Internet-facing ELBs
• Elastic Load Balancing scales your load balancer as your incoming traffic changes over time.
• It can automatically scale to the vast majority of workloads.
• Elastic Load Balancing supports the following load balancers:
  o Application Load Balancers
  o Network Load Balancers
  o Gateway Load Balancers
  o Classic Load Balancers
Internet-facing Classic Load Balancers
An internet-facing load balancer has a publicly resolvable DNS name, so it can route requests from clients on the internet to the EC2 instances that are registered with it. If a load balancer is in a VPC with ClassicLink enabled, its registered instances can be linked EC2-Classic instances. If a load balancer is in EC2-Classic, its instances must be in EC2-Classic. (EC2-Classic has since been retired; new deployments use a VPC.)
Public DNS names for your load balancer
When your load balancer is created, it receives a public DNS name that clients can use to send requests. The DNS servers resolve the DNS name of your load balancer to the public IP addresses of the load balancer nodes. Each load balancer node is connected to the back-end instances using private IP addresses. Because the node addresses can change, always point clients and DNS records at the DNS name rather than at a resolved IP address.
EC2-VPC: Classic Load Balancers in a VPC support IPv4 addresses only. The console displays a public DNS name of the form name-1234567890.region.elb.amazonaws.com
EC2-Classic: Load balancers in EC2-Classic support both IPv4 and IPv6 addresses. The console displays the following public DNS names:
name-123456789.region.elb.amazonaws.com
ipv6.name-123456789.region.elb.amazonaws.com
dualstack.name-123456789.region.elb.amazonaws.com
VPC-facing (internal) ELBs
• An internal load balancer has nodes with private IP addresses only.
• It still has a publicly resolvable DNS name, but that name resolves to the private IP addresses of its nodes.
• It therefore serves only clients that have access to the VPC (hosts in the same VPC, or reaching it over VPN or peering).
• A typical use is an internal tier, such as database or application servers that should never be reachable from the internet and whose load needs to be spread across several instances.
• The DNS name being public means it is not a secret; restrict who can reach the load balancer with its security group and the VPC routing, not by hiding the name.
Create an Internet-facing Load Balancer in a VPC
1. Click Services > Load Balancers.
2. Click Create. The CREATE LOAD BALANCER dialog box appears.
3. In the Load Balancer Name field, type a name for the load balancer. The name must be unique within the Region, follow domain name rules, and contain up to 32 alphanumeric characters or hyphens.
4. From the VPC list, select the VPC in which you want to create the load balancer. The Availability Zone list is deactivated.
5. From the Scheme list, select internet-facing.
6. From the Subnet list, select the subnet for your back-end instances.
7. From the Security Group(s) list, select one or more security groups to associate with the load balancer. The security group should allow inbound traffic only on the listener ports.
8. Click Create to validate. The load balancer is created and appears on the Load Balancers page.
Activity: Quiz
Choose the correct alternative:
1. Which service divides the amount of work among multiple computers?
   a. CloudFront  b. Amazon S3  c. ELB  d. EC2
2. Which IP addresses does ELB support?
   a. IPv4  b. IPv6  c. Both a & b  d. None
3. ELB helps an IT team adjust capacity according to _______________ application and network traffic.
   a. incoming  b. outgoing  c. client  d. server
Activity: True or False
Choose the correct alternative (True / False):
1. A load balancer routes requests from clients over the internet to the EC2 instances.
2. Elastic Load Balancing can't be used with an Amazon VPC to distribute traffic.
3. ELB supports both IPv4 and IPv6.
4. A load balancer node is connected to the back-end instances using public IP addresses.
5. Elastic Load Balancing scales your load balancer as your incoming traffic changes over time.
AWS's Domain Name System
Learning Objectives By the end of this module, you will be able to: • Define AWS Security • Describe AWS Shared Responsibility Model • Give an explanation on AWS Compliance Program • Describe AWS Global Infrastructure Security • Describe Physical and Environmental Security • Explain Layered Security, Security Groups & Network ACLs • Explain about AWS Reports, Certifications, and Third-Party Attestations • Describe AWS Account Security Features • Explain about AWS Credentials, Passwords
Glossary
This table lists the technical terms used in this module:
TERMINOLOGY: MEANING
1. Encryption: Transforming data so that it can be read only by a holder of the corresponding key.
2. Configuration: The set of settings that determine how a system or service behaves.
3. Intrusion: To compromise a computer system by breaking the security of a system.
4. Attestation: A process that documents that an organization or individual has successfully demonstrated meaningful requirements.
5. Compliance: The process of adhering to policies and decisions.
6. Latency: Measure of the responsiveness of a network.
Amazon Route 53
Amazon Route 53 is a scalable and highly available Domain Name System (DNS) service. Amazon Route 53 was released on December 5, 2010. DNS is the system of records that tells clients which IP address to contact for a given domain name, so that a URL can be turned into a connection to a server. It operates on port 53. The name is a possible reference to U.S. Routes, and "53" is a reference to TCP/UDP port 53, where DNS server requests are addressed.
Domain Name System (DNS) & Concepts
DNS, or the Domain Name System, translates human readable domain names (for example, www.amazon.com) to machine readable IP addresses (for example, 192.0.2.44). All computers on the Internet, from your smart phone or laptop to the servers that serve content for massive retail websites, find and communicate with one another by using numbers. These numbers are known as IP addresses. A DNS service such as Amazon Route 53 is a globally distributed service that translates human readable names like www.example.com into the numeric IP addresses like 192.0.2.1 that computers use to connect to each other. The Internet's DNS system works much like a phone book by managing the mapping between names and numbers.
Types of DNS Service
Authoritative DNS
• Amazon Route 53 is an authoritative DNS system.
• Authoritative DNS has the final authority over a domain and is responsible for providing answers to recursive DNS servers.
Recursive DNS
• Clients generally connect to another type of DNS service known as a resolver, or a recursive DNS service.
• A recursive DNS service acts like a hotel concierge: it doesn't own any DNS records, but it acts as an intermediary that fetches the DNS information on your behalf.
Steps Involved in Domain Name System (DNS) Resolution:
Step 1: Requesting Website Information. You open a website in a web browser. Your computer first looks for the IP address associated with the domain name in its local DNS cache. If the record is present locally, the website is displayed. If not, the computer performs a DNS query to retrieve the information.
Step 2: Contact the Recursive DNS Servers. If the information is not in your computer's local cache, it queries a recursive DNS server (normally the one configured by your network). Recursive DNS servers have their own cache, much like your computer.
Step 3: Query the Authoritative DNS Servers. If the recursive DNS server does not have the information in its cache, it looks elsewhere. It starts at the root servers and follows the chain of referrals (root, then the top-level domain servers, then the domain's own name servers) until it reaches a name server that is authoritative for the domain.
Steps Involved in Domain Name System Resolution (Cont'd):
Step 4: Access the DNS Record. The recursive DNS server obtains the record from the authoritative name servers and stores it in its local cache, so that a later query for the same name can be answered without repeating the lookup. Every DNS record carries a time-to-live (TTL) value that tells caches when the record expires.
Steps Involved in Domain Name System Resolution (Cont'd):
Step 5: Final DNS Step. The recursive DNS server returns the record to your computer. Your computer stores it in its local cache, reads the IP address from the record and passes it to the browser. The entire lookup process, from start to finish, takes only milliseconds. Note that the client trusts whatever answer the recursive resolver returns; without DNSSEC validation, a compromised resolver, or anyone able to inject replies to it, can steer the client to any address. Refer to the diagram on the previous slide for a better understanding.
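The five steps above, as an added example that is not part of the original slides: a toy stub cache on the client, a caching recursive resolver that honours TTLs, and three constructed authoritative servers (root, .com, and the example.com name server). The zone data, names and TTLs are made up for the demonstration; nothing touches the network.

```python
"""Walk through the five DNS resolution steps with a toy stub cache,
a caching recursive resolver and three constructed authoritative servers.
Added example for this page, no network I/O; it is not Route 53 code."""
import time

# Constructed authoritative data: server -> {(name, type): (rdata, ttl)}.
# NS entries are delegations; following them is the "chain" in step 3.
SERVERS = {
    ".": {("com.", "NS"): ("a.gtld-servers.net.", 172800)},
    "a.gtld-servers.net.": {("example.com.", "NS"): ("ns1.example.com.", 172800)},
    "ns1.example.com.": {
        ("www.example.com.", "A"): ("192.0.2.44", 300),
        ("example.com.", "A"): ("192.0.2.1", 300),
    },
}

def authoritative_lookup(server, name, rtype):
    """Ask one server. Returns ("answer", rdata, ttl), ("referral", next_server, None)
    when the server only holds a delegation, or ("nxdomain", None, None)."""
    zone = SERVERS[server]
    if (name, rtype) in zone:
        rdata, ttl = zone[(name, rtype)]
        return ("answer", rdata, ttl)
    labels = name.split(".")
    for i in range(len(labels)):               # closest enclosing delegation wins
        parent = ".".join(labels[i:])
        if (parent, "NS") in zone and zone[(parent, "NS")][0] != server:
            return ("referral", zone[(parent, "NS")][0], None)
    return ("nxdomain", None, None)

class RecursiveResolver:
    """Steps 2 to 5: caches answers with an expiry computed from the record TTL."""
    def __init__(self, clock=time.time):
        self.clock = clock                     # injectable so TTL expiry is testable
        self.cache = {}                        # (name, type) -> (rdata, expires_at)
        self.upstream_queries = 0              # how many servers were actually asked

    def resolve(self, name, rtype="A"):
        """Return (rdata or None, where the answer came from, expires_at)."""
        key, now = (name, rtype), self.clock()
        if key in self.cache and self.cache[key][1] > now:
            rdata, expires = self.cache[key]
            return rdata, "cache", expires
        server = "."                           # cache miss: start at the root
        for _ in range(8):                     # bound the delegation chain
            self.upstream_queries += 1
            kind, data, ttl = authoritative_lookup(server, name, rtype)
            if kind == "answer":
                self.cache[key] = (data, now + ttl)
                return data, server, now + ttl
            if kind == "referral":
                server = data
                continue
            return None, server, now           # nxdomain: toy does not cache negatives
        raise RuntimeError("delegation chain too long")

def browser_lookup(local_cache, resolver, name):
    """Step 1: the client's own cache is consulted before the recursive resolver."""
    now = resolver.clock()
    if name in local_cache and local_cache[name][1] > now:
        return local_cache[name][0], "local-cache"
    ip, source, expires = resolver.resolve(name)
    if ip is not None:
        local_cache[name] = (ip, expires)      # client caches with the same expiry
    return ip, source

if __name__ == "__main__":
    resolver, local = RecursiveResolver(), {}
    print(browser_lookup(local, resolver, "www.example.com."))  # root -> com -> ns1
    print(browser_lookup(local, resolver, "www.example.com."))  # served from local cache
```

The first lookup costs three upstream queries (root, .com, ns1); the second is answered from the client's cache, and once the 300-second TTL has elapsed the whole chain is walked again. Trust follows the same path: whichever server answers last is believed.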
DNS Record Types
DNS records are stored in authoritative servers. These records provide information about a domain. Every domain must have a minimum set of records (at least an SOA and NS records at the zone apex). Below is a list of the most common and most frequently used record types.
A (Address) Record: points a domain name to an IPv4 address (an AAAA record does the same for IPv6).
CNAME (Canonical Name) Record: forwards a domain name to a different domain name. This record does not contain an IP address. A CNAME must be the only record at its name, so it can be used only when there are no other records on that domain name (which is why it cannot be placed at the zone apex, where SOA and NS records already exist).
MX (Mail Exchanger) Record: names the mail server(s) that accept email for the domain. Each MX record carries a priority value; when a domain lists more than one mail server, senders try the lowest priority value first.
DNS Record Types (Cont'd)
TXT (Text) Record: holds free-form text used for information and verification purposes. A Sender Policy Framework (SPF) record is an example of a TXT record.
NS (Name Server) Record: denotes which DNS servers are authoritative for a domain. NS records identify the name servers for each delegated domain name within a given zone.
SOA (Start of Authority) Record: stores administrative information about the zone (primary name server, responsible contact, serial number and refresh/retry/expire timers) rather than the content of every record in it.
SRV (Service) Record: ties a service to the host that provides it. An application looking for the location of a service it needs queries the SRV record for that service and reads the hostname, port, priority and weight; it then resolves the hostname with a separate A or AAAA query, because an SRV record carries a target hostname, never an IP address.
Domain Registration with Amazon Route 53
When you register a domain, Route 53 automatically creates a hosted zone that has the same name as the domain. The hosted zone is where you specify how you want Amazon Route 53 to route traffic for your domain.
Step 1: Obtain a static IP address
a. Open the Elastic IPs section of the EC2 console in a new window and click Allocate New Address.
b. Set EIP used in: to VPC and click Yes, Allocate.
c. Note your new IP address and click Close.
d. Select the new IP address in the Elastic IP column. Press the Actions button and choose the Associate Address option.
e. Click in the Instance text box and choose the option that has your instance name.
f. Make a note of your new IP address in the Elastic IP column.
g. Verify that your new Elastic IP address is working by typing it into your web browser.
Step 2: Register a Domain Name
Now that you have a fixed IP address associated with your instance, you need to configure the Domain Name System (DNS) to point a domain name at this address so that people can find your website.
Step 3: Configure DNS
The last step is to configure DNS so that the domain registered in Step 2 points to the address of your server: an A record in the domain's hosted zone whose value is the Elastic IP.
Domain Name System (DNS) Service • DNS, or the Domain Name System, translates human readable domain names (for example, www.amazon.com) to machine readable IP addresses (for example, 192.0.2.44). • Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service • It is designed to give developers and businesses an extremely reliable and cost effective way to route end users to Internet applications • Amazon Route 53 Traffic Flow makes it easy for you to manage traffic • Amazon Route 53 also offers Domain Name Registration – you can purchase and manage domain names such as example.com and Amazon Route 53 will automatically configure DNS settings for your domains
Video on AWS Domain Name System
Given below is an official video on Amazon Route 53 for your understanding:
Hosted Zones
• A hosted zone is a container for records, and records contain information about how you want to route traffic for a specific domain, such as example.com, and its subdomains (acme.example.com, zenith.example.com).
• A hosted zone and the corresponding domain have the same name. There are two types of hosted zones:
  o Public hosted zones contain records that specify how you want to route traffic on the internet.
  o Private hosted zones contain records that specify how you want to route traffic in an Amazon VPC.
Activity 1 : Creating a public hosted zone
1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/.
2. If you're new to Route 53, choose Get started.
3. If you're already using Route 53, choose Hosted zones in the navigation pane.
4. Choose Create hosted zone.
5. In the Create Hosted Zone pane, enter the name of the domain that you want to route traffic for. You can optionally enter a comment.
For information about how to specify characters other than a-z, 0-9, and - (hyphen) and how to specify internationalized domain names, see DNS domain name format.
6. For Type, accept the default value of Public Hosted Zone.
7. Choose Create.
8. Create records that specify how you want to route traffic for the domain and its subdomains.
Activity 2 : Creating a private hosted zone
1. For each VPC that you want to associate with the Route 53 hosted zone, change the following VPC settings to true:
   o enableDnsHostnames
   o enableDnsSupport
2. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/.
3. If you're new to Route 53, choose Get started.
4. If you're already using Route 53, choose Hosted zones in the navigation pane.
5. Choose Create hosted zone.
6. In the Create private hosted zone pane, enter a domain name and, optionally, a comment.
7. For information about how to specify characters other than a-z, 0-9, and - (hyphen) and how to specify internationalized domain names, see DNS domain name format.
8. In the Type list, choose Private hosted zone.
9. In the VPC ID list, choose the VPC that you want to associate with the hosted zone.
10. Choose Create hosted zone.
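Step 3 of the registration walkthrough and step 8 of Activity 1 both end with "create records", and the DNS Record Types slides state rules those records must obey. The example below is added here and is not code from the slides or from AWS: it builds the change batch document that the real `aws route53 change-resource-record-sets --hosted-zone-id <id> --change-batch file://changes.json` command accepts, and checks the record rules (a CNAME must stand alone, MX values carry a priority, SRV targets are hostnames, not IPs) before anything is submitted. The domain example.com, the Elastic IP 203.0.113.10 and the mail and SIP hosts are constructed placeholders.

```python
"""Build a Route 53 change batch and validate the record-type rules from the
DNS Record Types slides before submission. Added example for this page;
the domain, addresses and host names are constructed."""
import ipaddress
import json

ZONE = "example.com."    # constructed: the hosted zone created at registration

def _fqdn(name):
    """Route 53 stores names fully qualified; normalise the trailing dot."""
    return name if name.endswith(".") else name + "."

def _ip_version(text):
    """4, 6 or None for a candidate rdata value."""
    try:
        return ipaddress.ip_address(text.rstrip(".")).version
    except ValueError:
        return None

def upsert(name, rtype, values, ttl=300):
    """One UPSERT change for a simple (non-alias) record set."""
    return {"Action": "UPSERT",
            "ResourceRecordSet": {"Name": _fqdn(name), "Type": rtype, "TTL": ttl,
                                  "ResourceRecords": [{"Value": v} for v in values]}}

def validate(changes, existing):
    """Return a list of rule violations (empty means the batch is acceptable).
    `existing` is the set of (name, type) pairs already present in the zone."""
    problems, seen = [], set(existing)
    for change in changes:
        rrset = change["ResourceRecordSet"]
        name, rtype = rrset["Name"], rrset["Type"]
        values = [r["Value"] for r in rrset["ResourceRecords"]]
        others = {t for n, t in seen if n == name and t != rtype}
        if rtype == "CNAME" and others:            # CNAME must stand alone at a name
            problems.append(f"{name}: CNAME cannot coexist with {sorted(others)}")
        if rtype != "CNAME" and "CNAME" in others:
            problems.append(f"{name}: {rtype} cannot be added alongside a CNAME")
        for v in values:
            if rtype == "A" and _ip_version(v) != 4:
                problems.append(f"{name}: A value {v!r} is not an IPv4 address")
            if rtype == "MX":
                parts = v.split(" ")
                if len(parts) != 2 or not parts[0].isdigit():
                    problems.append(f"{name}: MX value {v!r} must be '<priority> <host>'")
            if rtype == "SRV":
                parts = v.split(" ")
                if len(parts) != 4 or not all(p.isdigit() for p in parts[:3]):
                    problems.append(f"{name}: SRV value {v!r} must be 'priority weight port target'")
                elif _ip_version(parts[3]) is not None:   # targets are hostnames, never IPs
                    problems.append(f"{name}: SRV target {parts[3]!r} must be a hostname, not an IP")
        seen.add((name, rtype))
    return problems

def change_batch(changes, comment):
    return {"Comment": comment, "Changes": changes}

def to_json(batch):
    """The document passed to --change-batch file://changes.json."""
    return json.dumps(batch, indent=2)

def site_records(elastic_ip):
    """Apex and www point at the instance's Elastic IP; mail, SPF and a service
    record show the other types discussed on the record-type slides."""
    return [upsert(ZONE, "A", [elastic_ip]),
            upsert("www." + ZONE, "A", [elastic_ip]),
            upsert(ZONE, "MX", ["10 mail1.example.com.", "20 mail2.example.com."]),
            upsert(ZONE, "TXT", ['"v=spf1 mx -all"']),
            upsert("_sip._tcp." + ZONE, "SRV", ["10 60 5060 sip.example.com."])]

if __name__ == "__main__":
    changes = site_records("203.0.113.10")        # constructed Elastic IP
    assert validate(changes, existing=set()) == []
    print(to_json(change_batch(changes, "initial records for example.com")))
```

Run it, redirect the output to changes.json, and submit with the CLI command named in the lead-in. The validator catches the mistakes the slides warn about (a CNAME next to an A record at www, an SRV pointing at an address) before Route 53 rejects them or, worse, accepts something that silently breaks mail or service discovery.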
Amazon Route 53 Enables Resiliency The AWS global infrastructure is built around AWS Regions and Availability Zones. AWS Regions provide multiple physically separated and isolated Availability Zones. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures. Route 53 is primarily a global service, but the following features support AWS Regions: • If you're using Route 53 Resolver to set up hybrid configurations, you create endpoints in AWS Regions that you choose, and you specify IP addresses in multiple Availability Zones. For outbound endpoints, you create rules in the same Region where you created the endpoint. • You can configure Route 53 health checks to check the health of resources that you create in specific Regions, such as Amazon EC2 instances and Elastic Load Balancing load balancers. • When you create a health check that monitors an endpoint, you can optionally specify the Regions that you want Route 53 to perform health checks from.
Domain name management
Amazon Route 53 is most often used to manage DNS for services and machines deployed on AWS, although a hosted zone can hold records for resources hosted anywhere. Route 53 connects user requests to ELB load balancers, Amazon EC2 instances, Amazon S3 buckets, and other infrastructure running on AWS.
Key Amazon Route 53 Benefits and Features: AWS service integration, simple routing policy, alias records, Amazon Route 53 failover, domain registration, Geo DNS, health checks, latency-based routing, private DNS, traffic flow, weighted round-robin load balancing.
Route 53's DNS Failover
Route 53's DNS Failover feature lets you monitor your website with health checks and automatically route visitors to a backup site if the main target is not healthy. AWS describes the failover scenarios in 3 categories:
Active-passive: Route 53 normally returns the primary resource. If the primary's health check fails, Route 53 returns the secondary (backup) resource instead. Configured using the failover routing policy.
Active-active: Route 53 returns more than one resource at a time (for example, weighted or latency-based records). When one of them fails its health check, Route 53 stops returning it and answers only with the healthy resources; when it recovers it is returned again. Configured using any routing policy besides failover, with a health check attached to each record.
Combination: Multiple routing policies (such as latency-based, weighted, etc.) are combined into a tree of records to configure more complex DNS failover.
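The three categories above, as an added example that is not Route 53 code: a small model of which answer Route 53 returns for each policy given the health-check results, written to reflect the documented behaviour (primary while healthy, secondary on failure, primary again if both fail; unhealthy weighted records dropped, and all records treated as healthy when none is). Endpoint names such as "p" and "us-p" are constructed, and the random draw is passed in so the outcome is reproducible.

```python
"""Model of how Route 53 picks answers under the three failover categories,
driven by health-check results. Added example with constructed endpoint names;
it follows the documented behaviour but is not Route 53 code."""

def failover_answer(primary, secondary, healthy):
    """Active-passive (failover routing policy). `healthy` maps endpoint -> bool.
    Primary while it is healthy, secondary when the primary fails, and the
    primary again if both are unhealthy (Route 53 never answers with nothing)."""
    if healthy.get(primary, False):
        return [primary]
    if healthy.get(secondary, False):
        return [secondary]
    return [primary]

def weighted_answer(records, healthy, rand):
    """Active-active with weighted records: unhealthy records are dropped and one
    of the rest is chosen in proportion to weight. `records` is [(name, weight)];
    `rand` in [0, 1) stands in for Route 53's own randomness so results are testable.
    When every record is unhealthy, Route 53 answers as if all were healthy."""
    live = [(n, w) for n, w in records if healthy.get(n, False)] or list(records)
    total = sum(w for _, w in live)
    if total == 0:                              # all weights zero: uniform choice
        return [live[int(rand * len(live))][0]]
    threshold, acc = rand * total, 0
    for name, weight in live:
        acc += weight
        if threshold < acc:
            return [name]
    return [live[-1][0]]

def latency_then_failover(regions_by_latency, healthy):
    """Combination: one latency-based record per Region whose target is an
    active-passive pair. `regions_by_latency` is [(primary, secondary)] ordered
    closest first; the closest Region with any healthy member answers."""
    for primary, secondary in regions_by_latency:
        if healthy.get(primary, False) or healthy.get(secondary, False):
            return failover_answer(primary, secondary, healthy)
    return failover_answer(*regions_by_latency[0], healthy)

if __name__ == "__main__":
    status = {"us-p": False, "us-s": False, "eu-p": True, "eu-s": True}
    print(latency_then_failover([("us-p", "us-s"), ("eu-p", "eu-s")], status))  # ['eu-p']
```

The point a practitioner should take from the model is the "both unhealthy" and "all unhealthy" cases: a failed health check on the backup does not make Route 53 go dark, it makes it send traffic to a target it knows is broken, so health checks on the secondary deserve alarms too.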
Activity: Quiz
Choose the correct alternative:
1. Amazon Route 53 was released in ________
   a. 2000  b. 2010  c. 2020  d. 2030
2. Into which kind of address does Amazon Route 53 translate human readable names?
   a. Alphabetical  b. Numerical  c. British  d. English
3. How many types of hosted zones are there?
   a. One  b. Two  c. Three  d. Four
Activity: True or False
Choose the correct alternative (True / False):
1. Amazon Route 53 is a highly available and scalable cloud DNS web service.
2. A hosted zone is a container for rules.
3. AWS describes the failover scenarios in 3 different categories.
4. Authoritative DNS is a type of DNS service.
5. DNS records are stored in recursive servers.
Amazon CloudTrail
Learning Objectives By the end of this module, you will be able to: • Give an overview of CloudTrail • Describe the features of AWS CloudTrail • Explain the importance of AWS CloudTrail • Describe the procedure on how to configure AWS CloudTrail.
CloudTrail Overview :
AWS CloudTrail is an auditing, compliance monitoring, and governance tool from Amazon Web Services (AWS). The AWS console classes it under "Management and Governance". CloudTrail records the application programming interface (API) calls made in an account and delivers the resulting log files to an Amazon S3 bucket for storage and later analysis. Activity in AWS services is recorded as events in CloudTrail.
Amazon CloudTrail
With CloudTrail, AWS account owners can ensure that every API call made to every resource in their AWS account is recorded and written to a log. An API call can be made:
• When a resource is accessed from the AWS console
• When someone runs an AWS CLI command
• When a REST API call is made to an AWS resource
These actions can come from:
• Human users (e.g. when someone spins up an EC2 instance from the console)
• Applications (e.g. when a bash script calls an AWS CLI command)
• Another AWS service (e.g. when a Lambda function writes to an S3 bucket)
CloudTrail writes the API events to log files in S3; with log file validation enabled, signed digest files let you prove afterwards that the logs were not modified, deleted or forged after delivery, which is what makes them usable as evidence in an investigation.
AWS CloudTrail Features
Amazon CloudTrail has a number of features you would expect from a monitoring and governance tool. These features include:
• CloudTrail is "always on", so you can view management events from the most recent 90 days without creating a trail.
• Event history lets you see and search the changes made in the account.
• Multi-region configuration.
• Log file integrity validation and encryption.
• Data events, management events, and CloudTrail Insights.
How CloudTrail works?
CloudTrail is enabled on your AWS account when you create it. When activity occurs in your AWS account, that activity is recorded in a CloudTrail event. You can view events in the CloudTrail console by going to Event history, which allows you to view and download the past 90 days of activity in your AWS account. For longer retention and for analysis by other services, you create a trail. Two types of trails can be created for an AWS account:
• A trail that applies to all regions
• A trail that applies to one region
Activity: Configure CloudTrail in the Console
• CloudTrail should be a core component of your governance program.
• AWS service activity is logged and recorded as events in CloudTrail.
• AWS groups its cloud security best practices into several areas; one of them is detection, which is the area CloudTrail serves.
Five steps of configuration
1. Create a Trail.
• When you create your AWS account, AWS CloudTrail is enabled by default, but only the 90-day Event history is kept. For an ongoing record of activity and events, analysis and log retention, create a trail in your account.
• Creating a trail lets you use other AWS services to analyze and act upon the event data collected in CloudTrail logs.
2. Configure your trail to apply to all regions.
Specify a unique name for your trail and follow the CloudTrail naming requirements. Select yes to apply the trail to all regions, even if you are only hosted in one region currently. It is best practice to apply CloudTrail to all regions, because an attacker who gains credentials can act in any region, not just the ones you use.
Five steps of configuration (Cont'd.)
3. Choose events to log.
There are three different types of events you can log with CloudTrail: management events, Insights events, and data events. The events that you log will be based on your organization's needs and preferences; data events (for example S3 object-level reads and writes) are not logged by default and carry extra cost.
4. Configure logs to be stored on S3 and enable log file validation.
The S3 bucket created for your trail is encrypted at rest using the default SSE-S3 encryption by AWS (you can choose SSE-KMS instead). Enable log file validation to have signed digest files delivered to your S3 bucket, so you can verify the integrity of the logs and ensure they have not been modified after CloudTrail delivered them. Restrict write and delete access to the log bucket to the CloudTrail service and to a small set of administrators.
Five steps of configuration (Cont'd)
5. Configure CloudWatch Alarms for security- and network-related API activity.
After creating the trail, open it to configure CloudWatch Logs delivery. Within the trail settings, click Configure under CloudWatch Logs. Follow the prompt to create the IAM role that CloudTrail needs in order to write events to the log group. Then define metric filters and alarms on that log group for the API calls you care about, such as changes to the trail itself, failed console logins, root account usage, security group changes and unauthorized API calls.
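Step 5 asks you to alarm on security- and network-related API activity, but the slides do not show what those conditions look like. The block below is an added example, not code from the slides or from AWS: five detection rules run offline over constructed events written in the CloudTrail record format (the account ID 123456789012, the user alice, the group ID and the trail name are placeholders). Each rule also carries the CloudWatch Logs metric filter pattern that expresses the same condition once the trail is delivering to a log group; the filter syntax is the real one, but the thresholds and names should be adapted to your account.

```python
"""Detection rules for security-related CloudTrail activity, of the kind step 5
has you alarm on. Added example for this page, run offline over constructed
events in the CloudTrail record format; account ID, ARNs and IDs are placeholders."""
import json

def _sg_opens_to_world(e):
    """True when an AuthorizeSecurityGroupIngress call adds a 0.0.0.0/0 source."""
    perms = e.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    return any(r.get("cidrIp") == "0.0.0.0/0"
               for p in perms for r in p.get("ipRanges", {}).get("items", []))

# (rule name, equivalent CloudWatch Logs metric filter pattern, predicate on one event)
RULES = [
    ("cloudtrail-tampering",
     '{ ($.eventName = StopLogging) || ($.eventName = DeleteTrail) || ($.eventName = UpdateTrail) }',
     lambda e: e.get("eventSource") == "cloudtrail.amazonaws.com"
               and e.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail"}),
    ("console-login-failure",
     '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }',
     lambda e: e.get("eventName") == "ConsoleLogin"
               and e.get("responseElements", {}).get("ConsoleLogin") == "Failure"),
    ("root-account-usage",
     '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }',
     lambda e: e.get("userIdentity", {}).get("type") == "Root"
               and "invokedBy" not in e.get("userIdentity", {})
               and e.get("eventType") != "AwsServiceEvent"),
    ("security-group-open-to-world",
     '{ ($.eventName = AuthorizeSecurityGroupIngress) }',   # the CIDR check is done in code
     lambda e: e.get("eventName") == "AuthorizeSecurityGroupIngress" and _sg_opens_to_world(e)),
    ("unauthorized-api-call",
     '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
     lambda e: str(e.get("errorCode", "")).endswith("UnauthorizedOperation")
               or str(e.get("errorCode", "")).startswith("AccessDenied")),
]

def scan(events):
    """Return [(rule name, eventID)] for every event that trips a rule, in log order."""
    return [(name, e.get("eventID")) for e in events
            for name, _pattern, match in RULES if match(e)]

def load_records(log_text):
    """CloudTrail delivers each log file as a JSON object {"Records": [...]}."""
    return json.loads(log_text)["Records"]

def _ev(eid, name, source, who="IAMUser", **extra):
    """Constructed CloudTrail record carrying the fields the rules inspect."""
    principal = "root" if who == "Root" else "user/alice"
    rec = {"eventID": eid, "eventName": name, "eventSource": source,
           "eventType": "AwsApiCall", "awsRegion": "us-east-1",
           "userIdentity": {"type": who, "arn": f"arn:aws:iam::123456789012:{principal}"}}
    rec.update(extra)
    return rec

SAMPLE_LOG = json.dumps({"Records": [                      # constructed log file
    _ev("e1", "StopLogging", "cloudtrail.amazonaws.com",
        requestParameters={"name": "management-trail"}),
    _ev("e2", "ConsoleLogin", "signin.amazonaws.com", eventType="AwsConsoleSignIn",
        errorMessage="Failed authentication", responseElements={"ConsoleLogin": "Failure"}),
    _ev("e3", "DescribeInstances", "ec2.amazonaws.com", who="Root"),
    _ev("e4", "AuthorizeSecurityGroupIngress", "ec2.amazonaws.com",
        requestParameters={"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}),
    _ev("e5", "RunInstances", "ec2.amazonaws.com", errorCode="Client.UnauthorizedOperation"),
    _ev("e6", "DescribeInstances", "ec2.amazonaws.com"),      # benign, should not match
]})

if __name__ == "__main__":
    for rule, eid in scan(load_records(SAMPLE_LOG)):
        print(f"{rule}: {eid}")
```

The first rule is the one to create before any other: an attacker with enough access will try StopLogging or DeleteTrail first, and an alarm on it is only useful if it fires to a channel that does not depend on the account under attack.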
Activity: Quiz
Choose the correct alternative:
1. Which of the following activities does AWS CloudTrail enable?
   a. Auditing  b. Monitoring  c. Troubleshooting  d. All
2. For how many days can you view past account activity in Event history?
   a. 10  b. 80  c. 90  d. 100
3. How many types of trails can be created for an AWS account?
   a. One  b. Two  c. Three  d. Four
Activity: True or False
Choose the correct alternative (True / False):
1. AWS CloudTrail is classed as a "Management and Governance" tool in the AWS console.
2. AWS CloudTrail sends log files to an S4 bucket.
3. We can create four types of trails for an AWS account.
4. Event history allows you to view the past 90 days of activity in your AWS account.
Amazon CloudFront
Learning Objectives By the end of this module, you will be able to: • Give an overview of CloudFront • Describe the CloudFront architecture • Explain the importance of AWS CloudFront • Describe the CloudFront caching process • Explain the Amazon CloudFront media streaming process • Explain how to monitor CloudFront with CloudWatch