Scalability vs availability vs reliability
Scalability describes a system’s elasticity. While we often use it to refer to a system’s ability to grow, it is not exclusive to this definition. We can scale down, scale up, and scale out accordingly.
If you are running a website, web service, or application, its success hinges on the amount of network traffic it receives. It is common to underestimate just how much traffic your system will incur, especially in the early stages. This could result in a crashed server and/or a decline in your service quality.
Thus, scalability describes your system’s ability to adapt to change and demand. Good scalability protects you from future downtime and ensures the quality of your service.
But what options do you have when it comes to implementing scaling and ensuring your business’s scalability? That’s where horizontal and vertical scaling come in.
Availability can be described as the percentage of a time period during which the service is able to respond to requests, i.e. system uptime.
How can we achieve higher availability?
Deploying applications in different servers across geographically distant locations to withstand latency and disasters.
Use proper load balancing techniques to reroute requests to healthy servers.
High availability is the ultimate goal of moving to the cloud. The idea is to make your products, services, and tools available to your customers and employees at any time from anywhere using any device with an internet connection.
Cloud availability is related to cloud reliability.
For example, let’s say you have an online store that is available 24/7. But sometimes clicking the “checkout” button kicks customers out of the system before they have completed the purchase. So, your store may be available all the time, but if the underlying software is not reliable, your cloud offerings are basically useless.
Durability refers to the ongoing existence of the object or resource. Note that it does not mean you can access it, only that it continues to exist.
How can we achieve higher durability?
By taking regular backups
Storing resources in different geographical locations to sustain disasters.
Performing checksums on data and repairing the corrupted data from backups.
Reliability is closely related to availability, however, a system can be ‘available’ but not be working properly. Reliability is the probability that a system will work as designed.
How can we achieve higher reliability?
Equipping system test procedures to cover scenarios under production load and edge cases helps to verify the correctness of the system.
Any new feature should be thoroughly tested to cover all scenarios before being introduced, as most of the correctness issues surface when applying patches/system upgrades.
Resiliency can be described as the ability of a system to self-heal after damage, failure, load, or attack. Note that this does not mean that it will be available continuously during the event, only that it will self-recover.
How can we achieve higher resiliency?
Design the system to identify faulty software or hardware and automate the repair/restart, or, when a component is beyond repair, take it out of the working system.
Active failover sites for applications and active replication to restore corrupted data.
Fault tolerance can be described as the ability that helps a system to continue operating properly in the event of failure within some of its components. It is similar to high availability, except that in highly available systems we may expect some downtime, whereas a fault-tolerant system needs zero downtime. An airplane, for example, is said to be fault-tolerant because it has two operational engines: if one engine goes down, the airplane can still fly on the other.
Horizontal Vs. Vertical Scaling
Vertical Scalability = junior operator to senior operator
• Vertical scalability means increasing the size of the instance
• For example, your application runs on a t2.micro
• Scaling that application vertically means running it on a t2.large
• Vertical scalability is very common for non distributed systems, such as a database.
• RDS, ElastiCache are services that can scale vertically.
• There’s usually a limit to how much you can vertically scale (hardware limit)
Horizontal Scalability = More Operators
• Horizontal scalability means increasing the number of instances / systems for your application
• Horizontal scaling implies distributed systems.
• This is very common for web applications / modern applications
• It’s easy to horizontally scale thanks to cloud offerings such as Amazon EC2
Outbound traffic and Inbound traffic
Inbound traffic refers to information coming in to a network.
The inbound requests originate from outside parties, such as a user with a web browser, an email client, a server or application making service requests, like FTP and SSH, or API calls to web services.
Inbound Traffic Is Traffic That Is Actively Seeking A Solution
Potential customers are considered inbound when they come to your website or the network you’re advertising on. In digital marketing, you can achieve this through great content marketing, search engine optimization, or paid advertising.
The best example of this is Google search. Let’s say somebody goes to Google and says, “I need a new garden hose.” If you sell garden hoses, that’s inbound traffic.
Outbound Traffic Is Traffic You Push Your Message In Front Of
Outbound requests, on the other hand, originate from inside the network, destined for services on the internet or outside network. Firewalls are typically designed to prevent inbound traffic from entering a network, but they can also prevent outside connections from receiving outbound traffic.
Outbound traffic is interrupter marketing. Potential customers aren’t looking for you. They’re not looking for a solution.
The best example of this is social media ads, or more generally, paid traffic. These ads show up inside the newsfeed or inside the Google display network or wherever you’re advertising.
If you’ve done your research and completed a Customer Avatar Canvas, you know who you can successfully advertise to. You target these potential customers because you think they might be interested in your product. So you push your message in front of them.
Private subnet and public subnet
A public subnet is a subnet that is linked to a routing table and has a route to an Internet gateway. This links the VPC to the Internet as well as other AWS services.
The public subnet’s resources can send outbound traffic directly to the Internet and vice versa. Users from the internet, for example, must be able to access a web server.
A private subnet is one that is associated with a routing table but does not have a route to an internet gateway. Backend servers are instances in the private subnet that do not accept traffic from the internet.
Resources such as databases may require internet access for updates/patches, but they should not accept requests from the internet. A private subnet is to be used in such cases.
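The distinction above (a route to an internet gateway makes a subnet public; a NAT route gives a private subnet outbound-only access for patches) can be checked mechanically. The following is an added example, not code from the original notes; it works on constructed data shaped like the RouteTables list returned by `aws ec2 describe-route-tables`, with made-up IDs.

```python
"""Classify VPC subnets as public or private from route-table data (added example)."""
from typing import Dict, List

# Constructed sample data (not real IDs): a main table with only the local
# route, a public table with an internet-gateway default route, and a private
# table whose default route goes to a NAT gateway.
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
ROUTE_TABLES: List[dict] = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}], "Routes": [LOCAL]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-web"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123", "State": "active"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-db"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123", "State": "active"}]},
]
SUBNETS = ["subnet-web", "subnet-db", "subnet-orphan"]  # orphan has no explicit association


def _table_for_subnet(subnet_id: str, route_tables: List[dict]) -> dict:
    """Return the table a subnet uses: its explicit association, else the VPC main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    if main is None:
        raise ValueError("no main route table found")
    return main


def _has_default_route_to(rt: dict, prefix: str) -> bool:
    """True if 0.0.0.0/0 is routed (and active) to a target whose ID starts with prefix."""
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        target = route.get("GatewayId") or route.get("NatGatewayId") or ""
        if target.startswith(prefix) and route.get("State", "active") == "active":
            return True
    return False


def classify_subnets(subnet_ids: List[str], route_tables: List[dict]) -> Dict[str, str]:
    """Apply the rule from the notes: igw route -> public, nat route -> private with egress, else isolated."""
    result = {}
    for sid in subnet_ids:
        rt = _table_for_subnet(sid, route_tables)
        if _has_default_route_to(rt, "igw-"):
            result[sid] = "public"
        elif _has_default_route_to(rt, "nat-"):
            result[sid] = "private (outbound via NAT)"
        else:
            result[sid] = "private (isolated)"
    return result


def unexpectedly_public(expected_private: List[str], route_tables: List[dict]) -> List[str]:
    """Subnets that should host backend servers but actually have an internet-gateway route."""
    classes = classify_subnets(expected_private, route_tables)
    return [sid for sid, cls in classes.items() if cls == "public"]


if __name__ == "__main__":
    for sid, cls in classify_subnets(SUBNETS, ROUTE_TABLES).items():
        print(sid, "->", cls)
    print("misconfigured:", unexpectedly_public(["subnet-db", "subnet-web"], ROUTE_TABLES))
```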
Ingress and egress
Ingress means to enter, and egress means to exit.
Ingress: Refers to any access by an API client from outside the service perimeter to resources within a service perimeter. Example:
A Cloud Storage client outside a service perimeter calling Cloud Storage read, write, or copy operations on a Cloud Storage resource within the perimeter.
Egress: Refers to any access that involves an API client or resources within the service perimeter and resources outside a service perimeter. Examples:
A Compute Engine client within a service perimeter calling a Compute Engine create operation where the image resource is outside the perimeter.
A Cloud Storage client – within or outside the perimeter – that calls a copy command where one bucket is within the perimeter and the other bucket is outside it.
Public IP vs Elastic IP vs Static IP
Public IP: is a unique IP address assigned by an Internet Service Provider (ISP) to devices connecting to the internet.
Elastic IP: is a static IPv4 address designed for dynamic cloud computing, assigned to an AWS account. It allows users to associate a public IP with an instance or network interface, and retain it even if the resource is stopped or restarted.
Static IP: is a permanent, unchanging IP address assigned by an ISP to a device. Unlike a dynamic IP address, a static IP does not change over time.
Public DNS/IP: It is allocated from a pool of available IPs and is mandatory to let you connect from anywhere around the globe to your EC2 instance.
Private IP: Its allocation is based on the VPC/subnet in which the EC2 instance is set up. Every subnet has a range of IPs, out of which one IP gets allocated to the launched EC2 instance. The scope or visibility of this IP is only within the defined VPC. Hence, to communicate between two or more EC2 instances using private IPs, all must be in the same VPC.
Note: The private IP designated to an EC2 instance remains the same as long as the instance stays in the same VPC.
Elastic IP: It is similar to a static IP and can be assigned to any EC2 instance. Once we assign it, the existing public IP gets released and replaced with the newly assigned Elastic IP. Elastic IPs are allocated to the AWS account so that we can release one from a specific EC2 instance and re-assign it to any other EC2 instance (if needed).
Dedicated Host & Dedicated Instance
Dedicated Instances are EC2 instances that run in a VPC on hardware that’s dedicated to a single customer
Dedicated Instances are physically isolated at the host hardware level from the instances that aren’t Dedicated Instances and from instances that belong to other AWS accounts.
Each VPC has a related instance tenancy attribute:
default (shared) – all instances launched would be shared, unless you explicitly specify a different tenancy during instance launch; the tenancy can be changed to dedicated after creation.
dedicated – all instances launched would be dedicated; the tenancy can’t be changed to default after creation.
Each instance launched into a VPC has a tenancy attribute. Default tenancy depends on the VPC tenancy, which by default is shared.
default – instance runs on shared hardware.
dedicated – instance runs on single-tenant hardware.
host – instance runs on a Dedicated Host, which is an isolated server with configurations that you can control.
default tenancy cannot be changed to dedicated or host and vice versa.
dedicated tenancy can be changed to host and vice versa.
Dedicated Instances can be launched in either of two ways:
Create the VPC with the instance tenancy set to dedicated; all instances launched into this VPC are Dedicated Instances even if you mark the tenancy as shared.
Create the VPC with the instance tenancy set to default, and specify dedicated tenancy for any instances that should be Dedicated Instances when launched.
EC2 Dedicated Host is a physical server with EC2 instance capacity fully dedicated to your use
Dedicated Hosts allow using existing per-socket, per-core, or per-VM software licenses, including Windows Server, Microsoft SQL Server, SUSE, and Linux Enterprise Server.
NAT Gateway & NAT Instance
Cognito User Pool & Cognito Identity Pool
Internet Gateway vs NAT Gateway
Internet Gateway (IGW) allows instances with public IPs to access the internet. NAT Gateway (NGW) allows instances with no public IPs to access the internet.
CloudFront Signed URLs and Cookies
CloudFront signed URLs and signed cookies provide the same basic functionality: they allow you to control who can access your content. If you want to serve private content through CloudFront and you're trying to decide whether to use signed URLs or signed cookies, consider the following.
Use signed URLs in the following cases:
You want to restrict access to individual files, for example, an installation download for your application.
Your users are using a client (for example, a custom HTTP client) that doesn't support cookies.
Use signed cookies in the following cases:
You want to provide access to multiple restricted files, for example, all of the files for a video in HLS format or all of the files in the subscribers' area of a website.
You don't want to change your current URLs.
A signed URL is for individual files. 1 file = 1 URL
A signed Cookie is for multiple files. 1 cookie = multiple files
When we create a signed URL or signed cookie, we attach a policy and the policy can include:
i. URL expiration
ii. IP ranges
iii. Trusted signers
In CloudFront, a signed URL allows access to a path. Therefore, if the user has a valid signature, they can access it, regardless of the origin.
In S3, a signed URL issues a request as the signing user. When you sign a request, you need to provide IAM credentials, so accessing a signed URL has the same effect as if that user had made the request.
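The policy attached to a CloudFront signed URL (expiration and IP range, as listed above) is a small JSON document that CloudFront base64-encodes with its own URL-safe alphabet and signs with the trusted signer's key pair. The block below is an added example, not code from the original notes or from the AWS SDK: it builds such a custom policy, assembles the query string, and re-implements the expiry and source-IP checks CloudFront applies. The CloudFront domain and key-pair ID are placeholders, and `placeholder_signer` stands in for the real RSA-SHA1 signature (which you would produce with the CloudFront private key, e.g. via the `cryptography` package).

```python
"""Build and evaluate a CloudFront custom policy for a signed URL (added example)."""
import base64
import hashlib
import ipaddress
import json
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders, not a real distribution or key pair.
EXAMPLE_URL = "https://dexample.cloudfront.net/private/video.m3u8"
KEY_PAIR_ID = "KEYPAIRID_PLACEHOLDER"


def placeholder_signer(data: bytes) -> bytes:
    """PLACEHOLDER only: CloudFront requires RSA-SHA1 over the policy with the private key."""
    return hashlib.sha1(data).digest()


def build_custom_policy(url: str, expires_at: int, source_cidr: Optional[str] = None) -> str:
    """Custom policy JSON: resource, DateLessThan (epoch seconds) and optional IpAddress condition."""
    condition = {"DateLessThan": {"AWS:EpochTime": expires_at}}
    if source_cidr:
        condition["IpAddress"] = {"AWS:SourceIp": source_cidr}
    policy = {"Statement": [{"Resource": url, "Condition": condition}]}
    return json.dumps(policy, separators=(",", ":"))  # compact JSON, no whitespace


def cf_b64(data: bytes) -> str:
    """CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(data).decode().replace("+", "-").replace("=", "_").replace("/", "~")


def cf_b64_decode(text: str) -> bytes:
    return base64.b64decode(text.replace("-", "+").replace("_", "=").replace("~", "/"))


def signed_url(url: str, policy: str, key_pair_id: str, signer: Callable[[bytes], bytes]) -> str:
    """Append Policy, Signature and Key-Pair-Id query parameters to the URL."""
    params = {"Policy": cf_b64(policy.encode()), "Signature": cf_b64(signer(policy.encode())),
              "Key-Pair-Id": key_pair_id}
    return url + ("&" if "?" in url else "?") + urlencode(params)


def policy_allows(url: str, source_ip: str, now: int) -> bool:
    """Re-implements the policy conditions CloudFront checks (signature verification not included)."""
    query = parse_qs(urlparse(url).query)
    policy = json.loads(cf_b64_decode(query["Policy"][0]))
    for statement in policy["Statement"]:
        cond = statement["Condition"]
        if now >= cond["DateLessThan"]["AWS:EpochTime"]:
            return False  # expired
        cidr = cond.get("IpAddress", {}).get("AWS:SourceIp")
        if cidr and ipaddress.ip_address(source_ip) not in ipaddress.ip_network(cidr):
            return False  # request from outside the allowed range
    return True


if __name__ == "__main__":
    pol = build_custom_policy(EXAMPLE_URL, 1_700_000_000, "203.0.113.0/24")
    url = signed_url(EXAMPLE_URL, pol, KEY_PAIR_ID, placeholder_signer)
    print(url)
    print("in range, before expiry:", policy_allows(url, "203.0.113.10", 1_699_999_999))
    print("wrong source IP:", policy_allows(url, "198.51.100.5", 1_699_999_999))
```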
Gateways vs endpoints
A gateway connects your VPC to another network. For example, use an internet gateway to connect your VPC to the internet. Use a VPC endpoint to connect to AWS services privately, without the use of an internet gateway or NAT device.
AWS Gateway and Storage Gateway
AWS Gateway:
It is an Amazon Web Services (AWS) service that provides a secure way for applications to interact with AWS resources and services.
It acts as a proxy between the application and the services, adding additional features like authentication, rate limiting, and caching.
AWS Storage Gateway:
It is a hybrid cloud storage service that provides a seamless connection between an on-premises software appliance and cloud-based storage.
It integrates with existing applications and enables customers to use cloud storage as part of their on-premises IT infrastructure.
AWS Direct Connect vs VPN
AWS Direct Connect
AWS Direct Connect is a high-speed, low-latency connection that allows you to access public and private AWS Cloud services from your local (on-premises) infrastructure. The connection is enabled via dedicated lines and bypasses the public Internet to help reduce network unpredictability and congestion.
AWS Site-to-Site VPN
Sometimes called AWS-managed VPN, AWS Site-to-Site VPN is a hardware IPsec VPN that enables you to create an encrypted connection between Amazon VPC and your private IT infrastructure over the public Internet. VPN connections allow you to extend existing on-premises networks to your VPC as if they were running in your infrastructure.
AWS Zone vs Regions
AWS Region:
It is a geographical area that contains multiple Availability Zones.
Regions are physically isolated from each other, providing customers with higher availability and data durability.
AWS Availability Zone:
It is a physically isolated datacenter within an AWS Region.
Multiple Availability Zones within a region provide customers with greater resilience and more options for disaster recovery.
AWS Regions are the actual geographic places in which the AWS data centers are located. AWS Regions can either be states such as Ohio, Oregon, Northern Virginia, cities like Mumbai, London, São Paulo, or countries such as Canada and Singapore. An AWS Region has at least one Availability Zone and this number can go up to 6 in some of them.
Availability Zones are the actual AWS data centers that are located in these regions. An AZ can be either a single data center or a cluster of closely situated data centers. AZs within a region are within a distance of 100 km or 60 miles from each other.
Each Region is designed to be isolated from the other Regions. This achieves the greatest possible fault tolerance and stability.
When you view your resources, you see only the resources that are tied to the Region that you specified. This is because Regions are isolated from each other, and we don't automatically replicate resources across Regions.
When you launch an instance, you must select an AMI that's in the same Region. If the AMI is in another Region, you can copy the AMI to the Region you're using.
Each Region has multiple, isolated locations known as Availability Zones. The code for Availability Zone is its Region code followed by a letter identifier. For example, us-east-1a.
When you launch an instance, you select a Region and a virtual private cloud (VPC), and then you can either select a subnet from one of the Availability Zones or let us choose one for you. If you distribute your instances across multiple Availability Zones and one instance fails, you can design your application so that an instance in another Availability Zone can handle requests. You can also use Elastic IP addresses to mask the failure of an instance in one Availability Zone by rapidly remapping the address to an instance in another Availability Zone.
Edge Locations (EL) vs Availability Zones (AZ)
Both Edge Locations (EL) and Availability Zones (AZ) are AWS data centers, but ELs are primarily used for caching data to provide a better user experience with low latency, whereas AZs are used for hosting servers, websites, applications, software, Big Data processing, analytics and a wide variety of other use cases.
AZ are big and few when compared to the EL. Also, the EL are closer to the user providing better latency when compared to the AZ.
AWS Gateway and Storage Gateway
AWS Gateway is a service that connects your data center to AWS, providing secure and low latency network connectivity. It enables you to securely transfer data between your data center and the AWS cloud.
AWS Storage Gateway, on the other hand, is a hybrid cloud storage service that enables your on-premises applications to securely access virtually unlimited cloud storage. It is designed to store data in the AWS cloud while maintaining low latency access to the data from your on-premises applications.
AWS Direct Connect is a dedicated network connection from your on-premises data center to AWS, which provides low latency and high throughput data transfer. This direct connection eliminates the need for data to travel over the public internet, providing increased security, reliability, and performance.
AWS VPN is a virtual private network (VPN) connection that enables you to securely connect your on-premises infrastructure to AWS. VPN connections are implemented over the public internet, and provide secure encrypted connections to the AWS network. VPN connections provide lower bandwidth and higher latency compared to Direct Connect, but are often more cost-effective and easier to implement.
In summary, Direct Connect is a dedicated connection that provides high performance and security, while VPN provides a cost-effective solution that is easy to implement. The choice between Direct Connect and VPN depends on the specific requirements and budget of the organization.
edge location and data centre
AWS User vs Role
AWS IAM User:
It is an AWS Identity and Access Management (IAM) entity that represents an end user.
An IAM user is granted permissions to access AWS resources through policies attached to the user.
AWS IAM Role:
It is an AWS IAM entity that defines a set of permissions for making AWS service requests.
Unlike users, roles are not associated with a specific set of long-term credentials such as a password or access keys. Instead, a role can be assumed by an IAM user, an AWS service, or an application that runs on an EC2 instance.
AWS Policy vs Role
AWS Policy defines the permissions for a specific resource or AWS service, while an AWS Role defines the permissions for a user or service to access multiple resources across the AWS infrastructure. A policy is attached to a role, a user, or a resource, while a role is assumed by a user or an AWS service to access other AWS resources.
CNAME vs alias
CNAME (Canonical Name) and Alias are two ways to map a domain name to an AWS resource such as an S3 bucket or a CloudFront distribution.
CNAME is a traditional method of mapping a domain name to an IP address. In this method, you create a CNAME record in your domain's DNS configuration that points your domain name to the target domain name of the AWS resource.
Alias, on the other hand, is an AWS-specific method of mapping a domain name to an AWS resource. In this method, you create an Alias record in the Route 53 DNS service that maps your domain name to the AWS resource, such as an S3 bucket or a CloudFront distribution. Alias records provide a more flexible and efficient way to map a domain name to an AWS resource as they support easy updates and support advanced features such as weighted routing and failover.
Server-side encryption vs client-side encryption
Server-side encryption is the process of encrypting data at rest on the server before it is stored. AWS provides Server-side encryption using encryption services such as AWS Key Management Service (KMS) and Amazon Simple Storage Service (S3) managed encryption keys.
Client-side encryption is the process of encrypting data locally on a client device before it is transmitted to a server for storage. In client-side encryption, the encryption keys are managed by the client, rather than the server. This provides greater control and security to the client, but also requires additional implementation effort to ensure the encryption keys are securely managed.
Geoproximity Routing Policy vs Geolocation Routing Policy