- Dedicated Hosts and Dedicated Instances
Both give you sole use of a physical server, but a Dedicated Host offers more control. Once you have a host you can launch instances on it repeatedly; it is mainly used for bring-your-own-licence scenarios and is billed per host. To place an EC2 instance on one in CloudFormation, specify HostId and set Tenancy to dedicated.
Dedicated Instances are billed per instance; each launch is independent and not necessarily on the same physical machine.
- Stack Set
A CloudFormation template creates one Stack. A Stack Set uses one template to create multiple Stacks, in the current account, in other linked accounts, or across an AWS Organization. The Stacks it creates can span multiple Regions, but the Stack Set itself lives in a single Region.
- CloudFormation Drift
Resources in a Stack created by CloudFormation can be changed directly, bypassing CloudFormation. Drift Detection checks whether the actual configuration of the Stack's resources still matches the template.
- ingress traffic vs egress traffic
Data originating outside the local network that is transmitted to a station within the network. Contrast with "egress traffic," which is data originating within the local network that is transmitted to a station outside the network.
Ingress traffic enters the local network from outside; egress traffic leaves it.
- load balancer and security group
A Classic or Application Load Balancer must have at least one security group assigned; a Network Load Balancer does not use security groups.
- AWS Cost and Usage Report and tags
To break the generated report down by tag, activate Cost allocation tags in the Billing & Cost Management Console; there are user-defined tags and AWS-generated tags.
- Beanstalk Immutable Deployment
First a temporary Auto Scaling Group is created behind the load balancer, then a single new instance is launched. Once it passes the Health Check, as many instances as the original group has are created; when they all pass the Health Check they are moved into the original Auto Scaling Group, and the temporary Auto Scaling Group and the old instances are deleted.
- Using IAM policies for CodeCommit
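The note below describes three kinds of CodeCommit restriction. The template that follows is an added example, not code from the notes or from AWS, that expresses all three as one IAM managed policy created through CloudFormation: the repository ARN, the account id, the office CIDR (an RFC 5737 documentation range) and the tag name Status are placeholders.

```yaml
# Added example (not from the notes): IAM managed policy with CodeCommit guardrails.
# RepositoryArn, the account id inside it, OfficeCidr and the Status tag are placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Description: Deny pushes/merges to master, deny use from outside the office network, freeze tagged repos (example)
Parameters:
  RepositoryArn:
    Type: String
    Default: arn:aws:codecommit:us-east-1:111111111111:example-repo   # placeholder
  OfficeCidr:
    Type: String
    Default: 203.0.113.0/24   # placeholder (RFC 5737 documentation range)
Resources:
  CodeCommitGuardrails:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: codecommit-guardrails-example
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # 1> Protect master: deny pushes and merges whose target reference is refs/heads/master.
          #    The Null condition limits the statement to calls that carry a reference at all,
          #    so unrelated CodeCommit API calls are not affected.
          - Sid: DenyChangesToMaster
            Effect: Deny
            Action:
              - codecommit:GitPush
              - codecommit:DeleteBranch
              - codecommit:PutFile
              - codecommit:MergeBranchesByFastForward
              - codecommit:MergeBranchesBySquash
              - codecommit:MergeBranchesByThreeWay
              - codecommit:MergePullRequestByFastForward
              - codecommit:MergePullRequestBySquash
              - codecommit:MergePullRequestByThreeWay
            Resource: !Ref RepositoryArn
            Condition:
              StringEqualsIfExists:
                codecommit:References:
                  - refs/heads/master
              "Null":                      # quoted: an unquoted Null is a YAML null, not a key
                codecommit:References: "false"
          # 2> Deny every CodeCommit action when the caller's source IP is outside the office range.
          - Sid: DenyOutsideOfficeNetwork
            Effect: Deny
            Action: codecommit:*
            Resource: "*"
            Condition:
              NotIpAddress:
                aws:SourceIp: !Ref OfficeCidr
          # 3> Tag-based control: deny all actions on repositories tagged Status=frozen.
          - Sid: DenyFrozenRepositories
            Effect: Deny
            Action: codecommit:*
            Resource: "*"
            Condition:
              StringEquals:
                aws:ResourceTag/Status: frozen
```

The policy is created unattached; attach it to the developer groups or roles (for example with the Groups or Roles properties of AWS::IAM::ManagedPolicy). Because every statement is an explicit Deny, it overrides any Allow those principals already have, which is the point of a guardrail.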
IAM can be used to manage CodeCommit, for example to forbid merging into and pushing to master, or to deny all actions based on tags or on the user's IP address.
- EC2 API keys
For applications, AWS CLI, and Tools for Windows PowerShell commands that run on the instance, you do not have to explicitly get the temporary security credentials—the AWS SDKs, AWS CLI, and Tools for Windows PowerShell automatically get the credentials from the EC2 instance metadata service and use them.
Once a role is attached to an EC2 instance, the AWS CLI, SDKs and so on no longer require you to handle access keys and the credential process yourself.
- In-Memory Acceleration with DynamoDB Accelerator (DAX)
When DynamoDB reads far outnumber writes, its built-in cache can be used. It is suited to eventually consistent reads.
Note that when most reads are served from the cache, there is no need to increase read throughput.
- AWS Beanstalk Configuration options
Four categories, in order of precedence from highest to lowest.
1> Settings applied directly to the environment
Parameters specified directly when creating or updating via the Console, CLI or SDK.
2> Saved Configurations
The configuration files are located in .elasticbeanstalk/saved_configs/
3> Configuration Files (.ebextensions)
4> Default Values
The first two kinds can be removed with the CLI, after which 3> or 4> takes effect automatically. Configuration Files take effect only after the file is changed and the application is redeployed.
- Auto Scaling Health Check
Auto Scaling can determine an instance's health status in three ways.
1> Amazon EC2 Status Checks
These come in two kinds: System status checks, which mainly check the underlying AWS systems, and Instance status checks, which check the instance's own network, file system and so on.
2> Elastic Load Balancing (ELB) Health Checks
3> Custom Health Checks
With custom health checks you set the health status yourself via the CLI or SDK.
- Elastic Load Balancing access log
Disabled by default; it must be enabled and an S3 bucket configured to store the files.
- CodeCommit Notifications and Triggers
In the CodeCommit Settings you can configure notifications, or triggers that invoke SNS and Lambda.
- CodeBuild Docker image
AWS CodeBuild does not support Red Hat Enterprise Linux Docker images.
- SNS HTTP HTTPS endpoint
Similar to sending email, except that the data is delivered to the specified URL with an HTTP POST.
- AWS Security Token Service
AWS Security Token Service (AWS STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).
- Auto Scaling default termination policy
It first tries to keep the number of instances balanced across Availability Zones, then terminates the instances that use the oldest launch template or configuration, and finally those closest to the next billing hour.
- Elastic Beanstalk worker environments
Handles long-running tasks: it reads messages from SQS, POSTs them to http://localhost/, and processes them in a daemon process.
- Suspending and resuming scaling processes
Amazon EC2 Auto Scaling can temporarily suspend Launch, Terminate, AddToLoadBalancer, ReplaceUnhealthy and other processes.
When AddToLoadBalancer is suspended, instances it launches are not added to the Load Balancer; after it is resumed this applies only to newly launched instances, and instances launched in the meantime must be added to the Load Balancer manually.
- AWS Beanstalk Customizing software
In Beanstalk configuration files the Packages, Groups, Users, Sources, Files, Commands, Services and Container commands keys can install packages, create users and files, and so on.
Of these:
Container commands run after the application and web server have been set up and the application version archive has been extracted, but before the application version is deployed.
You can use leader_only to only run the command on a single instance, or configure a test to only run the command when a test command evaluates to true.
- deployment configurations in CodeDeploy
Defines in what proportion and at what pace CodeDeploy rolls out a new application version. AWS predefines the following:
1> for an EC2/on-premises compute platform
CodeDeployDefault.AllAtOnce, HalfAtATime, OneAtATime
2> for an Amazon ECS compute platform
CodeDeployDefault.ECSLinear10PercentEvery1Minutes and the 3Minutes variant
Shifts 10% of traffic per step, linearly
CodeDeployDefault.ECSCanary10Percent5Minutes and the 15Minutes variant
Shifts 10% first, then the rest all at once 5 minutes later.
CodeDeployDefault.ECSAllAtOnce
3> for an AWS Lambda compute platform
CodeDeployDefault.LambdaCanary10Percent5Minutes and the 10, 15 and 30 minute variants.
CodeDeployDefault.LambdaLinear10PercentEvery1Minute and the 2, 3 and 10 minute variants.
CodeDeployDefault.LambdaAllAtOnce
- Initializing Amazon EBS volumes
Empty EBS volumes receive their maximum performance the moment that they are created and do not require initialization (formerly known as pre-warming).
EBS volumes created from snapshots must download their data from S3, which affects performance during initialization.
- CodeBuild logging in to AWS ECR
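The login step this note describes is one line of a buildspec. The buildspec below is an added example, not code from the notes or from AWS, showing that line in a complete build that pushes an image to ECR; the repository name, the Dockerfile location and the digest artifact are assumptions, while AWS_DEFAULT_REGION and CODEBUILD_RESOLVED_SOURCE_VERSION are variables CodeBuild provides.

```yaml
# Added example (not from the notes): buildspec.yml that logs in to ECR, builds and pushes an image.
# IMAGE_REPO_NAME, the Dockerfile in the repo root and image-digest.txt are assumptions.
version: 0.2

env:
  variables:
    IMAGE_REPO_NAME: example-app      # ECR repository name (placeholder)

phases:
  pre_build:
    commands:
      # The account id comes from the build role's own identity, so nothing is hard-coded.
      - ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
      - REPO_URI=${ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/${IMAGE_REPO_NAME}
      # Tag images with the commit id so a running container can be traced back to source.
      - IMAGE_TAG=${CODEBUILD_RESOLVED_SOURCE_VERSION:-latest}
      # get-login prints a 'docker login' command carrying a short-lived token obtained with
      # the build role's ecr:GetAuthorizationToken permission; $(...) executes that command,
      # so no registry password is stored in the buildspec or in the project.
      - $(aws ecr get-login --region $AWS_DEFAULT_REGION --no-include-email)
  build:
    commands:
      - docker build -t ${REPO_URI}:${IMAGE_TAG} .
  post_build:
    commands:
      - docker push ${REPO_URI}:${IMAGE_TAG}
      # Record the immutable digest so the deploy stage can pin exactly what was built.
      - docker inspect --format='{{index .RepoDigests 0}}' ${REPO_URI}:${IMAGE_TAG} > image-digest.txt

artifacts:
  files:
    - image-digest.txt
```

Two practical caveats: building images inside CodeBuild requires privileged mode on the project, and aws ecr get-login exists only in AWS CLI version 1; on version 2 the equivalent is aws ecr get-login-password piped into docker login --username AWS --password-stdin for the registry host.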
To log in to Amazon ECR from CodeBuild's buildspec.yml:
$(aws ecr get-login --region $AWS_DEFAULT_REGION --no-include-email)
get-login returns a docker login command that contains the credentials; wrap it in $() to execute it.
- AWS OpsWorks Stacks Lifecycle Events
Each layer has a set of five lifecycle events: Setup, Configure, Deploy, Undeploy, Shutdown
The Configure lifecycle event occurs when:
- An instance enters or leaves the online state.
- You associate an Elastic IP address with an instance or disassociate one from an instance.
- You attach an Elastic Load Balancing load balancer to a layer, or detach one from a layer.
- Prevent updates to stack resources
After you set a stack policy, all of the resources in the stack are protected by default. To allow updates on specific resources, you specify an explicit Allow statement for those resources in your stack policy.
A stack policy keeps selected resources from being changed during an AWS CloudFormation update.
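A stack policy that applies the "protected by default, explicitly allowed otherwise" rule from this note, added here as an example and not taken from the notes or from AWS. Stack policies are JSON documents, so it is written as JSON; the logical ID ProductionDatabase and the choice to protect IAM roles are assumptions.

```yaml
{
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["Update:Replace", "Update:Delete"],
      "Principal": "*",
      "Resource": "LogicalResourceId/ProductionDatabase"
    },
    {
      "Effect": "Deny",
      "Action": "Update:*",
      "Principal": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ResourceType": ["AWS::IAM::Role"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "Update:*",
      "Principal": "*",
      "Resource": "*"
    }
  ]
}
```

The first statement still permits in-place modification of the database (Update:Modify, for example a storage increase) but blocks any update that would replace or delete it; the second freezes every IAM role in the stack regardless of its logical ID; the final Allow is what lets all other resources be updated at all, since without it every resource stays protected. Apply it with aws cloudformation set-stack-policy --stack-name NAME --stack-policy-body file://stack-policy.json, and for a deliberate one-off change to a protected resource pass a temporary override to update-stack with --stack-policy-during-update-body rather than loosening the stored policy.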
- instance profiles
Use an instance profile to pass an IAM role to an EC2 instance.
If you use the IAM console, the instance profile is managed for you and is mostly transparent to you. However, if you use the AWS CLI or API to create and manage the role and EC2 instance, then you must create the instance profile and assign the role to it as separate steps. Then, when you launch the instance, you must specify the instance profile name instead of the role name.
Instance profiles link a role to an EC2 instance; when you use the IAM console the instance profile is created automatically, so it feels as if you only configure roles.
- AWS CloudFormation Custom resources
Custom resources enable you to write custom provisioning logic in templates that AWS CloudFormation runs anytime you create, update (if you changed the custom resource), or delete stacks.
Just like the AWS-defined resource types such as EC2 and Lambda, you can use resources of your own definition.
Three parties are involved: the template developer, the custom resource provider and AWS CloudFormation.
- Amazon EC2 Auto Scaling lifecycle hooks
When launching or terminating instances, Auto Scaling enters a wait state during which you can perform specified actions, then notify Auto Scaling to continue.
- Monitoring Trusted Advisor check results with Amazon CloudWatch Events
Note that the US East (N. Virginia) Region must be selected.
- AWS CloudFormation cfn-hup
The cfn-hup helper is a daemon that detects changes in resource metadata and runs user-specified actions when a change is detected.
- Auto Scaling instances terminate policies
Using termination policies, you can control which instances you prefer to terminate first when a scale-in event occurs.
For example:
1> OldestLaunchTemplate. Terminate instances that have the oldest launch template.
2> OldestLaunchConfiguration. Terminate instances that have the oldest launch configuration.
3> ClosestToNextInstanceHour. Terminate instances that are closest to the next billing hour.
4> NewestInstance. Terminate the newest instance in the group.
- AWS API Gateway/Lambda canary release deployment
Canary release deployment is configured in API Gateway; the Lambda Function console has no setting for it.
- IAM database authentication for MySQL and PostgreSQL
You can authenticate to your DB instance using AWS Identity and Access Management (IAM) database authentication. IAM database authentication works with MySQL and PostgreSQL. With this authentication method, you don't need to use a password when you connect to a DB instance. Instead, you use an authentication token.
Note that with this method the number of new connections per second must not be too high, on the order of a few hundred.
- Deploy strategies
Blue/Green and Red/Black are the same approach.
A/B Testing runs two versions to find the better one for the final release.
- Amazon S3 Analytics
Automated analysis and visualization of Amazon S3 storage patterns to help you decide when to shift data to a different storage class.
S3 Analytics can be used to analyze access patterns and save costs.
- AWS Compute Optimizer
AWS Compute Optimizer recommends optimal AWS resources for your workloads to reduce costs and improve performance by using machine learning to analyze historical utilization metrics.
It analyzes usage to recommend a sensible configuration that lowers cost while still meeting demand.
- AWS Auto Healing Feature
OpsWorks has an auto-healing feature; Beanstalk does not.
- Elastic IP limitation
By default each account can have at most 5 Elastic IPs per region.
- Managing large Amazon SQS messages using Amazon S3
Using S3 together with the Amazon SQS Extended Client Library for Java, queue messages of up to 2 GB can be stored.
- Warm Standby
The standby environment is fully functional but runs fewer instances; after failover it has to be scaled to the load.
- AWS Macie
It has two data sources: S3 and CloudTrail.
- Real-time Processing of Log Data with Subscriptions
CloudWatch Logs can be streamed to Lambda, Elasticsearch and other destinations.
- Changing the launch configuration for an Auto Scaling group
An Auto Scaling group's launch configuration cannot be modified after creation; copy the existing one and modify the copy instead.
- launch configuration and launch template
When creating an Auto Scaling group you can use either a launch configuration or a launch template.
A launch template is essentially the configuration kept as a file, so it has version management and can also set the ratio of On-Demand to Spot Instances.
- Network maximum transmission unit (MTU) for your EC2 instance
the most common format is the standard Ethernet v2 frame format. It supports 1500 MTU, which is the largest Ethernet packet size supported over most of the internet.
Jumbo frames (9001 MTU) allow more than 1500 bytes.
Note that jumbo frames are not a network standard, so they are suited to communication inside the VPC.
- Database snapshot
Automated RDS snapshots cannot be shared directly; make a manual copy first.
- DynamoDB Global Tables
Amazon DynamoDB global tables provide a fully managed solution for deploying a multiregion, multi-active database, without having to build and maintain your own replication solution.
- DBSnapshotIdentifier
By specifying this property, AWS CloudFormation creates a DB instance from the specified DB snapshot.
- Active Directory Connector
AD Connector is a directory gateway with which you can redirect directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud.
- Advanced environment customization with configuration files (.ebextensions)
You can add AWS Elastic Beanstalk configuration files (.ebextensions) to your web application's source code to configure your environment and customize the AWS resources that it contains. Configuration files are YAML- or JSON-formatted documents with a .config file extension that you place in a folder named .ebextensions and deploy in your application source bundle.
- AWS Lambda function scaling
Your functions' concurrency is the number of instances that serve requests at a given time.
It has default limits.
When the burst concurrency limit is reached, the function starts to scale linearly. If this isn't enough concurrency to serve all requests, additional requests are throttled and should be retried.
- Amazon Inspector
AWS Systems Manager (SSM) is used to install the Amazon Inspector agent.
- AWS Systems Manager Managed Instances
In its Managed Instances console, instance IDs starting with mi- are on-premises or virtual machine (VM) managed instances; EC2 instances start with i-.
- DynamoDB Stream
Data in DynamoDB tables and in DynamoDB Streams is encrypted.
- Elastic Beanstalk .ebextensions for Linux machines
Configuration files support the following keys that affect the Linux server your application runs on.
Packages
Groups
Users
Sources
Files
Commands
Services
Container commands
Note:
1> Container commands run after the application and web server have been set up and the application version archive has been extracted, but before the application version is deployed. Non-container commands and other customization operations are performed prior to the application source code being extracted.
2> Elastic Beanstalk supports: yum, rubygems, python, and rpm. Packages are processed in the following order: rpm, yum, and then rubygems and python. There is no ordering between rubygems and python. Within each package manager, package installation order isn't guaranteed.
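One .ebextensions file exercising the keys listed in this note and in the earlier "AWS Beanstalk Customizing software" note (packages, groups, users, files, commands, services, container_commands with leader_only and test), plus an option_settings block that sits at level 3> of the configuration precedence list. It is an added example, not a file from the notes or from AWS: the service account, paths, scripts, the log collector hostname and the option values are all invented.

```yaml
# Added example (not from the notes): .ebextensions/01-host-setup.config for an Amazon Linux 2 platform.
# The appsvc account, paths, scripts and logs.example.internal are placeholders.
option_settings:
  # Precedence level 3> (configuration files): overrides platform defaults, but is
  # overridden by saved configurations and by settings applied directly to the environment.
  aws:elasticbeanstalk:application:environment:
    APP_LOG_LEVEL: info
  aws:elasticbeanstalk:environment:
    LoadBalancerType: application

packages:
  yum:
    jq: []          # [] = latest version available from the yum repositories
    rsyslog: []

groups:
  appsvc:
    gid: "1500"

users:
  appsvc:           # service account that owns the application's data directory
    groups:
      - appsvc
    uid: "1500"
    homeDir: /var/lib/appsvc

files:
  "/etc/rsyslog.d/10-appsvc.conf":
    mode: "000640"
    owner: root
    group: root
    content: |
      # ship the application's syslog lines to the central collector (placeholder host)
      :programname, isequal, "appsvc" @@logs.example.internal:514
  "/opt/appsvc/bin/migration-pending.sh":
    mode: "000750"
    owner: root
    group: root
    content: |
      #!/bin/bash
      # Placeholder: a real check would compare the schema version in the database
      # with the one shipped in the bundle. Exit 0 means a migration is needed.
      exit 0

commands:
  # 'commands' run BEFORE the application source is extracted (note 1> above).
  01_create_data_dir:
    command: install -d -m 0750 -o appsvc -g appsvc /var/lib/appsvc/data
    test: test ! -d /var/lib/appsvc/data    # skip on instances that already have it

services:
  # 'systemd' is the key for Amazon Linux 2 platforms ('sysvinit' on the older Amazon Linux AMI).
  systemd:
    rsyslog:
      enabled: true
      ensureRunning: true
      files:
        - /etc/rsyslog.d/10-appsvc.conf     # restart rsyslog whenever this file changes

container_commands:
  # 'container_commands' run AFTER extraction and before the version is deployed,
  # from the staging directory of the new version, so they can see its code.
  01_migrate:
    command: ./scripts/migrate.sh              # hypothetical script in the source bundle
    leader_only: true                          # once per deployment, on a single instance
    test: /opt/appsvc/bin/migration-pending.sh # only when the test command exits 0
  02_collect_static:
    command: ./scripts/collect-static.sh       # hypothetical; runs on every instance
```

Because commands run before extraction, anything they need (here the data directory) must already exist on the instance, while the migration under container_commands can reference scripts from the bundle; leader_only keeps a one-time schema change from racing across the fleet.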
- Automate the creation of EBS Snapshots
A CloudWatch Events rule can create EBS Snapshots on a schedule.
- AWS CloudFormation DeletionPolicy attribute
With the DeletionPolicy attribute you can preserve or (in some cases) backup a resource when its stack is deleted.
- cloudformation-stack-drift-detection-check
AWS Config can check whether CloudFormation's actual resources match the template.
The rule and the stack are COMPLIANT when the stack drift status is IN_SYNC. The rule and the stack are NON_COMPLIANT when the stack drift status is DRIFTED.
- AWS Elastic Beanstalk Requirements
Using a proxy server is not supported for Linux instances.
- Web Access Control List (Web ACL)
A web access control list (web ACL) gives you fine-grained control over the web requests that your protected resource responds to. You can protect Amazon CloudFront, Amazon API Gateway, Application Load Balancer, and AWS AppSync resources.
For example, blocking requests based on the client's IP address, geographic location or request content.
- AWS SMS
AWS Server Migration Service automates the migration of your on-premises VMware vSphere, Microsoft Hyper-V/SCVMM, and Azure virtual machines to the AWS Cloud.
- Controlling when a CloudFormation stack resource counts as created
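The note below describes the CreationPolicy and cfn-signal pattern. The template that follows is an added example, not code from the notes or from AWS, that combines it with the cfn-hup daemon and the DeletionPolicy attribute from the earlier notes: the instance signals success only after the web server it installed actually answers, cfn-hup re-applies the Metadata when a stack update changes it, and the data volume is snapshotted rather than destroyed when the stack is deleted. The logical names, the index page, the volume size and the t3.micro instance type are assumptions; the SSM parameter path is AWS's public alias for the latest Amazon Linux 2 AMI.

```yaml
# Added example (not from the notes): CreationPolicy + cfn-signal, cfn-hup and DeletionPolicy in one template.
# AppInstance, DataVolume, the index page content and the instance/volume sizes are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  AmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2
Resources:
  AppInstance:
    Type: AWS::EC2::Instance
    CreationPolicy:
      ResourceSignal:
        Count: 1        # wait for one SUCCESS signal ...
        Timeout: PT15M  # ... for at most 15 minutes, then fail and roll back
    Metadata:
      AWS::CloudFormation::Init:
        config:
          packages:
            yum:
              httpd: []
          files:
            /var/www/html/index.html:
              content: "ok\n"
              mode: "000644"
              owner: root
              group: root
            /etc/cfn/cfn-hup.conf:
              content: !Sub |
                [main]
                stack=${AWS::StackId}
                region=${AWS::Region}
                interval=5
              mode: "000400"
              owner: root
              group: root
            /etc/cfn/hooks.d/cfn-auto-reloader.conf:
              # when this resource's Metadata changes in a stack update, re-run cfn-init
              content: !Sub |
                [cfn-auto-reloader-hook]
                triggers=post.update
                path=Resources.AppInstance.Metadata.AWS::CloudFormation::Init
                action=/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource AppInstance --region ${AWS::Region}
                runas=root
              mode: "000400"
              owner: root
              group: root
          services:
            sysvinit:
              httpd:
                enabled: true
                ensureRunning: true
              cfn-hup:
                enabled: true
                ensureRunning: true
                files:
                  - /etc/cfn/cfn-hup.conf
                  - /etc/cfn/hooks.d/cfn-auto-reloader.conf
    Properties:
      ImageId: !Ref AmiId
      InstanceType: t3.micro
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash -x
          # Apply the Metadata above, then verify the web server answers before signalling.
          /opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource AppInstance --region ${AWS::Region}
          status=$?
          if [ "$status" -eq 0 ]; then
            curl -sf http://localhost/ >/dev/null || status=1
          fi
          # exit code 0 -> SUCCESS; anything else -> FAILURE, so the stack rolls back at once
          # instead of waiting for the 15 minute timeout
          /opt/aws/bin/cfn-signal -e "$status" --stack ${AWS::StackName} --resource AppInstance --region ${AWS::Region}
  DataVolume:
    Type: AWS::EC2::Volume
    DeletionPolicy: Snapshot   # deleting the stack leaves an EBS snapshot behind
    Properties:
      AvailabilityZone: !GetAtt AppInstance.AvailabilityZone
      Size: 8
      VolumeType: gp3
      Encrypted: true
  DataVolumeAttachment:
    Type: AWS::EC2::VolumeAttachment
    Properties:
      InstanceId: !Ref AppInstance
      VolumeId: !Ref DataVolume
      Device: /dev/sdf
```

Without the CreationPolicy, CloudFormation would report CREATE_COMPLETE as soon as the instance reached the running state, before cfn-init had installed anything; with it, a broken install surfaces as a failed stack rather than a green stack serving nothing.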
For example, an EC2 instance is normally considered created as soon as it is running. If you want to install a program on it and only mark it complete once that program is running correctly, give the EC2 resource a CreationPolicy and use the cfn-signal helper script to tell CloudFormation that creation has finished.
- AWS OpsWorks Stacks Operating Systems
A stack can run Linux or Windows, but not a mix of the two.
- Lambda@Edge
A Lambda function can run after the viewer request is received (before the cache is checked), before the origin request is sent, or after the origin response is received.
- Amazon Cloudsearch vs Elasticsearch
Amazon Cloudsearch is a cloud-based solution, which is fully managed by AWS.
Elasticsearch is an open-source database and search engine tool.
Amazon Elasticsearch is a cloud-based solution provided by AWS.
Because CloudSearch works out of the box, it suits quick deployments. Note that CloudFormation does not support it; data must be configured with the AWS CLI or SDK.
- State Machine Execution in Response to Amazon S3 Events
You can use Amazon CloudWatch Events to execute an AWS Step Functions state machine in response to an event or on a schedule.
- Build environment reference for AWS CodeBuild
You can use an AWS-provided managed image, including Amazon Linux, Ubuntu and Windows Server, or a private custom image.
- Beanstalk lifecycle
Use an application version lifecycle policy to keep the number of Elastic Beanstalk application versions under the limit.
- Elastic Load Balancing Access logs
Disabled by default; once enabled, logs are placed in the specified S3 bucket.
- AWS CloudTrail global service
For most services, events are recorded in the region where the action occurred. For global services such as AWS Identity and Access Management (IAM), AWS STS, and Amazon CloudFront, events are delivered to any trail that includes global services.
- Testing your Android app with AWS Device Farm
AWS Device Farm can be added to CodePipeline as an action provider.
- Amazon Inspector rules packages and rules
Inspector performs assessments using rules; different rules check different things.
1> Common vulnerabilities and exposures
The rules in this package help verify whether the EC2 instances in your assessment targets are exposed to common vulnerabilities and exposures (CVEs).
2> Network Reachability
The rules in the Network Reachability package analyze your network configurations to find security vulnerabilities of your EC2 instances.
- AWS OpsWorks DeploymentCommand
AWS DeploymentCommand has a rollback option in it. It keeps up to 5 versions; running a rollback goes back to the previous version.
- External Cookbook on a Linux Instance
Berkshelf can be used, but Berkshelf is available only for Chef 11.10 Linux stacks.
- Application Load Balancer traffic
Note that an ALB has no NetworkIn metric; only EC2 has that. An ALB has NewConnectionCount.
- AWS OpsWorks Installing Custom Cookbooks
To have a stack install and use custom cookbooks, you must configure the stack to enable custom cookbooks, if it is not already configured.
- CodeDeploy config file
On-premises deployments must have the application specification file appspec.yml.
For Lambda it can also be JSON.