Getting Started with AWS

Lance Watanabe
Apr 27, 2022

IAM (Identity and Access Management): The root account has all privileges. It is difficult to restrict privileges for the root user, so AWS recommends accessing the console with IAM user accounts instead.

  • Policies: Defines permissions and can be applied to users, groups, and roles
  • User: A person
  • Group: A collection of users that have the same policy
  • Role: Similar to a user. However, it is a generic entity that any user or service (EC2 instance) can assume.

Create a user in IAM:

  • Services => Security, Identity, & Compliance => IAM => Users (Access Management) => Add Users (button)

AWS structure: AWS has servers throughout the world. We will utilize those resources based on regions (e.g., Northern California).

  • Region: Collection of availability zones
  • Virtual Private Cloud (VPC): Isolated space within a region. Each VPC spans across all availability zones within a region.
  • Availability Zone: A data center within a region
  • Subnetwork (subnet): A subnet is a range of IP addresses contained in a single availability zone. External routes use 0.0.0.0/0 and will be routed to the “Internet Gateway.” All other specified addresses will route to internal resources. A VPC router is used to send data internally between subnets. Public subnets have a route to the internet gateway, and their instances can have public IP addresses. Of note, private subnets do not have a public IP address and cannot use the internet gateway directly. However, you can use a Network Address Translation (NAT) gateway, which is located in a public subnet, to give a private subnet outbound access through the internet gateway.

Elastic Compute Cloud (EC2): An EC2 is a server or virtual computing environment, known as an instance. Each EC2 instance is launched inside of a subnet. You can have multiple EC2 instances in a subnet. Each EC2 instance has its own CPU, RAM, storage, and operating system. If the EC2 instance is located in a public subnet, it will have a public IP address. Otherwise, it will have a private IP address.

  • Public IP: IP address accessible by the internet
  • Private IP: IP address used internally and not accessible by the internet
  • Elastic IP: A static IPv4 public address. You get charged if you don’t use it because they are in short supply.

Security Group: A security group acts as a virtual firewall for your EC2 instances to control inbound and outbound traffic. A security group is “stateful”: by default it denies all inbound traffic originating outside the group and allows all outbound traffic, and any response to a connection that was allowed in one direction is permitted automatically in the other. You must explicitly allow the inbound traffic you want. Of note, whenever a connection hangs, check whether the security group allows the incoming traffic from the internet.

Network Access Control List (Network ACL): A network ACL acts as a firewall for controlling inbound and outbound traffic for subnets. A network ACL is stateless, so return traffic is not allowed automatically and rules must cover both directions. The default network ACL allows all inbound and outbound traffic.

Amazon Machine Image (AMI): A pre-built image of an EC2 instance that already has an operating system (Windows or Linux) installed.

Launching an EC2 Instance: Navigate to Services => Compute => EC2 => Launch Instances

  1. Select the Amazon Linux AMI because it’s free
  2. Select t2.micro, which has 1 vCPU and 1GB of memory.
  3. Add “user data,” which is a script that runs when the instance first starts. The script below installs and starts an Apache web server:

    #!/bin/bash
    # User data runs as root on first boot (Amazon Linux): install and enable Apache
    yum update -y
    yum install httpd -y
    systemctl start httpd
    systemctl enable httpd
    # Publish a placeholder page so the instance answers on port 80
    cd /var/www/html
    echo "This is a test page running on Apache on EC2 in the AWS Cloud" > index.html

  4. Use the default storage settings
  5. Don’t add any tags at this time
  6. Add a security group by selecting “create a new security group.” Then, set the security group name and description
  7. Create/download a key pair, which will produce a .pem file.
  8. By default, all inbound traffic to the EC2 instance is blocked. Therefore, we need to configure our security group to permit traffic on port 80. To start, click on “Security Groups” from the menu
  9. Click on the security group you created in step 6.
  10. Click on “Inbound Rules,” then click on “Edit Inbound rules.”
  11. Click on “Add Rule.” Set the type to “HTTP.” Set the source to “Anywhere-IPv4” => Save Rules.
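The rule in step 11 deliberately opens port 80 to the internet; a practitioner also wants to confirm that nothing else in the account is open that wide (SSH on 22, or “all traffic”). The following Python is an added example, not code from the original post: it audits security groups in the shape returned by boto3’s ec2.describe_security_groups(), run here against constructed sample data so it works offline.

```python
# Added example (not from the original post): audit security-group inbound
# rules for anything open to the whole internet. Input is shaped like the
# response of the EC2 DescribeSecurityGroups API (what boto3's
# ec2.describe_security_groups() returns); the data below is constructed.
# Step 11 above opens HTTP (80) to Anywhere-IPv4, which is expected for a
# web server; the same source on SSH (22) or on "all traffic" is what this
# check is meant to catch.

WORLD = {"0.0.0.0/0", "::/0"}

def world_open_rules(groups, allowed_ports=frozenset({80, 443})):
    """Return (group_id, protocol, from_port, to_port, cidr) for each inbound
    rule whose source is the whole internet and whose port is not one of the
    ports expected to be public."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")      # "tcp", "udp", "icmp" or "-1" (all)
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr not in WORLD:
                    continue
                # "-1" means every protocol and port; FromPort/ToPort are absent then
                all_ports = proto == "-1" or lo is None or hi is None
                if all_ports or lo != hi or lo not in allowed_ports:
                    findings.append((sg["GroupId"], proto, lo, hi, cidr))
    return findings

# Constructed sample: the web SG from the tutorial, plus a group that also
# exposes SSH to the world and one that exposes everything over IPv6.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-ssh", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": []}]},
    {"GroupId": "sg-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for f in world_open_rules(SAMPLE_GROUPS):
        print("world-open inbound rule:", f)
```

To run it against a real account, replace SAMPLE_GROUPS with the "SecurityGroups" list from ec2.describe_security_groups().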

To allow your EC2 instance to access S3, we need to attach an IAM role to the EC2 instance. This role must contain a policy that permits the EC2 instance to access S3.

  1. Navigate to Identity and Access Management (IAM)
  2. Click on “Roles” then “Create Role”
  3. Click on EC2
  4. Add a policy called “AmazonS3ReadOnlyAccess”
  5. Name the role “S3-Read-Only”
  6. Navigate to EC2. Select the instance you just created. Then click Actions => Security => Modify IAM Role
  7. Select S3-Read-Only
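AmazonS3ReadOnlyAccess (step 4) grants read access to every bucket in the account; when the instance only needs one bucket, a policy scoped to that bucket is the least-privilege choice. The following Python is an added example, not from the original post: it writes such a scoped policy document and includes a small check that flags Allow statements using wildcard actions or resources. The bucket name is a placeholder.

```python
# Added example (not from the original post). AmazonS3ReadOnlyAccess (step 4
# above) grants read access to every bucket in the account. When the
# instance needs only one bucket, a policy scoped to that bucket is the
# least-privilege choice. build_s3_read_policy() writes such a document and
# wildcard_findings() flags Allow statements whose Action or Resource uses a
# wildcard. The bucket name below is a placeholder, not from the post.

def build_s3_read_policy(bucket):
    """Read-only policy for one bucket: list the bucket and read its objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }

def _as_list(value):
    # IAM allows a single string or a list in Action and Resource
    return value if isinstance(value, list) else [value]

def wildcard_findings(policy):
    """Return (statement index, reason) for each Allow statement that uses a
    wildcard action (e.g. "*" or "s3:Get*") or the wildcard resource "*"."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append((i, f"wildcard action {action}"))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((i, "wildcard resource *"))
    return findings

# Constructed sample: a read-everywhere policy in the spirit of the managed
# read-only policy (wildcard actions, every resource).
ACCOUNT_WIDE_READ = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                   "Resource": "*"}],
}

if __name__ == "__main__":
    print(build_s3_read_policy("example-bucket-placeholder"))
    print(wildcard_findings(ACCOUNT_WIDE_READ), wildcard_findings(build_s3_read_policy("b")))
```

Attach the scoped document as an inline or customer-managed policy on the role in place of the managed one.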

Connect to EC2 Instance:

  1. Navigate to your instance => click on the “connect” button => SSH Client => Copy the command in the Example
  2. Open a terminal on your local computer and navigate to the folder containing your .pem file. Restrict the key file to your own user (ssh refuses to use a private key that other users can read):

    chmod 400 yourFileName.pem

    Then run the copied command:

    ssh -i ...

Autoscaling: Based on your scaling policy, Amazon will add or delete EC2 instances based on the computing demand from your application. You can set the minimum and maximum number of EC2 instances. The CloudWatch service tracks performance/metrics for the EC2 instances. CloudWatch will notify the autoscaling group and the preset configuration will determine if resources need to be adjusted. For example, if a status check failed on a given instance or >80% of CPU is being used on a given instance, then a new instance will be launched.

Set Scaling Policy: We can set scaling logic to determine when the autoscaling group should add or remove EC2 instances. In the scaling group you created, navigate to the “Automatic Scaling” section then click “create dynamic scaling policy.” You can create policies based on the average CPU utilization, network traffic, or the average number of requests that the load balancer receives per target.

Application Load Balancer: All incoming HTTP traffic is routed to a load balancer. Based on availability, the load balancer will route the user’s request to a given EC2 instance. We will create a load balancer target group and attach it to an autoscaling group.

  1. Configure the load balancer. We just need to set the name.
  2. Since we are using port 80 (HTTP) instead of 443 (HTTPS), we don’t have any security settings to configure
  3. Choose the security group you created for your EC2 instances.
  4. Set the name of your target group. You’ve created your load balancer. Now, we need to create the autoscaling group to attach to the load balancer.
  5. Create a new autoscaling group, which is a group of EC2 instances. The only difference is in step 3, where we will add a load balancer and select the target group we created.

Now, you can view the rendering of the load balancer by visiting the “DNS Name” provided in the description of your load balancer.

EC2 pricing:

  • On-demand: use computing when requested
  • Spot: provides additional EC2 capacity when available at a discounted price.

Databases

DynamoDB: Non-relational databases without defined schemas.

Relational Database Service (RDS): Relational databases with defined schemas. Runs on an EC2 instance. Supports Amazon Aurora, MySQL, MariaDB, Oracle, Microsoft SQL Server, and PostgreSQL. You could launch an EC2 instance yourself and install these database servers. However, Amazon provides a managed service that automatically backs up your database and provides caching, scaling, and failover coverage. You can change your instance, but it will cause downtime.

Multi-Availability-Zone: Amazon will replicate your database in another availability zone as a backup in case your main database crashes.

Scale Out: You can create a duplicate database (in the same availability zone). The main database will handle write queries and the duplicate database will handle read queries.

Create an RDS database:

  1. Services => Database => RDS => Create Database
  2. Choose your template. In this case, we will choose the free tier
  3. Enter a name, master username, and password for your database. Note, in our case, we must choose the t2 instance since we are using the free tier.
  4. Determine if you want autoscaling
  5. Select your VPC
  6. Enable password authentication
  7. Under “additional configuration,” enter the database name and enable backups

Enable Multi AZ: After your database is created, select the database in the dashboard. Then click “modify.” Under the “Multi-AZ deployment” section, select “yes.”

Create Read Replica: This will create a new instance with a read-only version of your database. Actions => Create Read Replica

DynamoDB: A fully managed NoSQL/non-relational database. Seamless horizontal scaling. Data is replicated across multiple availability zones. The database is made up of tables, items, and attributes. To start, we will define our table name, partition key, and a sort key. The partition key is the primary key for each item in the table.

Populate table: Action => Create Item => Enter a firstname and lastname => Create Item

Populate Table with a New Attribute: One of the main differences between relational and non-relational databases is the ability to have flexible columns. When you add a new item, you can introduce a new column and DynamoDB will automatically add it to the table. In the example below, we add a new attribute called “JerseyNumber” with a value of 17. We have not created a column called “JerseyNumber,” so DynamoDB will create a new column with this name and set the value of this item to 17. The rest of the items will not have a value. Relational databases will throw an error if you try to add an item with a column that doesn’t exist.

View Item: You can view the item that you created in your table by going to Items => Database name
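The flexible-attribute point above is easiest to see in the item format DynamoDB actually accepts. The following Python is an added example, not from the original post: it marshals plain dictionaries into the attribute-value shape that boto3’s low-level client.put_item(Item=...) takes, using constructed rows and assuming “firstname” is the partition key and “lastname” the sort key, as in the table created above.

```python
# Added example (not from the original post): marshal plain Python items into
# the attribute-value format DynamoDB's PutItem API expects (the shape boto3's
# low-level client.put_item(Item=...) takes). It shows the point made above:
# the second item carries a JerseyNumber attribute the first item lacks, and no
# table change is needed. The names and rows are constructed sample data.

from decimal import Decimal

def to_attr(value):
    """Convert one Python value to a DynamoDB AttributeValue."""
    if isinstance(value, bool):              # before int: bool is an int subclass
        return {"BOOL": value}
    if value is None:
        return {"NULL": True}
    if isinstance(value, str):
        return {"S": value}
    if isinstance(value, (int, float, Decimal)):
        return {"N": str(value)}             # numbers travel as strings on the wire
    if isinstance(value, bytes):
        return {"B": value}
    if isinstance(value, list):
        return {"L": [to_attr(v) for v in value]}
    if isinstance(value, dict):
        return {"M": {k: to_attr(v) for k, v in value.items()}}
    raise TypeError(f"unsupported attribute type: {type(value).__name__}")

def to_item(record):
    """Marshal a whole item (its top-level attributes) for PutItem."""
    return {k: to_attr(v) for k, v in record.items()}

# Constructed rows following the tutorial: partition key firstname, sort key
# lastname; the second row introduces the new JerseyNumber attribute.
PLAYERS = [
    {"firstname": "Alex", "lastname": "Lee"},
    {"firstname": "Sam", "lastname": "Park", "JerseyNumber": 17},
]

if __name__ == "__main__":
    for row in PLAYERS:
        print(to_item(row))
```

Each marshalled dict can be passed directly as the Item argument of client.put_item together with the TableName.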

AWS CloudFormation: Describe what you want in a template and AWS will build it. Using code written in a JSON or YAML template (infrastructure as code), you can deploy any AWS service. You define the infrastructure in the template. To get started, go to Services => Management & Governance => CloudFormation

  • Here is a simple .yml template that will create an EC2 instance:

    Resources:
      MyInstance:
        Type: AWS::EC2::Instance
        Properties:
          AvailabilityZone: us-east-1a
          ImageId: ami-0a887e401f7654935   # AMI IDs are region-specific; this one must exist in us-east-1
          InstanceType: t2.micro

  • Here is a simple .yml template that will create an S3 bucket. Make sure to empty any content inside of the S3 bucket before deleting the stack.

    Resources:
      DigitalCloud:
        Type: AWS::S3::Bucket
        Properties:
          AccessControl: PublicRead   # every object becomes world-readable; only use for a public static site
          WebsiteConfiguration:
            IndexDocument: index.html
            ErrorDocument: error.html

  • Upload this .yml file as your template. You can view the outcome of your template by clicking “view in designer.”
  • Populate the name of the stack
  • You can leave the fields as-is. Then, “create stack.” A new EC2 instance will be launched in your specified region. When you delete the stack, all of the launched services will be deleted.

AWS Elastic Beanstalk: Platform as a Service (PaaS). Beanstalk runs the underlying infrastructure. The developer just needs to provide code, and Beanstalk will configure the entire infrastructure; the developer never configures the EC2 instance, manages the load balancer, or creates an S3 bucket.

  • You will enter the name of your application. Then, you will select the platform (e.g., Node, PHP, Python, Docker) and upload the code for your app.
  • When your app is finished deploying, you’ll see the environment dashboard. You will now be able to upload new code and redeploy the app.

Continuous Integration: The developer pushes code to a repository. Then code is built on the server. If the new code passes the necessary tests, it will be deployed. This process can be handled by AWS CodePipeline.

AWS CodeCommit: Code repository similar to GitHub. Go to Services => Developer Tools => CodeCommit. Then go to Source => Repositories => Create Repository

  • Create a repository
  • Navigate to the repository you just created and copy the git clone command shown there. Assuming you have git installed on your computer, run this command in your terminal. You will be prompted to enter a username and password. Proceed to the next step to find the username and password.
  • In the IAM console for your user, generate Git credentials (HTTPS) for CodeCommit. Enter the generated username and password at the prompt.
  • Copy some code files into the folder you created. Then enter the following git commands into your terminal to push the code to AWS CodeCommit:

    git add .
    git commit -m "first commit"
    git push

  • The files will now appear in your AWS repository.

AWS CodePipeline: Automates the build, test, and deploy process described above. Go to Services => Developer Tools => CodePipeline. Then go to Pipeline => Pipelines => Create Pipeline

Step 1: Enter a name

Step 2: Select AWS CodeCommit as the Source Provider because that’s where our code is. Select the repository name (“mysourcerepo”) we created. The default branch name will be “master.”

Step 3: Skip this step

Step 4: We must determine where our code will be deployed. In our case, our app is located on AWS Elastic Beanstalk (it could be on EC2, AWS CloudFormation, etc.). Then, select your application name.

Finished: Now, whenever you push code, the new code will automatically be deployed to the server.

AWS CodeStar: CodeStar will manage all of the deployment services. Without much configuration, CodeStar will create a Lambda function, IAM roles, a CodePipeline pipeline, a CodeDeploy application, a CodeBuild project, a CodeCommit repository, a CloudFormation stack, and an S3 bucket. Go to Services => Developer Tools => CodeStar => Create Project

Step 1: Allow AWS to create a role for the project and choose a template

Step 2: Enter a name for your app and select a repository

Finished: You can view the deployed application by clicking on “view application.” You can also take a look at all the resources that CodeStar created for you, and see that CodeStar set up an automated pipeline.

Lambda / Serverless: There is no underlying infrastructure that you need to configure. The app’s code is in a Docker container. A “task” runs the Docker container. “ECS Services” are used to manage the tasks. These services are grouped in a “Cluster.” Services => Containers => Elastic Container Service (ECS) => Create Cluster

Pay structure:

  • Pay as you go
  • Reserve: You can establish a term (e.g., 1 year)

Misc Terms:

  • Multitenant vs. Dedicated Host: sharing a physical server with other tenants vs. having a server to yourself.
  • AWS calculator: based on your setup, estimates what your cost will be.
  • Billing Alarm: alert when you are about to get charged
  • AWS CloudWatch: monitors how much AWS you’re using. You can set up alarms here for billing, usage, and other metrics.
  • AWS SNS (Simple Notification Service): sends notifications, such as email, from other services and alarms
