
Highlights - 5

AWS WAF & CloudFront Integration

  • AWS WAF is tightly integrated with Amazon CloudFront and the Application Load Balancer (ALB), services commonly used to deliver web content.
  • When used with CloudFront, WAF rules run at AWS Edge Locations globally, protecting any HTTP web server including EC2 and on-premises servers.
  • You can enforce HTTPS between CloudFront and your server and between CloudFront and viewers.

Amazon S3 Storage Classes & Security

  • The S3 Intelligent-Tiering class optimizes storage costs by automatically transitioning objects between frequent and infrequent access tiers.
  • Amazon S3 Bucket Keys reduce SSE-KMS costs by generating unique data keys locally per object, reducing AWS KMS API calls by up to 99%.
    • Using a VPC endpoint for S3 enhances security and network cost-efficiency, but doesn’t affect KMS pricing.
  • The S3 Snapshot Recycle Bin retains deleted EBS snapshots for a configurable period (e.g., 7 days) to allow recovery from accidental deletion.

S3 storage class comparison (figure)


Amazon Kinesis

  • Kinesis Data Firehose is an ETL service that captures and delivers streaming data to destinations like data lakes and analytics services.
    • It supports only one destination per stream (no multi-consumer setup).
  • Kinesis Data Streams require batching and parallel HTTP requests to efficiently send large numbers of records.
    • Simply looping PutRecord API calls is not efficient.

Amazon FSx vs EFS in Transfer Family

  • Amazon FSx for Lustre is not natively supported by AWS Transfer Family for SFTP.
  • Amazon EFS is supported by Transfer Family and enables secure access, IAM-based policies, and POSIX permissions when deployed with Elastic IPs in a VPC.

High Availability and Failover

  • An active-passive failover configuration ensures standby resources are ready if primaries go down.
  • Amazon RDS Multi-AZ handles failovers automatically by switching the DNS CNAME to the standby, promoting it as the new primary.

AWS Global Accelerator

  • Lets you associate static anycast IPs with AWS resources like ALBs, NLBs, EC2 instances, and Elastic IPs.
  • Enables seamless endpoint migration across AZs or Regions without DNS changes.
  • Allows traffic control via traffic dials and endpoint weights for blue/green deployments or performance testing.

Amazon ElastiCache for Session Management

  • Supports in-memory caching using Memcached or Redis, ideal for use cases like:
    • Real-time analytics
    • Caching
    • Messaging
    • Leaderboards
    • Geospatial use cases
    • ML and streaming applications
    • Session stores

CloudFront CDN and S3

  • CloudFront caches content at edge locations after the initial request to Amazon S3.
  • This significantly improves performance for repeated uploads/downloads like video files.

🔥 Super Important

  • CloudFront only supports ACM certificates from the us-east-1 (N. Virginia) Region, even if your application is hosted elsewhere.
    • Custom domain HTTPS for CloudFront must use a certificate from this Region.
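As an added example (not code from the original notes or from AWS), the Python audit below checks a CloudFront distribution config for the controls in the WAF & CloudFront section and the ACM note above: HTTPS on the viewer and origin legs, a WAF web ACL attached, and an ACM certificate issued in us-east-1. The dict layout mirrors the DistributionConfig fields (ViewerCertificate, DefaultCacheBehavior, Origins, WebACLId); the account id and certificate id in the sample are placeholders.

```python
"""Audit a CloudFront DistributionConfig for edge-security controls.

Constructed example; the dict layout follows the fields returned by
GetDistributionConfig (ViewerCertificate, DefaultCacheBehavior, Origins, WebACLId).
"""

ALLOWED_VIEWER = {"https-only", "redirect-to-https"}


def cert_region(acm_arn):
    """Region is the 4th ':'-separated field of an ACM certificate ARN."""
    parts = acm_arn.split(":")
    return parts[3] if len(parts) > 3 else ""


def audit_distribution(cfg):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    # Viewer -> CloudFront leg: plain HTTP must be refused or redirected.
    policy = cfg.get("DefaultCacheBehavior", {}).get("ViewerProtocolPolicy")
    if policy not in ALLOWED_VIEWER:
        findings.append(f"viewer protocol policy is {policy!r}, expected HTTPS")
    # CloudFront -> origin leg: custom origins must be reached over HTTPS only.
    for origin in cfg.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if custom and custom.get("OriginProtocolPolicy") != "https-only":
            findings.append(f"origin {origin.get('Id')} does not use https-only")
    # Custom-domain certificate must be an ACM certificate from us-east-1.
    arn = cfg.get("ViewerCertificate", {}).get("ACMCertificateArn")
    if arn and cert_region(arn) != "us-east-1":
        findings.append(f"ACM certificate is in {cert_region(arn)}, CloudFront needs us-east-1")
    # A web ACL must be associated so WAF rules run at the edge locations.
    if not cfg.get("WebACLId"):
        findings.append("no WAF web ACL associated")
    return findings


# Constructed weak sample: account id and certificate id are placeholders.
WEAK_CONFIG = {
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "allow-all"},
    "Origins": {"Items": [{"Id": "app-origin",
                           "CustomOriginConfig": {"OriginProtocolPolicy": "match-viewer"}}]},
    "ViewerCertificate": {"ACMCertificateArn":
                          "arn:aws:acm:eu-west-1:123456789012:certificate/PLACEHOLDER"},
    "WebACLId": "",
}

if __name__ == "__main__":
    for finding in audit_distribution(WEAK_CONFIG):
        print("FINDING:", finding)
```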

💡 AWSEC2-PatchLoadBalancerInstance Automation Document

The AWSEC2-PatchLoadBalancerInstance Systems Manager Automation document is used to safely patch EC2 instances behind a load balancer.
Here’s how it works:

  • Automatically removes the EC2 instance from the ALB target group
  • Waits for in-flight requests to complete before taking any action
  • Applies patches and performs reboots if necessary
  • Re-registers the instance back to the load balancer after patching

This prevents application downtime or request failures during patching.
It also ensures compliance with your security patching policies.


🕒 Maintenance Windows with Systems Manager

Systems Manager Maintenance Windows help schedule controlled and automated patching.

  • You can run Automation documents or Lambda functions at specific times
  • Use it to automatically remove instances from the load balancer, run patching workflows like AWSEC2-PatchLoadBalancerInstance, and then add them back safely

This gives you fine-grained control over patching, with zero disruption to traffic.

EC2 Instance Types

  • Amazon EBS volumes are particularly well-suited for use as the primary storage for file systems, databases, or any applications that require fine-grained updates and access to raw, unformatted, block-level storage.
  • For high I/O performance, instance store volumes are a better option.