What is an Amazon Machine Image (AMI), and why is it important?
An Amazon Machine Image (AMI) is a pre-configured template that contains the software stack required to launch an Amazon EC2 instance. This template includes the operating system, application code, libraries, and any configurations or dependencies needed by the instance.
Importance of AMIs:
- Consistency: AMIs ensure that EC2 instances are launched with the same configuration every time, which is essential for consistency across development, testing, and production environments.
- Customization: AMIs can be customized to fit specific application needs, such as adding security patches, application setups, and dependencies, reducing the time required to set up instances manually.
- Scalability: AMIs allow you to quickly spin up new instances, making it easier to scale applications horizontally by replicating the same configuration across multiple instances.
- Backup and Recovery: AMIs can serve as snapshots of configured instances, enabling quick recovery by launching new instances from a saved AMI if an issue arises with existing ones.
What are the different types of AMIs in AWS?
- EBS-Backed AMIs: Store the root volume on Amazon Elastic Block Store (EBS). Instances can be stopped and started, the root volume persists across stops, and it can be snapshotted and encrypted with a KMS key. This is the type almost everyone uses today.
- Instance Store-Backed AMIs: Use ephemeral disks on the physical host for the root volume. Local disks can give lower-latency I/O, but there is no persistence: an instance store-backed instance can only be rebooted or terminated (it cannot be stopped), and the root volume's contents are lost on termination or on an underlying host failure.
- Public AMIs: Created by AWS or other users, available for anyone to use.
- Private AMIs: Visible only to your account unless you explicitly add launch permissions for specific accounts, an organization or an OU.
- Marketplace AMIs: Pre-configured with software from AWS Marketplace vendors, often requiring a subscription.
What is the difference between an AMI and a snapshot?
- AMI: What you launch an instance from. For an EBS-backed AMI it is a registered image made up of one or more EBS snapshots (the root volume plus any additional volumes) together with launch metadata: block device mapping, architecture, virtualization and boot mode, and launch permissions.
- Snapshot: A point-in-time copy of a single EBS volume. A snapshot of a root volume does contain the operating system, but on its own it carries none of the launch metadata, so it cannot be launched directly; you either restore it to a volume or register an AMI from it.
What are the permissions and limitations for sharing encrypted AMIs?
- Key Sharing Requirement: The AMI's snapshots must be encrypted with a customer managed KMS key, and that key's policy (or a grant) must allow the target account to use it. AMIs encrypted with the AWS managed key (aws/ebs) cannot be shared at all, so pick a customer managed key before you build anything you intend to share.
- Limited Sharing Options: Encrypted AMIs can be shared only with specific accounts, an organization or an OU; they cannot be made public.
- Cross-Region Limitations: KMS keys are Regional, so copying an encrypted AMI to another Region re-encrypts the snapshots under a key in the destination Region that you name in the copy request (a multi-Region key lets you keep the same key material on both sides).
- No Marketplace Sharing: AWS Marketplace does not accept encrypted AMIs for product listings.
How does AWS handle AMI deprecation and versioning?
- Deprecation: AWS lets you set a deprecation date on an AMI you own. After that date the AMI is hidden by default from other accounts' DescribeImages results (it still shows up when queried by ID or with the include-deprecated option), existing instances are unaffected, and instances can still be launched from it by ID. There is no push notification; the deprecation time is simply returned in the image metadata. To actually stop new launches you disable the AMI (Disable AMI), and deregistration protection guards an AMI you depend on from being deleted by mistake.
- AMI Versioning: AWS has no built-in AMI versioning, so teams track versions themselves with naming conventions (e.g., my-ami-v1, my-ami-v2), tags, or an SSM Parameter Store parameter that always points at the current approved AMI ID.
- Automated Cleanup: Older AMIs can be retired automatically with Amazon Data Lifecycle Manager, whose EBS-backed AMI policies create, copy and deregister AMIs and delete their backing snapshots on a schedule, or with your own Lambda or AWS CLI scripts that deregister AMIs by age or version and then delete the orphaned snapshots (deregistering alone does not free the snapshot storage).
Describe a use case where you'd regularly create new AMIs.
A common use case for regularly creating new AMIs is in application updates and deployments. For example, in a CI/CD pipeline, you might:
- Automate AMI Creation for New Releases: With each release, bake a new "golden" AMI containing the latest code, configurations and dependencies (EC2 Image Builder or Packer are the usual tools), run your tests and a vulnerability scan against the candidate image, and only then publish its AMI ID to the parameter that the Auto Scaling group's launch template reads. Instances are then replaced rather than patched in place, which keeps every deployment identical.
- Use for Autoscaling: When scaling out, launching instances from the latest AMI ensures all instances run the most recent version, reducing configuration drift.
- Disaster Recovery: Regularly updated AMIs serve as reliable, ready-to-launch backups that contain the latest application state in case of failure or downtime.
Can you modify an existing AMI?
No. An AMI is immutable once registered, so you make changes by producing a new one:
- Launch an Instance: Start a new EC2 instance from the existing AMI.
- Make Changes: Modify the instance as needed (install software, change configurations, etc.).
- Create a New AMI: Once the changes are in place, create a new AMI from the instance. The create-image call reboots the instance by default so the filesystem is consistent (the no-reboot option skips that at the risk of an inconsistent image). Before this step remove anything you don't want baked into every future instance: access keys, SSH authorized_keys and host keys, shell history, and application secrets.
- Clean Up: Optionally, you can terminate the modified instance if it’s no longer needed.
What are Glacier and Snowball?
Amazon Glacier and AWS Snowball are two AWS services that are often confused, but they solve different problems:
Amazon Glacier
- Purpose: Glacier is AWS's archival storage tier, now offered as the S3 Glacier storage classes (Instant Retrieval, Flexible Retrieval and Deep Archive), for large amounts of data that is rarely accessed and must be kept cheaply.
- Features: Retrieval time depends on the class and option. Flexible Retrieval offers expedited (1 to 5 minutes), standard (3 to 5 hours) and bulk (5 to 12 hours) retrievals; Deep Archive standard retrieval takes about 12 hours and bulk up to 48 hours; Instant Retrieval returns data in milliseconds. Object Lock (or Vault Lock on the legacy vault API) can make archives immutable for retention and compliance.
- Use Case: It’s ideal for backup, archival, and compliance data where quick access isn’t a priority.
AWS Snowball
- Purpose: Snowball is a data transfer device used to move large amounts of data physically to AWS, bypassing network limitations.
- Features: Snowball Edge devices (the current generation; the original Snowball device has been retired) are rugged, tamper-evident appliances that you load on site and ship back for ingestion into S3. Data on the device is encrypted with 256-bit keys managed through AWS KMS, and the device can't be unlocked without the manifest and unlock code from the Snowball job, so a lost or intercepted device does not expose the data. Snowball Edge also offers local compute (EC2 instances, Lambda) and storage for edge processing before transfer.
- Use Case: Commonly used for data migrations, disaster recovery, and large-scale data transfers, especially in locations with limited bandwidth.
What is CORS in s3?
CORS (Cross-Origin Resource Sharing) lets a web page served from one origin make browser requests (fetch/XHR) to an S3 bucket on a different origin. The restriction comes from the browser's same-origin policy, not from S3: S3 answers any request its IAM and bucket policies allow, but the browser won't let the page read the response unless the bucket's CORS configuration lists the page's origin, the HTTP method and the request headers. A CORS rule grants no permissions at all; it only tells browsers which cross-origin reads to allow, so the object still has to be public, presigned, or otherwise authorized. Avoid AllowedOrigins of * on buckets that accept writes and list the specific origins instead.
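To make the matching rules concrete, here is an added example (not AWS code and not from the original page) that models how a bucket's CORS configuration is evaluated against a browser preflight. The rule shape follows the S3 CORS JSON (AllowedOrigins, AllowedMethods, AllowedHeaders, ExposeHeaders, MaxAgeSeconds); the evaluation is a simplification of S3's documented behaviour, and the rules, origins and headers are constructed for the example.

```python
"""Added example (not AWS code): a small model of how an S3 bucket's CORS
configuration is matched against a browser preflight (OPTIONS) request.
The rule shape follows the S3 CORS JSON; the matching logic is a simplified
model of S3's documented behaviour, and all sample data is constructed."""
from fnmatch import fnmatchcase

# Constructed configuration: one tight rule for the real web application.
CORS_RULES = [
    {
        "AllowedOrigins": ["https://app.example.com"],
        "AllowedMethods": ["GET", "PUT"],
        "AllowedHeaders": ["Authorization", "Content-Type", "x-amz-*"],
        "ExposeHeaders": ["ETag"],
        "MaxAgeSeconds": 3000,
    },
]

# Constructed configuration of the kind that lingers after debugging:
# any origin may PUT or DELETE, far wider than the application needs.
PERMISSIVE_RULES = [
    {"AllowedOrigins": ["*"], "AllowedMethods": ["GET", "PUT", "DELETE"],
     "AllowedHeaders": ["*"]},
]


def _matches_any(value, patterns):
    # S3 permits a single '*' wildcard in AllowedOrigins/AllowedHeaders;
    # fnmatchcase covers that and is case-sensitive, as origins must be.
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate_preflight(rules, origin, method, request_headers=()):
    """Return the CORS response headers S3 would add for this preflight,
    or None when no rule matches (the browser then blocks the request).

    S3 uses the first rule in which the Origin, the requested method and
    every requested header are all allowed; rules are not merged."""
    wanted = [h.lower() for h in request_headers]
    for rule in rules:
        if not _matches_any(origin, rule["AllowedOrigins"]):
            continue
        if method not in rule["AllowedMethods"]:
            continue
        allowed_headers = [h.lower() for h in rule.get("AllowedHeaders", [])]
        if not all(_matches_any(h, allowed_headers) for h in wanted):
            continue
        # A literal '*' origin is echoed as '*', otherwise the specific origin.
        allow_origin = "*" if "*" in rule["AllowedOrigins"] else origin
        return {
            "Access-Control-Allow-Origin": allow_origin,
            "Access-Control-Allow-Methods": ", ".join(rule["AllowedMethods"]),
            "Access-Control-Allow-Headers": ", ".join(request_headers),
            "Access-Control-Expose-Headers": ", ".join(rule.get("ExposeHeaders", [])),
            "Access-Control-Max-Age": str(rule.get("MaxAgeSeconds", 0)),
        }
    return None


def wildcard_origin_rules(rules):
    """Indexes of rules that allow any origin together with a mutating method.
    Such a rule lets any web page drive uploads or deletes from a browser;
    it is only safe if the bucket's own access controls are right, because
    CORS is not an access check."""
    risky = []
    for i, rule in enumerate(rules):
        mutating = {"PUT", "POST", "DELETE"} & set(rule["AllowedMethods"])
        if "*" in rule["AllowedOrigins"] and mutating:
            risky.append(i)
    return risky


if __name__ == "__main__":
    print(evaluate_preflight(CORS_RULES, "https://app.example.com", "PUT",
                             ["Content-Type", "x-amz-acl"]))
    print(evaluate_preflight(CORS_RULES, "https://evil.example.net", "GET"))
    print("risky rules:", wildcard_origin_rules(PERMISSIVE_RULES))
```

The second configuration is the one to look for in reviews: the audit function flags it, while the tight rule refuses a foreign origin, an unlisted method and an unlisted header, which is exactly what a browser enforces on the client side.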
What is required for one AWS resource to communicate with another?
IAM Role: The resource initiating the communication (such as an EC2 instance) should have an IAM role attached with permissions to access the target resource (like an S3 bucket).
Security Groups: Networking resources such as EC2 and RDS use security groups to allow inbound and outbound traffic on specific ports. Security groups are stateful and can reference another security group's ID instead of a CIDR, so a rule like "allow 5432 from the app tier's security group" keeps working when instance IPs change. The target's inbound rules and the source's outbound rules both have to permit the traffic, and the subnets' network ACLs must not block it.
VPC Peering or Private Link: If resources are in separate VPCs or accounts, VPC peering or PrivateLink setups enable secure communication between them without going over the public internet.
Endpoint Configuration: For serverless resources (like Lambda) or private S3 access, you may need to set up VPC endpoints to enable direct communication within the VPC.
What is called an application load balancer?
An Application Load Balancer (ALB) is a managed load balancer that operates at the Application Layer (Layer 7) of the OSI model. It terminates HTTP, HTTPS and gRPC connections and distributes requests to targets such as EC2 instances, containers, IP addresses and Lambda functions, in subnets spanning at least two Availability Zones.
Key Features of Application Load Balancer:
- Content-based Routing: Routes traffic based on request content (e.g., URL paths, host headers) using path-based and host-based routing.
- Load Balancing Across Multiple Targets: Distributes traffic to targets within an Auto Scaling group, across multiple Availability Zones for high availability.
- Enhanced Security: Terminates TLS with certificates from AWS Certificate Manager, integrates with AWS WAF, and can authenticate users at the listener through Amazon Cognito or an OIDC identity provider before a request ever reaches the application.
- WebSocket and HTTP/2 Support: Allows real-time applications and improved performance for HTTP connections.
- Target Group Management: Organizes targets into groups and uses health checks to ensure traffic is only directed to healthy instances.
How can we enable communication between 500 AWS accounts internally?
To connect 500 accounts internally you combine AWS Organizations (to manage the accounts and share network resources across them) with a network hub, normally Transit Gateway or, for service-level access, PrivateLink. VPC peering does not scale to this size. Here's how each piece fits:
1. AWS Organizations:
- Set Up Organizations: Put all 500 accounts in one organization and enable sharing with AWS Resource Access Manager (RAM), so a Transit Gateway or endpoint service owned by a central network account can be shared with every member account without per-account invitations.
- Service Control Policies (SCPs): SCPs are guardrails, not connectivity. Use them to stop member accounts from creating their own internet gateways, peering connections or other paths that would bypass the central hub.
2. VPC Peering:
- Establish VPC Peering Connections: Peering is one-to-one and non-transitive, so a full mesh of 500 VPCs would need 500 × 499 / 2 = 124,750 peering connections, far beyond the per-VPC quota (50 active peering connections by default, 125 maximum). It is fine for a handful of VPCs, not for 500.
- Route Tables: Every peering connection also needs routes added on both sides, and the VPC CIDRs must not overlap.
3. AWS Transit Gateway:
- Create a Transit Gateway: Set it up in a central networking account and share it through RAM with the organization.
- Attach VPCs: Each account attaches its VPCs to the shared Transit Gateway; a gateway supports up to 5,000 attachments, so 500 accounts fit in one.
- Routing: Use Transit Gateway route tables to decide which attachments can reach which. Separate route tables (for example production versus non-production) give you segmentation instead of a flat any-to-any network.
4. AWS PrivateLink:
- Endpoint Services: When accounts only need to consume specific services rather than full network reachability, the provider account exposes the service behind a Network Load Balancer as an endpoint service and allow-lists the consumer accounts (or the organization).
- Create VPC Endpoints: Consumers create interface endpoints in their own VPCs. There is no routing to maintain, overlapping CIDRs don't matter, and exposure is limited to that one service.
What is the maximum size of an S3 object?
The maximum size of a single S3 object is 5 TB. A single PUT can upload at most 5 GB, so anything larger must use multipart upload (AWS recommends it from about 100 MB upward for throughput and retry granularity). Each part except the last must be between 5 MB and 5 GB, an upload can have at most 10,000 parts, and parts are uploaded independently and can be retried on their own; because of the part cap, a 5 TB object needs parts of roughly 525 MiB or more. Incomplete multipart uploads keep consuming (and billing) storage until they are aborted, so add a lifecycle rule with AbortIncompleteMultipartUpload.
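The interaction between the 10,000-part cap and the part-size bounds is easy to get wrong, so here is an added example (not from AWS or its SDKs) that plans a multipart upload within the limits above. The byte limits are the documented values; the heuristic of starting from a preferred part size and enlarging it only when the part cap forces it is this example's own choice.

```python
"""Added example (not from AWS or its SDKs): plan a multipart upload that
stays within the S3 limits. The byte limits are the documented values
(5 MiB minimum part, 5 GiB maximum part and single PUT, 10,000 parts,
5 TiB object); the planning heuristic is this example's own choice."""
import math

MiB = 1024 ** 2
GiB = 1024 ** 3
TiB = 1024 ** 4

MIN_PART_SIZE = 5 * MiB              # every part except the last
MAX_PART_SIZE = 5 * GiB
MAX_PARTS = 10_000
MAX_SINGLE_PUT = 5 * GiB             # above this, multipart is mandatory
MAX_OBJECT_SIZE = 5 * TiB
MULTIPART_ADVISED_ABOVE = 100 * MiB  # AWS's rule of thumb, not a hard limit


def is_valid_object_size(size_bytes):
    return 0 <= size_bytes <= MAX_OBJECT_SIZE


def plan_upload(size_bytes, preferred_part_size=8 * MiB):
    """Return {'mode', 'part_size', 'parts'} for an object of size_bytes.

    Small objects go up in one PUT. Larger ones use the preferred part size
    unless that would exceed 10,000 parts, in which case the part size is
    raised (rounded up to a whole MiB) until the count fits."""
    if not is_valid_object_size(size_bytes):
        raise ValueError(f"{size_bytes} bytes is outside the 0..5 TiB object limit")
    if not MIN_PART_SIZE <= preferred_part_size <= MAX_PART_SIZE:
        raise ValueError("preferred part size must be between 5 MiB and 5 GiB")
    if size_bytes <= MAX_SINGLE_PUT and size_bytes <= MULTIPART_ADVISED_ABOVE:
        return {"mode": "single", "part_size": size_bytes, "parts": 1}

    smallest_allowed = math.ceil(size_bytes / MAX_PARTS)
    part_size = max(preferred_part_size, math.ceil(smallest_allowed / MiB) * MiB)
    part_size = min(part_size, MAX_PART_SIZE)
    parts = max(1, math.ceil(size_bytes / part_size))
    assert parts <= MAX_PARTS  # guaranteed by the rounding above
    return {"mode": "multipart", "part_size": part_size, "parts": parts}


def part_byte_ranges(size_bytes, part_size):
    """(part_number, first_byte, last_byte) for each part; part numbers are
    1-based as in UploadPart, and only the final part may be under 5 MiB."""
    ranges = []
    start = 0
    while start < size_bytes:
        end = min(start + part_size, size_bytes) - 1
        ranges.append((len(ranges) + 1, start, end))
        start = end + 1
    return ranges


if __name__ == "__main__":
    for size in (50 * MiB, 6 * GiB, 5 * TiB):
        print(size, plan_upload(size))
```

For a 5 TiB object the planner has to raise the part size to 525 MiB to stay under 10,000 parts; for a 6 GiB object the 8 MiB default already fits (768 parts). The byte ranges are what you would pass as the body slices to UploadPart, with the part number ordering preserved for CompleteMultipartUpload.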
What encryption options do we have in S3?
Amazon S3 offers several encryption options to protect data at rest:
Server-Side Encryption (SSE):
- SSE-S3: S3 owns and manages the keys and encrypts with AES-256. Since January 2023 every new object is encrypted with SSE-S3 by default, so "unencrypted" S3 objects no longer exist for new writes.
- SSE-KMS: Keys live in AWS Key Management Service (the AWS managed aws/s3 key or a customer managed key), which adds key policies, separation of duties and CloudTrail logging of every key use; S3 Bucket Keys reduce KMS request volume and cost. DSSE-KMS applies two independent layers of encryption for workloads that require it.
- SSE-C: You send your own key with each request (over HTTPS only); S3 uses it and discards it, storing only a salted HMAC of the key to validate later requests, so losing the key means losing the data.
Client-Side Encryption (CSE): Data is encrypted before it is uploaded, for example with the S3 Encryption Client in the AWS SDKs, and S3 never sees plaintext. You manage the keys on the client side (often envelope encryption with a KMS key wrapping per-object data keys).
Bucket Policies and Encryption Enforcement: A bucket policy can deny PutObject unless the request asks for a specific SSE mode (e.g., aws:kms), and deny all access when aws:SecureTransport is false. Because default encryption already applies SSE-S3, such policies are now mainly about forcing KMS (or a particular key) and TLS rather than encryption as such; note that a Null-condition statement that rejects requests without the encryption header will also reject clients that rely on the bucket default.
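The enforcement policy and how its Deny statements fire, as an added example (not AWS code and not from the original page). The policy JSON is the standard require-KMS-and-TLS pattern; the evaluator is a deliberately simplified model of IAM's Deny evaluation covering only the condition operators this policy uses. Its treatment of a key that is absent from the request context (StringNotEquals does not match, Null does) is stated as an assumption here, which is also why the policy carries both statements. The bucket name and request contexts are constructed.

```python
"""Added example (not AWS code): a bucket policy requiring SSE-KMS and TLS,
with a simplified evaluator that walks its Deny statements for a PutObject
request. Only the condition operators used by the policy are modelled; the
absent-key semantics (assumption) are spelled out in _condition_holds."""
import json
from fnmatch import fnmatchcase

ENFORCE_KMS_AND_TLS = json.loads(r'''
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyPutsNotUsingKms", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Sid": "DenyPutsWithoutSseHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}
''')


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """True when every operator/key pair in the Condition block is satisfied.
    Assumption of this model: an absent key fails StringEquals and
    StringNotEquals alike, and only Null sees it; hence the second statement."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [str(v) for v in _as_list(expected)]
            actual = context.get(key)
            if operator == "StringEquals":
                ok = actual is not None and actual in expected
            elif operator == "StringNotEquals":
                ok = actual is not None and actual not in expected
            elif operator == "Bool":
                ok = actual is not None and actual.lower() == expected[0].lower()
            elif operator == "Null":
                ok = (actual is None) == (expected[0].lower() == "true")
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def explicit_denies(policy, action, resource, context):
    """Sids of Deny statements that apply to this request. Any hit means the
    request is denied regardless of what IAM policies or ACLs allow."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            hits.append(stmt["Sid"])
    return hits


OBJECT = "arn:aws:s3:::example-bucket/reports/q1.csv"

# Constructed request contexts, as S3 would derive them from the HTTP request.
COMPLIANT = {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "aws:kms"}
SSE_S3_ONLY = {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "AES256"}
NO_HEADER = {"aws:SecureTransport": "true"}
PLAIN_HTTP = {"aws:SecureTransport": "false", "s3:x-amz-server-side-encryption": "aws:kms"}

if __name__ == "__main__":
    cases = [("compliant", COMPLIANT), ("sse-s3", SSE_S3_ONLY),
             ("no header", NO_HEADER), ("plain http", PLAIN_HTTP)]
    for name, ctx in cases:
        denied = explicit_denies(ENFORCE_KMS_AND_TLS, "s3:PutObject", OBJECT, ctx)
        print(f"{name:>10}: denied by {denied or 'nothing'}")
```

Drop the Null statement if your clients rely on the bucket's default SSE-KMS setting rather than sending the header themselves; keep it when you want every writer to state its intent explicitly. Add "aws:kms:dsse" to the StringNotEquals list if dual-layer encryption must also be accepted.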
What are A records and CNAME records?
A records and CNAME records are DNS record types used to resolve domain names.
- A (Address) Record: Maps a name directly to an IPv4 address (AAAA does the same for IPv6). For example, if example.com has an A record pointing to 192.0.2.1, any request to example.com is directed to that IP. A records suit fixed IP addresses and are what you use at a zone apex such as example.com.
- CNAME (Canonical Name) Record: Maps a name to another name rather than to an IP. For example, a CNAME that points www.example.com to example.com makes www.example.com resolve to whatever example.com resolves to, so the target's IP can change without touching the CNAME. A CNAME cannot coexist with any other record at the same name, which is why DNS forbids it at the zone apex; in Route 53 an alias record (to an ALB, a CloudFront distribution or an S3 website endpoint) fills that gap. A CNAME left pointing at a target you have since deleted (a bucket, a distribution, a load balancer) is a classic subdomain-takeover vector, so remove the record when the target goes away.
What is the use of a target group in a load balancer?
A target group in a load balancer is used to route requests to one or more specified targets, such as EC2 instances, containers, or IP addresses. It organizes these targets under a logical grouping, allowing the load balancer to efficiently distribute traffic according to configured health checks, protocols, and routing rules. Target groups also enable fine-tuned routing for different types of traffic and allow for granular control over how traffic is distributed across applications, helping ensure reliability, scalability, and high availability.
If a target group is unhealthy, what might be the reasons?
- Failed Health Checks: The target isn't returning the expected response (by default an HTTP 200 on the health check path within the timeout) often enough to reach the healthy threshold, so the load balancer stops sending it traffic.
- Incorrect Target Configuration: Registered on the wrong port or protocol (HTTP versus HTTPS), or a health check path that doesn't exist; a 404 or a 301 redirect counts as a failure unless the success codes are widened.
- Application or Service Errors: The application on the target is down, still starting up, or crashing under load.
- Network Issues: Routing problems between the load balancer's subnets and the target's subnet.
- Insufficient Resources: The instance lacks CPU or memory to answer in time, so checks time out even though the process is alive.
- Security Group or ACL Restrictions: The target's security group must allow inbound traffic from the load balancer's security group on the health check port (not just from client IP ranges), and the subnet's network ACL must allow the ephemeral-port return traffic; either one blocking the probe marks every target unhealthy at once.
What is AWS Lambda, and what have you done with it?
AWS Lambda is a serverless computing service provided by AWS that allows you to run code without provisioning or managing servers. You can execute your code in response to events, such as changes in data or system state, and automatically scale in response to the incoming requests.
What is S3?
Amazon S3 (Simple Storage Service) is a highly durable, scalable object storage service accessed over HTTPS. It stores any amount of data as objects in buckets and retrieves it from anywhere; access is governed by IAM policies, bucket policies and the Block Public Access settings, and versioning, Object Lock and server-side encryption can be enabled per bucket.
What is VPC?
A VPC (Virtual Private Cloud) in AWS is a private, isolated network where you can launch resources like EC2 instances with full control over network settings, security, and IP ranges. It enables secure communication within AWS and to on-premises networks.
What is RDS?
Amazon RDS (Relational Database Service) is a managed service that simplifies setting up, operating, and scaling relational databases in the cloud. It supports databases like MySQL, PostgreSQL, and Oracle, handling backups, patching, and scaling.
What is IAM in AWS?
AWS IAM (Identity and Access Management) is the service that controls who can do what to which AWS resources. It provides users, groups and roles, MFA, and fine-grained JSON policies evaluated on every API call; the operating rule is least privilege, granting a principal only the actions and resources it needs, and preferring roles with temporary credentials over long-lived access keys.
What is Route 53 in AWS?
Amazon Route 53 is AWS's scalable Domain Name System (DNS) service. It answers queries for your hosted zones using routing policies (simple, weighted, latency, failover, geolocation), optionally gated by health checks, and it supports domain registration and private hosted zones for VPC-internal names. It steers traffic at the DNS level rather than acting as a load balancer in the ELB sense.
What is the difference between VPC peering and Transit Gateway?
VPC peering and Transit Gateway both connect VPCs, but they differ in scale and topology. VPC peering is a direct one-to-one link between two VPCs: low latency, no extra hop, and no hourly charge, but it is non-transitive (A peered with B and B peered with C does not let A reach C), the CIDRs must not overlap, and every pair needs its own connection and routes, so it stops being manageable beyond a handful of VPCs. Transit Gateway is a Regional hub: VPCs, VPN and Direct Connect attach to it once, routing is transitive, and its route tables let you centrally decide which attachments may talk to which, which is how you segment a large estate. It costs an hourly attachment fee plus per-GB data processing, so for two or three VPCs peering is usually the better choice.
Difference between Classic ELB and Application ELB?
Classic Load Balancer (CLB): The previous-generation balancer. It operates at both Layer 4 (TCP/SSL) and Layer 7 (HTTP/HTTPS), balances only across EC2 instances, and has no content-based routing; use it only for workloads that already depend on it.
Application Load Balancer (ALB): Layer 7 only, for HTTP, HTTPS and gRPC. It adds path, host, header and query-string routing, target groups of instances, IP addresses or Lambda functions, WAF integration and listener-level user authentication, making it the default choice for new web applications.
Launch template vs launch configuration
- Launch configurations: The older, immutable way to tell an Auto Scaling group how to launch instances. You can use launch configurations to:
- Specify settings like the AMI, instance type, key pair, security groups, user data and IAM instance profile
- Nothing beyond that: a launch configuration cannot be edited after creation (you create a new one and swap it into the group), and AWS no longer adds features to launch configurations or recommends them for new work
- Launch templates: A more flexible and feature-rich alternative that AWS recommends. You can use launch templates to:
- Store launch parameters like the AMI ID, instance type, and network settings
- Mix several instance types and purchase options (On-Demand and Spot) in one Auto Scaling group, which requires a launch template
- Define multiple numbered versions of a template, mark one as the default, or reference $Latest
- Set security-relevant options such as requiring IMDSv2 (HttpTokens=required) and EBS encryption for the launched instances
- Support EC2 Dedicated Hosts, which are physical servers dedicated to your use
Difference between users and roles?
Users: An IAM user is a permanent identity for a person or application, with a password and/or long-term access keys that you have to rotate and protect.
Roles: A role is an identity with no long-term credentials. Something assumes it (a person through federation, an EC2 instance through its instance profile, a Lambda function, or a principal in another account) and receives temporary STS credentials limited to the role's permission policies. Roles are used for cross-account access, delegation, and letting AWS services call other services. For example, you create a role whose trust policy allows ec2.amazonaws.com to assume it, attach policies granting the needed S3 and EKS permissions, and attach the role to the instance; processes on that instance then reach S3 and EKS through credentials fetched from the instance metadata service (use IMDSv2) without any access keys on disk.
Difference Between General Purpose and Directory Buckets in S3?
- General purpose buckets are the standard S3 bucket type: a flat object namespace, data stored redundantly across multiple Availability Zones in the Region, and support for every storage class except S3 Express One Zone.
- Directory buckets are a separate bucket type built for the S3 Express One Zone storage class: data lives in a single Availability Zone for single-digit-millisecond access, objects are organized into directories (a hierarchical namespace), the bucket name ends in a --<az-id>--x-s3 suffix, and requests are authorized with short-lived session credentials obtained from CreateSession rather than by signing every request individually.
- General purpose buckets support all storage classes except S3 Express One Zone; directory buckets use only S3 Express One Zone, so choosing one is a choice of latency and cost profile, not a general replacement.
NAT Instance and NAT Gateway?
NAT Instance
A NAT instance is an EC2 instance you run yourself in a public subnet to give private subnets outbound internet access. You must disable its source/destination check, patch and size it, and build your own failover; it is a single point of failure and its throughput is bounded by the instance type. It is cheap for low traffic but is legacy: the NAT AMIs AWS used to publish are no longer maintained.
NAT Gateway
A NAT gateway is the managed equivalent: it scales automatically to tens of Gbps, is fault-tolerant within its Availability Zone, and needs no patching. It is AZ-scoped, so deploy one per AZ and route each private subnet to the gateway in its own AZ to avoid cross-AZ charges and a single-AZ failure domain. It costs more (an hourly fee plus per GB processed). Neither a NAT instance nor a NAT gateway accepts unsolicited inbound connections from the internet, which is the point: private subnets can fetch updates while staying unreachable from outside.
What is Cloud front and edge location ?
Cloudfront: Amazon CloudFront is a Content Delivery Network (CDN) service that securely delivers content (web pages, videos, APIs, etc.) with low latency and high transfer speeds. It uses a network of Edge Locations to cache and serve content closer to users globally.
Edge Location: An Edge Location is a physical data center in the AWS global network where CloudFront caches content. These are positioned globally to deliver content faster to end-users.
What will the Dockerfile look like if the image is not stored in Docker Hub?
Docker pulls from Docker Hub only when an image reference has no registry host in front of it. Any other registry is named in the reference itself, so the Dockerfile simply uses the fully qualified image name; the build host must be logged in to a private registry (docker login) before the pull succeeds. For a reproducible and tamper-resistant build, pin the base image by digest (@sha256:...) rather than by a mutable tag, so a re-tagged upstream image cannot silently change what you build on.
FROM private-registry.example.com/custom-image:tag
Difference Between Amazon EBS and Amazon EFS
EBS (Elastic Block Store) is block-level storage: a volume lives in one Availability Zone and is normally attached to a single EC2 instance at a time (Multi-Attach lets io1/io2 volumes attach to several instances in the same AZ, but the filesystem then has to be cluster-aware). Because it behaves like a local disk it suits databases (relational and non-relational), boot volumes, and anything that needs low-latency block I/O; volumes can be encrypted with KMS keys and snapshotted to S3.
EFS (Elastic File System) is a managed, Regional NFSv4 file system that any number of instances, containers or Lambda functions can mount concurrently across Availability Zones. It grows and shrinks automatically with the data stored, so there is no capacity to provision and you pay only for what you use. Access is controlled with security groups on the mount targets, IAM-based mount authorization and EFS access points, and data can be encrypted at rest with KMS and in transit with TLS.
Explain the difference between On-Demand, Reserved, and Spot instances in EC2. When would you choose one over the others?
On-Demand Instances
- Pricing: Pay for compute capacity per second (Linux) or per hour with no commitment.
- Use Case: Unpredictable or short-lived workloads that cannot be interrupted, and for trying things out before committing to capacity.
Reserved Instances
- Pricing: Commit to a 1- or 3-year term (all, partial or no upfront) for up to 72% off On-Demand; Savings Plans are the more flexible modern equivalent.
- Use Case: Steady-state, predictable workloads that will run for the whole term.
Spot Instances
- Pricing: Spare EC2 capacity at up to 90% off On-Demand. There is no bidding any more: you pay the current Spot price (optionally capped by a maximum price you set), and AWS can reclaim the instance with a two-minute interruption notice when it needs the capacity back.
- Use Case: Fault-tolerant, flexible workloads that checkpoint or can simply be retried: batch processing, CI runners, data analysis, and stateless web tiers behind a load balancer.