File Gateway


1) What are the services you have used in AWS?

o EC2
o IAM
o Lambda
o S3
o EFS
o EBS
o S3 Glacier
o RDS
o DynamoDB
o Route 53
o CloudWatch
o CloudTrail
o AWS Auto Scaling
o Cognito
o AWS Cost Explorer
o AWS Marketplace
o EKS
o ECS
o CodeBuild
o CodeDeploy
o CodePipeline
o CodeArtifact
o CloudFormation

2) What was the use case for Lambda functions?

• Serverless website example with AWS Lambda
• Serverless authentication example using AWS Cognito
• Serverless cron jobs example
• Mass emailing using AWS Lambda and SES
• Real-time notifications with AWS Lambda and SNS

3) Have you used ECS?

• Amazon Elastic Container Service (ECS)

4) What are the mandatory parameters for a VPC?

5) What are the types of storage gateways for S3?

• File Gateway - Amazon S3 File Gateway supports a file interface into Amazon Simple Storage
Service (Amazon S3) and combines a service and a virtual software appliance. By using this
combination, you can store and retrieve objects in Amazon S3 using industry-standard file
protocols such as Network File System (NFS) and Server Message Block (SMB).
• Amazon FSx File Gateway (FSx File) is a newer file gateway type that provides low-latency,
efficient access to in-cloud Amazon FSx for Windows File Server file shares from your
on-premises facility. If you maintain on-premises file storage because of latency or bandwidth
requirements, you can instead use FSx File for seamless access to fully managed, highly reliable,
and virtually unlimited Windows file shares provided in the Amazon Web Services Cloud by
Amazon FSx for Windows File Server.
• Volume Gateway - A volume gateway provides cloud-backed storage volumes that you can
mount as Internet Small Computer System Interface (iSCSI) devices from your on-premises
application servers.
  o Cached volumes - You store your data in Amazon Simple Storage Service (Amazon
  S3) and retain a copy of frequently accessed data subsets locally. Cached volumes
  offer substantial cost savings on primary storage and minimize the need to scale
  your storage on-premises. You also retain low-latency access to your frequently
  accessed data.
  o Stored volumes - If you need low-latency access to your entire dataset, first
  configure your on-premises gateway to store all your data locally. Then
  asynchronously back up point-in-time snapshots of this data to Amazon S3. This
  configuration provides durable and inexpensive offsite backups that you can recover
  to your local data center or Amazon Elastic Compute Cloud (Amazon EC2). For
  example, if you need replacement capacity for disaster recovery, you can recover the
  backups to Amazon EC2.
• Tape Gateway - A tape gateway provides cloud-backed virtual tape storage. The tape gateway
is deployed into your on-premises environment as a VM running on a VMware ESXi, KVM, or
Microsoft Hyper-V hypervisor. With a tape gateway, you can cost-effectively and durably archive
backup data in Glacier.

6) What are the types of Route 53 routing policies?

• Simple routing policy - Use for a single resource that performs a given function for your domain,
for example, a web server that serves content for the example.com website.
• Weighted routing policy - Use to route traffic to multiple resources in proportions that you specify.
• Latency routing policy - Use when you have resources in multiple AWS Regions and you want to
route traffic to the Region that provides the best latency.
• Failover routing policy - Use when you want to configure active-passive failover.
• Geolocation routing policy - Use when you want to route traffic based on the location of your users.
• Geoproximity routing policy - Use when you want to route traffic based on the location of your
resources and, optionally, shift traffic from resources in one location to resources in another.
• Multivalue answer routing policy - Use when you want Route 53 to respond to DNS queries with up
to eight healthy records selected at random.

7) What are the types of VPC endpoints?

A VPC endpoint enables connections between a virtual private cloud (VPC) and supported
services, without requiring that you use an internet gateway, NAT device, VPN connection, or
AWS Direct Connect connection. Therefore, your VPC is not exposed to the public internet.

VPC endpoints are virtual devices. They are horizontally scaled, redundant, and highly available
VPC components. The following are the different types of VPC endpoints. You create the type
of VPC endpoint that's required by the supported service.

• Interface endpoints

An interface endpoint is an elastic network interface with a private IP address from the IP
address range of your subnet. It serves as an entry point for traffic destined to a service that is
owned by AWS or owned by an AWS customer or partner. For a list of AWS services that
integrate with AWS PrivateLink, see AWS services that integrate with AWS PrivateLink.
You are billed for hourly usage and data processing charges. For more information, see Interface
endpoint pricing.

• Gateway Load Balancer endpoints

A Gateway Load Balancer endpoint is an elastic network interface with a private IP address from
the IP address range of your subnet. It serves as an entry point to intercept traffic and route it to a
network or security service that you've configured using a Gateway Load Balancer. You specify
a Gateway Load Balancer endpoint as a target for a route in a route table. Gateway Load
Balancer endpoints are supported only for endpoint services that are configured using a Gateway
Load Balancer.

You are billed for hourly usage and data processing charges. For more information, see Gateway
Load Balancer endpoint pricing.

• Gateway endpoints

A gateway endpoint is a gateway that is a target for a route in your route table used for traffic
destined to either Amazon S3 or DynamoDB.

There is no charge for using gateway endpoints.

8) Other questions on AWS VPC

Can you change the public IP of a running EC2 instance?
The public IP address will not change. Assign, reassign, remove an Elastic IP address - an instance (in
EC2-Classic) can only have one public IP address at any given time. An instance (in a VPC) can have
multiple public IP addresses.

9) Can we allocate multiple Elastic IPs in a private subnet?


Multiple IP addresses can be assigned and unassigned to network interfaces attached to running or
stopped instances. Secondary private IPv4 addresses that are assigned to a network interface can be
reassigned to another one if you explicitly allow it.

10) Many questions on RDS and the difference between DynamoDB and other databases

• RDS makes it easy to set up, operate, and scale a relational database. DynamoDB is an
AWS fully managed, high-performance NoSQL database.
• Amazon Redshift is a fully managed, petabyte-scale, cloud-based data warehouse product designed
for large-scale data set storage and analysis. It is also used to perform large-scale database migrations.

11) What is a VPC and VPC peering?

A VPC peering connection is a networking connection between two VPCs that enables you to route
traffic between them using private IP addresses. A VPC lets you deploy cloud resources in a
virtual network that you have defined.

VPC Peering:

• A VPC peering connection is a networking connection between two VPCs that enables you to route
traffic between them using private IPv4 addresses or IPv6 addresses.
• Instances in either VPC can communicate with each other as if they are within the same network.
• You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS
account.
• The VPCs can be in different Regions (also known as an inter-Region VPC peering connection).

Conditions:

• CIDR blocks shouldn't overlap.
• Transitive peering relationships are not supported, i.e. if VPC A is peered with both VPC B and
VPC C, VPC B cannot reach VPC C through VPC A.
• If the VPCs are in different Regions, inter-Region data transfer costs apply.
• You cannot have more than one VPC peering connection between the same two VPCs at the same time.

12) What is a route table?

A routing table is a set of rules, often viewed in table format, that is used to determine where data
packets traveling over an Internet Protocol (IP) network will be directed. All IP-enabled devices,
including routers and switches, use routing tables.

13) What is AWS Lambda?
AWS Lambda is a serverless compute service that runs your code in response to events and
automatically manages the underlying compute resources for you. You can use AWS Lambda to
extend other AWS services with custom logic, or create your own back end services that operate at AWS
scale, performance, and security.

14) What is a load balancer in AWS and what are the types?

Elastic Load Balancer (ELB): Elastic Load Balancing automatically distributes your incoming traffic
across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability
Zones. It monitors the health of its registered targets, and routes traffic only to the healthy targets.

Types of load balancer:

1) Application Load Balancer:
• Used mainly for web applications running the HTTP and HTTPS protocols.
• Operates at the request level.

2) Network Load Balancer:
• Ultra-high performance at very low latency.
• Operates at the connection level, routing traffic to targets within a VPC.
• Can handle millions of requests per second.

3) Classic Load Balancer:
• Used for applications that were built in the existing EC2-Classic environment.
• Operates at both the connection and request level.

15) Explain Classic and Application Load Balancers?

-> A Classic Load Balancer makes routing decisions at either the transport layer (TCP/SSL) or the
application layer (HTTP/HTTPS).
-> An Application Load Balancer makes routing decisions at the application layer (HTTP/HTTPS),
supports path-based routing, and can route requests to one or more ports on each container instance in
your cluster.
-> A Network Load Balancer makes routing decisions at the transport layer (TCP/SSL). It can handle
millions of requests per second. After the load balancer receives a connection, it selects a target from the
target group for the default rule using a flow hash routing algorithm. It attempts to open a TCP connection
to the selected target on the port specified in the listener configuration. It forwards the request without
modifying the headers.

16) Can you explain CD in your organization?

17) AWS load balancing

Elastic Load Balancing automatically distributes your incoming traffic across multiple targets, such
as EC2 instances, containers, and IP addresses, in one or more Availability Zones. It monitors the health
of its registered targets, and routes traffic only to the healthy targets.

18) Any issues you came across so far and found difficult in AWS, and how you resolved them?

19) Auto Scaling in AWS

AWS Auto Scaling monitors your applications and automatically adjusts capacity to maintain
steady, predictable performance at the lowest possible cost.

20) If you lost the SSH key, how would you connect to an instance?
Take an AMI backup and create a new EC2 instance with a new key pair.

21) Load balancer creation?

• Spin up EC2 instance1 in availability zone az1 with the HTTP port open in its security group.
• Add the script below and launch the instance.
#!/bin/bash
yum update -y
yum install httpd -y
echo '<h1> Response from server-1 </h1>' > /var/www/html/index.html
service httpd start
chkconfig httpd on

• Spin up one more EC2 instance (instance2) in another availability zone (az2) with the HTTP port open
in its security group.
• Add the script below and launch the instance.
#!/bin/bash
yum update -y
yum install httpd -y

22) AWS S3?

Amazon S3 has a simple web services interface that you can use to store and retrieve any amount of data,
at any time, from anywhere on the web.

Single operation upload:

• A traditional upload where you upload the object in one part.
• A single operation upload can upload a file of up to 5 GB in size.

Upload object in parts:

• Using multipart upload, you can upload large objects of up to 5 TB.
• You can use multipart upload for objects from 5 MB to 5 TB in size.

Rules for bucket naming:

• Bucket names must be between 3 and 63 characters long.
• Bucket names can consist only of lowercase letters, numbers, dots (.) and hyphens (-).
• Bucket names must begin and end with a letter or number.
• Bucket names must not be formatted as an IP address (for example, 192.168.5.4).
• Bucket names can't begin with xn-- (for buckets created after February 2020).

Limitations of S3 buckets:

• Only 100 buckets can be created per account.
• A bucket can hold an unlimited number of objects.

S3 storage classes:

• Standard:
  o Designed for general- and all-purpose storage
  o Default storage option
  o 99.999999999% object durability
  o 99.99% object availability
  o Most expensive storage class
• Reduced Redundancy Storage:
  o Designed for non-critical objects
  o 99.99% object durability
  o 99.99% object availability
  o Less expensive than Standard
• Infrequent Access:
  o Designed for less frequently accessed objects
  o 99.999999999% object durability
  o 99.99% object availability
  o Less expensive than Reduced Redundancy Storage
• Glacier:
  o Designed for long-term archival storage
  o May take several hours to retrieve objects from this storage
  o Cheapest S3 storage class

S3 lifecycle policy:

An object lifecycle policy is a set of rules that automate the migration of objects from one storage class
to another.

By default, lifecycle policies are disabled for a bucket.


23) What is an Elastic IP?
An Elastic IP address is a reserved public IP address that you can assign to any EC2 instance in a
particular region, until you choose to release it. To allocate an Elastic IP address to your account in a
particular region, see Allocating an Elastic IP Address.

When you associate an Elastic IP address with an EC2 instance, it replaces the default public IP
address. If an external hostname was allocated to the instance from your launch settings, it will also
replace this hostname; otherwise, it will create one for the instance. The Elastic IP address remains in
place through events that normally cause the address to change, such as stopping or restarting the
instance.

24) What is the difference between S3 and EBS?

Amazon S3

Amazon S3 is a simple storage service offered by Amazon and it is useful for hosting
website images and videos, data analytics, etc. S3 is object-level data storage that
distributes the data objects across several machines and allows users to access the
storage via the internet from anywhere in the world.

Amazon EBS

Unlike Amazon S3, Amazon EBS is block-level data storage offered by Amazon.
Block storage stores files in multiple volumes called blocks, which act as separate hard
drives, and this storage is not accessible via the internet. Use cases include business
continuity, transactional and NoSQL databases, software testing, etc.

25) How can a user access S3 from the CLI?

Create a bucket
-> aws s3 mb s3://bucket-name
List buckets and objects
-> aws s3 ls
Delete bucket
-> aws s3 rb s3://bucket-name
Delete object
-> aws s3 rm s3://bucket-name/example/filename.txt --recursive

Move object
-> aws s3 mv s3://bucket-name/example s3://my-bucket/
The following example moves a local file from your current working directory to the Amazon S3 bucket
with the s3 mv command.
$ aws s3 mv filename.txt s3://bucket-name
The following example moves a file from your Amazon S3 bucket to your current working
directory, where ./ specifies your current working directory.
$ aws s3 mv s3://bucket-name/filename.txt ./

Copy object
-> aws s3 cp s3://bucket-name/example s3://my-bucket/

Sync object
-> aws s3 sync . s3://my-bucket/path

26) What is Lambda?


AWS Lambda lets you run code without provisioning or managing servers. You pay only for the
compute time you consume.
Just upload your code and Lambda takes care of everything required to run and scale your code
with high availability

27) What is a private instance?


Instances in the private subnet are back-end servers that don't need to accept incoming traffic
from the internet and therefore do not have public IP addresses; however, they can send requests
to the internet using the NAT gateway

28) What are CNAME and A records?

CNAME record:
Maps a hostname to another hostname, e.g. us-east.2.elb.amazonaws.com to
myapp.mydomain.com.

Alias record: points a hostname to an AWS resource, e.g. myapp.mydomain.com to
us-east.2.elb.amazonaws.com.
29) Write a script to list all AWS S3 buckets in a given region and total used capacity of the bucket.
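One way to answer this, as an added example that is not part of the original notes: a Python script built on boto3 (assumed to be installed, with credentials in the environment that are allowed to list buckets and objects). The summing and formatting helpers are pure functions so they can be checked against a constructed listing without AWS access; report() is the part that talks to S3.

```python
"""List the S3 buckets in a given region and report each bucket's object count and used capacity.

Added example for question 29; not part of the original notes. Assumes boto3 is installed and
that credentials with s3:ListAllMyBuckets, s3:GetBucketLocation and s3:ListBucket are present.
"""
import sys
from typing import Dict, Iterable, List, Tuple


def summarize_pages(pages: Iterable[dict]) -> Tuple[int, int]:
    """Sum object count and bytes over ListObjectsV2 result pages.

    A page has an optional 'Contents' list of {'Key', 'Size', ...} entries; an empty bucket
    returns a page with no 'Contents' key at all, hence the .get().
    """
    count, total = 0, 0
    for page in pages:
        for obj in page.get("Contents", []):
            count += 1
            total += int(obj["Size"])
    return count, total


def human_size(nbytes: int) -> str:
    """Format a byte count with a binary unit, e.g. 3584 -> '3.5 KiB'."""
    size = float(nbytes)
    for unit in ("B", "KiB", "MiB", "GiB", "TiB"):
        if size < 1024 or unit == "TiB":
            break
        size /= 1024
    return f"{size:.1f} {unit}"


def bucket_region(s3_client, bucket: str) -> str:
    """GetBucketLocation reports us-east-1 as None, and eu-west-1 may appear as the legacy 'EU'."""
    loc = s3_client.get_bucket_location(Bucket=bucket).get("LocationConstraint")
    if loc is None:
        return "us-east-1"
    return "eu-west-1" if loc == "EU" else loc


def report(region: str) -> List[Dict[str, object]]:
    """One inventory row per bucket that lives in `region`; needs boto3 and credentials."""
    import boto3  # imported here so the pure helpers above also work without boto3 installed
    s3 = boto3.client("s3", region_name=region)
    rows: List[Dict[str, object]] = []
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        if bucket_region(s3, name) != region:
            continue  # skip buckets homed in other regions
        pages = s3.get_paginator("list_objects_v2").paginate(Bucket=name)
        count, total = summarize_pages(pages)
        rows.append({"bucket": name, "objects": count, "bytes": total})
    return rows


# Constructed ListObjectsV2 pages, in the shape the API returns, for checking offline.
SAMPLE_PAGES = [
    {"Contents": [{"Key": "logs/a.gz", "Size": 1024}, {"Key": "logs/b.gz", "Size": 512}]},
    {"Contents": [{"Key": "backup.tar", "Size": 2048}]},
    {},  # an empty page carries no 'Contents' key
]


if __name__ == "__main__":
    region_arg = sys.argv[1] if len(sys.argv) > 1 else "us-east-1"
    for row in report(region_arg):
        print(f"{row['bucket']:<40} {row['objects']:>8} objects {human_size(row['bytes']):>10}")
```

Run it as `python s3_inventory.py ap-south-1`; summing through the paginator means a bucket with millions of objects is walked page by page rather than loaded at once.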

30) What are the components of a VPC?

1) VPC CIDR block
2) Subnet
3) Gateways
4) Route table
5) Network Access Control Lists (ACLs)
6) Security group

1) VPC CIDR block

Select "Your VPCs" in the left sidebar and the dashboard will display all of your VPCs in a
particular AWS Region, including the default VPC. A Region can only have one default VPC.
Although you can have up to five VPCs in a Region, only the initial VPC that AWS creates for
you can be the default VPC.

Every VPC is associated with an IP address range that is part of a Classless Inter-Domain
Routing (CIDR) block, which is used to allocate private IP addresses to EC2 instances.
AWS recommends that VPCs use private ranges that are defined in RFC 1918. These private
ranges are reserved by the Internet Assigned Numbers Authority (IANA) and cannot be routed to
the Internet. Ranges of different sizes, with different allocations of IP addresses, can be assigned to a
VPC depending on need.

All default VPCs will be associated with an IPv4 CIDR block with a 172.31.0.0/16 address
range. This will give you 65,536 possible IP addresses, minus some AWS reserved addresses.
VPCs can be created with smaller CIDR blocks, such as a /20, which would yield 4091 possible
addresses.

2) Subnet

Next, if you go to the "Subnets" screen, you will see that multiple default subnets have already
been assigned to your default VPC, one subnet for each availability zone.

A subnet is always associated with a single availability zone and cannot span multiple zones.
However, an availability zone can host multiple subnets. Each subnet in a VPC is associated with
an IPv4 CIDR block that is a subset of the /16 CIDR block of its VPC.

In a default VPC, each default subnet is associated with /20 CIDR block address range which
will have 4091 possible IP addresses minus the five addresses AWS always reserves. Note that
two subnets cannot have overlapping address ranges.

When you launch an EC2 instance into a default VPC without specifying a specific subnet, it’s
automatically launched in one of the default subnets. Every instance in a default subnet receives
a private IP address from the pool of addresses associated with that subnet and also a private
DNS hostname.

In a default subnet, an instance will also receive a public IP address from the pool of addresses
owned by AWS along with a public DNS hostname, which will facilitate Internet access for your
instances.
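As an added example (not from the original notes) covering both the CIDR conditions of question 11 and the address-range rules in parts 1 and 2 of this question, the following checker uses Python's standard ipaddress module; every VPC and subnet block it is fed is constructed.

```python
"""Check a VPC address plan and whether two VPCs can be peered.

Added example for question 11 (peered VPC CIDRs must not overlap) and question 30, parts 1 and 2
(RFC 1918 ranges, subnets inside the VPC block, no overlapping subnets, five reserved addresses
per subnet); not part of the original notes. All CIDRs passed in are constructed.
"""
import ipaddress
from typing import Dict, List

RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AWS_RESERVED_PER_SUBNET = 5  # network, VPC router, DNS, future use, broadcast


def usable_addresses(subnet_cidr: str) -> int:
    """Addresses an instance can actually receive: block size minus AWS's five reserved ones."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def is_private_range(cidr: str) -> bool:
    """True when the block lies entirely inside one of the RFC 1918 ranges."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(r) for r in RFC1918)


def check_vpc_plan(vpc_cidr: str, subnets: Dict[str, str]) -> List[str]:
    """Return the problems with a plan (empty list when it is valid).

    `subnets` maps a subnet name to its CIDR, e.g. {"web-a": "172.31.0.0/20"}.
    """
    problems: List[str] = []
    vpc = ipaddress.ip_network(vpc_cidr)
    if not is_private_range(vpc_cidr):
        problems.append(f"VPC {vpc} is not an RFC 1918 private range")
    nets = {name: ipaddress.ip_network(c) for name, c in subnets.items()}
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"subnet {name} {net} is outside VPC {vpc}")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnets {a} and {b} overlap")
    return problems


def can_peer(vpc_a_cidr: str, vpc_b_cidr: str) -> bool:
    """Peering is only possible when the two VPC blocks do not overlap."""
    return not ipaddress.ip_network(vpc_a_cidr).overlaps(ipaddress.ip_network(vpc_b_cidr))


if __name__ == "__main__":
    plan = {"public-a": "172.31.0.0/20", "public-b": "172.31.16.0/20", "db": "172.31.8.0/24"}
    print(check_vpc_plan("172.31.0.0/16", plan))    # db overlaps public-a
    print(usable_addresses("172.31.0.0/20"))         # 4091
    print(can_peer("172.31.0.0/16", "10.0.0.0/16"))  # True
```

ipaddress.ip_network() rejects a CIDR with host bits set (for example 172.31.0.1/20), so a malformed block raises ValueError rather than silently passing the checks.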
3) Gateways

Frequently, your EC2 instances will require connectivity outside of AWS to the Internet or to a
user's corporate network via the use of gateways.

For communication with the Internet, a VPC must be attached to an Internet gateway. An
Internet gateway is a fully managed AWS service that performs bi-directional source and
destination network address translation for your EC2 instances. Optionally, a VPC may use a
virtual private gateway to grant instances secure access to a user's corporate network via VPN or
Direct Connect links. Instances in a subnet can also be granted outbound-only Internet access
through a NAT gateway.

A subnet that provides its instances a route to an Internet gateway is considered a public subnet.
A private subnet may be in a VPC with an attached Internet gateway but will not have a route to
that gateway. In a default VPC, all default subnets are public subnets and will have a route to a
default gateway.

4) Route table

I've mentioned routing several times while talking about the Internet gateway. Every VPC is
attached to an implicit router. This router is not visible to the user and is fully managed and
scaled by AWS. What is visible is the route table associated with each subnet, which is used by
the VPC router to determine the allowed routes for outbound network traffic leaving a subnet.

Note from the screenshot below that every route table contains a default local route to facilitate
communication between instances in the same VPC, even across subnets. This intra-VPC local
route is implied and cannot be changed. In the case of the main route table that is associated with
a default subnet, there will also be a route out to the Internet via the default gateway for the VPC.

Also note that every subnet must be associated with a route table. If the association is not
explicitly defined, then a subnet will be implicitly associated with the main route table.
5) Network security (network ACLs)

One concern you may have is network security, particularly if all default subnets in a default
VPC are public and open to Internet traffic. AWS provides security mechanisms for your
instances in the form of network ACLs and security groups. These two mechanisms can work
together to provide layered protection for your EC2 instances.

An ACL acts as a firewall that controls network traffic in and out of a subnet. You create rules
for allowing or denying network traffic for specific protocols, through specific ports and for
specific IP address ranges.

Network ACLs are stateless and have separate inbound and outbound rules. This means both
inbound and outbound rules have to be created to allow certain network traffic to enter the subnet
and for responses to go back through.

A number is assigned to each rule and all rules are evaluated starting with the lowest numbered
rule. When traffic hits the firewall, it is evaluated against the rules in ascending order. As soon as
a rule is evaluated that matches the traffic being considered, it is applied regardless of what is
indicated in a subsequent rule.
As indicated above, the default ACL in a default VPC is configured with lower-numbered rules
for both inbound and outbound traffic which combine to explicitly allow bi-directional
communication for any protocol, through any port and to and from any source or destination.

You can associate an ACL with multiple subnets but any single subnet can only be associated
with one ACL. If you don't specifically associate an ACL with a subnet, the subnet is
automatically associated with the default ACL. This is the case with your default VPCs which
have all subnets associated with the default ACL.

6) Security groups

Security groups are considered the first line of defense and consist of a firewall that’s applied at
the instance level. This means only instances explicitly associated with a security group will be
subject to its rules while all instances in a subnet are impacted by the network ACL applied to
that subnet.

Similar to ACLs, you create inbound and outbound traffic rules based on protocol, port and
source or destination IP. However, there are some differences:

• You can specify rules to allow network traffic but cannot create rules to deny specific types of
traffic. In essence, all traffic is denied except for traffic you explicitly allow.
• Security groups are stateful, so if you create a rule to allow a certain type of traffic in, then
outbound traffic in response is also allowed even if there is no explicit outbound rule to allow
such traffic.

Every instance must be associated with a security group and if a security group is not specified at
launch time, then that instance will be associated with a default security group.
You can see from the screenshot above that a default security group will have a rule that only
allows inbound traffic from other instances that are associated with the same default security
group. No other inbound traffic is allowed.

Looking at the outbound rules above, all network traffic out is allowed by the default security
group. This includes traffic out to the Internet since a default VPC will have a route to a default
internet gateway.

31) How will you map an IP address to a domain name?

Step 1: Obtain a static IP address
Note: If you are using Elastic Load Balancing (this is done automatically if you launched your app
with AWS Elastic Beanstalk) then you do not need to obtain a static IP address and can go directly
to step 2.

a. Open the Elastic IPs section of the EC2 console and click Allocate New Address.
b. Set "EIP used in:" to VPC and click Yes, Allocate.
Note: There is no charge for Elastic IP addresses (EIPs) that are connected to
running instances. If you remove the instance (i.e. the EIP is no longer
connected to a running instance) then there is a cost of $0.005/hr for the EIP.
c. Select the new IP address in the Elastic IP column. Press the Actions button and choose the
Associate Address option.
d. Click in the Instance text box and choose the option that has your instance name.
e. Verify that your new Elastic IP address is working by typing it into your web browser.

32) I have an application in the Mumbai Region and suddenly the Region goes down; the application will be
impacted. How do you resolve/avoid this?

33) Have you written any Terraform file to create AWS resources?

34) DIFFERENCE BETWEEN EFS AND EBS

Amazon EFS is an NFS file system service offered by AWS. An Amazon EFS file system is
excellent as a managed network file system that can be shared across different Amazon EC2
instances and works like a NAS device.
Amazon EBS is the block storage offered on AWS. An Amazon EBS volume is a persistent
storage device that can be used as a file system for databases, application hosting and storage, and
plug-and-play devices.

EFS is:

• Generally available (out of preview), but may not yet be available in your Region.
• A network filesystem (that means it may have higher latency, but it can be shared across several
instances, even between Regions).
• Expensive compared to EBS (~10x more), but it gives extra features.
• A highly available service.
• A managed service.
• Attachable to an EC2 instance.
• Accessible by multiple EC2 instances simultaneously.
• Since 2016-12-20 it has been possible to attach your EFS storage directly to on-premises servers via
Direct Connect.

EBS is:

• Block storage (so you need to format it). This means you are able to choose which type of file
system you want.
• As it's block storage, you can use RAID 1 (or 0 or 10) with multiple block storages.
• Really fast.
• Relatively cheap.
• With the newer announcements from Amazon, you can store up to 16 TB of data per volume on SSDs.
• Snapshottable (while it's still in use) for backup purposes.
• Only present in a particular Region. Although you can migrate it to another Region, you
cannot just access it across Regions (only if you share it via EC2, but that means you have a
file server).
• In need of an EC2 instance to attach to.
• New feature (2017-02-15): you can now increase volume size, adjust performance, or change
the volume type while the volume is in use. You can continue to use your application while the
change takes effect.

35) DIFFERENCE BETWEEN SECURITY GROUPS AND NACLS

Rule types
  Security Group: supports only allow rules, and by default all traffic is denied. You cannot write a
  rule that denies a connection.
  NACL (Network Access Control List): supports both allow and deny rules, and by default all traffic is
  denied; you add rules that either allow or deny traffic.

State
  Security Group: stateful, meaning that traffic allowed in by an inbound rule is automatically allowed
  back out. For example, if you allow incoming port 80, the responses are allowed without an explicit
  outbound rule.
  NACL: stateless, meaning that an inbound rule does not imply the matching outbound rule; you need to
  add the outbound rule separately. For example, if you add an inbound rule for port 80, you also
  have to explicitly add the outbound rule for the response traffic.

Scope
  Security Group: associated with an EC2 instance.
  NACL: associated with a subnet.

Evaluation
  Security Group: all the rules are evaluated before deciding whether to allow the traffic.
  NACL: rules are evaluated in order, starting from the lowest number.

Application
  Security Group: applied to an instance only when you specify the security group while launching the
  instance.
  NACL: applied automatically to all instances in the subnet it is associated with.

Layer of defense
  Security Group: the first layer of defense.
  NACL: the second layer of defense.
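The stateful/stateless difference becomes concrete when you trace one HTTP request and its reply through both mechanisms. The simulation below is an added example, not from the original notes; it also illustrates parts 5 and 6 of question 30, and every address, rule and rule number in it is constructed.

```python
"""Trace a packet and its reply through a network ACL and a security group.

Added example for questions 30 (parts 5 and 6) and 35; not part of the original notes. Rule
shapes, addresses and rule numbers are constructed. The behaviour modelled is the one the notes
describe: ACL rules are stateless and evaluated lowest number first with the first match winning
(implicit deny at the end); security-group rules are allow-only and stateful, so the reply to an
allowed connection needs no outbound rule.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    sport: int
    dport: int

    def reply(self) -> "Packet":
        """The response travels the other way with the ports swapped."""
        return Packet(self.dst, self.src, self.proto, self.dport, self.sport)


@dataclass(frozen=True)
class Rule:
    proto: str               # "all" matches any protocol
    ports: Tuple[int, int]   # inclusive destination-port range
    cidr: str                # source for inbound rules, destination for outbound rules
    action: str = "allow"    # ACL rules may also be "deny"; security groups only allow
    number: int = 0          # ACL evaluation order; ignored by security groups


def _matches(rule: Rule, pkt: Packet, direction: str) -> bool:
    addr = ipaddress.ip_address(pkt.src if direction == "inbound" else pkt.dst)
    return (rule.proto in ("all", pkt.proto)
            and rule.ports[0] <= pkt.dport <= rule.ports[1]
            and addr in ipaddress.ip_network(rule.cidr))


def acl_decision(rules: List[Rule], direction: str, pkt: Packet) -> str:
    """Stateless: the lowest-numbered matching rule decides; no match means deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, pkt, direction):
            return rule.action
    return "deny"


@dataclass
class SecurityGroup:
    inbound: List[Rule]
    outbound: List[Rule]
    flows: Set[Packet] = field(default_factory=set)  # connection-tracking state

    def decision(self, direction: str, pkt: Packet) -> str:
        """Allow-only and stateful: a reply to an allowed packet is allowed without a rule."""
        if pkt.reply() in self.flows:
            return "allow"
        rules = self.inbound if direction == "inbound" else self.outbound
        if any(_matches(r, pkt, direction) for r in rules):
            self.flows.add(pkt)
            return "allow"
        return "deny"


def web_server_scenario(acl_ephemeral_rule: bool, acl_block_source: bool) -> Dict[str, object]:
    """Client 203.0.113.5 connects to web server 10.0.1.10 on TCP port 80 (constructed)."""
    acl_in = [Rule("tcp", (80, 80), "0.0.0.0/0", "allow", 100)]
    if acl_block_source:
        # Number 90 is evaluated before 100, so this deny wins for that source range.
        acl_in.append(Rule("tcp", (80, 80), "203.0.113.0/24", "deny", 90))
    acl_out: List[Rule] = []
    if acl_ephemeral_rule:
        # Needed because the ACL is stateless: replies go back to the client's ephemeral port.
        acl_out.append(Rule("tcp", (1024, 65535), "0.0.0.0/0", "allow", 100))
    # Security group: HTTP allowed in, no outbound rules at all.
    sg = SecurityGroup(inbound=[Rule("tcp", (80, 80), "0.0.0.0/0")], outbound=[])

    request = Packet("203.0.113.5", "10.0.1.10", "tcp", 51515, 80)
    reply = request.reply()
    decisions: Dict[str, object] = {
        "acl_in": acl_decision(acl_in, "inbound", request),
        "sg_in": sg.decision("inbound", request),
        "sg_out": sg.decision("outbound", reply),
        "acl_out": acl_decision(acl_out, "outbound", reply),
    }
    # Both layers must allow a packet for it to get through.
    decisions["request_delivered"] = all(decisions[k] == "allow" for k in ("acl_in", "sg_in"))
    decisions["reply_delivered"] = decisions["request_delivered"] and all(
        decisions[k] == "allow" for k in ("sg_out", "acl_out"))
    return decisions


if __name__ == "__main__":
    for flags in ((True, False), (False, False), (True, True)):
        print(flags, web_server_scenario(*flags))
```

The middle case is the classic misconfiguration the notes warn about: the security group lets the reply out on its own, but an ACL with no ephemeral-port outbound rule silently drops it.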

36) EXPLAIN TRANSIT GATEWAY


A transit gateway is a network transit hub that you can use to interconnect your virtual private
clouds (VPCs) and on-premises networks. As your cloud infrastructure expands globally, inter-
Region peering connects transit gateways together using the AWS Global Infrastructure. Your
data is automatically encrypted and never travels over the public internet.

37) Are you using EKS?


Amazon Elastic Kubernetes Service (Amazon EKS) is a fully-managed,
certified Kubernetes conformant service that simplifies the process of building, securing,
operating, and maintaining Kubernetes clusters on AWS. Amazon EKS integrates with core AWS
services such as CloudWatch, Auto Scaling Groups, and IAM to provide a seamless experience
for monitoring, scaling and load balancing your containerized applications.

38) What are private and public subnets?

The main difference is the route for 0.0.0.0/0 in the associated route table.

A private subnet sets that route to a NAT instance. Private subnet instances only need a
private IP, and internet traffic is routed through the NAT in the public subnet. You could
also have no route to 0.0.0.0/0 to make it a truly private subnet with no internet access
in or out.
A public subnet routes 0.0.0.0/0 through an Internet Gateway (igw). Instances in a public
subnet require public IPs to talk to the internet.

39) How can someone sitting on-site access your instance inside your private subnet?

Bastion host:
A bastion host is a server whose purpose is to provide access to a private network from an external
network.
VPN:
Mainly used to establish a secure and private tunnel from your network or device to the AWS network.

• AWS Site-to-Site VPN: enables you to securely connect your on-premises network to your
VPC.
• AWS Client VPN: enables you to securely connect users to AWS or an on-premises network.

40) How will you establish a connection between public and private subnets?
A NAT gateway will allow the EC2 instances in the private subnets to connect to the
internet and achieve high availability.
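Added example (not from the original notes) covering parts 3 and 4 of question 30 together with questions 38 and 40: classify subnets from their route tables and check that a NAT gateway serving a private subnet is itself placed in a public subnet. The VPC records are constructed; the igw- and nat- resource id prefixes follow AWS naming.

```python
"""Classify subnets as public, private or isolated from their route tables, and check that each
NAT gateway used for private egress sits in a public subnet.

Added example for questions 30 (parts 3 and 4), 38 and 40; not part of the original notes. The
records below are constructed and simplified, but the rules are the ones the notes state: a subnet
with no explicit association uses the main route table, the local route is always present, a
0.0.0.0/0 route to an Internet gateway (igw-) makes the subnet public, a 0.0.0.0/0 route to a NAT
gateway (nat-) gives outbound-only access, and no 0.0.0.0/0 route means no internet in or out.
"""
from typing import Dict, List, Optional


def effective_table(subnet_id: str, tables: List[dict]) -> dict:
    """An explicit association wins; otherwise the VPC's main table applies implicitly."""
    for table in tables:
        if subnet_id in table["subnets"]:
            return table
    return next(t for t in tables if t["main"])


def default_route_target(table: dict) -> Optional[str]:
    """Target of the 0.0.0.0/0 route, or None when the table has no route out."""
    for route in table["routes"]:
        if route["destination"] == "0.0.0.0/0":
            return route["target"]
    return None


def classify(subnet_id: str, tables: List[dict]) -> str:
    target = default_route_target(effective_table(subnet_id, tables))
    if target is None:
        return "isolated"  # truly private: no internet access in or out
    if target.startswith("igw-"):
        return "public"    # instances still need a public or Elastic IP to be reachable
    if target.startswith("nat-"):
        return "private"   # outbound only, through the NAT gateway
    return "unknown"


def misplaced_nat_gateways(nat_gateways: Dict[str, str], tables: List[dict]) -> List[str]:
    """A NAT gateway only reaches the internet if its own subnet is public; report the rest.

    `nat_gateways` maps a NAT gateway id to the subnet it was created in.
    """
    return [nat for nat, subnet in nat_gateways.items() if classify(subnet, tables) != "public"]


def audit(tables: List[dict], subnets: List[str], nat_gateways: Dict[str, str]) -> Dict[str, object]:
    return {
        "classes": {s: classify(s, tables) for s in subnets},
        "misplaced_nat": misplaced_nat_gateways(nat_gateways, tables),
    }


# Constructed VPC: the main table routes to an Internet gateway, one table routes to a NAT
# gateway, one has only the local route. subnet-public has no explicit association and so
# inherits the main table, as the notes describe.
TABLES = [
    {"id": "rtb-main", "main": True, "subnets": [],
     "routes": [{"destination": "10.0.0.0/16", "target": "local"},
                {"destination": "0.0.0.0/0", "target": "igw-0example"}]},
    {"id": "rtb-private", "main": False, "subnets": ["subnet-app"],
     "routes": [{"destination": "10.0.0.0/16", "target": "local"},
                {"destination": "0.0.0.0/0", "target": "nat-0example"}]},
    {"id": "rtb-isolated", "main": False, "subnets": ["subnet-db"],
     "routes": [{"destination": "10.0.0.0/16", "target": "local"}]},
]
SUBNETS = ["subnet-public", "subnet-app", "subnet-db"]


if __name__ == "__main__":
    print(audit(TABLES, SUBNETS, {"nat-0example": "subnet-public"}))  # NAT placed correctly
    print(audit(TABLES, SUBNETS, {"nat-0example": "subnet-db"}))      # NAT in an isolated subnet
```

A subnet that falls back to the main table is worth flagging in a review: in a default VPC that table carries the Internet gateway route, so an unassociated subnet is public whether or not that was intended.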

41) AWS RDS service - what is a read replica?


Amazon Relational Database Service (Amazon RDS) makes it easy to
set up, operate, and scale a relational database in the cloud. It
provides cost-efficient and resizable capacity while automating time-
consuming administration tasks such as hardware provisioning,
database setup, patching and backups. It frees you to focus on your
applications so you can give them the fast performance, high
availability, security and compatibility they need.

Amazon RDS Read Replicas enable you to create one or more read-only copies
of your database instance within the same AWS Region or in a different AWS
Region. Updates made to the source database are then asynchronously copied to
your Read Replicas.

42) Have you set up your own RDS service?

To create a DB instance

1. Sign in to the AWS Management Console and open the Amazon RDS console
at https://console.aws.amazon.com/rds/.
2. In the upper-right corner of the Amazon RDS console, choose the AWS Region in which you
want to create the DB instance.
3. In the navigation pane, choose Databases.
4. Choose Create database.
5. In Choose a database creation method, select Standard Create.
6. In Engine options, choose the engine type: MariaDB, Microsoft SQL Server, MySQL, Oracle,
or PostgreSQL. Microsoft SQL Server is shown here.

7. For Edition, if you're using Oracle or SQL Server choose the DB engine edition that you want to
use.

MySQL has only one option for the edition, and MariaDB and PostgreSQL have none.
8. For Version, choose the engine version.
9. In Templates, choose the template that matches your use case. If you choose Production, the
following are preselected in a later step:
• Multi-AZ failover option
• Provisioned IOPS storage option
• Enable deletion protection option

We recommend these features for any production environment.


10. To enter your master password, do the following:
a. In the Settings section, open Credential Settings.
b. Clear the Auto generate a password check box.
c. (Optional) Change the Master username value and enter the same password
in Master password and Confirm password.

By default, the new DB instance uses an automatically generated password for the master user.
11. For the remaining sections, specify your DB instance settings. For information about each
setting, see Settings for DB instances.
12. Choose Create database.

If you chose to use an automatically generated password, the View credential details button
appears on the Databases page.

13. For Databases, choose the name of the new DB instance.

On the RDS console, the details for the new DB instance appear. The DB instance has a status
of creating until the DB instance is created and ready for use. When the state changes
to available, you can connect to the DB instance. Depending on the DB instance class and
storage allocated, it can take several minutes for the new instance to be available.

43) How will you achieve high availability in RDS


RDS provides high availability using Multi-Availability Zone (Multi-AZ) deployments. This means
RDS automatically provisions a synchronous replica of the database in a different Availability
Zone. When the main database instance goes down, users are redirected transparently to the
other Availability Zone.
44) CloudWatch alerts
Alarm:
The CloudWatch Alarms feature allows you to watch CloudWatch metrics and to receive notifications
when the metrics fall outside of the levels (high or low thresholds) that you configure.
Ex:
If CPU utilization goes beyond the static threshold, the alarm goes to the ALARM state.
Three states of a CW alarm:
ALARM state
INSUFFICIENT_DATA state (not enough datapoints yet to decide)
OK state

Events: an event indicates a change in the AWS environment.


Event resource: which resource you want to monitor
Event target: where the event is delivered, so the change can be alerted through notifications
Logs:
CloudWatch Logs enables you to centralize the logs from all your systems, applications, and AWS
services.
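A simplified model of the three alarm states and of the transitions that produce notifications, as an added example (not code from the original notes); the evaluation window, the M-out-of-N breach rule and notify-only-on-transition behaviour are assumptions about how the alarm is configured.

```python
"""Simplified model of how a CloudWatch static-threshold alarm moves between its
three states (added example written for this page; not AWS code).

Assumptions not stated on the page: one datapoint per period, newest last; the
"M out of N" rule (datapoints_to_alarm of evaluation_periods must breach); and
a notification is sent only when the state changes, not on every breaching point.
"""
from dataclasses import dataclass, field
from typing import List

OK, ALARM, INSUFFICIENT = "OK", "ALARM", "INSUFFICIENT_DATA"


@dataclass
class StaticThresholdAlarm:
    metric: str
    threshold: float
    comparison: str = "GreaterThanThreshold"   # or "LessThanThreshold"
    evaluation_periods: int = 3                 # N
    datapoints_to_alarm: int = 3                # M
    notifications: List[str] = field(default_factory=list)  # state changes seen

    def breaches(self, value: float) -> bool:
        if self.comparison == "GreaterThanThreshold":
            return value > self.threshold
        if self.comparison == "LessThanThreshold":
            return value < self.threshold
        raise ValueError(f"unsupported comparison {self.comparison!r}")

    def evaluate(self, datapoints: List[float]) -> str:
        """State for the most recent window of N datapoints."""
        window = datapoints[-self.evaluation_periods:]
        if len(window) < self.evaluation_periods:
            return INSUFFICIENT                # not enough data to decide yet
        breaching = sum(1 for v in window if self.breaches(v))
        return ALARM if breaching >= self.datapoints_to_alarm else OK


def run_alarm(alarm: StaticThresholdAlarm, series: List[float]) -> str:
    """Feed datapoints one period at a time; record each transition as a notification."""
    state, seen = INSUFFICIENT, []
    for value in series:
        seen.append(value)
        new_state = alarm.evaluate(seen)
        if new_state != state:
            alarm.notifications.append(f"{alarm.metric}: {state} -> {new_state}")
            state = new_state
    return state


if __name__ == "__main__":
    # Constructed CPUUtilization samples: a two-period spike above an 80% threshold.
    cpu = StaticThresholdAlarm("CPUUtilization", threshold=80.0, datapoints_to_alarm=2)
    print(run_alarm(cpu, [20.0, 30.0, 90.0, 95.0, 40.0, 35.0, 30.0]), cpu.notifications)
```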

45) Difference between NAT gateway and NAT instance

Attribute: NAT gateway vs. NAT instance

Availability
  NAT gateway: Highly available. NAT gateways in each Availability Zone are implemented with
  redundancy. Create a NAT gateway in each Availability Zone to ensure zone-independent architecture.
  NAT instance: Use a script to manage failover between instances.
Bandwidth
  NAT gateway: Scale up to 45 Gbps.
  NAT instance: Depends on the bandwidth of the instance type.
Maintenance
  NAT gateway: Managed by AWS. You do not need to perform any maintenance.
  NAT instance: Managed by you, for example, by installing software updates or operating system
  patches on the instance.
Performance
  NAT gateway: Software is optimized for handling NAT traffic.
  NAT instance: A generic AMI that's configured to perform NAT.
Cost
  NAT gateway: Charged depending on the number of NAT gateways you use, duration of usage, and
  amount of data that you send through the NAT gateways.
  NAT instance: Charged depending on the number of NAT instances that you use, duration of usage,
  and instance type and size.
Type and size
  NAT gateway: Uniform offering; you don't need to decide on the type or size.
  NAT instance: Choose a suitable instance type and size, according to your predicted workload.
Public IP addresses
  NAT gateway: Choose the Elastic IP address to associate with a public NAT gateway at creation.
  NAT instance: Use an Elastic IP address or a public IP address with a NAT instance. You can change
  the public IP address at any time by associating a new Elastic IP address with the instance.
Private IP addresses
  NAT gateway: Automatically selected from the subnet's IP address range when you create the gateway.
  NAT instance: Assign a specific private IP address from the subnet's IP address range when you
  launch the instance.
Security groups
  NAT gateway: You cannot associate security groups with NAT gateways. You can associate them with
  the resources behind the NAT gateway to control inbound and outbound traffic.
  NAT instance: Associate with your NAT instance and the resources behind your NAT instance to
  control inbound and outbound traffic.
Network ACLs
  NAT gateway: Use a network ACL to control the traffic to and from the subnet in which your NAT
  gateway resides.
  NAT instance: Use a network ACL to control the traffic to and from the subnet in which your NAT
  instance resides.
Flow logs
  NAT gateway: Use flow logs to capture the traffic.
  NAT instance: Use flow logs to capture the traffic.
Port forwarding
  NAT gateway: Not supported.
  NAT instance: Manually customize the configuration to support port forwarding.
Bastion servers
  NAT gateway: Not supported.
  NAT instance: Use as a bastion server.
Traffic metrics
  NAT gateway: View CloudWatch metrics for the NAT gateway.
  NAT instance: View CloudWatch metrics for the instance.
Timeout behavior
  NAT gateway: When a connection times out, a NAT gateway returns an RST packet to any resources
  behind the NAT gateway that attempt to continue the connection (it does not send a FIN packet).
  NAT instance: When a connection times out, a NAT instance sends a FIN packet to resources behind
  the NAT instance to close the connection.
IP fragmentation
  NAT gateway: Supports forwarding of IP fragmented packets for the UDP protocol. Does not support
  fragmentation for the TCP and ICMP protocols. Fragmented packets for these protocols will get dropped.
  NAT instance: Supports reassembly of IP fragmented packets for the UDP, TCP, and ICMP protocols.

46) What is IAM

● IAM provides access management for the account's services, where we manage users, roles, groups,
policies and the password policy.
● It applies globally to all AWS regions.
Users: we create users and assign the necessary permissions to them in the form of policies.
Groups: we can create groups, for example Dev, QA etc., and attach policies at the group level.
Policy:
A policy is a set of permissions.
An explicit deny always overrides an explicit allow.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

Policy types:
1. Identity-based policy: applies to users, groups of users, and roles
● AWS managed policy
● Customer managed policy
● Inline policy
2. Resource-based policy: attached to a resource such as an Amazon S3 bucket
3. Session policy: limits the permissions of a temporary session created for a role or federated user
Imp Notes:
More than one policy can be attached to a user or a group at the same time.
Policies can't be attached directly to resources like EC2 instances, S3 buckets etc.
Basic policy structure:

Effect: can take only two values, Allow or Deny

Action: which API operations the statement covers
Principal: who the policy applies to (the entity assuming it)
Resource: which resource the policy applies to
Ex:
Ex:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FirstStatement",
      "Effect": "Allow",
      "Action": ["iam:ChangePassword"],
      "Resource": "*"
    },
    {
      "Sid": "SecondStatement",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    }
  ]
}
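An added example (not from the original notes) that evaluates a request against policies of the shape shown above using the stated rule: an explicit deny overrides an allow, and anything not allowed is implicitly denied. The DENY_PROD_LOGS policy and its prod-logs bucket are constructed, and Condition, NotAction and Principal elements are out of scope.

```python
"""Simplified IAM policy evaluation (added example for this page; not AWS's engine).

It models the rules stated above: an explicit Deny overrides an explicit Allow,
and a request that no statement allows is implicitly denied. Assumptions: only
identity-based policies in one account; Action/Resource may use the "*" and "?"
wildcards; NotAction, Condition and Principal elements are not handled.
"""
import fnmatch
from typing import Dict, Iterable, List, Union

StrOrList = Union[str, List[str]]

# Second example policy from the section above, written as a Python dict.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FirstStatement", "Effect": "Allow",
         "Action": ["iam:ChangePassword"], "Resource": "*"},
        {"Sid": "SecondStatement", "Effect": "Allow",
         "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    ],
}

# Constructed guard-rail policy: no S3 call may touch the (hypothetical) prod-logs bucket.
DENY_PROD_LOGS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:*",
                   "Resource": ["arn:aws:s3:::prod-logs", "arn:aws:s3:::prod-logs/*"]}],
}


def _as_list(value: StrOrList) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def _action_matches(patterns: StrOrList, action: str) -> bool:
    # Action names are matched case-insensitively; "*" and "?" are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns: StrOrList, arn: str) -> bool:
    # Resource ARNs are matched case-sensitively.
    return any(fnmatch.fnmatchcase(arn, p) for p in _as_list(patterns))


def evaluate(policies: Iterable[Dict], action: str, resource: str) -> str:
    """Return "Allow" or "Deny" for one request against all attached policies."""
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if not _action_matches(stmt.get("Action", []), action):
                continue
            if not _resource_matches(stmt.get("Resource", []), resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"           # explicit deny wins, stop looking
            if stmt["Effect"] == "Allow":
                allowed = True          # remember, but keep scanning for a deny
    return "Allow" if allowed else "Deny"   # implicit deny when nothing allowed it
```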

47) What is AWS Cognito


Cognito
• It mainly provides authentication, authorization and user management for your application.
• It provides a managed user pool to manage identity for the application.
Cognito provides these user flows:
• Sign-up
• Sign-in
• Forgot or change password
• Multi-factor authentication
• Email and phone verification
It also provides a software development kit for your mobile or web application, and Lambda triggers
in order to customize any of these user flows with your own business logic.
It also provides a built-in hosted UI for these user flows.
Social identity providers can be integrated: Facebook, Google, Amazon, SAML. After authenticating the
user, Cognito provides the best-practice way of accessing AWS resources securely from the app by
providing temporary credentials.
User pool:
• User pools act as a mediator between your app and external social identity providers.
• You can add multiple identity providers as you need.
• The user pool manages the token exchange with each of the providers and gives your app
standard user pool tokens of the same format.
Identity pool:
• Where you exchange the authentication token to get temporary AWS credentials, which you can use to
access the resources directly from the app.
• User pools and identity pools can be used independently of each other or together.
Difference between user pool and identity pool:
AWS Cognito User Pools are there to authenticate users for your applications. Say you were creating a
new web or mobile app and you were thinking about how to handle user registration, authentication,
and account recovery; you don't need to implement user authentication inside your application,
rather you can integrate AWS Cognito User Pools, which will manage user sign-up, sign-in and
password policies.
AWS Cognito Identity Pool:
• This is a service which was designed to authorize your users to use the various AWS services. The
source of these users could be a Cognito User Pool or even Facebook or Google. In other words,
Identity Pools are used to assign IAM roles to users (who have been authenticated through a separate
identity provider, which could be Cognito User Pools or social logins (e.g. Gmail, Facebook etc.)).
Because these users are assigned an IAM role, they each have their own set of IAM permissions,
allowing them to access AWS resources directly.
So, the difference is:
• AWS Cognito User Pools: granting access to an application
• AWS Cognito Identity Pools: granting access to Amazon services

Difference between IAM and Cognito


AWS IAM lets you securely control access to AWS services and resources for your users.
AWS Cognito mainly provides authentication, authorization and user management for your application.

48) How to resize an EBS volume

In order to extend the volume size, follow these simple steps:

1. Log in to your AWS console


2. Choose “EC2” from the services list
3. Click on “Volumes” under the ELASTIC BLOCK STORE menu (on the left)
4. Choose the volume that you want to resize, right click and choose
“Modify Volume”
5. You’ll see an option window like this one:

6. Set the new size for your EBS volume (in this case I extended an
8GB volume to 20GB)
7. Click on Modify.
Now, we need to extend the partition itself.

SSH to the EC2 instance where the EBS we’ve just extended is
attached to.

Type the following command to list our block devices:

[ec2-user ~]$ lsblk


You should be able to see a similar output:

NAME    MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
xvda    202:0    0  20G  0 disk
└─xvda1 202:1    0   8G  0 part /
As you can see size of the root volume reflects the new size, 20GB,
the size of the partition reflects the original size, 8 GB, and must be
extended before you can extend the file system.

To do so, type the following command:


[ec2-user ~]$ sudo growpart /dev/xvda 1
Be careful, there is a space between the device name and the partition number (1 for xvda1)!
Now we can check that the partition reflects the increased volume size
(we can check it with the lsblk command we already used):

NAME    MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
xvda    202:0    0  20G  0 disk
└─xvda1 202:1    0  20G  0 part /
Last but not least, we need to extend the filesystem itself.
If your filesystem is an ext2, ext3, or ext4, type:
[ec2-user ~]$ sudo resize2fs /dev/xvda1
If your filesystem is an XFS, then type:
[ec2-user ~]$ sudo xfs_growfs /dev/xvda1
Finally we can check our extended filesystem by typing:
[ec2-user ~]$ df -h
If everything went right, we should be able to see our effective
filesystem extended size:
Filesystem      Size  Used Avail Use% Mounted on
devtmpfs        980M     0  980M   0% /dev
tmpfs           997M     0  997M   0% /dev/shm
tmpfs           997M  440K  997M   1% /run
tmpfs           997M     0  997M   0% /sys/fs/cgroup
/dev/xvda1       20G  1,4G   19G   7% /
You have just extended your EBS volume size with 0 downtime, enjoy!
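An added example (not part of the original notes) that reads lsblk output and works out which of the commands above still need to run on the instance; it assumes `lsblk -b -P -o NAME,SIZE,TYPE,FSTYPE,MOUNTPOINT` key/value output, one partition per disk, and calls xfs_growfs with the mount point rather than the device path used above.

```python
"""Plan the online EBS resize steps from lsblk output (added example for this page;
not from the original). It decides whether the partition still needs growpart and
which filesystem grow command applies, and returns the commands without running them.

Assumptions: output of `lsblk -b -P -o NAME,SIZE,TYPE,FSTYPE,MOUNTPOINT` (byte sizes,
key="value" pairs), one partition per disk, and xfs_growfs called with the mount
point (the page passes the device path instead).
"""
import shlex
from typing import Dict, List

# Constructed sample: the page's 20G disk whose root partition is still 8G.
SAMPLE_LSBLK = '''\
NAME="xvda" SIZE="21474836480" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="xvda1" SIZE="8589934592" TYPE="part" FSTYPE="xfs" MOUNTPOINT="/"
'''


def parse_lsblk_pairs(text: str) -> List[Dict[str, str]]:
    """Turn lsblk -P lines into dicts; sizes become ints."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(tok.split("=", 1) for tok in shlex.split(line))
        rows.append({"name": kv["NAME"], "size": int(kv["SIZE"]), "type": kv["TYPE"],
                     "fstype": kv["FSTYPE"], "mountpoint": kv["MOUNTPOINT"]})
    return rows


def plan_resize(lsblk_text: str, disk: str, slack: int = 64 * 1024 * 1024) -> List[str]:
    """Commands needed so the filesystem fills the (already enlarged) volume."""
    rows = {r["name"]: r for r in parse_lsblk_pairs(lsblk_text)}
    part = next(r for r in rows.values()
                if r["type"] == "part" and r["name"].startswith(disk))
    # Partition number: xvda1 -> 1, nvme0n1p1 -> 1 (growpart wants it as a separate argument).
    part_num = part["name"][len(disk):].lstrip("p")
    cmds = []
    if rows[disk]["size"] - part["size"] > slack:      # partition smaller than the disk
        cmds.append(f"sudo growpart /dev/{disk} {part_num}")
    if part["fstype"] in ("ext2", "ext3", "ext4"):
        cmds.append(f"sudo resize2fs /dev/{part['name']}")
    elif part["fstype"] == "xfs":
        cmds.append(f"sudo xfs_growfs {part['mountpoint']}")
    else:
        raise ValueError(f"don't know how to grow filesystem {part['fstype']!r}")
    return cmds


if __name__ == "__main__":
    for cmd in plan_resize(SAMPLE_LSBLK, "xvda"):
        print(cmd)
```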

49) What is AWS firewall manager


AWS Firewall Manager is a security management service which allows you to centrally
configure and manage firewall rules across your accounts and applications in AWS
Organizations. ... You can deploy AWS Network Firewalls across accounts and VPCs in your
organization

50) AWS ElastiCache


You can use ElastiCache for caching, which accelerates application and database
performance, or as a primary data store for use cases that don't require durability like session
stores, gaming leaderboards, streaming, and analytics.

• Automatic detection and recovery from cache node failures.
• Automatic discovery of nodes within a cluster enabled for automatic discovery, so that no
changes need to be made to your application when you add or remove nodes.
• Flexible Availability Zone placement of nodes and clusters.
• Integration with other AWS services such as Amazon EC2, Amazon CloudWatch, AWS
CloudTrail, and Amazon SNS to provide a secure, high-performance, managed in-memory
caching solution.

51) How to do performance tuning using ELB

OS-level settings
1. To optimize network and OS performance, configure the following settings
in the /etc/sysctl.conf file of Linux. These settings specify a larger port range, a more effective
TCP connection timeout value, and a number of other important parameters at the OS level.
It is not recommended to use net.ipv4.tcp_tw_recycle = 1 when working with network address
translation (NAT), such as if you are deploying products in EC2 or any other
environment configured with NAT.
net.ipv4.tcp_fin_timeout = 30
fs.file-max = 2097152
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.core.rmem_default = 524288
net.core.wmem_default = 524288
net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.ip_local_port_range = 1024 65535

2. To alter the number of allowed open files for system users, configure the following
settings in the /etc/security/limits.conf file of Linux (be sure to include the leading * character).
* soft nofile 4096
* hard nofile 65535

3. Optimal values for these parameters depend on the environment.

4. To alter the maximum number of processes your user is allowed to run at a given time,
configure the following settings in the /etc/security/limits.conf file of Linux (be sure to include the
leading * character). Each Carbon server instance you run would require up to 1024
threads (with the default thread pool configuration). Therefore, you need to increase the
nproc value by 1024 per Carbon server (both hard and soft).
* soft nproc 20000
* hard nproc 20000

Memory settings
The memory allocated for ELB should be increased to the following. Note that you need to modify
the <ELB_HOME>/bin/wso2server.sh file to make this change.

• -Xms1500m -Xmx3000m
• -XX:PermSize=256m -XX:MaxPermSize=512m

In the passthru properties file, we have:

• worker_pool_size_core=400
• worker_pool_size_max=500
• io_buffer_size=16384
52) What is ALB, ELB

ELB (Elastic Load Balancing) helps to make your applications highly available by using
health checks and distributing the incoming traffic across multiple targets such as Amazon EC2
instances, containers, IP addresses, and Lambda functions.

ALB (Application Load Balancer) is a type of ELB that is mainly designed for web
applications with HTTP and HTTPS. It is named Application Load Balancer
because this load balancer works at the application layer. In ALB, we register targets
in target groups and it routes requests to those target groups.

53) Did you write cloud formation templates

54) Why we use VPC in AWS


Amazon VPC enables you to build a virtual network in the AWS cloud - no VPNs,
hardware, or physical datacenters required. You can define your own network space, and
control how your network and the Amazon EC2 resources inside your network are exposed to
the Internet.
55) Difference between IG and NAT Gateway
Internet Gateway (IGW) allows instances with public IPs to access the internet.
NAT Gateway (NGW) allows instances with no public IPs to access the internet
Difference is that NAT gateways are designed to provide instances in private subnets access to
the public Internet outbound or other AWS resources. Internet gateway is designed to expose
EC2 instances with public IPs to inbound traffic from the internet. NAT gateway doesn't allow
connections to be initiated inbound from the Internet to resources within the VPC.

56) what is sns

Amazon S3 has a simple web services interface that you can use to store and retrieve any amount
of data, at any time, from anywhere on the web.

Single operation upload:

• It’s a traditional upload where you upload the object in one part.
• A single operation upload can upload a file up to 5GB in size.
Upload object in parts:

• Using multipart upload, you can upload large objects up to 5TB.
• You can use multipart upload for objects from 5MB to 5TB in size.

Rules for bucket naming:

• Bucket names must be between 3 and 63 characters long.
• Bucket names can consist only of lowercase letters, numbers, dots (.) and hyphens (-).
• Bucket names must begin and end with a letter or number.
• Bucket names must not be formatted as an IP address (for example, 192.168.5.4).
• Bucket names can't begin with xn-- (for buckets created after February 2020).

Limitations of S3 buckets:
• Only 100 buckets can be created per account.
• A bucket can hold unlimited objects.
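An added example (not from the original notes) that applies the bucket naming rules and the upload-size limits listed above to a proposed name and object size; the GB/TB values are assumed to be 1024-based.

```python
"""Check an S3 bucket name against the naming rules listed above, and pick the
upload method for an object size (added example for this page; not AWS code).

Assumptions: the rules exactly as the page lists them (3-63 characters; only
lowercase letters, digits, dots and hyphens; starts and ends with a letter or
digit; not shaped like an IPv4 address; no "xn--" prefix) and the page's size
limits (5GB single operation, 5MB to 5TB multipart), with GB/TB read as 1024-based.
"""
import re
from typing import List

_LOWER_ALNUM = set("abcdefghijklmnopqrstuvwxyz0123456789")
_ALLOWED = re.compile(r"^[a-z0-9.-]+$")
_IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")

GB, TB = 1024 ** 3, 1024 ** 4


def bucket_name_errors(name: str) -> List[str]:
    """Return the rules a proposed bucket name breaks (empty list means valid)."""
    errors = []
    if not 3 <= len(name) <= 63:
        errors.append("must be between 3 and 63 characters long")
    if not _ALLOWED.match(name):
        errors.append("may contain only lowercase letters, numbers, dots and hyphens")
    if not name or name[0] not in _LOWER_ALNUM or name[-1] not in _LOWER_ALNUM:
        errors.append("must begin and end with a letter or number")
    m = _IPV4.match(name)
    if m and all(int(octet) <= 255 for octet in m.groups()):
        errors.append("must not be formatted as an IP address")
    if name.startswith("xn--"):
        errors.append("can't begin with xn--")
    return errors


def upload_method(size_bytes: int) -> str:
    """Choose single-operation or multipart upload from the object size."""
    if size_bytes > 5 * TB:
        raise ValueError("objects larger than 5TB cannot be stored in S3")
    if size_bytes > 5 * GB:
        return "multipart"           # a single PUT is capped at 5GB
    return "single-operation"        # multipart is optional from 5MB up


if __name__ == "__main__":
    for candidate in ("my-bucket.logs-2024", "My_Bucket", "192.168.5.4", "xn--bucket"):
        print(candidate, bucket_name_errors(candidate) or "ok")
```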

57) S3 storage classes

S3 storage classes:
• Standard:
  - Designed for general- and all-purpose storage
  - Default storage option
  - 99.999999999% object durability
  - 99.99% object availability
  - Most expensive storage class
• Reduced Redundancy Storage:
  - Designed for non-critical objects
  - 99.99% object durability
  - 99.99% object availability
  - Less expensive than Standard
• Infrequent Access:
  - Designed for less frequently accessed objects
  - 99.999999999% object durability
  - 99.99% object availability
  - Less expensive than Reduced Redundancy Storage
• Glacier:
  - Designed for long-term archival storage
  - May take several hours to retrieve the objects from this storage
  - Cheapest S3 storage class
