Sunday, 13 November 2022

AWS Solution Architect - Professional Certification

Some time ago I completed AWS Solution Architect - Professional Certification exam. The exam is hard. You have a lot of questions and most of the questions actually tell a story. So you need to react fast because most of the questions it mostly takes time to read the question and not to answer it. As will ML certification I did earlier I wrote the key points that helped mew to prepare and answer the questions and I am going to share it with you.

  • Amazon SQS extended client library for Java is designed for messages up to 2 GB.
  • For time series data, create new Dynamo table for each series. For example, new table for each week.
  • Dynamo DB - you need to know RC and WC to calculate the partition
  • Aurora supports regional failover
  • Beanstalk, has "swap url" feature to support blue green deployment
  • StackPolicy - uses in CloudFormation to protect the resources from modification.
  • If you have implicit deny, you need to have also "Allow". Can be updated only from CLI
  • Lambda calls from API Gateway have 30s timeout. You can decrease the timeout, but not to increase.
  • API Gateway - responses like 403 can be customized to something else, like 400 (with ability to add custom headers)
  • VPC CIDR is not modifiable, but you can add up to 4 secondary CIDR.
  • For BYOL (L-license) use AWS license manager
  • Cannot upload ACM certificate from IAM. No management from IAM console.
  • OpsWork is supported in CloudFormation.  If you need to use OpsWork inside the CloudFormation stack. it is better to manage the EC2 within OpsWork stack and CLoudFormation should deal with a resources which do not change frequently.
  • Instance from the different customers, running on the same physical machine are isolated by hyperviser
  • If using CodePipeline with OpsWork, the OpsWork should be put into Deploy stage
  • RDS MySQL can create cross-region read replica.
  • ENI can have a static MAC address that doesn't change when you reattach it to another EC2.
  • AWS workdocs can be used to create file-sharing solution and can be integrated with Active Directory.
  • There is no option to modify the DHCP option in VPC. You need to create the new one if you want to change,
  • S3 transfer accelerator cannot compare the speed at Edges, only at Regions
  • CloudFront caches GET,HEAD and optionally OPTIONS requests
  • To replicate RDS from AWS to On-Prem use IPSEC VPN.
  • You can assign several ENI to EC2 and each ENI can get SSL certificate.
  • CloudTrail can send the logs from different accounts to a single bucket. Also from different regions.
  • AppsStream 2.0 price is based on the monthly fee per user and stream resource.
  • Custom SSL certificate or third-party certificate can not be configured in Route 53. Origin Access Identity does not deal with custom SSL.
  • AWS Inspector is used for EC2. Cannot inspect API Gateway
  • Once you enable the encryption on RDS, the snapshots are encrypted also, and read replicas.
  • CloudFormation "DeletePolicy" for RDS can be "retain" and "snapshot". For the "snapshot" the RDS data will be stored, for "retain" the RDS will keep running
  • Aurora MySQL can be set as replication slave for self-managed MySQL or RDS MySQL
  • CloudWatch can monitor data cross-region
  • Redshift cannot replicate the data from Cluster in Region A to data in Region B. It can only replicate the snapshots.
  • Raid 0 - instead of writing to a single disk, the data is split between several disks to increase the throughput. 
  • CloudFront doesn't support IP as origin
  • Route 53 alias can point to ALB
  • OAuth 2.0 is used with WebIdentityFederation. Also used with public identity providers like Google, Facebook...
  • CloudFront signer can be "key group" or account. For "key group", you don't need ROOT user to manage the keys.
  • Dynamo DB stream has 24 hours retention limit.
  • Cognito identity pool - supports anonymous guest user.
  • Beanstalk cannot delete the source bundle or previous versions
  • Spots are not good for EMR core nodes.
  • Beanstalk "zero downtime" creates new instances. Cannot update existing.
  • CodeDeploy can disable ELB health check.
  • EC2 Termination protection doesn't prevent ACG from terminating the EC2. Instance protection - does.
  • To support client-side certificates use TCP listeners at ELB. So the HTTPS will not terminate at ELB but at EC2
  • AWS doesn't support promiscuous mode.
  • Client IP can be preserved in ELB for both HTTP and TCP with Proxy Preservation feature.
  • DMS selection rules allows to filter the source data
  • DMS transformation rules can be used to remove columns or add prefixes to table names.
  • Changes in "All Features" in AWS Organization can be upgraded in flight. 
  • S3 static website - CloudFront origin policy need to be HTTP.
  • Classic load balancer cannot handle multiple certifications.
  • NAT gateway is IP4 only.
  • Kinesis Data Stream data retention can be set up to 7 days (default = 1 day)
  • Simple AD allow access to AWS workspaces,workdoc.... and supports automated snapshots.
  • On-Prem load balancer can be set as custom origin in CloudFormation
  • ALB can use both on-prem IP addresses and AWS IP addresses as  target
  • Beanstalk can use customer AMI, dockers and "create custom environment" based on Ubuntu, Redhat or AWS Linux.
  • Storage Gateway. Cached volume = 1024TB, stored volume  = 512TB
  • AWS Organization  - cannot resend invite if present invite is still open
  • EC2 Image builder can distribute AMI to multiple regions and share with other AWS accounts. 
  • Data moved from EBS to S3 is not encrypted.
  • EFS enables encryption at rest when created. Encryption in transit is enabled when mounting.
  • Snapshots can be created only for EBS volumes.
  • AMI can be created for instance store.
  • CloudHSM can perform SSL transaction.
  • Cost allocation tags does not appear in cost reports before they were activated.
  • HVM AMI - Extend host hardware to "guest". Increases performance
  • Root user cannot "switch role".
  • NLB can preserve source IP if the target is "instance IP".
  • Billing reports can integrate with Redshift, Athena and Quicksight.
  • AWS Storage Gateway  - the replication is asynchronous.
  • RAID 1,5 not recommended for EBS/
  • Java SDK. - can increase SQS visibility for messages with specific header.
  • Only existing DX connections can be aggregated into LAG. Connections operate as Active/Active. Max number is 4 connections. They have to be of the same bandwidth .  
  • Single root IO (SR-IOV) provides high performance network, lower CPU utilization
  • Reserved Instances EC2 discount works cross-account, but only in the same AZ.
  • Classic LB - doesn't modify the headers for SSL
  • ASG - can be suspended and resumed.
  • Amazon Managed Blockchain  - does not allow to manage EC2 or ECS. AWS Blockchain templates - does.
  • CloudFront supports TTL=0.
  • Hibernate - only on ROOT volume. Volume should be encrypted. Must use HVM AMI.
  • EC2 ephemeral volumes are not encrypted at rest.
  • Dynamo DB - cannot combine On-Demand for read and provisioned for write.
  • Cannot delete VPC if it has NAT instance
  • Containers images for Lambda need to put the extensions to /opt folder.
  • Public virtual interfaces used to connect to AWS services reachable by public IP. (e.g S3)
  • Snowball data cannot be directly copied to Glacier. 
  • Gp2 - each 1GB adds 3IOPS.
  • Kinesis FIrehose can aggregate CloudWatch logs from different accounts, by creating the subscription filters.
  • You don't pay for S3 accelerated transfer if there is no acceleration.
  • SAM framework - can deploy blue/green deployment for Lambda via CodeDeploy
  • VPC sharing (part of RAM) allow multiple accounts to share resources into centrally managed VPC.
  • VPC flow logs cannot detect packet loss or inspect network traffic.
  • S3 object always owned by uploading account. If object owner is not the same as bucket owner, the bucket owner cannot access the object without relevant permissions.
  • CloudFrom - to improve cache hit ration, configure separate cache behaviour for static and dynamic content. Configure cookies forward to origin for dynamic content.
  • S3  - it can take up to 24 hours to propagate S3 names to another region
  • QuickSign can access RDS in private subnet by using VPC connector from QuickSign admin.
  • Route 53 private or public zones can use EC2 health check only if EC2 has public IP.  
  • S3 static web sites - objects cannot be encrypted by KMS. Bucket and object owner should be the same.
  • When choosing NLB or Global Accelerator for static IP, the NLB is cheaper.
  • AWS Service Migration Service is already at the end of life.
  • To connect On-Prem to VPC, use public virtual interface
  • Route 53 traffic flow policies - can route domains and subdomains but not path-based flows. ALB and Lambda@Edge - can.
  • S3 Gateway endpoint - no access from on-prem or another AWS region. Uses S3 public IP.
  • S3  - to ignote all public ACL, set IgnotePublicACL flag to true.
  • Farhgate task - if internet access needed. In public subnet  - enable auto assign IP, in private subnet disable auto-assign IP and configutr NAT gateway.
  • TAGS - takes up to 24 hours to activate
  • NLB - no security groups.
  • OpsWork support only blue/green deployment, not canary.

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)