AWS Certified Solutions Architect Associate 2023 | Learn AWS Free | AWS Full Crash Course
Aug 16, 2023
In this video, AWS Certified Solutions Architect Associate 2023 | Learn AWS Free | AWS Full Crash Course, we provide a free AWS certification course online. Certification is part of the process of building a great cloud architect career, and this video will help you obtain the AWS Solutions Architect certification and prepare for the AWS SAA-C03. Get our updated FREE AWS Exam Guide https://gocloudcareers.com/updated-cs … This guide should be used together with this free AWS certification training and AWS Certified Solutions Architect course. Get the Free AWS Lab Demos https://www.gocloudarchitects.com/for … Register for our next free webinar to learn more about how we prepare you to become the ultimate cloud architect: https://my.demio.com/ref/01ppStEkIUVx … If you are looking for a free AWS certification course online to learn AWS free, then this AWS Certified Solutions Architect course is for you. At Go Cloud Careers and Go Cloud Architects we do everything we can to help people build a cloud architect career. We provide AWS career tips, cloud architect training, free AWS certification training, a free AWS certification course online, a cloud computing architect course, an AWS cloud computing full course, and a full and FREE cloud computing complete course. This AWS certification course online (SAA-C03) is a FREE AWS full course tutorial. This is a complete AWS Certified Solutions Architect Associate training program.
Topics covered in this video include:
00:00 - Introduction
8:25 - Regions, AZ, Local Zones, Edge Locations
22:11 - VPC
24:05 - Hybrid cloud, pure cloud, multi-cloud environment
30:20 - Connecting to the cloud (Direct Connect, VPN)
1:02:15 - Link Aggregation Groups
1:04:18 - Storage (Object, Block, File)
1:18:30 - S3 (Simple Storage Service)
1:39:35 - Instance Storage
2:04:33 - Transfer Your Data to AWS
2:21:50 - Computing on AWS
2:52:01 - Databases
3:21:38 - Database Optimization
3:53:37 - Basics of Networking
4:12:00 - Routing Tables / Routers / IGW, Elastic IPs and More
4:39:20 - VPC Endpoints (Gateway Endpoints), VPC Peering, CloudHub, and More
5:02:06 - Access Control Lists, Security Groups, and More
5:23:26 - DNS and Route 53
5:50:18 - Load Balancers
6:02:00 - Security Responsibilities, IAM, and More
6:29:10 - Cross Account Roles, Managed Policies, MFA, Identity Federation, and More
6:50:33 - Firewalls, CDN, Security Hub, GuardDuty, and More
7:13:33 - AWS Services
7:41:35 - More AWS Services
8:06:07 - Even More AWS Services
8:34:53 - Even More and More AWS Services
8:57:17 - Still More AWS Services
9:25:15 - IoT Services
9:52:07 - Building High Availability Systems, Passing the Exam and More
Topics covered in this video include:
The AWS Cloud and How It's Organized
Direct Connect
Public and Private Virtual Interfaces (VIF)
Direct Connect Gateway
Link Aggregation Groups (LAG)
Virtual Private Networks (VPN)
AWS Primary Storage Options
Elastic Block Storage (EBS)
RAID
Elastic File System (EFS)
AWS Storage Gateway
Amazon FSx for Windows
Amazon FSx for Lustre
EC2
Amazon Machine Images (AMI)
Autoscaling
Instance Purchasing
Tenancy Options
Securing EC2
Relational Databases
NoSQL Databases
Data Warehousing on AWS
Data Lakes
AWS Glue
Database Migration Tools
Internet Gateways
NAT Instances
NAT Gateway
Endpoints
VPC Peering
AWS CloudHub
AWS Transit Gateway
AWS Transit VPC
Network Access Control Lists (NACL)
Security Groups
Amazon Web Application Firewall (WAF)
AWS Firewall Manager
AWS Shield
AWS Service Catalog
AWS Systems Manager Parameter Store
AWS Macie
AWS GuardDuty
AWS Inspector
AWS Security Hub
AWS Simple Queuing Service (SQS)
Amazon MQ
AWS Simple Notification Service (SNS)
AWS Simple Workflow Service (SWF)
AWS Elastic Map Reduce (EMR)
AWS Kinesis
AWS Managed Streaming for Apache Kafka
Amazon OpenSearch
AWS Elastic Container Service (ECS)
AWS Elastic Kubernetes Service (EKS)
Amazon EKS Distro
AWS EKS Anywhere
AWS Elastic Beanstalk
Amazon Elastic Container Registry (Amazon ECR)
AWS CloudWatch
AWS Config
AWS CloudTrail
AWS CloudFront
AWS Lambda
AWS Lambda@Edge
AWS Step Functions
AWS Forecast
AWS Rekognition
Amazon Elastic Transcoder
Amazon Textract
AWS Comprehend
AWS Translate
Amazon Polly
AWS Kendra
AWS Amplify
AWS CloudFormation
AWS Proton
VMware Cloud on AWS
AWS Certificate Manager (ACM)
AWS App Discovery
AWS AppSync
Amazon AppFlow
AWS Cloud9
AWS CodeArtifact
AWS CodeStar
AWS Data Exchange
AWS Device Farm
AWS Global Accelerator
AWS License Manager
AWS Managed Grafana
AWS Wavelength
AWS Well-Architected Tool
AWS Compute Optimizer
AWS Outposts
AWS X-Ray
AWS Service Quotas
Alexa for Business
AWS IoT Device Management
AWS IoT Core
AWS IoT Analytics
AWS IoT Events
AWS IoT Graph
And More
Learn About Our Cloud Architect Career Development Program: https://gocloudcareers.com/cloud-arch … Mike Gibbs LinkedIn Page: https://www.linkedin.com/in/michael-g … #cloudarchitect #cloudcareer #cloudjob
Content
19.02 -> Hello, my name is Richard, and I can say I am cloud hired. That, yes, go my choice and
27.61 -> get cloud hired. I'm cloud hired. I'm cloud hired. I'm cloud hired. Hey, Go Cloud Architects
36.04 -> family, I'm cloud hired. Oh, phone. Hi, guys, say I'm cloud hired. I'm cloud hired. I'm
47.2 -> cloud hired, thanks to Go Cloud Architects. It worked for me and now I'm cloud hired,
52.05 -> because of the Go Cloud Architects program, I am cloud hired. I am cloud hired. Thank
60.329 -> you, Mike, and the Go Cloud team.
68.8 -> Welcome, everyone, to our AWS Certified Solution Architect 2022 course. My name is Michael
79.03 -> Gibbs, and I'll be your instructor throughout this session. I've been working now in tech
83.36 -> for well over 25 years. I've been an architect for over 25 years now. And I want to help
88.58 -> you get cloud hired. That's everything we do: we get cloud hired. We have a lot of free
93.21 -> things that we're going to talk about at the beginning of this course, to not only make
96.38 -> sure you can easily pass the AWS Solution Architect certification, but you'll be prepared,
103.02 -> and better prepared, for knowing how the technology works, how to apply the technology, and to
107.549 -> some degree, what's going on under the hood. And this is an AWS full course tech talk tutorial.
115.17 -> And the reason we do free AWS certification training is as follows. We saw the courses
120.72 -> that were out there; they were purely the name of the service and how to configure that
125.299 -> service. But the problem is, solution architects and cloud architects don't configure anything;
129.71 -> it's all about designing, and you can't design what you don't understand. So we're going
134.14 -> to make sure you understand things very, very well. And that's why we do this free AWS
141.26 -> course, to build your cloud architect career. We'll talk about, I'm sure it'll come up, some
145.69 -> AWS career tips. This will prepare you for the AWS SAA-C03 exam, the brand new exam;
154.12 -> we've fully updated to take care of all the things in the new course. And this is an AWS cloud
159.739 -> computing full course, and a cloud computing complete course, as it relates to the AWS
164.9 -> Certified Solution Architect Associate. We want to make sure that all of you get cloud
169.04 -> hired. I've got a student in my clinic, a tech career development program, that gets
172.519 -> hired basically every single day. And my favorite thing in the world is when someone
177.12 -> gets cloud hired. I want to help anyone in the entire world that wants to get a cloud
182.989 -> architect job, a solution architect job, get cloud hired. Anybody that wants to earn
187.099 -> more in tech, I want to help them do it. And I'm here to help you all get cloud
191.239 -> hired. Give me a hashtag, AWS cloud. And then let me tell you about all the really great
198.04 -> free things we're going to be doing along with this bootcamp to make sure you can easily
202.26 -> get cloud certified, because the AWS Certified Solution Architect Associate should be very
206.379 -> basic and easy after this course. But I also want you to learn. My team has completely
213.22 -> updated, and will tell you more about it next week, but you can be the early adopter for
217.519 -> right now, our AWS Certified Solution Architect Associate and Professional Exam Guide. We've
223.97 -> had about 100 authors put this book together, with hundreds of years of total technology
229.67 -> experience, and I want you all getting cloud hired. And that's why we're doing this. So
234.099 -> please give me that AWS cloud hashtag. Now, so we can focus on making sure you understand
242.14 -> the technology. What is the technology? How does it work? How does it benefit the customer?
247.78 -> Because you're going to need that in a cloud architect interview or a cloud engineer interview;
251.98 -> they're not going to ask you to go configure something or the steps, but what they will
255.37 -> ask you is how the tech works and how to apply it, and I want to make sure that you're
260.561 -> prepared for solution architect interviews and cloud architect interviews. So here's
265.33 -> what I want you to do. Download the completely free labs, or sign up for the completely
271.38 -> free AWS lab demos. The link is in the description below. And in the description below, you can
277.97 -> download those free lab demos, and that way you can do hands-on practice. I'm going to
283.35 -> be focusing my time with you on making sure you understand the tech, because I taught an
288.44 -> eight-year-old how to configure an EC2 instance in less than three minutes. I taught
293.45 -> that same eight-year-old how to do an S3 bucket in less than five minutes, and
298.34 -> nobody's gonna hire you just for those. They're gonna want to know that you have it
301.47 -> in your head, you understand what the solutions are, and how they can impact business. So
305.79 -> we're gonna have a lot of fun. So please download the free lab demo videos, sign up for them,
310 -> and do that on your own time. Now, this Thursday, we're going to have a completely free webinar
316.55 -> on how to get your first cloud architect job. And in that, I will tell you everything you
322.32 -> need to know to get hired. And while we're at it, we've got a lot of free things coming
328.289 -> up very, very, very soon. So many things: we've got executives coming from Nvidia to
334.93 -> talk to you about what they want from hiring people. We'll always have more solution architects
340.99 -> come and talk to you. I interview CEOs constantly on what they want as part of digital transformation.
348.34 -> So you know, sign up to our email list, so you can find it. Really, if you can all give
354.57 -> me a hashtag AWS Certified Solution Architect Associate, we're going to begin the class;
360.13 -> we're going to have lots of fun. Now, I would never, ever, ever give you a class which is
364.78 -> PowerPoint, bla bla bla in the background; we would never do it. We're going to do live
369.63 -> training for 20 minutes. Then after that, you know, we're gonna answer your questions.
374.75 -> Why? Because I want to make sure that you're skilled, you've got knowledge and capabilities,
379.539 -> so you can have the absolute best cloud computing career in the world. We will cover all the
385.58 -> recent updates in the Certified Solution Architect Associate. We will also include
391.039 -> much of the AWS Certified Solution Architect Professional in the same boot camp, because
396.62 -> the associate's just not enough, and I want you to have much more competency and much
401.35 -> more knowledge. And that's why I'm focused on having you download, or at least sign up
406.79 -> for, the free labs, which you can do on your own, and making this time a real classroom
411.13 -> where you can actually learn. I used to take these courses constantly; they were three
416.28 -> to $5,000 for the week for the ability to ask questions. And that's why I'm doing it
419.88 -> completely free, because I know most people can't afford the kind of training they need.
423.509 -> And I don't want them getting something off of Udemy which is taught by somebody that's
426.849 -> never done the job before. I've done it for 25 years, and I will help all of you to get
430.85 -> cloud hired. So that's why we're going to cover this this week. We're going to start
434.32 -> by having a lot of fun. So this week, we're going to be covering the AWS Certified Solution
440.961 -> Architect Associate. This is a free AWS course to help with your cloud architect career;
446.21 -> we'll cover AWS career tips and Clinica tech training, which is different than Certified
450.09 -> Solution Architect Associate training. But you know, we're here at Go Cloud Architects
453.879 -> and Go Cloud Careers to help you get cloud hired. So we'll begin. Just to let you guys
460.74 -> know, it costs about as much as a new car to produce one of these things, by the time we
466.07 -> take into account all the team members that we have and all the work they're doing.
471.06 -> And we're going to do it for you to make sure you get hired. So if you think anybody needs
475.34 -> help, guess what, send them a tweet, make a LinkedIn post, and invite them to this free
481.97 -> training. While we're at it, please subscribe and hit the bell on our channel, because you're
487.6 -> going to hear a lot about new things. Like tonight, we're going to talk about how
490.81 -> to optimize and get hired for cloud architects, versus how to get hired and optimize your
495.35 -> career for cloud engineers, because the careers are so different. Most people confuse them,
500.02 -> and that's why they can't get hired. So we're gonna be talking about that tonight to help
503.74 -> you build the best cloud computing career. But let's begin. We're going to begin with
509.93 -> the AWS cloud and how it is organized. So to begin, let's talk about the AWS cloud organization.
519.56 -> The first thing we're going to talk about is the AWS region. Now, what is the AWS region?
528.019 -> Think of a massive geographic area, like a continent, or part of a continent. So this
535.32 -> big global area, that's what a region is. And then we're going to be talking about availability
543.11 -> zones. And guess what, they are nothing more than a simple data center. So you're gonna
546.87 -> have a big giant geographic area, and inside of these big giant geographic areas, what
552.089 -> are you going to have? Data centers. In the data centers, you're gonna have servers and
558.3 -> storage, physical load balancers, you're gonna have firewalls, routers and switches, guess
563.88 -> what? The same thing that you have in every other data center. Now what the cloud is, really,
571.19 -> it's just renting space in somebody else's network in a data center. It's all been virtualized
574.579 -> for you. It's nothing more than that. That's why all clouds are the same. Now, when we
580.029 -> teach this course, we're going to try in many cases to teach the generic technology so you
585.26 -> know how to work with AWS, Azure, Google, Alibaba. It doesn't matter, if you understand the cloud,
591.33 -> you understand. We'll also talk about
598.36 -> local zones, and we'll show how that can reduce latency and improve performance, and I'll
602.42 -> show you exactly what that looks like. And we'll talk about edge locations as it pertains
607.529 -> to the AWS content delivery network called CloudFront. So let's visually look at this for
614.05 -> a minute. Here, what you can see is the AWS cloud and how it's organized. You can see
618.649 -> this big, beautiful green box, which was drawn by my team, and how that represents, you know,
625.1 -> a geography, like a whole continent or part of the continent.
626.63 -> Now, the next thing we'll actually talk about is those availability zones. And you can see
633.64 -> in this diagram, what do we have? We have these availability zones that are connected
638.25 -> to each other with links. What do you think those links are? Network links, most likely
643.16 -> fiber optic links, multiple fiber optic links, 10 Gig links, 100 Gig links, and Link Aggregation
648.63 -> Groups, or port channel, EtherChannel, whatever terms you want to call it. Same kind of concept:
654.07 -> we're bundling multiple links together. These links are going to be in a highly redundant
657.71 -> manner. And there's going to be some routing in between the availability zones, and of
662.631 -> course, routing between regions as well. So now you can see: region, large geographic area;
668.35 -> data center, availability zone. What's a data center again? It's just a, it's a room full
673.24 -> of routers and switches and servers and storage and load balancers and firewalls,
679.2 -> etc. So now, while we're at it, let's talk about the concept of local zones and what
689.67 -> it is. Now, when you want the most high performance in the world, you can't use the cloud. I'm
696.9 -> gonna say this again: if you're looking for ultimate peak performance, you can't use the
702.45 -> cloud. See, in the data center we can do many more things on the network; we can actually
707.92 -> lock down our networks and make them more secure if we need to. But, you know, keep
713.5 -> this in the back of your mind, that the data center will always perform better. Why? Because the
717.91 -> storage we have in our data center is going to be far faster than block storage, because
to be far faster than block storage, because
721.79 -> there's the latency on the wire to take you
to the cloud provider. So imagine that you
728.2 -> have a direct connection or a private line
to the cloud. Basically, it's some kind of
732.24 -> like a wire just sort of like my iPhone cables
here. Now what happens, it takes time to transmit
737.779 -> your information over the wire, and we're
talking about milliseconds. Now, that's okay.
744.009 -> Right for normal things, yes, it is. But there
are applications where a nanosecond can be
751.07 -> a competitive business advantage. And when
you deal with that, for example, and nanosecond
756.69 -> being a competitive advantage, it makes things
on the cloud being impractical. So that's
761.07 -> why they're coming up with local zones, which
are still never going to be as fast as your
766.389 -> own data center. But it's a midpoint. And
I'll show you why. A local zone is an extension
772.35 -> of the region. So you can run latency sensitive
applications closer to you, the user, it enables
779.24 -> you to put your computing power closer to
the users will happen if you first have to
785.04 -> up and down local zones, then you're going
to create a subnet in the local zone. Of course,
789.34 -> in your subnet, that's where you're going
to place your systems, your virtual machines
793.029 -> otherwise known as you see two instances,
your load balancers, you could be putting
797.09 -> your containers like elastic Kubernetes service,
or any kind of container orchestration you
802.19 -> put there, the elastic container service Kubernetes
service, we'll talk about why you probably
806.04 -> don't want to use the elastic container service
as we go through this, and why the Kubernetes
809.959 -> environment is much better, but you can still
use both. Now there are some local zones that
816.28 -> are gonna offer even more resources to like,
fought the, like Elastic MapReduce, if you're
824.38 -> trying to do some mapping and reduction in
to create a data lake for example, or change
829.06 -> information between databases, elastic cache,
which has some basic caching, which we could
833.55 -> talk about, of course, you could build your
own Redis Cache and not avoid and not use
836.73 -> a period, rds systems and even dedicated hosts.
So that's what we're really, really talking.
843.55 -> So what's it look like architecture, I'm going
to show you this, and I'm going to draw it
846.209 -> out for you to make sure it makes more sense.
Local zones are realistically this way, again,
852.6 -> we've got this giant green box, this large
geographic region, in this region, that's
858.32 -> where the majority of our systems are gonna
be. We're gonna have little data centers.
862.26 -> Now, these local zones are effectively data
centers in between your data centers, I'm
867.279 -> going to do this, I'm going to map it out
with you real time. So you truly understand
871.25 -> this. Sometimes I just love using the whiteboard.
So let's look at it this way. So you can understand
876.37 -> that in a traditional environment, you're in your data center, and everything
880.721 -> works great in the data center. But if you want to use a cloud, and the cloud is nothing
886.081 -> more than somebody else's data center, well, this is the AWS cloud; it could be any cloud for
891.05 -> that matter. What happens, as I mentioned before, is you've got this latency over your networking.
898.11 -> And that latency could be too much for the business application. So what a local zone
903.149 -> really is, is a mini AWS data center between you and the cloud. We'll call it AWS local
910.649 -> zone, mini data center. And actually, it's not that mini. And what happens is, we call it
921.05 -> a local zone because we can put our latency sensitive things in between our data center
931.38 -> and AWS, in the local zone. And then of course, you know, the local zone and all
936.3 -> these other things will basically have communications, which will be backhauled back into the cloud.
940.402 -> And in this manner, you can actually put your low latency things closer to you. Of course,
947.649 -> if you're looking for the ultimate in availability and the ultimate in performance, we can get
952.38 -> rid of all this edge location stuff and just keep our critical applications in the data
956.68 -> center, and latency sensitive and critical applications in the data center, and then use
960.64 -> the cloud. Or we could take advantage of a local zone; there's benefits and detractors
964.779 -> to each. That's the kind of thing we could cover in our cloud architect career development
968.75 -> program. But, you know, there's lots of reasons to know how and when and where to design systems.
975.269 -> But this week, we're focusing on certifications. So that's what a local zone is. Now let's
981.579 -> talk about an edge location. The edge locations are for the CloudFront content
987.639 -> delivery network. And realistically speaking, edge locations are basically going to provide
995.49 -> user access into the content delivery network. Now we will go into depth on CloudFront,
1001.839 -> and we will talk more about content delivery networks as the time progresses. But because
1006.27 -> right now we're talking about the AWS cloud and how it's organized, we talked about regions
1011.29 -> being a large geography, data centers being called availability zones, the data center
1016.91 -> between you and the cloud provider being called the local zone, and it's just another data
1020.64 -> center, nothing else. I think that's it. Now let's talk about these edge locations. So
1028.16 -> many of you, when you go to the internet, let's say you wanted to go to www.gocloudcareers.com,
1035.699 -> what would happen is your computer will then do a DNS lookup to see who has the IP address
1040.77 -> of www.gocloudcareers.com. Then what would happen is the DNS server would give you the
1047.089 -> IP address, then your system would look at its routing table; it would find its default
1051.28 -> router, and it would do an ARP: who has the MAC address for www.gocloudcareers.com?
1056.96 -> And then the packet would be sent to the upstream router. Now let's add a content delivery network.
1061.289 -> If you're in Athens, Greece, where I'm from, for example, or where you are
1066.67 -> in Alexandria, Virginia, or if you're in Cambodia, Cameroon, or Chicago, basically, you would
1073.46 -> have to be accessing the network over the internet, coming back to my website. The problem
1080.429 -> is as follows. There's latency going from point A to point B, and the latency may kill
1087.94 -> your users' experience. So a content delivery network, and I'm going to show you how this
1092.49 -> works in a minute, is going to make your content closer to the users, so the users have a better
1097.96 -> experience. Now, edge locations are where AWS puts its content caching and its private
1104.83 -> network. And I'll show you exactly what that looks like. It's really, for those of you
1108.919 -> that are new to cloud but have worked in networking, it's essentially called the point
1112 -> of presence, where lots of people do their BGP peering and they connect to each other,
1116.46 -> for example. Edge locations will increase performance and reduce latency. And key, it's
1123.83 -> not just related to traffic going across the internet, in using caching.
1132.46 -> It's by using a private network and also how... and let's look at what this actually is going
1137.409 -> to look like. First, I'll show you architecturally and then I'm going to show you the user experience.
1142.74 -> Architecturally, here's what the AWS cloud edge locations actually look like. Now, when
1155.11 -> we're here, you can see that we've got this large region; you can see the data centers
1160.059 -> or availability zones in this region. And then you can see these edge locations. This
1165.39 -> is where your content is cached. Now let's take it, for an example of reality, in real
1170.309 -> life, what's it going to look like? And how does this work? Let's say we have the nice
1175.45 -> happy blue user, the one in the upper right hand corner of the screen. Now this user is
1183.169 -> my wife. And she's there and she wants to go to www.gocloudcareers.com.
1192.22 -> So what does she do? She goes and types that into her browser. Now what ultimately happens
1198.32 -> here is as follows. If no one that day has requested information from www.gocloudcareers.com,
1206.71 -> the blue user will hit that edge location, the edge location won't have any
1211.309 -> information, the edge location would then send that information to the regional cache,
1215.909 -> which has no information, and then the traffic will be sent to the AWS source. And
1221.98 -> whether it's a static website, static files, which are in object storage like AWS S3, or
1227.44 -> a dynamic website, which has got things that are going on on our virtual machines, otherwise
1231.33 -> known as our EC2 instances, what will happen is the user will go to the edge location,
1236.841 -> the edge location will take them right off the public Internet and onto the very fast
1241.159 -> AWS private network, the source will answer, it'll hit the regional cache, the information
1246.409 -> will be stored, it'll hit the edge location, the information is going to be stored. And
1251.65 -> there you go, you've got your user. Now the next, let's say I go to the same place, right
1259.351 -> after my wife went to Go Cloud Careers. And now I represent the second blue user in the
1264.78 -> upper right hand corner. Now I type www.gocloudcareers.com into my browser, my request
1271.02 -> gets sent to the edge location, the edge location sends immediately back to me; it's cached.
1276.309 -> And by doing this, we've got a lot of benefits. And here's the reason why. First,
1281.08 -> the web servers don't have to keep answering the request. Gotcha, gotcha. So we've
1285.68 -> reduced load on the web servers. Now next, let's think about this. The web servers' load
1290.85 -> is reduced, but the latency is reduced because the content is already there. Now we'll talk
1296.77 -> about later how a content delivery network can really reduce costs. And content delivery
1301.58 -> networks can work very, very, very well to protect against DDoS attacks, or distributed
1308.57 -> denial of service attacks. And when we talk about CloudFront and preventing DDoS, we'll
1314.159 -> talk about exactly why content delivery networks are good. Although, generally speaking, you should
1318.529 -> use more than one content delivery network, just like you should use more than one cloud. We'll talk much more about that later.
1328.71 -> So now, actually, let's talk about the VPC and what it is. So when you deal with
1339.559 -> AWS, you're going to be dealing with something called a virtual private cloud. Now, I've
1344.69 -> built lots of private clouds; every student in our cloud architect career development
1350 -> program builds a cloud from scratch. You can't be a cloud architect if you don't know how
1354.13 -> the cloud's designed. So all my students build a cloud. Now, what is a virtual cloud? So
1360.25 -> basically, here's what you need to understand. You need to understand that the cloud is just
1365.48 -> a data center and a network, and it's nothing, nothing, nothing more. They're nothing more
1370 -> than a network and data center. The virtual private cloud is, they sell you virtual access
1374.85 -> to the data center, kind of like if you checked into a hotel. You can consider the hotel to
1379.549 -> be the data center. Each room, you could look at as your VPC or your virtual private
1384.69 -> cloud. It's your space in a public environment. Now, your space is safe and secure inside
1390.58 -> of this public environment. But you have to understand, it's just your space. So let's
1395.31 -> talk about what that means. Let's, let's actually
look at it architecturally. So you can see,
1400.049 -> sometimes visual images are helpful. Here
we go. In this environment, we've got the
1404.53 -> AWS cloud, which is nothing more than a bunch
of data centers. Okay. That's it that are
1410.77 -> networked together. And inside of these data
centers, you carve out your private space.
1415.82 -> For example, we've got VPC one, which was
blue, we've got the VPC two, which is green,
1421.46 -> VPC three, which is red, and VPC four, which
is yellow, all isolated from each other, all
1429.22 -> on the same cloud. And there's lots of reasons
why cloud computing can be beneficial. And
1434.71 -> we'll be talking about them throughout the
week when we go into auto scaling and other
1439.09 -> things that makes the cloud more agile, which
makes it potentially able to perform some
1443.74 -> wonderful digital transformation. And we're
gonna talk about some basic cloud architectures.
1449.73 -> We're going to talk about hybrid cloud. Then
we'll talk and we'll talk then we'll talk
1454.46 -> about a pure cloud. And we'll talk about multi
cloud and their strengths and weaknesses for
1458.789 -> every one of these things. Let's first begin
with the hybrid cloud. If you want the best
1466.01 -> performance, and the highest availability,
you're interested in a hybrid cloud, what
1471.669 -> is a hybrid cloud? Hybrid Cloud is when an
organization keeps its data center. And they
1478.08 -> connect that data center to the cloud. No,
most of the time in a hybrid cloud environment.
1483.82 -> We install like an IBM OpenStack or a Nutanix
cloud on these private data centers, and we
1490.659 -> get our own beautiful high performance agile
cloud. And then we can still connect to the
1496 -> public cloud. We can connect to the public
cloud for you scalability as needed. And we
1502.78 -> can use the public cloud for what it's good
for agility, auto scaling, and all these other
1508.169 -> wonderful things. But we still have ours.
This way, when the next time a cloud provider
1515.799 -> has a power failure. Now, their power failures
can really take out the cloud, or somebody
1520.169 -> makes a BGP misconfiguration, or the next
time a cloud is hacked. Now, trust me,
1524.86 -> we've had plenty of cloud hacking over the
last few years. Some customers have been honest,
1529.34 -> some cloud providers have been honest about
it. Other ones have had outages that are unexplainable,
1533.79 -> who knows, but the point is, a cloud provider
can go down, hybrid cloud can stay up, and
1540.27 -> you're still in business. So let's talk about
when that's valuable. Well, imagine you've
1544.66 -> got a hospital, if you only stuck them on
one cloud, and the cloud went down because
1548.34 -> of a security event, a network event, or
control plane failure, then you're still up
1553.95 -> and imagine a hospital where they're all in
one cloud, cloud goes down, patients die.
1559.02 -> So that's what we need to be very mindful
of architecturally. Hybrid clouds, I love them.
1562.01 -> Hybrid clouds can enable the low latency,
ultra performance in the data center, and
1569.14 -> can allow you to scale to one two or three
more clouds. And by doing so, you're
1574.741 -> in a beautiful position. So a hybrid cloud
is ideal for an organization that's got a
1579.54 -> current data center that's being well run
with modern equipment, or somebody
1585.57 -> that needs ultra performance, or ultra high
availability, like a hospital or a bank. Architecturally,
1593.51 -> what's a hybrid cloud look like? It looks
just like this. I'm a huge fan of hybrid clouds.
1600.32 -> I've been helping many people with hybrid
clouds for as long as I can remember. And
1605.6 -> realistically speaking, the organization's
got their data center, they've got a private
1609.169 -> line or some connection to the cloud. And
then they use multiple availability zones
1613.299 -> in the cloud. And if that link goes down,
or the data center goes down, you
1617.35 -> still have the cloud, lots of survivability,
potentially huge improvements in cost performance,
1623.029 -> especially for applications that are running
24 hours a day, seven days a week under high
1626.79 -> load, they may be cheaper in the data center,
where other applications may be much cheaper
1630.98 -> in the cloud. And that's why the architects
need to look at the business requirements
1635.12 -> as opposed to what's taught in the certification.
So let's talk about the next kind of cloud
1641.15 -> architecture. This is a pure cloud environment.
Now, the here's the thing with the cloud,
1646.59 -> you don't have to buy anything except for
your routers. And in some cases, that's a
1651.21 -> great thing. Now, it may be more expensive
to be on the cloud, but it may be cheaper.
1657.5 -> Again, it depends exactly on the use cases.
But let's say it's a brand
1665.71 -> new organization. And they don't have the
capital resources to build their own data
1670.44 -> center. They can go straight to a cloud, they
can build their startup things. The cloud
1676.02 -> will give them scalability, rapid deployment,
enabled them to connect a partner organizations
1682.559 -> and create a really distributed environment.
And guess what, I hope that once the availability
1689.37 -> needs become greater, once the business gets
bigger, you may need multi clouds
1693.79 -> or a hybrid cloud. Because a single cloud
has a single point of failure, no matter
1698.71 -> how many availability
zones and regions you use. And we've seen this
1703.98 -> with every cloud provider, that's not a major
outage. But you know, here's what a pure single
1708.529 -> cloud environment would look like. We never
recommend a single cloud except for small
1712.61 -> businesses, where availability is not critical.
But we'd never recommend something like
1716.529 -> this for a bank or health organization. So
let's look at this. We've got in this environment,
1727.049 -> our organization, we've got our connectivity
to the cloud. And with that, we can show that
1735.169 -> our data centers are up and running. And that's
how we do this. Okay, let's talk about connecting
1746.769 -> to the cloud. Connecting to the cloud.
1752.89 -> Oh, sorry, that's the timer. Mike. You got
good timing.
1761.99 -> Okay, sounds good. So,
1763.99 -> let's ask for a hashtag in the chatbox. Give
me if they're having fun that is, if
1769.15 -> you're having fun, give me a hashtag AWS Certified
Solution Architect Associate.
1775.87 -> I'm not the Cookie Monster. I don't know if
I can spell that long word.
1783.23 -> of you guys can give me a hashtag AWS solution
architect or a hashtag AWS essay. I'll be
1790.22 -> fine with either one of them. But I prefer
to spell it out. Keeps the algorithms happy
1800.23 -> Here we go. While you're there, you're good.
If you haven't subscribed and hit the bell,
1805.529 -> please do. So let me see if you guys are doing
so I can tell real quick. And then let's get
1810.13 -> back to the exciting content. Make sure you
subscribe and hit the bell, let's get back
1818.57 -> into talking about content because we want
to make sure you all get the knowledge that
1822.649 -> at some point in the future, you're all getting
cloud hired. So let's talk about connecting
1828.429 -> to the cloud. If you're going to put your
stuff on the cloud, you got to be able to
1834.269 -> reach it. Now most of the stuff that we care
about in business is not a website, which you
1839.279 -> access over the internet. It's internal stuff,
internal stuff. What do I mean by internal
1847.94 -> stuff, HR applications, internal financial
application, and all these other critical
1853.79 -> critical things. Keep that in the back of
your mind. So once you put your data in the
1860.36 -> cloud, you got to be able to reach it right.
Because you've got your cloud here, you've
1866.399 -> got your data center here, where your users
are, you don't have a link between them, guess
1870.549 -> what, you've got nothing. Something my grandmother
would call bupkis, you've got nothing. So
1877.34 -> you know, you want to make sure that you can
actually reach it. Now when we're dealing
1882.289 -> with connecting to the cloud, your reality
is you're going to have a lot of options.
1887.27 -> You're going to have SSL based VPN IPsec based
VPNs, private lines, Ethernet over MPLS, Software
1894.87 -> Defined Networking and so on, but for the purposes of
the AWS Certified Solution Architect Associate,
1900.94 -> and the AWS Certified Solution Architect Professional,
and the AWS advanced networking, which is
1906.529 -> an intro to networking, we're going to be
talking about VPNs. And we're going to be
1910.98 -> talking about private lines. So let's start
first start with a virtual private network.
1917.429 -> A virtual private network is really nothing
more than a means to secure private network
1923.46 -> connectivity over a public Internet, or a
public network. Now, I've been working on
1928.26 -> VPNs, and clouds for 20-some years. Most
VPN technologies in today's world are either
1934.85 -> an IPsec tunnel, an L2TP tunnel. It could
be an MPLS VPN, BGP VPN, it could be VPLS,
1945.809 -> or virtual private LAN service. But today,
we're going to be talking about IPSec tunnels,
1950.87 -> which is the type of VPN you're going to be
using when you're dealing with cloud computing
1954.6 -> and connecting to your cloud provider. Now,
you may ask, why don't we need the silly VPN
1960.659 -> thing? Why can I just use the internet? Well,
a couple of things. If you're going to use
1966.419 -> the internet, you'd have to have public
addresses on all of your systems, which we
1972.01 -> know is not possible because we ran out of
IPv4 addresses a long time ago. And that's
1976.25 -> why we use Private Addressing, which we'll
talk about later. Now next on this list, is
1982.039 -> the routing. That we have, we're going to
use the public internet to do all of routing,
1988.08 -> we need to take in, say 800,000 routes from
the internet, and then all of our own routes,
1994.75 -> and we'd have to have public addresses. So
we'd be dealing with $100,000 routers, as
1998.26 -> opposed to maybe $5,000 routers, routers
that can handle a big full internet routing
2004.51 -> table. Now, I'm used to doing highly complex
Internet routing, I'm one of the first Cisco
2009.85 -> Certified Internetwork Experts. And I've designed
half of the world's or consulted on half of
2013.899 -> the world's largest Internet service providers.
But let me tell you, this stuff is complicated,
2019.77 -> complicated, complicated. And you know, it's
not something that the average bear would
2024.389 -> want to be dealing with, for example, you
stick a private line and, what we call,
2027.82 -> a VPN between it, and all that complicated
BGP and traffic engineering and route aggregation,
2033.039 -> and all that stuff, for the most part, is simplified.
Address spacing: with VPNs, we can pass our
2041.429 -> private addresses across the link. And we
can also pass our routing across OSPF, BGP,
2048.59 -> whatever our routing protocols are. Now, that
means we need to be on the same subnet on
2053.05 -> both sides. And we can't do this over the
internet. But what we can do is simply as
2059.179 -> follows. We created an IPsec tunnel, both
sides are on the same subnet, and that we
2064.21 -> can pass routing information. So let's look
at what your VPN would look like architecturally.
2073.839 -> Realistically speaking, you're gonna have
your data center, you're gonna have your cloud.
2080.47 -> And while we're dealing with the data center
and the cloud, but you're going to be dealing
2084.44 -> this as there's a router that connects to
the internet here, the virtual gateway on
2088.53 -> the AWS end is connected to the internet, and
you're going to create an IPsec tunnel. Very
2093.51 -> simple. And why is this so great? Well, the
internet is everywhere right now meaning you're
2100.24 -> already connected to the internet. And AWS
is connected to the internet, Azure is connected
2104.87 -> to the internet, Google is connected to the
internet, see, they're all there. And when
2109.63 -> you realize that the ubiquity or the internet
being everywhere, it makes it just so easy
2116.43 -> to just create a connection between them.
By doing so, guess what? You are now in a
2123.93 -> position, you've got a straight line connection
across the internet, want to create another
2129.02 -> connection to another site, you start your
tunnel on both sides, and you've got connectivity.
2133.55 -> So the internet is fast, fast, fast, fast
in terms of connections. But there's other
2139.42 -> things that we'll talk about what how and
why. If I can find my mouse here, we'll move.
2143.04 -> Okay, so there is that. So let's talk about
IPsec VPNs some more. IPsec VPNs get around
2150.69 -> the security and IP addressing challenges of
the internet. IPsec, realistically, does
2157.66 -> this: let's say my hand is a tunnel, you put
your private traffic through the tunnel,
2162.21 -> and on the other side of the internet, it
comes out of the tunnel, and then it's back
2165.521 -> on your private network. Because it's private,
we can use our private information, pass our
2170.73 -> routing information. Now let's keep going
while we're at it. IPsec will encrypt your
2177.52 -> traffic, so that if anybody was able to get
access to your traffic going over the internet,
2182.28 -> guess what, they can't do anything with it
in any way, shape, or form. And that's why
2187.25 -> it's not going to be useful to them. But IPsec
does a little more than that. It prevents
2193.71 -> a man in the middle attack, what is a man
in the middle attack. So let's say I tried
2198.25 -> to create a VPN to chow Charles, one of my
amazing cloud architects. And she's got an
2204.329 -> internet router at her house. And I've got
an internet router in my house. If I connect
2210.94 -> a channel, using IPsec, I know the channel
is actually show. And what do I mean by that
2218.5 -> actually, I might even draw it out for you.
What I mean by that as I need to authenticate
2223.48 -> the person on both sides, I also need to make
sure that the message has not been changed.
2230.5 -> Early in my work life when I used to practice
internal medicine as a nurse practitioner,
2234.96 -> I used to write prescriptions. Now if I had
a person having a heart attack, and I wrote
2240.181 -> for a four milligram prescription of morphine,
that might be the appropriate dose for a patient
2244.57 -> having an active heart attack. But if somebody
changed that four milligrams to 40 milligrams,
2250.31 -> that patient would overdose, stop
breathing, and in most cases die. So we need
2255.38 -> to ensure the message integrity of what we're
dealing with. Now also, we need to be sure
2263.859 -> that the sender can't say they didn't send
it afterwards. And that's called non-repudiation.
2269.35 -> So let's build the whiteboard. Let's whiteboard
out a VPN right now. So over here, what we're
2274.52 -> going to do is we're going to have two people.
I was mentioning child, but I think, I think
2280.11 -> we'll go back to my favorite kind of examples.
And we'll use some furry friends. So because
2284.56 -> I always love furry friends. So let's say
on this one side of this, we have my cat Cindy,
2291.9 -> and my cat Cindy is basically wants to talk
to her friend over a VPN. So let's go find
2298.77 -> one of my cats in these friends. Mike, you
are not sharing the screen. Oh, thank you.
2306.68 -> See, that was the channel I was referring
to. Now let's say by comparison, let's say
2312.68 -> that Cindy wants to talk to her, her friend
who is a rabbit, rabbit that found its way
2317.61 -> into my garage. And obviously, I put out food
and water for the rabbit and I got it outside
2323.329 -> of a house and found somebody to house the
rabbit before my Cindy could terrorize
2328.55 -> this pure beautiful sweet rabbit. So let's
say both of them are actually connected to
2333.38 -> the internet. And they wanted to have a conversation
maybe about terrorists or about chasing rabbits
2338.82 -> or doing any of these things. Now, if they're
already on the internet, here's all they really
2344.03 -> need to do. Now first, Cindy, we're gonna
pretend she's a sweet, gentle thing and she
2348.83 -> doesn't eat rabbits, which is totally not
true. But we're gonna pretend right now that
2352.27 -> my Cindy's a pure angel, because I'd like
to believe she is. Now each one of these has
2356.599 -> a router that connects on the internet. And
let's say Cindy's a sweet little girl that
2360.93 -> does not eat rabbits. And the two of them
want to have a conversation. Now by having
2366.16 -> the two of them that wanted to have a conversation
together. Guess what? I'm trying to find some
2370.81 -> more. Some more animals. Everything was going
to be fine. Cindy is going to be talking to
2376.73 -> Cindy is going to be talking to bunny bunny
is going to be talking to Cindy and they're
2381.079 -> all good. Now when the meeting is set up and
this connection is set up between Cindy Guess
2386.83 -> what? We know that Cindy is talking to her
friend cutie pie the rabbit and everybody's
2391.829 -> happy. Now without IPsec here's what could
happen. We could have this beautiful cat named
2397.52 -> Sonny who's my chief operating officer Chris's
cat, again a wonderful cat. But let's
2402.85 -> say Sonny likes to eat rabbits. And let's
say that Sonny was pretending to be Cindy
2409.45 -> and the rabbit, Mr. Rabbit, was saying, Hi,
Sonny, my home address is here. Now that would
2414.88 -> be a problem because then Sonny the cat
would eat you, you beautiful rabbit, and the rabbit
2419.18 -> would not be happy. So we have to first prove
that the message is real, and IPsec provides
2424.95 -> that advantage. Now, secondly, IPsec uses
a hashing algorithm, meaning it creates a
2434.17 -> mathematical formula to let you know that
nothing has been changed in this way. Cutie
2439.18 -> pie rabbit over here can verify that Cindy,
the sweet little girl that I hope she is sometimes
2444.19 -> is actually her friend. And then when she
says come to my house at this address for
2447.94 -> dinner, I've got carrots for you and spinach
for you, the rabbit goes to the correct address,
2452.75 -> and not the address where the scary
cat lives. Next, we want to make sure that
2459.66 -> you know when we're dealing with our cats
and our rabbits and they're happy that that
2465.63 -> Cindy the cat can't say to the rabbit afterwards,
when the rabbit came to the house, I didn't invite
2469.329 -> you. That's called non-repudiation. So when
we're dealing with IPsec, we're getting three
2474.75 -> benefits, endpoint verification, which prevents
man in the middle attacks, message integrity,
2482.26 -> and something called non-repudiation. The
cat can't say that I didn't invite you. So
2489.45 -> let's talk about why do we love VPN so much
because the internet's everywhere. And you
2493.81 -> can set it up in minutes, or seconds. Actually,
if you're good. We're when we want a private
2499.79 -> line, which we're going to talk to next, it
might actually take six, eight, ten weeks to get the
2505.319 -> private, to get your private line set up. So
VPNs can be done in seconds. They're generally
2510.971 -> speaking, very inexpensive. And we can create
multipoint tunnels, for example, my cat Cindy
2516.72 -> could create a VPN connection to Sonny the
cat, and somebody else's rabbit and somebody
2521.57 -> else's cat, all through the same internet
connection, it's called a point to multipoint
2526.839 -> connection. Beautiful, simple and elegant,
kind of keep that in the back of your mind.
2529.98 -> Easy, easy, easy garden. Now let's talk about
the disadvantage of the Internet. In this
2538.32 -> case, internet performance is not guaranteed,
when you stick your traffic on the internet,
2544.25 -> there's no guarantee that it's going to get
to the destination zero guarantee that it's
2548.54 -> going to get to the destination. So because
of this, if you need critical performance
2553.19 -> or low latency, don't use a VPN use a direct
connection.
2556.54 -> A direct connection is two, three hops.
2560.86 -> Well, AWS does that a funny way, it could be
more than that. But when it's not a private line, it
2566.71 -> could be 20, 30 routers or more that you're
going to. And that's the key, the internet
2571.46 -> is what's called best effort, zero guarantees
of your delivery. So once it's on the internet,
2575.76 -> you don't know if it's gonna get there, private
line, guaranteed latency, which is how long
2580.17 -> it's going to take to go from both sides of
the wire, and guaranteed bandwidth. So when
2583.839 -> it matters, you're going to be using a direct
connection. Now AWS VPN is typically going
2591.74 -> to be set up between the organization's data
center and your VPC. It's called the site
2596.569 -> to site VPN. But VPN can also be set up between
multiple sites as well. The way this works
2603.65 -> is both sides are set up to terminate the
VPNs. You could call it an endpoint. And each
2609.04 -> endpoint encapsulates packets and puts them
into an IPsec tunnel, which sends it to the
2613.48 -> destination and that encrypted environment
just as we described. So when these tunnels
2619.92 -> get set up, here's what happened. They have
to exchange security keys. And it's called
2625.52 -> an Internet Key Exchange Security Association.
What happens is each one of these,
2633.24 -> each one of the routers, comes up. And they
determine the encryption type, like SHA-256,
2640.579 -> for example, the algorithm etc. And of course,
you can set up dynamic routing over BGP, which
2648.68 -> is preferable in most cases, or if you don't
know BGP, and you don't know routing, and
2653.74 -> you've only got a single point of failure
in a single link. Of course, you could set
2657.64 -> up static routing, but I strongly wouldn't
recommend that I'd recommend learning BGP
2661.809 -> and being able to use dynamic routes, just
like your GPS. If
2666.76 -> you're using dynamic routing, which is effectively
a GPS, and I'm gonna go to Chris's house,
2671.69 -> and parts of I-95 are blocked off, it'll tell
me routing to go left, go right. The static
2677.579 -> route is like an old map book. You basically
write your plans out and go left, drive 20
2681.66 -> miles, go right, go 20 miles, but if there's
a roadblock, you're in trouble. So that's
2686.819 -> why you'd want to use BGP. Now, AWS will tell
you that their VPNs are highly available and
2696 -> redundant. And this is partially true, but
partially not true. And I'll show you what
2701.99 -> I mean. Because the VPN on their end is logical,
they'll say that it's fully redundant. And
2710.349 -> I'll say how they're gonna say connect the
two things. That's great until the router
2713.78 -> on your end goes, or your internet
connection goes. And all of that goes out
2717.589 -> the window. We'll talk a little bit more
about that in a minute. But what happens is
2722.2 -> when you set up your VPN to AWS, which is
a logical router, virtual router, as opposed
2726.16 -> to a physical router, their virtual routers
can go down as long as the cloud's up. So what
2733.59 -> happens is a link is going to be connected
to two availability zones, which is two data
2737.64 -> centers. And you can be set up as active active
or active passive. For organizations that
2743.03 -> don't know routing, active passive will be
the best strategy, and that way, no out-of-order
2747.47 -> packets. For organizations that have
the sophistication to understand routing,
2750.94 -> you're going to create multiple VPNs,
and use them on multiple links, using
2754.6 -> BGP. So let's look a little
bit about why I said it's partially true and
2760.88 -> partially not true regarding the single points
of failure with the AWS VPN. Now, AWS would
2767.94 -> tell you this is highly available, and they'd
say, Look, this device and their VPN Device
2772.339 -> is not going to go down. It really won't.
That's not how these systems work. But the
2777.559 -> problem is, if the device on the right side
and the organization's data center goes down,
2782.45 -> everything is dead. And if the internet connection,
the organization's using is also down, this
2789.619 -> systems are dead. So if you really want a
high availability VPN architecture, the only
2797.73 -> option you really have is a solid, you can
create and I'm going to, you can go say this
2802.89 -> is AWS over here. And this is multiple, multiple
availability zones, we're just gonna call
2809.309 -> make one single box. And then this is your
data center, which is sitting over here. The
2814.64 -> only intelligent way to do this is to create
to put two routers in your data center, R1,
2830.16 -> R2. Each one of these links should be on
a separate internet service provider in case
2837.559 -> the router or the Internet Service Provider
goes down. And then what you're going to do is
2841.59 -> connected to virtual routers on AWS. And by
doing so, you can lose. By doing so we can
2853.05 -> lose any of the following, we can lose one
of these internet links, or one
2858.359 -> of the routers. And that's truly truly truly
how you build a high availability set up,
2862.53 -> you would basically create two routers, with
two connections going to both places. And
2867.9 -> now you can lose a router, one of these
routers can go, for example, or one of the
2875.609 -> of the internet connections can go and you're
still happy. And you're still connected to
2879.96 -> the AWS cloud, kind of keep this in the background.
So let's talk a little bit more. When, as
2888.8 -> I said, you know, the virtual gateway router
on the other end is highly available, but
2893.17 -> your stuff is not. So when it comes to high
availability. One cloud is not high availability,
2898.79 -> no matter how many availability zones you're in. A
single router, no matter what, is not high
2904.31 -> availability. Military adage: one is none
and two is one and three is greater than two.
2910 -> One is none. Two is one and three is better
than two, critical, critical critical for
2914.91 -> you to understand that and critical for our
world. How do you set up a VPN? It's silly
2923.33 -> easy. Basically, you're going to determine
which AWS Virtual Gateway, you're going to
2927.66 -> connect to pick a routing method, static routes
or dynamic routes. And either you set up your
2935 -> tunnel configurations, where you go to the
form and AWS spits out a virtual configuration
2940.16 -> for you. And that's it. But I'll give you
a little more information, you can obviously
2947.03 -> do a custom setup, which is what a network
architect would do. I have my network
2951.8 -> engineers really put in a nice routing policy.
So that way, I can tune the performance and
2958.38 -> tune my traffic engineering. But if you
don't know what you're doing, or actually
2963.56 -> you shouldn't be touching this stuff at all,
because you'll just be taking systems down.
2967.579 -> But if you know what needs to be done, but
don't know how to configure it, which is totally
2972.339 -> fine. The AWS system management console will
literally create an auto configuration for
2977.1 -> most VPN devices, whether it be Cisco, Juniper
Networks, Palo Alto or Fortinet. Of course,
2983.47 -> you can monitor the status of your VPN tunnels
with CloudWatch on their end. But you could
2987.43 -> also look at what's going on on your routers
at your end. Now, since we talked about what
2992.08 -> is a VPN, which is creating a virtual network
inside of a public network, let's talk about
2999.109 -> Direct Connect, which is like a wire,
I've always viewed a direct connection as
3003.52 -> simply a wire between two locations. That's
the way I like to look at it. Because I've
3010.109 -> been working with private lines now for a
couple of decades, and let me tell you, if
3014.91 -> to me, it was always easier to explain it
to people in terms of simple wires.
3021.99 -> So let's talk about the
3026.93 -> direct connection. It is the equivalent, almost,
of a private line, and we're going to walk
3032.04 -> you through it. So why would you use a private
line? Well, guaranteed bandwidth, consistent
3037.799 -> latency, and it's going to be the highest
availability and reliability. Less to go wrong
3044.54 -> on a wire than the entire Internet. Now, when
you need higher performance, you can bundle
3051.73 -> links together. Now, if you have one link,
it's 10 gigs, you've got 10 gigs. If you've
3056.47 -> got two links, it's 10 gigs, you got 20 gigs.
If you bundle three links together, you got
3061.339 -> 30 gigs. And if you bundle four links
together, it's called 40 gigs. For those of
3066.39 -> you that have been in networking for a couple
of decades, like me, I'm sure you've heard
3070.19 -> of port channel, EtherChannel, link aggregation
groups, Link Aggregation groups are effectively
3075.079 -> the new de facto standard for bundling links
together, we can bundle up to four links per
3079.37 -> Link Aggregation group. And obviously, we
can create multiple Link Aggregation groups,
3083.49 -> across routers. So now let's now that I mentioned
that it's a logical wire, let's talk a little
3094.89 -> bit more about it. And you can think of it
this wire being a wire, but it's really not
3100.99 -> just the wire, and I'm going to get much more
into it. Now, to connect to the cloud, you're
3105.18 -> going to be using a fiber optic connection,
which is always going to be single mode fiber,
3109.34 -> because we're going over distances. And remember,
it's going to be a one gig link, a 10 gig
3115.64 -> link. And finally, AWS supports 100 gig links.
There are several steps along the way. And
3121.9 -> we're going to show you that in a minute.
But before we show you that in the minute,
3125.589 -> let's talk about the key underlying technologies.
Obviously, you need a router, or you're not connecting
3132.69 -> to anything. The router will have to have a
fiber optic port, because you're not going
3138.609 -> to go more than 100 meters on a copper connection,
so it's gonna have to be fiber optic. Now, single
3142.79 -> mode fiber is the only thing, as I mentioned,
it's going to get you the distance. So if
3146.7 -> you're dealing with one gig, it'll be
1000BASE-LX. If it's 10 gigs, you're going
3151.78 -> to have 10GBASE-LR. For your exams,
you might expect to see 1000BASE-LX
3159.19 -> or 10GBASE-LR for 10 gig, respectively.
Now, for any of you that are coming from the
3165.38 -> networking world, which is like the perfect
world for cloud computing, because we network,
3169.64 -> people have been working with Cloud for 20
plus years, 25 years, you know that when you're
3174.22 -> dealing with a laser, and you put those lasers
in your fiber optic port, there's a send laser
3178.87 -> and a receive laser. Now if your send laser
is up, but your receive laser is
3183.63 -> down, in many cases, that link will stay up.
The problem is your traffic won't be flowing,
3189.18 -> and your traffic will be tossed apart, thrown
away. So when you have multiple links, you
3196.17 -> need something that's going to let you know
if one of those links is partially down to
3199.55 -> close that entire link, like a health check,
which we'll talk about when we get to DNS,
3205 -> or load balancers. AWS, like most good networking
organizations have done for the last 20 years,
3211.38 -> enable something called bidirectional forwarding
detection. And that means if you've got
3215.2 -> a send and receive laser and one of these
lasers goes down, it removes the entire link.
3218.91 -> So you can fail over to your backup connections,
which is exactly what you need to use. Now
3226.57 -> when you purchase a direct connection, which
I'm going to show you about in a few minutes,
3230.349 -> you're not exactly buying the straight wire
to the to the cloud. It's like you're buying
3236.089 -> a wire to an internet Point of Presence, which
then you're going to backhaul you back and
3240.44 -> I'll show you that in a minute. So you connect
to your direct connection location from your
3245.48 -> service provider, and then you get backhauled
back to AWS. So and there's going to be something
3251.87 -> called the letter of authorization required.
I'm going to walk you through that right now.
3255.9 -> So here's what it really is going to look
like. To the right, we've got our on premise
3262.299 -> environment, got a router here or dealing with
multiple routers. And we're going to have
3269.23 -> a wide area network link to ideally two direct
connection locations. So let's start with
3275.17 -> the bottom link. We have have our own router
sitting in a direct connection location. We
3281.38 -> buy a link to that. Now we have to connect
our router or layer three switch to the AWS
3289.83 -> router slash layer three switch and we need
to run what's called the cross connect. What's
3294.33 -> a cross connect it's a wire between our router
and their device. And then the traffic is
3299.53 -> taken over the AWS network. So think of
this on premise or data center, we have one
3306.7 -> or more routers that connect into each direct
connection location, via a WAN link, like
3311.71 -> a one gig WAN link or a 10 gig WAN link or
100 gig WAN link. We then connect to our router
3317.73 -> over the WAN link, just like we've been doing
in networking for forever, I think somewhere
3324.109 -> between our router and the AWS router, we
need to run a cable called a cross connect.
3331.49 -> And that cross connect gives you the permission,
or your service provider the permission,
3336.39 -> to run that cable between your device and
the AWS device. Now, if you just connected
3341.14 -> to this direct connection location with your
router, you'd have no access to AWS that way
3345.829 -> until that router is connected to the AWS
network and routing is actually established
3350.29 -> between them. So you're going to need something
to enable your service provider to run this
3355.97 -> little orange cable between the customer router
and the and the and the dx where they are
3362.51 -> they're the designated router, the direct
connection look routers for the service provider.
3366.099 -> So look on the bottom right, you can
see direct connection location, you can see
3371.13 -> that little orange connection between our
devices and the AWS devices. And in those
3375.89 -> particular cases, that's called your cross
connect. And that's done by the letter of
3379.619 -> authorization. So you must get this letter
of authorization prior to being able to run it.
3387.75 -> So let's talk about this direct connection.
What this letter of authorization is, is that
3394.4 -> it's the ability to connect that connection
between your device and their device, just
3398.2 -> that wire. To receive this letter of
authorization, you need to identify the region
3403.549 -> in which you're going to be connected
to. Now, you will request a letter of authorization
3410.13 -> either via simply the management console or
the API, but also you could do it over the
3415.78 -> command line interface. And if your application
is complete, what'll happen is AWS will provision
3421.41 -> the switch port on their layer three switch,
although they're going to be doing layer three and layer
3425.68 -> two routing to you. At that point, you run that
cross connect. Now what happens at that point is you
3431.88 -> download the letter of authorization, you
hand that to your service provider and they
3436.309 -> cross connect the cable for you. Remember, the
cross connect is just a wire between. Now when
3442.68 -> we're dealing with AWS, we're gonna get
into concepts called public and private interfaces.
3450.27 -> Now, if any of you were involved back in 1996,
working on Frame Relay, like me, or 1998,
3458.03 -> working with the ATM cloud, or 2001, dealing
with the BGP VPLS cloud or the BGP cloud called RFC 2547,
3465.26 -> or the VPLS cloud, this is no different.
It's the same 25 year old networking technologies.
3471.77 -> Basically, you connect to a public virtual
interface, and that will enable you access
3475.69 -> to public AWS services. Public AWS services
are gonna have a globally routable IP address,
3483.67 -> which means public. And you'll be exchanging
information routing information with BGP,
3488.66 -> simple, simple, simple stuff. Now, AWS will
not re-advertise your routes out. And by doing
3496.349 -> so, you don't have to worry about becoming
a transit ISP for the entire Internet. You
3501.9 -> know, it's the same thing as setting up your
route in BGP, and using the no-export community.
3507.34 -> So your service provider will export your
routes. Now, when you deal with AWS BGP, well,
3513 -> you've got some serious limitations. They
won't take a lot of routes from you, basically
3517.789 -> 100, which is nothing. I connect to the internet
in my house to three different internet service
3522.25 -> providers. And guess what, I take 800,000
routes from each internet service provider.
3526.7 -> AWS likes to give you 100. It's nothing, nothing,
nothing. So because of this, keep that in
3533.4 -> the back of your mind. So here's what I want
you to understand what it's going to look
3537.089 -> like, architecturally, I want to draw this
for you. I don't want any confusion. I know
3540.47 -> many people are confused by this, especially
people who have taken other, you know, AWS advanced
3545.069 -> networking courses, those that are taught
by networking people, and they get so confused.
3548.32 -> I don't want you guys being confused. So realistically,
all what's really going on is here, you know,
3553.71 -> you've got your box over here. This is your
box. So this is your data center. Then connect
3563.359 -> over here to the cloud. And what's
going on is when you're connecting to, let's
3570.5 -> call it, the cloud's router. You're going to
connect to the virtual router in the cloud.
3574.28 -> It's called a VIF, a virtual interface.
Now through this virtual interface, you can
3584.98 -> connect to say s3 or you can connect any other
multiple devices. So the way this happens,
3591.329 -> let's just see a public service. Now we've
got to s3 and another public service ser aiic
3600.29 -> may not have spelled that right, it doesn't
look right. But we're doing stuff live in
3605.36 -> real time. So basically what happens is we
connect to this virtual interface. And they
3610.05 -> build virtual links. Basically, pseudo wires,
for those of you that are familiar with MPLS,
3615.93 -> pseudo wires to all of their services. And
in that matter, you're getting one connection
3621.859 -> to them. And they can basically create virtual
circuits for you. Very reminiscent of the
3627.32 -> frame relay permanent virtual circuits of
the ATM permanent virtual circuits, same thing
3631.62 -> we're talking about. Nothing's new. But that's
how these virtual interfaces work. Now, the
3638.92 -> public ones, guess what connects you to public
services.
3643.15 -> So let's talk about
3646.46 -> private virtual interfaces. Well, this is
to connect you to virtual stuff inside of
3651.09 -> your VPC, your virtual private cloud, otherwise
called virtual private data center. Some people
3657.17 -> like to call a VPC a virtual private network.
That's not right, and here's the reason why you
3662.14 -> don't: it's a virtual private data center.
It's not just your routing and
3666.16 -> switching and encryption. In your VPC, it's
where you put your servers and all the things
3670.95 -> that are part of your network, which is your
data center. So of course, by using private
3677.45 -> or the private virtual interface, you can
use private IP addresses. Again, you can only
3683.22 -> advertise 100 routes over the session. So
what does that mean? It means the people dealing
3688.099 -> with your IP addresses can't be like a DevOps
engineer, that's not a network engineer, love
3692.19 -> DevOps engineers. But that's not their world,
you need to have a really good network engineer,
3696.72 -> a really good network architect, or a really
good cloud network architect, set up your
3701.07 -> routing. If your routing is wrong, and your
IP addressing is wrong. It's going to be like
3705.03 -> a city that was planned without streets where
you're trying to stick on streets after the
3708.099 -> fact, we've all been there. We all see how
bad it is. So you got to have a very senior
3713.57 -> person to deal with your IP addressing. And so,
without getting super annoying, we'll be doing a free
3717.69 -> AWS advanced networking course. And I'll teach
a lot more about that. Of course, if you really
3721.38 -> want to learn that, that's the kind of stuff
we teach in depth in our cloud architecture
3724.43 -> program, but things that
are really out there in deep depths, because
3728.309 -> that's architecture. Whereas this is more
certification material. So let's talk a little
3734.04 -> bit more about Link Aggregation groups. I
love Link Aggregation groups for the following
3738.369 -> reasons. Link Aggregation groups enable you
high speed connectivity, and they remove single
3744.559 -> points of failure. So high performance, high
availability, this is about as good as it
3748.88 -> gets everybody. So if you wanted 20 gigs network
performance, and you've got a 10 gig link,
3756.73 -> well, you got a problem. Now you could take
two 10 gig links, and set up a beautiful BGP
3763.39 -> policy and load share one subnet on one link
and another subnet another link, and that
3767.26 -> would be perfect. Or you could put two links
together as a single link. And by putting
3774.049 -> your two links together as a single link,
it simplifies the routing, because it's going
3778.31 -> to look like one IP address on both sides.
We don't have to deal with the challenging
3782.01 -> switching things with regards to spanning
tree or rapid spanning tree to promote loop
3786.72 -> avoidance. It's quite simply basically just
multiple wires bundled into a single pipe.
3791.78 -> And if those of you are around long enough
for ISDN, and multi link, PPP, that's identical
3796.819 -> technology, but with Ethernet, instead of
point to point connections. So we can bundle
3802.66 -> links up to four of them, as long as they
have the same speed, performance and latency.
3808.619 -> So what's it going to really look like here's
in this environment, we've created two Link
3812.599 -> Aggregation groups, across two routers, to
two direct connection locations. Now, in this
3818.74 -> particular environment, look at it this way.
On the top link aggregation group, if either
3828.799 -> one of those links goes down, the link is
still up, and we still have 10 gigs of bandwidth.
3832.73 -> So in this case, we've got 20 gigs of links:
two 10 gig links in the top and two 10 gig links
3838.43 -> in the bottom, lots of performance, lots of
capacity, and of course, higher and
3845.97 -> higher availability. And when it comes to
the organizations that are totally dependent
3850.109 -> upon technology, it's all about high availability,
because if the systems aren't there, we don't
3856.349 -> need them. So before we get back to the content,
give me a hashtag AWS Certified Solutions
3863.329 -> Architect Associate in the chat box. That
way I know you're there. If you've not subscribed
3869.73 -> and hit the bell, please do so now. If you're
having a good time, please hit the like button;
3873.98 -> it will signal the algorithm that we're doing
a good job. And we can get more of our free
3878.05 -> content to those people that need it most,
especially those that can't afford training.
3881.619 -> We want to make sure that we help all those
that need training that are looking to pass
3886.369 -> the AWS Certified Solutions Architect exam and get a
job, with free training with our free full AWS course.
3894.2 -> And now let's talk about storage on the cloud.
I love talking about storage. I really do.
3900.31 -> So what is storage? Where we keep our stuff,
right? Okay, so storage is just the environment
3908.46 -> where organizations are going to keep their
data. And then when we get into storage, we're
3914.24 -> going to be dealing with volatile storage,
and non volatile storage. And I'm going to
3919.79 -> tell you right now, that storage is an absolutely
critical component of your virtual private
3925.73 -> cloud environment. So we're going to be talking
about block storage, object storage, file
3934.64 -> storage, instead of just going into the AWS
terms, I want to make sure you understand
3941.15 -> these types of networks, because as an architect,
you're gonna have to architect around them
3944.93 -> and their weaknesses. And if you're a cloud
engineer, it's not going to be good enough
3950.14 -> to know how to click a few buttons. Anybody
can do that. You're going to have to know
3953.5 -> how to get around the performance problems
of block storage. Why can't you use object storage
3958.63 -> for attaching to a system? Why are
these services used? So I want to make sure
3963.779 -> you understand it, as I want you all to get
cloud hired someday as either cloud architects
3968.29 -> or solution architects or cloud engineers.
So we'll begin with block storage. Block Storage
3975.91 -> is non volatile, which means it doesn't go
away with system reboot, or instance termination.
3983.029 -> And why do organizations use block storage?
Well, block storage is a very common type
3988.559 -> of storage area network. What is the storage
area network everybody? It's basically a network
3994.359 -> full of machines called RAID arrays filled
with hard drives that are attached to a network.
3999.66 -> That's it, it's network attached storage.
Now, why do organizations like block storage?
4006.13 -> Well, for a couple reasons, block storage
decouples, the server and the storage environment
4012.69 -> what I mean by decoupled in a traditional
server, your storage is limited to what's
4018.26 -> inside of those hard drives in the server.
But with block storage, you can have your
4023.9 -> storage, you know, a kilometer away, and you
can have your servers over here. And they
4029.27 -> can access it via the IP network, or via
Fibre Channel networks in the physical
4034.94 -> data centers. But by doing that, we're not
limited to the storage that's inside the server.
4041.099 -> So for a cloud provider means they can have
data centers just fill with storage, and connect
4045.751 -> them to a data center filled with servers,
or vice versa, or putting the stuff anywhere
4050.859 -> in the world. Now when you're dealing with
block storage and the storage area network,
4056.17 -> your data is taken and broken down into
little blocks, and each block is going to
4060.99 -> have an identifier. What makes it even better
is your blocks can be stored anywhere on the
4066.61 -> system anywhere on the network, which means
it's going to scale fast. And it's very dependable.
4074.109 -> And being decoupled enables your systems to
grow. So I like to look at it in this visual
4079.849 -> environment. To me, I always looked at it
and pictured it kind of like a calculator
4083.47 -> in my head. What do I mean by a calculator
in my head look, in this particular environment,
4088.96 -> we've got our systems, and our data is listed
as 0, 1, 2, 3, 4, etc. And that's how we can
4096.18 -> identify our data. When we need it, we'll
get into the AWS specifics of the storages.
4101.15 -> After we do a quick overview of the data center
technology. Now while we're at it, let's talk
4108.41 -> about object storage. Object Storage is a
type of storage area network where your data
is taken and broken down into objects. Object
Storage is very unique storage. Because one,
4120.58 -> each object has metadata. So what's metadata?
It's actually data about the data, which
4126.56 -> is so cool. So when you're dealing with object
storage, if you want to find something, you
4131.04 -> can query the metadata and find it much quicker.
Now, because we've got metadata, we can start
4139.79 -> thinking of big data environments, data lakes,
which we'll talk about, and the ability to
4146.16 -> basically take your data, categorize your
data and query your data. And in most cases,
4152.08 -> with block storage, we can even use SQL queries
that can put it in a database. Now, object
4158.431 -> storage, we've got to be very clear on this
is not normal storage. We can't mount it the
4163.87 -> regular server like we could with traditional
storage. It's good for static files. The reason
4170.489 -> we can't use it with a regular computer is as
follows. Every time we deal with a new modification
4176.58 -> of a file or an object, it's going to create
a new version. So imagine, for example, we
4181.359 -> tried to use object storage and mounted to
a server, a server with, you know, 292 cores
4186.63 -> and six terabytes of RAM. Now, that server
will have a nine terabyte swap file. The swap
4192.06 -> file or virtual memory is typically 1.5 times
the DRAM in the system. Now that file,
4199.13 -> that swap file, may change 100,000 times per
minute. So if we were to try to map a swap
4205.56 -> file on object storage, we might have 100,000
nine terabyte objects per minute. Now, obviously,
4213.24 -> that would cost an organization millions of
dollars a month for that kind of storage,
4216.92 -> it would bankrupt them. So object storage
is good for software, archival purposes, backups,
4223.84 -> static web files, static website hosting and
things. So the way I like to view it as this
4228.79 -> object storage is flat, flat flat storage,
meaning basically you've got your data and
4233.54 -> something like a database pointer pointing
to the data. And it looks just like this.
4237.83 -> Got a bunch of objects that are sitting there
with information pointing to the objects,
4243.33 -> and these little pieces of metadata or data
about the data, which you can see with little
4247.06 -> diamonds at the top. That's the way I visualized
object storage.
4251.83 -> Now we'll talk about file storage. This is
what you've got in your computer.
4258.6 -> If you're using a Windows system, it's NTFS.
For example, if you're on a Mac, it's the
4263.63 -> apple file systems, whichever file system
they're using at the time, is traditional
4268.47 -> storage. Now, also, if you've got a Windows
machine, you click Share Folder, it becomes
4273.64 -> a file server. So file storage is either the
hard drive that's in your systems, your physical
4279.04 -> hard drive, or you take a Linux machine and
you share a folder, and you create an NFS
4284.7 -> or network file system share. On a Windows
system, it's a Server Message Block share,
4289.83 -> pure file storage. And file storage is hierarchical.
So typically speaking, here's what it's
4296.64 -> going to look like. You're gonna have a parent
folder, and inside your folder, you're gonna
4301.04 -> have another folder. And that's where you're
storing your stuff, like many of you have
4304.219 -> in your environment. And now let's talk about
object storage on AWS. What's that called?
4312.8 -> S3. Now, I want you to understand this, this
object storage is the same that you'd buy
4318.34 -> from Dell EMC in your data center. It's the
same stuff Microsoft calls blob, it's the
4324.44 -> same stuff that Google calls cloud storage,
is the identical technology is 20 plus year
4330.21 -> old technology, it's not new. And now you
understand how you would use it on any cloud.
4335.62 -> to Now let's talk about what is Amazon Simple
Storage, otherwise known as s3, it's AWS branded
4343.409 -> object storage, no different than anybody
else's object storage. It's integrated into
4348.81 -> tremendous number of AWS services. AWS would
call it high availability, because they'd
4354.08 -> say it's 99.99%. I don't necessarily consider
that to be high availability, because that
4361.81 -> means you're gonna have basically 50 minutes
of downtime per year. So you could call that
4366.56 -> high availability, the customers that work
with me would never call that high availability.
4370.7 -> But you know, it's your definition of high
availability, I'm fine with 99.99%, high availability
4377.239 -> for Go Cloud Careers, because we're not mission
critical. But in a hospital, or a bank,
4383.07 -> millions of dollars can be lost with
this. And the hospital people could die like
4386.68 -> this. So depends on your needs. Now, what
I will say is AWS S3's durability of your
4394.02 -> data is truly remarkable. It's 99.999999999%
Durable. What does that mean? It means that
4406.92 -> even if I can't access it when I need it,
AWS systems are so backed up, and so well,
4414.42 -> that the chances of me needing it or not being
able to retrieve it later are basically zero
4418.739 -> 99.999999999%, eleven nines durability, which means 99.9
to nine decimal places, available. So this
4429.25 -> is truly extraordinary. And of course, if
something goes on, you'll be notified by EventBridge.
4436.84 -> So when would we use Amazon S3 or
Amazon object storage? One, to backup and archive
4446.81 -> our organization's data for static website
hosting, for distribution of content media
4453.52 -> or software for disaster recovery planning,
like I could take my whole data center, back
4458.56 -> it up to object storage at a cloud
provider, or for big data analytics when
4463.22 -> we're talking about things like data lakes,
future machine learning projects, etc, etc,
4471.27 -> etc. We're intentionally not using the branded
names because I want you to know this,
4477.56 -> no matter what cloud you are on. So that's
what we're going to talk about the concept
4481.59 -> because nobody is going to care if you go
in a job interview if you know the names of
the services, but what they are going to care about is:
Do you understand how they work and do you
4488.76 -> know how to use them? On your exams, you need
to know the name of the proprietary services.
4494.14 -> So when you're dealing with s3, you understand
that basically what's happened is it's organized
into buckets for you, the user, to look at. Now
in reality, it's flat environment where basically
4505.21 -> there's the data and a URL pointing to the
data. But that's just for us. For us, you
4511.34 -> know that we can put it in a bucket and make
it feel good. The bucket is really just a
container for our stuff that's stored on AWS
S3. What'll happen is the buckets are given
4521.79 -> a top level namespace, which is basically
speaking, a fully qualified domain name, like,
4528.1 -> say, gocloudcareers.com. Fully Qualified
Domain, we'll get into that in more depth,
4534.87 -> the fully qualified domain names when we talk
about DNS, and we're going to cover that heavily.
4539.14 -> And all the routing types when we get to that
section. Now, when you name the bucket, it
4544.52 -> can have upwards of 63 characters, including
letters, numbers, and hyphens and periods,
4549.77 -> so we can be pretty descriptive about it.
But remember, the path where you store the
4554.719 -> stuff is not necessarily where the actual
object or file is located. Now the URL that's
4563.66 -> used to access your file, again, it's just
a pointer in the database to where it's truly
4568.35 -> stored. S3 is a lot like a database behind
the scenes, as is all object storage. In
4574.471 -> that you've got your data, you've got a pointer
to it. And here's the good news. Because it's
4578.39 -> so much like a database, you can run SQL or
Structured Query Language type queries or
4583.43 -> searches on your data. Now, that organization
can have 100 buckets per account. And if you
4590.639 -> need more than that, all you need to do is
reach out to AWS support, and they'll give you
4594.12 -> an increase so you can have more buckets.
So let's talk about securing your data, you're
4600.38 -> gonna have two options. You can run a bucket
policy, which is the preferred method, because
4606.28 -> it's very granular and based on identity and
access permissions, what is identity and access
4610.8 -> management? Who are you? What are you allowed
to do, and then logging what you do. We'll
4615.57 -> talk much more about that when we get to the
security section. Or you can use
4620.49 -> those same Unix or Windows ACL based permissions,
which are basically read, write and full control.
4626.99 -> So it matters. I'm going to tell you right
now, that lack of understanding of object
4632.64 -> storage causes most of the hacks on the
internet. 16% of all cloud
4639.31 -> hacks are related to misconfigurations. Anybody
can configure this with three minutes of training.
4645 -> What they can't do is know what to configure
and why they're configuring this, which is
4649.48 -> exactly why we're focused so much
on the concept. Like I said, you can do those
4654.639 -> free lab downloads, sign up and do all those
labs and practice them. But if you don't understand
4659.94 -> what it is, you don't pass an interview for
the solution architect or the cloud engineer
4664.239 -> knowledge of how the systems work is the most
critical. Now we're going to talk about different
4672.699 -> storage classes, different storage classes
on s3. And why is this depending upon your
4680.42 -> needs, and your performance, there'll be different
options for your object storage inside of
4686.39 -> s3. By doing so, the whole point is to get
the lowest possible cost for your demands
4693.34 -> or your customers demands. And in this section,
we're going to be talking about a lot of object
4699.54 -> storage options. We're going to be talking
about s3 standard, your highest performance.
4704.02 -> We'll talk about S3 Infrequent Access. Then
we'll get into the scariness of S3 Infrequent
4709.679 -> Access One Zone, which was Reduced Availability
Storage, then we'll get into S3 Intelligent
4715.141 -> Tiering, then we'll get into Amazon S3 Glacier
Flexible. And of course, we'll deal with Amazon
4720.54 -> S3 Instant Retrieval as well. So what is
Amazon s3, standard, basic simple object storage.
4730.7 -> It's high availability, or at least 99.99%
available, which some people would call high
4735.65 -> availability. It's incredibly high durability
that 99 point eleven nines durability, which means
4741.42 -> 99.9 to 11 decimal places. The performance
of it is acceptable, good for most applications.
4748.949 -> And it's what you use for frequently accessed
data. And here's the reason if you're going
4754.58 -> to be accessing your data, you can access
it as much as you want. You don't pay
4758.52 -> to use it, to pull your data. Once it's stored
there, you paid to put it there; pull it up. Not that
4764.05 -> there won't be network transfer charges.
Yeah, there will be, but in this case, this is
4767.11 -> going to be your cheapest option in most cases.
So while we talk about s3 storage tiers, let's
4775.449 -> talk about the next option. infrequent access.
Now, again, this gives you your same availability
4781.11 -> and durability as before, and performance.
Now, if you're using s3, standard infrequent
4787.81 -> access, you're gonna pay a lower rate to store
your data, which is great, but you're gonna
4792.7 -> pay to retrieve your data and your data has
to be available. So imagine it this way and
4798.48 -> we'll talk about
lifecycle policies and why and how they can
4802.85 -> be used to optimize your customer systems.
But here's what we're dealing with s3, you
4807.56 -> pay less, but then you got to pay to retrieve
your data. Now, here's the thing, if you're
4811.35 -> not retrieving your data a lot, it's cheaper
to use s3. But if you're pulling your data
4816.29 -> constantly, it's too expensive. So this is
for data, that's infrequent access. And we'll
4822.07 -> show you the lifecycle policies before and
how you do this to really save an organization.
4826.46 -> And this is one of the things is transformational
in the cloud. Now, the next access we're talking
4832.01 -> about is s3, infrequent access one zone this
terrifies me, because now you reduce develop
4837.489 -> the availability of your data, which means
when you need it, you're not going to find
4841.381 -> it as easily. Now, when you deal with one
availability zone, you're typically dealing
4846.88 -> with 99.9% performance, which for the most
part is one day of downtime per year. So if
4853.3 -> you can tolerate that, it's cheaper if you
can tolerate it.
4860.04 -> And that's kind of our thing. Now, while we're
dealing with this, you get the cheapest pricing,
4866.62 -> but you got to pay for your data. And the
availability is going to be substantially
4873.312 -> less. So keep that in the back of your mind.
And there's something called S3 Intelligent
4878.83 -> Tiering. This is the automatic thing, where
AWS monitors your data, they automatically
4887.05 -> place your data on wherever they think is
the most cost effective performance for you.
4890.54 -> And this is cost optimization managed by your
service provider. Well, I think that's like
4895.68 -> having the fox guarding the henhouse. They're
gonna optimize it for you, the people that
4900.07 -> are getting paid to do it. So now, it's a
service. It's a machine learning based service.
4904.88 -> And that may not be great for you,
but kind of keep that in the back of your
4907.1 -> mind. If you know your data and your uses
policies, it's probably best to create something
4911.65 -> manually. Now, if you're looking for really
low cost, we've got s3 Glacier, which is good
4919.54 -> for long term storage. In fact, it's where
you put your stuff, and you pay less to have
4926.84 -> it there. Now, this is instantly retrievable.
As a rule, it costs 68% lower than S3. But
4936.52 -> to retrieve it, now you're dealing with some
heavy duty retrieval fees. It's kind of keep
4941.4 -> that in the back of your mind. But if you
don't retrieve your data for at least 90 days,
4946.5 -> then guess what you got, you've got much lower
cost up to 68%, lower. Now let's talk about
4957.37 -> S3 Glacier Flexible. That's traditional
Glacier storage, meaning you pay
4965.62 -> less to keep it there. But it's not instantly
available. In fact, you've got this really
4971.71 -> cool thing called the vault lock option, which
makes your data immutable. So let's think
4975.94 -> about that. And making your data immutable.
If your data is immutable, it can't be changed.
4982.62 -> So for a bank that needs to store their customers
records, the Glacier Vault Lock is beautiful,
4987.969 -> and beautiful for a medical facility that has
to store their patient records for seven years
4992.37 -> later, but puts it in a place where it can't
be modified, brilliant, brilliant option for
4997.909 -> the right places. Now, this is designed for
information that's going to be accessed one
5002.45 -> to two times per year. If somebody needs their
data, they can retrieve it in minutes, two
5008.04 -> hours. And it's really low cost. It's going
to be even 10% less than Glacier Instant
5015.16 -> Retrieval. And you can pay for the
data retrieval. But you're gonna have to request
5021.05 -> information when you're done. Now, we're dealing
with S3 Glacier Deep Archive. Remember, it's
5029.81 -> the lowest cost. But it's designed
for stuff that you don't need within 12 to
5035.239 -> 48 hours, because that's how long it could
take to get it. And your data is going to
5038.71 -> be stored in three or more availability zones.
And it's designed for long term storage of
5044.16 -> highly regulated industries. So let's talk
about lifecycle management. I've got
5048.35 -> a visual that we'll use for this. What are
we dealing with here? Let's say an organization
5054.87 -> knows their usage flows and their data. Let's
say that the organization knows they have
5061.91 -> data that they're gonna frequently access
for 30 days. So they're gonna put it in s3,
5068.52 -> let's say for the next 30 days, that information
can be accessed just a little, little bit.
5073.23 -> Guess what? That's terrific. They can put
it in infrequent access. Let's say 30 days
5080.31 -> later, they're never going to use that data
ever again. But they want to store it for
5085.34 -> archival purposes, maybe future machine learning
purposes. Maybe, you know,
5093.04 -> backup purposes. Maybe they need it for regulatory
environments. So that's what lifecycle policies
5099.55 -> mean. You can manually set it up in minutes, it's
simple to do, stick your data on one, migrate
5105.56 -> your data to the next and have it automatically
managed to pay the lowest price based upon
5109.63 -> an organization's uses of their actual data.
So, you know, while we're at it, let's talk
5118.139 -> about s3 versioning. You gotta love when a
manufacturer or a brand like AWS decides to
5124.84 -> create a feature out of the natural functionality
of the technology itself. So when you're dealing
5130.199 -> with object storage, all object storage automatically
creates new versions, every time something's
5135.489 -> modified. Now, of course, the cloud providers
have taken big, big gains to prevent that
5141.24 -> from happening, which basically means they
know that their customers would be really
5145.58 -> upset if they filled up their systems and
got multimillion dollar bills per month because
5151.429 -> their storage about them. So they automatically
delete old versions. But if you want to basically
5155.21 -> keep all copies of something, you can turn
on s3 versioning, which is the default behavior
5159.72 -> of object storage anyway. So let's say I wrote
an example of a CSA dot Certified Solution
5164.491 -> Architect dot doc. And let's say I worked
on it for an hour saved it, I'd have version
5170.02 -> one, then Alonzo from my team worked on it
for an hour, that's version two, then Chow worked
5174.12 -> on it for an hour, that's version three. Then
Chris worked on it for an hour, that's version
5178 -> four. Eddie, who's in Cameroon, worked on it,
that's version five. Leo, who's in Brazil, worked
5184.179 -> on it, it's version six. By doing that, you
would store each version and why is that good?
5189.239 -> Well, the version number 642 got corrupted.
If you go back to 641, you still got something.
5195.409 -> So that's what versioning is. And it's
the default behavior on all object storage
5202.19 -> platforms. Now, let's think about security
of your data. Now, there's two ways that you
5210.16 -> can use your data, I could just let you delete
a file directly from my from my object storage
5216.58 -> bucket. No big deal. Simple, simple, simple,
easy to do. But imagine that. So let's say
5222.58 -> we're talking about Super Chow, Chow,
this rockstar cloud architect on my team,
5226.95 -> she's amazing in every way. Let's say she
was mad at me one day, and she just wanted
5230.77 -> to delete a file. And she deleted the file,
Chow would never be mad at me, she would never
5235.36 -> do this. She's amazing in every way. But you
know, here's the thing. Now, if she had multi-factor
5241.48 -> authentication delete set up, Chow tried
to delete a file, and I would get sent a challenge.
5247.39 -> And they would ask me for a one time password.
Now I could provide that one time password,
5252.58 -> and that file will be deleted, or I could
not provide that one time password and the
5256.56 -> file stays there. So that's it. That's
how it works. Multi-factor delete, multi-factor
5262.219 -> authentication, again, is nothing
new. And it's done to prevent other bad actors
5267.77 -> from doing it, or you yourself. How many times
have you accidentally deleted something
5272.79 -> and then had to go into the trashcan to pick
it up. I've done it before. So that's the
5276.179 -> point of multi-factor authentication delete,
but it also gives you protection
5281.68 -> from others. So let's talk about organizing
our data into s3. You know, when you organize
5291.99 -> it, remember, s3 is flat, you just put your
stuff in the object storage. And the reality
5298.389 -> is there's the database pointer pointing to
it. But that's going to be hard for the user
5302.411 -> to use. It's going to be tough. But we can
use what's called the delimiter, which is
5309.44 -> a pointer to our data. And by doing something
like that, it can feel logically organized
5314.949 -> like a folder. I'm going to put one right
now basically fake one that I just made up
in the chat box so you can see it. So here,
if I use the delimiter, which I did in the chatbox,
5325.11 -> mike/2020/AWS video/storage/
s3.mp4, that I popped in that chat
5331.7 -> box, you can see it looks and feels just like
a Unix path. No, it's not. But I can make
5336.92 -> my users feel like they're using traditional
storage. And this is the same thing that happens
5341.63 -> if you use Dropbox, or Google's cloud storage,
or anybody else's storage, it's all the same
5348.05 -> because it's all object storage, the Apple
one is all the same, iCloud for example.
5357.84 -> Now if you're gonna have your data on s3,
if somebody were to break into AWS, and steal
5363.07 -> their hard drives, for example, your data
would be there. And that would be bad, bad.
5368.96 -> Now of course, your data would be spread
across RAID arrays, which make only part of
5373.54 -> the data accessible, but still, that's a problem.
So you're going to protect your information
5379.26 -> with encryption. And encryption, basically
takes something and turns it into something
5385.179 -> that's not usable. Unless you've got the decryption
key. Kind of like those old cereals. We could
5390.27 -> have a message and you need to buy the box
of cereal to get the secret decoder ring to
5393.96 -> read it. It's the same. So we're going to
protect our sensitive data with encryption.
5401.25 -> And encryption will make your data completely
completely completely unusable. Without the
5406.96 -> decryption key or that secret decoder ring.
There's lots of forms of encryption throughout
5412.83 -> history, there was a martial art called Capoeira
in Brazil. And that was designed not to look
5418.95 -> like a martial art. There's languages like
Pac 12, in the Caribbean, which were languages,
5425.38 -> which were a form of groups in that, you know,
certain people understand how to speak them
5429.12 -> and others wouldn't. Now
we've got encryption via IPsec, SHA-256, and
5433.81 -> many other encryption algorithms. Realistically
speaking, that's all we're talking about.
5437.83 -> Now, we can encrypt that on the client side,
before we send it somewhere, or we can encrypt
5442.86 -> it on the storage server, and we're going
to be talking about them.
5446.42 -> Now, you'll definitely see this in a Certified
Solution Architect Professional exam, you
5451.869 -> may actually see this in the Certified Solution
Architect Associate exam as well. The first
5457.389 -> type of key encryption we're going to be talking
about, and I didn't make these terms up,
5460.8 -> is SSE-KMS. Again, I don't make up these
names. And this is realistically a customer
5468.55 -> managed key within the AWS key management
system. Now, this is a complete key management
5474.24 -> system, meaning the user manages the master
key. And the key management system controls
5479.639 -> the data key. And this provides a beautiful
audit trail of how, who and when the data
5487.199 -> was accessed. And it's going to look realistically
speaking like this: you've got the AWS key management
5492.9 -> system, there's a customer managed master key,
and then data keys are used to, basically speaking,
5500.69 -> encrypt your data. Simple and effective. Now
let's talk about another version. And again,
5508.81 -> I didn't make up this name, this term, SSE-S3,
AWS managed keys. Now, this
5516.77 -> is an incredible complete key management solution.
Now, it's not going to be for ultra high security
5522.85 -> environments where you need control of your
keys. But for most people, this is simple
5527.04 -> and elegant. Basically, the key management
systems will manage all keys, it will automatically
5533.179 -> rotate your keys. And every object is going
to be encrypted with a new encryption key.
5538.41 -> So wow, you implement this solution, the computer
system automatically manages it for you. And
5544.56 -> you know, your data is safe and secure. This
is probably one of the best solutions for
5548.699 -> average organizations, not good if you need
military grade security, or things like that.
5554.449 -> But under normal environments is a simple,
elegant and really effective. And it reduces
5558.739 -> your overhead. Let's look at it this way.
Basically, you've got the key management system.
5566.469 -> It literally manages the master
key, and manages the data key. And everything
5573.33 -> is done for you automatically, as I like to
say, and no, I never would use the term
5579.29 -> automagic. But lots and lots and lots of people
like to use alternative tech. So I thought
5583.67 -> I'd give you something that would be a little
fun. Now the next option we have, and this
5590.03 -> is one of the big ones that's going to be used
in your critical environments, military
5593.98 -> grade security, is something that's going
to be called SSE-C. And this is really
5599.27 -> customer provided keys. Now this gives the
customer complete autonomy over the encryption
keys. The customer is going to manage all
their keys. Now here's the downside of that.
5613.02 -> Lots, lots, lots of actual key management.
Kind of keep that in the back of
5621.51 -> your mind. So how do we optimize S3?
Well, we're going to talk about presigned
5630.909 -> URLs, multipart uploads, range GETs, as well
as cross region replication. So what is a
5640.94 -> presigned URL? Let's say I want to send Super
Chow, the amazing cloud architect, information.
5649.21 -> I've got two options, you know, I could give
her the keys to get into the system. Or I
5654.47 -> could presign the URL, and send my presigned
URL to Super Chow, the amazing cloud architect.
5661.14 -> So how would I do this? I sign the object
with my own encryption key. And I send that
5667.85 -> URL directly to Chow. The URL is a fully qualified
domain name. She could click on this and then
5674.27 -> she could download the photo of my cat, which
is probably what I would send Super Chow,
5678.65 -> a photo of my cat, because I love to send
photos of my cats to everybody, especially
5682.78 -> the people on my team. Still love my cat.
But by doing this, by presigning the URL, I'm
5690.1 -> giving Super Chow secure and temporary access
to my content. Now how long is this content
5696.659 -> actually available? Well, it depends on the
method that I actually sign it with. So if I sign
5701.8 -> it with my IAM instance profile, again, identity
and access management is, who are you? What
5708.119 -> are you allowed to do? And what did you do
and we'll talk much more about that when we
5712.46 -> get into identity and access management. But
if I sign it straight with my profile, it's
5717.02 -> good for up to six hours. Now, if I use the
Security Token Service, and I promise you,
5722.57 -> we're going to get into a lot of detail of
the Security Token Service, when we get involved
5725.989 -> with security and identity and access management,
then it's going to be good for up to 36 hours.
5730.6 -> Now what if I sign it with an IAM user name,
and Chow is an IAM user of our systems? Well,
5735.82 -> you can have access to that link for up to
seven days, where I could issue a temporary
5740.239 -> token. And I love temporary tokens. And here's
why: I give something that's available for
5744.659 -> a short period of time, then it's not available,
and poof, it is done. And that's why we really
5749.79 -> love these things, the AWS temporary tokens,
because if somebody steals your token, they can
5754.28 -> only access it for a short period of time, and
then we're back to normal.
5759.52 -> Now, let's talk next about multi part uploads
and what they are. Well,
5766.75 -> with s3, we can deal with a file size, it's
up to five terabytes, but we can upload a
5771.48 -> file up to five gigabytes. Now imagine this,
you send 4.75 gigabytes over the wire, and
5782.56 -> the network connection goes, you know what's
lost, all 4.75 gigabytes. And that's not an
5788 -> efficient distribution system, it would be
much more efficient. If we can send little
5793.52 -> bits and parts of the file, and then reconstitute it
in the end. See, there's so many things that
5800.37 -> can go wrong with large file transfers. And
that's why AWS recommends to use a multi part
5806.56 -> upload for all files over 100 megabytes. And
let's look at what that actually is. Again,
5812.08 -> it's a very, very simple concept. We've got
our file over here, our file gets split into
5818.18 -> multiple parts. And it gets put back into
the big beautiful file the same file it was
in the beginning. And then it's sent to the object
5827.5 -> storage. Why do I love this so much? Why is
5827.5 -> this so great? Because let's say from the
top to the bottom, you've got four file parts,
5832.39 -> let's say file, part three, which is the second
one from the bottom gets lost in transmission.
5838.58 -> By doing so, we don't have to retransmit the
entire file, we only transmit file part three,
which was the file part that was lost, making
our transfers more reliable and more efficient.
5848.75 -> And that's why we use multipart uploads for
all files, or uploads, that
5854.12 -> are greater than
100 megabytes. Making sure
5861.409 -> we don't have network transfer problems.
5866.29 -> So let's talk about the last one, which is
cross region replication.
5872.54 -> When we're dealing with cross region replication,
what we're doing is we're taking our data
5876.06 -> stored in one region, which again, is just
a large, large geography and replicating it
5880.66 -> to another one. Why would we want to do this?
Well, if I'm in the US East region, and I
5888.54 -> replicate to US West, well, guess what? Guess
what? Then, if US East dies, I still have
5897.409 -> US West. But what else are we talking about?
When we're dealing with cross-regional
5904.929 -> charges inside of the cloud provider, they
charge you to send your data across regions.
5910.71 -> And let's say you had some object storage,
it might be cheaper to keep your object storage
5915.099 -> replicated in two different environments,
then it would be to pay all those intermediate
5919.139 -> charges. Again, this is 100%, based upon the
use of your data, the specific use case and
where your users are accessing things. But
5930.679 -> cross region replication gives us good
5930.679 -> disaster recovery abilities. But it might
be cheaper if we're dealing with a lot of
5934.739 -> interdepartmental data transfers. And if we're
dealing with, you know, users in Japan, and
5940.409 -> then users in New York City, by replicating
the regions, the information from region
5945.44 -> one to region two, the US and Japan are
gonna get fast, low latency access, because
5950.53 -> they're not going to be traversing the entire
AWS global network to get it, they're gonna
5954.47 -> go to something in Japan. Likewise, the people
in New York or New Jersey could go to the
5959 -> bucket and region that's closest to them.
So that's why we're dealing with this. So
5963.28 -> we talked a little bit about storage area
networks. We're going to talk more about storage
5968.58 -> area networks today. Get into instance storage
and block storage and all kinds of cool, exciting
5975.75 -> stuff. So now we're going to talk about instance
storage. So what is instance storage? Well,
5982.119 -> if you've got a virtual machine or a server,
it's the storage that's sitting inside your
5987.21 -> server. Now, here's the thing. It's fast,
real fast, real fast, real fast, fast, fast,
5998.639 -> fast, fast, fast. How fast is instance storage?
Well, let's put it into context, we're going
6005.6 -> to be dealing with EBS block stores, the fastest
storage volume you can get is a quarter of
6010.79 -> a million IOPS. Now you can go to Best Buy
for about 100 bucks, and buy a Samsung 90
6017.03 -> Pro, which gives you about a million IOPS,
which is four times the fastest block storage.
6022.08 -> Now when you're dealing with instance storage,
what you're dealing with is a RAID array,
6026.429 -> typically eight of these drives in a RAID
environment. So you might have six, seven, eight million
6032.119 -> IOPS just sitting inside the server. So instance
storage is fast, fast, fast, fast. Where block
6039.639 -> storage is slow, slow, slow, slow, slow. So
why don't we use instance storage? Instance
6046.96 -> storage. And here's the thing. The thing is
as follows. Whatever you store in instance
6055.71 -> storage is deleted upon instance termination.
So unlike your data center, where you store
your stuff, and the NVMe RAID arrays that are
sitting inside of your servers, in the cloud,
6067.08 -> every time you delete your system,
it's all gone and you lose everything. So
6070.909 -> this makes it not feasible. So that's why
we need to get really, really, really through
6076.5 -> what we're talking about here. So let's talk
about elastic block storage. What is block
6085.07 -> storage, block storage, it's the same block
storage, it's been around for 20 years, in
6089.79 -> every data center in the world, nothing new.
Why do we use block storage as we talked about
6095.52 -> before decouples, your servers and your storage
environments. And by doing so it means that
6102.659 -> the data centers can scale easily. Now we're
gonna mount block storage in our devices. And
6109.099 -> remember, block storage is slow regardless
of what's taught in your certification course,
6112.71 -> it's going to act like a virtual hard drive.
So what are we going to use it we're going
6116.871 -> to be sticking it on our virtual machines
which are otherwise called AWS EC2 instances,
6121.389 -> Azure calls them virtual machines. Google
calls them Compute Engine instances, it's
6126.199 -> identical technology, it's all called for the
most part the same thing. The network in a
6129.849 -> data center has been virtualized, and they
have new names for the same technologies.
6136.119 -> So block storage is scalable, real scalable,
and it's not deleted upon its termination.
6142.239 -> And this is high availability, storage, high
availability, storage. And what we're talking
6147.12 -> about this is, is 99.999% available, which
means it's there when you need it, except
6154.429 -> for about five minutes, and 15 seconds per
year. It's relatively good High Availability
6159.54 -> Storage, having said that, no cloud providers
been 99.99% available for the last couple
6164.989 -> of years. So it's really not going to be anything
that's that high availability and practical
purposes. But according to the exam, it's 99.99%
available with teqsa. Now, on your exam, you
6179.179 -> can think of block storage as AWS likes to stick
the term elastic before it, and they call it elastic
6183.98 -> block storage. They'll tell you it's
for high throughput and high transaction workloads,
6188.909 -> it's the best you can do on the cloud. And
we're gonna teach how to work around the weaknesses
6192.119 -> of block storage too, because it's so critical.
With block storage, you're gonna get multiple
6197.41 -> performance options. All are slow compared
to data center technology, but some are slower
6203.219 -> than others. And some are cheaper than others,
and some are more expensive than others. So
6208.92 -> basically, block storage is going to be associated
with a single availability zone or data center.
6214.2 -> And basically, realistically speaking, it's
going to be backed up to another availability
6218.33 -> zone or data center. So that's good news.
What's in one data center will be copied automatically
6222.56 -> to another data center. What's also very,
very, very cool is the way your
6231.19 -> block storage is automatically going
to be backed up in terms of snapshots. Why
6235.84 -> is this so cool? It will be transferred to
object storage. Whoa. So your block storage
6243.27 -> automatically gets sent into s3 or s3 glacier
wherever you want to pop it. And now wow.
6250.06 -> If something happens to your systems, you've
got another one. Now these EBS volume snapshots
6256.28 -> are truly truly amazing. Because it's not
like you ran backup software, you backed up
6261.73 -> backed up and backed up stuff. Okay? That's
not what we're actually talking about. It's
6267.239 -> a full system image, like a ghost image, or
system image that can literally be rebooted,
6274.98 -> which can be just relaunched, and then poof,
a virtual machine will come up with the identical
6281.35 -> hard drive, and everything else you need.
So AWS gives you some of the most brilliant
6287.8 -> and beautiful backups all the other cloud
providers do too. But this is simple and elegant
6292.119 -> and typically speaking about 1000 times better
than most organizations and enterprises backup
strategy. So, how do you choose your
EBS volume types? Well, it's going to be
6306.13 -> your performance requirements. And your performance
can be framed as both latency and throughput.
6312.67 -> And they're not the same. So latency is going
to be measured in input operation and output
6319.239 -> operations per second. What does that mean?
How many times can you read write to disk
6322.34 -> read write, read, write, read write, the higher
the number of Read Write activities you can
6326.181 -> do per second, the lower the latency, by comparison
is throughput, which is how much stuff can
6332.79 -> you move per second, I like to use vehicles
to explain the difference between latency
6337.75 -> and throughput. So let's say I'm here, and
I want to take a car full of cat toys from
6348.159 -> Palm Beach, Florida, to New York City. So
I get in my car, I start my car full of cat
6355.639 -> toys. You know, my car is let's call it a
sports car. It's not it's an SUV, but it's
6361.79 -> a high performance SUV. So let's say I shove
my SUV full of cat toys. And I get to New
6366.739 -> York City. Now the reality is, it's in New
York City, I can drive my car probably at
6372.77 -> 100 miles an hour before the police stopped
me between Palm Beach and New York City. And
6378.139 -> I'm gonna get there relatively fast. My car
is designed to be driven in the left lane
6381.489 -> on the Autobahn where there's no speed limit.
But let's say I wanted to drive between Palm
6385.599 -> Beach and New York and I could average 100
miles an hour. The latency to get to New York
6390.62 -> is going to be lower. Now by comparison, let's
say that my buddy owns a tractor trailer.
6396.73 -> And he fills this tractor trailer full of
cat toys. Now he drives that tractor trailer
6401.71 -> at 70 miles an hour between Palm Beach in
New York City. When that tractor trailer
6406.83 -> gets to New York City, look at the stuff that
arrived, every cat in New York, and New Jersey
6412.489 -> is going to be having a party time with their
cat toys versus my SUV that may take care
6417.56 -> of you know, a couple of cats in Brooklyn,
or Manhattan, you know, the throughput is
6422.54 -> greater in the tractor trailer. The latency
of the car is faster. So now you know what
6428.8 -> latency is the speed that you can do something
in terms of input output per second, how fast
6433.849 -> can you get somewhere versus throughput is
how much stuff. So input and output operations
6438.87 -> per second, which is inversely correlated
with latency, is going to be measured in
6443.179 -> IOPS. And throughput is going to be measured
in the amount of stuff you can move. And that's
6448.949 -> going to be in gigabits per second or terabits
per second or megabits per second. So when
6455.21 -> we go through these things, we're going to
talk about latency and throughput.
6460.81 -> Now the fastest fastest block storage you
can get on AWS is EBS Provisioned IOPS, it's
6467.58 -> called io2. This is their highest performance,
SSD storage. They consider it the lowest latency
6474.56 -> and it's designed for workloads that require
high input and output operations. They'll
6478.719 -> tell you, it's good for large databases, they'll
tell you it's good for applications requiring
6482.33 -> low latency. And they'll tell you it's good
for 4000 megabit per second, which is decent
6486.679 -> throughput actually. And a quarter of a million
IOPS, this is acceptable. Now, this is nothing
6493.14 -> like you can get in your own private cloud,
like with any Nutanix cloud, for example,
6497.409 -> where you're running all of this stuff, all
of this stuff. And in these particular environments,
6507.91 -> that's what we're talking about. So, you know,
a quarter million IOPS is not very fast, but
6515.38 -> relatively quick, you know, it's going to
be a problem in many business applications,
6519.6 -> because it's still too slow. And that's why
we're going to talk about RAID. RAID is not
6523.659 -> covered in the Certified Solution Architect
Associate, but you need to know it for real
6527.21 -> life is also covered in the Certified Solution
Architect Professional. So we're going to
6531.31 -> be explaining that to you when the time comes.
So this is the fastest, fastest, fastest. It
6537.96 -> might be a few thousand dollars per month to get this. Keep
in mind, it's going to be slower than a $150
6542.869 -> drive you could buy at Best Buy, like a Samsung.
Now, by comparison, the old fastest drive
6550.91 -> that we can use for EBS volumes, it's about two
years old, is the EBS Provisioned IOPS io1
6556.76 -> devices. And that's going to be, you know,
relatively high performance. I say that you
6561.97 -> know with cringing, SSD storage is designed
for low latency. It's designed for workloads
6567.679 -> requiring high input and output operations
per second, like databases and applications
6572.33 -> that require low latency look. The max you
can get here is 16,000 IOPS, which is nothing.
6578.489 -> But it's the second fastest block storage
you can get on the cloud. The throughput on
6582.58 -> this thing is acceptable at 1000 megabits
per second look, that's not going to be problematic
6586.9 -> for most applications, but you're gonna have
massive problems when you're dealing with
6591.96 -> low latency in these environments. Now let's
talk about general purpose SSD. Instead of
6600.1 -> These other drives which are based upon non
volatile NVMe drives, this is going to be
6604.989 -> based on traditional SSD storage. Now, when
you're dealing with SSD storage, you get decent
6611.64 -> throughput, you get much lower latency, which
means higher IOPS, than magnetic storage,
6617.11 -> but much lower than you're gonna get from
NVMe. Moderate throughput, like 250 megabits
6623.08 -> per second, which is what you get a little
better than a standard magnetic hard drive.
6626.95 -> This is fine for a transactional workload.
It's good for development and test environment
6633.1 -> because it's cheap. And it's relatively low
latency, we can call it that. And now we can
6641.36 -> get into our magnetic storage options. Now,
this is an interesting one. We've got EBS
6648.85 -> throughput, optimized hard drive, relatively
low cost magnetic storage, because it's magnetic,
6653.739 -> it's going to be high latency, which means
low IOPS. Now, the throughput on these things
6659.34 -> isn't bad. 500 megabits per second, which
is right up there with the standard SSD drive.
6665.74 -> Because these are obviously sitting in RAID
arrays. So this is really good for frequently
6669.929 -> accessed workload or throughput intensive
application like video, for example. It's
6675.02 -> great, great, great when it comes to
throughput-intensive workloads, like a video
6679.349 -> editor would use, transferring large video files,
great for large log storage, great for sequential
6686.04 -> reads and writes. So kind of keep that kind
of keep that in the back of your mind. And
6693.19 -> then the next option is EBS, cold storage,
which is going to be your lowest option, low
6699.639 -> IOPS, low throughput, 250 megabits per
second. And it's going to be used for workloads
6705.969 -> that are not accessed frequently. And because
I told you right now look, what are you going
6712.1 -> to do when you have a business application
that requires 2 million IOPS on the cloud?
6718.949 -> Well, you don't get high disk performance
on the cloud. So the only way you can work
6724.849 -> around it is either use a private cloud, like
OpenStack or Nutanix. In your data center
6729.409 -> for your high performance latency sensitive
applications, use the public cloud for non
6733.33 -> latency applications. Or if you're going to
be on the public cloud, no big deal, use RAID.
6738.87 -> So we're gonna do a brief, a brief,
brief introduction of RAID. And then from
6746.489 -> there, you know, where are we going to go?
We're gonna go into things. So what is RAID?
6753.23 -> RAID, a Redundant Array of Inexpensive Disks
is really a means to combine multiple hard
6757.739 -> drives into a single hard drive for more
performance. And there's still going to be
6763.639 -> separate drives, we're going to take separate
physical devices and logically associate them
6767.389 -> as a single device. On the cloud, everything's
virtual, we're going to use virtual block stores,
6771.8 -> and we're going to combine them in the same
way. So there's going to be multiple, multiple
6777.74 -> performance options. For redundancy, there's
going to be four main raid types that the
6782.91 -> entire world uses. Now, we're going to be
dealing with 0, 1 and 10 on the cloud, not RAID
6789.67 -> five. But if you're a cloud architect, or
a cloud engineer, and you're going to be moving
6794.29 -> stuff, from the data center to the cloud,
you better know what raid five is, because
6798.05 -> it's used everywhere. The only reason we can't
use RAID five in the cloud is because the
6802.17 -> Cloud Storage is so bad. In terms of performance
with regards to latency, you can't deal with
6808.01 -> the additional latency overhead of RAID five,
but widely used in the enterprise. So let's
6813.949 -> talk about RAID 0. RAID 0 is called
striping. And I'm gonna show what that looks
6820.489 -> like. But basically, you're gonna be writing
your data across multiple hard drives, write
6825.349 -> 1, 2, 3, 4, 5, 1, 2, 3, 4, 5. And by doing it, you're load balancing
the load across multiple drives. When you
6831.54 -> load balance, you get lots and lots and lots
of speed. Lots and lots and lots of speed.
6838.98 -> Because of that, you're there. So when you
do this, you get no fault tolerance either
6843.56 -> because if one of the drives in your RAID
array fails, you lose everything, everything,
6848.94 -> everything. So no fault tolerance, but it's
good when ultrafast speed is needed. But if
6855.099 -> you're going to use raid zero, backup, backup,
backup, and backups more, so what's it going
to look like? It's going to look like as follows:
store your data from block one on drive
6866.54 -> one, block two on the next drive, block three
on drive one, block four on drive two. By doing this, you're
6870.26 -> gonna get twice the throughput and lower latency.
So it's a great way to work around this. You've
6877.22 -> got four quarter-million IOPS drives
in the cloud, now that will get you equal
6883.349 -> to what you can get from that $150 drive at
Best Buy. Now, of course it might cost you
6888.02 -> $30,000 on the cloud to equal the performance
of $150 drive from Best Buy, but you can still
6893.449 -> do it. Like I said, it's all about knowing
as an architect, where do you put your stuff?
6899.44 -> How do you architect for maximum performance
at the lowest cost and what drives that, the
6904.409 -> business requirements, nothing else. So business
acumen is so critical for the Cloud Architect.
6911.079 -> So let's talk about raid zero in the cloud
computing environment, it's a little less
6915.53 -> bad than the normal environment. And here's
why. In the normal environment, if one drive
6919.68 -> fails, you're done. But you got to remember,
these aren't actually physical drives their
6924.75 -> virtual drive their high availability, so
they could be a little better. raid zero was
6929.389 -> generally too risky for the enterprise unless
we're gonna get into return assumption as
6934.5 -> temporary storage video editors use raid zero
all the time. When I used to edit my own videos,
6939.179 -> I had my own RAID array that was raid zero,
and I backed up to a raid five RAID array.
6945.57 -> Good news is we can backup a raid zero into
a single availability zone. And because they're
logical drives, it's less risky, but still,
it's too risky for us for production environments.
6955.48 -> Now, this gets us into raid one, which is
going to get us into some really cool availability.
6961.9 -> And it's the secret to raid 10, which is coming
up. Now RAID 1 is disk mirroring. Let's
6967.429 -> marry two hard drives in the system. Whatever
gets written to hard drive one gets immediately
6972.25 -> copied to hard drive two, and that way if hard drive
one fails, you just break the mirror and use
6976.8 -> the other hard drive. It's brilliant in terms
of redundancy, but it's slow. It's expensive,
6981.619 -> and it has low capacity. And here's what I
mean by this normally, in raid zero, you've
6984.961 -> got four two terabyte hard drives, guess what
do you have tuck capacity? Eight. Here, you've
6989.79 -> got two four terabyte hard drives, what do
you got capacity wise for? Because you're
6993.969 -> getting one and it's backing up to the other.
And that's it. So what's this look like visually
6999.74 -> and architecturally, you've got two drives
hard drive one and hard drive to hear all
7004.719 -> the data from hard drive one is exactly mirrored
and copy to hard drive two. I've got no throughput
7009.77 -> benefits, no latency benefits, and no storage
increases. But I've got brilliant high levels
7016.04 -> of availability. Now let's talk about raid
five. RAID five is really the best of both
7023.87 -> worlds. You can't do it on AWS, because the
storage is so slow, they won't let you raid
7028.79 -> five gives you speed and redundancy done.
RAID five is considered striping with parity.
7036.139 -> And it's high speed and it's highly redundant.
It's used by 90% 99% of all enterprises, some
7041.75 -> form of RAID 50, raid 60, or even raid five.
What does this look like? Here you go.
We've got our block, and let's say we split it amongst four drives. If we've got four four-terabyte drives, we get 12 terabytes of total capacity, because what's going on is as follows: we lose one drive to redundancy data. So here we go. In this environment, we basically copy block one to drive one, block two to drive two, block three to drive three, and we put backup parity data on drive four. The next time we write our data, block one goes on drive one, block two on hard drive two, now we put our backup data on drive three, and then we store data on hard drive four. Now the next time, for example, we put our data on drive one, backup data on drive two, data on drive three, data on drive four, and so on and so forth. So, you know, kind of keep that in the back of your mind: RAID 5, speed and redundancy. But here's the problem with RAID 5. The act of writing this backup data can increase latency. And because we're dealing with block storage, which is so, so, so slow, guess what? It's not even allowed on the AWS cloud.

So RAID 0 is fast and gives us everything we need but redundancy. RAID 1 gives us all the redundancy in the world, but no speed. Hmm, what if we blended them together? And that's RAID 10. So really, RAID 10 is a combination of RAID 0 and RAID 1, in which case we'll create a RAID array that's RAID 0 for speed, a backup RAID array, also RAID 0 for speed, and copy RAID array one to RAID array two right away. So let's say we lose RAID array one, guess what? We're good on RAID array two, three, four, five, six and everything else. So we're going on the other drive. So let's make sure we get this clearly. I'll show you what it looks like. Here we've got two RAID arrays. In the first case we're combining RAID 0, two drives, back and forth, fast, so fast. RAID 0 on the other one, that copies from RAID 0 array one to RAID 0 array two. Anything happens with our first RAID array? No worry about it, no big deal. We're good to go. Why are we good to go? You're going to be on the second RAID array. And that's why we're using RAID.

I'm going to talk about a couple more file systems real quickly, and then I'm going to get involved in answering some questions. So let's talk about the next thing. We'll talk about the
elastic file system. What are we talking about with regards to the Elastic File System? Nothing special other than an NFS file system, meaning, if any of you have been using Linux or Unix storage environments for years, file storage, and you set up a Network File System share, which was invented by Sun Microsystems some 30 years ago, that's what we're talking about. That's the same thing that the AWS Elastic File System is: it's the AWS-branded, fully managed version of Linux/Unix storage, that's it. And of course, with this, we have the same kind of versions, like we do with any other kind of storage, where we've got the standard, which is the highest performance option, and infrequent access, which is stuff where you're not going to access it frequently, but you have to pay for it when you retrieve it. We'll have our two options, which is burstable. Here's what burstable means: you've got access to this, but you can temporarily increase your speed. Or, guess what, you know, provisioned throughput, which is you say, I need this, and you pay for it ahead of time, and it's guaranteed to you. Again, no different than Frame Relay, with a committed information rate and a burst rate from 25 years ago, same kind of thing we're talking about. Now, what's good about the Elastic File System is it's like NFS, right? So it's POSIX compatible, and it will work with your legacy systems. It's considered high throughput, high IOPS, low latency. One thing that I really love about the Elastic File System versus building your own file store, file server, is it expands if needed. So normally, from an architecture perspective, you're planning how much storage you think you need 10 years from now, five years from now, or three years from now, however long you're going to keep your systems, then you usually double it when you figure you have a good dose. I'm exaggerating the concept, but it's something like that. It's what's called the SWAG, a scientific wild-ass guess. Now here's where the cloud shines: the Elastic File System will grow on demand. So it will automatically adjust size and capacity. I've got to tell you, for the people that do capacity planning and systems administration, this is a huge, huge, huge thing, it'll be incredibly helpful. Here's what it looks like. We use the Elastic File System, so you can take your EC2 instances that are running Linux, for example, and mount them to an NFS share point in a fully managed environment by AWS, just like you would do in the data center. But here you don't have to manage it.

Now, we talked about file services for Linux, right? So what do you think the next is? File services for Windows. Now, if you wanted to deal with file service for Windows, you could deal with a Samba share on a Linux system, or you could use Windows servers. So let's talk about Windows Server. When you're dealing with Windows servers, you're dealing with a fully managed, high availability Windows file system. Okay? Why is it? Because they're Windows servers that AWS manages for you. And because they're Windows servers, they use the Server Message Block protocol, which means they're hosted on Windows servers. So because they're Windows servers offering Windows shares, you can get all those Windows system features like quotas and Active Directory. FSx for Windows also provides encryption in transit and at rest. And what does this really look like? It looks like this. Basically speaking, you've got your server. You create your file system, you configure your file shares, you connect your file shares. And that's it, you run your applications, simple, simple and effective.

While we're at it, let's get to the point where we talk about Amazon FSx, FSx for Lustre. So now let's say you needed a higher performance file system, because block storage isn't good enough for you, for some high performance computing. This is where we get into Amazon FSx for Lustre, where you can get millions of IOPS and 100 gigs per second throughput, bi-directional synchronization. We can synchronize our data with multiple S3 buckets, for example. And this enables some truly high performance transfers via multiple threads. Now we're going to get back
to the training. So you'll recall yesterday we talked about the cloud and how it was organized, and the type of connectivity we use to connect to the cloud. And we talked about storage on the cloud. Now today, we're going to begin by telling you how do you get your stuff, your data, to AWS? So realistically speaking, how you're going to get your data to AWS depends on your options. If you've got a high speed link between you and AWS, like a 100 Gig link, and you don't have that much data, or a 10 Gig link, pretty easy, just send your data over the wire, no big deal. But, you know, in most, in some cases, that's not practical. There's ways where we can send it over the network, which I talked about, which is a manual transfer. There's ways where we can send the data over the network to the cloud over a more automated transfer. And of course, the transfer appliances, we can talk about, to get our data there if we lack network bandwidth or we lack time. So we're going to tell you how to do all three, starting now.

Now, when it comes to sending data to AWS, the first, you know, AWS officially supported method is to use something called the Storage Gateway. I love the Storage Gateway concept, because here's what it is. Effectively, you've got AWS, which sits over here, and you've got a specific virtual machine that you put in your data center. That becomes a server, you connect all your devices to this server, and I'll show you graphically what those are going to look like. And then your data is just asynchronously copied to the cloud. Put a file server in your data center, it magically gets copied to the cloud. Now what is this Storage Gateway that AWS provides? It's just a simple virtual machine. You pop it in one of your VMware servers or your Microsoft Hyper-V servers. And it's an AWS-managed virtual server. And basically, what you do is you mount the server, and I'll tell you how you do it, and it just moves your stuff to the cloud asynchronously, dynamically and beautifully. It's very, very simple. Now, if an organization has a hybrid cloud, which is a data center connected to the cloud, the Storage Gateway will keep the data synchronized. Magic. But if an organization wants to migrate their stuff to the cloud, they can also use a Storage Gateway, copy all their stuff over and then launch their virtual machines in the cloud. One, two, three, they're up and running like nothing. So we're going to talk about storage gateways. We're going to talk about the types of storage gateways. We're going to talk about how they work and why organizations would use them. So the first kinds of gateway we'll be talking about: file gateways, volume gateways in stored mode, volume gateways in cache mode.
And realistically speaking, there's also something called a tape gateway. I don't know if any of you are, hopefully not, as old as me, who has been working in tech for many decades. I have, where we started out by basically putting in these tapes, and we used to back up to a tape. And then the tapes got bigger and bigger and bigger. Many organizations still have a tape gateway, which, basically speaking, we can get rid of that: we can create a virtual tape gateway, and we can back up and archive like we used to, using virtual tapes in place of tape backup machines, which we'll talk about. So we'll talk about file gateways, volume gateways in stored mode, cache mode, as well as the tape gateway.

So let's begin with the Storage Gateway, specifically the file gateway. It's a very, very simple, elegant solution. Let me show you what's really going on. In this particular environment, what you have is you've got your servers. So we have them on the left side of the screen, representative application servers. Now we stick this AWS virtual machine in either a Windows server using Hyper-V or a VMware ESXi server. And we basically use a Server Message Block or an NFS share to the storage gateway, which is represented by red. And then that storage gateway is going to use a Direct Connect connection or your VPN connection, whatever you have, and it's going to directly send your data to S3. And from there, you can have a lifecycle policy with your data, like we did, where it stays on S3, then it moves to Infrequent Access, and it goes to Glacier, or we can keep it on S3. So very simple. Take your stuff in your data center, you mount a virtual machine just like it's any other file server in the world, and asynchronously your data gets copied back to AWS. Simple, effective, elegant, very, very basic, very, very simple.

Now, there are ways to truly optimize this. What if an organization really has a hybrid cloud, and they want to use their data center for the majority of their computing, because it's cheaper to operate the computers you own than it is to operate stuff on a cloud, where the cloud gives you more agility and enables you to design potentially cheaper, and we'll talk about that when we talk about auto scaling. But the best performance you're ever going to have is in your data center, because there's no latency. The cheapest cost is going to be for the hardware that you typically have. So for organizations that have a hybrid, a real hybrid cloud, call them, and they have their own cloud and they connect to one or two public clouds.
Now you're talking about volume gateways in stored mode. Why? Because the organization keeps most of their data in the data center. And they're using the cloud either for bursting, which means adding additional capacity, they're using the cloud for what it's really good for, which is hosting, say, web applications that dynamically scale on demand, or they're using the cloud for backup purposes, like disaster recovery purposes, and this is where the volume gateway stored mode comes in. With this machine in our data center, everything gets backed up onto S3. And it's a beautiful, beautiful, simple way to do it. Now the servers will connect via the iSCSI protocol, basically an internet-based SCSI, basically SCSI attachment to the drives. And it'll operate like any other type of storage area network. So basically, what is this going to look like? Now in this particular case, you could have your users, they're going to be connecting to their stuff in your data center. And they'll be connecting to your application servers, or whatever servers you have. Your servers will have an iSCSI connection, as you can see, between our application servers in orange and this gateway virtual machine, which is operating in stored mode, and then as data changes in our data center, you're going to see it's going to be pushed to Amazon S3 as snapshots. Simple, elegant way. Your data is primarily in your data center, and you want to shift it and send it to the cloud. Beautiful, elegant and everything.

Now, what if you really had most of your stuff going on in the data center, meaning the AWS, I'm sorry, the cloud, like the AWS cloud, but you still had some stuff in your data center, and most of your data was stored in the cloud? Well, there's a way to make this work too. Basically, you can keep your data center and your cloud synchronized, while maintaining most of your data in the cloud, and bringing it back. Now here's the first thing to remember: computers cannot mount object storage, it doesn't work. We talked about all those reasons why yesterday: swap files, and versioning, and lots and lots and lots of challenges. So because of this, it's not like we can take our data center servers and mount them to object storage, or AWS S3, or Microsoft's, Google's cloud stores, because the technology is not designed for them. But we can do this: we can store our data in object storage on the cloud, which is nice and cheap, and create some little virtual environment called the gateway that can then share it back to the systems in our data center, and make it feel like it's real storage, not object storage. And that's where this beautiful volume gateway cache mode comes in. And the volume gateway cache mode is designed for organizations who predominantly keep their data in Amazon's object storage, otherwise known as S3. And it's going to make the data stored on S3 feel like local storage in the data center. The way this is going to work is a Storage Gateway virtual machine is going to be installed, and I'll show you a picture for this in a minute, and the data, basically, is going to be received and cached from S3. And by doing this, what are we really, really talking about? It's going to be pulled from S3, placed on this, the server that all your devices mount to, and then you can pull information from the cloud and synchronize it. So let's look at what this is going to look like architecturally.
So imagine most of your data is on the right side of this, where it says Amazon S3, you can see the red data over here. And here in our data center, we've got users that want to access the data. So basically we put this volume gateway in here, and the volume gateway connects us to the AWS cloud for storage. Now, when we pull data from the AWS cloud, out of S3, and it sits on our gateway virtual machine, it's going to cache that data. And what do I mean by cache that data? So let's say I was drawing a picture of my beautiful cat, Cindy. My cat Cindy, I adopted her; theoretically, I was supposed to rescue her, but I think she rescued me by making me happier after I adopted her. So anyway, so there's that. So kind of the way you'd like to look at it is, if I went in to pull my data from the cloud, and I wanted to view a document of my cat, Cindy, it would be on the AWS cloud, sent to the gateway virtual machine, I would do my thing, and it will be cached on the gateway virtual machine. Now my wife, who really loves cats, decides she wants to look at the photo of Cindy. She's going to go straight to the gateway virtual machine to access it, and it's going to be there for me. So the data is not going to go back to the cloud. Now then my brother comes to my house and he wants to look at photos of my beautiful cat Cindy. And again, he connects to the gateway virtual machine, and the gateway virtual machine says, I have it here, and sends it back. Now then, later that day, I want to look at a photo of Chris's beautiful orange cat, the Maine Coon, Sonny. And I go to the gateway virtual machine, and it's not there. It pulls it from AWS S3, stores that on that gateway virtual machine and sends it to me. Now Chris, from my team, wants to look at his beautiful orange cat, Sonny; he goes to the gateway virtual machine, and it's there. So it's a lot like a content delivery network concept, but for your data, your private data across your intranet, versus the internet, versus web pages, but similar in content with regards to character. I'm aware that my pointer doesn't show on screen, I wish it really did, because I tried to move my mouse, it just does not show up with our broadcasting stuff.

So the last thing I want to draw is really a tape gateway. While we're at it, let's add a slide, we'll do it together. So what is really going on here with the tape gateway? Well, it's pretty simple. What we have over here is AWS object storage.
And what we then have is, we've got our data center. And most, a lot of data centers have this virtual tape machine, where it's basically a tape backup drive. And usually the way this works with tape backup, typically what happens is we've got some user admin, and when they're doing the backup, they're popping in these backup tapes, popping in the backup tapes, and they're shipping them off site. Now what happened is AWS came up with a virtual tape. And basically, instead of being a physical tape that goes, well, it makes a terrible sound, it's a virtual tape, so they put it in this virtual tape. And what happens is the tape backup drive thinks it's connecting to a tape, but it's literally a virtual tape. And then the virtual tape will send it over your network directly to AWS; you have a direct connection to AWS object storage. And there you go. That's your virtual tape gateway. So those are the ways that we can send our data over the network to AWS. Of course, we could put an FTP server or secure FTP server in the cloud, you just place it there like we would in any other data center. But these are the AWS, you know, managed, simple, elegant ways to do it.

But what if you don't have enough time? What if you don't have enough bandwidth, and you need to get your stuff to the cloud faster? Now we're getting into other options. The first option we're going to deal with is something called the Snowball. I love the Snowball idea, I really do. What is this Snowball? It is a ruggedized computer, and you can see pictures of it in our book. They basically ship you a computer with a bunch of hard drives in a RAID array. You plug this computer into your network over the 10 Gig network connections. You copy your data to the Snowball, copy, copy, copy. And then you ship the Snowball back to AWS. And they pop it on your object storage. Now, when you copy it there, it's encrypted. And it's very simple. You request a Snowball from AWS. They deliver you the Snowball. You load data on the Snowball, they come and pick it up and ship it back to them. And then AWS takes the data off of the device, puts it on your object storage platform, and then securely erases that device for the next customer. And yes, they know how to securely erase the device for the next customer. That's how the Snowball works. And it's a nice, simple, elegant solution.
Now what if you needed to move a lot more? So instead of shipping this ruggedized computer, what if you needed a whole shipping container? So now we're dealing with the Snowmobile, a really, really cool concept. The Snowmobile is basically a data center on wheels. It's this 45-foot shipping container, filled with storage, storage and more storage. And what happens is this data center gets driven to you by a tractor trailer, you connect the Snowmobile to your network, copy all your data on, and then the Snowmobile is driven back to AWS. They copy it onto your object storage, otherwise known as your S3. And guess what? It's done.

Well, let's talk about something a little more realistic for the average user. Let's say you've got a small amount of data, like 15 terabytes. In this particular environment, you could use just the very simple AWS Import/Export service. What is that? You rent a hard drive from AWS, copy your data to the rental hard drive, ship the hard drive, and then they take it off. So again, you know, this is where we're getting the nice and simple and elegant. Put your data on a hard drive, ship it to AWS, they load it for you, and you're good to go. Very simple.

So, before we get into computing, which we're going to have a lot of fun with, and we're going to even show you, under the hood, what's going on, because I want you guys to truly experience it, as opposed to just seeing a lecture, we're going to talk about Amazon WorkDocs, which is the last key component of storage I need to do with you. So if any of you have ever used something like Dropbox before, or Google Drive before, a consumer-oriented collaboration toolset, that's what Amazon WorkDocs is. It's a fully managed, secure content creation, storage and collaboration service, just like Google Drive or Dropbox. It enables collaboration on creative projects, shared document editing. It's simple and affordable. And you can access it via a web client or specific client software for Windows and Mac operating systems. And of course, it meets, you know, traditional security standards like HIPAA, PCI DSS and ISO requirements.

So, so far, we've covered storage. And in this bootcamp, we've covered block storage, object storage, file storage, covered the AWS-branded S3, EBS, we've talked about RAID, the Elastic File System slash NFS, File System for Windows, we talked about storage gateways, the Snowball, the Snowmobile, and the Import/Export service, and WorkDocs. Now we're going to get into compute next, which is one of my favorite parts.
So now let's start talking about computing upon the AWS cloud. And before we do this, I want to explain exactly what's going on. I want to make sure you all truly understand what virtual machines are, because if you don't understand virtual machines, all this stuff is basically going to be for naught. So I'm going to give you a visual description of a virtual machine, using one of my favorite things in the world, my cat Cindy. And then after we deal with this visual description I'm going to give you, I'm going to bring you to one of our data center servers, and we're going to teach you how to create one in real life the hard way, so you get to see it in the data center. And then when we talk about this Elastic Compute Cloud, you'll be able to define it in one sentence; it's a couple words long, you're all going to know it.

So in 1999, VMware came up with the first x86 hypervisor. And then it created the first virtual machine; it was the coolest thing in the world at the time. And what a virtual machine really was, is we would take a server, chop that physical server up into many servers, and then be able to create multiple servers on that single server. Now, when I started in tech, 25 years ago, this was not possible. And here's the reason: the servers were slow. They had a couple megs of RAM, maybe, and, you know, that was a $20,000 device, one core, or two one-core CPUs, you know, a couple megs of RAM, and that's 10 grand. Now on that, here's what happened: we could only run one thing on a server. And, you know, every few years, when computing power would double or so, you'd be buying a new server because we were constantly outgrowing our technology. Fast forward, you know, 25 years. Now we've got the servers made by AMD, which can have a good three 64-core CPUs in them, which gives us 192 cores. We can pack these things with 610 terabytes of DRAM. Now that one server can power many servers. So what happens is we're dealing with all clouds. And when we're dealing with AWS EC2, Azure virtual machines, Google Compute Engine instances, Oracle virtual machines, it's all the same technology. And basically, what makes this possible is as follows. We're going to take a server, and I'm using my favorite technology demonstrators over here, and the server is going to be represented by the physical hardware. And we're going to install this very thin layer of software on the server called the hypervisor. Now the hypervisor will let us take that server and create a bunch of mini servers all sitting inside this server. Now, each mini server will have its own operating system and its own applications and their dependencies. So in this particular case, we've got three servers. Server one, on the extreme left, is my beautiful, sweet, adorable cat Cindy. She's running her own application and she is in one of the virtual machines. Now on the same server, the same physical device, guess what we have? We have Chris, my chief operating officer's fantastic cat named Sonny, who's a beautiful orange Maine Coon. And you can see she's in her own virtual machine with her own operating system. Of course, she has the application. Now on the right, we have this cat, which I named Caddy. It's a Maine Coon, black with green eyes. It's a beautiful, beautiful cat. Now this cat comes to my house every single day to go play with Cindy, my cat. My cat Cindy is terrified of this beautiful Maine Coon. I don't know why. I even put out food for the Maine Coon because it's hungry a lot of the time, and it's sad. But my cat and her like each other. I don't know why. But you can see this cat, who I call Caddy, is on her own virtual machine, and being on her own virtual machine, guess what, she is completely separated from Sonny the cat and Cindy the cat on the same server. And that makes my cat Cindy happy. Because I don't know why Cindy doesn't like Caddy, I think she's a beautiful Maine Coon. So that's what we're really talking about. But let's take this conceptual drawing, and let's build a real virtual machine the hard way, the data center way, and by doing it this way, now, when you deal with any cloud provider, you're going to understand what a virtual machine is. So Chris, can you share my web browser, put the web browser on the screen?
8804.51 -> Okay, here we go, everyone, here you can see
my desktop. And right now I'm remoted into
8810.67 -> via a web browser, my one of my many VMware
servers that the students in the cloud architect
8816.79 -> Career Development Program use to really get
hands on experience real hardcore hands on
8821.24 -> experience, they build clouds on these things.
And the basis of all virtual machines is the
8826.14 -> following. In this particular case, we've
got a physical server. But tell me about the
8831.75 -> server, the Dell is a precision workstation,
which is basically a server. It's good Dell
8836.51 -> 7810, you can see it's got 24 CPU cores, you
can see that it's got two and the Xeon E 526
8845.07 -> 70. V threes, you can see that the system
has got a total of 128 gigabits around on
8851.49 -> the right hand side of this, you can see that
the total number of gigahertz in the system
8856.729 -> is 55 gigahertz. And you can see that we've
got this one terabyte of NVMe storage. Now
8863.319 -> when we're dealing with virtual machines,
all what we're really dealing with is as follows.
8868.97 -> We're really dealing with taking the server,
the hypervisor on the servers that VMware
8872.93 -> ESXi. And we create a virtual machine. And
we'll name the virtual machines. Let's call
8882.07 -> it Cindy's virtual machine. My cat is really
cute. And she'd like to get her hands involved
8887.14 -> in technology every day of the week. Unplugged
servers with their paws, great troubleshooting
8890.39 -> coach by the way, then we pick the operating
system we want. And then we give it some information
8898.46 -> about the operating system. In this case,
we'll use Windows 1064 bit, in case many of
8902.609 -> you haven't deployed service in your life,
I'm just gonna show you something real simple.
8906.15 -> And then the next thing we would do, in the traditional data center environment, is determine what we need. Okay, how many CPU cores are we going to use? How much memory does the virtual machine need? How big is the hard drive we want to use? And then from there, we'll determine where it's going to boot. We're going to boot it directly off of this ISO file. We're not going to build the whole virtual machine; I just want you to get the conceptual knowledge over here. We're going to make sure that we expose the operating system, the hardware, etc. And this is basically the basis of all EC2 instances, Azure virtual machines. Now you can see we just created this new computer. And if I click on this computer, wow, it's going to boot up just like any other computer, wait, just like any other Windows computer; it's going to say press any key to continue, and it will enable us to install it just like it's any other physical computer. The only difference is I can have 20 of these things sitting in my server, optimizing space usage, power efficiency. And by doing it, guess what? We're basically in a position where we can maximize our data centers. So this is what we've been using for the last couple of decades.
8983.22 -> Chris, go back to me; we don't need to be sharing any more of the screen. But I wanted everybody to understand, under the hood, what an EC2 instance is. So now, let's go into the AWS-related content. I want it to be meaningful to you. So AWS likes to call their virtual machines Elastic Compute Cloud. I don't know why; they paid somebody in marketing millions of dollars to come up with that name. But so they call it. Now you know that Elastic Compute Cloud is nothing more than a virtual machine. If you're interviewed by a CEO, a CTO or CIO, or any of these people, and they say what's EC2, you tell them it's a virtual machine, don't give them any of the sales or marketing stuff, and they'll trust you.
9028.24 -> So when you're dealing with virtual machines, in any cloud, how do you size them? The same way you do any other virtual machine. So if you know that a virtual machine takes 24 cores, you size your virtual machine with 24 cores. If you know your virtual machine needs 256 gigs of DRAM, guess what, you size your virtual machine with 256 gigs. And when it comes to your storage, in terms of hard drives? In your data center, you know what to get. But on the cloud, you're dealing with block storage, so again: do you need RAID, what kind of storage environment, what kind of block storage, file storage? There you go. And again, you're there. What kind of network performance do you need? You need Gigabit Ethernet, 10 Gigabit Ethernet, 40, 100 gig Ethernet? Exactly what do you need? So again, the same way you would make any virtual machine in any data center, the same thing you would do in the cloud. As I say, learn the cloud, not any vendor's platform, and then you're going to know all of the cloud.

9092.93 -> So let's talk a little bit more about them. Now, I showed you the hard way. In the data center, you have to tell your servers exactly what you want. You can tell your server this one has four cores and four gigs of RAM, or two cores and four gigs of RAM; this next server has 64 gigs, and a terabyte of RAM. You can do that on your virtual machine, but not on AWS. On AWS, these virtual machines are pre-built for you; they took all the thinking of it out for you. And all you need to know is which family of virtual machines to use, and then you go to the chart to determine which virtual machines include your CPU, DRAM, performance.
9131.3 -> Now they've got families like A1, which is used for ARM-based workloads, and C5, which is used for compute optimization for batch processing, media transcoding, and the G3s are GPU-based machines, which you use for, say, machine learning. And then they've got the I3, which is for high-speed storage, for like data warehousing and high-speed, high-performance databases. They've got an M5, which is general purpose, ideally for databases, and M6, which is more general purpose stuff, not databases. They've got a T3, which is the basic burstable computing platform, which is perfect for web apps and test environments. And then when you need a lot of memory, for like big datasets and data science and data engineering things, you're going to have large datasets in memory, then in-memory databases, you've got the X1 family, because it's got the lowest cost per gigabyte of DRAM, because they're focused on giving maximum DRAM. But you know, kind of keep that in the back of your mind, you should be good to go.

9194.59 -> So realistically speaking, when you're dealing with a virtual machine, what are your operating system options? Well, EC2 really supports Linux and Windows. Basically, almost all your servers are going to be Linux. You'll have Microsoft Exchange servers, Active Directory servers; some organizations have Windows servers, but for the most part, most servers are going to do Linux. Now, AWS also offers virtual machines that run on Mac Minis, for the Mac operating system. You're not going to host a mission-critical application on a Mac Mini; it doesn't have error-correcting RAM. It's not a mission-critical system. But if you're a developer, and you need to compile code for applications running on a Mac, you need a Mac to do that. So instead of your developers having to buy Macs, they can get a 24-hour AWS EC2 instance that runs the Mac operating system. That's what that's for.
9253.96 -> Now, you can create your own machines. You can take your virtual machines from the data center, use a conversion tool, and take those same VMware virtual machines, or KVM or QEMU virtual machines, or Hyper-V virtual machines, and migrate them to the cloud provider of your choice. Or you can use a pre-built virtual machine, just pre-built virtual machines from AWS. But also, let's say you want real security on your environment. You're not going to be using AWS WAF or any cloud provider's native things. You're going to be going to your security vendors: Cisco, Palo Alto, Fortinet, Check Point, and then you're going to be running their stuff on a virtual machine. And you'll be getting those virtual machines from the AWS Marketplace, which is where you're going to be getting these things, so kind of keep that in the back of your mind. But whenever you build the machine image, it's going to need a storage volume, where you're going to store your stuff, as my mother-in-law would like to call it, and that's basically going to be your system and your EBS.
9314.66 -> So, normally every virtualization device has its own name for its virtual machines. AWS calls its virtual machine images an Amazon Machine Image. Everybody else has their own names. And basically, in what I showed you, I created a virtual machine and I'd have to install my own operating system: Windows, Linux, whether that be Red Hat, Ubuntu, Oracle Linux, Amazon Linux, CentOS, the Linux flavor of your choice. So you'll see now, with AWS, they're pre-made for you; all you have to do is click, click, click three buttons and it comes up. That's why the cloud is easier, because, I mean, it's so agile. You just clicked three buttons, and it's done in seconds. And launching one of these virtual machines is easy. I showed a six-year-old, I'm sorry, an eight-year-old, how to do it in less than five minutes; he's real cute, with a couple of bucks. So much easier than the hardware I showed you, which is the data center. And we can get these machine images from the Marketplace, if it's a firewall. We can generate them from our own machines. And we can upload our own machines and use a conversion tool. Simply make a virtual machine image. It's basically a system image of a server.
9386.63 -> What are the components of this? Well, it's going to be your operating system, your launch permissions, and a block device mapping that maps the block storage tiers to your virtual machine. That's really it. I can make an AMI machine image of my servers, I can copy it to different regions in case of a disaster recovery, I can take my image, modify the image, and ship it to other clouds for disaster recovery purposes. So it's great for new migrations, great for multi-cloud environments. Amazon Linux 2 and the Amazon Linux AMI are pre-built Linux images supported by AWS. And they're all based off of the Red Hat Linux operating system. But with Red Hat, you have to pay for their support, and with AWS, it kind of comes with.

9430.56 -> So now let's say you launch a virtual machine. So let's say I launch a virtual machine and I want this virtual machine to update its operating system upon reboot. Maybe I want to install certain things like an Apache web server. So I can set up what's called a bootstrap script. And there's a little box where you put commands. So let's say I've got a Linux machine. I could have the first command do sudo apt-get update, which will update the packages; then I can do sudo apt-get upgrade, and it'll upgrade the packages; then I could have it say, like, sudo apt install, I think it's apache or httpd, for the web server. And boom, it'll install all that as soon as the server comes up. I could use a script to basically launch these AWS machines, install applications, patch the software. With Linux things, it's a simple bash shell script. With a Windows system, it's a basic PowerShell script. Simple, simple, simple, easy stuff. Number one, we're getting our virtual machines in the cloud provider.
9502.4 -> There's multiple ways we can get them. And the way that we purchase these things can affect our cost dramatically. This is called tenancy options.

9513.55 -> So let's talk about the first one. On-demand. And what is an on-demand instance? By the way, this is, realistically speaking, in many cases, why organizations love, love, love to use the cloud. So with an on-demand instance, you pay by the second. And what's your compute capacity? Your compute capacity is as follows: whatever you need it to be, meaning I don't know my demands. So basically speaking, I think I need a 16-core server with 64 gigs of RAM. I buy that on demand. If I need capacity, I use auto scaling: a ton more of those servers. And when I don't need them, the servers miraculously reduce their load, and I'm back to one server.
9569.59 -> Now, by doing this on demand, I don't need to know my exact capacity. Because I don't need to know my exact capacity, here's what I have to deal with: I have to pay more for the agility to scale up or scale down, and that's actually technically scale out and scale in. Scaling up means using a bigger server, whereas scaling out means adding additional servers. So really what we're talking about is, on demand enables us to add what we need when we need it. Now, when we deal with on demand, we're paying the most. Now, why are we paying the most with regards to on demand? We're paying the most for the following reason: we can't guarantee Amazon what our costs are going to be. So they have more business risk. Now by comparison, if I told AWS, I'm going to buy this server of this capacity for the next three years, that's called a reserved instance. In this reserved instance, here's what we're dealing with: I tell them that I'm going to buy this capacity. Now, if I tell AWS how much stuff I'm going to buy, they're in a better position to predict how many servers they need to buy to support my business needs, and they're going to give me a nice discount for this. So that's what a reserved instance is. So on demand, you're going to pay the most, because there's business risk involved for AWS: they're going to have to keep extra capacity around just in case you need it. With a standard reserved instance, you're basically telling them ahead of time, I'm going to buy this for the next one to three years, and they're going to give you a nice discount.
9667.84 -> Now, what if you've got a very, very, very strange environment, and in your strange environment, you know that every Friday, Saturday and Sunday, your system is going to run a batch job. It's going to run 24 hours each day, and you only need it Friday, Saturday or Sunday. Well, that's where we deal with something called the scheduled reserved instance. And what that is, really, is you buy a set of compute time every week on those days. And because you're committing to it ahead of time, you're going to get a discount. Now, that discount won't be as great as if you reserve it 24 hours a day, seven days a week, but it will still be there.

9707.66 -> Now the last option we're going to talk about is something called the spot instance. A spot instance is basically an auction where you're buying or renting extra AWS capacity. So here's the thing, here's the way a spot instance works. You know you need extra compute capacity to do something; you bid, in an auction-like manner, at a certain price. Now, if the price rises while you're using the systems, guess what? Your systems get shut down. Kind of scary. Google calls it preemptible. A spot instance, basically, you're purchasing unused services at the lowest cost AWS is willing to sell it to you. But if somebody else wants your compute capacity, and they're willing to pay more than you, you are shut off. So kind of keep that in the back of your mind. This is a little on the scary side, a little on the scary side, so kind of keep that in the back of your mind.
9769.399 -> So reserved instances: guaranteed, you know what they are, cheapest. Scheduled reserved: you know you need them on a couple of days a week, you reserve the capacity at a time, you get a discount that's not as big as if you buy it all the time. On demand: get what you need when you need it, scale out, scale in, go. And spot instances: bidding on extra capacity.
9795.359 -> Now, what other options do we actually have with regard to tenancy? That was more how you buy them. The next is really what they would call tenancy: do you want a shared tenancy instance? And what is that? Shared tenancy is when you launch a virtual machine on a server that has a whole bunch of other people's virtual machines, kind of like the system I showed you with three cats on the same virtual machine. Now that is your standard; you get a standard virtual machine. In any cloud provider, it's called shared tenancy, and your virtual machines and somebody else's virtual machines are on the same server. Who cares? It doesn't matter. They're logically isolated; they're secure. Now, what if you wanted to have the whole server for you, and make sure the entire server is exclusively yours? Guess what? All your virtual machines, nobody else's. That's where you get something called the dedicated instance. So shared tenancy was multiple people share the same server. Dedicated instances are basically the opposite of having multiple, multiple, multiple customers on the same system: with dedicated instances, you buy this instance, and you only stick your virtual machines on it.

9879.6 -> Now what if you need real performance, high-performance access to the high-performance disks in your server? Or you've got an application that needs the serial number of your processor, or a serial number on your motherboard? You have to put a key in there, a USB key in the server, for a license, and when you're dealing with this kind of stuff, what you really need is what's called the dedicated host. What's a dedicated host? It's a bare metal server, just like the one that I showed you, in which case you put your own hypervisor, or you use their hypervisor, their Nitro hypervisor, and you manage it yourself. So realistically speaking, that's exactly what we're talking about with... my cat's kind of giving me the...
9928.98 -> Sorry about this, I adopted a cat. She's the sweetest thing in the world, but she makes me sneeze from time to time. So when you're dealing with a virtual machine, how are we going to deal with keeping it secure? Well, all virtual machines in AWS have the ability to use something like a host-based firewall called a security group. The security group will allow you to keep stuff, unwanted stuff, outside of your server. And the good news is that security groups are stateful, which means they track the connections going in. And basically, you can set up a firewall-based policy on the server. So for example, if it's a web server, allow port 80 and port 443 into the server. Anything else in? Why would you? Or if it's a high-security server, you could basically create a firewall rule that would say, hello, allow any connection from the IP address 192.168.1.21/32, an exact match, or something like that. So let's look at what we're really talking about over here. We're basically talking about an environment where we've got our virtual machines, and we put a firewall rule called the security group right outside of them. And that's it. That's all we need to talk about. Everything is up and operational.

10024.33 -> Now, when it comes to getting an IP address on an EC2 instance, how do you think that happens? How does it happen in the data center? Well, in the data center, you can manually assign them, or you can use DHCP. Now, in this case, here, all EC2 instances are going to be given an address from the DHCP server. So they're going to automatically be assigned; you're going to have to tell it your CIDR range, and you'll create the subnets, and an IP address is going to be assigned naturally for you. Now, when an IP address is given to your EC2 instances, you're also going to get DNS service that's associated with it, and a fully qualified DNS name. And that way you can attach to it: mikesec2.this.test.com. And that way, you can connect to it via the DNS name, as opposed to remembering 1.2.3.4, which is its IP address. Now, when we've got a virtual machine, just like in our data center, we can have multiple network interfaces; we can have multiple subnets on multiple network cards on different subnets, public ones, private ones, anything we need to do, just like we would do in a data center environment. So that would be created by multiple network interfaces, which we'll talk more about later, especially in the networking section.
10104.8 -> Now, typically speaking, anything that you don't want reachable from the internet should have a private IP address, and be behind your firewall, your IDS/IPS systems, your access control lists, etc. We'll talk more about that later. Kind of keep that in the back of your mind. Now, instances are also going to be assigned, at launch, a public IPv6 address. If you don't want to be reachable via public, don't take a public address. So remove that address and make sure you don't have a route to an internet gateway of some kind, which gives you IPv6 routing. And you see, manually disable anything you don't need. When it comes to security, you've got a server and it's got 1000 services, and you only need one, disable all 999 services and keep the one. Same thing. Now the only thing to remember is, when you've got multiple network cards on a server, generally speaking, each network card needs to be on a different subnet. And you can't use the same IP address in two places. So each interface is going to require a unique address space and a unique subnet that's not going to be used in subnets that are going to be overlapping somewhere else. Bear with me one second. Sorry, the cat really gets my allergies going, even though I love her to death.

10176.18 -> Now how are you going to manage your virtual machines? Well, lots of ways. You can use the management console, where you click a few buttons, just like I showed you with my VMware environment, other than it's the AWS one. If it's a Linux machine, you can SSH, or Secure Shell, into it, and if it's a Windows machine, you're using RDP, Remote Desktop Protocol. Of course, you can do lots of management on these systems as well, via what they call the software development kit, or by pushing and pulling APIs. So those are options.

10220 -> While we're at it, let's talk about another compute platform called AWS Outposts, which is, realistically speaking, a fully managed virtual machine service. Now, it's a little different. So here's what AWS Outposts is. If you recall, yesterday I told you that the highest performance is in your data center, because there's no latency there; the cloud is going to be your highest latency. And then we talked about these concepts of local zones, which were intermediaries between your data center and the ultimate cloud, the local zone for lower latency. I also told you that by far the lowest latency solution is this: keep your stuff in your data center, and you've got low latency. Well, customers are demanding low latency. So AWS decided to sell you the servers that you can stick back in your data center. Now they fully manage the servers, which makes it simply easy for you. But you've got to remember, it's going to cost you more to buy somebody else's fully managed server to run in your data center than it would be just to get your standard server, where you can use, like, Microsoft Hyper-V, or KVM, or QEMU as a hypervisor; but it's your option. And by doing this, AWS Outposts is basically giving you that simplicity and elegance of the AWS cloud, and sticking it in your local data center, and giving you the performance as if it's in your data center. But AWS is going to manage it for you, and because they're going to manage it for you, they're going to charge you to manage it. So keep that in the back of your mind: it might be a great thing, it may not be. So AWS Outposts is really just a server that acts like an extension of your Virtual Private Cloud, placed where your own equipment is, in your own data center.

10322.3 -> We're going to get to databases next. Hashtag AWS Certified Solutions Architect 2022. I know it's a long one. But we want a lot of people to see this free training. I'm putting that kind of content there; it will help as many people as possible see the free training. Ideally spell it out, no abbreviations. Hit that like button, and comment and subscribe. Tell friends, join us, we can help as many people as possible with our free training. We are dedicated to making sure anyone that wants education can get it. So I know that you're awake, which makes me happy.

10372.79 -> I'm going to start talking about databases. So what is a database? A database is a place where you can store large amounts of information. A database facilitates the sorting, calculating, reporting and storing of information. Databases are an absolutely critical component to modern applications, mission-critical environments, in today's world. AWS basically has three forms of databases. They have relational databases, and we'll talk about them. They have NoSQL databases. They have data warehousing databases. And while it's not a database, to some degree we'll talk about a data lake, because they pop that into your exam. Now, when we deal with databases, we're going to start out with relational databases. And relational databases are the most common form of databases. And they give a business some really valuable insight: data that's related to each other.
10437.47 -> Now, why would a business want to know data that's related to each other? Well, if I know that every time I use the coupon code panda bear, with a 20% off discount, and I'm the CEO of a business, and panda bear can enable an organization to sell 30 times their normal sales, then it's pretty important to know that the coupon code panda bear drives sales. We can also find, with a relational database, users' geography. If more users in Florida buy this, then the company can target their advertising money in Florida based upon it. So organizations thrive on data. And we can determine the relationship between data, pricing and purchasing. Whoa, all kinds of exciting stuff. That's why we need relational databases, because relational databases provide information that's related to good business insights. And the way this works is, the data is going to be stored similarly to the way it gets stored in a spreadsheet, with rows and columns. Each row is going to have a unique ID, and the columns are basically going to hold certain values. That's going to be the basis of how these things work, just like a spreadsheet, but instead of being a spreadsheet, a database.

10523.43 -> Now, when we're dealing with databases, we're going to talk about something called atomic; they adhere to the ACID model. And what does this mean? It means the transactions are all or nothing. It's either on the database, or it's not. Now, the next part of this ACID compliance refers to the consistency of data. If I write something to the database, in a relational database, everybody else who accesses that database a millisecond later gets access to the same information. And something called isolated as well, which means transaction one doesn't affect transaction two. And it's also called durable, which means your data in the database isn't going to miraculously just disappear, kind of like your email, where you can't find something because you've got 10,000 emails. Maybe if you're not a CEO, you don't get 10,000 emails each day. But if you are, you know exactly what I'm talking about. So I'm going to talk about relational databases. We talked about that a time ago: the ACID model. Atomic: all-or-nothing transactions. Consistent: immediately readable after a write. Isolated: transaction one doesn't affect transaction two. And durable: data in the database will not be lost.

10592.53 -> So let's look a little bit at relational databases. You know, how are these things structured? Kind of structured as follows. You know, what do we have over here? We've got data that's related to each other: a customer order ID, customer ID and information, information related to the name, their email address, etc. That's what we're dealing with in a relational database: getting data that's related to each other. Now, when we deal with relational databases, there's plenty of kinds that we can use. We're going to discuss Amazon Aurora, MariaDB, Microsoft SQL Server, MySQL, Postgres, and Oracle DB. And, of course, you can create any database you want by launching a virtual machine and installing your own database software. I'm going to talk about the Aurora database, which is a wonderful database that you probably should never use in your career. And here's the reason you probably shouldn't ever use it, no matter how good it is: it's AWS proprietary.
10654.14 -> So when you're using a hybrid cloud, you want to have your database in your private data center and the AWS cloud. When you're going to be using the Azure cloud and the AWS cloud and the Google Cloud, you can't use this, because your information won't be there. So this puts you into one of those AWS proprietary positions, which we tech architects like to call vendor handcuffing: you're stuck, you can't get out of there. So generally speaking, if you're an architect, you want your customers to have some flexibility and agility. Stay away from Amazon Aurora. I would tell you to do the same thing for the Microsoft database, the same thing for the Google database, because it's proprietary.
But for the purposes of your exam, it's the
10691.16 -> coolest thing in the world. It's a fully managed
database, which is my SQL and Postgres compatible.
It's high performance and high scalability. And the reality is, it's a very good performing database; it can be up to five times faster than standard MySQL, or three times faster than Postgres. And what it really does: Amazon kind of took, you know, some of the benefits of the commercial database, such as what you get from Oracle, for example, and combined it with what you get out of a freeware database, and they sell it to you as kind of a software as a service. And by doing this, it's serverless, which means you don't have to manage at all anything that's going on. It's done for you; you're not thinking of your storage, etc. So when you use Aurora Serverless, it's much easier for you to do it. Here's the problem with serverless: you lose all control, you lose your performance, because you can tune your own systems to be as high performance as you want, but once you go serverless, you're at the mercy of somebody else. Mercy of somebody else. So for any of you that are into performance cars, you've seen somebody take a Honda Civic, and they've spent 50 grand on that Honda Civic, and they turn it into a race car that can outperform a $200,000 car. It's because they customized it. When you're going with serverless, you're getting whatever the average performance is. It's kind of like going to McDonald's or Burger King when they say, "Would you like fries with that?" Serverless is standard; you've got much fewer options. In this case, it's simpler. It's much easier to go to McDonald's and buy a hamburger than it is to cook it yourself. But when you cook it yourself, it may or may not be better, based upon your taste. So kind of keep that in the back of your mind. It's a great database, but it's proprietary.

Now, of course, you can use the MySQL database. Now, the MySQL database is an extremely old, highly popular database used in a tremendous number and wide variety of applications. Now, AWS also supports Postgres. Postgres is an open source relational database; it's very scalable. In many cases, people actually use this as a data warehouse. Very advanced feature set compared to MySQL, great database. Now, while we're at it, another great database is MariaDB. And this is an open source relational database, which means I can pop this in AWS, Azure, Google, your data center, which is why we love it so much. It was created actually by the developers of MySQL, with added additional features and functionality for the enterprise. Beautiful, beautiful stuff.

Now, many organizations use the Microsoft SQL database, specifically for Microsoft related workloads. And of course, AWS RDS supports Microsoft SQL Server versions 2008, 2012, 2014. Of course, you can create your own virtual machines and install any database you want. AWS, by having Microsoft SQL Server, lets the users really access Windows workloads brought to the cloud in a very seamless environment, and allows for a very simple migration. Microsoft SQL has different clustering options and failover options than most databases that you would use, and you have to be familiar with those when you're using them. And the four editions of it that are naturally supported are Express, Web, Standard and Enterprise of the Microsoft SQL Server. But you've got to remember, you can easily, easily, easily launch a virtual machine and install any database you want, and not use anybody's database management system.
Now let's talk about when it really matters. When it really matters, when businesses really need a scalable relational database, for the most part, they go to Oracle. Oracle's the 600 pound gorilla when it comes to databases and relational databases. It's one of the most popular relational databases in the world. It's got a massively functional feature set and functionality. It's developed, licensed and managed by Oracle, and the AWS database management service offers, you know, Standard One, Standard and Enterprise licenses. And each of the versions of the Oracle database will have different performance, flexibility and scalability options. And you can pick these, and these are great because they are standard databases, so use them across your clouds.

Now, when you're dealing with the Oracle database with AWS, there's two versions: there's license included and bring your own license. So let's talk about what they are. License included is basically we're using the AWS license to the Oracle database. And you're only going to get two options, basic options: Standard Edition One and Standard Edition Two. But if you've already got a paid license to Oracle, you can bring that license directly with you to the cloud and host your database on AWS. And then you get a lot more flexibility; you can use the Standard license, the Enterprise license, the Standard Edition One, and the Standard Edition Two license. So that's really where you're gonna go.

Now, we talked about relational databases, which show the relationship between variables. Relational databases are great. But there are other kinds of databases to serve different purposes.
The next kind of database we're going to talk about is a NoSQL database. And a NoSQL database, which is an old school database developed by IBM, if I remember correctly, around the 70s, came up with "not only SQL"; that's where they got the name, NoSQL, not only SQL. And the key thing with NoSQL databases is they provide a lot of flexibility in schema. So in addition to being like that regulated, you know, columns and rows, like a spreadsheet, you get a little more flexible here. We can deal with structured data, semi-structured data, because the structure on these NoSQL databases is very loose. And a NoSQL database can scale beyond things that you can possibly imagine, much, much larger than a relational database. And, you know, the data is stored in a key-value kind of pair environment. And what are we talking about here? We've got our keys and we've got our values. And of course, you know, anything that we're going to give you is going to have a cat, dog or a bird, because we love things with fur or feathers, as an example. Now we're really talking about a lot of flexibility, a schema which enables you to do things that you could never do in a traditional environment. So let's say you wanted to store video game state, well, of players in a video game; that's a NoSQL database. Let's say you need near unlimited scalability; that's a NoSQL database. Let's say you are a content provider and people are watching movies; do you want to store the place where they stopped in a movie? That's in a NoSQL database.

We cover NoSQL databases; I'm going to talk about the three options that you have for the most part. I'm going to tell you about the one that's going to be on your exam, DynamoDB. I'm going to also tell you, you probably should never architect DynamoDB into anything. And here's the reason why: it's AWS proprietary, just like Google's Cloud Bigtable, just like Microsoft Cosmos DB. And being proprietary keeps you from building your high availability, high performance clouds, like you would do in a multi-cloud environment. So if you're an architect, try to stay away from these things. Try to use an open standard, such as MongoDB or Apache Cassandra. But you know, this is up to you. You can always architect anywhere you want. But it's on the exam. So we're going to talk a lot about DynamoDB.
Amazon DynamoDB is the AWS branded NoSQL database. And truthfully, it's an excellent, excellent, excellent database. It's a great database. But it's proprietary, which means you can't use it on multi clouds, which, where we architects are concerned about high availability, means it's not usable. But it's on your exam. And if you're only going to deal with one customer, one client, and they don't care about system availability, they don't care what happens if a single cloud goes down, then you can use it. Now, in this case, DynamoDB is another serverless, fully managed by AWS environment. It's highly available as long as the AWS cloud is up. And your systems are placed naturally in multiple availability zones, no matter what; it's serverless. So that means you don't have to manage the servers, the security. It stores information on high performance SSD storage, but again, block storage, so it's not the fastest thing. Now DynamoDB is a good performing database; it's got low millisecond latency. And what we could use is we could use the DynamoDB Accelerator, which is basically an in-memory cache that can lower latency to just milliseconds. When we send our data to DynamoDB, it encrypts all data by default. And one good thing that's pretty amazing about DynamoDB: you can back it up, and it has almost no impact on performance. And we can set up our DynamoDB to replicate across regions, which is quite nice. But again, it's proprietary.

Now, the way DynamoDB tends to work is it tends to work with primary indices. But it can also work with secondary indices, which allows applications to use different query patterns. Now, when you're dealing with a secondary index, it's basically like you partition the database. And you can have a local or global secondary index; local secondary indexes have the same partition key as the base table. Global indexes can span across multiple, multiple, multiple database partitions. Relatively speaking, there's going to be some limitations on sizing; a single key can't exceed 10 gigabytes. But that's still pretty big. And to increase scalability, DynamoDB does not use the ACID model at all, which means I might write to the database, and three seconds later, it might be available everyplace else. By slowing that down just a little bit, it can promote some extreme scalability. So it's going to be there. It's just not immediately available. Now, if you truly needed to, you needed to make DynamoDB immediately consistent, so the second I write it, everybody else can read it, you can configure that if needed.
But remember, it's designed this way for a reason: for scalability. Now, when you're dealing with DynamoDB, you really want to provision the capacity of it ahead of time. In terms of what capacity, what are we talking about? Read/write access to the drive where it's stored. So you're gonna have to provision your read and write capacity. And if you don't, it won't be there when you need it. Now you could potentially actually use something called Auto Scaling as it pertains to your database. What do I mean by that? Auto Scaling, if you need more input/output operations per second, will scale up your storage to give you better performance. Problem is, that doesn't scale down when you're done. So if you needed it for a very short period of time, poof, it'll scale up the capacity that you need. But then it won't go back down, so you might be paying too much for long periods of time. So you need to know your workload and optimize your throughput based upon your needs as a business. Now there's now the ability to create infrequent access tables, which lowers the customer usage. But there's a 25% fee to save data and retrieve data. So it's not going to be useful if you use it a lot. Now, with DynamoDB, we're dealing with pricing based on throughput. And on-demand capacity is basically there with higher cost than if you pre-provisioned ahead of time, just like anything else.

So where would you use DynamoDB? When you need near unlimited scalability, when low latency is required, when you're storing data from a large number of IoT devices, gaming state, the player data store, the leaderboard, those kinds of things, but remember. So DynamoDB, if you run a single cloud, could be used for large scale financial applications, shopping carts, inventory tracking, customer profiles. Now remember, that's your AWS proprietary database, which means you can't use it in multiple clouds. Can't use it with your private cloud, hybrid cloud. So keep that in the back of your mind.

Now, if you needed a really good NoSQL database in a critical high availability environment, you can't use this because it's single cloud. You could use MongoDB or Apache Cassandra. And you'll select those based upon your read/write information, because Apache Cassandra is better for certain things, and MongoDB is better for others. And that's why we architects, when we architect something, we always go to the database people and ask them to help recommend something. And if you're a database person, you're gonna automatically know. And if you're a cloud engineer, you need to go ask a database person; they specialize in these things; they'll be able to tell you when to use Apache Cassandra versus MongoDB. Generally speaking, you use Apache Cassandra when you have more write activity, and MongoDB when you have more read activity. But when it comes to architecture, it's never done by a single person. Leverage your team and make sure your team knows different skills, and that way you get the best overall skills and designs.
Now, if relational databases show us the relationships between variables, and NoSQL databases give us a ton of flexibility and scalability, what about a data warehouse? Data warehouses are getting kind of cool to me. But data warehouses are where you store a tremendous amount of information. Why are we storing all this information? Basically, so we can make better business decisions in the future. So a data warehouse, which is typically Postgres, is something that could be used to store large amounts of business data that you can then process later, run a database visualization tool, run a business intelligence tool like Power BI, and get information from the data so you can make better business decisions. Now, there's obviously several types of databases. Amazon, of course, has their own proprietary data warehouse, called Redshift, which again, I don't recommend you use because you can't use it in a multi-cloud environment; I recommend you look towards things like Postgres. But you do need to know the AWS available proprietary services; it's definitely on your exam. And if you're going to only be working with AWS, these services are truly great. They're very good. It's just that most customers want to be on multiple clouds. And most innovation, the high availability systems, require multiple clouds. So we don't recommend you use anything proprietary that locks you into a single cloud.
But you know, the way you would set up a data warehousing database would be: you would take your object storage. You take your information and map it and reduce it with, like, a Python Spark script, with AWS EMR, whatever. We'll talk about that system later. And then you'll push your data into your data warehouse. And then you can pull your data out of your data warehouse and use a tool like Power BI or AWS QuickSight, and be able to analyze your data and make better business decisions based upon your data. So at all this point, why we're collecting data: to make better business decisions.

Let's talk a little bit more. What is Redshift? It's the AWS managed, AWS proprietary database, data warehouse. Get actionable insights from your data, use it for business analytics, etc., etc., and these kinds of things. And realistically, Redshift Spectrum can provide real insights into your data when combined with other services such as
AWS will tell you to use Redshift because it's fast, powerful and fully managed. Fully managed does offer you the advantage that you don't have to think about it. Fully managed also means you take away your control. Which hamburger is better, the one at McDonald's or Burger King, or the one your grandmother cooked you, or your friend who's a chef cooked you? When you've got control, and when it's cookie cutter, those are fine. It's just, it's up to you in determining what your needs are. But if you're using Redshift, it can scale to petabytes of data warehousing. And because it's Postgres, you can run SQL queries on your data; your applications can perform SQL queries on your data. Now, when we're dealing with Redshift, we're dealing with a primary architecture based around clusters and nodes. Basically speaking, you've got a primary node, which is called a leader node, and you've got a bunch of compute nodes supporting the leader node. And queries are directed towards the leader; you know, very, very, very similar to what you're actually dealing with in a traditional environment.

We're going to discuss data lakes, and then I think we'll take a break, and then we'll go back into more database stuff. So what is a data lake? Love data lakes. So a data lake is a repository that allows you to take structured data, unstructured data, and store it in the same place at any scale. If you're interested in data lakes, you know, I interviewed a really great database architect, his name was Praveen, and my team could put a link to that video in the chat box; you can go back and learn all about data lakes. But a data lake is a repository that enables you to store your data. And it's typically based in object storage; you put large amounts of data. Now, because you're creating a data lake, a data lake is going to be created by taking the information out of your data warehouses, out of your NoSQL databases, out of your relational databases and out of your object storage. Now, this data is going to be smoothed out; it's going to be normalized. And you can keep it in that format. Now, in the data lake, we can query for certain data, we can run business intelligence tools on these data, we can run machine learning on the data, and the whole point of creating data is so we can make better business decisions. So typically speaking, what would it look like? We would typically take, you know, three databases; we use proprietary models just to make those graphics a little simpler. We'd have data sources coming from lots of places. And then what we would do is we would normalize the data. Now, AWS has a proprietary service to normalize that data called Elastic MapReduce. Although what most people actually do is they write a Python Spark script, from their database team, and that's used to normalize all of your data stored in the data lake. And once it's there, you can make much better business decisions, inferences, and better predictions.

So I know, next thing, we're gonna get into storage options. Actually, let me go for two minutes longer. Before I go to the next question, let's talk about database storage options. If you're dealing with a database, where are you gonna store your stuff? But I want you to think about this: databases are sitting on servers. What kind of storage can we mount on a server in the cloud? Block storage. So we're going to be storing our data on EBS volumes. What kind of EBS volumes? Provisioned IOPS volumes, meaning the highest performance ones, if we need them, potentially a RAID array of provisioned IOPS volumes. We could use general purpose SSD and magnetic storage. If we use magnetic storage for a database, the latency is going to be sky high. So for the most part, we're not going to be using it. So if it really matters, we're going to be using provisioned IOPS. If it's less important, we can use general purpose SSD. But you know, we're gonna be running into some latency issues for the most part with the database.

Lastly, let's talk about quantum ledger databases. The Amazon Quantum Ledger Database is a fully managed and serverless central ledger database which automatically scales for applications. Because it's serverless, you don't have to manage or worry about provisioning things, which is good. Because you don't have to worry about provisioning things, you lose control over performance, which is not good.
That's architecture. It's always going to be a trade-off to get this, but there's a cost to all architectural decisions. Unlike a traditional database, when we're dealing with quantum ledger databases, it creates what's called an immutable form. So what does that mean? Immutable means it can't be changed. So by using a ledger database, like this quantum ledger database, you can take our stuff, store it to the database and leave it there, and nobody can touch it. So we can't add or update a record, update a record or delete a record, and that leaves it there for auditing purposes, so it's really nice. So now let's look at a little more of the quantum database. The Quantum Ledger Database tracks data changes by storing a small amount of changes inside of a transaction, like the journal in your checkbook. The data stored in the Quantum Ledger Database journal is immutable and cryptographically verifiable, meaning the data has not been altered, modified or tampered with; perfect for legal tracking. The Quantum Ledger Database can track all changes made to any application while simultaneously providing verifiable change history. The Amazon Quantum Ledger Database can track all changes made by an application to any application while simultaneously providing a verifiable change history. It's also ACID compliant, meaning atomic, consistent, transactions are independent, and the transactions are durable, like we talked about before. And that means the information that's there is going to stay, no matter whether you had a network failure or not. Quantum Ledger Database is ideal when you need a repository of secured, accurate and verifiable immutable business history. So, for preserving the authentic legal documentation of, say, vehicle ownership, vehicle title, vehicle registration; recording financial transactions for auditing purposes; fraud detection, forensic analysis and employee history. So let's take it from there. I covered a lot of stuff; we'll stop. Let's talk about some database optimizations.

Actually, before we do that, give me a hashtag AWS Certified Solution Architect Associate in the chat, hashtag AWS Certified Solution Architect Associate, so I'll know you're awake, alert and oriented, paying attention, because I want to know that everybody's paying attention. That way I know everybody's going to get a great learning experience. If you've not subscribed or hit the bell, or liked the video, please do so now, so we can distribute our free content to as many people as possible, to truly help all those in need get some skills so they can build the careers of their dreams in the new economy. I'm so happy to see, you know, everyone here today. It's good to see you, Eric. Alexander, so wonderful to see you.
Super happy to see you all. Okay, I'm loving this; you guys are paying attention. You're awake, alert and oriented. I know that you're there. And I'm going to keep, keep, keep going.

So now let's talk about some database optimizations. We're going to talk about some Amazon database optimizations. We're going to be talking about backups, automated backups, database snapshots, which I love, by the way, and encryption. So let's talk about how you scale a relational database. And we're also going to be talking about scaling relational databases, which means we'll be talking about read replicas, caching, scaling, high availability databases, and multi availability zone databases. And of course, multi-cloud databases is really what you want to do.

Now, let's talk about backing up your database. Let's say you put all your data in a database, right? And the database were to crash; that'd be a problem, right, if all the business's data was lost. So we'll have to back up our database; databases are mission critical applications. And here's the really cool thing. If you're using any of the AWS databases, the backups are automatically done, and it doesn't just back up the entire database. It backs up the entire virtual machine. You've got a server, which basically is your system, your applications, like your database, and all your data. And it backs up the entire server into a single image file. I love this. I love this. Because now you've got a full system backup. Now you can move that backup to another cloud, you can move that backup to another availability zone, another region. And poof, you can instantly launch this database, two or three clicks. And it's brand new, and it's got all your databases, and it's perfect. That's why we love the way it's done; this is the best of database backups. It is truly, truly amazing. Now, what will happen is your databases will be backed up automatically. You can retain the backups from one to 35 days, or we can move it into your own object storage bucket and keep it there forever. And the backup is going to happen during the defined window each day. And during the backup process, the performance of your database is going to be severely degraded or potentially even unavailable for a second or two. But that's okay, because you're gonna have a full copy of your database. And the way this works is it's going to be creating a snapshot. And a snapshot is really just a point in time copy, an exact block by block copy of the hard drive, the block storage you're going to use, which could be turned into another virtual machine. Now we can maintain these database snapshots until we delete them. And that way, we can bring a database back any time we want. Now, what's it really look like? It's very simple. We've got our database, and poof, it just automatically makes the snapshot images. And these are images that we can then use to launch a new database, running them anywhere we want.
Now, since we've got a database snapshot, what happens if we ever want to restore it? This is where the beauty comes in. You restore it by basically launching the instance, the machine image you just made. Magically, your system comes up, applications installed, database installed, and guess what? It's up and running. And the only difference is, it's going to have a new IP address. Because it's going to have a new IP address, it'll have a new DNS address. So if you have a catastrophic failure and you come back from your EBS snapshots, your database snapshot, it's going to come up, but you're gonna have a new IP address and a DNS address. So whoever's doing your applications will need to update the application to point to the new address. And it's up and running, and you're back, and your business is fully operational. So it's just going to look like this: we take our snapshot, and automatically we've got a new virtual machine, also called the new RDS instance, and everything is running beautifully.
Now, if we're going to store our data on the database, what happens if somebody breaks into the data center and steals Amazon's hard drives, for example, or gets information from your account? We don't want that, right? So we want to encrypt the data. By encrypting the data, it's meaningless to anybody that doesn't have a decryption key. So we're adding security. So let's talk about the encryption types supported by the AWS database. We can encrypt the data at rest. What does that mean? The data stored on the server is encrypted. Basically, what happens is we're encrypting the EBS volume, the block storage volume, which houses the database. This is very simple; we turn it on by enabling the AWS Key Management Service. That's it. And the Key Management Service makes it really easy to create and control your encryption keys. AWS also supports transparent data encryption. And if you're going to be using an industrial database like Oracle or Microsoft SQL, it's going to be transparent. Transparent Data Encryption is also supported with CloudHSM. I love transparent data encryption, because it's a form of encryption that encrypts and decrypts your data on demand. So when you write the data to storage, it's encrypted; when you pull it from storage, it's decrypted automatically for you. Of course, we can use CloudHSM, which is a hardware security module, a device to manage your encryption keys, etc. Of course, we can also use encryption in transit, kind of like when you use IPsec over the internet for a VPN, or IPsec over a Direct Connect connection for encryption over your private line. It's encryption in transit. Now, in most cases, when you're going to do encryption in transit to a database, you're going to be using the TLS, Transport Layer Security, protocol, which is going to use an SSL certificate. So there's a certificate created that's going to authenticate your instance, just like with an HTTPS website.
Now let's talk about scaling your databases. Since databases have become mission-critical applications, it's a platform that's going to grow dynamically, just to meet the demands of the application. Now there's two ways we can scale databases, or any device: we can scale up and we can scale out. Now, what does scaling up mean? We've had our database on a server that's got 16 cores and 256 gigs of RAM. It's not enough. We now put it on the beautiful AMD server powered by EPYC CPUs, got 192 physical cores and six terabytes of RAM, which gives us, you know, over 300, close to 400 virtual cores. It's a beautiful system. But what's going to happen? At some point that's not going to be enough capacity either. So we're going to have to add systems. Now, when we're dealing with databases, it's not like a web server, where we can basically use a load balancer to load-share across servers. We're going to have to do something else. So there's different ways that we're going to scale out relational databases and NoSQL databases. If we're dealing with NoSQL databases, it depends upon the kind of database. If we're going to be dealing with something like DynamoDB, it's just partitioned, which chops the database into partitions, and it's great. If it's Apache Cassandra, we just add more nodes, and we can write to all nodes. And Apache Cassandra is designed to run on commodity hardware. And if it's MongoDB, we could do kind of a combination of things. We've got options that we can use, based upon the databases. Now that's for NoSQL databases. Now, what about relational databases? They're a little different. With relational databases, for the most part, except for Moniteau, we can only write to the master database. But we can read from different databases. So how do we do that? We add read replicas.

So right now there's a bunch of truly amazing cloud architects that have blue wrenches that are sitting here in the chat box. I see others there too, fantastic and exceptional Cloud Architects. I see Abigail Marks, a wonderful Army veteran and a terrific cloud architect, and I see Alonzo Coleman from our team. I see Chris Johnson from my team. I see Chow Pham, she's the Cloud Architect extraordinaire. She's an incredible architect every single day of the week, and you know, there's many other people that are there. And they're answering your questions while I'm presenting, because I can't look at a chat box and talk and talk back at the same time, it's not feasible. So they're kind of like read replicas. What I mean by read replicas: they're answering questions while I'm writing, or presenting. And I'm grateful to have these wonderful, wonderful, amazing people helping me today as well as being part of my community. So when you think about what's going on, the way you scale a relational database is as follows. You add additional people. There are people out there helping people right now; my child is answering people's questions. I don't have to think about it. She's offloaded the read work for me, making life simple and elegant for me, because now I only have to focus on presenting, not all that work. So read replicas are ways we add additional compute to help with scaling.
So the way to scale a relational database is by adding read replicas. So what is a read replica? It is a read-only copy, except in MariaDB, of your database instance. Now, it's synchronized in real time, meaning real time, which means something gets written to me, the master database, and Chow and the others, and Chris, and Alonzo, and Abigail, they can answer you immediately because they can see it. So now we've got five people answering your questions. I'm not thinking about the questions. And what does that give me? More focus on presenting. I'm the relational database, and I've got read replicas, so I focus on writing. And they answer the questions, again, taking load off. So read replicas are just additional servers to take the read load off of the database. So let's look at a little picture that I had drawn a while back. Here, we've got a traditional three-tier environment. We've got our web servers, we've got our app servers, and we've got a database. And to make the database scale, we added two read replicas. So the queries, the information requests from the database, can go to the read replicas, while the main database can focus on writing. It adds scalability. So when do you add read replicas? Well, when you've got a lot of read activity. If all my chat activity were writes, or if nobody was asking questions in the chat box, would read replicas be helping a lot? No. But if there's people answering in the chat box, I can't do without those wonderful, amazing blue wrenches. So thank you so much. They're functioning as read replicas. So when there's lots of read activity, you need read replicas. If I told you the read load is four times greater than the write load, I would use four read replicas. So when the query or read traffic in the database is slowing things down, add a read replica. If your database gets two requests a month, chances are you don't need a read replica.
Now, read replicas boost performance; they don't provide disaster recovery. And I'm going to put this together for you. Now let's talk about caching. Let's cache. Now let's say we've got Chow and the others over there, Chris, and Eddie, Patrick, and Alonzo, all kinds of great people all over the world. And let's say that Alonzo got asked the same question 60 times per day. The question you've got to ask is, do I need to code as an architect? And he says, No. And then three minutes later, do I need to code as an architect? And he says, No. Then you've got to ask the same question 30 seconds later, do I need to code as an architect? And he says, No. At some point it wouldn't make sense for Alonzo to basically answer the question all the time. And he'd record it, if that's the only question he got. He'd record it on his iPhone: do I need to code as an architect? And he'd say, No. And as soon as somebody would ask the question, he would just play it, and play it, and play it. And he would say, this voice doesn't get worn out, just like me. No. That's what caching does: caching offloads frequent requests from your read replicas. Now, let's say now that Alonzo has 20 questions. Question one is, do I need to code? Question two is, should I get a cat? Question three is, should I get a dog? Question four is, do I need to know the network? Question five is, do I need to know Linux? Question six is, how important is business acumen? Question seven is, how important is leadership? Now, obviously, he couldn't record the same answer to the same question and push the button every time to answer the same question. The caching only works when the information requested is the same. The same. In fact, if you add caching and the questions are all different, it actually introduces latency and reduces the functionality of your system. Reduces it. So caching is good going back to the situation where Alonzo gets asked 1,000 times a day, do I need to code as an architect? No, no, no, no, no, no, no, no, no. That's that.
That's why we use it. And what is caching, really? It's a service where we take excess frequently accessed information and we store it in DRAM, or memory, so we can just serve it to people as needed without affecting our compute capacity. And that's what we do. So caching, or any kind of caching, whether it's content delivery networks, whether it's file gateways in cache mode, or database caching, is really sending requests for the same information to an intermediary stop before they get to the ultimate people that are going to answer. Now, just like a content delivery network, to protect against stale data, the cache won't keep your information in there forever. But remember, caching will not help if each request is unique. So you need to know your data pattern before you recommend caching in your architecture. You always need to know your business requirements, otherwise you never know what to do. When it comes to caching, there's three ways to do this.
You can build your own cache: your own virtual machine, install a Redis cache on it, like you would do in a data center. You can do this nice and simply and elegantly, and deploy the same cache across your three different clouds, all in the same virtual machine. Or you can take the AWS fully managed cache, and they've got one called ElastiCache for Redis and ElastiCache for Memcached. They made the proprietary term ElastiCache the name of their service; it is just a cache. You can create your own cache. Now, Redis is basically speaking the most feature-rich of all caches, and that's typically what enterprises use in today's world. Now, the AWS ElastiCache for Redis is compatible with Redis, so you can migrate your Redis workloads to ElastiCache, or you can make your own ElastiCache. Now, Memcached is another type of cache. But when you're dealing with Memcached, it's got a much reduced feature set. It's really designed for simplicity. So tools that are designed to be working with Memcached can be used, but fewer organizations are going to use it than Redis, and many of them will just set up their own cache. So how does caching help? One more time: it offloads frequent requests to the database server or read replicas. It lowers CPU and memory requirements. Learn to use caches to improve performance and reduce latency, to improve scalability when there's a lot of requests for the same information. What's it going to look like? It's going to look like this. You've got your web servers, basically using two availability zones, going through your app servers that are then passing your information to the database. Read information, instead of hitting the database, if it's frequently accessed, is going to come straight from the cache instead of the database, and you'll be good to go.
Now, let's talk about queuing.

And we're going to talk about queuing in the capacity of databases. And it's really great. We're going to talk about the AWS proprietary queue, which if you're going to be in a multi-cloud environment you can't use, and I'll tell you what you could use instead. But we have to discuss the AWS proprietary technology, because this is an AWS exam. So what is queuing? Queuing is just a means to schedule your delivery. We've all formed a queue. For the Americans, I'll give the example that's used in England, because a queue is just a line. So if you go to England, and you want to get on the plane, they say, please form a queue, which is a line. And then they say, anybody with health issues gets on first. Anybody that's got a first-class ticket gets on second. Anybody in the rear of the plane gets on third, and they migrate on. It's queuing your schedule. Now, why do they do it? Well, when I was a kid, and I went to my home airport in Greece, and they said, everybody get on the plane, it was like we're all rushing to get on the airplane, it was kind of scary. Everybody's trying to get in the same place at the same time. So to manage and schedule the delivery, who gets in the seats on the airplane, basically: first, second, third. Now imagine we've got a really critical, mission-critical business thing. We've got our web server. And let's say Abigail is here. So Abigail has a blue wrench. Abigail has probably the most beautiful cat in the world, Noni, even though Cindy might be jealous if I said that, but it's one of the prettiest cats I've ever seen. And let's say I'm running a business and Abigail wants to buy cat toys for her beautiful cat Noni. And she hits the website, which is open. And then she hits my application server and logs in. And then she buys 10 fuzzy cat balls, three fuzzy cat mice. And that message has to be sent to the database. Now, if the database is busy when Abigail is trying to buy cat toys for the beautiful cat, I don't get the order, which means as a business I lose money. And Abigail's cat, Noni, is sad because she didn't get her fluffy cat toys. So we can avoid that: the queue is used as an intermediary stop. So first, she hits the website, beautiful cat toys dot com. And then she goes to the application server, where she logs in. Then she orders the beautiful cat toys, and the message stops in a queue. And as soon as the database has capacity, it gets taken out of the queue and placed into the database. And that way the business doesn't lose any orders. So that's why organizations use queuing.
So queuing is just a means to schedule your data delivery. It's used in lots of applications as well. We do it to decouple the traffic environment from our systems. Here's a picture that we drew: sender sending a message into the queue. I've been talking about a queue; the message deposits in the queue, and when the receiver is ready, they pull it from the queue. And then the message is removed from the queue. So simple, elegant environment. Queuing is used in everything from networking, to applications, to databases, to jumping on an airplane. Now, when you use Amazon, you've got two queues. They've got the Amazon Simple Queuing System, which is their proprietary queue. It's a prebuilt queue, which means you shouldn't be using it if you're dealing with multi-cloud. If you're dealing with multi-cloud, you've got Apache Kafka; you can set up the same queues across all your clouds. But this is the AWS proprietary one, which is going to be what's on your AWS exam. Now, with a standard queue, they use what's called FIFO: as soon as the messages have come into the queue, they can be drained out of the queue. Fastest in, first... I'm sorry. So the first kind of queue is a simple queue: fastest in, fastest out. And why do we use a standard queue? It's most scalable, and it's the fastest. What's the problem? There's no guarantee of message delivery. Now, does it really matter? If I'm getting 100,000 orders for cat toys, if Abigail's cat comes in before Chris's cat, who comes in before Michelle's cat, who comes in before Mike's cat? As long as all the cats get the cat toys? No, it doesn't matter. But if I had an application that was dependent upon the messages being correct, we could, with SQS, create what's called the FIFO queue, or first-in, first-out queue, where message one comes in, that message goes out, the next message comes in and goes out. But when you do that, we're paying the cost in performance. Because what if message two is 10 times greater than the size of messages three, four, and five? It slows everything down. Now, how does this queuing help? Well, let's walk through an example. Let's look at the CPU performance of systems. So let's go back to our three-tier architecture here. We've got our web servers, app servers, our queue going into a database. And here we go, we're going to be coming into the database with nothing other than cat toys. So if we don't have a queuing system, our traffic orders aren't going to be normal. Maybe we get more orders at breakfast, during lunch, and those kinds of things. So what have we chosen to do? You'll see your CPUs are going to spike up and down, and up and down, up and down. And we're going to be reaching times where our CPU performance is 100%, and our disk performance will be 100%, and we'll lose messages. And we're going to have other times where systems are going to be sitting idle, and everything's good. That's not a good situation. By adding the queue, which you can see, we can smooth out the CPU and disk performance; it may be 40%, as opposed to going from basically 20% to 100%. And as you can see, messages come in from the web server to the app server, they get dropped in this queue, and they get placed in the database when needed. So when do we use it? To increase scalability when there's lots of write requests, and to decouple our application architectures, so that if one thing goes wrong, we don't lose messages. Extra assurance that you don't lose messages.

Now we're going to talk about a couple of AWS tools. Now, somebody asked me about, hey, how do you take your information from one database, could you back up to another database? And I said, you wouldn't want to. But what if you are migrating your data out of one database to put it into another database, or you're pulling data out of your database to do something else? Typically, you need some form of tool that's designed to do it: you can extract your data, meaning pulling it out, transform your data to be in whatever format it needs to be in for another database, and then load it into another database.
Now, every database has its strengths and weaknesses. One database might be able to be more scalable; one gives you better information between variables to make a different kind of business decision. And we're going to need to be pulling information from one database to another. Now, the less of this we do, the better. Because anytime we translate something to something else, we lose something. Now, in Greece, if someone says, I'm going to change your life, it means they're going to beat the living daylights out of you, and it's not a good thing. But if I told Chris, I'm gonna change your life, you'd say, Oh, you're gonna come to my house and change light bulbs. I mean, so yeah, I'm gonna come bring you fancy LED light bulbs. Never have anything negative to say about Chris, my chief operating officer. He's amazing. But what we're talking about is, you know, that's the problem with these ETL tools. When we pull something and go somewhere else, things don't always translate. Now, Amazon has their own fully branded ETL tool. Of course, there's other very good commercial tools in the industry that are designed by database companies and specialist ETL companies; what to use, that's up to you. But Amazon has an ETL tool called Glue, and it's their branded ETL tool. And it's used to pull information from one database and put it into another one. Amazon has a fully managed serverless ETL tool, they call it Glue. And basically speaking, you point Glue to where your data is stored. It discovers your data and creates a metadata catalog. And after the data is cataloged, it's queryable and searchable. And from there, whether you want to copy your data or load it into a database or data warehouse, that's kind of your thing.

Pretty simple here. You can see we're using three databases, and we're trying to use something to take the information from one source of information and put it into another source of information. That's what we're doing.
Now let's next talk about the Schema Conversion Tool. The Schema Conversion Tool is something that will help you migrate databases. So the AWS Schema Conversion Tool, SCT, is an AWS managed service that simplifies the moving of one database into another. So if you've got your Oracle database in the data center, and you want to move it to Amazon Aurora, you're going to need to get your data out of Oracle and into Aurora. And that's what the Schema Conversion Tool is designed to do. When you migrate a database to AWS, the schema of your source database is going to be analyzed. Typically, they are OLTP slash OLAP, and they need to get converted into a format that's used by the target database. And the Schema Conversion Tool gives you a graphical interface to do these automatic schema conversions. Trust me, these schema conversions are never going to be perfect; you're going to do the conversion, and then you're going to have to fine-tune your data before you stick it into the next database. We can use the Schema Conversion Tool for migrating data between different databases and converting them. It's a helpful way to migrate your data from one database to another. And because it's an ETL tool, it extracts, transforms and loads.

Let's talk a little bit about high availability network design. Sorry, database design. Now, how do you design a database for high availability? Well, truthfully, you put it in three clouds. But minimum, minimum, minimum, you put your database in multiple data centers, otherwise known as multiple availability zones. Remember, AWS defines their network and their systems in regions and availability zones. Regions are a large geographic area, like a continent or part of a continent. And availability zones are data centers inside of those continents. And high availability database design, at minimum, uses multiple availability zones, so it copies from database one to database two. Now, by doing this, you're not increasing your performance. You're creating an active database in one place, and a failover database someplace else. So if data center one goes down, data center two comes up. If the primary database fails on the system, the primary server fails, the backup comes up. It's pretty cool. You write to the main database, and it synchronously copies it to the backup.
So what's it look like? Looks like this. We've got our web servers, our app servers, and our databases. And you can see we've got our main database in availability zone one, which is data center one, and we've got our backup database in availability zone two.
So what will cause your multi-availability-zone database to fail over? Well, your database dies or fails, which is kind of beautiful. One of the data centers has a power outage or network outage, or any kind of outage: switch over to the next data center. You change the database instance type: poof, it's gonna switch you over to the backup, which is beautiful. You put the database under maintenance, like upgrading the operating system or patching: it's going to send you to the backup. If you manually reboot the system, like with a reboot with failover: poof, you're going to go to the backup system.

Now, the next topic that we're going to be covering is networking. I'm going to basically talk a little bit about IP addressing, a little bit about the OSI, or Open Systems Interconnect, model. I'm going to touch on subnets without getting deep into them, briefly talk about route summarization, and then we're going to stop there. I'm going to tell you right now, we know that this is going to be glancing over these things. I'm also going to tell you that the AWS Advanced Networking is too junior for what you guys need to know. So next month, we're going to do an AWS Advanced Networking course plus the stuff you need to know. We're going to have a lot of subnetting and supernetting and BGP and routing things. So let's briefly talk about the OSI model. So what is the OSI model? Well, for network architects like me, network engineers like I used to be, and anybody that's designing systems, we need to have a common language, or lexicon. You want to get kicked out of a Chief Information Officer's office and fired in about three minutes? Tell him about your EC2 instances and S3 buckets. He's gonna laugh at you, or she's gonna laugh at you, because they're gonna say, I don't know what that marketing variable is. Now, by comparison, if you'd walk in that Chief Information Officer's office, and you talk to them about their 10,000 virtual machines and their six petabytes of object storage, now you're speaking the same language. When we speak different languages, we have problems. So when it comes to system design, or system troubleshooting, we must speak the same language. While we're at it, since we're going long, everybody please give me a hashtag AWS Certified Solution Architect. So now we must speak the same language, a common language, a common lexicon. So Alex is here. Alex is great. If I say to Alex, pos eisai simera, he's gonna answer me in Greek, because we're speaking the same language.
But if we had to translate that into another language, things get lost in translation. So when we communicate about the network, we have to communicate it in terms. So we've come up with a seven-layer model that describes networking. Now, I'm going to tell you right now, networking professionals like me work at layers one through four; we don't go above that at all. But we also have to know about all of it. So let's talk about the seven layers. At layer one, that's the physical layer. Now, what are we talking about? If the physical layer is a wire, what are we transmitting over this physical layer? Electrons, right. Now, if we're going to be dealing with a fiber optic cable, what are we going to be transmitting? Laser light, which is what? Photons. Okay, so the physical layer is the physical connection between our devices. Now, this physical connection can be a wireless thing too, but now we're getting into some weird stuff. So let's just talk about wire. The physical layer is wire, or you're transmitting photons or electrons to send bits, bits and pieces of data. Now, if you have ever had a computer, you notice that you plug it in to the Ethernet card, right? And the Ethernet card is layer two of this; that's the actual physical device. You're plugged into the layer one wire, called the physical layer. Layer two, we've got a MAC address on your Ethernet card. It's called the data link layer. What do you send at the data link layer? Frames. That's where the first cloud that I worked on in 1996 was called frame relay, because we send frames. Layer one, wire; layer two, Ethernet card, MAC address. Now, layer three is where the fun begins. For network engineers and architects like me, this is where we put a logical address; the IP address manually gets assigned to your system. It's not hard-coded into it like the MAC address, which is your Ethernet card, that's your data link. So layer one, wire; layer two, card; layer three, IP address. Now, when we send our data, we have to determine the optimum way to send it. If we need reliability, we use TCP, or Transmission Control Protocol. And we'll cover this much more in depth in the AWS Advanced Networking Plus What You Need to Know course. Now, what if we wanted to send real-time data? We would use the uniform datagram protocol, or UDP traffic. So that's how we send the data, called transport. So layer one, wire; layer two, card; layer three, IP address; layer four, the method that we send it. So layer one, bits; layer two, packets; layer three, I'm sorry, layer one, bits; layer two, packets; layer three, frames; layer four, we're sending segments.
Now there's this weird layer five, the session protocol. Basically, this controls the connection on both sides. What's being sent here is data; think of an example like a socket. Then we're gonna get to layer six, which is presenting our data, the presentation layer, which presents all this lower-layer stuff to the application. Layer six, the presentation layer, also does encryption. And layer seven, what we're talking about at the application layer, which is the application: so you go to a web browser, that's a layer seven application. Layer one, wire; layer two, card; layer three, IP address; layer four, transport protocol, TCP, UDP, ICMP; layer five, session, controls the connection; layer six, presentation, deals with encryption. And layer seven is application.
Now when we're dealing with the system, we
11465.939 -> need to address the system. So if I want you
to send mail, to super chat over here, I need
11466.939 -> to know Charles IP address and tell his mailing
address, because if I didn't, I took a letter.
11467.939 -> And I wrote child T fam, Cloud Architect extraordinaire,
and I didn't have her I've heard her heard
11468.939 -> city state street address. You know, the mailman
or mail woman might not know how to get the
11469.939 -> child Cloud Architect extraordinaire, though,
she probably wouldn't. So because of that
11470.939 -> we need an address. But if I want to send
data to if a dog gets computers, another fantastically
11471.939 -> Technical Professional over there in Europe,
I need to know her mailing address or her
11472.939 -> IP address. So when we're dealing with data
on a network, we must know the destination
11473.939 -> address we're sending it to. And that's why
many of us, for example, can do the following.
11474.939 -> They can do one of these three things. For
example, they have the ability, you can have
11475.939 -> an address 123 Main Street, right. But somebody
else has a different zip code, or postal code
11476.939 -> for those of you that are not in the US. So
every device needs to have an IP address,
11477.939 -> and it needs to be unique. There's going to
be two versions of IP addressing 99% of what
11478.939 -> we're dealing with is ipv4. ipv4 has been
around forever, it's still 90% of what we're
11479.939 -> dealing with. But there's also ipv6, which
we're gradually slowly adopting. When you're
11480.939 -> dealing with ipv4, we have public addresses
and private addresses. So here's the problem.
When IPv4 was invented many, many years ago, nobody knew what the internet was going to look like. Nobody thought of Internet of Things, whether just other sensors, IP enabled refrigerators, IP enabled smartphones, six houses having IP TVs in their house, printers. So the problem is, if we do two to the 32nd power, there's not that many IP addresses. There's a couple billion, but now we're dealing with an environment where many people have five to 10 different IP addresses per person, little businesses. We ran out of IP addresses a long time ago. So the Internet Engineering Task Force, and if you want to learn networking stuff, you got to go to the Internet Engineering Task Force, ietf.org, created a specification, otherwise known as a Request for Comments, called RFC 1918. And they established three places that all organizations internally use their IP addresses. They're called private addresses, RFC 1918 addresses. Those addresses are as follows: the 10.0.0.0/8, the 172.16.0.0 all the way to the 172.16, I'm sorry, the 172.31.0.0/16. So what that really comes down to is 172.16.0.0/12. And the 192.168.0.0 supernet. And those are private addresses. They're only allowed on internal systems.
Now you're gonna hear the term CIDR range. Now, a long time ago, back when the dinosaurs roamed the earth, and, you know, I first started working in networking, which was lots of fun. You know, we had this thing called classful IP addresses, we don't have them anymore. And that basically meant there were things that would apply to classful boundaries. I'll see what these boundaries are, they don't exist anymore. And what they used to be is, Class A addresses all had a /8. Class B addresses all had a /16. Class C addresses will fit in this space, and were /24. Class D, these were used for multicast, we still do use the multicast addresses. But here's the point, any Class A address would actually use up, burn, 16 million IP addresses, almost 17 million. And now remember this, every device on your server, if you've got three network cards, needs to be on a different subnet. So if you use three Class A addresses inside of your server, you would ultimately burn over 49 million addresses on a single server, which is obviously a problem. So what happened was IP classes all went away about 20 years ago. You used to have to put "ip classless" on the Cisco router until it became the default. And classless meant we no longer have A, B or C standard subnet boundaries, and we can subnet or supernet as needed. I'm going to cover that extensively in the AWS advanced networking plus what you need to know. So what happens is modern routers enable us to subnet or supernet or change the subnet masks on our network boundaries. And it's called classless inter-domain routing. All that means is we're not bogged down from the cost of Class B, Class C type things that you actually, so consider AWS, let's use classless inter-domain routing, like everything else. Now normally speaking, you're gonna be given a CIDR block that you use for your IP address. And you're gonna have to subnet that down. So I can't in this discussion go over subnetting.
But I can actually give you some examples of it. In order to use our address space, we've got to chop it down. So what does this really, really mean, subnetting? Well, let's say right now, let's say you had a whole pizza, right? And you were just one person, but chances are, you're not going to eat this extra large 18 inch pizza by yourself. If you do, you're probably going to have some health issues long term eating that way. You might divide that pizza into three pieces with your buddies or four pieces with your buddies. The subnetting is basically taking a large IP block and chopping it down to the smallest thing. Maybe you've got some skinny friends that eat a quarter of a piece of pizza. And you could chop it into 16 pieces, and each one of your skinny friends eats 1/16 of the pizza. Maybe you got a couple of big friends, need to split it into two, half of the pizza. Maybe got some hungry friends, and you need three pizzas for two people, I don't care. Subnetting is really about taking your IP address blocks, chopping them down and making them exactly what you need.

So for example, this was a Class C network, 192.168.1.0/24. It's a Class C, that means 254 addresses on this single subnet. But it might make sense, if we don't need all those, to chop it down to smaller segments. So for example, I created one subnet 192.168.1.0 and created another subnet 192.168.1.16. I created a third subnet 192.168.1.32. I can create another subnet 192.168.1.48. And what you're seeing is picking this one classful address, chopping it down to multiple ones, and got it. Now that's called subnetting. Here's another example. I can show you this exact subnet that I just did. I can take this one subnet and chop it into multiple little things. Now when you subnet an address, you always have to remember that you normally lose two addresses. So normally you lose the first address and the last address. So let's take this first subnet. The 192.168.1.0 is actually used by the router as the network. That's what's going to be in the routing table. The end of that subnet is what's called a subnet directed broadcast or an IP directed broadcast. In which case, I would set it to 192.168.1.15, which is all host bits set, because I couldn't use those two. And then we'd have 14 usable addresses. Now when you're on the AWS cloud, basically they reserve five addresses out of them automatically, the network one and the broadcast one plus three others. So you always lose five IP addresses per subnet with AWS.
I'm just going to end on this route summarization concept. So if you're connecting to AWS, you've got to give them routing information connecting back to you. If AWS doesn't know how to reach your data center, and you don't know how to reach something that's in AWS, nobody's talking to anybody. It seems no matter how much stuff you have in the cloud, you got nothing. Something my grandmother would call bupkis, nothing, zero, no matter. All the beautiful cloud, no network, you got nothing. So supernetting is basically how you take the routes in your routing table, and you aggregate those routes. And therefore you can send a little bit of information to the cloud provider versus all of your routes to your cloud provider. And what does that really look like? Well, look at it this way. If you've got four subnets, these are four Class C subnets that you have, and you want to only send one route to AWS, you can route summarize, or aggregate these routes, pop it into BGP and tell AWS, hey, to reach my data center, all you need to reach is 192.168.0.0/22. That gets you to the data center.

What does that really look like? Have any of you flown overseas, flown to a new city, you don't know where you're going in the new city? So let's say I want to go to Denmark. I think he would like is in Denmark and I want to go visit her. I get to the Denmark airport. And then I get into a taxi. And I give the taxi her IP address, or the street address. And the taxi knows how to get there. I don't know how to get there. I just need to know how to get to the airport. From the airport, I need to get to a taxi, and the taxi driver needs the intelligence. Why is this so critical? Well, too many routes in the routing table, you have routing problems. But also AWS only takes 100 routes. A normal enterprise might have 30 or 40,000 routes in the routing table. So if we don't summarize, we can't really deal with AWS, because they have very limited networking. Not because they're bad at all. Because you know, when I connect to the internet on a normal router, and run BGP, I'm taking 800,000 routes. But when I connect to the cloud provider, imagine them taking 3000 routes, 10,000 routes from 50 to 5000 different companies. The routers wouldn't handle it, so they make you route summarize and only send 100 routes. So for an architect, subnetting, supernetting, route aggregation is a really critical skill.
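A worked example of the subnetting and route summarization the lecture just walked through, added here and not taken from the course or from AWS: it chops 192.168.1.0/24 into /28s, counts usable hosts on a classic network versus an AWS subnet (five reserved), aggregates the four Class C subnets into 192.168.0.0/22, and checks the aggregated set against the 100-route figure the lecture quotes. It also goes one step further than the lecture and shows, for subnets that do not align, how many addresses a single summary route would advertise that you do not actually own. It uses only Python's standard ipaddress module.

```python
import ipaddress
from typing import Iterable

# AWS reserves the first four and the last address of every VPC subnet
# (network, VPC router, DNS, future use, broadcast), as the lecture states.
AWS_RESERVED_PER_SUBNET = 5
# Route limit quoted in the lecture for routes advertised into AWS.
AWS_ROUTE_LIMIT = 100


def subnet_block(cidr: str, new_prefix: int) -> list[str]:
    """Chop one block into equal pieces, e.g. 192.168.1.0/24 into /28s."""
    net = ipaddress.ip_network(cidr, strict=True)
    if new_prefix < net.prefixlen:
        raise ValueError("new prefix must be longer than the block's prefix")
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def usable_hosts(cidr: str, on_aws: bool = False) -> int:
    """Usable host addresses: total minus network and broadcast on a classic
    network, minus five on an AWS subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    reserved = AWS_RESERVED_PER_SUBNET if on_aws else 2
    return max(net.num_addresses - reserved, 0)


def summarize_routes(cidrs: Iterable[str]) -> list[str]:
    """Exact route aggregation: merge adjacent, aligned blocks into the fewest
    prefixes that cover exactly the same addresses (no over-advertising)."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def covering_supernet(cidrs: Iterable[str]) -> tuple[str, int]:
    """Single summary route that covers every block, plus the number of
    addresses it advertises that you do not own. A non-zero count means the
    cloud side would route traffic for addresses you never use to your
    data center, so the summary should be checked before it goes into BGP."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    candidate = nets[0]
    # Widen the mask one bit at a time until every block falls inside it.
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    owned = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return str(candidate), candidate.num_addresses - owned


def fits_aws_route_limit(cidrs: Iterable[str]) -> bool:
    """True if the aggregated route set stays within the quoted 100-route limit."""
    return len(summarize_routes(cidrs)) <= AWS_ROUTE_LIMIT


if __name__ == "__main__":
    # Constructed sample input: the lecture's /24 and its four Class C subnets.
    print(subnet_block("192.168.1.0/24", 28)[:4])
    print(usable_hosts("192.168.1.0/28"), usable_hosts("192.168.1.0/28", on_aws=True))
    four_cs = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
    print(summarize_routes(four_cs), covering_supernet(four_cs))
    misaligned = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24"]
    print(summarize_routes(misaligned), covering_supernet(misaligned))
```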
Last thing I'll end with today is just IPv6 addresses. IPv6 addresses are just a newer form of IP addressing. Normally speaking with IP addresses, we have two to the 32nd power of addresses. When we're dealing with IPv6, we've got a 128 bit hexadecimal address. So normally binary is zero and one, hexadecimal is 0123456789, Alpha Bravo Charlie Delta Echo Foxtrot. So that's how we get to 16. So it's 16 to the 128th power, infinitely more address space, much more scalable, typically used by mobile phones. Every interface in AWS is automatically assigned an IPv6 global address. Most people remove this global address, because you don't want an address sitting there not being used, and just use IPv4.
We're going to talk about my absolute, absolute favorite part of the cloud. You know what it is. It's the VPC or the virtual private cloud. Why? This is where we get to do as much networking as possible. And you guys know me, I'm a network person. Back when the CCIE was a complicated exam, it was challenging when it used to be two days. I remember taking mine, my CCIE number 7417. And I love, love, love, love networking. Today we're going to talk about the VPC. Now, under the VPC, we're going to talk about a lot of things. But we're going to talk a little bit about routing. And we're going to talk much more about routing when we actually go through the AWS advanced networking plus what you need to know. So we'll talk about that. That is a little now, but a lot when we do that. We'll discuss internet gateways today. We'll discuss egress only internet gateways. We'll discuss NAT instances, but also NAT gateways. We'll discuss elastic IP addresses, VPC endpoints, VPC peering, access control lists, security groups, and we'll have some more fun as well.
But I want to begin with, let's begin with the routing tables. What is a routing table? Well, it's really a map of how your traffic gets to its destination. And routers build maps. The way routers typically build maps, they run a routing protocol inside the network. It's called an Interior Gateway Protocol. Typically speaking, in today's world, it's using something called OSPF or Intermediate System to Intermediate System. Routers identify with each other, and they tell each other the state of their routes. When we connect to external entities, we use BGP, and I'm going to show you graphically what that looks like. And it builds a table that says how do we get from point A to point B? What's this table look like? It looks like this. To reach Joey, go out my right arm. To reach Nick, go out my left arm. To reach Sally, go north. To reach Blake, go out my leg. So it's basically building a table.

Now I built the routing table for you in an Excel just so you can get a feel for it. And it's going to look like this. The routing table is going to tell you the destination subnet and where to send it. Now when it comes to routing, we're talking about the most specific route. And if you notice, I have two routes which are very similar. I've got the 192.168.0.0/16. And I also have the 192.168.1.0/24. For those of you that know subnetting and supernetting and route summarization, you're aware that 192.168.1.0/24 falls within the 192.168.0.0/16. But which one's more specific? The one with the longer subnet mask, the 192.168.1.0. So if we want to reach the 192.168.1.0, we're going to end up using the interface pcx-654321. But if we want to reach any other subnet inside of that range, we're going to use the interface pcx-123456. And of course, we have a default route. What does the default route mean? If you don't know where to go, take the default route. And here you can see we've got a default route pointing to an Internet Gateway. And there you go. So that's realistically what we're talking about.

Now the VPC has a routing table. But let's talk about what they really look like in real life. Let's assume on the left side of this, this 64513, this is your entity, your data center. And let's assume for right now, on the right side of this, we've got the AWS cloud, the Azure cloud, the Google Cloud or other data center, another company, it doesn't matter, it's all the same way. Now inside of your data center, or the AWS cloud, they're going to have to calculate the routes in between their stuff. And that's using an IGP or an Interior Gateway Protocol. We'll discuss that much more when we cover the AWS advanced networking. But for right now, understand, inside of an organization, routers have routing protocols that determine the best path for the traffic.
Kinda like your GPS does. When you go to somebody's house, make a left, go two miles, make a left, go three kilometers, make a right. Kind of keep that in the back of your mind. Now you'll note that we have, where it says eBGP peering between the two organizations. Now BGP is a path vector routing protocol that's used to connect to external entities. When you connect to your cloud providers, they are not your organization. They are an external company. And you're going to use BGP. Now we're going to be using BGP to exchange certain information. I'll talk about what that is. But understand, internally, all organizations have an Interior Gateway Protocol. And in between them, they use an exterior gateway protocol, because BGP, and when you connect to AWS, you are going to be using BGP to exchange routing information, especially if you're using a direct connection, where it's required. And if you're using a VPN, you could use BGP or create a static route, but you're gonna want to use BGP, because otherwise you're gonna be manually updating routes and that is a nightmare. I can't get into a full BGP discussion here. But I can tell you this right now, when we do the AWS advanced networking that is coming very soon, I will spend hours on BGP, hours on subnetting and supernetting, we'll spend time on interior gateway protocols, we'll spend substantial time on switching. And then we'll cover the silly easy AWS advanced networking, which is honestly an intro to junior level networking. We're going to add our critical networking up front so you guys understand it, because it's critical, critical knowledge.

So let's talk a little bit about dynamic routing with BGP. BGP is the de facto standard, your exterior gateway protocol. And because AWS, Azure or Google, you connect with them externally, you'll be using BGP to connect to them. Now, the reason we use BGP as opposed to an Interior Gateway Protocol is, as a solid, the tunability of it is incredible. The scalability as an increment is incredible. When I connect to three different internet service providers with BGP, I'm taking in about 800,000 routes per internet service provider. I mean, it's incredibly, incredibly, incredibly there. So it's scalable. Whereas interior gateway protocols like OSPF kind of die once you hit 30,000 subnets or so. And then there's lots of tuning and manipulation. Plus, we can't filter routes between us, and BGP gives us the ability to filter routes. And why does this matter? If you don't have a path to it, you can't reach it. So let's say I've got a buddy over there in England, I got lots of friends in England. And here I am in South Florida. Now, if there's no airplane, and there's no bridge, I couldn't visit my friend. There's no route. So with BGP, you can provide the paths that you want people to access. And you can provide no route to the paths that you don't want to access. Now, how would I get from Florida to England? Well, I could try and swim. But that's not going to happen. I'm going to run out of fuel and get beaten by sharks. I need a path, I need a route. And BGP provides the path, it provides the routes, the knowledge, intelligence and how to get your data from point A to point B. Now, when an organization wants more than one connection to the internet, like two of them, they can either have one default route and a backup default route, in which case they use one and the other one sits there sleeping. Or they can use BGP and they can load share. So BGP enables you to load share, traffic engineer and tune your data. It's magical, magical. I spent over 10,000 hours learning BGP and working on BGP, and trust me, people like me that are network architects can do really cool stuff with this. And if you want to be a great cloud architect, you must be able to understand BGP, otherwise your systems will fall apart. So we'll cover that in more depth with the AWS advanced networking. It's not covered in the AWS advanced networking, but we'll cover it anyway. We do that completely free.

Now, when you use BGP, you kind of have to identify yourself. So you know, basically saying, hey, yo, Mikey, yo, Joey, let's be friends. And that's really what has to happen. You actually have to connect to each other, identify yourself and set up your policy. So like I said, when you use a direct connection to AWS, you must use BGP. Now BGP has got a lot of tuning things. When we cover the AWS advanced networking, we're gonna get deep, we'll prepend ASs and leak specific prefixes and change the weights, play with the local preference. It's going to be party time, party time, party time. That's about the only time, when we talk about networking, I get to put my propeller hat on and get real geeky anymore, and I love it. Because I started out as a techie, it's just that I can't be a techie as an architect. I gotta be a business executive. But I'm gonna talk about BGP with my techie hat on and it's fun, fun, fun.
So well, one thing we'll talk about is AWS supports the BGP community no-export. I'll show you what that means in a second. The AWS BGP implementation supports the proprietary weight, which is great, because lots of other routers do, local preference, AS path, specificity, routing information. So it's a pretty standard BGP implementation. But, but, but AWS only allows you to inject a very small number of routes, like 100. Zero, it's basically nothing. So when you're going to be connecting to AWS, you better have somebody that understands IP addressing, subnetting and supernetting, so you can summarize and route aggregate.

Now, let's briefly talk about what no-export means. So normally speaking with BGP, let's say you've got three of us that want to talk to each other. Look at my data center, my superstar architect, Cloud Architect, child, Alonso, also from my team, my chief content officer on our team, and we will exchange information between us. In a normal environment, if I connect to child and child connects to Alonso, I know how to reach Alonso through child, Alonso knows how to reach me through child. So what happens is Alonso's traffic wants to reach me. And here's what will happen. It'll go through child to me, and then I'll respond, and here's what ultimately is going to happen. I'm going to respond back, my traffic will traverse child and go through to Alonso. And we're all happy, right? Because we've got routing. But here's the problem. What if child doesn't want to be the entire destination for the entire Internet to connect to me through Alonso? What would happen, to make it simple, is we tell child our routes. And child doesn't tell anybody else our routes. So if, by comparison, I tell child my routes, and Alonzo tells child all his routes, and child tells me her routes, which are not putting the arrow, and I tell child my routes, I can reach child. Now if Alonzo tells child all his routes and then child tells Alonzo hers, they can talk to each other. But if child doesn't send Alonzo's routes to me, I can't reach Alonzo. And that's typically done via a BGP community called no-export. There's many other ways to do this. But AWS does support that no-export community, so kind of keep that in the back of your mind. Alright, so we had a little introductory BGP. We're gonna do it a lot better in a lot more depth when I actually have, you know, four plus hours to do it, when we do the AWS advanced networking. Like I said, it's not covered in AWS advanced networking, but we're gonna cover it because you need to know it.

So how do you get to the internet? Well, you need a router that connects to the internet. Now, what's the alternative name for a router? It's called the gateway. So this is one of the few places where AWS didn't have their marketing people spend millions of dollars to create a fancy name that doesn't mean anything to anybody. Internet Gateway, what do you think it is? It's a router that takes you to the internet. I love this name, because it's reality. And an Internet Gateway is going to be virtual, because it's cloud, it's own virtual router. And because it's a virtual router, not a physical router, it can't go down. So this is going to be a highly available internet router. Now AWS, for certification points, will tell you there's no bandwidth constraints or performance limitations. Like there's always a bandwidth constraint or performance limitation. And you'll have to figure that out as it takes to testing your applications. But at the end of the day, the Internet Gateway is nothing more than a router that connects you to the internet. So the way you create an Internet Gateway, it's a very simple thing to do, is you attach an internet gateway to your VPC. You create a default route, which looks like 0.0.0.0/0, pointing to the Internet Gateway. You put a public IP address on the Internet Gateway. Why does it need a public address? It's going to reach stuff on the public Internet, it needs a public address. And there you go, you're good. Now here's the thing to remember. You've used an Internet Gateway. Now your stuff will be accessible from the internet. Now, if your stuff is available from the internet, accessible from the internet, and you don't do something about it, you'll be hacked in about 15 minutes. So when you're connected to the internet, you're going to need to do some serious security things. Otherwise you're gonna get owned.

So let's look a little bit about what this looks like. At least in concept and principle. Okay. Here you can see, we've got our stuff in our VPC, where we have the term instances. You can think about them as maybe a web server, an FTP server, whatever we want reachable by the Internet. The instances all need to have a public IP because they're not behind a load balancer here. And the Internet Gateway needs to have a public IP. And there you go. Our systems are going to be reachable through the internet. And people can attach to our web servers, FTP servers, or any other kind of server we put there. Everybody's happy. Let's say we've got a cat. My cat Cindy made a website, www dot Cindy the cat dot com. She puts it on some of these servers. And we've got photos of my cat Cindy dancing, my cat Cindy sleeping, my cat Cindy climbing the walls, sitting on the roof, running away from her scary friend, the Maine Coon, which is a beautiful cat that she doesn't like. So she hides on the roof and the cat comes, and it's all on our website. So kind of keep that in the back of your mind. Now your systems are available from the internet.
11745.939 -> Now let's talk about something different and
egress only Internet Gateway. So let's talk
11746.939 -> about this ingress is traffic coming in? egress
is traffic going out. When this was first
11747.939 -> explained to me, it never made sense. So I
like to think of it as a parking lot. When
11748.939 -> you enter a parking lot to go to your favorite
pizza place. That's Ingress. And after you
11749.939 -> had your pizza, and you're full, you leave
that parking lot that egress. So let's talk
11750.939 -> about egress only internet gateways, they
allow your ipv6 traffic, not ipv4, which is
11751.939 -> 99% of your traffic, to go out to the internet,
and have stuff come back to them but not be
11752.939 -> reachable from the internet. So why on earth
would you ever want egress only internet traffic?
11753.939 -> Because it sounds crazy, right? Well, it's
not. So let's say you want all your systems
11754.939 -> secure behind the firewall, so nobody can
come into them. But you want your systems
11755.939 -> that are behind the firewall, and your users
to be able to go out to the internet to go
11756.939 -> by the by training from www.go, Cloud careers.com.
And then you want them to go to www dot cine
11757.939 -> the cat.com to look at some cat photos. And
then you want your person to be able to Google
11758.939 -> and Google something. And then you want your
system to be able to update their operating
11759.939 -> system from Red Hat, Ubuntu, Microsoft or
whatever. That's where you need egress only
11760.939 -> internet access, where you want your systems
to go out to the internet, be able to do something,
11761.939 -> allow the return traffic back in, but not
allow other traffic to come in. So that's
11762.939 -> what we're talking about when we talk about
an egress only Internet Gateway. It's for
11763.939 -> ipv6, it enables the traffic to go out to
the internet and come back. But your systems
11764.939 -> are not reachable. To how's it work? Well,
it's stateful. Just like a firewall, traffic
11765.939 -> goes out, comes back. Internal other traffic
externally tries to come in block block block.
11766.939 -> But here I am. And I want to go look at my
Facebook account where I've got cat Cindy
11767.939 -> photos, I don't have any cat photos on Facebook.
But let's say I want to go to my Facebook
11768.939 -> account, I would go through the egress only
Internet Gateway. And when the traffic comes
11769.939 -> back from Facebook, it would hit that fire
it would hit that egress only on our gateway,
11770.939 -> which acts like a firewall here and says yep,
Mike requested it send the traffic back to
11771.939 -> Mike. So no inbound electricity, traffic out
traffic back us for ipv6 systems to go out
11772.939 -> to the internet and come back. Now, we're
going to talk about a NAT instance, which was kind of an AWS managed service, which has been sort of... we don't recommend you do this anymore. But there are still times where you're going to need to create these on your own, so let's at least talk about what it is. A NAT instance is basically a system, like a virtual machine, that's got two Ethernet cards in there. It translates a private address into a public address. Now, this was available from AWS as an AMI, so basically a system image, and it runs on an EC2 instance. In this particular case, NAT is only going to the internet. You have to put part of it in a public subnet and part of it in a private subnet. And what happens is, and I'll show you later, the NAT instance will then translate your private addresses to a public address so they can go out your internet gateway. So no inbound internet access.

And the way this would work is as follows. Let me draw you a picture. You would keep your systems in a private subnet. You would create this NAT instance, which is just a virtual machine with two or four network cards. This NAT instance would do something called NAT overload, otherwise known as port address translation, and it would translate your private IP addresses into a public IP address. Your system would have a default route to the NAT instance, that instance would have a default route to the internet gateway, the NAT instance would have an external IP address, the internet gateway would have an external IP address, and all your systems would have access to the network, the internet. That's a standard AWS NAT instance.

Now what if you want to translate between two IP addresses? Well, you could obviously create a Linux machine on your own, put two Ethernet cards in there and translate between a private address and another private address. And why might you want to do this? Well, let's say I address my system 10.0.0.1, and another company addresses their system 10.0.0.1. Wait, they can't talk to each other, but if we NAT between them, then we can. So there are lots of use cases for NAT, not only the ones that were mentioned.

Now, if you notice, that NAT instance requires an internet gateway to work. So AWS likes to make people's lives simple. The whole point of the cloud is it's simple. We lose features, we lose functionality, we lose performance, but it's simple. We go to the cloud because it's agile, it's fast, we don't need as much sophistication, because they manage three quarters of the workload for us, which is kind of beautiful. That's why we all love it so much. So AWS came up with a simpler, more elegant solution for most people, and it's called the NAT gateway. And the NAT gateway kind of combined the NAT instance and our internet gateway in the same device. So my NAT gateway is a fully managed NAT service. And the NAT gateway is redundant inside of an availability zone; every availability zone will require its own gateway. So what happens: you create the NAT gateway in a public subnet. It will have an, we'll call it an external public IP address, which AWS likes to call an elastic IP, for the life of the gateway. You'll put a default route in your system to the NAT gateway, and then your systems can reach the internet and your traffic can come back. But they will not be reachable from the internet. Remember, this is egress only, just like the egress-only internet gateway, except the egress-only internet gateway is for IPv6 and this is for IP version 4. Simple stuff, simple stuff, simple stuff.

So let's look at this. Under the concept of what we're doing here, you can see we've got our systems in a private subnet, we've got our NAT gateway, and they can go to the internet. But remember, our systems will not be reachable from the internet. Our systems, our servers, can go out there and update their operating system, get new operating system patches and all kinds of good stuff, go through the firewall and get out to the internet, and our traffic can come back. Simple, elegant solution.
So now let's talk about the elastic network interface. This, to me, is the most ridiculous name in the world. When you have a server to connect to a network, you plug it into its Ethernet card. When you have a virtual machine, guess what, it's got an Ethernet card in it, a virtual one usually, although it could be a physical one if we talk about single root I/O virtualization, which I'm sure we'll address. But what's going on is, if you ever want to put your virtual machine connected to the network, you need an Ethernet card. So AWS called the Ethernet card for your virtual machines an elastic network interface. So by default, your systems come up with a single elastic network interface. But if you want a system to be on two different subnets, well, then you could use two of them.

Now in many certifications, they teach you how to create something called the bastion host, which is about the fastest way to get hacked, fastest way to get fired. So I'm not going to teach you how to do that. There's a way to do it intelligently, but 99% of them that I've seen out there are hacking events. I've seen people get fired for putting these things up there. So I'm not going to teach you how to do that, because I don't want you getting fired, and then they keep putting it in a lot of certification courses, but there are good reasons not to do it. We've got a video on why you should never create a bastion host, and my team could pop that in there. But if you had a server that you wanted to have on two different subnets, you could put two network interfaces in there, and that's what we always used to call a dual-homed server. Now we can have a management subnet on one side versus another side, inside versus outside of our network. So there are lots of reasons we might want to do these things. So let's talk a little bit about elastic IP addresses.
Okay, now, AWS could just say public IP address, and I'd be happy, happy, happy, happy, happy, right? But, you know, they don't. If you want a public IP address from AWS, they have to stick the word elastic on everything. Because they have to stick the word elastic on everything, they call it an elastic IP address. It just means a public IP address. So here's how you would normally get a public IP address. You've got a network architect like me, I need a public IP address, I go to my ISP, and I request one. And I own it until I'm done with it. Now, by comparison, with AWS, when you need a public IP address, you get one of their elastic IP addresses. They own the address, they give it to you for as long as you need it. And when you shut your system down, it goes back into the pool, and they can go and resell that IP address to somebody else. An elastic IP address can have a single public IP address mounted to it, like at the edge of a load balancer. Or it could be used in a NAT overload situation, like you would in a NAT gateway, which provides port address translation.

A little bit of a picture of what an elastic IP address looks like, very, very simple and elegant. Here we go. We've got our private systems, we've got our instances, which are sitting behind the firewall, all using the public IP address, otherwise known as elastic IP address, 3.3.3.3, going out to the internet, and we should be good to go. Pretty simple and elegant. So let's get into the next thing. If you guys can give me a hashtag that says AWS Certified Solutions Architect Associate in the chat box. I know you're awake, I need to know you're awake. I'm teaching here with laryngitis to try and make sure you guys have a good learning experience, and I want to know you're awake.
So now let's talk about VPC endpoints. VPC endpoints are essentially devices that are high availability and enable you to connect to things. There are two kinds of endpoints. There are gateway endpoints, and there are interface endpoints. Let's first begin with gateway endpoints. Gateway endpoints are high-speed, high-security access to AWS services. And what happens is it places a route in your routing table. And gateway endpoints are typically to things such as Amazon S3. What happens is it will put a route in your routing table in order to reach AWS S3. So you'll create an endpoint, it's going to create a prefix list, and it'll attach you to the endpoint. The reason we're using the endpoint is it's going to provide secure access.

Let me show you what it would look like without the endpoint. So let's say we were inside of our VPC, or virtual private data center, and we want to connect to Amazon S3. There are really two ways that we could do it. Way one would be to go all the way up to the internet, cross the internet, and come back to AWS and reach your S3 bucket. Let's talk about why that's ugly. Well, we have to go to the internet, and that's outbound traffic, and guess what, we're going to pay for all that traffic to go to the internet. Now the internet is not secure, so we're going to have to encrypt that traffic, then it's going to come back. And so cost is a reason we don't want to do this. But the internet is not guaranteed, there's no guarantee, so the performance of the internet isn't good. And the internet's not secure, so now we're going to have to encrypt it. So let's think about it alternatively. If we didn't want to go to the internet, per se, and we just wanted to use the AWS private network, a network with guaranteed speed, guaranteed performance, and guaranteed capabilities, we could just send our traffic directly over the AWS private network. And that's what the endpoints are for. Endpoints provide secure, private, high-performance communication. And now, gateway endpoints are to reach AWS services like S3.

So let's talk a little bit about gateway endpoint security. We can set up an endpoint policy that can limit resources, like to the S3 bucket. We can limit routing information so that not everybody knows about the endpoint. If you don't have a route, you can't reach it. It's some of the best security in the world. And we network architects and network engineers, we've been providing security for decades, and here's how we were doing it: don't give somebody a route. If they didn't have a route, they couldn't reach it. And then we would use access lists, firewalls and other cool things. But the first part of security is don't give somebody a path to you. So if you wanted to build a really secure house, right, and you created an island in the ocean, and you needed a boat or a helicopter to get to you, it'd be more secure than if you built your house in Philadelphia, for example. I'm from Philadelphia, pretty high crime area. So I can tell you right now, if I had a house in the middle of the ocean, it'd be less likely to get hacked than if it was in Philadelphia.
So keep that in the back of your mind. Now let's talk about the next kind of endpoint, the interface endpoint. Now, interface endpoints are a way to connect to several AWS services like EC2, Systems Manager, Kinesis for streaming data, Elastic Load Balancer APIs, or external services hosted by AWS partners or other customers in their own VPCs. Now, the interface endpoint is going to work differently, and it's really kind of cool, actually. Basically, what's going to happen now: if we had a gateway endpoint, what happens, as in the previous concept, is it puts a route in the routing table. Now here, when you create an interface endpoint, it effectively puts another network interface, an elastic network interface, on your VPC. And your interface is local to the VPC. And when you create this interface endpoint, AWS will create this network interface in your subnets that you want to have access to this, which is going to be pretty cool. And then when you create the endpoint, AWS will automatically generate a fully qualified domain name, so people can connect to it via domain name. What's a domain name? mike.gocloudcareers.com, that's a fully qualified domain name. And it's going to give you something just like that.

Another really cool point of interface endpoints is they use a service called AWS PrivateLink. Look, I love PrivateLink. I've been working with the equivalent of PrivateLink now for 30 years, or 25 years, feels like 30 in dog years, so to speak, because I've been doing it forever. And PrivateLink is basically what's called a virtual private line. And what is a virtual private line? It's going to restrict all traffic to the virtual private line. So let me draw out what a virtual private line looks like for you, because, you know, if you're not used to private lines, then you're definitely not going to be used to virtual private lines. Let's go back to my fancy drawing board. So let's say you've got, we used to call it the frame relay cloud, it can be the internet cloud, it really doesn't matter. So we've got us over here, our VPC, and we want to connect to somebody else's VPC over PrivateLink. Now, realistically speaking, there are two ways we could do this. Option one, we could connect to the internet, and back from the internet, and woohoo, everybody's talking to each other. Now, we have to understand that by doing this, we've got internet security issues, and the performance of the internet is not guaranteed. So we have no guarantees that the internet will be there. But what we could do instead is, if this is the AWS private network, and AWS controls the private network, what they can do is create us a virtual private line directly across it, and we'll call this PrivateLink. And it's basically a pseudowire, a fake wire they're creating for you. It's no different than an MPLS TE tunnel or a GRE tunnel across a private network. They're building you a private wire, so they're giving you much, much better access to their own network. The reason we can't control our traffic on the internet is our traffic goes through 10 or 12 different entities. When it comes to PrivateLink, we're only using the AWS network, and you can guarantee performance across your network using signaling things like resource reservation protocols, things which you don't need to know about for this. But we can't guarantee performance across the public internet. And this is when you're already on your systems, not, for example, if this was a Direct Connect connection getting to AWS.

So let's say we're doing this. Let's say we've got a VPC over here, to the left side of the screen, another VPC, we can basically create a PrivateLink connection between us, and everything is done internally. This is the equivalent of a pseudowire, and we're good to go. Let me share this photo with you. So in this particular case, we've got a service customer, and we've got a VPC, and we're creating that pseudowire in between them. And that's the way they can talk to each other. Very simple, very elegant solution. Very elegant solution.
Now, there are other ways to get our systems to communicate with each other, and the other way is VPC peering. And I'm going to get into VPC peering in a minute, but before I do, I'm going to give you some background information about the difference between PrivateLink and VPC peering. PrivateLink is only going to allow access to a single service. So I can create a PrivateLink connection, and then I can only give people access to the cindythecat.com website and nothing else. My cat Cindy, she's pretty popular these days. She's like internet famous. She's always doing fun stuff. So access to just Cindy's beautiful photos of her doing silly cat tricks. By comparison, VPC peering is a little different. I have my VPC, I connect to Chau the amazing cloud architect's VPC, and she and I can exchange everything between us. So with PrivateLink, I give Chau access to just Cindy the cat's photos, and she's happy looking at my silly cat Cindy. But now I want to connect to Chau and I want to share information. I use VPC peering. We're going to get into VPC peering in a minute.

But when you use VPC peering, every organization must have private addresses. I mean, must not have overlapping addresses. So if I'm using the 10.0.0.0/16 space, and Chau is using the 172.16.0.0/16 space, we have different addresses, Chau and I can use VPC peering, and we're all kinds of happy. Well, let's say Chau, my super architect, and she's an amazing architect, read RFC 1918, and I read RFC 1918, and we decided to both use 10.0.0.0/16 on both of our systems. And now we've got overlapping IP addresses, much more commonly a thing. Now my systems and Chau's systems are not eligible to use VPC peering, because VPC peering does not work with overlapping IP addresses. Now, when we've got overlapping IP addresses, our systems can talk to each other, no big deal for we network people, we just use NAT to translate between them. But VPC peering doesn't let you use NAT. So when you need to deal with overlapping IP addresses with organizations, which is extremely common, because all organizations use RFC 1918 private address space, PrivateLink automatically does NAT. Keep that in the back of your mind.

Now VPC peering, which we're going to get to in a minute, enables you to connect to other virtual private clouds or virtual private data centers. But you can't get more than 125 connections. That's nothing. Nothing, nothing, that's like zero, or as my grandmother would say, nada, zilch, nothing. Whereas PrivateLink gives you much more scalability. PrivateLink, they'll tell you the limits are based on the max throughput achieved by your load balancers and servers. There's some other stuff beyond that, but for your test, PrivateLink's limits are only based upon the limits of your load balancers and servers. One last thing. Chau and I have VPC peering between us. She can get access to all my information, I get access to all of her information. And PrivateLink is unidirectional. I could set it up where Chau could only see photos of Cindy the cat and I can't even reach her. Whereas VPC peering is like opening a full conversation between two people. Both sides can get access to everything. So now let's talk about what
is VPC peering? VPC peering is simply a means to connect two private virtual data centers to each other. Now, VPC peering provides a non-transitive connection, and we'll do some demos and explanations of what non-transitive is. That means if I connect to Chau and Chau connects to Alonzo, I can't connect to Alonzo through Chau. I can just connect to Chau, and Chau can just connect to Alonzo. That's called non-transitive. VPC peering always uses private IP address space. And inter-region VPC peering, meaning going from like the US region to a UK region or an Asian region, is encrypted. Let's look at basic, basic, basic VPC peering, and then we'll talk about some challenges and workarounds. This is normal VPC peering. I've got one VPC, I've got another VPC, and we do VPC peering between us, and we can exchange organizations' information.

Now, it's common to have a lot of VPCs. You might actually find a thousand VPCs in your own organization, let alone external organizations. And here's the reason why. In my data center, I can do beautiful micro-segmentation. I can create different subnets for different systems, and I can route between those subnets and put ACLs, access control lists, between every subnet. Very simple and elegant. In my VLAN, I can do rate limiting, admission control and all kinds of cool stuff. Yes, I have greater security in my data center than in the cloud, if I design it right. I don't have access to any of those cool security features in the cloud. None. So sometimes the only thing that I can do in the cloud is to chop my company into multiple VPCs, multiple virtual organizations, and then use BGP and routing to connect between them. This is some of the complexity that we're trying to do in the cloud to try and equal the security we naturally had in our data center 10, 15 years ago. So we're going to be dealing with a lot of VPC peering.

Now, as I mentioned, VPC peering is not transitive. I'll explain what that means. Which means you've got two options: hub and spoke, and full mesh. Now, if anybody wants a funny math challenge, I want you to understand why 125 VPC peering connections is nada, zilch, zero, bupkis, whatever you want to call it. The formula for determining how many VPC peering connections you're going to need is n times n minus one, divided by two. I hate math. Let me explain this to you. If we've got three VPCs that we're peering up here, and I'm going to show you this in a minute, it's simple. n times n minus one: three times two equals six, divided by two, and we've only got three peering sessions. Simple, simple, simple. Right? Now we've got 10 VPCs we need to peer. So 10 times 9 is 90, divided by 2 is 45. Wait, only 10 VPCs? What about organizations that have a thousand VPCs? 25 VPCs: 25 times 24, now you're getting there, divided by two, and we've already exceeded the 125 peering sessions that we're allowed to do.

So let's talk about hub and spoke, when you'd want to use it and when you wouldn't want to use it. So let's first talk about an environment where we want everybody to talk to everybody. Here we go. We've got three VPCs here, A, B and C. A is on the bottom, B and C are up top. Because VPC B is peered with VPC A and C, VPC B can talk to A and C. Because VPC C is peered with A and B, VPC C can talk to B and A. And because VPC A is peered with VPC B and C, VPC A can talk to B and C. So here we go, everybody. Now everybody's talking to everybody. Pretty simple, right? Simple, easy. But what if we didn't want everybody talking to everybody? Might that occur? So now let's pretend that I'm a computer manufacturer, and I want to connect to other organizations. Perhaps I want to connect with a DRAM manufacturer, let's call them VPC B, and an NVMe drive manufacturer, call them VPC C, and a CPU manufacturer, call them VPC D, and an SSD manufacturer, call them VPC E, and a GPU manufacturer called VPC F, and another GPU manufacturer called VPC G. Now, do I want my two GPU manufacturers, Nvidia and AMD, talking to each other through me? Of course not. So here's a perfect place where I can do hub and spoke. By doing hub and spoke and having non-transitive routing, I can connect to everybody, but they can't connect to each other through me. So here's where security is good.

But now what if I want everybody to talk to each other? For example, what if I wanted B to be able to talk to C through A, and D to connect to A through E, and A to connect to C? Well, I've got two options. Option one is to fully mesh them. But as I told you, very quickly we're going to get through those 125 peering connections. Option two, I break the rules. And there are two ways where we can break the rules over here, two rule-breaking options, something called Transit Gateway and CloudHub. The certification providers are going to make it sound very different. For the people that build their clouds and know networking, they're pretty much the same thing, and I'm going to show you the differences, subtle differences.
So in iBGP, or interior BGP, we have the same problem, called non-transitive. We get into the same silly hub-and-spoke environment that I talked about before, where VPC B will tell A, and A can't tell C, so they couldn't reach each other. So for those of you that are networking people and understand BGP, you may recall that there's this thing that you can use to break the rule, and it's called the route reflector. And all a route reflector tells BGP is, hey, be transitive, by the way, and it would tell VPC B, when it tells VPC A its routes, to tell them to C. So we need some form of route reflector kind of technology on the cloud in order to do this. So this is where CloudHub comes in, and Transit Gateway. When you need to break the rules of non-transitive routing, you need a route reflector. Same solution we've used externally forever.

And what happens is you've got multiple VPCs, you want to create a hub-and-spoke network. Hub-and-spoke networks are used everywhere. They're used in airlines. For me, for example, if I want to fly to New York, and I live in Palm Beach, I fly to Atlanta, and I go from Atlanta to New York. Hub and spoke. I want to go to California, I fly to Dallas, and then I get to San Jose, or Houston, and I get to San Jose. Hub-and-spoke networks. And in networking, they've existed forever. Connect to the New York office, and that connects you to other places. Connect to the San Jose office, and that connects you to other places. So what we're dealing with in the cloud is they decided to rename the route reflector and call it CloudHub. And CloudHub enables your systems that are connected via VPNs to have transitive routing on the cloud. Each site will use eBGP to connect to this little device in the center, and then our routing will work.

So what's it going to look like? Here we go. We've got our cloud. We've got a Boston office, a New York office, a Washington office, and a San Francisco office. We all connect into the cloud. We use CloudHub over here, which means it can only support a VPN connection. Transit Gateway supports, obviously, Direct Connect connections and some other things. And now we've enabled our cloud to allow transit networking. So now Boston can talk to San Francisco through the cloud, Washington and Boston can talk to each other through the cloud, we've effectively created a transport network with VPN CloudHub. Now, the only problem with just VPN CloudHub is it only works with VPNs. What happens when you need high-performance networking, high-performance computing? You don't want to use VPNs. So that's where AWS came up with a concept called Transit Gateway. But realistically speaking, it's the same, same, same thing. But Transit Gateway is the following. Now we can use private lines, for example, and connect to these systems, still using eBGP, which doesn't have the non-transitive routing properties of iBGP. It's not forcing people to become familiar with route reflector technology. It's simple and elegant technology, and we've created a transit environment. So unlike CloudHub, with Transit Gateway we can still use VPN, we can use private lines and other forms of network transport. And that's why Transit Gateway is pretty much the way to go. Now, Chris, I'm going to get into access control lists and security groups. Okay, so let's get into
access control lists. So, normally speaking
12074.939 -> on a router, we create multiple subnets. And
we put an access control list between them.
12075.939 -> an access control list effectively says Cindy
subnet is allowed to talk for Cindy subnet
12076.939 -> is allowed to talk to caddy subnet. That's
what we're talking about. No reality is in
12077.939 -> here, we're going to do it via subnets. So
network ACLs. Keep unwanted traffic out of
12078.939 -> a subnet. And network ACL allows or disallows
traffic based upon a configured policy. The
12079.939 -> default policy by definition is to deny all
traffic. So an access control list is gonna
12080.939 -> have to specify the source and destination
address protocol and port number. Access Control
12081.939 -> Lists are stateless, and because they're stateless,
and they don't have any knowledge of the state,
12082.939 -> they can be configured inbound and outbound.
Inbound on out. So let's talk about how you
12083.939 -> put an access control list in order. You do
the following. You create a rule and I'm going
12084.939 -> to show the world and reason the rules matter
so much. Rule 100 denial traffic rule 110
12085.939 -> lol TCP port 80 traffic, what do you guys
think is going to happen? Tell me in the chat
12086.939 -> box. What's going to happen? Tell me right
now what's gonna happen? I can tell you right,
12087.939 -> right now. But tell me in the chat box, what's
going to happen? Rule 100 deny everything.
12088.939 -> Rule one channel. Well, TCP port 80? What's
going to be denied? Everybody? Tell me tell
12089.939 -> me tell me.
12090.939 -> It's going to deny everything. Why is it going
to deny everything? It's going to deny everything
12091.939 -> because it already says deny, deny, deny,
deny, deny. So it has to be done intelligently,
12092.939 -> correctly; we have to put it in sequence.
So now let's change the sequence. First, we
12093.939 -> don't need to put any denies. And here's the
reason why: it's implicit. The only time we
12094.939 -> do a deny, we will do a deny and
then a permit, is maybe we have one bad host
12095.939 -> that we want to deny, and we want to permit
the rest of the subnet. So yes, then we would
12096.939 -> do certain things, or we could just deny a
single IP address. Now what if I told you
12097.939 -> to just create a single rule? Rule 110: allow
TCP port 80 from any source to any destination.
12098.939 -> What's going to be allowed in? Tell me what's
going to be allowed in. Rule 110: allow TCP
12099.939 -> port 80.
12100.939 -> And while you type that, the problem before
was the reason the order matters. If we have
12101.939 -> a deny before an allow and the deny is everything,
everything would have been too large. Okay,
12102.939 -> Alex, we're going to allow web traffic into
the web servers. Yes. Do you need port? Any
12103.939 -> web traffic is going to be in. JSON: port 80
web traffic is going to be, really, man,
12104.939 -> allow web traffic. So good, good, good. Now,
because what you're dealing with is, the
12105.939 -> ACLs are not stateful, meaning they have no
way to track that you went out, and to allow
12106.939 -> your traffic back. That's why you need to
apply them in both directions. That's why,
12107.939 -> that's why, that's why.
12108.939 -> So now let's say we're going to do it together.
Everybody, give me rule 110: allow TCP port
12109.939 -> 443. What's going to be allowed in? Specifically,
what kind of web traffic is going to be allowed?
12110.939 -> Basic unencrypted web traffic, or only encrypted
web traffic? Tell me in the chat box, everybody.
12111.939 -> Alexandros: HTTPS. Good job. JSON:
HTTPS. App G: HTTPS. Okay. Perfect. Secure HTTPS
12112.939 -> web traffic. Okay, you got it. This guy's
got it. It's encrypted. It's encrypted. Now
12113.939 -> I'm feeling excited. I'm happy, I'm happy.
So we have to put them in order. We have to
12114.939 -> apply them inbound and outbound because there's
no... Now let's see what it looks like. Because
12115.939 -> this is gonna be a test question, test, test
question, and more test questions. Here's what
12116.939 -> we're gonna see. We're going to see our network
access control lists are used to keep
12117.939 -> unwanted traffic out of a subnet. And then
we're going to talk about a security group,
12118.939 -> which is to keep unwanted traffic out of a
host. Access control list: unwanted traffic
12119.939 -> out of a subnet. Network access control, as
they like to call it. Security group: keeps
12120.939 -> traffic outside of a host. Now, a security
group. So while an ACL protects your subnets,
12121.939 -> your security groups protect your hosts. So
let's talk about what that means. A security
12122.939 -> group is a stateful ACL. What's a stateful
ACL called? A firewall, everybody. So a
12123.939 -> security group is similar to a host-based
firewall. Does this mean you shouldn't put
12124.939 -> a host-based firewall on your server as well?
Of course not, you're going to use both. Because
12125.939 -> when it comes to security and availability,
one is none, two is one, and three is greater
12126.939 -> than two. But a security group keeps unwanted
traffic out of a subnet, I'm sorry, out of
12127.939 -> a, out of a host, and a network access control
list, this keeps security groups out of a subnet,
12128.939 -> which, you're going to use both of them. You
can't just use one, you're going to need both
12129.939 -> and then some more. So all good system designs
are going to include both, both, both, and more,
12130.939 -> both. So keep that in the back of your mind:
a security group being your host-based firewall.
12131.939 -> Now when you write a security group, you don't
need any denies, you just do allows. Why? Because
12132.939 -> you're only allowing stuff into a server,
the minimum amount of stuff that you need
12133.939 -> to. If I want to allow FTP, I'm going to allow
FTP, not that we allow FTP anymore in today's
12134.939 -> world. If I wanted to allow TFTP, which we
don't do anymore, we would allow TFTP, for
12135.939 -> the most part, which we don't do. If I wanted
to allow secure FTP, I would just permit a
12136.939 -> rule to allow secure FTP, to allow HTTPS or
HTTP. So we just create a security group,
12137.939 -> which tells... Now when we create a security
group, they're smarter than access control lists.
12138.939 -> All rules will be evaluated prior to denying
traffic. So if we made the mistake of saying
12139.939 -> deny any any, and then an allow afterwards,
well, at least all rules are going to be evaluated.
12140.939 -> So it'd be wearing a better suit. But only
inbound rules are necessary. Why only inbound
12141.939 -> rules? We allow this stuff to come in, because
once it's come in to us, we know where it's
12142.939 -> coming from. We're tracking the state of the
connection, we allow the return traffic.
12143.939 -> So let's go back to this diagram. What
are we really talking about here? We're talking
12144.939 -> about the following. We've got our network
access control list protecting this subnet,
12145.939 -> and our security group, in principle and in
practice, protecting our hosts, our virtual
12146.939 -> machines, our instances, or any name that we
choose to call it. Now what if we wanted to
12147.939 -> create a network and use the cloud? So there's
two ways you can create your own network.
12148.939 -> You can hire somebody like me and say, I
need a network with 10,000 locations. And
12149.939 -> I'll design your beautiful wide area network.
I'll determine the routers you need, the
12150.939 -> switches you need, the routing protocols. I've
been doing it for decades. And when I design
12151.939 -> a network, it's going to work, it's going to
be high performance, but it's going to cost
12152.939 -> you money. Because you've got 30,000 locations.
Realistically speaking, you need 60,000 routers.
12153.939 -> These routers could be $30,000 to $40,000 each. Each
router is then going to need its interfaces,
12154.939 -> might need two WAN connections. Each WAN connection,
say it's 1,000 bucks a month. Then I'm going
12155.939 -> to need three CCIEs at $300,000 a year to
be able to maintain this thing, at least at
12156.939 -> the design and high-level stuff. I'm going
to need a network operations center. I'm going
12157.939 -> to need some basic network engineers that
can keep stuff up and running and build the
12158.939 -> stuff that we architects do. And it's
gonna get real expensive, real fast. Or, if
12159.939 -> we're connected to the cloud, we can actually
use the cloud to build our entire wide area
12160.939 -> network. What that's called is a transit VPC.
It's another way to create a hub-and-spoke
12161.939 -> environment through the cloud. So with transit
VPC, it pretty much is an intermediary that
12162.939 -> allows you to connect multiple VPCs, multiple
customers, multiple organizations through
12163.939 -> something, but that's about a service provider.
Let's not go down that path for this class. It's
12164.939 -> essentially the way to use the cloud as a
private network. Now remember, you could create
12165.939 -> multiple VPNs on the internet, you could do
it. Each VPN is going to need a router and
12166.939 -> a connection to the internet. But here's the
thing: internet bandwidth is not guaranteed,
12167.939 -> because it traverses multiple internet service
providers to get to your destination. But
12168.939 -> you can guarantee the performance on your
network. AWS can guarantee the performance
12169.939 -> on their systems. So we can create this transit
VPC, we can basically connect to anybody who's
12170.939 -> connected to the cloud already, and we can
use the cloud as a conduit, as if it's a router.
12171.939 -> So a transit VPC acts like a cloud router
and directs all traffic, in a much similar
12172.939 -> way to VPC peering and CloudHub. When we use
a transit VPC, it has hubs
12173.939 -> and spokes, and we use BGP as the routing
protocol to exchange information. The data
12174.939 -> is never going to be routed through the public
internet, but uses the AWS private high-performance
12175.939 -> network. It's an elegant, elegant thing. The
transit VPC has all spokes directly using
12176.939 -> it. And it's going to be using our exterior
gateway routing protocol, otherwise known
12177.939 -> as BGP. Data keeps flowing, and it's private,
and it's automatically encrypted across the
12178.939 -> private networks. Private network with
encryption, high performance, high security,
12179.939 -> elegant, elegant, elegant.
12180.939 -> Very elegant. Okay, let's talk about implementing
network performance and placement groups and
12181.939 -> what they are. So let's say you had a low
latency application. And I'll tell you right
12182.939 -> now, most of your critically low latency applications,
you probably shouldn't put them in the cloud;
12183.939 -> you should keep them in your data center.
By putting them in the cloud, you've got the
12184.939 -> latency of your wide area network connection,
multiple network hops, slower storage, and
12185.939 -> all the challenges that come from a virtualized
environment. But if you wanted to, how do
12186.939 -> you achieve the best performance in the cloud?
And this is where we get into placement groups.
12187.939 -> Now, placement groups are logical groupings
of your servers inside of a single, inside
12188.939 -> of a single area, that availability zone.
Instances in the placement group are close
12189.939 -> to each other, are proximate to each other.
By putting your stuff close to each other,
12190.939 -> what you really get is lower latency and high
performance. Kind of keep that in the back
12191.939 -> of your mind. And so we're going to talk about
the kinds of placement groups you can actually
12192.939 -> deal with. So the first kind is a cluster
placement group. A cluster placement group is
12193.939 -> the way you get your best performance at your
lowest latency. Now, in architecture, everything
12194.939 -> is a trade-off. Everything is a trade-off.
So if we put our stuff close together, close
12195.939 -> together, close together, the latency to connect
to our devices is nothing, right? Yes. But
12196.939 -> let's talk about what can go wrong. Generally,
placement groups are where your servers are
12197.939 -> all on the same physical server. You're not
traversing the network at all, just the backplane
12198.939 -> of the server. So you've got very low latency
and incredible performance. But, but, but, you've
12199.939 -> got very, very little redundancy. So let's
talk about what we're dealing with. If you
12200.939 -> put all your servers in the same rack and
they're connected to the same network port,
12201.939 -> to the same power distribution unit, hopefully
two power distribution units, and there's a
12202.939 -> power failure in the rack, your whole placement
group has gone. Can't have that. The circuit
12203.939 -> breaker blows? Can't have it. Now what if
all your stuff is in the same server
12204.939 -> and the server encounters a hardware failure?
Whoa, okay, now you're still down. What if
12205.939 -> the switch that's connected to the server
fails? You're still down, still down, still
12206.939 -> down. So, cluster placement group: critical
performance. Look, I've worked for banks when
12207.939 -> they needed critical, low latency. And here's
what we did: we had two racks side by side,
12208.939 -> each plugged into different outlets, two different
power supplies, two different power distribution
12209.939 -> units, multiple switches plugged into the
back of these things. And that way, if one
12210.939 -> died, it failed over to the other one kind of
instantly. We couldn't even use regular routing
12211.939 -> to get through the route, and we had to come
up with specialized routing to tune this to
12212.939 -> get maximum failover performance. So, cluster
placement group: lowest latency, highest performance,
12213.939 -> single point of failure. Scary. If you're going
to create one, create a second one. So let's
12214.939 -> talk about a way that's going to give us good
performance, but not necessarily optimal performance.
12215.939 -> This is going to be a partitioned placement
group. And in a partitioned placement group,
12216.939 -> our instances are grouped across racks. This
protects against failure of a
12217.939 -> rack, rack power, or network switch. And because
we're providing systems across racks, we've
12218.939 -> got a little more latency, not much, but excellent
performance with much lower risks. So what
12219.939 -> are we really talking about with regards to
latency? The speed of light, which is 186,000
12220.939 -> miles per second. Then we go 1,000 kilometers
or more to the cloud; that is latency. But
12221.939 -> if we go 20 feet in the data center, that latency
we're talking about, it's not. So a partitioned
12222.939 -> placement group is, you know, inside of the
same data center, split across racks, excellent
12223.939 -> performance, not quite as good as a cluster
placement group. But you know, we're getting
12224.939 -> into some serious stuff here: good performance,
high-quality networking, rack one, rack two,
12225.939 -> rack three, all in the same building, same
data center. So good performance, we don't
12226.939 -> lose much. Now, let's say we want a little
more availability. What if the data center
12227.939 -> fails? All right? Data centers. So now let's
talk about a spread placement group. Okay.
12228.939 -> So here's what a spread placement group is.
AWS has these regions, these large geographic
12229.939 -> areas, and they've got a bunch of data centers
in the same region. And a lot of their data
12230.939 -> centers can be across the street from each
other or close to each other. So a spread
12231.939 -> placement group is when you put your stuff
and spread it across availability zones in
12232.939 -> the same region. So by doing so, what can
we do for you here? We can put two in building
12233.939 -> one, two in building two. We've got a fiber
optic connection between them. So the latency
12234.939 -> is still relatively low latency, and we've got
a much higher availability system. Believe
12235.939 -> me, this is higher latency than a cluster group,
but it's got much more availability. So when
12236.939 -> it comes to architecture, there's never, ever,
ever, ever a single thing that we can do.
12237.939 -> The key is as follows: what do we need for
this application? What's the need that we're
12238.939 -> going to do? I don't know if I should share
my screen, but the cluster, spread placement
12239.939 -> group is going to look like this. Now I understand
what we're actually dealing with, with a spread
12240.939 -> placement group. Now let's talk about some
kind of network performance and training.
12241.939 -> I'm going to use some complicated terms that
I hate. I hate marketing fluff. So if you've
12242.939 -> ever worked in a virtual machine environment
in a data center, and let's say you were dealing
12243.939 -> with a VM or server and you needed really
good performance, like GPU performance, well,
12244.939 -> a virtual GPU's performance is terrible, but
a physical GPU's performance is great. And if
12245.939 -> you've ever built a virtual machine that was
designed for machine learning, you might take
12246.939 -> your virtual machine, you might push four Quadro
1000 cards into a single virtual machine.
12247.939 -> And that's called PCI passthrough, and what
that does is enable you to put a physical
12248.939 -> card directly into your virtual server. And
we've been using this for machine learning
12249.939 -> for a while, people that would create lots
of devices that needed high performance. Now
12250.939 -> the problem is, as we deal with a network
card in a virtual environment, it's not the
12251.939 -> physical Ethernet card that's in the system.
It's a virtual card that's created in software.
12252.939 -> I want you to think about this: hardware fast,
software slow. So for people that were
12253.939 -> mining Bitcoin on their GPU, they might be
able to do a few thousand hashes per second. But
12254.939 -> think about an ASIC, or hardware: they could
do trillions of calculations per second. Thousands
12255.939 -> versus trillions. Hardware is fast, fast, fast;
software slow, slow, slow. So if we needed
12256.939 -> high-performance networking, the first thing
we could do was push a physical network card
12257.939 -> directly into our server. See, you'd think they'd
call it a physical network card. But no, marketing
12258.939 -> people get paid a lot of money to come up
with crazy names to make it sound cool. So
12259.939 -> the first network performance option we have
is something that's called single root I/O
12260.939 -> virtualization, SR-IOV. Here's what it
means: pop a physical card in, have the physical
12261.939 -> card in, and push the physical card into the
virtual machine. And there's that. Now the
12262.939 -> next thing that we're actually going to talk
about is as follows: the Virtual Fabric Adapter.
12263.939 -> For organizations that need real high performance,
the other alternative with AWS is they've
12264.939 -> created a specialty software driver. And the
software driver can offer some incredible,
12265.939 -> incredible performance. And the performance
can go up to 400 gigabits per second. It's
12266.939 -> not there yet, but the driver's designed to
afford this, to support this. So what we're dealing
12267.939 -> with here is very, very cool stuff, network
performance options. And there we're gonna
12268.939 -> go.
12269.939 -> I see there's something about a puppy in the
chat box. I've always wanted a puppy in my
12270.939 -> entire life. But my wife would only support
cats, and I'm allergic to everything. So I
12271.939 -> have a cat named Cindy. Now we're gonna get
into DNS next, Chris. And DNS is going to
12272.939 -> be a topic that I'm going to need to spend
30 to 45 minutes on. Now give me a hashtag
12273.939 -> AWS Certified Solution Architect Associate,
so I know you're awake, alert, and oriented.
12274.939 -> Remember, for a medical person, in medicine, when somebody
falls over we say, Hey, what's your name?
12275.939 -> Who's the president? What's going on today?
Where are you? Because we want to know that
12276.939 -> you're oriented towards person, place, and
time. So give me a hashtag AWS Certified Solution
12277.939 -> Architect Associate.
12278.939 -> And then we'll get back to the content, as
long as I know that you're there. It's hard
12279.939 -> to do this. I've got, I've had laryngitis now
for two weeks. And I want to make sure that
12280.939 -> we're doing it, uh, you guys are paying attention.
So I want all of you to have the best possible
12281.939 -> career. Fantastic, fantastic. I know you guys
are here. Now let's talk about DNS on Route
12282.939 -> 53. What is DNS, everybody? DNS is simply a
way to map a name to an IP address. So let's
12283.939 -> say you wanted to connect to an IP address.
You could do it any day of the week. You can
12284.939 -> put the IP address in your browser, and it's
just going to work. No big deal. Now the question
12285.939 -> is, can you remember everybody's IP address?
My wife? Yeah, she couldn't remember everybody's
12286.939 -> IP address. Here's what the phone number is.
Lisa, the phone number is 256345789 10. And
12287.939 -> I ask Lisa, what's the phone number, and
she'll tell me a year later, 10 years later,
12288.939 -> 30 years later. Now me, I don't remember what
time I'm supposed to be somewhere. Sometimes
12289.939 -> I'm exaggerating the concept. But you know,
for me, it's very easy to remember Cindy the
12290.939 -> cat. That will be easier than to remember
her DNS sequence, or DNA sequence; it will
12291.939 -> be hard to remember. So since every device
that you want to be reachable needs an address,
12292.939 -> you could either be a genius, like my wife with a 170 IQ, and
remember everything like an elephant, or give
12293.939 -> you some sort of mapping agent. And this is
where DNS comes into play. It's very easy
12294.939 -> for me to remember amazon.com. But out of
curiosity, let me do an nslookup and actually
12295.939 -> find the IP address of amazon.com. The IP
address of amazon.com is 162.219.225.118.
12296.939 -> Now, which do you think is easier?
Remember amazon.com, or 162.219.225.118?
12297.939 -> Well, I'm going to tell you right now, I can
remember amazon.com, and I already forgot the
12298.939 -> 162 after the 219. Now remember it a week
later, and now we've got challenges. So DNS
12299.939 -> is really a means to map a name to an IP address.
Here I go: I'm sitting on a browser, I type
12300.939 -> www.amazon.com, my computer goes to the DNS
server, the DNS server returns the IP address,
12301.939 -> and my browser redirects me. Now here, I'm
going to actually do an example with you,
12302.939 -> every one of you, all of you. I want you to
open up a window. On Windows, it's going to
12303.939 -> be your command prompt. If you're on a Mac
or a Linux system, open up a terminal and
12304.939 -> do the following with me. Let's go find the
IP address for gocloudcareers.net. So every
12305.939 -> one of you type nslookup: November, Sierra,
Lima, Oscar, Oscar, Kilo, Uniform, Papa. Leave
12306.939 -> a space. And then after you leave a space,
type www.gocloudcareers.com, just like
12307.939 -> I did in this example that I'm sharing with
you right now, or at least I meant to be sharing
12308.939 -> with you right now.
12309.939 -> And here you go. What IP address did you get
on your computer? You did an nslookup,
12310.939 -> pop the address that you got in the chat box.
Now that IP address may be different than
12311.939 -> it was when I ran this. But here's what you're
going to do: you're going to do an nslookup,
12312.939 -> and you're going to be able to find the IP
address of any website. After we do mine,
12313.939 -> do an nslookup to www.cisco.com. Big website.
And that's what DNS is doing. It's mapping
12314.939 -> a name that we can remember, like gocloudcareers.com,
and we're mapping it to the IP address of
12315.939 -> 192.0.78.217. There you go. I can remember
gocloudcareers.com, but 192.0.78.217,
12316.939 -> that's a little harder for me to remember,
even if it's my own IP address. So that's
12317.939 -> why we came up with these things. But DNS
can also do some more. But let's go and talk
12318.939 -> about what goes into a DNS name or domain
name. A domain name is going to be broken
12319.939 -> down into three sections. Now when we talk
about a fully qualified domain name, domain
12320.939 -> name, we're talking about the following: the
host name, which is the given name of the
12321.939 -> endpoint, the domain name, and the top-level
domain. So if we go to www.gocloudcareers.com,
12322.939 -> the host name is going to be www, the domain name
is going to be gocloudcareers, and the
12323.939 -> top-level domain is going to be .com. It could be .net
also, but those are the kinds of things
12324.939 -> that it could be. So fully qualified domain
name, host name: www.gocloudcareers.com
12325.939 -> is a fully qualified domain name.
12326.939 -> Now when we work with DNS, you've got to be dealing
with something called DNS records. DNS is
12327.939 -> kind of like a database that maps IP addresses
to different addresses. So we need to have
12328.939 -> these things. So when we're dealing with DNS
records, we're dealing with something called
12329.939 -> the zone file as well. Same thing: DNS record,
zone parameter. And what they are, are they're
12330.939 -> sets of particular instructions that are located
in the DNS servers and provide information
12331.939 -> about the domain. The records are in a particular
format known as DNS syntax, which is a type
12332.939 -> of text file. And the DNS syntax is instructions
to tell the DNS server how to carry on. That's
12333.939 -> actually... Now, when we're dealing with anything
on the internet, we have something called
12334.939 -> the TTL, or time to live. And the TTL with
DNS is how many, how many seconds it will take
12335.939 -> for the DNS service to refresh its information.
So why do we need a TTL? If I put an IP address
12336.939 -> in and it was permanent in the DNS, and we changed
IP addresses, nobody would ever figure it
12337.939 -> out. So we can't leave records up there forever.
Now, there's a tremendous number of DNS records
12338.939 -> that you're going to need to know. And we're
going to talk about them. So kind of keep
12339.939 -> that in the back of your mind. Understand,
when we talk about DNS and AWS, we're going
12340.939 -> to be talking about Route 53, which is AWS's
highly available, scalable DNS platform,
12341.939 -> which uses something called anycast. It's
low latency, high availability, supports health
12342.939 -> checks. But here's the thing to remember:
if you want a high availability cloud architecture,
12343.939 -> a true high availability cloud architecture,
you're not going to use AWS Route 53. And
12344.939 -> here's why: AWS Route 53 is AWS's
proprietary DNS system. So now imagine you
12345.939 -> use Route 53, which is great DNS, by the way,
and now you've got the Azure cloud, the Google
12346.939 -> Cloud, and you've just had this cloud on the
AWS cloud. And now, now you're using all your
12347.939 -> DNS from AWS, and AWS goes down. Guess what?
None of your other clouds are going to work
12348.939 -> either. So when you're dealing with high performance,
high availability systems, you can't afford
12349.939 -> to use your cloud provider's DNS. You're going
to need to use a critical high availability
12350.939 -> system, the kind of thing that we've always
used from F5, or any other way you want to
12351.939 -> do it. And we're going to put DNS servers
in each cloud and data center. Now, you don't
12352.939 -> need to know every DNS record. But there are
certain DNS records that you, for the most
12353.939 -> part, need to know. You need to know the A
record. We'll cover the AAAA record, we'll
12354.939 -> cover the CNAME record. You definitely
need to know some of these: start of authority
12355.939 -> records and MX records, and the CNAME record.
We'll probably cover, I'll cover a few more
12356.939 -> of them, but kind of keep this in the back
of your mind. They are critical knowledge.
12357.939 -> So let's start with the most fundamental record,
the simplest thing, the A record. It maps
12358.939 -> a name to an IP address: 1.2.3.4,
prettycindythecat.com. One day, I'm going
12359.939 -> to make a website, prettycindythecat.com,
if I ever have more than five minutes to myself,
12360.939 -> and about five minutes, I usually spend it
with my cats and near my wife. And it just
12361.939 -> maps a name to an IP address. Now this, with
IPv4, an A record: one address maps to the IP
12362.939 -> address of the website. Simple. Now what if I
had an IPv6 address? Well, then it wouldn't
12363.939 -> be an A record anymore, it would be an AAAA record,
a quad-A record. So an A record and an AAAA record
12364.939 -> are identical. The difference is an A record
is used for IPv4 and an AAAA record is used for
12365.939 -> IPv6. Now next on the list, we have a CNAME
record. Oh, why do we use a CNAME record?
12366.939 -> Well, I'm going to show you why we use a CNAME
record in a second.
12367.939 -> Okay, so let me make this a little bigger.
Chris, I'm gonna, I'm gonna need your help
12368.939 -> figuring out how to share a window on my screen.
Let me go deal with this. Bear with me. Only
12369.939 -> present a window, share our screen. Window.
Okay, can you guys... okay, good. You guys can
12370.939 -> see my screen. So I did an nslookup on
Amazon. And if you notice, what you're really
12371.939 -> going to see is, first, these are my Google
DNS servers. Why does it have a hashtag 53?
12372.939 -> Well, 53 is the port. It's the
TCP and UDP port that is used by DNS. And
12373.939 -> that's why it's relevant. That's why it's
53, a Jumbo scolaro. And you're also going
12374.939 -> to see the amazon.com. This is actually its
DNS name. Now this is what's pointing to it.
12375.939 -> Now what is this ugly, ugly thing? This delta
three alpha golf four hotel uniform kilo kilo
12376.939 -> hotel six two yankee november .cloudfront.net,
d3ag4hukkh62yn.cloudfront.net.
That's actually the address of the content delivery
12377.939 -> network that's used by amazon.com. Now, do
you think any of you are ever going to remember
12378.939 -> that? Except for my wife, for those of you
with photographic memories, you're not. But
12379.939 -> you can remember amazon.com. So a CNAME record
will map amazon.com to this ugly, clunky name,
12380.939 -> which is the actual name. So it's effectively
like it's mapping one IP address to another
12381.939 -> IP address. And that's what we're creating
a CNAME record for: to map one IP address to another
12382.939 -> IP address. I'm going to stop sharing right
now, if I can figure out how to do that. Share
12383.939 -> a screen. And Chris, you can stop sharing.
Okay, so there we go. So that's what we're
12384.939 -> creating a CNAME record for. It's not exactly
an alias record, but it's kind of mapping
12385.939 -> and delegating to another domain. Let's talk
about an NS record, or a name server record.
12386.939 -> Well, we've got DNS servers. We need to know
what are the real DNS servers, the most authoritative
12387.939 -> servers, the servers to trust, servers that
propagate our organization's DNS information
12388.939 -> to the rest of the internet. We need an NS
record that identifies those servers. Now
12389.939 -> let's say you want to receive email. So my
cat Cindy, she's here cleaning her fur, doing
12390.939 -> cute little hand stuff, and she wants to send
an email to her friend. Well,
12391.939 -> if your organization wants to receive email,
you need a mail record, called an MX record.
12392.939 -> So an MX record, what we're dealing with is
really a record which tells you which mail
12393.939 -> servers can accept and receive mail from your
domain. The last record we're going to talk about
12394.939 -> is something called the start of authority
record, or SOA record. And that's the primary
12395.939 -> name server responsible for your domain. It tells
you the responsible party for your name. And
12396.939 -> it'll have a timestamp that lists any changes
that were made, and a number of seconds before
12397.939 -> your information needs to be refreshed. So now let's
talk about Amazon Route 53. Route 53 is a
12398.939 -> highly scalable, proprietary DNS service provided
by AWS. If you use AWS and AWS alone, it gives
12399.939 -> you a very nice, low cost method for DNS.
It supports IPv4 and IPv6. But remember,
12400.939 -> it's proprietary. And if you use multiple
clouds and AWS goes down, you lose all your
12401.939 -> clouds. So you don't want to be using something
like this in a high availability environment.
12402.939 -> You want a high availability DNS solution.
But for your exams, here you go. Now, there's
12403.939 -> nothing wrong with the service. It's a great
DNS service. The problem is when you put all
12404.939 -> your eggs in one basket, and the basket gets
dropped, all your eggs are lost. That's why
12405.939 -> people diversify their portfolios and don't
have a portfolio of a single stock. That's
12406.939 -> why organizations never use the same service
provider when they, when they use two
12407.939 -> different service providers. That's why it's
insanity to use a single cloud when you should
12408.939 -> be using multiple clouds. Same problem.
12409.939 -> With Route 53, you can route customers inside
or outside of AWS resources. It's standard
12410.939 -> DNS, and you could use Route
53 to connect to AWS and Azure and Google.
12411.939 -> The problem is, if Route 53 goes down, you
lose your other clouds. You don't really
12412.939 -> want to do that. The way DNS servers always
determine whether your endpoints are healthy
12413.939 -> is with a health check. So
they work via health checks. I'll be describing
12414.939 -> health checks in a minute. Now I may actually
give you a health check right now. So Chris,
you and the others on the phone right now,
12415.939 -> I'm going to do a health check. Here's
12416.939 -> what a health check is. Let's say Chris, is
there anybody else behind the scenes like
12417.939 -> you right now? No? Okay, so it's just Chris.
Chris, are you there? Yes. Chris, are you
12418.939 -> there? Yes. Chris, are you there? Whoa, Chris
has failed as far as health check. Chris,
12419.939 -> are you there? Yes. Okay, Chris is here. Now.
I can see keep sending traffic to Chris. But
12420.939 -> let's pretend I had two people there. Now
there's going to be Chris one. And there's
going to be Chris two. Chris one, are you there?
Yes. Chris two, are you there? That's scary.
12422.939 -> Chris one. Are you there? Oh, sorry. I was
here a couple coming up with accents and a
12423.939 -> muted. Yes. Yes. Chris one is here. Chris
two, are you there? Ya mon. We jammin'. Okay,
12424.939 -> good. And Chris knows I love Bob Marley. And
anything Jamaican. Chris one,
12425.939 -> are you there? Yes. Chris two, are you there?
Yeah, I'm on. Okay. See, I'm happily sending
12426.939 -> traffic. Now. Chris one's gonna get really
tired and lazy and not be there. Chris one
12427.939 -> are you there? Oh, Chris two. Are you there?
Yeah, I don't know what happened to the other
12428.939 -> man. Okay, Chris one. Are you there? No, he's
not here. Chris two, are you there? Chris two's
12429.939 -> there. We have real trouble. Yes, yes. Chris
one, are you there? Yes. Okay, now Chris
12430.939 -> one just passed the health check. Okay, I
was hoping Chris one was not going to be there,
12431.939 -> so we could revert all traffic to Chris two.
What the health check is, is me as your
12432.939 -> system is asking somebody if they're there.
If they don't respond, you send your traffic
to the other device. But it doesn't always
work when you do it in a completely clumsy, uncoordinated
12434.939 -> manner, trying to do it live. So there
you go. That reminds me, I need more turmeric
12435.939 -> tea for my laryngitis. I did have some
bamboo this morning with breakfast. But I
12436.939 -> need some turmeric too. So now if we're going
to use DNS to determine what's available and
12437.939 -> what's happening at an IP address, can we use it
for more? And the answer is, of course we can,
12438.939 -> we can use it for high availability. So let's
deal with high availability. We're first going
12439.939 -> to begin with
a simple routing policy. And a simple routing
12440.939 -> policy is the most basic form of routing.
And what are we talking about here, you have
12441.939 -> one DNS record and it maps to a single IP
address. So Cindy the cat maps to
12442.939 -> 1.2.3.4. Simple routing. Very, very simple. Now,
that's great if you've only got one website.
12443.939 -> But what if you have something different?
Let's say you want to you want you want to
12444.939 -> send traffic to two places. Let's say you
want to send 50% or 75% to your data center,
12445.939 -> and you want to send some 25% to the cloud.
Well, you could use a weighted routing policy
12446.939 -> weighted routing is really cool. You send
50% to Azure, 50% to AWS; AWS goes away, send
12447.939 -> 100% to Azure. That's weighted routing.
Weighted routing is also
12448.939 -> good when you've got new applications. So
let's say you want to test a new application
12449.939 -> or a new website. In this particular environment,
we could send 85% of the traffic to the website
12450.939 -> that's existed for a long time, and 15% to
the new website. And that way, we can test
12451.939 -> it with a subset of our customers, before
rolling out a brand new website to the entire
12452.939 -> world. What if the website crashes? So when
you see blue-green deployments and things like
12453.939 -> this, typically used for new applications
and new code, they typically use some form
12454.939 -> of a weighted routing policy. Latency-based
routing enables you
12455.939 -> to direct your traffic to the site or the
region with the least traffic. How does this
12456.939 -> work? Well, it really works based upon your
IP address. See, I go to the internet, and
12457.939 -> it determines via my IP address that I'm in
South Florida, it will send me to the web
12458.939 -> server in South Florida. Now what if I was
in Tokyo? Instead of South Florida, would
12459.939 -> I want to go to the Florida website? Probably
not, I might want to go to the web server
12460.939 -> in Tokyo or Kyoto or someplace else that will
be close by. By comparison, that's what
12461.939 -> latency-based routing does: it determines
where you're at, determines the
12462.939 -> lowest-latency server next to you, and sends
you to that server. That's pretty cool.
12463.939 -> Latency-based routing. I'd like to look at it this
way. You hit our site, which one's got the
12464.939 -> lowest latency, send it to the site with the
lowest latency. We're not Go Cloud Architects
12465.939 -> anymore, we're Go Cloud Careers, but there you
go, we made the slides a long time ago. Now let's
12466.939 -> talk about failover routing, I love failover
routing, failover routing is done by the following.
12467.939 -> It enables you to create your active and passive
system. So send all traffic to AWS. AWS has
12468.939 -> an outage, send all traffic to Google.
That's failover routing. And that works via
12469.939 -> the health checks that we didn't demonstrate
as elegantly, but I'll be demonstrating a health
12470.939 -> check very soon. The point of failover:
it's going to check the health. And if one
12471.939 -> goes away, there you go. So let's look at
it in this environment. Here we go. We've
12472.939 -> got our main servers; Go Cloud Architects primarily
goes to the primary one. But if it fails,
12473.939 -> goes to the secondary one. That's called failover
routing. I absolutely love it.
12474.939 -> Geolocation routing, now this is really, really
cool. Geolocation routing policies
12475.939 -> look at your user and send them to the website
that's closest to the user. But we can get
12476.939 -> pretty cool with this. Let's say you're in
a country like Cameroon, I have so many wonderful
12477.939 -> people with us from Cameroon. Now there's
an English side of Cameroon. And there's a
12478.939 -> French side of Cameroon. And if you want something
in English is pretty easy to do. So we could
12479.939 -> set up a routing policy that could say French
side of Cameroon goes to the French web page,
12480.939 -> English side goes to the English site, based
upon your source IP address. So that's actually
12481.939 -> called geolocation routing; it sends you to the source
that's closest to you. But think about
12482.939 -> a country is where you speak. There's three
languages in these countries. Many countries
12483.939 -> there's two different languages For many regions,
there's two different regions. You know, Greece,
12484.939 -> where I'm from, it's pretty close to Egypt,
which is, which is pretty close to Israel,
12485.939 -> it's pretty close to Turkey. Well, in Turkey,
they speak Turkish and Egypt, they speak Arabic,
12486.939 -> and Israel, they speak well, Arabic, as well
as Hebrew, as well as English. And in Greece,
12487.939 -> they speak Greek. Figuring out my IP address
and sending me to the right website, is the
12488.939 -> determination whether I buy something off
of that website, or whether I read it and go,
12489.939 -> I don't know, it's not great, and I don't
know how to read it. So you know, kind of
12490.939 -> love these kinds of things. But we use it
like this. I just I love geolocation routing.
12491.939 -> Where do you go? Go to the close one, go to the
place that makes more sense to you. Now, multivalue
12492.939 -> answer routing policy, to me, is ridiculous.
It's the biggest random thing in the world.
12493.939 -> I don't do random. I don't do random at all.
But what multivalue answer means is,
12494.939 -> you've got multiple entries. And it's just
going to randomly pick some to choose from
12495.939 -> kind of like rolling the dice. And I don't
like rolling the dice with any architecture
12496.939 -> here. Throw the dice in the air, and which
one of these websites are you going to go to?
12497.939 -> But it still uses a
health check, so it will only send your traffic
12498.939 -> to a healthy system.
12499.939 -> Now let's talk about geoproximity routing.
This gets a little ridiculous here. This lets
12500.939 -> you divide your region into different parts
of the world. And AWS then lets you kind
12501.939 -> of do the following. It enables you to create
something called a bias, which is going to
12502.939 -> spread and shrink regions. And by changing
your regions, you can shift where your traffic
12503.939 -> is going to focus. Like, I've never used
it for anything. I'm always going
12504.939 -> to use my own DNS. In a tiny business, you
can use the DNS from your provider; in a big
12505.939 -> business, you've got to manage your own DNS
servers. If they need a cloud architect,
12506.939 -> they're going to be managing their own servers.
So let's get back into this concept of
12507.939 -> a health check, which I tried to demonstrate
before. I know it didn't exactly work, but
12508.939 -> my team didn't coordinate ahead of time. That's
okay. The health check's gonna monitor the
12509.939 -> functionality of your stuff. Anything can happen
when you go live. If the system doesn't
12510.939 -> respond to the health check, it'll be marked
as unhealthy. Now, I wasn't sure if the slide
12511.939 -> was here, because we got our slides beautifully
redone. I was trying to create some availability,
12512.939 -> but it is what it is. Let's do it. Here, I've got two
servers. Server one, are you there? Responds,
12513.939 -> yeah. Server two, are you there? No response. That's
getting scary. Server one, are you there? I'm here.
12514.939 -> Server two, are you there? No response. Server one,
are you there? I'm here. Server two, no response.
12515.939 -> Shift all traffic to server one. So Chris,
the next topic is load balancers, which is
12516.939 -> one of my coolest favorite, most happy things
to talk about in the entire world, because
12517.939 -> I love them. They improve performance and
availability. Okay, let's get back to the
12518.939 -> content. Everyone, let's talk load balancers.
I love load balancers. I think they're the
12519.939 -> coolest thing ever. We network architects
don't work with them. But you know, they're
12520.939 -> cool. Cool, cool, cool, cool. Um, why do
I love load balancers so much? Well, load
12521.939 -> balancers are devices. And yes, I called it
devices. They enable you to increase system
12522.939 -> performance and availability at the same time
with better performance and making sure the
12523.939 -> systems are there when you need it. But how
could you not want that in your system. Load
12524.939 -> Balancers can reduce cost. And I'll explain
to you how, but they can really help scalability.
12525.939 -> And here's why. They let you use
multiple servers and make them act like a
12526.939 -> single server. And in many cases, it may be
cheaper to buy more small servers than one
12527.939 -> giant server. But also, let's say instead
of using a 256-core server, you had decided
12528.939 -> to use eight 32-core servers. Now, here's the thing.
Now, if you use eight 32-core servers, and one
12529.939 -> of those servers fails, you still have seven
left. But if you use the 256-core
12530.939 -> server and that fails, you got nothing, like
my grandmother called it, bupkis or Depa, depending
12531.939 -> upon which grandmother, the Jewish one
or the Greek one. So when you're in this position,
12532.939 -> the load balancer removes that single point
of failure. Now the load balancer improves
scalability as well. And why? Because, you know,
I might need eight servers. But if I need
12534.939 -> nine servers, 10 servers, 11 servers, 500
servers. By using load balancers, I can keep
12535.939 -> spreading the load. And no one's the wiser.
So I can allow a lot of performance. And at
12536.939 -> the same time, I can produce availability
by removing single points of failure. So I
12537.939 -> love, love, love single points of failure.
Now how do load balancers remove single points
12538.939 -> of failure? Through a health check. Server one,
are you there? Yeah, I'm here. Server two,
12539.939 -> are you there? Yes, I'm here. Server three, I'm here.
I got it, I got it. I love it. I love it.
12540.939 -> I love it. Kind of keep that in the back
of your mind. That's why we're using load balancers
12541.939 -> to improve performance and availability. Now,
don't think load balancers are new devices.
12542.939 -> They're 20-plus-year-old devices. We love
load balancers. They typically fall into two
12543.939 -> categories. AWS has lots of names for them.
But you either have network load balancers,
12544.939 -> or we have application load balancers. I don't
care what names you call them; gateway load
12545.939 -> balancers are one of the two. A network load
balancer operates at layer four, which means
12546.939 -> it looks at the TCP UDP information. And network
load balancers are fast, fast, fast. They're
12547.939 -> not too bright: 2, 4, 6, 8, 10, 12, 14, 16, 18, 22, 24, 26?
I mean, it's fast, right? It's not doing that
12548.939 -> much. And application load balancers are really
smart. So instead of doing two plus two equals
12549.939 -> four, now we're doing calculus. Now,
how fast can you do calculus me, my wife pretty
12550.939 -> quickly, me. I don't know how to do calculus,
I'd have to learn I could learn anything.
12551.939 -> But it wasn't something that I ever had to
learn, so I never learned it. But the point
12552.939 -> is, it would take longer to actually do calculus
than to do simple addition. So when
12553.939 -> we deal with application load balancers, we're
looking at deep stuff inside of an HTTP or
12554.939 -> HTTPS header. Now, we're on AWS. They have
network load balancers; they call them elastic
12555.939 -> load balancers, because the marketing people
have to stick the word elastic in front of
12556.939 -> everything. And they also have application
load balancers, for example, but they call
12557.939 -> them elastic load balancers too. And they
have the classic load balancer, which of
12558.939 -> course can be a network or an application
load balancer; they call it a classic one, and
12559.939 -> they recommend you don't use them. Same concept.
So an elastic load balancer is a virtual load
12560.939 -> balancer instead of a physical load balancer,
and it distributes traffic to
12561.939 -> wherever you want it to, typically
speaking virtual machines like your web servers.
12562.939 -> Now, the load balancers are kind of auto-scaling,
they kind of do whatever they need, they give
12563.939 -> you enough capacity.
12564.939 -> Load balancers can spread
load across multiple availability zones,
12565.939 -> support health checks, and they can terminate
your SSL connection. So why is it cool to
12566.939 -> terminate your SSL connection? Well, SSL is
a form of encryption. And what
12567.939 -> do I mean by that? Encryption is
running mathematical calculations. And let
12568.939 -> me tell you, mathematical calculations take
CPU performance. And if you
12569.939 -> put these math calculations in the load balancer,
then this encryption does not have to occur
12570.939 -> on your web servers. So by offloading the
encryption onto the load balancer, instead
12571.939 -> of your web servers, your web servers can
be hanging out there like Cindy the cat, who's
12572.939 -> eating tuna fish, looking happy as a lark,
relaxed, relaxed, relaxed. That's why we
12573.939 -> love this.
12574.939 -> So AWS network load balancers route traffic
based on network stuff. They can handle
12575.939 -> millions of requests per second. Excellent
with rapidly changing conditions. And network
12576.939 -> load balancers, because they look at their
TCP port, source and destination, protocol
12577.939 -> and port number, and that's it, they're fast,
and they're stateful. Send this thing to server
12578.939 -> one, it goes to server one. Next one goes to server
two, next to server two; a third session, the load
12579.939 -> balancer sends to server three. And those connections
stay until the connection is terminated between
12580.939 -> the users. They're stateful. What happens, they
call it a sticky session, that maps the source
12581.939 -> and destination of the connections. And it's
on by default on a network load balancer. Now,
12582.939 -> with AWS, you can put a static IP address
on a load balancer. Well, we've been putting
12583.939 -> static IP addresses on load balancers for
20-plus years. And you can also route to containers,
12584.939 -> and when you're going to be running containers,
you're typically going to be using an application
12585.939 -> load balancer. Well, let's see what it looks
like in action. Got a network load balancer
12586.939 -> load balancing at high speed between two
availability zones. Boom, boom, there we
12587.939 -> go. Let's talk a little bit about application
load balancers. Application load balancers
12588.939 -> work at layer seven of the OSI model. And
they look at the paths provided in the URL,
12589.939 -> elements inside of an HTTP or HTTPS header,
the HTTP method like POST or GET,
12590.939 -> and they can route based upon source IP addresses.
And these application load balancers are truly
12591.939 -> ideal for balancing HTTP and HTTPS traffic,
ideal for balancing requests between microservices
12592.939 -> and container applications. They can
load-balance multiple requests on the same
12593.939 -> server by registering the same server on multiple
ports. And they're pretty good for load balancing
12594.939 -> for those types of things. Now, how
does this thing work? Well, in a similar manner,
we've got our load balancer, it's listening,
and all load balancers route to something
12596.939 -> called the target group. But here we're dealing
with much much, much greater intelligence.
12597.939 -> Now, AWS has a classic load balancer. Guess
what? It's the same thing. And it works on
12598.939 -> both EC2 instances, EC2-Classic and VPCs,
autoscalers, just like the rest of them.
12599.939 -> Provides the same CloudTrail auditing. They
don't want you to use it; they want you to
12600.939 -> use the ones called elastic load balancers.
Now let's talk about internal load balancers
versus external load balancers. Internal load
balancers are for your internal applications,
12602.939 -> like you're not going to put your HR database
on the public Internet. An organization may
12603.939 -> have its private website called www i n, which
is pretty common for an organization, especially
12604.939 -> tech companies, they have an internal website
called www i n, which is only accessible for
12605.939 -> people inside of the network.
12606.939 -> So there will be an internal load balancer
and an external load balancer, also called an
12607.939 -> Internet-facing load balancer, which is one that
presents your systems to the internet.
12608.939 -> And the way load balancers work is they typically
have a listener. A listener is a process that's
12609.939 -> going to wait for connection requests. Application
load balancers are gonna look for HTTP/HTTPS
12610.939 -> requests. Network load balancers by
nature are going to look at a TCP or UDP request.
12611.939 -> So let's talk a little
bit about load balancer concepts we've got
12612.939 -> targets. A target is where the application distributes
its traffic. Targets can be a single instance
12613.939 -> or an IP address. When the target is an IP address,
it needs to be from the private address space,
12614.939 -> meaning RFC 1918 address space or the shared
address space. So when we're using elastic
12615.939 -> load balancers, we can only route to private
addresses. So you're gonna have private addresses
12616.939 -> on your web servers anyway, because the load
balancer is going to be your public-facing
12617.939 -> piece. So what does that mean, RFC 1918 addresses?
Well, that includes 10.0.0.0/8,
12618.939 -> 172.16.0.0/12, 192.168.0.0/16, and the
100.0.0.0/10,
12619.939 -> RFC 6598. That's what we're talking
12620.939 -> but we could also create a target group, what's
the target group? A group of systems. Now as
12621.939 -> I previously mentioned, when we're dealing
with load balancers, we can group our things
12622.939 -> too. We have the concept of sticky sessions.
When we're dealing with sticky sessions. On
12623.939 -> the network load balancer, it's by default.
But on the application load balancer, you
12624.939 -> might want to enable it. And if you want user
one to stay on the same web server, we can
12625.939 -> do that through a sticky session. The way
they work on a network load balancer is
12626.939 -> as part of the flow. With an application load
balancer, they don't really have these kinds
12627.939 -> of flows. So what'll happen is the application
load balancer will give a cookie, and it will
12628.939 -> use the cookie to track the session.
And that's the way these work. Now
12629.939 -> all load balancers use a health check. Are
you there? Are you there? Don't get a response,
12630.939 -> removed from the rotation.
12631.939 -> Now we've reached an interesting break in
the content. And this is where we're going
12632.939 -> to do some voting
12633.939 -> Now the next section is security, and
it's a pretty big section. Today we're going
12634.939 -> to talk about security on the AWS platform.
Now when we talk about security, realize this
12635.939 -> is just a subset of security. This is an AWS
Certified Solution Architect Associate course.
12636.939 -> So we're going to cover the AWS security services
in the associate and professional exams. Now
12637.939 -> remember, in real life, security is much bigger
than this. We're going to be using things
from the marketplace, next-generation firewalls,
but they're not part of your AWS exam. And
12639.939 -> we need to focus on the exam. That's why this
is the solution architect certification versus
12640.939 -> cloud architect training. But it's on your
exam, and your exam is going to help you get the
12641.939 -> interview. And then it's your knowledge after
the interview on cloud computing that gets
12642.939 -> you hired. But we still want you to
get that interview. So in this section, what
12643.939 -> are we going to talk about, we're going to
talk about who's responsible for what parts
12644.939 -> of your VPC, we're going to talk about principle
of least privilege, which I like to call need
12645.939 -> to know. We'll talk about industry compliance,
identity and access management, multi account
12646.939 -> strategies, network access lists, security
groups, the AWS version of a firewall called
12647.939 -> WAF, we'll talk about AWS's intrusion
detection systems. We'll talk about DDoS mitigation,
12648.939 -> we'll talk about the service catalog, and
we will talk about the systems manager parameter
12649.939 -> store. So we're going to begin with security:
who is responsible? And the reason we're going
12650.939 -> to deal with this is normally in your own
data center, you're responsible, right? You're
12651.939 -> responsible for all your firewalls, your routers,
your switches, your QoS policies, your identity
12652.939 -> and access management, everything, because
you own the data center, you manage the data center.
12653.939 -> And if you manage the data center, if you want
to hire Navy SEAL snipers to be on the roof,
12654.939 -> you could do that. You can hire whatever level
of security you want in your data center.
12655.939 -> Now on the cloud, you don't have access to
that, because the cloud provider manages their
12656.939 -> infrastructure, and you manage your virtual
infrastructure. So when we deal with this,
12657.939 -> we're dealing with a shared security model.
And you can think of it this way, AWS maintains
12658.939 -> the security of their cloud. And the customer
maintains the security of their virtual cloud
12659.939 -> or their virtual data center. So when we talk
about security, we can only control our stuff.
12660.939 -> If the cloud gets hacked into, we have no
control over that. So we have to trust that
12661.939 -> our cloud providers are doing a great job
with the security of their own systems. And for
12662.939 -> the most part they are. Now, they're not
invulnerable to hacking; they get hacked too. We've
12663.939 -> seen in the past few years, Azure was recently
hacked. And we know that anybody can get hacked
12664.939 -> and everybody will get hacked, no
matter what. But you manage the security of
12665.939 -> your virtual private cloud. AWS manages the
security of the underlying hardware infrastructure.
12666.939 -> So let's talk about what that means. It means
the customer's responsible for their identity
12667.939 -> and access management, users and roles, and
we'll talk a lot about that; patching of the
12668.939 -> operating systems of our virtual machines,
maintenance and security of our own applications,
12669.939 -> configurations of our security groups, physical
security for the devices that we're dealing
12670.939 -> with, our own firewalls, for example, that
we're going to use inside of our systems,
12671.939 -> pretty important to us. Whatever intrusion
detection prevention system we use, and they've
12672.939 -> gotten rid of our own security services. So
that's kind of what we maintain. And of course,
12673.939 -> you know, AWS manages the security of their
infrastructure. So I drew it out for you to
12674.939 -> kind of make it a little easier for you. You
can see on the bottom, AWS manages the servers
12675.939 -> and their BIOSes, their
hypervisors. They manage their storage area
12676.939 -> networks, whether they be block storage, object
storage, file storage, they secure their databases.
12677.939 -> They secure their networking, they secure
their regions, their Edge locations, the data
12678.939 -> centers, otherwise known as availability zones.
What are we secure? Let's make it a little
12679.939 -> simpler. Our data, our applications, the operating
systems and our virtual servers, any kind
12680.939 -> of encryption of our data we're using any
kind of networking traffic that we're using,
12681.939 -> for example, you could run IPsec over our
direct connections or over a VPN. So there's
12682.939 -> that. That's kind of what we're talking about.
Now, the first concept whenever you get into
12683.939 -> security is the principle of least privilege.
I hate this term; I like to call it need to
12684.939 -> know. Military makes it simple: need to know.
And here's what it means. If you don't need
12685.939 -> to know anything about that for
your job, you're not told about it. If you
12686.939 -> need to know it, you're told and here's why.
The more information you have, the more you
12687.939 -> can harm the company, either maliciously,
by going to a competitor and selling your
12688.939 -> secrets, or by accidentally disclosing information
you don't even know about, or by using a system
12689.939 -> in the wrong way and damaging things. So
the principle of least privilege is very critical.
12690.939 -> It basically says, give your users the least
amount of access necessary for them to
12691.939 -> perform their function, and no
more, only what's necessary to do
12692.939 -> their jobs and nothing else. When somebody
leaves your company, when they're walked out
12693.939 -> by security, lock their systems down, so they
can't damage you. So principle of least privilege
means as follows: provide only the necessary
features, functionalities and access that
12695.939 -> somebody needs to do their job, and nothing
else. And when they leave that company, you
12696.939 -> revoke it immediately. And that's why organizations
just to let you know, actually have security
12697.939 -> walk people out. And sometimes it's the saddest
thing in the world. And I've seen it over
12698.939 -> the past few decades happen a lot. Sometimes
the only way somebody finds out they were
12699.939 -> laid off is their email doesn't work. They
can't log into the systems, they call Help
12700.939 -> Desk and all of a sudden they find out they've
been laid off. Now this is a horrible, horrible
12701.939 -> situation. But that's what's going on. And
I've seen it happen so many times. Not good
12702.939 -> companies; well-run companies don't do this.
But you know, it happens and it happens more
than you'd like to know. So let's
look at this in another context. Here I am,
I'm an administrator, I need to access something
12704.939 -> I need. And I basically got authenticated by
12705.939 -> the system. The system says yes, Mike, you're
allowed to do this. And yes, you're authorized
12706.939 -> to do this. And I'm allowed. Now by comparison,
we've got another user, that's not me. And
12707.939 -> this user is not allowed to do their thing.
And because this user is not allowed to do
12708.939 -> their thing, they're denied: access denied.
And you know, this is really what we're talking
12709.939 -> about with the principle of least privilege.
So before we get into real security concepts,
12710.939 -> and we're gonna get into a lot of them, let's
talk about industry compliance. Many industries
12711.939 -> have all kinds of security regulations and
requirements, data retention, etc. And AWS,
12712.939 -> like all cloud providers, supports the main
industry compliance standards, and you can see
12713.939 -> a full list on the AWS website, but the main
ones I'll cover, you know: PCI DSS for payment
12714.939 -> cards, ISO 9001, 27001, 27017, 27018, pretty
standard requirements. AWS supports them.
12715.939 -> FedRAMP if you're gonna do anything with the
US government, and HIPAA, which is basically,
12716.939 -> you know, US health care privacy rules and
regulations. Now, let's get involved with
12717.939 -> identity and access management. And this is a
key part, the last line of defense in your security
12718.939 -> architecture, or the first one. Now,
I hate the term identity access management
12719.939 -> because it sounds so fancy and complicated.
I'm going to simplify it. Many years ago,
12720.939 -> before we used word inflation we used to call
a spade a spade. We called Coffee Coffee before
12721.939 -> it became a latte and all these other funny
things. And we used to use the term triple
12722.939 -> A authentication, authorization and accounting.
And I'm going to cover those concepts because
12723.939 -> I want you to truly understand this I am or
identity and access management. Authentication.
12724.939 -> Who are you? Who do you claim to be? Authenticating
right now: I am Michael Gibbs, CEO of Go Cloud
12725.939 -> Careers. Now, they could authenticate me via
a retina check. They could use my, what do they
12726.939 -> call it, my fingerprints. They could authenticate
me via DNA. They could authenticate me
12727.939 -> via a password and a username. They can authenticate
me via something you have and something you
12728.939 -> know, like your ATM card and your PIN number.
So authentication is who are you? So the first
12729.939 -> component of identity and access management
is who are you? Now the next component is
12730.939 -> authorization. So let's talk about what authorization
is. Authorization is what are you allowed
12731.939 -> to do?
12732.939 -> So we can have all users accessing all things.
I'll give you an example. Chow, then. She's
12733.939 -> an incredible Cloud Architect of mine. She
works in our team. She's absolutely amazing.
12734.939 -> If Chow says to me, Mike, I'm going to
come visit you in Florida, I'd say thank you,
12735.939 -> Chow, can't wait to see you. I mean, she'd knock
on the door. I'd look at her and I know
12736.939 -> she's Chow because I've seen her before.
Then I would give her the keys to the house.
12737.939 -> I'll give her the keys to the Mercedes and
tell her to go in the house, take the guest
12738.939 -> bedroom, my wife would prepare all the things
for her, and Chow would have access to every
12739.939 -> room in my house. Yeah, that would be authorization.
Now by comparison, if it wasn't super Chow,
12740.939 -> the amazing cloud architect, that walked into
my house, and it was a stranger, I might look
12741.939 -> at the people at the door and say, Get out
of here. Or I might question them, and they
12742.939 -> say I need to use your phone, my car's broken
down; maybe I bring my phone outside to them,
12743.939 -> let them use the phone. Or maybe I'll allow
them to come in, and I stand by and I stand
12744.939 -> guard. See, authorization. And the key is we're
gonna give different privilege levels to different
12745.939 -> people based upon their need to know and
how trustworthy they are. So authentication
12746.939 -> identified it's Chow; authorization tells Chow,
you can do anything, because I totally trust
12747.939 -> Chow. Now the next thing is accounting.
That's the last part of this triple A
12748.939 -> concept. I'll give you the example of accounting.
Chow comes in, visits, she stays with us,
12749.939 -> she plays with my cat, Cindy, my wife gives
her all the things that she needs. And then
12750.939 -> after Chow leaves, my wife texts and says,
Tell us: three shampoos, four bars of soap,
12751.939 -> 22 cans of tuna, which are all really what
she used, since Chow kept opening cans
12752.939 -> of tuna for Sonny. So I need to go to the
store. And I need to buy 22 cans of tuna,
12753.939 -> this many bottles of shampoo. And this much
soap. That's called accounting. Now, so
12754.939 -> Identity and Access Management really is
about who you are, what you're allowed to
12755.939 -> do, and then keeping track of it, or building
an audit trail, so you can find out after
12756.939 -> the fact. Now, when you're dealing with AWS,
they're gonna define the concept of users
12757.939 -> and roles. And we're gonna get much, much,
much more into that depth later. But here's
12758.939 -> the thing you need to remember: a user is a
person, like super Chow, the amazing cloud
12759.939 -> architect, that's a user. A role, generally
speaking, is a computer, meaning one system
12760.939 -> accessing another system. You may have been
involved in Linux, and you're familiar with
12761.939 -> the term service account, which is typically
used, like in your three tier web application,
12762.939 -> where you've got your web servers, your app
servers connecting to your database, and the
12763.939 -> service account connects your application
servers to your database. So if you've got
12764.939 -> an EC2 instance accessing DynamoDB, that
would be a role. But if we've got me accessing
12765.939 -> a system, I am a user. So while we're at it,
let's look at this concept. Again, authentication:
12766.939 -> user signs in and we know who they are. Maybe
we use a username and password, a one time
12767.939 -> password, something you have and something
you know, but whatever the case, that's what
12768.939 -> we're using. Now, next.
12769.939 -> After we've identified that user, we have
to authorize that user for what they're allowed
12770.939 -> to do.
12771.939 -> And then after that, we have to track that
user. So that's the basis of authentication,
12772.939 -> authorization, accounting. Otherwise known
as identity and access management. I don't
12773.939 -> make up those terms, somebody else does. Let's
talk a little bit more about IAM users.
12774.939 -> Users are identities, people that have the
permission to access or interact with your
12775.939 -> resources on AWS. What are your resources?
Your virtual machines, or containers, or storage.
12776.939 -> Now they're created by a principal, and we'll get
into the term principal and what that means
12777.939 -> later. But in other words, a systems administrator
needs to grant you access to things, otherwise
12778.939 -> you won't be able to reach it. And we can
create our user accounts, you know, with the
12779.939 -> management console, the command line interface,
or the software development kit, that means
12780.939 -> pushing it over the API. And IAM users are permanent
unless deleted by the administrator. So think
12781.939 -> about this: somebody works for you, they get
a job going somewhere else, and you have to
12782.939 -> remove their access, you must delete their
account. So let's look a little more into
12783.939 -> this. We've got a user. You can see the user
logs in, they identify themselves. And you
12784.939 -> can see they have access into a proprietary
NoSQL database or the object storage or anything
12785.939 -> that's sitting on a virtual machine.
12786.939 -> So let's talk a little bit about authentication
options. Let's talk about the simpler ones
12787.939 -> and get better. The simplest: username
and password. Hi, my name is Mike and my password
12788.939 -> is cat. No, you'll never find the user
password cat, but you get the concept.
12789.939 -> Username and password. Log into the console,
enter my username Mike, enter my password
12790.939 -> cat. And of course, I'd be hacked in
about three seconds with a password like that.
12791.939 -> So I would never use something like that.
But that's your username and password. What
12792.939 -> if I want something a little better? We can
use something called an access key. And an
12793.939 -> access key is a combination of a 20 character
key ID and a 40 character secret. That's
12794.939 -> some security. And this access key you would
use to connect to AWS via an API, one system
12795.939 -> connecting to another one, done over the software
development kit, so to speak, when you're
12796.939 -> pushing some decent security between systems.
Now, if we want to get even better, we can
12797.939 -> use an access key and a session token. And
what we're dealing with here is when IAM
12798.939 -> authentication needs to occur under an assumed
role, a secure token. We're going to use
12799.939 -> the token alongside the access key,
and that's going to maximize our security.
12800.939 -> Now, I know I briefly covered what is authorization,
but I want to do it again. Authorization occurs
12801.939 -> by determining what specific things you're
allowed access to. And these are going to
12802.939 -> be policies that are going to be written;
you can give it to a user or a group or a
12803.939 -> role. So let's talk about it. Hi, I'm a user,
you can add specific policies for me under
12804.939 -> authorization. Now, let's say you've got a
company with 200,000 employees. You want to
12805.939 -> add policies per user, one on one, manually,
200,000 times? I don't think so. So what you
12806.939 -> can do, and we'll talk about more of
this later, is you can create groups of users:
12807.939 -> network admins, sysadmins, cloud architects,
finance people, HR people, and then you could
12808.939 -> apply a policy to the group. And then
when you hire someone, you hire 5000 new
12809.939 -> solution architects, put them all in the solution
architect group, and they inherit the permissions
12810.939 -> of the group. Much, much more scalable. That's
how everybody does things. Now when we write
12811.939 -> policies with regards to AWS, they're written
in JSON, which is otherwise known as JavaScript
12812.939 -> Object Notation. And the default policy for anything
with IAM is deny access to everything until
12813.939 -> you configure it. Now, there's two ways that
you can set up your systems: allow everything
12814.939 -> until you lock it down, hacked in three seconds,
or allow what you need. So that's why they
12815.939 -> start locked out. Now, when it comes to a
policy, there's a few things that we have
12816.939 -> to determine. The effect first: do I allow
Cindy access to the room? If the answer is
12817.939 -> yes, I allow. If the answer is no, because
the room is full of birds, and my cat Cindy
12818.939 -> likes to eat birds, the policy is deny.
Now we also, under the authorization, authentication,
12819.939 -> authorization, sorry, authorization policy,
need to define the service. What is the cat
12820.939 -> allowed access to? Is the cat allowed
access to S3? Is the cat allowed access
12821.939 -> to the room? Is the cat not allowed into
a room because it's full of birds? So the
12822.939 -> effect: allow or deny. The service is what we're
protecting or not protecting. And then we
12823.939 -> put the resource. Now with AWS, we have the
opportunity to use a full Amazon Resource
12824.939 -> Name. And by doing this, we can point to the
exact resource that we're allowing access to
12825.939 -> or denying access to. Now the last things that
we're going to talk about under this policy
12826.939 -> include the action: what are the permissions
of the user, read, read write. And we can add
12827.939 -> some conditional elements, which are optional,
that are very granular; maybe it will allow access
12828.939 -> to a certain subnet, at a different time during
the day. So go through, so now you get what
12829.939 -> they're actually doing. So let's go back to
looking at authorization again, from a graphical
12830.939 -> perspective. Here, we see we've got a user.
This user has allowed access to object storage,
12831.939 -> otherwise known as S3, and DynamoDB. But when
they try to get to that management console,
12832.939 -> they're not an authorized user. So they are
denied, denied, denied.
12833.939 -> Now, when you're dealing with AWS IAM concepts,
I'll talk about some more critical things. It'll
12834.939 -> be on your exam, and you need to know what
they are. We'll first talk about a
12835.939 -> principal. All that a principal is, is an
IAM entity, or something meaning a user or
12836.939 -> role that has permissions to access something
on the AWS cloud. Let's talk about the root
12837.939 -> user, the King, the Queen, whatever you want
to call it. When you first create the account,
12838.939 -> you're creating the root user, the person
that's the owner of the account. And when
12839.939 -> you own the account, and you're paying for
the account, you have unrestricted access
12840.939 -> to anything. So of course, you're going to
be the root user. Now, don't log in as root,
12841.939 -> because you could accidentally delete your
entire organization by mistake. And if any
12842.939 -> of you have ever been Unix users or Linux
users, you've been told don't log in as root,
12843.939 -> don't work as root. It's the same
thing, same thing. Because you can't restrict
12844.939 -> access to the root user. And one little silly
thing, and it's good to know: when you have
12845.939 -> a root user, don't use the password cat. Because
somebody could use the password cat, which
12846.939 -> they can crack with a GPU in less than five
minutes. Poof, they've used the password cat.
12847.939 -> And now they're inside of your systems, right.
And now they can spend a billion dollars on
12848.939 -> systems if they wanted to, and it's gonna
be billed to you. So use a strong password.
12849.939 -> Now, realistically speaking, you should also
secure that strong password somewhere, maybe
12850.939 -> on a key in a safe, locked down inside
of a safe and another safe and another safe,
12851.939 -> depends on, you know, your systems and how critical
they are. And maybe enable multi factor authentication
12852.939 -> on your root account. So it's not just a username
and password. And don't use it for programmatic
12853.939 -> access, meaning don't use this key on a computer
that's connecting to another computer, because
12854.939 -> when that computer gets hacked, your whole
account is hacked. You think these things
12855.939 -> sound very simple. But reality is, I've seen
it all done before. So let's talk about this
12856.939 -> root user. You'll note that I had the graphics
person put a crown on them. Because if they're
12857.939 -> the crown queen, or the crown king, root has
unlimited privileges inside of your virtual
12858.939 -> private cloud, otherwise known as your virtual
private data center.
12859.939 -> So let's talk a little bit more about identity
and access management. Identity and Access
12860.939 -> Management is used to determine who can access
the system. It uses standard concepts like users
12861.939 -> and groups and access control policies. These
are the same things that you'd be dealing
12862.939 -> with with a RADIUS server, for example, or
a Microsoft Active Directory server.
12863.939 -> And the plan is we create a group, create a
group for the security personnel, and they
12864.939 -> all get security personnel permissions, the
accounting team, the finance team, the
12865.939 -> IT administrators. Remember, as I mentioned
before, could you imagine writing 200,000
12866.939 -> security policies? No. But what if you're
AWS, with 20,000 new solution architects, I don't
12867.939 -> know how many. You put them all under a
single policy. It's better than making
12868.939 -> 20,000 single policies. So here's how the
groups work. I create a group, cats. I provide
12869.939 -> permission so the cats can open and close
the back door, but they can't enter the bird
12870.939 -> room. And then all the cats, named to the room,
Cindy, Sonny, Caddy, Melanie, any kind of cat
12871.939 -> I want, is allowed into the group. Now that
cat has the same permission; they all have
12872.939 -> the same permissions. So my cats, Cindy and
Sonny, are under the same permissions. And
12873.939 -> if Sonny can't enter a room, Cindy can't enter that
room either, which would make Sonny the cat
12874.939 -> probably not so happy. And Cindy the cat not
so happy either. As I mentioned before, roles
12875.939 -> are generally systems. And we're going to
talk about several kinds of roles. We're going
12876.939 -> to get a little bit in the weeds here, it
gets a little complicated here. So please
12877.939 -> bear with me. There are a few kinds of roles.
There's what's called a service role for EC2
12878.939 -> here. We've got the service role,
this system into this. Simple, easy.
12879.939 -> There's a cross account role, which is when
you go from one VPC to another AWS account, etc,
12880.939 -> as a role. And there's identity federation.
Let's be fair, no serious business is going
12881.939 -> to be using the AWS IAM system; they're going
to be using Microsoft Active Directory. All
12882.939 -> their users are going to be in Active Directory.
And they're going to connect to Active Directory
12883.939 -> and pull that Active Directory information
into AWS, called federated identity. And we'll
12884.939 -> talk much more about that. But understand
this: roles enhance security by making sure
12885.939 -> that credentials are never stored anywhere.
You don't want to put a password in a computer
12886.939 -> to attach to another computer, because if one
computer gets compromised, guess what, your
12887.939 -> entire systems or paths are compromised.
And the way roles enhance security is what
12888.939 -> will happen is the AWS service, the API, will
provide a temporary token for the system that
12889.939 -> has to access the other system. And here's
what's so great about the token: they expire. I
12890.939 -> give you a token and it's only good for an
hour. You can use it for an hour. Now the
12891.939 -> token will change within an hour. Now if a
hacker got access to your token, the worst
12892.939 -> case scenario is they can use it for an hour.
Now, 45 minutes of the hour pass,
12893.939 -> the hacker gets control of your
token, and they can only use the system for
12894.939 -> 15 minutes. And guess what, at the end of
the 15 minutes, they can't access anything
12895.939 -> because the token has expired. That's
why we love them so much.
12896.939 -> So, IAM roles are used for one system to
access another system. IAM roles can be assumed
12897.939 -> by application services. IAM roles use short
term credentials, meaning they change periodically, which
12898.939 -> substantially enhances their security.
IAM roles will basically leverage the Security
12899.939 -> Token Service, which we'll talk more about.
And tokens are temporary. Default expiration
12900.939 -> time is 16 minutes. But in a really high security
environment that can be reduced down to 15
12901.939 -> minutes, or they can be extended to 36 hours
to promote additional scalability. Now, talking
12902.939 -> a little bit more about IAM roles, they are
typically used to grant permissions for applications
12903.939 -> running on EC2 instances. IAM roles are
really used by people when connecting to external
12904.939 -> identity providers like Active Directory,
or using your Amazon account or your LinkedIn
12905.939 -> account. IAM roles are used to grant permissions
to IAM users in the same account to a different
12906.939 -> role. And grant permissions to different accounts.
It's called a cross account role. Log into my
12907.939 -> VPC. My VPC is peered with Chris's VPC. That's
called a cross account role.
12908.939 -> What I'm going to do is briefly mention
the Security Token Service. And then we're
12909.939 -> going to take some questions, and then we're
gonna get deep into the roles. So most of
12910.939 -> these roles require something called the AWS
Security Token Service. What that is, is something
12911.939 -> that's designed to provide trusted, trusted
users access with a temporary token. But the
12912.939 -> tokens expire. Here, I request access, I get
given my token, I'm allowed access to the
12913.939 -> system. When that token expires, guess what?
It's no longer recognized by AWS. And we are
12914.939 -> done. The hacker, if the hacker got it, gets
access to expired information.
12915.939 -> Let's go back to the content. Now let's talk
about a cross account role. Actually, before
12916.939 -> we do, everybody give me a hashtag, AWS Certified
Solution Architect Associate. So I know you're
12917.939 -> awake, alert and oriented.
12918.939 -> Now, a cross account role enables you to access
another account, meaning you're in my account,
12919.939 -> and I'm connected to somebody else's account.
A cross account role enables me to do
12920.939 -> this. So Chris over there has his own AWS
VPC? No, he doesn't, because we're running
12921.939 -> an OpenStack cloud. It was much cheaper for us
based on our business, but for other things,
12922.939 -> it wouldn't be. But if Chris has his VPC and
I have my VPC and I want to access something
12923.939 -> on his VPC, I would get a cross account role.
And that's often set up to allow a user in
12924.939 -> one AWS account access to an account that
they don't own. So when you're connecting
12925.939 -> across accounts, meaning you're
allowing somebody else into your account,
12926.939 -> and they're not part of your company,
now you've got to get scary, scary, scary good
12927.939 -> when it actually comes to the security. So
you know, super Chow or Chris, they're part
12928.939 -> of my company, they have pretty much full
admin rights to anything they need. But
12929.939 -> if it was somebody else that I was dealing
with, perhaps I had an adjunct instructor
12930.939 -> from some other company, and I only wanted
them to access Tuesday's class material. With
12931.939 -> a cross account role, I would only give them
access to Tuesday's class material, not everything,
12932.939 -> because with the cross account role, remember,
you're bringing in other people that are not
12933.939 -> part of your company into your business.
So that need to know, that principle of least
12934.939 -> privilege, becomes critical, critical, critical.
So give access to only what's needed. And
12935.939 -> nothing, nothing, nothing else. So while it's
always essential to use the principle of least
12936.939 -> privilege, with a cross account role, it is
critical, critical, critical. Cross account
12937.939 -> roles. When we're dealing with cross account
roles, an External ID is needed. Now this
12938.939 -> External ID is going to be uniquely associated
with the role. The External ID can be a secret
12939.939 -> identifier that is only known by a third party,
for example. But when you use this cross account
12940.939 -> role, you must specify this ID when you define
a trust policy. The third party obviously
12941.939 -> will provide this ID when somebody assumes
the role. Permissions needed by the third
12942.939 -> party are obviously necessary to work with
your AWS account. So let's graphically look
12943.939 -> at a cross account role real quick. Here you can
see Company A, Company B and Company C. They're
12944.939 -> all allowed into my virtual private cloud,
which I like to call my virtual private data
12945.939 -> center. And by using this, each one gets access
to privilege. So I kind of like to do it that
12946.939 -> way.
12947.939 -> How cross account roles will work: a role
is going to be created for your external user,
12948.939 -> the external user is going to connect to the
AWS Security Token Service and get a temporary
12949.939 -> token. And when the external user wants to
access it, we'll provide that temporary token.
12950.939 -> That's one of the more complicated roles we'll
get into. Let's get into a much simpler role,
12951.939 -> a service role, which everybody else calls
a service account, but it'd be what's called
12952.939 -> a service role. And this is a role taken by
a virtual machine called an EC2 instance
12953.939 -> that connects us with another service.
Effectively, it's enabling your applications
12954.939 -> to make secure API calls. So think of it this
way: you've got an EC2 instance that wants
12955.939 -> to post messages into an SQS queue, you've
got a system that wants to access something
12956.939 -> in an S3 bucket, you've got your EC2 instance
that wants to access one of your relational
12957.939 -> databases. Now we're dealing with this service
role. So let's graphically look at this real
12958.939 -> quick. Here we go. EC2 instance needs
access to the proprietary Amazon NoSQL database,
12959.939 -> DynamoDB.
12960.939 -> And we create an EC2 service role. Pretty
simple. Let's talk about how you create a
12961.939 -> policy, an IAM policy.
12962.939 -> The IAM policy is going to determine who and
what can access what systems or resources.
12963.939 -> In this policy, you can assign permissions
to specific resources or all resources. And
12964.939 -> when you provide access to specific resources,
using the Amazon Resource Name, we get real
12965.939 -> granular and specific access,
which is fantastic. Now, many of you guys
12966.939 -> are fully familiar with regular expressions
or Boolean things. And if we want access to
12967.939 -> everything, we can just use that asterisk, that
wildcard, just like you would in a regular
12968.939 -> expression with BGP, or many other things,
you know, with Linux. Now, there's going to
12969.939 -> be two kinds of policies. There are two main
types of policies: an AWS managed policy and
12970.939 -> a customer managed policy. Let's talk about
the two of them. A customer managed policy
12971.939 -> means you make it yourself. And an AWS managed
policy means you take it from them. So let's
12972.939 -> talk about how we're going to create a policy.
Under either case, we're going to sign into
12973.939 -> the AWS IAM console. In the navigation pane,
we're gonna choose Policies, and we can create
12974.939 -> our own. Or we can use one that's made by
AWS. And let's think about why: most of us
12975.939 -> are not JSON programmers. And if we're not
JSON programmers, AWS has a million kinds
12976.939 -> of policies, I'm exaggerating the number, but
a lot. And they work for 90% of use cases.
12977.939 -> So we can basically create our own policies,
or we can use the ones from AWS. Now our
12978.939 -> policies are not visible outside of our organization.
Keep that in the back of your mind. Now, if
12979.939 -> we create a customer managed policy, let's
talk about how we do it. Once we can take
12980.939 -> one of the AWS managed policies, for example,
and tune it. Two ways: we can use something
12981.939 -> called the policy generator, which I'll show
you what that looks like in a minute. And
12982.939 -> that basically is going to ask you some questions.
And in the questions, you'll fill it in like
12983.939 -> an interview. And it's going to generate a
policy for you, which would be kind of like,
12984.939 -> or you can create one from scratch. But don't
create a JSON policy from scratch unless you
12985.939 -> understand JSON grammar and syntax. So this
is perfect for some of us: no JSON programming.
12986.939 -> So let's look at, you know, what is this policy
generator. You go to the AWS web page, and
12987.939 -> you put in your information for a policy,
it's going to ask you some questions, and
12988.939 -> you'll fill in the questions and you're gonna
get something that's going to help you. Now
12989.939 -> what do these policies actually look like?
Well, here's an example. Remember, I talked
12990.939 -> about the effect. The effect here allows. In
this case we're going to allow an EC2 instance
12991.939 -> to attach a volume and detach the volume,
and we specified a resource by the Amazon
12992.939 -> Resource Name. You can see that that's
over there. We've highlighted this and we
12993.939 -> specified some optional conditions over here.
12994.939 -> So now that we've created a policy, we have
to apply them somehow. Now we could have created
12995.939 -> a policy for the user, like I talked about:
Mike's allowed to do this, Chris is allowed
12996.939 -> to do this, Chow is allowed to do this, Alonso
is allowed to do this, Cindy's allowed to do
12997.939 -> this, Leo's allowed to do this, and so on, he
can do this, and someone
12998.939 -> can do this. We could do that. Or we could
create a group and put those users in similar
12999.939 -> jobs in the same group. So let's talk about
how we apply them. In most cases, we go, we
13000.939 -> create an account, right? That's us. And then
we communicate. We group people into
13001.939 -> groups: our network admins, our cloud admins
are put in one group, they have a certain
13002.939 -> set of privileges, our software developers
are put into another group, our test engineers
13003.939 -> are put into another group. And each one gets
access to different policies.
13004.939 -> Now, how do we further secure identity and
access management? Well, we use multi factor
13005.939 -> authentication, which can greatly increase
your IAM effectiveness. And this way, if you
13006.939 -> use the username Mike and the password cat,
which would be insanity, and it at least reaches
13007.939 -> out to you and asks for a one time password,
you're better off, because the password cat
13008.939 -> will be instantly copied by anybody in a second
and a half. But what won't be compromised
13009.939 -> is that one time password. So the key is to
use a really strong password, and then
13010.939 -> use multi factor authentication. And multi
factor authentication is not new, we've been
13011.939 -> using it forever. We used to have this thing
called the MAC card, money access card, it got
13012.939 -> renamed into an ATM card, I think that's what
they call it now. When you put your card
13013.939 -> in, you enter your password, I still call
it a MAC card because I've been around too
13014.939 -> long. You enter your PIN number and all of
a sudden money comes out of the machine that
13015.939 -> comes out of your bank account. Something
you have, something you know. You may have
13016.939 -> seen some RSA SecurID cards that people
have had for the last couple of years. Again,
13017.939 -> something you have and something you know,
kind of keep that in the back of your mind.
13018.939 -> So kind of keep these things in your mind.
You know, that's the concept: something you
13019.939 -> have, something you know. It's not new. Keith
sold MAC cards. Yes, Keith, I could see doing
13020.939 -> that. I knew you would remember MAC cards
with me. Love that. Money access cards, I still
13021.939 -> think it was much simpler. But it was the
blue MAC card. And before they turned into
13022.939 -> these easy things and credit card things with
debit things, cards were so much easier.
13023.939 -> So, you know. So how does it work? The user or
organization sets up an authenticator app,
13024.939 -> which is basically a device with a key. The
authenticator device will create a one time
13025.939 -> password that changes every few seconds, like an
RSA security key. When the user logs in with
13026.939 -> their username and password, AWS will provide
a challenge asking for a one time password.
13027.939 -> And if the user provides the correct one time
password, they're authenticated. Maybe you
13028.939 -> guys have the Google app on your phone or
use the old RSA SecurIDs. Key is something
13029.939 -> you have and something you know. Let's look
at multi factor authentication in action,
13030.939 -> because I always love multifactor authentication,
something you have and something you know.
13031.939 -> Here we go, we've got the user Billy Bob,
who logs into the system. Now the system says,
13032.939 -> Hey, Billy Bob, what's the special one time
password you have? Billy Bob provides that
13033.939 -> password and he's allowed in. Now next, we've got
somebody bad, call him Joey, that's impersonating
13034.939 -> Billy Bob. Now, Billy Bob signs in; Joey
compromised Billy Bob's password. So Joey tries
13035.939 -> to log in. Joey tries to log in and pretends
to be Billy Bob, but he's really Joey.
13036.939 -> Billy Bob gets sent this one time password
request because it's sent to Billy Bob. And
13037.939 -> Billy Bob says I didn't try to log in, doesn't
provide the access. And then Joey the bad hacker
13038.939 -> is not allowed. And that's really why we're
using, you know, multi factor authentication.
13039.939 -> That's why you'll notice in recent years,
your banks, your phone companies or cable
13040.939 -> companies, they have almost mandated it. It's
due to the security issues. Let's talk a little
That's why you'll notice in recent years your banks, your phone companies, your cable companies have almost mandated it. It's due to the security issues.

Let's talk a little bit about identity federation. Identity federation enables management of access and identities in a single place, like Microsoft Active Directory. And the key components of identity federation are the following: an identity, a user like Mike; an identity store, the place where the users are stored, like Microsoft's Active Directory, or Facebook, or LinkedIn, or Apple, or Amazon; and then we typically have something called an identity broker, which is an application that's going to check with the identity store and provide access to the AWS resources. So not that complicated, what we're talking about. Now I'm gonna give you the complicated, ugly steps of how this works. So we're gonna get into the complicated, ugly stuff. Here's what's going on under the hood: the user is going to log into an identity broker using their corporate credentials. The identity provider is going to authenticate the user against an LDAP-based directory store, the identity store. The identity provider will then establish a Security Assertion Markup Language (SAML) token with all the required information, and it's going to submit that assertion to the identity broker. The identity broker will then call the AssumeRoleWithSAML Security Token Service API, and that's going to pass the SAML assertion to the role for the Amazon resource to basically assume. And if the API response is successful, it's going to include AWS temporary security credentials for the associated permissions. And with the temporary credentials, the client application can perform operations on AWS resources.

So why do we use identity federation? Well, why don't we just use AWS IAM? Well, scalability. Are you going to have a person log into the IAM console on AWS and type all this stuff? No, that's just too much work. It's unnecessary work. So you're going to establish a trust relationship with a known identity provider: Google's known identity provider, Amazon's known identity provider, Facebook's known identity provider, Apple's known identity provider, Twitter's known identity provider, LinkedIn. Hey, have you ever, you know, paid using your Amazon Pay account? Because it's pulling your information from Amazon. It's really the same thing we're talking about, no different. And identity federation can enable organizations to connect their AWS VPC to internal identity management applications, most likely Active Directory or some kind of an LDAP directory. AWS IAM functions are connected to the identity provider. When a user attempts authentication, the request is passed to the identity provider, the user will get their IAM authentication and receive their privileges based upon the job role, organization, cost center, and so many other things. And this enables singular and granular control of your users.

Alright, thankfully, we got through that. I know that's a little bit ugly, but it's definitely, definitely, definitely something you need to know. And there's some questions going on with regards to networking in the chat box. They're not exactly correct. If there's some networking questions, we'll answer that the next time we actually get through things.
Let's talk about single sign-on. When we're dealing with single sign-on, it's really an authentication method that enables users to securely authenticate with multiple applications and websites. So normally, it used to be you'd log into your systems, and when you'd log into your systems, you'd have to then log into the next site, the next site, the next site. And then maybe you noticed a couple of years ago things got a little smoother: you logged into your systems once and then you had access to everything. That's single sign-on. And AWS Single Sign-On is a service that allows your users to sign in to one place and then access resources in your account. So instead of logging into every system, you log into one. It's typically used in a federated environment. And it integrates with Active Directory, Azure Active Directory, Salesforce and other identity providers. It basically enables your user to authenticate once, and they don't have to authenticate again and again and again. When they authenticate once, the privileges are determined and the roles are assumed. Going back to this environment, you can see what's going on: we've got an on-premises Microsoft Active Directory server, which is then accessed or connected via Direct Connect or VPN, which provides network layer reachability and communication between that and the AWS Single Sign-On app. By logging in that way, users can access everything. They don't need to log into S3, they don't need to log into DynamoDB, and they don't need to log into the EC2s.
Identity federation: Amazon Cognito is a great service that provides authentication, authorization and user management for web and mobile apps. It provides a means to connect to identity providers. Cognito enables organizations to synchronize identity management and data across multiple devices. Cognito users can basically sign in using a directory-like username and password, or with third-party providers such as Facebook or Google. And the way it works is a user app authenticates against Cognito and gets a token. The token is then used to provide access to AWS resources. Visually, graphically, I'll show you what that looks like. We've got a user that logs in and gets the token. They then trade their token for credentials. And then they use those credentials to access whatever services they've been assigned. That's really what's going on when we're dealing with identity federation with Cognito.
Now, when we deal with Cognito, we're dealing with the concepts of user pools and identity pools. And the user pool is a secure directory within Cognito that enables you to manage users in one place. What happens is, upon successful authentication, Cognito will issue a temporary set of tokens, also called a JWT, which is really a JSON Web Token. A little bit more about Amazon Cognito identity pools: Amazon Cognito identity pools provide temporary AWS credentials. Cognito identity pools work with authenticated and unauthenticated identities, and Cognito can work with guests, which are basically unauthenticated users, and authenticated users who have received the token. A little more about Cognito. The way Cognito user pools work is the user logs into the identity provider. And after they've been authenticated by the identity provider, basically, they get a session key for the user. Then what'll happen is, using the session key, the application will place a call to the Amazon Cognito GetId API, and it's going to get an identifier for the user. And then what will happen is Cognito will validate the session key from the login provider. And if the session key is valid, it will call the GetId API and return that for the user. The user will then send the identity to Cognito; Cognito will validate the session key against the identity provider. And if that key is valid, Cognito will call the AWS Security Token Service to provide a token. Of course, Cognito will return a temporary token to the application so the users can access it.

Now the next thing we're going to talk about is the Directory Service. Directory Service provides a hosted, dedicated service for Windows Active Directory servers, basically Windows AD servers. So you can manage yours like most businesses would, or you can use the AWS pre-managed services; either case is your option. Basically, they're theoretically high availability servers that are in two availability zones by default. And you know, Microsoft AD is necessary for the most part for Microsoft-based workloads. So you can either maintain your own and federate that to AWS and not have to worry about any other stuff, and that way you can use your same AD servers in AWS, Azure or Google and in your data center and never have a problem, or you can use the AWS pre-managed ones. It's your choice, based upon what your business needs are, what your goals are, your availability requirements. And they're basically hosted servers that can be used by any of your systems: your EC2 instances, your relational databases for Microsoft SQL Server, AWS and computing. To get back to the content, we'll talk about some firewall stuff, where we're starting to get into the fun of security.
Now we're going to talk about AWS WAF. And there are times where AWS WAF is perfect. AWS WAF is a fine, traditional firewall, and it protects against common attacks. Typically, your man-in-the-middle attacks, your DDoS protection, catching your SQL injection kind of attacks, cross-site scripting attacks. It's a fine basic firewall. And for a small business that doesn't have a lot of critical requirements, it's completely, completely fine. Your developers can customize a rule to block or monitor web requests. And that's a totally fine, generic, basic web application firewall. The only problem is it doesn't adapt. Now, in reality, you're going to be using two clouds. And if you use proprietary AWS WAF, you're going to be in trouble, because you're going to want the same security policy on AWS and Azure, which means you can't use any of these proprietary services. You're going to need something like a Palo Alto firewall, a Cisco firewall, a Fortinet firewall, a Check Point firewall, which all have much more robust security features and functionalities.

But let's talk about WAF. WAF is a basic firewall where users can create rules and place limitations on which IP addresses can be reached, which protocols and port numbers can be reached. You know, the benefits of WAF are that it's very, very simple. And, you know, basically, it'll look at the IP addresses where they originate, the country where they originate. It can validate requests, it can look at strings that appear in requests, or the length of requests, it can look at some bad SQL code that's in your request, and you can block it. So it's really just a firewall that protects against web application attacks. It looks for common exploits. You can put it on your CloudFront distribution, which is a content delivery network, which we'll talk more about. You can put it on an API Gateway, your REST API, of course your load balancers, and it'll block your connections at edge locations before they get onto your network. And there's nothing to preclude you from using WAF with a full next-generation firewall as well, for additional web application security, and that's totally fine. And, you know, WAF will give you somewhat granular things. It's basically like a stateful ACL. We create web rules, and rules in rule groups. And you're either permitting stuff or not permitting stuff. And it'll provide the ability for traffic metrics.

So let me show you how they put it, and then let's do a walkthrough. The way WAF works is you're going to enable it on your device, you're going to create a policy that provides access or filters to the device. When people come in, it'll look at the policy and say good or bad: if it's good, it allows the traffic through; if not, it doesn't. So let's realistically look at, you know, how this works on AWS, and then let's whiteboard it out so you truly understand the firewall. Here, we put WAF on our CloudFront, which is a content delivery network, we'll get into that. We'll put it on our load balancers or API gateways. We'll set our policies and keep stuff from getting into our systems. Now, how do we combine it? For example, we'll talk about Shield, which is some DDoS protection. And basically, every content delivery network gives you DDoS protection; the AWS branded one is Shield. And we can put this web application firewall in, so this will keep unwanted traffic out of your systems. And then you'll keep unwanted traffic out of your subnets with an access control list, and then we'll use a security group. So realistically speaking, what are we really talking about? We're talking about this. So let's say you've got your load balancer over here. Here's your load balancer.
Behind your load balancer, you've got some web servers. Obviously, in a private subnet, an additional subnet, you'll have your app servers. And if there's more than one app server, what are you going to need? You're gonna need another load balancer. Let's make these things a lot smaller.

Three-tier web environment: typically you've got a load balancer, you've got your web servers, you're gonna have another load balancer, over here you'll have some app servers, and you'll typically have a database back here. What you really want to do is, for your load balancer, because this load balancer over here, if it's a web app, is going to have a public IP address, in front of this you're going to want to have an access control list. Actually, we want to use a security group before we get to the load balancer, so let's pop in a security group over here. And we're going to pop in a network access control list over here. And in front of this network access control list, we'll have a firewall of some kind. Now, usually, it'll be from the Marketplace and it'll be next-generation firewalls, or it could be WAF. This is really how the pieces and parts are going to fit together. The firewall is going to keep unwanted stuff from getting into your systems, which is going to be further blocked at the subnets with access control lists. And then after this, we'll have a security group protecting access to the load balancer. And then our web servers will also have a security group, and most likely we'll have an access control list between them. And then we'll have another security group for this load balancer, and vice versa. So that's typically the way that we tie the pieces together.
Now the next thing we're going to talk about is preventing DDoS attacks. And let me tell you, when it comes to preventing DDoS attacks, we're actually dealing with a lot of things. So there's no one thing that protects against DDoS. You know, just adding a firewall, or next-generation firewalls fronted by more next-generation firewalls and IDS/IPS systems, that's not going to stop it. It takes a lot of work to stop. So let's talk about what a DDoS attack is, a distributed denial of service attack. I want to make sure you guys understand this. So let's say over here we've got a web application, okay. And let's say this web application, which is on the right side of the system, can handle 100,000 web requests per second. 100,000 web requests. So it's a big, big, big server. Normally, we've got 50,000 web requests; the server can handle 100,000. Life is good. Now, where does it break? There's a DDoS attack that can happen by accident. Let's say the company says Christmas sale, 80% off, and they get hit with 300,000 web requests, and their server can only handle 100,000. The company effectively DDoS'd themselves by taking in more requests than the web server can handle. The web server crashes, and that's a DDoS attack. But that's when organizations make mistakes.

Let's talk about the more traditional DDoS attack, which is what's going on here. And these DDoS attacks are getting big, bigger and even bigger. In a DDoS attack, you've got a hacker, specified by this red guy over there, that looks real neat. The hacker has his server or her server and uses that server to hack into 20, 30, 40, 100,000 servers on the Internet. And then those servers are used to create web requests for the web application. So if the server can handle 100,000 web requests, and we now control 100,000 servers, and each one of those 100,000 servers does 50,000 requests per second, now we can see our servers getting hit with a trillion web requests when it can only handle 100,000. The server crashes, potentially buffers are overflowed on that server, maybe people get inside of our systems, or else they just shut us down. So all a DDoS attack is, is using multiple servers to completely overload your systems. And there's a lot of things that can go into preventing these DDoS attacks or improving our posture. For example, imagine this web application that could handle 100,000 web requests. Now if it was an Auto Scaling group, and it could then auto scale out to 15,000 servers, well, that could help the organization mitigate the web DDoS attack. Maybe the DDoS attack can be blocked by the firewall, maybe it can be blocked by the content delivery network. There's lots of things that get involved in mitigating a DDoS attack. It's not just one thing. It's not just one.

So let's talk about preventing DDoS attacks. When it comes to preventing a DDoS attack, we're talking about a full security posture: we're keeping unwanted traffic out of subnets with ACLs, keeping unwanted traffic from servers with security groups. I talked about auto scaling and how we can do that. Firewalls will keep out unwanted traffic, and WAF can help. Now, typically speaking, here's where we can make a big, big, big difference: our content delivery network. See, the content delivery networks will only forward legitimate web requests to a server. And one of the ways you kill a web server with a DDoS attack is you send an overwhelming number of half-open TCP connections, for example, requiring the server to open up connections, and they never close these connections because they're waiting on something. So by using a content delivery network, the content delivery network can recognize the web requests as being bad, which are usually bad requests in a DDoS attack, and they don't let them go to the server anyway. So there's lots of wonderful content delivery networks out there. And they all have some massive DDoS protection, whether it's Akamai, which is kind of the king and queen for most people to consider for content delivery networks, or whether it's Cloudflare, or whether it's AWS CloudFront, or the Microsoft CDN or the Google CDN. There's lots of content delivery networks out there. So when you have a content delivery network, they enable you to put some DDoS protection in, and you put the DDoS protection on the content delivery network. And that DDoS protection will not forward the request to the system; they'll recognize problems and they'll block them.

Now, every content delivery network provider has a DDoS prevention system, and AWS has quite a good one for their content delivery network. They use Shield. Shield is the AWS branded DDoS prevention service. And Shield Standard provides very basic DDoS protection. It's about as basic as AWS WAF, but it comes free if you're using WAF. And then there's Shield Advanced. Shield Advanced is much better. So Shield Advanced you can put on your EC2 instances, your load balancers, your CloudFront, your DNS, Global Accelerator. And it does a lot more. So when you're using Shield Standard, it's free. And it's going to protect you against the most common attacks. AWS says 96% of attacks. So it protects against your main things: your SYN/ACK floods, reflection attacks, your HTTP slow reads. But it works based upon a policy, and it's static, and I hate static when it comes to security. It's not good enough. And here's why it's not good enough. Once you've been hacked, you've been hacked, you've been hacked, you've been hacked, great.
No adaptation, you're still getting hurt. Now you've got better options. With regards to your DDoS protection on AWS, you can use Shield Advanced. And now we're starting to get in the range of good DDoS protection. Now, of course, you're gonna pay for this. It's an additional cost. And you provide this protection to your load balancers, your virtual machines, CloudFront, Route 53. And now we've got intelligent attack mitigation. So now you've been hacked, and Shield sees this, like this, and it's gonna stop the attack, kind of like the way Pac-Man would eat the dots on a video game. I know Keith West remembers Pac-Man, and a few others do, but not everybody. So kind of keep that with what you're dealing with. This is what's going on with regards to DDoS. And this is what we're dealing with in Shield Advanced. Shield Advanced will look at traffic patterns and plan ACLs to mitigate the attack. For example, it allows visibility into and notifications for layers three, four and seven, and AWS Shield Advanced customers have access to 24 by 7 DDoS people, assuming you're using Business or Enterprise support options.

Now, because some of these solutions are kind of weak, and security takes a ton of other things, there's some other things that you can use. Some AWS proprietary security services include GuardDuty, which is a service to monitor your AWS accounts and look at your CloudTrail logs, DNS logs, VPC flow logs, and look for patterns of behavior associated with compromised systems. And it'll send you a notification: hey, something doesn't look right. So you can use systems like this. There are also industrial-grade systems, SIEM systems, that really do this and do this really well. Big industrial-quality systems, where you can use the same systems across multiple clouds. While we're at it, you've got something called Amazon Inspector, which is a security assessment service that helps improve your security posture and compliance of applications. It constantly assesses applications for exposure, vulnerabilities, etc. And after performing an assessment, it produces a detailed list of findings. And then it'll give you some recommendations. Again, automated services. They're no substitute for having professionals look and see what's going on. You also have Amazon Macie, which is a fully managed data security and privacy service that uses machine learning and pattern recognition technology to protect your data. It's going to look in your S3 buckets for unencrypted buckets and publicly accessible buckets. And it's going to make some recommendations. And it will apply machine learning, for example, and pattern matching techniques to identify issues and notify you with an alert. Of course, there's many better things that you can do. You can take the things that are notified and create some event-driven security with Lambda functions to go fix those. But these are basically services that are designed to assist you. Let's look a little bit at the Service Catalog. Now this is pretty good stuff here. Pretty good stuff.
Now what we're actually dealing with is, you know, when I was a little bitty baby getting into networking, and I was a young kid, they called me Sniffily. Why was I Sniffily? I was plugging in the sniffer, or protocol analyzer, and I'd find out: this person opened up the firewall so they could use Napster, this one was downloading the entire internet library of porn, this one opened up a port on the firewall so they could do stuff. And we would find systems that were vulnerable. People would put their FTP servers on the network, or they were putting servers on the network, and we'd get hacked because of other people and the things they do. We'd have systems that weren't properly patched. Usually stuff was out there that didn't comply with security policy. And we had the sniffer behind me that was running around trying to figure out what the traffic was on the network. Now, in those days, it was pretty hard to lock down your systems. Now in today's world, we can use the Service Catalog. Talk about a great service. The Service Catalog can help you control what's placed on your systems and make sure they adhere to an organization's security policy. Now, this is good stuff. The Service Catalog will help you control what's placed on the network. This is really, really good stuff. So what happens is you create a list of approved things: approved virtual machines, approved servers, approved software, approved databases, approved application architectures, anything, and you pop them in the Service Catalog. And you only allow systems admin people to use stuff directly out of the Service Catalog. So yeah, this is why I love this stuff. So the user can access something in the catalog. They can deploy it with an infrastructure-as-code script. And poof, it'll automatically deploy your things, and you're sure that they comply with security policy, and here's why: you've already approved them ahead of time. This is one of these transformational things in the cloud: infrastructure as code, deploy things practically at the speed of light, and make sure they're exactly what you need. So this is some real digital transformation here, this is excellent.
Let's talk about some more security services, and I hope you're gathering that security is about using a lot of tools from a lot of people: some of these great AWS tools, some tools from Microsoft, some tools from the security vendors, some tools from identity people. It's the combination of everything. It's like an onion, where you keep pulling back the layers.

Let's talk about the Systems Manager Parameter Store, another very cool security service. And it's a key component of a strong security posture, because a lot of things that we have to deal with are licenses, passwords, strings, database strings, and it's probably not good for you to have sticky notes all over your desktop with everybody's password. I've seen it, I know Keith West has seen it, and I know Chris has seen it, and I know many other people have seen it, like Alonzo, I'm sure you've seen that too. Some of the younger people may not have seen that. And what we're dealing with here is, if your information is compromised, like a password, it could be a bit of a problem. And AWS provides a solution for securely storing your secret information; that's called the Systems Manager Parameter Store. I don't have to make it up, but it's a good service. Now the Systems Manager Parameter Store is a scalable, hosted, serverless environment that's designed to store your passwords, database strings, license codes and API keys. So kind of keep that in the back of your mind. If you've got extremely sensitive information, stick it in the Systems Manager Parameter Store. It provides a means to store and encrypt your data. And it's a great way to store and manage secrets: it's going to separate your code from your passwords, it's going to provide an excellent means to audit access, and it's going to provide a method for you to track your passwords.

Let's talk about some more AWS security services: the Security Hub, which is a service that provides users with a broad scope or extensive view of their security posture and facilitates AWS environments' compliance with industry standards. Okay. It simplifies how users understand and improve their cloud security posture with automated security best practice checks, by collecting and prioritizing security data across accounts. Automated system: make sure you've got real security people that understand how to do real security. And this is information that they can use to give them additional information, in addition to the other things that you may need to be doing. It provides a central view of security and compliance posture. The AWS Security Hub is an aggregation and analytical tool that works across AWS services, accounts and some third-party tools. That's the key: some third-party tools. This tool tracks data against best practices and standards to identify oversights. Look, there are really good tools that you can use out there that are not proprietary, that work with everything, that are going to work on all your things. But if you only had a customer and they were only on AWS and they had a small budget, and they used only AWS services and they didn't have a lot of security, things like this are excellent because they give you additional information.
13357.939 -> Let's talk about Firewall Manager. It's a security management service that allows
13358.939 -> users to essentially set up and control rules under WAF, Shield, security groups,
13359.939 -> and to some degree some third-party marketplace firewalls. It ensures new users and applications
13360.939 -> can be updated automatically under the same procedures. Basically, an administrator can apply a rule
13361.939 -> across an entire organization, and limit policies to a single group of users or specific applications.
13362.939 -> Users basically set up their protections once, and the service automatically applies them to new
13363.939 -> accounts and resources. Firewall Manager can basically be used by companies
13364.939 -> operating in a highly regulated environment. So you've got some stuff, you're doing some
13365.939 -> analysis. The service integrates with WAF rules to protect things; it can also be used to automatically
13366.939 -> patch and protect systems. Like when you're dealing with next-generation firewalls, many
13367.939 -> of them have their own platform that can be used to manage across multiple clouds
13368.939 -> all at the same time. And when it comes to availability and performance: one is none,
13369.939 -> two is one, and three is greater than two. A single cloud, no matter how many regions
13370.939 -> and availability zones you use, is a single point of failure, because if the control plane
13371.939 -> goes, the cloud is dead; if the cloud gets hacked, the cloud can die; if there's a serious network
13372.939 -> issue, the cloud can be done. So there are lots of systems that you can use across platforms
13373.939 -> to really do this. Now we're going to get next into the AWS applications and services, which
13374.939 -> has got some really cool stuff on the way, so please give me a hashtag AWS Certified
13375.939 -> Solutions Architect Associate so I know you're awake, alert and oriented.
13376.939 -> Keith, no acronyms. Full, full, full words. I know you know. In fact, in my course, I think
13377.939 -> we're going to have a swear jar. Anytime somebody uses an acronym they owe $20 in the swear
13378.939 -> jar, and we'll donate it to charity. Because acronyms create communication nightmares,
13379.939 -> and we don't want to use acronyms as architects.
13380.939 -> Tyrone, we're going to get you into that swear jar as well. And Tyrone, you're a pretty
13381.939 -> solid rock star, I know who you are. Okay, let's get involved in AWS services.
13382.939 -> We're first going to start with SQS, or Simple Queue Service. Now, this is a wonderful proprietary
13383.939 -> queuing system. In a multi-cloud environment, you would not use this, you would use Apache
13384.939 -> Kafka. But here's what we're dealing with. It's a message queuing service that provides
13385.939 -> temporary message storage. I love this. Now, queuing systems enhance application availability
13386.939 -> by providing a means to store and keep messages from being lost. Now, the standard SQS queue
13387.939 -> you typically think of as being used with a database, and I'll get back to that in a minute.
13388.939 -> And it's going to be used for transient storage. In fact, the default queue retention time
13389.939 -> is four days, but it can be configured for up to 14 days. SQS, or any queuing system,
13390.939 -> enables right-sizing of your applications. It'll facilitate auto scaling. And SQS mitigates
13391.939 -> the need for middleware messaging systems in multi-tiered applications. So what is
13392.939 -> it? It's an AWS proprietary queuing system. It's typically high availability, it scales
13393.939 -> well. And the whole point of it is to decouple your systems and environments. Simple Queue
13394.939 -> Service will help you decouple your environments. And let me show you exactly what we're talking
13395.939 -> about. Let's say in this environment, for example, we have a web server and a sale comes
13396.939 -> in, right? It hits the app server, we temporarily hold the message in the Amazon SQS queue
13397.939 -> until the database is ready to receive it. So web server, app server, queue, on the way
13398.939 -> to the database. Now the reason we're doing this: if the database was full, we'd be losing
13399.939 -> the messages. But if it's in a queue, and the database is down for 30 seconds, it's
13400.939 -> no big deal. We're all kinds of happy, right? And the reason we're all kinds of happy is
13401.939 -> as follows: the message is still stuck in the queue. So queuing enables right-sizing
13402.939 -> of our systems. Now in this case, DynamoDB is serverless. But let's pretend it was a
13403.939 -> server-based database. What if all these messages come in at one time, and then no messages
13404.939 -> come in for half an hour? That's pretty normal. Things aren't just slow and fast.
13405.939 -> There are all kinds of weird patterns of traffic. So queuing enables you to smooth the systems
13406.939 -> out and have the exact right size. So when we're dealing with queues, we're going to have the option
13407.939 -> for standard queues and FIFO queues. In a standard queue, as fast as this stuff enters,
13408.939 -> it leaves. Every message is going to be delivered once. That's standard delivery. Now what
13409.939 -> if we had an application that needed something specific? We'd be dealing with a first-in,
13410.939 -> first-out queue. Now in this particular case, message one gets delivered before message
13411.939 -> two, which gets delivered before message three, which gets delivered before message four. Now
13412.939 -> this is going to slow it down. And the reason it's going to slow it down is, what if message
13413.939 -> one is big and messages two, three and four are small? Two, three and four will wait for message
13414.939 -> one to be delivered. But it really doesn't matter. What we're really talking about is as follows:
13415.939 -> we're talking about what's best for the application. Let's
13416.939 -> talk about the next thing, called the dead letter queue. A message comes in, doesn't make it
13417.939 -> into the database, and we store it so we can go back and take action on it later, kind
13418.939 -> of like the mail. Ever notice when the mail doesn't get delivered to you? You send it
13419.939 -> back and they store it somewhere. It's called a dead letter. So how does queuing work? Messages
13420.939 -> are sent from the computer to the queue. They're held in the queue. As soon as the receiver
13421.939 -> can take it, the messages are drained from the queue. And then new messages come in.
13422.939 -> I showed you this before on the first day, when we talked about databases, but I want
13423.939 -> to show it to you again. Here we've got the same queuing system. Messages come in.
13424.939 -> They're stored in the queue. They're drained from the queue if and when necessary, and
13425.939 -> then they're given to the receiver. So when would you use SQS? Well, if you're using a
13426.939 -> single cloud, you would use SQS. If you're using multi-cloud, you would use Apache Kafka.
13427.939 -> But you will use SQS to assist with capacity planning and application scalability,
13428.939 -> to make sure messages are not lost; messages meaning orders, usually, as it relates to a
13429.939 -> sale, as opposed to systems being overloaded. SQS is fantastic for cost optimization, because
13430.939 -> instead of having to purchase your servers for the maximum capacity you might need, we can
13431.939 -> base it upon an average capacity and store those messages inside of a queue. And SQS can
13432.939 -> be very effective for auto scaling with its ability to provide a trigger. So for
13433.939 -> example, you could have a certain number of messages in a queue. When
13434.939 -> the messages are there in the queue, you could say add compute capacity if it's necessary.
13435.939 -> Kind of keep that in the back of your mind. It can help you handle spikes on a platform
13436.939 -> without having to scale or make changes to the platform. SQS is good for handling, what
13437.939 -> are we talking about, increased traffic and write capacity.
13438.939 -> Now let's talk about Amazon MQ. Amazon MQ is a fully managed, open-source
13439.939 -> message queue, message broker type service, kind of like Apache ActiveMQ or RabbitMQ;
13440.939 -> it's a fully managed service for that. Amazon MQ makes it easy to set
13441.939 -> up and operate message brokers in the cloud. Users can migrate messaging and applications
13442.939 -> without rewriting their code. Enterprise-level customers could benefit the most from using
13443.939 -> Amazon MQ, because they no longer have to re-engineer applications to use SQS. Of
13444.939 -> course, in theory, if they were using RabbitMQ and they had their own systems on a
13445.939 -> virtual machine, they could just migrate them to the cloud and have the same things on all
13446.939 -> three clouds and not worry about it. But this is a proprietary Amazon managed
13447.939 -> service. But managed means you don't have to worry about the system or the virtual machines.
13448.939 -> Enterprise-level customers can use it because they don't have to re-engineer things.
13449.939 -> But they didn't have to re-engineer things anyway by moving the virtual machines. But
13450.939 -> because Amazon's managing it, you don't have to manage the maintenance, security updates,
13451.939 -> monitoring or troubleshooting of the message queue. Amazon MQ uses pay-as-you-go
13452.939 -> pricing, meaning users pay for what they use every time the message broker instance
13453.939 -> runs and the system is used. Storage is billed monthly, though, and AWS will calculate the
13454.939 -> number of gigabytes that are used each hour divided by the number of hours in each month,
13455.939 -> and the result will be a value of gigabyte-months, with data transfer fees charged separately.
13456.939 -> Now let's talk about SNS. SNS, or Simple Notification Service, is a managed messaging service
13457.939 -> used to deliver messages between systems, or between systems
13458.939 -> and people. SNS is used to decouple messages between microservice applications, and it can
13459.939 -> be used to send an email or a push message or a notification to mobile devices, like
13460.939 -> a message: hey, you've been hacked, or your CPU is at 100%, go do something about it.
13461.939 -> SNS is great for this. SNS basically facilitates communication between senders and receivers
13462.939 -> using a publisher/subscriber model. So when you subscribe to a mailing list, for example,
13463.939 -> and you get an email, that's publisher/subscriber. So the publish/subscribe messaging model enables
13464.939 -> notifications to be delivered to clients by using a push notification. You ever get a
13465.939 -> push notification from YouTube about a video? Same kind of thing when using a service like
13466.939 -> SNS. SNS will consist of two components: publishers and subscribers. The publishers send the messages;
13467.939 -> the subscribers read the messages. I always like to use the term mailing list. To me it
13468.939 -> makes sense.
13469.939 -> SNS is also used to do something called fanning out messages. What does that mean? Here we've
13470.939 -> got a publisher and subscribers, and we send that same message to multiple
13471.939 -> systems. And we could have a single message that could be sent to SQS, which could also
13472.939 -> be sent somewhere else or somewhere else; that's the fan-out. But here's the point: the publisher
13473.939 -> sends to a topic, people subscribe to the topic, and there they are. But it could also
13474.939 -> be used to fan out a message; we may have a message which would then go into a message
13475.939 -> queue as well as a notification. And that's terrific; kind of keep that in the
13476.939 -> back of your mind, all kinds of stuff. Chris, I just got your message,
13477.939 -> you're going to have to tell me after this class who was hired. I'm totally, totally excited.
13478.939 -> Every day we get a new cloud hire. And I haven't had my cloud hire yet today. So super excited.
13479.939 -> Can't wait to hear. You know, we had two yesterday. So another one today. I'm thrilled, thrilled,
13480.939 -> thrilled.
13481.939 -> Let's talk about SNS platform functionality. Sorry, I didn't realize I was behind
13482.939 -> my slides over there. SNS is a high availability platform that by default runs across multiple
13483.939 -> availability zones. And SNS can be used to fan out messages as I described before. So
13484.939 -> basically, you've got a message going to a Lambda function, an SQS queue, a notification.
13485.939 -> And SNS allows you to do creation of filter policies, so you only receive notifications
13486.939 -> you're interested in. That's great, right? You only want to see what you're interested
13487.939 -> in. So let's talk about some use cases for SNS. SNS can send application and system
13488.939 -> alerts: hey, CPU's at 80% or more capacity. SNS can take incoming messages and send them to
13489.939 -> multiple systems at the same time; that's called fanning out. SNS can be used for mobile
13490.939 -> notifications. I love this. Imagine an application that's being pushed to realtors, for example.
13491.939 -> While they're driving, it says: new house for sale right now, go show your clients. So
13492.939 -> we're dealing with some pretty, pretty, pretty exciting stuff here.
13493.939 -> Let's talk next about Elastic MapReduce. So when you're dealing in a big data environment,
13494.939 -> what you're really dealing with is taking an environment where you're going to take data
13495.939 -> from one source and move it to another source. Now in the big data environment, typically
13496.939 -> somebody writes a PySpark script, and it's used for mapping and reduction. So for example,
13497.939 -> you may have Mike; Mike may be spelled in all capitals, the next one may be spelled in
13498.939 -> all lowercase, then it may have a capital M and a lowercase i-k-e. And that obviously
13499.939 -> would be a problem when we're analyzing the data. So we need to normalize the data. Now
13500.939 -> normally, what happens is somebody makes a PySpark script, and they do this automatically.
13501.939 -> But AWS has a service for doing it as well. Now, if you write a PySpark script, you
13502.939 -> can use the same script across cloud providers. But if you don't have somebody
13503.939 -> in the big data environment who is good at writing the PySpark script, you can use the AWS
13504.939 -> managed service. And that's what Elastic MapReduce is. It's an application for processing
13505.939 -> large amounts of data. It's a managed cluster service for managing big data frameworks.
13506.939 -> And it's really a prebuilt framework that's going to facilitate big data analysis and
13507.939 -> processing without the need for separate management, application installation or configuration.
13508.939 -> And it's built upon open-source tools such as Apache Spark, Apache Hive, Apache HBase,
13509.939 -> Apache Flink, Apache Presto. And it typically offers some higher performance
13510.939 -> than traditional solutions. And it could be less expensive if you don't have to code
13511.939 -> it yourself. Or if you've already got your scripts, it's cheaper to use your own scripts.
13512.939 -> And that's the key: to determine what's best for you and the organization. Now, when
13513.939 -> it comes to NoSQL databases, I mentioned previously that DynamoDB wouldn't work in
13514.939 -> a multi-cloud environment. And why? Because it's proprietary. And it's not like we can
13515.939 -> have Cosmos DB, Google Cloud Bigtable, and DynamoDB across our three clouds; that's not
13516.939 -> going to work. But we could use a standards-based database, like Apache Cassandra or
13517.939 -> MongoDB, across all of them, across all of them. So because of this, AWS came up with
13518.939 -> Amazon Keyspaces, which is basically a serverless, fully managed, Apache Cassandra-compatible
13519.939 -> database. Now, the good news with this is you can take your data straight out of your
13520.939 -> Apache Cassandra database and put it directly in here. And there are no systems to manage.
13521.939 -> Of course, if you had an Apache Cassandra database, you could just run those
13522.939 -> on virtual machines on the three clouds, and have them synchronize and not have to worry about
13523.939 -> any of this. But you know, this is good for organizations that don't want to manage their
13524.939 -> own systems. The service is provisioned, patched and deployed for them. And because
13525.939 -> there's nothing to worry about, it can be helpful because organizations don't need a
13526.939 -> sophisticated IT staff. But remember, when it's serverless, you have less to worry
13527.939 -> about, which is great. But you have less customization and capabilities. So serverless is simpler.
13528.939 -> But simpler doesn't mean better. It means different. If you need max control, max performance,
13529.939 -> don't go serverless. If you need simplicity and elegance, go serverless. All based upon
13530.939 -> the business case, on a case-by-case basis. It's a managed Apache Cassandra service. Again, excellent,
13531.939 -> excellent, excellent. So when you deal with Apache Cassandra here, it's fully managed, like
13532.939 -> I said, there's nothing to manage. So it's much easier for you to deal with. You basically
13533.939 -> have two kinds of capacity and throughput modes for reads and writes: on-demand mode
13534.939 -> and provisioned capacity mode. On-demand mode means it's basically what you think you need.
13535.939 -> And provisioned capacity mode is where you tell it exactly, I need this much performance, and
13536.939 -> you're going to get it.
13537.939 -> Now, let's talk about Lake Formation. If you need a data lake, there are two ways to do it.
13538.939 -> Your data architects can architect it their own way, normalize your data and create their
13539.939 -> own data lakes. And that takes a level of sophistication. But with that level of sophistication,
13540.939 -> you get something very special. But it takes a level of sophistication. That level of sophistication
13541.939 -> gets expensive, because now you need data architects, potentially even some data scientists.
13542.939 -> But if you didn't want as many of them and you wanted a simpler thing, AWS has this service
13543.939 -> called Lake Formation. And Lake Formation is a managed service to facilitate the rapid
13544.939 -> deployment of a data lake. And a data lake is effectively a repository that holds large
13545.939 -> volumes of unprocessed and processed data in the same location. And this information
13546.939 -> will come from a variety of sources. Unprocessed data is going to be captured very quickly
13547.939 -> in its raw format. It'll be tagged with metadata, which will provide some information about
13548.939 -> the raw data. Conversely, processed data is going to be assigned to tables, fields or other
13549.939 -> elements before storage. And while this will slow data capture speeds, it creates an environment
13550.939 -> where there is an unlimited amount of data in various formats. So pretty darn awesome.
13551.939 -> Now, what happens is we form these data lakes quickly and accessibly. And then we can use
13552.939 -> any kind of analytical, machine learning or pattern-matching techniques we use. Because
13553.939 -> that's the whole point of a data lake: create all this data, store this data, and then use
13554.939 -> this data at some point in the future to make better business decisions, which can improve
13555.939 -> profitability, reduce costs or improve information. And that's what we're talking about as actionable
13556.939 -> data. If an organization has data and they analyze that data, and they mine that data,
13557.939 -> maybe they know that if you use this price, you're going to maximize sales. Maybe they know that
13558.939 -> at this time of the year, they don't need as many employees. Maybe they know this time
13559.939 -> of year to hire some temporary employees. The ability to make better predictions, otherwise
13560.939 -> known as inferences, is really how big data can do things. Big data can tell a company
13561.939 -> their customers' desires. They may find out that I like cat
13562.939 -> things. And when they've got a new cat product, they might send me a cat email, as opposed
13563.939 -> to sending me an email every day, which is going to cause me to unsubscribe from the
13564.939 -> mailing list. So data, data and more data is a really cool, cool, cool thing. Now let's
13565.939 -> talk about Amazon Timestream. Amazon Timestream is a fully managed, auto scaling, distributed,
13566.939 -> fault-tolerant relational database; it uses basically SQL, a SQL database. And the service
13567.939 -> specializes in storing and quickly tracking data variables that change over time, such
13568.939 -> as time series data, user data, IoT data. And it's capable of ingesting millions of
13569.939 -> events over a time interval from various devices, sensors, etc.
13570.939 -> Let's talk about CloudWatch. CloudWatch is just an event monitor, a record logging service.
13571.939 -> CloudTrail, auditing; CloudWatch, logging. Because we've got two of these and people confuse
13572.939 -> them. CloudTrail, auditing; CloudWatch, logging. It's just a log, log, log. Now CloudWatch is
13573.939 -> a monitoring service that's going to monitor your AWS resources or applications on AWS.
13574.939 -> It's going to provide you system metrics, like CPU usage, by the way, or disk usage.
13575.939 -> It can monitor applications and give you custom metrics. So I mean, let's look at it realistically
13576.939 -> speaking: it's no different than the logging any other organization has for their
13577.939 -> business. With Amazon CloudWatch, it'll collect information, you can monitor that information,
13578.939 -> you can analyze the information that you get, you can act on that information to make changes.
13579.939 -> And then you can re-monitor, re-act, and then re-analyze until you get it right. And this
13580.939 -> is going to be a constant state of flux. It's never one thing where it's always going to
13581.939 -> be the same thing.
13582.939 -> CloudWatch can monitor a lot of things. By default, it looks at CPU utilization, disk
13583.939 -> reads and writes in terms of input and output operations per second, and network utilization. Now,
13584.939 -> that's not a lot. The default is disk I/O, CPU and network. But if you need better logging,
13585.939 -> you can use custom metrics. Maybe you want to look at your memory utilization, or your API
13586.939 -> performance or other metrics. CloudWatch also has a notification system that notifies you
13587.939 -> when things are there: ding, ding, ding, tell your systems administrators your systems
13588.939 -> are at 80% load, maybe add capacity. And a CloudWatch event, let's say something good
13589.939 -> or bad, can then trigger auto scaling to increase your capacity. Kind of cool. It can trigger
13590.939 -> a Lambda function to remediate something, like, wait, it
13591.939 -> found an S3 bucket that's not doing what it's supposed to be doing, and then you can do something
13592.939 -> about it or act upon it. AWS CloudWatch is available in two versions for EC2 instances:
13593.939 -> basic monitoring, and with basic monitoring your data is going to be available every five
13594.939 -> minutes. And it's accessible to you at no charge. Let me tell you, capturing your
13595.939 -> data every five minutes is not often enough to give you the peaks and troughs to
13596.939 -> really see what's going on. Many times, if you really look at it, you'll see that for
13597.939 -> three seconds the CPU hits 100% and you've got a problem, and then it's averaging
13598.939 -> 30%. So, five minutes default, probably not good enough. When you use detailed monitoring,
13599.939 -> you get data at least once a minute, but you're going to pay extra for it.
13600.939 -> And detailed monitoring must be enabled on your virtual machines, otherwise known as your
13601.939 -> EC2. CloudWatch Events delivers a near real-time stream of system events that describe changes
13602.939 -> in your account. You can set up a rule to match events with a particular function
13603.939 -> or stream. CloudWatch Events will become aware of the operational changes in your system
13604.939 -> as they occur. And CloudWatch will respond to these events, to these changes, by taking corrective
13605.939 -> action, sending messages, responding to something like activating a Lambda function anytime.
13606.939 -> Any logging you can do is always a good thing. Now I mentioned CloudWatch does logging
13607.939 -> and CloudTrail does auditing. So what do you think we're getting to next? CloudTrail,
13608.939 -> everybody. CloudTrail is an AWS service that assists with the auditing process. It provides
13609.939 -> an audit log that assists you with risk management. So if you're a manager in healthcare or finance, and
13610.939 -> you need to know exactly, exactly what your people are doing, here you go, completely,
13611.939 -> completely. So that's what we're actually dealing with. You can find out who does
13612.939 -> what; it tracks it. CloudTrail can track changes made to an AWS account by user, which means
13613.939 -> a person, or role, which typically means a system or a service. CloudTrail
13614.939 -> is enabled automatically as soon as your AWS account is created. But then if
13615.939 -> you want to monitor, you're going to create a trail in the CloudTrail console, CLI
13616.939 -> or CloudTrail API. And it will record events, and these events are going to be visible in
13617.939 -> the CloudTrail console under your event history. Your CloudTrail event history will let you
13618.939 -> review events that have occurred in the last 90 days. Additionally, CloudTrail can be
13619.939 -> configured to store logs in an S3 bucket for long-term storage: long-term storage, long-term
13620.939 -> logs, machine learning on your logs, analysis of your logs, HIPAA compliance on your logs,
13621.939 -> banking compliance on your logs. That's why, you know, we create a CloudTrail. We can
13622.939 -> create two kinds of trails. We can create a CloudTrail that is local to one region,
13623.939 -> a one-region-only CloudTrail, to give us information from one region. And it's going
13624.939 -> to store the CloudTrail logs in a single bucket. And this is
13625.939 -> the default option when CloudTrail is configured via the CLI or the API. By comparison, we
13626.939 -> can create a CloudTrail that applies to all regions. And this will provide the most comprehensive
13627.939 -> logging and auditing option. It'll provide a record of all events that exist inside of
13628.939 -> the organization's entire infrastructure. And this can help correlate problems across
13629.939 -> our global organizations' global infrastructures. And that's the key: you may find something
13630.939 -> that happened in one part of the world, and then something else that happened in another
13631.939 -> part of the world. And if you couldn't correlate the events, you wouldn't know that they were
13632.939 -> related, but in many cases, they are related. All this stuff is about event correlation.
13633.939 -> Why does one thing impact something else? Okay, let's talk about CloudTrail a little
13634.939 -> more. Here, you can see, we've got our virtual machines, EC2, our identity and access management,
13635.939 -> our database. And it uses CloudTrail and it's storing all these logs into an S3 bucket. And that's
13636.939 -> the key. That's the key. And it's all done for you. And it's all done storing all your
13637.939 -> information for long-term storage and analysis.
13638.939 -> Okay, let's get involved in AWS Config very quickly, then we'll take a break and answer
13639.939 -> some questions. AWS Config is a service that enables the assessment, auditing and
13640.939 -> evaluation of configurations in AWS. It provides an opportunity to see what changes were made
13641.939 -> and by whom. When a change is made in AWS, Config can send an SMS alert to the systems
13642.939 -> admin. And how cool is that? Somebody does something and you get notified: hey, by the
13643.939 -> way, somebody made a change. Pretty helpful if they're not supposed to be making changes.
13644.939 -> In a production environment, for example, people don't make changes during the day unless
13645.939 -> it's an outage, or during high periods of use. And knowing when somebody made a change,
13646.939 -> when all of a sudden you have a problem, that's pretty great. So you know how to revert that
13647.939 -> change. So Config is going to provide constant monitoring of all configurations.
13648.939 -> It's going to check these configurations against an organization's policy. And that way, if
13649.939 -> a change is made that violates the policy, you'd get an SMS alert. Remember, there are
13650.939 -> notifications, and a CloudWatch event will occur. And because the CloudWatch event occurs,
13651.939 -> we've got options. We can basically set up a Lambda function to remediate that event
13652.939 -> if we need to. It can tell us that something was done, so if there's a problem, we can go
13653.939 -> fix it. And we can integrate this with CloudTrail as well, so when configuration changes are
13654.939 -> made, we know what it is and we can fix it, should there be a problem. Okay, before we
13655.939 -> get back to the content, if you can give me a hashtag AWS Certified Solutions Architect
13656.939 -> Associate, and if you've not liked it yet, please like, please subscribe and please hit
13657.939 -> the bell. And before we do this, we'll answer a question. Real
13658.939 -> quick question: do I need to learn Apache Kafka? Well, it depends. Are you an architect?
13659.939 -> You need to know what Apache Kafka does and how to integrate it, and its strengths and
13660.939 -> weaknesses, but we don't touch the tech; that's not the architect. Now if you're going to be a big
13661.939 -> data engineer, then yes, you need to get real familiar with Apache Kafka. Okay, I'm seeing
13662.939 -> it. I'm not seeing enough subscribes and likes yet, though. Maybe help us out with
13663.939 -> that. Looking to check and see if you guys are paying attention to us. We work pretty
13664.939 -> hard. I'm dealing with laryngitis, drinking a turmeric and ginger tea trying to soothe the
13665.939 -> throat. So, some likes and comments, please. Okay, now let's talk about CloudFront.
13666.939 -> CloudFront is something I love because it's
a content delivery network. And I love content
13667.939 -> delivery network. Why they improve performance
and enhance security. Nothing better than
13668.939 -> improving performance and enhancing security.
At the same time. Plus content delivery networks
13669.939 -> in many cases can even cut your cost down.
So improving performance, improving security,
13670.939 -> cutting costs, can you imagine how awesome
this stuff is Love it, love it love it, it
13671.939 -> doesn't get any better than this. So when
you're dealing with multi cloud, you're going
13672.939 -> to need multiple content delivery networks.
Why? A single content delivery network is a
13673.939 -> single point of failure. Don't believe me?
The entire country of India was nearly taken
13674.939 -> down because it was relying predominantly
on a single content delivery network that
13675.939 -> went down; half of India's Internet access
went down. Real businesses that are high availability
13676.939 -> use multi-cloud and multiple content delivery
networks. But for your certification,
13677.939 -> we're going to talk about CloudFront.
And CloudFront is exceptionally good, just
13678.939 -> like these other content delivery networks.
It's the Amazon branded content delivery network.
13679.939 -> And what is a content delivery network, everybody's
going to tell you that it's a geographically
13680.939 -> distributed group of servers. It is a group
of servers, but it's also a network, which
means it provides private network access,
high-performance network access, and user
13682.939 -> caching with the servers. So this will provide
caching and many other optimizations. Now,
13683.939 -> CloudFront, or any content delivery network
can dramatically improve your web hosting
13684.939 -> performance. Now, CloudFront is integrated
with a lot of AWS services, making it simple
13685.939 -> and elegant on AWS. Here's what's gonna happen
when a request is made. And I'm going to graphically
13686.939 -> show you this in a minute. What's ultimately
going to happen is it's going to hit the CloudFront
13687.939 -> content delivery network. So here I go. Here's
an example. Today, I want to go to www dot
13688.939 -> Cindy the cute cat.com. And when I go to www
dot Cindy, the cute cat.com. I go to the CloudFront
13689.939 -> distribution, mine is in Miami. And there's
nothing there on the CloudFront distribution.
13690.939 -> So I hit the CloudFront distribution, it goes
to the Cindy the cat website, it gets sent
13691.939 -> back to CloudFront. And then it gets sent
back to me. Now my wife wants to see Cindy
13692.939 -> the cat videos. So my wife uses the computer
in the other room. She goes to the CloudFront
distribution, and Cindy's photos and website are
13693.939 -> right there because I just accessed it. Now
a child comes to visit me in Florida, and
13694.939 -> she wants to see photos of Cindy. So she's
13695.939 -> at our house in Florida, she goes to get instant
access to photos of Cindy. And we're all happy
13696.939 -> and the only time the website actually had
to answer the request was for me.
13697.939 -> And that's why we love these things.
So what happened is, if I've got 100 more
13698.939 -> requests in Florida, the cache will answer
100 times. So that took 99 of those web requests
13699.939 -> off, and it saved Cindy's web server
99 requests. So you can
will happen is the CloudFront servers will
speed up content, that will reduce loads, and
in many cases they'll reduce costs. Because
13702.939 -> what'll happen is, let me just walk you through
it in a graphic. So in this graphic that
13703.939 -> I'd like to show you, here we go. Now, here
we go. The first person makes a web request.
13704.939 -> And it hits the CloudFront location. If it's
not at the CloudFront location, it'll actually
13705.939 -> go to the regional cache. And if it's not
on the regional cache, what's going to happen is
13706.939 -> it's going to ride the Amazon internal network,
not the public internet, to that S3 bucket,
13707.939 -> which is the source of my static website.
So the request immediately hits CloudFront. CloudFront,
13708.939 -> if it has it, is going to send it back to me.
But if it doesn't, instead of using the public
13709.939 -> internet to get to the website, it's gonna
jump on the Express Highway Lane, the private
13710.939 -> network that AWS controls, and it goes straight
to the S3 bucket, so it's gonna get off the
13711.939 -> internet onto a better network. Now, then,
what will happen, the asset will leave the
13712.939 -> S3 bucket, it'll sit on that CloudFront cache,
and it will be sent to me. Now the second
13713.939 -> request, you can see on the user in the bottom,
the user requests the same thing as the previous
13714.939 -> person. And it goes to CloudFront. And it's
answered. So now think about this in a DDoS
13715.939 -> environment, if I had 100,000 requests to
that Miami CloudFront location, and there
13716.939 -> were all valid requests CloudFront would handle
the 100,000 requests, which means my web
13717.939 -> servers don't. You see how that helps? Now,
what if we were dealing with inter-regional
13718.939 -> charges, like AWS bills you when you go between regions?
Guess what? We don't have to worry about that
13719.939 -> either. And why do we not have to worry
about that either? Because the content is
13720.939 -> cached. And it's not constantly transferring
across the inter-regional divisions. So we
13721.939 -> can save a huge load on our servers. And at
the same time, we can increase security and
13722.939 -> cut our costs. So when we're talking about
these things, what are we really dealing with?
13723.939 -> We're really dealing with website scalability.
We're dealing with increased security. And
13724.939 -> we're dealing with things. Now, when does this caching
not help? If all of our website stuff is dynamic,
13725.939 -> and changing every minute, and every user
is accessing different information, then caching
13726.939 -> will actually increase latency and reduce
the effectiveness. So like all architectures,
13727.939 -> we must, must, must, must know what our
usage patterns are prior to deploying any piece
13728.939 -> of technology. Hence the reason the most
critical skill for the cloud solutions architect
13729.939 -> is communication skills, to find out how to
help the customer's business better. Because
13730.939 -> the business requirements drive everything.
The tech doesn't drive the business.
13731.939 -> That's like the tail wagging the dog. The
business determines exactly what technology
13732.939 -> we use. As architects and engineers, we hand
them a piece of paper; their genius is that
13733.939 -> they build this, and they build it. Different
jobs, different roles. So CloudFront is going
13734.939 -> to integrate with a whole lot of AWS services,
it'll basically integrate with your S3, if
13735.939 -> you have static website content, and your EC2
instances and load balancers for dynamic content.
13736.939 -> It'll work through Route
53 for your DNS. If you're going to be using
13737.939 -> multiple cloud providers, you're not going to
be using Route 53. CloudFront could be used
13738.939 -> as a front end to a static website; it can
also be a front end to an EC2-based website,
13739.939 -> assuming a load balancer as part of the
architecture.
13740.939 -> So realistically speaking, what are we actually
dealing with? What we're dealing with is the
13741.939 -> following. We're dealing with CloudFront being
the front end to static content on an S3 bucket,
13742.939 -> and the dynamic content of our website. And
why might we do this? Well, we may have a
13743.939 -> bunch of pictures and videos, the cheapest
place to store them is putting them on the
13744.939 -> object storage. And, for example, with
regards to the front
13745.939 -> end, you've got EC2 instances. That's where
our dynamic web pages are.
13746.939 -> let's talk about some key concepts with regards
to CloudFront. We're going to talk about distributions,
13747.939 -> origins, and cache control. A CloudFront distribution
is as follows. It's basically identified by
13748.939 -> your DNS name. And it's going to look like
abcdefg 111 dot cloudfront.net. In fact, if
13749.939 -> you were here the day before, I will do it
one more time, in case you guys don't remember
13750.939 -> the other day. Bear with me a second.
Chris, I'm going
13751.939 -> to try and share something in a second. When
I do so, please share the window for me. Okay,
13752.939 -> Chris, share this. Share this window from
my Mac. It's my terminal window. Here we're
13753.939 -> going to do an nslookup. We'll identify our
name servers, and we're going to do www.amazon.com.
13754.939 -> What you can see over here is we actually
have this ugly name. Ah, and look at which
13755.939 -> CloudFront they're using right now, which
content delivery network they're using right
13756.939 -> now. They're not even using their own content
delivery network. Who knows, maybe something's
13757.939 -> going on with CloudFront. And you can see
that amazon.com is actually using Akamai's
13758.939 -> content delivery network. And you can see
this e15316-dsca.akamaiedge.net. So right now,
13759.939 -> Amazon is using the Akamai content delivery
network; two days ago, it was using CloudFront.
13760.939 -> And in this particular environment it may be
called Flintstone. And that's what we're dealing
13761.939 -> with. So this is actually the new URL of your
company when you use a content delivery network.
13762.939 -> Now, clearly, we want to use amazon.com, and
not this ugly thing. So what ultimately happens
13763.939 -> is we'd create a CNAME record that will
map amazon.com, which is user friendly, to
13764.939 -> this ugly looking thing, which is on the Akamai
network, and here's its IP address. Oops,
13765.939 -> not what I was trying to show there.
13766.939 -> Okay. Thanks, Chris, for fixing that for me.
And reading my mind, Chris, you're fantastic.
13767.939 -> Thank you. Thank you. Seriously, Chris is
my Chief Operating Officer, he's amazing.
13768.939 -> He doesn't need to be producing my stuff.
But he makes sure that we're successful, and
13769.939 -> I feel extra safe knowing he's behind the
scenes. So let's talk about the CloudFront
13770.939 -> origin. Now, when you set up CloudFront, you
really have to specify an origin. And an origin
13771.939 -> is really the location of where your content
is coming from. Whether it's an S3 bucket or
13772.939 -> the load balancer that's front-ending your
website, where's your content coming from?
13773.939 -> That's the CloudFront origin. Anytime you're
setting up a content delivery network, or
13774.939 -> dealing with a cache, you're gonna have something
called cache control. The whole point of CloudFront
13775.939 -> is to cache or temporarily cache the information.
Let's talk a little bit about caches and cache
13776.939 -> control. By default, your information is cached
for 24 hours, 24 hours. Now, why is this done?
13777.939 -> Well, if I post a photo of my beautiful Cindy
the cat, she's the cutest thing I've ever
13778.939 -> seen. Because I'm a little bit biased. And
you see the photo of Cindy the cat. Now, if
13779.939 -> we cache it for 24 hours, for the next 24
hours, the cache will hold that Cindy the
13780.939 -> cat photo, so the website doesn't have to
respond. Now this is good if the website
13781.939 -> doesn't change more than once every 24 hours.
More scalability, faster web load speeds,
13782.939 -> all great things. But what if Cindy likes
to post on our website four times a day? She's
13783.939 -> got one where she's lying on her back with
her hands in the air, and another one where
13784.939 -> she's sleeping; there's a video of her doing
a flip to chase a bird outside the house,
13785.939 -> and there's another photo with a little lizard
in her mouth that she just brought in to surprise
13786.939 -> me. Now if we cache it for 24 hours, the only
thing people are gonna see is the first photo; nobody's
13787.939 -> gonna see the second. And Cindy the cat will
be angry that nobody is seeing her new photos
13788.939 -> on her website. So then we would reduce the
cache time so it changes more frequently. So longer
13789.939 -> cache timeouts mean more scalability, but the
people won't see new updates on your page.
13790.939 -> Shorter update times mean lower performance,
and the cache is going to time out more frequently,
13791.939 -> which means more work for your server. So
what drives this? Your usage pattern, like
13792.939 -> everything else, is based upon your business
requirements. So part of the things the architect
13793.939 -> would have to do is interview, let's say, Cindy, if she was
the actor or actress here. We'd have to have
13794.939 -> a conversation with Cindy: what's your publishing
schedule? What's on here? How many times a
13795.939 -> day do you want people to see your new photos
and videos? So that's where you have to get
13796.939 -> it from your customer. Find out your customer's
business pattern for your page, and then determine
13797.939 -> the appropriate cache control, which is also
called the TTL. Now, if any of you guys or
13798.939 -> girls have ever worked with a cache before,
or dealt with anything, you know, periodically
13799.939 -> systems get corrupt. And if you have bad data
in your cache, it could be serving bad data
13800.939 -> for upwards of 24 hours to your customers, and
that would be real bad. So you can always
13801.939 -> clear the cache; keep that in mind.
So let's talk about setting up the CloudFront
13802.939 -> distribution. How would it be done? Well,
basically, you set up your web servers and
put your content on them. Once you set up your
13803.939 -> web servers and you put your content on them,
you're going to create the CloudFront distribution.
13804.939 -> AWS will accept it and give you one of the
ugly, ugly, ugly domain names. And you can
13805.939 -> either accept that domain name, or you can
create a CNAME record like AWS did, and
13806.939 -> they will provision it for you. Like I
said, never use a single content delivery
13807.939 -> network. And as you can see, when we did this
two days ago, Amazon was using the Amazon
13808.939 -> content delivery network, and
today they're using the Akamai content delivery
13809.939 -> network. So even they use multiple
service providers, as do we all.
So now let's walk through CloudFront. One
13811.939 -> more time, something I showed you on the first
day, here's basically the architecture, you
13812.939 -> got two regions, which are your giant geographic
areas, you've got your data centers inside
13813.939 -> of each geographic area called the availability
zones, and then we have your Edge locations.
13814.939 -> Now how's it going to work? Let's do it one
more time. Let's take the user in the upper
right hand corner. Hi, I'm a user, I request
a web page, www dot gocloudcareers.com. I
13816.939 -> hit the edge location; it's not there. So
my request leaves the edge location, it hits the
13817.939 -> regional cache, it's on the AWS private network,
back down their content delivery network backbone,
13818.939 -> it gets sent to the source, it gets sent back
to the regional cache, which gets sent then
13819.939 -> to the edge location, which then gets sent
to the user. Now the subsequent users that
13820.939 -> hit that same edge location in the top corner
will basically get it immediately. Now if
13821.939 -> a user on the bottom edge location requests
the photo from www dot gocloudcareers.com, if
13822.939 -> it's not in the cache at
the edge location, it'll hit the regional cache,
13823.939 -> ride the private network from the content
Delivery Network back to AWS, come back to
13824.939 -> the regional cache, put it on the edge location,
and then give it to the user. And that's how
13825.939 -> these things sort of work. And that's how
they help. Let's talk a little more about
13826.939 -> what we're dealing with. CloudFront, as we
mentioned, can increase website performance
13827.939 -> dramatically. Because it caches your
content. At the time we made this, there were
13828.939 -> 278 to 217 points of presence for CloudFront.
I'm going to tell you right now, that's always
13829.939 -> going to change and grow. It helps with your
routing efficiency for the following reason.
13830.939 -> Normally, your web requests will traverse
the public Internet. But there's no guarantees
13831.939 -> of performance in the public Internet. So
what you really want to do is you want to
13832.939 -> use CloudFront, either hit the cache, jump
off the public Internet, jump onto your content
13833.939 -> delivery network, use that higher speed content
delivery network to go back to the source.
13834.939 -> So no matter what, it's going to improve your systems.
Now, it can help with your routing efficiency,
13835.939 -> as I mentioned, because you're going to try
to traverse the AWS network, their content
13836.939 -> delivery network, not the public Internet.
And CloudFront also maintains persistent connections
13837.939 -> to the source. So you're not starting a new
session with a web server every request. So
13838.939 -> then that TCP SYN and ACK and SYN-ACK that
were necessary to open up a connection, it's
13839.939 -> already maintained. So that further
reduces latency. Content delivery networks
13840.939 -> are excellent, but you need multiple ones.
With CloudFront you can obviously put your web
13841.939 -> application firewall there. But you can also
put your Shield there. In this way your DDoS
13842.939 -> protection can be screened on the content
delivery network before they hit your firewalls,
13843.939 -> before they hit anything. Block all
bad requests before they ever get to you.
13844.939 -> So all content delivery networks, for that matter,
include some distributed denial of service
13845.939 -> attack prevention. And by being able to put
Shield directly on the content delivery network
13846.939 -> you get it. And again, Akamai's got their
own DDoS protection. Microsoft's content delivery
13847.939 -> network has their own DDoS protection. Cloudflare
is another content delivery network; they've
13848.939 -> got their own DDoS protection. So this is
normal functionality with regards to a content
13849.939 -> delivery network. But again, that ability
to terminate your SSL/HTTPS connections on
13850.939 -> the CDN without even hitting your servers
reduces load; the ability to make sure that
13851.939 -> the server isn't the answer to everything,
only new responses, reduces load. So increased
13852.939 -> speed and performance, and in many cases reduced
cost. Now CloudFront can also provide
13853.939 -> your encryption in transit, because it can
enforce SSL/TLS protocols. It'll integrate
13854.939 -> with many services, such as the Certificate
Manager, and CloudFront supports server name
13855.939 -> indication and custom certificates. Now,
normally speaking, use CloudFront for a public
13856.939 -> website. But what if you wanted a private
website, for example, paid website subscribers,
13857.939 -> private applications, there are a couple of
ways to do this. We can set up an origin
13858.939 -> access identity, and we can restrict the data
in, say, an S3 bucket to certain individuals;
13859.939 -> we can use a signed URL, or we could use some
signed cookies. That's where we're at right
13860.939 -> now. Let me very quickly say something about
some Lambda functions. And after Lambda functions,
13861.939 -> we'll take some questions. So let's
talk about Lambda next. Lambda is a serverless
13862.939 -> computing service. And it's used for micro
things. Basically, you upload the code and
13863.939 -> the Lambda function works the same way as
an Azure Function, for example. And there's
13864.939 -> no need to manage servers or operating systems;
it's basically quick and dirty things. C#,
13865.939 -> Java, Node.js, Python. Basically, it's a way
for you to automate simple things. The way
13866.939 -> we're going to use Lambda is as follows: the user's
going to upload their code. And when something
13867.939 -> happens, the function is going to run. And
we're going to pay every time that Lambda
13868.939 -> function runs. Lambda is stateless, which
means it doesn't track anything; the function is
13869.939 -> performed and completed. If you need another
function, you're gonna have to set up another
13870.939 -> function; it's not going to do a multi-step function
without doing something else. And therefore,
13871.939 -> Lambda is useful in many situations where
automation can create an increase in efficiency,
13872.939 -> or decrease manual intervention to process
data across multiple systems. Say your
13873.939 -> S3 bucket, for example, got hit by a security
event, or patching an operating system, for example.
13874.939 -> A Lambda function can respond to an event:
you misconfigured an S3 bucket, ding, ding, ding,
13875.939 -> run, fix something. A user can make an error. For example,
we could create our own thing.
13876.939 -> Let's walk through something that here would
be a great place for a Lambda function. Let's
13877.939 -> say for example, I wanted to upload a video
to s3 and have a multi step video process.
13878.939 -> I can create a lambda function to have the
video transcribed, and another lambda function
13879.939 -> to basically have the video converted from
say raw video to H.264 or H.265. I can
13880.939 -> then even have another lambda function to
send me an email that says, Hey, Mike, your
13881.939 -> video is ready. It's been processed, transcribed,
go download it. So Lambda is really about
13882.939 -> automating these compute tasks. Lambda functions
are exceptionally good for digital transformation.
13883.939 -> One of the things we absolutely love about
the cloud is something like this. It's complete.
13884.939 -> Now let's talk about Lambda@Edge, since
we just talked about CloudFront. What if
13885.939 -> we wanted to run a Lambda function basically
right next to the user? Well, we use Lambda@Edge.
13886.939 -> It is completely serverless, and it works
with the CDN. So let's talk about Lambda@Edge.
13887.939 -> With Lambda@Edge, basically, you upload
your code and it'll run directly, basically,
13888.939 -> at your CloudFront location. Very simple,
very simple and elegant. While we're tying
13889.939 -> Lambda together, we're going to enter Step
Functions. And then we're going to go to questions
13890.939 -> and answers, and we probably should end right
there.
13891.939 -> So let's talk about Step Functions. If you've
got multiple Lambda sequences, I mentioned
13892.939 -> they're stateless, you're going to need to
schedule them. And that's where Step Functions
13893.939 -> comes in. It enables you to create step one,
step two, step three, step four. So execute
13894.939 -> step one, it executes function one; step two
executes function two; step three executes function three, and so on.
13895.939 -> So how's it gonna work? You design
the steps of the application, we create individual
13896.939 -> Lambda functions, we're going to configure
the workflow, and Step Functions will connect
13897.939 -> the workflow components to the individual
Lambda functions. Each function will execute
13898.939 -> its step and will optimize and pass the data between
functions as needed. Here's a graphic for
13899.939 -> how that works. And then I will take questions.
Basically step one, step two, and so on: step
13900.939 -> one, Lambda function; step two, Lambda function;
step three, Lambda function; step four, Lambda
13901.939 -> function. Good to see you. So the first thing
we're going to talk about today is the Certificate
13902.939 -> Manager. When you're dealing with websites,
and HTTP and HTTPS, what you're really dealing
13903.939 -> with is you want to make sure that it's encrypted.
And you have to identify that the website
13904.939 -> is who they claim to be. For example, if I
was going through a website to go buy cat
13905.939 -> toys, right? If I thought I was going to a
cat toy website, and instead it was a hackers
13906.939 -> website, you know, that hacker could steal
my credit card information. And my beautiful
13907.939 -> cat Cindy wouldn't get the cat toy. So two
things would happen: my credit card would
13908.939 -> be compromised, and my cat Cindy would be really
sad. And we don't want that for my cat. And so we
13909.939 -> need to know that we're connecting to a website
that they are who they claim to be. There's
13910.939 -> not a hacker in the middle. So that's what
we do is we put a certificate on a website.
13911.939 -> The certificates on our website enable us
to determine who they are, help us do our
13912.939 -> encryption, verification and things like that.
And the AWS certificate manager is a service
13913.939 -> to help you do that. And Certificate Manager
adds protection to a website by using certificates
13914.939 -> to establish safe and secure connections.
And AWS Certificate Manager itself
13915.939 -> is an AWS proprietary service that enables
the simple provisioning, management and
13916.939 -> deployment of your certificates, both public
certificates and private certificates. What's
13917.939 -> the difference? A public certificate you put
on your external website; a private certificate
13918.939 -> you might do on your intranet, which is accessible
only from your internal network, not the internet.
13919.939 -> And Certificate Manager allows users to deploy
certificates on AWS resources very quickly
13920.939 -> and efficiently. And Certificate Manager
provides free public certificates to services
13921.939 -> like our load balancers or API gateways. Now,
let's look, graphically speaking, for about
13922.939 -> a moment at what Certificate Manager actually
looks like. You can see in this environment.
13923.939 -> We've got a certificate manager that we can
put on our elastic load balancers, our CloudFront
13924.939 -> content delivery network. Mind you in reality,
many organizations will use many content delivery
13925.939 -> networks at least one or two, but we can definitely
put it on the CloudFront distribution. So
Certificate Manager is going to help you with
13927.939 -> security by making sure you can identify
and use basic encryption, HTTPS-type encryption
13928.939 -> or SSL-based encryption, otherwise known as
TLS encryption, for your websites. Let's talk
13929.939 -> a little bit more about Certificate Manager.
There are two options when deploying certificates.
13930.939 -> And there's going to be the public CA and the
private CA. And a private CA is used for communication
13931.939 -> inside of your organization. Now private CA
certificates you have to pay for. And
13932.939 -> basically what happens is you can issue a
certificate and put it on specific users' computers,
13933.939 -> applications or servers. And that way, internally,
your users can authenticate a system and users
13934.939 -> can be authenticated. Now, with a private certificate,
you can't use it on the internet, right? Because
13935.939 -> it's private. Now public certificates obviously
are public, and they're free, and you can use
13936.939 -> them for your external facing websites. Now
let's talk about Kendra. Kendra is another
service, and it's a fully managed service powered
13937.939 -> by machine learning. Now Kendra
lets users search through structured
13938.939 -> and unstructured data. What happens is Kendra
uses natural language processing to understand
13939.939 -> the context of a user's query and find relevant
answers. What will happen is Kendra will index
13940.939 -> your documents whether it's unstructured text
such as HTML, PowerPoint presentations,
13941.939 -> Microsoft Word documents, plain text documents
or PDF. Kendra is capable of indexing structured
13942.939 -> text, for example frequently asked questions.
Now document attributes can be used
13943.939 -> with Kendra to filter responses
as well as queries. And of course, we can
13944.939 -> set up custom attributes that can be added
to documents as well as very specific searches.
13945.939 -> Now with Kendra, our queries can be directed
towards more relevant results by increasing
13946.939 -> or decreasing the importance of an individual
field in the index. How tight do you want
13947.939 -> to search? That's really what we're talking about.
And if the user adds more weighting to the importance
13948.939 -> of the highest replies or views, users can
see postings that are more popular or hot
13949.939 -> on forums. So it gives us the ability to use
machine learning to parse through a fair amount
13950.939 -> of information. And the type of machine learning
we're using in this particular case is natural
13951.939 -> language processing. Now we're gonna get into
Kinesis. And Kinesis
13952.939 -> is a streaming service. Now it is a proprietary
streaming service. So many organizations can't
13953.939 -> use it. Again, Kinesis, to me feels like something
that you could toss away and replace it with
13954.939 -> Apache Kafka, and many big organizations in
the cloud who have done so because they don't
13955.939 -> want to lock themselves into a proprietary
solution. But no, this isn't reality. This
13956.939 -> is an AWS Certified Solution Architect Associate
and Professional training. And when
13957.939 -> you're dealing with an AWS certification, that's
designed to make sure you know the AWS products,
13958.939 -> and kind of make you excited to go recommend
it and sell it. So we're going to talk about
13959.939 -> it. Again, in a multi-cloud environment
or a real critical high availability situation,
13960.939 -> you're not going to be using Kinesis, you're going
to be using Apache Kafka, not Kinesis. Now
13961.939 -> Kinesis is a service for collecting, processing
and analyzing streaming data. Now Kinesis
13962.939 -> can collect information in real time. And
that's kind of nice, because you can do this
13963.939 -> with Kafka as well. And typically use it for
video or application logs or website, click
13964.939 -> streams, or IoT devices. And normally, there's
two ways of collecting information, you could
13965.939 -> just collect information in system
logs and store it, then analyze it later.
13966.939 -> Or you can use a streaming service like Kinesis,
or Apache Kafka. And you can collect the data
13967.939 -> in real time. And you can kind of analyze
the data in real time, visualize the data
13968.939 -> in real time. And think about it this way.
What kind of a competitive advantage could
13969.939 -> you absolutely get? You know, if you have
historical information, you can make decisions
13970.939 -> after the fact. But if you have real time
information, you can make much better decisions.
13971.939 -> Let's talk about Kinesis. Kinesis is ideal
for situations where large amounts of streaming
13972.939 -> data need to be processed and rapidly moved.
Think of it this way. If you had weather sensors
13973.939 -> all over the Caribbean, and Florida, and a
hurricane is coming, how cool would it be
13974.939 -> to have access to be able to look at that
information, visualize that information, analyze
13975.939 -> it in real time, that's what we're talking
about. Or a bunch of airplanes flying around,
13976.939 -> where you want to get their status, and make
sure they don't bump into each other. You
13977.939 -> know, it's high traffic when you're actually
in these airplanes. We don't realize it in
13978.939 -> our seats. But the pilots will tell you it's
like a congested highway over there to kind
13979.939 -> of keep that in the back of your mind. Now,
when we talk about Kinesis, we're going to
13980.939 -> talk about four platforms. And they're going
to be Kinesis Video Streams, Kinesis Data Streams,
13981.939 -> Kinesis Data Firehose and Kinesis Data Analytics.
Let's talk first about Kinesis Data Firehose.
13982.939 -> It's a managed service to load streaming data
into data stores, data lakes, and analytic services.
13983.939 -> Kinesis Data Firehose can capture streaming
data and put it into S3 or Redshift, as well
13984.939 -> as many other services. And it's fully managed
and auto scaling, and it'll scale as
13985.939 -> you need it to for the throughput with auto scaling.
And of course, you can monitor what's going
13986.939 -> through Kinesis Firehose. Now, when data is
going through Kinesis Data Firehose, or Kinesis
13987.939 -> for that matter, the throughput is going to
be measured in shards. And a shard is basically
13988.939 -> going to be one megabit per second. Now, that
doesn't sound like a lot when you're dealing
13989.939 -> with video, because it's not. But when you're
dealing with little text files from internet
13990.939 -> sensors, those kinds of things, that's a lot
to do. Now, when you're going to do you obviously
13991.939 -> could use multiple shards, and the pricing
is going to based upon the number of stars
13992.939 -> shards. So like anything else prior to use,
your organization should determine the required
13993.939 -> shards in terms of capacity. And of course,
you can increase it when capacity is needed
13994.939 -> a little more about data firehose, we can
use up to 10 charts per region per account.
13995.939 -> And if we need more than 10 charts, no big
deal, but just contact AWS support, and they
13996.939 -> can enable it or we could also set up an auto
scaling policy on a scale the number of shards
13997.939 -> based upon utilization. Now we can set up
Kinesis data Firehose from the console setup
13998.939 -> as essentially setting up the sources and
the destinations for you. Know, we're dealing
13999.939 -> with Kinesis data Firehose streaming data
is captured by the firehose, I'm going to
14000.939 -> consent it and store it in s3. And we can
also analyze the data tools with analytics
14001.939 -> tools. So let's look at what this typically
could look like.
Visually, in this environment, you can see we've got multiple data streams coming in. We've taken these data streams in and we pop these data streams into Kinesis Firehose. From the Kinesis Firehose, you can see there, we're putting it into an S3 bucket. And from there, what we're actually doing is we're using analytical tools to kind of look at it, maybe something like Tableau or Power BI. Those kinds of analytics tools give us the ability to parse through large amounts of information and actually visualize it.
Now, let's talk about some Kinesis Data Firehose concepts. With Kinesis Data Firehose, we basically have a delivery stream, which is data coming in; you set up your Kinesis Firehose by creating a Kinesis Data Firehose delivery stream. And then we get a record, and the record is the data that's ingested. A record can be as large as one megabyte. A few more things as we talk about Kinesis Data Firehose: we've got our data producers, right? That's the stuff that's sending you the information, our IoT devices, for example. We also may have a buffer size and a buffer pool. And what is that? Well, when we're dealing with Kinesis, data coming in buffers incoming data streams to a certain size for a certain period of time before delivering it to the destination. Make sense? Bundle up your data, send it, bundle up your data, bundle up your data. And it's not a lot of time that it's going to be there, it's a short buffer.

Now that we've talked about Kinesis Data Firehose, let's talk about Kinesis Video Streams. Every connected device, such as a smart car, a smartphone, a camera, that kind of thing, we can use that data with Kinesis Video Streams. So we can pull information from all kinds of video devices; we can store the information, convert the information, encrypt it, or we can analyze it in real time. Kinesis Video Streams automatically scales to handle any amount of data. And it's used by analysts and AI and machine learning. And that way, we can look at what's coming in and analyze it in real time using tools. It's a Kinesis application specifically for video streams. So Video Streams enables the ingestion; it's really about pulling things in, as are all of these things. And one advantage of streaming through this platform is that users can collect, save, and process data. So let's look a little bit at Kinesis Video Streams. Here you go: in this environment, we begin by taking in data from a lot of different places, analyze it, use it for media processing. Let's say we wanted to crowdsource a video thing, for example, and we wanted to basically enable 1000 users to be streaming their video, so we could create a movie based upon cell phone information. Imagine using Kinesis Video Streams to pull information from a variety of sources. And wow, wow, wow, wow, you can do something very cool. So Kinesis Video Streams is a nice concept.
We've talked about Kinesis Firehose, we've covered Kinesis Video Streams, let's talk about Kinesis Data Streams. Now Kinesis Data Streams is a scalable platform to capture real time streaming data. And you can capture data in real time, and you can actually analyze it within 70 milliseconds, which is pretty darn fast. Imagine capturing hundreds of gigabytes, capturing gigabytes from hundreds of sources or hundreds of thousands of sources, and instantly making a decision: financial transactions, location tracking. So Kinesis Streams can ingest data and then export it to a business intelligence tool. What's happening with the streaming data is it's going to be captured by Kinesis Data Streams at some central processing, and it can be sent to something like Power BI. So let's look at what this actually can look like, and we'll talk about some Kinesis Data Streams terms. Here we go, we've got our data coming into Kinesis Data Streams. Now, as the data is coming into Kinesis Data Streams, it's sent to Kinesis. Now we could be using Power BI or QuickSight or some tool like that. We can look at our data and do something about it in real time.

Now when we talk about Kinesis Data Streams, there's a couple things which could pop up on your exam. Let's make sure we talk about it. We've got the data producer, which is the application that emits the data records. And what will happen is the data producer will assign a partition key, and the partition key will ultimately determine which shard is going to ingest your data. And of course, we're gonna have the data consumer. What is the data consumer? It's what's receiving the data from all shards as they're generated. Most data consumers are really receiving the most recent data in a shard, and that's going to be used for real time analytics or handling of your data. So let's talk about when we would use Kinesis Data Streams: large event data collection, real time data analytics, capturing gaming data, for example, capturing mobile data. Quite useful in a lot of cases.

Now, let's talk about Kinesis Data Analytics, a new service or different service. Now Kinesis Data Analytics is going to be a managed service that's used to transform and analyze streaming data in real time. Kinesis Data Analytics uses the built in Apache Flink to process data, which is what many organizations use for big data processing. Kinesis Streams is auto scaling, which means it's going to scale to meet your organizational needs. And data on Kinesis Data Streams can be queried via standard SQL-type queries. Sorry, I'm trying to call it Data Analytics and I'm calling it Data Streams. Apologies for that. So let's look graphically at Kinesis Data Analytics. You can see we have a data stream that's going into Analytics, and then it's going to a business intelligence tool, so we can analyze the information or have better business decisions in real time.
Now, AWS knows most people would not use this; they use Apache Kafka by building their own Apache Kafka servers. So now they're trying to make a managed streaming platform for Apache Kafka. And that's exactly what Managed Streaming for Apache Kafka is: it's a fully managed service that allows you to build and run your own applications and use Apache Kafka for data stream processing. And, of course, you could build your own and not use any of these managed services, and use the same virtual machines in multiple clouds for high availability. But if you want managed servers, and you don't want to manage the server, the operating system, and patching it, here's your option. So Managed Streaming for Kafka is a fast, scalable, durable, and fault tolerant streaming platform. And it's going to provide a unified, high throughput, highly distributed messaging system. And it's a low latency platform for handling real time data feeds. It's distributed and partitioned, and basically gives you a good logging environment. It provides a publish-subscribe message bus that can be used to build real time data pipelines or streaming applications. Managed Streaming for Kafka is a distributed platform designed to handle large amounts of data, and can be used to store and process large amounts of data.

Let's talk about another service which can pop up on your Certified Solutions Architect Associate or Certified Solutions Architect Professional exam: AWS Outposts. And what is AWS Outposts? Basically, AWS would define it as a fully managed service that uses EC2 instances, or a series of EC2 instances, configured inside of your VPC in an appliance. What is it really? You go buy a server from AWS, you store that server inside of your data center, and AWS manages that server. And now you've got EC2 instances inside your data center. Now, reality is you can put your own server here and manage your own systems. You don't have to buy that server from AWS, but then you have to manage it. That's what it is: it's a fully managed server that's got your own virtual machines, that you stick in your data center, and they manage it for you. The AWS Outposts appliance acts as a virtual part of your VPC, even though it's sitting in your data center. Now, why would you put AWS Outposts in your data center? Because the latency to the cloud is long and slow, and even edge computing is not that great. So by putting the server in your data center, now you've got a beautiful environment. Of course, you don't need to buy Outposts at all; you could just get a server from Dell, for example. And it'd probably be a lot cheaper, because you'd have to manage it yourself. But if you don't want to manage the server yourself, you can get the server from AWS. And because that way it's part of your own EC2 and your VPC, you could use the cloud tools to manage it, as opposed to the standard tools to manage the server, whichever is easiest for you.

So now let's talk about Comprehend, another machine learning service from AWS. Amazon Comprehend is a natural language processing service. And what happens: natural language processing is a machine learning and artificial intelligence service that gives computers the ability to interpret text or speech, similar to the way humans do, but not exactly. What happens is human language will be dissected into pieces, so that the grammatical structure of the sentences and the meaning of the words can be evaluated by machine learning. From there, natural language processing will extract critical elements from the data. Natural language processing can identify patterns as well as recognize the sentiments of the context, which is pretty cool. But we've got a long way to go with the intelligence to mimic human abilities for understanding language context. Natural language processing can help save businesses money, because it can automate processes. For example, recognizing client behavior and the preferences of voicemails and text, mining data from various sources, making it easier to extract useful information so that businesses can have a better understanding of the insights of the customers they're serving. For example, dissect the meaning of videos to see if there's any negative content that needs to be flagged, categorize documents. So it's a great way to use technology to look through your video content and all your things and text content, to see if anything's offensive, not good. Get a sentiment of your customers. It's great, these are great tools. Now, AI tools are not a replacement for humans. They are supporting humans, because the humans have the ultimate judgment. No machine learning tool has ultimate judgment, but it can parse through large amounts of information and help provide decision support, so the humans can actually make better business decisions.

Let's talk about Elastic Transcoder. Now this is a service for converting videos between various video formats in the cloud. It's an easy to use, cost effective, and highly scalable way to convert videos that somebody stores in S3 to some other format. Now, you can do this on your own, on your own servers. It can be done in the CPU and the GPU, but it's computationally expensive. So what is this really about? I could actually shoot uncompressed video and have a one terabyte file after 15 minutes of video. Now, I can't stream a terabyte inside of 15 minutes, because most users don't have the internet bandwidth for that, because they don't have a 10 gig internet link. So what happens is we take our video and put the video into a compression algorithm, typically called the codec. And the codec, which is not exactly the compression algorithm, but it's mostly a compression algorithm, will change that video format to, say, an MP4. And by doing it, it can take video that might be a terabyte and make it maybe 10 gigabytes or 20 gigabytes, that's packable and streamable and distributable. And Elastic Transcoder can do it for you on the cloud. So you don't need big Xeon systems or big AMD EPYC servers to do it. And these things, like I said, they're very computationally expensive. I can tell you, internally, when I need to transcode a video, I use a system that's got 64 cores, and a $2,000 GPU on it, and a half a terabyte of RAM. So you could buy a system like that, or you can pay to use a service like Elastic Transcoder. What's going to be the determining factor whether it's good for you or not is how many of these things you need to do and how often you need to run the system. So Elastic Transcoder is easy to use, because it's got a very clear workflow and predefined video formats that can be selected for lots of output devices. It's available in various AWS regions, and users can just transcode their content wherever it's stored, and users are paying only for the minutes needed to transcode the videos.

Let's talk about Polly. Now Polly is a cloud service that's going to transform text into lifelike speech. Dozens of voices are available in different countries. And it gives the user the ability to create a web page with somewhat realistic speech. We've all been to websites where it's got like some robot that's trying to read you an article, and it sounds sort of human. That's what we're talking about here. Polly's text to speech technology uses artificial intelligence to create natural sounding human sounds. Now, neural text-to-speech is a service that can improve the quality and get better with advanced speaking styles. It can be used to help people read through a document at a faster pace, or even narrate a book on the go. This can vastly improve productivity; many people can read much faster than they can listen. Other people can listen faster than they read. So this is a your mileage may vary. Now Polly can return audio as a real time stream, and this is going to make it ideal for a call center, because that way we can use reactions for problems during phone calls. Polly can be used as an announcer in a public transportation system, perfect for that kind of application, giving up to date schedule information that would be beneficial to the user or someone visually impaired. For games and interactive media, it can be used to basically react with tailored speech responses. Chris, did we reach 20 minutes where I should open some questions?
Continue going, you've got about two or three more language things to do.
Okay, let me do a few more language ones. Let's talk about Rekognition. Rekognition is a way to analyze videos and images using machine learning. Now this is kind of a cool tool. Amazon Rekognition is used for identification of individuals in a video, analysis of emotional state based upon facial expressions, identification of unwanted content in videos, the ability to search a video for a different person, labeling of images, detecting anomalies. Now, this is pretty cool because in real life, you know, there's lots of times where you get a lot of information. Think of it from a security perspective: you're in England, they've got a system that has cameras everywhere, and there's a threat. You can use something like Rekognition to kind of go through this burden. Think about your business; you want to make sure there's nothing in your business from your users that could be brand damaging, so Rekognition is quite helpful.
Let's talk about Textract. Amazon Textract is another machine learning service that can extract text, handwriting, and data from scanned documents (JPG, PNG, PDF). It's kind of like the old school optical character recognition, with machine learning to make it smarter. Amazon Textract works by reading and processing millions of documents using machine learning, which is a combination of various application programming interfaces plus learning all the stuff that's there. After reading context, Textract can extract text, handwriting, and information. Textract can automate document workflows using AWS Lambda functions, by making API calls. Using Textract makes it easier for companies or businesses that deal with a lot of documents to automate the processing and extracting of critical data in an easy and cost efficient manner. Textract is useful when it comes to the ability to extract critical business data such as applicant names, mortgage rates, and invoices.

Let's talk about Translate. This is a service that can provide translation of 25 languages from one form to another. It's an automated language translator. Some things don't naturally translate for real, and we humans actually have to basically come up with things. Like, if I were to say to Chris, open the lights, he'd look at me like I have four heads. But if I said to him, turn on the lights, we'd all know what that means. Remember, some things don't actually translate, and that's going to be your weakness with these kinds of things. Keep that in the back of your mind. So it's a service that will provide translation; it uses artificial intelligence and machine learning to try and translate as accurately as possible as time and demand permit. People of different languages can communicate despite their language barriers.
Translate uses neural networks to identify and intelligently translate the languages it supports. This helps in converting one language's audio to another language's audio. Basically what happens is you've got an encoder, and the encoder is going to read through the text word by word and then, theoretically, intelligently translate and process that data, so it understands what the text is supposed to mean. It's aided by a neural network node called an attention mechanism to best understand the text, and then it's got a decoder. And the decoder is going to use the semantic meaning to translate the words in the text for the intended output. Now Translate is a service that can be used to detect an input source language and tell the user, realistically speaking, what language they're using, to aid that and to enable a multilingual user experience in your application. It can translate company authored documents such as meeting minutes, technician reports, knowledgebase articles, and posts. So let's open it up for some questions. Actually, I'm going to talk about Alexa, and then we're gonna go to the question and answer session. What is Alexa for Business? Alexa for Business is going to improve the usability of conference rooms and offices by providing a more streamlined method of accessing your company's scheduled tasks and information. By utilizing Alexa for Business, companies can develop Alexa skills created or curated for their staff or clientele. Alexa for Business enables IT to centrally manage and deploy Alexa devices to be used by employees in shared spaces, etc., and can put it in a conference room, a huddle space, a phone booth, the lobby; any physical person in possession of a shared device can use it. Now let's go back to the AWS server, and actually, before we do, let's put in a good question. So before we go back to the content, if you guys can all give me a hashtag AWS Certified Solution Architect Associate.
Alonso is perfect: consider the cloud a timeshare. I like to view it as a hotel room inside of a big hotel. Exactly the best way to look at it. Again, I'm seeing this AWS Solutions Architect Associate, more AWS Solutions Architect Associate, actually from Cambridge, I love that, I'm going to Cambridge in a little while. Alonso, AWS Certified Solution Architect Associate, and Simas. There you go. You're down there using an abbreviation; no abbreviations for architects. But we're thrilled to have you here. So I'm most timeless, I actually had some engineer yesterday. And some of my other favorite things.

So let's talk about Elastic Beanstalk. Now, Elastic Beanstalk is one of those automatic things, and automatic makes people like me terrified. Basically speaking, Elastic Beanstalk provides the necessary tools for web deployment. What will happen is it will automatically deploy your tools. So what happens is you'll write some code, in either Go or Java or .NET or Node.js or PHP or Python or Ruby. And what happens is Elastic Beanstalk is going to manage and provision the environment for you. Then it's going to monitor the health of your systems and scale or not scale for you. Now, think about having something that's done for you: it's never going to be optimal. It's never going to be smooth; there's going to be whatever the computer determined for you. So it's like going to McDonald's and saying, I'd like a Big Mac, fries, and a Coke. It's never going to have that degree of customization as if your grandmother made it for you, or you made it on your grill, your wife made it for you, or you made it for your wife. So keep that in the back of your mind. All these automated systems are great because they save time. But you also lose something along the way. So let's look at the concept of Elastic Beanstalk. You basically put in your code, and poof, it automatically deploys it fully redundantly in a single cloud environment for you, for your web applications.

Now let's talk about Amplify. Now, Amplify is a service for the quick deployment of full stack web and mobile applications. And what happens is full stack applications are made in the front end, in which the user basically sets up their interface, and the back end refers to servers, code, and databases that make the app work. Now, a developer can create the application without needing to manage services, virtual machines, or storage. Yes, you don't have to do it. But what happens when you don't do it yourself? So let's talk about Amplify; it includes three main tools for development and testing. We've got AWS Amplify Studio, which is a web browser based visual deployment interface, and allows for simplified drag and drop configuration of the application's front end and back end. And then, of course, we've got the Amplify CLI, which allows command line development of the application's back end; of course, the developer can choose from up to 175 AWS services to build and support their application just by writing a few lines of code. With Amplify Hosting, they can update, push new, updated applications to the internet; code can be retrieved from a Git repository or Amplify Studio, and replaced and then deployed in CloudFront's content delivery network.

Now let's look at App Discovery. App Discovery is a service that helps enterprises migrate their on premise applications to the cloud. This service helps with business case creation and application migration planning. But business case creation is going to need to be done by somebody that knows business. This can give the people that are going to do this an insight, but no application can build the business case for you. Some of the data will be the cost of operating in cloud versus on premise. But look where the data is coming from: the cost of migrating information to the cloud, the cost of leaving your current infrastructure, the benefits of being in the cloud, the cost of doing nothing. Now, you know, I remember when I learned how to practice medicine, they were very careful: look at the source of the information. If you're dealing with a drug company funded study, chances are the study is going to be supporting the thing that's funded by the drug company. When a cloud provider is making something that's going to build a business case automatically for you, it's probably going to be biased towards them, meaning they may use overly high numbers for what they think it would have cost you to run your own systems, which may be accurate, or may be totally off. Now, App Discovery makes migration easier by allowing enterprises to make better decisions, because with this data companies can rapidly organize, track, and ship applications to the cloud. And what it predicts is the most efficient way. Again, analysis by the human mixed with App Discovery magic; one application by itself, not so good. Not looking at data, not so good either. So it's a combination; it should never be gut, it should always be data plus human intervention. And when we deal with AWS Application Discovery Service, it collects information like CPU, disk space, and network usage performance. Captured data can be used for the analysis of network efficiencies and deficiencies in your systems. A little more about Application Discovery: basically speaking, it's used to collect detailed information about an enterprise's on prem data center. It can then use this information to form the most efficient and cost effective migration strategy to the cloud. Keep that in the back of your mind: it's from a cloud provider telling you the cheapest way to do it. From this data, enterprises can determine total cost of ownership, benefits, etc.

Let's talk about AppFlow. Now, AppFlow is a bi-directional service, meaning it goes in two directions, that moves and synchronizes data from third party applications, Software as a Service, for example, like Salesforce or Slack, to AWS services without having to write code. The synchronization service, we've had these for a long time. All that's needed to do is to configure your data transfer requirements, and AppFlow will take care of moving your data between SaaS applications, SaaS meaning Software as a Service. Think about Microsoft 365. Think about, for example, salesforce.com, Software as a Service; Zoom, Software as a Service. By aggregating data from multiple services, companies can make observations, create hypotheses, and draw conclusions based upon the information that's been consumed. AppFlow can help determine the total amount of money a customer's spending on a business's products during their lifetime. AppFlow can improve operational efficiencies by connecting application services and processes and devices to automate workflows. And anytime we can automate workflows, theoretically speaking, you can reduce real world errors and reduce the overall cost of business. Now AppFlow modernizes data governance and clarity of the movement of your data between these applications. Uses for AppFlow are to quickly integrate your applications, to transfer your data at a massive scale, and automate your data security.

Let's talk a little bit about AppSync. Now, AppSync is a simple solution that enables multiple applications to be connected and synchronized with data from multiple sources, including databases, Lambda functions, and open source. Now, AppSync automatically manages and updates the data in web and mobile applications in real time, and updates the data for offline users as soon as they connect. By doing this, it combines all the data from multiple applications and simplifies the processing of transforming data to the cloud. AppSync uses a publisher-subscriber model to push or pull data from multiple sources. A template is used to define what data is going to be pulled from what sources. A little more about AppSync: AppSync is a simple solution. They really just move your information; it can synchronize your data from databases, Lambda functions, and open source. AppSync will automatically manage the updates from your web and mobile applications.
Now let's get into Cloud9. Cloud9 is an integrated development environment, which is software that pulls together common tools that are used to build applications under a simple graphical user interface. Now Cloud9 provides 40-plus programming languages, and provides developers with an environment with all the tools necessary to build, run, test and debug applications and software releases. Cloud9 offers the ability to develop, deploy and debug applications using a simple browser, and you don't even have to deploy the application delivery environment. Now, this integrated delivery environment will help save time in developing new applications, because there are not so many tools that need to be configured separately. They have automatic code generation and intelligent code completion features which cut down on the time, just like when you send a text and there's a predictive text that finishes your word for you. This is what Cloud9 is doing, and it can really save you some time here. Now, Cloud9 will also identify bugs in real time; it'll highlight certain things in your syntax. And this way, developers are not going to have to switch between tools, because they're in a simple graphical user interface. It's kind of a very nice tool. These features enable developers to have an organized workflow and solve problems when they arise.

Now we're going to talk about a service called CloudFormation, which has no place in today's modern world. Terraform has replaced it. By using Terraform, you can deploy something in AWS, Azure, Google, OpenStack, and Nutanix, all at the same time. By creating CloudFormation templates, which we're going to talk about next, you are locking yourself into only AWS, and making it harder to create a high availability, multi-cloud environment. But it's on your exam, so we're going to talk about it for the purposes of the exam. CloudFormation is an infrastructure as code service. It provides the means for you to template known good configurations of your systems. Meaning you've got a web server with a certain level of patching and a certain amount of information in it, and you can use CloudFormation to basically provision that server exactly, or provision all your things. Now CloudFormation would be great if it worked on multiple clouds, like Terraform, but it doesn't. But CloudFormation templates can be made with your simple text files or any of the supporting languages. It's Amazon's proprietary version of Terraform. Here's what it's going to look like: you're going to code your infrastructure, you're going to store your template in S3, you're going to launch that template, and it's automatically going to deploy your infrastructure exactly where it's supposed to be. CloudFormation templates are available for a multitude of options. You can write them from code from scratch, in either JSON or YAML format. YAML format, you'll recall, is typically used in Kubernetes deployments. The code is either stored locally or on S3. The code is then used by CloudFormation; you can use the console, the CLI, or of course the appropriate API or programming interface. CloudFormation will provision your system based upon the template. CloudFormation could deploy your templates across your infrastructure. And CloudFormation also has a concept of stacks: all resources managed by the CloudFormation template are called a stack.
Briefly, we'll talk about a new service called CodeArtifact. AWS CodeArtifact enables users to serve software packages used during application development. The software packages are stored in a repository, like GitHub, so they can be accessed for future reuse. The packages can then be simple files, reports, or logs. Why your company needs AWS CodeArtifact: it reduces delivery time by encouraging code reuse, just like we do. It's a fully managed service by AWS, so it takes the stress off the management, and there's no limit to the number of packages you'd like to store.

CodeStar is a service that assists in creating, managing and deploying software applications. This service facilitates using a central console that can be used to assign project team members to specific roles needed to access certain tools and resources by a centralized console. CodeStar offers a single dashboard that integrates software development tools, thereby making it easier for managers, developers and team members to collaborate on projects, so they can use the console to track software development.

Data Exchange. AWS Data Exchange is a data subscription service that allows the exchange of data between organizations. Customers can subscribe to various published data through the console. Data can be used to make data-driven decisions by using analytics or machine learning. With AWS Data Exchange, data providers can host data such as payroll information, debit card transactions, healthcare and demographic data for the use of AWS customers. Now, if it's going to be healthcare data, it's going to have to be de-identified data, because otherwise HIPAA rules will get in the way. You can't say Mike's medical record is this, but you can de-aggregate the data and find out that you had 600 people that had heart attacks, for example, and try and figure out what's going on.
A little more about Data Exchange: the data is produced as a data product that customers can subscribe to, and the data exchange is in the marketplace. Data in the AWS Data Exchange can be organized in these three ways: assets, which is just a piece of data; revisions, which is a container of one or more assets; and data sets, which is a series of one or more revisions. Data Exchange allows customers to migrate to the cloud with existing subscriptions by approved third-party providers.

Some more new services that are part of the new exams, associate and professional: Device Farm. AWS Device Farm allows developers to test their applications by using virtual devices available on the service, without the need to buy physical devices. So basically, using virtual devices, you can cover cross-platform testing, including iOS and Android, as well as web platforms. So instead of buying an iPad, you can use a virtual iPad to test your code. This is nothing new; we've been using things like this forever. AWS Device Farm allows testers and developers to test their applications in the following ways: automated app testing and remote access integration, for example. Automated app testing: users can upload and choose the application to test, select devices and operating system versions, and the number of devices that are going to be used for the test. Users can select as many virtual devices as possible, different operating systems as well, to get to the desired outcome. Remote access integration: users can set up a virtual device and interact with it while remotely achieving real-time outcomes. So if any of you have ever seen what some QA testers do in real life, you deploy something and then they create 10,000 fake users and use scripts to generate traffic and use other scripts to generate users. That's what this is doing. It's a nice way to simplify testing across a wide variety of platforms.
Let's talk about Forecast. Forecast is a machine learning tool to assist with business forecasts. It works in a time-based environment by analyzing data, oldest data first, to the newest data, to help businesses make predictions. That's the whole point of machine learning in the first place. Amazon Forecast works by using machine learning algorithms to combine historical time series data with other variables to build accurate forecasts, with the aim of predicting business outcomes accurately. To create a forecast project in Amazon, users work with the following resources: imported datasets, training predictors, and generating forecasts. Amazon Forecast is used when you want to predict business outcomes accurately. It's useful in fields like healthcare, retail, finance, hospitality; these things are useful anywhere, man, anywhere you take information, aggregate it and monitor it. So let's talk about where we would use it. With regards to operational planning, it can support business applications to predict amounts of web traffic, AWS usage, IoT sensor usage. We can use it for supply chain planning, for example, to allow businesses to predict how much goods and services they need to purchase and when they need it. We can use it for retail demand planning; it'll give business the opportunity to predict demand based on historical data and associated data, so businesses can adjust inventory and pricing, for example. And it allows businesses to predict requirements for staffing, energy utilization, and marketing.
Now we'll briefly talk about Global Accelerator. Global Accelerator is the way to get your stuff into the data center quicker. And what happens, Global Accelerator will use a built-in health check to make sure your endpoints are healthy. And what happens, it's a means to connect to the system. So let me whiteboard this out, how these things work. Typically speaking, these are done with an anycast environment. So let me share this. So I want you to think of this in the concept of routing. Let's say you're here, the user; let's say this is the user. You want to connect to an endpoint with AWS. Now let's normally say this is your closest endpoint. This endpoint is going to have an IP address, 3.3.3.3. That's where you're going to connect. And then let's say this is going to bring you on to the AWS cloud.

Now what's going to happen is we're going to create an IP address, that 3.3.3.3. We're also going to use something called anycast. Typically speaking, when we do something like this, you do something like this: let's say you have another 3.3.3.3 over here. And the other 3.3.3.3 is also going to be connected to the cloud. So the way this works is, if your user's over here, what's going to happen is your user is going to connect to this 3.3.3.3, because it's closer to them. Let me move the user up so you can see the user. So if the user's over here, they're going to use this 3.3.3.3. But what happens if this 3.3.3.3 goes away? Now this user is going to connect to the cloud over here, which is going to get them to the cloud. So what these endpoints are doing, if they're using a single IP address, this is called anycast. You'll see it widely used in IP multicast routing. You'll see it used in DNS. And it's creating multiple devices with the same IP address. For us, because we're using the same IP address for each one of these devices, which is really cool, we'll only be able to reach the closest one. And what's going to determine the closest 3.3.3.3 for us? Let's move this stuff up. Let me move some of the stuff over a little more, to try and make it a little more clear to you, because let's say there's a couple of 3.3.3.3s on the screen. What I'm trying to do is make this picture clear for you guys. And we're typically going to have multiple endpoints when we deal with a Global Accelerator. And the goal is to get us to the closest one. Now, if we happen to be over here, in this particular use case, this 3.3.3.3 is here. But what happens when this 3.3.3.3 dies? Trust me, all technology dies. Then we want to go to this 3.3.3.3, then we're going to be taken to this 3.3.3.3, we will go here. And if this was dead, we hit the other 3.3.3.3, right? So that's really what we're talking about with Global Accelerator: we're finding an entry point to get you on to the AWS network, and we want to find the closest entry point. But we also want to do it in a high availability manner. And that's why we're using anycast, because if any one of these goes, that's going to be there. Now, how are you going to determine what's the closest 3.3.3.3? Well, if you're on your computer, you're going to have a default route. Your default route is going to take you to your internet router. And either that router is going to have a default route and use your ISP's information, or you're going to have an internet service provider which is going to have BGP, and BGP will determine what's the closest 3.3.3.3 for you, on your routers. So that's kind of the way this kind of works.

Let's get back to the content. We've got an ambitious agenda for another hour and a half today. If you can, give me a hashtag AWS Certified Solution Architect Associate. And for Brent, who just got a new keyboard, maybe you can give it to us twice, because you weren't able to type for the rest of the week. And so now you have a new keyboard.
So let's get into Managed Grafana. Grafana is a service that's used to enhance productivity while making use of Grafana applications, by taking away the burden of self-hosting, because it's a managed service. Grafana is an open source analytical platform that's used to visualize, query and understand metrics stored anywhere in your production data center environment. It's going to be serverless, which means you don't have anything to manage, and so they say it's serverless and secure. Users can instantly query, correlate and visualize operational metrics and traces from multiple sources. Now, we're dealing with Managed Grafana; it's going to be highly scalable, and because it's managed for you, you don't have the burden of upgrading your platform. Now, Managed Grafana provides a single dashboard containing all of your resources and tools. It's a highly interactive data visualization service for monitoring real-time data. It allows for the easy integration with open source tools, AWS tools, or third-party tools, and common data sources. Now, Managed Grafana supports SAML, Security Assertion Markup Language, which is widely used everywhere, like Active Directory. It's highly secure, sharing data privacy and protection. It eases the stress of licensing and removes periodic licensing with Grafana, because they manage it for you. Now remember, they manage it for you.

OpenSearch Serverless. OpenSearch is an open source service that allows users to search, analyze and monitor large volumes of data from multiple sources. It's going to incorporate visualization tools that provide information on unstructured and semi-structured data. In addition, OpenSearch integrates well with analytics, machine learning and other mining tools. When data is captured and fully loaded into OpenSearch, it's going to use built-in services such as Kibana, full-text querying, autocomplete, or scroll search to search, visualize and analyze logs and get real-time insights into your data. And it can reduce operational overheads because it's open source, it's somewhat managed for you, and it's easy to use.

Let's talk about another AWS service. It's a new one called Proton, which is an automated application delivery service that focuses primarily on containers and serverless workloads. Proton enables platform teams to enforce and control best practices in your underlying infrastructure. Proton is a service that separates the infrastructure and its code to promote effective collaboration between infrastructure teams and development teams. Proton provides the offerings of infrastructure as code, CI/CD, monitoring, and an efficient way for dealing with containerized and serverless applications. These templates can be used to replicate across various development, staging and production environments. And users will have full capacity to manage, update and troubleshoot as appropriate. This deployment is really a workflow tool for modern applications to help DevOps engineers achieve more organizational agility.

Now, we're going to get into something that's really cool: VMware on AWS. Now, there's VMware on all the cloud providers. And this is really an infrastructure as a service platform that basically offers a complete software-defined data center on AWS, on Amazon bare metal servers. So realistically speaking, you've got two options. When you go to these clouds, you can use their management console and all their stuff, which for many people is new to them. Now, most data centers for the last 20 years have been using VMware. They're fully virtualized, fully hyper-converged, just like a cloud. And everybody knows how to use them, and we're all comfortable with using them. And then when we go to the cloud, our cloud providers make up silly terms, such as Elastic Compute Cloud, Compute Engine instance, and all these things, which confuses customers. So now AWS and the main cloud providers say, hey, you can just use the same VMware stuff on our cloud. So basically, what happens now is you can now use VMware on the cloud, use the same beautiful, elegant VMware interface that all your people have known for the last 20 years, and not have to deal with any of those AWS Management Console or CLIs anyway. And while AWS can say, hey, we made a light mode and a dark mode, who cares, we're trying to do these things. This is basically letting your users use the stuff they've used with all the control they've been using forever. I'm going to take their virtual machines from their data center to the cloud; they don't even need to convert them now, because they're going to just move them directly, basically. So now let's use the simple VMware user interface, that same vSphere, all these kind of wonderful VMware tools that people have used. And now they can easily push this on multiple clouds all at the same time, with an interface that's known. That means no real retraining of your users, because they're going to do the same stuff they've ever done. And this means they're going to use the same VMware servers, the same vSphere, the same VMware vSAN, the same VMware NSX virtualization technologies, all in the data center, directly in the cloud; nothing new to learn. So VMware on AWS, as well as VMware on the other clouds, will enable enterprise IT operations to continue to use their great services, now in the cloud. So now they don't have to buy their hardware, but they can still use it the same way they always have. This is a really great service. The offering enables customers to quickly and confidently scale up or down the capacity with minimal friction and simplicity, with ease. The service is optimized to run on dedicated bare metal servers, so you'd be using the VMware hypervisor as opposed to the AWS hypervisor. Very simple migration, very fast disaster recovery, flexible in every way. And basically, hey, you get to use your same VMware now on the cloud, nothing to learn whatsoever, kind of making learning all these services somewhat irrelevant, because now you can do it all on VMware the way you always have, but without buying the servers. So that's what VMware is on all these clouds: simple and elegant, and lots of customers are going to take advantage of it. Of course, if it's a new customer, they could go straight to the AWS EC2 version. But if they've got this and it's deployed and their team knows about it, it makes it simple and elegant; they don't need to hire or cross-train new people to do the implementation.
Let's talk about AWS Wavelength, and that typically exists outside of an AWS data center. So with Wavelength, users can create their virtual machines, otherwise known as EC2 instances, block storage, otherwise known as Amazon Elastic Block Storage, and Amazon Virtual Private Cloud subnets in an AWS Wavelength Zone, and use services that orchestrate, for example, Elastic Kubernetes Service and Amazon Elastic Container Service. What we're going to be dealing with is infrastructure that's going to be deployed on 5G communication provider networks. And this is going to be useful when you've got a low-latency environment, such as streaming applications and things that are going to be out there. Wavelength is really an infrastructure deployment embedded in a telecommunications provider's facility, like a 5G network. So this can be compared to a local zone that works with an availability zone, but with low latency. Before AWS Wavelength, what you would have had is application traffic would have to travel from the device to the cell tower, and then to a metro aggregation location, and then it could go to the internet before it could reach into AWS. These network hops, anytime we're dealing with hops, can add milliseconds of latency. And by doing it this way, it's going to be closer. So, think of IoT devices that are going to go straight to this Wavelength thing pushed on the 5G network and back to the cloud. So there's lots of use cases for this.

Amazon X-Ray. X-Ray is a tool used to troubleshoot and identify root causes of performance issues with AWS services. X-Ray looks at your application programming interface requests as they travel through your application and produces a map of your application. Developers can use AWS X-Ray to analyze and debug their applications. X-Ray will provide a full picture view of the request passing through user services, and it helps see who made the request to the service, when the request was made, and when the request came back. X-Ray is going to work by collecting data from the applications or services running in your system, and it will then aggregate or combine that data to form traces of each system. Next, what'll happen is X-Ray will create a service map, or visual representation, that can be used to trace, debug or even troubleshoot each service. Users will be able to further drill down on each service to identify the root cause of any issue facing their application. Some benefits of using X-Ray are for auditing purposes, to trace requests made by your applications, to create a detailed service map of the applications running in your system to help find bottlenecks in your architectures to improve performance, and to help us identify the security posture by encrypting all traces and to identify all traces.

Okay, so now let's get into something funner. And yes, I know "funner" is not a perfectly good piece of grammar. So wake up, everybody, we're gonna go talk about containers and container orchestration. So before we do, I want to know that you're awake, and just to know you're awake, give me a hashtag solution architect or a hashtag cloud architect. And then we're going to talk about containers, which is one of my favorite things, because virtual machines and containers are the basis of all computing in today's world.
And while we're waiting for that to come in, you know, Anakin, your question in there is quite real. All this machine learning, how fast does it become Skynet and the Terminator movies? Well, it depends how fast these things get used, whether they get used, whether they get checked, whether people get wild and crazy with them. But automation can be great. FET me says Cloud Architect, good to see you. Governor, I'm loving what I'm seeing, and Solution Architect, Cloud Architect. I knew you guys are awake, alert and oriented. And I do like containers. And actually, before we get to containers, I've got the perfect visual for a container that's going to explain the concept. And then after we deal with the visual for the container, we're going to start talking about containers. But let me get my container visual ready first, because I had a really good container example before. So let's talk about containers. Before we get into containerization, I'm going to just share my perfect representation of a container. Okay, so here we go. So before we get into containers, here's what a container is. Normally speaking, with a virtual machine, what are we going to have? We're going to have a server, it's gonna have its own operating system, it's going to have the application dependencies and the application. Here, before we get into containers, here's what we have: we have an application. The application is represented by the beautiful Cindy the cat, who's sitting inside. Now if you notice, the cat put herself in the basket. The basket is the container. So basically, with a container, and we'll talk more about it, we're going to steal parts of the operating system or libraries from the operating system, and it's a fully contained application sitting inside of a container. Now I can take that container from one Linux system and pop it on another Linux system by using the same Linux libraries. This is how I view a container. Like Cindy demonstrates, containers are everywhere. And let's talk about containers. And everybody give me a hashtag Cindy. Well, I started talking about containers because Cindy is the best container teacher I've ever met in my entire life.
So while we talk about containers, there's going to be two or three ways we can orchestrate our containers. Now the first one I'm going to give you is AWS proprietary, and you probably should never use it in reality, because if you do, you're going to be in trouble when you have to use Azure and Google and Nutanix and OpenStack. Now let's define a container. It's a newer, more modern, lightweight version of a virtual machine. So in a virtual machine, we have the entire operating system. Every time we've got a server, as I showed you on the first day, we have our hypervisors, and then we have a virtual machine; each virtual machine has its operating system, application, dependencies. Now a container is just like Cindy, beautiful little Cindy; they're sitting in the container, and it's just the application. That's all we're doing. So by using containers, they're faster, they're lightweight, and we can use much less computing power. Now, when we deal with containers, something needs to orchestrate these containers, and we need to separate them. So we'll talk about container orchestration in a minute. But what are we really talking about? In this particular environment, we've got our physical server, we've got our operating system, and then we've got a container on the operating system, a container on the operating system, another container on the operating system, and they're all isolated on the same operating system. So let's talk about the strengths and weaknesses of this approach. If container one crashes, it's completely isolated from container two. So container one crashes, guess what? We've got no problem with containers two, three, and four. Now, everybody in the chat box, I want you to tell me this, because I need you to understand this. What do you think happens if the host operating system crashes, to the 1000 containers that are sitting inside of this system? Everybody tell me in the chat box, what's going to happen if the operating system crashes, and I've got all these containers in the system? I want to make sure you understand this very critical concept. Good job, Alex. Boom, all containers are gone. Lady Godiva, you're gone. Abigail, bye. Yes, all data lives are lost, everything is dead. That's the whole point. So you know containers already: every technology we use has its strengths and weaknesses. Containers are beautiful, because they're lightweight. But if that host crashes, everything else is dead. So kind of keep that in the back of your mind. It's good. It's good. We love them. There's a strength and weakness to every approach. If a virtual machine's operating system crashes, guess what, we only lose that virtual machine and its application. If we have 1000 containers on a big giant server, they're all gone. But containers still make sense in most cases. I'm going to tell you right now, when they do certification, they'll tell you you can just migrate a container everywhere. Well, if you develop the container on a Macintosh, you can't put that container on a Linux machine. You also can't put it on a Windows machine. If you have a Windows container, you can't put it on a Linux machine. If you've got a Linux container, you can put it on any Linux server, or you can actually put it on a Windows system that's running the Windows Subsystem for Linux, because the Windows Subsystem for Linux is a Linux kernel that's added to Windows. So keep that in the back of your mind: containers are portable, but containers borrow things from the operating system. And therefore a Windows container must be deployed on a Windows system; a Mac container, or macOS container, must be deployed on a Mac. And somewhere along the line, we've got to orchestrate these containers. So if we're going to have containers, something needs to determine whether the containers need to grow in size, or control them. So let's talk about this, where you're at. One way that you can manage them, which I strongly don't recommend you ever use, as
14636.939 -> the AWS elastic container service. And the
elastic container service is 100% proprietary
14637.939 -> AWS only fully managed container service.
They'll they'll tell you it's high availability,
14638.939 -> which they call 99.99% available. That means
that you'll have one hour during the year
14639.939 -> expected 15 minutes a year where your systems
won't work. That's best case scenario. Some
14640.939 -> of the cloud providers and crash. Now, Alaska
10 container service is going to be deployed
14641.939 -> in your VPC, which usually means since it's
in your VPC, you'll be able to use access
14642.939 -> control lists like knuckles and security groups
protect your systems. And Elastic Compute
14643.939 -> Cloud can work with fargate, or virtual machines,
and I'll explain to you what they are. So
14644.939 -> here's the way you would typically build your
containers. And this is the same with a Kubernetes
14645.939 -> environment, or this proprietary AWS EC elastic
container service ECS which locks you into
14646.939 -> AWS. If you use this elastic container service,
it's going to manage and orchestrate your
14647.939 -> containers. And you're gonna have to build
your containers. You're gonna have to put
14648.939 -> your containers in a virtual machine. You'll
manage your virtual machines, and then you'll
14649.939 -> manage your applications and then containers
and you're going to pay for your virtual machine.
14650.939 -> Now if You want to run this in a serverless
environment, which you could also do, you
14651.939 -> could run your Elastic Compute Cloud with
fargate. And what is fargate fargate is an
14652.939 -> AWS managed serverless environment that host
your platforms as your platform. Because it's
14653.939 -> serverless, it means you don't need to manage
your virtual machines. Now, potentially, when
14654.939 -> you go serverless, it can often be cheaper.
Because with a virtual machine, you may be
14655.939 -> buying more capacity than you need, where
when you go serverless, you're not so but
14656.939 -> also when you go serverless, you have much,
much, much, much less control over your systems
14657.939 -> and your performance and your security. And
you're now part of a shared service where
14658.939 -> if the shared service gets hacked, you get
hacked, for example, Microsoft was just hacked.
14659.939 -> And what was it 65,000 of their customers
information that was hacked, I mean, lots
14660.939 -> of information. Because then one of the server
less cloud managed things as the call gets
14661.939 -> hacked, you get hacked to, or at least it's
a possibility. But with server lists, you
14662.939 -> don't have to manage it, which can make it
simpler. So it's an architectural trade off,
14663.939 -> do I want more control don't go serverless,
do we want more performance don't go serverless?
14664.939 -> Do I want simplicity and elegance and lack
of control, less work to do? Go serverless.
14665.939 -> So fargate is kind of that kind of that environment
where it's serverless, container orchestration,
14666.939 -> or serverless container hosting. So instead,
if we wanted to use fargate, versus a virtual
14667.939 -> machine, we've got the same elastic container
service, which is proprietary, which means
14668.939 -> you probably shouldn't use it, managing your
virtual machines. And we'll build our containers
14669.939 -> to find the required compute capacity. And
it'll be managed in this serverless platform.
14670.939 -> So potentially cheaper, much more agile. Now
we can put our containers in a traditional
14671.939 -> virtual machine called an EC two instance
here can be the same thing. If we were on
14672.939 -> Azure, we can put them on Azure virtual machine
on Google, they can put on a Google Compute
14673.939 -> Engine, it's the same concept. And if we need
more control, obviously put it on a virtual
14674.939 -> machine. If you're looking for simplicity,
stick it in a serverless environment, you
14675.939 -> and your business can determine exactly what's
needed. Now, if elastic container service
14676.939 -> is this proprietary service that I strongly
don't recommend you ever use. What would I
14677.939 -> recommend you use Kubernetes, why Kubernetes
is an open standard. You can build your beautiful
14678.939 -> Kubernetes clusters with your own servers,
take one server in your data center, one server
14679.939 -> in Azure, one server and AWS one server in
Google, you can have your multi cloud container
14680.939 -> orchestration, single cloud goes down, who
cares, you're still up and running, and your
14681.939 -> three other clouds, multiple control, your
cloud provider raises your rates, guess what
14682.939 -> you can leave and go to another cloud, your
cloud provider kicks you out. And we've seen
14683.939 -> cloud providers kick businesses out of their
business nearly bankrupting them overnight.
14684.939 -> If you're using Kubernetes, no big deal, you
can pick up your containers and move it to
14685.939 -> any cloud at a moment's notice. Now, if you
didn't want to build and manage your own standards
14686.939 -> based Kubernetes cluster, but you still wanted
to use a standards based process. This is
14687.939 -> where the elastic Kubernetes services. So
it's a fully managed Kubernetes container
14688.939 -> management service, which means you don't
have to build your own cluster. Now, elastic
14689.939 -> Kubernetes service is now in a single column.
So if you use multi cloud in the single cloud
14690.939 -> goes down, well, you got nothing. But if you're
looking for simple and elegant in the AWS
14691.939 -> code, and you're looking for something that
can work that standards base for your future,
14692.939 -> you elastic Kubernetes service is still a
very, very good option. It's an open source.
14693.939 -> Kubernetes, as you know, is an open source
container management platform. It's the standard
14694.939 -> container orchestration platform in the entire
world. And elastic Kubernetes service is similar
14695.939 -> to the elastic compute service, which we just
talked container service, which we just talked
14696.939 -> about. But it's a standard. It's not proprietary
whenever you want innovation, never use proprietary
14697.939 -> because now you can migrate to different clouds
or anything. Now with elastic Kubernetes service,
14698.939 -> we can host our containers in two places.
They can post it on a beautiful virtual machine
14699.939 -> if we need extreme control. Or we can post
it on fargate. And there's nothing to worry
14700.939 -> about. Because it's giving us a premade platform.
So let's look a little bit about the elastic
14701.939 -> Kubernetes service. We create an E Class P
E ks cluster, elastic Kubernetes service cluster
14702.939 -> is cluster is our orchestration platform.
And from there we can stick with server lists,
14703.939 -> which is fargate or Amazon Usutu. Which means
virtual machines and all cloud providers have
14704.939 -> the same service. Of course you could build
your own Kubernetes thing. Now if you build
14705.939 -> your own Kubernetes Then what's the weakness?
Well, the weakness is this, you've got to
14706.939 -> manage the Kubernetes cluster, which means
you need to have someone smart enough to know
14707.939 -> what Kubernetes is, and how to manage it.
But when you do that, you get much, much,
14708.939 -> much more control over your environment. And
you can create a higher availability system
14709.939 -> by using an unmanaged Kubernetes cluster.
We've got your own servers and multiple clouds
14710.939 -> all at the same time.
Now let's talk about another cool Kubernetes thing, Elastic Kubernetes Service Distro. And this is a service that's going to enable users to run container applications, containers, applications in their data centers. What is it? It is Kubernetes. Now this enables users to create a Kubernetes cluster with the exact version of Kubernetes used in AWS EKS. The main difference between EKS and EKS Distro is that EKS is fully managed on AWS, where EKS Distro is basically a download of the AWS version of it. By using EKS Distro, users can deploy clusters in their data centers that exactly match AWS. EKS Distro can be used for hybrid clusters if users want Kubernetes clusters that span their data center and the cloud. For example, when you need to use the cloud for extra capacity, you can use EKS Distro. EKS Distro could also be used for disaster recovery: you could set up AWS EKS to be the backup data center if your own data center goes down. Of course, you don't have to use anything proprietary like this, you could create your own EKS, or your own Kubernetes environment with your own servers and not get locked into anything. You just have to know how to install Kubernetes and set it up, where EKS Distro gives you a very beautiful, simple, like click-click-button install. So it's removing the need to actually understand what you're dealing with.

Now let's talk about Elastic Container Registry. You may have been familiar with the interface of, say, Docker and Kubernetes. Where basically speaking, we had Kubernetes managing the container and Docker as a host, as basically a container runtime module. Docker to some degree is being phased out by Kubernetes. But let's talk about what this is. The Elastic Kubernetes Registry is a product that stores and manages the Docker images that are deployed on managed clusters of EC2 instances. The Elastic Container Registry allows developers to save configurations quickly and migrate them to a production environment, which is going to reduce workload, overall workload and time. The Elastic Container Registry provides a command line interface and APIs to manage repositories and integrated services, such as the Elastic Container Service that manages the infrastructure that supports containers. The Elastic Container Registry is a secure, scalable and reliable service that accesses and distributes your application images faster, reduces downtime, and improves the availability of your containers.

When to use EKS Anywhere. Basically, you're using EKS Anywhere, Elastic Kubernetes Service Anywhere, because it's going to simplify customers' on-premise Kubernetes deployment via management, configuration, auto scaling, that offers a consistent, reliable Kubernetes cluster environment with your on-premise. Better than self-managed? I don't know that it's better than self-managed, they will tell you that it's better than self-managed because they manage it for you. Personally, when you self-manage things, you can always do better. Again, it goes back to, can you cook a better steak than you can get at McDonald's? You know, mass volume can never be done as nice as precision and one-on-one things. But precision one-on-one things take a lot of time, effort and money. And when you use EKS Anywhere, it's going to reduce your support cost, because it's going to help you reduce third party application tools. It's open source. And it's going to make it a lot easier when somebody else has done the hard work. A little more about EKS Anywhere: it's a customer managed service that's going to allow customers to create and manage Kubernetes clusters with optional support, just deployed as an installable package that simplifies the creation and automates the management of these clusters.

Okay, we're gonna get next into IoT services. I think I talked about some AWS services. And I think I talked about some Kubernetes things and container things. So now let's get into IoT services. Well, I've been working with IoT stuff for 15, 20 years. Now, when I was at Cisco, we were starting to work with all these little IoT-enabled sensors that were going to be out there, that were going to be weather sensors, all kinds of sensors. Now IoT is everything from your refrigerator, because it's IP enabled, your cable box which is IP enabled. The little sensors, we can watch the beach and see what's going on at the beach, things like that.

So AWS accordingly has a bunch of IoT services. So let's begin with AWS IoT Core, which is a cloud service that acts as a communication gateway, message broker and device application interface for internet connected IoT devices. It is the foundation for Amazon's solution offerings that come to deploying, managing, analyzing and maintaining an Internet of Things infrastructure architecture. As we discussed, IoT Core is going to provide a scalable and fully managed solution that's gonna supply secure connectivity from devices, rule based IoT traffic manipulation, command and control. Really, what it's doing is it's going to enable your back end fleet of cloud services. It can reduce the operational burden for your IoT devices by providing a platform that supports the communication and management. This service facilitates the communication from device to cloud services, applications and other devices. What's going on is it has built-in authentication and authorization, a RESTful API, which is basically a programming interface for command and control capability. Multiple IoT communications protocols are going to be supported because these things use lots of communication protocols. And you can create an access list to determine who or what can or cannot access the systems. And it's going to provide a registry to store the data.

A little more on IoT Core: the service is going to be beneficial in a situation where there's a need to connect a fleet of IoT devices, think weather sensors, or airplanes that are constantly transmitting their information to the back end cloud services. This kind of access can give users the ability to process, analyze, and make actionable decisions from the IoT data quickly, within a millisecond timeframe. Now this service can handle a device fleet ranging from a single device to billions or trillions of devices. When we're dealing with these kinds of IoT devices, we're dealing with stuff coming from everywhere. Let's look graphically at how some of these pieces work together. We've got an IoT device over here on the left, we've got some RESTful APIs that are sitting up top, we've got some internet connected devices, and they're all going to be talking to each other through the IoT Core environment.
Let's talk about device management. IoT Device Management is a device inventory and management service for Internet of Things connected devices. Organizations using the AWS Internet of Things Device Management service can easily register device information and configurations, organize and inventory their devices, monitor them, and remotely update their software and firmware. IoT Device Management helps to track, monitor and manage an entire connected fleet. And by doing so it can ensure that all IoT devices work properly and securely after they've been deployed. Device Manager provides the ability to access securely and get information about device health and defects. By getting this you can remotely troubleshoot product problems while you're managing software. I'll talk about opportunities to use IoT Device Management. Remote fleet monitoring: let's say you want to monitor your equipment's metadata and set a policy to change, like a service alert, so you can see what's going on. You want to perform bulk updates or control the deployment velocity, do some over-the-air updates like firmware and bug fixes. You want to define steady jobs for automatic updates. Let's say you want to create logical groupings of devices, for, say, sensors in a specific area, to organize and target a fleet of remote actions with a few clicks.

Now let's talk about IoT Events. Now, this is going to be a cloud service that continually monitors data and applications and equipment for any changes in daily operations. If an event is going to occur, it's going to trigger a response. IoT Events runs in the serverless environment, so there's no host. IoT Events monitors ongoing data from IoT device sensors and applications to integrate with other services like IoT Core and AWS IoT Analytics for early detection. This will help you gain insight and take action against your data. This service will help manage the state of your devices. A little more on IoT Events: it's going to monitor equipment for failures and operations. And if you've got a device that fails to continue, or an event, you know what to do about it. Users will be able to take input from multiple sources and will be able to move device data using, like, IoT Core and collect analytics from IoT Analytics, so it gives you kind of the things that are going on. Analytics can take the input and run that data on the edge of your systems. Users can also route sensor data to IoT Events. So realistically, IoT Events is consistent with processing messages, consistent with real-time reporting. Actions take place in real time, and IoT Events simultaneously monitors multiple applications and sensors to detect critical events. IoT Events also makes it easier to deploy, detect and respond to events that happen across multiple devices, equipment, systems and applications. IoT Events will assess the behavior and performance of the devices and identify issues based upon what is being used and when. IoT can help an enterprise therefore understand the conditions of their equipment; it takes more than a single sensor to get this kind of information. Obviously, IoT Events can learn new insights that will help you automate your operations faster. And by automating things you can reduce costs. Potentially reducing costs and making better decisions faster can increase revenue and decrease expenses, which can enhance profitability. IoT Events can help identify root causes with device sensors and applications. And IoT Events will enable organizations to really focus on their business operations, and less about the IoT, because it's a managed service.
Let's talk about the IoT Things Graph. AWS IoT Things Graph is a service that's there to enable non-developers to visually create workflows between physical sensors, physical assets, and web services. By doing so we can basically build a network across physical and virtual things. With IoT Things Graph, we can quickly build IoT applications by connecting devices and web services from different vendors. And of course, when you're dealing with IoT devices from different vendors, they're going to speak different protocols, and IoT Things Graph can help do that. Basically, Things Graph gives you a visual editor that we can use to wire things together, such as web services in a workflow, web services in a step called the flow. I like to call it a workflow. And because it's basically a hosted environment, you're going to pay for what you use, as opposed to just paying for the system, like if you built it yourself.

Now let's talk about AWS IoT Analytics. This is stored data. But why are we using it? We're using AWS IoT Analytics because it's a fully managed service that enables users to collect, manage and ingest data from millions of sources. It's going to provide us a solution for collecting, processing and analyzing data in real time. Anytime we can analyze data in real time, we can make better business decisions, which means potentially greater profitability. IoT Analytics can help enterprises and device manufacturers quickly and easily gain insights into their data by collecting, filtering, and transforming things. So let's talk a little bit more about AWS IoT Analytics. The benefits of why we might use something like this: it's going to help by storing data in an optimized manner, so we get faster response times. It can prepare data to be easily processed and analyzed. It can be managed as a pay-as-you-go service, which some people like, because that way they don't have to buy anything ahead of time. It's going to help the organization build applications that monitor in real time. It's going to be able to help monitor the efficiency of different processes for improvement.
Okay, now we're gonna get into cost management, at least as it's taught in the context of an AWS certification, versus cost management in the context of reality. Because this is what you need to know for your exams. In real life, we would obviously teach you how to do this in our architecture program, but this is a certification course, so we must do it the AWS way. When it comes to managing costs, we must understand that moving to the cloud can have a profound impact on a customer's costs. In many scenarios, going to the cloud will be cheaper. In some scenarios going to the cloud can be far more expensive. So what's going to determine that? How the user uses the systems, the capability of their systems, the performance of their systems, the engineers they have, the architects they have, the technology people they have, where those employees actually are. In most cases, moving to the cloud is generally cheaper, but not always. And that's where you're seeing a lot of work in IT: companies first went all in to the cloud, and now they're pulling half of that stuff off the cloud, putting it back in their data center, and they're still using the cloud. But they're building their own clouds, and they're creating multi-cloud solutions. I want you to understand the difference between the two.

There is definitely a capital structure change, maybe. Here's the capital structures. When you have a data center, you have predominantly capex, capital expenses, something I buy. A car is something I buy. I buy it once, and I can keep it for years, 10 years, 20 years, depending upon how good the car is and how well it's maintained, right? That'll determine how long I can keep my car. Now, when you rent a car, if you were to go to the rental agency every day, it might be cheaper, it might be more expensive to rent the car, because the cloud is just renting. Now what will determine if it's cheaper for you to buy the car and maintain it yourself, or rent the car? How much do you drive the car, for example? What kind of car is it? What the rental agencies charge versus what it costs you to buy it, the kind of deal you get when you buy it. So these things are not simple. But you need to understand, what we're talking about is a shift from a capital expense to an operational expense. And many people think this is a good thing. It could be, it could be a disaster.

So for example, in our case, it was $10,000 to buy our stuff, where the cloud providers were looking for around $11,000 pre-discount for us to do it. Now, I just wrote a check and paid for the $10,000 of servers, it was no big deal. But businesses don't write checks, they finance things. So when you're building a business case as an architect, which is something I can't teach here, you have to teach it in our architect program, you're gonna have to look at the organization's weighted average cost of capital, and what it costs to finance it versus what it costs to use the cloud, which is effectively leasing. So this is going to be that lease versus buy decision.

And let's talk about why the data centers are so capital intensive. Well, there's a lot of stuff to buy, a lot of it. So first, with a data center, you gotta buy the real estate, right? So now you got to buy a big building. Now, the buildings aren't designed immediately to be a data center. You're gonna have to buy your servers, you're gonna have to buy your routers, you're gonna buy your switches, you're gonna buy your firewalls, you're gonna buy your load balancers, your racks, your power environment. And look, data centers don't have power failures, because you're going to be bringing in multiple power transformers, ideally from two power companies. We're going to be having generators, we're going to be having backup generators, our UPS systems and battery backup, we're going to be dealing with data center cooling equipment, and it's a lot of things. Simply go to the cloud, and you don't have to buy any of that stuff. But we pay far more for each service. Now in the data center, we have a big staff, you need a bunch of expensive Cisco Certified Internetwork Experts like me to make sure the network actually works. You need a lot of people to manage the physical servers themselves. Lots of people do parts replacements when things happen. You don't deal with that in the cloud; definitely, there's no parts replacement in the cloud. Somebody does it for you. Now in your data center, trust me, these things generate some sky-high, scary electrical bills, things that you can't even imagine. And then of course, we've got to buy our wide area network connections. I've worked with customers who have spent hundreds of millions of dollars a year just for their network, going from point A to point B. Now in the data center, the majority of our costs are equipment. That's where the capital expense is. We still have operational expenses related to running this stuff and our people. But the primary cost of the data center is capital cost, purchases. And when we go to the cloud, there's nothing to purchase. But we pay far, far, far more for the use of everything we use. And on the cloud, we pay for everything. Like in the data center, you don't pay for data transfer charges in your wide area network; in the US, you got a 10 gig link, you don't have to pay to use it. On the cloud, you get a 10 gig link, you have to pay for the link, you have to pay a daily fee for the link, and then they charge you to use the link that you just paid for. So you know the costs are different. So it requires somebody with real business acumen to make a decision whether the cloud makes sense or doesn't make sense, or whether part of the cloud, part of the data center. But for the purpose of your exam, in the cloud there's minimal equipment to purchase, which means there's low capital expenses, because there's nothing to purchase, or almost nothing to purchase. But remember, the ongoing costs on the cloud are sky high. So for most organizations, done properly and architected properly, which we're going to tell you I'd say two thirds get wrong, the cloud will have a lower total cost of ownership, because even if you're paying so much more for the tech, you're paying so much less to operate it and maintain it.

Now when it comes to managing costs, here's the thing: provision only what you need. See, here's where we can gain some benefits on some applications in the cloud. In the data center, we must provision for the worst case scenario. In the cloud, we can purchase on average use, and use autoscaling. So that autoscaling thing and the agility of the cloud, being able to take a virtual machine and create it in six seconds, as opposed to calling Dell and ordering a new server, that agility is pure transformation for business. Step two, properly size your resources. So use whatever the minimum amount that you need is, and then use auto scaling to scale out as needed. Don't over provision. How can you further reduce your costs? Decouple them whenever possible, decouple your systems. So we showed you how using an SQS queue, or an Apache Kafka queue, can reduce the need for bigger databases by smoothing out things that are going on. We showed you how using caching can reduce the load on your servers, and you need fewer of them. So by decoupling things in your architecture, you can put them together into an environment that can totally reduce your costs, many of the times. Step three, use the right platform. What I mean by this is, you know, when we looked at our 10 cloud servers, and we paid 10 grand for the servers versus 11 grand a month, that was on demand. Now, we could have reserved them, and committed to buying them three years in advance. And instead of paying $360,000, or four, or like $380,000, for our systems, instead of the 10,000 that we paid to do it ourselves, potentially speaking, we could have got a 40% discount, knocking it down to maybe 200,000. Now we have to understand that just because I built the cloud for 10 grand, and it would have been several hundred thousand on the cloud, doesn't necessarily mean my 10 grand was cheaper. Because why was it cheaper? Because I have the firewalls here, I have the networking gear here, and I didn't have to hire anybody to do it, because I did it in a couple of hours. And I thought it was cool and fun. But if it was a production environment, you know, we'd have to hire the people, and then it might be cheaper in the cloud. So these analyses are based upon the people you have, the technology you have, what you need, what you don't need, what's modern, what's not. So how do you structure your costs? Well, if you know your system's use, reserve it and get a big discount. If you don't know your systems, use on demand capacity. And as soon as you figure it out, go reserve it. Now basically, you can reserve all your stuff
based upon what your needs are use on demand
14950.939 -> disco as needed. Let's talk about the Spot
Instances that we talked about the first day
14951.939 -> when we talked about computing. Spot Instances
are the kinds of things that you use to bid
14952.939 -> on unused capacity. So let's think about bidding
on unused capacity. You can get a very cheap
14953.939 -> rate for batch computing, by using Spot Instances,
but Spot Instances can get shut down. So the
14954.939 -> key is when it really comes to cost optimization
on your compute environment, it's going to
14955.939 -> be a combination of on demand reserved and
Spot Instances.
How else can we manage costs? Well, it's often cheaper to use a managed service or serverless, because with a server, we probably have to over-provision. But once you go into managed services and serverless, here's what you lose: negotiation and bargaining power. And here's why: your cloud provider knows it's going to be really hard for you to leave, and it may have cost you millions and millions and millions of dollars to restructure your applications to go serverless. And now you're trapped, you're locked in. So managed services and serverless can be good, and they can be not good. It depends on how you use the managed services, and how the serverless stuff is using industry standards, which can let you go to multiple places. Now step five is, let's look at your data transfer costs. If you build your own wide area network, you basically pay for the links, but you don't pay to use them. Now on the cloud, they charge you to actually send data over your own link or over the cloud. So how do we minimize the amount of data we're sending off the cloud provider? Well, if we've got an S3 bucket or an object storage bucket in two regions, maybe we just replicate the data, so we're not traversing the entire WAN. Maybe we use CloudFront, so the web requests don't go across the cloud all the time, or another content delivery network like Akamai. And then maybe we look at what is our connection to the cloud. If we have limited data in the cloud, it's cheaper to do it over a VPN. But if you've got a lot of data in the cloud, it might be cheaper to have a direct connection, because remember, in a normal environment, you pay for the link and not to use the link. In the cloud environment, you pay for the link, the daily fee to have the link, and then you pay to use the link. And in many cases, it's more expensive to use a VPN than a direct connection if you've got a lot of data.

So the next thing you can do is you can set up a budget. And a budget can help by basically alerting you when you're spending too much money. So you can create a budget that says, hey, when I've spent over $20 million, send me a message. $20 million for an organization's costs can be nothing. But I recommend you set up a budget. When you're doing labs, set the budget for $25, and when you hit $20, it's going to send you an alert. For $25, you hit this alert, you hit this alert, or 50% along the way. And that way, it's going to alert you if you've done a lab and forgot to shut off a virtual machine, so you don't get one of those multi-thousand-dollar bills at the end of the month that people do when they're training for certifications, because they forgot to shut off a virtual machine. So create a budget and send an alert. Businesses can do this, and they're going to find out, hey, we're spending lots of money here, do something else.
How's the budget work? Well, basically, create your budget, filter whatever you want, and get your notifications. Now, let's talk about Trusted Advisor. Trusted Advisor is a tool made by AWS to help you save money.

It's a tool made by the cloud provider to help you save money, which means pay them less. Is it in anybody's interest to sell you less stuff? No. It's kind of like when a drug company sponsors a study. Again, it's not objective, but it's in there. So Trusted Advisor is an AWS tool designed to help you make better decisions on how you spend stuff in the cloud. So it's a service, and what's going to happen is the Trusted Advisor service is going to look at your infrastructure. It's going to then compare your infrastructure to what it thinks is right, based upon AWS best practices, and then it'll give you advice. Now, the good news: it can give you advice that you did stuff wrong from a budget perspective. It could also maybe tell you that you made some risky things, and things that you should fix. So it's good to use the tool. The tool provides information, but the point is the tool is not the be-all or end-all. When you're using Trusted Advisor, there's basically two versions. There's the kind that comes with the basic and developer support plans, where customers are going to get access to six security checks and 50 service limit checks. Or customers that are on business support plans or AWS enterprise support plans are going to get 115 Trusted Advisor checks, of which 14 are related to cost optimization, 17 are related to security, 24 are related to fault tolerance, 10 are related to performance, and 50 are related to service limits.

Here's another tool that the cloud provider is trying to use to help you save money, which means spend less on them, which is damaging to their business. So take it for what it's worth. Compute Optimizer is a free management tool that recommends AWS resources to increase the efficiency and reduce your usage costs. Compute Optimizer reviews previous resource activity to distinguish between your platforms, like where your data is stored. For example, Compute Optimizer will compare your user activity levels to similar users or similar activities and give you some recommendations. And Compute Optimizer will take on comparison and present graphical data, and it's going to explain its recommendations, what it thinks you should do to optimize performance, but as a tech device, it's just giving you information. Now with Compute Optimizer, clients are given the opportunity to use the look-back option to review three months of long-term data history and make recommendations based on that. The service will enable users to utilize resources that theoretically reduce cost and improve performance. When users enable these suggestions, AWS will configure the resources to deliver optimal performance based upon business needs.

Let's talk about Service Quotas. Service Quotas are going to give the ability to view, log, and set limits on several services that integrate with the AWS dashboard. Service Quotas will help users scale various workloads. As workloads increase, users can adjust service quotas, or service quota values, and monitor them by setting up alerts. And these alerts will inform users on pending limits. This will help keep users from having unintentional spending that's going to negatively impact the company's overhead. Service Quotas is a good resource because it's looking at your logs, and it's going to determine if there's a need or a place where you can save in a certain area. Theoretically, this can help control costs.

Another tool, the Well-Architected Tool, which is a free cloud service, is going to give you general guidelines of best practices. It's going to theoretically help plan to create better workloads. Here's the thing with the Well-Architected Tool: it's going to recommend AWS services, and there may be many good reasons to not use them. Such as, you need good security way above what you can find, like next generation firewalls; you're going to need more robust applications than the ones that are provided by AWS; you're going to need a more robust content delivery network. Look, right now, AWS isn't even using CloudFront, they're using Akamai right now. And that's part of what goes into a well-architected system, putting in the best tools from the best resources to deliver the business outcomes. You know, we have to be careful where we're getting this information, and a service like this is not necessarily going to give us exactly what we need. Now here, you can see now Amazon is using another content delivery network, now they're using Fastly. And that's the point: when it comes to high availability, when it comes to good architecture, nobody should ever use a single point, or single cloud, it's a single point of failure. Nobody should ever use a single content delivery network as a single point of failure. Amazon doesn't use a single content delivery network; we've gone through two content delivery networks in two days.
Now we're going to get into building high availability architectures, at least what we're supposed to cover for the certification. So before we come back, if you give me a hashtag, AWS Certified Solutions Architect Associate.

So now we're going to get into the part of this program which I hate teaching, because it gives me cognitive dissonance, because I'm going to tell you what you need to know to pass the exam, and it's completely inaccurate. So I'm going to tell you the accurate thing first. When it comes to building a high availability system, never use a single cloud. I'm going to say it again: if it comes to high availability, never use a single cloud. When it comes to high availability, never use a single cloud, because the single cloud is a single point of failure. If a cloud, no matter how many availability zones and regions you use, gets hacked, you're down. If there's a major network misconfiguration, they're down, and you're down, the whole cloud. If there's a network outage, they're down. If the control plane goes down or gets hacked, they are down. So a single cloud is a single point of failure. Every cloud provider has had an outage just in the last few years; none of them have gotten the four nines availability. And I want you to think about this. If your mother, your sister, your brother was in a hospital on life support, and AWS, or Azure, or Google was the only cloud, and they had a cloud outage, and cloud outages happen all the time, and your systems that were keeping your parents alive went down, your parents would die. Would you ever want that? No. If you had a bank, by the way, where billions of dollars of trades were going on, and they were down, the bank could literally go bankrupt with your money. Would you want that? No. So a single cloud is a single point of failure. So when I go to talk about this, what I'm telling you is the stuff that the cloud providers are telling you as far as the exam. But likewise, you know, Amazon right now is using two different content delivery networks in less than two days from the times we did an NS lookup, and I'm sure they use more than that. So keep that in the back of your mind. What I'm going to tell you now is for passing the exam only.

So when you're designing for availability, understand that the higher availability systems you get, the more costly it's going to be. And we typically talk about availability in terms of nines. 99 is two nines available, and 99.9 is three nines available, and 99.99 is four nines availability. AWS calls that high availability. 99.999% availability is what I've worked on for the last 20 years. These are critical performance systems: banks, hospitals, internet service providers, they all need to be at 99.999, as does any business. Imagine how much it would cost Amazon if you went to Amazon to go buy something and it was unavailable. It'd be a disaster, right? Now, if Netflix goes down for 30 minutes, who cares? But if you try to buy stuff on Amazon and they can't sell to you for two hours, imagine what it would cost. So most organizations would consider 99.99% availability high availability. Real critical availability systems, like a bank, a service provider, health care, we consider 99.999%.

Now when you build the highest availability system, you have to think about everything: the networking connections to the cloud provider, because if you can't reach the cloud, guess what, you got nothing. So my grandmother would call it bupkis, and my other grandmother had her own word for it. It was just nothing. So that means if you're going to have two direct connections to your cloud provider, your two direct connections should be on two different routers. And each router should have three different power supplies, each power supply plugged into a different outlet. Why? Because of the power failures on the outlet; you don't want your LAN connections to go down. And the routers connecting to the cloud should have two brains in them and multiple cards where your wires are installed. And that way, you have no single points of failure.

Now when you build a high availability system, you can feel comfortable with the cloud because they maintain redundant power. Well, AWS has had two power outages which took down half of their system in the last year. But the reality is, data centers, and you assume a cloud provider, have redundant power in their data center, so they won't come up with outages, which means they have redundant power. They have redundant generators coming in, redundant power companies coming in. So if they went down to a power outage, you can think about what that possibly could have been. Now a good cloud provider like AWS is going to have redundant cooling. Why? If an air conditioner goes down, or two air conditioners go down, their systems will cook and you'll have no cloud. We have to assume they have redundant cooling. We know AWS has multiple redundant connections to the internet, and their backbone is highly redundant. Their routers and switches are highly redundant. And for people like me building these environments, that's what I did in my sleep. I've been doing it for 25 years. But many organizations don't know how to do this. So for organizations without a bunch of network experts, it's often higher availability for them to go to the cloud provider than doing it themselves, because they don't have the sophistication to do it. But for organizations that need it, they can hire people like me that have been network architects and high availability architects for decades.

So when you build a high availability system, don't use a single cloud. But if you do, it leads us to two availability zones, which is two different data centers. Theoretically, according to the cloud providers, that can get you to 99.99%. I don't think any cloud provider has delivered 99.99% in the last two years, but theoretically, they can do that. If you need better than that, use multiple availability zones, which is data centers, in multiple regions. But if you're going to put your stuff in two different regions in two different data centers, just use two clouds. Two data centers and two clouds is a much higher availability solution. So anything that needs high availability, like your servers, should be put in multiple data centers; your databases should be in multiple data centers; your load balancers should be in multiple data centers. And of course, you know, DNS, or Route 53, is a single point of failure in a single cloud. Ideally, architect around it by using a real DNS service like you would get from the marketplace, and have your DNS servers in multiple, multiple places.
Building a high availability network, make sure there's redundant connections, which means a direct connection with a backup direct connection, or a direct connection with a VPN backup at minimum, or a direct connection with the backup in a different location. Now, if you're going to have two WAN connections, let me make this very clear. If you have two connections to AWS, and this connection is on AT&T and this connection is on AT&T, you just architected a single point of failure, because if you get a cable cut and one link goes down on AT&T, you've still got the other link. But if AT&T goes down, you've got nothing. So for the last 20-some years, organizations building high availability systems always use two links from two providers: AT&T and Verizon, Verizon and NTT. So when it comes to building, you always use two connections, so each connection to the cloud should be through different people. So if you had an AT&T private line and an AT&T internet connection VPN, you just architected a single point of failure, should AT&T have a global outage, because you don't have any connectivity to the cloud and all your systems are down. So, multiple connections. So if you're going to have direct connections, chances are you might want redundant ones. And that means you need to go to two different Direct Connect location data centers, because, for example, if you had your direct connection going to a single Direct Connect data center, guess what, if that Direct Connect data center goes down, you lost your connections. You always want to go to multiple connections, multiple places.

Now let's talk about security. If your systems get hacked, they're not available. So use the principle of least privilege in IAM, disable all unnecessary services on your systems, regularly patch your systems, micro-segment your system into multiple VPCs, use things like Organizations to reduce the blast radius, keep unwanted traffic out of your systems with access control lists and security groups. Make sure you've got good security, so use a next generation firewall, for example, over WAF. Use some sort of DDoS protection like Shield. Use strong physical security. If you've got a router over here and the router is connected to the cloud, and somebody can plug into the router, they can just plug an Ethernet cable into the router, guess what, they got into the cloud like nothing. So make sure the systems are locked up; make sure there's strong security around the wiring closet or data center. You need to use passwords, use strong passwords, and template known good configurations for your team that are going to be deploying it in Terraform, so they can redeploy things that you know to be good fast. Make sure that your systems are backed up constantly. Backups should be stored in more than one location. If you're in AWS and you back up your AWS data to AWS, and AWS goes down, you're in trouble. Back up to another cloud, for example. Take your virtual machines, your serverless machines, and make images of them so you can launch them somewhere else if you ever needed to.

Now how do you build some availability and performance? Well, build some: use autoscaling. Why? You're under a DDoS attack, and all of a sudden you get multiple requests, more than you can handle; your systems will add capacity on demand. Decouple your application architecture components. If your database fails, when you've got a queue in front of the database, the queue can store your messages. Use caching. What happens if my website, www.gocloudcareers.com, goes down? But I had everything cached on a content delivery network; you might be able to get to my website and see it while my web server is down, because it's stored on the cache. Use DNS with health checks for load balancing. Use load balancers to increase performance and reduce single points of failure by sharing the load against tens of medium servers as opposed to one gigantic server. Constantly monitor your system so you can figure out what's going on. Look at the logs, look at the auditing events, monitor for security events, and monitor your IDS/IPS system for security breaches. Monitor the usage of your system, and monitor for performance.

And lastly, change management in a real high availability system. Here's what it's like. Alonso says, Mike, I want to change the configuration. And I, who sends a message to me, who sends it to Chris, who sends it to Leo, who sends it to Chow, who sends it to Manuela, who sends it to Eddie, who sends it to Anslem. And part of the change management request is, hey, if I change this thing at three o'clock in the morning, will this affect your system? And we can all analyze the change to see if it's going to cause a problem. And if we all say go ahead and do it, then after Alonso makes that change, he needs to check in with all of us, and we need to retest our systems to make sure he didn't break anything. And if he did, we need to fix it. And that's why all these things are done, typically speaking, in the middle of the night. That's why I have lots of sympathy for engineers, because engineers are doing work in the middle of the night. Architecture, buying dinners and drinks, it's a little easier. But those that are engineers, we've got a lot of respect for them. Two o'clock in the morning, they're doing work like this. Now let's briefly talk about passing the exam, and then I'll answer questions.
The AWS exams are not difficult, but the way they ask questions can be brutal. They ask questions in a very wordy environment; there's typically not a winning answer, so you select the best answer. The less you know about tech, the easier these exams are going to be, because if you know a lot about tech, these exams are going to be hard, complicated, because they're going to give you a question and there's going to be four answers. One might be the way Cisco would do it, one might be the way VMware would do it, or Microsoft would do it, one would be the AWS way. So if you don't know a lot about tech, this is going to be a very simple exam. If you know a lot about tech, forget everything you know when you take this exam, and just try to pretend that you just read this book and you just took this class and you don't know anything, and then it'll be very simple to get to the answers. But if you know a lot, it's going to work against you. So you almost want to shut your brain off and think exactly what is only on the AWS curriculum, and take that exam and then be done with it. Now I recommend that you look at this, watch this presentation again, carefully look at all documents, read the AWS white papers covering the services listed in this book. And here's the reason why: the AWS white papers are designed to convince you to go use and sell AWS stuff. What are these certifications? Certifications in today's world are designed to get you used to thinking about using the brand terms and helping to sell their stuff. So read those white papers; you're going to see a lot of questions from there. I strongly recommend you get a practice test. There's two companies that make practice tests that I like. Holman Sharma is the CEO of review and trap prep. He's a good friend, and he's got excellent AWS practice exams. I also love Andrew Brown's content from ExamPro. He focuses on certification, I focus on getting people hired. Andrew and I are good friends; we recommend people back to each other. He sends me cool people for career stuff, I send him people for certification stuff. He also has some free AWS training. And I think for less than $20, guess what you get: you can get his practice exams, and they are really, really, really good. Now I suggest you take a practice exam. And when you take a practice exam, you retake these exams until you can get a 95% or better on the practice test. Here's the reason why: it'll make sure that you're used to taking exams. And when you get used to taking exams, these exams will be silly easy. Trust me, they're nothing compared to some of the more complicated exams like a CCIE. But I will tell you one more thing, because of the way AWS writes these questions, they're ugly, the way they're written. So the night before the exam, get a good night's sleep, eat healthy. Go drink a bottle of Silver Oak with your buddies, or have a bunch of scotches? Don't drink any alcohol. If you're in California, don't use any of the other substances that are illegal, that can affect your thinking, either in Colorado or one of those other states. Keep your brain fresh and start the day before the exam. Arrive for the exam early, whether it's in person or not. I promise you tech problems are going to occur; there's going to be some tech problem that occurs, your system will freeze up, or the security software they're putting in there. So be early, and if you drive there, be early. Don't try to be cheap on parking. When I had no money, I'd still pay the 20 bucks for parking, now it's probably more, because I wanted to be there relaxed, not worried about finding a parking meter, worried about who was going to ticket me. And make sure you've got a valid photo ID for the exam. This way, you're out there, you're relaxed. And why am I so concerned with you being relaxed? I'll give you a little bit of the neurological reasons why. Right now we're talking, we're having a good time, we're using the prefrontal cortex part of our brain. It's the thinking, the logical reasoning, the intelligent part of our body. Then when we get nervous, what happens is the prefrontal cortex shuts down. This nasty thing called the amygdala kicks in. The amygdala is responsible for freeze, fight, or flight, and we get dumb. So be relaxed, be calm, be good to go. Regarding the amygdala, if you don't know what I'm talking about, let's say you're with your wife, and she says something that would normally be no big deal, you deal with it. But if you're angry, you say something, and you say something you regret, and then you're in the doghouse for the next three years. Well, husbands can do it, wives can do it, best friends can do it, it doesn't matter. So kind of keep that in the back of your mind, and you'll be good to go.

It's been such a privilege and an honor to spend this week with you. I hope you guys all learned a lot. Make sure you download a copy of that free book. Make sure you learn the AWS labs and sign up for them; they're completely free. And join me on Thursday for the how to get your first cloud architect job webinar. I look forward to seeing you there. Take care, everyone, have a wonderful day.

I'd like to tell you about some free things we do to help you get your first cloud architect job or transition into tech. There's free time, which is completely free, on YouTube: I will answer any type of cloud computing questions you have. Come and ask questions about how to build your career, and I will answer them completely free. Every Thursday, we have a completely free how to get your first cloud job webinar. Our people come from all over the world. In this webinar, I will tell them the following: how to leverage their life experience so the hiring manager knows they're ready. I'll go over the job, the cloud architect job, in depth. I'll go over the things that hiring managers desire. I'll teach you how to bypass HR and get your resume directly in the hands of the hiring manager, so you can get heard rather than auto-rejected by HR for your lack of experience. And it'll be a great time, and you'll learn so much, and by the end of this you'll know exactly what you need to get hired. This is Michael Gibbs. I'm the founder and CEO of Go Cloud Careers, and I look forward to seeing you in another video. Take care.
Source: https://www.youtube.com/watch?v=uc5C1Zt5tD8