AWS Local Zones
AWS Local Zones place AWS compute, storage, database, and other selected AWS services closer to end users so that latency-sensitive apps can run near them. A Local Zone extends your VPC to more locations and acts as an extension of an AWS Region.
It is compatible with EC2, RDS, ECS, EBS, ElastiCache, and Direct Connect. For example, the N. Virginia Region (us-east-1) can have Local Zones in Boston, Chicago, and Dallas.
Local Zones are enabled from the EC2 Dashboard under Account attributes in Settings. Once enabled, the Local Zone appears in the Availability Zone list when creating a subnet.
Global Application Architecture
When designing applications, we choose an architecture model based on the availability and latency it provides.
A single Region with a single AZ provides no high availability and cannot offer low global latency, which makes it difficult to use in real scenarios.
A single Region with multiple AZs provides high availability, but still cannot offer low global latency; the difficulty is moderate.
In a Multi-Region Active-Passive architecture, two Regions are used with more than one AZ each. Reads and writes go to the active Region, while only reads go to the passive Region. This gives low global read latency but not low global write latency, with moderate difficulty.
In a Multi-Region Active-Active architecture, both Regions handle reads and writes. This gives low global read and write latency, and the difficulty remains moderate.
Cloud Integrations
When we deploy multiple apps, they need to communicate with each other. There are two patterns of communication.
Synchronous communication goes directly from app to app; a sudden spike in traffic hits the receiving app directly and can cause problems.
Asynchronous communication goes from app to queue to app. It is better to decouple applications this way, using the SQS queue model, the SNS pub/sub model, or the Kinesis real-time streaming model. These services scale independently of the applications.
Amazon SQS
With Amazon Simple Queue Service, producers send messages to an SQS queue and consumers poll the queue to receive them.
The SQS Standard Queue is serverless and is used to decouple apps. It scales from 1 message per second to 10,000 per second, has low latency and no limit on the number of messages in the queue, and messages are deleted after they are read. Multiple producers can send messages, which are retained for up to 14 days, and multiple consumers share the work.
The SQS FIFO Queue guarantees first-in, first-out delivery: if messages are sent in the order 4-3-2-1, the consumer reads them in that same order, and they are processed in order.
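To make the receive/delete cycle and the FIFO ordering rule concrete, here is a small in-memory model of the two queue types. It is an added example written for these notes, not AWS code or an SQS client: the SimQueue class, its visibility_timeout parameter and the simulated clock are assumptions, and the model keeps only the behaviours discussed above (a real Standard queue also makes no strict ordering promise, which is not simulated).

```python
"""In-memory model of SQS Standard vs FIFO semantics (added example, not AWS code)."""
import itertools
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Message:
    body: str
    group_id: Optional[str] = None      # MessageGroupId (FIFO only)
    dedup_id: Optional[str] = None      # MessageDeduplicationId (FIFO only)
    receipt: int = 0                    # stands in for the receipt handle
    invisible_until: float = 0.0        # simulated-clock time until which it is in flight


class SimQueue:
    """Assumed, simplified queue model: visibility timeout, at-least-once redelivery,
    and for FIFO queues per-group ordering plus content-based deduplication."""

    def __init__(self, fifo: bool = False, visibility_timeout: float = 30.0):
        self.fifo = fifo
        self.visibility_timeout = visibility_timeout
        self.messages: List[Message] = []
        self.seen_dedup = set()
        self._receipts = itertools.count(1)
        self.now = 0.0  # simulated clock, in seconds

    def send(self, body: str, group_id: Optional[str] = None, dedup_id: Optional[str] = None) -> bool:
        """Enqueue a message; returns False when a FIFO queue drops it as a duplicate."""
        if self.fifo:
            if group_id is None:
                raise ValueError("FIFO queues require a MessageGroupId")
            dedup_id = dedup_id or body  # content-based deduplication keys on the body
            if dedup_id in self.seen_dedup:
                return False
            self.seen_dedup.add(dedup_id)
        self.messages.append(Message(body, group_id, dedup_id))
        return True

    def receive(self, max_messages: int = 1) -> List[Message]:
        """Return visible messages in order and hide them for the visibility timeout.
        FIFO: a group with a message still in flight yields nothing until it is deleted."""
        blocked = {m.group_id for m in self.messages if self.fifo and m.invisible_until > self.now}
        out = []
        for m in self.messages:
            if len(out) >= max_messages:
                break
            if m.invisible_until > self.now or m.group_id in blocked:
                continue
            m.invisible_until = self.now + self.visibility_timeout
            m.receipt = next(self._receipts)
            out.append(m)
        return out

    def delete(self, receipt: int) -> bool:
        """Consumers must delete explicitly; otherwise the message becomes visible again."""
        before = len(self.messages)
        self.messages = [m for m in self.messages if m.receipt != receipt]
        return len(self.messages) < before

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    """Constructed scenario exercising both queue types."""
    std = SimQueue(fifo=False, visibility_timeout=30)
    for body in ["order-1", "order-2", "order-2"]:   # the duplicate is kept by a Standard queue
        std.send(body)
    std.receive()        # a consumer reads order-1 but crashes before deleting it
    std.advance(31)      # the visibility timeout expires
    redelivered = [m.body for m in std.receive(max_messages=10)]

    fifo = SimQueue(fifo=True, visibility_timeout=30)
    accepted = [fifo.send(body, group_id=group)
                for body, group in [("a1", "A"), ("a2", "A"), ("b1", "B"), ("a1", "A")]]
    head = fifo.receive()[0]                                   # a1 is in flight, group A is blocked
    while_blocked = [m.body for m in fifo.receive(max_messages=10)]
    fifo.delete(head.receipt)                                  # group A is released
    after_delete = [m.body for m in fifo.receive(max_messages=10)]
    return {
        "standard_redelivered": redelivered,   # ['order-1', 'order-2', 'order-2']
        "fifo_accepted": accepted,             # [True, True, True, False]
        "fifo_while_blocked": while_blocked,   # ['b1']
        "fifo_after_delete": after_delete,     # ['a2']
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The Standard-queue part shows why "deleted after they are read" really means deleted by the consumer after processing: a consumer that crashes after receiving sees the same message again once the visibility timeout passes, and a duplicate send is kept, so consumers should be idempotent. The FIFO part shows that ordering and deduplication apply per MessageGroupId: one stuck in-flight message blocks its group until it is deleted, while other groups keep flowing.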
Amazon Kinesis
Amazon Kinesis Data Streams is used for real-time big data streaming, persistence, and analysis. It is a managed service to collect, process, and analyze streaming data at any scale.
Amazon SNS
Amazon Simple Notification Service follows the pub/sub model and has no message retention. Publishers send a message to one topic, and every subscriber of that topic receives it.
SNS can publish to SQS, Lambda, Data Firehose, email, SMS, mobile push notifications, and HTTP endpoints.
Amazon MQ
Amazon MQ is a managed message broker for ActiveMQ and RabbitMQ. It supports open protocols such as MQTT and AMQP. It runs on servers and can run across multiple AZs with failover. It does not scale as much as SQS and SNS, but it supports both queue features like SQS and topic features like SNS.
Machine Learning Services
Amazon Rekognition is used to find objects, people, text, and scenes in images and videos. It also provides facial analysis, celebrity recognition, and people counting.
Amazon Transcribe converts speech to text using deep learning and automatically removes PII. It supports automatic language identification and is used for customer calls and subtitles.
Amazon Polly converts text to lifelike speech.
Amazon Translate provides natural and accurate language translation and helps localize content.
Amazon Lex uses Automatic Speech Recognition (ASR) and Natural Language Understanding to build chatbots and recognize customer intent. Amazon Connect is used to receive calls and integrates with Lex.
Amazon Comprehend is used for NLP, finding insights and relationships in text. It analyzes sentiment and organizes text by topic.
Amazon SageMaker is a fully managed service to build ML models with everything in one place.
Amazon Kendra is an ML-powered search engine that extracts answers from documents.
Amazon Personalize builds real time recommendation systems.
Amazon Textract extracts text and data from scanned documents.
Monitoring & Logging
Amazon CloudWatch Metrics provides metrics for AWS services such as CPUUtilization, networking, and billing.
CloudWatch Alarms trigger actions like auto scaling, EC2 actions, or SNS alerts.
CloudWatch Logs collects logs from ECS, Lambda, and EC2 (via CloudWatch agent).
Amazon EventBridge is used to schedule cron jobs, archive events, and replay events.
AWS CloudTrail provides governance and audit by recording the API calls made in the account. It is enabled by default and is used to investigate actions such as who deleted a resource.
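As an added example of the kind of investigation CloudTrail enables (not code from these notes or from AWS), the following script scans a constructed CloudTrail log file for destructive API calls and reports who made them and from where. The record layout (a Records array with eventName, userIdentity, requestParameters) follows CloudTrail's JSON format; the account ID, principals, addresses, resource names and severity labels are constructed sample values, and DESTRUCTIVE_PREFIXES and AUDIT_TAMPERING are assumed heuristics rather than an AWS classification.

```python
"""Triage CloudTrail records for destructive API calls (added example; data is constructed)."""
import json

# Constructed log content in CloudTrail's file layout: a "Records" array of event objects.
# Account ID, principals, addresses and resources are sample values, not real ones.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}},
    {"eventTime": "2024-05-01T10:05:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob"},
     "requestParameters": {"bucketName": "finance-reports"}},
    {"eventTime": "2024-05-01T10:06:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob"}},
    {"eventTime": "2024-05-01T10:09:15Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"}},
]})

# Assumed heuristics: name prefixes that usually mean a resource is being destroyed, and the
# CloudTrail calls that switch the audit trail off, which outrank ordinary deletions.
DESTRUCTIVE_PREFIXES = ("Delete", "Terminate", "Remove")
AUDIT_TAMPERING = {"StopLogging", "DeleteTrail"}


def actor(identity: dict) -> str:
    """IAM user name when present, otherwise the (role session) ARN."""
    return identity.get("userName") or identity.get("arn", "unknown")


def resource_of(event: dict) -> str:
    """Pull the affected resource out of the service-specific requestParameters."""
    params = event.get("requestParameters") or {}
    if "bucketName" in params:
        return params["bucketName"]
    if "instancesSet" in params:
        return ",".join(i["instanceId"] for i in params["instancesSet"]["items"])
    if "name" in params:
        return params["name"]
    return "n/a"


def find_destructive(log_text: str) -> list:
    """Return one finding per destructive or audit-tampering call, in event order."""
    findings = []
    for ev in json.loads(log_text)["Records"]:
        name = ev["eventName"]
        if not (name.startswith(DESTRUCTIVE_PREFIXES) or name in AUDIT_TAMPERING):
            continue
        findings.append({
            "time": ev["eventTime"],
            "action": name,
            "service": ev["eventSource"].split(".")[0],
            "resource": resource_of(ev),
            "actor": actor(ev["userIdentity"]),
            "source_ip": ev.get("sourceIPAddress"),
            "severity": "high" if name in AUDIT_TAMPERING else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_destructive(SAMPLE_LOG):
        print(f"{f['time']} {f['severity']:6} {f['actor']} {f['action']} {f['resource']} from {f['source_ip']}")
```

The read-only ListBuckets call is ignored, the two deletions are attributed to their principals, and the StopLogging call is ranked highest because a trail being switched off is the event that would hide everything that follows it. The same function can be pointed at the gzipped log files CloudTrail delivers to S3 once they are decompressed.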
AWS X-Ray helps debug applications in production, analyze performance, and identify bottlenecks.
Amazon CodeGuru provides automated code review and performance recommendations.
The AWS Health Dashboard shows the service health history of AWS services globally.
VPC & Networking
A VPC is a private network in which to deploy resources. It is a regional resource. Subnets divide the VPC and are AZ-specific.
Public subnets are accessible from the internet, while private subnets are not.
An Internet Gateway connects the VPC to the internet, while a NAT Gateway lets instances in private subnets reach the internet.
Security Groups are stateful firewalls with allow rules only: return traffic for an allowed connection is permitted automatically. Network ACLs are stateless firewalls with allow and deny rules: return traffic must be allowed explicitly.
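To show what stateful versus stateless means in practice, here is an added, simplified model (not AWS code) that evaluates an inbound request and its reply against a security group and against a network ACL. The SecurityGroup and NetworkAcl classes, their rule tuples and the sample addresses are assumptions; the model keeps only the behaviours described above: allow-only rules with connection tracking for the security group, and numbered allow/deny rules evaluated lowest-first with an implicit deny for the ACL.

```python
"""Simplified model of stateful security groups vs stateless network ACLs (added example, not AWS code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (toward the instance) or "out" (from the instance)
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: str = "tcp"


def in_cidr(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


class SecurityGroup:
    """Stateful: allow rules only. A reply to a connection that an allow rule admitted
    is accepted without any rule for it, because the group tracks the connection."""

    def __init__(self, rules):
        self.rules = rules            # (direction, proto, low_port, high_port, cidr)
        self.connections = set()      # (src, src_port, dst, dst_port) of admitted flows

    def evaluate(self, p: Packet) -> bool:
        if (p.dst, p.dst_port, p.src, p.src_port) in self.connections:
            return True               # reply packet of a tracked connection
        remote = p.src if p.direction == "in" else p.dst
        for direction, proto, low, high, cidr in self.rules:
            if (direction == p.direction and proto == p.proto
                    and low <= p.dst_port <= high and in_cidr(remote, cidr)):
                self.connections.add((p.src, p.src_port, p.dst, p.dst_port))
                return True
        return False                  # no deny rules exist; anything unmatched is dropped


class NetworkAcl:
    """Stateless: numbered allow/deny rules evaluated from the lowest number, first match wins,
    and the implicit '*' rule denies. Every packet, including a reply, is judged on its own."""

    def __init__(self, rules):
        # (rule_number, direction, proto, low_port, high_port, cidr, action)
        self.rules = sorted(rules, key=lambda r: r[0])

    def evaluate(self, p: Packet) -> bool:
        remote = p.src if p.direction == "in" else p.dst
        for _, direction, proto, low, high, cidr, action in self.rules:
            if direction != p.direction or proto not in (p.proto, "all"):
                continue
            if low <= p.dst_port <= high and in_cidr(remote, cidr):
                return action == "allow"
        return False


def demo() -> dict:
    """Constructed HTTPS request from the internet and the instance's reply."""
    request = Packet("in", "203.0.113.9", "10.0.1.20", src_port=51000, dst_port=443)
    reply = Packet("out", "10.0.1.20", "203.0.113.9", src_port=443, dst_port=51000)

    sg = SecurityGroup([("in", "tcp", 443, 443, "0.0.0.0/0")])
    sg_result = (sg.evaluate(request), sg.evaluate(reply))

    # Outbound rule mirrors the inbound one: the reply's destination port is ephemeral, so it is dropped.
    nacl_mirrored = NetworkAcl([(100, "in", "tcp", 443, 443, "0.0.0.0/0", "allow"),
                                (100, "out", "tcp", 443, 443, "0.0.0.0/0", "allow")])
    # Outbound rule covers the ephemeral port range instead, which is what return traffic needs.
    nacl_ephemeral = NetworkAcl([(100, "in", "tcp", 443, 443, "0.0.0.0/0", "allow"),
                                 (100, "out", "tcp", 1024, 65535, "0.0.0.0/0", "allow")])
    # A lower-numbered deny wins over the broader allow: something a security group cannot express.
    nacl_blocklist = NetworkAcl([(90, "in", "tcp", 0, 65535, "192.0.2.0/24", "deny"),
                                 (100, "in", "tcp", 443, 443, "0.0.0.0/0", "allow")])
    blocked_request = Packet("in", "192.0.2.7", "10.0.1.20", src_port=51001, dst_port=443)

    return {
        "security_group": sg_result,
        "nacl_mirrored": (nacl_mirrored.evaluate(request), nacl_mirrored.evaluate(reply)),
        "nacl_ephemeral": (nacl_ephemeral.evaluate(request), nacl_ephemeral.evaluate(reply)),
        "nacl_blocklist": (nacl_blocklist.evaluate(request), nacl_blocklist.evaluate(blocked_request)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The security group admits the reply with no outbound rule at all because it remembers the connection; the model omits the allow-all outbound rule a default security group ships with, to isolate that effect. The ACL that mirrors the inbound rule silently drops the same reply, which is the classic reason a subnet "allows 443" yet nothing works until an outbound rule for the ephemeral port range is added. The blocklist case shows the one thing ACLs can do that security groups cannot: an explicit deny for a source range that beats a broader allow.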
VPC Flow Logs capture information about the IP traffic going through the VPC, for monitoring and troubleshooting.
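Added example (not from the original notes): a parser for flow log records in the default format, run over constructed sample lines, that groups rejected connections by source address and totals accepted bytes per flow. The field order is the default VPC Flow Logs format; the SAMPLE_LINES, the ENI id, the addresses and the min_ports threshold are constructed or assumed values.

```python
"""Parse VPC Flow Log records (default format) and flag rejected probing (added example; lines are constructed)."""
from collections import defaultdict

# Field order of the default flow log format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample: one external address rejected on four ports, one internal HTTPS session
# seen in both directions, and one NODATA record (no traffic in the window, fields are '-').
SAMPLE_LINES = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.1.20 51022 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.1.20 51023 23 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.1.20 51024 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.1.20 51025 445 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.15 10.0.1.20 40112 443 6 25 6100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.20 10.0.2.15 443 40112 6 22 9800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_line(line: str):
    """One record as a dict with numeric fields converted; None for NODATA/SKIPDATA records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec


def parse(text: str) -> list:
    return [r for r in (parse_line(ln) for ln in text.splitlines() if ln.strip()) if r is not None]


def rejected_ports_by_source(records: list) -> dict:
    """Map each source address to the sorted list of destination ports it was rejected on."""
    probes = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            probes[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(ports) for src, ports in probes.items()}


def suspected_scanners(records: list, min_ports: int = 3) -> list:
    """Sources rejected on at least min_ports distinct ports (assumed threshold) in the window."""
    return [src for src, ports in rejected_ports_by_source(records).items() if len(ports) >= min_ports]


def bytes_by_flow(records: list) -> dict:
    """Accepted bytes per (src, dst) pair, useful for spotting unexpected egress volume."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "ACCEPT":
            totals[(r["srcaddr"], r["dstaddr"])] += r["bytes"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse(SAMPLE_LINES)
    print("records:", len(recs))
    print("rejected ports:", rejected_ports_by_source(recs))
    print("suspected scanners:", suspected_scanners(recs))
    print("accepted bytes:", bytes_by_flow(recs))
```

REJECT records are the ones the security group or network ACL dropped, so a single source rejected on several unrelated ports in one window stands out quickly, while the accepted-bytes view answers the troubleshooting question of which flows actually carried traffic. NODATA records are skipped rather than parsed, since their numeric fields are dashes.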
VPC Peering connects two VPCs privately, but peering is not transitive.
VPC Endpoints allow a private connection to AWS services without going through the internet.
AWS PrivateLink exposes a service to other VPCs securely without VPC peering.
A Site-to-Site VPN connects an on-premises network to AWS over the public internet, encrypted.
Direct Connect provides a private, secure, and fast connection, but takes longer to establish.
Client VPN allows users to connect securely to the VPC from their own systems.
Transit Gateway simplifies complex network connections using a hub-and-spoke model.
Shared Responsibility Model
AWS is responsible for security of the cloud: the infrastructure, hardware, and facilities.
Customers are responsible for security in the cloud: the OS, firewall, IAM, and data encryption.
Shared controls include patch management and configuration management.
For RDS, AWS manages the infrastructure and patching, while users manage access, ports, and encryption.
For S3, AWS manages the storage and the security of the infrastructure, while users manage bucket policies and permissions.