EC2 instance
- Our Goal:
- Setup EC2 instances as HTTP server
- Distribute load with load Balancers
EC2 Instance Types
- Optimized combination of compute (CPU, GPU), memory, disk (storage) and networking for specific workloads
- 270+ instances across 40+ instance types for different workloads
- t2.micro:
- t - Instance Family
- 2 - generation. Improvements with each generation
- micro - size. (nano < micro < small < medium < large < xlarge < ...)
- (Remember) As size increases, compute (GPU, CPU), memory, and network capabilities increase proportionately
EC2 - Instance Metadata Service and Dynamic Data
- Instance Metadata Service
- Get details about EC2 instance from inside an EC2 instance
- AMI ID, storage devices, DNS hostname, instance id, instance type, security groups, IP addresses
- URL: http://169.254.169.254/latest/meta-data/
- URL Paths: network, ami-id, hostname, local-hostname, local-ipv4, public-hostname, public-ipv4, security-groups, placement/availability-zone
- Dynamic Data Service
- Get dynamic information about EC2 instance:
- URL: http://169.254.169.254/latest/dynamic/
- Example: http://169.254.169.254/latest/dynamic/instance-identity/document
EC2 Hands-On: Setting up an HTTP Server
```shell
sudo su
yum update -y
# Install Apache httpd before starting it
yum install -y httpd
systemctl start httpd
systemctl enable httpd
# Each echo overwrites index.html, so only the last line is actually served
echo "Getting started with AWS" > /var/www/html/index.html
echo "Welcome to in28minutes $(whoami)" > /var/www/html/index.html
echo "Welcome to in28minutes $(hostname)" > /var/www/html/index.html
echo "Welcome to in28minutes $(hostname -i)" > /var/www/html/index.html
```
Security Groups
- Virtual firewall to control incoming and outgoing traffic to/from AWS resources (EC2 instances, databases, etc.)
- Provides additional layer of security - Defense in Depth
Security Group Rules
- Security groups are default deny
- If there are no rules configured, no outbound / inbound traffic is allowed
- You can specify allow rules ONLY
- You can configure separate rules for inbound and outbound traffic
- You can assign multiple (up to five) security groups to your EC2 instances
Security Groups
- You can add and delete security groups to EC2 instances at any time
- Changes are not immediately effective
- Traffic NOT explicitly allowed by Security Group will not reach the EC2 instance
- Security Groups are stateful:
- If an outgoing request is allowed, the incoming response for it is automatically allowed.
- If an incoming request is allowed, an outgoing response for it is automatically allowed
EC2 IP Addresses
- Public IP addresses are internet addressable
- Private IP addresses are internal to a corporate network
- You CANNOT have two resources with same public IP address
- HOWEVER, two different corporate networks CAN have resources with the same IP address
- All EC2 instances are assigned private IP addresses
- Creation of public IP addresses can be enabled for EC2 instances in a public subnet
- (Remember) When you stop an EC2 instance, public IP address is lost
- You can use Elastic IP to get constant public IP address for an EC2 instance
Elastic IP Addresses - Remember
- Elastic IP can be switched to another EC2 instance within the same region
- Elastic IP remains attached even if you stop the instance. You have to manually detach it.
- Remember: You are charged for an Elastic IP when you are NOT using it! Make sure that you explicitly release an Elastic IP when you are not using it.
- You will be charged for Elastic IP when:
- Elastic IP is NOT associated with an EC2 instance OR
- EC2 instance associated with Elastic IP is stopped
Simplify EC2 HTTP server setup
- How do we reduce the number of steps in creating an EC2 instance and setting up an HTTP Server?
- Let's explore a few options:
- Userdata
- Launch Template
- AMI
Bootstrapping with Userdata
```shell
#!/bin/bash
yum update -y
yum install -y httpd
systemctl start httpd
systemctl enable httpd
# Publish the instance identity document fetched from the dynamic data service
curl -s http://169.254.169.254/latest/dynamic/instance-identity/document > /var/www/html/in
```
- Bootstrapping: install OS patches or software when an EC2 instance is launched
- In EC2, you can configure userdata to bootstrap
- Lookup user data - http://169.254.169.254/latest/user-data/
Launch Templates
- Why do you need to specify all the EC2 instance details (AMI ID, instance type, and network settings) every time you launch an instance?
- How about creating a Launch Template?
- Allows you to launch Spot instances and Spot Fleets as well
Reducing Launch Time with Customized AMI
- Installing OS patches and software using userdata at launch of EC2 instances increases boot up time
- How about creating customized AMIs with OS patches and software pre-installed?
- Hardening an Image - Customize EC2 images to your corporate security standards
- Prefer using Customized AMI to userdata
AMI - Amazon Machine Image
- What operating system and software do you want on the instance?
- Three AMI sources:
- Provided by AWS
- AWS Marketplace: Online store for customized AMIs. Per hour billing
- Customized AMIs: Created by you
EC2 Amazon Machine Image - AMI - Remember
- AMIs contain:
- Root volume block storage (OS and applications)
- Block device mappings for non-root volumes
- You can configure launch permissions on an AMI
- Who can use the AMI?
- You can share your AMIs with your AWS accounts
- AMIs are stored in Amazon S3 (region specific)
- Best Practice: Back up up-to-date AMIs in multiple regions
- Critical for Disaster recovery
EC2 Security - Key Pairs
- EC2 uses public key cryptography for protecting login credentials
- Key pair - public key and private key
- Public key is stored in EC2 instance
- Private key is stored by customer
Connecting to EC2 Instance(s) - Troubleshooting
- You need to have the private key with you
- Change the permissions to 0400 (`chmod 400 /path/my-key-pair.pem`)
- Default permissions on private key - 0777 (VERY OPEN)
- (Windows Instances) In addition to private key, you need admin password
- (At Launch) Random admin password is generated and encrypted using public key
- Decrypt the password using the private key and use it to login via RDP
- Security Group should allow inbound SSH or RDP access:
- Port 22 - Linux EC2 instance (SSH)
- Port 3389 - RDP (Remote Desktop - Windows)
- Connect to your instance using its public DNS: ec2-**-**-**-**.compute.amazonaws.com
Quick Review
AMI
- What operating system and what software do you want on the instance?
- Reduce boot time and improve security by creating customized hardened AMIs.
- Region specific.
- Backup AMIs in multiple regions
- You can share AMIs with other AWS accounts
EC2 Instance Types
- Optimized combination of compute (CPU, GPU), memory, disk (storage), and networking for specific loads
Security Groups
- Virtual firewall to control incoming and outgoing traffic to/from AWS resources (EC2 instances, databases, etc.)
- Default deny. Separate allow rules for inbound and outbound traffic
- Stateful and immediately effective
Key Pairs
- Public key cryptography (Key Pairs) used to protect your EC2 instances
- You need the private key with the right permissions (`chmod 400`) to connect to your EC2 instance. (Windows EC2 instances only) You also need the admin password
- Security group should allow SSH (22) or RDP (3389)
Instance Metadata Service - Get details about EC2 instance from inside an EC2 instance. http://169.254.169.254/latest/meta-data/
userdata - Used for bootstrapping. Install OS patches or software when an EC2 instance is launched
Elastic IP Addresses - Static public IP address for EC2 instance
Launch Templates - Pre-configured templates (AMI ID, instance type, and network settings) simplifying the creation of EC2 instances
Load Balancing
- Distribute traffic across EC2 instances in one or more AZs in a single region
- Managed service - AWS ensures that it is highly available
- Auto scales to handle huge loads
- Load Balancers can be public or private
- Health Checks - route traffic to healthy instances
HTTP vs HTTPS vs TCP vs TLS vs UDP
- Computers use protocols to communicate
- Multiple layers and multiple protocols
- Network Layer - Transfer bits and bytes
- Transport Layer - Are the bits and bytes transferred properly?
- Application Layer - Make REST API calls and Send Emails
- (Remember) Each layer makes use of the layers beneath it
- (Remember) Most applications talk at application layer. BUT some applications talk at transport layer directly (high performance).
- Most applications typically communicate at application layer
- Web Apps/REST API (HTTP/HTTPS), Email Server (SMTP), File Transfers (FTP)
- All these applications use TCP/TLS at network layer (for reliability)
- HOWEVER applications needing high performance directly communicate at transport layer:
- Gaming applications and live video streaming use UDP (sacrifice reliability for performance)
- Objective: Understand the big picture. It's OK if you do not understand the details.
Three Types of Elastic Load Balancers
- Classic Load Balancer
- Old generation supporting Layer 4 (TCP/TLS) and Layer 7 (HTTP/HTTPS) protocols
- Not recommended by AWS
- Application Load Balancer
- New generation supporting HTTP/HTTPS and advanced routing approaches
- Network Load Balancer
- New generation supporting TCP/TLS and UDP
- Very high performance use cases
Classic Load Balancer
- Older version of ELB
- Not recommended anymore
- Supports TCP, SSL/TLS and HTTP(s) (Layer 4 and 7)
Application Load Balancer
- Most Popular and frequently used ELB in AWS
- Supports WebSockets and HTTP/HTTPS (Layer 7)
- Supports all important load balancer features
- Scales automatically based on demand (Auto Scaling)
- Can load balance between
- EC2 instances (AWS)
- Containerized applications (Amazon ECS)
- Web applications (using IP addresses)
- Lambdas (serverless)
Load Balancers - Security Group Best Practice
Listeners
- Each Load Balancer has one or more listeners listening for connection requests from the client
- Each listener has:
- a protocol
- a port
- a set of rules to route requests to target
Multiple Listeners
- You can have multiple listeners listening for a different protocol or port
- In the above example:
- HTTP requests on port 80 are routed to the EC2 instances target group
- HTTPS requests on port 443 are routed to port 80
- HTTP requests on port 8080 get a fixed response (customized HTML)
Target Groups
- How to group instances that ALB has to distribute the load between?
- Create a target group
- A target group can be:
- A set of EC2 instances
- A lambda function
- Or a set of IP addresses
Target Group Configuration - Sticky Session
- Send all requests from one user to the same instance
- Implemented using a cookie
- Supported by ALB and CLB
Target Group Configuration - Deregistration delay
- Load balancer stops routing new requests to a target when you unregister it
- What about requests that are already in progress with that target?
- This setting ensures that the load balancer gives in-flight requests a chance to complete execution
- 0 to 3600 seconds (default 300 seconds)
- Also called connection draining
Microservices Architectures - Multiple Target Group(s)
- Microservices architectures have 100s of microservices
- http://www.xyz.com/microservice-a
- http://www.xyz.com/microservice-b
- Should we create multiple ALBs?
- Nope. One ALB can support multiple microservices!
- Create a separate target group for each microservice
- (Remember) Classic Load Balancer does NOT support multiple target groups
Listener Rules
- How do I identify which request should be sent to which target group?
- Configure multiple listener rules for the same listener
- Rules are executed in the order they are configured
- Default Rule is executed last
Listener Rules - Possibilities
- Based on path - in28minutes.com/a to target group A and in28minutes.com/b to target group B
- Based on HOST - a.in28minutes.com to target group A and b.in28minutes.com to target group B
- Based on HTTP headers (Authorization header) and methods (POST, GET, etc)
- Based on Query Strings (/microservice?target=a,/microservice?target=b)
- Based on IP Address - all requests from a range of IP address to target group A. Others to target group B
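As an added example (not code from the original notes), the evaluator below mimics how an Application Load Balancer walks its listener rules in priority order, applies the condition types listed above (path, host, HTTP header, method, query string, source IP) and falls through to the default rule. The rule and request object shapes, the listener, the target group names, hostnames and addresses are all constructed for this demo.

```javascript
// Convert an IPv4 dotted quad to an unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split('.').reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

// True when ip falls inside cidr, e.g. ipInCidr('10.1.2.3', '10.0.0.0/8').
function ipInCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(base) & mask) >>> 0);
}

// ALB patterns treat '*' as "any characters" and '?' as "exactly one character".
function patternMatch(pattern, value) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  const re = new RegExp('^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$');
  return re.test(value);
}

// Every condition in a rule must hold; within one condition any listed value may match.
function conditionMatches(cond, req) {
  switch (cond.type) {
    case 'path-pattern':
      return cond.values.some((p) => patternMatch(p, req.path));
    case 'host-header':
      return cond.values.some((h) => patternMatch(h, req.host));
    case 'http-request-method':
      return cond.values.includes(req.method);
    case 'http-header':
      return cond.values.some((v) => patternMatch(v, req.headers[cond.name.toLowerCase()] || ''));
    case 'query-string':
      return cond.values.some(({ key, value }) => patternMatch(value, req.query[key] || ''));
    case 'source-ip':
      return cond.values.some((cidr) => ipInCidr(req.sourceIp, cidr));
    default:
      throw new Error('unknown condition type: ' + cond.type);
  }
}

// Rules run in priority order (lowest number first); the default action runs last.
function route(listener, req) {
  const ordered = [...listener.rules].sort((a, b) => a.priority - b.priority);
  for (const rule of ordered) {
    if (rule.conditions.every((c) => conditionMatches(c, req))) return rule.action;
  }
  return listener.defaultAction;
}

// Normalise a request: header names are case-insensitive, so store them lower-cased.
function makeRequest({ method = 'GET', path = '/', host = '', headers = {}, query = {}, sourceIp = '0.0.0.0' }) {
  const lower = {};
  Object.entries(headers).forEach(([k, v]) => { lower[k.toLowerCase()] = v; });
  return { method, path, host, headers: lower, query, sourceIp };
}

// Constructed listener covering each rule type listed in the notes.
const listener = {
  defaultAction: { type: 'forward', targetGroup: 'tg-default' },
  rules: [
    { priority: 10, conditions: [{ type: 'source-ip', values: ['10.0.0.0/8'] }],
      action: { type: 'forward', targetGroup: 'tg-internal' } },
    { priority: 20, conditions: [{ type: 'host-header', values: ['a.in28minutes.com'] }],
      action: { type: 'forward', targetGroup: 'tg-a' } },
    { priority: 30, conditions: [{ type: 'path-pattern', values: ['/microservice-b', '/microservice-b/*'] },
                                  { type: 'http-request-method', values: ['POST'] }],
      action: { type: 'forward', targetGroup: 'tg-b-writes' } },
    { priority: 40, conditions: [{ type: 'query-string', values: [{ key: 'target', value: 'b' }] }],
      action: { type: 'forward', targetGroup: 'tg-b' } },
    { priority: 50, conditions: [{ type: 'http-header', name: 'Authorization', values: ['Bearer *'] }],
      action: { type: 'forward', targetGroup: 'tg-authenticated' } },
  ],
};

// Convenience: which target group would this request reach?
function targetGroupFor(reqSpec) {
  return route(listener, makeRequest(reqSpec)).targetGroup;
}
```

Note that the source-IP rule is evaluated against the connection's client address, not a forwarded header, which is why it is placed first.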
Architecture Summary
- Highly decoupled architecture
- Load balancer can have multiple listeners (protocol + port combinations).
- Each listener can have multiple rules each routing to a target group based on request content
- A target can be part of multiple target groups
Introducing Auto Scaling Groups
- Target Groups are configured with a static set of instances. How do you scale out and scale in automatically?
- Configure an auto scaling group.
Auto Scaling Groups
- Auto Scaling Group responsibilities:
- Maintain configured number of instances (using periodic health checks)
- If an instance goes down, ASG launches replacement instance
- Auto scale to adjust on load (scale-in and scale-out based on auto scaling policies)
- ASG can launch On-Demand Instances, Spot Instances, or both
- Best Practice: use launch Template
- An ELB can distribute load to active instances as the ASG expands and contracts based on the load
Auto Scaling Components
- Launch Configuration / Template
- EC2 instance size and AMI
- Auto Scaling Group
- Reference to Launch Configuration / Template
- Min, max and desired size of ASG
- EC2 health checks by default. Optionally, enable ELB health checks
- Auto Scaling Policies
- When and How to execute scaling?
Scaling Policies - Background
- Two parts:
- CloudWatch alarm (Is CPU utilization > 80% or <60%)
- Scaling action (+5 EC2 instances or -3 EC2 instances)
| Scenario | Solution |
|---|---|
| Change instance type or size of ASG instances | A launch configuration or launch template cannot be edited. Create a new version, point the ASG at the new version, and terminate instances in small groups. |
| Roll out a new security patch (new AMI) to ASG instances | Same as above. |
| Perform actions before an instance is added or removed | Create a Lifecycle Hook. You can configure CloudWatch to trigger actions based on it. |
| Which instance in an ASG is terminated first when a scale-in happens? | (Default Termination Policy) Within constraints, the goal is to distribute instances evenly across available AZs. Next priority is to terminate older instances. |
| Preventing frequent scale up and down | Adjust the cooldown period to suit your need (default - 300 seconds). Align the CloudWatch monitoring interval. |
| I want to protect newly launched instances from scale-in | Enable instance scale-in protection |
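The scaling loop above (CloudWatch alarm, +N / -M action, min/max bounds, cooldown, default termination policy, scale-in protection) as an added simulation that is not part of the original notes. Thresholds, step sizes, the CPU series and the instance fleet are constructed values, not AWS defaults.

```javascript
// Apply one scaling policy to a series of CPU samples (one sample per tick) and
// return one record per tick, so the effect of the cooldown is visible.
function simulateScaling(cpuSamples, policy) {
  const { min, max, start, scaleOutAbove, scaleOutBy, scaleInBelow, scaleInBy, cooldownTicks } = policy;
  let desired = start;
  let cooldownUntil = 0; // first tick at which a new scaling activity may start
  const history = [];
  cpuSamples.forEach((cpu, tick) => {
    const wantsOut = cpu > scaleOutAbove && desired < max;
    const wantsIn = cpu < scaleInBelow && desired > min;
    let action = 'none';
    if (tick < cooldownUntil) {
      // The alarm may still be in ALARM state, but the ASG ignores it until cooldown ends.
      if (wantsOut || wantsIn) action = 'suppressed-by-cooldown';
    } else if (wantsOut) {
      desired = Math.min(max, desired + scaleOutBy);
      action = 'scale-out';
      cooldownUntil = tick + 1 + cooldownTicks;
    } else if (wantsIn) {
      desired = Math.max(min, desired - scaleInBy);
      action = 'scale-in';
      cooldownUntil = tick + 1 + cooldownTicks;
    }
    history.push({ tick, cpu, desired, action });
  });
  return history;
}

// Default termination policy, simplified: pick from the AZ(s) holding the most
// instances to keep AZs balanced, then terminate the oldest instance there.
// Instances with scale-in protection are never chosen.
function chooseTerminationCandidates(instances, count) {
  const remaining = instances.filter((i) => !i.scaleInProtected);
  const chosen = [];
  while (chosen.length < count && remaining.length > 0) {
    const perAz = {};
    remaining.forEach((i) => { perAz[i.az] = (perAz[i.az] || 0) + 1; });
    const most = Math.max(...Object.values(perAz));
    const candidates = remaining
      .filter((i) => perAz[i.az] === most)
      .sort((a, b) => a.launchedAt - b.launchedAt);
    const victim = candidates[0];
    chosen.push(victim.id);
    remaining.splice(remaining.indexOf(victim), 1);
  }
  return chosen;
}

// Constructed inputs: a CPU spike followed by a quiet period.
const cpuSamples = [50, 85, 90, 90, 90, 90, 40, 40, 40];
const policy = {
  min: 2, max: 6, start: 2,
  scaleOutAbove: 80, scaleOutBy: 2,   // alarm "CPU > 80%" adds 2 instances
  scaleInBelow: 60, scaleInBy: 1,     // alarm "CPU < 60%" removes 1 instance
  cooldownTicks: 2,                   // ignore alarms for 2 ticks after an activity
};
const fleet = [
  { id: 'i-a1', az: 'us-east-1a', launchedAt: 1, scaleInProtected: true },
  { id: 'i-a2', az: 'us-east-1a', launchedAt: 5, scaleInProtected: false },
  { id: 'i-a3', az: 'us-east-1a', launchedAt: 3, scaleInProtected: false },
  { id: 'i-b1', az: 'us-east-1b', launchedAt: 2, scaleInProtected: false },
];

// Final desired capacity for the sample series under a given cooldown length.
function finalDesired(cooldownTicks) {
  const history = simulateScaling(cpuSamples, Object.assign({}, policy, { cooldownTicks }));
  return history[history.length - 1].desired;
}
```

Running the same CPU series with cooldown 0 ends at 3 instances while cooldown 2 ends at 5: the cooldown is what stops the group from flapping on every sample.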
Network Load Balancer
- Functions at the Transport layer - Layer 4 (Protocols TCP, TLS, and UDP)
- For high performance use cases (millions of requests per second)
- Can be assigned a Static IP/Elastic IP
- Can load balance between:
- EC2 instances
- Containerized applications (Amazon ECS)
- Web applications (using IP addresses)
Review
- Elastic Load Balancer
- Distribute traffic across EC2 instances in one or more AZs in a single region
- Managed Service - highly available, Auto scales, public or private
- Classic Load Balancer
- Layer 4 (TCP/TLS) and Layer 7 (HTTP/HTTPS)
- old. Not recommended by AWS
- Network Load Balancer
- Layer 4 (TCP/TLS and UDP)
- Very high performance use cases
- Can be assigned a Static IP / Elastic IP
- Application Load Balancer
- Layer 7 (HTTP/HTTPS)
- Supports advanced routing approaches (path, host, http headers, query strings and origin IP addresses)
- Load balance between EC2 instances, containers, IP addresses and lambdas
- Concepts
- Each load balancer has one or more listeners (different protocol or port) listening for connection requests from the client
- Target group is a group representing the targets (ex. EC2 instances)
- ONE ALB and NLB can support multiple microservices (multiple target groups)!
- Auto Scaling Group - maintain configured number of instances (using periodic health checks). Auto scale to adjust to load
- Dynamic Scaling Policies - Target tracking scaling, Simple scaling and Step Scaling
- Cloud Watch alarms track the metric (Is CPU utilization > 80% or <60%) and trigger the auto scaling action (+5 EC2 instances or -3 EC2 instances)
Serverless Fundamentals - Lambda and API Gateway
- What are the things we think about when we develop an application?
- Where do we deploy the application?
- What kind of server? What OS?
- How do we take care of scaling the application?
- How do we ensure that it is always available?
- What if we do not need to worry about the servers and can focus on building our application?
- Enter Serverless
Serverless
- Remember: Serverless does NOT mean "No Servers"
- Serverless for me:
- You don't worry about infrastructure
- Flexible scaling
- Automated high availability
- Pay for use:
- You don't have to provision servers or capacity!
- You focus on code and the cloud managed service takes care of all that is needed to scale your code to serve millions of requests!
AWS Lambda
- Write and Scale Your Business Logic
- Write your business logic in Node.js (JavaScript), Java, Python, Go, C# and more...
- Don't worry about servers or scaling or availability (only worry about your code)
- Pay for Use
- Number of requests
- Duration of requests
- Memory
- Stateless - store data to Amazon S3 or Amazon DynamoDB
- 500MB of non-persistent disk space (/tmp directory)
- Allocate memory in 64MB increments from 128MB to 3GB
- Lambda cost increases with memory
- CPU Power increases with memory allocated
- Inexpensive - https://aws.amazon.com/lambda/pricing/
- Free tier - 1M free requests per month
- Monitor function executions through Amazon CloudWatch
- Maximum allowed time for lambda execution is 900 seconds (default - 3 seconds)
- Integrates with AWS X-Ray (tracing), AWS CloudWatch (monitoring and logs)
AWS Lambda Concurrency - Reserved Concurrency
- Function concurrency - number of Lambda function instances serving requests (at a given time)
- How to control function concurrency?
- Regional quota is shared by all functions in a region
- Default 1,000 (Raise by creating support request)
- How to ensure that a critical lambda function can always run?
- Use reserved concurrency
- Example: my-function-PROD and my-function-DEV have Reserved Concurrency configured
- Other functions can use remaining concurrency from regional quota
AWS Lambda Execution Context
```javascript
// Objects created outside the handler survive across invocations that reuse the context
const AWS = require('aws-sdk');
const dynamo = new AWS.DynamoDB.DocumentClient();
exports.handler = async (event) => {
  // Other Logic
};
```
- Execution Context - Temporary runtime environment created to execute Lambda functions
- Lambda tries to reuse execution context when possible
- When Lambda reuses execution context, objects declared outside handler functions remain initialized (AWS and dynamo in above example)
- Each execution context has a `/tmp` directory with 512 MB disk space. This cache is reused across invocations using the same execution context.
- Cold Start is a common problem for the first request to a Lambda function (and subsequent requests involving creation of new execution contexts)
AWS Lambda Concurrency - Provisioned Concurrency
- Initialization of Lambda function takes time
- How to get a consistent performance from Lambda functions?
- Use Provisioned Concurrency
- Provisioned concurrency runs continually (More expensive)
- Provisioned concurrency can be configured on a Lambda function version or an alias
- In the example, `my-function-PROD` and `my-function-DEV` are configured with Provisioned Concurrency
AWS Lambda Concurrency - Throttling
- What happens if more than allowed requests are made?
- Throttling error (429 status code)
AWS Lambda - Synchronous Invocation
```shell
aws lambda invoke --function-name my-function --payload '{ "key": "value" }' response.json
```
```json
{
  "ExecutedVersion": "$LATEST",
  "StatusCode": 200
}
```
- Lambda runs the function and waits for response
- Lambda returns the response with additional data such as the version of the function that was executed
- Sample services using synchronous invocation
- AWS API Gateway
- Amazon CloudFront
- Amazon Lex
AWS Lambda - Asynchronous Invocation (Events)
- When using asynchronous invocation (`--invocation-type Event`), AWS services do NOT wait for a response from the Lambda function
- Example: Processing events from Amazon S3, Amazon SNS
- Lambda places the event on an event queue
- On successful execution, an invocation record (JSON with request and response details) can be sent to other AWS services (SQS queue, SNS topic, or another Lambda function)
AWS Lambda - Asynchronous Invocation - Errors
- Lambda retries failed events two more times
- If an event is throttled, Lambda retries up to 6 hours (with exponential backoff)
- Failed events can be sent to a Dead letter queue (SQS queue or SNS topic)
- Only request details are sent
- You can configure:
- Maximum age of event (default - 6 hours)
- Retry attempts (default - 2)
- Dead letter queue service (default - none)
Lambda Request Context
```javascript
exports.handler = async (event, context) => {
  console.log(context);
};
```
- Context object provides information about:
- Lambda function invocation: `awsRequestId` (unique identifier), `identity` > `cognitoIdentityId`, `cognitoPoolId` (Which Amazon Cognito identity?)
- Lambda function and Execution Environment: `functionName`, `functionVersion`, `invokedFunctionArn`, `memoryLimitInMB`, `logGroupName`, `logStreamName`
Run Lambda@Edge
- Run Lambda functions to customize CloudFront content
- (RESTRICTION) ONLY Python or Node JS supported
- Lambda functions can be run at different points in processing a request in CloudFront:
- After CF receives a request from a viewer (Viewer request)
- Before CF forwards the request to Origin (Origin Request)
- After CF receives response from Origin (Origin Response)
- Before sending response to the viewer (Viewer Response)
AWS Lambda - Versioning
- How to move a tested lambda function to production and avoid anyone changing it accidentally?
- Create a version
- Creates an immutable copy of your lambda function
- A version includes:
- Function code and all the dependencies
- The Lambda runtime
- All function settings, including environment variables
- Unique ARN for the version
- (NOTE) $LATEST points to the latest version
AWS Lambda - Alias
- How to ensure that consumers of lambda functions are not affected when you release new versions?
- Use an Alias
- Example:
- Currently: `DEV` => latest version, `Test` => V2, `Prod` => V1
- After V2 is tested: Switch alias `Prod` => V2
- Consumers can always refer to the `Prod` alias and use the fully tested version
- Features:
- Can be used to define permissions in resource-based policies
- Alias routing configuration can be used to send a portion of traffic to a second function version (Blue / Green Deployment)
AWS Lambda Layers
- Lambda code is typically dependent on other libraries
- How to share libraries among Lambda functions?
- Create Layers
- Layer - ZIP with libraries & other dependencies
- (ADVANTAGE) Keep deployment package small
- (ADVANTAGE) Develop function code in the Lambda console (Package Size < 3 MB)
- (Constraint) Max 5 Layers
- Layers are extracted to the `/opt` directory and made available to your Lambda functions
- Use AWS Serverless Application Model (AWS SAM) to automate creation and mapping of layers
AWS Lambda Using SAM
```yaml
Transform: 'AWS::Serverless-2016-10-31'
Resources:
  function:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs12.x
      Policies:
        - AWSLambdaBasicExecutionRole
        - AWSLambdaReadOnlyAccess
        - AWSXrayWriteOnlyAccess
      Layers:
        - !Ref libs
  libs:
    Type: AWS::Serverless::LayerVersion
    Properties:
      LayerName: blank-nodejs-lib
      ContentUri: lib/.
      CompatibleRuntimes:
        - nodejs12.x
```
Lambda Best Practices - Recommended by AWS
- Take advantage of execution context reuse to improve the performance of your function
- Initialize SDK clients and database connections outside of the function handler
- Cache static assets locally in the /tmp directory
- Use environment variables to pass operational parameters
- Minimize your deployment package size to its runtime necessities
- Avoid using recursive code (Save $$$)
- Reduce the time it takes lambda to unpack deployment packages authored in Java by putting your dependency .jar files in a separate /lib directory
- This is faster than putting all your function's code in a single jar
| Scenario | Solution |
|---|---|
| Does Lambda scale up or scale out when it receives multiple requests? | Lambda scales out - NOT up. The number of instances is increased |
| How do you enable logging in Lambda functions? | Lambda makes logging very easy. |
| How do you enable tracing in Lambda functions? | Lambda makes tracing very easy. |
| How can you make a Lambda function run faster? | Increase memory |
| I want to create a temporary file of 100 MB in a Lambda. Where can I store the file? | Use |
| Send request headers with multiple values as an array from Application Load Balancer to a Lambda function | Enable Multi-value headers on ALB |
| You are creating thumbnails for images in Lambda functions based on event notifications from an s3 bucket. How do you avoid configuring the Lambda function version in the S3 event notification every time there is a new version? | Create an Alias for your lambda function and use it from the s3 event notification |
| How can you increase the CPU available to a Lambda function? | Increase available memory |
API Gateway
Rest API Challenges
- Most applications today are built around REST API:
- Resources (`/todos`, `/todos/{id}`, etc.)
- Actions - HTTP Methods - GET, PUT, POST, DELETE, etc.
- Management of REST API is not easy
- You have to take care of authentication and authorization
- You have to be able to set limits (rate limiting, quotas) for your API consumers
- You've to take care of implementing multiple versions of your API
- You would want to implement monitoring, caching, and a lot of other features...
- How about a fully managed service with auto scaling that can act as a "front door" to your APIs?
- Welcome to "Amazon API Gateway"
- "publish, maintain, monitor, and secure APIs at any scale"
- Integrates with AWS Lambda or any web application
- Supports HTTPS and WebSockets (two way communication - chat apps and streaming dashboards)
- Serverless. Pay for use (API calls and connection duration)
- REST API
- feature-rich RESTful API
- HTTP API
- Also used to build RESTful API
- Newer approach
- WebSocket API
- Persistent connections with clients
- Allows full-duplex communication
- The names are a little confusing
API Gateway RESTful API Approaches
- REST API
- Fully featured (API caching, Request/Response Validations, Test invocations)
- Custom Request/Response Transformations
- Better Integration with AWS Services (AWS X-Ray, AWS WAF, etc.)
- HTTP API
- Newer, Simpler, Cheaper, and Low Latency
- Automatic Deployments
REST API Gateway - Custom Integration (Default)
- Integrations define request / response transformations to/from lambda
- The default is Custom Integration
- Request can be transformed by configuring Mapping template in Integration Request
- Response can be transformed by configuring Mapping Template in Integration Response
REST API Gateway - Proxy Integration - Request
Request to API Gateway
```javascript
// Headers: header1:header-value
// queryString: ?queryparam=queryparamvalue
{
  "message": "Welcome"
}
```
Standard Event Sent to Lambda Function
```javascript
{
  resource: '/todos',
  path: '/todos',
  httpMethod: 'POST',
  headers: {"header1":"header-value"},
  multiValueHeaders: {"header1":["header-value"]},
  queryStringParameters: {"queryparam":"queryparamvalue"},
  multiValueQueryStringParameters: {
    "queryparam":["queryparamvalue"]
  },
  pathParameters: null,
  stageVariables: null,
  requestContext: {},
  body: '{\n "message" : "Welcome"\n}',
  isBase64Encoded: false
}
```
REST API Gateway - Proxy Integration - Response
Response from Lambda Function
```javascript
{
  statusCode: 200, // a valid HTTP status code
  headers: { "custom-header": "xyz" }, // any API-specific custom headers
  body: "{\"message\": \"Welcome\"}" // a JSON string
}
```
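A Node.js handler for the proxy integration described in the two sections above, as an added example that is not code from the original notes. It consumes the standard event (headers, multi-value query strings, the base64 flag, the body) and returns the statusCode / headers / body shape API Gateway expects; the `/todos` routes, the validation rules and `sampleEvent` are constructed for this demo.

```javascript
// HTTP header names are case-insensitive and API Gateway passes them as the
// client sent them, so normalise before looking anything up.
function lowerKeys(obj) {
  const out = {};
  Object.entries(obj || {}).forEach(([k, v]) => { out[k.toLowerCase()] = v; });
  return out;
}

// Build a proxy-integration response; body must be a string, so serialise here.
function respond(statusCode, payload, extraHeaders) {
  return {
    statusCode,
    headers: Object.assign({ 'Content-Type': 'application/json' }, extraHeaders || {}),
    body: JSON.stringify(payload),
    isBase64Encoded: false,
  };
}

// Synchronous core so it can be exercised without an AWS runtime.
function handleTodoRequest(event) {
  const headers = lowerKeys(event.headers);
  // Binary media types arrive base64-encoded; decode before parsing.
  const rawBody = event.isBase64Encoded
    ? Buffer.from(event.body || '', 'base64').toString('utf8')
    : (event.body || '');

  if (event.httpMethod === 'POST' && event.resource === '/todos') {
    let parsed;
    try {
      parsed = JSON.parse(rawBody);
    } catch (err) {
      // Malformed JSON is a client error, not a 502 from an unhandled exception.
      return respond(400, { error: 'body is not valid JSON' });
    }
    if (!parsed || typeof parsed.message !== 'string') {
      return respond(400, { error: '"message" (string) is required' });
    }
    return respond(200, {
      message: parsed.message,
      header1: headers.header1 || null,
      query: event.multiValueQueryStringParameters || {},
    }, { 'custom-header': 'xyz' });
  }

  if (event.httpMethod === 'GET' && event.resource === '/todos/{id}') {
    const id = (event.pathParameters && event.pathParameters.id) || '';
    // Reject anything that is not a plain numeric id before it reaches a data store.
    if (!/^[0-9]{1,10}$/.test(id)) return respond(400, { error: 'id must be numeric' });
    return respond(200, { id: Number(id) });
  }

  return respond(404, { error: 'no route for ' + event.httpMethod + ' ' + (event.path || '') });
}

// Lambda entry point (the exports.handler shape used on this page); API Gateway awaits it.
async function handler(event) {
  return handleTodoRequest(event);
}

// Constructed event mirroring the standard proxy event shown above.
const sampleEvent = {
  resource: '/todos',
  path: '/todos',
  httpMethod: 'POST',
  headers: { header1: 'header-value' },
  multiValueHeaders: { header1: ['header-value'] },
  queryStringParameters: { queryparam: 'queryparamvalue' },
  multiValueQueryStringParameters: { queryparam: ['queryparamvalue'] },
  pathParameters: null,
  stageVariables: null,
  requestContext: {},
  body: '{\n "message" : "Welcome"\n}',
  isBase64Encoded: false,
};
```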
Response from API Gateway
HTTP API - API Gateway
- REST API - API Gateway has a lot of features very few AWS customers make use of
- REST API - API Gateway is a little complex to setup (transformations etc)
- How about creating a simpler API Gateway
- Enter "HTTP API"
- The name is confusing
- Newer, Cheaper, and Low Latency
- Simpler
- Less features,
- Easier to setup
- Example: Makes OAuth Authentication simple
HTTP API Gateway - Payload
- Two Versions 1.0 and 2.0
- (Recommendation) Use 1.0 for migration from REST API and 2.0 for newer APIs
- Request Structure
- Almost same as REST API - Proxy Integration
- 2.0 supports cookies and has minor changes
- Response Structure
- Same as REST API - Proxy Integration (with statusCode, body, headers)
- In addition, 2.0 supports a simple structure:
- Just return a valid JSON value:
```json
{"message": "Welcome" }
```
API Gateway - Endpoint Types
- Edge Optimized (default)
- Recommended for geographically distributed clients
- API Requests are routed to the nearest CloudFront Edge Location
- Regional
- Recommended for clients in a single region
- Private
- Can only be accessed from your VPC using an interface VPC endpoint
API Gateway - Integration Types
- API Gateway acts as a front-end for different backend systems
- Supported Integration Types:
- Lambda Function - Connect via proxy or direct integration
- Mock - Create a mock backend service
- AWS service - Connect to 100+ service endpoints inside of AWS (DynamoDB, Kinesis, etc.)
- VPC Link - Connect to AWS resources inside a VPC
REST API Gateway - Lambda Integration - Custom Integration
- Configure mappings (using VTL) to transform request and response
REST API Gateway - Lambda Integration - Proxy Integration
- Predefined structure for request and response transformations
API Gateway - Deployment Stages
- How do we deploy API Gateway to different environments?
- Create different Stages
- You can create more than one stage
- Dev, Test, UAT, Prod, etc.
- Use Stage variables for changing configuration values for different environments
- Example: Connect to different Lambda aliases in different stages
API Gateway - Caching
- Caching helps you provide quick responses (low latency) and minimize load on the backend systems (save $$$)
- Supported for API Gateway - REST API
- How to enable caching?
- Enable API cache for the specific stage
- You can override stage settings for specific methods
- Configure time-to-live (TTL)
- default - 300 seconds (max - 4600 seconds, TTL=0 to disable caching)
- Verify the CacheHitCount and CacheMissCount metrics in CloudWatch
- Cache keys can be formed using custom headers, URL paths, and / or query strings
Identity Federation
- Authenticate users with an external authentication system and provide them access to resources on the cloud
- Corporate Identity Federation:
- Federate with an Enterprise Authenticated System
- SAML (XML Based) is the most popular protocol
- Web Identity Federation:
- Provide access to your application to users based on their Social IDs
- OpenID (Supported by Facebook, Microsoft, Google, etc.) is the most popular protocol
Amazon Cognito
- Want to quickly add a sign-up page and authentication for your mobile and web apps?
- Want to integrate with web identity providers (example Google, Facebook, Amazon) and provide a social sign-in?
- Do you want security features such as multi-factor authentication (MFA), phone and email verification?
- Let's go: Amazon Cognito
- (Feature) Sync user data across devices, platforms, and applications
Amazon Cognito - User Pools
- Do you want to create your own secure and scalable user directory?
- Do you want to create sign-up (or registration) pages?
- Do you want a built-in, customizable web UI to sign in users (with option to social sign-in)?
- Create a user pool
- Cognito User Pool can be integrated with Application Load Balancer and API Gateway
Amazon Cognito - Identity Pools
- Identity pools provide AWS credentials to grant your users access to other AWS resources
- Connect identity pools with with authentication (identity) providers
- Your own user pool OR
- Amazon, Apple, Facebook, Google+, Twitter OR
- OpenID Connect provider OR
- SAML identity providers
- Configure multiple authentication (identity) providers for each identity pool
API Gateway - Authorization
- Open - No authentication or authorization
- IAM Permissions - Use IAM Policies and AWS Credentials to grant access
- Amazon Cognito Authorizer - Connect to Amazon Cognito User pool (possible to use OAuth authorization)
- Lambda Authorizers - Connect to lambda function to validate the bearer token (OAuth or SAML for example), or request parameters
Authorization - IAM Authorization
{
"Version": "2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":["execute-api:Invoke"],
"Resource":[
"arn:aws:execute-api:us-east-1:account-id:api-id/*/GET/pets"
]
}
]
}
- When using IAM Authorization (authorization type set to AWS_IAM)
- API Gateway checks whether the IAM user has the right permissions attached
Lambda Authorizer
- Use a Lambda function to control access to your API:
- Input: bearer token (token-based) or request parameters (request parameter-based)
- Implement custom authorization strategy (call OAuth or SAML provider) in Lambda
- Output: Object containing at least an IAM policy and a principal identifier
- When API Gateway receives a request:
- API Gateway calls the authorizer Lambda function
- Lambda function returns the IAM policy
- API Gateway evaluates the policy document and grants/denies access
Lambda Authorizer - Policy Response Example
// Grant Access
{
"Version":"2012-10-17",
"Statement": [
{
"Action": "execute-api:Invoke",
"Effect": "Allow",
"Resource" : "arn:aws:execute-api:us-east-1:123:7b5/ESTestInvoke-stage/GET/"
}
]
}
// Deny Access
{
"Version":"2012-10-17",
"Statement": [
{
"Action": "execute-api:Invoke",
"Effect": "Deny",
"Resource" : "arn:aws:execute-api:us-east-1:123:7b5/ESTestInvoke-stage/GET/"
}
]
}
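A complete token-based Lambda authorizer that wraps the policy documents above in the full response object (principal identifier plus policy). This is an added example, not code from the notes; the bearer-token format (`<user>.<hex HMAC>`) and the shared key are constructed for illustration, whereas the event fields (`authorizationToken`, `methodArn`) and the response fields (`principalId`, `policyDocument`) are the ones API Gateway actually uses for TOKEN authorizers.

```python
"""Token-based Lambda authorizer (added example).

Constructed token scheme: the client sends ``Authorization: Bearer <user>.<hmac>``
and the authorizer holds the HMAC key. API Gateway caches the returned policy
per token (300 s by default) and reuses it for other methods of the API, so the
Allow statement below is scoped to the whole stage instead of the single
methodArn that triggered the call.
"""
import hashlib
import hmac

SECRET_KEY = b"example-authorizer-key"  # constructed; use a secrets manager in a real deployment


def issue_token(user: str) -> str:
    """Mint a token of the constructed form <user>.<hmac-sha256(user)> (for tests/clients)."""
    mac = hmac.new(SECRET_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def verify_token(token: str):
    """Return the user name for a valid token, or None."""
    user, sep, mac = token.rpartition(".")
    if not sep or not user:
        return None
    expected = hmac.new(SECRET_KEY, user.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison so a forged MAC cannot be guessed byte by byte
    return user if hmac.compare_digest(mac, expected) else None


def build_policy(principal_id: str, effect: str, resource: str) -> dict:
    """Authorizer output: principalId plus an IAM policy document for execute-api:Invoke."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}
            ],
        },
    }


def handler(event: dict, context=None) -> dict:
    """Entry point for a TOKEN-type authorizer event."""
    header = event.get("authorizationToken", "")
    # methodArn looks like arn:aws:execute-api:region:account:api-id/stage/VERB/path
    method_arn = event["methodArn"]
    scheme, _, token = header.partition(" ")
    user = verify_token(token) if scheme == "Bearer" else None
    if user is None:
        # An explicit Deny makes API Gateway answer 403 (raising "Unauthorized" would give 401)
        return build_policy("anonymous", "Deny", method_arn)
    api_arn, _, remainder = method_arn.partition("/")
    stage = remainder.split("/")[0]
    return build_policy(user, "Allow", f"{api_arn}/{stage}/*")
```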
Cognito User Pool Authorization
- Use an Amazon Cognito user pool to control access to your API
- Configuring a Cognito User Pool Authorizer:
- Step I: Create a User Pool in Cognito
- Step II: Configure API Gateway to use the Amazon Cognito user pool as authorizer
- To call an API integrated with user pool:
- Step I: User signs up for the user pool
- Step II: User signs in
- Step III: Call the API method, passing the user's identity token in the request Authorization header
Amazon S3 Fundamentals
Amazon S3 (Simple Storage Service)
- Most popular, very flexible and inexpensive storage service
- Store large objects using a key-value approach
- Also called Object Storage
- Provides REST API to access and modify objects
- Provides unlimited storage:
- (S3 storage class) 99.99% availability & 11 9's durability
- Objects are replicated in a single region (across multiple AZs)
- Store all file types - text, binary, backup, and archives
- Media files and archives
- Application packages and logs
- Backups of your databases or storage devices
- Staging data on-premise to cloud migration
Amazon S3 - Objects and Buckets
- Amazon S3 is a global service. NOT associated with a region
- HOWEVER, a bucket is created in a specific AWS region
- Objects are stored in buckets
- Bucket names are globally unique
- Bucket names are used as part of object URLs => Can contain ONLY lower case letters, numbers, hyphens and periods
- Unlimited objects in a bucket
- Each object is identified by a key value pair
- Key is unique in a bucket
- Max object size is 5 TB
- (Remember) No hierarchy of buckets, sub-buckets, or folders
Amazon S3 Versioning
- Protects against accidental deletion
- versioning is optional and is enabled at a bucket level
- You can turn on versioning on a non versioned bucket
- All existing objects get a version ID of null
- You cannot turn off versioning on a versioned bucket
- You can only suspend versioning
Amazon S3 Static Website Hosting
- Use S3 to host a static website using a bucket
- Step 1: Upload website content
- Step 2: Enable Static website hosting
- Step 3: Disable "Block public access"
- Step 4: Configure "Bucket policy" to enable read access
Resource based policies - Bucket policies
{
"Version": "2012-10-17",
"Statement" : [
{
"Sid": "PublicRead",
"Effect":"Allow",
"Principal": "*",
"Action": ["s3:GetObject"],
"Resource":["arn:aws:s3:::mybucket/*"]
}
]
}
- Control access to your bucket and objects
- Can grant cross account and public access
Amazon S3 - Tags
- Tags can be assigned to most AWS resources
- Can be used for automation, security (policies), cost tracking, etc
- Key-value pairs applied to S3 objects:
- Environment=Dev
- Classification=Secure
- Project=A
- Can be used in creating lifecycle policies
- Can be updated continuously during the lifetime of an object
Amazon S3 Event Notifications
- Configure notifications when certain events happen in your bucket
- Event Sources
- New object created events
- Object removal events
- Reduced Redundancy Storage (RRS) object lost events
- Replication events
- Event Destinations
- Amazon SNS topic
- Amazon SQS queue
- AWS Lambda function
Amazon S3 - Prefix
- Allows you to search for keys starting with a certain prefix
- Searching for prefix 2030/10 returns 2030/10/course1.png and 2030/10/course2.png
- URL - https://s3.amazonaws.com/my-bucket-ranga?prefix=3020/10/
- Above URL would only work when public access is allowed
- Supported by REST API, AWS SDK, AWS CLI and AWS Management Console
- Used in IAM and Bucket Policies to restrict access to specific files or groups of files
Bucket ACLs and Object ACLs
- Bucket/Object ACLs
- Access for bucket/object owner
- Access for other AWS accounts
- Public access
- Use object ACLs (object level access)
- When bucket owner is not the object owner
- When you need different permissions for different objects in the same bucket
- (Remember) Bucket/Object ACLs
- CANNOT have conditions while policies can have conditions
- CANNOT explicitly DENY access
- CANNOT grant permissions to other individual users
- (Remember) ACLs are primarily used to grant permissions to public or other AWS accounts
AWS S3 Storage Classes - Introduction
- Different kinds of data can be stored in Amazon S3
- Media files and archives
- Application packages and logs
- Backups of your databases or storage devices
- Long term archives
- Huge variations in access patterns
- Trade-off between access time and cost
- S3 storage classes help to optimize your costs while meeting access time needs
- Designed for durability of 11 9's
S3 Lifecycle Configuration
- Files are frequently accessed when they are created
- Generally usage reduces with time
- How do you save costs and move files automatically between storage classes?
- Solution: S3 Lifecycle configuration
- Two kinds of actions:
- transition actions (one storage class to another)
- expiration actions (delete objects)
- Object can be identified by tag or prefix
Amazon S3 Replication - Same Region and Multiple Regions
- Replicate objects between buckets in same or different regions
- Could be cross account
- Can be configured at bucket level, a shared prefix level, or an object using S3 object tags
- Access to destination bucket is provided using IAM policy
- Versioning should be enabled on BOTH source and destination
- ONLY new objects are replicated (Explicitly copy existing objects)
- (Advantage) Reduces latency and helps you meet regulations
- (USECASE) Object replication between dev and test environments
Amazon S3 - Object Level Configuration
- You can configure these at individual object level (overriding bucket level configuration):
- Storage class
- Encryption
- Object ACLs
Amazon S3 Consistency
- S3 is distributed - maintains multiple copies of your data in a Region to ensure durability
- Distributing data presents a challenge
- How do you ensure data is consistent?
- S3 Consistency Model
- Read-after-write consistency for PUTs of new objects
- Eventual consistency for overwrite PUTs and DELETEs
- (In simplified words) S3 Data is highly distributed across multiple AZs and (possibly) multiple regions:
- When you create a new object, it is immediately available
- You might get a previous version of data immediately after an object update using PUT/DELETE
- You will get partial or inconsistent data
Amazon S3 Pre-signed URLs
- Grant time-limited permission (few hours to 7 days) to download objects
- Avoid web site scraping and unintended access
- Specify
- Your security credentials
- Bucket name
- Object key
- HTTP method and
- Expiration date and time
- Created using AWS SDK API
Amazon S3 Access Points
- Simplifies bucket policy configuration
- Create application specific access points with an application specific policy
- Provide multiple customized paths with unique hostname and access policy for each bucket
- "dual-stack" endpoint supports IPv4 and IPv6 access
Amazon S3 Scenarios - Security
Amazon S3 Cost
- Important pricing elements:
- Cost of Storage (per GB)
- (If Applicable) retrieval Charge (per GB)
- Monthly tiering fee (Only for Intelligent Tiering)
- Data transfer fee
- FREE of Cost:
- Data transfer to Amazon S3
- Data transfer from Amazon S3 to Amazon CloudFront
- Data transfer from Amazon S3 to services in the same region
Amazon S3 Scenarios - Costs
Amazon S3 Performance
- Amazon S3 is serverless
- recommended for large objects
- Amazon S3 supports up to:
- 3,500 requests per second to add data
- 3,500 requests per second to retrieve data
- Zero additional cost
- With each S3 prefix
- Transfer Acceleration
- Enable fast, easy and secure transfers of files to and from your bucket
Amazon S3 Scenarios - Performance: