AWS
1. To list the private IPs (or any other attribute) of the instances that belong to a particular CloudFormation stack:
aws ec2 describe-instances --filters "Name=tag:aws:cloudformation:stack-name,Values=yourstack" --output text --query 'Reservations[*].Instances[*].PrivateIpAddress'
2. If you have multiple VPCs, make sure the access keys you entered during aws configure point to the VPC you are searching for instances in. If a query for a stack that does exist returns zero results, the keys most likely belong to a different VPC.
3. To get only the required attributes, as key/value pairs, from the AWS CLI output:
aws ec2 describe-instances --filters "Name=tag:aws:cloudformation:stack-name,Values=yourstack" --output text --query 'Reservations[*].Instances[*].{IP:PrivateIpAddress,ID:InstanceId}'
4. To stop multiple instances:
aws ec2 stop-instances --instance-ids "i-06eea80" "i-00eww42a86"
5. To upload all *.sh files from the local directory /home/glbairwa to the folder "scripts" inside the S3 bucket backup:
aws s3 cp /home/glbairwa/ s3://backup/scripts/ --recursive --exclude "*" --include "*.sh"
6. Remote Desktop to an AWS instance
If you modify the security group to allow RDP connections from your machine, you may need to restart the instance and download the RDP file again via AWS Console -> EC2 -> select instance -> Connect.
7. Security Groups are stateful: if an inbound rule allows a request, the server can send the response back even if there is no explicit outbound rule in the security group. Network ACLs are different: they work at the subnet level and apply to all instances within the subnet, they have both allow and deny rules, and they are stateless, which means you have to allow inbound and outbound traffic (the reply included) explicitly.
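The difference between the two constructs is easiest to see by tracing one request and its reply through both. The following is an added simulation written for this page, not AWS code: it models first-match evaluation of numbered NACL rules with an implicit deny, and flow tracking for a security group. The client address, rule numbers and ports are constructed sample values.

```python
"""Stateful security-group vs stateless network-ACL evaluation.

Constructed simulation (not AWS code): it models the evaluation rules the text
describes so the difference in reply handling is visible. Addresses are from
the TEST-NET documentation ranges."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    number: int      # NACLs evaluate rules in ascending number order; first match wins
    protocol: str    # "tcp" or "udp"
    port_from: int
    port_to: int
    cidr: str
    action: str      # "allow" or "deny" (security groups only have allow rules)

    def matches(self, protocol, port, addr):
        return (self.protocol == protocol
                and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(addr) in ipaddress.ip_network(self.cidr))


class NetworkAcl:
    """Stateless: every packet, reply packets included, is checked against the
    rule list for its own direction. No match means the implicit deny applies."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules, protocol, port, addr):
        for rule in rules:
            if rule.matches(protocol, port, addr):
                return rule.action == "allow"
        return False

    def allows_inbound(self, protocol, dst_port, src_addr):
        return self._evaluate(self.inbound, protocol, dst_port, src_addr)

    def allows_outbound(self, protocol, dst_port, dst_addr):
        return self._evaluate(self.outbound, protocol, dst_port, dst_addr)


class SecurityGroup:
    """Stateful: only the first packet of a flow is checked; the flow is then
    tracked and its reply is allowed without consulting any outbound rules."""

    def __init__(self, inbound):
        self.inbound = inbound
        self.tracked = set()

    def allows_inbound(self, protocol, dst_port, src_addr, src_port):
        allowed = any(r.matches(protocol, dst_port, src_addr) for r in self.inbound)
        if allowed:
            self.tracked.add((protocol, src_addr, src_port, dst_port))
        return allowed

    def allows_reply(self, protocol, dst_addr, dst_port, src_port):
        # The reply goes back to the original source address/port from our listening port.
        return (protocol, dst_addr, dst_port, src_port) in self.tracked


def https_request_outcome(client="203.0.113.10", client_port=51234):
    """One HTTPS request from a constructed client to port 443 and its reply,
    evaluated under a security group and under three network ACLs."""
    allow_443 = Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")
    sg = SecurityGroup([allow_443])
    # NACL that only lists the inbound 443 rule and forgets that the reply,
    # sent to the client's ephemeral port, is a separate outbound packet.
    nacl_missing_ephemeral = NetworkAcl(inbound=[allow_443], outbound=[])
    # Correct NACL: an outbound rule covering the ephemeral port range.
    ephemeral_out = Rule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")
    nacl_correct = NetworkAcl(inbound=[allow_443], outbound=[ephemeral_out])
    # NACL with an explicit deny that is evaluated before the allow (lower rule number).
    nacl_with_deny = NetworkAcl(
        inbound=[Rule(50, "tcp", 443, 443, "203.0.113.0/24", "deny"), allow_443],
        outbound=[ephemeral_out])
    return {
        "sg_request": sg.allows_inbound("tcp", 443, client, client_port),
        "sg_reply": sg.allows_reply("tcp", client, client_port, 443),
        "nacl_request": nacl_missing_ephemeral.allows_inbound("tcp", 443, client),
        "nacl_reply_without_ephemeral_rule": nacl_missing_ephemeral.allows_outbound("tcp", client_port, client),
        "nacl_reply_with_ephemeral_rule": nacl_correct.allows_outbound("tcp", client_port, client),
        "nacl_denied_by_earlier_rule": nacl_with_deny.allows_inbound("tcp", 443, client),
        "nacl_other_client_allowed": nacl_with_deny.allows_inbound("tcp", 443, "198.51.100.7"),
    }


if __name__ == "__main__":
    for key, value in https_request_outcome().items():
        print(f"{key}: {value}")
```

The security group passes the reply because the flow was tracked on the way in; the NACL without an outbound rule for ports 1024-65535 drops the same reply, which is the usual cause of "the instance receives the request but the client never gets an answer" after a NACL change. The deny-before-allow case shows why rule numbering matters when you use NACLs to block a source range.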
8. EBS Volume and instance have to be in same availability zone.
9. You can also change the volume on the fly (gp2 to io1, st1 or sc1, or the size of the volume), except for standard magnetic volumes.
10. To move a volume from one AZ to another, take a snapshot and create a volume from that snapshot in the other AZ. To move a volume to another region, copy the snapshot to that region, create an image from it and launch an instance from that image. You can also create an image directly from an instance, copy the image to another region and launch an instance from it there.
11. By default only the root volume is deleted when the instance is terminated; other attached volumes are kept.
12. Snapshots are stored in S3. Encrypted snapshots cannot be shared with others, but unencrypted ones can be.
13. ELBs:
*) Application - Layer 7
*) Network - Layer 4
*) Classic - Layer 7, or Layer 4 with TCP traffic
ELBs add a header called "X-Forwarded-For" carrying the IP of the requesting server or user, because the ELB forwards the request to the internal IP, so the client's address is not otherwise visible.
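A point worth checking in any backend that reads X-Forwarded-For: the load balancer appends the address it received the connection from, it never rewrites what the client already put in the header, so the left-most entry is client-controlled. The code below is an added example for this page, not AWS or ELB code. It assumes (constructed) that the ELB nodes live in 10.0.0.0/8 and an optional CDN edge in 192.0.2.0/24, and it derives the client address by counting trusted hops from the right, after first confirming the TCP peer really is one of those proxies.

```python
"""Deriving the client IP from X-Forwarded-For behind a load balancer.

Added example, not AWS code. Assumes the ELB nodes live in 10.0.0.0/8 and an
optional CDN edge in 192.0.2.0/24 (both constructed trusted-proxy ranges)."""
import ipaddress

TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.0.2.0/24")]


def parse_xff(header):
    """Split a header value into its comma-separated entries, dropping blanks."""
    return [p.strip() for p in (header or "").split(",") if p.strip()]


def naive_client_ip(header):
    """The common mistake: take the left-most entry. That entry is whatever
    the client chose to send, because proxies append and never rewrite."""
    parts = parse_xff(header)
    return parts[0] if parts else None


def client_ip(header, peer_addr, trusted_hops=1, trusted=TRUSTED_PROXIES):
    """Return the address to log or rate-limit on.

    peer_addr is the TCP peer the application actually sees. The header is
    only believed when that peer is one of our proxies; otherwise the request
    bypassed the load balancer and the peer itself is the client. With N
    trusted proxies in front, the client is the Nth entry from the right,
    because each proxy appends the address it received the connection from."""
    peer = ipaddress.ip_address(peer_addr)
    if not any(peer in net for net in trusted):
        return str(peer)
    chain = parse_xff(header)
    if len(chain) < trusted_hops:
        return None  # fewer entries than known hops: malformed, refuse to guess
    try:
        return str(ipaddress.ip_address(chain[-trusted_hops]))
    except ValueError:
        return None  # the entry is not an IP address


def demo():
    """Constructed requests: the client sent a forged leading entry and the
    ELB appended the real client address 203.0.113.9."""
    forged = "198.51.100.200, 203.0.113.9"
    return {
        "naive": naive_client_ip(forged),
        "via_elb": client_ip(forged, "10.0.1.20"),
        "direct_to_instance": client_ip(forged, "198.51.100.7"),
        "behind_cdn_and_elb": client_ip("203.0.113.9, 192.0.2.15", "10.0.1.20", trusted_hops=2),
        "malformed": client_ip("not-an-ip", "10.0.1.20"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "direct_to_instance" case is the reason the instance security group should only admit the ELB's security group on the listener port: if the instance is reachable directly, the peer check is what keeps the header from being trusted.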
14. You can attach/replace IAM role to running ec2 instance.
15. You can configure bootstrap bash scripts under Configure Instance Details -> "Advanced Details" -> User Data.
16. Instance metadata endpoints (accessible from the running instance):
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/user-data/
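Because this endpoint needs no credentials, any process on the instance can read it, including a compromised application; the standard hardening is to require IMDSv2, where every read must first obtain a session token with a PUT request. The following is an added example for this page, not AWS SDK code; the endpoint and header names are the documented IMDSv2 ones, and the actual fetch only succeeds when run on an EC2 instance.

```python
"""Reading instance metadata with IMDSv2 session tokens.

Added example, not AWS SDK code. The endpoint and header names are the
documented IMDSv2 ones; the fetch only succeeds when run on an EC2 instance."""
import urllib.request

IMDS_BASE = "http://169.254.169.254/latest"
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"


def token_request(ttl_seconds=21600):
    """Step 1: obtain a session token with a PUT (the maximum TTL is 6 hours).
    This token step is what IMDSv2 adds over the plain GETs of IMDSv1."""
    return urllib.request.Request(f"{IMDS_BASE}/api/token", method="PUT",
                                  headers={TOKEN_TTL_HEADER: str(ttl_seconds)})


def metadata_request(path, token):
    """Step 2: a metadata GET that presents the token."""
    return urllib.request.Request(f"{IMDS_BASE}/meta-data/{path.lstrip('/')}",
                                  headers={TOKEN_HEADER: token})


def fetch_metadata(path, timeout=2.0):
    """Perform both steps (network call; works only on an EC2 instance)."""
    with urllib.request.urlopen(token_request(), timeout=timeout) as resp:
        token = resp.read().decode()
    with urllib.request.urlopen(metadata_request(path, token), timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    print(fetch_metadata("instance-id"))
```

To enforce the token step on an instance, use aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-tokens required --http-put-response-hop-limit 1 (the instance id is a placeholder); once set, the IMDSv1-style GET without a token returns 401.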
17. Top level domain names
https://www.iana.org/domains/root/db
18. To change the instance type, as of now, you have to stop the instance first; you don't have to terminate it. You can change the IAM role, security group etc. without stopping it.
T instance types are burstable: they accumulate CPU credits when activity is low and spend them when activity is high.
19. Cross region VPC peering is supported in AWS.
20. When the VPC IP CIDR blocks are overlapping, you cannot create a peering connection.
21. Drift Detection is a new feature that reports how far the resources in a stack created from a CloudFormation template have drifted from their original configuration. It only considers drift in values that are set in the CloudFormation template; values the template does not set are not counted as drift.
22. Minimum volume for throughput optimized HDD is 500GB.
23. "Lifecycle hooks enable you to perform custom actions by pausing instances as an Auto Scaling group launches or terminates them. When an instance is paused, it remains in a wait state until either you complete the lifecycle action using the complete-lifecycle-action CLI command or CompleteLifecycleAction API action, or the timeout period ends (one hour by default)." from AWS documentation.
24. "A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network. " - from AWS documentation.
There are two types of VPC endpoints: 1) interface endpoints (powered by PrivateLink) and 2) gateway endpoints. An interface endpoint is an ENI with a private IP from your subnet that serves as the entry point for traffic destined to a supported service. A gateway endpoint is a gateway that you specify as a target in a route table for traffic destined to a supported AWS service. Currently only two services are supported via gateway endpoints (S3 and DynamoDB).
25. There can be multiple scaling policies in effect for an Auto Scaling group at the same time. When multiple policies try to scale out or scale in at the same time, it always chooses the policy that keeps the highest capacity in the ASG (so while scaling in it picks the policy that terminates the fewest instances, and while scaling out it picks the one that adds the most instances).
28. "Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key." - AWS documentation
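The two-layer structure in that definition is what lets a master key stay inside KMS while every object gets its own data key. The following is an added example for this page, not AWS or KMS code: MasterKeyService stands in for KMS (its master key never leaves the object; callers only receive a fresh data key and its wrapped form), and seal/open_ are an encrypt-then-MAC construction built from HMAC-SHA256 so the example runs with the standard library alone. The sample message is constructed.

```python
"""Envelope encryption: a data key encrypts the data, a master key wraps the data key.

Added example, not AWS code. KMS and AES-GCM are replaced by a stand-in:
MasterKeyService holds a master key that never leaves it, and seal/open_ are an
encrypt-then-MAC construction built from HMAC-SHA256 (stdlib only). The
structure is the point; use a real AEAD in production."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key, label):
    """Derive separate encryption and MAC keys from one key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a block cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key, blob):
    """Verifies the tag before decrypting; raises ValueError on tampering or a wrong key."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class MasterKeyService:
    """Stand-in for KMS: callers get a fresh data key plus its wrapped form,
    and can only unwrap by asking the service."""

    def __init__(self):
        self._master = os.urandom(32)

    def generate_data_key(self):
        data_key = os.urandom(32)
        return data_key, seal(self._master, data_key)

    def decrypt_data_key(self, wrapped):
        return open_(self._master, wrapped)


def envelope_encrypt(kms, plaintext):
    data_key, wrapped = kms.generate_data_key()
    envelope = {"wrapped_key": wrapped, "ciphertext": seal(data_key, plaintext)}
    del data_key  # only the wrapped copy is stored alongside the ciphertext
    return envelope


def envelope_decrypt(kms, envelope):
    data_key = kms.decrypt_data_key(envelope["wrapped_key"])
    return open_(data_key, envelope["ciphertext"])


def roundtrip(message=b"constructed sample record"):
    kms = MasterKeyService()
    return envelope_decrypt(kms, envelope_encrypt(kms, message)) == message


def tamper_detected(message=b"constructed sample record"):
    """Flipping one ciphertext bit must be rejected, not silently decrypted."""
    kms = MasterKeyService()
    env = envelope_encrypt(kms, message)
    damaged = bytearray(env["ciphertext"])
    damaged[NONCE_LEN] ^= 0x01
    try:
        envelope_decrypt(kms, {"wrapped_key": env["wrapped_key"], "ciphertext": bytes(damaged)})
    except ValueError:
        return True
    return False


def wrong_master_rejected(message=b"constructed sample record"):
    """A wrapped data key is useless to the holder of a different master key."""
    env = envelope_encrypt(MasterKeyService(), message)
    try:
        envelope_decrypt(MasterKeyService(), env)
    except ValueError:
        return True
    return False
```

The stored object is ciphertext plus wrapped data key; nothing on disk can be decrypted without a call back to the key service, which is also where access control and audit logging for the master key live.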
30. In the CORSConfiguration for an S3 bucket, you can configure up to 100 CORSRule elements.
31. Multi-AZ => synchronous replication. Read Replicas => asynchronous replication.
32. CloudTrail logs are already encrypted.
33. S3 server-side encryption options:
SSE-S3 : Amazon S3 manages the keys
SSE-C : Customer manages the keys
SSE-KMS : AWS manages the data key and you manage the master key
34. Changes to CloudTrail global service event logging can only be made via the CLI, not the console.
35. For an AWS CloudHSM backup, it generates an ephemeral backup key (EBK), encrypts the data with that key, and then encrypts that key with another key called the persistent backup key (PBK). To generate the PBK it uses the MKBK (manufacturer key backup key) and the AKBK (AWS key backup key).
36. Amazon RDS now supports Storage Auto Scaling. There is no additional cost for RDS Storage Auto Scaling; you just specify the maximum storage limit.
37. You can only mount EFS on instances within one VPC, unless the instance/server belongs to a peered VPC or is an on-premises server connected via AWS Direct Connect or VPN.
38. To access the file system (EFS) from EC2 instances in another VPC, you must first delete the current mount targets and then create new mount targets.
39. EFS can be created in two performance modes: 1) General Purpose, for most latency-sensitive workloads; 2) Max I/O, for when tens, hundreds or thousands of instances access the file system, at the cost of slightly higher latency.
40. VPN CloudHub operates on a hub-and-spoke model which you can use with or without a VPC.